[ISN] Computers Spawn a New Criminal Breed

From: mea culpa (jerichot_private)
Date: Sun Sep 06 1998 - 19:22:18 PDT

  • Next message: mea culpa: "Re: [ISN] PGP's 6.0: Cat Out of the Bag"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimet_private for more info.
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.980906201546.16685Xt_private>
    Forwarded From: Zp33d13@dialup244-4-58.swipnet.se
    By Naftali Bendavid                   
    Washington Bureau                     
    September 6, 1998                     
    WASHINGTON -- Michael Vatis,          
    dwarfed by his bare office on the
    11th floor of FBI headquarters, has a big job at age 35--protecting the
    vast, tangled array of all the nation's computer networks from break-ins
    by criminals, pranksters, even terrorists. 
    Vatis heads a new FBI team charged with coordinating computer
    investigations across the country.  Thin, rumpled and intense--a slightly
    older version, perhaps, of the teenage hackers he pursues--Vatis sips
    steadily from a can of Diet Coke. A computer with a red "secret" label
    sits behind him along with an FBI mousepad. 
    He speaks with a preacher's fervor.
    "All the critical services that our society relies on for its everyday
    functioning are now dependent on computers," Vatis said. "And they are
    interconnected with each other in ways that are so complicated and so vast
    that even if you just caused one system to crash, that would have
    cascading effects on other systems in ways that we can only begin to think
    Vatis' group is part of a push by federal investigators to attack what
    amounts to a new kind of crime--intrusions into computer networks, ranging
    from Fortune 500 companies to the Defense Department. 
    Some predict it is a matter of time before a hacker brings down a 911
    system or hospital, with catastrophic results. 
    Law enforcement is beginning to respond seriously. Vatis' unit, created in
    February, has 50 members and will build to 125 sometime next year. The FBI
    has computer crime squads in seven cities, including Chicago. 
    Also, a new breed of private detectives has sprung up, cybersleuths who
    scrutinize hard drives the way old-fashioned gumshoes studied
    fingerprints. The Computer Security Institute, a group of computer
    security professionals at major companies, has grown to 5,000 members. 
    Vatis' operation is a sort of nerve center. Part of his job is to imagine
    the worst carnage that hackers--including well-financed terrorists or
    hostile nations-- could wreak. 
    His description sounds like a disaster movie: "Blacking out power grids,
    shutting down telecommunications, bringing down our whole financial
    sector, disrupting government emergency services like police, fire and
    rescue, interfering with our air traffic control system, control of our
    railroads and railways, and delivery of oil and gas." 
    For now, most hacking episodes are less apocalyptic but still troubling.
    Sixty-four percent of the business and government agencies in a recent
    survey reported computer security breaches within the last year, up from
    42 percent two years ago. The FBI was handling 200 computer cases two
    years ago; now the number is close to 500. 
    The newness of computer crime makes it daunting. Authorities have been
    investigating murders, for example, for centuries, and their techniques
    have become increasingly refined.  Cybercrime, in contrast, requires
    entirely new methods, new technology, new philosophies. 
    "In the traditional crime, you have witnesses. Here there are no
    witnesses," said James Healy, who supervises the Chicago FBI's computer
    crimes squad. "In the traditional crime, you have something of value
    taken. Here you're talking about data loss. . .  . We are looking at a
    system of crime that we can't just put on a parallel to other crimes." 
    Healy's nine-member squad was formed a little over a year ago, and it is
    just beginning to score successes. One case began when a company called
    U.S. Web, which creates Web sites for other companies, reported that two
    of its sites had vanished mysteriously.  Healy's team closed in on a
    former U.S. Web employee, James Watson, 25, of Naperville. 
    Watson pleaded guilty to charges of harming a computer system used in
    interstate commerce, a crime under the federal anti-hacking statute.  He
    has not yet been sentenced. 
    As with other crimes, victims often are unwilling to rely on official
    investigators, turning instead to the new breed of private cybersleuths. A
    new field called data forensics has emerged, its experts specializing in
    retrieving information that has been erased. 
    John Posey, president of an investigations firm called Information Risk
    Group, is one of the new breed. His firm was hired by one company recently
    because pornography was mysteriously popping up on its computer system,
    along with copies of The Anarchist Cookbook, a radical instruction manual
    on everything from explosives to drugs. 
    Posey's team tracked down the employee responsible, and when he came in
    for his midnight shift Posey confronted him. "He had wanted to be in (his
    employer's)  information technology group, and they thumbed their nose at
    him,"  Posey said, explaining the man's motive. "He thought he knew their
    system better than they did, and he was right." 
    The demand for services like Posey's is likely only to increase. 
    Virtually every company and agency, after all, now stores its crucial
    information on its computer system.  Criminals stalk hard drives much like
    they used to follow armored trucks. 
    In the rush for companies to get on-line with ever better software,
    experts say, security is being overlooked, and that opens the door. And it
    is indisputable that hacking episodes have invaded the headlines with
    increasing frequency in recent years. 
    Ehud Tenebaum, an 18-year-old Israeli who calls himself "Analyzer," was
    arrested in March for allegedly penetrating U.S.  government computers.
    The same month, charges were unsealed against another hacker who allegedly
    disabled a crucial computer at a Massachusetts airport. 
    In Chicago, a software engineer was charged recently with paralyzing the
    computers at Highland Park Hospital for two days. 
    "It's like the Old Western gunslingers," said John Spain, vice president
    of Asset Management Solutions, a corporate security firm. "A lot of people
    want to put a notch in their keyboard, like the old gunslingers wanted to
    notch their six-shooters." 
    Perhaps most terrifying for many companies is the threat that confidential
    information will be erased. Executives at Omega Engineering Corp. in New
    Jersey were shocked one day to find that a huge amount of software had
    been deleted from their system. Omega makes sophisticated gauges for NASA
    and the U.S. Navy, and the company says the lost data cost it $10 million. 
    Federal agents investigated, and they ultimately arrested program designer
    Timothy Lloyd, who recently had left Omega. Lloyd has pleaded not guilty
    to federal hacking charges. 
    Cybercrime is attractive partly because it is so easy to pull off, police
    say. Conventional offenses-- robbery, fraud, extortion--require
    perpetrators to recruit accomplices and perhaps even face gunfire and risk
    death. Computer crimes can be pulled off while sitting in an easy chair. 
    Giving hackers an added boost are several Web sites that post hacking
    plans, or "exploits," which can be downloaded and used to break into
    various systems. 
    A site called Rootshell recently described a facet of the Yahoo Pager
    program as "just plain sad."  It added: "All you need to supply is a user
    name to bump people off, spy on contact lists, hijack conversations,
    impersonate people, etc." Then the site seemingly gave instructions on how
    to do so. 
    Those who run such sites insist they are actually helping companies by
    pointing out weaknesses so the companies can correct them, but security
    specialists scoff at that.  "If someone breaks into my house, it never
    enters my mind that they are helping me test my security,"  Spain said. 
    The biggest problem facing anti-cybercrime efforts may be the
    philosophical chasm between police agencies and business leaders.  Police
    want to monitor companies' private information so they can fight and
    investigate crime.  Businesses want to keep it secret. 
    Many corporate leaders distrust the FBI's new cybercrime efforts. 
    "The FBI . . . has been a political organization that has abused civil
    liberties, spied on political dissidents and investigated enemies of the
    administration in power,"  said libertarian scholar David Kopel. "To say
    that they will get more power over something as important as computers is
    very frightening." 
    But Richard Power, spokesman for the Computer Security Institute,
    ridiculed the notion that corporations can fend off computer crime without
    law enforcement.  "It's as if you expected a highway system to grow up
    without any yellow lines, without speed limits and without driver's
    licenses,"  said Power, whose group represents computer security
    professionals.  "That's what we're expecting Internet commerce to be. And
    it's just not going to happen." 
    Police even suspect that companies fail to report hacking incidents for
    fear of damaging their reputation. That, they add, is like a bank not
    reporting a robbery because doing so would reveal its vulnerability. 
    "If you stay inside your shell and keep all that information to yourself
    and don't inform anybody, who's going to catch the bad guy and deter other
    people from engaging in the same sort of activity?" Vatis asked. "It's
    going to happen again and again and again." 
    The tensions may ease as time goes on, some say. Others predict cybercrime
    itself will fade as companies begin to demand better safety mechanisms
    from software manufacturers. 
    Still others say companies will get better at taking basic steps, like
    creating secure backup systems. But few dispute that cybercrime will be
    around as long as cyberspace is. 
    "There is incredible impetus to get on-line fast and in all ways,"  Power
    said. "The technologies are very new and they're very vulnerable. We are
    going to be in a messy situation for a while." 
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:21 PDT