This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mimet_private for more info. --------------46AA4D0C5499 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.SUN.3.96.980906201546.16685Xt_private> Forwarded From: Zp33d13@dialup244-4-58.swipnet.se http://chicagotribune.com/splash/article/0,1051,SAV-9809060162,00.html COMPUTERS SPAWN A NEW CRIMINAL BREED By Naftali Bendavid Washington Bureau September 6, 1998 WASHINGTON -- Michael Vatis, dwarfed by his bare office on the 11th floor of FBI headquarters, has a big job at age 35--protecting the vast, tangled array of all the nation's computer networks from break-ins by criminals, pranksters, even terrorists. Vatis heads a new FBI team charged with coordinating computer investigations across the country. Thin, rumpled and intense--a slightly older version, perhaps, of the teenage hackers he pursues--Vatis sips steadily from a can of Diet Coke. A computer with a red "secret" label sits behind him along with an FBI mousepad. He speaks with a preacher's fervor. "All the critical services that our society relies on for its everyday functioning are now dependent on computers," Vatis said. "And they are interconnected with each other in ways that are so complicated and so vast that even if you just caused one system to crash, that would have cascading effects on other systems in ways that we can only begin to think about." Vatis' group is part of a push by federal investigators to attack what amounts to a new kind of crime--intrusions into computer networks, ranging from Fortune 500 companies to the Defense Department. Some predict it is a matter of time before a hacker brings down a 911 system or hospital, with catastrophic results. Law enforcement is beginning to respond seriously. Vatis' unit, created in February, has 50 members and will build to 125 sometime next year. The FBI has computer crime squads in seven cities, including Chicago. Also, a new breed of private detectives has sprung up, cybersleuths who scrutinize hard drives the way old-fashioned gumshoes studied fingerprints. The Computer Security Institute, a group of computer security professionals at major companies, has grown to 5,000 members. Vatis' operation is a sort of nerve center. Part of his job is to imagine the worst carnage that hackers--including well-financed terrorists or hostile nations-- could wreak. His description sounds like a disaster movie: "Blacking out power grids, shutting down telecommunications, bringing down our whole financial sector, disrupting government emergency services like police, fire and rescue, interfering with our air traffic control system, control of our railroads and railways, and delivery of oil and gas." For now, most hacking episodes are less apocalyptic but still troubling. Sixty-four percent of the business and government agencies in a recent survey reported computer security breaches within the last year, up from 42 percent two years ago. The FBI was handling 200 computer cases two years ago; now the number is close to 500. The newness of computer crime makes it daunting. Authorities have been investigating murders, for example, for centuries, and their techniques have become increasingly refined. Cybercrime, in contrast, requires entirely new methods, new technology, new philosophies. "In the traditional crime, you have witnesses. Here there are no witnesses," said James Healy, who supervises the Chicago FBI's computer crimes squad. "In the traditional crime, you have something of value taken. Here you're talking about data loss. . . . We are looking at a system of crime that we can't just put on a parallel to other crimes." Healy's nine-member squad was formed a little over a year ago, and it is just beginning to score successes. One case began when a company called U.S. Web, which creates Web sites for other companies, reported that two of its sites had vanished mysteriously. Healy's team closed in on a former U.S. Web employee, James Watson, 25, of Naperville. Watson pleaded guilty to charges of harming a computer system used in interstate commerce, a crime under the federal anti-hacking statute. He has not yet been sentenced. As with other crimes, victims often are unwilling to rely on official investigators, turning instead to the new breed of private cybersleuths. A new field called data forensics has emerged, its experts specializing in retrieving information that has been erased. John Posey, president of an investigations firm called Information Risk Group, is one of the new breed. His firm was hired by one company recently because pornography was mysteriously popping up on its computer system, along with copies of The Anarchist Cookbook, a radical instruction manual on everything from explosives to drugs. Posey's team tracked down the employee responsible, and when he came in for his midnight shift Posey confronted him. "He had wanted to be in (his employer's) information technology group, and they thumbed their nose at him," Posey said, explaining the man's motive. "He thought he knew their system better than they did, and he was right." The demand for services like Posey's is likely only to increase. Virtually every company and agency, after all, now stores its crucial information on its computer system. Criminals stalk hard drives much like they used to follow armored trucks. In the rush for companies to get on-line with ever better software, experts say, security is being overlooked, and that opens the door. And it is indisputable that hacking episodes have invaded the headlines with increasing frequency in recent years. Ehud Tenebaum, an 18-year-old Israeli who calls himself "Analyzer," was arrested in March for allegedly penetrating U.S. government computers. The same month, charges were unsealed against another hacker who allegedly disabled a crucial computer at a Massachusetts airport. In Chicago, a software engineer was charged recently with paralyzing the computers at Highland Park Hospital for two days. "It's like the Old Western gunslingers," said John Spain, vice president of Asset Management Solutions, a corporate security firm. "A lot of people want to put a notch in their keyboard, like the old gunslingers wanted to notch their six-shooters." Perhaps most terrifying for many companies is the threat that confidential information will be erased. Executives at Omega Engineering Corp. in New Jersey were shocked one day to find that a huge amount of software had been deleted from their system. Omega makes sophisticated gauges for NASA and the U.S. Navy, and the company says the lost data cost it $10 million. Federal agents investigated, and they ultimately arrested program designer Timothy Lloyd, who recently had left Omega. Lloyd has pleaded not guilty to federal hacking charges. Cybercrime is attractive partly because it is so easy to pull off, police say. Conventional offenses-- robbery, fraud, extortion--require perpetrators to recruit accomplices and perhaps even face gunfire and risk death. Computer crimes can be pulled off while sitting in an easy chair. Giving hackers an added boost are several Web sites that post hacking plans, or "exploits," which can be downloaded and used to break into various systems. A site called Rootshell recently described a facet of the Yahoo Pager program as "just plain sad." It added: "All you need to supply is a user name to bump people off, spy on contact lists, hijack conversations, impersonate people, etc." Then the site seemingly gave instructions on how to do so. Those who run such sites insist they are actually helping companies by pointing out weaknesses so the companies can correct them, but security specialists scoff at that. "If someone breaks into my house, it never enters my mind that they are helping me test my security," Spain said. The biggest problem facing anti-cybercrime efforts may be the philosophical chasm between police agencies and business leaders. Police want to monitor companies' private information so they can fight and investigate crime. Businesses want to keep it secret. Many corporate leaders distrust the FBI's new cybercrime efforts. "The FBI . . . has been a political organization that has abused civil liberties, spied on political dissidents and investigated enemies of the administration in power," said libertarian scholar David Kopel. "To say that they will get more power over something as important as computers is very frightening." But Richard Power, spokesman for the Computer Security Institute, ridiculed the notion that corporations can fend off computer crime without law enforcement. "It's as if you expected a highway system to grow up without any yellow lines, without speed limits and without driver's licenses," said Power, whose group represents computer security professionals. "That's what we're expecting Internet commerce to be. And it's just not going to happen." Police even suspect that companies fail to report hacking incidents for fear of damaging their reputation. That, they add, is like a bank not reporting a robbery because doing so would reveal its vulnerability. "If you stay inside your shell and keep all that information to yourself and don't inform anybody, who's going to catch the bad guy and deter other people from engaging in the same sort of activity?" Vatis asked. "It's going to happen again and again and again." The tensions may ease as time goes on, some say. Others predict cybercrime itself will fade as companies begin to demand better safety mechanisms from software manufacturers. Still others say companies will get better at taking basic steps, like creating secure backup systems. But few dispute that cybercrime will be around as long as cyberspace is. "There is incredible impetus to get on-line fast and in all ways," Power said. "The technologies are very new and they're very vulnerable. We are going to be in a messy situation for a while." --------------46AA4D0C5499-- -o- Subscribe: mail majordomot_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:21 PDT