[ISN] Quo Vatis: More notes from the FBI re computer crime.

From: mea culpa (jerichoat_private)
Date: Wed Sep 16 1998 - 04:41:34 PDT

  • Next message: mea culpa: "[ISN] Global Campaign To Remove Crypto Restrictions"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.980916054042.15017Cat_private>
    While rummaging through documents on the FBI's homepage, Crypt Newsletter
    recovered some examples of unusual testimony made by agency officials to
    Congress. These particular citations come from a March 1998 hearing before
    Jim Saxton's House Joint Economic Committee. The hearings were conducted
    to gather information on criminal threats in cyberspace and/or connected
    to criminal misuse of computers. 
    The following example is pulled from Neil J. Gallagher's statement. In it,
    Gallagher, Deputy Assistant Director of the FBI's Criminal Division, gives
    two examples of "cybercrime" connected with banks. The second, reprinted
    here, is the most interesting. It is not an example of "cybercrime" but,
    rather, a surprisingly low-tech case of one anonymous yahoo who used a
    public telephone booth and a patently ridiculous hacker story in a failed
    attempt to extort money from the targeted banks. 
    "In April of 1997, telephone calls were made to banks in Portland, Oregon
    and Boston, Massachusetts claiming that the institutions, and 49 other
    financial institutions, had been targeted by an environmental group. The
    caller explained that the group had penetrated the bank's computer systems
    and if the banks did not make $2,000,000 'donations' to the group, the
    computer systems would be brought 'to a screeching' halt. The caller
    further explained that timing devices had been utilized and if the $2
    million dollar donations were not received by the group, the computer
    systems would crash within the next week. He also warned that if the banks
    involved law enforcement in the matter, the systems would be destroyed
    immediately. The caller advised his group had previously penetrated
    computer systems within the Central Intelligence Agency and other unnamed
    federal agencies. A subsequent telephone call was traced to a public pay
    phone and the subject was arrested. The subject pled guilty to one count
    of Title 18, U.S. C.  Section 875 (Interstate Extortion) and was sentenced
    to six months in jail followed by three years supervised release." 
    At the same hearing, Michael A. Vatis, another FBI Deputy Assistant
    Director, testified on an assortment of hacker menaces. 
    The most mystifying and mind-numbing claim made by the FBI man was in
    reference to electromagnetic pulse guns as hacker tools -- indicating he
    seems to believe this ongoing myth. 
    "Advanced electronic hardware also can be used in cyber attacks, including
    such items as high-energy radio frequency (RF) weapons, electromagnetic
    pulse weapons . . . These weapons can be used to destroy property and data
    .  . ." wrote Vatis. Of course, no examples were presented. 
    Vatis' statement also includes imprecise references to a number of
    spectacularly publicized hacker cases in the past few months. 
    Interestingly, it shows that skepticism about claims of imminent
    technological disaster has had some impact in 1998, causing FBI spokesmen
    to defend their assertions more analytically. 
    "Some would say that [the] vulnerability is overstated, that there are
    sufficient technological security tools to protect against malicious
    hackers and crackers, and that infrastructures have built in redundancies
    to their systems to prevent catastrophic system failures he event of a
    successful intrusion. I'm afraid that the facts prove otherwise," wrote
    The assistant director then invoked the famous cliche. 
    "Although we have not experienced the electronic equivalent of a Pearl
    Harbor or Oklahoma City as some have foretold, the statistics and our
    cases demonstrate our dangerous vulnerabilities . . ." 
    Actually, the statistics presented, what there were of them in the FBI
    assistant director's report, don't convincingly prove the point. Indeed,
    Vatis allowed they left room for interpretation. 
    For example, in one case where actual numbers were presented: ". . . the
    Carnegie Melon CERT/Coordination Center reported a small reduction in
    security incidents (2,134 in 1997, down from 2,573 in 1996) . . ." wrote
    Vatis nevertheless maintained, ". . . the type and scope of attacks
    indicates a disturbing increase in the use of automated scripts, enabling
    malevolent network users to attack very large numbers of systems with much
    greater efficiency." 
    Which could also be an indication that reporting on the precise nature of
    incidents is much better than it was in 1996, or that there are more
    relatively unskilled trivial nuisances utilizing widely publicized
    security breaching tools. 
    One of the cases the FBI now uses as a more dire illustration, repeated a
    number of times for emphasis in the Saxton committee hearing, is the
    "Many of you have also probably read about the plea bargain in
    Massachusetts this week of a teenage hacker who was able to break into the
    former NYNEX (now Bell Atlantic) system and, through it, disable
    telecommunications at a regional airport, cut off services to the
    airport's control tower, and prevent incoming planes from turning on the
    runway lights. This case is a wake-up call for those who would argue that
    hacking is simply harmless fun,"  writes Vatis. 
    Vatis went on to say the FBI has created a number of new divisions, with
    seemingly redundant functions, to analyze and deal with future threats. 
    Crypt Newsletter recommends you read the originals. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:24 PDT