http://sun.soci.niu.edu/~crypt/other/fbitest.htm

While rummaging through documents on the FBI's homepage, Crypt Newsletter recovered some examples of unusual testimony made by agency officials to Congress. These particular citations come from a March 1998 hearing before Jim Saxton's House Joint Economic Committee. The hearings were conducted to gather information on criminal threats in cyberspace and/or connected to criminal misuse of computers.

The following example is pulled from Neil J. Gallagher's statement. In it, Gallagher, Deputy Assistant Director of the FBI's Criminal Division, gives two examples of "cybercrime" connected with banks. The second, reprinted here, is the most interesting. It is not an example of "cybercrime" but, rather, a surprisingly low-tech case of one anonymous yahoo who used a public telephone booth and a patently ridiculous hacker story in a failed attempt to extort money from the targeted banks.

"In April of 1997, telephone calls were made to banks in Portland, Oregon and Boston, Massachusetts claiming that the institutions, and 49 other financial institutions, had been targeted by an environmental group. The caller explained that the group had penetrated the bank's computer systems and if the banks did not make $2,000,000 'donations' to the group, the computer systems would be brought 'to a screeching' halt. The caller further explained that timing devices had been utilized and if the $2 million dollar donations were not received by the group, the computer systems would crash within the next week. He also warned that if the banks involved law enforcement in the matter, the systems would be destroyed immediately.
The caller advised his group had previously penetrated computer systems within the Central Intelligence Agency and other unnamed federal agencies. A subsequent telephone call was traced to a public pay phone and the subject was arrested. The subject pled guilty to one count of Title 18, U.S.C. Section 875 (Interstate Extortion) and was sentenced to six months in jail followed by three years supervised release."

At the same hearing, Michael A. Vatis, another FBI Deputy Assistant Director, testified on an assortment of hacker menaces. The most mystifying and mind-numbing claim made by the FBI man was in reference to electromagnetic pulse guns as hacker tools -- indicating he seems to believe this ongoing myth.

"Advanced electronic hardware also can be used in cyber attacks, including such items as high-energy radio frequency (RF) weapons, electromagnetic pulse weapons . . . These weapons can be used to destroy property and data . . ." wrote Vatis.

Of course, no examples were presented.

Vatis' statement also includes imprecise references to a number of spectacularly publicized hacker cases in the past few months. Interestingly, it shows that skepticism about claims of imminent technological disaster has had some impact in 1998, causing FBI spokesmen to defend their assertions more analytically.

"Some would say that [the] vulnerability is overstated, that there are sufficient technological security tools to protect against malicious hackers and crackers, and that infrastructures have built in redundancies to their systems to prevent catastrophic system failures in the event of a successful intrusion. I'm afraid that the facts prove otherwise," wrote Vatis.

The assistant director then invoked the famous cliche.

"Although we have not experienced the electronic equivalent of a Pearl Harbor or Oklahoma City as some have foretold, the statistics and our cases demonstrate our dangerous vulnerabilities . . ."
Actually, the statistics presented, what there were of them in the FBI assistant director's report, don't convincingly prove the point. Indeed, Vatis allowed they left room for interpretation.

For example, in one case where actual numbers were presented: ". . . the Carnegie Mellon CERT/Coordination Center reported a small reduction in security incidents (2,134 in 1997, down from 2,573 in 1996) . . ." wrote Vatis.

Vatis nevertheless maintained, ". . . the type and scope of attacks indicates a disturbing increase in the use of automated scripts, enabling malevolent network users to attack very large numbers of systems with much greater efficiency."

Which could also be an indication that reporting on the precise nature of incidents is much better than it was in 1996, or that there are more relatively unskilled trivial nuisances utilizing widely publicized security breaching tools.

One of the cases the FBI now uses as a more dire illustration, repeated a number of times for emphasis in the Saxton committee hearing, is the following:

"Many of you have also probably read about the plea bargain in Massachusetts this week of a teenage hacker who was able to break into the former NYNEX (now Bell Atlantic) system and, through it, disable telecommunications at a regional airport, cut off services to the airport's control tower, and prevent incoming planes from turning on the runway lights. This case is a wake-up call for those who would argue that hacking is simply harmless fun," writes Vatis.

Vatis went on to say the FBI has created a number of new divisions, with seemingly redundant functions, to analyze and deal with future threats.

Crypt Newsletter recommends you read the originals.