[ISN] FBI Needs Victim's Cooperation to Nab Comp Crooks

From: mea culpa (jerichot_private)
Date: Tue Oct 06 1998 - 15:53:01 PDT

  • Next message: mea culpa: "[ISN] HP reveals security initiatives"

    Posted at 01:46 a.m. PDT; Tuesday, October 6, 1998
    FBI team needs victims' cooperation to nab computer crooks
    by Peter Lewis
    Seattle Times staff reporter
    Seattle's FBI office is in line for a high-tech upgrade - a team of agents
    specially trained to counter a troubling trend, the rise of computer
    But will it have much business? 
    Prosecutors and computer-security experts are concerned about one big
    obstacle: a pattern of silence on the part of many computer-crime victims.
    One prosecutor even likened the situation to rape, with victims worried
    about being re-victimized if they go public. 
    Experts cite several reasons for the reluctance, including fear of drawing
    attention to weaknesses that might attract other attacks, liability
    questions, a perception that law enforcement isn't up to the task and
    relatively light sentences when offenders are caught. 
    For each of the past three years, the number of organizations reporting
    computer break-ins to law enforcement has held steady at 17 percent of
    those surveyed, according to the Computer Security Institute, a San
    Francisco-based international group serving information-security
    Even so, Seattle's new unit is part of a larger national effort to boost
    confidence in law enforcement's ability to fight computer crime.  The unit
    would add 11 agents to the regional office, plus about a half-dozen
    nonagent technical analysts with a computer-science background. 
    "As we become more and more dependent on computer communications, it's
    going to replace a lot of things, and it's important to protect those
    things," says federal Prosecutor Steve Schroeder, the "computer guy" in
    the U.S. Attorney's Office in Seattle. To add prosecutorial oomph, a
    second assistant, Floyd Short, is joining Schroeder to handle
    computer-crime cases. 
    Officials at FBI headquarters in Washington, D.C., say their proposed 1999
    budget includes $11.6 million to cover the cost of the new Seattle squad
    as well as five similar Computer Analysis and Response Teams around the
    country.  Funding comes in part from money freed up from Cold War-era
    counterintelligence activities. A handful of big cities, including New
    York, San Francisco and Washington, D.C., already have such squads. 
    The unit will assist in cases where computers facilitate crime - such as
    in child pornography, drug-dealing or financial crimes. 
    At a more sophisticated level, the unit will help investigate intrusions
    into computer networks, sometimes pulled off by "recreational" hackers,
    but more commonly by disgruntled employees with access to corporate
    The Seattle unit could also be called upon as part of a larger response to
    cyberterrorists intent on pulling off the electronic equivalent of the
    World Trade Center bombing. Instead of targeting buildings, dams or
    planes, such terrorists could attack power grids, military defense,
    financial institutions or telecommunications systems. What's more, they
    could do it from overseas with inexpensive equipment at no risk to their
    personal safety. 
    Some examples illustrate the problem: 
    -- In 1994, criminals operating in several countries hacked into the
    Citibank Cash Management System that is used for functions such as wire
    transfers. They attempted 40 transfers totaling $10 million. 
    -- Late last year, authorities in this country and Israel arrested three
    teenagers who are suspects in a series of intrusions into Department of
    Defense and other government agencies' computers. 
    -- Earlier this year, a Massachusetts teenager pleaded guilty to having
    crippled an airport's control tower by using a computer to disable voice
    and data communications. 
    Statistics are scarce
    "Roughly two years ago, the FBI had 100 pending (computer intrusion)
    investigations. . . . Today, we have over 500," says Ken Geide, section
    chief for the Computer Investigations and Operations section of the
    National Infrastructure Protection Center, based in Washington, D.C. 
    The mission of the center - a relatively new agency composed of
    law-enforcement, intelligence and other government officials - is in part
    to coordinate response to cyberattacks and to collect reliable data on
    Computer-crime statistics are scarce. For example, the most current
    figures, from fiscal 1997, show that the number of FBI arrests increased
    950 percent from the previous year.  That's not terribly meaningful,
    though, because the number of arrests jumped from four to 42. 
    In a similar vein, findings from a 1998 survey conducted jointly by the
    FBI and Computer Security Institute indicate that computer crime is on the
    In a survey of 520 U.S. corporations, government agencies, financial
    institutions and universities, 64 percent reported information-security
    breaches. Total financial losses from the 241 organizations that could put
    a dollar figure on the incidents added up to nearly $137 million, a 36
    percent increase from the previous year. 
    Given this trend, Prosecutor Schroeder thinks it's good news that the
    local FBI office has been designated to receive a computer-crime squad. 
    Still, it will be of limited value if victims don't report intrusions. And
    all indications are that computer crime is seriously underreported, both
    locally and nationally. 
    "It's been relatively quiet," Schroeder says of his computer-crime
    caseload. "I'm continually amazed at how few (criminal) referrals we get
    from the big boys," including Microsoft. "There's a mindset that if (a
    break-in) gets publicized .  . . that hurts their image and business." 
    "They just don't come in," echoes King County Deputy Prosecutor Ivan
    Orton, who has been handling computer cases for the county under state law
    since 1984. He says he averages about two or three cases a year. 
    "I cannot imagine that King County is not a hotbed of criminal computer
    activity," says Orton. "There's too many computer companies and people who
    know how to do this stuff." 
    He recounts a case from the mid-1980s when an 18-year-old on the Eastside
    got into at least 50 companies' computers - and only four complained to
    `Fear and embarrassment'
    Of victim reluctance, Orton says: "It's a combination of fear and
    embarrassment." There's also a cost-benefit factor. 
    When businesses weigh the time and costs of prosecution, the need to give
    investigators access to confidential records and publicity likely to paint
    them as "the big dumb company vs.  the smart, clever hacker," they usually
    opt to handle intrusions internally, Orton says. The atmosphere reminds
    him of old "blame the victim"  attitudes toward sexual assaults. 
    At Microsoft, Howard Schmidt, director of information security,
    acknowledges that his team regularly detects people trying to get into the
    software giant's networks. 
    But many would-be intruders are not worth reporting to law enforcement, he
    says, because they don't do enough damage. 
    "You shut them (the intruders) off," says Schmidt. "There's not a whole
    heck of a lot that someone's going to be able to do with it, or should do
    with it." He described repelled computer break-ins as "attempted crimes." 
    "By the same token, if it (the intrusion) is destructive, we'd report it,"
    Schmidt adds. 
    In the year he's been at Microsoft, Schmidt says the company has made four
    referrals to law enforcement. Each is still pending, and he declined to
    disclose details. 
    The federal fraud-and-abuse computer statute was shaped in part by a
    6-year-old Seattle case, Schroeder recalls. In that case, two young Puget
    Sound area men hacked their way into the computer system maintained by
    U.S. District Court, and downloaded an encrypted password file. 
    Then, the duo got into a Boeing supercomputer, which had the ability to
    decrypt the courthouse password file, Schroeder says. That move gave them
    "superuser" status in the courthouse system, meaning they could read,
    alter or delete any file in the system. 
    At the time, Schroeder recalls, the federal computer-fraud statute covered
    interference with authorized use of a government computer but not simple
    "trespass." Somewhat sheepishly, Schroeder now acknowledges it was "a
    stretch" to charge the pair as he was forced to. 
    (Both young hackers pleaded guilty to misdemeanors; their probationary
    sentences were subsequently revoked, however, and they pleaded guilty to
    felony charges stemming from their hacking into the computerized guest
    registry at the Red Lion Inn in Bellevue to steal credit-card numbers.) 
    Congress amended law in 1994
    Privacy and monitoring shortcomings highlighted by the Seattle case caused
    Congress to amend the law in 1994 to make simple trespass a crime and to
    give system-monitoring privileges to data network providers, Schroeder
    Separate from the Seattle case, and perhaps more significant, the law was
    also broadened two years ago to cover computers used in interstate or
    foreign commerce or communications. Essentially, that includes anyone
    connected to the Internet. 
    Formerly, "protected" computers were more narrowly defined as those used
    by or for the federal government. Federal law now also allows private
    parties to recover damages when there's unauthorized access. 
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:46 PDT