[ISN] Y2K may mask hacker attacks

From: mea culpa (jerichoat_private)
Date: Fri Jan 22 1999 - 14:43:51 PST

  • Next message: mea culpa: "[ISN] Intel exec envisions "the trusted PC""

    Forwarded From: Simon Taplin <stickerat_private>
    
    Y2K may mask hacker attacks
    19 January, 1999
    By Sharon Machlis and Sharon Gaudin
    
         BOSTON - The rash of computer glitches expected in January 2000 may
    create a golden opportunity for hackers, who tend to thrive when IT
    attention is focused elsewhere, some security experts warn. But a
    Computerworld poll of 102 executives found that 90 percent already have
    considered the possibility and are examining ways to thwart such
    opportunist hackers. 
    
     Of those surveyed, 23 percent said their companies are taking extra
    security precautions for their computer systems as part of their year 2000
    planning. For those who aren't, many said the Internet and electronic
    commerce posed bigger potential threats. 
    
     Not everyone agreed that there will be heavy hacking at year's end.  Some
    argued that increased year 2000 systems monitoring could help security,
    while others noted that would-be attackers could suffer year 2000 systems
    p roblems of their own. 
    
     "People can attack whenever they want, but there's going to be so much
    monitoring of the system that any anomaly would be noticed," said Mike
    Riley, director of Internet development at R.R. Donnelley &amp; Sons in
    Downers Grove, Illinois. "If anything, there's going to be a heightened
    sense of awareness."
    
     Nevertheless, a half-dozen consultants contacted by Computerworld urged
    companies to prepare. "If I was a hacker, I'd attack companies on December
    1999. I'd be almost untouchable. They'd never find me," said Darek
    Milewski, president of Cmeasures, a consulting firm in Berkeley,
    California. 
    
     What to look for
    
     Those consultants recommended that companies -- in addition to testing
    their security systems' year 2000 compliance -- anticipate the following
    possible year 2000-specific attack methods: 
    
     -- With so many people expecting systems problems this January 1, bugs
    caused by malicious intruders may be misidentified as year 2000 woes --
    and thus left unfixed.
    
     -- Those trying to penetrate corporate systems, particularly economic
    spies, may have set up year 2000 outsourcing firms. "What better way to
    get in the front door than to be in the fix-it business?" asked Fran k
    Cilluffo, director of an information technology task force at the Centre
    for Strategic International Studies, a Washington think tank. 
    
     -- Any change in computer coding, no matter how simple, can cause
    unintentional problems somewhere else. Those problems could include
    opening up security holes.
    
     -- Even those who have secured their own systems face potential security
    gaps via partners. 
    
     -- Security spending, like many other IT budget items, will likely take a
    backseat to year 2000 efforts this year.
    
     -- Year 2000 also opens up a nontechnical hacking possibility. For
    example, an outsider calls into a company on Monday, January 3, 2000,
    claiming to be the firm's year 2000 consultant and asking employees for
    their user names and passwords to check that everything's OK. "The best
    time to attempt a security breach is a time of chaos," said Philip Carden,
    a consultant at Renaissance Worldwide Consulting in Hoboken, New Jersey.
    
     William Ulrich, a year 2000 consultant and columnist for Computerworld,
    advises clients to include a security specialist in year 2000 projects,
    but only one firm he works with has such a person who regularly attends
    meet ings.
    
     An audit team should "be on very, very high alert -- not just [at year's
    end], but right now, looking for financial irregularities," said Ulrich,
    president of Tactical Strategy Group in Soquel, California. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:55 PDT