http://ap.tbo.com/ap/breaking/MGAJV5G6JNC.html By Brian Bergstein The Associated Press Published: Jun 3, 2001 HAYWARD, Calif. (AP) - When someone cracked Slip.net's computer system, altered customer accounts and deleted important databases, the Internet service provider didn't need to look far to find the attacker. It wasn't a criminal outfit seeking credit card numbers, and it wasn't a scrawny whiz kid hacking away for a challenge in his dark bedroom. It was Nicholas Middleton, a former computer administrator for Slip.net, who had been unhappy at the San Francisco company and recently quit. Middleton fought the resulting criminal charges on a legal technicality but lost and got three years' probation. Federal investigators say this type of computer crime is on the rise. As layoffs become more common at technology companies, an increasing number of disgruntled or fired employees are hacking their companies in revenge. "The whole nature of computer crimes has changed," said Agent Greg Walton of the FBI's San Francisco-area computer intrusion squad. "The problem at big companies is, the network administrator is probably the last guy who finds out you got fired, and doesn't cut off your access. Or it's the network administrator who gets fired, and he has access." Walton and the nine other members of his squad - most of whom work out of a small, nondescript suite in Hayward - have about 10 active investigations involving allegations of hacking by disgruntled or laid-off workers. It's a significant phenomenon, since the squad usually works on 50 to 60 cases at a time. The jury that convicted Middleton found he caused more than $40,000 in damage to Slip.net, which spent days repairing its systems. Slip.net was sold the next year. Sometimes, the cost is not as problematic as the embarrassment a former worker can create. Take the case of Joseph Durnal, a former contract employee for Peak Technologies in Columbia, Md. Durnal hacked its computer system and sent e-mails purportedly from management - with a pornographic attachment - telling workers the company was going out of business. Durnal pleaded guilty and was ordered to pay $48,520 in restitution in December. Computer crimes of all kinds - by insiders and outsiders - are increasing and getting more costly, according to a recent survey of 538 companies, universities and government agencies by the San Francisco-based Computer Security Institute and the FBI. Eighty-five percent said their networks were breached in the previous year. The 186 respondents who were willing to quantify the damage they suffered put their total losses at $378 million. In last year's survey, 249 companies said they lost a total of $266 million. Richard Power, the institute's editorial director, said former employees need to be watched closely as firms downsize. "It is a known fact, a rule of thumb, in (computer security) that you have got to pay closer attention at times like these," he said. At many Silicon Valley companies, laid-off workers are instantly marched out of the building, with barely enough time to gather personal belongings. Plainclothes and uniformed security guards are usually on hand. Still, the FBI worries that many companies aren't doing enough to keep their computer systems secure. Agents emphasize the point in regular lectures at Silicon Valley companies, especially ones going through layoffs. Walton often tells human resources managers: "Not only do you know who you just hired, but do you know who you just fired?" Ross Nadel, chief of the hacking and intellectual property unit in the U.S. Attorney's Office in San Jose, said his team is also prosecuting more cases involving thefts of trade secrets and break-ins at corporate networks by former employees. Though it makes sense that Silicon Valley's economic downturn is responsible, more cases may be popping up simply because more companies are reporting such crimes to authorities than in the past, he said. Indeed, in the report from the Computer Security Institute, 36 percent of the companies, schools and agencies hacked in the previous year said they reported the incident to law enforcement, up from 25 percent the year before. Nearly all the companies that didn't tell law enforcement about their hacking problems said they feared negative publicity. Many file civil suits against perpetrators instead. ISN is hosted by SecurityFocus.com --- To unsubscribe email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 05:28:19 PDT