[ISN] The Enemy Within

From: InfoSec News (isnat_private)
Date: Tue Jul 10 2001 - 02:30:22 PDT

  • Next message: Richard Forno: "Re: [ISN] Microsoft to tap VeriSign for security"

    http://www.computerworld.com/itresources/rcstory/0,4167,STO61983_KEY73,00.html
    
    By DAN VERTON 
    July 09, 2001
    
    It's January 2000, and the world hasn't imploded under the weight of
    the Y2k problem. Planes aren't falling out of the sky, and trains
    aren't careening off their tracks. But in a few short months, Craig
    Goldberg's start-up will come face to face with a more sinister threat
    that will take it to the brink of disaster: cybercrime.
    
    The CEO of Internet Trading Technologies Inc. (ITTI), a New York-based
    technology subsidiary of stock trade regulator LaBranche & Co., had
    just completed a second round of funding that helped fuel an expansion
    of the company's IT staff. Within two months, Goldberg hired a
    half-dozen more software developers and tapped a CIO with 15 years of
    experience to take on the role of chief operating officer.
    
    Trouble lurked beneath the surface, however. Two of the company's
    software developers approached ITTI's new COO and demanded that the
    company "pay them a lot of money or they will resign immediately and
    not provide any assistance to the development team," according to
    Goldberg, who eventually succumbed to the demands.
    
    But that wasn't enough for the two developers, who left the premises,
    demanded more money and stock options and threatened to let the
    development work founder. "It felt like we were being held up," says
    Goldberg. Faced with the equivalent of a cyberhijacking, he refused to
    budge, and the developers were dismissed.
    
    The first denial-of-service attack hit the next morning, a Thursday,
    and crashed the company's application server. Somebody sitting at a
    computer in a downtown Manhattan Kinko's had gained access to ITTI's
    server using an internal development password. The server was brought
    back online, only to be hit again two minutes later, says Goldberg.
    Passwords were changed, and development systems were air-gapped -
    physically disconnected - from the Internet. But the attacks continued
    through the weekend.
    
    The situation soon became critical. "If the attacks continued to go
    on, we would go out of business," Goldberg says. He called in a
    security consulting firm and the Secret Service.
    
    The last attack, which occurred Monday morning, hit as federal
    authorities were installing monitoring equipment on ITTI's networks.
    Authorities traced the attacker to a computer at Queens College in
    Flushing, N.Y., where one of the former employees was a student.
    Witnesses placed the individual at the specific computer at the
    precise time of the attack. Within an hour, the Secret Service
    officials had their man. No evidence or charges were brought against
    the other former employee.
    
    Stress Points
    
    Experts agree that cybercrimes, such as the one perpetrated against
    ITTI, are often the result of a combination of factors that are unique
    to the modern IT workplace. Although most managers believe, as
    Goldberg says, that "security is both about risk management and hiring
    honest people," experts in criminal psychology say the onus is often
    on managers to take action to prevent current and former employees
    from lashing out in the form of cybercrime.
    
    Jerrold Post, a professor of psychiatry at The George Washington
    University in Washington, developed the "Camp David profiles," which
    focus on understanding the psychology of terrorism and political
    violence. They were developed for then-President Jimmy Carter. Post
    says cybercrime can be seen as a subset of workplace violence, where
    employees become frustrated but have no way to mitigate the stress.
    
    "In almost every case, the act which occurs in the information system
    era is the reflection of unmet personal needs that are channeled into
    the area of expertise," says Post. "Almost all of these people are
    loyal at the time of hiring, so this isn't a matter of screening them
    out."
    
    Post acknowledges that only a small percentage of IT workers who share
    a common set of personality traits actually commit crimes. However,
    for those who do become cyberoffenders, their actions are often the
    result of not having skilled managers who can alleviate workplace
    stressors, he says.
    
    Post suggests several approaches that managers can take to both
    identify and alleviate those stressors for employees, including
    providing more distinct career paths. He also says managers need to
    acquire better leadership skills to help people feel like they really
    matter to an organization.
    
    Bill Tafoya has spent the better part of the past 25 years profiling
    criminals. A former special agent at the FBI and now a professor of
    criminal justice at Governors State University in University Park,
    Ill., Tafoya says many IT workers today sometimes feel browbeaten by
    their employers.
    
    "Most of the time, however, they merely become cynics who infect
    co-workers with their misanthropic view and undertake career-long,
    one-person work slowdowns," he says.
    
    Managers often mishandle difficult situations, he says. "In some
    organizations, when personnel falter and are subsequently disciplined,
    the records department is a favorite reassignment [that] management
    uses for purposes of punishing the miscreant," Tafoya says. "I ask
    you, who is being punished?" Career paths need to be developed for IT
    personnel who handle a company's crown jewels - its information, he
    adds.
    
    Obviously, not all cybercrimes occur as a result of frustrated
    employees. Many computer security breaches are the acts of dishonest
    people who crack into systems from the outside using the Internet.
    
    Sometimes, they get a little indirect help from unsuspecting
    employees.
    
    In February, a major bank in the Northeast whose name is being
    withheld for security purposes discovered that unauthorized purchases
    were being made on the Internet using its customers' information. The
    bank called the Emergency Response Team (ERT) at Internet Security
    Systems Inc. (ISS), an Atlanta-based security firm. After 131 hours of
    forensics processing, both ISS and bank officials suspected that a
    mole in the company was helping the attacker.
    
    "The client was convinced there was a collaborator and was ready to
    terminate a number of individuals, as well as contractors," said Allan
    Fideli, director of the ERT and the former chief of worldwide security
    at IBM. However, Fideli and another analyst eventually narrowed down
    the perpetrator to a contractor in Europe who had stolen passwords
    from his mother-in-law, who was an employee of the bank.
    
    Scott Christie, an assistant attorney at the U.S. Attorney's Office
    for the District of New Jersey in Newark, says a lack of oversight is
    a key enabler in many cybercrime cases.
    
    "Without any oversight, [criminals] can do what they want without fear
    of being caught," says Christie.
    
    Richard Hunter, an analyst at Stamford, Conn.-based Gartner Inc., says
    management inattention can be a contributing factor. "Some managers
    are inattentive to the point that they do not even check resumes for
    people being hired into positions where sensitive data is available,"
    says Hunter.
    
    Although Post acknowledges that the majority of hackers are little
    more than garden-variety criminals, the world of cybercrime does have
    its share of Lee Harvey Oswalds, he says. The most recent example is
    Abraham Abdallah, a 32-year-old Brooklyn busboy who in March managed
    to pull off the biggest Internet identity heist in history by stealing
    the online identities of 200 of the richest people in America.
    
    There is little difference in motivation between criminals like
    Abdallah and Oswald, says Post. "To steal somebody's identity is to
    escape from one's place of insignificance. It's a special species of
    assassination," he says.
    
    For Tafoya, the assassination metaphor goes too far. "Those who have
    been so victimized see the theft of their identity as more akin to
    rape," he says.
    
    According to ITTI's Goldberg, however, cybercrime is about greed. "We
    talked and negotiated in good faith, but at a certain point in time,
    it becomes extortion," he says.
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 02:30:52 PDT