[ISN] Hacking up, disclosure down, FBI survey says

From: InfoSec News (isnat_private)
Date: Sun Apr 07 2002 - 22:22:38 PDT


    By D. IAN HOPPER, AP Technology Writer 
    WASHINGTON (April 7, 2002 12:18 a.m. EST) - Most large corporations
    and government agencies have been attacked by computer hackers, but
    more and more frequently they do not inform authorities of the
    breaches, an FBI survey finds.
    The survey released Sunday found about 90 percent of respondents
    detected computer security breaches in the past year but only 34
    percent reported those attacks to authorities.
    Many respondents cited the fear of bad publicity about computer
    "There is much more illegal and unauthorized activity going on in
    cyberspace than corporations admit to their clients, stockholders and
    business partners or report to law enforcement," said Patrice Rapalus,
    director of the Computer Security Institute, which conducted the
    survey with the FBI's San Francisco computer crime squad.
    The seventh annual survey polled 503 American corporations, government
    agencies, financial and medical institutions and universities. The
    names of the organizations polled were not released.
    Overall, there were more computer crimes than in last year's survey.  
    But fewer victims reported crimes to police than in 2001, reversing a
    trend from earlier surveys.
    A former Justice Department computer crimes prosecutor said there is
    frequently little incentive for a company to report computer attacks
    or crimes.
    "It tends not to help their bottom line, but hurt their bottom line,"  
    Mark Rasch said. "What a company wants to do is solve the problem and
    move on."
    When those companies are financial institutions or other parts of the
    nation's critical technology infrastructure, however, more than the
    company's bottom line is at stake.
    The government is using partnership groups - such as the FBI's
    InfraGard chapters in each field office - to persuade companies to
    report the attacks directly to FBI agents without public disclosure.
    "They need to use a mechanism to report these incidents and
    vulnerabilities broadly so they can be fixed, but won't be
    attributable back to them," Rasch said.
    The survey respondents said they lost at least $455 million as a
    result of computer crime, compared with $377 million the previous
    year. In both surveys, only about half chose to quantify their losses.
    The most serious monetary losses came from the theft of money or
    proprietary information, such as blueprints for computer programs, and
    fraud, such as failure to deliver services or equipment that have been
    paid for.
    Despite concerns that foreign governments would begin using computer
    attacks as a method of terrorism or war, most attacks on American
    companies still come from individual hackers and disgruntled
    employees, the report said.
    The survey also addresses the increasing frequency of attacks on
    Internet retailers. There have been several reports of thefts of
    credit card data over the past year, including some instances in which
    the thief threatened to release sensitive data unless the victim paid
    a ransom.
    WorldCom, The New York Times and others have had holes exposed in
    their Web security, leading to unwanted intruders.
    Thirty-eight percent of the respondents said their Web sites have been
    broken into over the past year, and 21 percent said they were not
    sure. Eighteen percent reported some sort of theft of transaction
    information, such as credit card numbers or customer data, or
    financial fraud.
    Seventy percent of organizations reported online graffiti, usually the
    simplest and least damaging type of attack. A graffiti hacker replaces
    the Web site's front page with his or her own text and, sometimes,
    offensive pictures.
    Companies are also seeing problems from within. Seventy-eight percent
    said their employees abused Internet privileges, including downloading
    pornography or pirated software.