[ISN] Crime Is Soaring in Cyberspace

From: InfoSec News (isnat_private)
Date: Tue Jan 28 2003 - 10:40:01 PST

    http://www.nytimes.com/2003/01/27/technology/27ECOM.html
    
    By BOB TEDESCHI
    January 27, 2003    
     
    CYBERCRIME, long a painful side effect of the innovations of Internet
    technology, is reaching new dimensions, security experts say. Spurred
    by a tightening economy, the increasing riches flowing through
    cyberspace and the relative ease of such crimes, technically skilled
    thieves and rank-and-file employees are stealing millions if not
    billions of dollars a year from businesses in the United States and
    abroad, according to consultants who track cybercrime.
    
    Thieves are not just diverting cash from company bank accounts, these
    experts say. They are pilfering valuable information like business
    development strategies, new product specifications or contract bidding
    plans and selling the data to competitors.
    
    "Criminal activity on the Internet is growing - not steadily, but
    exponentially, both in frequency and complexity," said Larry Ponemon,
    chairman of the Ponemon Institute, an information management group and
    consultancy. "Criminals are getting smarter and figuring out ways to
    beat the system."
    
    The number of successful, and verifiable, worldwide hacker incidents
    for the month of January is likely to surpass 20,000 - above the
    previous record of 16,000 in October, as counted by mi2g, a computer
    security firm based in London.
    
    Others also offer dire estimates, although the dollar amounts are
    difficult to verify or compare because the definitions of loss vary so
    broadly. Part of the challenge in quantifying the problem is that
    businesses are often reluctant to report and publicly discuss
    electronic theft for fear of attracting other cyberattacks or at the
    very least undermining the confidence of their customers, suppliers
    and investors — or inviting the ridicule of their competitors.
    
    In one survey of 500 computer security practitioners conducted last
    year by the Federal Bureau of Investigation and the Computer Security
    Institute, a trade group, 80 percent of those surveyed acknowledged
    financial losses to computer breaches. The computer professionals took
    part in the survey on the condition that they and their organizations
    would not be identified. Of the 223 respondents who quantified the
    damage, the average loss was $2 million. Those who had sustained
    losses of proprietary company information said each incident cost an
    average of $6.5 million, while financial fraud averaged $4.6 million
    an incident.
    
    One of the best known cases of corporate computer crime involved two
    accountants at Cisco Systems, who after pleading guilty were each
    sentenced in late 2001 to 34 months in prison for breaking into parts
    of the company's computer system they were not authorized to enter and
    issuing themselves nearly $8 million in company stock.
    
    But it is nearly impossible to identify the companies that have
    sustained the biggest losses, because of corporate reluctance to
    discuss what anonymous surveys have found to be a growing problem.  
    Computer security experts who help protect these companies say the
    attacks are hitting major banks, telecommunications companies and
    other Fortune 500 companies - with a great breadth of types of attack.
    
    "If people found out how astoundingly large this problem is, they'd be
    shocked," said James P. Hurley, an analyst with the Aberdeen Group, a
    technology consulting firm. Mr. Hurley said one client, which he
    declined to identify, endured an electronic theft worth $500 million
    last year.
    
    Other security consultants recently recounted numerous examples of
    electronic thefts, but, like Mr. Hurley, they omitted company names
    because of confidentiality clauses in their contracts. Some examples,
    all provided by consultants who had seen the damage, include these:
    
    * Last summer, someone hacked into the treasury system of an East
      Coast financial services company, and transferred more than $1
      million to what investigators presume to have been personal 
      accounts. The company suspects it was an employee because of the 
      inside knowledge required to gain access to the system. The 
      investigation is continuing, but the employee's identity is still 
      unknown.
    
    * In November 2001, a New York brokerage house noticed an intruder
      in its network from overseas, but did not know the nature of the
      intrusion. When a security firm tracked him, they saw that he was
      removing trading information on euros and was using that data to
      compete with the firm while trading in markets in the Far East.
      The estimated damage was in the millions of dollars.
    
    * Last spring, hackers broke into a publicly held bank based in the
      United States and gained access to the bank accounts of wealthy
      customers. Millions of dollars were transferred overseas. The bank
      managed to back out of most of the transfers, but total losses,
      including a security clean-up, were more than $1 million.
    
    The weak economy is partly behind the rise in cybercrime, said Richard
    Power, global manager of security intelligence for Deloitte Touche
    Tohmatsu, a business consultancy. "In times of economic hardship,
    crime always increases," he said. "The more that money flows into
    cyberspace, the more criminal activity there'll be."
    
    Corporations, meanwhile, are struggling to keep pace. With budgets and
    personnel stretched thin, companies that added many new technologies
    to their computer systems during the dot-com build-up now find
    themselves lacking the resources to secure those systems against
    break-ins.
    
    Part of the problem is that cybercrime is much harder to detect than
    crime in the actual world.
    
    "The vast, vast majority of virtual crimes right now never get caught
    or prosecuted, where you have some chance in the real world," said Dan
    Farmer, chief technology officer of Elemental Security, a computer
    security firm in Silicon Valley. "It is extraordinarily hard to prove
    anything using digital evidence," Mr. Farmer said.
    
    Law enforcement authorities acknowledge the difficulty of catching
    electronic thieves. "The crime is much easier because you have
    anonymity," said Tim Caddigan, deputy special agent in charge of the
    Secret Service's financial crimes division. And often, he said, "It's
    much more profitable for criminals to use the computer," than to steal
    through more traditional means.
    
    Adding to the difficulty of catching wired thieves is the fact that
    the authorities are outnumbered and, in many cases, outsmarted by
    criminals with better computing skills — although the F.B.I. and the
    Secret Service are increasing their ranks of investigators with
    sophisticated computer skills. The number of investigators in the
    F.B.I.'s cyber division will roughly double in the coming months, to
    700, for example, while Mr. Caddigan of the Secret Service said 200 of
    the Service's 3,000 agents had completed training and more would
    follow.
    
    Electronic crime is also difficult to detect because it is so often an
    inside job. Security experts say the fastest-growing type of
    cybercrime involves the theft of intellectual property - the pilfering
    of a company's plans for major projects, for instance, or marketing
    schedules and budgets stolen by an employee and sold to a competitor.
    
    John Pescatore, an analyst with Gartner, a technology consulting firm,
    estimates that in 70 percent of computer systems intrusions that
    resulted in a loss, an employee was the culprit. In many cases, he
    said, those employees knew the company was headed for difficult times
    and possible layoffs, and sold information to competitors "either to
    make sure they got a good job at another place, or just to give
    themselves a golden parachute."
    
    In other industries, losses have become so widespread that accounting
    experts are starting to call for fuller disclosure of cybercrimes by
    corporate victims, saying that customers and shareholders should know
    more about the losses and risks.
    
    Mr. Ponemon, the consultant, said companies often conceal the losses
    in their balance sheets. "It'll be recorded in different accounts that
    wouldn't have the same level of scrutiny as a loss," he said. "It
    could be classified as a cost of sale, or a product cost, or in
    shipping or billing disputes and errors, and so on."
    
    Such cover-ups do not allow for "a clean picture about how expensive
    it is to have to deal with fraudulent or criminal activities," Mr.
    Ponemon said. "This is becoming a very material part of the business
    model, so it deserves its own disclosure. That way, people can make
    better business decisions — whether to demand better controls or
    better technology or different precautions."
    
    Securities and Exchange Commission rules say companies must disclose
    information that "a reasonable investor needs to know in order to make
    an informed decision about an investment." Regulators and securities
    lawyers interpret that rule using various thresholds, as when a loss
    equals 2 cents a share or 5 percent of net income.
    
    A securities lawyer cautioned against holding companies to a higher
    standard for disclosing cybersecurity breaches in all cases, lest they
    attract copycat attacks. "Sometimes it's more socially responsible not
    to disclose, because it could multiply a company's losses by 20," he
    said.
    
    But Jay Ehrenreich, senior manager of the cybercrime prevention and
    response group at PricewaterhouseCoopers, said requiring broader
    disclosure of cybercrimes "makes a lot of sense, and is something
    shareholders should demand."
    
    But he does not expect corporations to easily give in to such demands.  
    "A lot of times companies don't want to know what was taken," Mr.  
    Ehrenreich said. "They just want us to find what the problem was and
    close the door, because there's a cost to finding out what was
    actually taken."