[ISN] Worker vengeance makes its way online

From: InfoSec News (isnat_private)
Date: Thu May 22 2003 - 22:22:28 PDT


    http://www.boston.com/dailyglobe2/142/metro/Workers_vengeance_makes_its_way_on_Web+.shtml
    
    By Thanassis Cambanis
    Globe Staff
    5/22/2003
    
    Furious that he'd been fired from the travel agency where he worked, 
    James O'Brien waited months before allegedly springing his carefully 
    plotted revenge. Just before Christmas 2000, according to federal 
    prosecutors, O'Brien hacked into his former employer's computer system 
    and canceled 60 customers' airline tickets. 
    
    The move cost the agency $96,000 and left dozens of would-be holiday 
    vacationers stranded at airports.
    
    O'Brien's alleged crime, according to federal law enforcement 
    officials who brought charges against him last month, is the new face 
    of hacking: Irate workers who in the old, low-tech days might have 
    simmered or spread slander about their ex-bosses now instead are 
    wreaking havoc on their former workplaces by infiltrating their 
    computer systems.
    
    ''Ten years ago, almost all computer crime tended to be kids, seeing 
    what they could do,'' said Assistant US Attorney Allison D. Burroughs, 
    who heads the Computer Hacking and Intellectual Property unit in the 
    US attorney's office in Boston. ''Now, it's disgruntled employees.''
    
    Burroughs's unit is currently working on 10 other cases in the federal 
    district of Massachusetts involving fired employees who allegedly 
    struck back at their former bosses by hacking into company computers. 
    About three-quarters of all federal hacking cases in Massachusetts, 
    she said, involve disaffected employees, compared with a decade ago 
    when that proportion of hacking cases stemmed from juveniles 
    vandalizing computer systems.
    
    The phenomenon not only marks a sea change in the criminal use of 
    computer systems, but poses a costly threat to corporations, which can 
    lose millions of dollars to hacker attacks by former insiders who know 
    their systems' vulnerabilities.
    
    ''You don't have to be that sophisticated to cause a lot of harm,'' 
    said US Attorney Michael Sullivan. A hacker with a grudge can bring a 
    company to its knees, he said, causing as much damage with a few 
    computer keystrokes as might be inflicted with a torch in a warehouse.
    
    Three cases were brought in Boston in the last month alone that 
    underscore the threat. In addition to O'Brien, who pleaded not guilty 
    May 1 in US District Court in Worcester, federal prosecutors indicted 
    a Sutton man who allegedly broke into his Worcester employer's 
    computer system, and a man who is accused of cooking up fake e-mail in 
    a lawsuit against an Andover company. The potential for mischief is 
    great. Robert Boule, a 29-year-old Framingham man, pleaded guilty in 
    federal court in Boston in February to breaking into his former 
    company's computer system to monitor its product lines so he could 
    undercut its bids.
    
    ''Technical knowledge and a bad economy have given a certain class of 
    people the means and the motive to commit crimes they would not have 
    been able to commit,'' Burroughs said. ''There are people getting laid 
    off who have a tremendous amount of knowledge about a company's 
    security and systems.''
    
    Many companies, federal authorities say, take great precautions to 
    protect against outside hackers.
    
    But increasingly, it's insiders who know passwords and have access to 
    a company's computer system who have the ability and, at times, the 
    desire to commit electronic sabotage. ''You used to send someone home 
    and take away their keys,'' Burroughs said. ''Now, in Massachusetts in 
    particular, you have sophisticated employees who know everything you 
    can know about your computer system.''
    
    In Burroughs's nightmare scenario, a former pharmacy employee hacks 
    into the computer network that contains customer prescriptions and 
    alters dosages -- not only hurting the pharmacy, but patients.
    
    ''You don't need a lot of physical courage to commit some of these 
    crimes,'' Burroughs said. ''You can do it remotely and, people think, 
    anonymously.''
    
    Four full-time prosecutors work in the so-called CHIPs unit. In 
    addition to hacking, the unit also prosecutes fraud, as well as theft 
    of intellectual property and trade secrets.
    
    The Boston office of the FBI has 13 agents assigned to high-tech crime 
    -- one of the bureau's only growth areas other than terrorism. And the 
    US Secret Service here has another six-agent team that investigates 
    cyber-crime.
    
    ''It's kind of cowardly, and because of the anonymity people think 
    they're not going to get caught,'' said Jonathan L. Kotlier, chief of 
    Sullivan's economic crimes unit. ''That was so interesting about the 
    Christmas ticket indictment -- he actually waited months to take his 
    revenge.'' O'Brien, of Worcester, faces up to 10 years in prison and a 
    $250,000 fine if convicted.
    
    Thanassis Cambanis can be reached at tcambanisat_private 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


