http://www.eweek.com/article2/0,1759,1597361,00.asp

By Dennis Fisher
May 24, 2004

When Donna Getgen opened a letter from her credit union in March, the message within was anything but routine. Getgen was informed that she had been the victim of a cyber-theft. Getgen's account number, the letter read, was stolen from a database at BJ's Wholesale Club Inc., where she shopped from time to time.

Stunned, Getgen, a business operations specialist for a high-tech company from Owings, Md., would later learn that she was one of tens of thousands of victims of one of the largest cyber-thefts in recent history.

The BJ's security breach, which occurred over seven months from late 2003 to early this year and compromised thousands of debit and credit cards, was just the latest example of the kind of large-scale cyber-crime being perpetrated with greater frequency than ever in the United States and around the world.

Ironically, as the number and scope of cyber-crimes proliferate, local, state and federal authorities are scrambling for resources to combat the threat. In many cases, the authorities are directing resources away from cyber-crime cases.

"Most Americans would be surprised to know that thousands of credit card numbers are sold online every day, and very little is done to stop it," said Jim Melnick, director of threat intelligence at iDefense Inc., in Reston, Va., and a former Defense Intelligence Agency officer. "The dirty little secret is that there's all this other stuff going on that nobody is stopping. I'm not sure there's an understanding inside Washington of how pervasive cyber-crime is."

Increasingly sophisticated schemes—from outright break-ins to so-called phishing scams—are among the biggest problems facing financial institutions today. The number of phishing attacks alone has grown by 1,200 percent in the past year, according to MessageLabs Inc., in New York. Phishing is the practice of sending fraudulent e-mail purporting to come from a bank, credit-card issuer or other trusted source to solicit account numbers, Social Security numbers and other sensitive data.

A comprehensive study of the problem released last month by analysts at Gartner Inc., of Stamford, Conn., shows that more than 57 million Americans have received at least one phishing e-mail. The financial losses suffered by banks and credit card issuers that ultimately pay for these frauds amounted to $1.2 billion last year, the study said.

Despite the mounting research, bank officials contacted for this story said they, along with credit card issuers, are doing most of the education and prevention regarding cyber-crime without much help from law enforcement or government regulators.

"The biggest risk right now for us is the loss of reputation," said Michael Roberts, senior vice president and CIO of the Bank of Alameda, in California. "We get a lot of people who have had their account numbers or Social Security numbers stolen and come to us for help. We can't have that.

"Identity theft is escalating, and it's moving offline. We see people coming in here with stolen numbers trying to open accounts. It's happening."

Actually, cyber-crime has been happening for years. It is only now entering the public consciousness, thanks to high-profile incidents like the BJ's theft and elsewhere, such as those perpetrated on Guess Inc. and MTS Inc.'s Tower Records unit. In fact, of the 500 companies that responded to a recent FBI survey, 90 percent said they'd had a computer security breach, and 80 percent of those said they'd suffered financial loss as a result.

Today, online criminals use stolen credit card numbers as illicit currency. The information is traded for other commodities, such as Social Security numbers or access to networks of compromised PCs that can be used in distributed-denial-of-service (DDoS) attacks.

But as the cyber-crime rate climbs, security experts, consumers and even former government officials are questioning why federal lawmakers and administration officials have devoted so few resources to combating the menace. Many attribute the resource issue to the war on terrorism.

"There were decisions made that things like credit card investigations weren't worth it at that point," said one former federal law enforcement agent who was involved in cyber-crime investigations for more than a decade. "Cyber-crime was put on the back burner. Pure investigations into cyber-crime have diminished at the FBI and the Secret Service."

Indeed, in the months following the terrorist attacks of Sept. 11, 2001, counterterrorism became the highest priority for the FBI as well as the Secret Service, the two federal agencies responsible for the bulk of the government's cyber-crime investigations. That shift took its toll on the computer crime units at both agencies, and nearly 20 Secret Service agents who were working on cyber-crime at the time of the attacks were transferred to terrorism investigations.

"There's a broken spirit in the government as far as cyber-crime," the former agent said. "It's one of the most daunting tasks that law enforcement has ever had to deal with."

For those investigators at the FBI and Secret Service still responsible for handling cyber-crime—about 300 and 100, respectively—many are often pulled away from their regular duties to work on special details, which can lead to long delays in completing investigations.

"There just aren't enough agents to do what's required," the former agent said. "The response from the government hasn't been commensurate with the problem. The big investigations that you see on TV with the press conferences were the exception, not the rule.

"They're just showpieces. Having a massive investigation every six months is inconsequential when you have a crisis going on."

According to government and law enforcement officials, the lack of interest in fighting cyber-crime comes from the top down and is traced to the current and past presidential administrations.

Richard Clarke, chairman of Good Harbor Consulting LLC, in Herndon, Va., and a former counterterrorism official in the Clinton and current administrations, often warned of the potential for a terrorist-based computer attack that would take out portions of the U.S. power grid or financial networks.

When the power grid that serves huge swaths of the Northeast, Midwest and portions of Canada failed on a sweltering day last August, just days after the outbreak of the infamous Blaster worm, many people thought Clarke's oft-repeated prediction of a "digital Pearl Harbor" had come true. Within hours of the blackout, CNN reported from the paralyzed streets of Manhattan that U.S. officials were investigating the possibility that Blaster had caused the outage.

It seemed to fit. Blaster was running rampant on the Internet, infecting hundreds of thousands of machines. More to the point, other recent worms had wreaked havoc with machines and networks not normally thought to be vulnerable.

The SQL Slammer worm in January 2003 brought down the 911 dispatch system in Bellevue, Wash., and disrupted the operation of Bank of America's network of ATMs, angering customers and inciting fears that so-called crackers had stumbled on a new attack vector.

Then Blaster arrived. But in the 10 months after the blackout, no evidence linking Blaster to the outage was found. In fact, an exhaustive report written by a joint U.S.-Canadian committee formed to study the blackout's effects determined there was no connection to any deliberate malicious attack on the power companies' computers.

"The [Security Working Group] found no evidence that malicious actors caused or contributed to the power outage, nor is there evidence that worms or viruses circulating on the Internet ... had an effect on power generation," the report concluded.

The report should have relegated Blaster to a footnote in the matter. But many security experts point to the incident as a perfect illustration of how the specter of cyber-terrorism can obscure the real problem of cyber-crime.

While examples of cyber-crime abound—from database theft to Nigerian banking scams to the rigging of online gambling to worm attacks—no current or former government officials, no law enforcement officers and no security experts interviewed for this story could cite a single example of cyber-terrorism.

"There haven't been any at all, to my knowledge," said Howard Schmidt, chief security officer at eBay Inc., in San Jose, Calif., and former chairman of the President's Critical Infrastructure Protection Board and one of the first dedicated computer crime investigators in the country, first with local law enforcement in Arizona, then with the FBI and later with the Air Force Office of Special Investigations. "I actually refrain from using that term [cyber-terror]."

That's not to say the possibility doesn't exist for a concerted, targeted attack to bring down a critical banking network, utility grid or other vital system. Clarke, for one, sees the threat of cyber-terrorism as a serious concern for the United States.

"What we see today is just the tip of the iceberg in terms of what's possible, especially if a nation-state wanted to get in on this," he said. "As long as these things are possible, we run the risk that someone will do them."

And while other observers claim terrorist groups are using the Internet mainly for communications and fund-raising, Washington insiders insist the government is not sitting by idly awaiting a strike.

"Cyber-crime is an alarming trend and one we're actively [focused on]," said Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security, the nation's top cyber-security post. "It's a huge issue. The Department of Justice's top priority is this. We're trying to build a threat-independent approach to protection. We don't care if it's a terrorist or a kid. If there's an impact, that's what we care about."

Yoran said that relatively little data on cyber-crimes is flowing between the different departments and agencies in federal, state and local governments but that efforts are under way to change that. Another problem, he said, is the naivete of most Internet users.

"I think there's a lack of general awareness among consumers about how vulnerable they are," Yoran said in Washington. "The issues right now are overly complex, and the government has to simplify it."

Donna Getgen might agree, although it doesn't offer her much comfort. No fraudulent activity was found involving her debit card account in March, and the Digital Federal Credit Union, in Marlborough, Md., went ahead and canceled the card and was in the process of issuing her a replacement by the time she received the letter. But Getgen is still distressed by the incident.

"I really have lost trust," said Getgen. "I haven't been back to BJ's since this happened, and I don't intend to go back. If I did, it would be on a cash basis only."