Forwarded From: Zp33d13@dialup244-4-58.swipnet.se
http://chicagotribune.com/splash/article/0,1051,SAV-9809060162,00.html
COMPUTERS SPAWN A NEW CRIMINAL BREED
By Naftali Bendavid
Washington Bureau
September 6, 1998
WASHINGTON -- Michael Vatis,
dwarfed by his bare office on the
11th floor of FBI headquarters, has a big job at age 35--protecting the
vast, tangled array of all the nation's computer networks from break-ins
by criminals, pranksters, even terrorists.
Vatis heads a new FBI team charged with coordinating computer
investigations across the country. Thin, rumpled and intense--a slightly
older version, perhaps, of the teenage hackers he pursues--Vatis sips
steadily from a can of Diet Coke. A computer with a red "secret" label
sits behind him along with an FBI mousepad.
He speaks with a preacher's fervor.
"All the critical services that our society relies on for its everyday
functioning are now dependent on computers," Vatis said. "And they are
interconnected with each other in ways that are so complicated and so vast
that even if you just caused one system to crash, that would have
cascading effects on other systems in ways that we can only begin to think
about."
Vatis' group is part of a push by federal investigators to attack what
amounts to a new kind of crime--intrusions into computer networks, ranging
from Fortune 500 companies to the Defense Department.
Some predict it is a matter of time before a hacker brings down a 911
system or hospital, with catastrophic results.
Law enforcement is beginning to respond seriously. Vatis' unit, created in
February, has 50 members and will build to 125 sometime next year. The FBI
has computer crime squads in seven cities, including Chicago.
Also, a new breed of private detectives has sprung up, cybersleuths who
scrutinize hard drives the way old-fashioned gumshoes studied
fingerprints. The Computer Security Institute, a group of computer
security professionals at major companies, has grown to 5,000 members.
Vatis' operation is a sort of nerve center. Part of his job is to imagine
the worst carnage that hackers--including well-financed terrorists or
hostile nations-- could wreak.
His description sounds like a disaster movie: "Blacking out power grids,
shutting down telecommunications, bringing down our whole financial
sector, disrupting government emergency services like police, fire and
rescue, interfering with our air traffic control system, control of our
railroads and railways, and delivery of oil and gas."
For now, most hacking episodes are less apocalyptic but still troubling.
Sixty-four percent of the business and government agencies in a recent
survey reported computer security breaches within the last year, up from
42 percent two years ago. The FBI was handling 200 computer cases two
years ago; now the number is close to 500.
The newness of computer crime makes it daunting. Authorities have been
investigating murders, for example, for centuries, and their techniques
have become increasingly refined. Cybercrime, in contrast, requires
entirely new methods, new technology, new philosophies.
"In the traditional crime, you have witnesses. Here there are no
witnesses," said James Healy, who supervises the Chicago FBI's computer
crimes squad. "In the traditional crime, you have something of value
taken. Here you're talking about data loss. . . . We are looking at a
system of crime that we can't just put on a parallel to other crimes."
Healy's nine-member squad was formed a little over a year ago, and it is
just beginning to score successes. One case began when a company called
U.S. Web, which creates Web sites for other companies, reported that two
of its sites had vanished mysteriously. Healy's team closed in on a
former U.S. Web employee, James Watson, 25, of Naperville.
Watson pleaded guilty to charges of harming a computer system used in
interstate commerce, a crime under the federal anti-hacking statute. He
has not yet been sentenced.
As with other crimes, victims often are unwilling to rely on official
investigators, turning instead to the new breed of private cybersleuths. A
new field called data forensics has emerged, its experts specializing in
retrieving information that has been erased.
John Posey, president of an investigations firm called Information Risk
Group, is one of the new breed. His firm was hired by one company recently
because pornography was mysteriously popping up on its computer system,
along with copies of The Anarchist Cookbook, a radical instruction manual
on everything from explosives to drugs.
Posey's team tracked down the employee responsible, and when he came in
for his midnight shift Posey confronted him. "He had wanted to be in (his
employer's) information technology group, and they thumbed their nose at
him," Posey said, explaining the man's motive. "He thought he knew their
system better than they did, and he was right."
The demand for services like Posey's is likely only to increase.
Virtually every company and agency, after all, now stores its crucial
information on its computer system. Criminals stalk hard drives much like
they used to follow armored trucks.
In the rush for companies to get on-line with ever better software,
experts say, security is being overlooked, and that opens the door. And it
is indisputable that hacking episodes have invaded the headlines with
increasing frequency in recent years.
Ehud Tenebaum, an 18-year-old Israeli who calls himself "Analyzer," was
arrested in March for allegedly penetrating U.S. government computers.
The same month, charges were unsealed against another hacker who allegedly
disabled a crucial computer at a Massachusetts airport.
In Chicago, a software engineer was charged recently with paralyzing the
computers at Highland Park Hospital for two days.
"It's like the Old Western gunslingers," said John Spain, vice president
of Asset Management Solutions, a corporate security firm. "A lot of people
want to put a notch in their keyboard, like the old gunslingers wanted to
notch their six-shooters."
Perhaps most terrifying for many companies is the threat that confidential
information will be erased. Executives at Omega Engineering Corp. in New
Jersey were shocked one day to find that a huge amount of software had
been deleted from their system. Omega makes sophisticated gauges for NASA
and the U.S. Navy, and the company says the lost data cost it $10 million.
Federal agents investigated, and they ultimately arrested program designer
Timothy Lloyd, who recently had left Omega. Lloyd has pleaded not guilty
to federal hacking charges.
Cybercrime is attractive partly because it is so easy to pull off, police
say. Conventional offenses-- robbery, fraud, extortion--require
perpetrators to recruit accomplices and perhaps even face gunfire and risk
death. Computer crimes can be pulled off while sitting in an easy chair.
Giving hackers an added boost are several Web sites that post hacking
plans, or "exploits," which can be downloaded and used to break into
various systems.
A site called Rootshell recently described a facet of the Yahoo Pager
program as "just plain sad." It added: "All you need to supply is a user
name to bump people off, spy on contact lists, hijack conversations,
impersonate people, etc." Then the site seemingly gave instructions on how
to do so.
Those who run such sites insist they are actually helping companies by
pointing out weaknesses so the companies can correct them, but security
specialists scoff at that. "If someone breaks into my house, it never
enters my mind that they are helping me test my security," Spain said.
The biggest problem facing anti-cybercrime efforts may be the
philosophical chasm between police agencies and business leaders. Police
want to monitor companies' private information so they can fight and
investigate crime. Businesses want to keep it secret.
Many corporate leaders distrust the FBI's new cybercrime efforts.
"The FBI . . . has been a political organization that has abused civil
liberties, spied on political dissidents and investigated enemies of the
administration in power," said libertarian scholar David Kopel. "To say
that they will get more power over something as important as computers is
very frightening."
But Richard Power, spokesman for the Computer Security Institute,
ridiculed the notion that corporations can fend off computer crime without
law enforcement. "It's as if you expected a highway system to grow up
without any yellow lines, without speed limits and without driver's
licenses," said Power, whose group represents computer security
professionals. "That's what we're expecting Internet commerce to be. And
it's just not going to happen."
Police even suspect that companies fail to report hacking incidents for
fear of damaging their reputation. That, they add, is like a bank not
reporting a robbery because doing so would reveal its vulnerability.
"If you stay inside your shell and keep all that information to yourself
and don't inform anybody, who's going to catch the bad guy and deter other
people from engaging in the same sort of activity?" Vatis asked. "It's
going to happen again and again and again."
The tensions may ease as time goes on, some say. Others predict cybercrime
itself will fade as companies begin to demand better safety mechanisms
from software manufacturers.
Still others say companies will get better at taking basic steps, like
creating secure backup systems. But few dispute that cybercrime will be
around as long as cyberspace is.
"There is incredible impetus to get on-line fast and in all ways," Power
said. "The technologies are very new and they're very vulnerable. We are
going to be in a messy situation for a while."
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Sep 7 09:57:28 1998