Forwarded From: Simon Taplin <sticker@icon.co.za>
Y2K may mask hacker attacks
19 January, 1999
By Sharon Machlis and Sharon Gaudin
BOSTON - The rash of computer glitches expected in January 2000 may
create a golden opportunity for hackers, who tend to thrive when IT
attention is focused elsewhere, some security experts warn. But a
Computerworld poll of 102 executives found that 90 percent already have
considered the possibility and are examining ways to thwart such
opportunist hackers.
Of those surveyed, 23 percent said their companies are taking extra
security precautions for their computer systems as part of their year 2000
planning. For those who aren't, many said the Internet and electronic
commerce posed bigger potential threats.
Not everyone agreed that there will be heavy hacking at year's end. Some
argued that increased year 2000 systems monitoring could help security,
while others noted that would-be attackers could suffer year 2000 systems
p roblems of their own.
"People can attack whenever they want, but there's going to be so much
monitoring of the system that any anomaly would be noticed," said Mike
Riley, director of Internet development at R.R. Donnelley & Sons in
Downers Grove, Illinois. "If anything, there's going to be a heightened
sense of awareness."
Nevertheless, a half-dozen consultants contacted by Computerworld urged
companies to prepare. "If I was a hacker, I'd attack companies on December
1999. I'd be almost untouchable. They'd never find me," said Darek
Milewski, president of Cmeasures, a consulting firm in Berkeley,
California.
What to look for
Those consultants recommended that companies -- in addition to testing
their security systems' year 2000 compliance -- anticipate the following
possible year 2000-specific attack methods:
-- With so many people expecting systems problems this January 1, bugs
caused by malicious intruders may be misidentified as year 2000 woes --
and thus left unfixed.
-- Those trying to penetrate corporate systems, particularly economic
spies, may have set up year 2000 outsourcing firms. "What better way to
get in the front door than to be in the fix-it business?" asked Fran k
Cilluffo, director of an information technology task force at the Centre
for Strategic International Studies, a Washington think tank.
-- Any change in computer coding, no matter how simple, can cause
unintentional problems somewhere else. Those problems could include
opening up security holes.
-- Even those who have secured their own systems face potential security
gaps via partners.
-- Security spending, like many other IT budget items, will likely take a
backseat to year 2000 efforts this year.
-- Year 2000 also opens up a nontechnical hacking possibility. For
example, an outsider calls into a company on Monday, January 3, 2000,
claiming to be the firm's year 2000 consultant and asking employees for
their user names and passwords to check that everything's OK. "The best
time to attempt a security breach is a time of chaos," said Philip Carden,
a consultant at Renaissance Worldwide Consulting in Hoboken, New Jersey.
William Ulrich, a year 2000 consultant and columnist for Computerworld,
advises clients to include a security specialist in year 2000 projects,
but only one firm he works with has such a person who regularly attends
meet ings.
An audit team should "be on very, very high alert -- not just [at year's
end], but right now, looking for financial irregularities," said Ulrich,
president of Tactical Strategy Group in Soquel, California.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:05:50 1999