- The Washington Times - Monday, June 25, 2001

An employee at Peak Technologies in Columbia, Md., thought he was opening a routine e-mail during a late-night work session in January 1999.

The message, purportedly from the chief operating officer, said the company would close its doors in a few weeks because the big boss bankrupted the company when he embezzled hundreds of thousands of dollars to support his female lover, according to court documents.

An e-mail attachment included a pornographic picture and sexually graphic script.

Peak officials spent the next two days repairing damage to their computer network. The company produces computer equipment and software related to bar-code scanning.

The messages included information that only a corporate insider would know, which led investigators to Joseph Durnal, a former contract employee.

Last December, Mr. Durnal pleaded guilty to computer piracy and was ordered to pay $48,520 in restitution.

The employee who opened Mr. Durnal's falsified e-mail just as well might have been opening a window to a trend in the technology industry.

A byproduct of recent layoffs in the technology industry is disgruntled employees who seek revenge by booby-trapping computers or stealing trade secrets.

Computer crimes of all kinds are on the upswing and are getting more expensive, according to a recent survey of 538 companies, universities and government agencies by the San Francisco-based Computer Security Institute and the FBI.

Eighty-five percent said their computer networks were hacked in the previous year. The 186 respondents who added up the damage estimated their total losses at $378 million. In the survey last year, 249 companies said they lost a total of $266 million.

"Cases are increasing," says Debbie Weierman, spokeswoman for the FBI's National Infrastructure Protection Center. From its base at FBI headquarters in Washington, the center's 290 supervisors and investigators nationwide ride herd on 1,300 pending cases of computer hacking, most involving attacks on corporate computers.

'Hacktivists'

"Hackers range from 15-year-old kids to disgruntled employees to folks they call 'hacktivists' who have a political agenda to those who have financial inclinations and on up to foreign countries," Miss Weierman says. "There really is no definitive profile."

The FBI report blamed some of the victimized companies for their own security lapses.

"Too many organizations have yet to come to grips with vital organizational issues," the report

said. Among issues many companies leave unresolved are: "Where should information security report within the corporate structure? Directly to the CIO or the CFO rather than somewhere down in the bowels of IT? How much money should be dedicated to information security overall?"

Many companies are unable to bear the consequences of being unprepared for hackers, Miss Weierman says.

"It could have a debilitating impact on a company if its internal records were either defaced or divulged to the general public," Miss Weierman says. "Companies have proprietary information. It also involves the disruption of service."

In addition, credit card numbers and other private information about customers could be leaked, risking not only a loss of business but also the risk of liability.

The risk to companies and infrastructure has motivated local police departments to form computer crime squads.

The Washington Metropolitan Police Department, for example, has a special squad investigating computer crimes.

Even suburban police are training computer crime fighters.

"More and more people have computers and more and more bad guys are using computers," says Amy Bertsch, spokeswoman for the Alexandria Police Department. "We've seen an increase in these cases. It's just one more place to seize evidence of a crime."

When the FBI, police and corporate officials want help developing security systems for their technology, often they turn to Mitretek Systems Inc., a McLean-based nonprofit organization that uses technology to solve public interest problems.

Time bomb

Rick Murphy, one of Mitretek's information security engineers, tells about the time a St. Louis company called him after a former employee planted a "timer" in its software that destroyed its inventory database.

The timer was a set of commands that would reset the software in its proper format each time the employee logged on. If, however, the employee was denied access for an extended period of time, the timer would go off.

Shortly after the employee was terminated, his former colleagues came to work one day and found their computerized records were simply gone.

"They were down for a few days and as a result of that lost a lot of business," Mr. Murphy says. "There were things that could have been done to fix this problem, like code reviews."

The company sued the employee, but the damage already was done. One major oversight, Mr. Murphy says, was, "They trusted their employees."

Recently, he says, the most common acts of revenge involve damaging desktop computers and deleting hard drives.

So far, most of Mitretek's customers have been government agencies. Economic trends of recent months are changing the business climate.

"We're starting to see a lot more interest in the commercial entities, particularly the dot-coms," Mr. Murphy says. "With all the people being laid off, you find a lot more companies afraid. You can't stop a determined hacker."

A typical security tactic is to maintain critical information on a server, while allowing employees access only to software on their own desktop computers, he says. Other strategies involve policies that restrict access to trade secrets or computerized information to a few key employees. Regular reviews of computer code to ensure it has not been altered also are a good idea.

At many Silicon Valley companies, laid-off workers are immediately marched out of the building, with hardly enough time to collect personal property. Security guards stand by in case tempers flare.

Self-protection

Nevertheless, the FBI says many companies are not doing enough to guard their computer systems. Agents explain the risks in regular lectures at Silicon Valley companies, especially during layoffs.

They tell human resources managers to know not only who they just hired, but also who they just fired.

The U.S. Attorney's Office in San Jose, Calif., reports that it is prosecuting more cases involving thefts of trade secrets and break-ins to corporate networks by former employees.

Although Silicon Valley's economic downturn is one factor, more cases may be surfacing publicly because more companies are reporting the crimes to authorities.

In the Computer Security Institute report, 36 percent of the companies, schools and agencies hacked in the last year said they reported the crimes to law-enforcement agencies, up by one-fourth from the previous year.

Nearly all the companies that failed to report their hacking problems to law-enforcement agencies said they were concerned about negative publicity. Many prefer to file lawsuits against hackers.

The damage that hackers can do is potentially extreme.

The FBI still is investigating whether hackers played a role in California's recent energy crisis. From April 25 through May 11, hackers nearly gained access to critical parts of the power grid operated by California Independent System Operator before they were detected. Hackers had entered the system through servers in China's Guangdong province; Santa Clara, Calif., and Tulsa, Okla.

Cracking down

The risk computer hacking creates for companies individually and the economy as a whole has prompted law-enforcement agencies to ask Congress for more money and tougher laws to fight cyber-crime.

In testimony this month before the House subcommittee on crime, Justice Department lawyers mentioned the 1999 "Melissa" virus as an example of how weak laws fail to deter hackers.

"In that case, even though the defendant caused tens of millions if not billions of dollars of damage, the maximum penalty was five years in prison," says Michael Chertoff, head of the Justice Department's criminal division.

The punishment for computer crimes depends on the offense. Hacking computers containing national security information, for example, can get the culprit up to 20 years in prison. Accessing computers of financial institutions for purposes of corporate spying would get the offender up to one year in jail and a fine. Computer fraud, such as through theft of credit card information, can bring up to 10 years in prison.

The Justice Department just won its first federal conviction in New York City against a hacker. Jesus Oquendo, a computer security specialist for a financial services company, was sentenced to 27 months in prison two weeks ago and ordered to pay a $96,385 fine after he inserted commands into the company's software that e-mailed trade secrets to his home computer.

The Justice Department, which acts as the legal department of the FBI, still is trying to assess what might be one of the worst cases of cyber-crime in its history.

In February, FBI agents arrested Robert Hanssen, one of their own counterintelligence agents, on charges he spied for Russia since 1985. Mr. Hanssen was described in court documents as a skilled programmer who had access to the FBI's computer network. The FBI will neither confirm or deny whether Mr. Hanssen had access to Interlink, the highly secure network used by the CIA, the National Security Agency and others in the U.S. intelligence community.

If he did, the damage to U.S. security could be far-reaching, as well as difficult to trace.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide