Saturday, September 29, 2007


Interview With A Convicted Hacker

Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services

On his way to federal prison, the 23-year-old hacker says breaking into computers at telecom companies and major corporations was "so easy a caveman could do it."


By Sharon Gaudin, InformationWeek
Sept. 26, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=202101781



Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

Pena, who is charged with acting as a legitimate wholesaler of Internet-based phone services as part of what the government called a "sophisticated fraud," fled the country a year ago and is wanted as a fugitive. Assistant U.S. Attorney Erez Liebermann said Pena allegedly stole and then sold more than 10 million minutes of service at deeply discounted rates, netting more than $1 million from the scheme.

Acting as the operation's technical muscle only netted Moore $20,000 of the haul, according to Moore.

The government identified more than 15 VoIP service providers that were hacked into, adding that Moore scanned more than 6 million computers just between June and October of 2005. AT&T reported to the court that Moore ran 6 million scans on its network alone.

However, the names of the companies Moore and Pena hacked into don't appear in the court documents--aliases are used instead--and Moore said he wasn't at liberty to identify them publicly.

Liebermann noted that one small telecom went out of business because of expenses the company incurred during the break-in. The company legitimately routed its own VoIP traffic through a larger telecom and was forced to pay the other company for the calls that Pena and Moore fraudulently sent through their network. "They had to eat the bill and were unable to remain in business," added Liebermann.

Default Passwords: A Hacker's Dream

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ... We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."

Keith Rhodes, chief technologist at the U.S. Government Accountability Office, said he's not surprised at all by what Moore says he found.

"Default passwords are a silly problem," said Rhodes, who is widely considered to be the federal government's top hacker. "But they were able to take a silly flaw and turn it into a business. ... It disappoints me, but I'm not surprised."

Kenneth van Wyk, principal consultant with KRvW Associates, said leaving default passwords up is a widespread and dangerous problem.

"It's a huge problem, but it's a problem the IT industry has known about for at least two decades and we haven't made much progress in fixing it," said van Wyk. "People focus on functionality when they're setting up a system. Does the thing work? Yes. Fine, move on. They don't spend the time doing the housework and cleaning things up."

It's also a problem for which the companies themselves are liable, Moore said.

"I think it's all their fault," he added. "They're using default passwords and their administrators don't even care. ... Anybody who has bad security, it's their fault. There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find. They need to get more education and security in the VoIP industry. There were thousands of routers that were compromised in this, just from my scans alone."

Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors.

"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."

Rhodes, however, says until vendors make it necessary to change the default password before a system or product will work, IT departments need to be given the time and resources to get it done.

"I have nothing but empathy for all the security personnel I've ever worked with," he said. "I've never met one yet who had enough people, enough time, enough support. ... It would take nothing to change a default password, but you need to actually have people who have the job to do that."

The Break In

Moore, who describes himself as a "mega geek" more upset about being banned from using a computer than actually going to prison, said his job in the operation largely was to write software that ran scans and brute-force attacks against Cisco XM routers and Quintum Tenor VoIP gateways. To do it, he said he used 2 gigs of information on corporate IP ranges that they bought for $800. He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn't find default passwords or easily exploitable bugs, he'd run brute-force or dictionary attacks to try to break the passwords.

"We would go to telecom forums and other telecom sites that list company names and where they're from," he explained. "We'd look at foreign countries first. We'd take the name and IP range and then dump it into the scanner. ... Some of the Cisco versions, like IOS, were old and easier to get into."

Liebermann, the prosecutor, also noted that while Moore broke into telecoms so they could steal the VoIP service, he also hacked into countless other businesses so they could use the hijacked company connections to disguise the calls they were sending to the telecoms. With the VoIP connections in place, they simply needed corporate connections to mask their trail.

"He wanted me to look for [a network] with lots of traffic," said Moore. "Even if it was not a telecom, they might be connected to a telecom and then you could move through that connection to the telecom. ... [Pena] was taking legit calls that he had customers for and then rerouting the calls through rogue boxes."

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- businesses, agencies and individual users. "I know I scanned a lot of people," he said. "Schools. People. Companies. Anybody. I probably hit millions of normal [users], too."

Tips From The Hacker

Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion detection system set up, they could have easily seen that these weren't their calls."

The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. "We came across only two or three boxes that actually had access lists in place," he added. "The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords."
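The two controls Moore describes, keeping login logs and restricting management access to the company's own addresses, can be checked against each other: every successful login from an address outside the management range is one an access list would have blocked, and a burst of failures from one source is the brute-force or dictionary run he describes. The script below is an added example, not code from the article or from any vendor; its log lines are constructed and modeled on the Cisco IOS `%SEC_LOGIN` syslog message format (an assumption), and the addresses, account names and threshold are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modeled on IOS %SEC_LOGIN messages (assumed format).
# 198.51.100.23 is a documentation address standing in for an outside scanner;
# 10.20.0.0/24 stands in for the operator's own management network.
SAMPLE_LOG = """\
Jun 12 2005 03:14:02: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jun 12 2005 03:14:05: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jun 12 2005 03:14:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jun 12 2005 03:14:12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jun 12 2005 03:14:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jun 12 2005 03:14:20: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 23]
Jun 12 2005 09:02:41: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 22]
Jun 12 2005 11:45:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.20.0.9] [localport: 22] [Reason: Login Authentication Failed]
Jun 12 2005 11:45:30: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.9] [localport: 22]
"""

# Pulls the outcome, the account name and the source address out of one line.
LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: ([^\]]+)\] \[Source: ([^\]]+)\]"
)

# Placeholder policy values: the networks an access list would permit, the
# vendor-style account names that should never log in, and how many failures
# from one source count as a password-guessing run.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DEFAULT_ACCOUNTS = {"admin", "cisco"}
FAIL_THRESHOLD = 4


def parse_events(text):
    """Yield (outcome, user, source) for each login line; skip other lines."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            outcome, user, source = match.groups()
            yield outcome, user, source


def in_management_range(source, mgmt_nets):
    """True when the source address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # malformed address: treat as outside
    return any(addr in net for net in mgmt_nets)


def analyze(text, mgmt_nets=MGMT_NETS, fail_threshold=FAIL_THRESHOLD):
    """Return the three findings a log review should surface:
    successful logins from outside the management range, successful logins
    on default account names, and sources with a burst of failed logins."""
    outside_logins = []
    default_account_logins = []
    failures = Counter()
    for outcome, user, source in parse_events(text):
        if outcome == "LOGIN_FAILED":
            failures[source] += 1
            continue
        if not in_management_range(source, mgmt_nets):
            outside_logins.append((user, source))
        if user in DEFAULT_ACCOUNTS:
            default_account_logins.append((user, source))
    brute_force_sources = sorted(
        (src, n) for src, n in failures.items() if n >= fail_threshold
    )
    return {
        "outside_logins": outside_logins,
        "default_account_logins": default_account_logins,
        "brute_force_sources": brute_force_sources,
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed log the outside login and the default-account login are the same event, which is the point: a single `admin` login from a non-management address after a run of failures is the whole intrusion in one line, visible to anyone reading the log.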

The GAO's Rhodes said if companies don't fix the small problems, they can open up gaping holes that hackers are ready to jump through.

"All it takes is one bad access point and they're in," he noted. "The weak link -- you find that one point and all the security unravels. ... I'm not surprised that someone going to prison said 70% are at risk. You only have to have one default password and all your security is at risk."


US improperly releases threat details By TED BRIDIS and EILEEN SULLIVAN, Associated Press Writers

Thu Sep 27, 5:45 PM ET



The Homeland Security Department improperly disclosed details about a serious threat to the U.S. electrical grid to industry researchers just days after it produced a video showing simulated hackers remotely seizing control over a $1 million diesel-electric generator.

The equipment self-destructed in a cloud of smoke and flying parts.

Worried that technical details could leak among terrorists or unfriendly foreign governments before equipment makers could fix the problem, the Bush administration contacted the small group of researchers afterward and urged them not to reveal anything they had been told. People familiar with the miscue described it on condition of anonymity because they were not authorized to discuss it publicly.

The disclosures — made by a Homeland Security employee without authorization from his supervisors — occurred during private briefings in Atlanta at a trade conference in March.

The video, obtained late Wednesday by The Associated Press, was marked "Official Use Only." It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous generator — obtained from Alaska's power grid for testing purposes — shudders as pieces fly apart and it belches black-and-white smoke.

The video was produced for top U.S. policymakers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants.

The White House said Thursday it is working to improve cybersecurity with more coordination and cooperation among federal agencies, state and local governments and companies. "For example, with electrical grids, a lot of that security is handled by (the) private sector," White House spokeswoman Dana Perino said.

The electrical attack never actually happened.

The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was quietly fixed, and equipment makers urged utilities to take protective measures.

The technology industry has debated for years the timing of announcements that products may be vulnerable to attacks or break-ins. Disclosures made too quickly — before protective measures can be put in place — can increase risks by tipping off attackers. But warnings issued too slowly can leave utilities and customers unprotected.

The video was produced just days before the annual meeting of an organization of researchers, governments officials and equipment manufacturers. At invitation-only meetings at the conference, the Homeland Security Department described the threat and even aired the video showing the generator tearing itself apart, participants said. Realizing its mistake afterward, the government warned researchers not to discuss the threat and reminded them the video was intended for "Official Use Only."

There was no evidence any U.S. utility companies have suffered damage from hackers or terrorists using this technique, U.S. officials said. But these officials cautioned that affected systems are not monitored the same way that many modern corporate computer networks are, so there would be little forensic evidence to study after such a break-in.

President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation."

The Idaho National Laboratory — which produced the new video — has described the risk ominously as "the invisible threat."


Fewer Companies Suffer Security Breaches, But They're Much More Severe


A CompTIA study also showed that one in four companies surveyed indicated that they have had an insider security breach or threat in the last year.


By Sharon Gaudin, InformationWeek
Sept. 21, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=202100132



The number of companies suffering security breaches has dropped over the last two years, but the severity of the breaches has doubled, according to a new study.

The Computing Technology Industry Association (CompTIA) released a study showing that 66% of the 1,070 organizations surveyed said they did not have a security breach in the previous 12 months. That's a slight improvement from the 61.8% who said the same thing last year and the 42% who said it two years ago.

However, while the number of incidents has dropped, the severity of those attacks has gone in the opposite direction.

CompTIA reported that respondents rated the severity level of their security breaches at a 4.8 on a 0 to 10 scale, where 0 is not at all severe and 10 is very severe. Last year the severity rating stood at 2.3 and the year before that it was 2.6.

"People have learned that any type of breach is a catastrophe in the making," said Steven Ostrowski, a spokesman for CompTIA, in an interview. "What we've seen is more attention being paid to securing information and networks and intellectual property."

The study comes out about a week after TD Ameritrade Holding disclosed that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers. And just two days ago, the State of Connecticut announced it is suing its own computer consultant, Accenture, for losing personally identifying information on 58 residents and hundreds of state bank accounts and purchasing cards.

Ostrowski acknowledged that it certainly doesn't appear that companies and government agencies are having fewer security breaches. The issue, he added, is that before laws compelled companies to come clean about break-ins, the public simply wasn't always told that it happened.

"That's why you're seeing all these situations getting more publicity," he noted. "Maybe IT also is getting better at catching these things."

The survey also showed that nearly one in four companies indicated that they have had an insider security breach or threat in the last year. Ostrowski contends that insider risk is growing because more and more employees are working from home or on the road.

"The concern about internal breaches is growing greater, especially with the number of remote workers growing," he said. "Every time you have someone connecting from outside the organization's four walls, it's another risk."

As for the financial damage caused by all kinds of breaches, the average cost across all companies surveyed is $369,388, reported CompTIA. That cost, however, is driven upwards by a handful of companies that estimated security breach costs to be in excess of $10 million. This, noted the report, reflects the higher risk that larger companies face.

About half of respondents estimated the cost of their security breaches in the last 12 months to be $10,000 or less.

Here's how the companies broke down the costs of a security breach:

-- Employee productivity impact, 35%;

-- Server or network downtime, 35%;

-- Impact on revenue-generating activities, 20%;

-- Impact on physical assets, 17%, and

-- Legal fees and fines, 8%.


Gander Mountain Announces Possible Theft of Pennsylvania Store Computer

Gander Mountain Announces Possible Theft of Pennsylvania Store Computer; Customers of the PA Store Could Be Affected

September 10, 2007: 05:30 PM EST


ST. PAUL, Minn., Sept. 10 /PRNewswire-FirstCall/ -- Gander Mountain Company today announced that computer equipment, containing certain customer transaction information relating to a single store in Pennsylvania, is missing and may have been stolen. The transaction data relates only to customers who conducted business with the Gander Mountain store located in Greensburg, PA, during the period from July 2002 through June 2007.


The stored transaction information may have included:

-- Approximately 112,000 credit card numbers with expiration date but without any other associated information.

-- Approximately 10,000 transaction records may have included the credit card number, expiration date and customer name.

-- For the approximately 5,100 credit card customers who returned merchandise or did a lay-away purchase at the store during this period, the information also may have included an address.

-- For the approximately 650 customers who purchased by check and returned merchandise without a receipt or put merchandise on lay-away by check payment, the information may have contained a name, address, driver's license number and date of birth.



The company has sent letters to the approximately 5,750 customers for whom address information is available informing them of this incident. The letter summarizes the steps the company has taken, including notifying the major credit card companies and the company's merchant card processing bank, establishing a customer toll-free helpline and Web site to answer questions, and working with authorities to locate the equipment. The letter also provides customers with recommended actions they can take to protect themselves, including telephone numbers for contacting the credit reporting agencies and carefully reviewing monthly statements and credit reports.

"Our primary goal is to prevent any harm to our customers affected by this situation," said Mark Baker, Gander Mountain president and CEO. "We have no evidence that any of this information has been misused, or that the missing equipment was stolen with intent to steal data. We take this matter very seriously and regret any inconvenience to our customers who shopped at our Greensburg, Pennsylvania, store."

Beginning September 11th, the company has established a toll-free helpline for affected customers at 866-986-2988, during the hours of 8:00 am to 5:00 pm CT, Monday through Friday. This number will be effective through September 28, 2007. Customers may contact the company at Gander Mountain, 180 E. Fifth St., Suite 1300, St. Paul, MN 55101, Attn: Customer Service, or by email at contact.us@gandermountain.com. Additional information is available on the company's website at http://www.gandermountain.com (click on "Important Customer Alert").

Gander Mountain's first priority in this situation is to reduce the harm and inconvenience this apparent theft of computer hardware may cause for its customers. The company is doing its utmost to work with affected customers in this regard. Because of the relatively small number of customers that might be affected, the company does not expect any material impact on its business from this event.

About Gander Mountain Company

Gander Mountain Company, headquartered in Saint Paul, Minnesota, is the nation's largest retail network of stores for hunting, fishing, camping, boats, marine and outdoor lifestyle products and services. Since 1960, the Gander Mountain brand has offered an expanding assortment of competitively priced outdoor equipment, technical apparel and footwear, as well as gunsmith, archery, ATV and marine services. The stores feature national, regional and local brands as well as the company's owned brands. Focused on a "We Live Outdoors(R)" culture, Gander Mountain dedicates itself to creating outdoor memories. There are currently 109 conveniently located Gander Mountain outdoor lifestyle stores in 22 states. For the nearest store location call 800-282-5993 or visit http://www.GanderMountain.com.

Cautionary Note Regarding Forward-Looking Statements

Any statements in this release that are not historical or current facts are forward-looking statements. All forward-looking statements in this release are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. These statements involve known and unknown risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from any future results, performances or achievements expressed or implied by the forward-looking statements. Certain of these risks and uncertainties are described in the "Risks and Factors Affecting Current and Future Results" section of the company's Annual Report on Form 10-K for fiscal 2006 and other required reports, as filed with the SEC, which are available at http://www.GanderMountain.com and at the SEC's website at http://www.sec.gov.


Computers stolen from welfare office

BY JAN MURPHY / Of The Patriot-News, 09/10/07 10:23 PM EDT
UPDATED: 09/11/07 12:08 AM EDT

Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen from a state Public Welfare Department office last month, a spokesman for Gov. Ed Rendell confirmed Monday.

The computer work stations were taken Aug. 22 during an overnight break-in at an office in the former Harrisburg State Hospital, said Rendell spokesman Chuck Ardo.

The mental health information on the computers identified people by codes and not by name, Ardo said. The information also was protected by multiple passwords, he said, but full names and Social Security numbers of nearly 2,000 people were also on the computers.


JAN MURPHY: 232-0668
or jmurphy@patriot-news.com


Pennsylvania Commission on Crime and Delinquency News

PA Department of Public Welfare Begins Outreach to Medical Assistance Consumers Following Burglary at State Office Building


HARRISBURG, Pa., Sept. 11 PRNewswire-USNewswire — The Department of Public Welfare today began notifying medical assistance consumers in the behavioral health system whose personal information may have been contained on two computers that were stolen from a DPW office building in Harrisburg.


The burglary remains under investigation. There is no indication that any of the information on the stolen computers has been used inappropriately.


"The burglary was an unfortunate event and we sincerely apologize to all of those who may be affected by it," said Public Welfare Secretary Estelle B. Richman. "The department is taking all appropriate steps to prevent an incident like this from occurring in the future and is working with both state and local authorities and community partners to help those potentially affected."


The majority of information on the computers, which was protected by multiple security passwords, did not identify consumers by name and contained only coded information relating to the treatment of consumers in the behavioral health system. However, the information for approximately 1,819 consumers did include names and Social Security numbers.


DPW has begun mailing notification letters to the approximately 375,000 individuals in the behavioral health system that could potentially be affected in order to explain what has happened and to assist them with any steps they will need to take.


McKesson: Stolen Computers Contain Patient Information


Execs at the health-care services company are unsure how much identifying information was contained on the patients documented in the missing machines.


By Sharon Gaudin, InformationWeek
Sept. 7, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=201804872



Health-care services company, McKesson, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office.

The company, which helps pharmaceutical manufacturers set up assistance programs for patients in need, sent out a letter alerting patients that the computers were stolen on July 18. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.

"Your personal information may have been on one of the two computers that were stolen from a McKesson office," wrote Patrick Blake, president of McKesson Specialty Pharmaceutical, in the letter to one patient. "At this point, we have not determined if your personal information was on either stolen computer. However, we are taking the precaution of notifying every patient whose information might have been on the computers, just to be safe."

A spokesman for McKesson did not return phone calls requesting comment, but a company representative on the McKesson hotline said "thousands" of patients were affected and letters were sent to everyone who had at least a name on one of the machines. It's possible that identifying information, including addresses, prescribed medications, dosages, Social Security numbers, and dates of birth, also were contained on the computers. The loss appears to affect both current and former patients.

The company representative said it's not clear if the data on the machines was encrypted. Local police and the FBI have been called in on the investigation.

Blake's letter suggested that those contacted put a fraud alert on their credit files. The representative on the McKesson hotline said the company would give customers a year of free credit reporting if they requested it.

"We also have taken steps to ensure this doesn't happen again by increasing and improving employee understanding and awareness of corporate security policies and procedures, policies for handling patient data, and company security processes," wrote Blake. "We deeply regret that this incident occurred."

The hotline number is: 866-554-6366.

The impact of data theft is usually severe when health-care companies are involved. Earlier this year, a laptop was stolen from a secure office in a Texas hospital group, putting identifying information on 7,800 patients without health insurance at risk. The Seton Family of Hospitals reported in February that a security camera captured video of a thief carrying out a laptop and a projector. The laptop contained identifying personal information such as Social Security numbers, dates of birth, and insurance program numbers.


Alum Charged With Hacking Into Texas A&M


By MONICA RHOR
The Associated Press
Thursday, September 6, 2007; 7:33 PM



HOUSTON -- A recent graduate of Texas A&M University is charged with hacking into the school's computer system and illegally accessing information on 88,000 current and former students, faculty and staff members.

Luis Castillo must appear before a magistrate judge Wednesday.

Federal prosecutors said Castillo, who graduated in December with a computer science degree, accessed the system in February and caused more than $5,000 in losses to the university. The school had to hire extra staff to minimize damage.

Castillo was charged with felony reckless damage to a protected computer and could face as many as five years in prison if convicted.

Castillo, who has not been arrested, couldn't immediately be reached for comment Thursday. A person at a listing for a Luis Castillo didn't return a message, and officials at the College Station campus said they didn't have a current address for him.

In late February, A&M officials detected a breach in a server that contains log-ins and passwords used by students, faculty and staff members, said Pierce Cantrell Jr., vice president and associate provost for information technology.

The passwords could be used to access e-mail, campus wireless access and a link where students can view their records online, Cantrell said. The log-ins are also used by faculty members for e-mail, course management and grade books.

Social Security numbers and bank account numbers were not accessed, and the breach did not allow entry into the school's financial system or payroll, officials said. No unauthorized changes to the records have been found.

The university has added safeguards to the system.

Meanwhile, the University of South Carolina was looking into what it called an "accidental disclosure" of private student information on the Internet, school spokesman Russ McKinney said Thursday.

The school in Columbia is trying to determine exactly what type of information was released, how long it was on the Web and who might have accessed it, he said. The breach involved 1,482 students, he said.

A year ago, the university warned 6,000 current and former students that some of their personal information might have been accessed by an intruder into the computer system in September 2005.


Report: Attacks on ISP Nets Intensifying


Gigabit-speed sustained attacks on the rise, and botnets are now the number one threat to ISP backbones


SEPTEMBER 17, 2007 | 10:00 AM


By Kelly Jackson Higgins
Senior Editor, Dark Reading

Increasingly intense distributed denial-of-service (DDOS) attacks on ISP backbones are surpassing providers' capacity and knocking customers offline, according to a new survey of service providers by Arbor Networks.

While most large ISPs have upgraded their backbones to 10-Gbit/s speeds over the past two years, three respondents said they have experienced sustained attacks of 20 to 22 Gbit/s, and one hosting services provider in the survey reported a 24-Gbit/s DNS-targeted attack. The most powerful sustained attack previously was 17 Gbit/s, which was reported in last year's survey by Arbor.

Thirty-six percent of the ISPs that responded to the survey -- which covers activity from July 2006 through June 2007 -- had suffered from sustained attacks of 1 Gbit/s or more over the past 12 months.

"There's been pretty significant growth in sustained attack size over a six-year period," says Danny McPherson, chief research officer for Arbor Networks. "Going from a 400-Mbit/s attack on Yahoo and Amazon in '01 to 24 Gbit/s [in one attack] in the last year."

McPherson says attacks that are two times the capacity of the ISP's backbone can hit enterprises and other customers hard. "That can cause a lot of collateral damage to the network. There are lots of other [organizations] upstream and on the same POP."

"Most enterprises have a less than 1-Gbit/s connection to the Internet, so this would overwhelm them," he says.

Nearly 60 percent of the ISPs in the survey said fewer than 10 attacks on their infrastructure per month actually affect their customers, and nearly 20 percent said 10 to 100 attacks per month do. Arbor expects that number to increase as more ISPs offer managed DDOS mitigation services, where ISPs more actively track attacks that affect their customers rather than relying on them to report problems.

And the number of ISPs surveyed who offer managed security services jumped from six last year to 40 this year, McPherson notes. Most of these services basically filter attack traffic and "clean" pipes, he says.

Not surprisingly, ISPs say botnets are the number one threat to their networks, and that these malicious networks are growing in size and sophistication. Botnets are used for DOS attacks (71 percent), sending spam (64 percent), as open proxies (34 percent), for storing ID theft information (16 percent), and as part of phishing systems (37 percent), according to respondents.

DDOS attacks fell from number one to a close second, according to the survey. Around 65 percent said DDOS attacks went after commercial services their customers offer on the Net, including Web server, portal, and email services. Nearly 35 percent said DDOSes were aimed at their network services such as DNS and NTP.

ISPs said the main vulnerabilities used for attacking their infrastructures were external password attacks (41 percent), host compromise (31 percent), and insider threat (21 percent). "The insider threat number was high," Arbor's McPherson says. "But also included there are [employee] mobile devices that are infected."

There are a couple of vulnerable hotspots on service provider backbones: More than half said they had no way to detect or mitigate DNS attacks, and nearly 90 percent don't have the ability to protect VOIP.
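As an added example, not from the Arbor report or this article, of the kind of DNS attack detection the survey says most providers lack: a minimal detector run over a constructed query log. It buckets queries into fixed windows and raises two alerts, one for a single client exceeding a query rate and one for a single name receiving most of the traffic in a busy window, which is what a flood against one zone or host looks like on the wire. The log format, addresses, thresholds and the sample traffic are all assumptions.

```python
"""Added example (not from the Arbor report or this article): a minimal
detector for a DNS query flood, run over a constructed query log. The log
format, thresholds and addresses are assumptions, not any vendor's format."""

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: one query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) qtype=(?P<qtype>\w+)$"
)


def parse_dns_log(lines):
    """Parse lines into dicts; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            out.append(rec)
    return out


def detect_dns_flood(records, window_s=10, client_qps=50.0,
                     qname_share=0.8, min_queries=200):
    """Bucket queries into window_s-second windows counted from the first
    timestamp. Alert on a client above client_qps, and on one name receiving
    more than qname_share of a window holding at least min_queries queries."""
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    windows = defaultdict(list)
    for r in records:
        windows[int((r["ts"] - t0).total_seconds()) // window_s].append(r)

    alerts = []
    for w, recs in sorted(windows.items()):
        start = t0 + timedelta(seconds=w * window_s)
        for client, n in Counter(r["client"] for r in recs).items():
            if n / window_s > client_qps:
                alerts.append({"window": start, "kind": "client_rate",
                               "client": client, "qps": n / window_s})
        if len(recs) >= min_queries:
            qname, n = Counter(r["qname"] for r in recs).most_common(1)[0]
            if n / len(recs) > qname_share:
                # ANY queries are a common amplification choice, so report their share too
                any_n = sum(1 for r in recs if r["qname"] == qname and r["qtype"] == "ANY")
                alerts.append({"window": start, "kind": "qname_concentration",
                               "qname": qname, "share": round(n / len(recs), 3),
                               "any_share": round(any_n / n, 3)})
    return alerts


def build_sample_log(flood=True):
    """Constructed traffic: a little benign background and, if flood=True, one
    source sending 600 ANY queries for a single name within 10 seconds."""
    base = datetime(2007, 6, 12, 3, 14, 0)
    lines = []
    for i in range(15):
        ts = base + timedelta(seconds=i % 10)
        lines.append(f"{ts.isoformat()} client=203.0.113.{i % 5 + 1} "
                     f"qname=host{i}.example.org qtype=A")
    if flood:
        for i in range(600):
            ts = base + timedelta(seconds=i // 60)
            lines.append(f"{ts.isoformat()} client=198.51.100.23 "
                         f"qname=victim.example.net qtype=ANY")
    return lines


if __name__ == "__main__":
    for alert in detect_dns_flood(parse_dns_log(build_sample_log())):
        print(alert)
```

A real flood is usually spread over many spoofed sources, so the per-client rule on its own is easy to evade; the per-name concentration rule is the one that still fires when the source addresses are randomised, at the cost of also firing on a genuinely popular name, which is why both the window size and the share threshold have to be tuned against normal traffic for the zone.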


Offshore Worker Nabbed for Caterpillar Data Theft

Jaikumar Vijayan

September 17, 2007 (Computerworld) -- An IT worker at Caterpillar Inc.’s engineering design center in India allegedly used another employee’s username and password earlier this year to access and steal about 4,000 confidential documents from one of the company’s servers in the U.S.

A Caterpillar spokeswoman in China confirmed that the incident took place and said that a now-former employee at the company’s facility in Chennai, India, had been arrested in connection with the alleged data theft.

“We are doing everything possible to cooperate with the authorities to ensure a full and timely investigation,” the spokeswoman said. She declined to disclose any further information about the system hack, saying, “The matter is in the hands of local authorities.”

According to reports published in Indian newspapers, the alleged perpetrator, identified as 37-year-old M.S. Ramasamy, was arrested by the Cyber Crime Cell of India’s Criminal Investigations Department in late July. He has been charged under the country’s Information Technology Act with hacking into a server and stealing confidential data.

Ramasamy had left Peoria, Ill.-based Caterpillar and was working for an unidentified IT company in India at the time of his arrest, which took place near Bangalore, according to the newspaper reports.

He is accused of hacking into Caterpillar's Research and Engineering Documents Inquiry system, known as REDI, on multiple occasions in January and February. A recording from a closed-circuit camera and system logs connected Ramasamy to the intrusions, and police in India have since recovered tapes and disks that are said to contain the downloaded documents.
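The pattern in this case, a valid account used from an unfamiliar host to pull thousands of documents, is one the system logs can surface before an investigation has to. As an added example that is not from Computerworld, Caterpillar or the REDI system, the detector below aggregates a document-repository access log per account and day and flags a new source host and a download volume far above the account's baseline. The log format, baseline figures, hostnames and document IDs are constructed.

```python
"""Added example (not from Computerworld or Caterpillar): detecting a
legitimate account used from an unfamiliar host to download far more documents
than usual. Log format, baseline numbers, addresses and document IDs are
constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>[\d.]+) "
    r"action=(?P<action>\w+) doc=(?P<doc>\S+)$"
)

# Constructed per-account baseline: hosts the account is normally used from and
# its 95th-percentile daily download count over the previous quarter.
BASELINE = {
    "jdoe":   {"known_src": {"10.8.14.22"}, "daily_p95": 25},
    "asmith": {"known_src": {"10.8.14.40"}, "daily_p95": 40},
}


def parse_access_log(lines):
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            out.append(rec)
    return out


def detect_credential_misuse(records, baseline=BASELINE, burst_factor=5):
    """Aggregate per (user, day); flag days where the account appears from a host
    outside its baseline and/or downloads more than burst_factor times its usual
    daily volume. Accounts with no baseline at all are flagged too."""
    days = defaultdict(lambda: {"downloads": 0, "srcs": set()})
    for r in records:
        entry = days[(r["user"], r["ts"].date())]
        entry["srcs"].add(r["src"])
        if r["action"] == "download":
            entry["downloads"] += 1

    alerts = []
    for (user, day), entry in sorted(days.items()):
        reasons = []
        base = baseline.get(user)
        if base is None:
            reasons.append("no_baseline_for_account")
        else:
            new_src = entry["srcs"] - base["known_src"]
            if new_src:
                reasons.append("new_source:" + ",".join(sorted(new_src)))
            if entry["downloads"] > burst_factor * base["daily_p95"]:
                reasons.append(f"bulk_download:{entry['downloads']}")
        if reasons:
            alerts.append({"user": user, "day": day.isoformat(), "reasons": reasons})
    return alerts


def build_sample_log():
    """Constructed: asmith has an ordinary day; jdoe's account is used late at
    night from 10.8.77.5 to download 300 documents in under an hour."""
    lines = []
    for i in range(8):
        ts = datetime(2007, 1, 15, 9, 0) + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} user=asmith src=10.8.14.40 "
                     f"action=download doc=DOC-{1000 + i}")
    for i in range(300):
        ts = datetime(2007, 1, 15, 23, 5) + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} user=jdoe src=10.8.77.5 "
                     f"action=download doc=DOC-{5000 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect_credential_misuse(parse_access_log(build_sample_log())):
        print(alert)
```

Either signal alone is noisy (people travel, and engineers occasionally do pull a whole project's drawings); the two together, on an account whose owner is not the person at the keyboard, is the case to page someone about. The baseline should come from the account's own history, not a global average, or a quiet account can be drained without tripping the volume rule.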


Names, contact info on 6M TD Ameritrade customers compromised

Jaikumar Vijayan
September 14, 2007 (Computerworld) Brokerage firm TD Ameritrade Holding Corp. today disclosed that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its more than 6 million retail and institutional customers have been compromised by an intrusion into one of its databases.

But Social Security numbers, account numbers and dates of birth, all of which were stored in the same hacked database, appear to have been left untouched, the company said today.

The intrusion was discovered during an internal investigation into stock-related spam being reported by TD Ameritrade customers, said Kim Hillyer, a company spokeswoman. According to Hillyer, the investigation revealed the presence of unauthorized code, which has since been removed, on a database containing customer information.

TD Ameritrade has hired fraud detection firm ID Analytics Inc. to investigate the compromise and to help monitor for fraud, she said. So far, neither TD Ameritrade nor ID Analytics has been able to unearth any evidence to show that the information was accessed for any reason other than to send spam, she said.

"We do apologize for that and we do understand there may be added concern" for customers because of the incident, she said.

In a statement, company CEO Joe Moglia apologized for the breach, but tried to downplay its impact. "While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," Moglia said. "We sincerely apologize for that and any added concern this may have caused."

The statement also informed customers that no "special actions" were required of them with regard to their accounts as a result of the breach.

The company will start notifying all its customers via postal and e-mail over the next few days, Hillyer said.

Robert Ellis, an analyst at Celent, a Boston-based financial research firm, called the breach a "particularly egregious and scary" one.

"The idea that someone could hack into TD Ameritrade's system sufficiently to extract contact information such as phone numbers, e-mail and home addresses, and to bury the code so deeply that the breach was only noted after phishers attempted to utilize the data is quite alarming," he said. "Either the contact information was behind a less-strong level of security, or TD Ameritrade dodged a major bullet."


Medco Sys Admin Pleads Guilty To Computer Sabotage


New Jersey man tells the court he planted the logic bomb on the prescription manager's network when he suspected he was going to be laid off.


By Sharon Gaudin, InformationWeek
Sept. 19, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=201807613



A former systems administrator at Medco Health Solutions pleaded guilty in federal court Wednesday to writing and planting malicious code that could have crippled a network that maintains customer health care information.

Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court in Newark, N.J. to the charge of transmitting code that would cause damage to a protected computer. The charge carries a maximum sentence of 10 years, but the plea deal sets a guideline of 30 to 37 months. The judge, who will levy the sentence on Jan. 8, is not bound by the guidelines.

"Had this gone off, the damage to Medco's reputation could have been catastrophic," Assistant U.S. Attorney Erez Liebermann told InformationWeek. "I look at this as one of the most significant [computer sabotage] cases because it could have done more than financial damage."

Lin admitted to creating and planting the malicious code, or logic bomb, on Medco's computer network because he feared he would lose his job in an expected round of layoffs. Another systems administrator at the company, however, foiled his plan when he discovered the logic bomb before it went off.

If it had been detonated, prosecutors say the code would have eliminated pharmacists' ability to know if a new prescription would dangerously interact with a patient's current prescriptions. They also say it would have caused widespread financial damages to the company. Even though it didn't go off, Medco reported that it cost them between $70,000 and $120,000 to clean up the problem.

"What this individual did was severely threaten a critical infrastructure -- healthcare," said Liebermann. "The only way to make sure all the drugs you've received don't conflict is to have something like Medco doing an across-the-board check. ... This could have led to the damage of people trying to get their prescriptions filled. It's a new level of risk. It's not just a financial crime. It could have damaged life and limb. It shows the impact of cyber crime."

Lin, who is known as Andy Lin, had access to the company's network of about 70 HP Unix servers, according to the indictment. The network handled Medco's billing, corporate financial, and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions.

Lin created the logic bomb early on Oct. 3, 2003, just days before a planned layoff was due to happen. Medco had just spun off from Merck & Co. and was going through a restructuring. The Medco Unix group was merging with the e-commerce group to form a corporate Unix group, the government reported.

Several systems administrators were laid off on Oct. 6. Lin was not one of them. The indictment pointed out that the month before the layoffs were made, Lin sent out e-mails discussing the anticipated layoffs. In one e-mail, he indicated he was unsure whether he would survive the downsizing, according to government documents.

The logic bomb was set to automatically deploy on April 23, 2004, which was Lin's birthday. The code was triggered that day, prosecutors report, but it failed to take down the servers because of a coding error. The government says Lin later modified the code in September of 2004, correcting the error and resetting it to go off on April 23, 2005.

Lin told the court he retriggered the logic bomb because of continued pressure from the layoffs.

Liebermann said Lin designed the logic bomb so it would shut off access to other administrators while it was running. He also changed the timestamps on each file so that, if anyone found the code, it would look as if it had been created and modified at different times and on different days, which might not correlate with the times he was on the system.

"It was very clever, though he couldn't change the backup logs that showed otherwise," said Liebermann.
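Backdating file times is cheap to do and, as the prosecutor notes, cheap to see through once you have something to compare against. As an added example that is not from the case, from Medco or from the court record, the scanner below looks for two independent signals on a POSIX filesystem: the kernel refuses to let a process set a file's ctime (utime() and touch only set atime and mtime, and ctime is bumped to "now" in the process), so a file whose ctime is far newer than its mtime had its mtime set by hand; and a backup catalog that recorded mtime and a content hash lets you spot a file that now claims to be older than it was at backup time, or whose content changed while its mtime did not. The catalog, the sample files and the 2003-10-03 date (used only as an illustrative value) are constructed.

```python
"""Added example (not from the case or from Medco): detecting files whose
modification times have been backdated, using the ctime gap and a comparison
against a (constructed) backup catalog. Assumes a POSIX filesystem."""

import hashlib
import os
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_catalog(root):
    """Stand-in for a backup index: mtime and content hash per file."""
    cat = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            cat[os.path.relpath(p, root)] = {"mtime": st.st_mtime, "sha256": sha256_file(p)}
    return cat


def find_timestomped(root, catalog, slack_s=60):
    """Return {relpath: [reasons]} for suspicious files.
    ctime_newer_than_mtime: mtime was set by hand (utime cannot set ctime).
    mtime_older_than_backup: file now claims to predate its last backup.
    content_changed_mtime_kept: hash differs from backup, mtime does not."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root)
            st = os.stat(p)
            reasons = []
            if st.st_ctime - st.st_mtime > slack_s:
                reasons.append("ctime_newer_than_mtime")
            rec = catalog.get(rel)
            if rec is not None:
                if st.st_mtime < rec["mtime"] - 1:
                    reasons.append("mtime_older_than_backup")
                elif abs(st.st_mtime - rec["mtime"]) <= 1 and sha256_file(p) != rec["sha256"]:
                    reasons.append("content_changed_mtime_kept")
            if reasons:
                findings[rel] = reasons
    return findings


def demo():
    """Constructed tree: one untouched script, one replaced after the 'backup'
    and backdated to 2003-10-03, and one edited with its original mtime put
    back. Returns the scanner's findings."""
    root = tempfile.mkdtemp(prefix="stomp-")

    def write(name, text, mode="w"):
        p = os.path.join(root, name)
        with open(p, mode) as f:
            f.write(text)
        return p

    write("clean.sh", "#!/bin/sh\necho nightly housekeeping\n")
    bomb = write("cleanup.sh", "#!/bin/sh\necho rotate logs\n")
    patched = write("report.sh", "#!/bin/sh\necho daily report\n")
    catalog = snapshot_catalog(root)            # the "last backup"

    write("cleanup.sh", "#!/bin/sh\n# replaced body\n")   # new content after backup...
    old = time.mktime(time.strptime("2003-10-03", "%Y-%m-%d"))
    os.utime(bomb, (old, old))                  # ...with mtime pushed back to 2003

    write("report.sh", "echo extra line\n", mode="a")      # edited...
    m = catalog["report.sh"]["mtime"]
    os.utime(patched, (m, m))                   # ...then original mtime restored

    return find_timestomped(root, catalog)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, reasons)
```

The ctime check is a triage signal, not proof: cp -p, tar and rsync with timestamp preservation also leave ctime well ahead of mtime, and on Windows st_ctime is the creation time, so the rule does not apply there. The comparison against an offline catalog is the stronger check, for the same reason the prosecutor gives: the attacker can rewrite what is on the server, but not what the backup already recorded.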

Soraya Balzac, a spokeswoman for Medco, pointed out in an interview that the company detected and neutralized the threat. "As a company, we're vigilant in protecting our systems and data," she added. "We view the defendant's guilty plea and expected high sentence as a strong message that there is zero tolerance for this type of conduct -- any threat to our system."

Liebermann praised Medco for contacting and working with law enforcement in this case. "This represents a successful partnership between private industry and law enforcement, and we need more such partnerships if we are to successfully deter and prosecute these saboteurs."

Friday, September 21, 2007


Chinese military hacked into Pentagon

By Demetri Sevastopulo in Washington

Published: September 3 2007 19:00 | Last updated: September 3 2007 20:53

The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.

The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.

Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People’s Liberation Army.

One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a “very high level of confidence...trending towards total certainty” that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.

Angela Merkel, Germany’s chancellor, raised reports of Chinese infiltration of German government computers with Wen Jiabao, China’s premier, in a visit to Beijing, after which the Chinese foreign ministry said the government opposed and forbade “any criminal acts undermining computer systems, including hacking”.

“We have explicit laws and regulations in this regard,” said Jiang Yu, from the ministry. “Hacking is a global issue and China is frequently a victim.”

George W. Bush, US president, is due to meet Hu Jintao, China’s president, on Thursday in Australia prior to the Apec summit.

The PLA regularly probes US military networks – and the Pentagon is widely assumed to scan Chinese networks – but US officials said the penetration in June raised concerns to a new level because of fears that China had shown it could disrupt systems at critical times.

“The PLA has demonstrated the ability to conduct attacks that disable our system...and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who said the PLA had penetrated the networks of US defence companies and think-tanks.

Hackers from numerous locations in China spent several months probing the Pentagon system before overcoming its defences, according to people familiar with the matter.

The Pentagon took down the network for more than a week while the attacks continued, and is to conduct a comprehensive diagnosis. “These are multiple wake-up calls stirring us to levels of more aggressive vigilance,” said Richard Lawless, the Pentagon’s top Asia official at the time of the attacks.

The Pentagon is still investigating how much data was downloaded, but one person with knowledge of the attack said most of the information was probably “unclassified”. He said the event had forced officials to reconsider the kind of information they send over unsecured e-mail systems.

John Hamre, a Clinton-era deputy defence secretary involved with cyber security, said that while he had no knowledge of the June attack, criminal groups sometimes masked cyber attacks to make it appear they came from government computers in a particular country.

The National Security Council said the White House had created a team of experts to consider whether the administration needed to restrict the use of BlackBerries because of concerns about cyber espionage.

Additional reporting by Richard McGregor in Beijing

To contact the reporter email demetri.sevastopulo@ft.com


Beware: enemy attacks in cyberspace

By Demetri Sevastopulo in Washington

Published: September 3 2007 19:00 | Last updated: September 3 2007 19:00

Lieutenant General Robert Elder, senior Air Force officer for cyberspace issues, recently joked that North Korea “must only have one laptop” to make the more serious point that every potential adversary – except Pyongyang – routinely scans US computer networks.

North Korea may be impotent in cyberspace, but its neighbour is not. The Chinese military sent a shiver down the Pentagon’s spine in June by successfully hacking into an unclassified network used by the top policy advisers to Robert Gates, the defence secretary.

While the People's Liberation Army has been probing Pentagon networks hundreds of times a day for the past few years, the US is more alarmed at the growing frequency and sophistication of the attacks.

The Pentagon spent several months deflecting the recent onslaught before the PLA penetrated its system, which was shut down for more than a week for diagnosis.

While officials are concerned that it downloaded information, they are more concerned about the strategic ramifications.

“The PLA has demonstrated the ability to conduct attacks that disable our system . . . and the ability in a conflict situation to re-enter and disrupt on a very large scale,” said a former official, who added that the PLA has also penetrated the networks of US defence companies and think-tanks.

One senior US official said there was “no doubt” that China was now monitoring email traffic on unclassified government networks.

Intelligence professionals say China has found a simple way to compensate for its lack of expertise in recruiting non-Chinese spies in the US.

China has also come under scrutiny outside Washington. At a recent press conference with the German chancellor Angela Merkel, Wen Jiabao, the Chinese premier, expressed “grave concern” over reports that the PLA had used “Trojan Horse” programs to insert spyware into German government networks.

While Chinese military doctrine stresses the importance of cyberspace, many other countries, including the US, engage in electromagnetic trespassing.

This year, for example, Estonia accused Russia of orchestrating a massive attack that temporarily crippled government networks.

The Defence Science Board, an independent Pentagon advisory group, will soon publish a study on non-conventional military challenges that will examine cyber threats.

A former senior US official said while the US had made headway, much more needed to be done.

The US Air Force will soon create a cyber war-fighting command aimed at improving defensive and offensive capabilities to counter such asymmetric threats. “We want to ensure that we can operate freely in the domain,” says Major General Charles Ickes, another senior Air Force official involved with cyberspace issues. “On the other hand . . . it is seen by everybody in the defence department as a war-fighting domain and you must have offensive capability.”

Gen Ickes says the military must ensure that its actions do not inadvertently impact on US civilian computer systems. Michael Green, former senior Asia adviser to President George W. Bush, points to an example where the Pentagon had to consider the legal ramifications of blasting a virus back at a hacker.

In an increasingly networked world, governments must consider an even wider range of cyber threats, including terrorist attacks on critical infrastructure, commercial espionage, and old-fashioned spying.

France and Germany have imposed restrictions on senior officials using BlackBerries out of concerns that US intelligence agencies could intercept sensitive emails.

Voicing similar concerns, the White House has also imposed a ban on officials using the devices in some countries, including China. It is also examining whether to restrict domestic use, a move that would panic large swaths of Washington's BlackBerry-addicted officialdom.

Sami Saydjari, chief executive of Cyber Defense Agency and a former Pentagon cyber expert, warns of the potential for terrorist groups, such as al-Qaeda, to attack the financial, telecoms, and power sectors.

To underscore the threat, he notes that no cyber red team – hackers enlisted to attack systems to help identify weaknesses – has ever failed to meet its objective.

Gregory Garcia, the assistant secretary for cyber security at the department of Homeland Security, says the number of cyber incidents reported to the department’s computer readiness team so far this year is 35,000. That compares to 4,100 for the whole of 2005.

To contact the reporter email demetri.sevastopulo@ft.com
