Fwd: Employees, Not Hackers, Greatest Computer Threat

From Flint Jones <flint@epa.secret.org>
Date Thu, 6 Jan 2000 10:18:23 -0500 (EST)

[: hacktivism :]

Employees, Not Hackers, Greatest Computer Threat

New Study Shows Unhappy Workers Steal Trade Secrets
Jan. 4, 2000

By David Noack

NEW YORK (APBnews.com) -- The greatest security threat to companies'
computer systems comes from disgruntled employees stealing confidential
information and trade secrets, according to a new study on

The survey, conducted by Michael G. Kessler & Associates Ltd., a New
York-based security firm, found that 35 percent of the theft of
proprietary information is perpetrated by discontented employees. Outside
hackers steal secrets 28 percent of the time; other U.S. companies 18
percent; foreign corporations 11 percent and foreign governments, 8
percent. The remaining 10 percent, according to the study, are listed as
miscellaneous crimes.

The financial losses caused by these cyber break-ins totaled $42 million
last year, which is up more than 100 percent from the 1997 figure of $20

'No such thing as a hacker's holiday'

"Computer crime is much more complex than bugs and viruses," said
President and CEO Michael G. Kessler. "Y2K enlightened business owners to
pitfalls and their systems, but there must also be heightened awareness
of the growing number and variety of computer security breaches that can
weaken a company's balance sheet."

The survey was done over the last six months, and written questions were
given to 300 of Kessler's clients and other companies. He said that
disgruntled employees could be capable of taking business records, trade
secrets and payroll information.

"It doesn't take a new millennium for corporate computer piracy to
occur," said Kessler. "There's no such thing as a hacker's holiday.
Internet invasions increase with growing computer and Internet popularity.
Codes an be cracked; systems will be sabotaged. Hacking is a reality, and
CEOs who have turned a deaf ear to its existence will be shocked when it
happens to their allegedly fail-safe network."

Kessler cautioned that now that Y2K is over, corporations shouldn't be
lulled into a false sense of security.

Hacker attacks not often reported

"Problems could just as easily occur on Jan. 30 as Jan. 1. Businesses
should brace for outbreaks of sophisticated viruses and hackings from
outside and in. Once a breach in computer security has occurred, our
research historically reveals much more -- a 'subplot' that can alert
corporations to the real root of some serious trouble," said Kessler.

He said companies fail to report computer break-ins for fear of bad
publicity, and that for every break-in reported, 400 do not.

The Kessler study mirrors previous reports showing that computer
security is one of the biggest challenges facing corporate America.

Computer-crime rates and information-security breaches continue to
increase, according to a joint study conducted last year by the Computer
Science Institute and the FBI.

Losses greater than $100 million

The 1999 Computer Crime and Security Survey, based in San Francisco,
polled 521 security professionals at U.S. corporations, government
agencies and universities.

The findings revealed that financial losses among 163 respondents
totaled $124 million, which was the third straight year the survey had
recorded losses greater than $100 million.

"It is clear that computer crime and other information security breaches
pose a growing threat to U.S. economic competitiveness and the rule of
law in cyberspace," said Richard Power, editorial director of the

"It is also clear that the financial cost is tangible and alarming."

System break-ins by outsiders were reported by 30 percent of
respondents, and unauthorized access by insiders was reported by 55

Technology not enough

Even though security measures, such as digital identification,
encryption and intrusion-detection systems are being used more frequently,
technology itself is not enough to stymie hackers.

The study also found that 98 percent of respondents said they use
anti-virus software, 90 percent reported incidents of virus contamination.
Also, system penetration from outside grew for the third straight year
despite 91 percent of respondents saying they used firewalls.

"The lesson to be learned is simple security technology does not equal a
security program," said Power, suggesting that well-trained, motivated
staff and smart procedures are just as important for security as

Justice Department stepping in

The problem of proprietary information being breached on computer
systems as prompted the Justice Department to devote an entire section to
computer crimes, called the Computer Crime and Intellectual Property
section. In addition, the Economic Espionage Act of 1996 is expected to be
used to prosecute foreign sources of computer crime.

Michael A. Vatis, director of the FBI's National Infrastructure
Protection Center, agrees that a "disgruntled insider" is the principal
source of computer crimes.

"Insiders do not need a great deal of knowledge about computer
intrusions, because their knowledge of victim systems often allows them to
gain unrestricted access to cause damage to the system or to steal system
data. The 1999 Computer Security Institute/FBI report notes that 55
percent of respondents reported malicious activity by insiders," Vatis
told a Congressional committee last year.

Coast Guard lost data

Recent cases of white-collar computer crimes include:

Shakuntla Devi Singla used her insider knowledge and another employee's
password and log-on identification to delete data from a U.S. Coast
Guard personnel database system. It took 115 agency employees over 1,800
hours to recover and re-enter the lost data. Singla was convicted and
sentenced to five months in prison and five months home detention and
ordered to pay $35,000 in restitution.
Software engineer William Gaed, working for a subcontractor to Intel
Corp., was convicted of illegally downloading secret data on the computer
giant's plans for a Pentium processor worth between $10 million and $20
million.  Authorities said Gaed also videotaped information on his
computer screen and planned to sell the tapes to a competitor. Gaed was
sentenced to 33 months in prison.
And, according to a General Accounting Office (GAO) report issued in
October, the federal government has been lax in protecting computer
networks used by government and businesses.

"At the federal level, these risks are not being adequately addressed,"
the report said.

U.S. unprepared for information threat

The report showcased concerns of some experts about threats to
private-sector systems that control energy, telecommunications,
financial services, transportation and other critical services.

"Few reports are publicly available about the effectiveness of controls
over privately controlled systems," GAO said.

Currently, there is no strategy to improve government information
security, the GAO report found. If the United States is faced with a
threat, the response could be "unfocused, inefficient and ineffective,"
wrote Jeffrey Steinhoff, the acting assistant comptroller general.

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]