THE DESTRUCTION OF PERSONAL ASSETS IN INFORMATION WARS





The Mounties always get their man—or, when it comes to hackers, their boy. In 2000, Canadian cops announced the arrest of a Montreal-area 15-year-old for disabling CNN’s Web site. His father was also nabbed, on unrelated charges of plotting to assault a business associate. The teen suspect, who was identified only by the hacker handle “Mafiaboy,” allegedly bragged about his exploits in on-line chats. He was not what one would call a genius. Mafiaboy was charged with two counts of “mischief to data” and faces two years’ detention plus a $786 fine. While awaiting trial, he could not enter any public space that hosts networked computers.

The CNN.com incident was part of a rash of “denial of service” attacks that crippled Yahoo!, eBay, and other Internet titans, leading to a manhunt that stretched throughout the United States, Canada, and Germany. The international dragnet was spurred by estimates of damage to and/or destruction of personal and corporate assets ranging up to $2.3 billion (see sidebar, “Widespread Break-in by Crime Groups Cause Damage”).

start sidebar
Widespread Break-In By Crime Groups Cause Damage

The FBI recently disclosed it has launched 50 separate investigations into alleged hacking incidents by Eastern European organized crime groups that are believed to have stolen more than 2 million credit card numbers from e-commerce[iii] and on-line finance Web sites powered by Windows NT servers. The break-ins have occurred in 30 U.S. states and are thought to be part of a systematic effort by crime syndicates in Russia and Ukraine to break into vulnerable Web servers. Estimated financial losses since the FBI’s National Infrastructure Protection Center (NIPC) issued an initial warning about the threat in December 2000 total as much as hundreds of millions of dollars.

But the figure could be much higher. The NIPC hasn’t been able to determine an exact damage amount. The agency, which is based at FBI headquarters in Washington, released an advisory saying the hacking activities are continuing. The advisory reiterated a recommendation that systems administrators should check their Windows NT-based servers to make sure patches designed to fix several known security holes have been installed.

To date, the NIPC spokeswoman claimed, e-commerce sites across the country have failed to heed the warnings about the holes in Microsoft Corp.’s operating system software. This is a public service announcement meant to urge companies to bolster the security of their Web sites by downloading the patches made available by Microsoft.

These organized crime groups have hit on these sites using known vulnerabilities for months now, and people are not heeding the warnings. Microsoft discovered and patched many of the vulnerabilities in NT as early as 1998. But until companies take the appropriate steps, the attacks are “not going to stop.”

Federal investigators have identified several different groups of hackers that they believe are responsible for the incidents. It’s national in scope and at a point that the FBI felt it was appropriate to let a wider audience know what is going on. The threat posed by the hackers is a serious impediment to public confidence in e-commerce.

There’s no way of knowing how widely the NT patches have been applied. Download rates are a poor indicator because a single download can be applied “an infinite number of times.” Conversely, the fact that a user has downloaded a patch doesn’t guarantee it will actually be applied. Still, it is clear that not enough users are installing patches.

The crime syndicates are targeting customer data, specifically credit card information, according to the FBI. In many cases, the attacks go on for several months before the company being hit discovers the intrusion.

After the attackers steal the data from a Web site, they often contact the victimized company by fax, e-mail, or telephone and make a veiled extortion threat by offering Internet-based security services that would protect the targeted server from other attackers. Federal investigators also believe that, in some instances, the credit card information is being sold to other organized crime groups. The NIPC’s advisories or warnings about the attackers list the vulnerabilities that are being exploited and provide links to bulletins issued by Microsoft about the relevant patches.

A lot of malicious hacking activity, including widescale probing of Web servers, is originating in Eastern Europe. Anything that gets plugged in to the Internet gets probed. It’s not a question of if, but when.

The SANS Institute, a Bethesda, Maryland-based research organization for systems administrators and security managers, recently released an alert about the FBI’s ongoing investigations that called the hacking incidents the largest criminal Internet attack to date. The alert added that the SANS-affiliated Center for Internet Security plans “within a day or two” to release a software tool that can be used to check NT servers for the vulnerabilities and to look for files found by the FBI on many compromised systems. The center’s tools are usually limited to its members, but SANS indicated this one will be made available on a widespread basis because of the importance of this problem.

The NIPC wouldn’t identify any of the Web sites that have been hit by attacks. But in December 2000, Creditcards.com, a Los Angeles-based company that has since changed its name to iPayment Technologies Inc., confirmed that about 66,000 credit-card numbers had been stolen from its Web site. More than 36,000 of the numbers were exposed on the Internet after the company ignored a $200,000 extortion attempt believed to have come from a Russian hacker.

Recently, Bibliofind.com, an on-line marketplace for rare and hard-to-find books that’s owned by Amazon.com Inc., disclosed that a malicious hacker had compromised the security of credit-card data for about 109,000 users of its Web site. The intrusions began in October 2000, and weren’t discovered until recently.

Egghead.com Inc. in Menlo Park, California, was also hit by an intrusion late in 2000. The on-line technology retailer’s CEO said recently that an internal investigation showed that no customer data had been compromised. But some Egghead users claimed that their credit-card numbers had, in fact, been stolen, with one saying her card was debited for a charge to a fraudulent Web site in Russia.

end sidebar

Critics charge that companies and prosecutors regularly inflate such numbers and that the Mafiaboy case is no exception. If you’re a law enforcement organization, it makes the crime look more serious. If you’re a company, it allows you to get more money from insurance (see sidebar, “Hacker Insurance”). And if you’re the press, it makes the story more sensational.

start sidebar
Hacker Insurance

In the increasingly competitive hacker insurance market, American International Group is making an offer it hopes prospective clients won’t refuse—a free, comprehensive security assessment. AIG, the largest commercial insurance underwriter in the United States, hopes the free on-site security check—which ordinarily can cost tens of thousands of dollars—will encourage more companies to buy insurance coverage from it. AIG is one of the biggest players in a swarm of underwriters and brokers who are rushing into the hacker insurance market, a sector that the Insurance Information Institute estimates could generate $3.6 billion in annual premiums by 2006.

The insurers’ sales efforts are being aided by highly publicized events such as the assault on Microsoft’s Web site in January and the more recent “Anna Kournikova” worm that tied up mail servers around the world. Insurance industry officials indicate their business is doubling every 7 to 13 months, as worries about hacking increase and more information technology professionals realize their companies’ standard insurance policies don’t cover risks incurred by their Internet-based businesses.

Cyber masses aren’t used to spending money on this. The cost of the insurance application in the past included (for almost everyone) an on-site security assessment that would cost upward of $30,000, regardless of whether you bought the insurance.

To help convince qualified prospects (applicants must be seeking $6 million or more in coverage) to buy insurance, AIG will pay independent security firms Global Integrity and Unisys to do the on-site assessments. The firms will do external probes and “ethical hacking” of a prospect’s Web site, as well as perform a three-day, on-site analysis to determine what types of security problems the company faces.

At the end of the assessment, if a prospect decides not to buy AIG’s coverage, the company can keep the security report and assessments as AIG’s gift. Although AIG’s assessment is free, some competitors expressed skepticism. AIG’s offer may create a false sense of security among insurance buyers. Security is not a product; it’s a process.

What’s Covered

Companies interested in hacker insurance can buy coverage either as a package or a la carte. Some policies only pay for risks associated with loss or misuse of intellectual property. Others cover liability for misuse of a company’s site by a third party, or damage caused by an outside hacker.

Premiums are generally based on a company’s revenue, as well as the type and amount of coverage being sought. Rates vary. A package policy that covers a range of risks, including liability, loss of revenue, errors and omissions, and virus protection, can cost from $7,000 to $21,000 per year (or more) for each million dollars of coverage in the policy.

Given the range of costs and coverage, industry officials warn potential buyers to be wary. Some policies cover only the amount of net income lost due to hacking. A better choice for some companies may be coverage for lost revenue.

Numerous variables can affect premiums. Just as a buyer of auto insurance can choose a high dollar deductible to lower the premium, hacker insurance buyers can choose different waiting periods before coverage begins. For instance, a policy that begins paying for business losses just four hours after a hacker shuts down a site may cost more than a policy that begins paying after 24 hours of downtime. These waiting periods, called “time element deductibles,” are variable and depend on the kind of business being covered and the amount of risk a business may face.

Companies can also get substantial discounts on their policies if they have managed service contracts with an insurer-certified security firm. Security assessments are critically important for both insurers and insurance buyers. Hacker insurance is such a new product that there are no reliable actuarial tables to determine rates. Therefore, insurance companies rely heavily on the assessments to help them determine the amount of risk they are taking on with a given company. For the companies seeking insurance, assessments should help them find (and immediately fix) holes in their defense systems.

Stiff Competition

Underwriters competing with AIG (the Chubb Group, Fidelity and Deposit Companies, St. Paul Companies, Lloyd’s of London and Wurzler) are rolling out a fleet of new products and alliances to help them gain market share. Chubb recently announced new coverage designed for on-line banks, brokerages, and insurance companies. Wurzler has joined with Hewlett-Packard to market its products to a select group of HP’s clients.

Insurance brokers and security firms are teaming up to sell branded products and services. Marsh & McLennan Companies, the world’s largest insurance brokerage, is selling insurance provided by AIG, Chubb, and Lloyd’s. The brokerage relies on Internet Security Systems to do its security assessments. Counterpane Internet Security has allied with brokers Safeonline and Frank Crystal & Co. to provide its clients with special policies underwritten by Lloyd’s.

It’s a wildly growing market, and its primary underwriters are AIG, Fidelity and Deposit, and Wurzler. Hacker insurance has been a small market because people were waiting for e-commerce to hit. Well, now e-commerce has hit.

Insurers are finding a ready market for their products, because companies with Internet operations are increasingly under attack. A survey done in 2000 by the Federal Bureau of Investigation and the Computer Security Institute, an association of computer security personnel from the private and public sectors, found that from March 1999 to March 2000, 29% of the 752 governmental agencies and businesses that responded indicated that they experienced denial-of-service attacks. Viruses are also wreaking havoc. Losses from 2000’s “Love Bug” virus were estimated to be as high as $20 billion.

AIG’s move to lower the cost of obtaining hacker insurance shows the market is beginning to mature, according to industry experts. And security analysts hope it will encourage more Net companies to get insurance coverage.

Companies need to understand that getting hacked is not only an inconvenience. Anything Internet-facing is a point of vulnerability. Companies can be attacked directly or they can be used to attack someone else. There’s real exposure and liability. They need to reduce their risk, and the only way to do that is through proper insurance.

end sidebar

Pricing cyberintrusions is pretty much a guessing game. If a burglar steals your television set, you know what its replacement value might be. But what’s the value of the time of all the people who had to drop their work and deal with this hacker nonsense? More tangential costs are also often tabulated; the $2.3 billion figure associated with recent attacks, calculated by the Yankee Group, includes the expense of security upgrades, consulting fees, and losses in market capitalization from tumbling stock prices.

The implication is that companies wouldn’t have had to spend the money if they never had a problem. That’s like saying you don’t need to get a lock for your front door unless somebody breaks in.

Fair Punishment

Inflated estimates can skew jail terms. A formula should be devised to calculate the severity of hacks. The question is, how serious a societal harm has been done when the estimate is left in the hands of these companies, without any real check or balance? If the FBI is going to punish somebody by sending them to prison, they probably don’t want to send them to prison for something that’s just a nuisance.

In one famous case, an editor at the computer-security webzine Phrack was charged with publishing a document stolen from BellSouth’s network. Prosecutors valued the 13-page paper at $80,550, which included the $42,000 cost of the computer it was typed on, $7,000 for the printer, and $7,300 for a “project manager.” It was revealed at trial, however, that BellSouth sold a nearly identical document to the public for just $14 per copy.

Short- and Long-Term Personal Economic Impact on Cyber Citizens

Cyberattacks cost U.S. organizations and their cyber citizens $377 million in 2000—more than double the average annual losses for the previous three years. The study, released by the San Francisco-based Computer Security Institute (CSI) and the San Francisco FBI Computer Intrusion Squad, found that 92% of survey respondents detected some form of security breach in 2000.

Based on information from 384 of CSI’s member organizations, 72% reported serious security attacks, including theft of proprietary information, financial fraud, system penetration from outsiders, denial-of-service attacks, and sabotage of data or networks. This figure, up from 64% in 1998, didn’t include data from common security problems caused by computer viruses, laptop theft, and abuse of Internet access by employees.

According to the report, 76% of respondents confirmed that they sustained financial losses due to security attacks, but only 44% said they were willing and able to quantify these costs. The figures are based on responses from 754 computer security practitioners in 384 U.S. corporations, government agencies, financial institutions, medical institutions, and universities.

The $377 million in verifiable losses claimed by respondents was more than twice the average annual total of $140 million reported from 1998 to 2000. Seventy-seven respondents reported $77.8 million in losses from theft of proprietary information and 64 organizations listed $67 million in losses from financial fraud.

CSI indicates a continuing trend in the study—that computer security threats to large corporations and government agencies come from both inside and outside the organization. Whereas media reports often focus on outside computer crackers, 82% of respondents were worried about disgruntled employees. Sixty-two respondents indicated that they suffered $28 million in damages from sabotage of data or networks, compared to a combined total of $32 million for previous years.

For the third consecutive year, 60% of respondents identified their Internet connection as a frequent point of attack, compared with 39% who cited internal systems as the target. The short- and long-term personal economic impact on cyber citizens continues to be staggering.

Unauthorized access and security attacks are widespread. The private sector and government organizations must increase their focus on sound security practices, deployment of sophisticated defensive technology, and adequate training and staffing of security managers.

Next, let’s take a look at why corporations are mobilizing against the threat of a federal Internet privacy-protection law, which violates the privacy of their employees during the onset of information warfare.

[iii]John R. Vacca, Electronic Commerce, Third Edition, Charles River Media, 2001.






Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
