THE PROBLEMS OF THE PRESENT



An IT worker faced federal criminal charges recently in U.S. District Court in Miami for allegedly downloading a virus into his employer’s computer system, crashing the network for nearly two full days. This case, which comes a little more than a year after the first federal criminal prosecution of computer sabotage, is just one in a growing number of insider-based network attacks, according to federal law enforcement agents. Another case is getting ready to go to trial in Las Vegas, and yet another was wrapped up with a guilty verdict in New Hampshire (see sidebar, “Insider Accounts”).

start sidebar
Insider Accounts

It’s a scary indicator of a spiraling economy that in 2001, 4.4 million workers were laid off, according to the U.S. Department of Labor. Even scarier is the question of how many of those workers still have active accounts on the networks of their former employers.

So-called ghost accounts, those not closed when workers leave, can include access to mainframes, databases, file servers, intranets, and e-mail. There are also remote access holes with VPN passwords and dial-in accounts. All of these open “back doors” into a network.

A recent series of high-profile network sabotage cases shows that vengeful employees can wreak high-tech havoc. Disgruntled employees are a significant threat. Security experts recommend a combination of procedures, policies, and automation to combat the threat.

Automation is key and is being made available in a class of products known as provisioning software, which can automatically activate and deactivate user accounts. If you are a CIO and are currently using a manual process, fundamentally you have no way to know the process (of deprovisioning) worked. With provisioning software, the opposite is true: you know that the process was completed.

Just recently, Access360, Novell, and Waveset Technologies announced provisioning products. Business Layers also has a product called eProvision Day One.

Access360 released Version 4.0 of its EnRole provisioning software, which is now integrated with corporate directories to centralize user account information. Novell released its Employee Provisioning System, which is intended to create a single user identity across a corporate network. Waveset Technologies is offering its Inactive Account Scanner, which ferrets out dormant accounts, for free.

However, the process must also account for social engineering. That means teaching employees not to share passwords and administrators not to reactivate closed accounts.

For example, there was one case where a former Coast Guard employee was able to hack into a database using a password given to her by an unsuspecting coworker. The result: A bill of $50,000 and 2,900 staff hours to repair the damage.

end sidebar
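
The ghost-account check the sidebar describes can be sketched as a reconciliation of an HR separation roster against per-system account exports. This is an added example, not code from the book or from any of the provisioning products named above; the record layout, employee IDs, account names, and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR separation roster (employee id -> last working day).
SEPARATED = {"e1007": date(2002, 3, 1), "e1042": date(2002, 4, 15)}

# Constructed per-system account exports:
# (system, account, owner id, enabled, last login or None if never used).
ACCOUNTS = [
    ("mainframe", "JDOE", "e1007", False, date(2002, 2, 27)),
    ("vpn", "jdoe", "e1007", True, date(2002, 3, 9)),
    ("email", "jdoe@example.com", "e1007", True, date(2002, 2, 28)),
    ("dial-in", "asmith", "e1042", True, None),
    ("fileserver", "bjones", "e2001", True, date(2001, 9, 3)),
    ("intranet", "bjones", "e2001", True, date(2002, 5, 2)),
]

def audit_accounts(accounts, separated, today, dormant_days=90):
    """Return (ghost, dormant) findings, each a list of dicts."""
    ghost, dormant = [], []
    for system, account, owner, enabled, last_login in accounts:
        if not enabled:
            continue  # already deprovisioned on this system
        left = separated.get(owner)
        if left is not None:
            ghost.append({
                "system": system, "account": account, "owner": owner,
                # A login after the departure date means the back door was used.
                "used_after_exit": last_login is not None and last_login > left,
            })
        elif last_login is None or (today - last_login).days > dormant_days:
            dormant.append({"system": system, "account": account, "owner": owner})
    # Used-after-exit accounts first: those need investigation, not just cleanup.
    ghost.sort(key=lambda g: not g["used_after_exit"])
    return ghost, dormant

if __name__ == "__main__":
    ghost, dormant = audit_accounts(ACCOUNTS, SEPARATED, today=date(2002, 5, 10))
    for g in ghost:
        flag = "USED AFTER EXIT" if g["used_after_exit"] else "still enabled"
        print(f"GHOST   {g['system']:<10} {g['account']:<18} {g['owner']}  {flag}")
    for d in dormant:
        print(f"DORMANT {d['system']:<10} {d['account']:<18} {d['owner']}")
```

Running the same reconciliation after each separation is what turns a manual deprovisioning step into one whose completion can be verified per system.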

The U.S. Secret Service, which splits its focus between protecting heads of state and conducting criminal investigations, is handling twice as many cases that involve insider attacks as occurred in 2001. And the FBI is currently investigating four such cases in New England alone.

Eighty percent (80%) of the cases are from the inside or from people who were formerly with an organization. When you conduct an investigation, that’s one of the first areas you need to look at now. It’s not if you’re going to be attacked, but when you’re going to be attacked.

Ninety-five percent (95%) of the break-ins they’re called in to handle are insider-based. An insider attack really gets the attention of the company, because an insider has access to all the critical systems. If they want to do damage, they know how. A company’s decision to protect itself isn’t just a technology decision. It’s a business decision.

Grocer Victimized

In the Miami case previously mentioned, Herbert Pierre-Louis, a hardware engineer who worked in the IT department at Purity Wholesale Grocers, is being charged with computer sabotage for the June 18, 1998, incident at the $2.6 billion national grocery outlet based in Boca Raton, Fla. The Assistant U.S. Attorney indicated the damage was well over the $6,000 waterline that is one of the key factors making this a federal crime.

The FBI warns that this is a time when companies should be particularly cautious. In light of the economy and the downturn and layoffs, companies should pay attention to this. These are not isolated events. They have an awful lot of trust in computer people in these companies.

That’s a lesson Omega Engineering’s Bridgeport, New Jersey, manufacturing plant learned the hard way. In the summer of 1997, a software timebomb went off in the plant’s computer network, systematically eradicating all the programs that ran the company’s manufacturing operations. Exacerbating the problem, Omega’s only back-up tape was missing. The manufacturing plant was no longer able to manufacture. Company executives, in a 2001 trial in U.S. District Court in Newark, New Jersey, indicated that the company had yet to fully recover. The incident caused $23 million in damages and led to Omega losing its footing in the high-tech instrument and measurement market and the eventual layoff of 90 employees.

Omega’s former network administrator was charged with sabotaging the network he helped build. He was found guilty after a four-week trial. The judge later set that verdict aside after a juror told the court she was unsure whether a piece of information she had heard on television news had been factored into her verdict.

The government appealed the judge’s ruling, taking its case in front of the Third Circuit Court of Appeals in Philadelphia this past April. A ruling is pending.

The employee was charged under a relatively new statute that made computer sabotage a federal offense if it affected a computer used in interstate commerce and caused more than $5,000 worth of damage to the company over a 12-month span. That was the first federal criminal prosecution of computer sabotage.

Similar Cases Prosecuted

Now that same statute is being used in three other cases. One of those cases charges a network consultant with sabotaging the computer network at one of his clients, Steinberg Diagnostic Medical Imaging in Las Vegas. The consultant is charged with three counts of network intrusion for changing passwords in the network, which locked administrators out of their own system. The Assistant U.S. Attorney notes in the indictment that the consultant allegedly hacked the system on three different days between late February and early March of 2001.

The consultant, working with a partner, had been hired as a subcontractor by the medical imaging company, according to sources close to the investigation. Both the deal and the partnership fell through, and the consultant’s partner went to work for Steinberg Diagnostic as a system administrator. The government contends that the consultant attacked the system to gain revenge. The damage had to have added up to at least $5,000 for the consultant to be charged with a federal offense.

In the summer of 2001, a former help desk worker at Bricsnet, a Portsmouth, New Hampshire, application service provider for the construction and design industry, was found guilty on federal charges of network sabotage for hacking into Bricsnet’s system after being fired in the fall of 2000. The worker pleaded guilty to breaking into the system twice using a supervisor’s password (once the night he was fired and again the next morning) to delete a total of 786 files, change user access levels, and send e-mails to Bricsnet clients saying the company’s project center would be temporarily or permanently shut down.

The attack, which was discovered by another Bricsnet employee the next day, cost the company $24,725 in in-house repair costs. Some of the destroyed files could not be restored.

His activities were meant to cause as much damage as possible. It was malicious. And putting a financial number on the loss is misleading. How do you quantify the impact when customers receive these kinds of damaging e-mails? You can’t put a dollar on that. Would a company pay $24,000 not to have that happen?

Administrators took basic security precautions after firing the worker, who had broken company rules against moonlighting and other activities. They terminated the worker’s password, log-on, and user accounts. They also changed the code on their building’s keypad and escorted the worker from the building.

There was no sense of foreboding. These steps were routine. Certainly, Bricsnet had an extensive security system in place, but they were always thinking of outside intrusion.

The incident, which the FBI traced back to the worker in less than a week, has changed the way the company evaluates its security needs. Since the attack, Bricsnet has re-evaluated its security system and limited network access.

Bricsnet is acutely aware of the damage a disgruntled employee can cause. People took it personally. For someone you’ve worked with on a daily basis, it certainly was an element of betrayal for them.

Finally, let’s examine the latest outlook for the future. This chapter will end by taking a look at a new breed of hackers: the drive-by hackers.



Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
