Internal Hackers | Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)

I l @ ve RuBoard

Attacks from the inside are the most common attack which causes financial loss. The internal hacker is someone who has valid access to a system but decides for whatever reason to perform unauthorized acts. This is often a disgruntled or dishonest employee. This is the type of hacker who can cause the most damage to a company's computers and data.

Internal hackers should be the information security officer's number one concern. They have both access to and knowledge of the organization's computing resources. The motives of in-house hackers will vary, but generally they are either trying to profit from their actions or seeking revenge on the company or an individual. The methods used to gain profit from hacking can range from directly manipulating financial information to selling information to competitors or convincing the company to pay the hacker as a consultant to repair the system he has destroyed . Attacks to seek revenge can take almost any form, depending on what the hacker thinks will damage the company or individual the most.

Disgruntled Employee

Disgruntled employees are the most dangerous type of hacker. This person may be anyone from an end user , who has access to the company's data, to a system programmer, who knows the system inside and out and has the ability to turn the system upside down. Disgruntled employees will not be stopped because the effort outweighs the value of the information. Often their goal is much more personal than financial.

Their intimate knowledge of the inner workings of the organization will be used to cause the most damage possible. They may understand how to go unnoticed and avoid being caught. Often internal hackers already have been given privileges which they will abuse to attack the system.

Patrick McKenna hacked into his former employer's computer server on two occasions over the Internet. On these occasions he deleted approximately 675 computer files, modified computer user accounts, altered billing records and transmitted e-mails, which purported to have originated from an authorized representative of the victim corporation, to over one hundred clients . Those e- mails contained false statements about business activities of the corporation.

McKenna was convicted for "unauthorized computer intrustion" and sentenced to serve six months in federal prison and ordered to pay $13,614.11 in restitution for the damage he caused. ^[2]

^[2] "Major Investigations: Patrick McKenna," National Infrastructure Protection Center .

Contracted Employee

Today, many positions within a company are outsourced to contractors or consultants . These people have a different relationship with the company from its employees and therefore need different controls.

Definitions of appropriate behavior and the scope of their duties should be made contractually. Contractors are not bound by employee policies and procedures. The contract with the contractor defines what he/she can and cannot do.

Contracted employees are often granted access to systems like regular employees, but they often lack the commitment to the employer. They may find that hacking a system is a way to make a fast buck, or they may be unhappy with their job and just want to cause trouble. They are also targets of competitors who want to gather internal company information. Sometimes, just being refused a raise is enough to set them off.

A former subcontractor named Robert M. Abarbanel had worked for several years as an instructor for Dan Keller Technical Services, a technical training business. In the spring of 1998, he asked for an increase in his billing rate, which was refused.

Abarbanel attempted to hack his way into the company network and bombarded it with literally hundreds of e-mails, many containing threats. Other activities by Abarbanel included supplying Dan Keller's e-mail address to a variety of Internet sign-up lists for e-mail from retailers, alumni associations, etc., the purpose being, presumably, to cause a flood of junk e-mail. He also forged an e-mail message in which Keller "confessed" to owing him a lot of money.

Abarbanel's six-month rampage finally ended when the court granted a restraining order. He seems finally to have gotten the message and hasn't contacted Keller since. ^[3]

^[3] Keller, Dan, "Hackers on the Internet: The Threat Is Real!, " www.keller.com/attack/, September 1999.

Indirectly Contracted Employee

Most companies are located in a building which is shared by other tenants. The building will often provide certain shared services such as building security, office cleaning, business equipment repair, and utilities maintenance. Building owners will contract out these services to companies with which your company has no association.

Your company has very little control over these indirect contractors. There is a legal, contractual relationship with the facilities owner who in turn has a contract with them, but any actions have to follow this indirect path .

However, these indirectly contracted employees will require access to your facilities to provide their services, usually outside of regular business hours. In fact, these people may come and go so regularly that their presence is not noticed and without going through the normal security process.

These type of services companies often express their trustworthiness by being bonded and insured. This may offer some financial relief, but rarely is it useful in response to a computer crime. Their employees are often low-paid workers, who are targeted by computer criminals.

A U.S. defense contractor, subcontracted with a foreign firm for onsite contractors. These foreign contractors were allowed access only to the areas of the premises that were necessary to their duties. However, they used their knowledge of the company's computer system to access other areas of the company's computer network, which were off limits to non-U.S. employees. The foreign contractors were able to access proprietary and potentially classified information regarding the U.S. company's government contracts. Their activities jeopardized the competitiveness of the company and posed a potential threat to U.S. national security. ^[4]

^[4] "Statement of Louis J. Freeh, Director Federal Bureau of Investigation," Senate Select Committee on Intelligence , 28 January 1998.

I l @ ve RuBoard