Feds feel bite of cybercrime


Is cyberterrorism a real threat? Not everyone shares that opinion

What constitutes cyberterrorism?

Is it a serious threat, or does it just present a nuisance? Are companies selling hype, or do they actually offer security solutions that will protect government and industry from the effects of an attack?
These are some of the questions raised in the wake of a controversy that stirred attendees at the Techno Security 2005 conference in Myrtle Beach, S.C., earlier this month.
In one corner was Marcus Ranum, chief technology officer for Tenable Security Inc. of Columbia, Md., who accused the security industry of playing on fears of terrorism in order to close sales with companies and agencies.
'Pundits make a huge leap from messing with the electronic infrastructure to, 'You'll lose your mind and die,' ' Ranum said.

Malicious software

In the other corner, Chet Hosmer, president and chief executive officer of WetStone Technologies Inc. of Cortland, N.Y., pointed to the explosion of free hacking software, spyware, password crackers and other types of malicious software, and asked rhetorically whether anyone believes those programs are intended for benign use.
Someone could try to sabotage the computer-based train dispatching system in, say, Kansas City, by using a key logger and getting hold of a password, he said. A hacker then could introduce a virus or change lines of code, which could have a ripple effect on other services, Hosmer said.
The fact that there hasn't been a terrorist cyberattack shows that it is not easy and doesn't necessarily have a big payday, Ranum countered.
But Hosmer said there have been such attacks, citing one virus that spread throughout the Internet in about 15 minutes.
There was no agreement between the two men, or their supporters on either side of the aisle, and this is a debate that will likely continue for a while.

- Patience Wait

Glossary of cybercrime

Phishing. Scams that use e-mail or pop-up messages to trick people into disclosing sensitive information that can be used for fraudulent activities, including identity theft.

Pharming. This is a technique that 'poisons' a Domain Name System server by infusing false information into the server, resulting in a user's request being redirected elsewhere, even though the user's browser shows the correct address. Phishing targets victims one at a time; pharming targets large groups of people.

Spam. Electronic junk mail.

Spyware. Generally falls into one of two categories, advertising or surveillance, according to the Government Accountability Office:
Advertising spyware can collect information such as a user's IP address, Internet use, online buying habits and e-mail address.
Surveillance spyware usually is surreptitiously downloaded onto a person's computer specifically to steal information or monitor access. It can be as simple as a key-logging program that records each key stroke (making it easy to steal passwords, for instance), or as sophisticated as a capture program that will steal and transmit virtually everything done on a particular computer.

Trojan horse. An apparently useful and innocent program containing additional hidden code, which allows unauthorized collection, exploitation, falsification or destruction of data.

There is something about the Federal Deposit Insurance Corp. that seems to attract cybercrime.
Earlier this month the agency had to notify 6,000 current and former employees of a data breach that could put them at risk of fraud or identity theft.

The FDIC also has been used as a decoy in phishing schemes by con artists looking to separate consumers from their money. Spam e-mail claims to come from the agency, warning that user bank accounts are going to be frozen while the Homeland Security Department investigates violations of the U.S. Patriot Act.

But the financial agency is not alone. The FBI and other federal agencies have been used as decoys in other scams.

Despite these examples, government agencies apparently have been slow to realize that they, too, could be vulnerable to Internet scams, spoofs and spyware.

The Government Accountability Office recently weighed in on cybercrime, finding that federal agencies do not appreciate the dangers of phishing and other cyberthreats.

'Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs,' auditors said in a report released last month.

Of the 24 federal agencies surveyed by GAO, 19 identified the nonsecurity effects of spam, such as reduced system performance and the cost of filtering e-mail, as problems. When it came to phishing, 14 agencies said that the scam had limited or no effect on their systems and operations. As for spyware, 11 agencies said it caused a loss of employee productivity or required more help desk support. One agency 'stated that spyware was simply a nuisance to its users,' GAO said.

Phishing is the fastest-growing, largest fraud activity in U.S. history, according to a government expert speaking at the Techno Security 2005 conference in Myrtle Beach, S.C., earlier this month.

Stanley Crowder, a special agent with the Secret Service's Electronic Crimes Task Force section, told a standing-room-only audience that the agency estimates that phishing schemes raked in more than $3 billion since April 2003, by blasting out 57 million e-mails. It has grown 15 percent a month for the past 10 months, or close to 300 percent overall.


And phishing is not the only threat. A new Internet con, domain spoofing, called 'pharming' (in which traffic going to a legitimate Web site is redirected to a fake site), is beginning to spread.
Then there's spam, spyware and malware: malicious software such as viruses, worms and Trojan horses.

He warned that malware is now in over 50 percent of phishing attacks. But 'malware is hard or impossible to detect via anti-spyware.'
Many of these schemes are originating in other countries, particularly Eastern Europe, Crowder said. 'In 2004, there was a 'how-to' conference in Kiev, Ukraine.'

Hostile interests

Addressing Techno Security attendees, Chet Hosmer, president and CEO of WetStone Technologies Inc. of Cortland, N.Y., also spoke about the dangers of cybercrime, and the possible connection to interests hostile to the United States. From September 2004 to May 2005 there were almost 3 million documented downloads of password-cracking software, more than 2 million downloads of key-logging software and more than 1.2 million downloads of spyware, Hosmer said. 'Those download numbers are only the tip of the iceberg. They're only collected from a handful of download sites willing to give us the data, [so] we're only looking at a small piece of the puzzle,' he said.

There are dozens, if not hundreds, of other Web sites that also provide these free tools, and their data is unavailable, he said.

The most common cybertool that could be used for illicit intent was password-cracking software, Hosmer said. In 2004 alone, almost 140 new applications used to crack passwords were released, most as downloadable freeware. While there are legitimate uses for this, such as systems administrators who need to gain access to files when a user has forgotten his password, Hosmer said, the illegal opportunities are obvious.

Many of these activities are related to the explosive growth of Internet-based crime, and it is reasonable, indeed likely, to suspect that enemies of the country are participating, Hosmer said. While the bulk of these tools originate in the U.S., there has been significant growth in tools developed in Asian and European countries.

'Is it such a stretch to think that someone sees these as weapons that can be used against government systems?' he said. 'Because we haven't heard that it has happened yet is no reason to not guard against it.'

GAO recommended that agencies include emerging threats in their required risk assessments and planning required under the Federal Information Security Management Act. It also called upon the Office of Management and Budget, the Homeland Security Department and the attorney general to develop guidelines for comprehensive incident reporting.

GCN staff writer William Jackson contributed to this article.
