Information Security News mailing list archives

Cyber-Extortion: When Data Is Held Hostage


From: InfoSec News <isn () C4I ORG>
Date: Wed, 23 Aug 2000 03:10:40 -0500

http://www.businessweek.com/bwdaily/dnflash/aug2000/nf20000822_308.htm

AUGUST 22, 2000

By Alex Salkever

Here's an issue facing more and more e-businesses -- malicious hackers
who demand a payoff to keep their security breaches secret

Under most circumstances, a business decision involving $200,000
wouldn't be important enough to require a personal appearance from the
CEO of a $2 billion corporation, let alone a special trip to London
from New York. But media titan Michael Bloomberg made such a trip Aug.
10. And he did it to prove that cyber-extortion will not go unpunished
at his company.

Bloomberg went to meet with two Kazakhs named Oleg Zezov, 27, and Igor
Yarimaka, 37, who were allegedly demanding $200,000 in "consulting"
fees. For this, they would reveal how they had allegedly compromised
the Byzantine Bloomberg computer systems, an exploit the Kazakhs
allegedly proved by e-mailing Bloomberg the photograph from his own
corporate ID badge.

With thousands of financial institutions and other customers trading
billions of dollars daily in stocks and bonds based on information
from Bloomberg terminals, the threat of a hacked system could have
proven catastrophic for both the media company and its Wall Street
customers.

KEEPING QUIET.  Fortunately, this James Bond tale had a happy ending.
Bloomberg reportedly brought two London police officers, one posing as
a company executive and the other as a translator, to the meeting.
They promptly arrested Zezov and Yarimaka, who have each been charged
with three felony counts, including extortion and unauthorized
computer intrusion, in the U.S.

Despite the outcome, the incident requires a closer look. Although
computer-security experts believe cyber-extortion remains relatively
infrequent, incidents such as the Bloomberg case are becoming more
common. "This happens all the time. We see this on a pretty periodic
basis. I personally get called in to these once a month, and you
usually don't hear about them," says Chris Rouland, the director of
the special-response team at Internet Security Systems, a
computer-security consulting firm.

Rouland believes that the number of cyber-extortion cases around the
globe could range in the low thousands each year. No statistics back
that up, largely due to the fear companies have of revealing that
their systems have been compromised. Companies aren't comfortable so
far talking to the media about this, Rouland says. "It's indicative
that the organization was compromised and could bring further attack.
It could make customers uncomfortable using [the targeted companies']
technology," he says. That's a view voiced by most of the security
professionals who have dealt with these cases, and it's one that
remains unlikely to change in the near term, as the fear of bad PR
increases.

CAREFUL ENGAGEMENT.  Dealing with cyber-extortion bears a remarkable
resemblance to dealing with real-world kidnappings, experts say.
First, a company needs to determine if it's facing a serious case
before mounting a costly response effort and security audit. "We
typically recommend to our clients that they weigh the value of the
damage to themselves vs. the potential liabilities. A small incident
that's a public embarrassment may very well not pay to prosecute,"
explains Tim Belcher, chief technology officer of information-security
firm RIPTech.

But when a company has determined that a cyber-extortion is real, it's
crucial to quickly contact the organization's decisionmakers, a task
often complicated by many companies' lack of experience with
cyber-attacks and the speed with which they can occur. At that point,
the company is advised to carefully engage the offending hackers while
at the same time beginning to mount a defense of its system. Ideally,
that means backing up and isolating the compromised computer servers.

In a case such as Bloomberg's, where the system comprises a massive
network of computers, isolating the unauthorized point of entry can
take months. For that reason, Bloomberg dragged out the negotiations
over time -- much like a hostage negotiator might. "I think you're put
in a particularly difficult position being contacted by a hacker who
has already compromised your system. How you respond and react can
lead to vastly different outcomes," says Belcher.

Indeed, Bloomberg's closely controlled engagement might never have
made the news if things had gone awry. For example, says Belcher, many
systems administrators mistakenly destroy evidence when they try to
fix problems in a computer system after a malicious hacker -- or
cracker -- has altered code.

CHICKEN RUN.  Others anger crackers by eliminating only some of the
"Trojan horses" used to ensure constant access to a system. "We have
seen systems that have been 'backdoored' 10 different ways. And if you
had missed No. 10 and gotten the first 9, the hacker would have come
back in. And then the hacker has a reason to be upset," says Belcher.
For a worst-case scenario, take what happened to online music store CD
Universe in January. Angry crackers dumped tens of thousands of
credit-card numbers from the store's customers onto the Web. In that
instance, the information escaped, and the game of chicken ended in
disaster.

Even when the company prevails, revealing the encounter can
potentially cost customers. In 1994, Citibank revealed a $10 million
theft of funds by crackers who had hacked the bank's systems. The
company recovered all but $400,000 of that loss, and the case resulted
in a felony conviction of the primary cracker. Still, several
computer-security consultants claim Citibank lost big customers as a
result of the case. Citibank has flatly denied those charges.

Hiding such cases creates the false illusion that no one gets caught
for cyber-extortion. For now, it appears that Zezov and Yarimaka will
receive a harsh but deserved lesson at the hands of a noted Wall
Street tough guy. Were everyone as brave as Michael Bloomberg and
Citibank, then potential crackers would clearly see the true
consequences of their actions. Maybe then cyber-extortion would fade
from an increasing concern to an insignificant event.

ISN is hosted by SecurityFocus.com