Information Security News mailing list archives
Cyber-Extortion: When Data Is Held Hostage
From: InfoSec News <isn () C4I ORG>
Date: Wed, 23 Aug 2000 03:10:40 -0500
http://www.businessweek.com/bwdaily/dnflash/aug2000/nf20000822_308.htm

AUGUST 22, 2000

By Alex Salkever

Here's an issue facing more and more e-businesses -- malicious hackers who demand a payoff to keep their security breaches secret

Under most circumstances, a business decision involving $200,000 wouldn't be important enough to require a personal appearance from the CEO of a $2 billion corporation, let alone a special trip to London from New York. But media titan Michael Bloomberg made such a trip Aug. 10. And he did it to prove that cyber-extortion will not go unpunished at his company.

Bloomberg went to meet with two Kazakhs named Oleg Zezov, 27, and Igor Yarimaka, 37, who were allegedly demanding $200,000 in "consulting" fees. For this, they would reveal how they had allegedly compromised the Byzantine Bloomberg computer systems, an exploit the Kazakhs allegedly proved by e-mailing Bloomberg the photograph from his own corporate ID badge. With thousands of financial institutions and other customers trading billions of dollars daily in stocks and bonds based on information from Bloomberg terminals, the threat of a hacked system could have proven catastrophic for both the media company and its Wall Street customers.

KEEPING QUIET. Fortunately, this James Bond tale had a happy ending. Bloomberg reportedly brought two London police officers, one posing as a company executive and the other as a translator, to the meeting. They promptly arrested Zezov and Yarimaka, who have each been charged with three felony counts, including extortion and unauthorized computer intrusion, in the U.S.

Despite the outcome, the incident requires a closer look. Although computer-security experts believe cyber-extortion remains relatively infrequent, incidents such as the Bloomberg case are becoming more common. "This happens all the time. We see this on a pretty periodic basis. I personally get called in to these once a month, and you usually don't hear about them," says Chris Rouland, the director of the special-response team at Internet Security Systems, a computer-security consulting firm.

Rouland believes that the number of cyber-extortion cases around the globe could range in the low thousands each year. No statistics back that up, largely due to the fear companies have of revealing that their systems have been compromised. Companies aren't comfortable so far talking to the media about this, Rouland says. "It's indicative that the organization was compromised and could bring further attack. It could make customers uncomfortable using [the targeted companies'] technology," he says. That's a view voiced by most of the security professionals who have dealt with these cases, and it's one that remains unlikely to change in the near term, as the fear of bad PR increases.

CAREFUL ENGAGEMENT. Dealing with cyber-extortion bears a remarkable resemblance to dealing with real-world kidnappings, experts say. First, a company needs to determine if it's facing a serious case before mounting a costly response effort and security audit. "We typically recommend to our clients that they weigh the value of the damage to themselves vs. the potential liabilities. A small incident that's a public embarrassment may very well not pay to prosecute," explains Tim Belcher, chief technology officer of information-security firm RIPTech.

But when a company has determined that a cyber-extortion is real, it's crucial to quickly contact the organization's decisionmakers, a task often complicated by many companies' lack of experience with cyber-attacks and the speed with which they can occur. At that point, the company is advised to carefully engage the offending hackers while at the same time beginning to mount a defense of their system. Ideally, that means backing up and isolating the compromised computer servers. In a case such as Bloomberg's, where the system comprises a massive network of computers, isolating the unauthorized point of entry can take months. For that reason, Bloomberg dragged out the negotiations over time -- much like a hostage negotiator might.

"I think you're put in a particularly difficult position being contacted by a hacker who has already compromised your system. How you respond and react can lead to vastly different outcomes," says Belcher. Indeed, Bloomberg's closely controlled engagement might never have made the news if things had gone awry. For example, says Belcher, many systems administrators mistakenly destroy evidence when they try to fix problems in a computer system after a malicious hacker -- or cracker -- has altered code.

CHICKEN RUN. Others anger crackers by eliminating only some of the "Trojan horses" used to ensure constant access to a system. "We have seen systems that have been 'backdoored' 10 different ways. And if you had missed No. 10 and gotten the first 9, the hacker would have come back in. And then the hacker has a reason to be upset," says Belcher.

For a worst-case scenario, take what happened to online music store CD Universe in January. Angry crackers dumped tens of thousands of credit-card numbers from the store's customers onto the Web. In that instance, the information escaped, and the game of chicken ended in disaster.

Even when the company prevails, revealing the encounter can potentially cost customers. In 1994, Citibank revealed a $10 million theft of funds by crackers who had hacked the bank's systems. The company recovered all but $400,000 of that loss, and the case resulted in a felony conviction of the primary cracker. Still, several computer-security consultants claim Citibank lost big customers as a result of the case. Citibank has flatly denied those charges.

Hiding such cases creates the false illusion that no one gets caught for cyber-extortion. For now, it appears that Zezov and Yarimaka will receive a harsh but deserved lesson at the hands of a noted Wall Street tough guy. Were everyone as brave as Michael Bloomberg and Citibank, then potential crackers would clearly see the true consequences of their actions. Maybe then cyber-extortion would fade from an increasing concern to an insignificant event.