Information Security News mailing list archives

The Enemy Within


From: InfoSec News <isn () c4i org>
Date: Tue, 10 Jul 2001 04:30:22 -0500 (CDT)

http://www.computerworld.com/itresources/rcstory/0,4167,STO61983_KEY73,00.html

By DAN VERTON 
July 09, 2001

It's January 2000, and the world hasn't imploded under the weight of
the Y2k problem. Planes aren't falling out of the sky, and trains
aren't careening off their tracks. But in a few short months, Craig
Goldberg's start-up will come face to face with a more sinister threat
that will take it to the brink of disaster: cybercrime.

The CEO of Internet Trading Technologies Inc. (ITTI), a New York-based
technology subsidiary of stock trade regulator LaBranche & Co., had
just completed a second round of funding that helped fuel an expansion
of the company's IT staff. Within two months, Goldberg hired a
half-dozen more software developers and tapped a CIO with 15 years of
experience to take on the role of chief operating officer.

Trouble lurked beneath the surface, however. Two of the company's
software developers approached ITTI's new COO and demanded that the
company "pay them a lot of money or they will resign immediately and
not provide any assistance to the development team," according to
Goldberg, who eventually succumbed to the demands.

But that wasn't enough for the two developers, who left the premises,
demanded more money and stock options and threatened to let the
development work founder. "It felt like we were being held up," says
Goldberg. Faced with the equivalent of a cyberhijacking, he refused to
budge, and the developers were dismissed.

The first denial-of-service attack hit the next morning, a Thursday,
and crashed the company's application server. Somebody sitting at a
computer in a downtown Manhattan Kinko's had gained access to ITTI's
server using an internal development password. The server was brought
back online, only to be hit again two minutes later, says Goldberg.
Passwords were changed, and development systems were air-gapped -
physically disconnected - from the Internet. But the attacks continued
through the weekend.

The situation soon became critical. "If the attacks continued to go
on, we would go out of business," Goldberg says. He called in a
security consulting firm and the Secret Service.

The last attack, which occurred Monday morning, hit as federal
authorities were installing monitoring equipment on ITTI's networks.
Authorities traced the attacker to a computer at Queens College in
Flushing, N.Y., where one of the former employees was a student.
Witnesses placed the individual at the specific computer at the
precise time of the attack. Within an hour, the Secret Service
officials had their man. No evidence or charges were brought against
the other former employee.

Stress Points

Experts agree that cybercrimes, such as the one perpetrated against
ITTI, are often the result of a combination of factors that are unique
to the modern IT workplace. Although most managers believe, as
Goldberg says, that "security is both about risk management and hiring
honest people," experts in criminal psychology say the onus is often
on managers to take action to prevent current and former employees
from lashing out in the form of cybercrime.

Jerrold Post, a professor of psychiatry at The George Washington
University in Washington, developed the "Camp David profiles," which
focus on understanding the psychology of terrorism and political
violence. They were developed for then-President Jimmy Carter. Post
says cybercrime can be seen as a subset of workplace violence, where
employees become frustrated but have no way to mitigate the stress.

"In almost every case, the act which occurs in the information system
era is the reflection of unmet personal needs that are channeled into
the area of expertise," says Post. "Almost all of these people are
loyal at the time of hiring, so this isn't a matter of screening them
out."

Post acknowledges that only a small percentage of IT workers who share
a common set of personality traits actually commit crimes. However,
for those who do become cyberoffenders, their actions are often the
result of not having skilled managers who can alleviate workplace
stressors, he says.

Post suggests several approaches that managers can take to both
identify and alleviate those stressors for employees, including
providing more distinct career paths. He also says managers need to
acquire better leadership skills to help people feel like they really
matter to an organization.

Bill Tafoya has spent the better part of the past 25 years profiling
criminals. A former special agent at the FBI and now a professor of
criminal justice at Governors State University in University Park,
Ill., Tafoya says many IT workers today sometimes feel browbeaten by
their employers.

"Most of the time, however, they merely become cynics who infect
co-workers with their misanthropic view and undertake career-long,
one-person work slowdowns," he says.

Managers often mishandle difficult situations, he says. "In some
organizations, when personnel falter and are subsequently disciplined,
the records department is a favorite reassignment [that] management
uses for purposes of punishing the miscreant," Tafoya says. "I ask
you, who is being punished?" Career paths need to be developed for IT
personnel who handle a company's crown jewels - its information, he
adds.

Obviously, not all cybercrimes occur as a result of frustrated
employees. Many computer security breaches are the acts of dishonest
people who crack into systems from the outside using the Internet.

Sometimes, they get a little indirect help from unsuspecting
employees.

In February, a major bank in the Northeast whose name is being
withheld for security purposes discovered that unauthorized purchases
were being made on the Internet using its customers' information. The
bank called the Emergency Response Team (ERT) at Internet Security
Systems Inc. (ISS), an Atlanta-based security firm. After 131 hours of
forensics processing, both ISS and bank officials suspected that a
mole in the company was helping the attacker.

"The client was convinced there was a collaborator and was ready to
terminate a number of individuals, as well as contractors," said Allan
Fideli, director of the ERT and the former chief of worldwide security
at IBM. However, Fideli and another analyst eventually narrowed down
the perpetrator to a contractor in Europe who had stolen passwords
from his mother-in-law, who was an employee of the bank.

Scott Christie, an assistant attorney at the U.S. Attorney's Office
for the District of New Jersey in Newark, says a lack of oversight is
a key enabler in many cybercrime cases.

"Without any oversight, [criminals] can do what they want without fear
of being caught," says Christie.

Richard Hunter, an analyst at Stamford, Conn.-based Gartner Inc., says
management inattention can be a contributing factor. "Some managers
are inattentive to the point that they do not even check resumes for
people being hired into positions where sensitive data is available,"
says Hunter.

Although Post acknowledges that the majority of hackers are little
more than garden-variety criminals, the world of cybercrime does have
its share of Lee Harvey Oswalds, he says. The most recent example is
Abraham Abdallah, a 32-year-old Brooklyn busboy who in March managed
to pull off the biggest Internet identity heist in history by stealing
the online identities of 200 of the richest people in America.

There is little difference in motivation between criminals like
Abdallah and Oswald, says Post. "To steal somebody's identity is to
escape from one's place of insignificance. It's a special species of
assassination," he says.

For Tafoya, the assassination metaphor goes too far. "Those who have
been so victimized see the theft of their identity as more akin to
rape," he says.

According to ITTI's Goldberg, however, cybercrime is about greed. "We
talked and negotiated in good faith, but at a certain point in time,
it becomes extortion," he says.




ISN is hosted by SecurityFocus.com