Information Security News mailing list archives

Hacking Threat Rises With High-Tech Layoffs


From: InfoSec News <isn () c4i org>
Date: Sun, 3 Jun 2001 17:08:01 -0500 (CDT)

http://ap.tbo.com/ap/breaking/MGAJV5G6JNC.html

By Brian Bergstein The Associated Press 
Published: Jun 3, 2001

HAYWARD, Calif. (AP) - When someone cracked Slip.net's computer
system, altered customer accounts and deleted important databases, the
Internet service provider didn't need to look far to find the
attacker.

It wasn't a criminal outfit seeking credit card numbers, and it wasn't
a scrawny whiz kid hacking away for a challenge in his dark bedroom.

It was Nicholas Middleton, a former computer administrator for
Slip.net, who had been unhappy at the San Francisco company and
recently quit. Middleton fought the resulting criminal charges on a
legal technicality but lost and got three years' probation.

Federal investigators say this type of computer crime is on the rise.
As layoffs become more common at technology companies, an increasing
number of disgruntled or fired employees are hacking their companies
in revenge.

"The whole nature of computer crimes has changed," said Agent Greg
Walton of the FBI's San Francisco-area computer intrusion squad. "The
problem at big companies is, the network administrator is probably the
last guy who finds out you got fired, and doesn't cut off your access.
Or it's the network administrator who gets fired, and he has access."

Walton and the nine other members of his squad - most of whom work out
of a small, nondescript suite in Hayward - have about 10 active
investigations involving allegations of hacking by disgruntled or
laid-off workers. It's a significant phenomenon, since the squad
usually works on 50 to 60 cases at a time.

The jury that convicted Middleton found he caused more than $40,000 in
damage to Slip.net, which spent days repairing its systems. Slip.net
was sold the next year.

Sometimes, the cost is not as problematic as the embarrassment a
former worker can create.

Take the case of Joseph Durnal, a former contract employee for Peak
Technologies in Columbia, Md. Durnal hacked its computer system and
sent e-mails purportedly from management - with a pornographic
attachment - telling workers the company was going out of business.
Durnal pleaded guilty and was ordered to pay $48,520 in restitution in
December.

Computer crimes of all kinds - by insiders and outsiders - are
increasing and getting more costly, according to a recent survey of
538 companies, universities and government agencies by the San
Francisco-based Computer Security Institute and the FBI.

Eighty-five percent said their networks were breached in the previous
year. The 186 respondents who were willing to quantify the damage they
suffered put their total losses at $378 million. In last year's
survey, 249 companies said they lost a total of $266 million.

Richard Power, the institute's editorial director, said former
employees need to be watched closely as firms downsize. "It is a known
fact, a rule of thumb, in (computer security) that you have got to pay
closer attention at times like these," he said.

At many Silicon Valley companies, laid-off workers are instantly
marched out of the building, with barely enough time to gather
personal belongings. Plainclothes and uniformed security guards are
usually on hand.

Still, the FBI worries that many companies aren't doing enough to keep
their computer systems secure. Agents emphasize the point in regular
lectures at Silicon Valley companies, especially ones going through
layoffs.

Walton often tells human resources managers: "Not only do you know who
you just hired, but do you know who you just fired?"

Ross Nadel, chief of the hacking and intellectual property unit in the
U.S. Attorney's Office in San Jose, said his team is also prosecuting
more cases involving thefts of trade secrets and break-ins at
corporate networks by former employees.

Though it makes sense that Silicon Valley's economic downturn is
responsible, more cases may be popping up simply because more
companies are reporting such crimes to authorities than in the past,
he said.

Indeed, in the report from the Computer Security Institute, 36 percent
of the companies, schools and agencies hacked in the previous year
said they reported the incident to law enforcement, up from 25 percent
the year before.

Nearly all the companies that didn't tell law enforcement about their
hacking problems said they feared negative publicity. Many file civil
suits against perpetrators instead.




ISN is hosted by SecurityFocus.com