Information Security News mailing list archives

Hacking up, disclosure down, FBI survey says


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Apr 2002 00:22:38 -0500 (CDT)

http://www.nandotimes.com/technology/story/347520p-2853392c.html

By D. IAN HOPPER, AP Technology Writer 

WASHINGTON (April 7, 2002 12:18 a.m. EST) - Most large corporations
and government agencies have been attacked by computer hackers, but
more and more frequently they do not inform authorities of the
breaches, an FBI survey finds.

The survey released Sunday found about 90 percent of respondents
detected computer security breaches in the past year but only 34
percent reported those attacks to authorities.

Many respondents cited the fear of bad publicity about computer
security.

"There is much more illegal and unauthorized activity going on in
cyberspace than corporations admit to their clients, stockholders and
business partners or report to law enforcement," said Patrice Rapalus,
director of the Computer Security Institute, which conducted the
survey with the FBI's San Francisco computer crime squad.

The seventh annual survey polled 503 American corporations, government
agencies, financial and medical institutions and universities. The
names of the organizations polled were not released.

Overall, there were more computer crimes than in last year's survey.  
But fewer victims reported crimes to police than in 2001, reversing a
trend from earlier surveys.

A former Justice Department computer crimes prosecutor said there is
frequently little incentive for a company to report computer attacks
or crimes.

"It tends not to help their bottom line, but hurt their bottom line,"  
Mark Rasch said. "What a company wants to do is solve the problem and
move on."

When those companies are financial institutions or other parts of the
nation's critical technology infrastructure, however, more than the
company's bottom line is at stake.

The government is using partnership groups - such as the FBI's
InfraGard chapters in each field office - to persuade companies to
report the attacks directly to FBI agents without public disclosure.

"They need to use a mechanism to report these incidents and
vulnerabilities broadly so they can be fixed, but won't be
attributable back to them," Rasch said.

The survey respondents said they lost at least $455 million as a
result of computer crime, compared with $377 million the previous
year. In both surveys, only about half chose to quantify their losses.

The most serious monetary losses came from the theft of money or
proprietary information, such as blueprints for computer programs, and
fraud, such as failure to deliver services or equipment that have been
paid for.

Despite concerns that foreign governments would begin using computer
attacks as a method of terrorism or war, most attacks on American
companies still come from individual hackers and disgruntled
employees, the report said.

The survey also addresses the increasing frequency of attacks on
Internet retailers. There have been several reports of thefts of
credit card data over the past year, including some instances in which
the thief threatened to release sensitive data unless the victim paid
a ransom.

WorldCom, The New York Times and others have had holes exposed in
their Web security, leading to unwanted intruders.

Thirty-eight percent of the respondents said their Web sites have been
broken into over the past year, and 21 percent said they were not
sure. Eighteen percent reported some sort of theft of transaction
information, such as credit card numbers or customer data, or
financial fraud.

Seventy percent of organizations reported online graffiti, usually the
simplest and least damaging type of attack. A graffiti hacker replaces
the Web site's front page with his or her own text and, sometimes,
offensive pictures.

Companies are also seeing problems from within. Seventy-eight percent
said their employees abused Internet privileges, including downloading
pornography or pirated software.



-
ISN is currently hosted by Attrition.org
