New Levels of Cyber-Badness
Nov 1, 2006 12:00 PM, By SANDRA KAY MILLER
In 1983, Hollywood put computer crime in the spotlight. Many might remember the computers at NORAD playing tic-tac-toe after being hacked in the hit movie “War Games.” But few recall Richard Pryor ripping off his company by writing a computer program that could harvest the fraction of a cent left over by the company's financial transactions in “Superman III.” Maybe it has something to do with the remainder of the plot, in which Pryor hacks a satellite to give his boss total control over the weather. In the 1980s, the idea of using computers to steal from employers was still fodder for fantasy flicks.
Fast-forward 25 years. Corporate cybercrime is now commonplace and rampant. In September 2006, the FBI put a $400 billion price tag on cybercrime, a virtual typhoon of criminal activity that includes corporate espionage, identity theft, phishing, botnets and money laundering. Furthermore, FBI officials contend that the numbers for corporate cybercrime are under-reported, as many organizations forgo reporting cybercrimes in an effort to stave off embarrassment and the financial repercussions that often follow public disclosure of security breaches.
In the opening session of the Institute for Applied Network Security forums, which are aimed at security professionals of Fortune 500 companies, government and educational institutions, institute founders Phil Gardner and Jack Phillips offer a concrete example of corporate losses caused by cybercrime. The pair point to Polo Ralph Lauren Corp., a publicly traded company whose shares saw a spike in trading volume combined with a drop from $38 to $35 per share after it revealed a corporate data breach. This resulted in a financial loss of $163 million. More typically, corporate cybercrimes cannot be assigned hard numbers: the theft of data and intellectual property, the interruption of business continuity and attacks in which customers become the targets all resist precise valuation.
Virtual theft
When the assistant manager of an exclusive historic resort in southern California asked the resort's IT manager to export all the contact data and past information about groups who had booked meeting facilities from the property management system into an Access database, the IT manager accepted his superior's justification that it was for “backup purposes.” A sinking feeling overtook the IT manager when, less than a week later, the assistant manager suddenly left the company to head up the corporate meeting division for a competitor. Within weeks, it was revealed that the former employee was actively soliciting clients from his former employer's database. Since the resort had no access control or “non-compete” policies in place, it was forced to lower its rates and offer added incentives to gain back its original clients.
In addition to critical customer data, digital intellectual property theft can be financially devastating for the victim. During an Outdoor Retailer Expo's Winter Market in Utah, a laptop that belonged to a leading outdoor footwear company's executive was stolen from the company's booth. The executive did not bother to inform the IT department of the incident until returning from the convention, believing that the thief was only interested in the expensive hardware. Eventually, the person who stole the laptop began using it to dial into the corporate network through a terminal server, thus gaining complete access to company data. It was only when an Asian footwear manufacturer introduced an identical, less expensive version of the same line of footwear the U.S. company had planned to release, that the executive realized a crime had been committed.
In both instances, assigning a dollar amount to the losses is problematic. How much business did the resort really lose? What were the costs of retaining existing customers through reduced prices and added perks? In the case of the footwear retailer, there was the added twist of dealing with international trade laws and trying to determine how many sales it lost.
The U.S. Commerce Department estimates intellectual property theft at $250 billion each year. That is roughly the financial equivalent of repairing the damage from Hurricane Katrina four times. On a global scale, the International Chamber of Commerce lists fiscal loss from intellectual property theft in excess of $600 billion a year.
Outright attacks
Countless organizations of all sizes, especially those that operate exclusively online, have been brought to a grinding halt by Denial-of-Service (DoS) attacks. These attacks occur when a flood of fake requests is sent to an organization's server. The requests slow the system's performance and, ultimately, crash the system.
Though technologies such as firewalls are able to cut off an offending IP address generating a DoS attack, hackers will step up their assaults through distributed denial-of-service (DDoS) attacks. These are often launched through numerous systems compromised by malware such as MyDoom, a recent mass-mailing worm that carried the capacity to launch a 12-day DoS attack. According to the Mi2G Intelligence Unit, the MyDoom worm traversed 215 countries and cost corporations money through help desk support, IT overtime, bandwidth clogging, productivity erosion and management time reallocation. Online giants including eBay, Amazon.com, Yahoo! and CNN.com have all reported DDoS attacks to the FBI. Despite relatively short outage times ranging from 30 minutes to three hours, such an attack is a major interruption in business, especially for online retailers whose revenue can be negatively affected.
Cyber criminals are also launching DDoS attacks at online gambling establishments for extortion. Jim Slaby, a senior analyst for the technology research and consulting firm, Yankee Group, Boston, says there is money to be made in extortion when it involves Internet gaming sites. As with corporate security breaches, extortion threats associated with DDoS attacks are rarely made public. “There is a lot at stake in preventing news of attacks from getting out,” Slaby says. “The knowledge of a threat alone is enough to drive customers away from a business.”
Security giant Symantec Corp., Cupertino, Calif., listed e-commerce as the most targeted industry for cyberattacks in a recent Internet Security Threat Report. Statistics showed an increase in DDoS botnet attacks from 2,000 per day in early 2004 to more than 30,000 per day by September of the same year. Cyber attackers are also using wireless networks and VoIP applications to launch DoS and DDoS attacks. “Anyone can launch a wireless DoS attack from a company's parking lot with $20 of equipment from Radio Shack and a laptop,” says Jai Rawat, vice president of product management for AirTight Networks, Mountain View, Calif., which has introduced a wireless firewall for mitigating DoS attacks against 802.11 networks.
Malware abounds
The Computer Crime and Security Survey, a joint report from the FBI and Computer Security Institute, reports that viruses and DoS attacks cause the most financial losses of any form of cybercrime.
Bob Bales, a long-time veteran of the security industry, has watched cyber criminals evolve from young, malcontent cyber-graffiti artists to internationally organized crime rings capable of stealing millions of dollars. In 1990, Bales founded the National Computer Security Association (NCSA), which morphed into the International Computer Security Society (ICSA) and then became TruSecure, which was eventually acquired by Cybertrust, Herndon, Va. He also founded PestPatrol in 2000, which was sold to Computer Associates, Islandia, N.Y., in 2004. Bales' latest venture, Exploit Prevention Labs, Marietta, Ga., (explabs.com) follows the trends cyber criminals have begun using in their latest methods for committing online crimes.
“There are different levels of ‘badness’ we're seeing today,” Bales says.
He explains that with PestPatrol, the primary target was adware, which he describes as “unethical.”
Exploit Prevention Labs officials classify malicious code such as phishing, worms, spyware, rootkits and keyloggers — tools that are quickly becoming the keys to committing online financial crimes — as “strictly bad.”
Phishing, a combination of technology and social engineering capable of harvesting private data to be used to commit theft and fraud, is one of the latest manifestations of cybercrime. In 2005, eBay and PayPal were the top targets for phishing schemes. These fake sites target financial institutions and are usually hosted on machines in foreign countries that are only active for 24 to 48 hours, making them more difficult to locate and shut down.
Although consumers are the primary targets of phishing scams, many companies experience financial impact by dealing with the fallout from customers who have been targeted by cyber criminals. In today's globally connected environment, organizations need to be proactive in their provisions to protect themselves against cybercrime or risk becoming a statistic.
© 2012 Penton Media Inc.