Cyberswindle!Hackers seem to be outflanking corporations in the latest round of cyberspace swindling - just ask Citibank, MCI (1) (Media Control Interface) A high-level programming interface from Microsoft and IBM for controlling multimedia devices. It provides commands and functions to open, play and close the device. (2) (Microwave Communications Inc. , and America Online, With the security-lax Internet expanding and PCs packing more punch, catastrophe is lurking around the corner. Of the dozens of towering structures climbing from the concrete jungle of midtown Manhattan, among the most distinctive is the Citibank Building, a 58-story structure with a roof cut sharply at a 45-degree angle. Near the top of that building, in sessions involving Citicorp CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. John S. Reed For other persons of the same name, see John Reed. John Shepard Reed (born 1939) is the former Chairman of the New York Stock Exchange. He previously served as Chairman and CEO of Citicorp, Citibank, and post-merger, Citigroup. , bank officials huddled not long ago to plot a response to perhaps the world's most ambitious computer crime, a racket that could have been lifted straight from a James Bond movie or a Tom Clancy novel. The full implications of the scam have become clear only in the last several months. According to court documents and bank sources, a ring of computer hackers led by Vladimir Leonidovich Levin, a 28-year-old from St. Petersburg, Russia, tried to siphon siphon (sī`fən, –fŏn), tube through which a liquid is lifted over an elevation by the pressure of the atmosphere and is then emptied at a lower level. up to $10 million in 1994 from Citibank's cash-management system, an electronic network that allows its corporate clients to transfer money to any bank account around the globe. The digital mobsters Mobsters is a 1991 crime drama detailing the creation of the National Crime Syndicate/The Commission. Set in New York City during the Prohibition era, it's a somewhat fictionalized account of rise of Charles "Lucky" Luciano, Meyer Lansky, Frank Costello, and Benjamin "Bugsy" , with outposts in Russia, Tel Aviv, San Francisco, and other locations, had succeeded in stealing some $400,000 before federal agents and bank officials flushed them out and shut them down in a sting operation. In the wake of the incident - the first recorded violation of the supposedly impregnable systems that move trillions of dollars a day around the world's banks - several gang members have pleaded guilty to bank-fraud charges, while Levin is fighting extradition in London. Some CEOs flatly deny there's a problem with computer security. Many others accept the blandishments of technology chiefs who insist that alps well; Citicorp's Reed likely was one of them before the Russian wolves raided his chicken coop. But here's the real deal: Many experts insist that the growing ranks of computer hackers - often young, white males who zip around the Internet under the cover of cartoon-hero names such as "Phiber Optik" and "Dark Shadow" - are tipping the balance in battles with corporate technology chiefs and software experts. Consider Volkswagen, fleeced for $260 million through forged currency-exchange transactions. Or American Airlines, four-flushed by travel agents who electronically chalked up 50 million frequent-flier miles. Brink's Armored Car Service proved a letter-perfect practitioner of just-in-time delivery, dropping off 44 kilos of gold to a rogue-computer programmer who disappeared without a trace. And in recent months, MCI Communications, America Online, General Electric, and hundreds of smaller companies joined the list of victims in what has become arguably the fastest-growing game in town. Some observers liken lik·en tr.v. lik·ened, lik·en·ing, lik·ens To see, mention, or show as similar; compare. [Middle English liknen, from like, similar; see like2 digital desperadoes to private posses, maintaining that criminals are driven as much by a hatred of authority as a desire for illicit financial gain - a response that may accelerate as downsizing (1) Converting mainframe and mini-based systems to client/server LANs. (2) To reduce equipment and associated costs by switching to a less-expensive system. (jargon) downsizing proceeds apace, real income declines, and fingers continue to point at both government and big business. Others say the problem is exacerbated by more powerful personal computers that are capable of penetrating the security systems of even the largest companies. Certainly at risk are users of the Internet, a rapidly expanding, but loosely protected, corporate conduit of data and dollars. Think you're immune? Consider the statistics and think again. More than 98 percent of respondents to a recent survey of corporate security directors by Michigan State University Michigan State University, at East Lansing; land-grant and state supported; coeducational; chartered 1855. It opened in 1857 as Michigan Agricultural College, the first state agricultural college. said their companies had been victims of computer-related crimes. Federal officials estimate annual losses from cybercrime cybercrime also known as computer crime Any use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. in the U.S. at $10 billion. Reported instances may be the tip of the iceberg tip of the iceberg n. pl. tips of the iceberg A small evident part or aspect of something largely hidden: afraid that these few reported cases of the disease might only be the tip of the iceberg. . Fearing the reaction both of customers and investors, companies report as few as one in 10 episodes, according to the software engineers and securities experts called in to close corporate holes and snuff smoking guns. And here's a chilling thought: Many of your own information experts are approached regularly by your competitors, who ask them if they'd like to hack for hire, using their trusted status and expertise to compromise your databases. "Of course we're paranoid," says Mark Stavrou, product manager for Internet security at PSINet, a Fairfax, VA, Internet access and services provider. "Some software is Swiss cheese, and there's fraud everywhere." The only airtight solution, Stavrou adds, is not to network at all, though he concedes that's anathema in an era of electronic commerce, globalization globalization Process by which the experience of everyday life, marked by the diffusion of commodities and ideas, is becoming standardized around the world. Factors that have contributed to globalization include increasingly sophisticated communications and transportation , and open-technology platforms. "There's an enormous opportunity for fraud," observes Peter G. Neumann Peter G. Neumann is a researcher who has worked on the Multics operating system in the 1960s. He edits the Computer Risks columns for ACM Software Engineering Notes and Communications of the ACM. He founded ACM SIGSOFT and is a Fellow of the ACM, IEEE and AAAS. , principal scientist at Menlo Park, CA-based research institute SRI International and moderator of the Internet Risks Forum, an online newsgroup newsgroup Internet forum for discussion of specific subjects. Newsgroups are organized into subjects (e.g., automobiles); each typically has several subgroups (e.g., classic cars, Formula One racing cars). that attracts the brightest minds in systems protection. "But it's going to take a colossal break-in - tapping a trillion-dollar flow without being detected - before business gets the message." Enter Comrade Levin and company. Perhaps the most shocking aspect of the Citibank scam isn't that the crime involved a bank: A successful bank job remains as much a criminal badge of honor in the Information Age as in the era of Bonnie and Clyde Bonnie and Clyde in full Bonnie Parker and Clyde Barrow (born March 24, 1909, Telico, Texas, U.S.—died May 23, 1934, near Gibsland, La.) (born Oct. 1, 1910, Rowena, Texas, U.S.—died May 23, 1934, near Gibsland, La.) U.S. criminals. , with institutions ranging from First National Bank of Chicago to Ceska Sporitelna, the Czech Republic's biggest savings bank savings bank, financial institution that, until recently, performed only the following functions: receiving savings deposits of individuals, investing them, and providing a modest return to its depositors in the form of interest. , sporting multimillion-dollar scars to prove it. Most striking is that a main interbank artery apparently was punctured through the use of desktop technology. "In the many years I have been involved in funds transfer, this is the first time I can recall someone using a personal computer to perpetrate per·pe·trate tr.v. per·pe·trat·ed, per·pe·trat·ing, per·pe·trates To be responsible for; commit: perpetrate a crime; perpetrate a practical joke. a crime," says John Mohr, executive vice president of the New York New York, state, United States New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of Clearing House, which runs the Chips interbank wire-transfer system. Indeed, today's more powerful PCs and workstations are capable of many more code-breaking calculations than the machines of 10 years ago, placing even the most fail-safe security methods at risk. Take Kerberos software, which generates a private, electronic key based on billions of random numbers for authorized users seeking access to a system. Developed a decade ago by the Massachusetts Institute of Technology Massachusetts Institute of Technology, at Cambridge; coeducational; chartered 1861, opened 1865 in Boston, moved 1916. It has long been recognized as an outstanding technological institute and its Sloan School of Management has notable programs in business, and IBM (International Business Machines Corporation, Armonk, NY, www.ibm.com) The world's largest computer company. IBM's product lines include the S/390 mainframes (zSeries), AS/400 midrange business systems (iSeries), RS/6000 workstations and servers (pSeries), Intel-based servers (xSeries) , the system is used by large financial institutions and government agencies for critical strategic information or accounts. Yet two Purdue University students recently picked the Kerberos lock, establishing a method of penetrating corporate networks that takes just 5.8 seconds. Of course, a new-and-improved version of Kerberos has plugged this hole. Similarly, Citibank has adopted state-of-the-art encryption software, and NYCH's Mohr argues that given the immense amounts of capital moving safely around the world, the industry's track record is pretty good. But SRI's Neumann argues the other side of the coin: The volume of transactions, including electronic commerce, is increasing exponentially, he says. And barring a major shift in the competitive balance between the good and bad guys, big business eventually will come up craps craps: see dice. craps Gambling game in which each player in turn throws two dice, attempting to roll a winning combination. The term derives from a Louisiana French word, crabs, which means “losing throw. . "Look at the situation," Neumann says. "Somebody publishes a flaw in a system, and within minutes, every system in the world using that algorithm is [vulnerable]. But it's the old story. Business only acts sanely as long as there's a strong financial reason to do so." From a distance, the cinder cin·der n. 1. a. A burned or partly burned substance, such as coal, that is not reduced to ashes but is incapable of further combustion. b. A partly charred substance that can burn further but without flame. block building near North Carolina's Piedmont Triad International Airport Piedmont Triad International Airport (IATA: GSO, ICAO: KGSO, FAA LID: GSO) (commonly referred to as "PTIA" or just "PTI") is an airport just west of Greensboro, serving Greensboro, High Point and Winston-Salem in North Carolina. appears an unlikely epicenter for one of the largest computer crimes in history. From this low-slung structure, Ivy James Lay, a switching technician formerly employed by MCI Communications, used simple software to capture online 60,000 telephone calling-card numbers and sell them to a criminal network stretching from its Cary, NC, base to Los Angeles and Bonn, Germany. Before he was apprehended by the Secret Service, tried, and sentenced to four years in prison, Lay - known in hacker circles as the "Knight Shadow" - bilked MCI, Sprint, AT&T, GTE GTE General Telephone & Electronics GTE Génie Thermique et Énergie (French) GTE Gas Turbine Engine GTE Global Tropospheric Experiment GTE Geothermal Energy GTE Gas Turbine Efficiency plc (Sweden & USA) , and others out of an estimated $28 million. The scare reportedly pushed GTE to scale back its international telephone business and may have even affected the balance of trade between the U.S. and Europe by artificially inflating the volume of costly overseas calls. MCI responded by beefing up security, changing password procedures, and training employees in security procedures, says Stephen Von Rump, vice president of data services marketing. Such efforts are well placed, figures Rusty Capps, formerly national coordinator of an FBI program to combat industrial espionage. "The bottom-line on insider crime is that somebody always saw somebody doing something suspicious," says Capps, now deputy director of counterintelligence coun·ter·in·tel·li·gence n. The branch of an intelligence service charged with keeping sensitive information from an enemy, deceiving that enemy, preventing subversion and sabotage, and collecting political and military information. at Aegis Research, a private security firm in Arlington, VA. Capps estimates that insiders are responsible for about 80 percent of all computer violations. Telephone and credit-card companies are among the most frequent targets of computer crime, he says, because of the bounty of easy-to-fence calling- or credit-card numbers that move across networks. But industry risk may accelerate amid deregulation Deregulation The reduction or elimination of government power in a particular industry, usually enacted to create more competition within the industry. Notes: Traditional areas that have been deregulated are the telephone and airline industries. as government oversight is relaxed, experts maintain. Also driving uncertainty may be rapid telecom privatization privatization: see nationalization. privatization Transfer of government services or assets to the private sector. State-owned assets may be sold to private owners, or statutory restrictions on competition between privately and publicly owned overseas, where Capps says corporate rivals and "counterintelligence states" cut no corners in snooping for secrets. Security protocols, too, often are far less comprehensive offshore. Consider Netscape, which saw its browser software violated by a French hacker, who cracked its 40-bit encryption scheme. (Federal regulations on technology transfer prohibit Netscape from using offshore the more-rigorous 128-bit software it employs in the U.S.) In any case, experts warn that for the right hacker, it's a short jump from an offshore system into core stateside state·side adj. 1. Of or in the continental United States. 2. Alaska Of or in the 48 contiguous states of the United States. adv. Informal 1. systems. It's the ability to jump from one network to another that frequently draws hackers to attack the Internet itself - Main Street in an electronic community comprising millions of side streets and dark back alleys. For similar reasons, other popular targets include access providers to the Net, online services, and Net-linked corporate computers. According to Carnegie Mellon University's Computer Emergency Response Team, which monitors Internet security, the number of break-ins reported in 1995 on the World Wide Web reached 2,412, up from just 252 five years earlier. Cyberspace is such an interconnected world, says Jim Bidzos, chief executive of RSA (1) (Rural Service Area) See MSA. (2) (Rivest-Shamir-Adleman) A highly secure cryptography method by RSA Security, Inc., Bedford, MA (www.rsa.com), a division of EMC Corporation since 2006. It uses a two-part key. Data Security in Redwood City, CA, that the theft of a single password can give a criminal access to many unprotected areas. Ask Net-pioneer America Online about its comfort level in the wake of a string of recent incidents. In perhaps the most serious, marauders reportedly set up accounts tinder assumed names with fraudulent credit-card numbers. America Online, a $1 billion company with more than 2 million subscribers, declined to comment on the matter. But Bob Massey, CEO of CompuServe, the nation's second-largest on-line service after AOL (A division of Time Warner, Inc., New York, NY, www.aol.com) The world's largest online information service with access to the Internet, e-mail, chat rooms and a variety of databases and services. , acknowledges that security is an industrywide problem. AOL reported that the hackers assumed some administrative powers on the network, but insisted that general credit information on individual subscribers remained safe behind software "firewalls," virtual barriers that block unauthorized users. Stavrou of PSINet, which competes with AOL's Internet service, questions the certainty behind that claim: "Once a company has been penetrated, there's no way to tell how far the crooks have advanced or what information they've gained access to." Reaction to the latest round of computer crimes has been predictable, with corporate America muscling up on encryption software and other security products. Villains are keeping pace with exotic, Buck Rogers technology, including a microwave-antenna-like dish that can drain data from a PC several hundred yards away, claims Frank James, CEO of Technical Assistance Group, a computer- and telephone-security firm in New York. Other wrinkles are beginning to emerge, including some potentially thorny legal issues. Ray Kaplan, the head of Richfield, MN-based Security Services, predicts the emergence of lawsuits against software companies or network providers whose foul-ups place users in jeopardy. The Big Six consulting firms also smell a cash cow Cash Cow 1. One of the four categories (quadrants) in the BCG growth-share matrix that represents the division within a company that has a large market share within a mature industry. 2. : Price Waterhouse, for example, employs hackers in white hats to test the integrity of corporate systems. Meanwhile, cutting-edge Cassandras pace the corridors of cyberspace, warning about the end of the world. Would we even hear about a major meltdown? One member of the computer underground alleges that large corporations cut deals with successful hackers to keep their mouths shut, and security professionals say many large corporations funnel significant time and money into covering up transgressions. "There's never been an adequate explanation [of the Citibank incident]," notes the NYCH's John Mohr. While allowing that security is strengthening - particularly at larger companies - and that law enforcement deserves above-average marks for corralling criminals and recovering pilfered funds, SRI's Neumann and others nonetheless anticipate a Chernobyl-like catastrophe with shock waves that simply cannot be suppressed. "It's going to take something like that for people to wake up," says Neumann, who speculates that Citibank and other firms skirted disaster by margins narrower than they have led the public to believe. "In time, somebody's likely to pull it off." |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion