[ISN] Tales of Cyber-Crime Running Rampant

[InfoSec News]

http://www.eweek.com/article2/0,1759,1597361,00.asp

By Dennis Fisher 
May 24, 2004   

When Donna Getgen opened a letter from her credit union in March, the
message within was anything but routine. Getgen was informed that she
had been the victim of a cyber-theft.

Getgen's account number, the letter read, was stolen from a database
at BJ's Wholesale Club Inc., where she shopped from time to time.

Stunned, Getgen, a business operations specialist for a high-tech
company from Owings, Md., would later learn that she was one of tens
of thousands of victims of one of the largest cyber-thefts in recent
history.

The BJ's security breach, which occurred over seven months from late
2003 to early this year and compromised thousands of debit and credit
cards, was just the latest example of the kind of large-scale
cyber-crime being perpetrated with greater frequency than ever in the
United States and around the world.

Ironically, as the number and scope of cyber-crimes proliferate,
local, state and federal authorities are scrambling for resources to
combat the threat. In many cases, the authorities are directing
resources away from cyber-crime cases.

"Most Americans would be surprised to know that thousands of credit
card numbers are sold online every day, and very little is done to
stop it," said Jim Melnick, director of threat intelligence at
iDefense Inc., in Reston, Va., and a former Defense Intelligence
Agency officer.

"The dirty little secret is that there's all this other stuff going on
that nobody is stopping. I'm not sure there's an understanding inside
Washington of how pervasive cyber-crime is."

Increasingly sophisticated schemes—from outright break-ins to
so-called phishing scams—are among the biggest problems facing
financial institutions today.

The number of phishing attacks alone has grown by 1,200 percent in the
past year, according to MessageLabs Inc., in New York. Phishing is the
practice of sending fraudulent e-mail purporting to come from a bank,
credit-card issuer or other trusted source to solicit account numbers,
Social Security numbers and other sensitive data.

A comprehensive study of the problem released last month by analysts
at Gartner Inc., of Stamford, Conn., shows that more than 57 million
Americans have received at least one phishing e-mail. The financial
losses suffered by banks and credit card issuers that ultimately pay
for these frauds amounted to $1.2 billion last year, the study said.

Despite the mounting research, bank officials contacted for this story
said they, along with credit card issuers, are doing most of the
education and prevention regarding cyber-crime without much help from
law enforcement or government regulators.

"The biggest risk right now for us is the loss of reputation," said
Michael Roberts, senior vice president and CIO of the Bank of Alameda,
in California. "We get a lot of people who have had their account
numbers or Social Security numbers stolen and come to us for help. We
can't have that.

"Identity theft is escalating, and it's moving offline. We see people
coming in here with stolen numbers trying to open accounts. It's
happening."

Actually, cyber-crime has been happening for years. It is only now
entering the public consciousness, thanks to high-profile incidents
like the BJ's theft and elsewhere, such as those perpetrated on Guess
Inc. and MTS Inc.'s Tower Records unit.

In fact, of the 500 companies that responded to a recent FBI survey,
90 percent said they'd had a computer security breach, and 80 percent
of those said they'd suffered financial loss as a result.

Today, online criminals use stolen credit card numbers as illicit
currency. The information is traded for other commodities, such as
Social Security numbers or access to networks of compromised PCs that
can be used in distributed-denial-of-service (DDoS) attacks.

But as the cyber-crime rate climbs, security experts, consumers and
even former government officials are questioning why federal lawmakers
and administration officials have devoted so few resources to
combating the menace. Many attribute the resource issue to the war on
terrorism.

"There were decisions made that things like credit card investigations
weren't worth it at that point," said one former federal law
enforcement agent who was involved in cyber-crime investigations for
more than a decade.

"Cyber-crime was put on the back burner. Pure investigations into
cyber-crime have diminished at the FBI and the Secret Service."

Indeed, in the months following the terrorist attacks of Sept. 11,
2001, counterterrorism became the highest priority for the FBI as well
as the Secret Service, the two federal agencies responsible for the
bulk of the government's cyber-crime investigations.

That shift took its toll on the computer crime units at both agencies,
and nearly 20 Secret Service agents who were working on cyber-crime at
the time of the attacks were transferred to terrorism investigations.

"There's a broken spirit in the government as far as cyber-crime," the
former agent said. "It's one of the most daunting tasks that law
enforcement has ever had to deal with."

For those investigators at the FBI and Secret Service still
responsible for handling cyber-crime—about 300 and 100,
respectively—many are often pulled away from their regular duties to
work on special details, which can lead to long delays in completing
investigations.

"There just aren't enough agents to do what's required," the former
agent said. "The response from the government hasn't been commensurate
with the problem. The big investigations that you see on TV with the
press conferences were the exception, not the rule.

"They're just showpieces. Having a massive investigation every six
months is inconsequential when you have a crisis going on."

According to government and law enforcement officials, the lack of
interest in fighting cyber-crime comes from the top down and is traced
to the current and past presidential administrations.

Richard Clarke, chairman of Good Harbor Consulting LLC, in Herndon,
Va., and a former counterterrorism official in the Clinton and current
administration, often warned of the potential for a terrorist-based
computer attack that would take out portions of the U.S. power grid or
financial networks.

When the power grid that serves huge swaths of the Northeast, Midwest
and portions of Canada failed on a sweltering day last August, just
days after the outbreak of the infamous Blaster worm, many people
thought Clarke's oft-repeated prediction of a "digital Pearl Harbor"  
had come true.

Within hours of the blackout, CNN reported from the paralyzed streets
of Manhattan that U.S. officials were investigating the possibility
that Blaster had caused the outage.

It seemed to fit. Blaster was running rampant on the Internet,
infecting hundreds of thousands of machines. More to the point, other
recent worms had wreaked havoc with machines and networks not normally
thought to be vulnerable.

The SQL Slammer worm in January 2003 brought down the 911 dispatch
system in Bellevue, Wash., and disrupted the operation of Bank of
America's network of ATMs, angering customers and inciting fears that
so-called crackers had stumbled on a new attack vector. Then Blaster
arrived.

But in the 10 months after the blackout, no evidence linking Blaster
to the outage was found. In fact, an exhaustive report written by a
joint U.S.-Canadian committee formed to study the blackout's effects
determined there was no connection to any deliberate malicious attack
on the power companies' computers.

"The [Security Working Group] found no evidence that malicious actors
caused or contributed to the power outage, nor is there evidence that
worms or viruses circulating on the Internet ... had an effect on
power generation," the report concluded.

The report should have relegated Blaster to a footnote in the matter.  
But many security experts point to the incident as a perfect
illustration of how the specter of cyber-terrorism can obscure the
real problem of cyber-crime.

While examples of cyber-crime abound—from database theft to Nigerian
banking scams to the rigging of online gambling to worm attacks—no
current or former government officials, no law enforcement officers
and no security experts interviewed for this story could cite a single
example of cyber-terrorism.

"There haven't been any at all, to my knowledge," said Howard Schmidt,
chief security officer at eBay Inc., in San Jose, Calif., and former
chairman of the President's Critical Infrastructure Protection Board
and one of the first dedicated computer crime investigators in the
country, first with local law enforcement in Arizona, then with the
FBI and later with the Air Force Office of Special Investigations. "I
actually refrain from using that term [cyber-terror]."

That's not to say the possibility doesn't exist for a concerted,
targeted attack to bring down a critical banking network, utility grid
or other vital system.

Clarke, for one, sees the threat of cyber-terrorism as a serious
concern for the United States. "What we see today is just the tip of
the iceberg in terms of what's possible, especially if a nation-state
wanted to get in on this," he said. "As long as these things are
possible, we run the risk that someone will do them."

And while other observers claim terrorist groups are using the
Internet mainly for communications and fund-raising, Washington
insiders insist the government is not sitting by idly awaiting a
strike.

"Cyber-crime is an alarming trend and one we're actively [focused
on]," said Amit Yoran, director of the National Cyber Security
Division at the Department of Homeland Security, the nation's top
cyber-security post.

"It's a huge issue. The Department of Justice's top priority is this.  
We're trying to build a threat-independent approach to protection. We
don't care if it's a terrorist or a kid. If there's an impact, that's
what we care about."

Yoran said that relatively little data on cyber-crimes is flowing
between the different departments and agencies in federal, state and
local governments but that efforts are under way to change that.  
Another problem, he said, is the naivete of most Internet users.

"I think there's a lack of general awareness among consumers about how
vulnerable they are," Yoran said in Washington. "The issues right now
are overly complex, and the government has to simplify it."

Donna Getgen might agree, although it doesn't offer her much comfort.  
No fraudulent activity was found involving her debit card account in
March, and the Digital Federal Credit Union, in Marlborough, Md., went
ahead and canceled the card and was in the process of issuing her a
replacement by the time she received the letter. But Getgen is still
distressed by the incident.

"I really have lost trust," said Getgen. "I haven't been back to BJ's
since this happened, and I don't intend to go back. If I did, it would
be on a cash basis only."