From rpower@mfi.com Thu May 16 04:44:12 1996
Received: from whiz.mfi.com (whiz.mfi.com [198.71.19.34]) by suburbia.net (8.7.4/Proff-950810) with SMTP id EAA25765 for ; Thu, 16 May 1996 04:44:05 +1000
Received: from ccmail.mfi.com by whiz.mfi.com (AIX 3.2/UCB 5.64/4.03) id AA20783; Wed, 15 May 1996 11:31:27 -0700
Received: from ccMail by mfi.com id AA832184473 Wed, 15 May 96 11:21:13 PST
Date: Wed, 15 May 96 11:21:13 PST
From: "Power, Richard"
Encoding: 8174 Text
Message-Id: <9604158321.AA832184473@mfi.com>
To: best-of-security@suburbia.net
Subject: data on crime & preparedness in cyberspace

FBI Survey Reveals Growth of Cybercrime

By Rory J. O'Connor, San Jose Mercury News, Calif.
Knight-Ridder/Tribune Business News

May 6--Intruders are breaking into the nation's computer systems at an increasing rate and often with more nefarious motives than in the past, according to a survey co-sponsored by the FBI and a private group of computer security professionals.

With more attacks made by people outside an organization, security experts and civil libertarians are renewing their call for fewer government restrictions on encryption technology that protects information.

If computer crime keeps growing, security experts said, it could suffocate the burgeoning growth of commerce on the Internet.

"What this shows is that the ante has been upped in cyberspace," said Richard Power, senior analyst of the Computer Security Institute in San Francisco, which conducted the survey. "As all manner of commerce moves into cyberspace, all manner of crime is moving there as well. It's no longer just vandalism."

More than 40 percent of the 428 corporate, university and government sites that responded to the FBI survey reported at least one unauthorized use of their computers within the last 12 months, with some institutions reporting as many as 1,000 attacks in the period.
The attacks range from "data diddling," where some information on the compromised computer is changed, to wholesale attempts to steal passwords or prevent legitimate users from gaining access to the systems.

The increase in cybercrime doesn't pose much danger to individuals using computers at home. It is the corporate databases that attract cyber-thieves.

While more than half the organizations surveyed reported that some attacks came from inside the organization itself, more than a third said they had been attacked via the Internet, a disconcerting statistic for businesses that want to conduct commerce in cyberspace.

About 75 percent of the executives who responded to the survey said they feared attacks from independent hackers and "information brokers." Nearly 60 percent said they consider their domestic competitors just as likely to try to break into their computers.

Organizations could protect themselves by using technology that encrypts the storage and transmission of computer data. The strongest such technology would make it nearly impossible for an unauthorized person to read or misuse data -- yet it is not widely deployed because the U.S. government won't allow its export. Companies, therefore, don't include it with many of their products.

"The No. 1 reason why computer crime happens is because we have a totally backward encryption policy in this country," said Daniel Weitzner of the Center for Democracy and Technology in Washington.

Computer security experts said that any significant growth in computer crime could make consumers and businesses doubt that an honest transaction would take place on the Internet, instead fearing they would be vulnerable to theft of information, services or money.

"It's important not to sensationalize things, because if you do you trivialize them," said Power. "But there is definitely a trend across the board of increased unauthorized use of computers from both the inside as well as the outside."
His organization conducted the survey at the request of the FBI, using questions based on information supplied by the agency.

The FBI has stepped up its investigations of computer crime in the past year, assembling special groups in San Francisco, New York and Washington to combat it. And agency director Louis B. Freeh testified before Congress earlier this year about what he considers the growing danger to U.S. businesses from information spies, including some in the employ of foreign governments or competitors.

The report doesn't mean, however, that computer users everywhere should panic. Computer security experts note that individual personal computers, especially at home, are far less likely to be attacked than larger systems used by corporations and government agencies. The information those computers contain isn't nearly as valuable as a corporate database -- and the computers themselves make less-tempting targets for hackers because they are much simpler than large systems, offering fewer technical security holes to exploit.

They also say the likelihood that a given individual will suffer from a computer-related crime -- for example, having a credit card number purloined by a hacker during an on-line purchase -- is fairly small, and that existing laws cap an individual's responsibility to pay.

"As an individual, your liability is low," said Steven M. Bellovin, a computer security expert with AT&T Bell Laboratories.

Computer crime statistics have also been notoriously unreliable in the past few years. Predictions that the so-called Michelangelo virus would wreak wholesale destruction on the world's PCs turned out to be laughably hyperbolic; only a handful of machines were ever infected.

And much of the nation's hysteria over computer crime revolves around media accounts of just a few well-known "hackers" -- such as Kevin Mitnick and Robert Tappan Morris Jr. -- whose exploits turned out to be far less damaging than the publicity surrounding them.
"Mitnick is often portrayed as a technical wizard," said Bellovin of the hacker who was arrested last year after a decade-long chase and then became the subject of at least three books. "Well, he's OK, but he's really a good con artist."

Bellovin said Morris, the son of a National Security Agency programming expert who created a "worm" program that shut down parts of the Internet in 1988, had just been trying to draw attention to its security flaws. "He had a horrible lapse in judgment," he said.

Many hacker "crimes" have just been the equivalent of "juveniles cruising cyberspace with virtual spray paint marking things," Power said.

The most malevolent incidents of computer crime in the past have been committed by disgruntled employees against their employers; those incidents have usually resulted in the greatest financial losses.

Perhaps because of that, however, law enforcement officials are growing concerned about their ability to sniff out -- and snuff out -- computer crimes.

What worries law enforcement officials is that institutional victims of computer break-ins or other cybercrimes rarely report the incidents to police. The study bears that out: the respondents said they reported just 16.9 percent of suspected computer crimes. The overwhelming reason: They don't want the negative publicity that can come from a press account that their computer system was vulnerable.

Only 8 percent of the more than 4,000 institutions who were mailed the survey responded at all, according to the FBI.

But that may be a moot issue: according to Bellovin, the very complex nature of software and the imprecision with which it is written means that "computer security is very hard to solve." He called the Internet notably vulnerable because it was never designed to be secure in the first place.

The worst security risk on the Internet is also its most popular aspect: the World Wide Web, because its complexity makes it "easy to (program) it wrong," Bellovin said.
Some of the most troubling results of the survey, according to Power: the most frequent kind of computer crime at medical and financial institutions involves data diddling, meaning that "someone is changing people's medical records and financial histories," he said.

It also appears that there's more computer crime for hire occurring, Power said, exploiting mainly older hackers who have graduated to making money off the skill they once used simply to establish bragging rights with their peers.

He suggested that some of the hiring is being done by intelligence services of various governments, although he offered no proof.

"You can't document it," he said, "but it's a no-brainer, as far as I'm concerned."