Information Security News: Worker vengeance makes its way online

[InfoSec News <isn () c4i org>]

http://www.boston.com/dailyglobe2/142/metro/Workers_vengeance_makes_its_way_on_Web+.shtml

By Thanassis Cambanis
Globe Staff
5/22/2003

Furious that he'd been fired from the travel agency where he worked, 
James O'Brien waited months before allegedly springing his carefully 
plotted revenge. Just before Christmas 2000, according to federal 
prosecutors, O'Brien hacked into his former employer's computer system 
and canceled 60 customers' airline tickets. 

The move cost the agency $96,000 and left dozens of would-be holiday 
vacationers stranded at airports.

O'Brien's alleged crime, according to federal law enforcement 
officials who brought charges against him last month, is the new face 
of hacking: Irate workers who in the old, low-tech days might have 
simmered or spread slander about their ex-bosses now instead are 
wreaking havoc on their former workplaces by infiltrating their 
computer systems.

''Ten years ago, almost all computer crime tended to be kids, seeing 
what they could do,'' said Assistant US Attorney Allison D. Burroughs, 
who heads the Computer Hacking and Intellectual Property unit in the 
US attorney's office in Boston. ''Now, it's disgruntled employees.''

Burroughs's unit is currently working on 10 other cases in the federal 
district of Massachusetts involving fired employees who allegedly 
struck back at their former bosses by hacking into company computers. 
About three-quarters of all federal hacking cases in Massachusetts, 
she said, involve disaffected employees, compared with a decade ago 
when that proportion of hacking cases stemmed from juveniles 
vandalizing computer systems.

The phenomenon not only marks a sea change in the criminal use of 
computer systems, but poses a costly threat to corporations, which can 
lose millions of dollars to hacker attacks by former insiders who know 
their systems' vulnerabilities.

''You don't have to be that sophisticated to cause a lot of harm,'' 
said US Attorney Michael Sullivan. A hacker with a grudge can bring a 
company to its knees, he said, causing as much damage with a few 
computer keystrokes as might be inflicted with a torch in a warehouse.

Three cases were brought in Boston in the last month alone that 
underscore the threat. In addition to O'Brien, who pleaded not guilty 
May 1 in US District Court in Worcester, federal prosecutors indicted

a Sutton man who allegedly broke into his Worcester employer's 
computer system, and a man who is accused of cooking up fake e-mail in 
a lawsuit against an Andover company. The potential for mischief is 
great. Robert Boule, a 29-year-old Framingham man, pleaded guilty in 
federal court in Boston in February to breaking into his former 
company's computer system to monitor its product lines so he could 
undercut its bids.

''Technical knowledge and a bad economy have given a certain class of 
people the means and the motive to commit crimes they would not have 
been able to commit,'' Burroughs said. ''There are people getting laid 
off who have a tremendous amount of knowledge about a company's 
security and systems.''

Many companies, federal authorities say, take great precautions to 
protect against outside hackers.

But increasingly, it's insiders who know passwords and have access to 
a company's computer system who have the ability and, at times, the 
desire to commit electronic sabotage. ''You used to send someone home 
and take away their keys,'' Burroughs said. ''Now, in Massachusetts in 
particular, you have sophisticated employees who know everything you 
can know about your computer system.''

In Burroughs's nightmare scenario, a former pharmacy employee hacks 
into the computer network that contains customer prescriptions and 
alters dosages -- not only hurting the pharmacy, but patients.

''You don't need a lot of physical courage to commit some of these 
crimes,'' Burroughs said. ''You can do it remotely and, people think, 
anonymously.''

Four full-time prosecutors work in the so-called CHIPs unit. In 
addition to hacking, the unit also prosecutes fraud, as well as theft 
of intellectual property and trade secrets.

The Boston office of the FBI has 13 agents assigned to high-tech crime 
-- one of the bureau's only growth areas other than terrorism. And the 
US Secret Service here has another six-agent team that investigates 
cyber-crime.

''It's kind of cowardly, and because of the anonymity people think 
they're not going to get caught,'' said Jonathan L. Kotlier, chief of 
Sullivan's economic crimes unit. ''That was so interesting about the 
Christmas ticket indictment -- he actually waited months to take his 
revenge.'' O'Brien, of Worcester, faces up to 10 years in prison and a 
$250,000 fine if convicted.

Thanassis Cambanis can be reached at tcambanis () globe com  



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.