OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[ISN] Dot-Com firms are hacking each other -- expert

From: William Knowles (wkC4I.ORG)
Date: Sat Feb 19 2000 - 01:17:54 CST

http://www.theregister.co.uk/000218-000018.html

Posted 18/02/2000 1:59pm by Thomas C. Greene in Washington

All this talk of fifteen-year-old kids vandalising the Web is a smoke
screen behind which dangerous, professional crackers are pleased to
take cover, security expert Mark Rasch revealed during testimony
before a Senate hearing on Internet security earlier this week.

The lure of big, fast-money scores in virtual commerce is making it
common for skilled hackers to attack competitors in search of free
intellectual property, Rasch said before the Senate Appropriations
Subcommittee.

The present era of "dot-com millionaires and IPO frenzies and the ease
of starting your own business" on the Web is creating "a tremendous
amount of competition to acquire intellectual property" by any means
at hand, Rasch, a vice president with security outfit Global
Integrity, explained.

"We see sophisticated attacks against computer systems in order to
steal intellectual property which can be used in competition with
other companies," he added.

Info tech companies may be willing to report a nuisance attack such as
the recent DDoS campaign, where no company assets are compromised. But
Rasch believes that serious, costly, compromising attacks are rarely
reported to the authorities.

This is because such companies, which own nothing of substance but are
valued principally according to the information they possess, depend
heavily on consumer confidence. A prosecution and trial, Rasch
observes, would make public the security vulnerability that was
exploited, hence the company's hopelessly inadequate security
measures, he implied.

An info tech company will typically lose between ten and one hundred
times more money from shaken consumer confidence than the hack attack
itself represents if they decide to prosecute the case, he estimated.

Further impediments to accurate cyber-crime reporting come from "a
fundamental distrust" of law enforcement among the info tech industry.
One common fear is that a crucial piece of equipment, like a main
server, say, might be impounded for evidence by over-zealous
investigators, thereby shutting the company down.

It's hardly a surprise, then, that Rasch cited an estimate claiming
that fewer than one in ten serious intrusions are ever reported to the
authorities.

We can safely assume that the few which are reported tend to be those
least likely to shake consumer confidence. This explains why the
public has been misled into believing that graffiti attacks and other
nuisance intrusions by teenagers account for most of the cyber-crime
going on.

In fact, because it is to a company's advantage to suffer in silence,
the real malicious hacking, which would involve the compromising of
crucial data and intellectual property by rival tech firms -- and
which probably represents the lion's share of online criminal activity
-- is kept as a closely-guarded, dirty little secret.

---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*=================================================*

ISN is sponsored by Security-Focus.COM