[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The New White Collar Crime: Enemy Within?

<http://www.infosecnews.com/>

The New White Collar Crime: Enemy Within?

Picture it like a block-buster thriller down at the local multiplex:

Establishing Shot We see before us a control room, not unlike NASAÕs. Computer screens flicker on monitors mounted on dozens of long tables. Men in white shirts and black ties sit at keyboards. They are CRIMINAL HACKERS.

Medium Shot An eerie man with a pointed beard. He sits in a throne-like chair on a dais at the back of the room. His fingers are peaked as he watches, in total silence, while about him the Criminal Hackers prepare their systems.

He is the EVIL GENIUS, diabolic leader of the super-transnational techno-criminal underground.

He speaks:

Evil Genius

Now!

Instantly, all about, like pieces in a well-tuned machine, the Criminal Hackers leap into action. On their screens, flow charts and icons materialise. Their fingers fly across their keyboards.

Around the world, a dozen banks are attacked over the Internet. Funds flow to secret Swiss accounts. Computers whirr and click.

Smash Cut We have an extreme close up of the face of a SWEET LITTLE OLD LADY. She looks up from her bank statement. She is aghast.

In EXTREME CLOSE-UP we see a single tear roll down her cheek.

Okay. So maybe the script doesnÕt exactly have legs, as they say in Hollywood. In fact, maybe it canÕt even boast any knees. It is the picture which probably lurks deep down in the darkest recesses of most non-technical people, and not a few computer security professionals. We all of us share the slightly nightmarish image of a powerful, sophisticated and ruthless criminal organisation striking through the web at our economic well-being, and perhaps never being brought to justice for it.

But, how real is that threat? Just because it is dramatic, does that necessarily mean it exists? Or, conversely, just because it is melodramatic, does that mean it doesnÕt? The answer, maddeningly, seems to be yes É and no.

Careless Killers First, make no mistake about it, ruthless transnational criminal organisations really exist, and they really do present a serious security risk to major corporations and other enterprises. The break-up of the former Soviet Union and its empire in Eastern Europe, the collapse of economies in Asia, the failure of state systems in Africa and Europe, all these and more have made for boom times in crime. Gangsters, terrorists, warlords, and drug-barons now operate freely around the world, and with vastly more sophisticated tools than ever before.

"Mafia-like organisations are springing up like daisies," says Michael (M.J.) Roberts, editor and publisher of Threat Level, a newsletter devoted to corporate security issues, "all through what used to be the Warsaw pact." Many of these new groups, he notes, are directly linked to state security services. He argues that these are, in effect, informal channels for countries which might not otherwise be able to afford to obtain new technologies and products. "It is the old human intelligence gambit of not putting your own people in a situation where their discovery may point back to you," he says. A company, or the country in which it is based, can obtain information or goods through ÔcriminalsÕ who would never seem to be part of any official organisation.

Others groups donÕt have any government links, but theyÕre just as sophisticated, in some cases more so. Take, for instance, organised crime groups working out of West Africa, but which have links stretching from London to California. "The Nigerian groups are particularly sophisticated," notes Stephen Knox, program manager for TROY Systems Inc. Knox began his security career in government service protecting foreign diplomats. "We had a lot of problems with the Nigerian Mafia," he notes. "TheyÕre very prominent in the D.C. area." TheyÕll run protection operations, frauds, money-laundering operations, corporate and government espionage rings, and dozens of other scams ranging from the extremely clever to the downright diabolical.

And it gets worse. Regional criminal groups might sometimes mitigate their violence if only because they might encounter their victims in the street. But transnational crime groups, which can take refuge behind a dozen borders, have no hesitation about killing. "We thought the Mafia was bad," says Harvey C. Altes, CEO of the worldwide detective agency Falcon International. "But when they killed, they just killed each other. The new ones, particularly the Russian and the Haitian Mafias, there is no consideration for whoever gets in the way. For them, life is cheap."

And these groups are targeting your company or organisation. They want to steal your products at the shipping dock. They want to send them with fake invoices. They may want to kidnap top executives.

But do they want to get into your computers?

Shoot the Swordsman "We just donÕt see it," says Michael Anderson of New Technologies Inc., a computer forensics services and training firm. He says he just doesnÕt see the new organised gangs getting into computer crime in a big way. Among his clients, who are struggling with computer crime, he notes, "We see trade secret theft, we see embezzlement, but not super-Mafias."

Why not? Well, organised crime tends to use somewhat less subtle methods than hack attacks on bank computers. "There is a real threat [from such groups]," notes Threat LevelÕs Roberts. "But it tends to be much less sophisticated than that. Taking down a corporate infrastructure is usually not a matter of having Brainiac attack a node as it is having some guy with a back-hoe over the right nexus of a communication line."

As for theft, it is usually easier for a criminal to simply highjack one of your trucks than it is for him or her to learn enough hacking skills to fake an order firm or redirect a shipment. The same is true for industrial espionage, also known as Data Theft. In a single evening, you could probably learn a good deal more about a companyÕs Research and Development by buying a few engineers some stiff drinks than you could in months of more sophisticated computer-based espionage.

"Crude but effective seems to be what prevails when criminals really want something," notes Roberts. Given a choice between spending a year tickling a security system into opening up its locks and spending an hour wiring a door with plastic explosive, theyÕll take the blast every time. "ItÕs like Indiana Jones and the swordsman," he says. In the film, the hapless Indiana faces an expert fencer who challenges him to a duel with much dramatic flourishing of a scimitar. After a momentÕs hesitation, Indiana simply draws his six-shooter and shoots the man in anti-climatic cold blood. "After a while, theyÕre just going to draw and fire, and forget all the subtleties."

Disgruntled So, are you never going to encounter the Evil Genius of our little thriller? Well, that doesnÕt seem to be true, either. In fact, you may already know him. Or her. She, or he, is probably already on your payroll.

Peter Stephenson, Principal Consultant for the Intrusion Management and Forensics Group (and long-time columnist for this magazine), puts it very bluntly. "IÕm sure the threat [of transnational criminal organisations using computers] is real. But the threat has been, and still remains, inside the corporation."

In other words, not transnational crime, but White Collar Crime, the sort of crime committed not by shadowy multinational conspiracies, but accountants and clerks and IT managers. TheyÕre not ex-KBG spy chiefs or colourful xenophobic stereotypes, but rather men and women in good suits, who went to the best schools, drink the better scotch, and play golf with you regularly at the Club É but who seem to be quietly emptying Accounts Payable into a numbered account at a bank in the Cayman Islands through a shell company located in Panama thatÕs sending your firm faked invoices by way of a P.O. Box in Monaco.

"The Internet has sizzle," explains Stephenson. "And it is really cool to talk about spies and things that go bump in the night É but the reality is that organisations lose far more to disgruntled employees than to competitors."

Or, to put it another way, says Avi Fogel, president and CEO of security software vendor Network-1 Security Solutions, "God help me with my friends. IÕll deal with my enemies." Fogel says that his numbers show that at least 80 per cent of all attacks on corporate computers come from internal sources. "Usually, it isnÕt the Big Bad Wolf. ItÕs people with access."

What this means, he says, is that while it is important for security people to keep an eye on externally organised crime, it is far more important for them to create internal defences - internal firewalls that separate different subnets, internal policy managers that automatically limit access to sensitive data, internal intrusion detection software that looks for attacks from within the corporation, and so on. "What people need," he concludes, "is technology that provides policies for internal cyberwalling,." This is a term promoted by the market analysis and research firm, Aberdeen Group, to mean this sort of inside internal security. (It is also the name of a product of FogelÕs, Cyberwallplus.)

Very similar words come from networking OS vendor supreme Novell. "Companies really need to focus on whatÕs happening in the internal boundaries of their network," says Patrick Harr, product line manager for Novell. In fact, he notes, his own policy management products are meant to allow companies to do just that. "We define a policy based on the user, regardless of whether that user is inside or outside the network."

In fact, even on those relatively rare occasions when you do have a computer-related crime committed by an organised crime group, youÕll probably find itÕs an inside job. "We always assume that the theft of trade secrets, for instance, is by someone from outside," says Peter Stephenson. "But, the strong probability is that it is someone outside conspiring with someone inside."

DonÕt Expect Help "White collar crime is on the rise," warns FalconÕs Altes. "There is evidence all around you. It just doesnÕt make it into the statistics."

Very similar words come from Mark Willard, Head of the Technology Litigation Section of the law firm Eckert, Semans, Cherin and Mellott LLC., which deals with computer crime for its clients. "I think it is increasing," he notes. "People are becoming more sophisticated. TheyÕre finding out that rather than taking a gun down to a gas station and robbing it of a few hundred dollars, they can steal millions with a few strokes of their keyboard."

The rub? You, as a security person in the industry, cannot expect much help. "It is hard to get the major police services involved in something like this," says Altes. "Some elements in our government are É how to put this? É well, they only attack the weak. Their aim is to get convictions. Their resources are usually directed to those cases they can win."

It is very hard to convict a white collar criminal - particularly when the victim, the company that gets taken - may have everything to lose from a public trial. Suddenly, everyone in the world knows that youÕve got a security problem - including your customers. Which means that the public police forces know that your stockholders, CEO and Board may decline to co-operate with their investigation.

Then there is the issue of the law itself, which is notoriously vague on white collar crime, particularly when a computer is in the picture. "The law is trying to catch up," he notes. "But it isnÕt there yet."

So, the traditional forces of law and order may not be a resource for you. Instead, you will have to prevent or at least mitigate the crimes though the intelligent implementation of security policies. "Until the government catches up," concludes Threat LevelÕs Roberts, "it is going to be up to private industry.

Which is, of course, to say, to you.

Evil Genius Revisited Just because organised, transnational criminal groups may not be planning on hacking into your bank account É today É doesnÕt mean that you can ignore them. In fact, their activity may shape your future more than anyone would care to admit.

The threat they represent is usually a physical threat - that is, they are looting goods, diverting profits, kidnapping executives, and so on. But, thereÕs the rub. Sometimes it can be hard to tell the difference between cybercrime and the more regular sort. "The trend weÕve been seeing is that the wall between physical security and data security is beginning to come down," says Stephen Knox of TROY. "CEOs are beginning to realise that the two are so intertwined that you canÕt really have one without the other."

Thus, for example, a denial of service attack can be either ping-flood or the Ôman with a back-hoeÕ over the phone line. But, it takes the same person - i.e., someone who knows what a ping-flood is, and who knows where that phone line is buried - to defend against either kind of attack. "WeÕre doing some work for one company that has us looking at their houses, and the cars of their senior executives," notes Leonard I. Holmes, deputy director of the information assurance division of Troy. "For instance, if they work from home, then they can be attacked there by a third party." Their phone lines could be bugged. Their home computers could be hacked. Or their children could be held hostage. Regardless of the method, life and commerce are at risk.

Troy flatly says that there is no difference between physical and data security. It sells both.

This is an increasingly common viewpoint. In fact, it may be that the computer security professional will find him or herself increasingly involved with, or in charge of, many other forms of corporate security. "You canÕt hire a retired cop with no ambition and make him your security chief anymore," warns Clay Higgins, a Maryland-based certified protection professional and a spokesperson for the security trade association, the American Society for Industrial Security (ASIS). "The reality is that security is squirming away from that guy." Where it is squirming to, increasingly, is the data security professional.