Hacking up, disclosure down, FBI survey says

R. A. Hettinga rah at shipwright.com
Sun Apr 7 17:39:16 EDT 2002



Hacking up, disclosure down, FBI survey says
Copyright © 2002 AP Online

By D. IAN HOPPER, AP Technology Writer
WASHINGTON (April 7, 2002 12:18 a.m. EST) - Most large corporations and
government agencies have been attacked by computer hackers, but more often
and more frequently they do not inform authorities of the breaches, an FBI
survey finds.

The survey released Sunday found about 90 percent of respondents detected
computer security breaches in the past year but only 34 percent reported
those attacks to authorities.

Many respondents cited the fear of bad publicity about computer security.

"There is much more illegal and unauthorized activity going on in
cyberspace than corporations admit to their clients, stockholders and
business partners or report to law enforcement," said Patrice Rapalus,
director of the Computer Security Institute, which conducted the survey
with the FBI's San Francisco computer crime squad.

The seventh annual survey polled 503 American corporations, government
agencies, financial and medical institutions and universities. The names of
the organizations polled were not released.

Overall, there were more computer crimes than in last year's survey. But
fewer victims reported crimes to police than in 2001, reversing a trend
from earlier surveys.

A former Justice Department computer crimes prosecutor said there is
frequently little incentive for a company to report computer attacks or

"It tends not to help their bottom line, but hurt their bottom line," Mark
Rasch said. "What a company wants to do is solve the problem and move on."

When those companies are financial institutions or other parts of the
nation's critical technology infrastructure, however, more than the
company's bottom line is at stake.

The government is using partnership groups - such as the FBI's InfraGard
chapters in each field office - to persuade companies to report the attacks
directly to FBI agents without public disclosure.

"They need to use a mechanism to report these incidents and vulnerabilities
broadly so they can be fixed, but won't be attributable back to them,"
Rasch said.

The survey respondents said they lost at least $455 million as a result of
computer crime, compared with $377 million the previous year. In both
surveys, only about half chose to quantify their losses.

The most serious monetary losses came from the theft of money or
proprietary information, such as blueprints for computer programs, and
fraud, such as failure to deliver services or equipment that have been paid

Despite concerns that foreign governments would begin using computer
attacks as a method of terrorism or war, most attacks on American companies
still come from individual hackers and disgruntled employees, the report

The survey also addresses the increasing frequency of attacks on Internet
retailers. There have been several reports of thefts of credit card data
over the past year, including some instances in which the thief threatened
to release sensitive data unless the victim paid a ransom.

WorldCom, The New York Times and others have had holes exposed in their Web
security, leading to unwanted intruders.

Thirty-eight percent of the respondents said their Web sites have been
broken into over the past year, and 21 percent said they were not sure.
Eighteen percent reported some sort of theft of transaction information,
such as credit card numbers or customer data, or financial fraud.

Seventy percent of organizations reported online graffiti, usually the
simplest and least damaging type of attack. A graffiti hacker replaces the
Web site's front page with his or her own text and, sometimes, offensive

Companies are also seeing problems from within. Seventy-eight percent said
their employees abused Internet privileges, including downloading
pornography or pirated software.

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
