A World Wide Web of Organized Crime

An Eastern European ring may have lifted over a million credit-card numbers from the Net. The sirens are wailing for tougher security standards

By Alex Salkever

Until recently, cybercrime has largely been a sport for lone wolves or small groups with a taste for mischief and danger. Organized-crime groups largely left the Internet alone. Still, security experts worried that Net crime across borders would quickly proliferate. The reason: Low risk of apprehension and the potential for big rewards.

Now it appears those worries are finally starting to come true. On Mar. 8, the National Infrastructure Protection Commission (NIPC) -- a federal watchdog that works with the FBI to protect the U.S. national infrastructure -- took the unusual step of holding a press conference to warn businesses and the public about an ongoing investigation into what may be the largest case of organized crime online to date.

The NIPC alleges that in recent months, Eastern European hackers have infiltrated Web servers running versions of the Microsoft NT operating system, grabbing at least 1 million credit-card numbers and other personal information from 40 U.S. financial institutions and companies. After lifting this data, the gang has allegedly attempted to extort money from their victims by threatening to post the info on the Internet. Amazingly, to gain access, the intruders are using well-known security flaws that are easily fixed.

There's plenty of blame to go around for this crime wave. Companies clearly fell down in enforcing basic security policies for their Internet operations. Some never fixed vulnerabilities. Software vendors also deserve blame for pushing flawed products out the door.


  But this should serve as a wake-up call: It's time for the government to step in. Any company that takes a person's credit card over the Net and stores it in a database should be required by federal law to meet minimum security standards. Software companies should be forced to take legal responsibility for buggy products. If not, they should face real consequences -- legal liability. "The increasing reliance of our economy on information technology requires that we have software systems that have much higher levels of security," says John Gilligan, chief information officer for the U.S. Air Force's computer networks.

This is hardly the first attempt at extortion using information stolen over the Internet. In August, 2000, media mogul Michael Bloomberg helped police apprehend two Kazakhs who had snagged his personal information from his company's computer networks. And in January, 2000, a still-at-large Russian hacker dubbed "Maxus" posted for public consumption 25,000 credit-card numbers stolen from online music retailer CD Universe, after the company refused to pay his six-figure extortion. Malicious hackers have long had easy access to automated tools designed to find flaws in Web servers and other software exposed to the public Internet.

But the timing of the NIPC warning comes amidst a raft of bad Net-security news. The same week, hackers published a free program that makes it easy to compromise encrypted passwords on computers running older versions of e-commerce software from IBM, which expressed frustration that customers weren't applying readily available patches.

And on Mar. 12, the Computer Security Institute (CSI) released its annual survey, which showed that 64% of the 538 companies and large institutions it polled acknowledged suffering financial losses due to computer breaches in the past year. The majority of those breaches came over the Internet. Of those entities, the 186 that were willing to tally their losses admitted that the hacking had cost them $378 million, up 42% and the highest number since the CSI started these surveys four years ago.


  The CSI study likely lowballs the real figures. Many companies are loath to admit to anyone that they've been hacked. Likewise, the NIPC is probably understating the number of companies facing extortion threats. According to Alan Paller, director of research for the Systems Administration Networking & Security Institute, the actual number of extortion victims could be as high as 250. "This changes what people think about Web hacking. [It] used to be some kids. These guys are methodically looking at systems over the Internet, looking for the next target."

This should no longer come as a surprise. The amount of commerce and financial transactions now passing over the Internet means it's now a far more enticing environment for organized hackers looking to pick the low-hanging fruit. And that's precisely what the Eastern European ring appears to be doing.

Allegedly based in Russia and the Ukraine, the group was first detected last summer. It appears to use three well-known security holes to ransack systems and then come back with ransom demands. "We began to see a correlation between a number of investigations that we had been conducting. We had victims who had reported that their systems had been compromised, and there had been extortion demands being placed against them," says Shawn Henry, the chief of computer crime investigations for the NIPC.

Henry declined to reveal any names or elaborate on the types of information that had been stolen. But he did explain that the NIPC has never seen an effort this big. Although the commission says it's receiving cooperation from Russian and Ukrainian authorities, neither nation has a reputation for stellar law enforcement.


  What to do? First of all, software companies that fail to safeguard their products should be subject to legal action for damages, says Gilligan. At the same time, they should help create better solutions to the existing system of applying patches to flawed programs. Overwhelmed systems administrators often apply a dozen or more of these patches each week -- and the patches themselves often conflict with other critical software.

The complexities inherent in mixing and matching different software systems funds dozens of multibillion-dollar consulting companies. "Every systems administrator is the equivalent of the head of maintenance for an airline. His job is to not only maintain the planes, but create the blueprints for the planes, too. That's just insane," says Paller.

All of this cries out for big changes in the system -- changes that software and e-commerce companies fear would drop a heavy financial burden on them. But building in safety measures need not be so heavyhanded. Lawrence Livermore National Laboratory is already testing a system called SafePatch that would automate the patching process and smooth over many of the conflicts inherent in the process. Ongoing tallies of reported security flaws by organizations such as SecurityFocus.com (via it's BugTraq mailing list) should make benchmarking software security far easier. And credit-card company Visa is about to enforce a 12-point security policy that includes mandatory encryption and use of firewalls. Merchants that don't measure up could get fined.


  Meanwhile, software-industry efforts to obtain even stronger legal protections against lawsuits have ground to a halt, with only Maryland and Virginia agreeing to pass these oppressive statutes. That means companies seeking redress might have a chance in the courts and should avail themselves of this option. State-level courts can help shift this burden in the right direction, back toward the software companies.

But thus far, only baby steps have been taken. What's needed is a more focused effort to upgrade online safety and lock out organized crime. The Air Force's Gilligan likens the situation to the young auto industry. "We're seeing a parallel to the rapid growth in automobile ownership in the '50s and '60s. Safety and reliability were not the concern. Only after legislation that established tighter safety rules, as well as lawsuits, did the automobile manufacturers put emphasis on safety," he says.

With cars, the concern is the occupants' physical safety. But on the Internet, it's society's long-term economic safety, as we move more and more of our transactions to the Web. Now's the time to bring in a traffic cop and a traffic court to avoid more costly pile-ups down the road.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht

Before it's here, it's on the Bloomberg Terminal.