Feds feel bite of cybercrime

 


There is something about the Federal Deposit Insurance Corp. that seems to attract cybercrime.

Earlier this month the agency had to notify 6,000 current and former employees of a data breach that could put them at risk of fraud or identity theft.

The FDIC also has been used as a decoy in phishing schemes by con artists looking to separate consumers from their money. Spam e-mail claims to come from the agency, warning that user bank accounts are going to be frozen while the Homeland Security Department investigates violations of the U.S. Patriot Act.

But the financial agency is not alone. The FBI and other federal agencies have been used as decoys in other scams.

Despite these examples, government agencies apparently have been slow to realize that they, too, could be vulnerable to Internet scams, spoofs and spyware.

The Government Accountability Office recently weighed in on cybercrime, finding that federal agencies do not appreciate the dangers of phishing and other cyberthreats.

'Many agencies have not fully addressed the risks of emerging cybersecurity threats as part of their required agencywide information security programs,' auditors said in a report released last month.

Of the 24 federal agencies surveyed by GAO, 19 identified the nonsecurity effects of spam, such as reduced system performance and the cost of filtering e-mail, as problems. When it came to phishing, 14 agencies said that the scam had limited or no effect on their systems and operations. As for spyware, 11 agencies said it caused a loss of employee productivity or required more help desk support. One agency 'stated that spyware was simply a nuisance to its users,' GAO said.

Phishing is the fastest-growing, largest fraud activity in U.S. history, according to a government expert speaking at the Techno Security 2005 conference in Myrtle Beach, S.C., earlier this month.

Stanley Crowder, a special agent with the Secret Service's Electronic Crimes Task Force section, told a standing-room-only audience that the agency estimates that phishing schemes raked in more than $3 billion since April 2003, by blasting out 57 million e-mails. It has grown 15 percent a month for the past 10 months, or close to 300 percent overall.

And phishing is not the only threat. A new Internet con, domain spoofing, called 'pharming' (in which traffic going to a legitimate Web site is redirected to a fake site), is beginning to spread.

Then there's spam, spyware and malware (malicious software such as viruses, worms and Trojan horses).

He warned that malware is now in over 50 percent of phishing attacks. But 'malware is hard or impossible to detect via anti-spyware.'

Many of these schemes are originating in other countries, particularly Eastern Europe, Crowder said. 'In 2004, there was a 'how-to' conference in Kiev, Ukraine.'

Addressing Techno Security attendees, Chet Hosmer, president and CEO of WetStone Technologies Inc. of Cortland, N.Y., also spoke about the dangers of cybercrime, and the possible connection to interests hostile to the United States.

From September 2004 to May 2005 there were almost 3 million documented downloads of password-cracking software, more than 2 million downloads of key-logging software and more than 1.2 million downloads of spyware, Hosmer said. 'Those download numbers are only the tip of the iceberg. They're only collected from a handful of download sites willing to give us the data, [so] we're only looking at a small piece of the puzzle,' he said.

There are dozens, if not hundreds, of other Web sites that also provide these free tools, and their data is unavailable, he said.

The most common cybertool that could be used for illicit intent was password-cracking software, Hosmer said. In 2004 alone, almost 140 new applications used to crack passwords were released, most as downloadable freeware. While there are legitimate uses for this, such as systems administrators who need to gain access to files when a user has forgotten his password, Hosmer said, the illegal opportunities are obvious.

Many of these activities are related to the explosive growth of Internet-based crime, and it is reasonable, indeed likely, to suspect that enemies of the country are participating, Hosmer said. While the bulk of these tools originate in the U.S., there has been significant growth in tools developed in Asian and European countries.

'Is it such a stretch to think that someone sees these as weapons that can be used against government systems?' he said. 'Because we haven't heard that it has happened yet is no reason to not guard against it.'

GAO recommended that agencies include emerging threats in their required risk assessments and planning required under the Federal Information Security Management Act. It also called upon the Office of Management and Budget, the Homeland Security Department and the attorney general to develop guidelines for comprehensive incident reporting.

Is cyberterrorism a real threat? Not everyone shares that opinion

What constitutes cyberterrorism?

Is it a serious threat, or does it just present a nuisance? Are companies selling hype, or do they actually offer security solutions that will protect government and industry from the effects of an attack?
These are some of the questions raised in the wake of a controversy that stirred attendees at the Techno Security 2005 conference in Myrtle Beach, S.C., earlier this month.
In one corner was Marcus Ranum, chief technology officer for Tenable Security Inc. of Columbia, Md., who accused the security industry of playing on fears of terrorism in order to close sales with companies and agencies.
'Pundits make a huge leap from messing with the electronic infrastructure to, 'You'll lose your mind and die,' ' Ranum said.

Malicious software

In the other corner, Chet Hosmer, president and chief executive officer of WetStone Technologies Inc. of Cortland, N.Y., pointed to the explosion of free hacking software, spyware, password crackers and other types of malicious software, and asked rhetorically whether anyone believes those programs are intended for benign use.
Someone could try to sabotage the computer-based train dispatching system in, say, Kansas City, by using a key logger and getting hold of a password, he said. A hacker then could introduce a virus or change lines of code, which could have a ripple effect on other services, Hosmer said.
The fact that there hasn't been a terrorist cyberattack shows that it is not easy and doesn't necessarily have a big payday, Ranum countered.
But Hosmer said there have been such attacks, citing one virus that spread throughout the Internet in about 15 minutes.
There was no agreement between the two men, or their supporters on either side of the aisle, and this is a debate that will likely continue for a while.

- Patience Wait

Glossary of cybercrime

Phishing. Scams that use e-mail or pop-up messages to trick people into disclosing sensitive information that can be used for fraudulent activities, including identity theft.


Pharming. This is a technique that 'poisons' a Domain Name System server by infusing false information into the server, resulting in a user's request being redirected elsewhere, even though the user's browser shows the correct address. Phishing targets victims one at a time; pharming targets large groups of people.


Spam. Electronic junk mail.


Spyware. Generally falls into one of two categories, advertising or surveillance, according to the Government Accountability Office:
Advertising spyware can collect information such as a user's IP address, Internet use, online buying habits and e-mail address.
Surveillance spyware usually is surreptitiously downloaded onto a person's computer specifically to steal information or monitor access. It can be as simple as a key-logging program that records each key stroke (making it easy to steal passwords, for instance), or as sophisticated as a capture program that will steal and transmit virtually everything done on a particular computer.


Trojan horse. An apparently useful and innocent program containing additional hidden code, which allows unauthorized collection, exploitation, falsification or destruction of data.

































GCN staff writer William Jackson contributed to this article.