Internal net saboteurs being brought to justice

An IS worker is scheduled to face federal criminal charges this week in U.S. District Court in Miami for allegedly downloading a virus into his employer's computer system, crashing the network for nearly two full days.

This case, which comes a little more than a year after the first federal criminal prosecution of computer sabotage, is just one in a growing number of insider-based network attacks, according to federal law enforcement agents. Another case is getting ready to go to trial in October in Las Vegas, and yet another was wrapped up with a guilty verdict this summer in New Hampshire.

The high price of computer crime
Ghost accounts: An open door to network sabotage
Network World, 08/27/01.

The U.S. Secret Service, which splits its focus between protecting heads of state and conducting criminal investigations, is handling twice as many cases that involve insider attacks as just a year ago, says Bruce Townsend, special agent in charge for the Secret Service's financial crimes division. Supervisory Special Agent Jim Hegarty of the FBI's computer crime squad says it is currently investigating four such cases in New England alone.

"Eighty percent of the cases we're seeing are from the inside or people who were formerly with the organization," Townsend says. "When you conduct an investigation, that's one of the first areas you need to look at now. . . . It's not if you're going to be attacked, but when you're going to be attacked."

Kenneth vanWyk, CTO for ParaProtect Services, a security portal in Centreville, Va., says 95% of the break-ins they're called in to handle are insider-based.

"An insider attack really gets the attention of the company because an insider has access to all the critical systems," vanWyk says. "If they want to do damage, they know how. . . . A company's decision to protect itself isn't just a technology decision. It's a business decision."

Grocer victimized

In the Miami case, Herbert Pierre-Louis, a hardware engineer who worked in the IS department at Purity Wholesale Grocers, is being charged with computer sabotage for the June 18, 1998, incident at the $1.5 billion national grocery outlet based in Boca Raton, Fla. Assistant U.S. Attorney Richard Boscovich says the damage was well over the $5,000 waterline that is one of the key factors making this a federal crime.

Boscovich will not release information until the trial gets under way on how the crime allegedly was perpetrated or why Pierre-Louis would want to attack his own employer.

The FBI's Hegarty says this is a time when companies should be particularly cautious.

"In light of the economy and the downturn and layoffs, companies should pay attention to this," he says. "These are not isolated events. There's an awful lot of trust they have in computer people in these companies."

That's a lesson Omega Engineering's Bridgeport, N.J., manufacturing plant learned the hard way. In the summer of 1996, a software time bomb went off in the plant's computer network, systematically eradicating all the programs that ran the company's manufacturing operations. Exacerbating the problem, Omega's only back-up tape was missing. The manufacturing plant was no longer able to manufacture. Company executives, during last year's trial in U.S. District Court in Newark, N.J., said the company had yet to fully recover. The incident caused $12 million in damages and led to Omega losing its footing in the high-tech instrument and measurement market and the eventual layoff of 80 employees.

Omega's former network administrator, Tim Lloyd of Wilmington, Del., was charged with sabotaging the network he helped build. He was found guilty after a four-week trial. The judge later set that verdict aside after a juror told the court she was unsure whether a piece of information she had heard on television news had been factored into her verdict.

The government appealed the judge's ruling, taking its case in front of the Third Circuit Court of Appeals in Philadelphia this past April. A ruling is pending.

Lloyd was charged under a relatively new statute that made computer sabotage a federal offense if it affected a computer used in interstate commerce and caused more than $5,000 worth of damage to the company over a 12-month span. That was the first federal criminal prosecution of computer sabotage.

Similar cases prosecuted

Now that same statute is being used in three other cases.

One of those cases charges network consultant Christopher Sandusky with sabotaging the computer network at one of his clients, Steinberg Diagnostic Medical Imaging in Las Vegas. Sandusky is charged with three counts of network intrusion for changing passwords in the network, which locked administrators out of their own system. Assistant U.S. Attorney Matthew Parrella notes in the indictment that Sandusky allegedly hacked the system on three different days between late February and early March of this year.

Sandusky, working with a partner, had been hired as a subcontractor by the medical imaging company, according to sources close to the investigation. Both the deal and the partnership fell through, and Sandusky's partner went to work for Steinberg Diagnostic as a system administrator. The government contends that Sandusky attacked the system to gain revenge.

The damage had to have added up to at least $5,000 for Sandusky to be charged with a federal offense. Further information won't be released until the trial, which is slated to start Oct. 15 in U.S. District Court in Las Vegas.

Earlier this summer, a former help desk worker at Bricsnet, a Portsmouth, N.H., application service provider for the construction and design industry, was found guilty on federal charges of network sabotage for hacking into Bricsnet's system after being fired last fall. Patrick McKenna of Hampton, N.H., pleaded guilty to breaking into the system twice using a supervisor's password - once the night he was fired and again the next morning - to delete a total of 675 files, change user access levels and send e-mails to Bricsnet clients saying the company's project center would be temporarily or permanently shut down.

The attack, which was discovered by another Bricsnet employee the next day, cost the company $13,614 in in-house repair costs, according to Arnold Huftalen, Assistant U.S. Attorney for the District of New Hampshire. Some of the destroyed files could not be restored.

"His activities were meant to cause as much damage as possible. It was malicious," says the FBI's Hegarty, who says putting a financial number on the loss is misleading. "How do you quantify the impact when customers receive these kind of damaging e-mails? You can't put a dollar on that. Would a company pay $13,000 not to have that happen?"

William Tucker, vice president of Bricsnet, says administrators took basic security precautions after firing McKenna, who had broken company rules against moonlighting and other activities. Tucker says they terminated McKenna's password, logon and user accounts. They also changed the code on their building's keypad and escorted McKenna from the building.

"There was no sense of foreboding," Tucker says. "These steps were routine for us. . . . Certainly, we had an extensive [security] system in place but we were always thinking of outside intrusion."

Tucker says the incident, which the FBI traced back to McKenna in less than a week, has changed the way the company evaluates its security needs. Since the attack, Bricsnet has re-evaluated its security system and limited network access.

"We're acutely aware of the damage a disgruntled employee can cause," he says. "I think people took it personally. For someone you've worked with on a daily basis, it certainly was an element of betrayal."

Internal net saboteurs being brought to justice

Grocer victimized

Similar cases prosecuted

Related Links