Week 6 Blog – Security
Find a story about a security snafu that took down a web site, corrupted the database, caused user data to be stolen, etc. Describe what happened, how it happened, and the cost.
I found this a bit depressing research, since so many unsolved stories come to mind, and so many barriers to prosecuting criminals exist as criminals find hostage in countries that choose not to share information, or even suspend criminal ISP activity. In my E-Commerce, a Managerial Prospective 2008 book by Efraim Turban, the Group of Eight (G8) international forum comprises governments that work together to prosecute and stop cybercrimes. As of the writing of the book, the G8 countries included Canada, France,Germany, Italy, Japan, Russia, the United Kingdom and the US.
This situation helps explain why a huge majority of the hackers (some estimate about 95 percent) reside in Turkey, China, Romania, or Brazil.
UBS Paine Webber
Electronic Commerce, a Managerial Prospective 2008 also included a 2002 ‘insider’ crime against UBS Paine Webber by a disgruntled former employee. I started this assignment researching the continuing story from this particular crime and found myself uncovering more stories – which I will list later in this article.
A former systems administrator at UBS PaineWebber was charged with designing software that would delete all files in the host server at the main data center and in every US branch office. Within hours of quitting his job, in 2002, he bought stock in UBS PaineWebber that would only pay out if the company’s stock plunged within 11 days. The company’s servers went down the next day and approximately 17000 brokers across the country could not make trades. Backups went down within minutes of being run and files were deleted. An employee trying to fix the main server discovered a line of code that seemed to hang up the system. She renamed this line to ‘hide’ it from the logic bomb/software which was key to stopping further destruction and led to restoring servers one at a time (30 minutes to 2 hours each). This affected nearly 400 branch offices, and cost the company $3.1 million in assessing and restoring the network – calling in 200 IBM technicians to expedite the recovery. The company never divulged the amount of money lost in business during the disruption – between 6 hours, a day and a half for most, and weeks for some branches depending on complications at different servers.
In 2006, despite finding parts of the logic bomb code at the house and on 2 of 4 home computers of this former employee, and a forensics expert testifying that the password and user account information of this person were used to gain remote access to the insertion point of the malicious code, the defense lawyer kicked in to suggest reasonable doubt to the jury. He was able to show that UBS computer security had flaws and holes – backdoors in the system (such as allowing more than one person to be logged into the system at the same time with the same username/password); how could the jury be certain that someone with this employee’s password and username wasn’t retaliating and setting him up; and a claim that evidence was destroyed when starting to work together on the incident – UBS and @Stake, the first computer forensic company on the scene, were mentioned in an Information Week article that the company @Stake hired hackers and further quoted the defense lawyer:
”Are hackers good people?” he asked. ”Are hackers reliable?”
The trial moved on, turning to blame other companies, bringing up the accused employee’s statements of wanting to get even and eventually taking a possible 30 yr jail sentence and $1 million fine down to a possible 78 to 97 months in federal prison with no parole. This was all of the information I was able to uncover online.
- Information Week article – UBS Trial
- Dept. of Justice on UBS
- Electronic Commerce,A Managerial Prospective 2008, Turban – which also reminds everyone that the Monday after Thanksgiving is one of the biggest target dates for online scams as they try to take our hard earned Christmas shopping money
More Security Stories in the News
Here I list some information online, and elsewhere encountered on the subject of security.
- High Profile Breaches in Security, reminded me that earlier this year the FAA sent its employees and retirees a free credit reporting service after lists of personal information were hacked into. Actually, the FAA was pretty quick to do this, but found that its first list was incomplete, and sent a second list along with an apology to those that were included months down the road. I was impressed that they did not blame anyone but themselves for the breach and the late list, as well as the quick action that they took with the first list of possible victims. This information would have been used for id theft and to my knowledge was never used against anyone….so far.
- Forbes Slideshow of Recent examples in the news of Phishing,Stock Scams, Swatting, Insider data theft, Identity Theft, Adware, Counterfeit Software. The interesting thing here, is that the phishing story has the first extradition from Romania to the US since the accused was vacationing in another country when arrested.
- A friends business website has been hacked several times, the hacker has been traced to Romania. My friends site is made in Joomla, and they are still trying to discover the security leak.
- ZDNet article – NASA hacker who hacked into 97 military and NASA computers is being extradited from the UK to the US. The accused claims he was looking for UFO information….
- MD5 Hash database has compiled several stories from Harvard, and other stories. The neat thing about THIS site is the encouraging essay on Securing your joomla website
- PDF File – CSI 2008 Survey Report that mentions cybercrimes are dropping in numbers, but this is because of the firewalls and security in place. It admits a better picture than reality, since the crimes that are caught before they do much damage don’t really reflect in the numbers. Basically it takes every ounce of work AFTER the site has been compromised as well as every ounce of work DEVELOPING more secure sites as we try to run legitimate businesses online. (By the way, students enrolled in a security type class can get membership to CSI at a reduced rate of $99/yr)