AP: Experts warn of new Y2K threat--the hired help

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

[Some months ago I remarked on this forum that we might possibly expect some January 1 code timebombs planted in computers by disgruntled employees. There was some skepticism of that post--I think some of it might have come from Nigel. Um, looks as if I'm not the only one with a suspicious mind.]

Thursday July 29, 1999 12:29 PM

Experts Warn of New Y2K Threat: the Hired Help

WASHINGTON (AP) -- Two of the government's top computer security experts said today that some programmers hired to fix Year 2000 problems may be quietly installing malicious software codes to sabotage companies or gain access to sensitive information after the new year.

The alarms were sounded at a hearing on the ``Y2K glitch'' and cyberterrorism before the Senate Committee on the Year 2000 Technology Problem.

``Many of these (rogue programmers) have no security clearance, do not work for the government, and yet they have access to critical systems that if sabotaged could wreak havoc to our financial institutions and our economy,'' said Sen. Christopher Dodd, D-Conn., the committee's vice chairman.

A recent analysis by the Gartner Group predicted electronic thefts worth at least $1 billion, noting that the computer networks of financial institutions, corporations and governments handle transactions worth $11 trillion annually.

Michael Vatis, director of the FBI's National Infrastructure Protection Center, said experts hired by U.S. companies to fix their computers could secretly program ``trap doors'' - ways to let them gain access later - or add malicious codes, such as a logic bomb or time-delayed virus that could disrupt systems.

``While systems have been and will continue to be extensively tested, the probability of finding malicious code is extremely small,'' agreed Richard Schaeffer, director of the Defense Department's Infrastructure and Information Assurance program.

Neither expert suggested the possible scope of the problem.

Schaeffer said problems are complicated by the New Year's rollover, when some computers programmed to recognize only the last two digits of a year may mistake 2000 for a full century earlier.

``It may be difficult to distinguish between a true Y2K event and some other anomaly caused by a perpetrator with malicious intent,'' Schaeffer said.

Both experts said the risks were exacerbated by the amount of software repaired by companies overseas. Vatis called the situation ``a unique opportunity for foreign countries and companies to access, steal from or disrupt sensitive national and proprietary information systems.''

Vatis recommended that companies thoroughly check the backgrounds of companies they hire for software repairs. He also said they should test for the existence of trap doors after the repairs, possibly even hiring teams to try to electronically crack into their own networks.

The latest warnings come on the heels of new disclosures about White House plans to create a government-wide security network to protect the nation's most important computer systems from hackers, thieves, terrorists and hostile countries.

The 148-page proposal from the Clinton administration describes building an elaborate network of electronic obstacles, monitors and analyzers to prevent and watch for potentially suspicious activity on federal computer systems.

Sen. Robert Bennett, R-Utah, said today that the scope of the Y2K problem shows that a successful attack on a computer system - such as the network that controls the traffic lights or subway in New York - ``could have as much impact on the economy as if somebody actually dropped a bomb.''

Civil liberties groups complain that the security tools also would make possible unprecedented electronic monitoring, especially because of the increasingly widespread use of computers by the government in almost every aspect of its citizens' daily lives.

The White House defended the proposal.

``We are very concerned about protecting privacy rights,'' said Clinton's national security adviser, Sandy Berger. ``But there is also a privacy right in not having hostile entities attack systems. We're not only talking about 17-year-old kids in their basement. We're talking about governments that we know are developing systems to get access to our computer systems.''

The first 500 intrusion monitors would be installed on nonmilitary government computers next year, according to a draft copy of the proposal obtained by The Associated Press. The full system would be completed by May 2003.

The plan also suggests ways to convince private companies to monitor their corporate computer networks and share information about threats. But it said explicitly that the government will not force companies to permit federal monitoring of their systems.

By TED BRIDIS, Associated Press Writer



-- Old Git (anon@spamproblems.com), July 29, 1999

Answers

Old Git and others, The genesis of all of these explosive stories today (Other threads have posted other stories) was today's Senate Y2k hearing. I realize that actually watching a hearing or even reading a reporter's raw notes on such a hearing is about as exciting as watching paint dry, but if you want to understand how these stories developed, you can go to C-Span.org (be careful though, I got the dreaded "blue screen of death" when I went there just now)and watch the hearing on real video, or you can read my reporter's raw notes of the hearing at

A reporter's raw notes on July 29, 1999 Senate Y2k Hearing

Of course, you can also do neither. I make no recommendations here. Obviously, AP did some follow up. AP is big. We'll likely see this story picked up tonight and tomorrow by nationwide media. Bottom line: As a result of today's hearings, Y2k and Cyberterrorism (in one breath) could soon emerge--significantly--on the radar screen of public consciousness. 'Not sure the powers that be planned it that way. Then again. . . :)

-- FM (vidprof@aol.com), July 29, 1999.


Also see:

http://www.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id= 0019pM



-- INVAR (gundark@sw.net), July 29, 1999.


The guv'mint has been playing the "blame game" for some time now. They tell us that the Fed will be 100%compliant. First, they blame local governments. They will be at fault for any failures (they will be to some degree). Then terrorists will take advantage of this situation (they will if possible, but this threat has always been looming). Then the public panic is more of a threat than Y2k (Y2k will be the initial cause for any public effect). Now the ones fixing the problem are vilified (even though there will probably be some to take advantage of any criminal opportunity in any situation).

There will be no Y2k problems-----it will all be blamed on something/someone else. What else can guv'mint do after all the lies they have told us for the last year. They sure as he*l can't tell us the truth now.

-- cb (cb@truth.com), July 29, 1999.


So what you're telling me here uncle sam, is that you and everyone else out there is completely able to solve the Y2K problem. However they're to freaking dumb to vet the people working the projects?

Or did they get desparate when there was no one around to do the work and let anyone at all in?

Maybe the DOD went down to the local 7 Eleven and recruited 15 year old Hassan and Quing Shen by giving them unlimited pepsis and cigarettes. Yeah, then we brought em in and gavem special clearances. It was a little hard to keep them focussed on the job and not surfing porn sites or playing doom, but somehow we managed.

And then the big banks probably put some flyers up around campus hoping to attrack some young hotshot hackers. The adds prob. went like this: Wanted Greedy Hackers to Remediate Code in Major Financial Institution Complete Access to all systems No background check required!

Come one come all!

Keep your eye on the ball SHEEPLE!

-- Gordon (g_gecko_69@hotmail.com), July 29, 1999.


Y2K Disruptions=Cyberterrorism=threat to critical infrastucture=National Security Emergency=Federal Response Plan under FEMA Command and Control=Executive Order 12148=Military Support to Civilian Authorities=????????

-- Y2K-OK (happy@risperdane.com), July 29, 1999.


y2k-ok = you got it...

-- Andy (2000EOD@prodigy.net), July 30, 1999.

Moderation questions? read the FAQ