Motiviation of malicious intruder goes beyond information threat

Botnet attack cripples hospital's systems and networks

Tuesday, May 23, 2006

AUSTIN, TX – The motivation of malicious intruders for breaking and entering corporate computer networks goes way beyond information theft. In fact, many breaches in security go unnoticed because the attacker wants to remain hidden and purposefully tries to mask their presence as long as possible. To understand why an attacker doesn't always opt for a hit and run and to prevent long-term hacking and abuse of a company's systems and networks, requires insight into the mind of a malicious intruder and their motivations. For most companies, this is a difficult panacea to reach because they employ hard working, law abiding citizens that don't wake up every day thinking of ways to steal, run scams and break things. It's difficult to know how to prevent crime if you don't know what it is you are trying to prevent.

Following is a recent example of hacker motivation you may not be aware of:

A twenty year old and two other accomplices allegedly launched an attack that hit tens of thousands of computers and crippled the network of Northwest Hospital and Medical Center in north Seattle, a 187-bed nonprofit facility in January 2005. Their motivation was not to steal information. Nor was it to bring down the networks. Their motivation was to install unwanted software that displays advertisements on computers, a job that earned the alleged attackers about $100,000 in fraudulent commissions.

Beginning around July of 2004, the alleged attackers systematically gained control of an estimated total of 13,000 to 50,000 computers to create what is commonly termed as a "botnet," a network of computers infected with software that turns them into an army of zombies, doing what ever their master tells them to do. You would think that botnets would only be created with the millions of consumer computers connected to the Internet and left on overnight, silently leading a life of crime under the unsuspecting nose of their owners. Not so. In addition to Northwest Hospital, these alleged attackers hacked into powerful servers at California State University, Northridge; and, the University of Michigan and the University of California, Los Angeles. They also hacked into a server at the Planet, an Internet service provider, and installed "Internet Relay Chat" server software using the machine as a home base for a botnet.

Evidently the hospital staff was not fully aware of what was happening until it was too late. The attack on and use of their systems and networks resulted in the following:

• Shut down of computers in the intensive care unit
• Prevented doctor's pagers from working
• Slowed down the hospital's computer network
• Caused delays in scheduling surgery
• Caused delays in processing lab tests
• Manual backup procedures had to be put into place

It is interesting to note that the attack did not result in the loss of information. The Hospital did however estimate that the direct cost of repairing its system was approximately $150,000. Indirect losses to organizations that experience a breach of this magnitude have proven to be much higher. Things like loss of reputation, loss of patient or customer confidence and future business are far reaching, longer lasting and require more marketing and public relations costs to repair.

This particular case may have a happy ending however. One of the alleged attackers has been indicted on charges of conspiracy to damage a protected computer and conspiracy to commit computer fraud. If convicted, the attackers faces up to 10 years in prison, a $250,000 fine, and could be ordered to pay restitution. The two other attackers are also facing similar charges.

Find out if this is happening within your systems and networks:

Frank Harrill, a special agent in the FBI's computer crimes section, was recently quoted by the Associated Press that there are tens of thousands of botnets circulating through cyberspace at any given time. Your staff may not be aware or even know how to detect them if your systems have been infected. To find out requires time, tools and talent that may not be at your ready disposal.

NetAUDIT(TM) security assessment services developed by Spohn and Associates, Inc. provide a feasible option for identifying if your systems have been assimilated into a botnet. NetAUDIT Network Security Assessment inspects a company's internal networks and systems for all types of malicious code that can provide malicious intruders unauthorized access to and control of servers and work stations. Many other more common types of malicious code are identified as well, such as trojans, spyware, adware and others. Misconfiguration and faulty applications that create other types of vulnerabilities are identified and ranked from highest to lowest threat to the company.

NetAUDIT Network Assessment also inspects Internet-facing devices using multiple tools and "hacker" methods for identifying points of entry into an organization that could provide unauthorized access into the network.

NetAUDIT services provide authorized technicians that utilize proven tools and processes to see a system from an attacker's perspective so it can be fixed or the risk of an intrusion minimized through commercially reasonable improvements. NetAUDIT identifies weaknesses in security controls and provides recommendations for remediation..

In summary

The motivations of today's attackers goes well beyond what you or your law-abiding staff could ever dream of. Not having this hacker mentality makes it difficult to know what to look for or even prevent from happening. NetAUDIT Network Security Assessment provides the resources, tools and talent to inspect and test your systems for most known vulnerabilities and provide remedy recommendations and guidance for fixing them.

For more information on the botnet case visit:
http://www.montereyherald.com/mld/montereyherald/13843462.htm

About Spohn

Spohn Consulting, Inc. is a professional services firm specializing in security assessment for small, medium and large businesses in the United States. Spohn is privately held with corporate offices in Austin, Texas and regional sales offices in California, Chicago, Maryland, New Jersey, New York, and Texas.

About NetAUDIT™

NetAUDIT is a complete suite of assessment services based on Spohn's proven methodology for identifying vulnerabilities and misconfigurations in administrative, physical and technical security controls. NetAUDIT assessments assist companies in preventing unauthorized access to information, systems, networks and facilities and lower risk of loss to the organization.