Surveys and Reviews |
|
Hackers are increasingly launching "targeted attacks" in which specific tools are used against specific cyber targets, instead of releasing worms and viruses that spread indiscriminately across the Internet. Statistics from security services provider Riptech show that 40% of attacks suffered by their client base were targeted, significantly above the expected 15%. (SANS NewsBites Vol. 5 Num. 20, 21 May 2003 and New.Com 13 May 2003) |
|
A Deloitte Touche Tohmatsu (DTT) survey found that 39% of banks and financial services companies reported computer security breaches last year. 16% of those came from external sources, 10% from internal sources and 13% from both. 175 senior IT executives were surveyed. DTT's Simon Owen said the figures show that the biggest threat to companies is not from employees; cyber attacks are becoming increasingly sophisticated. (SANS NewsBites Vol. 5 Num. 20, 21 May 2003 and ZDNet UK 12 May 2003) |
|
According to the Deloitte Touche 2003 Global Security Survey of worldwide financial services institutions, over a third of banks and financial services companies surveyed reported a security breach in the last year. Of the 39 per cent who admitted their systems had been compromised, 16 per cent were due to external attacks, 10 per cent internal breaches and 13 per cent both. (silicon.com and BNA's Internet Law News, 14 May 2003) |
|
According to the UK's Sophos, one of the world's largest antivirus companies, about 1,000 viruses are created every month, and in almost all cases the perpetrators are computer-obsessed males between the ages of 14 and 34. "They have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes. It's a form of original graffiti to them," says Sophos CEO Jan Hruska. Virus writers tend to explore known bugs in existing software or look for vulnerabilities in new versions in order to create and spread their infections, and Hruska notes that the next target for the virus writing community could be Microsoft's .Net platform for Web services. To boost the impact of their creations, virus writers also tend to share information to create variants of the same infection, such as the infamous Klez worm, which has been among the world's most prolific viruses in the last year. (Reuters/CNet News.com and NewsScan Daily, 18 Mar 2003) |
|
A significant number of web sites are vulnerable to cross-site scripting attacks, despite warnings about the problem that have been out for six months. Crackers have exploited the vulnerabilities to publish phony press releases and to steal credit card information and cookies. Addressing the problem on each site can be complicated and time consuming. It is also possible that because the affected site is the party delivering the malicious code, it could be liable for damages. (SANS NewsBites Vol. 4 No. 39, 25 Sep 2002 and IT Week 16 Sep 2002) |
|
Gartner analyst John Pescatore observes that the recent Office of Management and Budget (OMB) report detailing cyber security weaknesses throughout government agencies' systems found no correlation between quality of security and spending on security, which confirms Gartner CEO Michael Fleisher's statement that spending more doesn't make for better security. The government must do much more to ensure the security of its information infrastructure--but just spending more isn't the answer. Government agencies should increase spending only in certain areas, including external security audits. OMB identified six areas of weakness: Lack of senior management attention; Lack of security education and awareness; Inadequate performance measurement; Failure to integrate security into capital planning and investment control; Poor security practices by outside contractors; Inadequate detection and reporting of vulnerabilities. (CNET News.com 22 Feb 2002 and SANS NewsBites Vol. 4 Num. 09, 27 Feb 2002) |
|
The 2001 Computer Crime and Security Survey from the Federal Bureau of Investigation and the Computer Security Institute makes it clear that cybercrime is on the rise. But for the first time, according to survey respondents, incidents precipitated by outside hackers outnumbered those originated by internal threats. (E-Commerce Times 05 Feb 2002 and GigaLaw.com Daily News, 06 Feb 2002) |
|
According to a report released by the Computer Science and Telecommunications Board, US computer systems are increasingly vulnerable to cyberattacks, partly because companies are not implementing security measures already available. Experts estimate US corporations spent about $12.3 billion to clean up damage from computer viruses in 2001. Some predict viruses and worms could cause even more damage in 2002. To avert risks, the panel urged organizations to conduct more random tests of system security measures, implement better authentication systems and provide more training and monitoring to make information systems more secure. All these measures were possible without further research, it said. (Reuters 08 Jan 2002, BNA's Internet Law News and GigaLaw.com Daily News, 09 Jan 2002) |
|
Some legal scholars are suggesting that a Web site vandalized by hacker attacks may itself be legally liable if its customers suffer damages and if the site was negligent in maintaining security. Law professor Margaret Jane Radin of Stanford University predicts: "A court is going to say it is negligent of you not to implement preventative measures if they are reasonably effective and affordable." No reported court decisions have dealt with the issue, but Radin says that lawsuits in the near future are highly likely to be lodged against companies and network providers targeted by "denial of service" attacks. (NewsScan Daily, 27 Aug 2001 and New York Times 24 Aug 2001) |
|
At least 155 federal computer systems -- some containing sensitive research information or personal data on Americans -- were temporarily taken over by hackers last year, according to a government review. The report found numerous weaknesses that permitted unauthorized access to the medical information of Medicare recipients. The director of the FBI's National Infrastructure Protection Center said there are currently 102 open investigations of computer intrusions into government systems, and the bureau is keenly aware of the rise of state-sponsored hacking. Only 5 to 10 percent of federal agencies use automatic security detection programs and 80 percent of incidents go unreported. The government's lack of safeguards against domestic and foreign attackers who struck 32 federal agencies last year is "chilling," one congresswoman said. (GigaLaw.com Daily News 06 Apr 2001 and The Nando Times 05 Apr 2001) |
|
A national poll of 1,400 CIOs reveals that 90% have confidence in their network security, despite estimates that billions of dollars are lost every year to cybercrime. The survey, conducted by RHI Consulting, has raised eyebrows among security experts who point out that it's generally in a CIO's best interest to keep quiet when security breaches occur. A recent survey conducted by the Computer Security Institute indicated that more than half of the respondents said they did not report the intrusions to law enforcement out of fear of negative publicity or that rival companies would use the information to competitive advantage. Meanwhile, a 1999 survey found that Fortune 1000 companies lost more than $45 billion in thefts of proprietary information that year. (InfoWorld 03 Jan 2001 and NewsScan Daily 04 Jan 2001) |
|
A new study says credit card numbers and passwords stored on many "secure" Web servers are vulnerable to hacking. Eric Murray, an independent security consultant, tested a random sample of 8,081 secure Web servers and found that 32 percent of them are "dangerously weak." (Salon.com Technology and BNA's Internet Law News 08 Aug 2000) |
|
Most Canadian companies see online security as the biggest threat to e-commerce, but they are complacent and not prepared to deal with it, according to a new study by KPMG Investigation and Security. KPMG's efraud survey 2000, which was sent to 1,000 top Canadian companies, indicated that while Canadian businesses are aware of e-commerce fraud, 89% believe their company is less of a target than others. 'People seem to think their systems are fine, that e-commerce fraud is going to happen, but not to them,' says Gary Gill, Vancouver VP for KPMG. Some two-thirds of new and upcoming e-commerce platforms launched by Canadian companies lack the corresponding security improvements. (Silicon Valley North 07 Jun 2000) |
|
The Yankee Group reports that losses attributable to last week's denial-of-service attacks on major U.S. Web sites could total more than $1.2 billion. The research firm says the attacks resulted in capitalization losses that exceeded $1 billion on the days of the attacks and losses in advertising and sales on those days are expected to exceed $100 million. The report calls for Web sites to beef up their security, and patch holes and vulnerabilities in their systems. It predicts that affected Web sites and their peers will spend an additional $100 million to $200 million on these upgrades. The report calls for websites to make use of security-assessment technologies to identify and patch the holes and vulnerabilities in their systems to prevent such attacks. The resulting damage to brand image, partnership, and future customers will have a further impact on all the companies, the report said. The Yankee Group predicts that Internet security breaches will get even worse, as attacks could be launched from any of the millions of homes with always-on cable and DSL connections. (InformationWeek 14 Feb 2000, NewsScan Daily 15 Feb 2000) |
|
Companies engaged in iCommerce are 57 per cent more likely to suffer an information security breach than those that do not do business online, according to "The 1999 Information Security Industry Survey" published in the July '99 issue of the Information Security magazine. Overall, the number of companies actually hit by an unauthorised access breach (hacking/cracking) was up almost 92 per cent from 1997 to 1998. A total of 745 organisations were polled in the survey and asked questions about their infosecurity software and hardware use, organisational budgets for security, the use and effectiveness of infosecurity policies, and salary and personnel issues affecting professionals engaged in securing their organisation's data, communications and technology. The survey showed that, while the number one type of breach experienced by most companies was employee or insider access abuse, the biggest increase was coming from outsider hacking (cracking), or outside access abuse. (Information Security, Jul 99) |
|
A new public-private alliance to curb Internet crime will help teach children "that hacking is the same as breaking and entering," Attorney General Janet Reno said Monday. Educating children about acceptable online behavior is among three initiatives under the Cybercitizen Partnership, an initiative of government and the high-tech industry to promote cyberspace ethics and help law enforcers track down online criminals. "All children know it's wrong to break into a neighbor's house or read your best friend's diary. Unfortunately, fewer realize that it's wrong to break into their neighbor's computers and snoop through their computer files," Reno said. (Associated Press via InfoBeat, 15 Mar 99) |
|
Welcome to the Internet age in Russia. Like many other pursuits in this land, Web surfing has been tainted by fraud. As the Russian Internet-user community -- now about one million strong -- grows, so do the ranks of hackers wreaking havoc. Hackers aren't just stealing passwords and taking joy rides on other users' surfing time: They take credit-card fraud -- already endemic in Russia. According to the Russian police, the fraud costs consumers and companies tens of millions of dollars annually. The proliferation of Trojan horse-type software has made life easier for hackers. They insert highly intelligent "bugs" in seemingly innocent programs that Internet surfers can download. The bugs search for stored passwords; when the user logs on, the information is transmitted back to the hacker via the Internet. With the password, the hacker can log on to the victim's account. Hackers so disrupted business that America Online Inc. pulled out of the Russian market about two years ago. (Dow Jones News, 22 Feb 99) |
|
Corporate networks are coming under attack from an army of amateur crackers working unwittingly for professional thieves, security experts have warned. They have identified signs that organized criminals and "professional" crackers are using trick software that lets teenage enthusiasts -- known as "script kiddies" -- attack networks for amusement. The software then secretly sends the findings of these surveys to experienced crackers. Professional gangs could use this trick to build massive databases of network insecurities for thieves to exploit. Consultants cited the hacking group New Order's Aggressor network-attack software, which invites amateurs to register for a full copy on the promise that they will receive hidden tools to mount stronger attacks on their victims. The growth of Java programming skills lies behind another new trick, where crackers build Java cracking software into websites. When surfers browse the site, the program returns the surfer's IP address to network security tools' logs, leaving the cracker's real location a secret. Canadian hacking group HackCanada is encouraging crackers to rewrite the Python network-scanning script Phf in Java so it can be loaded into Web surfers' browsers during a visit to an innocuous-looking site. (Tech Web - CMP, 16 Feb 99) |
|
Security systems firms say Russia's economic crisis could turn information technology experts into a threat to any firm in the world that uses a computer system. Growing layoffs and low salaries mean they could soon follow the path taken by many before them into Russia's flourishing world of hacking, software theft and piracy. The number of Russian Web sites on the Internet offering pirate software and hacking tools had risen this year. Experts say that Russia's computer specialists could turn to sinister crimes to reap profitable rewards. (Reuters, 04 Jan 99) |
|
The information technology research company, GartnerGroup, reports that 90% of organizations that have undergone external security assessment have discovered significant vulnerabilities in their Internet systems. Eighty per cent of GartnerGroup's research clients have - or suspect they have - suffered security breaches. More and more organizations are linking networks with sensitive data to the Internet where there are a lot of potential threats. Most ecommerce today is business to business. Opening your system to suppliers could also leave you open to competitors accessing your database. (Australian Financial Review, 13 NOV 98, p. 5) |
|
More Canadian businesses are becoming the target of Internet-related computer crimes, according to a report by a professional services firm. The Ernst & Young/CIO Canada Global Information Security Survey reported hacking attempts via the Internet have doubled from 4 percent in 1997 to 8 percent in 1998. (Reuters via CNet, 22 Sep 98) |
|
Two recently conducted studies report that losses experienced by Fortune 1000 companies as a result of computer break-ins were higher last year than ever before, despite increased spending on computer security measures. A study by the Computer Security Institute and the FBI estimates 1997 losses from computer crime at $136 million, up 36% from 1996. About half the respondents cited the Internet as a frequent point-of-attack, with the remainder citing internal corporate networks as the favored break-in point. Meanwhile, a study by WarRoom Research LLC found that a large majority of Fortune 1000 companies have experienced a break-in by an outsider in the past 12 months, with more than half reporting more than 30 security breaches during that time period. Nearly 60% reported losses of $200,000 or more for each intrusion. (Internet Week 23 Mar 98, Edupage, 24 Mar 98) |
|
Three-quarters of UK companies have not tested the security of their Internet sites. KPMG, in its second Information Security Survey, said fewer than half of companies have any security procedures governing their sites' use, and more than half require no user ID or password for external access into systems. In the event of a security breach being detected, there is a 50% chance no action will be taken against the offender. (Computer Weekly, 26 Feb 98) |
|
Fifty-three percent of federal government computer security managers reported unauthorized use of their systems last year, and "This year, the number is more like 60%," says a Computer Security Institute analyst. (Wall Street Journal, 26 Feb 98; Edupage, 26 Feb 98) |
|
78% of respondents in a recent survey of 1,300 IS managers suffered a loss related to data security in the past two years. More than a quarter of these suffered losses of up to $250,000. In 1998, the Computer Emergency Response Team (CERT) reported six security breach incidents; in 1995, there were 2,412 incidents. Over 70% of computer security breaches are from internal sources. |
|
A recent FBI/Computer Security Institute report found that only 16.9% of companies that detect network intrusions actually report them. The NYPD Computer Investigations and Technology unit puts the figure at 1%. "Unless required to, there are few incentives to report cyberintrusions," notes Alan Fedeli, a project team manager from IBM's Internet Emergency Response Team. (Software Magazine, November 1997, p. 23) |
|
During the first round of testing in August 1997, every one of the corporate Web sites tested by NCSA as a part of their security audit services was penetrated and compromised. Vendor products fared only slightly better. The firewall lab began testing a year ago and, since then, two-thirds of firewalls have failed their first attempts at certification. Meanwhile, virus scanning tools, the most mature of these technologies, failed 25% of the time on first run. In these cases, the NCSA tosses the tools back to vendors for repairs or patches and tests them again until they pass. (Software Magazine, October 1997, pp. 37-47) |
|
In a joint survey of Fortune 500 corporations conducted by the FBI and the U.S.-based Computer Security Institute (CSI), 42 per cent of respondents said they had experienced unauthorized use of their computer systems within the last year. And although companies are often reluctant to report security breaches and their associated dollar losses, 32 per cent admitted to losses totalling close to $100 million. (Computing Canada, 5 August 97) |
|
A study conducted by Deloitte & Touche on behalf of the European Commission estimates that international fraud has cost the European Union anywhere from 6 billion to 60 billion European currency units, with much of that fraud perpetrated over the Internet. "At its simplest, the Internet allows a fraudster to set out a site on the World Wide Web which claims to be the site of a reputable company or organization. Victims are then induced to part with funds via credit card payments, or induced to reveal valuable information. At least one major international bank is known, confidentially, to have suffered from this although details of losses are not available," says the study. And while encryption can help ameliorate some of the problems, it is a "double-edged sword" says the study, because it can also shield the nefarious doings of crooks on the Net. The study calls for international cooperation among governments in apprehending electronic fraudsters, and says the issue poses "huge" challenges to law enforcement and civil agencies: "The traditional sources of forensic and other evidence will become rarer, and a range of new types of evidence will need to be acceptable to the courts." (BNA Daily Report for Executives, 5 May 97) |
|
Dan Farmer, author of SATAN software, which is designed to find holes in Web site security systems, has conducted a nonscientific survey of about 2,200 Web sites, and found about 70% to 80% had "serious security flaws." The survey consisted of 1,700 "high profile" sites, and another 500 that were selected at random. The high profile sites were found to have security problems at about twice the rate of the random sample. "Many of the really interesting sites are juggling," explains Farmer. "They offer a bunch of services -- electronic mail, Internet news, user accounts and the like. Any one of these isn't that difficult to keep up in the air. But put enough "balls" up there and you start losing track... It's simply difficult to manage all this stuff over a long time. And often employees are being screamed at just to keep things running -- not necessarily secure. System administrators almost never get the proper budget or training to do security properly." Of the 660 banks surveyed, about 68% had sites that Farmer considered highly vulnerable. (Investor's Business Daily, 20 Jan 97 A6) |
|
A report from the U.S. General Accounting Office describing an information war games exercise developed for the Defense Department by the Rand Corporation says that more than 120 countries have some form of computer attack capabilities. (Atlanta Journal-Constitution 22 Jun 96 F1) Meanwhile, the FBI's special agent in charge of the San Francisco division says that in a recent survey of companies, "42% of those who responded said they'd experienced some unauthorized intrusion into their computer system in the last 12 months. Also, it found that 47% of those surveyed felt it could have been a foreign competitor or foreign government. We feel that's a very significant problem, one the FBI is particularly interested in." (Investor's Business Daily, 24 Jun 96 A6) |
|
Dissertation thesis by Dr. John D. Howard based on the data from the CERT/CC archive (http://www.cert.org/research/JHThesis/index.html). |
Government |
|
Interior Secretary Gale Norton and Assistant Secretary for Indian affairs Neal McCaleb have been found in contempt of court for failing to adequately address vulnerable computer systems that manage Indian trust fund accounts. Norton and McCaleb committed four counts of fraud and one of litigation misconduct for a range of actions that include making false and misleading statements about computer security for IIM data, the judge concluded. The entire Interior department was taken off line late last year when it became clear that its computer systems lacked adequate security. (SANS NewsBites Vol. 4 No. 39, 25 Sep 2002 and Federal Computer Week 17 Sep 2002) |
|
Government investigators hacked into the Internal Revenue Service computer system last year and gained access to Social Security numbers and other sensitive information from electronically filed tax returns, a congressional report said. "We had the ability to access virtually everything that was included in an electronically filed return," said the report's author, Bob Dacey, director of information security issues for the General Accounting Office. The IRS is not the only agency grappling with computer security problems, Dacey said. "We have found similar types of problems in a number of agencies," he said. A GAO report released in September said a fourth of the government's major agencies had computer security problems. (GigaLaw.com Daily News and The Washington Post 16 Mar 2001) |
|
Government sites in the U.S., U.K., and Australia were the victims of hack attacks over the weekend. In Australia alone, over a dozen government sites were hit. (Internet Law News and Fairfax IT 22 Jan 2001) |
|
A hacker claims to have exposed a major security hole in an Australian government tax site, obtaining personal bank information for thousands of businesses. A man calling himself Kelly rang ABC radio in Sydney and said he had discovered the lack of security on the website of the government's Start-up Assistance Office. "They didn't have any security - there was none," Kelly said. He said he had sent up to 17,000 emails to people and companies whose details he had accessed. The details would allow the hacker to masquerade as another individual if he so chose, the Institute of Chartered Accountants of Australia (ICAA) said. "Our members are extremely agitated," ICAA executive director Stephen Harrison said. The break-in was a timely warning of the importance of Internet security, he said. "Organisations that collect this information have a responsibility to make sure their systems are safe." (Internet Law News, 29 Jun 2000, Fairfax IT 29 Jun 2000) |
|
JAPAN has called an emergency meeting today to boost computer security after humiliating raids on Government websites by hackers. The hackers linked one Government website to a pornographic site and attacked Japan's war record on another. The site at the Science and Technology Agency had been penetrated twice in two days, and key data on another site, including census information, had been erased. The hacking came just days after a Government meeting at which officials decided to bring Japan up to US standards of computer security by 2003 and to draw up a plan to fight cyber-terrorism by the end of this year. The newest hacker entry left a second message in Chinese - this time on the agency home page - and again assailed the stand by some ultra-rightist Japanese groups that the 1937 Nanjing massacre never happened, the Mainichi newspaper said. Chief government spokesman Mikio Aoki said today several ministers would hold a meeting later in the day to discuss the hacker raids, which have made Japan's computer vulnerability painfully clear. The Government has responded with anger to the wave of raids, calling them "deplorable". It has vowed to conduct stringent investigations, possibly calling on the US Government - more experienced in combating hackers - for help. (AAP, Fairfax IT 26 Jan 2000) |
|
Computer hackers reportedly penetrated and vandalized one of the US government's most popular Websites on Monday, denying visitors the ability to search for congressional information. The hackers altered the library's "Thomas" Website, a hot destination among journalists and researchers seeking immediate information on bills under consideration. The AP report said that the vandals claimed to be "four hackers from a little country in Europe," and changed the site to read: "U.S. Congress Web site - defeated!" The group also published the formula they claimed to have used to penetrate the site, and left a software log that included part of a user's identification number, but it was partially masked, the report said. The attack follows intrusions last year against FBI, Senate, US Army and White House Websites. (Newsbytes 18 Jan 2000) |
|
Canada's central security agency, the Canadian Security Intelligence Service (CSIS), has issued a warning against global terrorism, citing hackers and crackers, those who penetrate secure computer systems, as a growing threat. In a background paper, CSIS admits that crackers entered their Website in 1996 and altered their logo by changing the word "Intelligence" to "Illegal." In this first public disclosure of the incident, the agency says the event serves as an example of how cyber-savvy terrorists may be able to tamper with mission-critical systems. Since then, there have been several instances of federal and provincial government Websites being cracked. (Newsbytes 18 Aug 99) |
|
Computer hackers invaded and disabled the Web site of the National Oceanic and Atmospheric Administration's Storm Prediction Center yesterday, forcing weather trackers to look elsewhere for storm data. "The Internet is an unofficial way to distribute that information, but a lot of people have come to rely on it," says the Center's director. Last week the U.S. Army's main Internet site was temporarily disabled. The FBI is investigating the incidents. (AP/Los Angeles Times 30 Jun 99, NewsScan Daily 30 Jun 99) |
|
Two new attacks have been made against government Web sites. The new targets were an Interior Department site and a federal supercomputer laboratory site in Idaho. The person claiming responsibility for the intrusions says that he lives in Portugal and belongs to a group called F0rpaxe. A note left by the vandals on the Interior Department site reads, "Now it's our turn to hit them where it hurts by going after every computer on the Net with a .gov. We'll keep hitting them until they get down on their knees and beg." An Interior Department official says, "These are the perils of open government. We try to make as much of the materials of the Interior Department as open and available as possible. The consequence of that is, those who choose to do damaging things can do that." (New York Times 1 Jun 99, Associated Press/NYT 1 Jun 99, NewsScan Daily, 1 June 1999) |
|
Computer vandals were successful this week in overloading the FBI's Web site with requests for information and in posting pictures and obscene messages on the site maintained for the U.S. Senate. No classified or personal information was compromised, but Jack L. Brock of the government's General Accounting Office called the vulnerability of government computer systems "a critical risk" and said that most agencies have weak computer security systems in place: "Controls are all management issues and most agencies are not addressing them. There is no magic bullet for this; it's a continuing process." (New York Times 29 May 99, NewsScan Daily, 31 May 1999) |
|
Protests over NATO's bombing of the embassy in Belgrade have spilled into cyberspace. Enraged Chinese hackers apparently attacked the official Web site of the U.S. embassy in China and took over the Web sites of the Departments of Energy and the Interior. The Department of Interior Web site displayed pictures of the Chinese journalists killed. The Department of Energy site read "Protest USA's Nazi action" and also had a message that read, "We are Chinese hackers that takes no cares about politics, but we can not stand by seeing our Chinese reporters been killed." One message posted on attacked sites read "Down with the Yanks." According to Chinese news reports, hackers also launched attacks on the official White House site. The hackers' own site at killusa.abc.yesite.com, a repository of hacking strategies, had nearly 1,000 messages Sunday, either reporting sites being hacked or expressing anti-American sentiments. A contributor to the page also suggests manning a full-scale attack on American Web sites, disseminating computer viruses, and attacking the sites continuously in a method the hackers term "machine-gunning." Another suggests targeting financial sites. (ABCNEWS.com, 9 May 99) |
|
A computer hacker has upset a police investigation into last month's riot near the campus of Michigan State University. The hacker broke into the East Lansing police computer through a Web site and apparently stole confidential information from nearly 200 tipsters. The tipsters were trying to help police catch rioters who smashed windows and burned a police car after MSU's basketball team lost in the NCAA tournament. (UPn 8 Apr 99) |
|
A new report on national security, titled "CyberCrime, CyberTerrorism and CyberWarfare," calls for a complete overhaul of U.S. national security agencies and policies in order to avoid crippling sabotage of the nation's and corporate America's information infrastructure. The report, which is the product of the Center for Strategic and International Studies' Global Organized Crime project headed up by former FBI and CIA director William Webster, chronicles the results of a recent joint chief of staff exercise code-named "Eligible Receiver." The exercise involved a group of security experts, known as a "red team," that used software widely available from cracker Web sites to demonstrate the capability to penetrate and disable major portions of the U.S. electric power grid and deny computer systems to the entire Pacific military command and control operation. The report recommends the establishment of private sector-organized groups that would evaluate and endorse information security standards in various industries, coupled with increased government support for such efforts and the development of a national security policy for the Information Revolution. "The private sector cannot sit back and wait for government to lead," says Sen. Charles Robb (D-Va.), a member of the Senate Select Committee on Intelligence. (InternetWeek 16 Dec 98; Edupage 17 Dec 98) |
|
Public Info Hackers can access sensitive medical and financial information on individuals because of widespread security weaknesses in agency computer systems, officials told the Senate Governmental Affairs Committee. Outside and internal auditors at the Social Security Administration and the Department of Veterans Affairs found security shortcomings in agency systems, leaving data vulnerable to exposure or manipulation, according to the General Accounting Office. Both agencies defended their security practices but also admitted that the audits uncovered security shortcomings they were not aware of. The audit of SSA revealed security breaches involving passwords, unprotected modems, lax implementation of audit trails and the vulnerability of the e-mail systems. (Computer Week, 23 Sep 98). |
|
Computer hackers in Australia targeted the ruling party's website for some mischievous re-wording, changing Australian premier John Howard's title to "Prime Minister for Pain, Suffering and Inequity". The cyberspace pranksters also altered Australian Treasurer Peter Costello's portfolio to "Minister for the Rich, Stomping the Poor and Wrecking the Economy," the Daily Telegraph reported. Foreign Minister Alexander Downer was termed "Minister for Foreign Humiliation." Downer's site was also linked to Disneyland.com, while Workplace Relations Minister Peter Reith became "Minister for Destruction of Workplace Fairness, the Gestapo and Propaganda." Other ministers' names were linked to websites displaying explicit pornography. (AP, USA Today, 98.09.01) |
|
Computer vandals who monitored Internet traffic in order to "sniff" (intercept) a password to the Stanford Linear Accelerator Center were able to gain access to more than 30 of the federal research center's most important Unix servers. No permanent damage was done to programs or data, but the facility was closed down for a week, as a precaution meant to protect the lab's computing infrastructure. (San Jose Mercury News 10 Jun 98; Edupage 11 Jun 98) |
|
The U.S. Department of Energy has issued a bulletin warning that two new computer attack tools, known as Teardrop and Land, are being used maliciously by crackers intent on breaking into computer systems and networks. The software sniffs out vulnerable servers and launches attacks based on the "denial-of-service" strategy that overwhelms servers with bogus messages, blocking out legitimate traffic. "They hit the button and go down to the cinema with their girlfriends," says a senior systems consultant with the Defense Information Systems Agency. "They come back and see that they have looked at 200,000 systems." (TechWeb 24 Dec 97) |
|
U.S. Attorney General Janet Reno and counterparts in Canada, France, Germany, Italy, Japan, Russia and the United Kingdom have agreed to work together to police the "new frontier of crime" represented by computers and computer networks. Reno says: "We know now that a criminal can sit in one country and disrupt a computer system in another country thousands of miles away. If we are to keep up with cybercrime, we must work together as never before... Each nation has committed to develop faster ways to trace attacks coming through computer networks so that we can quickly identify the hacker or criminal who is responsible." (AP, December 11, 1997) |
|
Electronic communications from the highest level of government were revealed when pager messages to and from President Clinton's entourage were published on the Internet in September (www.inch.com/~esoteric/pam_suggestion/formal.html). An unidentified hacker intercepted the messages when the President traveled to Philadelphia last spring. They were released on the net by Pam Finkel, a New York City-based computer consultant and member of the hacker's group "2600." The embarrassing release of the material was timed to coincide with discussion of a controversial domestic encryption control amendment to the Security and Freedom through Encryption (SAFE) bill. The information details every step of the President's journey from his departure from Andrews Air Force Base to his arrival at the convention center where he was to speak -- clearly a breach of his personal security. (Software Magazine, November 1997, p. 34) |
|
Robert Marsh, the chairman of the Commission on Critical Infrastructure Protection, says that neither government nor industry now has the means to protect the United States against computer attacks that could shut down communications and the power grid. As examples of cyber attacks already experienced, Marsh cited incidents at Langley Air Force Base in Virginia and Griffiss Air Force Base in Rome, N.Y. "A flood of e-mail messages originating in Australia and Estonia -- and routed through the White House computer system -- virtually shut down Langley air base's e-mail for hours," he said. Also, someone in England routing messages through Latvia, Colombia and Chile and commercial Internet service providers gained access to computers at Rome Laboratory at Griffiss and "launched attacks against a wide array of defense and government computer systems," said Marsh. (Montreal Gazette, The Associated Press, 8 Oct 97) |
|
Delaware law enforcement officers seized the personal computer of a teenager charged with invading the Web site of NASA, the National Aeronautics and Space Agency in Huntsville, Alabama, and posting the message: "We own you. Oh, what a tangled web we weave, when we practice to deceive," and calling the NASA site administrators "extremely stupid." A NASA statement described the teen's hacking as "a cracking spree" and said, "We live in an information environment vastly different than 20 years ago. Hackers are increasing in number and in frequency of attack." (USA Today, 3 Jun 97) |
|
Unidentified hackers gained access to the United States Justice Department's Web site (http://www.usdoj.gov) on Aug. 16 and replaced it with a hate-filled diatribe labeled the "Department of Injustice" that included a swastika and a picture of Adolf Hitler. Justice officials quickly pulled the plug on the vandalized page, but the security flaws that allowed hackers to gain entry likely exist in thousands of other corporate and government web sites, security experts said. "The vast majority of sites are vulnerable," said Richard Power, senior analyst at the Computer Security Institute. "There's all kinds of measures you can take. Most corporations and institutions don't take them simply because nothing bad has happened to them yet." Hackers make 250,000 attempts annually to break into U.S. military computers, according to a General Accounting Office report. Relying on security holes that had been documented by software manufacturers months earlier, Windows Magazine's specialists were able to gain various degrees of unauthorized access at the different sites. (Calgary Herald, August 20, 1996) |
Non-Governmental Organizations |
|
Maine Public Broadcaster's list of thousands of members was hacked, providing the hacker with the names and credit card numbers of 63,000 people. Representatives announced the breach so members would be aware that fund-raising data may have been compromised. The station has tried to shut all electronic doors to its server, located in Bangor, Maine, and it is taking added precautions to prevent future attacks. Federal authorities also have been notified, though the company was told there is no need for an investigation unless there is proof of financial damage. (Associated Press, 11 May 2000, Internet Law News, 12 May 2000) |
|
The American Civil Liberties Union site on America Online was violated by a person with a stolen password. The vandal had called AOL's customer service department for help changing an account's password, and the customer service representative failed to verify the caller's identity. AOL has fired the customer service representative and alerted its employees to watch for copycat break-in attempts by other vandals. (Atlanta Journal-Constitution 31 May 98, Edupage 31 May 98) |
|
The National Collegiate Athletic Association (NCAA), victimized by a vandal who cracked into the NCAA's Web site to post racial slurs there, is turning over to the FBI all details of the malicious entry. The Kansas City Star says it has identified the vandal as a 14-year-old high school freshman. (AP, 12 Mar 97) |
|
Last weekend, a computer cracker aimed a "cancelbot" computer program at Usenet -- an Internet bulletin board system -- and wiped out more than 25,000 messages. "Whoever did this has the potential to bring Usenet to its knees and remove all the articles from Usenet in a given day," says one software engineer. "That's Internet terrorism." "It's a stupid 'net trick,'" says a Lucent Technologies security expert. "It's virtually trivial to generate these cancel messages. Any doofus without much programming experience can do this, and we're going to see this kind of thing all the time." The cracker's account on Oklahoma-based Cottage Software Inc. was canceled immediately and the FBI has been notified. (Wall Street Journal, 27 Sep 96 A13A) |
Academic and Medical |
|
A computer intruder broke into a Seattle area hospital and downloaded thousands of private medical records. Files on 4000 cardiology and 700 physical rehabilitation patients were pilfered. The hacker took command of large portions of the University of Washington Medical Center's internal network and downloaded computerized admissions records for four thousand heart patients. All the data from these computers was taken over the Internet. All the machines were exposed without any firewalls of any kind. The files catalog the name, address, birth date, social security number, height and weight of patients, along with each medical procedure they underwent. (Securityfocus.com 06 Dec 2000) |
|
A hacker broke into MIT's computer system and altered the grades of students in a biology class. (Internet Law News 09 Mar 2000) |
|
A malicious hacker using a computer in the University of California at Berkeley's mathematics department this summer has managed to crack 47,642 passwords of computer users around the world, using a software program called "John the Ripper," according to a report by the CERT Coordination Center at Carnegie Mellon University. "This is a very large attack," says Calvin Moore, chairman of Berkeley's mathematics department. "This is obviously somebody who invested a lot of time." The Federal Bureau of Investigation is investigating the attack. Some of the affected computers are located at U.S. universities, including the California Institute of Technology, Harvard University, and the University of California at Los Angeles. (Chronicle of Higher Education 11 Sep 98, Edupage 10 Sep 98) |
|
U.S. law enforcement agencies are hunting a computer vandal who broke into companies and academic institutions around the world (including universities such as UCLA and Harvard) and stole about 48,000 encrypted passwords, which he or she then decoded with a program called "John the Ripper." The vandal, who is thought to be operating in Europe, first came to police attention when a graduate student at the University of California, Berkeley, told officials his computer account had been compromised. (AP 13 Aug 98, Edupage 16 Aug 98) |
|
A new study of 30 hacker attacks and other computer problems, conducted by researchers at the University of Michigan, found the cost of the attacks varied widely, depending on the incident. Most of the attacks affected few people and cost less than $15,000 each to fix, but in a few severe cases, repair costs topped $100,000 and service was disrupted for more than 1,000 users. The study's leader, Virginia Rezmierski, says the data provide a starting point for more research that could lead to guidelines on how a university should react to such threats. (Chronicle of Higher Education 17 Jul 98, Edupage 14 Jul 98) |
|
University of Colorado police have arrested a freshman for allegedly providing pilfered passwords and access codes to an unidentified Israeli hacker who broke into the school's computer system earlier this month. Joshua Gregory Pearson, 18, a computer science major, was arrested Thursday in a renewed CU police crackdown on online crime, authorities said. Authorities believe Pearson used a "sniffer" program, downloaded off the Internet, to intercept passwords and access codes needed to sign on to university computers. Those codes then were passed on to a hacker known only as "Heavy Metal." CU computer experts traced the hacker back to Israel. Campus officials said the damage could run into the thousands of dollars and that the break-in could leave the university's computer security system vulnerable for months. (Denver Post, 22 Mar 98) |
|
Prosecutors in Fairfax County, Virginia, have filed criminal charges against two George Mason University students for hacking their way into university computers and sending derogatory e-mail under the names of random students and staff members. Altering computer data is a felony and willfully using a computer network without authorization is a misdemeanor. (Washington Post, 8 Aug 97) |
Military |
|
Russia and China appear to be developing computer-based tools with the potential to do long-lasting harm to the U.S. economy, a top intelligence official told Congress. Such arms will give future foes new leverage over the United States, including a way to ratchet up pressure and the prospect of anonymity, said Lawrence Gershwin, the national intelligence officer for science and technology. (GigaLaw.com Daily News 22 Jun 2001 and ZDNet News 21 Jun 2001) |
|
Computer attacks against the Pentagon are increasing, due largely to unpatched security holes, poor security practices, and increasingly sophisticated tools available on the Internet. 99% of the successful attacks can be attributed to known vulnerabilities that have gone unfixed and poor security practices by defense agencies, said Navy Capt. Robert West, the deputy commander of the Pentagon's Joint Task Force for Computer Network Defense. In addition to weak security practices by Defense Department (DOD) network administrators, the increase in the number of attacks can be attributed to the greater availability of sophisticated hacker tools on the Internet. Someone with a very limited amount of computer skills can do a lot of damage. "All of our various layers of networks are connected," said West. "Regardless of classification, there are connections and you are dependent on that infrastructure." (Computerworld and SANS NewsBites 14 Dec 2000) |
|
The US DoD reports that it was the target of 22,000 hack attempts in 1999 and 14,000 in the first seven months of 2000. Most of the DoD's problems arise from vulnerabilities in off-the-shelf software. In a few cases, hackers believed to be working for foreign countries have broken into unclassified computer systems and downloaded large amounts of information, said Arthur Money, the assistant secretary of defense for command, control, communications and intelligence. Money predicted that the number of attacks is only "going to increase" in the future. "There is hardly any way to prevent" vulnerabilities from creeping into the millions of lines of commercial computer code written not only in the United States, but also in India, Ireland, Israel and other countries. Many of the vulnerabilities are unintentional, but some appear to be "trapdoors" deliberately left by software writers to allow intrusions, and others are "backdoors" that were designed to help systems administrators but have been "discovered by kids and hackers and used to harass the systems." The Defense Department has roughly 10,000 computer systems and 1.5 million individual computers. "We are probed on a daily basis by those who are trying, or planning, to disrupt our nation's military capabilities," he said. (Washington Post 8 Dec 2000) |
|
Attacks on Defense Department computer systems increased nearly four-fold between 1998 and 1999 when over 22,000 were reported; despite pleas to hackers to relent, nearly 14,000 "events" (probes, scans, virus incidents, and intrusions) have been reported in 2000 as of August 4th. A Pentagon spokesperson attributed the jump in reported attacks partly to improved intrusion-detection procedures and technology, along with stepped-up awareness and reporting. But the "sophistication" of attacks was also increasing, and he says the "noise floor" from hackers creates an environment in which more serious threats become harder to detect. (SANS NewsBites 16 Aug 2000, CNN.com 9 Aug 2000) |
|
A federal judge criticized the U.S. Army's efforts to keep its public World Wide Web site secure after a 20-year-old man said it was easy to hack into it. "The Army didn't do its homework in the first instance," U.S. District Judge J.P. Stadtmueller said Tuesday. The judge commented as Chad D. Davis pleaded guilty Tuesday to gaining unauthorized access to the site and altering its contents. Davis said he had hacked into the Army computer using information freely available on the Internet. He replaced the Army's opening Web page with the "signature page" of Global Hell, a nationwide group of hackers to which he belonged. Stadtmueller said the Army's effort, or lack of it, to keep its Web site secure could affect the amount of restitution Davis is ordered to pay. (AP, 5 Jan 2000) |
|
The Pentagon says that defense analysts have successfully thwarted new and recent attempts to break into open Pentagon networks on the Internet. A Pentagon spokesman admits, "There are literally hundreds of attempts weekly to break into the computers. It's a constant because there's a certain cachet to getting into the Pentagon system." The Department of Defense insists that 99.95% of hacking attempts fail to penetrate beyond the open networks and pose no national security threat. (New York Times 5 Mar 99; Edupage, 7 March 99) |
|
U.S. Department of Defense security experts on Friday warned that hackers have a new weapon in their arsenal -- coordinated attacks on government and private networks from multiple locations around the world. Discovered just this month, the attacks are hard to detect since they involve sending two to three malicious data packets among millions of friendly packets from multiple Internet locations around the globe simultaneously in an effort to intrude into a network. (InfoWorld, 25 Sep 98) |
|
Having become aware that some military Web sites were offering "too much detail on Defense Department capabilities, infrastructure, personnel and operation procedures," the Pentagon has ordered the elimination from those sites of all information that might compromise national security or endanger Defense Department personnel. A senior government official says: "One of the things we're finding over time is that, in this new environment, the distinction between classified and unclassified information in some respects is diminishing." (Washington Post 26 Sep 98; Edupage, 27 Sep 98) |
|
A shadowy group of computer hackers has apparently succeeded in breaking into a U.S. computer system that controls military satellites, officials and security experts said Tuesday. The group, calling itself MOD or Masters of Downloading, has proof of its electronic snooping -- secret files allegedly pirated from the Defense Information Systems Network (DISN), computer security expert John Vranesevich said. The group of about 15, which includes Americans, Britons and Russians, said it accessed the Defense Information Systems Agency in October and stole key operating software they say controls everything from military communications networks to GPS satellites and receivers. MOD members said the stolen software, known as the Defense Information Systems Network Equipment Manager (DEM), was the key to the U.S. network of military Global Positioning System (GPS) satellites -- used to pinpoint missile strikes, guide troops and assess ground conditions. (Reuters 21 Apr 98) |
|
Learning of numerous vulnerabilities in the security of the computers accessed by its 2.1 million users worldwide, the Department of Defense is formulating new plans to tighten security systems. In a recent military exercise called "Eligible Receiver," cyber attacks were able to access the military's command and control structure in the Pacific (and could have shut it down); the attacks also could have turned off the entire electrical power grid in the U.S. (Washington Times 17 Apr 98; Edupage, 19 Apr 98) |
|
An Israeli teen-ager accused of infiltrating the Pentagon computer system and others in Israel was questioned Wednesday and placed under house arrest, Israeli police said. The U.S. investigation has so far led to the arrest of three West Coast suspects and three Israeli teens. Investigators are still looking for another hacker, thought to be a Massachusetts teen who goes under the code name "FAC." Known as "The Analyzer," the young Israeli is suspected of being the mentor of two U.S. teen-agers who have been questioned by the FBI in connection with unauthorized entries into the Pentagon's computer system and into university research computers. In Washington, the Justice Department identified the arrested hacker as Ehud Tenebaum. "This arrest should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes," said Attorney General Janet Reno. Deputy Defense Secretary John Hamre said earlier this year that although the intrusions appeared to have been aimed at systems that contained unclassified personnel and payroll records, it was "the most organized and systematic attack the Pentagon has seen to date." (AP, 18 Mar 98, UPI, 20 Mar 98) |
|
The FBI is hunting an Israeli master hacker who orchestrated the penetration of military and university research computers. Deputy Defense Secretary John Hamre said last month that it was "the most organized and systematic attack the Pentagon has seen to date." The computer whiz, who uses the Internet name "Analyzer," boldly gave an interview with an online magazine. Analyzer supporters have threatened retaliation if the FBI cracks down on the hackers responsible for the electronic break-ins. Those threats should be taken seriously, warns computer expert Dane Jasper. Most government and university computers are woefully unprotected, he says. "If these systems are so important to the federal government, why isn't someone paying attention to patch the security?" (AP, 07 Mar 98) |
|
The FBI is investigating a "fairly heavy" series of attempted break-ins on unclassified military computer networks over the past couple of weeks. The hackers entered the networks and placed "trap doors" in them, enabling information to be retrieved later. "It was widespread, and it was modestly sophisticated," says the Pentagon's No. 2 official. The vandals responsible for hacking their way into 11 military computer systems and a number of university and federal research facilities (including Oak Ridge National Laboratory, Brookhaven National Laboratories, UC-Berkeley and the MIT fusion labs) have been identified as two Northern California teenage boys and some friends. On the advice of FBI agents, the Internet service provider used by the boys continued to allow their break-ins while their activities were surreptitiously monitored: "We decided to take a little risk. We let them play for a little while. We gave them enough rope and let them hang themselves." (Wall Street Journal, 26 Feb 98; Washington Post 28 Feb 98; Edupage, 26 Feb and 1 Mar 98) |
|
A computer specialist with the Pentagon's general accounting office told the senate subcommittee that there were an estimated 250,000 hacker attacks on Defense Department computers over the last year, a rate expected to double annually. (Computing Canada, 5 August 97) |
|
During the Gulf War, computer vandals working from Eindhoven in the Netherlands cracked into U.S. government computers at 34 military sites to steal information about troop movements, missile capabilities, and other secret information; they then offered it to the Iraqis, but the Iraqis rejected it because they considered the information a hoax. Dr. Eugene Schultz, former head of computer security at the U.S. Department of Energy, has told the British Broadcasting Company: "We realized that these files should not have been stored on Internet-capable machines. They related to our military systems, they related to Operation Desert Shield at the time, and later Operation Desert Storm. This was a huge mistake." (London Telegraph, 23 Mar 97) |
|
The U.S. military is taking the threat of information warfare seriously, with a report from the Defense Science Board predicting that by the year 2005, attacks on U.S. information systems by terrorists and foreign espionage agents will be widespread. Even scarier is the threat from home-grown crackers, who are responsible for most of the assaults on U.S. information and communications systems. An innovative software program developed at the Defense Information Systems Agency's Information Warfare Division can tag suspected interlopers with an unerasable identification number, and then follow them back to their home or office. Once there, the number can be used to target the intruder with an offensive volley (a virus, for instance) that scrambles the attacker's system. "You have to view security as buying you time," says the chief of the Information Warfare Division. "It's not protection, it's delay." (Popular Science Jul 97) |
|
Conducting a security audit of 15,000 Pentagon systems in which vulnerabilities had previously been pointed out to systems managers for correction, the Information Warfare Division of the Defense Information Agency found that it was able to gain access to almost nine out of 10 of the systems simply by using publicly available techniques. A top agency administrator says that security managers need to focus less on preventing outside penetration and more on detecting intrusions and reacting with immediate shutdowns. "You have to view security as buying you time. It's not protection. It's delay." (Computerworld, 3 Mar 97) |
Industry and Banking |
|
Clothing retailer Guess, Inc., has agreed to settle Federal Trade Commission charges that it exposed consumers' personal information, including credit card numbers, to computer hackers, contrary to the company's claims. Guess' online statements reassured consumers that their personal information would be secure and protected. (internetnews.com and GigaLaw.com Daily News, 19 Jun 2003) |
|
Republic Bank, a large commercial bank in Florida, has announced that a hacker penetrated the security of its systems earlier this month and grabbed a file containing 3,600 online-banking customer names and addresses. According to bank officials, the hacker did not access account balances or transactions of its online banking customers. (Newsbytes 18 Apr 2002 and BNA's Internet Law News 19 Apr 2002) |
|
Playboy.com has alerted customers that an intruder broke into its Web site and obtained some customer information, including credit card numbers. Playboy.com has also told customers that it had reported the incident to law enforcement officials and hired a security expert to audit its computer systems and analyze the incident. (CNET News.com 20 Nov 2001 and BNA's Internet Law News 21 Nov 2001) |
|
More than 20 Australian banks were hit by hackers last year, with money disappearing from at least one bank's customer accounts. The security breach occurs on the end-user's computer, and has nothing to do with the bank's own security. Banks are aware of the problem: the trade-off between having a usable system or a totally secure one. In all previous hacking incidents the banks have refunded customers' money. The Commonwealth Bank's banking solution software, which keeps information about the client on a database, needs to be downloaded to activate the service. Hackers can decrypt code and obtain passwords by cracking into the downloaded software on the end-user's computer. The hacker can then log onto the Internet banking service and redirect money from their accounts. (securitynews-news@list.weburb.dk, 19 Jul 2001) |
|
A hacker reportedly managed to gain unauthorized access to Warner Bros. computer systems and then sent emails to many of the company's subscribers offering a pyramid-type investment scheme. The company sent out an apology e-mail Friday, admitting "someone gained unauthorized access to our computer system" and, as a result, "many subscribers" received e-mails offering a pyramid-type investment scheme. "Notwithstanding the appearance of the message, Warner Bros. Online was not in fact the author of this e-mail." Warner Bros. would not comment however on whether other information might have been taken. (MSNBC 10 Apr 2001 and BNA's Internet Law News 11 Apr 2001) |
|
A hacker claims to have stolen personal information on 46,000 customers from Web hosting company ADDR.com. Several victims have reported finding thousands of dollars in fraudulent charges on their credit cards in recent weeks. The company meanwhile has been slow to respond to the incident. ADDR.com has an "unsatisfactory" record according to the Better Business Bureau of San Jose, Calif., where it was once based. According to the Better Business Bureau Web site, "our records show a pattern of non-response to consumer complaints brought to its attention by the Bureau." (MSNBC 02 Apr 2001 and BNA's Internet Law News 04 Apr 2001) |
|
Twenty-one-year-old Chad Horton has pleaded guilty to a felony charge of computer access fraud. The aspiring actor had cracked into the computer system at Breakdown Services to steal lists of acting jobs. He has been sentenced to 180 days in county jail and three years supervised probation. He must also pay $92,111 in restitution to the company. (Newsbytes 09 Mar 2001 and BNA's Internet Law News 12 Mar 2001) |
|
The FBI has issued a warning regarding an Internet extortion scheme originating in the former Soviet Union. The scheme has reportedly resulted in 40 banks and businesses having their computers broken into with the theft of millions of credit card numbers and personal information. Once information from the computers is stolen, the businesses owning the machines are blackmailed into paying money to keep the attacks from happening again. (Dow Jones News Service and BNA's Internet Law News 09 Mar 2001) |
|
The FBI is looking for a hacker who put thousands of stolen credit-card numbers on the Internet after a $100,000 extortion demand was ignored. More than 55,000 numbers were stolen from creditcards.com, which processes credit transactions for online companies. About 25,000 of them were posted online when the extortion payment was not made. The site containing the numbers has since been taken down by the FBI. No arrests have been made. An executive with a creditcards.com merchant said "I put my trust in creditcards.com to have a secure system. Nobody told me these credit cards were stolen." The incident is the latest in a string of attacks against companies that deal with credit card information. Last year, a hacker stole about 300,000 credit card numbers from online music retailer CD Universe and posted about 25,000 of them on the Internet when a demand for $100,000 was not met. The hacker remains at large. Hackers stole thousands of credit card numbers from SalesGate.com earlier this year. RealNames, an Internet search service with as many as 20,000 card numbers on file, learned of a hacker infiltration in February. Western Union shut its Web site for five days in September after hackers stole the card numbers of more than 15,000 customers. (Associated Press and BNA's Internet Law News 14 Dec 2000) |
|
Two Kazakhstan nationals were arrested in London after hacking into the Bloomberg computer. The arrest was made in a sting when they met with the founder of Bloomberg to make extortion demands in return for information on how the hack was done. (USA Today 14 Aug 2000, BNA's Internet Law News 15 Aug 2000) |
|
What responsibility ISPs ought to bear for security hacking and computer viruses. (The Standard 14 Aug 2000, BNA's Internet Law News 15 Aug 2000) |
|
The discovery of stolen credit cards online in British Columbia last week has led one analyst to suggest that fewer than ten percent of such incidents get reported since companies fear disclosure will be too damaging. (The Globe and Mail 15 Aug 2000, BNA's Internet Law News 15 Aug 2000) |
|
A Web site owner is threatening legal action against Nike over Nike's site getting hacked. Apparently, the hacked site redirected to this person's servers, causing lost time and money. The owner argues Nike is partly responsible for the hack due to lax security it used when registering the Nike.com name. (Internet Law News, 29 Jun 2000) |
|
A Web site registered to RSA Security Inc [NASDAQ:RSAS] was defaced early Sunday, with the front page altered and messages left by the hackers. RSA Security, whose marketing phrase is "The Most Trusted Name in e-Security," is one of the world's leading commercial encryption, public key management and electronic authentication solutions companies. Internet users who loaded http://www.rsa.com early Sunday morning were met with the defaced page. Alongside RSA Security's logo were the words: "RSA Security inc. Hacked. Trust us with your data! Praise Allah! The most trusted name in e-Security has been owned. Big things are coming," and "Owned by Coolio" with "Things aren't always what they seem." The title of the corporate release - "RSA Laboratories Unveils Innovative countermeasure to recent 'Denial of Service' Hacker Attacks," was followed by an addition on the defaced page: "Keep your data safe with us! Our security is the best." (Newsbytes 13 Feb 2000, Internet Law News 14 Feb 2000) |
|
Real Names, an Internet search tool company, has been the victim of an intruder who obtained thousands of credit card numbers and passwords. (CNET News 11 Feb 2000, Internet Law News 14 Feb 2000) |
|
One day after Yahoo was grounded for several hours, leading Web sites, including eBay, Amazon, CNN, and Buy.com, were the subject of denial of service attacks that shut down each site for varying periods of time. (Internet Law News 9 Feb 2000) |
|
The Yahoo.com Web site was shut down for three hours on Tuesday because it was flooded by a torrent of data maliciously rerouted from other computers, in what is known as a "distributed denial of service attack." The attackers did not penetrate the Yahoo network and did not gain access to any internal data, but the enforced shutdown cost Yahoo an estimated half million dollars in lost advertising revenue. Noting that the Yahoo site has a high level of protection, security expert Elias Levy says, "The fact that Yahoo was taken down means nobody is really safe." (New York Times 8 Feb 2000, NewsScan Daily 8 Feb 2000) |
|
A grand jury in the United States has indicted a 22-year-old former Princeton University student, alleging he stole about 1800 credit card numbers from an electronic-commerce company in Palo Alto, California. Peter Iliev Pentchev broke into the company's computers and installed programs that also enabled him to steal user names and passwords, Assistant US Attorney Mavis K. Lee said. The incidents, which authorities say occurred in November and December 1998, underscore the growing concern about the vulnerability of websites to Internet crime, as consumers have become more confident about using their credit cards to shop online. Pentchev's actions allegedly brought down one of the company's websites for about a week and caused the company to lose about three weeks of data, Lee added. Pentchev was believed to have fled the country and remained at large, Lee said. There is an outstanding warrant for his arrest. (Bloomberg, Fairfax IT 1 Feb 2000) |
|
A British group of hackers has broken into the computer systems of at least 12 multinational companies and stolen confidential files. It has issued ransom demands of up to £10m and is also suspected of hiring out its services. Scotland Yard is now investigating the attacks, which computer experts have described as the most serious systematic breach ever of companies' security in Britain. Visa confirmed last week that it had received a ransom demand last month. "We were hacked into in mid-July last year," said a company spokesman. "They gained access to some corporate material". It is understood the hackers stole computer "source codes" and threatened to crash the entire system. If Visa's system crashed for just one day, the company could lose tens of millions of pounds. "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation. The internet company CD Universe last week confirmed it had called in the FBI after being blackmailed by a hacker who had copied more than 300,000 of its customer credit card files. (The Sunday Times 16 Jan 2000) |
|
On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures. At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers. "We used a developer, and obviously the developer didn't take that flaw into consideration," said a spokesperson for the sites. "The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn't do, we didn't hire a security company to come in and test our Web site." Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list. "Make a condition of the contract that it has to pass scrutiny of another individual who tests the site," Cooper recommended. The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. "So a lot of people end up with a working site but not a secure site." As for consumers, there isn't much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. 
While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank. (MSNBC 14 Jan 2000) |
|
A 16-year-old hacker, one of a group calling themselves Global Hell, infiltrated Pacific Bell's Internet service and lifted codes to the accounts of 200,000 subscribers. When Eldorado, Calif., detectives checked his bedroom last week, they found that he'd decrypted 63,000 of those accounts, causing PacBell to advise those subscribers to change their passwords. Authorities found the boy after he broke into the computers of an Eldorado Hills Internet service provider and began bragging about his exploits in a chat room. According to a sheriff's detective, the same teenager hacked into 26 other sites, including a master computing system at Harvard, before he was arrested Dec. 14. Authorities expect to charge him with unlawful computer access and grand theft next month. (Los Angeles Times 12 Jan 2000, NewsScan Daily 12 Jan 2000) |
|
In what may be the largest credit card heist on the Internet, an 18-year-old Russian cracker claims to have stolen thousands of credit card numbers from an online store and dispensed them to visitors of his Web site. Before it was taken offline early Sunday morning, the rogue site, a page of which has been captured here, had doled out more than 25,000 stolen card numbers. Also included with the numbers were expiration dates and cardholder names and addresses. With the click of a button, visitors could launch a script that purportedly obtained a valid credit card "directly from the biggest online shop database," according to a message at the site. The cracker, who goes by the nickname Maxus, claimed in an email to InternetNews.com to have breached the security of CDuniverse.com, an online music store operated by eUniverse, Inc. of Wallingford, Conn. Maxus said he had defeated a popular credit card processing application called ICVerify, from CyberCash (CYCH) and obtained a database containing more than 300,000 customer records from CDuniverse. One of the victims confirmed that he had shopped at the online music store over a year ago. According to Wilson, he was contacted by his credit card company's fraud division last week after someone had attempted to make an authorized charge to his card. Maxus said that he decided to set up the site, titled Maxus Credit Cards Datapipe, and to give away the stolen customer data after officials at CDuniverse failed to pay him $100,000 to keep quiet about the security hole. Maxus claims the company agreed to the payment last month, but subsequently balked at initiating a wire transfer to a secret bank account because it might be noticed by auditors. After a week passed with no further contact from the company, Maxus said he put up his site and announced its presence Dec. 25th on an Internet Relay Chat group devoted to stolen credit cards. 
Soon after launching his site, Maxus said it became so popular with credit card thieves that he had to implement a cap to limit visitors to one stolen card at a time. Apprehending Maxus will not be easy, said Richard M. Smith, an online security expert in Brookline, Mass., who helped federal agents track down the author of the Melissa virus, David L. Smith. Maxus appears to move about online using stolen accounts and relays his email through other sites to conceal the originating Internet protocol address, said Smith. "I think he's pretty free and clear and it's near zero that they will catch him," Smith said. (InternetNews.com 9 Jan 2000, New York Times 10 Jan 2000) |
|
Staples Inc. has filed a federal lawsuit against the unidentified hacker who illegally accessed its Web site and re-routed buyers to the online site of the company's major competitor, the Office Depot. Staples' spokeswoman Shannon Lapierre said the "John Doe" hacker damaged the company by stealing electronic commerce business. "Staples' own e-commerce site was intentionally and maliciously converted into a vehicle benefiting one of its competitors, causing further damage to Staples," the suit filed Monday in U.S. District Court in Boston said. It added that additional damage was caused because of the personnel and time required to correct the invasion. (UPI, 30 Nov 1999) |
|
Moore Publishing, an investigative information research firm based in Wilmington, Delaware, filed an amended complaint in U.S. District Court, alleging that Steptoe & Johnson conspired to repeatedly hack into certain internet domains as well as the computer systems hosting the targeted internet sites owned by the company. The lawsuit represents the first time a top U.S. law firm is accused of hacking into another company's computer systems. The case is also believed to represent one of the first documented cases of corporate versus corporate computer hacking in the U.S. The case seeks more than $10 million in damages. According to the suit, Steptoe & Johnson hacked into the domains and the system servers more than 750 times, while at the same time using a stolen password and e-mail identity of a Virginia businesswoman during the attacks, apparently to cloak the law firm's electronic attacks. Steptoe & Johnson is one of the largest 100 law firms in the U.S. Steptoe attorneys have been hand-selected by President Clinton to serve on Presidential committees dealing with internet, computer, and encryption security. (PRNewswire, 11 Nov 1999) |
|
A hacker group known as the United Loan Gunmen (ULG) cracked into the corporate Web site of The Associated Press (AP) last Sunday. The hackers -- who were recently credited with attacks on Nasdaq, the American Stock Exchange, C-Span and ABC -- replaced content on AP's site with a Halloween greeting along with a poem by Edgar Allan Poe. (Security Wire Digest, 8 Nov 1999) |
|
In the aftermath of multiple ransom demands from hackers who forged their way into the systems of several UK banks, GCHQ, the government's electronic surveillance center, will oversee general banking security. Investigations reveal that last year, the systems of three London banks were compromised within three months, with a total ransom demand in excess of Stg 1 million. On a global stage, at least 30 banks were found to have lost over Stg 5 million to ransom demands from hackers. German Noris Verbraucherbank was forced to pay a Stg 300,000 ransom last year to a hacker who claimed to have stolen bank access codes from the system. (Andover News 21 Sep 1999) |
|
A new General Accounting Office survey into online banking has found 44 per cent of financial institutions to have no apparent protection against perpetrators targeting their Web platforms. Given that Internet banking in the US has almost tripled within 12 months, the GAO is understandably anxious that technological advances do not cause the US banking system to be compromised. This finding is worrying in view of the 8.6 million US customers tracking their finances through the Web, with 3.3 million of these using transaction-enabled platforms to pay bills and move funds. (Wired 3 Aug 1999) |
|
A large public sector bank in India was electronically molested recently by hackers who allegedly transferred cash to the tune of Rs 60 lakh by invading the bank's network. "This is just the tip of the iceberg. Majority of companies and people are not aware that somewhere, someone is spying on them," says Vipin Nair, president, HCL Comnet. Despite the horror stories, the majority of companies have not installed rudimentary defences. A step-by-step guide on hacking through various Websites has already opened up avenues for software savvy Indians, making their profession exotic. With a dozen ways for cyberpranksters to steal passwords - Trojan horses, password crackers and file scavengers - the cyberpolice are having a tough time protecting security on the Net. (The Times of India 6 Apr 99) |
|
The last message posted to "the WWWAC," New York's Silicon Alley's most prolific and notorious mailing list, came last Tuesday morning at 1:47 a.m. Since then, the 3,500-plus members of the World Wide Web Artists' Consortium list have not received a single message on a list known for producing thousands of messages a month, and countless flame wars and controversies. According to WWWAC board member Larry Aronson, a hacker obtained root access to the servers at ECHO, the WWWAC's Internet service provider. The hacker deleted files, brought down a number of systems, and damaged some drives, according to Aronson. He added that ECHO is working on restoring from backups. ECHO had hoped to have things up and running by last Friday, but it is still working on the problem. (Silicon Alley Daily, 29 Mar 99) |
|
eBay (nasdaq: EBAY), the hot one-to-one auction site, was hacked on March 13 by a 22-year-old college student who goes by the handle MagicFX. The hacker has "root" access to eBay's computers, the same kind the legitimate administrators enjoy. This means he could change prices or place fake ads, divert traffic to other sites or even take down the entire network. This was starkly illustrated to the reporter, when the hacker took down eBay's home page for two minutes and replaced it with the message: "... do you know who has YOUR credit card information?" MagicFX modified the system's software so that instead of providing administrators with a secure way to work from a remote machine, it logged that information to a hidden file, so that not only could he intercept passwords and login names, but actually watch everyone's keystrokes. MagicFX says he hacked eBay, which has a market cap of more than $18 billion, because he wanted to see how a large e-commerce site worked from the inside. Once there, he discovered an added bonus: eBay uses a proprietary system to do its trading, he says, and the source code is highly prized in the hacker world. As a result, a number of hackers have approached him for a copy, but he has not complied, since he hasn't had a chance to sift through it yet. (Forbes, 19 Mar 99) |
|
An 18-year-old high school dropout has been charged with computer tampering after hacking into the internal computers of America Online and altering some programs. Jay Satiro was arrested and his computer confiscated Wednesday night after AOL officials contacted authorities. The teenager altered AOL data and programs that would cost about $50,000 to repair. (Associated Press via USA Today, 19 Mar 99) |
|
Police are inundated with complaints about computer hackers who infiltrate files while victims are logged on to the Internet. The so-called trojan horse hackers can access highly sensitive information from companies and individuals. Computer crime investigation squad head Det. Sen-Sgt David Caldwell told the Herald Sun police had received more than 100 complaints in recent months involving infiltration of Windows software. Many of the victims had received huge Internet usage bills after the hackers got their account details and created other log-on sites. "It's becoming an everyday occurrence and it gives the hackers total rein over the computer system," he said. A program is installed into the victim's logged-on computer, which can be remote-controlled. The trojan programs, such as Back Orifice and Netbus, have been delivered through chat rooms, e-mail file attachments and security holes in Web browsers. A group called Privacy Software Corporation said Netbus had been found inside electronic greeting cards, games and fraudulent software downloads. (Herald Sun, 06 Jan 99) |
|
On the morning of January 12, intruders attacked and defaced the popular software download site Tucows. The attack was by a group of Russian hackers who are trying to bring attention to the Russian Federal Security Service (successor to the KGB). The hackers replaced the Tucows home page with a link to their Web site. According to the linked Web site, Russia is developing a system that lets investigators tap into computer networks and sensitive telecom company records. The hackers feel this bypasses their constitutional rights. (WNTMag Security UPDATE, 13 Jan 99) |
|
A hacker broke into a Taiwan bank's computer system and successfully transferred NT$50 million (approx US$1.5M) to a foreign savings account, according to the United Evening News, but the bank in question did not report the theft, fearing its credit rating would suffer or depositors would panic. The discovery was made a day after the transfer. (China News 01 Dec 98) |
|
Slut Puppy and his partner-in-crime Master Pimp hacked the New York Times on September 13 because they were bored. Brotherhood members replaced the NYT welcome screen with one tinged with nudity and obscenity. When New York Times people discovered the hacked page and were unable to restore their own news content, they were forced to shut down the site for nine hours. When Times technicians tried to replace the hacked page with standard news content, they discovered that the hackers were still able to slip the hacked page back. This went back and forth until the Times took its site off-line. On August 7, [the same hackers had penetrated an ISP Rt66 Internet, and] made off with the whole customer credit-card file - 1749 numbers. The ISP shut down for 60 hours and was forced to rebuild its security from scratch. Even though it is now one of the most secure ISPs in New Mexico it has lost 15% of its 5000 or so members since the August hack. (Business Review Weekly 11 Nov 98; reprinted from Forbes) |
|
A hacker broke into a hosting service in the United States, holding Web sites belonging to customers of New Zealand Internet service provider (ISP) I-Hug, and deleted almost 5,000 Web sites. The attack was made via a security hole in a CGI script on one user's site. An ISP could be liable for substantial losses if the site owners believe the company was negligent in the security precautions it took to protect customer files. (Newsbytes, 20 Nov 98) |
|
Results from a survey by The Knowledge Group (TKG), published today, suggest that Internet security breaches in the UK are mainly due to apathy by boards of directors. According to company officials, this lack of board-level buy-in to information technology (IT) security is a major contributor to Internet based security breaches. The research found that a third of UK IT and network managers believe that failure of directors to prioritize Internet security issues and to develop a cohesive security strategy is a key threat to the network. (Newsbytes, 30 Oct 98) |
|
Warning that banks face serious threats from computer hackers and employee theft, regulators and anti-fraud experts are urging the industry to bolster its guard against criminals. "No system is immune," said H.S. "Tuck" Ackerman, senior program administrator for examiner education at the Federal Financial Institutions Examination Council, which sponsored a risk-management conference here last week. Herman W. Kelley, a Boston security consultant, said hackers are increasingly focusing on financial institutions' Web sites. He said that only government and military computers are more popular targets. (American Banker, 22 Oct 98) |
|
Hundreds and perhaps thousands of credit card numbers, home addresses, and phone numbers were exposed for months through a gaping security hole on many small Internet auction sites, raising serious questions about the effectiveness of online safeguards. Security experts said the problem was especially alarming because, unlike more technically complicated software problems, this one left records exposed to virtually anyone who happened to click on the right Web page listings. (CNET News.com 24 Sep 98). |
|
A 28-year-old computer expert is under investigation for computer fraud, having allegedly diverted 2,585 U S West computers to assist him in his effort to solve a 350-year-old math problem -- the search for a new prime number. The man, who has not been charged, is a contract computer consultant working for a vendor for U S West. "I've worked on this (math) problem for a long time," he told investigators. "When I started working at U S West, all that computational power was just too tempting for me." Investigators estimate that during a very short period he used 10.63 years worth of computer processing time -- while the computers should have been hard at work retrieving telephone numbers for U S West customers. (AP 16 Sep 98, Edupage, 17 Sep 98) |
|
The New York Times web site, host to 150,000 Sunday visitors, was disconnected yesterday when hackers took control of the site and displayed insults and offensive pictures. When the original site was restored, the hackers were apparently able to re-establish the hacked front page at the web site, an indication that the hacking group did indeed have "root" control over the New York Times site www.nytimes.com. The New York Times site apparently had a thorough security review two years ago. Recent ICSA research shows that over 70% of large and medium size internet-connected organizations have serious security flaws despite having capable versions of the right tools, like firewalls, in place. The top five problems for web sites include: 1) lack of a continuous program to maintain the site securely, 2) use of inappropriate CGI scripts, 3) poor maintenance of operating systems running web services, 4) the running of inappropriate and unused services on web servers and related machines, 5) lack of knowledge by network managers about new vulnerabilities and threats. (ICSA Press Release, 14 Sep 98) |
|
A computer hacker in Thunder Bay who virtually shut down a local Internet provider's system was sentenced yesterday to six months in jail. Justin Davis, 19, was convicted of fraud for using a computer decrypting program and two counts of fraudulently using a computer password. Judge F.A. Sargent said NorLink Communications and Consulting was forced to spend thousands of dollars purchasing new equipment after the incident. Judge Sargent placed Mr. Davis on probation for two years and ordered him to make $10,000 restitution to NorLink. Defence lawyer Christopher Watkins said his client believed he was being challenged to break a code to gain entry into the NorLink system. (The Globe and Mail; September 1998) |
|
Security at the Warner Bros' Web site was breached when a cracker, seemingly going by the name of "vORt", changed the main web page to display a message containing a greeting to a number of other hackers including a group from Russia. 7am News took a screen capture of the site before it was restored. Cracked Site is at http://7am.com/wires/news/tech/pics/crack.gif (7am News FreeWire, 25 Jul 98) |
|
A 30-year-old man was charged with criminal damage in Melbourne, Australia on Friday in connection with what could be well over one thousand attacks on Windows servers connected to the Internet. Over the last three weeks, a hacker with the nickname "Number Cruncher" had been gaining access to Net-connected workstations running the Windows desktop operating system, and deleting enough vital system files to make the servers unbootable. The hacked servers had the contents of their root directories deleted, many executable programs and DLL files removed from their "C:\windows" directory, and many directories and files were added--including a picture of the Unabomber. Police estimated the cost of rebuilding drives at up to AUS$15,000 (US$9,300) each, with at least 30 businesses known to have been affected. (InternetNews.com - Real-Time Internet News, 20 Jul 98) |
|
Probably with nothing better to do on a summer evening, a 14-year-old hacker who calls himself "Digphreak" socially engineered his way into the account of a local Fox Television affiliate's Web site in Chicago last night and posted a message in support of infamous mass-hacker Kevin Mitnick. Fox affiliate WFLD's Web site was down for about 15 hours. "We haven't been hacked before," said Gavin Maliska, WFLD's managing editor. "I think all it makes us do is to talk to our service provider to talk about security and how to improve it." (CNET NEWS.COM, 8 Jul 98) |
|
Lloyds of London is forming an alliance with two other insurance firms to provide companies insurance against computer viruses and computer sabotage, offering policies up to $50 million on compute |