Firewall Wizards mailing list archives

RE: Y2K trojans, and outsourcing...


From: Alan Lustiger <Alan.Lustiger () ey com>
Date: Mon, 19 Jul 1999 13:53:53 -0400

The news story was on the front page of USA Today last week. The information comes from the Gartner Group. Judge for 
yourself.

-----------
Y2K fixes open door for electronic heists
By M.J. Zuckerman, USA TODAY 

WASHINGTON - The top Y2K research firm predicts that the largest single heist in history, an electronic theft exceeding 
$1 billion, will occur as a direct result of the Year 2000 computer glitch. 

The Gartner Group "would be surprised if there weren't at least one publicly reported electronic theft exceeding $1 
billion," says the soon-to-be-released study of more than 1,000 of the firm's clients worldwide. 

Independent scientists, security professionals and others involved in Y2K research have few quarrels with the Gartner 
Group's warning. 

"That's certainly a safe prediction," says computer security expert Donn Parker, author of Fighting Computer Crime. 
"Fixing Y2K has opened up vulnerable business computer programs to attacks by a larger number of people." 

The biggest concern, Gartner says, is that employees hired to upgrade systems might have left "trap doors" or other 
means through which they can clandestinely take control of systems, including those that electronically move $11 
trillion a year among financial institutions, corporations, governments and private organizations. 

"We have basically had to open up every system we have to people we may not know enough about," says Joe Pucciarelli, 
author of the study. It urges scrutiny of "disgruntled or opportunistic employees." 

"I have no way of determining that there is going to be a theft of that magnitude. But I think the sentiment is quite 
correct," says Fred Schneider, professor of computer science at Cornell University. He's one of several scientists and 
policy analysts concerned that Y2K upgrades, designed to repair systems that could misconstrue dates after Jan. 1, 
2000, are introducing new vulnerabilities. 

Several security firms say they have found "trap doors" in Y2K programming. Some were placed to provide reputable firms 
an entry for future repairs, but others have been intentionally hidden. 

"I'm aware of at least three such incidents," says Mike Higgins of the consulting firm Para-Protect Services. "One was 
in a major information technology company which used a Pakistani company to do (upgrades). The company left a hidden 
trap door and has since gone out of business." 

But Mark Graf of Sun Microsystems says he doesn't consider Y2K itself a serious security problem: "If you had such poor 
security that you didn't take prudent measures before, I don't see how Y2K really makes you any less secure." 

But Higgins, among others, notes that in many businesses, "normal due diligence is lagging due to the breadth of the 
(Y2K) work" that remains to be completed.
---------------
-Alan Lustiger
Ernst & Young eSecurity Solutions
alan.lustiger () ey com

