Information Security News mailing list archives

Former hacker testifies to Congress about computer security


From: InfoSec News <isn () c4i org>
Date: Fri, 4 Apr 2003 00:52:48 -0600 (CST)

http://www.nandotimes.com/technology/story/839724p-5904624c.html

By DAVID HO, Associated Press
 
WASHINGTON (April 3, 2003 7:11 p.m. EST) - A convicted computer hacker
told lawmakers Thursday that many attacks on companies that hold
consumer financial information go undetected because of poor security.

Kevin Mitnick, whose federal probation on hacking charges ended in
January, said businesses need to better protect their computers from
newly discovered security flaws and train employees to spot the tricks
of identity thieves.

"The bad guys are going to look for the weakest link in the security
chain," said Mitnick, who served five years in federal prison for
stealing software and altering data at Motorola, Novell, Nokia, Sun
Microsystems and the University of Southern California. He now runs a
business to help companies guard against computer attacks.

Prompted by three recent cases of information theft involving the
accounts of millions of people, two subcommittees of the House
Financial Services Committee heard from law enforcement and corporate
officials on the growing vulnerability of consumers' most sensitive
financial information.

"Consumers will quickly lose confidence in our nationwide credit
system if we don't do everything practical to improve security and
protect sensitive data," said Rep. Michael Oxley, R-Ohio, chairman of
the full committee. He said computer information thefts cost U.S.
businesses $400 million each year.

The weak links were different in the three recent incidents.

Authorities say an identity theft scheme involving Teledata
Communications in New York came from the inside when an employee sold
passwords for downloading consumer credit reports. Prosecutors said in
November that more than 30,000 people were victimized with losses of
more than $2.7 million.

In December, thieves physically broke into an office of TriWest
Healthcare Alliance in Phoenix and stole computer hard drives
containing Social Security numbers and addresses of about 562,000
military personnel and their families. The company, which posted a
$100,000 reward for information, said no identity thefts have been
reported.

Last month, a hacker broke into the computers of Data Processors
International, a company based in Omaha, Neb., that handles
transactions for catalog companies and other direct marketers. The
Secret Service said the hacker accessed more than 10 million credit
card numbers.

"The cyber threat is rapidly expanding," said James Farnan, deputy
assistant director of the FBI's cyber division. "Using a simple
Internet search, a 12-year-old could locate a variety of hacker tools,
then download and implement them."

Farnan said the FBI has devoted more resources and training to counter
the growing problem of cyber crime, which includes information theft
and terrorist threats against sensitive computer networks.

"Many intrusions are never reported because companies fear a loss of
business from reduced consumer confidence in their security measures
or from fear of lawsuits," Farnan said.

Beginning next month, the Federal Trade Commission will require many
financial institutions to better protect consumer information.  
Companies must have written security plans and train employees to
protect sensitive data.

The FTC will watch companies to make sure they follow the rules, said
Howard Beales, chief of the agency's consumer protection bureau.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

