Malicious computer code?

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

U.S. Cyber Cop Cites Y2K Software Tampering

Updated 6:51 PM ET September 30, 1999

By Jim Wolf

WASHINGTON (Reuters) - Malicious changes to computer code under the guise of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cyber cop said Thursday.

"We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters.

Vatis heads the interagency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyber attacks on networks that drive U.S. finance, transport, telecommunications and other vital sectors.

A Central Intelligence Agency officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software.

"India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.

Significant amounts of Y2K repair are also being done for U.S. companies by contractors in Ireland, Pakistan and the Philippines, according to Maynard.

But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, although the possibility cannot be ruled out, he wrote.

Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the Y2K glitch, which could scramble computers starting Jan. 1 when 1999 gives way to 2000.

The CIA declined comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."

Vatis, interviewed in his 11th floor office at FBI headquarters, said that so far "not a great deal" of Y2K-related tampering had turned up. "But that's largely because, number one, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said.

In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners.

"A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," Vatis said.

He said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road.

This could expose a company to future "denial of service attacks," open it to economic espionage or leave it vulnerable to malicious altering of data, Vatis said.

The Special Senate Y2K committee, in its final report last week, described the issue as "unsettling."

"The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Robert Bennett, Republican of Utah, and Chris Dodd, Democrat of Connecticut.

The panel said the long-term consequences could include:

-- increased foreign intelligence collection

-- increased espionage activity

-- reduced information security

-- loss of economic advantage

-- increase in infrastructure vulnerability

Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access.

By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another threat was insertion of a program that would compromise passwords or other system security, he said.

I

-- franko (franko@home.com), September 30, 1999

Answers

Link please franko.

If verified, this story requires attention by media and preparation groups to heighten awareness of vulnerability of us all. This should be the *straw*.

I'm ready to put a few miles between us and that 7-11!

What companies have reported such incidents? Is any company safe, even if they have not had foreign contractors working on remediation?

-- Michael (mikeymac@uswest.net), September 30, 1999.


This is the link the information came from... scary, huh?

http://news.excite.com/news/r/990930/18/tech-yk-code

-- franko (franko@home.com), September 30, 1999.


Thanks franko, (I think) I just printed it off for educational/research purposes for my friends that keep hoping for the silver bullet. This *should* be the last time I ask them to prepare, but it probably won't be. (SIGH)

-- Michael (mikeymac@uswest.net), September 30, 1999.

"Yes Senator, we had all our systems completely renovated prior to the changeover, but one of our software engineers placed some code that crashed our systems intentionally."

"Yes Senator, we were all done, but we had some hackers break in right on January 3rd, and brought the system down."

"Yes Mr. Chairman, we'd finished renovating everything, but one of our contractors put in a time-bomb which brought the system down."

"Yes Your Honor, Pacific Power & Light was completely finished, unfortunately, a programmer placed a back-door to our systems, allowing someone to break into our system, rendering it unable to supply power to Los Angeles on January 1."

Yep, laying the groundwork for both failures, and for blame shifting. By the time the people have heard 10,000 times that the US is just fine, and everybody else is not, then we can certainly blame everything on programmers and their kindred - hackers.

That group, of course, is the cause of this problem in the first place, so it's only true justice after all.

Jolly

-- Jollyprez (jolly@prez.com), September 30, 1999.


Yeah, but it's cheaper to contract it out to India. Gotta watch that bottom line! :-)

-- A (A@AisA.com), October 01, 1999.

