Suspect this kind of story will keep "surfacing" as the countdown continues.
Diane
FBI Says Y2K Software Has Been Tampered With
(10/01/99, 7:09 a.m. ET)
By Reuters
http://www.techweb.com/wire/story/reuters/REU19991001S0001
[Fair Use: For Educational/Research Purposes Only]
Malicious changes to computer code under the guise of year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cybercop said Thursday.
"We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, the FBI's Michael Vatis told Reuters.
Vatis heads the inter-agency National Infrastructure Protection Center (NPIC), responsible for detecting and deterring cyberattacks on networks that drive U.S. finance, transport, telecommunications, and other vital sectors.
A CIA officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software.
"India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity, and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.
Significant amounts of Y2K repair is also being done for U.S. companies by contractors in Ireland, Pakistan, and the Philippines, according to Maynard.
But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, though the possibility cannot be ruled out, he wrote.
Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the Y2K glitch, which could scramble computers starting Jan. 1 when 1999 gives way to 2000.
The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."
Vatis said so far, "not a great deal" of Y2K-related tampering had turned up. "But that's largely because, number one, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said.
In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners. "A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," he said.
Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road.
This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, Vatis said.
The Special Senate Y2K committee, in its final report last week, described the issue as "unsettling."
"The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Robert Bennett, Republican of Utah, and Chris Dodd, Democrat of Connecticut.
The panel said the long-term consequences could include: increased foreign intelligence collection, increased espionage activity, reduced information security, loss of economic advantage, and increased infrastructure vulnerability.
Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access.
By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another threat was insertion of a program that would compromise passwords or other system security, he said.
Copyright 1999 Reuters Limited.
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999
Answers
Been trying to come up with a lead for �Infrastructure Protection
Digest� but so far, no luck.
However did stumble across this interesting little links list to the
intelligence community �news� and publications...
http://www.fas.org/
irp/news/sources.htm
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.
Somebody has to be the scapegoat!
-- Porky (Porky@in.cellblockD), October 03, 1999.
Yeah Porky... but Isreal? I find that "odd."
Background reading...
A blast from the past... CIA testimony...
TESTIMONY BY
DIRECTOR OF CENTRAL INTELLIGENCE
GEORGE J. TENET
BEFORE THE SENATE COMMITTEE ON GOVERNMENT AFFAIRS
24 June 1998
http://www.cia.gov/cia/public_affairs/
speeches/dci_testimony_062498.html
[snip]
The Challenge to Act
Mr. Chairman, the concerns we raise today--although not yet on the
front burner in the minds of many Americans--are, in fact, urgent. We
have to focus on this threat now.
In fact, the approach of the year 2000 makes our work all the more
critical. It is generally understood that the "Year 2000 Problem"
poses inherent risks to our systems, but it is less understood that
the Year 2000 also affords special opportunities for our adversaries.
For example, our dependence on foreign software development is a cause
for concern. It is possible foreign actors with hostile intent may try
to exploit the Year 2000 Problem for their own ends. As we come upon
that date, we have to do more than just ensure that our systems
function on January 1, 2000, but that they function and that they are
secure.
These are enormous challenges. As we all recognize, Information
Warfare defies conventional and even many unconventional intelligence
methods. Intelligence disciplines traditionally have focused on
physical indicators of activity and on mechanized, industrially -
based systems. With the advent of Information Operations, we are faced
with the need to function in the medium of 'cyberspace' where we will
conduct our business in new and challenging ways.
At the end of the day, the Intelligence Community must be positioned
to provide warning of cyber - threats. This warning must go to
national leaders and the military of course. But we also must develop
ways and means to warn the private sector and the leaders of our
economy.
However, our efforts must extend beyond warning. As a nation, we will
need to detect attack, withstand assault if launched successfully
against us, and then aggressively prosecute action against the
attackers. The Intelligence Community cannot do all this alone, nor
can the Department of Defense, nor can the Department of Justice or
private industry. In this new world of cyber - threats, we will need
to work together in partnerships unlike any in our history.
[snip]
###
I wonder if we're considered to be... "at war..." of the cyber
kind... now?
Just curious.
Diane
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.
I think there will also be some instances of domestic sabotage from
disgruntled employees as well. There are those who aren't psychotic
enough to go postal but seek revenge nonetheless. It could be as
simple as "overlooking" a Y2K glitch.
Remember that the definition of a passive-aggressive is someone who
sees your car lights left on in the parking lot and doesn't tell you.
It's not just Y2K.
-- Old Git (anon@spamproblems.com), October 03, 1999.
This is disinformation. Period. "Don't blame us."
-- Zev Barak (zev@msn.com), October 03, 1999.
Your cyber war comment reaches below the tip of the Y2K iceberg.
Somehow I think we will muddle through all the storm and hassle of
Y2K and the after effects (assuming its between a 4 and a 6), but the
longer term implications of cyber war are already manifesting
themselves. Why should we be terribly surprised to find a few back
door traps in remediated code. In our parent's and grand parent's
generations "gentlemen did not read one another's mail"--not.
The need to update virus software a couple of times per month, the
new CIA open presence in the valley. The hacking of US government
sites during the last Sarajevo dust up. All of these point to a kind
of warfare with a different kind of weapon.
Thanks for your usual quality of posts.
-- Nancy (wellsnl@hotmail.com), October 03, 1999.
The Emergency Response & Research Institute Year2000(Y2K) Resource
Page
(Lots of links)...
http://
www.emergency.com/y2kpage.htm
[snip]
30 Aug 99 - Y2K: From
http://www.emergency.com/ennday.htm
At least two government agencies are developing a process to determine
a Year 2000 glitch from a malicious hacker attack. The Defense
Department and the FBI's National Infrastructure Protection (NIPC) are
working separately to develop a "methodology," or triage system, that
will help decipher a Y2K or hardware failure from a network intrusion,
according to Anne Plummer, in the Defense Information and Electronics
Report.
NIPC Director Michael Vatis said his center was working on a
methodology with the Defense Department. "I expect that that
methodology," Vatis said, "will include looking at certain signatures
that we already see in intrusions now, what sort of activity there was
up to and during the advent of an outage, whether there were pings or
probes in the system . . . what types of protective firewalls or other
security software were in place, and what the nature of the outage is.
I think that's the general sense of what the methodology will contain,
but the specifics we're formulating right now."
[snip]
10 Aug 99: Y2K Remediation Warnings:
Both ERRI and government analysts continue to warn of potential
problems with remediation efforts undertaken to fix the Y2K bug.
Network and Information Technology (IT) professionals should be warned
that there is a potential for "booby-traps" to be installed by foreign
or little known programmers, who are being contracted to work on
correcting software date errors relevant to Y2K.
"Some Y2K programmers with malicious intent may be quietly installing
malicious software codes, such as a logic bomb or a time-delayed
virus, to sabotage companies or gain access to sensitive information
sometime in the new millennium," Rep. Constance Morella, R-Md.,
chairwoman of the Technology Subcommittee of the House Science
Committee, said at the hearing. "Most troubling is that several
security firms have already found trap doors in Y2K programming," http://
www.newsbytes.com/index-y2k.htmlaccording to the the Newsbytes
News service.
ERRI analysts suggest a complete security check must be performed
after the completion of Y2K remediation efforts to insure that
additional malicious code, or secret "back doors" weren't added to
software that was under repair.
[snip]
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.
In its own way, this is one of the strongest pieces of evidence as to the real severity of Y2K -- the fact that the government is coming up with such outrageous crap in order to have a scapegoat WTSHTF. This is nothing more than "icing on the cake" when viewed against the last three years worth of Presidential executive orders that have to do with "cyberterrorism". Just a codeword for Y2K, folks. And we are being set up beautifully.
When it all goes to hell in a handbasket, just remember: "Its Y2K, Stupid."
-- King of Spain (madrid@aol.cum), October 03, 1999.
Donno KOS.
Think I�m scaring myself again.
Was just starting to think... �Well MAYBE we really will be Y2K-Okay
in the U.S., or at least in Silicon Valley...� and then I start
digging again.
*Sigh*
This is NOT a fun little page to peruse!
ERRI Counter-Terrorism Archives
A Summary of World-Wide Terrorism Events, Groups, and Terrorist
Strategies and Tactics
http://
www.emergency.com/cntrterr.htm
Note a pdf file...
General Terrorism-Related Articles
09/21/99-10:00CDT--NEW WORLD COMING: AMERICAN SECURITY IN THE 21ST
CENTURY MAJOR THEMES AND IMPLICATIONS;The Phase I Report on the
Emerging Global Security Environment for the First Quarter of the 21st
Century (.pdf document - requires reader)
http://www.nssg.gov/
Reports/NWR_A.pdf
You add all this to ABC Nightline�s new BIOWAR series with Ted Koppel
this week, and well... it�s clearly time for a walk, for smelling
roses, and a sipping a steaming caffe latte! (But NOT near a large
gathering of people!)
See thread...
ABC Report on Bio-Terrorist Attack
http://www.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=
001VYX
;-(
Diane
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.
Old news Diane, various companies have been complaining about
backdoors in the foreign code for some time now. Lots of work came
back home because of that, and a bunch of stuff underwent IV&V here
because of such concerns.
-- Paul Davis (davisp1953@yahoo.com), October 03, 1999.
Personally, I think it's a setup...oh, gee, it's not OUR fault, we
didn't factor in malicious changes to code...
-- Mara Wayne (MaraWayne@aol.com), October 03, 1999.
Ma Fellow Americans: We were ready on time, all of the
systems were fixed. But then we learned that the programers
we hired did not really fix the code, in fact some of them
actually placed new bugs in the code. Therefore today I
am declaring Martial Law untill such time as I deam that
the problems facing America are fixed. I project that with
hard work and a little bit of luck we can have these problems
fixed in time for the 2008 election cycle.
Nightmares...Nightmares.. and more nightmares.....
Things will get worse before they get better.
-- Helium (Heliumavid@yahoo.com), October 03, 1999.
Old News, Paul?
10/01/99 -- Reuters! AND ABC Nightline's BIOWAR series?
Why the resurgence then?
Make the connection Paul... if your brain cells can wrap around the
concept... �Y2K does NOT happen in a vacuum!�
Diane
-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.
The real nightmare is that both will happen. Real Y2k problems and
cyber-war. While everyone is effectively playing the "blame game" and
running around trying to figure out who the one person to string up
should be, energy will be wasted and few things, if any, will get
fixed.The immediate concern should be fixing what's broken. THEN
you start worrying about who's fault it was. If we loose sight of
that, then we really are toast.
-- Bokonon (bok0non@my-Deja.com), October 03, 1999.
At the same time, I have read that programmer unemployment, and no
increase in contract programmer's fees in the U.S., is further
evidence that Y2K is not as bad as we thought it was. It does make me
wonder what the real price tag for our nation's y2k remediation would
have been if we had done it all domestically and not placed our
national security at risk.
-- RUOK (RUOK@yesiam.com), October 03, 1999.
This reminds me of what I understand was the way that the FBI put people on their 10 Most Wanted List, in the early days when the agency was just starting out: The suspects put on the list were ones that the FBI had pretty much cornered as to their whereabouts, and could close in on easily. Thus the FBI got great press when they made their captures after their speedy "manhunts".
I would not consider this obvious disinformation campaign to necessarily indicate that the Powers That Be believe that Y2K is going to be disasterous, but rather than they simply look upon it as an insurance policy. If there are big problems (as personally I believe there will be), then the position will be that it was due to foreign sabotage, not the reality that the code was broken and never fixed and adequately tested.
89 days.
-- Jack (jsprat@eld.~net), October 03, 1999.
We've played this game ourselves. When the Polish phone system
wanted to upgrade in the 1980's our government got the suppliers to
plant a little trap door in the equipment. If war had broken out
with the Warsaw pact the trap would have cut all phone communication.
Since communication with Warsaw pact troops in Germany ran through
Poland it would have placed a major crimp in their com plans.
Rumor has it that much of the military equipment supplied to foriegn
countries contain similar little tricks which could make them quite
useless in a war with the US.
-- kozak (kozak@formerusaf.guv), October 03, 1999.
I am with Diane. I was feeling like my preps were enough, but after
the last few days of fun posts about the economy, petroleum, Russia,
Herstatt syndrome, and the like I stopped and picked up a water
barrel and a recycled 5 gallon bucket with lid and handle from a
donut shop ($1.50 and can be used to store the ever popular rice and
beans).
Its probably not PC to point fingers at the Israelis or the mythical
200+ programmers in India just waiting to subcontract (you can
probably tell I have been there and done that with customized
applications). It could well be anyone who has a double agenda.
The Chinese curse about "May you live in interesting times" is alive
and well.
-- Nancy (wellsnl@hotmail.com), October 03, 1999.
Ruok: when you say "...if we had done it all (y2k remediation work)
domestically and not placed our national security at risk..."
and Jack: When you say "...due to foreign sabotage..."
you are both presuming that American workers would not sabotage the
y2k fixes. Yea right...like we are a nation of like thinking
patriots!
-- Frankie (fransmak@prodigy.net), October 03, 1999.
Also see thread from October 1, when the FBI made false accusations
about India:
FBI accuses India
-- @ (@@@.@), October 03, 1999.
I wonder how many of you IT types will,when asked next year what your
profession is,say "I'm a computer programmer"..... could be the
equivalent of saying,back in the Old West "I'm a horse rustler"...
-- matt (matt@somewhere.nz), October 03, 1999.
Moderation questions? read the FAQ