CANADA - Military Warns of Y2K Bug Sabotage

[Fair use for education and research purposes only] Sunday March 26, 2000

Title: Military warns of Y2K bug sabotage

Some 'consultants' hired without security check likely still have access to computer networks, classified report says

David Pugliese The Ottawa Citizen

Unscrupulous Y2K consultants may have installed "back doors" into the computer systems they worked on so they could later steal information from companies and government, warns a Canadian military intelligence report.

The report outlines one of the little-known threats from the millennium bug: that thousands of consultants brought in to do fixes on computer systems were hired without background security checks.

"Many Y2K consultants have been afforded the opportunity to install back doors in networks and thereby, facilitate unauthorized access for some time in the future," points out the report done for the Canadian Forces in November. "Individuals with malicious intents have had ample opportunity to insert themselves into infrastructure organizations.

"This has created opportunity for individuals to steal proprietary information, gain root access to networks, install back doors and implant malicious codes."

Further details on the issue have been censored from the report for national security reasons. The study was obtained by the Citizen through the Access to Information Act.

The Year 2000 problem, also known as the millennium bug, centred on a software glitch that caused the internal counters of many computers to read dates in only two digits. The concern at the time was that computers would read 2000 as 1900 and stop operating.

Analysts were predicting the problem would create worldwide havoc as computer systems crashed, but that never materialized. Some believe that the threat was hyped beyond proportion, while others say the massive effort by programmers and consultants to fix the problem saved the day.

But in that rush to fix computers in time for Jan. 1, 2000 the usual security precautions weren't followed by many companies.

"They were hiring people left, right and centre, and certainly a lot of precautions that might have been taken in other instances were not in this case," said Sam Porteous, director of intelligence for the corporate security company Kroll Associates Canada.

"It was certainly a great opportunity if you were a terrorist group or a criminal group or a government that wanted to be mischievous."

Mr. Porteous said that in the large numbers of computer consultants hired, many without proper checks, there are bound to be some representatives from criminal or terrorist groups or foreign governments intent on spying.

Other intelligence reports have warned that everyone from the Colombian drug cartel to China's spy agencies to average fraud artists have active programs to use computer systems for non-legal purposes.

Fixing the Year 2000 bug was extremely labour-intensive, as individual computer programs had to be methodically checked. It is estimated that companies and governments worldwide spent at least $500 billion in fixing the problem. Some estimates run as high as $1 trillion.

In October, the RCMP sounded a warning to businesses to be careful about who they were hiring to do Y2K consulting. RCMP Supt. Len Babin, speaking at a meeting of business executives sponsored by the Ottawa Centre for Research and Innovation, pointed out that in some cases companies have unwittingly exposed themselves to high security risks.

Supt. Babin gave one example of a "major hydro company" that hired a team of 50 contractors to fix its computer systems. It allowed the consultants virtually unlimited access to its networks without conducting background checks. The Mounties have declined to give the name of the hydro company that may have been compromised.

Thomas Welch, intelligence director for JAWS Technologies Inc., an international corporate security firm, said many of the programmers hired in the rush to deal with the Y2K problem came from countries such as India and China, where background and security checks are non-existent.

"No one knows what they did to those systems," said Mr. Welch, who teaches military and police how to deal with computer crime and hack attacks. "Is there the potential for harm there? Absolutely. You have the fox in the hen house."

Mr. Welch said it is simple to put a back door into a computer system, allowing access at a later date. "If that system is connected to a network then no one knows what's going to happen," he added. "They could be siphoning funds out, it could be anything."

He said such intrusions may not take place until years from now, and that they would be difficult to detect. Mr. Welch said he expects to see a rise in the number of forensic accounting audits over the years as companies realize their systems have been compromised.

The Canadian military, however, is not concerned about the problem. The consultants hired to work on its computers were put through strict security checks, said Col. Randy Alward, commander of the Canadian Forces Information Operations Group.

John Thompson, a terrorism specialist with the Mackenzie Institute, said it is unlikely terrorists would have infiltrated companies or government agencies. He said he believes the problem to be one more directed at private companies or government and to involve criminals who would want to steal funds or sensitive corporate information.

There is also the possibility unscrupulous computer consultants may have introduced problems into systems that would materialize at a later date. "It would be a convenient way for them to drum up business later on," said Mr. Thompson.

The warnings about the rogue Y2K consultants originally came from a computer hacker who goes by the name of Mudge. He was able to determine such a threat exists first-hand after being hired by an electric company in Boston to do an audit on their systems.

Mudge, the Canadian military intelligence report points out, believes the large number of computer consultants who were hired without background checks poses an even greater threat to systems than do hackers.

The other problem with the installation of back doors is that they can be extremely difficult to detect.

Mr. Porteous said that in the late 1980s there were allegations that communications software provided to the World Bank and some international financial institutions had been modified and equipped with a back door so the U.S. intelligence group, the National Security Agency, could monitor the bank's sensitive discussions. In particular, the NSA was interested in the bank's negotiations with Latin American countries who were having financial problems and on the verge of defaulting on their loans. Such an event would have enormous consequences for the U.S. economy.

The altered software gave NSA direct access to the bank's computers that were running the program. Although it could never be proved conclusively, a 1992 investigation by the U.S. House of Representatives Judiciary Committee did determine that there was substantive evidence that the software was secretly modified with U.S. government approval.

In 1994, World Bank officials began to go through their computer systems to determine which ones were running the altered software so they could remove the bugged program.

Copyright 2000 Ottawa Citizen

http://www.ottawacitizen.com/national/000326/3821947.html

==============================

-- (Dee360Degree@aol.com), March 26, 2000

Answers

Excellent find, Dee. The Ottawa Citizen bears continued watch because it has consistently gone to the Freedom of Information Act to learn more about y2k.

-- Rachel Gibson (rgibson@hotmail.com), March 26, 2000.
