Some Y2K 'consultants' hired without security check could still have access to computer networks

http://www.canoe.com/TechNews0003/27_y2k.html

Monday, March 27, 2000

Military warns of sabotage

Some Y2K 'consultants' hired without security check could still have access to computer networks

By DAVID PUGLIESE -- The Canadian Press

OTTAWA (CP) -- Unscrupulous Y2K consultants may have installed "back doors" into the computer systems they worked on so they could later steal information from companies and government, warns a Canadian military intelligence report.

The report outlines a little-known threat from the millennium bug. It says thousands of Y2K consultants brought in to do fixes on computer systems were hired without security checks.

"Individuals with malicious intents have had ample opportunity to insert themselves into infrastructure organizations," says a report done for the Canadian Forces in November and obtained by the Ottawa Citizen through the Access to Information Act.

"This has created opportunity for individuals to steal proprietary information, gain root access to networks, install back doors and implant malicious codes."

The Year 2000 problem, also known as the millennium bug, centred on a software glitch that caused the internal counters of many computers to read dates in only two digits. The concern was that computers would read 2000 as 1900 and stop operating.

Some analysts had predicted the problem would create worldwide havoc as computer systems crashed, but that never materialized. Some believe that the threat was hyped beyond proportion, while others say the massive effort by programmers and consultants to fix the problem saved the day.

But in that rush to fix computers in time for Jan. 1, 2000, many companies didn't follow the usual security precautions.

"They were hiring people left, right and centre, and certainly a lot of precautions that might have been taken in other instances were not in this case," said Sam Porteous, director of intelligence for the corporate security company Kroll Associates Canada.

"It was certainly a great opportunity if you were a terrorist group or a criminal group or a government that wanted to be mischievous."

Other intelligence reports warned that everyone from the Colombian drug cartel and China's spy agencies to average fraud artists have active programs to use computer systems for non-legal purposes.

Fixing the Year 2000 bug was extremely labour-intensive, as individual computer programs had to be methodically checked. It is estimated that companies and governments worldwide spent at least $500 billion to fix the problem. Some estimates run as high as $1 trillion.

In October, the RCMP sounded a warning to businesses to be careful about who they hired to do Y2K consulting.

RCMP Supt. Len Babin told a meeting of business executives sponsored by the Ottawa Centre for Research and Innovation that in some cases companies unwittingly exposed themselves to high security risks.

Babin gave one example of a "major hydro company" that hired a team of 50 contractors to fix its computer systems. It allowed the consultants virtually unlimited access to its networks without conducting background checks. The Mounties have declined to give the name of the hydro company that may have been compromised.

Thomas Welch, intelligence director for JAWS Technologies Inc., an international corporate security firm, said many of the programmers hired in the rush to deal with the Y2K problem came from countries where background and security checks are non-existent.

"No one knows what they did to those systems," said Welch, who teaches the military and police how to deal with computer crime and hack attacks. "Is there the potential for harm there? Absolutely. You have the fox in the hen house."

Welch said it is simple to put a back door into a computer system, allowing access at a later date. "If that system is connected to a network then no one knows what's going to happen," he added. "They could be siphoning funds out, it could be anything."

The Canadian military, however, is not concerned about the problem.

The consultants hired to work on its computers were put through strict security checks, said Col. Randy Alward, commander of the Canadian Forces Information Operations Group.

(Ottawa Citizen)

-- (in@the.news), March 28, 2000

