FBI Says Y2K Software Has Been Tampered With (Reuters)


Suspect this kind of story will keep "surfacing" as the countdown continues.


FBI Says Y2K Software Has Been Tampered With
(10/01/99, 7:09 a.m. ET)
By Reuters


[Fair Use: For Educational/Research Purposes Only]

Malicious changes to computer code under the guise of year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cybercop said Thursday.

"We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, the FBI's Michael Vatis told Reuters.

Vatis heads the inter-agency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyberattacks on networks that drive U.S. finance, transport, telecommunications, and other vital sectors.

A CIA officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software.

"India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity, and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.

Significant amounts of Y2K repair are also being done for U.S. companies by contractors in Ireland, Pakistan, and the Philippines, according to Maynard.

But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, though the possibility cannot be ruled out, he wrote.

Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the Y2K glitch, which could scramble computers starting Jan. 1 when 1999 gives way to 2000.

The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."

Vatis said so far, "not a great deal" of Y2K-related tampering had turned up. "But that's largely because, number one, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said.

In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners. "A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," he said.

Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road.

This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, Vatis said.

The Special Senate Y2K committee, in its final report last week, described the issue as "unsettling."

"The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Robert Bennett, Republican of Utah, and Chris Dodd, Democrat of Connecticut.

The panel said the long-term consequences could include: increased foreign intelligence collection, increased espionage activity, reduced information security, loss of economic advantage, and increased infrastructure vulnerability.

Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access.

By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another threat was insertion of a program that would compromise passwords or other system security, he said.

Copyright 1999 Reuters Limited.

-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999


Been trying to come up with a lead for Infrastructure Protection Digest but so far, no luck.

However did stumble across this interesting little links list to the intelligence community news and publications...

http://www.fas.org/irp/news/sources.htm

-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.

Somebody has to be the scapegoat!

-- Porky (Porky@in.cellblockD), October 03, 1999.

Yeah Porky... but Israel? I find that "odd."

Background reading...

A blast from the past... CIA testimony...

24 June 1998

http://www.cia.gov/cia/public_affairs/speeches/dci_testimony_062498.html


The Challenge to Act

Mr. Chairman, the concerns we raise today--although not yet on the front burner in the minds of many Americans--are, in fact, urgent. We have to focus on this threat now.

In fact, the approach of the year 2000 makes our work all the more critical. It is generally understood that the "Year 2000 Problem" poses inherent risks to our systems, but it is less understood that the Year 2000 also affords special opportunities for our adversaries. For example, our dependence on foreign software development is a cause for concern. It is possible foreign actors with hostile intent may try to exploit the Year 2000 Problem for their own ends. As we come upon that date, we have to do more than just ensure that our systems function on January 1, 2000, but that they function and that they are secure.

These are enormous challenges. As we all recognize, Information Warfare defies conventional and even many unconventional intelligence methods. Intelligence disciplines traditionally have focused on physical indicators of activity and on mechanized, industrially-based systems. With the advent of Information Operations, we are faced with the need to function in the medium of 'cyberspace' where we will conduct our business in new and challenging ways.

At the end of the day, the Intelligence Community must be positioned to provide warning of cyber-threats. This warning must go to national leaders and the military of course. But we also must develop ways and means to warn the private sector and the leaders of our economy.

However, our efforts must extend beyond warning. As a nation, we will need to detect attack, withstand assault if launched successfully against us, and then aggressively prosecute action against the attackers. The Intelligence Community cannot do all this alone, nor can the Department of Defense, nor can the Department of Justice or private industry. In this new world of cyber-threats, we will need to work together in partnerships unlike any in our history.



I wonder if we're considered to be... "at war..." of the cyber kind... now?

Just curious.


-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.

I think there will also be some instances of domestic sabotage from disgruntled employees as well. There are those who aren't psychotic enough to go postal but seek revenge nonetheless. It could be as simple as "overlooking" a Y2K glitch.

Remember that the definition of a passive-aggressive is someone who sees your car lights left on in the parking lot and doesn't tell you.

It's not just Y2K.

-- Old Git (anon@spamproblems.com), October 03, 1999.

This is disinformation. Period. "Don't blame us."

-- Zev Barak (zev@msn.com), October 03, 1999.

Your cyber war comment reaches below the tip of the Y2K iceberg. Somehow I think we will muddle through all the storm and hassle of Y2K and the after effects (assuming it's between a 4 and a 6), but the longer term implications of cyber war are already manifesting themselves. Why should we be terribly surprised to find a few back door traps in remediated code? In our parents' and grandparents' generations "gentlemen did not read one another's mail"--not.

The need to update virus software a couple of times per month, the new CIA open presence in the valley. The hacking of US government sites during the last Sarajevo dust up. All of these point to a kind of warfare with a different kind of weapon.

Thanks for your usual quality of posts.

-- Nancy (wellsnl@hotmail.com), October 03, 1999.

The Emergency Response & Research Institute Year2000(Y2K) Resource Page
(Lots of links)...

http://www.emergency.com/y2kpage.htm


30 Aug 99 - Y2K: From http://www.emergency.com/ennday.htm

At least two government agencies are developing a process to determine a Year 2000 glitch from a malicious hacker attack. The Defense Department and the FBI's National Infrastructure Protection (NIPC) are working separately to develop a "methodology," or triage system, that will help decipher a Y2K or hardware failure from a network intrusion, according to Anne Plummer, in the Defense Information and Electronics Report.

NIPC Director Michael Vatis said his center was working on a methodology with the Defense Department. "I expect that that methodology," Vatis said, "will include looking at certain signatures that we already see in intrusions now, what sort of activity there was up to and during the advent of an outage, whether there were pings or probes in the system . . . what types of protective firewalls or other security software were in place, and what the nature of the outage is. I think that's the general sense of what the methodology will contain, but the specifics we're formulating right now."


10 Aug 99: Y2K Remediation Warnings:

Both ERRI and government analysts continue to warn of potential problems with remediation efforts undertaken to fix the Y2K bug. Network and Information Technology (IT) professionals should be warned that there is a potential for "booby-traps" to be installed by foreign or little known programmers, who are being contracted to work on correcting software date errors relevant to Y2K.

"Some Y2K programmers with malicious intent may be quietly installing malicious software codes, such as a logic bomb or a time-delayed virus, to sabotage companies or gain access to sensitive information sometime in the new millennium," Rep. Constance Morella, R-Md., chairwoman of the Technology Subcommittee of the House Science Committee, said at the hearing. "Most troubling is that several security firms have already found trap doors in Y2K programming," according to the Newsbytes News service (http://www.newsbytes.com/index-y2k.html).

ERRI analysts suggest a complete security check must be performed after the completion of Y2K remediation efforts to insure that additional malicious code, or secret "back doors" weren't added to software that was under repair.


-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.

In its own way, this is one of the strongest pieces of evidence as to the real severity of Y2K -- the fact that the government is coming up with such outrageous crap in order to have a scapegoat WTSHTF. This is nothing more than "icing on the cake" when viewed against the last three years worth of Presidential executive orders that have to do with "cyberterrorism". Just a codeword for Y2K, folks. And we are being set up beautifully.

When it all goes to hell in a handbasket, just remember: "It's Y2K, Stupid."

-- King of Spain (madrid@aol.cum), October 03, 1999.

Donno KOS.

Think I'm scaring myself again.

Was just starting to think... Well MAYBE we really will be Y2K-Okay in the U.S., or at least in Silicon Valley... and then I start digging again.


This is NOT a fun little page to peruse!

ERRI Counter-Terrorism Archives
A Summary of World-Wide Terrorism Events, Groups, and Terrorist Strategies and Tactics

http://www.emergency.com/cntrterr.htm

Note a pdf file...

General Terrorism-Related Articles

09/21/99-10:00CDT--NEW WORLD COMING: AMERICAN SECURITY IN THE 21ST CENTURY MAJOR THEMES AND IMPLICATIONS;The Phase I Report on the Emerging Global Security Environment for the First Quarter of the 21st Century (.pdf document - requires reader)

http://www.nssg.gov/Reports/NWR_A.pdf

You add all this to ABC Nightline's new BIOWAR series with Ted Koppel this week, and well... it's clearly time for a walk, for smelling roses, and sipping a steaming caffe latte! (But NOT near a large gathering of people!)

See thread...

ABC Report on Bio-Terrorist Attack

http://www.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=001VYX



-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.

Old news Diane, various companies have been complaining about backdoors in the foreign code for some time now. Lots of work came back home because of that, and a bunch of stuff underwent IV&V here because of such concerns.

-- Paul Davis (davisp1953@yahoo.com), October 03, 1999.

Personally, I think it's a setup...oh, gee, it's not OUR fault, we didn't factor in malicious changes to code...

-- Mara Wayne (MaraWayne@aol.com), October 03, 1999.

Ma Fellow Americans: We were ready on time, all of the systems were fixed. But then we learned that the programmers we hired did not really fix the code, in fact some of them actually placed new bugs in the code. Therefore today I am declaring Martial Law until such time as I deem that the problems facing America are fixed. I project that with hard work and a little bit of luck we can have these problems fixed in time for the 2008 election cycle.

Nightmares...Nightmares.. and more nightmares.....

Things will get worse before they get better.

-- Helium (Heliumavid@yahoo.com), October 03, 1999.

Old News, Paul?

10/01/99 -- Reuters! AND ABC Nightline's BIOWAR series?

Why the resurgence then?

Make the connection Paul... if your brain cells can wrap around the concept... Y2K does NOT happen in a vacuum!


-- Diane J. Squire (sacredspaces@yahoo.com), October 03, 1999.

The real nightmare is that both will happen. Real Y2k problems and cyber-war. While everyone is effectively playing the "blame game" and running around trying to figure out who the one person to string up should be, energy will be wasted and few things, if any, will get fixed.

The immediate concern should be fixing what's broken. THEN you start worrying about whose fault it was. If we lose sight of that, then we really are toast.

-- Bokonon (bok0non@my-Deja.com), October 03, 1999.

At the same time, I have read that programmer unemployment, and no increase in contract programmer's fees in the U.S., is further evidence that Y2K is not as bad as we thought it was. It does make me wonder what the real price tag for our nation's y2k remediation would have been if we had done it all domestically and not placed our national security at risk.

-- RUOK (RUOK@yesiam.com), October 03, 1999.

This reminds me of what I understand was the way that the FBI put people on their 10 Most Wanted List, in the early days when the agency was just starting out: The suspects put on the list were ones that the FBI had pretty much cornered as to their whereabouts, and could close in on easily. Thus the FBI got great press when they made their captures after their speedy "manhunts".

I would not consider this obvious disinformation campaign to necessarily indicate that the Powers That Be believe that Y2K is going to be disastrous, but rather that they simply look upon it as an insurance policy. If there are big problems (as personally I believe there will be), then the position will be that it was due to foreign sabotage, not the reality that the code was broken and never fixed and adequately tested.

89 days.


-- Jack (jsprat@eld.~net), October 03, 1999.

We've played this game ourselves. When the Polish phone system wanted to upgrade in the 1980's our government got the suppliers to plant a little trap door in the equipment. If war had broken out with the Warsaw pact the trap would have cut all phone communication. Since communication with Warsaw pact troops in Germany ran through Poland it would have placed a major crimp in their com plans. Rumor has it that much of the military equipment supplied to foreign countries contain similar little tricks which could make them quite useless in a war with the US.

-- kozak (kozak@formerusaf.guv), October 03, 1999.

I am with Diane. I was feeling like my preps were enough, but after the last few days of fun posts about the economy, petroleum, Russia, Herstatt syndrome, and the like I stopped and picked up a water barrel and a recycled 5 gallon bucket with lid and handle from a donut shop ($1.50 and can be used to store the ever popular rice and beans).

It's probably not PC to point fingers at the Israelis or the mythical 200+ programmers in India just waiting to subcontract (you can probably tell I have been there and done that with customized applications). It could well be anyone who has a double agenda.

The Chinese curse about "May you live in interesting times" is alive and well.

-- Nancy (wellsnl@hotmail.com), October 03, 1999.

Ruok: when you say "...if we had done it all (y2k remediation work) domestically and not placed our national security at risk..."

and Jack: When you say "...due to foreign sabotage..."

you are both presuming that American workers would not sabotage the y2k fixes. Yea right...like we are a nation of like thinking patriots!

-- Frankie (fransmak@prodigy.net), October 03, 1999.

Also see thread from October 1, when the FBI made false accusations about India:

FBI accuses India

-- @ (@@@.@), October 03, 1999.

I wonder how many of you IT types will, when asked next year what your profession is, say "I'm a computer programmer"..... could be the equivalent of saying, back in the Old West "I'm a horse rustler"...

-- matt (matt@somewhere.nz), October 03, 1999.
