BOSTON—Gathered in the subterranean confines of a decommissioned vault in the basement of the Boston Stock Exchange, a panel of IT security experts told the assembled crowd that short of locking all their proprietary information in such a contraption, there may be little hope for securing their data.
Brought together on May 12 for imaging giant Xerox's 2006 Security Summit, the group of technology, intellectual property and law enforcement specialists painted a dreary picture of the current state of information security in enterprise companies, and even U.S. government agencies.
Their warnings and anecdotes left little doubt among attendees that much work remains to be done in fighting the growing threat of so-called cyber-crimes.
Among the perils that stalk enterprises and seek to spirit away their trade secrets, customer information and money, are a new breed of organized criminals, a lack of proper tools for detecting the most advanced forms of computer attacks and legions of unsuspecting workers who leave their employers' most valuable information assets available for the taking.
One of the fastest growing areas of IT-related felonies is trade secret theft, carried out by everyone from legitimate business to electronic crime syndicates and even foreign governments, said Craig Morford, the first assistant U.S. Attorney for the Northern District of Ohio.
"Five or ten years ago companies recruited one of your employees to steal data, and it's much scarier to think that today someone doesn't even need to break into your building to get the same information," he said.
"There's a twenty-something-year-old guy in the Ukraine in a run-down apartment who is entering your company where the information is kept so he can sell it, and this sort of thing is happening on a regular basis."
Morford, who has won national acclaim for his work fighting both traditional organized criminals and emerging cyber-criminals, said that people who formerly sold stolen credit card accounts have advanced their operations into "eBay-like" businesses where they instead market malware such as polymorphic virus code to others, who in turn use the code to carry out their own schemes.
The attorney said that it may be even harder to trace the reach of such criminals since, unlike the Mafia of old, those individuals specializing in IT attacks are able to hide themselves behind layers of technological barriers and often work together with large numbers of people they have never even met, who may be spread anywhere around the world.
"We're seeing the growth of a large number of criminal entities targeting U.S. organizations for cyber-crimes, and it's sort of like the atmosphere around organized crime here in the U.S. in the 1950s as it seems that we're only just scratching the surface of this type of activity," he said.
Among the recent examples of such attacks that Morford and other experts highlighted was a failed attempt by one hacker to extort $200,000 from financial news giant Bloomberg.
The 22-year-old individual, who hailed from Kazakhstan, was reportedly able to break into the company's network and steal the account information of some of the firm's largest customers, as well as the detailed personal information of founder and New York City Mayor Michael Bloomberg, including his address and social security number.
While the plot was foiled when the FBI arrested the hacker in London trying to accept his ransom, said Morford, it stands as evidence of the type of sophisticated attack that can be launched by one individual alone.
In an even scarier scenario, Dan Verton, executive editor of the monthly newsmagazine Homeland Defense Journal, described how security workers at an unnamed government agency caught an employee communicating with outsiders via the organization's IT network.
The worker was reportedly communicating with other people regarding plans to support the Middle East-based terrorist group Al Qaeda, which is believed to be responsible for the attacks of September 11, 2001.