Y2K fixes open door for electronic heists
By M.J. Zuckerman, USA TODAY
WASHINGTON - The top Y2K research firm predicts that the largest
single heist in history, an electronic theft exceeding $1 billion, will occur as
a direct result of the Year 2000 computer glitch.
The Gartner Group "would be surprised if there weren't at least one
publicly reported electronic theft exceeding $1 billion," says the
soon-to-be-released study of more than 1,000 of the firm's clients
worldwide.
Independent scientists, security professionals and others involved in Y2K
research have few quarrels with the Gartner Group's warning.
"That's certainly a safe prediction," says computer security expert Donn
Parker, author of Fighting Computer Crime. "Fixing Y2K has opened
up vulnerable business computer programs to attacks by a larger number
of people."
The biggest concern, Gartner says, is that employees hired to upgrade
systems might have left "trap doors" or other means through which they
can clandestinely take control of systems, including those that electronically
move $11 trillion a year among financial institutions, corporations,
governments and private organizations.
"We have basically had to open up every system we have to people we
may not know enough about," says Joe Pucciarelli, author of the study. It
urges scrutiny of "disgruntled or opportunistic employees."
"I have no way of determining that there is going to be a theft of that
magnitude. But I think the sentiment is quite correct," says Fred Schneider,
professor of computer science at Cornell University. He's one of several
scientists and policy analysts concerned that Y2K upgrades, designed to
repair systems that could misconstrue dates after Jan. 1, 2000, are
introducing new vulnerabilities.
Several security firms say they have found "trap doors" in Y2K
programming. Some were placed to provide reputable firms an entry for
future repairs, but others have been intentionally hidden.
"I'm aware of at least three such incidents," says Mike Higgins of the
consulting firm Para-Protect Services. "One was in a major information
technology company which used a Pakistani company to do (upgrades).
The company left a hidden trap door and has since gone out of business."
But Mark Graf of Sun Microsystems says he doesn't consider Y2K itself a
serious security problem: "If you had such poor security that you didn't
take prudent measures before, I don't see how Y2K really makes you any
less secure."
But Higgins, among others, notes that in many businesses, "normal due
diligence is lagging due to the breath of the (Y2K) work" that remains to
be completed. |
