Technology Stocks : Discuss Year 2000 Issues

To: Lane3 who wrote (8850)
10/1/1999 2:30:00 PM
From: Ken Salaets   of 9818
 
U.S. finds malicious code changes in Y2K "fixes"
By Reuters
October 1, 1999, 5:30 a.m. PT
home.cnet.com

WASHINGTON--Malicious changes to computer code under the guise of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cybercop said yesterday.

"We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters.

Vatis heads the interagency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyberattacks on networks that drive U.S. finance, transport, telecommunications, and other vital sectors.

A Central Intelligence Agency officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software.

"India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity, and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.

A significant amount of Y2K repair is also being done for U.S. companies by contractors in Ireland, Pakistan, and the Philippines, according to Maynard. But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, although the possibility cannot be ruled out, he wrote.

Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the anticipated Y2K glitch, which could scramble computers when 1999 gives way to 2000.

The CIA declined to comment on Maynard's article. Referring to it, Vatis said, "This is our effort to [give] the public information that hopefully can be useful to people."

Vatis, interviewed at FBI headquarters, said that so far "not a great deal" of Y2K-related tampering had turned up.

"But that's largely because, No. 1, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said.

In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners.

"A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," Vatis said.

He said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, Vatis said.

The Senate Y2K Committee, in its final report last week, described the issue as "unsettling."

"The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Sens. Robert Bennett (R-Utah) and Chris Dodd (D-Connecticut).

Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access.

By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another possible threat is the insertion of a program that would compromise passwords or other system security, he said.

The Senate Y2K Committee said the long-term consequences could include increased foreign intelligence collection and espionage activity, reduced information security, a loss of economic advantage, and increased infrastructure vulnerability.