Dr Crime's Terminal of Doom
- 08 July, 2002 11:00
- Comments
Reader ROI
- Learn why your biggest security risks are inside your organisation
- See how guarding against internal threats can protect against external ones too
- Discover how CIOs balance the need to trust workers with efforts to reduce risks
When John Michael Sullivan moved to Charlotte, North Carolina, to help develop a mobile computer program for Lance Incorporated, he hung up an old plaque. Inscribed "Dr Crime's Terminal of Doom", the memento celebrated Sullivan's youthful love of the movie Indiana Jones and the Temple of Doom - and his reputation as a computer hacker who went by the handle Dr Crime.
"I was a hacker long before being a hacker was cool," Sullivan wrote on a Web page the FBI later found on his hard drive, describing his affection for the plaque."More than once I was accused (falsely?) of perpetrating acts of computer crime against various systems and agencies. But regardless if I did or didn't, I never got caught . . . And although I have Â'settled in' to a real job, Dr Crime still lives . . . quietly, anonymously and discreet."
Or not. After Sullivan was demoted at snack-food maker Lance in May 1998, he planted a logic bomb. This malicious code, set to execute on September 23, 1998, the anniversary of his hire date, would destroy part of the program being written for the handheld computers for Lance's sales force. When the bomb went off - months after Sullivan had resigned - more than 700 salespeople who rove the Southeastern United States with truckloads of Captain's Wafers, Cape Cod Potato Chips and Toastchee crackers couldn't communicate electronically with headquarters for days, and Lance feared the attack might cost $US1 million.
The evidence Dr Crime left is unique, but the scenario? Hardly. Whether it's sabotage or the theft of trade secrets, a growing number of companies are learning the hard way that their biggest security risks are on the inside. Employees, contractors, temps and other insiders are trusted users. They know how a company works, and they understand its weaknesses - and that gives the occasional bad apple a chance to really make things rotten.
Rather than handling the situation internally as something to cover up, as do many companies faced with insider crime, Lance decided to act."We wanted to send the message that these types of actions were not accepted by senior management," said Rudy Gragnani, vice president of IS at the $US583 million company, in an interview that his edgy legal department allowed him to conduct only via e-mail."The livelihood of our sales representatives was being impacted, and we took this situation very seriously."
In April 2001, the then-40-year-old Sullivan - who also wrote on that Web page that he'd relocated from New York to North Carolina to give his family a better quality of life - was sentenced to two years in prison without parole and ordered to pay almost $US200,000 restitution. He lost an appeal in February 2002.
Damage by insiders such as Sullivan"is an incredibly fast-growing problem", says Patrick Gray, who worked for the FBI for 20 years until he retired in late 2001 to join Internet Security Systems, a managed security company based in Atlanta."It's a tough threat that CIOs are going to have to address. Whether you're a Fortune 100 company or a three or four person company, you still have to deal with that biosphere that sits between the keyboard and the chair."
Supposedly the wake-up calls came in 1996, in computer sabotage's most famous chapter, when a former systems administrator at New Jersey-based Omega Engineering unleashed malicious code that cost the company more than $US10 million; in February 2002, Tim Lloyd, 39, was sentenced to 41 months in federal prison and ordered to pay Omega more than $US2 million in restitution.
But the bells are still ringing.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Face Time - Interview with John Brennan and Robert DiStefano
-
Face Time - Interview with John Brennan and Robert DiStefano
-
Top seven firewall capabilities for effective application control
-
Pfizer's Future Depends on IT Transformation
-
Face Time - Interview with John Brennan and Robert DiStefano
-
Oracle Exadata: Extreme Performance Lowest Cost
As organisations contend with escalating demands for greater quantities of information, more sophisticated data analysis, and a burgeoning user population, Oracle Exadata makes database workloads faster, easier to manage, and less expensive. Oracle Exadata is the world’s first database machine to provide extreme performance for both data warehousing and online transaction processing (OLTP) applications. -
CISO Guide to Next Generation Threats - Combating Advanced Malware, Zero-Day and Targeted APT Attacks
Over 95% of businesses unknowingly host compromised endpoints, despite their use of firewalls, intrusion prevention systems (IPS), antivirus and Web gateways.1 Today’s attacks look new and unknown to signature-based tools because the attacks employ advanced malware and zero-day vulnerabilities. To regain the upper hand against next-generation attacks, enterprises must turn to true next-generation protection: signature-less, proactive and real time. Read on. -
SOA Best Practices and Design Patterns
By learning from the experiences of those organisations that have been through the process and looking at the standard best practices of large‐scale technology implementations, success can come earlier and more dramatically. Read more now.
Get exclusive access to Invitation only events CIO, reports & analysis. 
Comments
Post new comment