The Threat From Within

By Paul Desmond


On Dec. 11, federal law enforcement agents conducted raids at several U.S. universities and software companies in an apparently successful attempt to break up a software piracy ring. More raids were conducted over the following week and 150 computers were seized, according to a report in The New York Times.

Officials from the Customs Service, which is leading the investigation, were pressuring students and others believed to be involved in the ring to talk or face prison time.

One such suspect, Christopher Tresco, 23, was working as a systems analyst at the Massachusetts Institute of Technology, one of the schools raided on Dec. 11. According to the Boston Globe, Tresco is alleged to have been operating near the top level of the piracy ring, dubbed DrinkOrDie. As a result of his involvement, several MIT computers were seized, including at least one server.

Think about that for a minute. Imagine federal law enforcement agents one day burst into your data center, disconnect a server or two (no telling which ones) and walk away with them. Then think about having the name of your organization splashed all over the headlines of your local metropolitan newspaper in connection with such a scandal, not to mention national news vehicles. That's exactly what happened to not only MIT but Duke University, the University of California at Los Angeles and the Rochester Institute of Technology.

A Gateway store in Pennsylvania also was involved in the raid, and one of its employees was questioned. Additionally, employees at the companies that made the pirated software are also under suspicion. The pirated goods include the Windows XP operating system, computer games and even recent hit movies such as "Harry Potter and the Sorcerer's Stone." In all, the investigation touched 27 cities and five countries.

In Tresco's case, authorities allege he was using MIT computers to conduct at least some of his illegal activities. What was he supposed to be doing? Maintaining the security systems for MIT's Economics Department.

You've heard this sort of story before, that it's the insiders you have to watch out for as much as outside intruders. But the DrinkOrDie episode brings it to light in stark fashion.

What could MIT have done to detect Tresco's allegedly illicit activities? E-mail filtering software may have helped. Tools such as Baltimore Technologies' MIMEsweeper, SurfControl's SuperScout and Marshal Software's MailMarshal scan the content of e-mail messages looking for predefined keywords that indicate a potential security breach or simply non-business activity. In this case, if the tool had been configured to flag "DrinkOrDie," or the larger "warez" ring, Tresco may have been caught.

The same vendors have products that scan the content of Web sites and monitor the sites employees are visiting. Here again, such a tool may have alerted MIT if Tresco was indeed up to no good, given the ring allegedly operated its own site, www.drinkordie.com, which has since been shut down.
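The keyword and site matching the two preceding paragraphs describe is simple enough to sketch. The following is an added illustration, not code from the article or from any of the vendors named; the watchlist terms, the sample messages and the hostname check are all constructed here. It goes slightly beyond a literal keyword match by normalizing case and punctuation first, so that "Drink Or Die" or "drink-or-die" still trips a rule for "drinkordie", and it applies the same domain watchlist to URLs found in message bodies that a Web filter would apply to browsing.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed watchlist. In a real deployment these come from the filter's
# policy configuration, not from source code.
KEYWORDS = ["drinkordie", "warez"]
DOMAINS = ["drinkordie.com"]


@dataclass
class Hit:
    msg_id: str
    rule: str      # which watchlist entry fired
    evidence: str  # the text that caused it


def normalize(text: str) -> str:
    """Lower-case and strip everything but letters and digits.

    This collapses "Drink Or Die", "drink-or-die" and "DrinkOrDie" to
    "drinkordie", which defeats the easiest spacing/punctuation evasions.
    """
    return re.sub(r"[^a-z0-9]", "", text.lower())


def scan_message(msg: dict) -> list[Hit]:
    """Return every watchlist hit for one message (subject + body)."""
    hits: list[Hit] = []
    text = msg["subject"] + " " + msg["body"]
    norm = normalize(text)

    # Keyword rules run over the normalized text.
    for kw in KEYWORDS:
        if kw in norm:
            hits.append(Hit(msg["id"], f"keyword:{kw}", kw))

    # Domain rules run over hostnames pulled from URLs in the raw body,
    # matching the domain itself and any subdomain (www., ftp., ...).
    for host in re.findall(r"https?://([^/\s]+)", msg["body"], flags=re.I):
        host = host.lower()
        for dom in DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.append(Hit(msg["id"], f"domain:{dom}", host))
    return hits


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {
        "id": "m1",
        "subject": "new release",
        "body": "Grab the latest from the Drink Or Die group, "
                "mirror at http://www.drinkordie.com/releases",
    },
    {
        "id": "m2",
        "subject": "Problem set 3",
        "body": "Office hours moved to Thursday. See the course site.",
    },
    {
        "id": "m3",
        "subject": "w a r e z list",
        "body": "updated list attached",
    },
]


def scan_all(messages: list[dict]) -> list[Hit]:
    """Scan a batch of messages and return all hits in message order."""
    return [h for m in messages for h in scan_message(m)]


if __name__ == "__main__":
    for h in scan_all(SAMPLE_MESSAGES):
        print(f"{h.msg_id}: {h.rule} ({h.evidence})")
```

The normalization step is also where the false-positive risk lives: a short watchlist term will match inside unrelated words once spaces are removed, so in practice each term is reviewed against a sample of legitimate mail before it is enabled, and a hit is a prompt for a person to look, not a verdict.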

Another way to potentially find wayward insiders is to monitor for the tools they use to hack into other sites. The latest version of Tally Systems' Census line of PC inventory and auditing software is designed to detect tools used by hackers. The company added more than 400 fingerprints to Census, enabling it to detect various categories of tools, including those used to launch Trojans and denial-of-service attacks, crack passwords, break into networks and write viruses.
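Fingerprint-based inventory of the kind just described amounts to hashing every file on a host and comparing against a database of known tool hashes. Here is an added example of that loop, not code from Tally Systems or any other product; the "fingerprint database" is built from two constructed byte strings that stand in for tool binaries, and the sample directory is created on the fly. Because matching is by content hash rather than file name, a copy of a listed file that has been renamed to something innocuous is still reported.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for tool binaries. Real fingerprint databases hold
# hashes of actual tools; these are arbitrary bytes invented for the demo.
SAMPLE_TOOLS = {
    "password-cracker (constructed)": b"\x7fELF-fake-cracker-binary-0001",
    "dos-tool (constructed)":         b"MZ-fake-flooder-binary-0002",
}

# Fingerprint database: sha256 hex digest -> label.
FINGERPRINTS = {
    hashlib.sha256(data).hexdigest(): label for label, data in SAMPLE_TOOLS.items()
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> list[tuple[str, str]]:
    """Walk `root` and return (relative path, label) for every fingerprint match."""
    matches = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        label = FINGERPRINTS.get(sha256_file(p))
        if label is not None:
            matches.append((str(p.relative_to(root)), label))
    return matches


def make_sample_tree(root: Path) -> None:
    """Constructed host snapshot: one benign file and one renamed listed tool."""
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_bytes(b"course notes, nothing interesting")
    # The listed binary hidden under a harmless-looking name and location.
    (root / "docs" / "notes.txt").write_bytes(SAMPLE_TOOLS["password-cracker (constructed)"])


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir and return the inventory matches."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{rel}: {label}")
```

The obvious limit, which the article's next paragraph raises in a different form, is that the check runs on the host being checked: an administrator who controls that host can stop the agent, and a recompiled or padded copy of a tool no longer carries the listed hash. Inventory results are therefore most useful when they are shipped off-host and compared over time, so that a tool disappearing from the scan, or the scan itself stopping, is visible too.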

Still, the MIT case is a particularly daunting one, given that Tresco was himself a security administrator. Presumably he would know how to cover his tracks, even if it meant shutting down some of the security tools designed to catch him.

In a recent conversation about cyberterrorism, John Pescatore, research director for Internet security at Gartner Inc., said one of the lessons learned from the Sept. 11 terrorist attacks is that the terrorists were living among us. His point was that you don't know who one day could do you harm. Given that, Pescatore says companies need to do more in the way of background checking, for their own IT employees as well as their outsourcing providers.

"In the rush to hire people, a year and a half to two years ago, you were just happy if somebody would agree to work for you, be it in your security group, your IT system administrators or whatever, let alone who you're outsourcing to," Pescatore says. "So the whole issue of background checking, bonding, personnel type security, I think not enough attention has been paid to that."

Whether such a check would have flagged Tresco is far from clear. By all accounts, he appears to be the sort of die-hard computer enthusiast that any firm would covet. How, why or if he got involved in the DrinkOrDie group is another question. But it once again points to the need to be on the lookout for insiders conducting surreptitious activity on your organization's computers, lest the feds one day walk off with one of your servers.

Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of ecomSecurity.com, a source of practical security information for IT managers, CIOs and business executives. E-mail him at paul_desmond@king-content.com

Editor's note: This column first appeared on Datamation, an internet.com site.