U.S. Finds Malicious Code Changes in Y2K Fixes

[Guest guest]

U.S. FINDS MALICIOUS CODE CHANGES IN Y2K "FIXES"

By Reuters

Special to CNET News.com

October 1, 1999, 5:30 a.m. PT

 

WASHINGTON--Malicious changes to computer code under the guise of

Year 2000 software fixes have begun to surface in some U.S. work

undertaken by foreign contractors, the top U.S. cybercop said

yesterday.

 

"We have some indications that this is happening" in a possible

foreshadowing of economic and security headaches stemming from Y2K

fixes, Michael Vatis of the Federal Bureau of Investigation told

Reuters.

 

Vatis heads the interagency National Infrastructure Protection

Center (NIPC), responsible for detecting and deterring cyberattacks on

networks that drive U.S. finance, transport, telecommunications, and

other vital sectors.

 

A Central Intelligence Agency officer assigned to the NIPC said

recently that India and Israel appeared to be the "most likely sources

of malicious remediation" of U.S. software.

 

"India and Israel appear to be the countries whose governments or

industry may most likely use their access to implant malicious code in

light of their assessed motive, opportunity, and means," the CIA

officer, Terrill Maynard, wrote in the June issue of Infrastructure

Protection Digest.

 

A significant amount of Y2K repair is also being done for U.S.

companies by contractors in Ireland, Pakistan, and the Philippines,

according to Maynard. But they appear among the "least likely" providers

to jeopardize U.S. corporate or government system integrity, although

the possibility cannot be ruled out, he wrote.

 

Thousands of companies in the United States and elsewhere have

contracted out system upgrades to cope with the anticipated Y2K glitch,

which could scramble computers when 1999 gives way to 2000.

 

The CIA declined to comment on Maynard's article. Referring to it,

Vatis said, "This is our effort to [give] the public information that

hopefully can be useful to people."

 

Vatis, interviewed at FBI headquarters, said that so far "not a

great deal" of Y2K-related tampering had turned up.

 

"But that's largely because, No. 1, we're really dependent on

private companies to tell us if they're seeing malicious code being

implanted in their systems," he said.

 

In reporting evidence of possible Y2K-related sabotage of software,

Vatis confirmed one of the worst long-term fears of U.S. national

security planners.

 

"A tremendous amount of remediation of software has been done

overseas or by foreign companies operating within the United States,"

Vatis said.

 

He said it was "quite easy" for an outsider to code in ways of

gaining future access or causing something to "detonate" down the road.

This could expose a company to future "denial of service attacks," open

it to economic espionage, or leave it vulnerable to malicious altering

of data, Vatis said.

 

The Senate Y2K Committee, in its final report last week, described

the issue as "unsettling."

 

"The effort to fix the code may well introduce serious long-term

risks to the nation's security and information superiority," said the

panel headed by Sens. Robert Bennett (R-Utah) and Chris Dodd

(D-Connecticut).

 

Vatis, in testimony before the Y2K panel in July, warned that

contractors could compromise systems by installing "trap doors" for

anonymous access.

 

By implanting malicious code, he said, a contractor could stitch in

a "logic bomb" or a time-delayed virus that would later disrupt

operations. Another possible threat is the insertion of a program that

would compromise passwords or other system security, he said.

 

The Senate Y2K Committee said the long-term consequences could

include increased foreign intelligence collection and espionage

activity, reduced information security, a loss of economic advantage,

and increased infrastructure vulnerability.

 

http://news.cnet.com/news