Enterprises Vulnerable To Y2K Hacks

By RUTRELL YASIN

Companies racing to meet Y2K deadlines may unwittingly be exposing their networks to hackers.

The changeover to the year 2000 presents an opportune time for computer hackers and writers of malicious code to launch attacks on enterprise networks that could be mistaken for Y2K glitches, according to security experts.

Meanwhile, the discovery of trap doors embedded in Y2K software, along with the rise of Y2K viruses, have heightened IT manager awareness of the need to safeguard networks from millennium attacks.

"Many companies are making sure that they are Y2K-compliant, but that doesn't mean the systems are secure," said Ernst and Young analyst Thomas Klevinsky, a member of the consultancy's penetration testing services.

In some cases companies that aren't yet Y2K-compliant are farming out programming work to contractors without completing a thorough background check, security experts noted. This is very risky, increasing the likelihood that trap doors can be installed on systems, thus enabling intruders to gain unauthorized access.

In fact, some companies have already uncovered attempts to sabotage systems.

Mark Gembicki, president of WarRoom Research, a security consultancy, said a few of his clients have found malicious code embedded in programs sent out for Y2K remediation that are associated with the years 2013 and 2017.

Essentially, the traps "open up a portal for organizations to see more proprietary information" once installed on systems, Gembicki said.

However, it is not yet clear whether the Year 2000 is an entry point, giving an intruder access for 13 years, or whether systems would be exposed in the year 2013, Gembicki added. "It may be a fluke, but it should be enough to make people paranoid," he said.

Ken Barksdale, program manager for Bell Atlantic's disaster recovery services, agreed. As Y2K project leader working for a Wall Street firm three years ago, he discovered traps in code that was farmed out to overseas contractors. The embedded code was set to cause systems to crash in 2015, he said.

Now, "people are still finding bugs [that would let intruders] get into applications without passwords," he said. Barksdale would not name companies that have discovered such traps. However, he advised companies to hire computer emergency response teams (CERTS) to test Y2K programs for trap doors.

IT managers also are increasingly concerned about back door programs that can be transmitted through e-mail or downloaded as executables from Web sites.

"A lot of these malicious code writers are going to take advantage of the Y2K situation, so the best thing to do is not get complacent," said Danny Slagle, computer support specialist at Breed Technology, a supplier of safety parts for automobiles.

That means continually updating antivirus software and security patches from the leading vendors, users said.

"The first step is to make sure you're totally up to snuff with all Y2K fixes from vendors," said Jim Constantine, manager of network services at Reed Technology, an electronic publisher. "Then you need to make sure you have the very latest in antivirus protection on all systems and servers."

The company is now completing a document that will detail safe e-mail practices to make users more aware of Y2K-related viruses such as the FIX2K worm dispatched last week, Constantine said.

The worm tricks users with a claim that its attachment is a Y2K fix. The message subject line reads, "Internet Problem year 2000." When launched, the worm copies some files into the Windows system directory, then displays the message, "Your Internet Connection is already Y2K, you don't need to upgrade it." When the system is rebooted, every outbound e-mail is followed by another message with the worm attached.

"We're hoping the safe e-mail practices document will protect against this," Constantine said. He is telling users to be suspicious of e-mail attachments, even if they are coming from an administrator. Users are now directed to verify that an administrator actually sent the e-mail.

To help businesses fortify their antivirus defenses, Network Associates last week unfolded its Y2K virus security initiative. The company's Millennium Support Program provides 24 x 7 access to more than 300 skilled engineers leading up to and beyond Jan. 1, 2000. NAI is also issuing updates to its ViruLogic scanning technology to speed the discovery of Y2K viruses.

"Many companies believe they are set for Y2K but want direct access to support and research," said Sal Viveros, NAI's product marketing manger for antivirus.

The company's AVERT research team has detected more than 90 Remote Access Trojans (RATs) such as Back Orifice 2000. Hackers are sending e-mail with RATs attached, "so it blurs the line between antivirus and intrusion detection," Viveros said.

As a result, intrusion detection and auditing will also play a big role in ferreting out intruders who may be hiding behind Y2K confusion.

The Internet is ripe with hacking tools that can be downloaded, said Breed's Slagle.

"There are those that will cause systems to malfunction by just pinging the server until it's overloaded or by exploiting certain known bugs. People not keeping up on patches may be susceptible to those types of attacks," Slagle said.

Sniffers that can monitor the network for these hacking tools will be crucial during the millennium change, as will auditing tools such as Blue Lance's LT Auditor, which detects suspicious activity in NetWare and NT systems, security experts noted.