[ISN] FBI looks into possible hacking

InfoSec News isn at c4i.org
Wed Jun 29 01:05:15 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>


rbarrett [at] journalsentinel.com
June 28, 2005

The FBI is investigating whether a former P&H Mining Equipment 
employee hacked into the company's computer system from his home and 
copied files of projects he had worked on.

The FBI has seized about a dozen computers from the suspect's 
Milwaukee home and is analyzing them for evidence that could result in 
criminal charges. The former employee, a computer systems 
administrator, has not been charged with a crime and is not being 
named for this article. 

"It takes us a while to work these cases to fruition," said Mike 
Johnson, cyber crimes supervisor for the Milwaukee office of the FBI.

"They are time consuming, depending on how much data we find in the 
computers," he said. "Computer hard drives keep getting bigger, and 
the bigger they are, the longer it takes for us to get through them."

P&H Mining Equipment, a division of Joy Global Inc., makes some of the 
world's largest mining shovels and draglines. One shovel alone can 
move about 360 tons of coal in 90 seconds. The company has operations 
in 46 countries.

In a search warrant affidavit, FBI investigators said the former P&H 
employee was a systems administrator with the company before he was 
fired on April 1. 

Systems administrators have "root level" access to the computer 
systems they manage, which effectively gives them master keys to open 
any account and to read any file on their systems, according to the 

About six weeks after the P&H employee was fired, someone accessed the 
company's computer system from a remote location and turned off the 
monitoring programs on a company server, according to the FBI. The 
former employee was intimately familiar with the server because he 
built the system, FBI officials noted.

The same day, about 3 gigabytes of data were copied from a computer 
folder with the former employee's name on it, to a computer with his 
home Internet address, according to the FBI.

The files were then deleted and purged from the company system. Only a 
systems administrator would have the privileges to purge the files, 
which permanently removes them from the system, the FBI said. P&H had 
a backup tape of the former employee's folder, which indicated it 
contained about 3 gigabytes worth of data.

The FBI subpoenaed the former employee's Internet service provider, in 
an effort to track the copied information. It also sought a search 
warrant to seize his personal computers, along with other computer 
equipment, disks, magazines and papers.

Joy Global officials did not return Journal Sentinel calls asking 
about the alleged computer break-in and whether any damage was done to 
P&H computer systems.

The former employee might have had help accessing the system, 
according to the FBI. The computer intrusion cost the company more 
than $5,000 in manpower, the agency noted in the search warrant 

Randall Kaiser is a Milwaukee attorney representing the former 

"This is definitely not a situation where he was trying to do any 
damage," Kaiser said of his client. "It's an unfortunate situation 
that we are trying to resolve."

As many as half of all businesses experience break-ins from computer 
hackers, also called crackers, but most don't report it to law 
enforcement, according to a government report. As many as 70% of 
businesses included in a Computer Security Institute survey said they 
didn't report computer intrusions to the FBI because they didn't want 
negative publicity.

About 85% of all computer break-ins are done by company insiders, said 
Michael Higgins, managing director of TekSecure Labs, a Woodbridge, 
Va., technologies firm that helps large companies protect their data.

Higgins was not familiar with this particular FBI investigation. But 
he said it's not unusual for people to try and steal something from 
their former employers' computers, either for personal gain or as 
revenge for being fired.

A fired computer administrator can cause a great deal of harm.

"If you fire the guy with the keys to the kingdom, you had better do 
it very carefully," Higgins said. "There have been numerous cases 
where fired employees knew the back doors to get inside the company, 
and destroying data is one of the ways they use to get revenge."

Companies should have a plan that spells out what steps to take when a 
computer systems manager leaves his employment, according to Higgins.

Some plans can be thwarted if the former employee has personal 
contacts in the company willing to assist in a computer break-in. But 
any employee who offers help puts himself at tremendous risk, Higgins 

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list