The Threat From Within

On Dec. 11, federal law enforcement agents conducted raids at several U.S. universities and software companies in an apparently successful attempt to break up a software piracy ring. More raids were conducted over the following week and 150 computers were seized, according to a report in The New York Times.

Officials from the Customs Service, which is leading the investigation, were pressuring students and others believed to be involved in the ring to talk or face prison time.

One such suspect, Christopher Tresco, 23, was working as a systems analyst at the Massachusetts Institute of Technology, one of the schools raided on Dec. 11. According to the Boston Globe, Tresco is alleged to have been operating near the top level of the piracy ring, dubbed DrinkOrDie. As a result of his involvement, several MIT computers were seized, including at least one server.

Think about that for a minute. Imagine federal law enforcement agents one day burst into your data center, disconnect a server or two – no telling which ones – and walk away with them. Then think about having the name of your organization splashed all over the headlines of your local metropolitan newspaper in connection with such a scandal, not to mention national news vehicles. That’s exactly what happened to not only MIT but Duke University, the University of California at Los Angeles and the Rochester Institute of Technology.

A Gateway store in Pennsylvania also was involved in the raid, and one of its employees was questioned. Additionally, employees at the companies that made the pirated software are also under suspicion. The pirated goods include the Windows XP operating system, computer games and even recent hit movies such as “Harry Potter and the Sorcerer’s Stone.” In all, the investigation touched 27 cities and five countries.

In Tresco’s case, authorities allege he was using MIT computers to conduct at least some of his illegal activities. What was he supposed to be doing? Maintaining the security systems for MIT’s Economics Department.

You’ve heard this sort of story before, that it’s the insiders you have to watch out for as much as outside intruders. But the DrinkOrDie episode brings it to light in stark fashion.

What could MIT have done to detect Tresco’s allegedly illicit activities? E-mail filtering software may have helped. Tools such as Baltimore Technologies’ MIMEsweeper, SurfControl’s SuperScout and Marshal Software’s MailMarshal scan the content of e-mail messages looking for predefined keywords that indicate a potential security breach or simply non-business activity. In this case, if the tool had been programmed to flag “DrinkOrDie,” or the larger “warez” ring, Tresco might have been caught.

The same vendors have products that scan the content of Web sites and monitor the sites employees are visiting. Here again, such a tool may have alerted MIT if Tresco was indeed up to no good, given the ring allegedly operated its own site, www.drinkordie.com, which has since been shut down.
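The two detection ideas above, keyword scanning of e-mail content and a watch list of Web sites, are simple enough to show end to end. The following is an added illustration written for this page; it is not code from MIMEsweeper, SuperScout, MailMarshal or any other product named here. The e-mail messages, proxy log lines, log format ("user url status", one line per request) and user names are constructed sample data; the keywords and the domain are the ones the article mentions.

```python
"""Keyword-based e-mail content scanning and Web-site watch-list matching.

Added example for this page, not vendor code. All messages, log lines,
user names and the log format below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Terms the filter is "programmed to flag" (policy taken from the article).
KEYWORDS = ["DrinkOrDie", "warez"]

# Domains whose visits should raise an alert (the article names this one).
WATCHED_DOMAINS = {"drinkordie.com"}


def _keyword_pattern(keywords: Iterable[str]) -> "re.Pattern":
    # Whole-word, case-insensitive matching: "DRINKORDIE" in a subject line is
    # still caught, while a longer word that merely contains a keyword is not.
    alternatives = "|".join(re.escape(k) for k in keywords)
    return re.compile(rf"\b(?:{alternatives})\b", re.IGNORECASE)


def _message_text(msg: Message) -> str:
    """Gather the subject, every text body and every attachment filename."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            parts.append(filename)
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def scan_email(raw: str, keywords: Iterable[str] = KEYWORDS) -> List[str]:
    """Return the distinct keywords (lower-cased, sorted) found in a raw message."""
    msg = message_from_string(raw)
    hits = _keyword_pattern(keywords).findall(_message_text(msg))
    return sorted({h.lower() for h in hits})


def scan_proxy_log(lines: Iterable[str], watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (user, host) pairs for requests to a watched domain or a subdomain of it."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:          # skip malformed lines instead of crashing
            continue
        user, url = fields[0], fields[1]
        host = (urlsplit(url).hostname or "").lower()   # ignores port and path
        if any(host == d or host.endswith("." + d) for d in watched):
            alerts.append((user, host))
    return alerts


# Constructed sample message: keyword in the body, another in an attachment name.
SAMPLE_EMAIL = """From: user17@example.edu
To: friend@example.net
Subject: new release tonight
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The DRINKORDIE crew has the new build. Check the attached list.
--b1
Content-Type: application/octet-stream; name="warez-list.txt"
Content-Disposition: attachment; filename="warez-list.txt"

aGVsbG8=
--b1--
"""

# Constructed message with nothing to flag.
CLEAN_EMAIL = """From: a@example.edu
To: b@example.edu
Subject: problem set 3

Office hours moved to Thursday.
"""

# Constructed proxy log in the assumed "user url status" format.
SAMPLE_PROXY_LOG = [
    "user17 http://www.drinkordie.com/releases/ 200",
    "user22 http://www.example.edu/courses/ 200",
    "user17 https://mirror.drinkordie.com:8080/x 304",
    "malformed",
]

if __name__ == "__main__":
    print("e-mail hits:", scan_email(SAMPLE_EMAIL))
    print("web alerts:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

The whole-word regex and the hostname-based match are the two design choices worth noting: the first keeps a keyword list from firing on every word that happens to contain it, and the second means a watched domain appearing only in a URL path (on some unrelated host) is not reported, while any subdomain of it is.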