The Hacker Pyramid | Invasion of Privacy! Big Brother and the Company Hackers

Almost every hacker I know claims they started hacking for two basic reasons.

Curiosity . They are curious and want to know how things work.
The Rush. That feeling you get from being somewhere you're not supposed to be.

Let's take a closer look at the hacker pyramid.

Figure 8.5: The hacker pyramid

Hollow Bunnies and Script Kiddies

As one rises from the bottom toward the top of the hacker pyramid, risk and illegality increase exponentially. The bottom of the pyramid is populated by hollow bunnies and script kiddies, curious newbies experimenting with the canned point-and-click hacking tools. Richard, a 28-year-old computer programmer who has been hacking since age 11, calls the Web generation of hackers "hollow bunnies, like gigantic chocolate Easter bunnies filled with nothing but hot air!" Says Richard, "Ten years ago, hackers respected information as well as other people's personal property and computers. You had to possess knowledge and skills to hack! Nowadays, a novice who uses hacking software without any understanding of its function is much more likely to wreak havoc!"

Figure 8.6: Hacking Tools Web site

Script kiddies are not generally malicious, but they can download buggy hacking tools that go awry or execute the wrong command and damage hundreds of computers or an entire network! Talk to any hacker over the age of 25, and he'll lament the passing of the good old days, when coding was an art form and learning how a computer system worked took patience, skill, and persistence.

Ankle Biters

Working our way up the hacker pyramid from the light into the gray shadows, you see the ankle biter. He possesses more hacking skills than his script kiddie cousin, and he crosses the line in terms of legality and danger. Canned denial-of-service attacks and paint-by-number Web site defacement are the ankle biter's forte. His intentions are malicious and may stem from boredom, curiosity, alienation, or anger. Although his motivation isn't necessarily criminal, his actions produce material and financial harm. Some ankle biters claim they're the Robin Hoods of cyberspace , righting a mighty wrong by creating graffiti on an offending Web site or bringing it to its knees with a denial-of-service attack. This behavior is diametrically opposed to the Original Hacker Credo, which dates back to the 1970s:

A hacker shall do no harm.

The real Robin Hoods of cyberspace are the white hat hackers like Dwain, whom you met at the beginning of this chapter.

Ankle biters have three options:

Evolve into a white hat
Get busted
Move up the hacker pyramid to become a cracker

Crackers

Crackers are the wise guys of cyberspace, skilled hackers who have crossed the line into criminality. Crackers work on their own or in teams , and sometimes they contract their services to organized crime, like digital hit men. Crackers are pure black hats who reside on the black side of the hacker pyramid.

Crackers come in two varieties ”master criminals and small-time cons. The small fries perpetrate petty scams like auction frauds on eBay. They hit and run ”if they're successful. Some victims turn the tables on these lowlifes! Eric Smith, a 21-year-old college student at the University of New Orleans, was swindled out of a brand new Macintosh PowerBook G4 on eBay last Christmas. Smith got so outraged that he tracked down his swindler, a con man living in Chicago. Smith set up his own sting and lured the con man into bidding on another computer. The con man took the bait and got an early visit from Santa Claus ”cops from the Markham, Illinois, Sheriff's Department, who gave him a one-way sleigh ride to jail. Eric Smith got his revenge , but did he ever get his PowerBook back? You'll have to wait until Chapter 11 to find out.

Some crackers are legendary criminals, like the Russian gang that siphoned $10 million from Citibank without their knowledge, or the Amsterdam Mafia chief who had crackers access the police department computer so he could keep one step ahead of the law. Jeff Moss of DEFCON and the Black Hat Briefings says, "Crime syndicates approached hackers several years ago to work for them, but with so many easy-to-use hacking tools available today, criminals hardly need hackers to do their dirty work!"

Kevin Mitnick's New Leaf

Kevin David Mitnick is arguably the most famous American cracker. He was busted for hacking several times in the 80s while still a teenager. His rap sheet boasts some impressive cracks:

Pacific Bell's COSMOS phone center in Los Angeles
University of Southern California, where he was discovered sitting at a computer terminal breaking into the Pentagon over the ARPANET
Digital Equipment's Palo Alto research laboratory
The Santa Cruz Operation, a California software company
California Department of Motor Vehicles
Sprint
TRW's credit reference computer

Mitnick went on the lam, eluding the FBI and cracking his way across America. But on Christmas Day, 1995, he made a fatal mistake. Mitnick hacked into the home computer of one of the world's most respected security experts, Tsutomu Shimomura, and then had the audacity to rub the crack in Shimomura's face. Shimomura tracked Mitnick down like a digital bounty hunter, first on the Internet and then to the closest cell phone transponder , resulting in Mitnick's arrest and incarceration. Their game of cat-and-mouse is the stuff of hacker legends and the subject of at least two books ”The Fugitive Game: Online with Kevin Mitnick (Little Brown & Co, 1997), by Jonathon Littman, and Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw ”By the Man Who Did It (Hyperion, 1996), coauthored by John Markoff and Shimomura.

Figure 8.7: Kevin Mitnick arrest photo

Mitnick served five years in prison before being released on probation in 2000. One stipulation of his release was that Kevin was forbidden to touch a computer for the next three years.

Figure 8.8: Free Kevin Mitnick Web site

Kevin Mitnick's Release Conditions

The Ninth Circuit issued the release conditions in a three-page written opinion.

The conditions of Mitnick's release, as they appeared in United States v. Kevin David Mitnick, CR 96-881-MRP, before the United States District Court for the Central District of California can be found at http://www.techtv.com/ cybercrime /features/jump/0,23009,2110090,00.html.

He was not allowed to own, use, or touch a computer. He wasn't allowed to act as a consultant to anyone who did, or to own or use any altered telephone or wireless communication device.

Talk about the punishment fitting the crime! The most infamous hacker in American history wasn't able to lay a finger on a computer keyboard for almost eight years. On January 20, 2003, Mitnick was released from the conditions of supervised release, which prohibited him from using a computer and from acting as a consultant or advisor in computer- related matters. That day I watched Kevin log on to his girlfriend's website on Tech TV's "The Screensavers." The last time he touched a computer, it was a 486. Now he was surfing the Web on a Pentium 4. What a time warp! I was touched watching it. Kevin claims he turned over a new leaf, and I tend to believe him. He has a heck of a future as a security consultant and speaker, and Mitnick recently wrote a thought-provoking book entitled The Art of Deception: Controlling the Human Element of Security (John Wiley & Sons, 2002).

Figure 8.8: The reformed Kevin Mitnick (left) and Sean "Jinx" Gailey (right) at DEFCON XI ( courtesy Jinx Hackwear)

DEFCON XI Photo Gallery

Hacker Rap

Hacker Art

eBay's Evil Twin ”The Black Hat Cracker Auctions

Stolen creditcard numbers by the tens of thousands are sold on the Web every week, in a handful of membership-only Internet auctions that are a cross between eBay and the stock market. These auctions, in which credit-card prices fluctuate with supply and demand, cost financial institutions billions of dollars each year and indicate how readily personal information is stolen and traded. I didn't attend , but I have it on good authority ” The New York Times ”that an identity-theft convention for stolen creditcard resellers was held in Odessa, Ukraine, in late July 2001. According to one security expert who surreptitiously monitors the Internet creditcard market

It's straight out of Capitalism 101. There are even Web banner ads. The market price of credit cards fluctuates daily based on supply, which is copious . There appears to be an endless supply of stolen credit cards out there! In recent days, the cost of a single credit card has ranged between 40 cents to five dollars, depending on the level of authenticating information provided. But the credit-card numbers are typically offered in bulk, costing $100 for 250 cards to $1,000 for 5,000 cards, for example, with the sellers offering guarantees that the creditcard numbers are valid.

Security experts say the buyers of stolen card numbers hail from all over the world, but the hot spots are the former Soviet Union, Eastern Europe, and Asia ( specifically Malaysia). The buyers use the credit card numbers in a variety of fraudulent activities, including making purchases over the Internet, fencing them in the West, or even extracting cash advances directly from the creditcard accounts. Experts say residents of the former Soviet Union, often in Russia and Ukraine, operate the marketplaces and typically buy the card numbers from black-hat hackers. The crackers obtain the card numbers by breaking into the computer systems of online merchants and getting access to thousands of creditcard records at a time. According to Richard Power, editorial director of the Computer Security Institute, an association of computer security professionals that recently published a report with the Federal Bureau of Investigation on computer crime, "In the old days people robbed stagecoaches and armored trucks . Now they're knocking off servers!"

Registered users in the creditcard auctions generally number around 2,000. Operators frequently change their Web site addresses to avoid detection by law enforcement, but security professionals surreptitiously monitor the auctions anyway. That doesn't mean the bidders are easily caught because they don't use real names or reveal their whereabouts. Payments are made by secure wire transfers through Web sites like http://www.webmoney.ru in Russia. The electronic deposits are then transferred into overseas bank accounts that are extremely difficult to trace. If this whole setup reminds you a bit of eBay or PayPal, it's because they were the original model. There's even a feedback forum, which proves once and for all that there is honor among thieves !

A 19-year-old dealer from Odessa, Ukraine, known as "Script," is considered among the most reliable of the stolen creditcard auctioneers. Here's one of his typical listings: "I'm selling Visa and MC (American cards). The minimal deal size is $40." He also listed a higher price if the deal included the card's CVV2 code, a printed security code that appears on credit cards and is supposed to prevent fraud. Merchants are not supposed to record the code in their databases, but they sometimes do, which means that crackers can get access to this higher level of information.

On the online forum, Script noted that 100 cards with CVV2 codes cost $300. A discussion involving his former buyers then ensued, attesting to his reliability. One buyer wrote, "This guy's always slightly more expensive, but his stuff is good." Another wrote, "This guy is awesome ! He always gave me three times the number of cards I paid for." The endorsements are a surrealistic imitation of feedback forums on legitimate sites such as eBay and Amazon. Imitation is the sincerest form of flattery!

Cyber Terrorists

In April 2001, shortly after the collision between a U.S. spy plane and a Chinese jet fighter that crashed into the South China Sea, killing the Chinese pilot, an all out cyber war erupted between Chinese and American hackers. Following 11 tense days during which China held the 24-member crew of the U.S. surveillance plane in detention, U.S. crackers hacked hundreds of Chinese Web sites, leaving messages like, "We will hate China forever and hack its sites."

In response, the Honker Union (Chinese for Red Hackers ) launched its own electronic graffiti blitz. One Chinese message read, "Don't sell weapons to Taiwan, which is a province of China." A U.S. hacker named pr0phet responded, "I want President Bush to know he is supported in his decision to support Taiwan by almost all the hackers I know." Companies on both sides of the Pacific scrambled to patch security holes. By the time a truce was declared, thousands of Web sites were defaced , which cost millions of dollars to repair.

The top rung of the hacker pyramid is reserved for cyber terrorists. Here's a sobering thought. Each December research giant IDC presents an annual forecast of major technology developments it anticipates in the upcoming year. IDC predicted "a major cyber-terrorism event will disrupt the economy and bring the Internet to its knees for a day or two in 2003. The event could take the form of a denial-of-service attack, a network intrusion, or even a physical attack on key network assets." Only eight months into 2003, IDC's forecast was on the nose! A triple whammy consisting of Sobig.F, the worst mass-mailing computer virus in history, the MSBlast worm (that targets Windows), and Nachi, the so-called " fixer worm" aimed at repairing damage caused by MSBlast, brought the Web to its knees that August. IDC missed the mark on one minor (not so minor) point. The triple whammy brought the Internet to its knees not for a day or two, but for weeks! It caused irreparable damage to countless personal computers. Not only were the financial losses incalculable, as fate would have it, the triple whammy occurred right on the heels of the power grid failure. Make no mistake about it. Cyber terrorism is here! And it has been for a while.

According to a story written by Barton Gellman for the Washington Post in the fall of 2001, just before 9/11, Detective Chris Hsiung of the Mountain View, California police department began investigating a suspicious pattern of surveillance of computer systems in Silicon Valley. Hackers from the Middle East and Southern Asia were exploring the networks used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-tech crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI uncovered a trail of much wider digital reconnaissance. A forensic summary of the investigation, prepared by the Defense Department, said the Bureau found "multiple stakeouts of sites nationwide routed through telecommunications switches in Saudi Arabia, Indonesia, and Pakistan." The intrusions included emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants, and gas facilities. According to Gellman's article, U.S. officials said some probes suggested planning for a conventional attack, while others homed in on digital devices that allow remote control of services such as fire dispatch and equipment pipelines. More information about these devices ”and how to program them ”turned up on Al Qaeda computers seized in 2002, according to law enforcement and national security sources. Did the government overlook yet another piece of the jigsaw puzzle that led to 9/11? Unsettling signs of Al Qaeda's skills in cyberspace have led some security experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument for bloodshed !

The Stench of Cyber Terrorism

Our air traffic control system, banking, Wall Street, and much more are vulnerable to cyber attack. You don't have to be a member of Al Qaeda to be a cyber terrorist, either. You can have financial motivations like the terrorists in the movie Die Hard. Gellman's Post article details a "for-profit" cyber-terrorism plot that's becoming urban legend.

On April 23, 2000, the police stopped a car on the road to Deception Bay in Queensland, Australia. Inside, they discovered a stolen computer and radio transmitter in the possession of the driver, one Vitek Boden. Using commercially available technology, Boden had turned his vehicle into a pirate command center for the entire sewage treatment system spanning Australia's Sunshine Coast. His arrest solved a mystery that had plagued the Maroochy Shire wastewater system for months. Hundreds of thousands of gallons of putrid sludge had leaked into parks, rivers, and the manicured grounds of a Hyatt Regency hotel. Marine life died, the creek water turned black, and the stench was unbearable! The red-faced managers at the sewage treatment facility had no explanation and no control. They were powerless, helpless, and clueless, until the day of Boden's capture!

The Boden case is cited as one of the few documented cases of cyber terrorism, the use of digital controls to damage a physical infrastructure. Security experts around the world have scrutinized it. It turns out Boden had recently quit his job at Hunter Watertech, the supplier of Maroochy Shire's remote control and telemetry equipment. Evidence at his trial suggests Boden was angling for a consulting contract to solve the very problem he caused! This is a tried and true hacker technique. How did he do it? The software on Boden's laptop identified itself as Pumping Station 4, and then suppressed all of the internal system alarms. Boden was the central control system during his intrusions, with unlimited command of 300 SCADA (Supervisory Control And Data Acquisition) nodes governing both sewage and drinking water. Like thousands of other utilities worldwide, Maroochy Shire allows its technicians to remotely operate the facility via digital controls. As an insider, Boden knew how the system worked and the software he used conformed to international standards. Of course, detailed manuals with step-by-step instructions on how to operate SCADA nodes by remote control are also available on the Internet.

Identical SCADA nodes run oil, gas, manufacturing, power, dams, and assorted American utilities. But perhaps the most vulnerable target is the North American power grid, described by Massoud Amin, a mathematician and security consultant, as "the most complex machine ever built!" Electricity has no substitute. Every other infrastructure depends on it. At a security conference hosted by the Commerce Department in April 2002, government and industry scientists agreed they have no idea how the North American power grid would stand up to a cyber attack. What they do know is that white hat mock intrusion teams from the Energy Department's four national labs have devised "eight scenarios for SCADA attack on an electrical power grid." All of them worked! To date, 18 such exercises have been conducted against large regional utilities. Prior to his resignation in 2002, Richard A. Clarke, the Bush Administration's cyber-security advisor, stated bluntly that, "the intruders have always succeeded." U.S. analysts believe that by taking command of an electrical power substation or the floodgates of a reservoir, cyber terrorists could use virtual tools to destroy lives and property in concert with "kinetic weapons" such as explosives. According to Ronald Dick, director of the FBI's National Infrastructure Protection Center, "The event I fear most is a physical attack in conjunction with a successful cyber attack on the responders' 911 system or the power grid!"

Where Were You When the Lights Went Out?

On August 14, 2003 a cascading power grid failure knocked more than 100 power plants, including 22 nuclear reactors, offline. The blackout blanketed 50 million people spanning a 9,300-square-mile radius that stretched from Canada to New England. The lights went out in all five boroughs of New York City and 80 percent of New York State. A million people in New Jersey, 1.4 million Ohioans, 2.4 million customers in Michigan, and tens of millions of Canadians were also in the dark. The chauvinistic cable news networks made Manhattan the epicenter of the story, perhaps because they all have street-level broadcast studios there. I'm certain that victims from Rochester, Cleveland, and Detroit would be appalled by the sort shrift they received if only they could have watched the reportage.

After the restoration of power, President Bush swaggered up to a microphone on his ranch down in Crawford, Texas and called the power grid failure "a wake-up call." Unfortunately, it takes a calamity to wake up most politicians ! Bush apparently didn't heed Richard Clarke, his cyber-security advisor, when Clarke expressed public concerns about the vulnerability of the North American power grid in 2002, 16 months prior to the blackout.

There is still no definitive consensus on why the lights went out that day. After all is said and done, I'll be surprised if it isn't computer related. I'm not inferring it was malicious. It might've been a computer glitch.

Just because it wasn't cyber terrorism doesn't mean it couldn't have been! That's the conclusion most security experts have already drawn from the "Blackout of '03." It was the best "dry run" cyber terrorists could have gotten. If they planned it themselves , they couldn't have planned it better!