Digital Dillinger


The information security professional who is attempting to keep systems available, and to maintain the confidentiality and integrity of the information they contain, takes a somewhat different view of these hackers. These are attacks against systems, networks, and information. They are attacks against the profits of the company and the productivity of its employees. There is nothing noble about it; they are criminal acts which require a judicial response.

Theft of Information

A hacker may want to steal information for himself, or to prove to someone that he can do it, or to sell the information for profit. Today, information is money. Every day more money changes hands electronically than in currency. The electronic funds transfer network is an inviting target but has remained very secure. Hackers will generally target easier systems. Criminals have found a variety of interesting ways to use computers to facilitate their access to financial information. They intercept bank card numbers and PIN numbers and acquire personal information, such as a Social Security number or mother's maiden name, and use this information to impersonate their victim to get access to their victim's accounts. This information can be converted directly into money.

Suzanne Scheller, while she was a financial institution employee, accessed the financial institution computer system and searched for potential customers for a friend who was starting a real estate business. After identifying prospects, she then provided the friend with the customer account information. She admitted that she knew her unauthorized access was against the policy of the financial institution. The investigation established that some of the information provided was actually used by another individual unknown to her as part of an identity theft scheme. Imposters used the customer account information to steal the identity of the customers and conduct transactions at the financial institution.

Two of the imposters in the identity theft/bank fraud scheme have previously pled guilty and have been sentenced. Scheller was sentenced to a term of thirty-six months' probation, in connection with obtaining confidential customer account information and providing it to another individual outside the financial institution. [32]

[32] "Former Financial Institution Employee Sentenced for Unauthorized Computer Access to Customer Account Information in Latest Bank Fraud/Identity Theft Prosecutions," U.S. Department of Justice Press Release, 30 November 2001.

Software Piracy

Theft of software, or software piracy as it is called, is a major concern for companies who are in the business of producing commercial software. However, this is only one aspect of software theft; many organizations that do not produce software commercially still produce software for internal use. The production of this software is expensive and represents a large number of jobs. Often this software offers a competitive advantage to a company by being part of the organization's processes that make it more efficient, profitable, or unique. Other companies are hindered by the costs of producing comparable software.

Many organizations' secrets are contained not only in the information they have, but are also imbedded in the software that they have created internally. Theft of an organization's proprietary software can disclose some of the organization's most private secrets. This theft may also deprive the organization of the ability to use the software if the original copy is destroyed in the process of the theft, leading to an inability to continue to do business.

Chung-Yuh Soong, a software engineer who worked for Kodak for a year before resigning, was accused of transmitting several large data files containing software programs used in Kodak digital cameras and other digital devices listed as "highly confidential" to a Xerox computer in California, just days before she left Kodak. According to court documents, the alleged theft was discovered because the data being transmitted was so large that it crashed a Kodak server and alerted the company's computer-security system.

Soong, 37, was charged in federal court with wire fraud related to interstate transfer of Kodak's software and has also been sued by Kodak in civil court for misappropriation of trade secrets. Kodak said it did not know who the files were intended for and where precisely they ended up. Soong's lawyer maintains she was sending them for safekeeping to her sister, who works for Xerox, and had no intention of passing them on to the copier company or anyone else. [33]

[33] "Kodak Sues Former Employee," Counterintelligence News & Developments, September 1998.

Theft of software costs more than the cost of the software. It impacts the ability of the business to remain solvent and it affects jobs and people's lives.

Theft of Resources

Theft of resources may be difficult to prove to a court of law's satisfaction. There have been some cases where the hacker has been released because the prosecution was unable to prove the value of the lost resources. This is one of the hackers' favorite justifications. A hacker will say he is using only unused resources, and since they are spare and were not going to be used he did not actually steal anything since no one suffered any loss. There are many reasons that a hacker might have for wanting to use your resources. It may be for personal gain, or to enable his hacking activities.

Raymond Torricelli admitted that he was a computer hacker, known as "rolex," and a member of a hacking organization known as "#conflict." Operating from his residence, he used his personal computer to run programs designed to search the Internet, and seek out computers that were vulnerable to intrusion. Once such computers were located, he obtained unauthorized access to the computers by uploading a program that allowed him to gain complete access to all of a computer's functions.

Torricelli accessed computers owned by National Aeronautics and Space Administration (NASA), Jet Propulsion Laboratory (JPL), and San Jose State University. After gaining unauthorized access to the computers and loading a hostile program, he used many of the computers to host chat-room discussions. Torricelli admitted that in these discussions, he invited other chat participants to visit a website that enabled them to view pornographic images and that he earned 18 cents for each visit a person made to that website. Torricelli earned approximately $300-400 per week from this activity. [34]

[34] "Hacker Sentenced for Breaking into Computer Maintained by NASA," NASA Office of Inspector General News Release, 18 September 2001.

Compromising Systems

The earliest illegal conduct was gaining access to systems without permission. Often these hackers think it's harmless since they usually don't "do" anything besides go in and look around. However, they do consume resources, such as network bandwidth and computing power, and can inadvertently cause damage. Most of the time hackers will leave a back door into the system so they can return at any time without concern for security measures.

Compromised systems cost organizations even if the hacker did not cause any damage. The organizations have to spend resources determining the extent of the damage whether there is any damage or not. They have to determine how the system was compromised and repair the system to prevent further compromises. All of these activities take a great deal of time and manpower.

Today, it is rare that a compromised system has no damage. Most hackers immediately apply a "rootkit" which changes the system's software so that it does not report the presence of the hacker or his tools. Even the most benign hackers want to "own" the system (i.e., to have super user privileges so they can completely control the system). Many of these are "collectors" wanting to "own" as many systems as possible to prove their power. These hackers may also have motives which are not as friendly.

Jason Allen Diekman, who had already pled guilty to hacking into NASA computers and using stolen credit card numbers to purchase electronic equipment, was arrested a few months later for hacking into more computers and attempting to commit wire fraud.

Diekman used his personal computer at home to gain unauthorized access to computers at Oregon State University (OSU) in Corvallis, Oregon. He hacked into the university's computers 33 times in three months. Using the account of an OSU student to gain access to the school's computer system, he stored computer programs on the school's computer to control Internet Relay Chat channels. Additionally, individuals affiliated with him attempted to make three wire transfers to him through Western Union, but Western Union stopped the transactions. [35]

[35] "Hacker Sentenced," NASA Office of Inspector General News Release, 5 February 2002.

Website Vandalism

Website vandalism has become the most visible of attacks. Dozens of websites are defaced daily. Stolen passwords account for most, but software vulnerabilities are also a significant cause. Compromised websites are often used as bragging rights. Both the number of sites and the visibility of the website are important to the prestige of the compromise. Sometimes website attacks are launching points to other systems or an attempt to compromise an e-commerce site, but most times defacing the website is the goal.

Websites are generally selected because of the ability to exploit the system, but websites are also targeted because of their visibility or because of the organization whose site it is. Hacktivism, which includes defacing websites of organizations with whom the hacktivist has issues or posting political or social messages on compromised websites, is becoming more common. Website vandalism has been growing by leaps and bounds.

One of the most predominant sections of the Attrition.com website has been the defacement mirror. What began as a small collection of website defacement mirrors soon turned into a near 24/7 chore of keeping it up to date. In one month, the company experienced single days of mirroring over 100 defaced websites, over three times the total for 1995 and 1996 combined. With the rapid increase in web defacement activity, there are times when it requires them to take mirrors for four or five hours straight to catch up. Add to that the scripts and utilities needed to keep the mirror updated, statistics generated, and mail lists maintained, and the time required for basic functionality is immense. [36]

[36] "ATTRITION: Evolution," Attrition.org Press Release, 21 May 2001.


Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
