As I type this article, there is a significant effort under way to track down two individuals. Both “Maxus” and “Curador” are wanted by several law enforcement agencies, most notably the Federal Bureau of Investigation (FBI). Each person has committed a crime involving unauthorized computer access. Unlike many ‘hacker’ cases, the media has grabbed hold of these two stories because of the nature of the crimes. Most computer intruders silently break into large companies or deface government and military web pages. In these two cases, each has surreptitiously copied large credit card databases from commercial sites and posted pieces of the information to public web sites.
Each vandal has found a vulnerability in a major online site that handles financial transactions via customer credit cards. Online shoppers browse their virtual stores in search of good deals, enjoying the convenience of not leaving their home. As shoppers find what they are looking for, each takes the time to send in their credit card number, billing address and other personal information. The mechanism that carries this sensitive information from desktop to virtual store is almost always secure. Protected by casual encryption, it prevents would-be snoopers from seeing the information as it passes from one point to another in its travel to the store.
The real threat to your personal information comes after it has landed on the remote server. Once outside of the protected layer between desktop browser and remote web server, the information must be stored somewhere. A surprising number of these virtual stores are not aware of the ‘hacker’ threat, or choose to ignore it. This is seen on a daily basis as site after site is compromised and their web pages defaced. Ignoring this threat often leads to little or no protection of the sensitive data. Huge databases of personal credit information and private billing data are collected, and left in plain text format on the remote server. The first intruder gaining illicit access to the company’s server can read everything, just as fast as their modem can download it.
“Maxus” and “Curador” have done just that in recent weeks. Shortly after compromising these systems, each has turned to free web space providers like Geocities, Tripod and AntiOnline to post web pages that include thousands of these compromised credit cards. Their message? Essentially “Secure your sites, I’ve proven I hacked you.” Law enforcement and media outlets picked up on these events as they usually do. The problem is that each seem to have lost focus of where to place blame, and who is really guilty.
If you were to walk up to an ATM machine and find that with a few extra buttons you could display the account information for any bank customer, would you be surprised? Would you consider yourself a criminal for your actions? What if you posted an anonymous note next to the ATM for everyone to read, explaining what you had discovered and demanded that the bank take action? The FBI and the press would condemn you for your actions. If they stuck to the same principals for reporting the actions of “Maxus” and “Curador”, they would brand you a dangerous criminal guilty of millions of dollars of damage. Meanwhile the bank you exploited would cry to the FBI that they were under attack by unscrupulous individuals hellbent on hurting their institution.
I think it is safe to say that the ATM example would be treated quite differently. An FBI driven manhunt would not be underway to find you, the media would not be intent on discovering your identity. Yet in the virtual world, that is the primary focus of their attention. The disparity in response to virtual verse real world crime is not new by any means. Looking beyond the response to such crimes, one has to wonder why these vulnerable online sites are not held accountable for their negligent actions. By storing the sensitive information on vulnerable servers, without using any sort of encryption or protection, they are often making it so any casual Internet user can view it. In some cases, these vulnerabilities are nothing more than supplying the wrong information to the site.
Vulnerable online sites are costing credit card companies and citizens a considerable amount of money as well as being responsible for many a headache. I have no doubt that current damage estimates for these two incidents will climb into the millions of dollars. Despite this, there are no public outcries condemning these sites for their actions. There are few laws in place to protect the consumers doing business with these companies. There are no fines or penalties imposed on the negligent sites, and no guarantees they will fix the problems once the ‘hacker’ is caught.
Due to the slow pace of creating and passing new laws to protect consumers, we must turn to another mechanism in holding these companies responsible. The obvious solution to this problem is for the large credit card agencies like Visa, Mastercard and American Express to quit doing business with negligent companies. By cutting off a major revenue source, this would force companies to maintain secure web sites and better protect consumer privacy. The real incentive for such action is the prevention of similar incidents in the future. Having to change thousands of credit card numbers, deal with any resulting fraud, and loss of public confidence is a high price to pay.
While the need to punish those who publish private information exists, the real culprit in many of these cases gets to move on without so much as a stern lecture. In their quest for profit, they are willing to step on the customers and their privacy if needed. Until some form of accountability is placed on these companies, they will continue to get away with what should be a serious crime.
I began writing this article almost one year ago, after the onslaught of smurf attacks being launched against various networks throughout the Internet. At the time, the newly discovered Denial of Service (DoS) attack was a crippling tool designed for one purpose; remotely disabling machines by flooding them with more traffic than they could handle. The smurf attack was the first well known (and well abused) DoS attack that could effectively cripple any network, regardless of size or bandwidth. This presented a new problem to network administrators and security personnel worldwide.
Also known as Network Saturation Attacks or Bandwidth Consumption Attacks, the new breed of DoS attacks flood a remote network with an staggering amount of traffic. Routers and servers targeted would go into overdrive attempting to route or handle each packet as it came in. As the network receives more and more of these illegitimate packets, it quickly begins to cause legitimate traffic like web and mail to be denied. In minutes, all network activity is shut down as the attack consumes all available network resources.
Prior to bandwidth consumption attacks, most DoS attacks involved sending very few malformed packets to a remote server that would cause it to crash. This occurred because of bugs in the way many servers handled the malformed packets. Malformed packets (also known as Magic Packets) consisted of network protocol options that were out of sequence, improperly matched, or too large. As a result, a server receiving these packets had no rules or guidelines dictating how it should behave when processing the malformed packet. The result was a system panic or crash that would basically shut the machine down or force it to reboot. Perhaps the most well known example of this type of attack is the WinNuke attack.
Regardless of ethics or motives, Magic Packet DoS attacks showed an inkling of grace in their execution. A single packet sent from one server to another, causing it to crash or reboot was a targeted attack. The precision with which this type of attack is carried out is analogous to a scalpel in surgery. Network consumption attacks on the other hand involve millions of packets. Worse, once launched the attack was no respecter of those standing between the launch point and the target network. Often times thousands of customers sharing bandwidth with the target would be adversely affected as well. A single attack of this nature had the ability to knock thousands of machines off the Internet in a single swoop. Such attacks are the equivalent of using a broadsword to do surgery.
The Next Generation
Attacks like the smurf DoS have a cascading affect that can be seen as a virtual avalanche. The starting point is nothing more than a few pebbles and snowballs (packets). As they travel downhill (along the path of routers to the target), they accumulate more mass and trigger the release of more pebbles. By the time the falling material hits the bottom of the mountain (the target), it is swamped in large amounts of snow and rocks. Despite the effectiveness of this attack, there is a single point from which the attack is launched. If an attack is detected early enough, it is possible to filter out the offending packets before they leave the original network.
The next generation of Denial of Service attacks are known as Distributed Denial of Service (DDoS) attacks. Expanding on the idea of network saturation attacks, DDoS effectively does the same thing but utilizes several launch points. The philosophy and objective of this is twofold. First, if a single machine being used to launch an attack is discovered and disabled, the overall attack proceeds with near full force. Second, by utilizing several launch points on different networks, an attacker is able to shut down larger networks that might not otherwise be affected by a single flood.
Taking Down the Big Boys
Prior to launching this form of DDoS flood, the attacker must first compromise various hosts on different networks. The more networks and machines used as launch points, the more potent the attack. Once each host had been broken into, they would install a DDoS client program on the machine that would sit ready to attack. Once the network of compromised servers was configured with the new client program, the attacker could send a quick command from the DDoS server software triggering each machine to launch an attack.
Until this last wave of DDoS attacks, it was generally assumed that hosts residing on large pipes (connections with incredible bandwidth) could not be seriously affected by network saturation attacks. As large Internet Service Providers (ISPs) are finding out, this is no longer the case. By using several smaller network connections, an attacker can eventually saturate the biggest ISPs and consume all of their bandwidth. This was demonstrated most effectively with the three hour shutdown Yahoo, and subsequent attacks against eBay, Amazon, Buy.com and other large scale web sites.
Difficulty in Tracking
Neophytes to networking always seem to question why these attacks are not tracked down, and the legs of the perpetrator not broken. It is a rare case to see ISPs interested in tracking down the individual(s) behind these attacks. Rather than take the time and effort to perform an investigation (which is lengthy), most ISPs realize that a quick filter denying ALL traffic to the site being attacked is a better solution. In essence, the ISP does the job of the person launching the attack and does it much more efficiently. As you can imagine, that is not exactly a deterrent for those committing these attacks.
One of the primary reasons investigations of DoS attacks is lengthy is it involves tracking down the packets hitting the target. Rather than leave the launch point with the IP address of the machine actually being used, the packets are tagged with forged source IP addresses. Since the IP information in each packet varies wildly, and since the addresses cannot be trusted, a network administrator must trace the packets back to the source one router at a time. This involves connecting to the router (often times this must be done at the physical console for security reasons), setting up a filter or sniffer to detect where the packets are coming from before arriving at that particular router, and then move to the new offending router. This presents problems when you consider a single packet may cross as many as thirty routers owned by ten different companies.
The act of forging the source IP of a packet is called IP Spoofing and is the basis for a wide variety of network attacks. One of the original intentions of a Denial of Service attack was to knock a machine off the network in order for you to assume it’s identity. Once you masquerade as that machine, it is possible to intercept traffic intended for it as well as gain access to other machines on the target network via trusted host relationships. Attackers today seem to have lost all focus on the reason one would committ a DoS attack.
Save The Day Already!
Denial of Service attacks are not new. They have existed in one form or another since computers were invented. In the past they involved consuming resources like disk drive space, memory or CPU cycles. Those not familiar with how computers operate often scream for quick solutions to the various DoS attacks that plague our networks. Unfortunately, this is easier said than done.
Every weekday morning and afternoon millions of Americans go to and from work. They pile on to two and four lane freeways only to move at a crawl. Travelling ten miles in one hour is a common occurrence for those fighting rush hour traffic in heavily trafficked areas of business districts in cities across the nation. Every day they carry out this ritual, screaming and cursing the thousands of other drivers clogging the roads, and day after day the problem does not fix itself. Be it packets or cars, it is very well established that enough of either will overcrowd a road or network connection. At a given point, too many of either will bring all traffic to a standstill. Why isn’t the traffic problem solved? We all know the solution is bigger and better roads, more carpooling, diverse schedules, and more common sense when behind the wheel. Fat chance that will happen anytime soon. On the flip side, it is very unlikely that they will fix every router on every network and install mechanisms to help avoid network saturation attacks.
In the long run, it is a rather simple fix that could help eliminate these attacks. Any network device that accepts or passes network traffic can be designed to monitor activity better. If a web server is receiving too many hits, it starts rejecting new connections so that existing connections can still view pages or interact with the site. This practice is called throttling or bandwidth limiting and is designed to prevent excessive connections, conserve resources and keep things operating correctly. Unfortunately, this philosophy has not carried over to routers (the machines that pass all internet traffic) so network consumption attacks go on unchecked. A relatively few amount of networks have learned this is a good solution to flood attacks. As such, their routers are designed to monitor traffic and quit passing illegitimate traffic once detected. The problem with this approach is that once the flood of packets have hit the remote network, the damage is done. The downside to this mechanism is the added latency as the router checks each and every packet that passes through it. Because of this slowdown, ISPs hesitate implementing this solution.
In order to make connection throttling effective, every network router should have this mechanism implemented. This would allow a router close to the source of the attack to detect the illicit traffic and put up a filter that rejected it before it left the launch point. This invariably leads to the question “How do you know if traffic is illegitimate?” Looking back to the section on IP spoofing, we can easily create a quick solution to the problem. In fact, this mechanism is found in most Firewalls implemented today.
In the diagram above, we show a forged packet with the IP address of 220.127.116.11. It stands to reason that such a packet would not legitimately be travelling around a network designated by the 1.2.3.x subnet. Because of this, any router on that network (especially the one acting as a gateway to the outside world) receiving that packet should drop it. Instead of blindly passing the packet on without question, routers should discriminate against suspicious packets by refusing to pass them on to the next router and setting off some kind of alarm for the administrator.
A second mechanism can be put into place that would help cut down on these attacks. On any given day, there is an average amount of traffic passed through any router. By monitoring these averages and applying other common sense rules, routers could be made to throttle heavily increased traffic. For example, if a router detected a sudden surge in traffic to a destination machine in which every packet claims to originate from a different IP address, that is a good sign of a saturation attack using spoofed packets. Rather than pass that traffic down the network, the router should throttle the traffic to avoid the likely flood that will ensue.
As stated many times before, easier said than done. Implementing these features falls on the many vendors of routers. Using these routers on production networks on the open Internet is up to the tens of thousands of companies maintaining a presence on the Internet. These upgrades cost time and money, something companies hesitate to invest; until the first time they are on the receiving end of such an attack. Like most security incidents, companies tend to implement reactive security measures, rarely proactive measures.
Why Ask Why?
Somewhere along the way, everyone wants to know why such attacks are carried out. Using the recent series of attacks against Yahoo, eBay and others is just as good example as any. To quash the distant hopes of a reasonable explanation, “There is no good reason!“.
Consider that your typical DDoS attack affects hundreds (if not thousands) of machines, on a wide variety of networks. The single purpose of the attack is to cripple or shut down the target site so that it can not receive legitimate traffic. There are only a handful of reasons for doing it at all, none of which are reasonable or justifiable. In other words, DoS attacks are worthless and childish.
The first reason with perhaps the longest history is simple revenge. Some site out there wronged you in some way. Perhaps they spammed you, stopped hosting the free web pages they provided for you, fired your father or committed some other transgression. DoS attacks are a form of virtual revenge, especially against companies doing business over the Internet. The primary argument here is that these attacks cause problems for a number of ISPs, other customers who share bandwidth with the target, as well as the satisfied customers of the site. This goes back to the broadsword vs scalpel analogy.
The second reason has become rather trendy with novice script kiddies, second rate web page defacers, and those under the illusion they are part of the professional security community. “I did it to prove the system was vulnerable!” This is perhaps the most pathetic justification for launching a DoS attack. To many, this is no different than the attacker setting off a large nuclear device right next to a corporate server and then proclaiming “See! This can impact your operations!” Of course it can, this has been proven a hundred times over.
The third reason I can come up with falls back to playground rules. “If I can’t play kickball, I’ll throw the ball on the roof so no one else can play either!” This third grade mentality is far from justification of such attacks. Those wishing to exact some form of punishment against a site should consider the diminished intellect required to launch these attacks. There are better ways to deal with mean companies.
Three types of people deserve the brunt of harsh insults and petty name calling. Each are responsible for this problem plaguing Internet users, and each could do their part to help stop it.
Each individual that carries out a DoS attack does so knowing full well what it could result in if they are caught. Practically nothing. There is precious little to deter someone from carrying out such vicious attacks. The very few times administrators put effort into tracking down a malicious user it results in them getting ousted from the ISP. The next day, the offending user is back online accessing the Internet via another ISP. Until the attack against Yahoo, the Federal Bureau of Investigation (FBI) was not concerned over these attacks. To date, the FBI has not managed to apprehend the perpetrator of a devastating DoS attack against their own home page (www.fbi.gov). For one reason or another they were seen as an annoyance, not a reason for loss of business. Law Enforcement needs to take a bigger interest in DoS attacks and start to punish those responsible. These types of attacks should take any competent law enforcement agent a few hours of tracking and maybe a handful of legitimate warrants.
Like the FBI, ISPs receiving these attacks need to take more proactive steps in preventing DoS attacks. When they do occur, ISPs should also take more time in tracking down the offending users and passing on the information to appropriate law enforcement. Rather than silently kicking them off the Internet for a day, taking a more active and public stance showing that malicious activity will not be tolerated would have a better effect. Those ISPs scared of retaliation need to remember that they are in the best position to stop the attackers.
Last, the pathetic kids (literally and figuratively) committing these attacks. In many cases, these attacks are launched with mystical scripts written in foreign languages and just produce the desired affect. There is no grace, no skill, and no intellect behind these attacks. You are not a hacker and you do not deserve respect for your childish actions. You are no better than the twisted individuals who spray a crowd of innocent bystanders with a machine gun, only to nick your intended target. If you can’t express yourself better than a saturation attack, and can’t deal with being called a name or wronged somehow, seek help offline. You sorely need it.
As you read this, an unusual legal case history is being established around the prosecution of computer crime. Because computer crime is still a relatively new aspect in the arena of law and prosecution, each and every case sets important precedent that will be called on in upcoming cases. The growing concern by many people seems to be the drastic nature of punishments being levied against computer intrusions. Not only are the punishments not seeming to fit the crime, there is little consistency in the legal system’s application of punishment to these people.
Previous articles have pointed out the disturbing trends in damage figures which directly affect sentencing in these cases. Unfortunately, the emerging problem seems to go well beyond suspicious damage figures. It is difficult to say exactly why the punishment for computer crime is so severe. Some people speculate it is the public perception of hacking and the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it is nothing more than sacrificial lambs taking the brunt of public outcry. Others feel it can’t be logically explained. I think the best answer is that computer crime is still shocking society, which overreacts in response.
The immediate disparity can be seen when comparing the sentencing between computer and non-computer crimes. While more traditional and material crimes like assault, burglary and murder are receiving what seems like light sentences, computer crime convicts are becoming the bearers of exceptionally stiff and smothering sentences. Not only are the prison sentences extraordinarily lengthy, the terms of probation are baffling and rough. Instead of a probation that encourages reform and nurtures a good life better than the previous life of crime, it thrusts the convicted into a life of poverty and despair.
Shortly after the new year, I was watching the news in a New York hotel and caught the follow-up of a story begun some two to three years prior. The news went on to say that a 21-year-old man convicted of killing his baby was being released after two years of prison. He and his wife and killed their infant some three years age, and his prison term was two years. Surely this is one case that slipped through our justice system and let these killers off easy? A quick search yields that this is not necessarily uncommon. Patrick Jack served a two-year sentence for manslaughter after stabbing Francis Sunjay Weber with a pair of scissors. Another article that discusses short sentences mentions yet another case in which a 17-year-old Marysville girl was shot and killed. Her killer was in turn sentenced to 27 months in prison for his crime. These cases make me wonder about the effectiveness of our legal system.
On the flip side, two recent computer crime cases perfectly illustrate the baffling seriousness and resulting prison time that now accompanies computer crime. Eric Burns recently pled guilty to ONE felony count of computer intrusion, and took the blame for the defacement of the White House web page. For his confessed crimes, he was sentenced to a $36,240 fine and 15 months in prison. A second longer story unfolded recently, telling us of a small group of hackers known as the Phone Masters who wielded amazing control of computers and phone networks. One of the individuals, Corey Lindsley, was sentenced to 41 months in prison for his 2 felony counts. The last comparison is the infamous Kevin Mitnick saga in which Mitnick spent a total of 5 years in jail and prison for what ended up being five felony counts of computer related crimes.
What should be noted is the comparison of crimes. Burns’ single felony is basically nothing more than high tech graffiti, a sort of digital spray paint on a federal building. What would that crime fetch for a sentence if done in the real world? Certainly not fifteen months of prison. Manslaughter can fetch as low as two years of prison time, while Lindsley and Mitnick sit in federal prison for four and five years respectively. This disparity is hard to believe considering the gruesome nature of manslaughter and killing a young baby as compared to altering the web page of an Internet web site.
Conditions of Probation
Even if you could dismiss the harsh penalty for relatively minor crimes, you would then face another practice that is becoming all too common with computer crime. After subjecting computer intruders to the long trial, large fines and lengthy jail terms, the real injustice occurs. It is not uncommon for people to be put on probation for one to five years for any felony conviction. I think it is fair to say that a probation term of two to three years is a sound average. Probation terms for most crimes are generally the same, preventing convicts from certain behavior and actions that are not appropriate. Some of these terms are not associating with known criminals, possessing weapons, use of drugs, and more. One thing about these terms are they tend to be generally the same with little variation based on crime.
For those convicted of computer crime, the probation guidelines are quite different. A quick review of the terms and conditions of Kevin Mitnick’s probation bring on a whole new set of computer crime specific terms:
Absent prior express written approval from the Probation Officer, the Petitioner shall not possess or use, for any purpose, the following: 1. any computer hardware equipment; 2. any computer software programs; 3. modems; 4. any computer related peripheral or support equipment; 5. portable laptop computer, ‘personal information assistants,’ and derivatives; 6. cellular telephones; 7. televisions or other instruments of communication equipped with online, Internet, World-Wide Web or other computer network access; 8. any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a ‘land line’ telephone); B. The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be employed in any capacity wherein he has access to computers or computer related equipment or software; C. The defendant shall not access computers, computer networks or other forms of wireless communications himself or through third parties; D. The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer related activity; E. The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes or other access devices that enable the defendant to use, acquire, exchange or alter information in a computer or telecommunications database system; F. The defendant shall not use any data encryption device, program or technique for computers; G. The defendant shall not alter or possess any altered telephone, telephone equipment or any other communications related equipment.
Reading these, one can begin to see how this limits a convicted computer intruder in life after prison. Some argue that as convicted felons, who cares? They are getting what they deserve. Perhaps that is true, but why don’t murderers and rapists receive special terms for their probation that might be deemed appropriate? Some of the few crimes that receive no special terms?
Forgery — Convicted forgers are not banned from pens, paper and other devices that help commit the crime. Vehicular Manslaughter and other crimes involving motor vehicles — These people do not lose their driver’s license or the ability to own and operate cars or trucks. Sex Crimes – Except in extreme cases of recidivistic offenders, convicted rapists and pedophiles are not forbidden from pornography or other stimuli said to influence or encourage their behavior. Counterfeiting — Convicted counterfeiters are not forbidden from using currency, nor forbidden from working jobs with cash or banned from a wide variety of activities that may influence them.
The purpose of incarceration and the following probation is to punish and rehabilitate the convict. Probation specifically is geared to help push the criminal into a structured life without influences that may lead to their return to a life of crime. However, in the case of computer crime the probation guidelines do a lot more than discourage further computer crime. Some of the few acts they will be banned from:
Sending a letter to a Senator via e-mail or using a word processor
Playing a video arcade game or personal entertainment system like Sega or Nintendo
Calling his family on a cellular telephone
Working in any industry (including fast food) as they all rely on computers, even for cash transactions (cash registers)
Working as a custodian in any business that has computers on premises
Working as a teacher, instructor, consultant, or advisor to any company that owns or operates a single computer device
Writing any type of computer software program (even using merely a pen and paper)
Accessing a public library’s computerized card catalog.
Using computerized information services found at airports and shopping malls that give directions and customer information
Accessing any information via phone and voice mail/prompt system (including bank account information, car insurance and more)
Surprising as it seems, all of the above become illegal to most people on probation for computer crimes. Imagine living for three years with those restrictions hovering over you. Is this really a good guideline to get you back on the right track and lead a good life without bad influence? Or is this a well lit path encouraging you to break the terms of probation and risk more prison time?
If you are thrust into society after a lengthy prison sentence, stripped of opportunity to work in the one field you previously excelled in, what options does that leave? Unable to work in most modern and computerized jobs, unable to work near computers, it leaves the convict with several years of difficult living at below poverty level. Hardly the rehabilitation that was intended or needed.
The Tip of the Iceberg
The story of Chris Lamprecht still remains in the depths of news sites. In 1995 Lamprecht was sentenced to a 70-month prison sentence for money laundering. He did not plead to or get convicted of any computer related crimes. Despite this, Federal Judge Sam Sparks imposed the same “no computer” probation on Lamprecht at the request of the District Attorney. This seems to be an equivalent of being banned from restaurants because you ate dinner before breaking and entering.
Recouping Your Tax Dollars
It is well established that those caught and convicted of any crime are subjected to restitution. The amount is typically arrived at by calculating the damage figures against the victim(s). If a bike worth one hundred dollars was stolen, the criminal could be ordered to pay restitution that included the cost of the bike, court fees the victim paid for, emotional distress, etc. One thing that has not historically been factored in is the cost of the investigation or the time and effort of the officers involved in solving the crime. Apparently the money associated with the law enforcement efforts was not a factor for one reason or another.
Once again, when computer crime enters the equation, circumstances seem to change. In May of 1997, Wendell Dingus was sentenced by a federal court to six months of home monitoring for computer crime activity. Among the systems he admitted to attacking were the U.S. Air Force, NASA and Vanderbilt University. What is different about this case is the court’s order for Dingus to repay $40,000 in restitution to the Air Force Information Warfare Center (AFIWC) for their time and effort in helping to track him.
It is odd that the court systems are now levying punishments for computer crimes not based on the damage that was actually done, rather it is based on the amount of time, money and resources required to track down or fix the system’s vulnerability. Worse, they are then lumping on time and resources required to (belatedly) create pro-active preventative measures from future intrusions, something that should have been done in the first place. So the system intruder is now responsible for future intrusions, yet the administrators were not in the first place?
When the police or FBI catch up to a robber, defrauder or murderer, they are charged and punished for their crimes. It is generally unheard of for these criminals to receive punishments and fines based on the efforts of the law enforcement tracking them down. Think of how much time and resources the FBI put into tracking down a serial killer that has been roaming our country for years. How many air plane trips, car rentals, hotels, overtime, examination and forensic equipment, food reimbursement and who knows what else do our tax dollars go to pay for? Why aren’t these levied against the criminal like they are now starting to do with computer crime?
One difficult aspect that creeps back into computer crime cases is the blanket laws covering a wide variety of people and activities. As a computer crime investigator brought up in a conversation recently, a homicide typically affects a family, friends and perhaps a small community, while a concentrated computer attack could affect the lives of thousands of people or more. There are certainly exceptions to each type of crime but in general, that statement seems to be reasonable. The bottom line is that more consistency needs to be developed between traditional crimes and computer crimes.
In Texas, it is a Class B misdemeanor for graffiti if the damage is less than $500. In reality, most Web page defacements done today can be recovered from and dealt with for less than $500. Anyone saying otherwise is likely to be the consultant profiting heavily at your expense. So why is it that a young kid who spray paints a wall gets hit with a small fine, and a young kid who spray paints a Web site gets fifteen months in jail and tens of thousands of dollars in fines?
I think it is time for the media to quit hyping up computer crimes and introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to bring to ‘hacker’ stories. The legal system needs to give a serious look at the disparity in how they handle various crimes. I think it is pretty obvious that something is wrong when a knife wielding murderer does less time than a keyboard wielding fourteen-year-old.
[This was originally published on eEye.com and mirrored on attrition.org.]
As a security consultant, I get a lot of e-mail about every topic in the security arena. Running a popular mail list, I tend to get more than most, especially with new product advertisements. For the most part I give them a once over before deleting them, just to keep up with the latest names in the field. Every once in a while one will strike me as odd or noteworthy for one reason or another. Some grate against every last nerve in my body and lead to rantings I call articles.
On November 26, 1999 I received mail about a new Windows NT security scanner. I shared this with a colleague who quickly shared his frustration in reading product announcements like this. We both see eye to eye on marketing hype, especially hype revolving around the hysteria that hackers will invade your server, delete your files, and kick your dog. The solution is always the product being advertised which always seems to have been invented by ethical hackers or anti-hacker experts. Nothing is invented by ‘security professionals’ anymore. Looking at the email, something jumped out: (names have been left out as this is a bigger problem than a single company)
xxxxxxx SOFTWARE - xxxx: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
Plug NT's holes before they plug you. There are many hundreds of known
NT vulnerabilities. New ones are found daily. You just have to protect
your LAN _before_ it gets attacked. xxxx is a new tool that solves your
NT security exposure in a completely unique fashion. xxxx is not just a
shrink-wrap product. It comes with a responsive web-update service and
a dedicated Pro xxxx team that helps you to hunt down and kill Security
holes. Originally built by anti-hacker experts for Secure Government
sites. Download a demo copy before you become a statistic.
One line jumped out at me:
“Originally built by anti-hacker experts for Secure Government sites.”
This one simple line says so much more. Unfortunately for them, it says many a negative thing and leads to more questions and harder earned trust. What seemed like a good marketing line then often ends up doing more damage than they could imagine. Security professionals are often cynical and skeptics by nature. As such, they read into the small details as their profession often demands. Sentences like this make us wonder if they are just lying about a product’s origin, or do they realize this undermines the integrity of their product. Either way, the company loses.
“Originally built by” leads to an obvious question. Who builds and maintains it now if not the ‘anti-hacker experts’ that originally did? A common tactic adopted by many companies in and out of the security field is to hire well known and highly respected professionals to build a team/practice/product/company. Once a solid name and positive reputation are built, they move on to bigger and better pastures. The minute they leave, a new world evolves leaving the team-product in different hands. Often times the deep impact of the salary or fee required to bring in the big names is seen in the low pay of the second wave. That low pay often translates into low skill as well.
“anti-hacker experts” makes you wonder if they mean experts in anti-hacker ways such as firewalls and security mechanisms. Or perhaps they mean experts on hackers which in turn makes them ‘anti hacker’ and this is just the blend of words to convey that idea. The use of “anti-hacker” suggests they mean something other than “security experts” so we can conclude their original product designers were “anti-hacker” in the sense that they knew hackers, their techniques, their philosophy and more. Anyone with passing familiarity of hackers and security would quickly doubt this claim. Every group or article or company that claims to be an expert on hackers tend to disagree with one another. A general lack of information or ability to adequately address the problem suggests these people are far from experts when it comes to hackers.
“for Secure Government sites” is a very curious conclusion to the sentence. Why is ‘Secure Government’ capitalized? Is it some indication they are referring to specific machines with a particular named designation? That seems to make no sense. Perhaps the marketing department was over anxious in emphasis of their product. Running with that idea, we can assume they mean “secure government sites”. Once again, this is a curious claim. If they are talking about proven secure machines utilized by our government, why not call them by name? “for SIPRnet” has a much better sound and at least makes it sound more legitimate. But they can’t claim that if it isn’t true, because it is a specific network with a well documented trail of who worked on it. So they must mean secure government servers in general. This claim is purely absurd as we see dozens of government and military computers compromised each week. The illusion that the government must run secure servers has been resigned to nothing more than jokes told by hackers and security consultants alike. This claim is more amusing when looking at a list of the government servers that have been defaced, along with what operating system they were running at the time.
Yes, this seems like an awful lot to read into a single line of some product advertisement. However, for those involved in the security field who are tired of hype and mystique being built around old illusions, it becomes a personal insult.