Perlroth, Terminology, and Hyperbole

I finished reading “This Is How They Tell Me The World Ends” by Nicole Perlroth a few weeks ago but haven’t had time to write this blog, and likely another, based on specific aspects of the book. I have written two blogs on topics covered in the book after reading it already, but both written before completing the book.


Overall the book was an enjoyable read. It is clear that Perlroth covers the topic of zero-day exploits and the exploit market very well, based on a lot of research and interviews with key players. The book exposed some things that were new to me so I enjoyed some chapters very much. The book also gave me a sizable list of items to do further research on including several ideas for FOIA requests. Finally, I think the epilogue was especially well done and would serve as a great ~ 20 page primer on the topic and where the world is going in the realm of exploits and hacking campaigns. If you are interested in the topic I do recommend this book.


That said, this blog is about one issue I have with the content. Starting in the prologue and continuing throughout several chapters of the book, Perlroth uses language that is arguably one step past hyperbole, seemingly crossing the definition of “intensifier” and falling squarely into “extreme exaggeration“. This has been a problem for over twenty-five years in Information Security with one of our worst being “Cyber Pearl Harbor“, which is also used in this book. While such terms are dramatic and hook a reader they are counter-productive as they unfairly explain or refer to concepts that are not as serious or damaging as the terms used.

Equating two unrelated terms to explain one concept to an audience not familiar with it is common enough, and we all do it. But consider the definition on an analogy which is “a comparison of two otherwise unlike things based on resemblance of a particular aspect“. The key, I believe, is “resemblance of a particular aspect” which can really be interpreted differently. If I compare a rocket to an automobile to make a comparison about travel because they both can move and transport people, does that count? Sure, but it sucks as an analogy and doesn’t make the point very well. When that gets taken to an extreme, you have a logical fallacy known as a false analogy.

To me, that is where analogies or descriptions like “a Cyber Pearl Harbor” fall. Until a computer intrusion can routinely sink ships, destroy aircraft, kill over 2,300, and wound over 1,100 people in just over an hour, I don’t think that is an appropriate term to use. If such an event happens once, perhaps calling it “the Cyber Pearl Harbor” would be acceptable. Further, what part of the attack on Pearl Harbor resembles a computer attack? Until that can be answered, journalists and security professionals should endeavor to use more grounded analogies that can explain a concept without embellishing or incorrectly comparing something in the virtual computer domain to a kinetic real-world item or event. While Perlroth’s first use of this term was quoting “security experts”, she had the opportunity to temper that with a caveat or explanation, but did not.

Even calling exploits a “weapon” begins to push that boundary as most people think of a kinetic weapon like a knife or gun that has wounded or killed millions in the last 100 years. With that, here is a sampling of some of the analogies and terminology Perlroth used throughout her book to illustrate the problem. What is perhaps most unfortunate about this is that the book is well-written and did not need to do this to make it interesting. To me, it was actually a detraction and did not add to the topic.

  • xvi: Russian hackers made a blood sport of hacking anyone…
  • xvi: For five long years, they shelled Ukrainians with thousands of cyberattacks a day…
  • xviii: The very same Russian hackers that had been laying trapdoors and virtual explosives
  • xxi: .. is what happened when the NSA’s most powerful cyberweapons got into our adversary’s hands. So in March 2019 I went to Ukraine to survey the ruins for myself.
  • xxvi: If Snowden leaked the PowerPoint bullet points, the Shadow Brokers handed our enemies the actual bullets: the code
  • p8: In the process, “zero-day exploits” became the blood diamonds of the security trade.
  • P257: They were here to recruit, perhaps, or broker the latest and greatest in Argentine spy code.
  • p294: Russian hackers had been shelling Ukraine’s computer networks with cyberattacks, and the timing was ominous.
  • p295: And like those attacks, the KillDisk had a ticking time bomb.
  • p324: But nation-states could just as easily bolt digital bombs and data wipers onto the tools, detonate data, and take America’s government agencies, corporations, and critical infrastructure offline.
  • p334: Across the world, people started ripping their computers out of the wall.
  • p348: Nobody had even bothered to tell the mayor that the virus hitting his city had been traveling on a digital missile built by the nation’s premier intelligence agency.
  • p349: One assailant locked up its systems with ransomware; another detonated EternalBlue to steal data.
  • p381: It was Nakasone who played a critical role in leading Nitro Zeus, the U.S. operation to plant land mines in Iran’s grid.
  • p383: They – the hackers, the officials, the Ukrainians, the voices in the wilderness – had always warned me that a cyber-enabled cataclysmic boom would take us down.

One thing to note is that on rare occasion, Perlroth did temper such wording. One example can be found on page 49 where she says “Again, these weren’t weapons. They were gaping security holes that could be exploited to break into hardware and software, and the American taxpayer was being asked to bankroll the entire supply chain.” Unfortunately, this comes after several lines in the bullet points above and many more like it.

Similarly to using exaggerated terms for exploits and digital attacks, Perlroth does the same when describing hackers. While describing a complex world of zero-day exploits, brokering them, and the impact they can cause, she falls back on tired clichés to describe the people using these exploits. Here are a few examples:

  • xix: .. simply beyond that of any four-hundred-pound hacker working from his bed.
  • p22: .. he did not resemble the emaciated hackers and former intelligence types glued to their computer screens
  • p23: .. a little colorful for men who wore black T-shirts and preferred to work in windowless dungeons.
  • p23: .. their diet subsisted of sandwiches and Red Bull.
  • p28: Vendors didn’t want to deal with basement dwellers
  • p28: … pimply thirteen-year-olds in their parents’ basements
  • p28: … ponytailed coders from the web’s underbelly
  • p30: Hackers who barely made it out of their basements would get hammered…

If I used hyperbolic clichés to describe Nicole Perlroth, a New York Times reporter, I wonder how many journalists I would offend?

2013 Superdome Outage a Hack? The Value of Post-Incident Investigations.

[This was originally published on the OSVDB blog.]

As we approach the pinnacle of U.S. sportsball, I am reminded of the complete scandal from a past Superbowl. No, not the obviously-setup wardrobe malfunction scandal. No, not the one where we might have been subjected to a pre-recorded half-time show. The one in 2013 where hackers terrorism who-knows-why caused the stadium lights to go out for 34 minutes. That day, and the days after, everyone sure seemed to ‘know’ what happened. Since many were throwing around claims of ‘hacking’ or ‘cyber terrorism’ at the time, this incident caught my attention.

Here’s what we know, with selected highlights:

  • February 3, 2013: Superbowl happened.
  • February 3, 2013: Anonymous takes credit for the blackout.
  • February 3, 2013: Because theories of hacking or terrorism aren’t enough, Mashable comes up with 13 more things that may have caused it.
  • February 4, 2013: A day later, we’re once again reminded that “inside sources” are often full of it. Baltimore Sun initial report claimed a “power-intensive” halftime show might have been a factor.
  • February 4, 2013: The FBI makes a statement saying that terrorism was not a factor.
  • February 4, 2013: We learn that such a failure may have been predicted in 2012.
  • February 4, 2013: Of course the outage doesn’t really matter. A little game delay, and it is a “boon for super bowl ratings“, the most critical thing to the corrupt NFL.
  • February 4, 2013: By this point, people are pretty sure hackers didn’t do it. They probably didn’t, but they could have!
  • February 4, 2013: Oh sorry, it could still be hackers. The Christian Science monitor actually covers the likely reason, yet that isn’t sexy. Chinese hacker ploy seems more reasonable to cover…
  • February 4, 2013: Not only Anonymous, but ‘Rustle League’ claimed to hack the super bowl. A day later we learn that notorious Rustle League trolls were … wait for it … trolling.
  • February 5, 2013: Officials at Entergy, who provide power for that property clearly state “There was no Internet or remote computer access to the piece of equipment inside the stadium that sensed an abnormality in the electrical system and partially cut power to the Superdome…”
  • February 6, 2013: While the Superdome was not hacked on Sunday, the U.S. Federal Reserve was.
  • February 8, 2013: Multiple sources begin covering the real reason for the Superdome outage.
  • February 8, 2013: We now have a good idea what caused it, but let the blame game begin. Manufacturer error, or user error?
  • March 21, 2013: The official Entergy report is released (PDF), giving a very technical analysis and summary of what happened. Everyone but conspiracy theorists can sleep well.

The reason for this blog is that Chris Sistrunk, a noted SCADA security researcher, pinged me the other day about the report. We were curious if the failure described could be considered a vulnerability by OSVDB standards. After reading the report and several questions for him, this seems like a simple case of device malfunction / failure. Quoting relevant bits from the report:

During the testing, behavior of the relay was not entirely consistent with the function described in the instruction manual. Under some circumstances, when the current exceeded the trip
setting and then decreased below the trip setting even after the timer had expired, the relay did not operate.

This instability was observed on all of the relays tested (during testing by this engineer, ENOI, and others in coordination with S&C at Vault 24 on March 1, 2013), including the subject
(Bay 8) relay and two identical (exemplar) relays. Behavior of the device in a manner contrary to the published functionality of the device constitutes a design defect.

Interesting read and glimpse into the world of SCADA / ICS. While the notion that the outage was due to hackers, the reality is far more mundane. We could certainly learn from this case, along with thousands of others… but who am I kidding. News covering the mundane and real doesn’t sell.

Convict them all! A new breed of ambulance chasers

[This is a rebuttal/rant in which I ‘reply’ to various parts of a news article, originally published on attrition.org. This version has been updated for style.]

Computer crime: Changing the public’s perception
12 Oct 2000
https://seclists.org/isn/2000/Oct/51

You remember Jonathan James? He made national news a couple of weeks ago. You know, he’s that nice 16-year-old young man convicted of hacking into computers at the Pentagon, NASA, BellSouth, the Miami-Dade school system and many other places. That’s pretty funny. Right?

Can you imagine that some nasty judge put him in jail? Young Jonathan put it so well when he said, “I don’t think they should be putting a kid in jail because he proved they don’t have very good security.”

Fortunately, poor misunderstood Jonathan didn’t delete files or infect any computers with viruses while he was engaged in his youthful mischief. As his father put it, “All he did was go look at top secret government information.”

Hey, you know what they say — values come from the home. I can see where Jonathan learned his.

Wrong or not, the point is valid. What morons running these systems are allowing even sensitive, let alone secret, let alone TOP SECRET to remain on public connected machines? Why aren’t the admins and managers who are violating US Law and military regulations being put in jail too? why do they continue to draw tax payer funded income when they are violating US Law, just like this hacker did? Yes, the hacker broke the law. Yes, he may deserve to be in jail. Yes, the people that put the sensitive information there in the first place should be sharing the cell with young Jonathan.

His father described his son as contrite. I guess that the obscene gesture he made at the courthouse to a photographer was yet another minor aberration.

Jonathan was lucky I wasn’t the judge.

Computer crime isn’t a joke. This attitude that he did them a favor by showing them that their security was bad is warped — absolutely and completely warped.

I suppose that Daddy James would be the first one thanking the burglar for breaking into his poorly secured home if the burglar only looked at his most private and personal possessions, but didn’t take anything.

We’re at a point where computers are an essential part of our society’s infrastructure. Any crime that touches the infrastructure of our society is by definition a significant crime.

Ok, so apply this same standard to all the people involved that made this crime possible. Apply the same standards to Jonathan, the admin of the system that did not secure it, the managers and the powers that be who determined the information should be online at all. It is a nice luxury for short sighted and malicious journalists to use double standards here. But wait.. this isn’t a journalist writing.. read on.

The “ILOVEYOU” virus a few months ago is yet another example of the types of problems that can come from computer crime. “ILOVEYOU” disrupted businesses, governments, and people worldwide. We cannot permit these sorts of things to happen.

“ILOVEYOU” demonstrates that every computer has the capability of being a weapon of mass disruption, even destruction. As we become even more dependent on computers, hackers will have even more opportunities to cause mass disruption or destruction.

Oh, this isn’t overly dramatic, no… It is amusing to see that you don’t point out that these ‘weapons of mass destruction’ were ALL Windows systems. Why don’t you hold the creators of Windows even marginally responsible? Oh can’t do that, gotta blame those evil hacker types. Great scape goat and all.

“Wasn’t it cool when I turned off the air traffic control system?” “Wasn’t it great when I turned off all the respirators in the hospital from home?” I assure you that it’s just a matter of time before the things hackers do become even more outrageous and dangerous.

Hey why not? As young Jonathan put it, “All the girls thought it was cool.” If you’re a male over about age 14, what more reason do you need to do something really stupid.

The problem with security, whether it’s hi-tech computer security or physical security is that “perfect” is an impossible goal. The goal is reasonable security.

Really? Seems to me people have proven computer systems can get pretty damn close to ‘perfect’. The problem is that the end user is naïve and scared of computers. They demand point and drool interfaces that require an IQ two points above a lemming. Because of this, security is sacrificed for the masses.

Everybody can and should implement three basic security concepts. You should start by controlling physical and logical access to sensitive information. Your methods could include passwords and encryption.

Wow. You just condemned the right person and didn’t even know it. Where was the good passwords and encryption on the sensitive files Jonathan accessed? Oops.

Next, you should require individual accountability for sensitive information and identify those with access. Finally, you need to have audit trails that show who accessed what information. Your audit trail should be able to answer the basic who, what, where, when, why, and how questions.

Wait, you condemned Jonathan for these break-ins, calling him a computer criminal who deserved jail time. Here you flat out say that the admins of the machines hacked should be accountable. Why don’t you mention this in your misguided and opinionated rant above?

All too often, we see computer crime as not that big a deal. While the Computer Abuse Act of 1984 imposes a $250,000 fine or a five-year prison sentence, or both, for each offense, it just doesn’t often work that way.

Much like the people that are convicted of murder or rape only serving four years in prison? But wait, that’s ok, just burn the hackers.

While I don’t have any formal study to cite, experience has taught me that computer crime is generally not sternly punished.

No formal study to cite? There is an abundance of computer crime statistics out there. Statistics on computer intrusion is easy to find (CERT, Attrition, etc.). Information on hacker cases and convictions is available (DOJ). Why can’t you cite a study to back your claims?

We need to have a basic change in attitude about computer crime. What we must do is use harsh punishment along with reasonable security as deterrents. We have to deliver the message that hacking and other computer crimes are so difficult to prevent and the dangers that come from them are so great that our society simply won’t tolerate them.

Computer crime is not difficult to prevent as a general rule. There are thousands of networks out there that have suffered no external intrusion to date. What, are thousands of competent admins all just lucky?

What Jonathan did wasn’t a childish prank. Saying that there were no horrible consequences from what he did is like justifying drunk driving by saying, “But I got home and I didn’t have an accident.”

If I’d been the judge in a world with perfect laws, Jonathan wouldn’t get out of jail until he was 21 and would never, never, never earn a living in any job involving computers or programming. That’s punishment. That’s a message to others.

Mark Grossman is a shareholder and chairs the Computer and E-Commerce Law Group of Becker & Poliakoff, P.A. His website is http://www.EcomputerLaw.com and his e-mail address is techlaw@ecomputerlaw.com. Research assistant is Andrew Chulock.

Ahh, the true motivation. Convict them all.. because I am a lawyer and get paid to do it. I hear sirens, better run Mark.

Hacking: A Game for the 90’s?

[This was originally published in Ex-Game Vol 1, a print magazine in Japan. Exact publish date not known, just the year.]

Friday night, you’ve been at it for three hours. Typing away at your computer, hitting one web site after another. Every ten minutes that passes, some large corporate network’s web page has been replaced with a new page of your own design. You drink more of your cola and get back to work, a list of vulnerable domains in front of you. For the past three weeks, you and a friend have defaced dozens of corporate web sites each Friday night, bending the original site to your own design.

You are part of what has seemingly become the latest trend or fad: that of computer hacking and web site defacing. The term ‘hacking’ once meant, “to find a clever solution to a difficult problem.” Over the years, journalists and security professionals have skewed the definition to mean “one who accesses other computers illegally.” Regardless of the variety of terms used to describe the activity, illegally accessing computers and altering web pages has exploded in the last twelve months. The frequency of defacements along with the messages left on these altered sites suggests that many participants see their activity as nothing more than a game for the 90’s.

Recent case history has shown that a majority of those defacing web sites are between 15 and 21 years old. Because of their relative young age, the lack of understanding of their actions often leads them into a world of problems with everyone from their parents to law enforcement. Putting these risks aside, defacing web pages seems to be as popular as ever.

Explaining the Popularity and Ease

Perhaps the largest contributing factor to web sites getting defaced is the simplicity behind it. Because of current web sites and available information, it is often a matter of minutes for someone to download the tools required to deface a web page. A wide variety of web sites dealing with both hacking and security offer the scripts and utilities required to commit these acts. Detailed information outlining the bug or vulnerability used to exploit a foreign network is plentiful.

Computer security sites make this information available under the policy of full disclosure. Unfortunately, this policy is a two sided blade of sorts. By making the information available for administrators and security consultants in order for them to patch the vulnerability, they are also making this information available to hackers and other assorted people with questionable motives and ethics. The information shared under full disclosure allows hackers to create tools that automate the exploitation of the vulnerability. Worse, they can easily write additional tools that automate the process of finding vulnerable hosts on the Internet. Rather than try one server at a time, their tools can scan thousands of machines in a matter of minutes.

Crime of the Times

In this world of automation, society strives to make life easier at every turn. More machines and more automation means less work for us. This mindset has carried over into the hacker world all the same. Looking at a recent example of this process, we can see how easy it is for a complete neophyte with little computer knowledge to successfully deface a web page.

Oct 20, 1999 – Several high profile domains are defaced. Each server is running on Windows NT, and exhibits signs of the MSADCS exploits. Most of the defacements were one or two lines of simple text that overwrote the existing page. Because of the way the script worked, it could only overwrite the existing page with simple text.
http://www.attrition.org/mirror/attrition/1999-10.html

Nov 3, 1999 – Rain Forest Puppy releases details of a vulnerability in the Microsoft MSADCS distributed library. The bug allows attackers to execute commands on a remote Windows NT server without legitimate access.
http://securityportal.com/list-archive/bugtraq/1999/Nov/0036.html

Nov 6, 1999 – Many defacers modify their scripts so they can overwrite pages with their own HTML. Several other defacers decide to append their messages to the existing pages rather than overwrite it.

Nov 10, 1999 – Updated versions of the MSADCS exploit code is released.
http://www.wiretrip.net/rfp/pages/security.asp?iface=2

Dec 17, 1999 – The time of this article, hundreds of systems have fallen victim to people exploiting this bug. On some days, thirty domains are reported as defaced due to the MSADCS and similar vulnerabilities.

The information in RFP’s advisory along with the public utilities for exploiting this bug make it easier than ever before to commit crime by illegally accessing and altering data on a web page. Along with these public resources, hackers pass additional tools and modified versions of the exploit utilities around to their friends. Some choose to make these improved tools available on private web sites where thousands of hackers know to look for them. This begs the obvious question “Why don’t sites protect themselves?”

Computer Security in the 90’s

With the pace of technology and new developments coming out on a per-second basis, one has to wonder why so many insecure sites can maintain such a poor security posture. Multi-million dollar companies like Mitsubishi and Kingston have fallen victim to web defacement this month. Government servers of the United States, United Kingdom, Brazil and Australia have suffered at the hands of attackers in December this year. How is it possible for hoards of teenagers to effectively control the content of such important and high profile servers?

Several factors lend to the insecurity of computers all over the world. These factors do not necessarily apply only to web sites that have been or will be defaced, rather they apply to any networked system. Regardless of technical steps that can be implemented to protect these systems, diligence and continued attention are the most effective resources you can throw at security. Spending fifteen minutes a day to stay updated on the latest security concerns and vulnerabilities will allow any system administrator to protect themselves against a great majority of would-be attackers.

The lack of time spent maintaining security on computer systems leads to several technical issues that become the Achilles Heel of any network.

Installing Security Patches. Software vendors release patches/fixes to address security problems that come to light. System administrators must install these patches, sometimes years after installing the operating system or software. Periodic monitoring of the vendor’s website or subscribing to their mail list is the best way to do this.

Lack of Budget. Perhaps one of the biggest complaint from system administrators is the lack of funding companies spend on maintaining security. There is no excuse for a company to do this, yet it is often done by management that do no realize the implications of security. Rather than maintain proactive security, they take a reactive stance and only see fit to distribute funding after horrible security incidents.

Abundance of Information. As absurd as this may sound, the vast amount of information resources available to administrators can be overwhelming. So overwhelming in fact, it becomes confusing which resources to follow and which to trust. Some sites recommend different courses of actions, different security policies and more. These cause confusion and conflicting advice which can lead to improper configuration of corporate resources.

Poorly Trained Staff. In an effort to maintain lower costs of operation, companies are looking for the lowest possible salary for their administrators to do their job. This leads to hiring undertrained and poorly skilled administrators that become responsible for large computer networks controlling incredible resources.

When several of these problems work in tandem, it becomes apparent how little security holes can be overlooked by even highly skilled administrators. Anything short of full attention and a comprehensive plan to protect corporate networks is begging for trouble.

Two Approaches

Most people don’t realize the logistics of attacking web sites. Until recently, one could not just magically change a web page without having complete access to the system. This meant breaking into the server that held the web pages, gaining the access required to edit the web page, then altering it. This is achieved a number of ways including remote exploits that gives the attacker access to the system, sniffing connections between two computers, or backdooring a utility used to access remote systems. This method is more in tune with the older way of ‘hacking’.

Recent vulnerabilities in web servers designed for more remote services now allow attackers to deface the page without gaining prior access to the server. As with the MSADCS exploit, the attacker simply utilizes a bug that overwrites or appends to the existing page. This is done without gaining a valid login and password combination or any other form of legitimate access. As such, the attacker can only overwrite or append to files on the system. Some may allow them to read any file but for the most part, do not grant the individual serious access to the machine.

Network Security in the New Millennium

If the state of security is in bad shape today, where will it go in the new year? Is security improving enough so that we can expect secure systems in the future? Are more vendors looking at security as a serious concern? Not enough to matter! While vendors are slowly realizing that security is a big concern of the consumers, most are not changing their ways to address the concerns. Rather than do proactive auditing of their products and more extensive testing, they still wait to hear about a bug and fix it down the road.

This means that hackers and web defacers will keep doing their thing into the new year! Even with fairly substantial leaps in security mechanisms, several inherent flaws will continue to plague systems around the world. A system is only as strong as its weakest link. For most outfits, this weak link is the human running the system. They are the ones prone to make mistakes, overlook the minor details or not keep up with the changing security field. Even with the most sophisticated security software available, it is only as good as the person who installs it.

This is the primary reason companies employ a high dollar consultant to come in and install vital parts of their networks. It is their hopes that by doing this, they will not run the risk of human error and ensure a correct setup. Unfortunately, that leaves another challenge of finding qualified professionals to hire as consultants. The last few years of hype surrounding computers, the Internet and Y2K have brought an influx of consultants that may not be adequately trained to perform the tasks you need. Yet another challenge companies must face in the years to come.

Hacking as It Stands Today

Five years ago, hacking was mostly rumor and legend. Tales and stories handed down from hacker to hacker, admin to admin. Web sites were unheard of so most system intrusions were never seen in a public manner. Often times only a handful of hackers, the system administrators and occasionally law enforcement knew about system intrusions or the level of skill involved. Hackers of old were people curious about networks and exploring. They wanted to press the system and see what else they could get it to do, especially if it hadn’t been documented before. For the most part, it was benign discovery of new computing resources and power.

Today’s “hackers” are a new breed unto themselves. Rather than learning and discovery, many seem to enjoy the fame and glory behind it. Instead of learning new aspects of how computers work with each other, they would rather vandalize web sites with poorly written rants backed by weak justifications for their actions. More and more of the web defacers today don’t even know the fundamental differences in the programming languages that make up their exploit utilities. Others can’t even find the web page once they break into a server and must ask others for advice on how to find it. Every first year unix admin knows that the find command is an easy built in utility that can perform this task.

Along with this lack of system knowledge comes a lack of understanding about the potential repercussions their actions could effect. Aside from breaking state or country laws and statutes, being busted for their crimes could have serious effects later in life. On top of losing all of their computer and telephone equipment, they jeopardize their career. Companies do not hire convicted criminals for the most part. Worse, computer and security firms will not hire ex-hackers openly. Unless the person keeps their past hidden and lies to their perspective employer, their past will catch up to them.

Today

Each day five to fifty sites are reported as hacked and defaced. These reports are often sent in by the person(s) who committed the crime, as a sort of bragging. They send the information to sites that mirror defaced web pages and monitor Internet crime. A few of these sites in turn pass on the information to interested third parties as well as law enforcement agencies. In any given week, there appear to be between ten and one hundred groups or individuals participating in web defacing. These people may deface one site a week if it is considered high profile, or dozens of low-key sites most of us have never heard of.

With more and more media attention being focused on these public defacements, it skews the perception of the public. The masses perceive hackers to be mostly young kids intent on digital graffiti. While the hackers of old are still out there silently invading network after network, leaving little or no sign of their intrusion, law enforcement spends most of its time pursuing and investigating actions that barely consist of network compromise. Many web defacements allow the attacker to overwrite a file on the system (the web page), not gain full access to the machine. Every once in a while a story will come out about the hackers of old. A recent story on a group of hackers that were allegedly able to invade everything from phone systems to the US National Crime Information Center databases.

Almost once a month, law enforcement catches up to these hackers and makes a high profile bust. Groups like GlobalHell, Level Seven, and Team Spl0it have all had their run-ins with the law in recent months. Perhaps some of the most high profile web defacing groups in the last year, they have disappeared since federal authorities took interest in their action and served warrants on the alleged members of each group. In a matter of days these groups were replaced by new groups defacing more sites helping create and endless cycle of web defacement.

In the time it took to write this article, a site I help run has received word of fifteen web sites being defaced all around the world. Sites in Brazil, a US Army site, several commercial sites and more have fallen victim to these web defacers in a matter of one day. At an ever-increasing rate of sites being defaced, one could predict that over one thousand sites would be defaced each month next year. Based on the current rate of increase, that guess would be a fairly safe bet. Add to that the rate at which new servers are put up on the Internet along with the rate of new vulnerabilities being discovered and the ease of which they may be exploited. It spells out a future of hacking becoming more and more a game.

Securing your network; Your startup’s survival depends on it

[This was originally published on IBM Developer Works and is mirrored on attrition.org.]

Collecting customer demographics is good, and collecting payments online is good. But it isn’t good if this information is stolen from your company’s computers. Brian Martin examines how — and how often — this really happens, and what you can do to prevent it.

In the last twelve months, over one million consumers have been the victims of personal information theft. These ordinary Web surfers have found their credit card numbers and personal information have been surreptitiously stolen from e-commerce Web sites where they conducted business. Each incident has seen anywhere from a few hundred to a few hundred thousand cards leaked out to unauthorized persons. In some cases, the once-private information found its way onto public Web pages for anyone to see. Here are a few sites that experienced credit card theft in recent months:

Table 1. Sites from which credit card numbers
have been stolen recently

SiteCards Stolen
Promobility/Ltamedia   26,000
CD Universe300,000
7 Retailers 25,000
RealNames 10,000+
Thai E-Shop  5,000

(See Resources for sources for these figures.)

Other shops inadvertently expose consumer information above and beyond credit card numbers: Outpost.com revealed its customers’ billing and e-mail addresses, FAO Schwarz leaked consumer e-mail addresses and telephone numbers, and Northwest Airlines leaked both credit card and other personal information over the Web. (See Resources.)

In some cases the culprits were teenagers with a message that e-commerce is not safe, as with the recent Curador case (see Resources). Along with their rant about the evils of business on the Web came pilfered credit cards. Hung out on public Web pages for everyone to see.

Having this information pilfered would have been bad enough: the adverse media publicity turned it into a public relations nightmare — with a company just like yours at the center of it.

For the average net user who just had their credit card number dumped into the lap of a fifteen year old known on the Internet as “0wn j00”, this is a hassle that typically takes ten minutes to resolve on the phone. This assumes that the customer is aware of the intrusion and theft of information. (Most cases of credit card information theft are not reported to the customers, even if the information is known to be compromised.)

I recently became aware that my own credit card had fallen in the hands of computer intruders, leading me to call Mastercard. Hitting the option to “report a stolen credit card,” I was shocked when the friendly operator asked me if the theft occurred via the Internet. The fact that they ask this question first, as if they assume that is where the theft occurred startled me. Ten minutes later I had a new card number issued and I was ready to Web surf for more music and DVDs.

With fraud protection on all major credit cards, the end user is not liable for fraudulent purchases totaling more than $50. A ten-minute phone call will get your card number re-issued and your account flagged to watch for suspicious activity, alleviating you of future fraudulent purchases. With that in mind, it is easy to determine who really suffers over these information theft incidents.

Everyone must cough up some dough
The costs for reacting to and managing information theft incidents fall to the company with lax security as well as to the credit card companies. And the major credit card companies do not let this slide. Major credit card companies already categorize online retailers as “high-risk,” and, in recent months, Mastercard and Visa have announced measures that are not favorable to smaller online retailers (see Resources).

Given the nature of Americans and the frequency of lawsuits, it is probably only a matter of time before some angry net users file suit against insecure companies responsible for leaking out their private information. When a purchase is made on a business Web site, it is assumed that the transaction is secure. If a corner store were to hang all of their credit card receipts in the window, you can imagine the outcry and lawsuits that would result. This is effectively what some Web sites do with client information. Rather than voluntarily hang it in the window, they leave it in places that are almost as easy to find.

Don’t think you won’t be targeted
Being a nobody on the Internet is not going to save you. A new breed of attackers don’t even know your company name until after they break in. Utilizing intrusion programs that scan thousands of machines in minutes, they seek out a vulnerable server. To them, the machine may have a designation of “10.80.23.183” and be completely meaningless — until they break into the machine. Once compromised, these attackers will then see who it belongs to and act accordingly. A large percentage of public Web defacements are committed against arbitrary companies regardless of who they are, or how big their network is. (See Resources for a link to the Attrition mirror, which chronicles Web defacements.)

Simply having an Internet presence puts you in the line of fire. Because of this, you must not think of being attacked as a “what if” scenario. It is more appropriate to think of it as a “when it happens” event. When your corporate network is attacked, will it be able to repel the miscreants? If they manage to compromise your systems, what information is there to be pillaged and shared with the world? How will your customers react if their personal information and credit cards are shared with millions of people? A single incident involving information theft can devastate a company’s reputation and integrity. By planning ahead and incorporating good security from the start, companies have the power to avoid these incidents.

But fixing now is expensive!
No matter how large (or small) your company may be, regardless of what financial resources may be available, paying large amounts of money to implement a secure Internet presence can be difficult to justify. The powers that be don’t understand the need to spend money on a project with no tangible results: no product in hand, no new service or abilities; just the notion that the corporate network is now “secure,” whatever that means. Ironically these same money managers don’t blink when spending a million dollars on a secure corporate building. Large fences, extra lighting, biometric access devices, controlled access vaults and safes are a given. No one in their right mind would think of building a corporate headquarters without these security mechanisms. Yet when it comes to computer network security, administrators find themselves fighting to install a $1000 firewall.

A clear pattern exists in the last five years of public computer intrusion incidents. Once a company has been virtually molested and has had articles written about it, there tends to be a followup to the original breaking news that tells how the company is throwing unbelievable amounts of effort and money at prevention. It seems that it takes an embarrassing incident and a company being raked over the coals of public opinion for the notion of computer security to be considered seriously.

Preventive network security is cheap at any price: as with an old car, a twenty dollar oil change today can save you a three thousand dollar engine rebuild tomorrow.

The consequences if you don’t
If your company reported a $1.5 million loss over the intrusion and theft of your entire client database, would you be happy? As you laugh at my absurd question, consider that is not uncommon to see such high damage tags on computer intrusions.

Table 2. Recent damage reports

IncidentDamage
Kevin Mitnick299 Million
PhoneMasters1.85 Million
Citibank10 Million+

While I am often a critic of such high figures, these are the numbers you see in the headlines after an attack. Whether the damage was really worth one million or one thousand, millions of your potential clients will often see the more dramatic figure splashed across the news.

Besides: can you afford any needless damages, to your bottom line or to your reputation, from computer intrusions? Can you afford to lose the demographic information you’ve painstakingly collected, or your trade secrets, or the credit card numbers (and the trust) of your customers?

A bit of free advice
The fact that you will be broken into or at least targeted shouldn’t discourage you in the least. It is rather easy to arm yourself with the tools and techniques needed to prevent it from happening to you.

First and foremost, show due diligence by securing your networks now, before an incident occurs. Develop a security plan that will protect both you and your customers and implement it as fast as possible. If your network already enjoys some security, this is the time to give it a thorough review and consider additional defenses. Proactive security is the single most beneficial action one can take with any corporate resource, especially computer networks.

If your company operates a Web page that takes in customer information such as name, address, and credit card, develop a system that pushes that information to a secure machine until it can be moved offline. Once a transaction occurs, there is absolutely no need to keep this sensitive information online. At that point the information serves a single negative purpose: it’s a target for computer intruders. While it is convenient for customers to revisit a Web site and not have to type in that long sixteen-digit credit card number, is it really that much of a hassle compared to the threat of the information being publicly disseminated?

Keep your customers informed. Develop a privacy policy that is prominently displayed on your corporate Web page. Let visitors know that you consider security an important aspect of business and describe the measures you have taken to ensure that their information stays private. List a point of contact should customers have questions about security. Do not promise them miracles or guarantee their information will never get out, but assure them you have taken every step to help ensure their security.

It’s that easy?
Building and maintaining a secure network is not always an easy task. With any such goal, careful planning and devoting the correct resources to the security plan make all the difference in the world. There are sure to be potholes along the way, but with proper planning from day one, you can make sure that your computers are not the victims of credit card, or personal information, theft. And your customers will thank you for it.

Resources:

News sources for sites from which credit card numbers have been stolen recently (Table 1):

News sources for sites from which personal information has been stolen recently:

News sources for damage reports (Table 2):

Other resources mentioned in this article:

Related reading:

CERT Rides the Short Bus

[This was originally published on attrition.org.]

One of the resources Attrition.org provides is mirroring defaced web pages. One of the related services is running three mail lists revolving around defaced web pages. We offer three different mail lists to accommodate people wishing to stay abreast of the latest defacements:

	defaced - this list receives one piece of mail per domain hacked
		  and spans all TLDs regardless of country.

	defaced-gm - this list receives on piece of mail for each .gov
		  or .mil domain defaced. this caters to law enforcement,
		  security personnel, etc.

	defaced-alpha - this list contains the same traffic as
		  'defaced-gm', but sends it to alpha-numeric pagers. this
		  list caters to law enforcement.

The Attrition defacement mirror is fairly high profile. Articles from almost every online publication ranging from the New York Times to MSNBC to Slashdot have linked to our mirrors to show their readers what was defaced or list other defacements by the same individual. There are currently over one thousand subscribers to the various lists mentioned above, with more joining every day.

Despite this high profile resource that is directly related to computer crime, intrusion incidents and ‘hacking’ statistics, one of the most well known computer crime organizations is just catching wind of us. CERT was originally the Computer Emergency Response Team (www.cert.org) which tracks computer intrusions, hacking incidents and web page defacements. In doing so, they are essentially the government’s answer to generating statistics and responding to computer crime.

Almost six months after the creation of these mailing lists, even longer after the creation of the defacement mirror, CERT finally subscribes to one of the three lists. Rather than subscribe to ‘defaced’ to learn about ALL web page defacements, this CERT employee opted to subscribe to ‘defaced-gm’ to learn about government/military sites being defaced.

Perhaps it is just me, but when you have a site like Attrition offering these lists to everyone for free, it might be prudent to use those resources. In generating statistics or tracking computer crime, why leave out a bulk of the defacements that are occurring and only look at gov/mil?

Does this hint that CERT is not interested in the masses any longer? That only government and military sites deserve their attention? That lowly .com, .net or .edu people aren’t worthy of their attention? Ironic coming from a group based out of Carnegie Mellon University.

One of the reasons Attrition stands out is that web defacers will report their crimes to us. Obviously, they will not run to CERT or law enforcement and do the same. Does this not seem like the perfect resource for both to use? Judging from the amount of gov/mil subscribers to both lists, it seems that law enforcement has figured it out pretty quick. Yet CERT has not.

Who funds CERT?

   The CERT/CC is funded primarily by the U.S. Department of Defense and a
   number of Federal civil agencies. Other funding comes from the private
   sector.  As part of the Software Engineering Institute, some funds come
   from the primary sponsor of the SEI, the Office of the Under Secretary
   of Defense for Acquisition and Technology.

My tax dollars help fund CERT. Great. There is nothing more discouraging than seeing a citizen funded organization not using free resources at their disposal. Resources that would help them in their mission statement and be more effective at what they do. With organizations like CERT wearing blinders, computer criminals are a bit safer.

“It Is Good Beating Proud Folks..”

[This was originally published on attrition.org.]

It is good beating proud folks, for they will not complain

William Knowles pointed me to www.realspy.com today, as they had apparently changed their web page after a recent defacement.

Below is the message currently up on their server:

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

We are sorry for this inconvenience

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

Just remember, don’t pick up the soap!

This pathetic and unprofessional message demands several points be made.

Due to hackers rewriting my pages from others websites, we will be down for 1 to 2 weeks to reconfigure a hardware firewall and newly designed web page.

Perhaps this is how some companies reach exceptionally large damage figures. Rather than hiring a security consultant for one day of work, patching the hole and getting back to business, they use it as an excuse to redesign the site. The charges associated with web design no doubt get lumped into the ‘hacker damage’ figure. If the down time is 2 weeks to “reconfigure” a hardware firewall, this shows a complete lack of technical proficiency in applying basic security to a web site.

On another note, to all you harmfull hscker and crakers—YOU CAN KISS MY ASS!

Great encouragement here. I am sure a ‘real spy’ would say exactly this. You’ve already proven you are vulnerable and the computer criminals have one upped you. Challenging them to do it again can only serve to hurt you further and subject you to more attacks. Even if it is a trap with FBI agents lying in wait, it is still taking away from your business. When the next computer criminal breaches this site, do you think they will stop with a simple web page defacement?

I won’t even go into the whole ‘hscker vs craker’ debate.

I am a member of the FBI’s ANSIR program and I will be turning IP address from my server logs over to them to (5-15-2000) today.

This is an exceptional advertisement for the FBI ANSIR team, really. What is ANSIR exactly, and what do they do?

http://www.fbi.gov/programs/ansir/ansir.htm

The program is designed to provide unclassified national security threat and warning information to U.S. corporate security directors and executives, law enforcement, and other government agencies.

Looking at a few of their advisories:

99-002 Upcoming Significant Anniversary Dates
99-007 China Cyber Activity Advisory
99-010 Well-publicized Hacker Activity Against U.S. Government Sites

Wow, what a truly relevant program to tout to hackers. Why not proclaim your membership with a tennis club and threaten hackers with that too? In case you aren’t aware, ANYONE can report computer crime to the FBI. They make it quite simple really. Here is a list of all their field offices in case you’d like to report some crime yourself:

http://www.fbi.gov/fo/fo.htm

This of course begs the questions, why didn’t ANSIR warn him about the vulnerability used to exploit and deface the web site. Oh wait…

And the last comment from http://www.realspy.com:

Just remember, don’t pick up the soap!

This sounds like something straight off the ‘Happy Hacker’ web site. The vague threat that the computer criminal will not only be caught, but prosecuted and sentenced to time in prison where they will have less than pleasant relations with other prisoners. Given the rash of web defacers who have taunted the FBI and proclaimed they would never be caught, this hardly seems a deterent. More so that few of them ever see the inside of a jail or prison.

So what does this kind of message really accomplish? Absolutely nothing productive. It only serves to encourage more attacks, waste time and resources that should be spent on business, and generally make the owner look like a fool.

Why am I writing and picking on this site? Because in the course of mirroring over a thousand defaced web pages, I have seen this reaction before. What I haven’t seen is a productive result following this kind of obnoxious note being posted. I have only seen it cause further hassle, further embarassment, and further work for the FBI.

Please, swallow your pride and respond to these incidents in a better fashion. Starting pissing wars with people that know computer security better than you doesn’t seem too bright.

Ex-Game: (Untitled)

[This was the second article I did for Ex-Game magazine (print mag in Japan). It was titled as my name and labeled “Original Document”. It was subsequently mirrored on attrition.org.]

In the past few years, Japan has seen very few incidents of web sites being defaced. From 1995 to January of 2000, there were only 27 recorded defacements (http://www.attrition.org/mirror/attrition/jp.html) of Japanese web sites, very few of which were government owned. Beginning around January 24th, a brief but intensive wave of web defacements occurred on Japanese web servers, most owned and run by the government. Among these sites were Japan Science and Technology Agency (www.sta.go.jp), Japanese Management and Coordination Agency (www.somucho.go.jp), and Japanese Statistics Bureau (www.stat.go.jp). Shortly after the first few attacks, officials with the Japanese government responded by declaring the attacks a serious threat to the operation of their information infrastructure. Within days they had asked the United States government for assistance in dealing with the attacks. Not only did government officials ask for help in dealing with recovering from the attacks, they asked for assistance in preventing similar incidents from happening again.

Because of the small but intense wave of defacements plaguing the Japanese government, more and more people are questioning the skill required to perform such feats. Is the government facing computer masterminds intent on destroying the credibility and integrity of government information? Or are the intruders nothing more than unskilled malicious teenagers with a little luck and a lot of bravery (or is it stupidity?). Perhaps it is a little of each rolled into a less sinister and less proficient person or persons. Accomplished hackers intent upon exploration typically does nothing that would draw undue attention to their actions. Public, media or law enforcement scrutiny is often counterproductive to their goal of uninterrupted learning and discovery. Unskilled kids who run scripts they can barely comprehend typically have no message worth reading, and do not understand the potential consequences of their actions, or the seriousness of what they do.

What is now becoming an old and foolhardy debate is whether or not defacing a web page does damage to a company (or the government). Some argue that by changing a few lines of HTML, no real damage is done to the system. Since it does not disrupt the flow of information for more than a few hours, and since it does not prevent people from using the system, many say claims of damage are often inflated for selfish reasons such as financial gain or public sympathy. On the other hand, some argue that simply undermining the integrity and confidence in a system is damage enough unto itself. With the system intrusion comes the time required to assess and repair the damage, examine the security posture of the machine(s) compromised, reports to write detailing the incident and more. All of this adds up to lost time that administrators could have been working on projects that earn money for the company. Jumping back, some would argue that maintaining security was part of their duties in the first place, and that such incidents are the result of these administrators not performing their tasks in the first place.

How It Is Done

There are two basic methods for qualifying web defacements. The first involves vulnerabilities in the web server which allow a remote attacker to alter the content of the page without logging into the server. These exploits typically involve the intruder overwriting or appending to the existing web page. The second type of attack involves compromising the underlying operating system in order to gain full access to the machine, and therefore access to the web pages. Once this type of compromise has occurred, the intruder can interactively edit the existing web page, replace it with his/her own page, and a lot more. For the most part, most Windows NT servers that experience web defacements fall into the first category since NT isn’t designed around multiple users logging in via interactive interfaces. Most Unix (Solaris, Linux, BSD, etc.) defacements occur after the intruder has gained “root” access to the machine, giving them full administrative rights.

Windows NT comes with its own web server prepackaged for customer convenience. Internet Information Server (IIS) is the second most common web server found running on machines across the net (the most common on NT machines). According to Netcraft (www.netcraft.com/survey/), 22.92% machines surveyed in January 2000 are running Windows NT and IIS. In keeping with Microsoft’s tradition of buggy and insecure software, IIS is no exception.

One of the most widely exploited bugs found on Windows NT systems is called the RDS/MDAC vulnerability. Through this “feature”, a third party can easily execute remote commands on a target system. What makes this bug a real threat is that the attacker does not need initial access to the machine to begin with. Remote Data Service (RDS) is a component of Microsoft Data Access Components (MDAC) which is installed by default with the Windows NT 4.0 Option Pack. RDS components are designed to allow controlled access to remote data resources through Internet Information Server (IIS). One component of RDS called the DataFactory object is exploitable to untrusted attackers. The DataFactory object is originally designed as a server based object that handles client requests for information and provides read and write access to specific data sources.

Using exploit code widely available on the Internet, an attacker can use a single program to obtain all the information needed to exploit the vulnerability. This same script will then prompt the attacker with “Please type the NT commandline you want to run (cmd /c assumed):”, allowing them to easily execute the commands on the remote machine. Because of the ease of which this can be exploited, combined with a large amount of vulnerable servers, it is believed that the RDS/MDAC vulnerability is responsible for thousands of web pages being defaced in the last six months. Because of the ease of exploitation and the lack of knowledge required to utilize the attack, anyone and everyone that fancies himself a hacker has used this vulnerability to deface web pages. This is somewhat evident by the childish and lame web pages that are put up in place of the original pages.

For more information on the RDS/MDAC attack, Rain Forest Puppy has written an excellent advisory outlining explicit technical detail about the vulnerability (http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2). Microsoft has released two security advisories outlining details and patch information for the RDS/MDAC problem (http://www.microsoft.com/technet/security/bulletin/fq99-025.asp and http://www.microsoft.com/technet/security/bulletin/ms98-004.asp).

Protecting against attacks that allow direct access to a machine is rather simple for the most part. Staying abreast of newly discovered vulnerabilities is the single most important thing. As new bugs are found, the vendor should address the problem with patches or upgraded software. Staying up to date on these patches will typically keep you secure from a majority of the hackers poking around on the Internet. While this will keep you safe for the most part, there always exists a small chance that you will be exploited by a new vulnerability before you can patch the system. This is something that is virtually impossible to protect against, and something that all administrators must deal with.

Unix servers have been designed around the idea of allowing multiple users access the machine without losing any privileges or ability. There are few instances where an administrator must be sitting at the machine to effect any change or alter the configuration of the system. Because of this philosophy, users must log into the system to add or edit web pages (among other things). For intruders intent on defacing a web page, they must first find a way onto the system before they accomplish this. By exploiting bugs in the various services run by Unix systems, it is sometimes possible to gain remote access to the machine. Through remote buffer overflows (http://www.fc.net/phrack/files/p49/p49-14), sniffing attacks (http://www.robertgraham.com/pubs/sniffing-faq.html), or more crude attacks like brute forcing a login and password, attackers are able to spawn interactive shells on a target machine. In many cases, these shells are run with the highest privileges (‘root’ access), and the attacker has access to alter any file on the system. In some cases the privileges are those of a normal user causing the attacker to use additional exploits to gain more access to the machine.

In the past year, vulnerabilities in various Remote Procedure Call (RPC) services have been a consistent entry point into thousands of Unix servers. Some of the more commonly exploited RPC services include rpc.statd, rpc.mountd, and rpc.ttdb, one of which can be found on almost every flavor of Unix distributed today. Because security has only recently become a concern, it has taken software vendors over a decade to realize the seriousness of the problem and only in the last year or two begin to address these vulnerabilities. With the use of scripts readily available all over the Internet, even the most novice of hackers (often called script kiddies) can exploit these holes in systems worldwide.

Once interactive shell access has been gained to a Unix machine, even a rudimentary understanding of the Unix operating system is all it takes to find and edit the system web page. Using find and vi, a competent intruder can walk through the system and assume complete control over it. Changing a web page is actually the least of the damage that could be done to a vulnerable system. However, such defacements are typically the most publicly embarrassing incident a company can face. Because of this, security of a system is often focused on the web server and related components. This focus can quickly create gaping holes in the underlying operating system and allow intruders to waltz right in.

Protecting against intruders who target the operating system rather than the web servers are typically easy to deal with. The key to security is maintaining a consistent and proactive security posture. Rather than wait for an embarrassing incident to prompt your staff to implement better security measures, continual monitoring and updates should be performed since day one. Once the machine is setup, administrators should take steps to improve the default security posture of the machine, as most installations are notoriously insecure. Turning off unneeded remote services, removing extraneous permissions of SUID file, and setting up better group control are just a few things administrators should do. Once done, you should check the web site of the vendor of your operating system. These sites will contain updated information and security patches that address the latest vulnerabilities known and that have been made public.

Japan and the U.S.

Looking at the wave of recent Japanese Government defacements between January 24th and February 2nd, it is interesting to note that at least six of the servers were running Sun Microsystems Solaris Operating System while only a single instance of Microsoft Windows NT was found. At the time of the defacements, five of the machines could not be identified. Comparing this information with a list of United States Government servers that have been defaced (http://www.attrition.org/mirror/attrition/gov.html), and you can see the heavy use of Windows NT.

Without more statistics showing the amount of machines running in each government, it is difficult to draw accurate conclusions that suggest if one operating system is more secure than another. The figures above do begin to paint a picture of each government’s preference in operating platforms. The wide scale deployment of Windows NT servers through the United States Government has left it vulnerable to attackers, as evident from the long list of defaced servers.

What may be more important is the reaction from the administrators of each system as well as the reaction from Government officials. Public statements about U.S. servers being hacked and defaced were slow to come. It took over a year of repeated embarrassing defacements before president William Clinton took a firm stance, calling for more security in government and military web sites as well as a better response from the Federal Bureau of Investigation (www.fbi.gov) in tracking these online vandals. Throughout the past year or more, several different U.S. agencies have asked Congress for more funds in order to put a stop to these attacks. Despite additional funding being granted, virtually nothing has changed and U.S. servers continue to be defaced. As recently as February 19th, three more U.S. government servers (all running Windows NT) were defaced. NOAA Nauticus site (www.nauticus.noaa.gov), National Ocean Service Map Finder (mapfinder.nos.noaa.gov), and the Office of the Speaker of the House (www.speaker.gov) were the latest casualties.

Unlike the slow U.S. reaction, Japanese Government officials quickly met with law enforcement as well as requested help from the U.S. Government (http://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_619000/619139.stm). This call for help is ironic in that the U.S. has demonstrated repeatedly that it can not protect its own information assets and web sites. Lucky for both governments, attacks on their web sites has slowed down in the last few weeks. The question now, is will it continue?

Placing the Blame

This was originally published on Newstrolls and subsequently mirrored on attrition.org.]

As I type this article, there is a significant effort under way to track down two individuals. Both “Maxus” and “Curador” are wanted by several law enforcement agencies, most notably the Federal Bureau of Investigation (FBI). Each person has committed a crime involving unauthorized computer access. Unlike many ‘hacker’ cases, the media has grabbed hold of these two stories because of the nature of the crimes. Most computer intruders silently break into large companies or deface government and military web pages. In these two cases, each has surreptitiously copied large credit card databases from commercial sites and posted pieces of the information to public web sites.

Each vandal has found a vulnerability in a major online site that handles financial transactions via customer credit cards. Online shoppers browse their virtual stores in search of good deals, enjoying the convenience of not leaving their home. As shoppers find what they are looking for, each takes the time to send in their credit card number, billing address and other personal information. The mechanism that carries this sensitive information from desktop to virtual store is almost always secure. Protected by casual encryption, it prevents would-be snoopers from seeing the information as it passes from one point to another in its travel to the store.

The real threat to your personal information comes after it has landed on the remote server. Once outside of the protected layer between desktop browser and remote web server, the information must be stored somewhere. A surprising number of these virtual stores are not aware of the ‘hacker’ threat, or choose to ignore it. This is seen on a daily basis as site after site is compromised and their web pages defaced. Ignoring this threat often leads to little or no protection of the sensitive data. Huge databases of personal credit information and private billing data are collected, and left in plain text format on the remote server. The first intruder gaining illicit access to the company’s server can read everything, just as fast as their modem can download it.

“Maxus” and “Curador” have done just that in recent weeks. Shortly after compromising these systems, each has turned to free web space providers like GeocitiesTripod and AntiOnline to post web pages that include thousands of these compromised credit cards. Their message? Essentially “Secure your sites, I’ve proven I hacked you.” Law enforcement and media outlets picked up on these events as they usually do. The problem is that each seem to have lost focus of where to place blame, and who is really guilty.

If you were to walk up to an ATM machine and find that with a few extra buttons you could display the account information for any bank customer, would you be surprised? Would you consider yourself a criminal for your actions? What if you posted an anonymous note next to the ATM for everyone to read, explaining what you had discovered and demanded that the bank take action? The FBI and the press would condemn you for your actions. If they stuck to the same principals for reporting the actions of “Maxus” and “Curador”, they would brand you a dangerous criminal guilty of millions of dollars of damage. Meanwhile the bank you exploited would cry to the FBI that they were under attack by unscrupulous individuals hellbent on hurting their institution.

I think it is safe to say that the ATM example would be treated quite differently. An FBI driven manhunt would not be underway to find you, the media would not be intent on discovering your identity. Yet in the virtual world, that is the primary focus of their attention. The disparity in response to virtual verse real world crime is not new by any means. Looking beyond the response to such crimes, one has to wonder why these vulnerable online sites are not held accountable for their negligent actions. By storing the sensitive information on vulnerable servers, without using any sort of encryption or protection, they are often making it so any casual Internet user can view it. In some cases, these vulnerabilities are nothing more than supplying the wrong information to the site.

Vulnerable online sites are costing credit card companies and citizens a considerable amount of money as well as being responsible for many a headache. I have no doubt that current damage estimates for these two incidents will climb into the millions of dollars. Despite this, there are no public outcries condemning these sites for their actions. There are few laws in place to protect the consumers doing business with these companies. There are no fines or penalties imposed on the negligent sites, and no guarantees they will fix the problems once the ‘hacker’ is caught.

Due to the slow pace of creating and passing new laws to protect consumers, we must turn to another mechanism in holding these companies responsible. The obvious solution to this problem is for the large credit card agencies like Visa, Mastercard and American Express to quit doing business with negligent companies. By cutting off a major revenue source, this would force companies to maintain secure web sites and better protect consumer privacy. The real incentive for such action is the prevention of similar incidents in the future. Having to change thousands of credit card numbers, deal with any resulting fraud, and loss of public confidence is a high price to pay.

While the need to punish those who publish private information exists, the real culprit in many of these cases gets to move on without so much as a stern lecture. In their quest for profit, they are willing to step on the customers and their privacy if needed. Until some form of accountability is placed on these companies, they will continue to get away with what should be a serious crime.

The Crime of Punishment

[This was originally published on The Synthesis and mirrored on attrition.org.]

As you read this, an unusual legal case history is being established around the prosecution of computer crime. Because computer crime is still a relatively new aspect in the arena of law and prosecution, each and every case sets important precedent that will be called on in upcoming cases. The growing concern by many people seems to be the drastic nature of punishments being levied against computer intrusions. Not only are the punishments not seeming to fit the crime, there is little consistency in the legal system’s application of punishment to these people.

Previous articles have pointed out the disturbing trends in damage figures which directly affect sentencing in these cases. Unfortunately, the emerging problem seems to go well beyond suspicious damage figures. It is difficult to say exactly why the punishment for computer crime is so severe. Some people speculate it is the public perception of hacking and the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it is nothing more than sacrificial lambs taking the brunt of public outcry. Others feel it can’t be logically explained. I think the best answer is that computer crime is still shocking society, which overreacts in response.

The immediate disparity can be seen when comparing the sentencing between computer and non-computer crimes. While more traditional and material crimes like assault, burglary and murder are receiving what seems like light sentences, computer crime convicts are becoming the bearers of exceptionally stiff and smothering sentences. Not only are the prison sentences extraordinarily lengthy, the terms of probation are baffling and rough. Instead of a probation that encourages reform and nurtures a good life better than the previous life of crime, it thrusts the convicted into a life of poverty and despair.

Jail Time

Shortly after the new year, I was watching the news in a New York hotel and caught the follow-up of a story begun some two to three years prior. The news went on to say that a 21-year-old man convicted of killing his baby was being released after two years of prison. He and his wife and killed their infant some three years age, and his prison term was two years. Surely this is one case that slipped through our justice system and let these killers off easy? A quick search yields that this is not necessarily uncommon. Patrick Jack served a two-year sentence for manslaughter after stabbing Francis Sunjay Weber with a pair of scissors. Another article that discusses short sentences mentions yet another case in which a 17-year-old Marysville girl was shot and killed. Her killer was in turn sentenced to 27 months in prison for his crime. These cases make me wonder about the effectiveness of our legal system.

On the flip side, two recent computer crime cases perfectly illustrate the baffling seriousness and resulting prison time that now accompanies computer crime. Eric Burns recently pled guilty to ONE felony count of computer intrusion, and took the blame for the defacement of the White House web page. For his confessed crimes, he was sentenced to a $36,240 fine and 15 months in prison. A second longer story unfolded recently, telling us of a small group of hackers known as the Phone Masters who wielded amazing control of computers and phone networks. One of the individuals, Corey Lindsley, was sentenced to 41 months in prison for his 2 felony counts. The last comparison is the infamous Kevin Mitnick saga in which Mitnick spent a total of 5 years in jail and prison for what ended up being five felony counts of computer related crimes.

What should be noted is the comparison of crimes. Burns’ single felony is basically nothing more than high tech graffiti, a sort of digital spray paint on a federal building. What would that crime fetch for a sentence if done in the real world? Certainly not fifteen months of prison. Manslaughter can fetch as low as two years of prison time, while Lindsley and Mitnick sit in federal prison for four and five years respectively. This disparity is hard to believe considering the gruesome nature of manslaughter and killing a young baby as compared to altering the web page of an Internet web site.

Conditions of Probation

Even if you could dismiss the harsh penalty for relatively minor crimes, you would then face another practice that is becoming all too common with computer crime. After subjecting computer intruders to the long trial, large fines and lengthy jail terms, the real injustice occurs. It is not uncommon for people to be put on probation for one to five years for any felony conviction. I think it is fair to say that a probation term of two to three years is a sound average. Probation terms for most crimes are generally the same, preventing convicts from certain behavior and actions that are not appropriate. Some of these terms are not associating with known criminals, possessing weapons, use of drugs, and more. One thing about these terms are they tend to be generally the same with little variation based on crime.

For those convicted of computer crime, the probation guidelines are quite different. A quick review of the terms and conditions of Kevin Mitnick’s probation bring on a whole new set of computer crime specific terms:

Absent prior express written approval from the Probation Officer, the Petitioner shall not possess or use, for any purpose, the following: 1. any computer hardware equipment; 2. any computer software programs; 3. modems; 4. any computer related peripheral or support equipment; 5. portable laptop computer, ‘personal information assistants,’ and derivatives; 6. cellular telephones; 7. televisions or other instruments of communication equipped with online, Internet, World-Wide Web or other computer network access; 8. any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a ‘land line’ telephone); B. The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be employed in any capacity wherein he has access to computers or computer related equipment or software; C. The defendant shall not access computers, computer networks or other forms of wireless communications himself or through third parties; D. The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer related activity; E. The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes or other access devices that enable the defendant to use, acquire, exchange or alter information in a computer or telecommunications database system; F. The defendant shall not use any data encryption device, program or technique for computers; G. The defendant shall not alter or possess any altered telephone, telephone equipment or any other communications related equipment.


Reading these, one can begin to see how this limits a convicted computer intruder in life after prison. Some argue that as convicted felons, who cares? They are getting what they deserve. Perhaps that is true, but why don’t murderers and rapists receive special terms for their probation that might be deemed appropriate? Some of the few crimes that receive no special terms?

Forgery — Convicted forgers are not banned from pens, paper and other devices that help commit the crime.
Vehicular Manslaughter and other crimes involving motor vehicles — These people do not lose their driver’s license or the ability to own and operate cars or trucks.
Sex Crimes – Except in extreme cases of recidivistic offenders, convicted rapists and pedophiles are not forbidden from pornography or other stimuli said to influence or encourage their behavior.
Counterfeiting — Convicted counterfeiters are not forbidden from using currency, nor forbidden from working jobs with cash or banned from a wide variety of activities that may influence them.

The purpose of incarceration and the following probation is to punish and rehabilitate the convict. Probation specifically is geared to help push the criminal into a structured life without influences that may lead to their return to a life of crime. However, in the case of computer crime the probation guidelines do a lot more than discourage further computer crime. Some of the few acts they will be banned from:

  • Sending a letter to a Senator via e-mail or using a word processor
  • Playing a video arcade game or personal entertainment system like Sega or Nintendo
  • Calling his family on a cellular telephone
  • Working in any industry (including fast food) as they all rely on computers, even for cash transactions (cash registers)
  • Working as a custodian in any business that has computers on premises
  • Working as a teacher, instructor, consultant, or advisor to any company that owns or operates a single computer device
  • Writing any type of computer software program (even using merely a pen and paper)
  • Accessing a public library’s computerized card catalog.
  • Using computerized information services found at airports and shopping malls that give directions and customer information
  • Accessing any information via phone and voice mail/prompt system (including bank account information, car insurance and more)

Surprising as it seems, all of the above become illegal to most people on probation for computer crimes. Imagine living for three years with those restrictions hovering over you. Is this really a good guideline to get you back on the right track and lead a good life without bad influence? Or is this a well lit path encouraging you to break the terms of probation and risk more prison time?

If you are thrust into society after a lengthy prison sentence, stripped of opportunity to work in the one field you previously excelled in, what options does that leave? Unable to work in most modern and computerized jobs, unable to work near computers, it leaves the convict with several years of difficult living at below poverty level. Hardly the rehabilitation that was intended or needed.

The Tip of the Iceberg

The story of Chris Lamprecht still remains in the depths of news sites. In 1995 Lamprecht was sentenced to a 70-month prison sentence for money laundering. He did not plead to or get convicted of any computer related crimes. Despite this, Federal Judge Sam Sparks imposed the same “no computer” probation on Lamprecht at the request of the District Attorney. This seems to be an equivalent of being banned from restaurants because you ate dinner before breaking and entering.

Recouping Your Tax Dollars

It is well established that those caught and convicted of any crime are subjected to restitution. The amount is typically arrived at by calculating the damage figures against the victim(s). If a bike worth one hundred dollars was stolen, the criminal could be ordered to pay restitution that included the cost of the bike, court fees the victim paid for, emotional distress, etc. One thing that has not historically been factored in is the cost of the investigation or the time and effort of the officers involved in solving the crime. Apparently the money associated with the law enforcement efforts was not a factor for one reason or another.

Once again, when computer crime enters the equation, circumstances seem to change. In May of 1997, Wendell Dingus was sentenced by a federal court to six months of home monitoring for computer crime activity. Among the systems he admitted to attacking were the U.S. Air Force, NASA and Vanderbilt University. What is different about this case is the court’s order for Dingus to repay $40,000 in restitution to the Air Force Information Warfare Center (AFIWC) for their time and effort in helping to track him.

It is odd that the court systems are now levying punishments for computer crimes not based on the damage that was actually done, rather it is based on the amount of time, money and resources required to track down or fix the system’s vulnerability. Worse, they are then lumping on time and resources required to (belatedly) create pro-active preventative measures from future intrusions, something that should have been done in the first place. So the system intruder is now responsible for future intrusions, yet the administrators were not in the first place?

When the police or FBI catch up to a robber, defrauder or murderer, they are charged and punished for their crimes. It is generally unheard of for these criminals to receive punishments and fines based on the efforts of the law enforcement tracking them down. Think of how much time and resources the FBI put into tracking down a serial killer that has been roaming our country for years. How many air plane trips, car rentals, hotels, overtime, examination and forensic equipment, food reimbursement and who knows what else do our tax dollars go to pay for? Why aren’t these levied against the criminal like they are now starting to do with computer crime?

One difficult aspect that creeps back into computer crime cases is the blanket laws covering a wide variety of people and activities. As a computer crime investigator brought up in a conversation recently, a homicide typically affects a family, friends and perhaps a small community, while a concentrated computer attack could affect the lives of thousands of people or more. There are certainly exceptions to each type of crime but in general, that statement seems to be reasonable. The bottom line is that more consistency needs to be developed between traditional crimes and computer crimes.

In Texas, it is a Class B misdemeanor for graffiti if the damage is less than $500. In reality, most Web page defacements done today can be recovered from and dealt with for less than $500. Anyone saying otherwise is likely to be the consultant profiting heavily at your expense. So why is it that a young kid who spray paints a wall gets hit with a small fine, and a young kid who spray paints a Web site gets fifteen months in jail and tens of thousands of dollars in fines?

I think it is time for the media to quit hyping up computer crimes and introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to bring to ‘hacker’ stories. The legal system needs to give a serious look at the disparity in how they handle various crimes. I think it is pretty obvious that something is wrong when a knife wielding murderer does less time than a keyboard wielding fourteen-year-old.