CyberWatch Column

 

Criminal Hacking

M. E. Kabay, PhD, CISSP-ISSMP

Professor of Computer Information Systems

Norwich University, Northfield, VT

This is another in a continuing series devoted to how ordinary people can protect themselves when using the Internet.

There is a flourishing subculture among children that is almost completely concealed from adults and that tricks kids into thinking that criminal hacking is a harmless hobby.

Going into a computer system and reading other people’s documents, other people’s e-mail, or information relating to national security in military computers are obvious breaches of confidentiality.  Such breaches can cause real problems.  For example, one thirteen-year-old kid in Florida got into the medical records of people at the clinic where her Mom worked one Saturday a few years ago.  The girl called a dozen people who had gotten blood tests the day before and she lied to them:  she told them they had AIDS.  The victims of her sick joke were terrified.  One teenager’s parents stopped her just as she was about to shoot herself with her dad’s pistol.  So you see, taking and using confidential information can lead to terrible consequences.

Changing accounting records, stealing money by making false bank transfers, altering prescriptions so that people become sick, sending out bad e-mail using other people’s names – these breaches of integrity and authenticity are all obviously bad.

One of the most popular forms of criminal hacking today is Web vandalism:  damaging Web sites by substituting often obscene pictures and offensive text for the original materials.  The CIA was renamed the Central Stupidity Agency; the Florida Supreme Court’s Web page was turned into an illustrated sex-manual – you get the idea. 

The people doing the damage are often children or young teenagers.  These cybervandals are just like the kids who throw rocks through people’s windows or who spray-paint curses and foul words on buildings.  Maybe they are expressing their rage and rebellion – or maybe they’re just trying to be liked by the crowd they hang around with.  From the point of view of the Webmasters, though, they’re childish nuisances who cause extra work for nothing.

Another group of criminal hackers claim to be noble political idealists; they call themselves or are called hacktivists and they deface Web sites that they think belong to political enemies.  In the recent Kosova war, both sides in the conflict damaged each other’s Web sites.  For example, hackers in China and in Taiwan have been attacking Web sites in each other’s countries for years.

The recent denial-of-service attacks that may have been launched by children have caused billions (yes, billions) of dollars of lost sales and costs of recovery.  These attacks used hundreds and perhaps thousands of computers to swamp the victims with requests for information.  Criminal hackers installed special slave or zombie programs on poorly-secured computer systems.  These slave programs were then ordered to attack the main victims using coded communications from the criminal hacker controlling them.  The slave programs made the computers they were on send out thousands of messages to the victims’ computers, swamping their communications.  No one else could get much of a response from the computers under attack.

Part of the cost of cleaning up after the denial-of-service attacks came from having to pay employees to search out the slave programs and remove them.

Some criminal hackers claim that if they don’t alter information, they haven’t done anything wrong – or at least, they haven’t done anything really wrong, as they say.  This point of view is simply, flatly incorrect.  Any unauthorized penetration of a system on which people depend destroys the trusted computing base; that is, the users can no longer trust the compromised system.  System personnel have to spend long hours frantically checking data and programs and restoring them to a known-good state before being able to continue their work.  Such efforts can take days of exhausting, tedious work.

Other forms of hacking are more obviously wrong:  Criminal hackers sometimes take services from the telephone companies without paying for them.  For example, they use special phone numbers called teleconference bridges to talk to each other.   The company that rents the bridge ends up paying a lot of money per minute for those stolen phone calls.  Stealing telephone services is known as phreaking.  The shareholders, employees and customers of the victimized firms pay for this theft directly or indirectly.

Another game some kids are playing is denial of service.  Parents should be aware that their kids may be involved in the kind of amusement that brought down Amazon.com and eBay.com in February 2000:  denial-of-service (DoS) attacks.  Because hundreds or even thousands of infected computers can be involved in such attacks, the cumulative effect can be overwhelming. Some victims are completely off the Web or the Internet during the attacks.  For e-commerce sites, such unavailability may be catastrophic.

Practical Guidelines:

·        If your kids are interested in computers and want to know more about criminal hackers, they can learn a lot by joining the computer club at school, participating in discussion groups online, and reading. 

·        To help kids learn more about real computer security, make arrangements with computer system administrators at your school, local hospitals, offices and factories.  Ask them what happens if someone breaks into their systems. 

·        Get local system and network administrators to speak to your school computer club.

·        Contact your local FBI office and find out if they can send a speaker to your kids’ school for a discussion of computer crime.

·        If you or your kids want to visit Web sites that support criminal hacking, be sure to use a personal firewall (see next month’s article for details).

·        Campen, A. D., D. H. Dearth, & R. T. Goodden, eds. (1996).  Cyberwar:  Security, Strategy, and Conflict in the Information Age.  AFCEA International Press (Fairfax, VA).  ISBN 0-916159-26-4.  vii + 296.

·        Fialka, J. J. (1997).  War by Other Means:  Economic Espionage in America.  W. W. Norton (New York).  ISBN 0-393-04014-3.  xiv + 242.  Index.

·        Forester, T. & P. Morrison (1990).  Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing.  MIT Press (Cambridge, MA).  ISBN 0-262-06131-7.  vi + 193.  Index.

·        Freedman, D. H. & C. C. Mann (1997).  @Large: The strange case of the world’s biggest Internet invasion.  Simon & Schuster (New York).  ISBN 0-684-82464-7.  315 pp.  Index.

·        Garfinkel, S. (2000).  Database Nation:  The Death of Privacy in the 21st Century.  O’Reilly (Sebastopol, CA).  ISBN 1-56592-653-6.  vii + 312.  Index.

·        Goodell, J. (1996).  The Cyberthief and the Samurai:  The True Story of Kevin Mitnick--and the Man Who Hunted Him Down.  Dell (New York).  ISBN 0-440-22205-2.  xix + 328.

·        Gordon, S. (1993).  Inside the mind of Dark Avenger (abridged).  Originally published in Virus News International (January 1993).  http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html

·        Gordon, S. (1994).  Technologically enabled crime: Shifting paradigms for the year 2000.  Originally published in Computers and Security.  http://www.research.ibm.com/antivirus/SciPapers/Gordon/Crime.html

·        Gordon, S. (2000).  Virus writers:  The end of innocence?  Presented at the 10th International Virus Bulletin Conference.  http://www.research.ibm.com/antivirus/SciPapers/VB2000SG.htm and  http://www.research.ibm.com/antivirus/SciPapers/VB2000SG.pdf

·        Hafner, K. & J. Markoff (1991).  Cyberpunk:  Outlaws and Hackers on the Computer Frontier.  Touchstone Books, Simon & Schuster (New York).  ISBN 0-671-77879-X.  368.  Index.