Hacking Into Cyberspace - Internet Security

Introduction

The earliest programmers and technical artists of the personal computer revolution in the 70’s were given the nickname “hackers.” Defined in the Discovery Channel Hacker’s Hall of Fame Glossary, a “hacker” is:

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities.

2. One who programs enthusiastically.

3. A person who is good at programming quickly.

4. An expert at a particular program, as in 'a Unix hacker'.

5. [Deprecated] A malicious meddler who tries to discover sensitive information by poking around. The correct term for this sense is "cracker."

However, the term has hacker has been used to include both programmers that “hack” computers, networks and programs illegally and legally, maliciously and inquisitively, innocently and with exploitative intent. For the purposes of the this project, the term hacker will be reserved to the first 4 definitions given above while the term “cracker” will encompass the 5^th definition. It is important to note; however, that in most every article, book, and newspaper, the term hacker is used to define a “cracker”. In these cases, please take the definition in context with the article.

The art of hacking computers can be traced back to the late 1960s and 1970s when young adults like Bill Gates, Steve Jobs and Steve Wozniak were inventing the personal computer industry in their garages. From that start, the motley bunch of computer programmers and techie “nerds” began gathering together and sharing information on the computer, possibilities, ideas, innovations etc. The term hacker, back then, defined these types of people—individuals who programmed computers intensely, nerds that knew 3-4 computer languages, people that knew computers inside and out. It wasn’t until the personal computer revolution in the early 1980s, that the term hacker evolved into the infamous connotation. Personal computers became affordable and eventually necessary to the average consumer. With computers being distributed at an enormous rate, the concern of that time was new and innovative technology, not security. By the late 1980s and early 1990s, the average computer user became the consumer and was not quickly associated with “nerd.” This gave innovative, deceptive and creative individuals a whole new breed of people to scam, rip-off, threaten and hack—computer users who could not retaliate nor defend themselves with proper net/computer security. Thus, the evolution of the hacker came from the lack of security precautions taken while the personal computer revolution began. It is only much later in the 21^st century that computer and Internet security has gotten much attention. Computer users are growing exponentially, still, and the availability of security software and hardware is still slow to develop. Improvements have been made, but auxiliary precautions are still necessary to be able to safely use a computer and the Internet.
.

Can't Hack It

There are three major types of cyber crime. The Internet offers limitless communication, which crackers can use to establish connections with cohorts or with their victims. Net-based attacks disrupt information on the Internet and finally, the World Wide Web is a gold mine for information and tools that can be used to facilitate crime on and off of the Internet. Prefabricated programs, detailed instructions, maps, sensitive information, schedules, and addresses can be accessed over the web and make it extremely easy for an individual or group of individuals to remain anonymous, organized, and unseen by the public or by the proper authorities.

Communication allows one or more crackers to plan and coordinate attacks over the Internet or in a physical environment. The distribution of illegal materials (drugs) and pirated materials (programs, music) are also common cyber crimes. Death threats, extortion, and harassment are the more serious instance of cyber crime that can effect individuals or groups of individuals and wind up causing emotional or physical harm on them. Finally, each year thousands of people are scammed out of money over the Internet with a variety of get-rich quick pyramids, bogus college degrees, and email fraud. The Moldavian Web scam cost the crackers over $2.4 million in refunds to the over 38,000 customers scammed through long distance dial-ups of their computers. Consumer complaints increased 6x in 1999 from 1998 alone. The number of people that are potential victims increases as every computer is sold—the problem can only get worse unless serious action is taken.

Digital piracy of software and music has lead to big business screaming for regulation. As of 1994, over 1600 illegal software sites were being operated. The software and music industries claim to be losing $20 and $10 billion dollars (respectively) annually due to the distribution of these pirated materials alone. Again, the net offers the freedom of extortion and scam to anyone who knows what buttons to press. How many of us have illegal files saved onto our hard drives right now? I want my MP3.

As computer users, we all represent potential targets of web-based attacks. There are several targets in particular though, that we as net-savvy computer users should all be concerned about. Computers can be broken into, web sites can be hacked into and manipulated, Denial of Service (DoS) attacks, email bombings, viruses and worms, and eavesdropping. All of these vulnerabilities of a computer user can be used to the advantage of a cracker to gain access to your personal system, steal sensitive information, manipulate your computer in a DoS attack, infect your PC with a virus or worm that destroys files and spread across a network, or to establish open communication between you, the victim, and a potential physical threat. As of July 1999, there was a reported 1400 web hacks. Credit card theft alone has skyrocketed as more and more users are establishing business and making transactions across the net. Carlos Felipe Salgado Jr. stole almost 100,000 credit cards numbers and attempted to sell them on the Internet for $260,000 dollars before the FBI caught him in a sting operation. Salgado did not hack through security measures either, once the firewalls were bypassed; the numbers were available to him without even 40-bit encryption. Computer viruses such as Chernobyl (CIH) and the Melissa macro virus have spread worldwide infecting computers, erasing files and overwriting the BIOS. In China, over $120 million dollars were lost to the Chernobyl macro virus.

Businesses lost $7.6 billion in the 1^st 2Q of 1999 according to Computer Economics due to viruses. Over ¾ of the computers of business are infected, mainly through email, by these viruses. Clearly, crackers have the ability to write and distribute these viruses to one user, one firm, one country, or the entire system of computers connected to the Internet. As the rate of globalization increases, and as advances in communication outweighs the innovations in security, vulnerability lurks within every computer plugged into the wall.

To the amateur cracker, the Internet is a supermarket for information and tools regarding illegal computer hacking. There are “how to” guides on hacking, social engineering, making bombs, drugs, and evading law enforcement. The software available on the net provides crackers with the means to automate crimes and to hide any trace of illegality. The NY TIMES reported that in 1997, there were 1900 hacker web sites and more than 30 hacker publications.

The tools of the trade are available for free download on the net. Programs that serve as Network monitors are programs like Back Orifice, Netbus, and Backdoor-G—all of which allow the cracker to remotely gain control of the infected computer to excise sensitive information such as image, packets, keystrokes, and files. These programs can be hidden within another program like a game or the free trial of a utility. Password cracking programs like Crack, LOphtCrack, and John the Ripper are used, obviously, for breaking into password protected systems. Several different programs including Ping of Death, Smurf, SYN flood, Land, Teardrop, and FloodNet can initiate remote DoS attacks. Trojan horse programs by the likes of Trin00, Tribal Flood Network, Stacheldraht (used in the DoS attacks of Feb 2000) can also be distributed secretly and used to organize large-scale attacks on popular web sites like buy.com, yahoo.com and ebay.com. There are also a whole series of programs designed to find the vulnerabilities of computer systems over the Internet. Right behind that are sets of programs designed to exploit those specific weaknesses. Want to write a virus? There are even programs available on the net for those aspiring authors of computer viruses as well. Will one be a bestseller on your PC?

Update: 4/23/00

On April 17th, Canadian police arrested a 15 year old boy that goes by the name Mafiaboy online in conjunction with the February DoS attacks. It is claimed that Mafiaboy made several claims in online chat rooms of his involvement with the attacks and the FBI has reason to believe that the attacks came from an ISP in Montreal of which Mafiaboy holds two accounts. Currently, the boy is being charged under the Computer Fraud and Abuse Act, which was expanded in 1996 to cover all computers used in commerce. It prohibits the unauthorized access of information and the transmission of anything that causes damage or facilitates fraud and extortion. Mafiaboy could face 6 months to 10 years in prison for a repeat offender and twice the gross monetary loss to the victim.
..

Legal Schmegal

In 1998 there were 418 cases handed to federal prosecutors, up 43% from the previous year. Only 20% of those cases were filed with charge of cyber crime. Over 40% of the cases that are brought to the prosecutors do not have enough evidence for a successful trial. Of the 418 potential cases, only 47 of them resulted in conviction with the average sentence being 5 months in jail (half of those 47 cases resulted in no jail time). Since 1992, a total of 84 cyber criminals have been imprisoned. That’s it. The cost of cyber crime, estimated by CSI/FBI, is near $124 million for the 163 organizations surveyed. According to ASIS however, over $250 Billion have been lost in intellectual property theft. These numbers are merely estimates that do more than point to a problem, they scream at a need for a solution.

In light of the recent DoS attacks, President Bill Clinton held a summit at the White House calling in the leaders of the computer industry to try and formulate the problem in a manageable and solvable way. What came from the meaning was a need for increased security in the high-tech market. Cyber crime is one of the most critical issues in law enforcement with the rate of online crime escalating from 547 “computer-intrusion cases” in 1998 to 1,154 in 1999 according to the FBI. Louis Freeh, Director of the FBI, stated, “In short, even though we have markedly improved our capabilities to fight cyber intrusions the problem is growing even faster and we are falling further behind.”

Janet Reno has proposed a five-year plan to deal with the issue of cyber crime, which will work toward establishing uniformity in the tech industry that would regulate security features on computers and related equipment. The plan also intends to increase the penalty for cyber intrusions by making it a bigger offense to wreak havoc on the Internet. The objective of this plan is to increase awareness of cyber crime, to help regulate technology so that at least some collective effort can be made to securing cyberspace, and to discourage malicious hackers from committing a cyber crime by offering stiffer penalties. The issues at hand are being taken very seriously by both the FBI and the White House and illustrate one very important point: unless action is taken, the distance between a secured Internet and an unsecured Internet will only lengthen with time.

What does big business say about security? The e-comm bigwigs like ebay and yahoo deal with hacking, fraud and security breaches every day. Their systems are constantly under the strain of attempted cyber intrusion; however, only the most serious cases are even brought to attention of the FBI—yielding mostly limited results. The FBI and the federal courts do not have the technology to investigate and convict potential cyber criminals. Therefore, it is futile for these companies to rely on the law when there are simply no resources at hand to investigate these types of crimes. Instead, corporations that cannot afford to rely on the government for support invest billions of dollars into high-tech security measures. While funding for prosecutors remains static, computer crime has quadrupled over the past three years, according to a survey by the FBI and San Francisco's Computer Security Institute. Seventy-five percent of the hacking victims—most often corporations and government agencies—said it cost an average of $1 million per intrusion to investigate, repair, and secure their systems. Corporations spent $7.1 billion in 1999 on corporate security to protect themselves against cyber attacks and the bill could reach $17 billion by 2003, according to Internet analysts at Aberdeen Group in Boston, Mass. The evolution of the Internet has illustrated a very sensitive weakness, technology that outweighs it’s security and the economy and society that depends on it will be under constant strain until adequate security measures are taken into effect. The effects of security on business and e-commerce are analyzed in detail in another focus of this project.

Conclusion

Hacking, the essence of programming, has become one of the most potential disasters of the Internet. While everyone remains concerned with the Microsoft anti-trust case, the latest web browser, or the best place to buy a garden rake on the net, the silent but deadly art of hacking computer systems has gained a firm hold in cyberspace. It will take more effort than simply outfitting every computer with virus software. After all, the people designing virus software work in a reactionary response to the crackers, not proactively.

Is there a way to secure the Internet from hackers? Absolutely not. Here is an analogy. Is there anyway to stop speeding cars on the highway? No. Are there ways to regulate speeding and to keep it to a minimum? Yes, more than likely. In light of this rant on hacking the Internet, no, there is not a cure-all solution for safeguarding cyberspace. Technology is still an option in this country. The only way to assure one’s security over the Internet is to unplug it from your wall. Precautions can be taken; however, and that will be discussed upon in a later focus of this project.

Like all crime, the CSI/FBI need people to point fingers at. Right now, it is relatively impossible to trace the source and individuals responsible for cyber attacks. Programs facilitating the capture and conviction of cyber criminals should be initiated, many have been, and the seriousness of this issue needs to be released every time someone buys a computer.

Perhaps my dad isn’t so tech stupid after all. He hates computers, because he values his privacy and security more than anyone I know does. To him, a computer represents a portal right into someone’s house—vulnerability; a weak spot that can be exploited by the knowledgeable and the willing, unbeknownst to the typical computer user.

Maybe computers need a warning label on the box. It is up to the user to secure their computer. There is information out there. Tons of it. On the Internet, in the library, on the news, everywhere. To use the Internet safely, one must be aware of the problems out there. Hopefully this entire project has shed some light on the subject. If you’re sitting at a computer reading this right now, how many other people do you think know what site you are at, what you are looking at, and what your IP address is? They might know where you live, your email address or your favorite flavor of ice cream. Or they might not.
Back to Psybersite

This project was produced for PSY 380, Social Psychology of Cyberspace, Spring 2000, at Miami University. All graphics in these pages are used with permission or under fair use guidelines, are in the public domain, or were created by the authors. Last revised: Tuesday, March 11, 2014 at 17:34: %3 This document has been accessed 1 times since 1 May 2000.
Comments and Questions to R. Sherman.