Reprinted with permission from Horizon Air Magazine, January 2001 issue, copyright 2001. All rights reserved. No part of this article may be reproduced by any method or in any form without the prior written permission of the publisher.
Cyber Sleuths
Net experts trace and chase e-bandits
By Eric Lucas
Tyler Edwards is a pleasant 23-year-old with a particular aptitude, software engineering, and the chance to wreak a little havoc. Clicking a dialogue box on his computer, he executes a characterization program called NAT, which invades a nearby server and begins to scope it out: what applications are on it, what ports are open to outside traffic, what holes are in its software. All these are avenues for destruction. NAT is like an unwelcome periscope poking its head up into the shipping lanes of its target computer, which is named MrKnowItAll.
The intrusion is a quiet, unremarkable, almost undetectable process. No alarms ring; no lights flash; no glass breaks. Edwards sits back in his chair, watches a tracking chart on his screen and inspects the feedback NAT returns to his machine. This information can be used to design an actual attack on the other computer: a quick strike by a virus; invasion of databases; placement of a worm that burrows its way into the computer's software and sets off destructive actions; perhaps even seizure of the machine's identity.
Luckily for MrKnowItAll, it's a simulation. The attacking machine and the target server are offline, not connected to any network outside this room. Edwards is a programmer at Pacific Northwest National Laboratory in Richland, Washington, a federal facility where 15 computer experts are deliberately practicing the art of electronic attack so they can teach others how to fend it off, and how to recognize it and trace it when it does happen.
War games, in other words.
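The probe described above leaves no trace on the target's screen, but in the target's connection logs it shows up as one source touching many ports in a short span. The following added example, not from the article or from PNNL, flags that pattern in constructed firewall-style log lines; the log format, the 60-second window and the 10-port threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (format assumed, not from the article): one
# host walks eleven ports on the server in twenty seconds, another just browses.
SAMPLE_LOG = """\
2001-01-15T10:00:01 src=10.0.0.5 dst=192.168.1.20 dport=21 action=DENY
2001-01-15T10:00:03 src=10.0.0.5 dst=192.168.1.20 dport=22 action=ALLOW
2001-01-15T10:00:05 src=10.0.0.5 dst=192.168.1.20 dport=23 action=DENY
2001-01-15T10:00:07 src=10.0.0.5 dst=192.168.1.20 dport=25 action=DENY
2001-01-15T10:00:09 src=10.0.0.5 dst=192.168.1.20 dport=53 action=DENY
2001-01-15T10:00:11 src=10.0.0.5 dst=192.168.1.20 dport=80 action=ALLOW
2001-01-15T10:00:13 src=10.0.0.5 dst=192.168.1.20 dport=110 action=DENY
2001-01-15T10:00:15 src=10.0.0.5 dst=192.168.1.20 dport=139 action=DENY
2001-01-15T10:00:17 src=10.0.0.5 dst=192.168.1.20 dport=143 action=DENY
2001-01-15T10:00:19 src=10.0.0.5 dst=192.168.1.20 dport=443 action=ALLOW
2001-01-15T10:00:21 src=10.0.0.5 dst=192.168.1.20 dport=445 action=DENY
2001-01-15T10:00:02 src=10.0.0.9 dst=192.168.1.20 dport=80 action=ALLOW
2001-01-15T10:00:08 src=10.0.0.9 dst=192.168.1.20 dport=443 action=ALLOW
2001-01-15T10:00:14 src=10.0.0.9 dst=192.168.1.20 dport=80 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_port_scans(log_text, window_seconds=60, min_ports=10):
    """Return {(src, dst): peak distinct-port count} for pairs that touch at
    least min_ports distinct ports within any window_seconds span. Allowed and
    denied connections both count: breadth of ports, not rejection, is the tell."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, src, dst, port = rec
        events[(src, dst)].append((ts, port))
    window, alerts = timedelta(seconds=window_seconds), {}
    for pair, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:  # slide window start
                start += 1
            distinct = len({port for _, port in recs[start:end + 1]})
            if distinct >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts
```

Lowering min_ports or shrinking the window trades missed scans for false alarms on busy clients; the two parameters are where a site tunes the detector to its own traffic.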
Edwards works in PNNL's CIPAL (Critical Infrastructure Protection Analysis Laboratory), started in 1999 as part of an $8 million effort designed to expose vulnerabilities and identify response techniques. It's the leading edge of a battle in which the entire globe is the arena, the weapons are couched in binary electronic impulses, and pathways and identities are almost always disguised. The tactics are new and expanding along with the popularity of the Internet, and security experts and law enforcement officials are just now developing strategies to deal with them.
"We are just in the baby stages of figuring all this out," says Lana Martuscelli, a Washington state prosecutor who last year filed the first criminal action undertaken by the Washington Attorney General's high-tech unit. The unit was formed just this past summer. The case is a felony stalking case, still in pre-trial stages, in which a barrage of e-mail is among various types of stalking being alleged.
In a statement before Senate and House crime subcommittees last February, Michael Vatis, director of the FBI's National Infrastructure Protection Center, said, "Whether we like it or not, cyber crime presents the most fundamental challenge for law enforcement in the 21st century."
"Since cyber assaults can threaten the economy, public safety and national security, it's critical that the country have programs and resources for investigating and deterring cyber crime," he said, noting that foreign militaries that can't match the United States' conventional-weapons power may see information warfare as a promising way to attack. "We know that several foreign nations are developing information-warfare doctrine, programs and capabilities."
"To fight foreign and domestic cyber crime, law enforcement must retool its work force, equipment and information infrastructure," he said. Just investigating a case can mean analyzing huge amounts of data. "A recent network-intrusion espionage case required analyzing 17.5 terabytes of data, almost double the amount of information in the Library of Congress, which if digitized would comprise 10 terabytes," Vatis said.
In November, the FBI announced the opening in San Diego of the country's first multiagency Regional Computer Forensics Laboratory. The lab will be a prototype for regional labs across the country that bring together each area's best-trained computer-forensic examiners to fight techno crime in state-of-the-art facilities.
Because cyber offenses take place in a noncorporeal realm, they afford their practitioners physical invisibility, as well as instant global range. A hacker in the Philippines can reach out to computers around the world and cause havoc, utterly anonymously. That's what happened with last year's notorious Love Bug. When unwitting recipients opened an e-mail attachment that said "I love you," the attachment unleashed a worm that overwrote computer files.
Although no one has a real handle on financial ramifications yet, 273 organizations responding to a 2000 Computer Security Institute survey said they had lost more than $265 million the prior year because of computer crime. Hundreds of low-level attacks take place every day, and most major Web sites and computer networks are scanned (subjected to exploratory probes, usually rejected) dozens of times a day. Even Microsoft, a company that enforces stringent, elaborate security procedures, was hacked late last fall. The attacker ferreted his way into the Redmond, Washington, company's internal systems and helped himself to proprietary information. At press time, the culprit had not been caught, and Microsoft was insisting that crucial information had not been tapped.
In this case, as in all, the attack could have come from anywhere on Earth, from someone hidden behind a dozen illusory identities. If you have a computer and it is connected to any external network, such as the Internet or your company's computer network, then you're exposed.
But while cyber-crime methods are novel, cyber-crime motives are nothing new. Most of the attacks are for ends as old as human enterprise: stealing money, information or identities; vandalizing property or time; invasion of privacy; diversion of commerce. And, fascinatingly enough, many cyber criminals make the same mistakes that yeggs did a century ago. Bragging, for instance. Cops will tell you that even the canniest burglar can't resist recounting his exploits in a bar somewhere. Modern-day hackers do the same, posting their exploits on hacker Web sites. In either case, the tales eventually lead authorities to the perpetrators.
Because cyber criminals brag under assumed identities, security experts don't trace names. "They're all false anyway, obviously," says Bill Orvis, a network-security expert at Lawrence Livermore National Laboratory east of San Francisco. "We trace packets [the bundles of digital data encoded and decoded via computer software every time information travels the Net], and as soon as they start bragging about their exploits online, we begin tracking that packet, and we or law enforcement personnel will find them."
Orvis is a member of the U.S. Department of Energy's Computer Incident Advisory Capability Team. Like many cyber detectives, he's a hip, wired version of Sherlock Holmes. "I've always been a puzzler," he says. "I enjoy taking a machine that we think has been hacked and searching through it to find out where the hacker put his files and what he did while he was using the machine. Like in the Hardy Boys books, I get to do sleuthing, but without having to leave my desk (at least, not very often)."
Orvis is actually a physicist by training. Originally an expert in computer modeling, he became interested in computer viruses when they began to appear in the late 1980s. He came to the attention of the DOE response team in 1989 when he discovered a security hole in a federal computer system.
The seven-member DOE team was called in when the famed Melissa virus crashed networks around the country in the spring of 1999. Those who trace hackers are loath to discuss the details of how they do so, lest they give criminals an edge, but several accounts report the following about how the Melissa malefactor was caught:
Melissa, the first widely disseminated e-mail virus, was sent via a stolen America Online account that was used to post a message with an attachment to a newsgroup. AOL logs recorded the telephone line used for the posting, and that line led to the culprit's own Internet service provider, where logs showed the original telephone from which the calls were made. In addition, Melissa's author had used Microsoft Word to create the attachment, and unknown to the author, Microsoft had embedded in Word a function that tacked the same I.D. number onto every document written with a particular copy of the software, according to Larry Bridwell, content security program manager for TruSecure Corp., which helped the federal government determine that the virus caused more than $80 million worth of damage. Authorities decoded the number; called Microsoft to see if that copy of Word had been registered by anyone; and sure enough, discovered the identity of the buyer. David Smith of New Jersey pled guilty in a plea agreement and faces five to 10 years in prison. Sentencing is expected to take place next month.
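The identifier that gave Melissa's author away was a GUID that Word stored in every document; the GUIDs Office 97 generated were RFC 4122 version-1 values, whose last six bytes are the network-card address of the machine that made them (a well-documented part of the Melissa record, though the article does not spell it out). The following added example, not from the article or from any of the parties it names, shows the defender's side of that lesson: it finds GUID strings in a file and reports which ones would tie the document to a specific machine. The MAC address, the version-4 GUID and the document bytes are constructed.

```python
import re
import uuid

# Constructed identifiers (not from the article): a version-1 GUID carrying the
# IANA documentation MAC 00:00:5e:00:53:01, and a random-style version-4 GUID.
SAMPLE_V1 = uuid.uuid1(node=0x00005E005301, clock_seq=0x1234)
SAMPLE_V4 = uuid.UUID("9f2c1b6e-7d3a-4e5f-8a1b-2c3d4e5f6a7b")
# Constructed stand-in for a document: the v1 GUID stored as UTF-16LE text (the
# way Office property streams store strings) and the v4 GUID as plain ASCII.
SAMPLE_DOC = (b"\x00" * 8 + ("{%s}" % SAMPLE_V1).encode("utf-16-le")
              + b"\x00" * 8 + b"id=" + str(SAMPLE_V4).encode("ascii") + b"\n")

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")


def inspect_guid(guid_text):
    """Report what a GUID reveals about the machine that generated it."""
    u = uuid.UUID(guid_text.strip("{}"))
    node = u.node  # the final 48 bits of the GUID
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # RFC 4122: a version-1 GUID puts the generating host's IEEE 802 address in
    # the node field; a randomly chosen node must set the multicast bit (LSB of
    # the first octet), which a genuine unicast hardware address has clear.
    multicast_bit = (node >> 40) & 0x01
    return {
        "version": u.version,
        "node": mac,
        "hardware_derived": u.version == 1 and multicast_bit == 0,
    }


def find_guids(data):
    """Locate GUID strings stored as ASCII or UTF-16LE and inspect each one.

    Returns {guid_lowercase: inspect_guid(...)} so a reviewer can see which
    identifiers in a file would link it to a particular machine."""
    found = {}
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        for m in GUID_RE.finditer(text):
            found[m.group(0).lower()] = inspect_guid(m.group(0))
    return found


if __name__ == "__main__":
    for guid, info in find_guids(SAMPLE_DOC).items():
        print(guid, info)
```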
So, just as real-world criminals have long been caught because sooner or later they do something stupid (rob a bank and drop their driver's license on the way out), electronic criminals are keeping that tradition alive. Even the attacks, while new in detail, bear similarities to longstanding traditions. Database destruction, for instance, dates back to ancient times. The famed library at Alexandria, Egypt, was burned multiple times. Among the more notable: Julius Caesar set it to flames in 48 B.C.; Theodosius I burned it in 391; and the Caliph of Baghdad ignited it in 642.
Then there's social engineering, the wry term for the human element of criminal activity. World War I spy Mata Hari was a social engineer, using the oldest of all human impulses to steal secrets.
Most security experts suspect password theft is more often accomplished sociologically (by worming it out of coworkers, or simply checking unwatched desk drawers) than electronically. And unguarded computers are sitting ducks, never mind how much security has been loaded in them. "If I can get my hands on a machine," says Bill Orvis, "it's mine. I've never encountered one yet I couldn't get past the security. If nothing else, I'll open up the back and mess with the chips."
If no machine is impregnable, then true security cannot be a mechanical matter. "The human element is a key, persistent facet of this problem," says security expert Bruce Schneier, author of the book Secrets & Lies: Digital Security in a Networked World, and founder of a San Jose company, Counterpane Internet Security Inc., devoted to digital-security systems. Convenience is one reason computers are vulnerable: security often imposes disciplines that are time-consuming and inefficient. Consider the current case in which a former CIA director allegedly transported federal secrets home on his laptop, and even stored them on disks he stuck in his coat pocket.
Given human nature, Schneier and other experts believe there needs to be a balance between security and usability, a balance we already accept in many circumstances. Take a bank, for instance. If you wanted to safeguard cash on hand or safety-deposit boxes, you could put them in an impregnable concrete structure with no doors or windows, but you couldn't get at them. How much use would that be? The same principle applies to electronic security.
Another banking example: Bank robberies would drop dramatically if everyone who entered a bank were subjected to a thorough body search. But legitimate customers would object mightily, and banking would slow to a crawl.
In the electronic arena, encryption, while providing increased security, also slows down traffic. Let's say you buy flowers from an online company. The merchant's Web server sends a message to your browser telling it to go into a secure mode and encrypt your order information. The vendor's server then decrypts the information when it's received. Anybody with rudimentary hacking skills may be able to intercept the data before it gets to the florist, but they'll have a harder time decoding it.
Modern Internet commerce systems use 128-bit encryption systems to code transactions. This is not impossible to break, but doing so would generally take months of time, significant knowledge and extensive computing power. Many experts figure there aren't many cyber crooks with all three. However, other experts note that some companies make the keys to their codes easy to get to by protecting them with easy-to-crack passwords. There's even a password-cracking program that tests passwords against an 8-megabyte dictionary of popular passwords in a matter of seconds.
And the complicated encryption process is what slows online buying, and makes it difficult for those who don't have high-speed processors and phone lines.
Firewalls, another defense, work by restricting computer-system access to specified parties for specified purposes. They're designed to keep people out unless you let them in.
Even with firewalls and encoding, Schneier believes that unfailing technological security is impossible. "I used to think you could write an encryption program that would be unbreakable. I was wrong," he says. "Firewalls are good, but not perfect. In the electronic world, security will truly rely on the same thing it does in the real world: detection and response."
In the electronic world, however, some important questions are still being answered: What's a crime? How do you prove it? Where do you do so?
"Obviously, theft is a crime," says Paula Selis, an attorney in the Washington state Attorney General's high-tech unit. "But let's say a Seattle resident uses an auction site to buy an antique marble table from someone in Chechnya, and it turns out to be a fake. We'd have great difficulty prosecuting it, and the buyer would have to figure out if it was worth the time and money to pursue legal redress over there."
Consider distributed denial-of-service attacks. Here a hacker writes a program that invades thousands of other computers and programs them to start calling on a particular Web site at a designated time. The traffic demand becomes too great, and the Web site crashes. This was done to sites such as Yahoo!, Amazon and eBay last year, shutting the various sites down for hours. The impact on the targeted companies was $1.2 billion, according to the Yankee Group.
Is denial-of-service a crime? "Yes, malicious mischief," says Martuscelli, the prosecutor assigned to Washington's high-tech unit. "Any time an action causes more than $1,500 in monetary damage, it's a Class B felony." But mischief seems much too light a word for an attack that causes such huge paralysis; theoretically, it would be possible (although very, very difficult) to bring down the entire Internet. And, of course, if the attacker is in, say, Mongolia, identification and prosecution will be difficult.
Another example: Last year a hacker broke into a popular music-sales Web site and stole 300,000 credit card numbers on file there. Although the attack was discovered quickly, and there's no evidence any of the numbers were used illegitimately, the company lost customers. What crime is that?
In Washington state, it would be a new one, described in a 1998 law, called computer trespass: entering another person's computer without his permission. It's a gross misdemeanor. Idaho, Montana, Oregon and California have similar laws.
But other states, and certainly other countries, lack such a law. Perhaps there should be a global code governing electronic commerce. "Believe me, this is something that's being discussed intensely worldwide," says Martuscelli. "And these sorts of problems are not entirely new. Think of the extradition problems that crop up when criminals flee the United States, or even to other states."
Then there are differences in criminal codes. About a dozen states, including Washington, now forbid unwanted and deceptive e-mail. Other states have restrictions on how unsolicited e-mail is sent. For example, in California, the subject line for promotional e-mail must say it's an advertisement. Delaware forbids unwanted bulk e-mail whether it's deceptive or not. What if an e-mail sender is in a state that doesn't have such a statute? "Well, our principle has always been that if the recipient of such things is in Washington, the crime has been committed in this state," says Martuscelli.
Unfortunately, deceptive e-mails and other scams are now endemic on the Internet. The Federal Trade Commission publicized its "Top 10 dot.cons" last fall, with phony auctions at the top of the list. And Internet-related stock fraud costs investors $10 billion a year, says the North American Securities Administrators Association. Most scams are best addressed by advising individual Internet users to practice common sense, but experts are working on behind-the-scenes problems, too.
Bryan McMillan, manager of information technology at Richland's Pacific Northwest National Laboratory, points out that software can contain 35 million to 50 million lines of code, an immense block of digital script that may have potential holes: places in the software where new code can be slipped in or where existing code can be manipulated or replaced. CIPAL, the computer-security lab, is working on ways to make software more immune to attack.
The lab also runs attack simulations designed to reveal flaws in existing systems: Agencies and companies interested in vetting their systems can actually bring them to the lab, and CIPAL programmers will set up an experimental attack. The lab has done this for some clients already, but McMillan isn't at liberty to discuss the cases.
"Let me put it this way: We can simulate just about anything," he says.
In a world where just about anything seems possible, including the rather horrific possibility that an expert major attack might bring the whole system down, getting ready for the worst seems prudent. And while the worst may not happen, lesser crimes can be plenty troublesome. As the experts say, better secure than sorry.
Security is one of the reasons freelancer Eric Lucas does not print his e-mail address on his business card.