Computer Terrorism : What are the risks




Chapter 2: Computer criminality

Introduction

The goal of this chapter is to draw the reader's attention to the extent of computer criminality, as well as to our vulnerability to these attacks.

Definition

Computer criminality is a large field whose borders are not always easy to define. Each country has different legislation on this subject and has reacted more or less quickly to the problem. In Europe, Sweden was the precursor, instituting a law in 1973 which regarded the unauthorized acquisition of stored data as a crime [LAB90_1], whereas the Netherlands did not regard intrusion (without damage) into a computer as a crime until after 1990 [LAB90_4].

David L Carter, professor at the Department of Criminal Justice of the University of Michigan, proposes a classification of computer criminality [CARTER92].

1. The computer as the target

This category includes actions such as:

2. The computer as the tool of a conventional crime

This category covers the cases where the computer facilitates the work of the criminals, but is not essential to their activities.

3. The computer generates new types of crimes

This category covers "traditional" crimes, adapted to the computer.

This classification is not exhaustive. In what follows, I will concentrate on the first two categories.

Hacking

Definition

Hacking is the activity of a hacker. The meanings given to the word hacker are very varied 2. Basically, a hacker is a person who enjoys exploring a programmable system in detail and who seeks to extend his knowledge of this field as far as possible. Currently, the term is generally used to designate persons who illegally break into computer systems [STERLING92]. In this document the term hacker will be associated with this last definition, which also incorporates phreaking (telephone hacking), since these two activities are very close.

Introduction

The goal of this chapter about hacking is to discuss some cases that show the incredible vulnerability of computer systems. A study carried out in 1992 by USA Research Inc showed that the number of intrusions into computer systems in the United States had grown from 339,000 in 1989 to 684,000 in 1991 [ROUSH92]. These numbers are to be interpreted carefully, because very few cases are actually reported to the authorities. The NCCS estimates that less than 10% of break-ins are reported [ICOVE95]. Companies that are victims of hackers do not want the bad publicity that comes with acknowledging their weaknesses.

Some cases

Witness Protection Program

In the Eighties, a hacker called Michael Sinergy penetrated the computer system of the national credit agency (TRW), which holds financial information for nearly 80 million Americans. Michael's aim was to consult the file of President Ronald Reagan. He found the file that he was looking for and saw that 63 other people had consulted the same information that same day. He also noticed a group of 700 people who seemed to hold the same credit card and whose account history was strange. They seemed to have no past. He realized that he was in all likelihood looking at the credit history, as well as the names and addresses, of people in the Government witness protection program. As a good citizen, he quickly warned the FBI of this potential security hole in their protection program [CLOUGH93].

ATM

In France, a hacker had found a means of remotely reprogramming the exchange rates of an ATM (Automated Teller Machine). He gave himself, for example, an exchange rate of 5 dollars for 1 franc and changed 100 francs. He then carried out the opposite operation, setting the exchange rate to 5 francs for 1 dollar, and went back to change his dollars, thus receiving 2500 francs! [BLANCH95]

Embezzlement

In 1988, seven criminals carried out an embezzlement at the First National Bank of Chicago. They transferred 70 million dollars belonging to 3 large companies to an account in a New York bank and then, from there, to two banks in Vienna. The transfers were ordered by telephone. The bank called its customers to request confirmation of the transfers, but the calls were diverted to the residence of one of the criminals. The affected companies quickly discovered the embezzlement and an investigation was opened. With the help of the records of the confirmation calls, the investigators arrested the seven criminals before they could escape. [ICOVE95]

Pocket money

Fry Guy was a 17-year-old hacker living in Indiana (USA). In 1989, he became a master in the art of controlling the network of the local telephone company and found an easy means of getting a little pocket money. He contacted a merchant, telling him that he was an employee of a credit card company, and got him to give his customer number and his password. With this information, Fry Guy connected to the computer of the credit company to find the list of the merchant's customers. He then selected a "quite rich" customer and wrote down his telephone number and his credit card number.

He diverted the telephone line of his victim to a telephone booth in the small town of Paducah, and the line of the booth to one of his own telephones. He called a bank to order a transfer to its Paducah branch, debiting the card of his victim. The bank called back to request confirmation of the transfer, and it was he who answered. He then only had to restore both telephone lines and go to collect the money [CLOUGH93].

Phreaking

Phreaking is the action of pirating telephone networks. This activity is related to computer hacking because hackers have to spend long hours connected by modem to the computers that they have chosen as targets. This can become very expensive. It is for this reason that the majority of hackers are also phreakers. Moreover, since modern telephone exchanges are computers, hacking the telephone is very close to hacking a "traditional" computer.

The first recorded case of phreaking occurred in 1961, and the first article on this subject was written in 1971 in Esquire magazine. At that time, phreaking was an activity primarily practiced by blind men who used the telephone as a means of breaking their isolation. To speak to each other, they used the test lines used for system maintenance. Each end of such a test line has its own telephone number assigned to it, so it is easy for two people who agree in advance on which line to use to each call one of the ends and be in contact for free.

Gradually, the techniques improved and it became possible for hackers to use all the functionalities of the network. With the "blue box" 3, a device able to generate command dial tones, it became possible for phreakers to control the network as easily as an employee of the telephone company. [CLOUGH93]

Motivations and ethics

Many hackers explore computer systems out of simple curiosity and for the intellectual challenge. "True" hackers have an ethical code prohibiting the destruction of any information. However, the bad guys understood that they could use this particular knowledge to gain advantages. The most traditional case is the theft of credit card numbers, but some of them found more original means, such as the hacker who had mastered telephone hacking and who won games organized by radio stations: he blocked all the phone calls of the listeners, so that he was the first one to call the radio and win the prize!

A much more serious hacker was Karl Koch, a member of the famous Chaos Computer Club, who pirated American sites on behalf of the KGB, providing them with various programs, password lists, etc. [CLOUGH93] He did not act out of ideology but rather for money (he was a drug addict) and also to practice his favorite pastime: hacking!

Dr. Frederick B Cohen proposes a list of motivations [COHEN95] which can incite people to enter the world of computer criminality.

The most banal motivation is money (see the two previous examples).

For the challenge, or to obtain a certain social recognition (and to be able to be part of a group), a young hacker must always go further. Dr. Cohen quotes the case of a German club which requires its new members to create a new virus as a membership fee.

The revenge of a laid-off employee is often the reason for the destruction of data and even hardware!

In a related field, we find self-defense. For example, take a programmer who introduces a logic bomb into his program in order to ensure that he will be paid 4.

Sometimes the pursuit of economic advantage leads to the use of illegal means to obtain the trade secrets of a competitor. At the end of the Cold War, new missions had to be found to justify the enormous infrastructures of the intelligence services, and economic intelligence became one of the priorities of these agencies. The degree of involvement varies from one country to another. It would seem that the French services, as well as the American ones, are very active in this field, the French directly helping their companies by providing confidential information and the Americans discrediting the competitors [GUISNEL95].

Viruses, Worms and Trojan horses

Definitions

A virus is a program that is able to reproduce in a computer, able to infect other programs and, thus, able to be transmitted from one computer to another, if we copy an infected program to another computer. If they only reproduced, the viruses would not worry anybody. However, the problem is that they can be programmed to be harmful; for example by erasing all of the machine's data on a precise date.

A worm differs from a virus in that it transfers itself from one computer to another through a network. The best known and most devastating example is undoubtedly the ARPANET worm, which paralyzed the network in 1988.

A Trojan horse is a program which is not what it seems to be. For example, let's say you receive by (snail) mail an advertisement in the form of a floppy disk featuring the demonstration version of a new word processing program. If, in addition to being a word processing program, its programmer decided to make it seek the list of all the applications contained in your computer and erase all other word processing software, it is a Trojan horse. Behind the appearance of honest software hides a perfidious program! It is also possible to use a Trojan horse to introduce a virus onto a computer. In this last case, the "ideal" Trojan horse is an antivirus program that the user installs in all confidence on his machine!

Examples

A C compiler as a Trojan horse

The C compiler designed by Ken Thompson and Dennis Ritchie with the aim of rewriting the core of the UNIX system was a Trojan horse, since it did not just compile the desired program. If the program to be compiled was the UNIX source code, the compiler modified the code of the login function in order to introduce a back door, thereby allowing Ken and Dennis to enter the system thanks to a default password.

As this back door could easily be seen during a review of the compiler's source code, Thompson added a function to the compiler which detected whether the program to be compiled was a C compiler and, if it was, added the first Trojan horse there. All that was left was for him to remove the traces from the source code, and from then on the back door became undetectable [COHEN93] [THOMP84].

This story was revealed in 1984 by Ken Thompson. We will never know if it is true or not. However, he told it with the aim of making us aware of the following:

We cannot trust code which we did not completely write ourselves!

AIDS Information

In December 1989, 20,000 floppy disks containing AIDS information software were sent to the four corners of the world, in packaging that made it appear to come from WHO. Upon execution of the program, the traditional text of the license was displayed, warning the user against fraudulent use of the software and inviting him to pay for it. Generally, nobody reads this text, but this time it would have been preferable to have done so. The terms of the contract specified that in the event of non-payment, measures would be taken against other software on the computer! Many people quickly tested this software and, after a few uses, the Trojan horse destroyed their files. We will never know the exact extent of the damage [DORAN96].

ARPANET's worm

On November 2, 1988, Robert Morris Jr, a graduate of Harvard University, released a worm on ARPANET 5. The worm was transmitted from machine to machine by exploiting a bug in the electronic mail system. While reproducing, the worm saturated the contaminated machines. Very quickly, all network communications were severely slowed down. The system administrators had no other choice but to disconnect their machines from the network. The following day, the worm was neutralized and it was the center of attention. The ARPANET network, designed to be used for military communications in the event of nuclear attack, "had been brought to its knees" by a simple program written by a student! [CLOUGH93]

Human factor and human engineering

If there is a weak link in the computer security chain, it is the human being. The majority of intrusions into password-protected computer systems are carried out using dictionaries of commonly used terms. How many among us use, as an ATM code or a computer password, a date of birth (ours or that of a close relation), a wife's name, our children's names, or banal terms like "secret", "Star Trek", etc.? There are also employees who, fearing that they will forget a complicated (and thus much more secure) password, write it on a bit of paper and stick it on the edge of their computer screen!
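The check below is an added example, not part of the original document: it shows how a password-change routine could reject the kinds of choices listed above (dates of birth, relatives' names, banal terms), including simple disguises such as "S3cr3t!". The word list, the user profile and the function names are constructed assumptions.

```python
import re
from datetime import date

# Constructed word list: the banal terms named in the text plus two common ones.
COMMON_TERMS = ("secret", "startrek", "password", "letmein")
# Undo common character substitutions (0->o, 3->e, @->a, ...) before matching words.
LEET = str.maketrans("013457@$!", "oieastasi")

def normalize(text):
    """Lower-case, reverse substitutions, then drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))

def date_forms(d):
    """Digit strings people typically derive from a date (DDMM, MMDDYY, YYYY, ...)."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + mm + yy, mm + dd + yy, yy + mm + dd,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd}

def weak_reasons(candidate, personal_names=(), personal_dates=()):
    """Return why a password or PIN is guessable; an empty list means no match."""
    reasons = []
    digits = re.sub(r"\D", "", candidate)   # dates are matched on the raw digits
    folded = normalize(candidate)           # words are matched after normalization
    for d in personal_dates:
        if any(form in digits for form in date_forms(d)):
            reasons.append(f"contains date {d.isoformat()}")
    for name in personal_names:
        key = normalize(name)
        if len(key) >= 3 and key in folded:
            reasons.append(f"contains personal name {name!r}")
    for term in COMMON_TERMS:
        if term in folded:
            reasons.append(f"contains common term {term!r}")
    return reasons

if __name__ == "__main__":
    # Constructed user profile and candidate passwords, for illustration only.
    names, dates = ["Marie"], [date(1961, 7, 14)]
    for pw in ("S3cr3t!", "St@r Tr3k", "1407", "M4rie2024", "vq7#Lw2p9x"):
        print(f"{pw!r}: {weak_reasons(pw, names, dates) or 'no match'}")
```

An empty result only means that none of these particular patterns matched; it does not measure the strength of the password.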

The term "human engineering" (or social engineering) refers to manipulating a person without his knowledge, by pretending to be someone else and using psychology and the appropriate jargon to make him naturally reveal information that he holds. This is the technique used by Fry Guy in one of the previous examples. It should not be believed that it was an isolated case. During the research phase prior to writing this document, I had the chance to notice many such cases, even in circles which should be sensitized to the problems of security measures, such as the US army. Matthew G. Devost quotes the example of Susan, a hacker [DEVOST1]:

As Susan later told the story, a team of military brass...from three services sat at a long conference table with a computer terminal, a modem, and a telephone. When Susan entered the room, they handed her a sealed envelope containing the name of computer system and told her to use any abilities or resources that she had to get into that system. Without missing a beat, she logged on to an easily accessible military computer directory to find out where the system was. Once she found the system in the directory, she could see what operating system it ran and the name of the officer in charge of that machine. Next, she called the base and put her knowledge of military terminology to work to find out who the commanding officer was at the SCIF, a secret compartmentalized information facility. Oh yes, Major Hastings. She was chatty, even kittenish. Casually, she told the person she was talking to that she couldn't think of Major Hasting's secretary's name. "Oh" came the reply. "You mean Specialist Buchanan." With that, she called the data center and switching from nonchalant to authoritative, said, "This is Specialist Buchanan calling on behalf of Major Hastings. He's been trying to access his account on the system and hasn't been able to get through and he'd like to know why" ...Within twenty minutes she had what she later claimed was classified information up on the screen. Susan argued "I don't care how many millions of dollars you spend on hardware, if you don't have people trained properly I'm going to get in if I want to get in.".



Please, send your comments to

Patrick Galley (Patrick.Galley@theoffice.net)

Last updated: July 1, 1998

