Interview: Richard Power - How difficult is it to quantify the effects of cyber criminal activity?
Date: October 15, 2003
Source: Computer Crime Research Center
... a more serious look. . . .
You've been monitoring crime, probably more specifically than anybody else that I've talked to. Was there a case that sort of blew your socks off?
In the mid-1990s, there was a rumor about something called BlackNet. And the rumor was that there were these crackers online who were stealing and selling information, and you could ask them for whatever you wanted. They could go get it, email it to you, and it was all done with encrypted accounts and anonymous remailers, and all very cloak-and-dagger on the Net. Some people said this was real, some people said it was an FBI sting. Some people said it was a hoax. BlackNet itself turned out to be a hoax, perpetrated by a bright young "cypherpunk," as they're called.
But while that urban legend was passing around the internet, there was a real "BlackNet" operation going on. It was eventually called "Phonemasters" by the federal investigators. This was a gang of crackers, across the country, Philadelphia, Santiago, Dallas, and in Canada, Switzerland, and as far away as Sicily. They were involved in stealing credit card information and reselling that information. They had a menu of activities they could perform. They had Madonna's home phone number, they could hack into the FBI's national crime database. They hacked into a telephone company to find out where the federal wiretaps were for the Drug Enforcement Administration, beeped the dealers that were being tapped and said, "Hey, you're being tapped by the DEA." And that blew drug investigations out of the water. These guys were serious. . . . It took years to get a conviction and a sentence in that case.
Some of the groundbreaking work was done in terms of tapping data transmissions and all kinds of stuff, and it took a long time. But that is what we're talking about when we're talking about financial fraud, about cyber crime on the Net, the range of things that can happen. And you know, these guys were amateurs in the sense of criminal activity. So you can imagine what a serious criminal organization that takes that kind of hacking seriously could do. . . .
. . . We have a highway, this internet, this global cyberspace, but we don't have any yellow lines. We don't have any speed limits. We don't have any driver's license. We don't have any license plates. We barely have car insurance. It's not required. You get my analogy. We want this internet, this global cyberspace, to be completely free, completely open. Everyone does. I do. But we also want to conduct business there, and we want to relax there, and have our children be educated there, and seek entertainment there. Those kinds of activities require law enforcement, require international treaties, and require responsibility--corporate responsibility and personal responsibility. So we have a long way to go before cyberspace is as safe, even as safe as the interstate highways. And, as you know, the highways aren't all that safe. . . .
The Citibank case, where some Russian hackers, notably "Vladimir Lenin" operating in St. Petersburg in Russia hacked into Citibank in New York. They succeeded in committing wire fraud, basically, to the extent of $10 million before they were caught, arrested, tried, convicted and everything else. There are a lot of lessons in that case. Nobody wants to talk about the Citibank case much, because the bankers don't want you to think about problems with online banking and the internet. The dotcom companies don't want you to think about the consequences of cybercrime. . . . This wasn't even an internet crime. This was just a dial-in system where you made transactions to and from your account over the phone. And these systems were compromised early on. I suggest that that kind of activity on the internet is even easier, not harder. And in fact, Citibank, in order to deal with those vulnerabilities after the fact, instituted "smart cards"--cards for the customer to swipe and identify themselves, similar to an ATM card. My suggestion is, if you're conducting online banking, and you are using a password and user ID, you are not using adequate authentication to the network. You are exposing yourself to vulnerability.
Well, the Martin Luther King Day telephone crash, back in the early 1990s, affected the public switch network, the telephone system from coast to coast, for many hours. There was significant infrastructure collapse. . . . We hear a lot of talk about information warfare, and the preparation for information warfare, and the need to build up defenses against infrastructure attacks. And some of the doubters say, "Well, where is the evidence of infrastructure attacks?" And no one will talk about it, and maybe there hasn't been one. But the Martin Luther King Day crash in the early 1990s is an incident that I understand to be an infrastructure attack, although AT&T only acknowledges a software glitch. There was never any prosecution, any arrest or prosecution in the case. There is evidence that it was a single command issued by a hacker that brought down the public switch network that day. . . .
I think it will have to do with tort law, civil liability and exposure. And of course, no one wants to talk about government regulation. But I always point out to people that when they come into their office in the morning and switch on their lights and they get electricity, and they pick up their phone and they get a dial tone, to some extent, like it or not, the availability and the constancy of those utilities has to do with government regulation. If we are going to look at the internet as a place to do business, as something as vital as the phone system, or the power grid, or the air traffic control system itself, then you have to start looking at what you will require from those who want to be the bulwarks of that . . . .
In terms of criminal activity? Well, it ranges from petty theft, really, to state-sponsored terrorism. And you have everything in between. You have the cyberspace mugger who's going to steal your personal identity, and destroy your credit by committing fraud in your name, or stalk your children or your loved ones online. There are organized crime syndicates that are going to be engaged in stealing massive numbers of credit cards and selling them and using them for credit card fraud globally. There are governments and corporate entities, globally, that want to steal technology: cutting-edge technology, biotech, high-tech, and low-tech technology. They want to compress the arc of time for their economies to develop and catch up with the Big Eight economies. And somewhere out there there's a cyber Unabomber, who is concocting for his own bizarre motives some really unpleasant event that could impact the lives of thousands or millions.
And there are the cults. Aum Shinri Kyo is the cult that hacked aggressively into technology companies to steal technology that they were interested in. There are the Osama bin Ladens of the world. Some people mock that specter, but those folks have satellites, they use encryption, and they are on the Net, both to gather information and to disseminate information, to gather intelligence and conduct operations. And then, of course, there are governments. What will happen in the Straits of Taiwan between Taiwan and China, and all the hot spots in the world, is also taking place in cyberspace. They're looking at ways to attack each other's digital infrastructure.
Some of the folks with green hair and body piercing are very bright kids who solve puzzles that people with computer engineering backgrounds can't solve. But the juvenile hackers and the young hackers get caught, and they end up in the headlines because they get caught. And the reason they get caught is that they're not professionals. They are out for the adventure. They are out for bragging rights. They are out for exploration. The professionals, the ex-KGB agents, or the ex-CIA agents, the person from German intelligence, or Israeli intelligence--they're not going to get caught. And when they are detected, the people who detect them are not going to want to acknowledge that they've been there.
Groups who are responsible to the public, even corporate groups, seem to be having a bit more difficulty because of this incredible brain drain from academia, from the military, and from the public sector. How serious a problem is that?
It's a big problem. Information security isn't really something that's inculcated by software engineers as they come out of graduate school. . . . You could count on the fingers of one hand the academic institutions that are doing serious research and development in computer security and internet security. And when those programs develop young people that are really gifted. . . . they don't stay in academia. . . . They get into the corporate world, and they are tempted away into the consulting end of things, into the accounting firms, and the security companies that are wanting to cash in on the threat. And on the government side, the government will take somebody from the military or law enforcement, train them on cutting-edge technology and computer forensics, how to detect and thwart cyber attacks and threats to the infrastructure, and all these critical issues of online espionage and information warfare. And then those people get tempted away by those corporate sector salaries, and they leave public service for the private sector. So there's a brain drain all the way down the line. . . .
The important point that the story of the Aum cult brings home is the plausibility of the cyber terrorist threat. We may never see a cyber attack, but it would be...