Today, criminals are using amped-up techniques to tap into a perpetual cycle of fraud and identity theft, reports Deb Radcliff.
Back in computing’s early days, security expert Winn Schwartau took a lot of flack for his warnings of a “digital Pearl Harbor,” even as he lived out his predictions. In 1994, a hacker, out to prove himself, had the power cut off to Schwartau’s home more than once, a truckload of Web TVs was delivered to his front porch, and a half dozen emergency services vehicles were diverted to his home.
These were the good old days, from the mid 1980s to the late 90s, when hackers’ motivations for breaking into early internet networks were to gain access to free computing, for learning, bragging rights or revenge. Then in the mid-2000s, the real criminals moved in.
“Computer crime is now a big, well-organized business enterprise. Its entire plan is to scam and defraud people and institutions,” says Schwartau, founder of Infowar Con, Interpact and The Security Awareness School.
Even before Schwartau delivered his warning to Congress in 1991, the Department of Defense had already experienced what would come to be known as the first case of spy-vs-spy cyberespionage.
This was in 1986, when Jim Christy, special agent, chief of the Air Force Office of Special Investigations computer crime unit, answered a phone call from Cliff Stoll. Stoll, an astronomer at the Lawrence Berkeley National Laboratory in California, had uncovered an intrusion into defense department networks, ultimately involving 400 MILNET (military network) computers across the United States, Germany and other countries. This network was part of the ARPANET internetwork designated for unclassified United States Department of Defense traffic.
“I’d never run a computer intrusion investigation in my life. But I was the IT guy so I got the call,” says Christy, now director of Future Exploration, a division of the state-of-the-art Department of Defense (DoD) Cyber Crime Center Labs in Lithicum, Md. “When we started our investigation, I understood quickly that these guys were spies after our Star Wars technology.”
The proof was in keyword searches that investigators captured, such as “nuclear,” and “chemical.”
The intrusion, subject of Cliff Stoll’s best selling book The Cuckoo’s Egg, published in 1989, was ultimately tracked to an entry point at a Mitre installation in Bedford, Mass. Mitre was one of the DoD’s contracting partners. The two 20-year-old intruders, run by the Soviet KGB, bounced their connections around the telephone networks in the United States and Europe before entering through the Mitre site, says Christy. Today, attackers obfuscate their location by hopping around international IP addresses rather than phone switches.
However, in those days, it wasn’t so easy to connect to the internet. The intruders actually had to hack into the DoD to get back out onto the internet from the Lawrence Livermore Labs.
Old school/new tricks
Today, information warfare is still happening, according to Christy and others. “Every country with any resources has developed cyberwarfare capabilities,” Christy says. “You’re always preparing the battlefield so that when the decision to attack comes, you’re ready.”
In 2008, information war was used in its truest sense when Russia launched a DDoS (distributed denial-of-service) attack against Georgia to befuddle and confuse the entire world while Russia moved its tanks across the line of departure, says Rick Howard (right), director of Verisign’s iDefense Intelligence.
DoS attacks are perhaps the oldest trick in the book for hackers. In the late 80s, Rob Clyde used the DoS tactic of sending too much data at server connections in a game he called “Take over the Computer.” Clyde was later one of five executives that co-founded AXENT, an IDS vendor that was acquired by Symantec.
As the internet opened up in the early 90s, hackers used DoS attacks against their hacking opponents’ servers, and then pointed their DoS attacks at web servers, such as in the case that blocked legitimate traffic to Amazon, eBay and others for several days in early 2000. “Hactivism” soon followed. In May 2001, Chinese and U.S. hackers were keeping score of the websites they blocked during a U.S. spy plane standoff These sites were mostly static and informational, so no real harm was done. But now, web servers are under a different type of attack – attacks aimed at customers or backend database servers, says Peter Tippett, vice president of innovation and technology, Verizon Business.
“In the olden days, we didn’t have databases connected to web servers, and our web pages were static informational placeholders,” he says. “Now with our highly interactive websites and backend connections, we’ve created new entry points where old attack methods are very effective.”
As in the Army case, SQL injection was used in the early days merely to deface websites (many of which were posted at antionline.org), or as an inside attack method, according to Tippett and others. Then, in Jan. 2003, a worm-based SQL attack, SQL Slammer, affected a half-million web servers in its first few days.
Now, worms use SQL injections as the primary means of breaking into websites – surpassing cross-site scripting (XSS) attacks in 2008, according to the 2009 IBM/ISS X-Force Trend and Risk Report.
SQL injections were found inside compromised networks in the recent Heartland case, in which Albert Gonzalez pleaded guilty in September in New York federal court to 19 counts of aggravated identity theft, wire, consumer and access device fraud.
In addition to going after the valuable data inside the network, XSS and SQL injections are also used to overtake websites and load malicious iFrames, which then install password stealers, back doors and downloaders.
The payload delivered from the infected website to the browser – keyloggers, downloaders, botware and other malware – is often referred to as a trojan horse.
Trojans were used inside the network during the DoD intrusion, according to Stoll’s book. As computers with browsers started connecting to the internet in the mid-90s (coinciding with the arrival of Microsoft’s early renditions of Internet Explorer), trojan developers started creating ways to use the internet to inject malware into browsers.
For example, in the summer of 1996, a hacker named “Modify” showed a trojan to this reporter as it appeared on a dot-matrix printout. It was during a meeting at a food court just outside Fort Meade, Md., headquarters to the National Security Agency.
“This is really cool,” Modify said, while pointing at a block of code in the middle of a page. “It turns the security settings in the browser from ‘high’ to ‘none.’ With that, we can load anything onto the computer through the browser without notice.”
Oldest trick in the book
At the time, the prospect of setting up malicious websites and getting people to go to them on purpose seemed a little ridiculous. But it wouldn’t be long before naive, newbie users would fall victim to the online con.
The seeds for this were planted in the 1980s, when Kevin Mitnick practically invented the term “social engineering.” In his early life, he used wit and charm to gather information to get people to do things on their computers that they shouldn’t be doing.
“In 1987, I dialed the modem of a target system at Digital [DEC], which I had forehand knowledge of,” says Mitnick (left), who today is a security consultant and speaker through Mitnick Security, and author of The Art of Deception. “Next, I called the operator and asked her to execute a series of innocuous commands. When the commands executed, I was logged into the VMS development cluster with system privileges.”
Back then, Mitnick was doing with the phone network what criminals today are doing via the internet. Anonymous and able to reach thousands, then hundreds of thousands with a single “send” command, spam became the first and primary online vehicle for delivering social engineering attacks.
For example, as quickly as people migrated to using email, they were hit with the Nigerian scam (also known as 419 fraud). “Hello, I’m prince from Nigeria who needs help getting 4,000 [British] pounds out of country to ensure my freedom,” the email would say.
In addition to directly defrauding people over cyberspace, social engineering was used as a way to get people to click attachments or links that would infect their computers with viruses and worms.
Hurricane Katrina (2005) gave rise to another type of social engineering, the “issue du jour” trend, which follows the big headlines that would compel people to click links and then get infected.
At the same time, researchers had been monitoring a troubling new development in social engineering, called phishing, in which consumers were lured to fake logins and duped into giving away their account and access information. iDefense’s Howard considers this the tipping point where criminalization really took off after what Gartner estimated would become a $3.2 billion phishing industry in 2007.
“We liken the 2005-2006 period of criminal hacking activity to the drug cartels of the 80s: young, hungry and quick on their feet,” says Howard, who formerly led the U.S. Army Computer Emergency Response Team.
On the internet, early forms of phishing involved warning emails from what consumers thought were their banks claiming a problem with their accounts. Users would click links only to be taken to phony login screens that collected their credentials.
Now, phishing has moved directly to victim’s browsers, such as in the case of the Clampi virus, which was aimed at phishing business users of their institutional accounts. It was reported to have infected 500,000 business computers.
Criminals are also using browser attacks to get in the middle of authenticated user sessions, where the bad guys can transfer money and take over the account, according to Steve Dispensa, CTO of Phonefactor.com, which provides multifactor authentication schemes.
Going full circle, Mitnick has been demonstrating a phishing process that starts with an email convincing account holders to call a phone number to their bank, but then phishes their data over that phone line.
“In this hack, you’re not asking them to go to a website or fill out a form, which they’re suspicious of. You’re asking them to call a phone number, which is a real working number to their bank…only I happen to have control over that number,” he says.
Because it’s man-in-the-middle, users never know they’ve been hustled. Once he’s gathered the credentials, victims can simply forward on through the legitimate banking phone tree to check their balances and log out.
Over time, social engineering attacks have evolved and gotten more difficult to detect because recipients grew wise to unsolicited emails/IM and even social networking worms trying to get them to fill out forms or to click links and attachments, says Mitnick.
“Criminals are also doing more clever stuff with Google Adwords to bring targets to their sites for exploitation,” Mitnick adds. “It’s easy enough to use a fraudulent or prepaid credit card to mask your tracks and pay for a Google Ad.”
Taking down the net
In lieu of social engineering to draw their victims, criminals have also developed ways to automatically direct victims to their sites – the roots of which go back to domain hijacking, squatting and manipulation techniques of the 1990s.
In 2008, researcher Dan Kaminsky released information on a vulnerability in DNS that could be used to reroute users going to search engines, social networks, banks and other sites, for example.
However, an even more sinister way to reroute people to illicit sites is through the manipulation of BGP (border gateway protocol), which supports the routing infrastructure of the entire internet, explains Peiter Zatko, known as “Mudge” in hacker research circles.
“By attacking BGP, you can reroute traffic destined to blocks of addresses, you can take over blocks of addresses and inject them into the internet, or you can just drop the packets and shut things down,” says Zatko (left), who was de facto leader of the L0pht hacking group in the 90s. “If you do this intelligently, you control the major data flows of the internet and can do what you want with those flows.”
In 1998, Zatko testified before the U.S. Senate on how to take down the internet in 30 minutes by exploiting BGP. Today, he adds, it would probably take an hour and a half. BGP has since been known for multiple routing and hijacking problems, even though multiple patches have been applied.
Back in the 90s, Mudge, along with such other colleagues known as Hobbit, Weld Pond and Kingpin, operated in a loft on the outskirts of Boston using computers built from recycled parts collected from street corners and trash bins. In 1997, as techno music thumped in the background, Mudge, with his long, wavy dark hair and John Lennon-like glasses, released L0phtcrack to a standing ovation at HOPE (Hackers on Planet Earth). It was the first commercial password cracker with a point-and-click GUI.
L0phtcrack could take days to crack all network passwords stored in the LAN Manager hash, one of the formats used to store user passwords that are fewer than 15 characters, Mudge noted at the time. Now, L0phtcrack has become a commercial testing tool that only takes seconds to crack open passwords collected from compromised networks and endpoints.
Criminals are also using these techniques in distributed ways. For example, brute force password cracking was most recently used in a massive attack on Yahoo! Mail accounts, which, many say, doesn’t bode well for cloud services providers. And, according to Verizon’s report, password guessing is the most frequent means of gaining control of compromised systems.
In 1999, when Back Orifice, a computer program designed for remote system administration, was released to a packed crowd, with a rockstar performance, at DEFCON, the long-running underground hacking conference in Las Vegas, it brought remote system administration capabilities to all these formerly disparate hacker tools. After its upgrade release at DEFCON 2000 (same fanfare), Back Orifice quickly became the de facto backdoor/remote management toolkit, pulling together sniffers, crackers, rootkits and polymorphic techniques to hide the signature and behavioral tracks that would normally be detected by anti-virus tools.
With Back Orifice, hacker gangs were able to start controlling computers remotely, making it the ancestor of today’s botnet industry, says Richard Wang, Sophos Lab Manager, U.S. “We started to see botnets get big in 2004,” explans Wang. “That’s when they discovered IRC (internet relay chat) as a channel to control large botnets – usually with about 20,000 bots.”
This was also a big break for researchers, who, that same year, formed the Shadowserver Foundation to sniff out malware and monitor botnet command and control communications over IRC channels. Even then, bots were updatable, dynamic and able to be put to work for any purpose – another coup for organized crime.
In 2006, many of the bot traffic streams were including private personal and financial data gathered from phishing and keylogger operations within their botnets. Most often, this data was traveling unencrypted over the channel, says Shadowserver co-founder André Di Mino.
Even in 2006, botnet operators were already catching onto the monitoring operations by Shadowserver and others. Botnet operators reacted by encrypting bot traffic and/or moving to different protocols more difficult to monitor.
And then, Conficker
The best example today is the Conficker worm, which originated last year using HTTP to update its bots.
“We corralled a lot of the domain names being used for updates on Conficker A and B, which ran bot traffic over HTTP. Then the C variant came out, which is primarily peer-to-peer,” says Di Mino, whose group was one of the founding members of the Conficker Working Group in 2008.
Conficker is not causing any real harm and is mostly being used to update itself on infected computers, he adds. But it represents what he calls an enormous risk because the worm continues to spread and hold open a backdoor that criminals can hijack and use for any conceivable purpose.
“Conficker still has more than six million unique IPs operating in a given day,” he says. “What troubles us is the lack of remediation we see, and the tremendous potential of these continually infected systems to do distributed harm.”
So, there’s a lot to worry about nowadays: The power of tens of thousands of remote-controlled computers aiming their SQL injections at web servers, as well as the power to take down entire blocks of the infrastructure by attacking BGP. Not to mention this critical infrastructure is mostly owned and operated by the private sector and running all of the country’s public services.
“What’s changed since the 1980s is that we, as a nation, are entirely dependent on the internet,” Christy says. “Our infrastructure, which is run by private companies, is at risk now. This is the Achilles heel of every civilized society.”
New laws: Crime & punishment
At the time of the release of the first commercial password cracker, L0phtcrack, at hacker conference HOPE 97, Kevin Mitnick, along with another hacker folk hero, Kevin Poulsen, were in federal lockup for wire fraud. So Mudge and attendees were a little nervous about how the feds would react to the release of their tools and exploits.
“Back then, no one was going to jail for releasing tools,” says Scott Charney, first director of the new Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice. “We were looking at two issues that needed protection: The right to publication – you want to encourage good security research – and the issue of intent.”
The issue of intent to do harm was something Charney, along with his principal deputy,
Martha Stansell-Gamm, grappled with when, in 1996, they crafted amendments to the 1984 Computer Crime Act.
When Charney left in 1999 to work for the private sector (where he’s now VP of Trustworthy Computing and other programs at Microsoft), Stansell-Gamm headed the agency for eight years, leading criminal enforcement through constant change as technology and criminal tradecraft evolved.
“The section and their colleagues in the U.S. attorneys’ offices nationwide prosecuted cases of commercial data theft, distributed DoS attacks, botnets and the global online trade in stolen identity data,” says Stansell-Gamm, now chair of the Commission on Cybersecurity for the 44th Presidency under the Center for Strategic and International Studies.
As crime changed, so too law enforcement’s ability to prosecute computer crimes continues to improve through training, legislation and international cooperation, including the first multilateral treaty on cybercrime. Today, CCIPS, under the leadership of Michael DuBose, handles a large load – with 23 actions between June 26 and Sept. 21, involving wire fraud, access device fraud, aggravated identity theft, system sabotage, espionage and other type of computer-related crimes. – Deb Radcliff
New tactics: Early computer abuse
In 1989, security expert Winn Schwartau warned that criminals using a High Energy Radio Frequency or HERF gun could, through electronic interference, essentially erase and destroy the computers of banks and critical infrastructure organizations.
This actually did happen in 1996, sort of. According to an article in London’s Sunday Times, on June 2 of that year, financial institutions paid out more than 400 million pounds in extortion money to prevent “international gangs of cyberterrorists” from aiming HERF guns and electromagnetic pulses at their computers. The story, first attributed to the NSA, which denied any knowledge, was later discredited. The possibility of a HERF gun erasing a hard drive, however, is feasible, say experts. – Deb Radcliff
Illustrations by Brad Hamann