History of Computer Crime”  Notorious Worms and Viruses M

Topics  Why study historical records? History of  Trends  1960s / 70s – Sabotage Computer Crime  Impersonation  Phone Phreaking  Data Diddling CSH6 CSH6 Chapter 2  Logic Bombs Chapter 2  Trojan Horses “History of Computer Crime”  Notorious Worms and Viruses M. E. Kabay  Spam  Denial of Service With supplemental updates  Hacker Underground  Recent Developments

Why study historical Trends records?  Early days: sabotage, disgruntled/dishonest  Common body of knowledge employees  Distinguish amateurs from professionals  Physical damage prominent threat until 1980s  Shared history of significant events  Unauthorized access common  What has shaped development of field  Telecommunications subversion popular in 1960s/70s  Understand references from senior people  Malicious software developed in 1980s  Put new events and patterns into perspective  Fax-based fraud developed in 1980s (4-1-9)  Growth of Internet multiplied threats  Financial crime mediated by computers & networks grew in 1990s  New malware types developed in 1990s  Illegitimate uses of e-mail spawned spam, phishing, 4-1-9 e-mail fraud

Rough Guesses About 1960s / 70s – Sabotage Sources of Damage to IT Before 1993  Computers can be tools and targets of crime Also repositories of evidence  1969.02 – fire in computer center during student riot in Montréal, Québec, Canada Sir George Williams University (now Concordia) $2M damages & 97 people arrested

After 1993  In 2001, survey by Novatech showed ~¼ of all computers had been physically assaulted by owner (4,200 respondents) MORAL: remember this fuzzy graph and don’t trust precise statistics about computer crime!

 National Farmers Union Service Corporation  1970-1972  1970: Jerry Neal Schneider  Burroughs B3500 mainframe  1980-2003: Kevin Mitnick  56 hard disk head crashes in 2 years 8 hours average downtime  1970s-today: Credit Card Fraud  $500,000 electrical system repairs  Crashes continued  1990s-today: Identity Theft Rises  Suspicion fell on Albert the Operator  Loyal employee  Night shift for many years without letup  Secret video-tape revealed sabotage  Liked the excitement of having all those people around

1970: Jerry Neal Schneider 1980-2003: Kevin Mitnick (1)  Born 1963  Born c. 1951 As young teenager, stole bus rides by using special punch for bus transfers  1968: forms Creative Systems Enterprises Phone phreaking, pranks, breakins using Selling electronic communications equipment social engineering against DEC Dumpster® Diving for parts at PT&T  1981: social engineering to enter PacBell Found discarded (unshredded) procedures Juvenile court ordered psychological study manuals 1 year probation  1971: Ordered new equipment from PT&T by pretending to be employee involved in repairs  1987: arrested for penetrating USCA Then sold it -- ~$200K value Stored stolen VAX VMS code on disks  1972: Arrested and convicted of grand theft  1988: Arrested by FBI; sentenced 1989 to 1 year jail & 6 months rehabilitation 2 months + $500 fine!

Kevin Mitnick (2) Kevin Mitnick (3)

 1992: FBI tried to arrest him for stealing services  Became cause célèbre among criminal hackers from phone company computers FREE KEVIN defacements worldwide Went underground Funniest: FREE KEVIN on Mexican Web site  1994: Insults Tsutomu Shimomura after release of KM Physicist & Internet security expert  2000: released from prison Mitnick left rude messages on computer, voice- 3 years parole mail Restricted access to computers Shimomura helped FBI track Mitnick Profits from writing and speaking  1995: FBI arrests Mitnick about criminal career used to  1999: Convicted of wire fraud, computer fraud & reimburse victims illegal interception of wire communication Founded own computer-security firm Sentenced to 46 months federal prison Wrote books about defending against social engineering

11 Copyright © 2014 M. E. Kabay. All rights reserved. 12 Copyright © 2014 M. E. Kabay. All rights reserved. 1970s-Today: Kevin Mitnick (4) Credit Card Fraud (1)  Readings about the Mitnick case  Credit cards developed after WWII in USA  Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick— 1950: Diners Club and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328. 1951: BankAmericard & MasterCard  Hafner, K. & J. Markoff (1991). Cyberpunk: 1958: American Express Outlaws and Hackers on the Computer Frontier. Touchstone Books, Simon &  1960s: aggressive marketing of credit cards Schuster (New York). ISBN 0-671-77879-X. 368. Index. Sending cards to unsuspecting consumers  Littman, J. (1996). The Fugitive Game: Online Mailbox theft → surprise bills on first invoice with Kevin Mitnick—The Inside Story of the Great Cyberchase. Little, Brown and  1974: Fair Credit Billing Act to reduce abuses Company (Boston). ISBN 0-316-5258-7. x + 383.  1970s-80s: expansion of electronic confirmation  Shimomura, T. & J. Markoff (1996). Takedown:  1980s: Refusal to improve security (no pictures) The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.

1990s-now: Identity Credit Card Fraud (2) Theft Rises  1990s: massive increase in credit card & online fraud  US Visa/MC: $110M in 1980 vs $1,630M in 1995  One of the fastest growing crimes in USA  More recent data*:  Identity Theft Resource Center  Unauthorized general-purpose credit card http://www.idtheftcenter.org/ transactions = 0.037% all card-present credit card Wealth of resources transactions in 2012 Victim resources  Fraud = 0.092% value of transactions)  0.118% all card-not-present transactions ID theft protection tips  0.114% value those transactions) Scams & alerts  Global fraud rates across Visa < $0.06/$100  FBI ID Theft Resources http://www.fbi.gov/about- us/investigate/cyber/identity_theft  Statistic Brain * < http://www.creditcards.com/credit-card-news/credit-card-industry-facts-personal-debt-statistics-1276.php > http://www.statisticbrain.com/identity-theft-fraud- or < http://tinyurl.com/6hdtv6 > statistics/

What ID Thieves Do Consequences for Victims

 Credit-card expenses relatively easy to correct IFF  Locate identifying data Victim checks statement immediately and Social Security Number Reports questionable transactions within time limit Driver's License  Bank-account thefts much more difficult to correct  Home address, telephone number Money stolen is client’s, not bank’s Mother's maiden name Client has great difficult recovering funds Or just misuse of handle (screen name) for  Bill-collectors hound victims relentlessly forged messages  Bad credit records difficult to correct, ruin plans, cause  Create new credit cards, bank accounts loss of jobs or interfere with hiring  Default on loans in victim's name  Criminal accusations put victims at serious risk of erroneous arrest or deportation  Ruin reputations, credit records  Victims may be nailed for child support of total strangers

17 Copyright © 2014 M. E. Kabay. All rights reserved. 18 Copyright © 2014 M. E. Kabay. All rights reserved. Preventing ID Theft Phone Phreaking  Phone + freak = phreak  Prevent theft: restrict access to your SSN  1950s: Single-frequency signals and other personal data communicated control instructions to SSN may be required by SSA, IRS central switches (computers) employer, financial institution, lender  Generating external tone could fool Corner store or video rental should NOT be switch given SSN  2600 Hz tone generated by whistling,  NEVER give out credit-card or other personal flute or whistle in Captain Crunch cereal box data over the phone to someone who has called you. Ask for written documents. Hence John Draper phreak became known as Cap’n Crunch  Shred papers that include confidential info before discarding. Able to initiate free long-distance Interviewed by Equire 1971 about  Destroy computer media before discarding. phreaking – arrested & convicted  Don’t use DEBIT cards to buy things Eventually jailed for wire fraud in John Draper 1977 then and now 19 Copyright © 2014 M. E. Kabay. All rights reserved. 20 Copyright © 2014 M. E. Kabay. All rights reserved.

Data Diddling: Data Diddling The Equity Funding Fraud  Unauthorized modification of data  Equity Funding Corporation of America  Changes can occur From early 1960s to 1973, immensely successful Before data input firm During data input Buy insurance + invest in mutual funds Before output  In 1964, computer problem prevented printing final figures  Records affected have included President ordered head of DP to falsify report with Bank records expected profit Payrolls Profit failed to materialize Inventory data Invented false insurance policies to make up Credit records difference Eventually “killed” nonexistent policy holders to School transcripts collect payouts ($MILLIONS) Telephone switch configurations….  Discovered 1972 by SEC; officers went to jail

Data Diddling: Trojan Horses Vladimir Levin vs Citibank  Program with apparently useful function  In 1994, Russian programmer Vladimir Levin broke into But which has hidden harmful functions Citibank computers  Can be triggered by either Transferred ~$12M to various Change of state (logic bombs) international bank accounts E.g., removal of employee status for  Spotted after 1st $400,000 programmer transferred in July 1994 Date/Time (time bombs)  Citibank cooperated with FBI & Interpol  May provide for covert access  Levin & gang eventually arrested and tried Back door  Convicted 1998 to 3 years prison AKA trap door  Citibank hired banking industry’s first CISO, E.g., BackOrifice & BO2K released by Dildog, Stephen R. Katz criminal hacker in cDC (Cult of the Dead Cow)

23 Copyright © 2014 M. E. Kabay. All rights reserved. 24 Copyright © 2014 M. E. Kabay. All rights reserved. Early Notorious Worms and Logic Bombs Viruses  Jerusalem Virus of 1988  1987: Christmas Tree Worm Duplicated itself every Friday and on 13th  December e-mail with EBCDIC version of tree flooded IBM networks of month  Nov 2, 1988: The Morris Worm  th On every Friday 13 after May 13, 1988,  Robert T. Morris studying at Cornell corrupted all available disks on system  Released self-replicating autonomous code  PC Cyborg  Spread through Internet AIDS information diskette  Crashed systems all over USA (~6,000-9,000) Actually encrypted  Led to formation of Computer Emergency directories, filled C: drive, Response Team Coordination Center, CERT-CC® intercepted commands  Morris convicted  Violated Computer Fraud & Abuse Act of 1986, 18 USC Linked to extortion demand §1030(a) for money  3 years probation, $10K fines, expelled from Cornell  Now respected MIT professor

Stuxnet Worm Spam (not SPAM®)

  July 2010 1994: Green Card Lottery spam  Zero-day threat to SCADA Laurence A. Canter & Martha S. Siegel Attorneys Siemens Simatic WinCC & PCS7 Posted ad to 6,000 USENET groups Designed for industrial espionage But did not cross-post (1 copy/user) Also for sabotage Posted to EVERY GROUP (1 copy/group)  Thought to have been developed by USA and Israel by 2007 Response massive  Found in ~100,000 computers Complaints crashed their e-mail server ISP Iran, Indonesia, Inda Canter disbarred Iranian nuclear power program affected Never apologized – continue to spam Centrifuges ran too fast  TODAY: estimates of 75-85% all email = spam

Denial of Service Hacker Underground

 DoS = interference with availability of service  Criminal-Hacker Subculture Resource exhaustion or  Chaos Computer Club Destruction  Cult of the Dead Cow  Unamailer (1996)  2600 The Hacker Quarterly johnny [x] chaotic subscribed victims to 100s  LOD of e-mail lists  Phrack Led to practice of confirming subscriptions  MOD  MafiaBoy (2000)  Gray-Hat Hackers Massive attacks on Yahoo.com, Amazon.com, eBay.com, Buy.com, CNN.com – flooded  Anonymous  Lulz 15-year-old boy using modem in west end of Montréal did $M of lost business & depressed  Web Vandalism Classics stock prices

29 Copyright © 2014 M. E. Kabay. All rights reserved. 30 Copyright © 2014 M. E. Kabay. All rights reserved. Criminal-Hacker Criminal-Hacker Subculture Subculture (2)  Who?  Why? Children (sub-teens, teens) Defining peer-group,affiliation, status Adults (fewer after 18 years of age) Rebellion, power Amateurs Curiosity, learning “3133T” (elite) hackers Ideology, cant Professionals  Avoid stereotypes Organized crime Not all creepy adolescent geeks  What Varying levels of ethical reasoning, emotional development Publications, USENET groups, lists Local meetings, conventions Jargon (133T5p33k)

Classic Hacker Group: Chaos CDC – Cult of the Dead Cow Computer Club  Founded 1984 in Texas  1981: German group of computer enthusiasts  “Global Domination Through Radical politics Media Saturation” Demonstrated vulnerability in Bundespost Much satire – some very funny videotext service  Member Drunkfux founded Generally viewed as gray-hat (non-criminal) HoHoCon hacker conference hackers  Political action campaigns  1999: Opposed attempts by some computer hacker groups to disable Against censorship (Goolag computers in PRC Campaign against GOOGLE cooperation with PRC)  Chaos Communications Conferences popular with Attacks on Church of some legitimate security Scientology experts  Hacking tools BO & BO2K

2600 Legion of Doom (LOD) The Hacker Quarterly  Editor Eric Corley aka  1984: Phone phreakers and criminal “Emmanuel Goldstein” hackers founded LOD  http://www.2600.com/ Named after enemies of DC Comics superheroes  Founded in 1984 Published findings in LOD Technical  Longest running & most popular Journal hacking ‘zine  Chris Goggans (Eric Bloodaxe) one of  Detailed instructions on best known Stealing telephone services Editor of Phrack Lock-picking Became member of MOD Penetration techniques  Mark Abene (Phiber Optik) also member  Analysis of security issues who moved to MOD  History of hacking  Conflict with MOD = The Great Hacker Chris Goggans  Political ideology War Then & Now

35 Copyright © 2014 M. E. Kabay. All rights reserved. 36 Copyright © 2014 M. E. Kabay. All rights reserved. Phrack Masters of Deception (MOD)  http://www.phrack.com/  1989-1992 New York criminal hacker group  1st edition Nov 1985 Phiber Optik (Mark Abene)  Originally focused on phreaking Highly visible in media  Entirely electronic on BBS Harper’s systems Esquire  Eds: Knight Lightning New York Times (Craig Neidorf) & Taran TV (Geraldo) King (Randy Tischler) Eventually arrested,  Phrack 24 involved in Operation Sundevil (1990) Tried for violation of CFA [18 USC §1030(a)] Published E911 docs Sentenced to 1 year in prison Actually public docs! Craig Neidorf

Gray-Hat Hackers (1) Gray-Hat Hackers (2)  Gray-Hats: professionals with black-hat backgrounds and  Black-Hats: criminal hackers attitudes  May have been members of criminal-hacking organizations Ignore laws  May continue to use hacker handles (pseudonyms) Test for and exploit vulnerabilities without  2000-01: L0pht members join @Stake authorization  8 members of L0pht Heavy Industries Publicize vulnerabilities without delay for  Continued to use hacker handles (e.g., Mudge, Weld Pond, repair Brian Oblivion, Dildog…) Sometimes amateurish; may be experts  Described in glowing terms by some reputable experts  White-Hats: penetration testers  NTBugtraq's Russ Cooper: "The eight brilliant geniuses down at the L0pht. . . .” Authorized to test by owners of systems  Other commentators not impressed Maintain confidentiality and professionalism  John Taschek of PC Week: “. . . L0pht's history shows that Sometimes hide-bound; may be imaginative the group is not ethical, maintained practices that bordered on being illegal and is simply downright scary. . . .”

Web Vandalism Classics CIA (1996.09)

 CIA (1996.09)  USAF (1996.12)  NASA (1997.03)  AirTran (1997.09)  UNICEF (1998.01)  US Dept Commerce (1998.02)  New York Times (1998.09)  SETI site (1999)  Fort Monmouth (1999)  Senate of the USA (twice)(1999)  DEFCON 1999 (!)

AirTran (1997.09) UNICEF (1998.01)

US Dept Commerce New (1998.02) York Times (1998. 09)

Senate of Senate of the USA the USA (1) (1999) (2) (1999.06)

DEFCON (1999.07) Hacker Conventions

 Blackhat < http://www.blackhat.com/ >  DefCon < http://www.defcon.org/ >  HOPE (Hackers on Planet Earth) < http://www.hopenumbernine.net/ >

53 Copyright © 2014 M. E. Kabay. All rights reserved. 54 Copyright © 2014 M. E. Kabay. All rights reserved. Criminal Hacking Gets Chinese Cyberwar Organized  Profitable, low risk  Significant increase in industrial espionage  International gangs successful by PRC Russian Business Network (RBN)  Full-time hackers employed by state Bradley Guinen (NU BSCSIA 2013)  Log off during weekend! CJ341 paper published in Network World  Attacks, penetration, infiltration, IP theft Security Strategies with Kabay  See Chapter 14 from CSH6.

http://www.mekabay.com/nwss/866_russian_cybercrime_(guinen)_part_1.pdf http://www.mekabay.com/nwss/867_russian_cybercrime_(guinen)_part_2.pdf http://www.mekabay.com/nwss/868_russian_cybercrime_(guinen)_part_3.pdf

DISCUSSION