Contents

1 Antivirus
1.1 History
1.1.1 1949-1980 period (pre-antivirus days)
1.1.2 1980-1990 period (early days)
1.1.3 1990-2000 period (emergence of the antivirus industry)
1.1.4 2000-2005 period
1.1.5 2005 to present
1.2 Identification methods
1.2.1 Signature-based detection
1.2.2 Heuristics
1.2.3 detection
1.2.4 Real-time protection
1.3 Issues of concern
1.3.1 Unexpected renewal costs
1.3.2 Rogue security applications
1.3.3 Problems caused by false positives
1.3.4 System and interoperability related issues
1.3.5 Effectiveness
1.3.6 New viruses
1.3.7
1.3.8 Damaged files
1.3.9 issues
1.4 Performance and other drawbacks
1.5 Alternative solutions
1.5.1 Hardware and network
1.5.2 Cloud antivirus
1.5.3 Online scanning
1.5.4 Specialist tools
1.6 Usage and risks
1.7 See also
1.8 References
1.9 Bibliography
1.10 External links

2
2.1 Methodology
2.2 Threats, Attacks, Vulnerabilities, and Countermeasures
2.3 Application Threats / Attacks
2.4 Mobile application security
2.5 Security testing for applications
2.6 Security certifications
2.7 Security standards and regulations
2.8 See also
2.9 References
2.10 External links

3 (computing)
3.1 Overview
3.1.1 Examples
3.1.2 Object code backdoors
3.1.3 Asymmetric backdoors
3.2 Compiler backdoors
3.2.1 Occurrences
3.2.2 Countermeasures
3.3 List of known backdoors
3.4 References
3.5 External links

4 Black hat
4.1 References
4.2 See also

5 Black Hat Briefings
5.1 History
5.2 The conference
5.3 Conference’s topics
5.4 New conference goals
5.5 Antics and disclosures
5.6 See also
5.7 References
5.8 External links

6
6.1 Types of
6.1.1 Legal botnets
6.1.2 Illegal botnets
6.2 Recruitment
6.3 Organization
6.4 Formation
6.5 Types of attacks
6.6 Countermeasures
6.7 Historical list of botnets
6.8 Trivia
6.9 See also
6.10 References
6.11 External links

7 Computer crime
7.1 Classification
7.1.1 and financial crimes
7.1.2
7.1.3 Cyberextortion
7.1.4
7.1.5 Computer as a target
7.1.6 Computer as a tool
7.2 Documented cases
7.3 Combating computer crime
7.3.1 Diffusion of
7.3.2 Investigation
7.3.3 Legislation
7.3.4 Penalties
7.4 See also
7.5 References
7.6 Further reading
7.7 External links
7.7.1 Government resources

8
8.1 Vulnerabilities
8.1.1 Backdoors
8.1.2 Denial-of-service attack
8.1.3 Direct-access attacks
8.1.4 Eavesdropping
8.1.5 Spoofing
8.1.6 Tampering
8.1.7 Repudiation
8.1.8 Information disclosure
8.1.9 Privilege escalation
8.1.10 Exploits
8.1.11 Social engineering and trojans
8.1.12 Indirect attacks
8.1.13 Computer crime
8.2 Vulnerable areas
8.2.1 Financial systems
8.2.2 Utilities and industrial equipment
8.2.3 Aviation
8.2.4 Consumer devices
8.2.5 Large corporations
8.2.6 Automobiles
8.2.7 Government
8.3 Financial cost of security breaches
8.3.1 Reasons
8.4 Computer protection (countermeasures)
8.4.1 Security and systems design
8.4.2 Security measures
8.4.3 Reducing vulnerabilities
8.4.4 Security by design
8.4.5 Security architecture
8.4.6 Hardware protection mechanisms
8.4.7 Secure operating systems
8.4.8 Secure coding
8.4.9 Capabilities and access control lists
8.4.10 Hacking back
8.5 Notable computer security attacks and breaches
8.5.1 Robert Morris and the first
8.5.2 Rome Laboratory
8.5.3 TJX loses 45.7m customer credit card details
8.5.4 attack
8.5.5 Global surveillance disclosures
8.5.6 Target And Home Depot Breaches by Rescator
8.6 Legal issues and global regulation
8.7 Government
8.7.1 Public–private cooperation
8.8 Actions and teams in the US
8.8.1 Cybersecurity Act of 2010
8.8.2 International Cybercrime Reporting and Cooperation Act
8.8.3 Protecting Cyberspace as a National Asset Act of 2010
8.8.4 White House proposes cybersecurity legislation
8.8.5 White House Cybersecurity Summit
8.8.6 Government initiatives
8.8.7 Military agencies
8.8.8 FCC
8.8.9 Computer Emergency Readiness Team
8.9 International actions
8.9.1
8.9.2 South Korea
8.9.3 India
8.9.4 Canada
8.10 National teams
8.10.1 Europe
8.10.2 Other countries
8.11 Cybersecurity and modern warfare
8.12 The cyber security job market
8.13 Terminology
8.14 Scholars
8.15 See also
8.16 Further reading
8.17 References
8.18 External links

9 Computer worm
9.1 Worms with good intent
9.2 Protecting against dangerous computer worms
9.3 Mitigation techniques
9.4 History
9.5 See also
9.6 References
9.7 External links

10
10.1 Examples
10.2 Delivery vectors
10.3 Concerns
10.3.1
10.4 See also
10.5 References
10.6 External links

11
11.1 General information
11.2 Examples of viruses with and ransom capabilities
11.3 Creation of cryptoviruses
11.4 Other uses of cryptography enabled
11.5 References
11.6 External links

12 DEF CON
12.1 History
12.2 Noteworthy incidents
12.2.1 1999
12.2.2 2001
12.2.3 2005
12.2.4 2007
12.2.5 2008
12.2.6 2009
12.2.7 2011
12.2.8 2012
12.2.9 2013
12.3 List of venues and dates
12.3.1 Upcoming venues and dates
12.4 See also
12.5 References
12.6 Further reading
12.7 External links

13 Exploit (computer security)
13.1 Classification
13.1.1 Types
13.1.2 Pivoting
13.2 See also
13.3 References

14 Firewall (computing)
14.1 History
14.1.1 First generation: packet filters
14.1.2 Second generation: “stateful” filters
14.1.3 Third generation: application layer
14.2 Types
14.2.1 Network layer or packet filters
14.2.2 Application-layer
14.2.3 Proxies
14.2.4 Network address translation
14.3 See also
14.4 References
14.5 External links

15
15.1 History
15.2 Examples
15.3 See also
15.4 Related literature
15.5 References

16
16.1 Technology
16.2 Entertainment
16.3 People
16.3.1 Real
16.3.2 Fictional
16.4 Other
16.5 See also

17 Hacker (computer security)
17.1 History
17.2 Classifications
17.2.1 White hat
17.2.2 Black hat
17.2.3 Grey hat
17.2.4 Elite hacker
17.2.5
17.2.6 Neophyte
17.2.7 Blue hat
17.2.8 Hacktivist
17.2.9 Nation state
17.2.10
17.3 Attacks
17.3.1 Security exploits
17.3.2 Techniques
17.4 Notable intruders and criminal
17.5 Notable security hackers
17.6 Customs
17.6.1 Hacker groups and conventions
17.7 Consequences for malicious hacking
17.7.1 India
17.7.2 Netherlands
17.7.3 United States
17.8 Hacking and the media
17.8.1 Hacker magazines
17.8.2 Hackers in fiction
17.8.3 Non-fiction books
17.9 See also
17.10 References
17.11 Further reading
17.12 External links

18 Hacker (term)
18.1 Hacker definition controversy
18.2 Computer security hackers
18.3 subculture of hackers
18.4 Home computer hackers
18.5 Overlaps and differences
18.6 Filmography
18.7 See also
18.8 References
18.9 Further reading
18.9.1 Computer security
18.9.2 /Open Source

19
19.1 See also
19.2 References
19.3 External links

20
20.1 In popular culture
20.2 See also
20.3 Related
20.4 References

21 Hacking tool
21.1 Worms
21.2 Port Scanners
21.3 Hacking
21.4 References
21.5 External links

22
22.1 Application
22.1.1 Software-based keyloggers
22.1.2 Hardware-based keyloggers
22.2 History
22.3 Cracking
22.3.1 Trojan
22.3.2 Use by police
22.4 Countermeasures
22.4.1 Anti keyloggers
22.4.2 Live CD/USB
22.4.3 Anti- / Anti-virus programs
22.4.4 Network monitors
22.4.5 Automatic form filler programs
22.4.6 One-time passwords (OTP)
22.4.7 Security tokens
22.4.8 On-screen keyboards
22.4.9 Keystroke interference software
22.4.10 Speech recognition
22.4.11 Handwriting recognition and mouse gestures
22.4.12 Macro expanders/recorders
22.4.13 Non-technological methods
22.5 See also
22.6 References
22.7 External links

23 List of computer criminals
23.1 Computer criminals
23.2 See also
23.3 References
23.4 External links

24
24.1 History
24.1.1 Switch hook and tone dialer
24.1.2 2600 hertz
24.1.3 Multi frequency
24.1.4 Blue boxes
24.1.5 Computer hacking
24.1.6 Toll fraud
24.1.7 Diverters
24.1.8 Voice mail boxes and bridges
24.1.9 Cell phones
24.1.10 End of multi-frequency
24.2 2600 Hz
24.3 See also
24.4 References
24.5 External links

25 Rootkit
25.1 History
25.1.1 Sony BMG copy protection rootkit scandal
25.1.2 Greek wiretapping case 2004–05
25.2 Uses
25.3 Types
25.3.1 User mode
25.3.2 Kernel mode
25.3.3 Hypervisor level
25.3.4 Firmware and hardware
25.4 Installation and
25.5 Detection
25.5.1 Alternative trusted medium
25.5.2 Behavioral-based
25.5.3 Signature-based
25.5.4 Difference-based
25.5.5 Integrity checking
25.5.6 Memory dumps
25.6 Removal
25.7 Public availability
25.8 Defenses
25.9 See also
25.10 Notes
25.11 References
25.12 Further reading
25.13 External links

26 Script kiddie
26.1 Characteristics
26.2 See also
26.3 References
26.4 Further reading
26.5 External links

27 Spyware
27.1 Routes of infection
27.2 Effects and behaviors
27.3 Remedies and prevention
27.3.1 Anti-spyware programs
27.3.2 How anti-spyware software works
27.3.3 Security practices
27.4 Comparison of spyware, adware, and viruses
27.4.1 Spyware, adware and trackers
27.4.2 Spyware, viruses and worms
27.4.3 “Stealware” and affiliate fraud
27.4.4 and fraud
27.4.5 Digital rights management
27.4.6 Personal relationships
27.4.7 Browser cookies
27.4.8 Examples
27.5 History and development
27.6 Programs distributed with spyware
27.6.1 Programs formerly distributed with spyware
27.7 Rogue anti-spyware programs
27.8 Legal issues
27.8.1 Criminal law
27.8.2 Administrative sanctions
27.8.3 Civil law
27.8.4 Libel suits by spyware developers
27.8.5 WebcamGate
27.9 See also
27.10 References
27.11 External links
27.12 Categories

28 Timeline of computer history
28.1 1903
28.2 1930s
28.2.1 1932
28.2.2 1939
28.2.3 1943
28.3 1960s
28.3.1 1965
28.4 1970s
28.4.1 1971
28.5 1980s
28.5.1 1981
28.5.2 1983
28.5.3 1984
28.5.4 1985
28.5.5 1986
28.5.6 1987
28.5.7 1988
28.5.8 1989
28.6 1990s
28.6.1 1990
28.6.2 1992
28.6.3 1993
28.6.4 1994
28.6.5 1995
28.6.6 1996
28.6.7 1997
28.6.8 1998
28.6.9 1999
28.7 2000s
28.7.1 2000
28.7.2 2001
28.7.3 2002
28.7.4 2003
28.7.5 2004
28.7.6 2005
28.7.7 2006
28.7.8 2007
28.7.9 2008
28.7.10 2009
28.8 2010s
28.8.1 2010
28.8.2 2011
28.8.3 2012
28.8.4 2013
28.8.5 2014
28.9 References
28.10 Further reading

29 (computing)
29.1 Purpose and uses
29.2 Notable Trojan horses
29.3 See also
29.4 References
29.5 External links

30 Vulnerability (computing)
30.1 Definitions
30.2 Vulnerability and risk factor models
30.3 management system
30.4 Classification
30.5 Causes
30.6 Vulnerability consequences
30.7 Vulnerability disclosure
30.7.1 Vulnerability inventory
30.8 Vulnerability disclosure date
30.9 Identifying and removing vulnerabilities
30.10 Examples of vulnerabilities
30.10.1 Software vulnerabilities
30.11 See also
30.12 References
30.13 External links

31 White hat (computer security)
31.1 History
31.2 Tactics
31.3 Legality in the UK
31.4 Employment
31.4.1 List of prominent white hat hackers
31.5 See also
31.6 References

32 Hacker (programmer subculture)
32.1 Definition
32.2 History
32.3 Ethics and principles
32.4 Use outside of computing
32.5 Hack value
32.6 See also
32.7 References
32.8 Further reading
32.9 External links

33
33.1 The hacker ethics
33.1.1 Sharing
33.1.2 Hands-On Imperative
33.1.3 Community and collaboration
33.2 Levy’s “true hackers”
33.3 Other descriptions
33.4 See also
33.5 Footnotes
33.6 References
33.7 Further reading
33.8 External links
33.9 Text and image sources, contributors, and licenses
33.9.1 Text
33.9.2 Images
33.9.3 Content license

Chapter 1

Antivirus software

“Antivirus” redirects here. For the antiviral medication, see Antiviral drug.

[Figure: ClamTk, an open source antivirus based on the ClamAV antivirus engine, originally developed by Tomasz Kojm in 2001.]

Antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software.

Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from: malicious Browser Helper Objects (BHOs), browser hijackers, , keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraudtools, adware and spyware.[1] Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and attacks, online identity (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets, DDoS attacks.[2]

1.1 History

See also: Timeline of notable computer viruses and worms

1.1.1 1949-1980 period (pre-antivirus days)

Although the roots of the computer virus date back as early as 1949, when the Hungarian scientist John von Neumann published the “Theory of self-reproducing automata”,[3] the first known computer virus appeared in 1971 and was dubbed the "Creeper virus".[4] This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.[5][6]

The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as “The Reaper”.[7] Some people consider “The Reaper” the first antivirus software ever written - it may be the case, but it is important to note that the Reaper was actually a virus itself specifically designed to remove the Creeper virus.[7][8][9]

The Creeper virus was followed by several other viruses. The first known that appeared “in the wild” was "", in 1981, which infected Apple II computers.[10][11][12]

In 1983, the term “computer virus” was coined by Fred Cohen in one of the first ever published academic papers on computer viruses.[13] Cohen used the term “computer virus” to describe a program that: “affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”[14] (note that a more recent, and precise, definition of computer virus has been given by the Hungarian security researcher Péter Szőr: “a code that recursively replicates a possibly evolved copy of itself”[15][16])

The first IBM PC-compatible “in the wild” computer virus, and one of the first real widespread infections, was "" in 1986. From then, the number of viruses has grown exponentially.[17][18] Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with computer virus programming and created viruses that manipulated or even destroyed data on infected computers.

Before internet connectivity was widespread, computer viruses were typically spread by infected floppy disks.


Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.[19]

1.1.2 1980-1990 period (early days)

There are competing claims for the innovator of the first antivirus product. Possibly, the first publicly documented removal of an “in the wild” computer virus (i.e. the “Vienna virus”) was performed by Bernd Fix in 1987.[20][21]

In 1987, Andreas Lüning and Kai Figge founded G Data Software and released their first antivirus product for the Atari ST platform.[22] Later in the same year, the Ultimate Virus Killer (UVK) 2000 antivirus was also released.[23]

In 1987, in the USA, John McAfee founded the McAfee company (now part of Intel Security[24]) and, at the end of that year, he released the first version of VirusScan.[25] In the meanwhile, in Slovakia, Peter Paško and Miroslav Trnka created the first version of NOD32 antivirus (albeit they established ESET only in 1992).

In 1987, Fred Cohen wrote that there is no algorithm that can perfectly detect all possible computer viruses.[26]

The first antivirus signatures were simply hashes of the entire files or sequences of bytes that represented the particular malware.

Finally, at the end of 1987, the first two heuristic antivirus utilities were released: FluShot Plus by Ross Greenberg[27][28][29] and Anti4us by Erwin Lanting.[30][31] However, the kind of heuristic they were using was totally different from the one used today by many antivirus products. The first antivirus product with a heuristic engine which resembles the ones used nowadays was F-PROT in 1991.[32] The early heuristic engines were based on dividing the binary in different sections: data section, code section (in legitimate binary it usually starts always from the same location). Indeed the initial viruses re-organise the layout of the sections, or override the initial portion of section in order to jump to the very end of the file where malicious code was located and then, later on, go back to resume the execution of the original code. This was a very specific pattern, not used at the time by any legitimate software, that initially represented a very nice heuristic to catch where something was suspicious or not. Later, in time, other kinds of more advanced heuristics have been added, such as: suspicious section names, incorrect header size, wildcards and regular expressions and partial pattern in-memory matching.

In 1988, the growth of antivirus companies continued. In Germany, Tjark Auerbach founded Avira (H+BEDV at the time) and released the first version of AntiVir (named “Luke Filewalker” at the time). In Bulgaria, Dr. Vesselin Bontchev released his first freeware antivirus program (he later joined FRISK Software). Also Frans Veldman released the first version of ThunderByte Antivirus, also known as TBAV (he sold his company to Norman Safeground in 1998). In Czech Republic, Pavel Baudiš and Eduard Kučera started ! (at the time ALWIL Software) and released their first version of avast! antivirus. In June 1988, in South Korea, Dr. Ahn Cheol-Soo released his first antivirus software, called V1 (he founded AhnLab later in 1995). Finally, in the Autumn 1988, in United Kingdom, Alan Solomon founded S&S International and created his Dr. Solomon’s Anti-Virus Toolkit (although he launched it commercially only in 1991 - in 1998 Dr. Solomon’s company was acquired by McAfee). At the end of the year, in the USA, Ross M. Greenberg released his second antivirus program, called VirexPC.

Also in 1988, a mailing list named VIRUS-L[33] was started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list were: Alan Solomon, Eugene Kaspersky (Kaspersky Lab), Friðrik Skúlason (FRISK Software), John McAfee (McAfee), Luis Corrons (), Mikko Hyppönen (F-Secure), Péter Szőr, Tjark Auerbach () and Dr. Vesselin Bontchev (FRISK Software).[33]

In 1989, in Iceland, Friðrik Skúlason created the first version of F-PROT Anti-Virus (he founded FRISK Software only in 1993). In the meanwhile, in the USA, Symantec (founded by Gary Hendrix in 1982) launched its first Symantec antivirus for Macintosh (SAM).[34][35] SAM 2.0, released March 1990, incorporated technology allowing users to easily update SAM to intercept and eliminate new viruses, including many that didn't exist at the time of the program’s release.[36]

At the end of the 1980s, in United Kingdom, Jan Hruska and Peter Lammer founded the security firm and began producing their first antivirus and products. In the same period, in Hungary, VirusBuster was also founded (which has recently been incorporated by Sophos).

1.1.3 1990-2000 period (emergence of the antivirus industry)

In 1990, in Spain, Mikel Urizarbarrena founded Panda Security (Panda Software at the time). In Hungary, the security researcher Péter Szőr released the first version of Pasteur antivirus. In Italy, Gianfranco Tonello created the first version of VirIT eXplorer antivirus (he founded TG Soft one year later).[37] Finally, in the end of the year, released its first antivirus software, named PC-Cillin.

In 1990, the Computer Antivirus Research Organization (CARO) was founded. In 1991, CARO released the “Virus Naming Scheme”, originally written by Friðrik Skúlason and Vesselin Bontchev.[38] Although this naming scheme is now outdated, it remains the only existing standard that most computer security companies and researchers ever attempted to adopt. CARO members include: Alan Solomon, Costin Raiu, Dmitry Gryaznov, Eugene Kaspersky, Friðrik Skúlason, Igor Muttik, Mikko Hyppönen, Morton Swimmer, Nick FitzGerald, Padgett Peterson, Peter Ferrie, Righard Zwienenberg and Dr. Vesselin Bontchev.[39][40]

In 1991, in the USA, Symantec released the first version of Anti-Virus. In the same year, in Czechoslovakia, Jan Gritzbach and Tomáš Hofer founded AVG Technologies (Grisoft at the time), although they released the first version of their Anti-Virus Guard (AVG) only in 1992. On the other hand, in Finland, F-Secure (founded in 1988 by Petri Allas and Risto Siilasmaa - with the name of Data Fellows) released the first version of their antivirus product. F-Secure claims to be the first antivirus firm to establish a presence on the World Wide Web.[41]

In 1991, the European Institute for Computer Antivirus Research (EICAR) was founded to further antivirus research and improve development of antivirus software.[42][43]

In 1992, in Russia, Igor Danilov released the first version of SpiderWeb, which later became Dr. Web.[44]

In 1994, AV-TEST reported that there were 28,613 unique malware samples (based on MD5) in their database.[45]

Over time other companies were founded. In 1996, in Romania, was founded and released the first version of Anti-Virus eXpert (AVX).[46] In 1997, in Russia, Eugene Kaspersky and Natalia Kaspersky co-founded security firm .[47]

In 1996, there was also the first “in the wild” Linux virus, known as “Staog”.[48]

In 1999, AV-TEST reported that there were 98,428 unique malware samples (based on MD5) in their database.[45]

1.1.4 2000-2005 period

In 2000, Rainer Link and Howard Fuhs started the first open source antivirus engine, called OpenAntivirus Project.[49]

In 2001, Tomasz Kojm released the first version of ClamAV, the first ever open source antivirus engine to be commercialised. In 2007, ClamAV was bought by Sourcefire,[50] which in turn was acquired by Cisco Systems in 2013.[51]

In 2002, in United Kingdom, Morten Lund and Theis Søndergaard co-founded the antivirus firm BullGuard.[52]

In 2005, AV-TEST reported that there were 333,425 unique malware samples (based on MD5) in their database.[45]

1.1.5 2005 to present

As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update antiviruses more and more frequently. Even then, a new zero-day or next-generation malware could become widespread before antivirus firms released an update to protect against it.

In 2007, AV-TEST reported a number of 5,490,960 new unique malware samples (based on MD5) only for that year.[45] In 2012 and 2013, antivirus firms reported that new malware samples ranged from 300,000 to over 500,000 per day.[53][54]

Slowly, in order to catch up with malware production, antivirus firms have moved to more and more complex algorithms.

Over the years it has become necessary for antivirus software to use several different strategies (e.g. specific and network protection or low level modules) and detection algorithms, as well as to check an increasing variety of files, rather than just executables, for several reasons:

• Powerful macros used in word processor applications, such as Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.[55]

• The possibility of embedding executable objects inside otherwise non-executable file formats can make opening those files a risk.[56]

• Later email programs, in particular Microsoft’s Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user’s computer could be infected by just opening or previewing a message.[57]

In 2005, F-Secure was the first security firm that developed an Anti-Rootkit technology, called BlackLight.

Given the consideration that most people are nowadays connected to the Internet round-the-clock, in 2008, Jon Oberheide first proposed a Cloud-based antivirus design.[58]

In November 2009, Panda Security unveiled its first Cloud-based antivirus technology, the first commercial CloudAV ever released. A year after, Sophos also added to its host-based antivirus product a Cloud-based one. In the following years, many other antivirus firms have added a CloudAV to their security products (see Comparison of antivirus software for a complete overview).

In 2011, AVG introduced a similar cloud service, called Protective Cloud Technology.[59]

Most recently, the industry has seen approaches to the problem of detecting and mitigating zero-day attacks. One method from Bromium involves micro-virtualization to protect desktops from malicious code execution initiated by the end user. Another approach from SentinelOne focuses on behavioral detection by building a full context around every process execution path in real time.[60][61]

1.2 Identification methods

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen’s 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses.[26] However, using different layers of defense, a good detection rate may be achieved.

There are several methods which an antivirus engine can use to identify malware:

• Signature-based detection: the most common method. To identify viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures.

• Heuristic-based detection: generally used together with signature-based detection. It detects malware based on characteristics typically used in known malware code.

• Behavioural-based detection: similar to heuristic-based detection and also used in intrusion detection systems. The main difference is that, instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run-time. Clearly, this technique is able to detect (known or unknown) malware only after it has started performing its malicious actions.

• Sandbox detection: a particular behavioural-based detection technique that, instead of detecting the behavioural fingerprint at run time, executes the programs in a virtual environment, logging what actions the program performs. Depending on the actions logged, the antivirus engine can determine if the program is malicious or not.[62] If not, the program is then executed in the real environment. Although this technique has been shown to be quite effective, given its heaviness and slowness it is rarely used in end-user antivirus solutions.[63]

• Data mining techniques: one of the latest approaches applied in malware detection. Data mining and machine learning algorithms are used to try to classify the behaviour of a file (as either malicious or benign) given a series of file features that are extracted from the file itself.[64][65][66][67][68][69][70][71][72][73][74][75][76][77]

1.2.1 Signature-based detection

Traditionally, antivirus software heavily relied upon signatures to identify malware.

In essence, when a malware sample arrives in the hands of an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems. Then, once it is confirmed to be malware, a proper signature of the file is extracted and added to the signatures database of the antivirus software. When a particular file has to be scanned, the antivirus engine compares the content of the file with all the malware signatures in the signatures database. If the file matches one signature, then the engine knows which malware it is and which procedure has to be performed in order to clean the infection.

The signature-based detection technique can be very effective but, clearly, cannot defend against malware unless some of its samples have already been obtained, a proper signature generated and the antivirus product updated. Signature-based detection systems rely on the consideration that, generally speaking, the more infective a piece of malware is, the faster it arrives in the hands of security researchers. Thus, even if it does not guarantee perfection, it guarantees protection from the most widespread threats. However, this approach is not really effective against zero-day or next-generation malware, i.e. malware that has not yet been encountered or analysed.

As new malware is being created each day, the signature-based detection approach requires frequent updates of the signatures database. To assist the antivirus firms, the software may automatically upload new malware to the company or allow the user to do it manually, allowing the antivirus firms to dramatically shorten the life of those threats. Some antivirus products also include advanced software to spot zero-day or next-generation malware.

Although the signature-based approach can effectively contain malware outbreaks, malware authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.[78]

1.2.2 Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware.

Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.[79]
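The signature matching of section 1.2.1 and the generic signatures of section 1.2.2, as an added example (not code from any antivirus product): a small byte-pattern scanner in which `??` stands for any one byte and `*` for a bounded run of padding. The signature syntax, the `Demo.*` names, `MAX_GAP` and the sample byte strings are all constructed for this illustration.

```python
import re

MAX_GAP = 64  # assumption: most bytes a '*' wildcard may skip


def compile_signature(pattern):
    """Turn a pattern such as 'de ad ?? * be ef' into a compiled bytes regex.

    Tokens: two hex digits = exactly that byte, '??' = any single byte,
    '*' = a gap of 0..MAX_GAP arbitrary bytes (padding between shared regions).
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".{0,%d}?" % MAX_GAP)
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(b"\\x" + tok.lower().encode("ascii"))
        else:
            raise ValueError("bad signature token: %r" % tok)
    # DOTALL so that '.' also matches the newline byte 0x0a.
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed, inert byte strings; none of this is real malware.
HEADER = b"MZ" + b"HDR0"
SAMPLE_A = HEADER + bytes.fromhex("dead1001") + bytes.fromhex("beef") + b"tail-A"
# Variant of the same made-up family: one byte differs and 12 filler bytes
# sit between the two regions that the family members share.
SAMPLE_B = (HEADER + bytes.fromhex("dead1002") + b"\x00" * 12
            + bytes.fromhex("beef") + b"tail-B")
BENIGN = HEADER + b"ordinary program bytes" + bytes.fromhex("beef")

# An exact signature for the first sample plus one generic family signature.
TUNED_DB = {
    "Demo.FamilyX.A": compile_signature("de ad 10 01 be ef"),
    "Demo.FamilyX.gen": compile_signature("de ad 10 ?? * be ef"),
}
# A generic signature with too few fixed bytes: it keys on the common
# two-byte header and a two-byte trailer only.
OVERBROAD_DB = {
    "Demo.FamilyX.loose": compile_signature("4d 5a * be ef"),
}


def scan(data, database):
    """Return (signature name, match offset) for every signature found in data."""
    hits = []
    for name, rx in database.items():
        match = rx.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


if __name__ == "__main__":
    for label, blob in (("sample A", SAMPLE_A), ("variant B", SAMPLE_B),
                        ("benign", BENIGN)):
        print(label, "tuned:", scan(blob, TUNED_DB),
              "over-broad:", scan(blob, OVERBROAD_DB))
```

The exact signature misses the padded variant while the generic one still reports it; the over-broad pattern also flags the harmless file, which is why a signature should be tested against known-good files before it ships.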

For example, the Vundo trojan has several family members, depending on the antivirus vendor’s classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B.[80][81]

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.[82] A detection that uses this method is said to be “heuristic detection.”

1.2.3 Rootkit detection

Main article: Rootkit

Anti-virus software can attempt to scan for rootkits; a rootkit is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.[83]

1.2.4 Real-time protection

Real-time protection, on-access scanning, background guard, resident shield, autoprotect, and other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and other anti-malware programs. This monitors computer systems for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in 'real-time', in other words while data is loaded into the computer’s active memory: when inserting a CD, opening an email, or browsing the web, or when a file already on the computer is opened or executed.[84]

1.3 Issues of concern

1.3.1 Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser’s credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription[85] while BitDefender sends notifications to unsubscribe 30 days before the renewal.[86] Norton AntiVirus also renews subscriptions automatically by default.[87]

1.3.2 Rogue security applications

Some apparent antivirus programs are actually malware masquerading as legitimate software, such as WinFixer, MS Antivirus, and Mac Defender.[88]

1.3.3 Problems caused by false positives

A “false positive” or “false alarm” is when antivirus software identifies a non-malicious file as malware. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, as is common on antivirus applications, a false positive in an essential file can render the Windows operating system or some applications unusable.[89] Recovering from such damage to critical software infrastructure incurs technical support costs, and businesses can be forced to close whilst remedial action is undertaken.[90][91] For example, in May 2007 a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.[92]

Also in May 2007, the executable file required by Pegasus Mail on Windows was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened.[93] In response to this Pegasus Mail stated:

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.[94][95]

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering it unable to boot due to an endless boot loop.[96]

In October 2011, Microsoft Security Essentials (MSE) removed the Chrome web browser, rival to Microsoft’s own Internet Explorer. MSE flagged Chrome as a Zbot banking trojan.[97]

In September 2012, Sophos' anti-virus suite identified various update mechanisms, including its own, as malware. If it was configured to automatically delete detected files, Sophos Antivirus could render itself unable to update, requiring manual intervention to fix the problem.[98][99]

1.3.4 System and interoperability related issues

Running (the real-time protection of) multiple antivirus programs concurrently can degrade performance and create conflicts.[100] However, using a concept called multiscanning, several companies (including G Data[101] and Microsoft[102]) have created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.[103] Active antivirus protection may partially or completely prevent the installation of a major update. Anti-virus software can cause problems during the installation of an operating system upgrade, e.g. when upgrading to a newer version of Windows “in place”, without erasing the previous version of Windows. Microsoft recommends that anti-virus software be disabled to avoid conflicts with the upgrade installation process.[104][105][106]

The functionality of a few computer programs can be hampered by active anti-virus software. For example, TrueCrypt, a disk encryption program, states on its troubleshooting page that anti-virus programs can conflict with TrueCrypt and cause it to malfunction or operate very slowly.[107] Anti-virus software can impair the performance and stability of games running in the Steam platform.[108]

Support issues also exist around antivirus application interoperability with common solutions like SSL VPN remote access and network access control products.[109] These technology solutions often have policy assessment applications which require that an up-to-date antivirus is installed and running. If the antivirus application is not recognized by the policy assessment, whether because the antivirus application has been updated or because it is not part of the policy assessment library, the user will be unable to connect.

1.3.5 Effectiveness

Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the previous year, particularly against unknown or zero day attacks. The computer magazine 't found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent.[110] According to the tracker website the average detection rate for all variants of the well-known ZeuS trojan is as low as 40%.[111]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations.[112]

In 2008, Eva Chen, CEO of Trend Micro, stated that the anti-virus industry has over-hyped how effective its products are, and so has been misleading customers, for years.[113]

Independent testing on all the major virus scanners consistently shows that none provide 100% virus detection. The best ones provided as high as 99.9% detection for simulated real-world situations, while the lowest provided 91.1% in tests conducted in August 2013. Many virus scanners produce false positive results as well, identifying benign files as malware.[114]

Although methodologies may differ, some notable independent quality testing agencies include AV-Comparatives, ICSA Labs, West Coast Labs, Virus Bulletin, AV-TEST and other members of the Anti-Malware Testing Standards Organization.[115][116]

1.3.6 New viruses

Anti-virus programs are not always effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild.[117]

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners. Jerome Segura, a security analyst with ParetoLogic, explained:[118]

A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from anti-virus software. The potential success of this involves bypassing the CPU in order to make it much harder for security researchers to analyse the inner workings of such malware.[119]

1.3.7 Rootkits

Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to the computer and are invisible to users and hidden from the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system and tamper with antivirus programs.[120]

1.3.8 Damaged files

Files which have been damaged by computer viruses, e.g. by ransomware, may be damaged beyond recovery. Anti-virus software removes the virus code from the file during disinfection, but this does not always restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups or shadow copies;[121] installed software that is damaged requires re-installation[122] (however, see System File Checker).

1.3.9 Firmware issues

Active anti-virus software can interfere with a firmware update process.[123] Any writeable firmware in the computer can be infected by malicious code.[124] This is a major concern, as an infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is completely removed.[125] Anti-virus software is not effective at protecting firmware and the motherboard BIOS from infection.[126] In 2014, security researchers discovered that USB devices contain writeable firmware which can be modified with malicious code (dubbed "BadUSB"), which anti-virus software cannot detect or prevent. The malicious code can run undetected on the computer and could even infect the operating system prior to it booting up.[127][128]

1.4 Performance and other drawbacks

Antivirus software has some drawbacks, the first of which is that it can impact a computer’s performance.[129]

Furthermore, inexperienced users can be lulled into a false sense of security when using the computer, considering themselves to be invulnerable, and may have problems understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, it must be fine-tuned to minimize misidentifying harmless software as malicious (false positive).[130]

Antivirus software itself usually runs at the highly trusted kernel level of the operating system to allow it access to all potentially malicious processes and files, creating a potential avenue of attack.[131]

1.5 Alternative solutions

Installed antivirus solutions running on individual computers, although the most used, are only one method of guarding against malware. Other alternative solutions are also used, including: Unified Threat Management (UTM), hardware and network firewalls, cloud-based antivirus and on-line scanners.

[Figure: The command-line virus scanner of Clam AV 0.95.2, an open source antivirus originally developed by Tomasz Kojm in 2001. Here running a virus signature definition update, scanning a file and identifying a Trojan.]

1.5.1 Hardware and network Firewall

Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

1.5.2 Cloud antivirus

Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider’s infrastructure.[132]

One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioral detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine and therefore eliminating any possible issues. CloudAV can also perform “retrospective detection,” whereby the cloud detection engine rescans all files in its file access history when a new threat is identified, thus improving new threat detection speed. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.[133]

Some examples of cloud anti-virus products are Panda Cloud Antivirus and .

1.5.3 Online scanning

Some antivirus vendors maintain websites with free online scanning capability of the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run antivirus applications on their computers because those applications are frequently slow to catch threats. One of the first things that malicious software does in an attack is disable any existing antivirus software, and sometimes the only way to know of an attack is by turning to an online resource that is not installed on the infected computer.[134]

1.5.4 Specialist tools

[Figure: The command-line rkhunter scanner, an engine to scan for Linux rootkits.]

Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster,[135] and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool,[136] PCTools Threat Removal Tool,[137] and AVG's Anti-Virus Free 2011.[138]

A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for example, the installed operating system is no longer bootable or has malware that is resisting all attempts to be removed by the installed antivirus software. Examples of some of these bootable disks include the Avira AntiVir Rescue System,[136] PCTools Alternate Operating System Scanner,[139] and AVG Rescue CD.[140] The AVG Rescue CD software can also be installed onto a USB storage device that is bootable on newer computers.[140]

1.6 Usage and risks

According to an FBI survey, major businesses lose $12 million annually dealing with virus incidents.[141] A survey by Symantec in 2009 found that a third of small to medium-sized businesses did not use antivirus protection at that time, whereas more than 80% of home users had some kind of antivirus installed.[142] According to a sociological survey conducted by G Data Software in 2010, 49% of women did not use any antivirus program at all.[143]

1.7 See also

• Anti-virus and anti-malware software
• CARO, the Computer Antivirus Research Organization
• Comparison of antivirus software
• EICAR, the European Institute for Computer Antivirus Research
• Firewall software
• Comparison of computer viruses
• List of trojan horses
• Quarantine technology
• Sandbox (computer security)
• Timeline of notable computer viruses and worms
• Virus hoax

1.8 References

[1] lifehacker: The Difference Between Antivirus and Anti-Malware (and Which to Use)
[2] “What is antivirus software?”. Microsoft.
[3] John von Neumann: “Theory of self-reproducing automata” (1949)
[4] Thomas Chen, Jean-Marc Robert (2004). “The Evolution of Viruses and Worms”. Retrieved 2009-02-16.
[5] From the first email to the first YouTube video: a definitive internet history. Tom Meltzer and Sarah Phillips. The Guardian. 23 October 2009
[6] IEEE Annals of the History of Computing, Volumes 27-28. IEEE Computer Society, 2005. 74. Retrieved from Google Books on 13 May 2011. “[...]from one machine to another led to experimentation with the Creeper program, which became the world’s first computer worm: a computation that used the network to recreate itself on another node, and spread from node to node.”
[7] John Metcalf (2014). “Core War: Creeper & Reaper”. Retrieved 2014-05-01.

[8] Creeper - The Virus Encyclopedia
[9] What was the First Antivirus Software?
[10] “Elk Cloner”. Retrieved 2010-12-10.
[11] “Top 10 Computer Viruses: No. 10 - Elk Cloner”. Retrieved 2010-12-10.
[12] “List of Computer Viruses Developed in 1980s”. Retrieved 2010-12-10.
[13] Fred Cohen: “Computer Viruses – Theory and Experiments” (1983)
[14] Fred Cohen 1988 “On the implications of Computer Viruses and Methods of Defense”
[15] Péter Szőr: “The Art of Computer Virus Research and Defense” (2005)
[16] VirusBulletin: “In memoriam: Péter Szőr 1970-2013” (2013)
[17] History of viruses
[18] Leyden, John (January 19, 2006). “PC virus celebrates 20th birthday”. Retrieved March 21, 2011.
[19] Panda Security (April 2004). “(II) Evolution of computer viruses”. Archived from the original on 2 August 2009. Retrieved 2009-06-20.
[20] Kaspersky Lab Virus list
[21] Wells, Joe (1996-08-30). “Virus timeline”. IBM. Archived from the original on 4 June 2008. Retrieved 2008-06-06.
[22] G Data Software AG (2011). “G Data presents security firsts at CeBIT 2010”. Retrieved 22 August 2011.
[23] Karsmakers, Richard (January 2010). “The ultimate Virus Killer UVK 2000”. Retrieved 22 August 2011.
[24] “McAfee Becomes Intel Security”. McAfee Inc. Retrieved 15 January 2014.
[25] Cavendish, Marshall (2007). Inventors and Inventions, Volume 4. Paul Bernabeo. p. 1033. ISBN 0761477675.
[26] Cohen, Fred, An Undetectable Computer Virus (Archived), 1987, IBM
[27] Patricia A. Yevics: “Flu Shot for Computer Viruses”
[28] How friends help friends on the Internet: The Ross Greenberg Story
[29] Anti-virus is 30 years old
[30] A Brief History of Antivirus Software
[31] Antivirus software history
[32] http://www.frisk.is/fyrirtaeki.html
[33] VIRUS-L mailing list archive
[34] Symantec and Internet Security at PCM
[35] SAM Identifies Virus-Infected Files, Repairs Applications, InfoWorld, May 22, 1989
[36] SAM Update Lets Users Program for New Viruses, InfoWorld, Feb 19, 1990
[37] TG Soft History
[38] Skúlason and Bontchev: “Virus Naming Scheme” (1991)
[39] “CARO Members”. CARO. Retrieved 6 June 2011.
[40] CAROids, 2003
[41] “F-Secure Weblog : News from the Lab”. F-secure.com. Retrieved 2012-09-23.
[42] “About EICAR”. EICAR official website. Retrieved 28 October 2013.
[43] David Harley, Lysa Myers & Eddy Willems. “Test Files and Product Evaluation: the Case for and against Malware Simulation” (PDF). AVAR2010 13th Association of anti Virus Asia Researchers International Conference. Retrieved June 30, 2011.
[44] “Dr. Web LTD Doctor Web / Dr. Web Reviews, Best AntiVirus Software Reviews, Review Centre”. Reviewcentre.com. Retrieved 2014-02-17.
[45] [In 1994, AV-Test.org reported 28,613 unique malware samples (based on MD5). “A Brief History of Malware; The First 25 Years”]
[46] “BitDefender Product History”.
[47] “InfoWatch Management”. InfoWatch. Retrieved 12 August 2013.
[48] Linuxvirus
[49]
[50] “Sourcefire acquires ClamAV”. ClamAV. 2007-09-17. Retrieved 2008-02-12.
[51] “Cisco Completes Acquisition of Sourcefire”. cisco.com. 2013-10-07. Retrieved 2014-06-18.
[52] “(german) Interview with Morten Lund in Brandeins”.
[53] “The digital detective: Mikko Hypponen’s war on malware is escalating.” (March 2012, Wired)
[54] James Lyne: “Everyday cybercrime – and what you can do about it” (February 2013, TED)
[55] Szor 2005, pp. 66–67
[56] “New virus travels in PDF files”. 7 August 2001. Retrieved 2011-10-29.
[57] Slipstick Systems (February 2009). “Protecting Microsoft Outlook against Viruses”. Archived from the original on 2 June 2009. Retrieved 2009-06-18.
[58] Jon Oberheide: “CloudAV: N-Version Antivirus in the Network Cloud” (2008, Usenix)
[59] “TECHNOLOGY OVERVIEW”. AVG Security. Retrieved 16 February 2015.
[60] NetworkWorld, Ellen Messmer, August 19, 2014: “Start-up offers up endpoint detection and response for behavior-based malware detection”
[61] HSToday.US, Kylie Bull, June 19, 2014: “Bromium Research Reveals Insecurity In Existing Endpoint Malware Protection Deployments”
[62] “Sandboxing against unknown zero day threats”. Retrieved 2015-01-30.
[63] Szor 2005, pp. 474–481
[64] A Machine Learning Approach to Anti-virus System
[65] Data Mining Methods for Malware Detection
[66] Data mining and Machine Learning in Cybersecurity
[67] Analysis of Machine learning Techniques Used in Behavior-Based Malware Detection
[68] A survey of data mining techniques for malware detection using file features
[69] Intelligent automatic malicious code signatures extraction
[70] Malware Detection by Data Mining Techniques Based on Positionally Dependent Features
[71] Data mining methods for detection of new malicious executables
[72] IMDS: Intelligent Malware Detection System
[73] Learning to Detect and Classify Malicious Executables in the Wild
[74] Malware detection using statistical analysis of byte-level file content
[75] An intelligent PE-malware detection system based on association mining
[76] Malware detection based on mining API calls
[77] “Andromaly”: a behavioral malware detection framework for android devices
[78] Szor 2005, pp. 252–288
[79] “Generic detection”. Kaspersky. Retrieved 2013-07-11.
[80] Symantec Corporation (February 2009). “Trojan.Vundo”. Archived from the original on 9 April 2009. Retrieved 2009-04-14.
[81] Symantec Corporation (February 2007). “Trojan.Vundo.B”. Archived from the original on 27 April 2009. Retrieved 2009-04-14.
[82] “Antivirus Research and Detection Techniques”. ExtremeTech. Archived from the original on 27 February 2009. Retrieved 2009-02-24.
[83] Rootkit
[84] Kaspersky Lab Technical Support Portal Archived 13 February 2011 at WebCite
[85] Kelly, Michael (October 2006). “Buying Dangerously”. Retrieved 2009-11-29.
[86] Bitdefender (2009). “Automatic Renewal”. Retrieved 2009-11-29.
[87] Symantec (2014). “Norton Automatic Renewal Service FAQ”. Retrieved 2014-04-09.
[88] SpywareWarrior (2007). “Rogue/Suspect Anti-Spyware Products & Web Sites”. Retrieved 2009-11-29.
[89] Emil Protalinski (November 11, 2008). “AVG incorrectly flags user32.dll in Windows XP SP2/SP3”. Retrieved 2011-02-24.
[90] McAfee to compensate businesses for buggy update, retrieved 2 December 2010
[91] Buggy McAfee update whacks Windows XP PCs, archived from the original on 13 January 2011, retrieved 2 December 2010
[92] Aaron Tan (May 24, 2007). “Flawed Symantec update cripples Chinese PCs”. CNET Networks. Retrieved 2009-04-05.
[93] David Harris (June 29, 2009). “January 2010 - Pegasus Mail v4.52 Release”. Pegasus Mail. Archived from the original on 28 May 2010. Retrieved 2010-05-21.
[94] “McAfee DAT 5958 Update Issues”. 21 April 2010. Archived from the original on 24 April 2010. Retrieved 22 April 2010.
[95] “Botched McAfee update shutting down corporate XP machines worldwide”. 21 April 2010. Archived from the original on 22 April 2010. Retrieved 22 April 2010.
[96] John Leyden (December 2, 2010). “Horror AVG update ballsup bricks Windows 7”. The Register. Retrieved 2010-12-02.
[97] MSE false positive detection forces Google to update Chrome, retrieved 3 October 2011
[98] Sophos Antivirus Detects Itself as Malware, Deletes Binaries, The Next Web, retrieved 5 March 2014
[99] Shh/Updater-B false positive by Sophos anti-virus products, Sophos, retrieved 5 March 2014
[100] Microsoft (January 2007). “Plus! 98: How to Remove McAfee VirusScan”. Archived from the original on 27 September 2014. Retrieved 2014-09-27.
[101] Robert Vamosi (May 28, 2009). “G-Data Internet Security 2010”. PC World. Retrieved 2011-02-24.
[102] Kelly Jackson Higgins (May 5, 2010). “New Microsoft Forefront Software Runs Five Antivirus Vendors’ Engines”. Darkreading. Retrieved 2011-02-24.
[103] Microsoft (April 2009). “Steps to take before you install Windows XP Service Pack 3”. Archived from the original on 8 December 2009. Retrieved 2009-11-29.
[104] “Upgrading from to Windows 7”. Retrieved 24 March 2012. Mentioned within “Before you begin”.
[105] “Upgrading to Microsoft Windows Vista recommended steps.”. Retrieved 24 March 2012.
[106] “How to troubleshoot problems during installation when you upgrade from or Windows Millennium Edition to Windows XP”. Last Review: May 7, 2007. Retrieved 24 March 2012. Mentioned within “General troubleshooting”.
[107] “Troubleshooting”. Retrieved 2011-02-17.
[108] “Spyware, Adware, and Viruses Interfering with Steam”. Retrieved 11 April 2013. Steam support page.
[109] Field Notice: FN - 63204 - Cisco Clean Access has Interoperability issue with Symantec Anti-virus - delays Agent start-up
[110] Dan Goodin (December 21, 2007). “Anti-virus protection gets worse”. Channel Register. Retrieved 2011-02-24.
[111]
[112] Dan Illett (July 13, 2007). “Hacking poses threats to business”. Computer Weekly. Retrieved 2009-11-15.
[113] Tom Espiner (June 30, 2008). “Trend Micro: Antivirus industry lied for 20 years”. ZDNet. Retrieved 2014-09-27.
[114] AV Comparatives (December 2013). “Whole Product Dynamic “Real World” Production Test” (PDF). Archived (PDF) from the original on 2 January 2013. Retrieved 2 January 2014.
[115] Guidelines released for antivirus software tests
[116] Harley, David (2011). AVIEN Malware Defense Guide for the Enterprise. Elsevier. p. 487. ISBN 9780080558660. Retrieved 2013-06-10.
[117] Kotadia, Munir (July 2006). “Why popular antivirus apps 'do not work'”. Retrieved 14 April 2010.
[118] The Canadian Press (April 2010). “Internet scam uses adult game to extort cash”. CBC News. Archived from the original on 18 April 2010. Retrieved 17 April 2010.
[119] Researchers up evilness ante with GPU-assisted malware - Coming to a PC near you, by Dan Goodin
[120] GIBSON RESEARCH CORPORATION SERIES: Security Now!
[121] “Cryptolocker Ransomware: What You Need To Know”. Retrieved 2014-03-28.
[122] “How Anti-Virus Software Works”. Retrieved 2011-02-16.
[123] “BT Home Hub Firmware Upgrade Procedure”. Retrieved 2011-03-06.
[124] “The 10 faces of computer malware”. July 17, 2009. Retrieved 2011-03-06.
[125] “New BIOS Virus Withstands HDD Wipes”. 27 March 2009. Retrieved 2011-03-06.
[126] “ Inc. Persistent BIOS Infection”. June 1, 2009. Archived from the original on 30 April 2011. Retrieved 2011-03-06.
[127] “Turning USB peripherals into BadUSB”. Retrieved 2014-10-11.
[128] “Why the Security of USB Is Fundamentally Broken”. 2014-07-31. Retrieved 2014-10-11.
[129] “How Antivirus Software Can Slow Down Your Computer”. Support.com Blog. Retrieved 2010-07-26.
[130] “Softpedia Exclusive Interview: Avira 10”. Ionut Ilascu. Softpedia. 14 April 2010. Retrieved 2011-09-11.
[131] “Norton AntiVirus ignores malicious WMI instructions”. Munir Kotadia. CBS Interactive. 21 October 2004. Retrieved 2009-04-05.
[132] Zeltser, Lenny (October 2010). “What Is Cloud Anti-Virus and How Does It Work?”. Archived from the original on 10 October 2010. Retrieved 2010-10-26.
[133] Jon Erickson (August 6, 2008). “Antivirus Software Heads for the Clouds”. Information Week. Retrieved 2010-02-24.
[134] Brian Krebs (March 9, 2007). “Online Anti-Virus Scans: A Free Second Opinion”. Washington Post. Retrieved 2011-02-24.
[135] Ryan Naraine (February 2, 2007). “Trend Micro ships free 'rootkit buster'”. ZDNet. Retrieved 2011-02-24.
[136] Neil J. Rubenking (March 26, 2010). “Avira AntiVir Personal 10”. PC Magazine. Retrieved 2011-02-24.
[137] Neil J. Rubenking (September 16, 2010). “PC Tools Spyware Doctor with AntiVirus 2011”. PC Magazine. Retrieved 2011-02-24.
[138] Neil J. Rubenking (October 4, 2010). “AVG Anti-Virus Free 2011”. PC Magazine. Retrieved 2011-02-24.
[139] Neil J. Rubenking (November 19, 2009). “PC Tools Internet Security 2010”. PC Magazine. Retrieved 2011-02-24.
[140] Carrie-Ann Skinner (March 25, 2010). “AVG Offers Free Emergency Boot CD”. PC World. Retrieved 2011-02-24.
[141] “FBI estimates major companies lose $12m annually from viruses”. 30 January 2007. Retrieved 20 February 2011.
[142] Michael Kaiser (April 17, 2009). “Small and Medium Size Businesses are Vulnerable”. National Cyber Security Alliance. Retrieved 2011-02-24.
[143] “Nearly 50% of women don't use antivirus”. SPAMfighter.

1.9 Bibliography

• Szor, Peter (2005), The Art of Computer Virus Research and Defense, Addison-Wesley, ISBN 0-321-30454-3

1.10 External links

• Antivirus software at DMOZ

Chapter 2

Application security

Application security (short: AppSec) encompasses measures taken throughout the code’s life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Applications only control the kind of resources granted to them, and not which resources are granted to them. They, in turn, determine the use of these resources by users of the application through application security.

The Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC) publish updates on the latest threats which impair web-based applications. This helps developers, security testers and architects to focus on better design and mitigation strategy. The OWASP Top 10 has become an industry norm in assessing web applications.

2.1 Methodology

According to the patterns & practices Improving Web Application Security book, a principle-based approach for application security includes:[1]

• Knowing your threats.
• Securing the network, host and application.
• Incorporating security into your software development process.

Note that this approach is technology / platform independent. It is focused on principles, patterns, and practices.

2.2 Threats, Attacks, Vulnerabilities, and Countermeasures

According to the patterns & practices Improving Web Application Security book, the following terms are relevant to application security:[1]

• Asset. A resource of value such as the data in a database or on the file system, or a system resource.
• Threat. Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.
• Vulnerability. A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
• Attack (or exploit). An action taken to harm an asset.
• Countermeasure. A safeguard that addresses a threat and mitigates risk.

2.3 Application Threats / Attacks

According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:[1]

2.4 Mobile application security

Main article: Mobile security

OWASP, a leading application security industry authority, has acknowledged and prioritized the need for mobile application security, and recommended binary protection to mitigate the business and technical risks that mobile apps face. See Mobile Security Project - Top Ten Mobile Risks for Top Ten Mobile Risks based on new vulnerability statistics in the field of mobile applications.

The proportion of mobile devices providing open platform functionality is expected to continue to increase in future. The openness of these platforms offers significant opportunities to all parts of the mobile eco-system by delivering the ability for flexible program and service delivery options that may be installed, removed or refreshed multiple times in line with the user’s needs and requirements. However, with openness comes responsibility and unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in

13 14 CHAPTER 2. APPLICATION SECURITY damage to the user, the device, the network or all of these, commercially versus trying to trace every possible path if not managed by suitable security architectures and net- through a compiled code base to find the root cause level work precautions. Application security is provided in vulnerabilities. some form on most open OS mobile devices (Symbian [2] [3] The two types of automated tools associated with ap- OS, Microsoft, BREW, etc.). Industry groups have plication vulnerability detection (application vulnerabil- also created recommendations including the GSM Asso- [4] ity scanners) are Penetration Testing Tools (often catego- ciation and Open Mobile Terminal Platform (OMTP). rized as Black Box Testing Tools) and static code analy- There are several strategies to enhance mobile application sis tools (often categorized as White Box Testing Tools). security including Tools for Black Box Testing include IBM Rational App- Scan, HP Application Security Center[5] suite of appli- [6] • Application white listing cations (through the acquisition of SPI Dynamics ), N- Stalker Web Application Security Scanner (original de- • Ensuring transport layer security velopers of N-Stealth back in 2000), Nikto (open source), and NTObjectives. 
• Strong authentication and authorization [7][8] Static code analysis tools include Coverity,[9] • Encryption of data when written to memory Polyspace,[10] ECLAIR,[11] GrammaTech,[12] Fortify Software, Klocwork,[13] Parasoft,[14] and Veracode.[15] • Sandboxing of applications According to Gartner Research,[16] "...next-generation • Granting application access on a per-API level modern Web and mobile applications requires a com- bination of SAST and DAST techniques, and new in- • Processes tied to a user ID teractive application security testing (IAST) approaches • have emerged that combine static and dynamic tech- Predefined interactions between the mobile applica- [17] tion and the OS niques to improve testing...”, including: Contrast™ and Quotium Technologies.[18] Because IAST combines • Requiring user input for privileged/elevated access SAST and DAST techniques, the results are highly ac- tionable, can be linked to the specific line of code, and • Proper session handling can be recorded for replay later for developers. Banking and large E-Commerce corporations have been the very early adopter customer profile for these types 2.5 Security testing for applica- of tools. It is commonly held within these firms that tions both Black Box testing and White Box testing tools are needed in the pursuit of application security. Typically sited, Black Box testing (meaning Penetration Testing Security testing techniques scour for vulnerabilities or se- tools) are ethical hacking tools used to attack the appli- curity holes in applications. These vulnerabilities leave cation surface to expose vulnerabilities suspended within applications open to exploitation. Ideally, security testing the source code hierarchy. Penetration testing tools are is implemented throughout the entire software develop- executed on the already deployed application. 
White Box ment life cycle (SDLC) so that vulnerabilities may be ad- testing (meaning Source Code Analysis tools) are used dressed in a timely and thorough manner. Unfortunately, by either the application security groups or application testing is often conducted as an afterthought at the end of development groups. Typically introduced into a com- the development cycle. pany through the application security organization, the Vulnerability scanners, and more specifically web appli- White Box tools complement the Black Box testing tools cation scanners, otherwise known as penetration testing in that they give specific visibility into the specific root tools (i.e. ethical hacking tools) have been historically vulnerabilities within the source code in advance of the used by security organizations within corporations and source code being deployed. Vulnerabilities identified security consultants to automate the security testing of with White Box testing and Black Box testing are typi- http request/responses; however, this is not a substitute cally in accordance with the OWASP taxonomy for soft- for the need for actual source code review. Physical code ware coding errors. White Box testing vendors have re- reviews of an application’s source code can be accom- cently introduced dynamic versions of their source code plished manually or in an automated fashion. Given the analysis methods; which operates on deployed applica- common size of individual programs (often 500,000 lines tions. Given that the White Box testing tools have dy- of code or more), the human brain can not execute a com- namic versions similar to the Black Box testing tools, both prehensive data flow analysis needed in order to com- tools can be correlated in the same software error detec- pletely check all circuitous paths of an application pro- tion paradigm ensuring full application protection to the gram to find vulnerability points. The human brain is client company. 
suited more for filtering, interrupting and reporting the The advances in professional Malware targeted at the outputs of automated source code analysis tools available 2.7. SECURITY STANDARDS AND REGULATIONS 15

Internet customers of online organizations has seen a • ISO/IEC 9798-2:1999 Information technology -- change in Web application design requirements since Security techniques -- Entity authentication -- Part 2007. It is generally assumed that a sizable percentage 2: Mechanisms using symmetric encipherment algo- of Internet users will be compromised through malware rithms and that any data coming from their infected host may • be tainted. Therefore application security has begun to ISO/IEC 9798-3:1998 Information technology -- Se- manifest more advanced anti-fraud and heuristic detec- curity techniques -- Entity authentication -- Part 3: tion systems in the back-office, rather than within the Mechanisms using techniques [19] client-side or Web server code. • ISO/IEC 9798-4:1999 Information technology -- Se- curity techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function 2.6 Security certifications • ISO/IEC 9798-5:2004 Information technology -- Se- curity techniques -- Entity authentication -- Part 5: There are a number of certifications available for secu- Mechanisms using zero-knowledge techniques rity professionals to demonstrate their knowledge in the subject matter (e.g. Certified Information Systems Se- • ISO/IEC 9798-6:2005 Information technology -- Se- curity Professional, Certified Information Security Man- curity techniques -- Entity authentication -- Part 6: ager, etc.), however the usefulness of security certifica- Mechanisms using manual data transfer tions and certifications in general typically receives mixed reviews by experienced professionals. 
• ISO/IEC 14888-1:1998 Information technology - - Security techniques -- Digital signatures with ap- pendix -- Part 1: General 2.7 Security standards and regula- • ISO/IEC 14888-2:1999 Information technology - tions - Security techniques -- Digital signatures with ap- pendix -- Part 2: Identity-based mechanisms • Sarbanes-Oxley Act (SOX) • ISO/IEC 14888-3:2006 Information technology - • Health Insurance Portability and Accountability Act - Security techniques -- Digital signatures with ap- (HIPAA) pendix -- Part 3: Discrete logarithm based mecha- nisms • IEEE P1074 • ISO/IEC 27001:2005 and ISO/IEC 27001:2013 In- formation technology -- Security techniques -- Infor- • ISO/IEC 7064:2003 Information technology -- Se- mation security management systems -- Requirements curity techniques -- Check character systems • • ISO/IEC 9796-2:2002 Information technology -- Se- ISO/IEC 27002:2005 Information technology -- Se- curity techniques -- Digital signature schemes giv- curity techniques -- Code of practice for information ing message recovery -- Part 2: Integer factorization security management based mechanisms • ISO/IEC 24762:2008 Information technology -- Se- • ISO/IEC 9796-3:2006 Information technology -- Se- curity techniques -- Guidelines for information and curity techniques -- Digital signature schemes giving communications technology disaster recovery ser- message recovery -- Part 3: Discrete logarithm based vices - now withdrawn. 
mechanisms • ISO/IEC 27006:2007 Information technology -- Se- • ISO/IEC 9797-1:1999 Information technology -- Se- curity techniques -- Requirements for bodies provid- curity techniques -- Codes ing audit and certification of information security (MACs) -- Part 1: Mechanisms using a block management systems • ISO/IEC 9797-2:2002 Information technology -- Se- curity techniques -- Message Authentication Codes • ISO/IEC 27031:2011 Information technology -- Se- (MACs) -- Part 2: Mechanisms using a dedicated curity techniques -- Guidelines for ICT readiness for hash-function Business Continuity

• ISO/IEC 9798-1:1997 Information technology -- Se- • ISO/IEC 27034-1:2011 Information technology — curity techniques -- Entity authentication -- Part 1: Security techniques — Application security -- Part 1: General Overview and concepts 16 CHAPTER 2. APPLICATION SECURITY

• ISO/IEC TR 24772:2013 Information technology — [12] http://www.grammatech.com/products/codesonar Gram- Programming languages — Guidance to avoiding maTech CodeSonar vulnerabilities in programming languages through [13] http://www.klocwork.com/products Klocwork Insight language selection and use [14] http://www.parasoft.com/parasoft_security Parasoft Ap- • Gramm-Leach-Bliley Act plication Security Solution [15] http://www.veracode.com/solutions Veracode Security • PCI Data Security Standard (PCI DSS) Static Analysis Solutions

[16] http://www.gartner.com/technology/reprints.do? id=1-1GT3BKT&ct=130702&st=sb&mkt_tok= 2.8 See also 3RkMMJWWfF9wsRokvazAZKXonjHpfsX76% 252B4qX6WylMI%252F0ER3fOvrPUfGjI4CTsRmI% • Countermeasure 252BSLDwEYGJlv6SgFTbnFMbprzbgPUhA%253D

• Data security [17] http://www.ContrastSecurity.com [18] http://www.quotium.com • Database security [19] “Continuing Business with Malware Infected Customers”. • Information security Gunter Ollmann. October 2008. • Trustworthy Computing Security Development Lifecycle 2.10 External links • Web application • Open Web Application Security Project OWASP • Web application framework • The Web Application Security Consortium • XACML • The Microsoft Security Development Lifecycle • HERAS-AF (SDL) • patterns & practices Security Guidance for Applica- 2.9 References tions • Advantages of an integrated security solution for [1] Improving Web Application Security: Threats and Coun- HTML and XML termeasures, published by Microsoft Corporation. • patterns & practices Application Security Method- [2] “Platform Security Concepts”, Higginson. ology [3] Windows Phone 8.1 Security Overview • Understanding the Windows Mobile Security [4] Application Security Framework, Open Mobile Terminal Model, Windows Mobile Security] Platform • Application Security, Building Business Agreement [5] Application security: Find web application security vul- nerabilities during every phase of the software develop- ment lifecycle, HP center

[6] HP acquires SPI Dynamics, CNET news.com

[7] http://www.securityweek.com/ web-application-scanners-challenged-modern-web-technologies

[8] http://www.ntobjectives.com/security-software/ ntospider-application-security-scanner/

[9] http://www.coverity.com/products Coverity Static Anal- ysis

[10] http://www.mathworks.com/products/polyspace/index. Polyspace Static Analysis

[11] http://bugseng.com/products/eclair ECLAIR Software Verification Platform Chapter 3

Backdoor (computing)

A backdoor in a computer system (or or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of a hidden part of a program,[1] a separate program (e.g., Back Orifice) may subvert the system through a rootkit[2]

Default passwords can function as backdoors if they are not changed by the user. Some debugging features can also act as backdoors if they are not removed in the release version.[3]

3.1 Overview

The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference.[4] They noted a class of active infiltration attacks that use “trapdoor” entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning (see trapdoor function), and thus the term “backdoor” is now preferred. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. Edwards in 1970.[5]

A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password (his dead son’s name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game-like simulation mode and direct interaction with the artificial intelligence).

Although the number of backdoors in systems using (software whose source code is not publicly available) is not widely credited, they are nevertheless frequently exposed. have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.

3.1.1 Examples

Many computer worms, such as and , install a backdoor on the affected computer (generally a PC on broadband running Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures—and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.

A sophisticated attempt to plant a backdoor in the Linux kernel, exposed in November 2003, added a small and subtle code change by subverting the revision control system.[6] In this case, a two-line change appeared to check root access permissions of a caller to the sys_wait4 function, but because it used assignment = instead of equality checking ==, it actually granted permissions to the system. This difference is easily overlooked, and could even be interpreted as an accidental typographical error, rather than an intentional attack.[7]

In January 2014, a backdoor was discovered in certain Samsung Android products, like the Galaxy devices. The Samsung proprietary Android versions are fitted with a backdoor that provides remote access to the data stored on the device. In particular, the Samsung Android software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as remote file server (RFS) commands, that allows the backdoor operator to perform via modem remote I/O operations on the device hard disk or other storage. As the modem is running Samsung proprietary Android software, it is likely that it offers over-the-air remote control that could then be used to issue the RFS commands and thus to access the file system on the device.[8]

3.1.2 Object code backdoors

Harder to detect backdoors involve modifying object code, rather than source code – object code is much harder to inspect, as it is designed to be machine-readable, not human-readable. These backdoors can be inserted either directly in the on-disk object code, or inserted at some point during compilation, assembly linking, or loading – in the latter case the backdoor never appears on disk, only in memory. Object code backdoors are difficult to detect by inspection of the object code, but are easily detected by simply checking for changes (differences), notably in length or in checksum, and in some cases can be detected or analyzed by disassembling the object code. Further, object code backdoors can be removed (assuming source code is available) by simply recompiling from source.

Thus for such backdoors to avoid detection, all extant copies of a binary must be subverted, and any validation checksums must also be compromised, and source must be unavailable, to prevent recompilation. Alternatively, these other tools (length checks, diff, checksumming, disassemblers) can themselves be compromised to conceal the backdoor, for example detecting that the subverted binary is being checksummed and returning the expected value, not the actual value. To conceal these further subversions, the tools must also conceal the changes in themselves – for example, a subverted checksummer must also detect if it is checksumming itself (or other subverted tools) and return false values. This leads to extensive changes in the system and tools being needed to conceal a single change.

Because object code can be regenerated by recompiling (reassembling, relinking) the original source code, making a persistent object code backdoor (without modifying source code) requires subverting the compiler itself – so that when it detects that it is compiling the program under attack it inserts the backdoor – or alternatively the assembler, linker, or loader. As this requires subverting the compiler, this in turn can be fixed by recompiling the compiler, removing the backdoor insertion code. This defense can in turn be subverted by putting a source meta-backdoor in the compiler, so that when it detects that it is compiling itself it then inserts this meta-backdoor generator, together with the original backdoor generator for the original program under attack. After this is done, the source meta-backdoor can be removed, and the compiler recompiled from original source with the compromised compiler executable: the backdoor has been bootstrapped. This attack dates to Karger & Schell (1974), and was popularized in Thompson (1984), entitled “Reflections on Trusting Trust"; it is hence colloquially known as the “Trusting Trust” attack. See compiler backdoors, below, for details. Analogous attacks can target lower levels of the system, such as the operating system, and can be inserted during the system booting process; these are also mentioned in Karger & Schell (1974), and now exist in the form of boot sector viruses.[9]

3.1.3 Asymmetric backdoors

A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks have been termed ; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology. Notably, NSA inserted a kleptographic backdoor into the Dual_EC_DRBG standard.[2][10][11]

There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.[12]

3.2 Compiler backdoors

A sophisticated form of black box backdoor is a compiler backdoor, where not only is a compiler subverted (to insert a backdoor in some other program, such as a login program), but it is further modified to detect when it is compiling itself and then inserts both the backdoor insertion code (targeting the other program) and the code modifying self-compilation, like the mechanism how retroviruses infect their host. This can be done by modifying the source code, and the resulting compromised compiler (object code) can compile the original (unmodified) source code and insert itself: the exploit has been boot-strapped.

This attack was originally presented in Karger & Schell (1974, p. 52, section 3.4.5: “Trap Door Insertion”), which was a security analysis of Multics, where they described such an attack on a PL/I compiler, and call it a “compiler trap door"; they also mention a variant where the system initialization code is modified to insert a backdoor during booting, as this is complex and poorly understood, and call it an “initialization trapdoor"; this is now known as a boot sector virus.[9]

This attack was then actually implemented and popularized by Ken Thompson in Thompson (1984), in his Turing Award acceptance speech in 1983 (published 1984), “Reflections on Trusting Trust”, which points out that trust is relative, and the only software one can truly trust is code where every step of the bootstrapping has been inspected. This backdoor mechanism is based on the fact that people only review source (human-written) code, and not compiled machine code (object code). A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.

Thompson’s paper describes a modified version of the Unix C compiler that would:

• Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
• Also add this feature undetectably to future compiler versions upon their compilation as well.

Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler’s source code would appear “clean”.) What’s worse, in Thompson’s proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead.

An updated analysis of the original exploit is given in Karger & Schell (2002, Section 3.2.4: Compiler trap doors), and a historical overview and survey of the literature is given in Wheeler (2009, Section 2: Background and related work).

3.2.1 Occurrences

Thompson’s version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN and at least one use of the backdoor was recorded.[13] There are scattered anecdotal reports of such backdoors in subsequent years.[14]

This attack was recently (August 2009) discovered by Sophos labs: The W32/Induc-A virus infected the program compiler for Delphi, a Windows programming language. The virus introduced its own code to the compilation of new Delphi programs, allowing it to infect and propagate to many systems, without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.[15]

3.2.2 Countermeasures

Once a system has been compromised with a backdoor or Trojan horse, such as the Trusting Trust compiler, it is very hard for the “rightful” user to regain control of the system – typically one should rebuild a clean system and transfer data (but not executables!) over. However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to hide the Trojan horse, such as subverting the disassembler; but there are ways to counter that defense, too, such as writing your own disassembler from scratch.

A generic method to counter trusting trust attacks is called Diverse Double-Compiling (DDC). The method requires a different compiler and the source code of the compiler-under-test. That source, compiled with both compilers, results in two different stage-1 compilers, which however should have the same behavior. Thus the same source compiled with both stage-1 compilers must then result in two identical stage-2 compilers. A formal proof is given that the latter comparison guarantees that the purported source code and executable of the compiler-under-test correspond, under some assumptions. This method was applied by its author to verify that the C compiler of the GCC suite (v. 3.0.4) contained no trojan, using icc (v. 11.0) as the different compiler.[16]

In practice such verifications are not done by end users, except in extreme circumstances of intrusion detection and analysis, due to the rarity of such sophisticated attacks, and because programs are typically distributed in binary form. Removing backdoors (including compiler backdoors) is typically done by simply rebuilding a clean system. However, the sophisticated verifications are of interest to operating system vendors, to ensure that they are not distributing a compromised system, and in high-security settings, where such attacks are a realistic concern.

3.3 List of known backdoors

• Back Orifice was created in 1998 by hackers from group as a remote administration tool. It allowed Windows computers to be remotely controlled over a network and exploited the name similarity with Microsoft BackOffice.
• The Dual_EC_DRBG cryptographically secure pseudorandom number generator was revealed in 2013 to possibly have a kleptographic backdoor deliberately inserted by NSA, who also had the private key to the backdoor.[2][11]
• Several backdoors in the pirated copies of WordPress plug-ins were discovered in March 2014.[17] They were inserted as obfuscated JavaScript code and silently created, for example, an admin account in the website database. The similar scheme was later exposed in Joomla plugin.[18]
• Borland Interbase versions 4.0 through 6.0 had a hard-coded backdoor, put there by the developers. The server code contains a compiled-in backdoor account (username: politically, password: correct), which could be accessed over a network connection, and once a user logged in with it, he could take full control over all Interbase databases. The backdoor was detected in 2001 and the patch was released.[19][20]

3.4 References

[1] Chris Wysopal, Chris Eng. “Static Detection of Application Backdoors” (PDF). Veracode. Retrieved 2015-03-14.

[2] wired.com: “How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA” (Zetter) 24 Sep 2013

[3] http://blog.erratasec.com/2012/05/bogus-story-no-chinese-backdoor-in.html

[4] H.E. Petersen, R. Turn. “System Implications of Information Privacy”. Proceedings of the AFIPS Spring Joint Computer Conference, vol. 30, pages 291–300. AFIPS Press: 1967.

[5] Security Controls for Computer Systems, Technical Report R-609, WH Ware, ed, Feb 1970, RAND Corp.

[6] Larry McVoy (November 5, 2003) Linux-Kernel Archive: Re: BK2CVS problem. ussg.iu.edu

[7] Thwarted Linux backdoor hints at smarter hacks; ; SecurityFocus, 6 November 2003.

[8] replicant.us: “Samsung Galaxy Back-door” 28 Jan 2014

[9] Karger & Schell 2002.

[10] G+M: “The strange connection between the NSA and an Ontario tech firm” 20 Jan 2014

[11] nytimes.com: “N.S.A. Able to Foil Basic Safeguards of Privacy on Web” (Perlroth et al) 5 Sep 2013

[12] cryptovirology.com page on OpenSSL RSA backdoor

[13] Jargon File entry for “backdoor” at catb.org, describes Thompson compiler hack

[14] Mick Stute’s answer to "What is a coder’s worst nightmare?", Quora – describes a case in 1989.

[15] Compile-a-virus — W32/Induc-A Sophos labs on the discovery of the Induc-A virus

[16] Wheeler 2009.

[17] “Unmasking “Free” Premium WordPress Plugins”. Sucuri Blog. Retrieved 3 March 2015.

[18] Sinegubko, Denis. “Joomla Plugin Constructor Backdoor”. Securi. Retrieved 13 March 2015.

[19] “Vulnerability Note VU#247371”. Vulnerability Note Database. Retrieved 13 March 2015.

[20] “Interbase Server Contains Compiled-in Back Door Account”. http://www.cert.org/. Retrieved 13 March 2015.

• Karger, Paul A.; Schell, Roger R. (June 1974). Multics Security Evaluation: Vulnerability Analysis (PDF). Vol II (ESD-TR-74-193).
• Karger, Paul A.; Schell, Roger R. (September 18, 2002). Thirty Years Later: Lessons from the Multics Security Evaluation (PDF). Computer Security Applications Conference, 2002. Proceedings. 18th Annual (IEEE): 119–126. doi:10.1109/CSAC.2002.1176285. Retrieved 2014-11-08.
• Thompson, Ken (August 1984). “Reflections on Trusting Trust”. Communications of the ACM 27 (8): 761–763. doi:10.1145/358198.358210. Retrieved 2014-11-08.
• Wheeler, David A. (7 December 2009). Fully Countering Trusting Trust through Diverse Double-Compiling (Ph.D.). Fairfax, VA: George Mason University. Retrieved 2014-11-09.

3.5 External links

• Three Archaic Backdoor Trojan Programs That Still Serve Great Pranks
• Backdoors removal — List of backdoors and their removal instructions.
• FAQ Farm’s Backdoors FAQ: wiki question and answer forum
• List of backdoors and Removal —
• David A. Wheeler’s Page on “Fully Countering Trusting Trust through Diverse Double-Compiling”—Author’s 2009 Ph.D. thesis at George Mason University

Chapter 4
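Added example for the Linux kernel case in section 3.1.1 of the Backdoor (computing) chapter (not code from the article or from the kernel): a Python check that lists assignments hidden inside `if`/`while` conditions of C source and marks those that write to credential-like fields. The C fragment, the `OPT_A`/`OPT_B` names and the `SENSITIVE_FIELDS` list are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed C fragment modelled on the change described in section 3.1.1.
# OPT_A, OPT_B, struct task and the helper calls are placeholders.
SUSPECT_C = """\
long wait_check(struct task *current, int options)
{
    long retval = 0;
    if ((options == (OPT_A | OPT_B)) && (current->uid = 0))
        retval = -EINVAL;
    while ((n = read_more(buf)) > 0)
        consume(buf, n);
    return retval;
}
"""
# The same fragment after review: the comparison the change appeared to make.
REVIEWED_C = SUSPECT_C.replace("current->uid = 0", "current->uid == 0")

# Assumed list of credential-like field names that deserve a closer look.
SENSITIVE_FIELDS = {"uid", "euid", "suid", "fsuid", "gid", "egid"}

_KEYWORD = re.compile(r"\b(?:if|while)\s*\(")
# An lvalue followed by a lone '=' (not ==, !=, <=, >=, += and so on).
_ASSIGN = re.compile(r"([A-Za-z_][\w.\->\[\]]*)\s*(?<![=!<>+\-*/%&|^])=(?!=)")


class Finding(NamedTuple):
    line: int        # line of the if/while keyword, 1-based
    target: str      # expression being assigned to
    sensitive: bool  # True when the target's last field is credential-like


def _condition_at(src: str, open_idx: int) -> str:
    """Return the text between the parenthesis at open_idx and its match."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: scan to the end


def scan(src: str) -> List[Finding]:
    """Report every plain assignment inside an if/while condition.

    Limitation: comments and string literals are not stripped first.
    """
    findings = []
    for kw in _KEYWORD.finditer(src):
        cond = _condition_at(src, kw.end() - 1)
        line = src.count("\n", 0, kw.start()) + 1
        for m in _ASSIGN.finditer(cond):
            target = m.group(1)
            field = re.split(r"->|\.", target)[-1]
            findings.append(Finding(line, target, field in SENSITIVE_FIELDS))
    return findings


if __name__ == "__main__":
    for f in scan(SUSPECT_C):
        level = "REVIEW FIRST" if f.sensitive else "check intent"
        print(f"line {f.line}: assignment to {f.target} in condition [{level}]")
```

Compiler warnings for assignment used as a truth value (GCC's `-Wparentheses`, for example) are silenced by the extra pair of parentheses around the assignment, so a source-level check like this one, or writing comparisons constant-first (`0 == current->uid`), is what surfaces the line.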
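Added example for Diverse Double-Compiling as described in section 3.2.2 of the Backdoor (computing) chapter (not Wheeler's tooling and not part of the article): a Python model in which a binary's digest depends on the code generator that emitted it and on any hidden payload. `Binary`, `SOURCE_A`, `SOURCE_T` and fully deterministic builds are assumptions of the model; the last case shows the comparison passing wrongly when the second compiler carries the same payload, which is why the method depends on a truly independent compiler.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for source files. In this model a compiler's source
# fully determines how the compiler it describes generates code ("codegen=").
SOURCE_A = "compiler A, release 1; codegen=A"  # source of the compiler under test
SOURCE_T = "compiler T, release 7; codegen=T"  # source of the second compiler


@dataclass(frozen=True)
class Binary:
    """An executable: the program it implements plus what it really contains."""
    program: str          # source text the binary was built from
    emitted_by: str       # code generator that produced it (changes the bytes)
    trojan: bool = False  # hidden behaviour that is absent from `program`

    def digest(self) -> str:
        blob = f"{self.program}|{self.emitted_by}|{self.trojan}".encode()
        return hashlib.sha256(blob).hexdigest()


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Execute a compiler binary on `source` and return the binary it emits."""
    if "codegen=" not in compiler.program:
        raise ValueError("binary is not a compiler in this model")
    # A compiler emits code in the style its own source defines.
    style = compiler.program.split("codegen=", 1)[1]
    # Self-propagation as described for the Trusting Trust compiler: the
    # hidden payload is re-inserted whenever the compiler source is compiled.
    carries_payload = compiler.trojan and source == SOURCE_A
    return Binary(program=source, emitted_by=style, trojan=carries_payload)


def ddc(trusted: Binary, under_test: Binary, source: str) -> dict:
    """Build `source` twice along two lineages and compare the stage-2 results."""
    stage1_t = run_compiler(trusted, source)
    stage1_a = run_compiler(under_test, source)
    stage2_t = run_compiler(stage1_t, source)
    stage2_a = run_compiler(stage1_a, source)
    return {
        "stage1_differ": stage1_t.digest() != stage1_a.digest(),
        "stage2_identical": stage2_t.digest() == stage2_a.digest(),
        "stage2_trusted": stage2_t.digest(),
        "stage2_under_test": stage2_a.digest(),
    }


TRUSTED_T = Binary(SOURCE_T, emitted_by="T")
HONEST_A = Binary(SOURCE_A, emitted_by="A")
SUBVERTED_A = Binary(SOURCE_A, emitted_by="A", trojan=True)
SUBVERTED_T = Binary(SOURCE_T, emitted_by="T", trojan=True)  # same payload

if __name__ == "__main__":
    cases = [("honest A", TRUSTED_T, HONEST_A),
             ("subverted A", TRUSTED_T, SUBVERTED_A),
             ("both subverted", SUBVERTED_T, SUBVERTED_A)]
    for name, second, tested in cases:
        r = ddc(second, tested, SOURCE_A)
        print(f"{name:15} stage1 differ={r['stage1_differ']} "
              f"stage2 identical={r['stage2_identical']}")
```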

Black hat

“Blackhat” redirects here. For the 2015 film, see Blackhat (film).

A black hat hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain” (Moore, 2005).[1] Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are “the epitome of all that the public fears in a computer criminal”.[2] Black hat hackers break into secure networks to destroy, modify, or steal data; or to make the network unusable for those who are authorized to use the network. Black hat hackers are also referred to as the “crackers” within the security industry and by modern programmers. Crackers keep the awareness of the vulnerabilities to themselves and do not notify the general public or the manufacturer for patches to be applied. Individual freedom and accessibility is promoted over privacy and security. Once they have gained control over a system, they may apply patches or fixes to the system only to keep their reigning control. invented the definition to express the maliciousness of a criminal hacker versus a white hat hacker who performs hacking duties to identify places to repair.[3]

4.1 References

[1] Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258. ISBN 1-59345-303-5.

[2] Moore, Robert (2006). Cybercrime: Investigating High-Technology Computer Crime (1st ed.). Cincinnati, Ohio: Anderson Publishing. ISBN 978-1-59345-303-9.

[3] O'Brien, Marakas, James, George (2011). Management Information Systems. New York, NY: McGraw-Hill/Irwin. pp. 536–537. ISBN 978-0-07-752217-9.

4.2 See also

• Hacker (computer security)

Chapter 5

Black Hat Briefings

[Image: Michael Lynn presenting a briefing in 2005]

Black Hat Briefings is a computer security conference that brings together a variety of people interested in information security. Representatives of government agencies and corporations attend, along with hackers. The Briefings take place regularly in Las Vegas, Barcelona, Amsterdam, Abu Dhabi and, occasionally, Tokyo.[1] An event dedicated to the US federal agencies is organized in Washington, D.C.[2]

5.1 History

Black Hat was founded in 1997 by Jeff Moss, who also founded DEF CON. Today, Moss is the Conference Chair of the Black Hat Review Board.[3] These are considered the premier information security conferences in the world. Black Hat started as a single annual conference in Las Vegas, Nevada and is now held in multiple locations around the world.[4]

5.2 The conference

The conference is composed of two major sections, the Black Hat Briefings, and Black Hat Trainings. Training is offered by various computer security vendors, in effort to keep the conference vendor-neutral. The conference has hosted the 's information assurance manager course, and various courses by Cisco Systems, Offensive Security, and others.[5][6]

The Briefings are composed of tracks, covering various topics including reverse engineering, identity and privacy, and hacking. The briefings also contain keynote speeches from leading voices in the information security field, including , Robert Lentz Chief Security Officer, United States Department of Defense; Michael Lynn; Amit Yoran, former Director of the National Cyber Security Division of the Department of Homeland Security;[2][7] and General Keith B. Alexander, former Director of the National Security Agency and former commander of the United States Cyber Command.[8]

5.3 Conference’s topics

USA :

July - August 2009 : MCS-ATL vulnerabilities // attack against MD2 - Breaking SSL ... validation certificate ...[9]

July - August 2010 : Cloudcracker ... such as (wpacracker.com service)[10]

July 27 - August 1, 2013 : Android hacking : application and root

5.4 New conference goals

There is now more focus on tools that can be used or protected, so a new type of conferences called Black Hat Arsenal Briefings has been added since 2011.[11] See here Blackhat Arsenal Archives since 2011 on ToolsWatch website.[12]

5.5 Antics and disclosures

Black Hat is known for the antics of its hacker contingent, and the disclosures brought in its talks. Conference attendees have been known to hijack wireless connections of the hotels, hack hotel TV billing systems, and even hack the automated teller machine in a hotel lobby. In 2009, web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and sensitive documents were exposed on the vandalized site of Dan Kaminsky, days before the conference. During Black Hat 2009, a USB thumb drive that was passed around among attendees was found to be infected with the Conficker virus, and in 2008, three men were expelled for packet sniffing the press room local area network.[13]

In the past, companies have attempted to ban researchers from disclosing vital information about their products. At Black Hat 2005, tried to stop Michael Lynn from speaking about a vulnerability that he said could let hackers virtually shut down the Internet.[2] However, in recent years, researchers have worked with vendors to resolve issues, and some vendors have challenged hackers to attack their products.[14][15][16][17]

5.6 See also

• Hacker conference

• Chaos Communication Congress

• Positive Hack Days

5.7 References

[1] https://www.blackhat.com/html/archives.html

[2] “Computer Security Conferences Attract Both Hackers, Anti-Hackers”. Fox News. 4 August 2006.

[3] http://www.blackhat.com/review-board.html

[4] http://www.blackhat.com/html/bh-about/about.html

[5] http://www.blackhat.com/html/bh-dc-09/train-bh-dc-09-index.html

[6] http://www.blackhat.com/html/bh-europe-09/train-bh-eu-09-index.html

[7] http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=/www/story/07-10-2009/0005057983&EDATE=

[8] “Commander of U.S. Cyber Command and National Security Agency Director, General Keith Alexander, To Keynote Day One of Black Hat USA 2013” (Press release). WWBT-TV NBC 12, WorldNow (Gannaway). May 14, 2013. Retrieved June 13, 2013.

[9] http://blogs.cisco.com/security/black_hat_usa_2009_summary/

[10] http://blogs.cisco.com/security/black_hat_usa_2010_summary1/

[11] https://www.blackhat.com/html/bh-us-11/bh-us-11-arsenal.html

[12] https://www.toolswatch.org/category/arsenal/

[13] “Hanging with hackers can make you paranoid”. CNN. 4 August 2009.

[14] “Security Expert: PC Media Players Full of Holes”. . 3 August 2007.

[15] “Microsoft Dares Security Experts to Find Holes in Windows Vista”. Fox News. 4 August 2006.

[16] “Microsoft Challenges Hackers On Vista”. CBS News. 3 August 2006.

[17] Associated Press (2 August 2009). “Hackers expose weakness in trusted sites - Technology & science - Security”. NBC News. Retrieved 2014-10-09.

5.8 External links

• Official website

Chapter 6

Botnet

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

6.1 Types of botnets

6.1.1 Legal botnets

The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term is originally from, since the first illegal botnets were similar to legal botnets. A common bot used to set up botnets on IRC is eggdrop.

6.1.2 Illegal botnets

Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).[1]

6.2 Recruitment

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet’s operator. Many computer users are unaware that their computer is infected with bots.[2] Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules.

The first botnet was first acknowledged and exposed by Earthlink during a lawsuit with notorious spammer Khan C. Smith[3] in 2001 for the purpose of bulk spam accounting for nearly 25% of all spam at the time.

6.3 Organization

While botnets are often named after the malware that created them, multiple botnets typically use the same malware, but are operated by different entities.[4]

A botnet’s originator (known as a "bot herder" or “bot master”) can control the group remotely, usually through IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server. Though rare, more experienced botnet operators program command protocols from scratch. These protocols include a server program, a client program for operation, and the program that embeds the client on the victim’s machine. These communicate over a network, using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, , or IM) to communicate with its C&C server. Generally, the perpetrator has compromised multiple systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a “botnet” is sometimes referred to as “scrumping.”

Botnet servers are typically redundant, linked for greater redundancy so as to reduce the threat of a takedown. Actual botnet communities usually consist of one or several controllers that rarely have highly developed command hierarchies; they rely on individual peer-to-peer relationships.[5]

Botnet architecture evolved over time, and not all botnets exhibit the same topology for command and control. Advanced topology is more resilient to shutdown, enumeration or discovery. However, some topologies limit the marketability of the botnet to third parties.[6] Typical botnet topologies are Star, Multi-server, Hierarchical and Random.

To thwart detection, some botnets are scaling back in size. As of 2006, the average size of a network was estimated at 20,000 computers.[7]

6.4 Formation

This example illustrates how a botnet is created and used to send .

[Figure: How a botnet works]

1. A botnet operator sends out viruses or worms, infecting ordinary users’ computers, whose is a malicious application—the bot.

2. The bot on the infected PC logs into a particular C&C server.

3. A spammer purchases the services of the botnet from the operator.

4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

Botnets can be exploited for various other purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see ), click fraud, mining bitcoins, , and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most “high-quality” infected machines, like university, corporate, and even government machines.[8]

6.5 Types of attacks

• In distributed denial-of-service attacks, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim’s phone number. The victim is bombarded with phone calls by the bots, attempting to connect to the Internet.

• Adware advertises a commercial offering actively and without the user’s permission or awareness, for example by replacing banner ads on web pages with those of another advertiser.

• Spyware is software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.[9]

• E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious.

• occurs when the user’s computer visits websites without the user’s awareness to create false web traffic for personal or commercial gain.

• Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

• Brute-forcing remote machines services such as FTP, SMTP and SSH.

• Worms. The botnet focuses on recruiting other hosts.

• Scareware is software that is marketed by creating fear in users. Once installed, it can install malware and recruit the host into a botnet. For example users can be induced to buy a rogue anti-virus to regain access to their computer.[10]

• Exploiting systems by observing users playing online games such as poker and see the players’ cards.[11]

6.6 Countermeasures

The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering. Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet. Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.[12]

The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, finding one server with one botnet channel can often reveal the other servers, as well as their bots. A botnet server structure that lacks redundancy is vulnerable to at least the temporary disconnection of that server. However, recent IRC server software includes features to mask other connected servers and bots, eliminating that approach.

Security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Umbra Data, Cyren, and Damballa have announced offerings to counter botnets. Norton AntiBot was aimed at consumers, but most target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analysing network traffic and comparing it to patterns characteristic of malicious processes.

Some newer botnets are almost entirely P2P. Command and control is embedded into the botnet rather than relying on external servers, thus avoiding any single point of failure and evading many countermeasures.[13] Commanders can be identified just through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key that is hard-coded into it, or distributed with the bot software. Only with the private key (known only by the botnet operators) can the data captured by the bot be read.

Some botnets are capable of detecting and reacting to attempts to investigate them, reacting perhaps with a DDoS attack on the IP address of the investigator.

Researchers at Sandia National Laboratories are analyzing botnets’ behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.[14]

6.7 Historical list of botnets

• Researchers at the University of , Santa Barbara took control of a botnet that was six times smaller than expected. In some countries, it is common that users change their IP address a few times in one day. Estimating the size of the botnet by the number of IP addresses is often used by researchers, possibly leading to inaccurate assessments.[37]

6.8 Trivia

On ’s technology board, the term botnet is often used to indicate proprietary software, bloatware, and even online services with dubious privacy practices.

6.9 See also

• Anti-spam techniques (e-mail)

• Command and control (malware)

• Computer worm

• DoSnet

• E-mail address harvesting

• E-mail spam

• List poisoning

• Spambot

• Timeline of notable computer viruses and worms

• computer

• 4chan
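A defender-side illustration of the fast-flux entry under 6.5 and the DNS-based countermeasures in 6.6, added here as an example and not taken from the original article: it scores passive DNS observations by how many distinct addresses and networks a name resolves to within one hour. The sample records, the /16 grouping used as a stand-in for origin networks, and the thresholds are all assumptions chosen for illustration.

```python
"""Triage passive-DNS observations for fast-flux behaviour (defensive heuristic)."""
import ipaddress
from collections import defaultdict

T0 = 1_700_000_000  # arbitrary base timestamp for the constructed sample

# Constructed sample, not real traffic: (unix_time, name, ttl_seconds, A record).
# Names use the reserved .example TLD; 10.0.0.0/8 addresses stand in for public
# hosts so that no real network appears in the data.
OBSERVATIONS = (
    # Rotates through eight unrelated networks in under 30 minutes, short TTL.
    [(T0 + 240 * i, "login-update.example", 150, f"10.{10 + 7 * i}.{i}.25")
     for i in range(8)]
    # CDN-like: six addresses and a short TTL, but only two networks.
    + [(T0 + 300 * i, "cdn.shop.example", 60, f"10.{200 + i % 2}.4.{10 + i}")
       for i in range(6)]
    # Static site: one address, long TTL.
    + [(T0 + 900 * i, "www.corp.example", 86400, "10.50.1.10") for i in range(4)]
    # Six networks, but one change per day with an hour-long TTL (a slow migration).
    + [(T0 + 86400 * i, "slowrotate.example", 3600, f"10.{100 + i}.9.9")
       for i in range(6)]
)


def network_of(ip):
    """Coarse network key: /16 for IPv4, /32 for IPv6 (assumed proxy for the origin AS)."""
    prefix = 16 if ip.version == 4 else 32
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def flux_stats(observations, window=3600):
    """For each name, describe the `window`-second span with the most distinct answers."""
    by_name = defaultdict(list)
    for ts, name, ttl, ip in observations:
        by_name[name.lower().rstrip(".")].append((ts, ttl, ipaddress.ip_address(ip)))

    stats = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r[0])
        best = None
        for i, (start, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - start <= window]
            ips = {r[2] for r in span}
            if best is None or len(ips) > best["distinct_ips"]:
                best = {
                    "distinct_ips": len(ips),
                    "distinct_nets": len({network_of(ip) for ip in ips}),
                    "max_ttl": max(r[1] for r in span),
                }
        stats[name] = best
    return stats


def find_candidates(observations, min_ips=5, min_nets=4, max_ttl=300, window=3600):
    """Names whose answers change fast, widely and with short TTLs (assumed thresholds)."""
    flagged = []
    for name, s in flux_stats(observations, window).items():
        if (s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets
                and s["max_ttl"] <= max_ttl):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, s in sorted(flux_stats(OBSERVATIONS).items()):
        print(f"{name:24} {s}")
    print("fast-flux candidates:", find_candidates(OBSERVATIONS))
```

Legitimate CDNs and round-robin pools also return many addresses with short TTLs, which is why the network-diversity test is included; treat a hit as a lead for review, not a verdict.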

6.10 References

[1] Ramneek, Puri (2003-08-08). “Bots & Botnet: An Overview” (PDF). SANS Institute. Retrieved 12 November 2013.

[2] Teresa Dixon Murray. “Banks can't prevent cyber attacks like those hitting PNC, Key, U.S. Bank this week”. Cleveland.com. Retrieved 2 September 2014.

[3] Credeur, Mary. “Atlanta Business Chronicle, Staff Writer”. bizjournals.com. Retrieved 22 July 2002.

[4] Many-to-Many Botnet Relationships, Damballa, 8 June 2009.

[5] “what is a Botnet trojan?". DSL Reports. Retrieved 7 April 2011.

[6] Botnet Communication Topologies, Damballa, 10 June 2009.

[7] “Hackers Strengthen Malicious Botnets by Shrinking Them” (PDF). Computer; News Briefs (IEEE Computer Society). April 2006. Retrieved 12 November 2013. The size of bot networks peaked in mid-2004, with many using more than 100,000 infected machines, according to Mark Sunner, chief technology officer at MessageLabs. The average botnet size is now about 20,000 computers, he said.

[8] “Trojan horse, and Virus FAQ”. DSLReports. Retrieved 7 April 2011.

[9] “Operation Aurora — The Command Structure”. Damballa.com. Retrieved 30 July 2010.

[10] Larkin, Erik (2009-02-10). “Fake Infection Warnings Can Be Real Trouble”. PCWorld. Retrieved 10 November 2011.

[11] 8 Jul 2010 (2010-07-08). “Korean Poker Hackers Arrested”. Poker.gamingsupermarket.com. Retrieved 10 November 2011.

[12] C.Y. Cho, D. Babic, R. Shin, and D. Song. Inference and Analysis of Formal Models of Botnet Command and Control Protocols, 2010 ACM Conference on Computer and Communications Security.

[13] Wang, Ping et al (2010). “Peer-to-peer botnets”. In Stamp, Mark & Stavroulakis, Peter. Handbook of Information and Communication Security. Springer. ISBN 9783642041174.

[14] “Researchers Boot Million Linux Kernels to Help Botnet Research”. IT Security & News. 2009-08-12. Retrieved 23 April 2011.

[15] http://phys.org/news/2015-02-eu-police-malicious-network.html

[16] “Infosecurity (UK) - BredoLab downed botnet linked with Spamit.com”. .canada.com. Retrieved 10 November 2011.

[17] “How FBI, police busted massive botnet”. theregister.co.uk. Retrieved 3 March 2010.

[18] “Calculating the Size of the Downadup Outbreak — F-Secure Weblog : News from the Lab”. F-secure.com. 2009-01-16. Retrieved 24 April 2010.

[19] “Cómo detectar y borrar el rootkit TDL4 (TDSS/)". kasperskytienda.es. 2011-07-03. Retrieved 11 July 2011.

[20] “America’s 10 most wanted botnets”. Networkworld.com. 2009-07-22. Retrieved 10 November 2011.

[21] “Pushdo Botnet — New DDOS attacks on major web sites — Harry Waldron — IT Security”. Msmvps.com. 2010-02-02. Retrieved 30 July 2010.

[22] “: Story of a Peer-to-Peer Viral Network” (PDF). Symantec. 2011-08-03. Retrieved 12 January 2012.

[23] “Research: Small DIY botnets prevalent in enterprise networks”. ZDNet. Retrieved 30 July 2010.

[24] Warner, Gary (2010-12-02). “Oleg Nikolaenko, Mega-D Botmaster to Stand Trial”. CyberCrime & Doing Time. Retrieved 6 December 2010.

[25] “New Massive Botnet Twice the Size of Storm — Security/Perimeter”. DarkReading. Retrieved 30 July 2010.

[26] “Technology | Spam on rise after brief reprieve”. BBC News. 2008-11-26. Retrieved 24 April 2010.

[27] “Symantec.cloud | Email Security, Web Security, Endpoint Protection, Archiving, Continuity, Instant Messaging Security” (PDF). Messagelabs.com. Retrieved 2014-01-30.

[28] Chuck Miller (2009-05-05). “Researchers hijack control of botnet”. SC Magazine US. Retrieved 10 November 2011.

[29] “Storm Worm network shrinks to about one-tenth of its former size”. Tech.Blorge.Com. 2007-10-21. Retrieved 30 July 2010.

[30] Chuck Miller (2008-07-25). “The spams again”. SC Magazine US. Retrieved 30 July 2010.

[31] “Spam Botnets to Watch in 2009 | Dell SecureWorks”. Secureworks.com. Retrieved 16 January 2012.

[32] “Discovered: Botnet Costing Display Advertisers over Six Million Dollars per Month”. Spider.io. 2013-03-19. Retrieved 21 March 2013.

[33] “ 'decimated' by MS takedown”. The Register. 2010-03-16. Retrieved 23 April 2011.

[34] Gregg Keizer (2008-04-09). “Top botnets control 1M hijacked computers”. Computerworld. Retrieved 23 April 2011.

[35] “Botnet sics zombie soldiers on gimpy websites”. The Register. 2008-05-14. Retrieved 23 April 2011.

[36] “New Zealand teenager accused of controlling botnet of 1.3 million computers”. The H security. 2007-11-30. Retrieved 12 November 2011.

[37] Espiner, Tom (2011-03-08). “Botnet size may be exaggerated, says Enisa | Security Threats | ZDNet UK”. Zdnet.com. Retrieved 10 November 2011.

6.11 External links

• Wired.com How-to: Build your own botnet with open source software

• The Honeynet Project & Research Alliance, “Know your Enemy: Tracking Botnets”.

• The Shadowserver Foundation - An all volunteer security watchdog group that gathers, tracks, and reports on malware, botnet activity, and electronic fraud.

• NANOG Abstract: Botnets - John Kristoff’s NANOG32 Botnets presentation.

• Mobile botnets - An economic and technological assessment of mobile botnets.

• Lowkeysoft - Intrusive analysis of a web-based proxy botnet (including administration screenshots).

• EWeek.com - Is the Botnet Battle Already Lost?.

• Attack of the Bots at Wired

• Dark Reading - Botnets Battle Over Turf.

• ATLAS Global Botnets Summary Report - Real-time database of malicious botnet command and control servers.

• FBI LAX Press Release DOJ - FBI April 16, 2008

• Milcord Botnet Defense - DHS-sponsored R&D project that uses machine learning to adaptively detect botnet behavior at the network-level

• A Botnet by Any Other Name - SecurityFocus column by Gunter Ollmann on botnet naming.

• Botnet Bust - SpyEye Malware Mastermind Pleads Guilty, FBI

Chapter 7

Computer crime

Computer crime, or cybercrime, is any crime that involves a computer and a network.[1] The computer may have been used in the commission of a crime, or it may be the target.[2] Netcrime is criminal exploitation of the Internet, inherently a cybercrime.[3] Dr. Debarati Halder and Dr. K. Jaishankar (2011) define as: “Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, , notice boards and groups) and mobile phones (SMS/MMS)".[4] Such crimes may threaten a nation’s security and financial health.[5] Issues surrounding these types of crimes have become high-profile, particularly those surrounding hacking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is intercepted or disclosed, lawfully or otherwise. Dr. Debarati Halder and Dr. K. Jaishankar (2011) further define cybercrime from the perspective of gender and defined 'cybercrime against women' as “Crimes targeted against women with a motive to intentionally harm the victim psychologically and physically, using modern telecommunication networks such as internet and mobile phones”.[4]

An Australian nationwide survey conducted in 2006 found that two in three convicted cybercriminals were between the ages of 15 and 26.

Internationally, both governmental and non-state actors engage in cybercrimes, including , financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation state is sometimes referred to as cyberwarfare. The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court.[6]

A report (sponsored by McAfee) estimates the annual damage to the global economy at $445 billion;[7] however, a Microsoft report shows that such survey-based estimates are “hopelessly flawed” and exaggerate the true losses by orders of magnitude.[8] Approximately $1.5 billion was lost in 2012 to online credit and debit card fraud in the US.[9]

7.1 Classification

Computer crime encompasses a broad range of activities.

7.1.1 Fraud and financial crimes

Computer fraud is any dishonest misrepresentation of fact intended to let another do or refrain from doing something which causes loss. In this context, the fraud will result in obtaining a benefit by:

• Altering in an unauthorized way. This requires little technical expertise and is a common form of theft by employees altering the data before entry or entering false data, or by entering unauthorized instructions or using unauthorized processes;

• Altering, destroying, suppressing, or stealing output, usually to conceal unauthorized transactions. This is difficult to detect;

• Altering or deleting stored data;

Other forms of fraud may be facilitated using computer systems, including bank fraud, identity theft, extortion, and theft of classified information.

A variety of internet scams, many based on phishing and social engineering, target consumers and businesses.

7.1.2 Cyberterrorism

Main article: Cyberterrorism

Government officials and Information Technology security specialists have documented a significant increase in Internet problems and server scans since early 2001. But there is a growing concern among federal officials that such intrusions are part of an organized effort by cyberterrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyberterrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching a computer-based attack against computers, networks, or the information stored on them.

Cyberterrorism in general can be defined as an act of terrorism committed through the use of cyberspace or computer resources (Parker 1983). As such, a simple propaganda in the Internet, that there will be bomb attacks during the holidays can be considered cyberterrorism. As well there are also hacking activities directed towards individuals, families, organized by groups within networks, tending to cause fear among people, demonstrate power, collecting information relevant for ruining peoples’ lives, robberies, blackmailing etc.[10]

7.1.3 Cyberextortion

Cyberextortion occurs when a website, e-mail server, or computer system is subjected to repeated denial of service or other attacks by malicious hackers, who demand money in return for promising to stop the attacks. According to the Federal Bureau of Investigation, cyberextortionists are increasingly attacking corporate websites and networks, crippling their ability to operate and demanding payments to restore their service. More than 20 cases are reported each month to the FBI and many go unreported in order to keep the victim’s name out of the public domain. Perpetrators typically use a distributed denial-of-service attack.[11]

An example of cyberextortion was the attack on Sony Pictures of 2014.

7.1.4 Cyberwarfare

[Image: Sailors analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks]

Main article: Cyberwarfare

The U.S. Department of Defense (DoD) notes that the cyberspace has emerged as a national-level concern through several recent events of geo-strategic significance. Among those are included, the attack on Estonia's infrastructure in 2007, allegedly by Russian hackers. “In August 2008, Russia again allegedly conducted cyberattacks, this time in a coordinated and synchronized kinetic and non-kinetic campaign against the country of Georgia. Fearing that such attacks may become the norm in future warfare among nation-states, the concept of cyberspace operations impacts and will be adapted by warfighting military commanders in the future.[12]

7.1.5 Computer as a target

These crimes are committed by a selected group of criminals. Unlike crimes using the computer as a tool, these crimes require the technical knowledge of the perpetrators. These crimes are relatively new, having been in existence for only as long as computers have - which explains how unprepared society and the world in general is towards combating these crimes. There are numerous crimes of this nature committed daily on the internet.

Crimes that primarily target computer networks or devices include:

• Computer viruses

• Denial-of-service attacks

• Malware (malicious code)

7.1.6 Computer as a tool

When the individual is the main target of cybercrime, the computer can be considered as the tool rather than the target. These crimes generally involve less technical expertise. Human weaknesses are generally exploited. The damage dealt is largely psychological and intangible, making legal action against the variants more difficult. These are the crimes which have existed for centuries in the offline world. Scams, theft, and the like have existed even before the development in high-tech equipment. The same criminal has simply been given a tool which increases his potential pool of victims and makes him all the harder to trace and apprehend.[13]

Crimes that use computer networks or devices to advance other ends include:

• Fraud and identity theft (although this increasingly uses malware, hacking and/or phishing, making it an example of both “computer as target” and “computer as tool” crime)

• Information warfare

• Phishing scams

• Spam

• Propagation of illegal obscene or offensive content, including harassment and threats

The unsolicited sending of bulk email for commercial purposes (spam) is unlawful in some jurisdictions.

Phishing is mostly propagated via email. Phishing emails may contain links to other websites that are affected by malware.[14] Or, they may contain links to fake online banking or other websites used to steal private account information.

Obscene or offensive content

The content of websites and other electronic communications may be distasteful, obscene or offensive for a variety of reasons. In some instances these communications may be legal.

Over 25 jurisdictions within the USA place limits on certain speech and ban racist, blasphemous, politically subversive, libelous or slanderous, seditious, or inflammatory material that tends to incite hate crimes.

The extent to which these communications are unlawful varies greatly between countries, and even within nations. It is a sensitive area in which the courts can become involved in arbitrating between groups with strong beliefs.

One area of Internet pornography that has been the target of the strongest efforts at curtailment is child pornography.

Harassment

Whereas content may be offensive in a non-specific way, harassment directs obscenities and derogatory comments at specific individuals focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties (see cyberbullying, cyberstalking, hate crime, online predator, and stalking). Any comment that may be found derogatory or offensive is considered harassment. Harassment targeting women and children in the internet also includes revenge pornography. Dr. Debarati Halder and Dr. K. Jaishankar (2013) defined online revenge pornography as “an act whereby the perpetrator satisfies his anger and frustration for a broken relationship through publicising false, sexually provocative portrayal of his/her victim, by misusing the information that he may have known naturally, and that he may have stored in his personal computer, or may have been conveyed to his electronic device by the victim herself, or may have been stored in the device with the consent of the victim herself; and which may essentially have been done to publicly defame the victim.”[15][16]

There are instances where committing a crime, which involves the use of a computer, can lead to an enhanced sentence. For example, in the case of United States v. Neil Scott Kramer, Kramer was served an enhanced sentence according to the U.S. Sentencing Guidelines Manual §2G1.3(b)(3)[17] for his use of a cell phone to “persuade, induce, entice, coerce, or facilitate the travel of, the minor to engage in prohibited sexual conduct.” Kramer argued that this claim was insufficient because his charge included persuading through a computer device and his cellular phone technically is not a computer. Although Kramer tried to argue this point, U.S. Sentencing Guidelines Manual states that the term computer “means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.”[18]

Connecticut was the first state to pass a statute making it a criminal offense to harass someone by computer. Michigan, Arizona, and Virginia and South Carolina[19] have also passed laws banning harassment by electronic means.[20][21]

Harassment as defined in the U.S. computer statutes is typically distinct from cyberbullying, in that the former usually relates to a person’s “use a computer or computer network to communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, or make any suggestion or proposal of an obscene nature, or threaten any illegal or immoral act,” while the latter need not involve anything of a sexual nature.

Threats

Main article: Intimidation

Although freedom of speech is protected by law in most democratic societies (in the US this is done by the First Amendment), it does not include all types of speech. In fact spoken or written “true threat” speech/text is criminalized because of “intent to harm or intimidate”, that also applies for online or any type of network related threats in written text or speech.[22] The US Supreme Court definition of “true threat” is “statements where the speaker means to communicate a serious expression of an intent to commit an act of unlawful violence to a particular individual or group”.[22]

Drug trafficking

“Drug traffickers are increasingly taking advantage of the Internet”, according to cyber authorities and personnel, to sell their illegal substances through encrypted e-mail and other Internet Technology. Some drug traffickers arrange deals at internet cafes, use courier Web sites to track illegal packages of pills, and swap recipes for amphetamines in restricted-access chat rooms. The deep web site Silk Road was a major online marketplace for drugs before it was shut down by law enforcement (then

reopened under new management, and then shut down by bad”.[25] It offers web hosting services and internet ac- law enforcement again). cess to all kinds of criminal and objectionable activities, The rise in Internet drug trades could also be attributed to with an individual activities earning up to $150 million in the lack of face-to-face communication. These virtual ex- one year. It specialized in and in some cases monopolized changes allow more intimidated individuals to more com- personal identity theft for resale. It is the originator of fortably purchase illegal drugs. The sketchy effects that MPack and an alleged operator of the now defunct Storm are often associated with drug trades are severely mini- botnet. mized and the filtering process that comes with physical On 2 March 2010, Spanish investigators arrested 3 in in- interaction fades away. fection of over 13 million computers around the world. The “botnet” of infected computers included PCs inside more than half of the Fortune 1000 companies and more 7.2 Documented cases than 40 major banks, according to investigators. In August 2010 the international investigation Operation One of the highest profiled banking computer crime oc- Delego, operating under the aegis of the Department curred during a course of three years beginning in 1970. of Homeland Security, shut down the international The chief teller at the Park Avenue branch of New York’s pedophile ring Dreamboard. The website had approx- Union Dime Savings Bank embezzled over $1.5 million imately 600 members, and may have distributed up to from hundreds of accounts.[23] 123 terabytes of child pornography (roughly equivalent to 16,000 DVDs). To date this is the single largest U.S. 
A hacking group called MOD (), prosecution of an international child pornography ring; allegedly stole passwords and technical data from Pacific 52 arrests were made worldwide.[26] Bell, Nynex, and other telephone companies as well as several big credit agencies and two major universi- On March 1, 2011 at Lassiter High School, two students ties. The damage caused was extensive, one company, were accused of impersonation of a staff member via cy- Southwestern Bell suffered losses of $370,000 alone.[23] bercrime, but both claimed they were uninvolved. The offense was made a felony in the Cobb County School In 1983, a nineteen-year-old UCLA student used his PC District two months after the impersonation had hap- to break into a Defense Department international com- [23] pened. Shortly afterwards, the head of the LHS School munications system. Board said “The teacher just wouldn't do this at all”. The Between 1995 and 1998 the Newscorp satellite pay to case ended on May 9, and no evidence was found. view encrypted SKY-TV service was hacked several In June 2012 LinkedIn and eHarmony were attacked, times during an ongoing technological arms race between compromising 65 million password hashes. 30,000 pass- a pan-European hacking group and Newscorp. The orig- words were cracked and 1.5 million EHarmony pass- inal motivation of the hackers was to watch Star Trek re- words were posted online.[27] runs in Germany; which was something which Newscorp did not have the copyright to allow.[24] December 2012 Wells Fargo website experienced a de- nial of service attack. Potentially compromising 70 mil- On 26 March 1999, the worm infected a docu- lion customers and 8.5 million active viewers. Other ment on a victim’s computer, then automatically sent that banks thought to be compromised: , J. document and a copy of the virus spread via e-mail to P. Morgan U.S. Bank, and PNC Financial Services.[28] other people. 
In January 2012 Zappos.com experienced a security In February 2000, an individual going by the alias of breach after as many as 24 million customers’ credit card MafiaBoy began a series denial-of-service attacks against numbers, personal information, billing and shipping ad- high profile websites, including Yahoo!, Amazon.com, dresses had been compromised.[29] Dell, Inc., E*TRADE, eBay, and CNN. About fifty com- puters at Stanford University, and also computers at the April 23, 2013 saw the Associated Press’ Twitter ac- University of California at Santa Barbara, were amongst count’s hacking to release a hoax tweet about fictional the zombie computers sending pings in DDoS attacks. attacks in the White House that left President Obama [30] On 3 August 2000, Canadian federal prosecutors charged injured. This erroneous tweet resulted in a brief plunge MafiaBoy with 54 counts of illegal access to computers, of 130 points from the Dow Jones Industrial Average, re- [31] plus a total of ten counts of mischief to data for his at- moval of $136 billion from S&P 500 index, and the tacks. temporary suspension of their Twitter account. The Dow Jones later restored its session gains. The (RBN) was registered as an internet site in 2006. Initially, much of its activity was legitimate. But apparently the founders soon discovered that it was more profitable to host illegitimate activities and started hiring its services to criminals. The RBN has been described by VeriSign as “the baddest of the 7.4. SEE ALSO 33

7.3 Combating computer crime

7.3.1 Diffusion of Cybercrime

The broad diffusion of cybercriminal activities is an issue in computer crimes detection and prosecution. According to Jean-Loup Richet (Research Fellow at ESSEC ISIS), technical expertise and accessibility no longer act as barriers to entry into cybercrime.[32] Indeed, hacking is much less complex than it was a few years ago, as hacking communities have greatly diffused their knowledge through the Internet. Blogs and communities have hugely contributed to information sharing: beginners could benefit from older hackers’ knowledge and advice. Furthermore, hacking is cheaper than ever: before the cloud computing era, in order to spam one needed a dedicated server, skills in server management, network configuration and maintenance, knowledge of Internet service provider standards, etc. By comparison, a mail software-as-a-service is a scalable, inexpensive, bulk, and transactional e-mail-sending service for marketing purposes and could be easily set up for spam.[33] Jean-Loup Richet explains that cloud computing could be helpful for a cybercriminal as a way to leverage his attack - brute-forcing a password, improving the reach of a botnet, or facilitating a campaign.[34]

7.3.2 Investigation

A computer can be a source of evidence (see digital forensics). Even where a computer is not directly used for criminal purposes, it may contain records of value to criminal investigators in the form of a logfile. In most countries Internet Service Providers are required, by law, to keep their logfiles for a predetermined amount of time. For example, a European wide directive[35] (applicable to all EU member states) states that all E-mail traffic should be retained for a minimum of 12 months.

7.3.3 Legislation

Due to easily exploitable laws, cybercriminals use developing countries in order to evade detection and prosecution from law enforcement. In developing countries, such as the Philippines, laws against cybercrime are weak or sometimes nonexistent. These weak laws allow cybercriminals to strike from international borders and remain undetected. Even when identified, these criminals avoid being punished or extradited to a country, such as the United States, that has developed laws that allow for prosecution. While this proves difficult in some cases, agencies, such as the FBI, have used deception and subterfuge to catch criminals. For example, two Russian hackers had been evading the FBI for some time. The FBI set up a fake computing company based in Seattle, Washington. They proceeded to lure the two Russian men into the United States by offering them work with this company. Upon completion of the interview, the suspects were arrested outside of the building. Clever tricks like this are sometimes a necessary part of catching cybercriminals when weak legislation makes it impossible otherwise.[36]

President Barack Obama released an executive order in April 2015 to combat cybercrime. The executive order allows the United States to freeze assets of convicted cybercriminals and block their economic activity within the United States. This is some of the first solid legislation that combats cybercrime in this way.[37]

7.3.4 Penalties

Penalties for computer related crimes in New York State can range from a fine and a short period of jail time for a Class A misdemeanor such as unauthorized use of a computer up to computer tampering in the first degree which is a Class C felony and can carry 3 to 15 years in prison.[38][39]

However, some hackers have been hired as information security experts by private companies due to their inside knowledge of computer crime, a phenomenon which theoretically could create perverse incentives. A possible counter to this is for courts to ban convicted hackers from using the internet or computers, even after they have been released from prison – though as computers and the internet become more and more central to everyday life, this type of punishment may be viewed as more and more harsh and draconian. However, nuanced approaches have been developed that manage cyberoffender behavior without resorting to total computer and/or Internet bans.[40] These approaches involve restricting individuals to specific devices which are subject to computer monitoring and/or computer searches by probation and/or parole officers.[41]

7.4 See also

• Computer trespass

• Cyber-

• Cyberbullying

• Cyberdefamation law

• Cyberheist

• Cyberterrorism

• Economic and Industrial Espionage

• Federal Bureau of Investigation (FBI)

• Hacking

• Immigration and Customs Enforcement (ICE)

• Internet homicide

• Internet stalking

• Internet suicide

• Internet War

• INTERPOL

• Legal aspects of computing

• List of computer criminals

• Metasploit Project

• Online predator

• Organized crime

• Penetration test

• Personal Jurisdiction over International Defendants in US Courts

• Police National E-Crime Unit

• Protected computer

• Techno-thriller

• United States Secret Service

• White collar crime

7.5 References

[1] Moore, R. (2005) “Cyber crime: Investigating High-Technology Computer Crime,” Cleveland, Mississippi: Anderson Publishing.

[2] Warren G. Kruse, Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 0-201-70719-5.

[3] David Mann And Mike Sutton (2011-11-06). “Netcrime”. Bjc.oxfordjournals.org. Retrieved 2011-11-10.

[4] Halder, D., & Jaishankar, K. (2011) Cyber crime and the Victimization of Women: Laws, Rights, and Regulations. Hershey, PA, USA: IGI Global. ISBN 978-1-60960-830-9

[5] Internet Security Systems. March-2005.

[6] “Cyber Warfare And The Crime Of Aggression: The Need For Individual Accountability On Tomorrow’S Battlefield”. Law.duke.edu. Retrieved 2011-11-10.

[7] “Cyber crime costs global economy $445 billion a year: report”. Reuters. 2014-06-09. Retrieved 2014-06-17.

[8] “Sex, Lies and Cybercrime Surveys” (PDF). Microsoft. 2011-06-15. Retrieved 2015-03-11.

[9] “#Cybercrime— what are the costs to victims - North Denver News”. North Denver News. Retrieved 16 May 2015.

[10] “Future Crimes”. Retrieved 8 March 2015.

[11] http://www.ere-security.ca/PDF/Cyberextortion%20by%20DoS,%20Risk%20Magazine%20June%202006.pdf

[12] http://www.carlisle.army.mil/DIME/documents/War%20is%20War%20Issue%20Paper%20Final2.pdf

[13] “Cyber Crime definition”.

[14] “Save browsing”. google.

[15] Halder, D., & Jaishankar, K. (2013) Revenge Porn by Teens in the United States and India: A Socio-legal Analysis. International Annals of Criminology, 51(1-2), 85-111.

[16] “Revenge Porn by Teens in the United States and India: A Socio-Legal Analysis”. Retrieved 16 May 2015.

[17] “2011 U.S. Sentencing Guidelines Manual § 2G1.3(b)(3)”.

[18] “United States of America v. Neil Scott Kramer”. Retrieved 2013-10-23.

[19] “South Carolina”. Retrieved 16 May 2015.

[20]

[21] “Section 18.2-152.7:1”. Code of Virginia. Legislative Information System of Virginia. Retrieved 2008-11-27.

[22] Susan W. Brenner, Cybercrime: Criminal Threats from Cyberspace, ABC-CLIO, 2010, pp. 91

[23] Weitzer, Ronald (2003). Current Controversies in Criminology. Upper Saddle River, New Jersey: Pearson Education Press. p. 150.

[24] David Mann And Mike Sutton (2011-11-06). “Netcrime”. Bjc.oxfordjournals.org. Retrieved 2011-11-10.

[25] “A walk on the dark side”. The Economist. 2007-09-30.

[26] “DHS: Secretary Napolitano and Attorney General Holder Announce Largest U.S. Prosecution of International Criminal Network Organized to Sexually Exploit Children”. Dhs.gov. Retrieved 2011-11-10.

[27] Salvador Rodriguez (June 6, 2012). “Like LinkedIn, eHarmony is hacked; 1.5 million passwords stolen”. Los Angeles Times.

[28] Rick Rothacker (Oct 12, 2012). “Cyber attacks against Wells Fargo “significant,” handled well: CFO”. Reuters.

[29] DAVID K. LI (January 17, 2012). “Zappos cyber attack”. New York Post.

[30] “AP Twitter Hack Falsely Claims Explosions at White House”. Samantha Murphy. April 23, 2013. Retrieved April 23, 2013.

[31] “Fake Tweet Erasing $136 Billion Shows Markets Need Humans”. Bloomberg. April 23, 2013. Retrieved April 23, 2013.

[32] Richet, Jean-Loup (2013). “From Young Hackers to Crackers”. International Journal of Technology and Human Interaction 9 (1).

[33] Richet, Jean-Loup (2011). “Adoption of deviant behavior and cybercrime ‘Know how’ diffusion”. York Deviancy Conference.

[34] Richet, Jean-Loup (2012). “How to Become a Black Hat Hacker? An Exploratory Study of Barriers to Entry Into Cybercrime.”. 17th AIM Symposium.

[35] Data Retention (EC Directive) Regulations SI 2007/2199

[36] Kshetri, Nir. “Diffusion and Effects of Cyber Crime in Developing Countries”.

[37] Northam, Jackie. “U.S. Creates First Sanctions Program Against Cybercriminals”.

[38] Kenniff, Raiser. “New York Internet Crimes Laws”.

[39] Computer fraud charges in New York. May 2011. Bukh Law Firm, PC - 14 Wall St, New York NY 10005 - (212) 729-1632. New York computer fraud lawyer

[40] Managing the Risks Posed by Offender Computer Use, Perspectives, December 2011, http://appaweb.csg.org/Perspectives/Perspectives_V35_N4_P40.pdf

[41] Bowker, Art (2012). The Cybercrime Handbook for Community Corrections: Managing Risk in the 21st Century. Springfield: Thomas. ISBN 9780398087289.

7.6 Further reading

• Balkin, J., Grimmelmann, J., Katz, E., Kozlovski, N., Wagman, S. & Zarsky, T. (2006) (eds) Cybercrime: Digital Cops in a Networked Environment, New York University Press, New York.

• Bowker, Art (2012) “The Cybercrime Handbook for Community Corrections: Managing Risk in the 21st Century” Charles C. Thomas Publishers, Ltd. Springfield.

• Brenner, S. (2007) Law in an Era of Smart Technology, Oxford: Oxford University Press

• Csonka P. (2000) Internet Crime; the Draft council of Europe convention on cyber-crime: A response to the challenge of crime in the age of the internet? Computer Law & Security Report Vol.16 no.5.

• Easttom C. (2010) Computer Crime Investigation and the Law

• Fafinski, S. (2009) Computer Misuse: Response, regulation and the law Cullompton: Willan

• Glenny, Misha, DarkMarket : cyberthieves, cybercops, and you, New York, NY : Alfred A. Knopf, 2011. ISBN 978-0-307-59293-4

• Grabosky, P. (2006) Electronic Crime, New Jersey: Prentice Hall

• Halder, D., & Jaishankar, K. (2011) Cyber crime and the Victimization of Women: Laws, Rights, and Regulations. Hershey, PA, USA: IGI Global. ISBN 978-1-60960-830-9

• Jaishankar, K. (Ed.) (2011). Cyber Criminology: Exploring Internet Crimes and Criminal behavior. Boca Raton, FL, USA: CRC Press, Taylor and Francis Group.

• McQuade, S. (2006) Understanding and Managing Cybercrime, : Allyn & Bacon.

• McQuade, S. (ed) (2009) The Encyclopedia of Cybercrime, Westport, CT: Greenwood Press.

• Parker D (1983) Fighting Computer Crime, U.S.: Charles Scribner’s Sons.

• Pattavina, A. (ed) Information Technology and the Criminal Justice System, Thousand Oaks, CA: Sage.

• Paul Taylor. Hackers: Crime in the Digital Sublime (November 3, 1999 ed.). Routledge; 1 edition. p. 200. ISBN 0-415-18072-4.

• Robertson, J. (2010, March 2). Authorities bust 3 in infection of 13m computers. Retrieved March 26, 2010, from Boston News: Boston.com

• Walden, I. (2007) Computer Crimes and Digital Investigations, Oxford: Oxford University Press.

• Rolón, Darío N. Control, vigilancia y respuesta penal en el ciberespacio, Latin American’s New Security Thinking, Clacso, 2014, pp. 167/182

• Richet, J.L. (2013) From Young Hackers to Crackers, International Journal of Technology and Human Interaction (IJTHI), 9(3), 53-62.

• Wall, D.S. (2007) Cybercrimes: The transformation of crime in the information age, Cambridge: Polity.

• Williams, M. (2006) Virtually Criminal: Crime, Deviance and Regulation Online, Routledge, London.

• Yar, M. (2006) Cybercrime and Society, London: Sage.

7.7 External links

• Centre for Cyber Victim Counselling (CCVC)

• The American Society of & eDiscovery - Cybercrime Information

• A Guide to Computer Crime from legal.practitioner.com

• International Journal of Cyber Criminology

• Virtual Forum Against Cybercrime

• High Technology Crime Investigation Association

• Computer Crime Research Center

• CyberCrime Asia Research Center - Information about computer crime, and CyberTerrorism in Asia

• Information and Research Center for Cybercrime Germany

7.7.1 Government resources

• Cybercrime.gov from the United States Department of Justice

• National Institute of Justice Electronic Crime Program from the United States Department of Justice

• FBI Cyber Investigations home page

• US Secret Service Computer Fraud

• Australian High Tech Crime Centre

Chapter 8

Computer security

Computer security, also known as cybersecurity or IT security, is security applied to computing devices such as computers and smartphones, as well as computer networks such as private and public networks, including the whole Internet. The field includes all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance due to the increasing reliance on computer systems in most societies.[1] It includes physical security to prevent theft of equipment and information security to protect the data on that equipment. Those terms generally do not refer to physical security, but a common belief among computer security experts is that a physical security breach is one of the worst kinds of security breaches as it generally allows full access to both data and equipment.

Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data. Cybersecurity attempts to assure the protection of assets, which includes data, desktops, servers, buildings, and most importantly, humans. The goal of cybersecurity is to protect data both in transit and at rest. Countermeasures can be put in place in order to increase the security of data. Some of these measures include, but are not limited to, access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.[2]

8.1 Vulnerabilities

Main article: Vulnerability (computing)

A vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

A large number of vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. The use of vulnerability with the same meaning as risk can lead to confusion. The risk is tied to the potential of a significant loss. There can also be vulnerabilities without risk, like when the asset has no value. A vulnerability with one or more known (publicly or privately) instances of working and fully implemented attacks is classified as an exploitable vulnerability - a vulnerability for which an exploit exists. To exploit those vulnerabilities, perpetrators (individual hacker, criminal organization, or a nation state) most commonly use malware (malicious software), worms, viruses, and targeted attacks.

Different scales exist to assess the risk of an attack. In the United States, authorities use the Information Operations Condition (INFOCON) system. This system is scaled from 5 to 1 (INFOCON 5 being a harmless situation and INFOCON 1 representing the most critical threats).

To understand the techniques for securing a computer system, it is important to first understand the various types of “attacks” that can be made against it. These threats can typically be classified into one of the categories in the section below.

8.1.1 Backdoors

A backdoor in a computer system, a cryptosystem or an algorithm, is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. A special form of asymmetric encryption attack, known as a kleptographic attack, resists being useful to the reverse engineer even after it is detected and analyzed.

The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device. A specific form of backdoor is a rootkit, which replaces system binaries and/or hooks into the function calls of an operating system to hide the presence of other programs, users, services and open ports. It may also fake information about disk and memory usage.

8.1.2 Denial-of-service attack

Main article: Denial-of-service attack

Unlike other exploits, denial of service attacks are not used to gain unauthorized access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim account to be locked, or they may overload the capabilities of a machine or network and block all users at once. These types of attack are, in practice, difficult to prevent, because the behaviour of whole networks needs to be analyzed, not just the behaviour of small pieces of code. Distributed denial of service (DDoS) attacks, where a large number of compromised hosts (commonly referred to as "zombie computers", used as part of a botnet with, for example, a worm, trojan horse, or backdoor exploit to control them) are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion, are common. Another technique to exhaust victim resources is through the use of an attack amplifier, where the attacker takes advantage of poorly designed protocols on third-party machines, such as NTP or DNS, in order to instruct these hosts to launch the flood. Some vulnerabilities in applications or operating systems can be exploited to make the computer or application malfunction or crash to create a denial-of-service.

8.1.3 Direct-access attacks

An unauthorized user gaining physical access to a computer (or part thereof) can perform many functions or install different types of devices to compromise security, including operating system modifications, software worms, keyloggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media, like CD-R/DVD-R or portable devices such as flash drives, digital cameras or digital audio players. Another common technique is to boot an operating system contained on a CD-ROM or other bootable media and read the data from the harddrive(s) this way. The only way to prevent this is to encrypt the storage media and store the key separate from the system. Direct-access attacks are the only type of threat to air gapped computers in most cases.

[Figure: Common consumer devices that can be used to transfer data surreptitiously.]

8.1.4 Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. For instance, programs such as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the hardware; TEMPEST is a specification by the NSA referring to these attacks.

8.1.5 Spoofing

Spoofing of user identity describes a situation in which one person or program successfully masquerades as another by falsifying data.

8.1.6 Tampering

Tampering describes an intentional modification of products in a way that would make them harmful to the consumer.

8.1.7 Repudiation

Repudiation describes a situation where the authenticity of a signature is being challenged.

8.1.8 Information disclosure

Information disclosure (privacy breach or data leak) describes a situation where information, thought to be secure, is released in an untrusted environment.
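The account-lockout form of denial of service described under 8.1.2 (wrong passwords entered until the victim account locks) can be shown by replaying one set of login attempts against two throttling policies. This is an added example, not part of the original article; the class names, credentials, addresses and threshold are constructed for illustration.

```python
"""Added example: account lockout as a denial-of-service lever, and a per-source alternative."""
from collections import defaultdict

# Constructed credentials and login events; addresses are documentation ranges.
PASSWORDS = {"alice": "correct horse"}
EVENTS = (
    [("203.0.113.7", "alice", f"guess{i}") for i in range(5)]  # third party, wrong passwords
    + [("198.51.100.20", "alice", "correct horse")]             # the real user, right password
    + [("203.0.113.7", "alice", "guess5")]                      # third party tries again
)


class AccountLockout:
    """Locks the account after `threshold` consecutive failures, whatever their source."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)  # keyed by user only

    def attempt(self, source, user, password):
        if self.failures[user] >= self.threshold:
            return "locked"  # even the correct password is refused
        if PASSWORDS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class SourceThrottle:
    """Counts failures per (user, source) pair and blocks only that pair."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)  # keyed by (user, source)

    def attempt(self, source, user, password):
        key = (user, source)
        if self.failures[key] >= self.threshold:
            return "throttled"
        if PASSWORDS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def replay(policy, events):
    """Run the events through a policy; return (source, user, outcome) records."""
    return [(src, user, policy.attempt(src, user, pw)) for src, user, pw in events]


def failing_sources(log, threshold=5):
    """Detection side: (user, source) pairs with >= threshold failures and no success."""
    failed, succeeded = defaultdict(int), set()
    for src, user, outcome in log:
        if outcome == "ok":
            succeeded.add((user, src))
        else:
            failed[(user, src)] += 1
    return sorted(k for k, n in failed.items() if n >= threshold and k not in succeeded)


if __name__ == "__main__":
    for policy in (AccountLockout(), SourceThrottle()):
        log = replay(policy, EVENTS)
        print(type(policy).__name__, [outcome for _, _, outcome in log])
        print("  sources to review:", failing_sources(log))
```

Per-source throttling keeps the real user able to log in, but it counts each source separately, so guesses spread over many sources are not added together; a rate limit on failures per account is a common complement.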

8.1.9 Privilege escalation 8.1.12 Indirect attacks

Privilege escalation describes a situation where an attacker gains elevated privileges or access to resources that were once restricted to them.

8.1.10 Exploits

Main article: Exploit (computer security)

An exploit is a software tool designed to take advantage of a flaw in a computer system. This frequently includes gaining control of a computer system, allowing privilege escalation, or creating a denial of service attack. The code from exploits is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in certain programs’ processing of a specific file type, such as a non-executable media file. Some security web sites maintain lists of currently known unpatched vulnerabilities found in common programs.

8.1.11 Social engineering and trojans

Main article: Social engineering (security)
See also: Category:Cryptographic attacks

A computer system is no more secure than the persons responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them, for example sending messages that they are the system administrator and asking for passwords. This deception is known as social engineering.

In the world of information technology there are different types of cyber attack, like code injection to a website or utilising malware (malicious software) such as viruses, trojans, or similar. Attacks of these kinds are counteracted by managing or improving the damaged product. But there is one last type, social engineering, which does not directly affect the computers but instead their users, which are also known as “the weakest link”. This type of attack is capable of achieving similar results to other classes of cyber attacks, by going around the infrastructure established to resist malicious software; since being more difficult to calculate or prevent, it is many times a more efficient attack vector.

The main target is to convince the user by means of psychological ways to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.[3]

An indirect attack is an attack launched by a third-party computer. By using someone else’s computer to launch an attack, it becomes far more difficult to track down the actual attacker. There have also been cases where attackers took advantage of public anonymizing systems, such as the onion system.

8.1.13 Computer crime

Computer crime refers to any crime that involves a computer and a network.[4]

8.2 Vulnerable areas

Computer security is critical in almost any industry which uses computers.[5]

8.2.1 Financial systems

Web sites that accept or store credit card numbers and bank account information are prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the black market. In-store payment systems and ATMs have also been tampered with in order to gather customer account data and PINs.

8.2.2 Utilities and industrial equipment

Computers control functions at many utilities, including coordination of telecommunications, the power grid, nuclear power plants, and valve opening and closing in water and gas networks. The Internet is a potential attack vector for such machines if connected, but the Stuxnet worm demonstrated that even equipment controlled by computers not connected to the Internet can be vulnerable to physical damage caused by malicious commands sent to industrial equipment (in that case uranium enrichment centrifuges) which are infected via removable media. In 2014, the Computer Emergency Readiness Team, a division of the Department of Homeland Security, investigated 79 hacking incidents at energy companies.[6]

8.2.3 Aviation

The aviation industry is especially important when analyzing computer security because the involved risks include human life, expensive equipment, cargo, and transportation infrastructure. Security can be compromised by hardware and software malpractice, human error, and faulty operating environments. Threats that exploit computer vulnerabilities can stem from sabotage, espionage,

industrial competition, terrorist attack, mechanical malfunction, and human error.[7]

The consequences of a successful deliberate or inadvertent misuse of a computer system in the aviation industry range from loss of confidentiality to loss of system integrity, which may lead to more serious concerns such as exfiltration (data theft or loss), network and air traffic control outages, which in turn can lead to airport closures, loss of aircraft, loss of passenger life. Military systems that control munitions can pose an even greater risk.

A proper attack does not need to be very high tech or well funded; for a power outage at an airport alone can cause repercussions worldwide.[8] One of the easiest and, arguably, the most difficult to trace security vulnerabilities is achievable by transmitting unauthorized communications over specific radio frequencies. These transmissions may spoof air traffic controllers or simply disrupt communications altogether.[9] Controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore. Beyond the radar’s sight controllers must rely on periodic radio communications with a third party.[10] Another attack vector of concern is onboard wifi systems.[11]

8.2.4 Consumer devices

Desktop computers and laptops are commonly infected with malware, either to gather passwords or financial account information, or to construct a botnet to attack another target. Smart phones, tablet computers, smart watches, and other mobile devices have also recently become targets for malware.

Many smartphones have cameras, microphones, GPS receivers, compasses, and accelerometers. Many Quantified Self devices, such as activity trackers, and mobile apps collect personal information, such as heartbeat, diet, notes on activities (from exercise in public to sexual activities), and performance of bodily functions. Wifi, Bluetooth, and cell phone network devices can be used as attack vectors, and sensors might be remotely activated after a successful attack. Many mobile applications do not use encryption to transmit this data, nor to protect usernames and passwords, leaving the devices and the web sites where data is stored vulnerable to monitoring and break-ins.[12]

Hacking techniques have also been demonstrated against home automation devices such as the Nest thermostat.[12]

8.2.5 Large corporations

Data breaches at large corporations have become common, largely for financial gain through identity theft. Notably, the 2014 Sony Pictures Entertainment hack was allegedly carried out by the government of North Korea or its supporters, in retaliation for an unflattering caricature and fictional assassination of supreme leader Kim Jong-un.

8.2.6 Automobiles

With physical access to a car’s internal controller area network, hackers have demonstrated the ability to disable the brakes and turn the steering wheel.[13] Computerized engine timing, cruise control, anti-lock brakes, seat belt tensioners, door locks, airbags and advanced driver assistance systems make these disruptions possible, and self-driving cars go even further. Connected cars may use wifi and bluetooth to communicate with onboard consumer devices, and the cell phone network to contact concierge and emergency assistance services or get navigational or entertainment information; each of these networks is a potential entry point for malware or an attacker.[13] Researchers in 2011 were even able to use a malicious compact disc in a car’s stereo system as a successful attack vector,[14] and cars with built-in voice recognition or remote assistance features have onboard microphones which could be used for eavesdropping. A 2015 report by U.S. Senator Edward Markey criticized manufacturers’ security measures as inadequate and also highlighted privacy concerns about driving, location, and diagnostic data being collected, which is vulnerable to abuse by both manufacturers and hackers.[15]

8.2.7 Government

Military installations have been the target of hacks; vital government infrastructure such as traffic light controls, police and intelligence agency communications, and financial systems are also potential targets as they become computerized.

8.3 Financial cost of security breaches

Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. “Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal.”[16]

However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic Gordon-Loeb Model analyzing the optimal investment level in information security, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach).[17]

Insecurities in operating systems have led to a massive black market for rogue software. An attacker can use a security hole to install software that tricks the user into buying a product. At that point, an affiliate program pays the affiliate responsible for generating that installation about $30. The software is sold for between $50 and $75 per license.[18]

8.3.1 Reasons

There are many similarities (yet many fundamental differences) between computer and physical security. Just like real-world security, the motivations for breaches of computer security vary between attackers, sometimes called hackers or crackers. Some are thrill-seekers or vandals (the kind often responsible for defacing web sites); similarly, some web site defacements are done to make political statements. However, some attackers are highly skilled and motivated with the goal of compromising computers for financial gain or espionage. An example of the latter is Markus Hess (more diligent than skilled), who spied for the KGB and was ultimately caught because of the efforts of Clifford Stoll, who wrote a memoir, The Cuckoo’s Egg, about his experiences.

For those seeking to prevent security breaches, the first step is usually to attempt to identify what might motivate an attack on the system, how much the continued operation and information security of the system are worth, and who might be motivated to breach it. The precautions required for a home personal computer are very different from those of banks' Internet banking systems, and different again for a classified military network. Other computer security writers suggest that, since an attacker using a network need know nothing about you or what you have on your computer, attacker motivation is inherently impossible to determine beyond guessing. If true, blocking all possible attacks is the only plausible action to take.

8.4 Computer protection (countermeasures)

There are numerous ways to protect computers, including utilizing security-aware design techniques, building on secure operating systems and installing hardware devices designed to protect the computer systems.

In general, a countermeasure is a measure or action taken to counter or offset another one. In computer security a countermeasure is defined as an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.[19][20] An alternate meaning of countermeasure from the InfosecToday glossary[21] is:

The deployment of a set of security services to protect against a security threat.

8.4.1 Security and systems design

Although there are many aspects to take into consideration when designing a computer system, security can prove to be very important. According to Symantec, in 2010, 94 percent of organizations polled to implement security improvements to their computer systems, with 42 percent claiming cyber security as their top risk.[22]

At the same time, many organizations are improving security and many types of cyber criminals are finding ways to continue their activities. Almost every type of cyber attack is on the rise. In 2009 respondents to the CSI Computer Crime and Security Survey admitted that malware infections, denial-of-service attacks, password sniffing, and web site defacements were significantly higher than in the previous two years.[23]

8.4.2 Security measures

A state of computer “security” is the conceptual ideal, attained by the use of the three processes: threat prevention, detection, and response. These processes are based on various policies and system components, which include the following:

• User account access controls and cryptography can protect systems files and data, respectively.
• Firewalls are by far the most common prevention systems from a network security perspective as they can (if properly configured) shield access to internal network services, and block certain kinds of attacks through packet filtering. Firewalls can be both hardware- or software-based.
• Intrusion Detection Systems (IDSs) are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.
• “Response” is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, a complete destruction of the compromised system is favored, as it

may happen that not all the compromised resources are detected.

Today, computer security comprises mainly “preventive” measures, like firewalls or an exit procedure. A firewall can be defined as a way of filtering network data between a host or a network and another network, such as the Internet, and can be implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating systems such as Linux, built into the operating system kernel) to provide real time filtering and blocking. Another implementation is a so-called physical firewall which consists of a separate machine filtering network traffic. Firewalls are common amongst machines that are permanently connected to the Internet.

However, relatively few organisations maintain computer systems with effective detection systems, and fewer still have organised response mechanisms in place. As a result, as Reuters points out: “Companies for the first time report they are losing more through electronic theft of data than physical stealing of assets”.[24] The primary obstacle to effective eradication of cyber crime could be traced to excessive reliance on firewalls and other automated “detection” systems. Yet it is basic evidence gathering by using packet capture appliances that puts criminals behind bars.

Difficulty with response

Responding forcefully to attempted security breaches (in the manner that one would for attempted physical security breaches) is often very difficult for a variety of reasons:

• Identifying attackers is difficult, as they are often in a different jurisdiction to the systems they attempt to breach, and operate through proxies, temporary dial-up accounts, wireless connections, and other anonymising procedures which make backtracing difficult and are often located in yet another jurisdiction. If they successfully breach security, they are often able to delete logs to cover their tracks.
• The sheer number of attempted attacks is so large that organisations cannot spend time pursuing each attacker (a typical home user with a permanent (e.g., cable modem) connection will be attacked at least several times per day, so more attractive targets could be presumed to see many more). Note however, that most of the sheer bulk of these attacks are made by automated vulnerability scanners and computer worms.
• Law enforcement officers are often unfamiliar with information technology, and so lack the skills and interest in pursuing attackers. There are also budgetary constraints. It has been argued that the high cost of technology, such as DNA testing, and improved forensics mean less money for other kinds of law enforcement, so the overall rate of criminals not getting dealt with goes up as the cost of the technology increases. In addition, the identification of attackers across a network may require logs from various points in the network and in many countries, the release of these records to law enforcement (with the exception of being voluntarily surrendered by a network administrator or a system administrator) requires a search warrant and, depending on the circumstances, the legal proceedings required can be drawn out to the point where the records are either regularly destroyed, or the information is no longer relevant.

8.4.3 Reducing vulnerabilities

Computer code is regarded by some as a form of mathematics. It is theoretically possible to prove the correctness of certain classes of computer programs, though the feasibility of actually achieving this in large-scale practical systems is regarded as small by some with practical experience in the industry; see Bruce Schneier et al.

It is also possible to protect messages in transit (i.e., communications) by means of cryptography. One method of encryption—the one-time pad—is unbreakable when correctly used. This method was used by the during the Cold War, though flaws in their implementation allowed some ; see the Venona project. The method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. For transmitted computer encryption this method is difficult to use properly (securely), and highly inconvenient as well. Other methods of encryption, while breakable in theory, are often virtually impossible to directly break by any means publicly known today. Breaking them requires some non-cryptographic input, such as a stolen key, stolen plaintext (at either end of the transmission), or some other extra cryptanalytic information.

Social engineering and direct computer access (physical) attacks can only be prevented by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Even in a highly disciplined environment, such as in military organizations, social engineering attacks can still be difficult to foresee and prevent.

Trusting code to behave securely has been pursued for decades. It has proven difficult to determine what code 'will never do.' Mathematical proofs are elusive in part because it is so difficult to define secure behavior even notionally, let alone mathematically. In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits, so it is usually possible for a determined hacker to read, copy, alter or destroy data in well secured computers, albeit at the cost of great time and resources. Few attackers would audit applications for vulnerabilities just to attack a single specific system. It is possible to reduce an attacker’s chances by keeping systems up to date, using a security scanner and/or hiring competent people responsible for security. The effects of data loss/damage can be reduced by careful backing up and insurance. However, software-based strategies have not yet been discovered for protecting computers from adequately funded, dedicated malicious attacks.

8.4.4 Security by design

Main article: Secure by design

Security by design, or alternately secure by design, means that the software has been designed from the ground up to be secure. In this case, security is considered as a main feature.

Some of the techniques in this approach include:

• The principle of least privilege, where each part of the system has only the privileges that are needed for its function. That way even if an attacker gains access to that part, they have only limited access to the whole system.
• Automated theorem proving to prove the correctness of crucial software subsystems.
• Code reviews and unit testing, approaches to make modules more secure where formal correctness proofs are not possible.
• Defense in depth, where the design is such that more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds.
• Default secure settings, and design to “fail secure” rather than “fail insecure” (see fail-safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
• Audit trails tracking system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
• Full disclosure of all vulnerabilities, to ensure that the "window of vulnerability" is kept as short as possible when bugs are discovered.

8.4.5 Security architecture

The Open Security Architecture organization defines IT security architecture as “the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture. These controls serve the purpose to maintain the system’s quality attributes: confidentiality, integrity, availability, accountability and assurance services".[25]

Techopedia defines security architecture as “a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.” The key attributes of security architecture are:[26]

• the relationship of different components and how they depend on each other.
• the determination of controls based on risk assessment, good practice, finances, and legal matters.
• the standardization of controls.

8.4.6 Hardware protection mechanisms

See also: Computer security compromised by hardware failure

While hardware may be a source of insecurity, such as with microchip vulnerabilities maliciously introduced during the manufacturing process,[27][28] hardware-based or assisted computer security also offers an alternative to software-only computer security. Using devices and methods such as dongles, trusted platform modules, intrusion-aware cases, drive locks, disabling USB ports, and mobile-enabled access may be considered more secure due to the physical access (or sophisticated backdoor access) required in order to be compromised. Each of these is covered in more detail below.

• USB dongles are typically used in software licensing schemes to unlock software capabilities,[29] but they can also be seen as a way to prevent unauthorized access to a computer or other device’s software. The dongle, or key, essentially creates a secure encrypted tunnel between the software application and the key. The principle is that an encryption scheme on the dongle, such as Advanced Encryption Standard (AES) provides a stronger measure of security, since it is harder to hack and replicate the dongle than to simply copy the native software to another machine and use it. Another security application for dongles is to use them for accessing web-based content such as cloud software or Virtual Private Networks (VPNs).[30] In addition, a

USB dongle can be configured to lock or unlock a computer.[31]

• Trusted platform modules (TPMs) secure devices by integrating cryptographic capabilities onto access devices, through the use of microprocessors, or so-called computers-on-a-chip. TPMs used in conjunction with server-side software offer a way to detect and authenticate hardware devices, preventing unauthorized network and data access.[32]
• Computer case intrusion detection refers to a push-button switch which is triggered when a computer case is opened. The firmware or BIOS is programmed to show an alert to the operator when the computer is booted up the next time.
• Drive locks are essentially software tools to encrypt hard drives, making them inaccessible to thieves.[33] Tools exist specifically for encrypting external drives as well.[34]
• Disabling USB ports is a security option for preventing unauthorized and malicious access to an otherwise secure computer. Infected USB dongles connected to a network from a computer inside the firewall are considered by Network World as the most common hardware threat facing computer networks.[35]
• Mobile-enabled access devices are growing in popularity due to the ubiquitous nature of cell phones. Built-in capabilities such as Bluetooth, the newer Bluetooth low energy (LE), Near field communication (NFC) on non-iOS devices and biometric validation such as thumb print readers, as well as QR code reader software designed for mobile devices, offer new, secure ways for mobile phones to connect to access control systems. These control systems provide computer security and can also be used for controlling access to secure buildings.[36]

8.4.7 Secure operating systems

Main article: Security-focused operating system

One use of the term “computer security” refers to technology that is used to implement secure operating systems. Much of this technology is based on science developed in the 1980s and used to produce what may be some of the most impenetrable operating systems ever. Though still valid, the technology is in limited use today, primarily because it imposes some changes to system management and also because it is not widely understood. Such ultra-strong secure operating systems are based on operating system kernel technology that can guarantee that certain security policies are absolutely enforced in an operating environment. An example of such a Computer security policy is the Bell-LaPadula model. The strategy is based on a coupling of special microprocessor hardware features, often involving the memory management unit, to a special correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can ensure the absolute impossibility of penetration by hostile elements. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. The design methodology to produce such secure systems is precise, deterministic and logical.

Systems designed with such methodology represent the state of the art of computer security although products using such security are not widely known. In sharp contrast to most kinds of software, they meet specifications with verifiable certainty comparable to specifications for size, weight and power. Secure operating systems designed this way are used primarily to protect national security information, military secrets, and the data of international financial institutions. These are very powerful security tools and very few secure operating systems have been certified at the highest level (Orange Book A-1) to operate over the range of “Top Secret” to “unclassified” (including Honeywell SCOMP, USAF SACDIN, NSA Blacker and Boeing MLS LAN). The assurance of security depends not only on the soundness of the design strategy, but also on the assurance of correctness of the implementation, and therefore there are degrees of security strength defined for COMPUSEC. The Common Criteria quantifies security strength of products in terms of two components, security functionality and assurance level (such as EAL levels), and these are specified in a Protection Profile for requirements and a Security Target for product descriptions. None of these ultra-high assurance secure general purpose operating systems have been produced for decades or certified under Common Criteria.

In USA parlance, the term High Assurance usually suggests the system has the right security functions that are implemented robustly enough to protect DoD and DoE classified information. Medium assurance suggests it can protect less valuable information, such as income tax information. Secure operating systems designed to meet medium robustness levels of security functionality and assurance have seen wider use within both government and commercial markets. Medium robust systems may provide the same security functions as high assurance secure operating systems but do so at a lower assurance level (such as Common Criteria levels EAL4 or EAL5). Lower levels mean we can be less certain that the security functions are implemented flawlessly, and therefore less dependable. These systems are found in use on web servers, guards, database servers, and management hosts and are used not only to protect the data stored on these systems but also to provide a high level of protection for network connections and routing services.

8.4.8 Secure coding

Main article: Secure coding

If the operating environment is not based on a secure operating system capable of maintaining a domain for its own execution, and capable of protecting application code from malicious subversion, and capable of protecting the system from subverted code, then high degrees of security are understandably not possible. While such secure operating systems are possible and have been implemented, most commercial systems fall in a 'low security' category because they rely on features not supported by secure operating systems (like portability, and others). In low security operating environments, applications must be relied on to participate in their own protection. There are 'best effort' secure coding practices that can be followed to make an application more resistant to malicious subversion.

In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection. These defects can be used to cause the target system to execute putative data. However, the “data” contain executable instructions, allowing the attacker to gain control of the processor.

Some common languages such as C and C++ are vulnerable to all of these defects (see Seacord, “Secure Coding in C and C++").[37] Other languages, such as Java, are more resistant to some of these defects, but are still prone to code/command injection and other software defects which facilitate subversion.

Another bad coding practice occurs when an object is deleted during normal operation yet the program neglects to update any of the associated memory pointers, potentially causing system instability when that location is referenced again. This is called a dangling pointer, and the first known exploit for this particular problem was presented in July 2007. Before this publication the problem was known but considered to be academic and not practically exploitable.[38]

Unfortunately, there is no theoretical model of “secure coding” practices, nor is one practically achievable, insofar as the code (ideally, read-only) and data (generally read/write) generally tend to have some form of defect.

8.4.9 Capabilities and access control lists

Main articles: Access control list and Capability (computers)

Within computer systems, two of many security models capable of enforcing privilege separation are access control lists (ACLs) and capability-based security. Using ACLs to confine programs has been proven to be insecure in many situations, such as if the host computer can be tricked into indirectly allowing restricted file access, an issue known as the confused deputy problem. It has also been shown that the promise of ACLs of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems, but only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws.

Capabilities have been mostly restricted to research operating systems, while commercial OSs still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open source project in the area is the E language.

The most secure computers are those not connected to the Internet and shielded from any interference. In the real world, the most secure systems are operating systems where security is not an add-on.

8.4.10 Hacking back

There has been a significant debate regarding the legality of hacking back against digital attackers (who attempt to or successfully breach an individual’s, entity’s, or nation’s computer). The arguments for such counter-attacks are based on notions of equity, active defense, vigilantism, and the Computer Fraud and Abuse Act (CFAA). The arguments against the practice are primarily based on the legal definitions of “intrusion” and “unauthorized access”, as defined by the CFAA. As of October 2012, the debate is ongoing.[39]

8.5 Notable computer security attacks and breaches

Some illustrative examples of different types of computer security breaches are given below.
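Added example for section 8.4.9 above, not part of the original article: a Python model of the confused deputy problem, in which a compile service that opens a caller-named output file under its own ACL identity is steered into overwriting its own billing log, while the capability version can only write through a handle the caller was able to obtain. FileStore, WriteCap, the principals and the paths are hypothetical, and the unforgeability of the capability object is assumed rather than enforced by Python.

```python
# Constructed model: FileStore, WriteCap, the principals and the paths are
# hypothetical and exist only for this illustration.


class AccessDenied(Exception):
    pass


class FileStore:
    """In-memory files, each with an ACL: the principals allowed to write."""

    def __init__(self):
        self._data, self._acl = {}, {}

    def create(self, path, writers, content=""):
        self._data[path], self._acl[path] = content, set(writers)

    def read(self, path):
        return self._data[path]

    def _check(self, principal, path):
        if principal not in self._acl.get(path, set()):
            raise AccessDenied(f"{principal} may not write {path}")

    def write(self, principal, path, content):
        # ACL model: the decision depends only on who is calling right now.
        self._check(principal, path)
        self._data[path] = content

    def open_for_write(self, principal, path):
        # Capability model: check the requester once, then hand out a handle.
        self._check(principal, path)
        return WriteCap(self, path)


class WriteCap:
    """Holding this object is the authority to write exactly one file."""

    def __init__(self, store, path):
        # Python cannot make the handle unforgeable; that is assumed here.
        self._store, self._path = store, path

    def write(self, content):
        self._store._data[self._path] = content


DEPUTY = "compiler"            # identity the compile service runs as
BILLING = "/sys/billing.log"   # writable by the deputy only


def bill(store, user):
    store.write(DEPUTY, BILLING, store.read(BILLING) + f"{user}: 1 job\n")


def compile_by_name(store, user, source, out_path):
    # The caller designates the output by name and the deputy's own identity
    # is what the ACL checks, so the caller's rights never enter into it.
    bill(store, user)
    store.write(DEPUTY, out_path, f"OBJ({source})")


def compile_by_cap(store, user, source, out_cap):
    # Designation and authority arrive together in the caller's capability.
    bill(store, user)
    out_cap.write(f"OBJ({source})")


def fresh_store():
    store = FileStore()
    store.create(BILLING, writers={DEPUTY})
    # The user has granted the deputy write access to the output file.
    store.create("/home/mallory/out.o", writers={"mallory", DEPUTY})
    return store


def run_scenarios():
    result = {}
    # 1. ACL style: the user names the deputy's billing log as the output.
    store = fresh_store()
    compile_by_name(store, "mallory", "x.c", BILLING)
    result["acl_billing_log"] = store.read(BILLING)

    # 2. Capability style: the store refuses the user a handle on the log.
    store = fresh_store()
    try:
        store.open_for_write("mallory", BILLING)
        result["cap_request_for_billing_denied"] = False
    except AccessDenied:
        result["cap_request_for_billing_denied"] = True
    cap = store.open_for_write("mallory", "/home/mallory/out.o")
    compile_by_cap(store, "mallory", "x.c", cap)
    result["cap_billing_log"] = store.read(BILLING)
    result["cap_output"] = store.read("/home/mallory/out.o")
    return result


if __name__ == "__main__":
    print(run_scenarios())
```

In the ACL run the billing record is replaced by compiler output even though every individual ACL check passed; in the capability run the billing log keeps its record and the output lands only in the file the user could already write.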

8.5.1 Robert Morris and the first computer worm

Main article:

In 1988, only 60,000 computers were connected to the Internet, and most were mainframes, and professional workstations. On November 2, 1988, many started to slow down, because they were running a malicious code that demanded processor time and that spread itself to other computers - the first internet "computer worm".[40] The software was traced back to 23-year-old Cornell University graduate student Robert Tappan Morris, Jr. who said 'he wanted to count how many machines were connected to the Internet'.[40]

8.5.2 Rome Laboratory

In 1994, over a hundred intrusions were made by unidentified crackers into the Rome Laboratory, the US Air Force’s main command and research facility. Using trojan horses, hackers were able to obtain unrestricted access to Rome’s networking systems and remove traces of their activities. The intruders were able to obtain classified files, such as air tasking order systems data and furthermore able to penetrate connected networks of National Aeronautics and Space Administration's Goddard Space Flight Center, Wright-Patterson Air Force Base, some Defense contractors, and other private sector organizations, by posing as a trusted Rome center user.[41]

8.5.3 TJX loses 45.7m customer credit card details

In early 2007, American apparel and home goods company TJX announced that it was the victim of an unauthorized computer systems intrusion[42] and that the hackers had accessed a system that stored data on credit card, debit card, check, and merchandise return transactions.[43]

8.5.4 Stuxnet attack

The computer worm known as Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges[44] by disrupting industrial programmable logic controllers (PLCs) in a targeted attack generally believed to have been launched by Israel and the United States[45][46][47][48] although neither has publicly acknowledged this.

8.5.5 Global surveillance disclosures

Main article: Global surveillance disclosures (2013–present)

In early 2013, thousands of thousands of classified documents[49] were disclosed by NSA contractor . Called the “most significant leak in U.S. history”[50] it also revealed for the first time the massive breaches of computer security by the NSA, including deliberately inserting a backdoor in a NIST standard for encryption[51] and tapping the links between Google's data centres.[52]

8.5.6 Target And Home Depot Breaches by Rescator

In 2013 and 2014, a Russian/Ukrainian hacking ring known as “Rescator” broke into Target Corporation computers in 2013, stealing roughly 40 million credit cards,[53] and then Home Depot computers in 2014, stealing between 53 and 56 million credit card numbers.[54] Warnings were delivered at both corporations, but ignored; physical security breaches using self checkout machines are believed to have played a large role. “The malware utilized is absolutely unsophisticated and uninteresting,” says Jim Walter, director of threat intelligence operations at security technology company McAfee - meaning that the heists could have easily been stopped by existing antivirus software had administrators responded to the warnings. The size of the thefts has resulted in major attention from state and Federal United States authorities and the investigation is ongoing.

8.6 Legal issues and global regulation

Conflict of laws in cyberspace[55] has become a major cause of concern for the computer security community. Some of the main challenges and complaints about the antivirus industry are the lack of global web regulations, a global base of common rules to judge, and eventually punish, cyber crimes and cyber criminals. There is no global cyber law[56] and cyber security treaty[57] that can be invoked for enforcing global cyber security issues.

International legal issues of cyber attacks[58] are really tricky and complicated in nature.[59] For instance, even if an antivirus firm locates the cyber criminal behind the creation of a particular virus or piece of malware or again one form of cyber attack, often the local authorities cannot take action due to lack of laws under which to prosecute.[60][61] This is mainly caused by the fact that many countries have their own regulations regarding cyber crimes. Authorship attribution for cyber

crimes and cyber attacks has become a major problem for international law enforcement agencies.[62]

“[Computer viruses] switch from one country to another, from one jurisdiction to another — moving around the world, using the fact that we don't have the capability to globally police operations like this. So the Internet is as if someone [had] given free plane tickets to all the online criminals of the world.”[60] (Mikko Hyppönen) Use of dynamic DNS, fast flux and bullet proof servers have added own complexities to this situation.[63]

Businesses are eager to expand to less developed countries due to the low cost of labor, says White et al. (2012). However, these countries are the ones with the least amount of Internet safety measures, and the Internet Service Providers are not so focused on implementing those safety measures (2010). Instead, they are putting their main focus on expanding their business, which exposes them to an increase in criminal activity.[64]

In response to the growing problem of cyber crime, the European Commission established the European Cybercrime Centre (EC3).[65] The EC3 effectively opened on 1 January 2013 and will be the focal point in the EU’s fight against cyber crime, contributing to faster reaction to online crimes. It will support member states and the EU’s institutions in building an operational and analytical capacity for investigations, as well as cooperation with international partners.[66]

8.7 Government

The role of the government is to make regulations to force companies and organizations to protect their system, infrastructure and information from any cyber attacks, but also to protect its own national infrastructure such as the national power-grid.

The question of whether the government should intervene or not in the regulation of the cyberspace is a very polemical one. Indeed, for as long as it has existed and by definition, the cyberspace is a virtual space free of any government intervention. Where everyone agrees that an improvement on cybersecurity is more than vital, is the government the best actor to solve this issue? Many government officials and experts think that the government should step in and that there is a crucial need for regulation, mainly due to the failure of the private sector to solve efficiently the cybersecurity problem. R. Clarke said during a panel discussion at the RSA Security Conference in San Francisco, he believes that the “industry only responds when you threaten regulation. If industry doesn't respond (to the threat), you have to follow through.”[67] On the other hand, executives from the private sector agree that improvements are necessary but think that the government intervention would affect their ability to innovate efficiently.

8.7.1 Public–private cooperation

The cybersecurity act of 2010 establishes the creation of an advisory panel, each member of this panel will be appointed by the President of the United States. They must represent the private sector, the academic sector, the public sector and the non-profit organisations.[68] The purpose of the panel is to advise the government as well as help improve strategies.

8.8 Actions and teams in the US

8.8.1 Cybersecurity Act of 2010

The “Cybersecurity Act of 2010 - S. 773” was introduced first in the Senate on April 1, 2009 by Senator Jay Rockefeller (D-WV), Senator Evan Bayh (D-IN), Senator Barbara Mikulski (D-MD), Senator Bill Nelson (D-FL), and Senator Olympia Snowe (R-ME). The revised version was approved on March 24, 2009.[68]

The main objective of the bill is to increase collaboration between the public and the private sector on the issue of cybersecurity. But also

“to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.”[68]

The act also wants to instate new higher standards, processes, technologies and protocols to ensure the security of the “critical infrastructure”.

8.8.2 International Cybercrime Reporting and Cooperation Act

On March 25, 2010, Representative Yvette Clarke (D-NY) introduced the “International Cybercrime Reporting and Cooperation Act - H.R.4962”[69] in the House of Representatives; the bill, co-sponsored by seven other representatives (among whom only one Republican), was referred to three House committees.[70] The bill seeks to make sure that the administration keeps Congress informed on information infrastructure, cybercrime, and end-user protection worldwide. It also “directs the President to give priority for assistance to improve legal, judicial, and enforcement capabilities with respect to cybercrime to countries with low information and communications technology levels of development or utilization in

their critical infrastructure, telecommunications systems, and financial industries”[70] as well as to develop an action plan and an annual compliance assessment for countries of “cyber concern”.[70]

8.8.3 Protecting Cyberspace as a National Asset Act of 2010

On June 19, 2010, United States Senator Joe Lieberman (I-CT) introduced a bill called “Protecting Cyberspace as a National Asset Act of 2010 - S.3480”[71] which he co-wrote with Senator Susan Collins (R-ME) and Senator Thomas Carper (D-DE). If signed into law, this controversial bill, which the American media dubbed the "Kill switch bill", would grant the President emergency powers over the Internet. However, all three co-authors of the bill issued a statement claiming that instead, the bill “[narrowed] existing broad Presidential authority to take over telecommunications networks”.[72]

8.8.4 White House proposes cybersecurity legislation

On May 12, 2011, the White House sent Congress a proposed cybersecurity law designed to force companies to do more to fend off cyberattacks, a threat that has been reinforced by recent reports about vulnerabilities in systems used in power and water utilities.[73]

Executive order 13636 Improving Critical Infrastructure Cybersecurity was signed February 12, 2013.

8.8.5 White House Cybersecurity Summit

President Obama called for a cybersecurity summit, held at Stanford University in February 2015.[74]

8.8.6 Government initiatives

The government put together several different websites to inform, share and analyze information. Those websites are targeted to different “audiences”:

• the government itself: states, cities, counties
• the public sector
• the private sector
• the end-user

Here are a few examples:

• msisac.org : the Multi-State Information Sharing and Analysis Center. The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments.
• onguardonline.gov : The mission of this website is to provide practical tips from the federal government and the technology industry to help the end user be on guard against internet fraud, secure their computers, and protect their private personal information.
• csrc.nist.gov : The Computer Security Division (Computer Security Resource Center) of the National Institute of Standards and Technology. Its mission is to provide assistance, guidelines, specifications, minimum information security requirements...

8.8.7 Military agencies

Homeland Security

The Department of Homeland Security has a dedicated division responsible for the response system, risk management program and requirements for cyber security in the United States called the National Cyber Security Division.[75][76] The division is home to US-CERT operations and the National Cyber Alert System. The goals of those teams are to:

• help government and end-users to transition to new cyber security capabilities
• R&D[76]

In October 2009, the Department of Homeland Security opened the National Cybersecurity and Communications Integration Center. The center brings together government organizations responsible for protecting computer networks and networked infrastructure.[77]

FBI

The third priority of the Federal Bureau of Investigation (FBI) is to:

Protect the United States against cyber-based attacks and high-technology crimes[78]

According to the 2010 Internet Crime Report, 303,809 complaints were received via the IC3 website. The Internet Crime Complaint Center, also known as IC3, is a multi-agency task force made up by the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).[79]

According to the same report,[80] here are the top 10 reported offenses in the United States only:

• 1. Non-delivery Payment/Merchandise 14.4%
• 2. FBI-Related Scams 13.2%
• 3. Identity Theft 9.8%

• 4. Computer Crimes 9.1%
• 5. Miscellaneous Fraud 8.6%
• 6. Advance Fee Fraud 7.6%
• 7. Spam 6.9%
• 8. Auction Fraud 5.9%
• 9. Credit Card Fraud 5.3%
• 10. Overpayment Fraud 5.3%

In addition to its own duties, the FBI participates in non-profit organizations such as InfraGard. InfraGard is a private non-profit organization serving as a public-private partnership between U.S. businesses and the FBI. The organization describes itself as an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.[81] InfraGard states they are an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.[82]

Department of Justice

In the criminal division of the United States Department of Justice operates a section called the Computer Crime and Intellectual Property Section. The CCIPS is in charge of investigating computer crime and intellectual property crime and is specialized in the search and seizure of digital evidence in computers and networks.

As stated on their website:

“The Computer Crime and Intellectual Property Section (CCIPS) is responsible for implementing the Department’s national strategies in combating computer and intellectual property crimes worldwide. The Computer Crime Initiative is a comprehensive program designed to combat electronic penetrations, data thefts, and cyberattacks on critical information systems. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts.”[83]

USCYBERCOM

The United States Strategic Command (USSTRATCOM) is one of the nine Unified Combatant Commands of the United States Department of Defense (DoD). The Command, including components, employs more than 2,700 people, representing all four services, including the DoD civilians and contractors, who oversee the command’s operationally focused global strategic mission.

The United States Cyber Command, also known as USCYBERCOM, is a sub-unified command subordinate to USSTRATCOM. Its mission is to plan, coordinate, integrate, synchronize and conduct activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”[84]

8.8.8 FCC

The U.S. Federal Communications Commission's role in cyber security is to strengthen the protection of critical communications infrastructure, to assist in maintaining the reliability of networks during disasters, to aid in swift recovery after, and to ensure that first responders have access to effective communications services.[85]

8.8.9 Computer Emergency Readiness Team

Computer Emergency Response Team is a name given to expert groups that handle computer security incidents. In the US, two distinct organizations exist, although they do work closely together.

• US-CERT: the United States Computer Emergency Response Team is part of the National Cyber Security Division of the United States Department of Homeland Security.[86]
• CERT/CC: The Computer Emergency Response Team Coordination Center is a major coordination center created by the Defense Advanced Research Projects Agency (DARPA) and is run by the Software Engineering Institute (SEI).

8.9 International actions

A lot of different teams and organisations exist, mixing private and public members. Here are some examples:

• The Forum of Incident Response and Security Teams (FIRST) is the global association of CSIRTs.[87] The US-CERT, AT&T, Apple, Cisco, McAfee, Microsoft are all members of this international team.[88]
• The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime and its Protocol

on Xenophobia and Racism, the Cybercrime Convention Committee (T-CY) and the Project on Cybercrime.[89]
• The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.[90] France Telecom, , AT&T, Apple, Cisco, Sprint are some of the members of the MAAWG.[90]
• ENISA : The European Network and Information Security Agency (ENISA) is an agency of the European Union. It was created in 2004 by EU Regulation No 460/2004 and is fully operational since September 1, 2005. It has its seat in Heraklion, Crete (Greece).

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

8.9.1 Germany

starts National Cyber Defense Initiative

On June 16, 2011, the German Minister for Home Affairs, officially opened the new German NCAZ (National Center for Cyber Defense) Nationales Cyber-Abwehrzentrum, which is located in Bonn. The NCAZ closely cooperates with BSI (Federal Office for Information Security) Bundesamt für Sicherheit in der Informationstechnik, BKA (Federal Police Organisation) Bundeskriminalamt (Deutschland), BND (Federal Intelligence Service) Bundesnachrichtendienst, MAD (Military Intelligence Service) Amt für den Militärischen Abschirmdienst and other national organisations in Germany taking care of national security aspects. According to the Minister the primary task of the new organisation founded on February 23, 2011, is to detect and prevent attacks against the national infrastructure and mentioned incidents like Stuxnet.

8.9.2 South Korea

Following cyberattacks in the first half of 2013, whereby government, news-media, television station, and bank websites were compromised, the national government committed to the training of 5,000 new cybersecurity experts by 2017. The South Korean government blamed its northern counterpart on these attacks, as well as incidents that occurred in 2009, 2011, and 2012, but Pyongyang denies the accusations.[91]

Seoul, March 7, 2011 - South Korean police have contacted 35 countries to ask for cooperation in tracing the origin of a massive cyber attack on the Web sites of key government and financial institutions, amid a nationwide cyber security alert issued against further threats. The Web sites of about 30 key South Korean government agencies and financial institutions came under a so-called distributed denial-of-service (DDoS) attack for two days from Friday, with about 50,000 “zombie” computers infected with a virus seeking simultaneous access to selected sites and swamping them with traffic. As soon as the copies of overseas servers are obtained, the cyber investigation unit will analyse the data to track down the origin of the attacks made from countries, including the United States, Russia, Italy and Israel, the NPA noted.[92]

In late September 2013, a computer-security competition jointly sponsored by the defense ministry and the National Intelligence Service was announced. The winners will be announced on September 29, 2013 and will share a total prize pool of 80 million won (US$74,000).[91]

8.9.3 India

India has no specific law for dealing with cyber security related issues.[93] Some provisions for cyber security have been incorporated into rules framed under the Information Technology Act 2000 but they are grossly insufficient. Further, the National Cyber Security Policy 2013 has remained ineffective and non-implementable until now.[94] The cyber security trends and developments in India 2013 have listed the shortcomings of Indian cyber security policy in general and Indian cyber security initiatives in particular.[95] Indian cyber security policy has also failed to protect civil liberties of Indians including privacy rights.[96] Civil liberties protection in cyberspace has been blatantly ignored by Indian government and e-surveillance projects have been kept intact by the Narendra Modi government.[97] As a result Indian cyber security efforts are inadequate and not up to the mark. There is also no legal obligation for cyber security breach disclosures in India as well.[98]

However, the Indian Companies Act 2013 has introduced cyber law[99] and cyber security obligations[100] on the part of Indian directors. Cyber security obligations for e-commerce business in India have also been recognised recently.[101]

8.9.4 Canada

On October 3, 2010, Public Safety Canada unveiled Canada’s Cyber Security Strategy, following a Speech from the Throne commitment to boost the security of Canadian cyberspace.[102][103] The aim of the strategy is to strengthen Canada’s “cyber systems and critical infrastructure sectors, support economic growth and protect Canadians as they connect to each other and to the world.”[104] Three main pillars define the strategy: securing government systems, partnering to secure vital cyber systems outside the federal government, and helping Canadians to be secure online.[104] The strategy involves multiple departments and agencies across the Government of Canada.[105] The Cyber Incident Management Framework for Canada outlines these responsibilities, and provides a plan for coordinated response between government and other partners in the event of a cyber incident.[106] The Action Plan 2010-2015 for Canada’s Cyber Security Strategy outlines the ongoing implementation of the strategy.[107]

Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC) is responsible for mitigating and responding to threats to Canada’s critical infrastructure and cyber systems. The CCIRC provides support to mitigate cyber threats, technical support to respond and recover from targeted cyber attacks, and provides online tools for members of Canada’s critical infrastructure sectors.[108] The CCIRC posts regular cyber security bulletins on the Public Safety Canada website.[109] The CCIRC also operates an online reporting tool where individuals and organizations can report a cyber incident.[110] Canada’s Cyber Security Strategy is part of a larger, integrated approach to critical infrastructure protection, and functions as a counterpart document to the National Strategy and Action Plan for Critical Infrastructure.[105]

On September 27, 2010, Public Safety Canada partnered with STOP.THINK.CONNECT, a coalition of non-profit, private sector, and government organizations dedicated to informing the general public on how to protect themselves online.[111] On February 4, 2014, the Government of Canada launched the Cyber Security Cooperation Program.[112] The program is a $1.5 million five-year initiative aimed at improving Canada’s cyber systems through grants and contributions to projects in support of this objective.[113] Public Safety Canada aims to begin an evaluation of Canada’s Cyber Security Strategy in early 2015.[105] Public Safety Canada administers and routinely updates the GetCyberSafe portal for Canadian citizens, and carries out Cyber Security Awareness Month during October.[114]

8.10 National teams

Here are the main computer emergency response teams around the world. Every country has its own team to protect network security. February 27, 2014, the Chinese network security and information technology leadership team is established. The leadership team will focus on national security and long-term development, co-ordination of major issues related to network security and information technology economic, political, cultural, social, and military and other fields of research to develop network security and information technology strategy, planning and major macroeconomic policy promote national network security and information technology law, and constantly enhance security capabilities.

8.10.1 Europe

CSIRTs in Europe collaborate in the TERENA task force TF-CSIRT. TERENA's Trusted Introducer service provides an accreditation and certification scheme for CSIRTs in Europe. A full list of known CSIRTs in Europe is available from the Trusted Introducer website.

8.10.2 Other countries

• CERT Brazil, member of FIRST (Forum for Incident Response and Security Teams)
• CARNet CERT, Croatia, member of FIRST
• AE CERT, United Arab Emirates
• SingCERT, Singapore
• CERT-LEXSI, France, Canada, Singapore

8.11 Cybersecurity and modern warfare

Main article: Cyberwarfare

Cybersecurity is becoming increasingly important as more information and technology is being made available on cyberspace. There is growing concern among governments that cyberspace will become the next theatre of warfare. As Mark Clayton from the Christian Science Monitor described in an article titled “The New Cyber Arms Race”:

In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops,

the path of jet fighters, the command and control of warships.[115]

This has led to new terms such as “cyberwarfare” and “cyberterrorism.” More and more critical infrastructure is being controlled via computer programs that, while increasing efficiency, expose new vulnerabilities. The test will be to see if governments and corporations that control critical systems such as energy, communications and other critical information will be able to prevent attacks before they occur. As Jay Cross, the chief scientist of the Internet Time Group remarked, “Connectedness begets vulnerability.”[116]

8.12 The cyber security job market

Cyber Security is a fast-growing[117] field of IT concerned with reducing organizations’ risk of hack or . Commercial, government and non-governmental all employ cybersecurity professionals, but the use of the term “cybersecurity” in government job descriptions is more prevalent than in non-government job descriptions, in part due to government “cybersecurity” initiatives (as opposed to corporation’s “IT security” initiatives) and the establishment of government institutions like the US Cyber Command and the UK Defence Cyber Operations Group.[118]

Typical cybersecurity job titles and descriptions include:[119]

Security Analyst
Analyzes and assesses vulnerabilities in the infrastructure (software, hardware, networks), investigates available tools and countermeasures to remedy the detected vulnerabilities, and recommends solutions and best practices. Analyzes and assesses damage to the data/infrastructure as a result of security incidents, examines available recovery tools and processes, and recommends solutions. Tests for compliance with security policies and procedures. May assist in the creation, implementation, and/or management of security solutions.

Security Engineer
Performs security monitoring, security and data/logs analysis, and forensic analysis, to detect security incidents, and mounts incident response. Investigates and utilizes new technologies and processes to enhance security capabilities and implement improvements. May also review code or perform other security engineering methodologies.

Security Architect
Designs a security system or major components of a security system, and may head a security design team building a new security system.

Security Administrator
Installs and manages organization-wide security systems. May also take on some of the tasks of a security analyst in smaller organizations.

Chief Information Security Officer
A high-level management position responsible for the entire information security division/staff. The position may include hands-on technical work.

Security Consultant/Specialist/Intelligence
Broad titles that encompass any one or all of the other roles/titles, tasked with protecting computers, networks, software, data, and/or information systems against viruses, worms, spyware, malware, intrusion detection, unauthorized access, denial-of-service attacks, and an ever increasing list of attacks by hackers acting as individuals or as part of organized crime or foreign governments.

Student programs are also available to people interested in beginning a career in cybersecurity.[120][121] Meanwhile, a flexible and effective option for information security professionals of all experience levels to keep studying is online security training, including webcasts.[122][123][124]

8.13 Terminology

The following terms used with regards to engineering secure systems are explained below.

• Access authorization restricts access to a computer to group of users through the use of authentication systems. These systems can protect either the whole computer – such as through an interactive login screen – or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.
• Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).
• Applications with known security flaws should not be run. Either leave it turned off until it can be patched or otherwise fixed, or delete it and replace it with some other application. Publicly known flaws are the main entry used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.

• Authentication techniques can be used to ensure that communication end-points are who they say they are.

• Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.

• Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, tapes and more recently on the cloud. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or in a separate, offsite location than that in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that backs up files over the Internet for both business and individuals, known as the cloud.

    • Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such kind of disaster. Further, it is recommended that the alternate location be placed where the same disaster would not affect both locations. Examples of alternate disaster recovery sites being compromised by the same disaster that affected the primary site include having had a primary site in World Trade Center I and the recovery site in 7 World Trade Center, both of which were destroyed in the 9/11 attack, and having one’s primary site and recovery site in the same coastal region, which leads to both being vulnerable to hurricane damage (for example, primary site in New Orleans and recovery site in Jefferson Parish, both of which were hit by Hurricane Katrina in 2005). The backup media should be moved between the geographic sites in a secure manner, in order to prevent them from being stolen.

• Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. This section discusses their use.

• Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system’s designers.

• Confidentiality is the nondisclosure of information except to another authorized person.[125]

• Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.

Figure: Cryptographic techniques involve transforming information, scrambling it so it becomes unreadable during transmission. The intended recipient can unscramble the message; ideally, eavesdroppers cannot.

• Cyberwarfare is an Internet-based conflict that involves politically motivated attacks on information and information systems. Such attacks can, for example, disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.

• Data integrity is the accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record.[126]

• Encryption is used to protect the message from the eyes of others. Cryptographically secure ciphers are designed to make any practical attempt of breaking infeasible. Symmetric-key ciphers are suitable for bulk encryption using shared keys, and public-key encryption using digital certificates can provide a practical solution for the problem of securely communicating when no key is shared in advance.

• Endpoint security software helps networks to prevent exfiltration (data theft) and virus infection at network entry points made vulnerable by the prevalence of potentially infected portable computing devices, such as laptops and mobile devices, and external storage devices, such as USB drives.[127]

• Firewalls are an important method for control and security on the Internet and other networks. A network firewall can be a communications processor, typically a router, or a dedicated server, along with firewall software. A firewall serves as a gatekeeper system that protects a company’s intranets and other computer networks from intrusion by providing a filter and safe transfer point for access to and from the Internet and other networks. It screens all network traffic for proper passwords or other security codes and only allows authorized transmission in and out of the network. Firewalls can deter, but not completely prevent, unauthorized access (hacking) into computer networks; they can also provide some protection from online intrusion.

• Honey pots are computers that are either intentionally or unintentionally left vulnerable to attack by crackers. They can be used to catch crackers or fix vulnerabilities.

• Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.

• A microkernel is the near-minimum amount of software that can provide the mechanisms to implement an operating system. It is used solely to provide very low-level, very precisely defined machine code upon which an operating system can be developed. A simple example is the early '90s GEMSOS (Gemini Computers), which provided extremely low-level machine code, such as “segment” management, atop which an operating system could be built. The theory (in the case of “segments”) was that—rather than have the operating system itself worry about mandatory access separation by means of military-style labeling—it is safer if a low-level, independently scrutinized module can be charged solely with the management of individually labeled segments, be they memory “segments” or file system “segments” or executable text “segments.” If software below the visibility of the operating system is (as in this case) charged with labeling, there is no theoretically viable means for a clever hacker to subvert the labeling scheme, since the operating system per se does not provide mechanisms for interfering with labeling: the operating system is, essentially, a client (an “application,” arguably) atop the microkernel and, as such, subject to its restrictions.

• Pinging: The ping application can be used by potential crackers to find if an IP address is reachable. If a cracker finds a computer, they can try a port scan to detect and attack services on that computer.

• Social engineering awareness keeps employees aware of the dangers of social engineering; this, and/or having a policy in place to prevent social engineering, can reduce successful breaches of the network and servers.

8.14 Scholars

• Ross J. Anderson
• Annie Anton
• Adam Back
• Daniel J. Bernstein
• Stefan Brands
• L. Jean Camp
• Lance Cottrell
• Lorrie Cranor
• Cynthia Dwork
• Deborah Estrin
• Joan Feigenbaum
• Ian Goldberg
• Shafi Goldwasser
• Lawrence A. Gordon
• Peter Gutmann
• Paul Kocher
• Monica S. Lam
• Brian LaMacchia
• Kevin Mitnick
• Bruce Schneier
• Dawn Song
• Gene Spafford
• Joseph Steinberg
• Moti Yung
• Rakshit Tandon
• Matt Blaze

8.15 See also

• Attack tree
• CAPTCHA
• CERT
• CertiVox
• Cloud computing security
• Comparison of antivirus software
• Computer insecurity
• Computer security model
• Content security
• Countermeasure (computer)
• Cyber security standards
• Dancing pigs

• Data loss prevention products
• Data security
• Differentiated security
• Disk encryption
• Exploit (computer security)
• Fault tolerance
• Human-computer interaction (security)
• Identity Based Security
• Identity management
• Identity theft
• Information Leak Prevention
• Information Security Awareness
• Internet privacy
• ISO/IEC 15408
• IT risk
• List of Computer Security Certifications
• Mobile security
• Network security
• Network Security Toolkit
• Next-Generation Firewall
• Open security
• OWASP
• Penetration test
• Physical information security
• Presumed security
• Privacy software
• Proactive Cyber Defence
• Risk cybernetics
• Sandbox (computer security)
• Separation of protection and security
• Software Defined Perimeter
• Cyber Insurance

8.16 Further reading

• Chwan-Hwa (John) Wu and J. David Irwin, Introduction to Computer Networks and Cybersecurity (Boca Raton: CRC Press, 2013), ISBN 978-1466572133.
• Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness (Second Edition) (Switzerland: Springer International Publishing, 2015), ISBN 978-3-319-17243-9.
• P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014), ISBN 978-0199918119.
• Peter Kim, The Hacker Playbook: Practical Guide To Penetration Testing (Seattle: CreateSpace Independent Publishing Platform, 2014), ISBN 978-1494932633.

8.17 References

[1] “Reliance spells end of road for ICT amateurs”, May 07, 2013, The Australian

[2] http://www.evolllution.com/opinions/cybersecurity-understanding-online-threat/

[3] Arcos Sergio. “Social Engineering” (PDF).

[4] Moore, R. (2005) “Cybercrime: Investigating High-Technology Computer Crime,” Cleveland, Mississippi: Anderson Publishing.

[5] J. C. Willemssen, “FAA Computer Security”. GAO/T-AIMD-00-330. Presented at Committee on Science, House of Representatives, 2000.

[6] Pagliery, Jose. “Hackers attacked the U.S. energy grid 79 times this year”. CNN Money. Cable News Network. Retrieved 16 April 2015.

[7] P. G. Neumann, “Computer Security in Aviation,” presented at International Conference on Aviation Safety and Security in the 21st Century, White House Commission on Safety and Security, 1997.

[8] J. Zellan, Aviation Security. Hauppauge, NY: Science, 2003, pp. 65–70.

[9] http://www.securityweek.com/air-traffic-control-systems-vulnerabilities-could-make-unfriendly-skies-black-hat

[10] http://www.npr.org/blogs/alltechconsidered/2014/08/04/337794061/hacker-says-he-can-break-into-airplane-systems-using-in-flight-wi-fi

[11] http://www.reuters.com/article/2014/08/04/us-cybersecurity-hackers-airplanes-idUSKBN0G40WQ20140804

[12] http://www.npr.org/blogs/alltechconsidered/2014/08/06/338334508/is-your-watch-or-thermostat-a-spy-cyber-security-firms-are-on-it

[13] http://www.vox.com/2015/1/18/7629603/car-hacking-dangers

[14] http://www.autosec.org/pubs/cars-usenixsec2011.pdf

[15] http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf

[16] Cashell, B., Jackson, W. D., Jickling, M., & Webel, B. (2004). The Economic Impact of Cyber-Attacks. Congressional Research Service, Government and Finance Division. Washington DC: The Library of Congress.

[17] Gordon, Lawrence; Loeb, Martin (November 2002). “The Economics of Information Security Investment”. ACM Transactions on Information and System Security 5 (4): 438-457. doi:10.1145/581271.581274.

[18] Krebs, Brian. “Massive Profits Fueling Rogue Antivirus Market”. Washington Post. Retrieved 13 June 2014.

[19] RFC 2828 Internet Security Glossary

[20] CNSS Instruction No. 4009 dated 26 April 2010

[21] InfosecToday Glossary

[22] Symantec. (2010). State of Enterprise Security 2010.

[23] Richardson, R. (2010). 2009 CSI Computer Crime & Security Survey. Computer Security Institute. Computer Security Institute.

[24] “Firms lose more to electronic than physical theft”. Reuters.

[25] Definitions: IT Security Architecture. SecurityArchitecture.org, Jan, 2006

[26] Jannsen, Cory. “Security Architecture”. Techopedia. Janalta Interactive Inc. Retrieved 9 October 2014.

[27] The Hacker in Your Hardware: The Next Security Threat August 4, 2010 Scientific American

[28] Waksman, Adam; Sethumadhavan, Simha (2010), “Tamper Evident Microprocessors” (PDF), Proceedings of the IEEE Symposium on Security and Privacy (Oakland, California)

[29] “Sentinel HASP HL”. E-Spin. Retrieved 2014-03-20.

[30] “Token-based authentication”. SafeNet.com. Retrieved 2014-03-20.

[31] “Lock and protect your Windows PC”. TheWindowsClub.com. Retrieved 2014-03-20.

[32] James Greene (2012). “Intel Trusted Execution Technology: White Paper” (PDF). Intel Corporation. Retrieved 2013-12-18.

[33] “SafeNet ProtectDrive 8.4”. SCMagazine.com. 2008-10-04. Retrieved 2014-03-20.

[34] “Secure Hard Drives: Lock Down Your Data”. PCMag.com. 2009-05-11.

[35] “Top 10 vulnerabilities inside the network”. Network World. 2010-11-08. Retrieved 2014-03-20.

[36] “Forget IDs, use your phone as credentials”. Fox Business Network. 2013-11-04. Retrieved 2014-03-20.

[37] “Secure Coding in C and C++, Second Edition”. Cert.org. Retrieved 2013-09-25.

[38] New hacking technique exploits common programming error. SearchSecurity.com, July 2007

[39] Justin P. Webb (16 October 2012). “Hacking Back - are you authorized? A discussion of whether it’s an invitation to federal prison or a justified reaction/strategy?". Cybercrime Review. Cybercrime Review. Retrieved 24 September 2013.

[40] Jonathan Zittrain, 'The Future of The Internet', Penguin Books, 2008

[41] Information Security. United States Department of Defense, 1986

[42] “THE TJX COMPANIES, INC. VICTIMIZED BY COMPUTER SYSTEMS INTRUSION; PROVIDES INFORMATION TO HELP PROTECT CUSTOMERS” (Press release). The TJX Companies, Inc. 2007-01-17. Retrieved 2009-12-12.

[43] Largest Customer Info Breach Grows. MyFox Twin Cities, 29 March 2007.

[44] “The Stuxnet Attack On Iran’s Nuclear Plant Was 'Far More Dangerous’ Than Previously Thought”. Business Insider. 20 November 2013.

[45] Reals, Tucker (24 September 2010). “Stuxnet Worm a U.S. Cyber-Attack on Iran Nukes?". CBS News.

[46] Kim Zetter (17 February 2011). “Cyberwar Issues Likely to Be Addressed Only After a Catastrophe”. Wired. Retrieved 18 February 2011.

[47] Chris Carroll (18 October 2011). “Cone of silence surrounds U.S. cyberwarfare”. Stars and Stripes. Retrieved 30 October 2011.

[48] John Bumgarner (27 April 2010). “Computers as Weapons of War” (PDF). IO Journal. Retrieved 30 October 2011.

[49] Seipel, Hubert. “Transcript: ARD interview with Edward Snowden”. La Foundation Courage. Retrieved 11 June 2014.

[50] by Pentagon Papers leaker Daniel Ellsberg

[51] “Can You Trust NIST?".

[52] “New Snowden Leak: NSA Tapped Google, Yahoo Data Centers”, Oct 31, 2013, Lorenzo Franceschi-Bicchierai, mashable.com

[53] “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”

[54] “Home Depot says 53 million emails stolen”

[55] “Conflict Of Laws In Cyberspace, Internet And Computer Era”. Conflict Of Laws In Cyberspace, Internet And Computer Era. 9 October 2013. Retrieved 6 September 2014.

[56] “International Cyber Law Treaty Is Required”. Perry4Law Organisation’s Blog – An Exclusive And Global Techno Legal Knowledge Base. 10 October 2012. Retrieved 6 September 2014.

[57] “International Cyber Security Treaty Is Required” (PDF). Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 9 January 2014. Retrieved 6 September 2014.

[58] “International Legal Issues Of Cyber Attacks, Cyber Terrorism, Cyber Espionage, Cyber Warfare And Cyber Crimes”. International And Indian Legal Issues Of Cyber Security. 11 March 2014. Retrieved 6 September 2014.

[59] “International Legal Issues Of Cyber Attacks And Indian Perspective”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 22 March 2014. Retrieved 6 September 2014.

[60] “Mikko Hypponen: Fighting viruses, defending the net”. TED.

[61] “Mikko Hypponen - Behind Enemy Lines”. Hack In The Box Security Conference.

[62] “Cross Border Cyber Attacks, Authorship Attribution And Cyber Crimes Convictions”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 29 March 2013. Retrieved 6 September 2014.

[63] “Dynamic DNS, Fast Flux, Bullet Proof Servers And Botnet: A Paradise For Cyber Criminals”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 27 April 2013. Retrieved 6 September 2014.

[64] White, G., & Long, J. (2010). Global information security factors. International Journal of Information Security and Privacy (IJISP), 4(2), 49-60. doi:10.4018/jisp.2010040104

[65] “European Cybercrime Centre set for launch”. VirusBulletin.

[66] “European Cybercrime Centre (EC3)". Europol.

[67] Kirby, Carrie (June 24, 2011). “Former White House aide backs some Net regulation / Clarke says government, industry deserve 'F' in cybersecurity”. The San Francisco Chronicle.

[68] Cybersecurity Act of 2010 - http://www.opencongress.org/bill/111-s773/text

[69] “Text of H.R.4962 as Introduced in House: International Cybercrime Reporting and Cooperation Act - U.S. Congress”. OpenCongress. Retrieved 2013-09-25.

[70] H.R.4962 - International Cybercrime Reporting and Cooperation Act, OpenCongress.org. Retrieved on June 26, 2010.

[71]

[72] “Senators Say Cybersecurity Bill Has No Kill Switch”. Informationweek.com. June 24, 2010. Retrieved June 25, 2010.

[73] Declan McCullagh, CNET. "White House proposes cybersecurity legislation.” May 12, 2011. Retrieved May 12, 2011.

[74] http://www.usatoday.com/story/tech/2015/02/13/obama-cybersecurity-summit-stanford/23328123/

[75] “National Cyber Security Division”. U.S. Department of Homeland Security. Retrieved June 14, 2008.

[76] “FAQ: Cyber Security R&D Center”. U.S. Department of Homeland Security S&T Directorate. Retrieved June 14, 2008.

[77] AFP-JiJi, “U.S. boots up cybersecurity center”, October 31, 2009.

[78] “Federal Bureau of Investigation - Priorities”. Federal Bureau of Investigation.

[79] Internet Crime Complaint Center

[80] “2010 Annual Report - Internet Crime Complaint Center” (PDF). IC3.

[81] “Robert S. Mueller, III -- InfraGard Interview at the 2005 InfraGard Conference”. Infragard (Official Site) -- “Media Room”. Retrieved 9 December 2009.

[82] “Infragard, Official Site”. Infragard. Retrieved 10 September 2010.

[83] “CCIPS”.

[84] U.S. Department of Defense, Cyber Command Fact Sheet, May 21, 2010 http://www.stratcom.mil/factsheets/Cyber_Command/

[85] “FCC Cyber Security”. FCC.

[86] Verton, Dan (January 28, 2004). “DHS launches national cyber alert system”. Computerworld (IDG). Retrieved 2008-06-15.

[87] “FIRST website”.

[88] “First members”.

[89] “European council”.

[90] “MAAWG”.

[91] Kwanwoo Jun (23 September 2013). “Seoul Puts a Price on Cyberdefense”. Wall Street Journal. Dow Jones & Company, Inc. Retrieved 24 September 2013.

[92] “South Korea seeks global support in cyber attack probe”. BBC Monitoring Asia Pacific. 7 March 2011.

[93] “Cyber Security Laws In India Needed”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 9 March 2014. Retrieved 6 September 2014.

[94] “National Cyber Security Policy Of India 2013 (NCSP 2013)". Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 26 December 2013. Retrieved 6 September 2014.

[95] “Cyber Security Trends And Developments In India 2013” (PDF). Perry4Law’s Techno Legal Base (PTLB). 30 December 2013. Retrieved 6 September 2014.

[96] “National Cyber Security Policy Of India Has Failed To Protect Privacy Rights In India”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 4 July 2013. Retrieved 6 September 2014.

[97] “Civil Liberties Protection In Cyberspace”. Human Rights Protection In Cybersapce. 20 June 2009. Retrieved 6 September 2014.

[98] “Indian Government Is Planning A Legislation Mandating Strict Cyber Security Disclosure Norms In India”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 27 March 2013. Retrieved 6 September 2014.

[99] “Cyber Law Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013”. Cyber Laws In India And Technology Laws And Regulations In India. 7 April 2014. Retrieved 6 September 2014.

[100] “Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013”. Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI). 6 April 2014. Retrieved 6 September 2014.

[101] “Cyber Security Issues Of E-Commerce Business In India”. E-Retailing Laws And Regulations In India. 13 August 2014. Retrieved 6 September 2014.

[102] (Press Release) “Government of Canada Launches Canada’s Cyber Security Strategy”. Market Wired. 3 October 2010. Retrieved 1 November 2014.

[103] “Canada’s Cyber Security Strategy”.

[104] “Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Retrieved 1 November 2014.

[105] “Action Plan 2010-2015 for Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Retrieved 3 November 2014.

[106] “Cyber Incident Management Framework For Canada”. Public Safety Canada. Government of Canada. Retrieved 3 November 2014.

[107] “Action Plan 2010-2015 for Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Retrieved 1 November 2014.

[108] “Canadian Cyber Incident Response Centre”. Public Safety Canada. Retrieved 1 November 2014.

[109] “Cyber Security Bulletins”. Public Safety Canada. Retrieved 1 November 2014.

[110] “Report a Cyber Security Incident”. Public Safety Canada. Government of Canada. Retrieved 3 November 2014.

[111] “Government of Canada Launches Cyber Security Awareness Month With New Public Awareness Partnership”. Market Wired (Government of Canada). 27 September 2012. Retrieved 3 November 2014.

[112] “Cyber Security Cooperation Program”. Public Safety Canada. Retrieved 1 November 2014.

[113] “Cyber Security Cooperation Program”. Public Safety Canada.

[114] “GetCyberSafe”. Get Cyber Safe. Government of Canada. Retrieved 3 November 2014.

[115] Clayton, Mark. “The new cyber arms race”. The Christian Science Monitor. Retrieved 16 April 2015.

[116] Clayton, Mark. “The new cyber arms race”. The Christian Science Monitor. Retrieved 16 April 2015.

[117] “The Growth of Cybersecurity Jobs”. Mar 2014. Retrieved 24 April 2014.

[118] de Silva, Richard (11 Oct 2011). “Government vs. Commerce: The Cyber Security Industry and You (Part One)". Defence IQ. Retrieved 24 Apr 2014.

[119] “Department of Computer Science”. Retrieved April 30, 2013.

[120] "(Information for) Students”. NICCS (US National Initiative for Cybercareers and Studies). Retrieved 24 April 2014.

[121] “Current Job Opportunities at DHS”. U.S. Department of Homeland Security. Retrieved 2013-05-05.

[122] “Cybersecurity Training & Exercises”. U.S. Department of Homeland Security. Retrieved 2015-01-09.

[123] “Cyber Security Awareness Free Training and Webcasts”. MS-ISAC (Multi-State Information Sharing & Analysis Center. Retrieved 9 January 2015.

[124] “Security Training Courses”. LearnQuest. Retrieved 2015-01-09.

[125] “Confidentiality”. Retrieved 2011-10-31.

[126] “Data Integrity”. Retrieved 2011-10-31.

[127] “Endpoint Security”. Retrieved 2014-03-15.

8.18 External links

• Computer security at DMOZ

Chapter 9

Computer worm

This article is about malware. For the data storage device, see Write Once Read Many. For other uses, see worm (disambiguation).

Figure: Hex dump of the worm, showing a message left for Microsoft CEO Bill Gates by the worm programmer

Figure: Spread of Conficker worm

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers.[1] Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program.[2] Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Many worms that have been created are designed only to spread, and do not attempt to change the systems they pass through. However, as the Morris worm and Mydoom showed, even these “payload free” worms can cause major disruption by increasing network traffic and other unintended effects. A "payload" is code in the worm designed to do more than spread the worm—it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website’s address.[3] Spammers are therefore thought to be a source of funding for the creation of such worms,[4][5] and the worm writers have been caught selling lists of IP addresses of infected machines.[6] Others try to blackmail companies with threatened DoS attacks.[7]

Users can minimize the threat posed by worms by keeping their computers’ operating system and other software up-to-date, avoiding opening unrecognized or unexpected emails, and running firewall and antivirus software.[8]

Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which can spread using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.[9]

9.1 Worms with good intent

Beginning with the very first research into worms at Xerox PARC, there have been attempts to create useful worms. Those worms allowed testing by John Shoch and Jon Hupp of the Ethernet principles on their network of Xerox Alto computers. The Nachi family of worms tried to download and install patches from Microsoft’s website to fix vulnerabilities in the host system—by exploiting those same vulnerabilities.[10] In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer’s owner or user. Regardless of their payload or their writers’ intentions, most security experts regard all worms as malware.

Several worms, like XSS worms, have been written to research how worms spread, for example the effects of changes in social activity or user behavior. One study proposed what seems to be the first computer worm that operates on the second layer of the OSI model (Data link Layer); it utilizes topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered.[11]

9.2 Protecting against dangerous computer worms

Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates[12] (see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vulnerability is disclosed before the security patch is released by the vendor, a zero-day attack is possible.

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.

In the April–June, 2008, issue of IEEE Transactions on Dependable and Secure Computing, computer scientists describe a potential new way to combat internet worms. The researchers discovered how to contain the kind of worm that scans the Internet randomly, looking for vulnerable hosts to infect. They found that the key is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans, it is a sign that it has been infected, allowing administrators to take it off line and check it for malware.[13][14] In addition, machine learning techniques can be used to detect new worms, by analyzing the behavior of the suspected computer.[15]

9.3 Mitigation techniques

• ACLs in routers and switches
• Packet-filters
• TCP Wrapper/libwrap enabled network service daemons
• Nullrouting

9.4 History

Figure: Morris Worm source code disk at the Computer History Museum

The actual term “worm” was first used in John Brunner's 1975 novel, The Shockwave Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity. “You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it... There’s never been a worm with that tough a head or that long a tail!"[16]

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting a large number of computers then on the Internet, guessed at the time to be one tenth of all those connected.[17] During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the virus from each installation was in the range of $200–53,000. The worm prompted the formation of the CERT Coordination Center[18] and Phage mailing list.[19] Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.[20]
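The scan-count monitoring described in section 9.2 (watch how many scans each machine sends out and take a machine off line when the number gets too high) can be illustrated with the following added example, which is not code from the cited paper or from the original article. The flow-record fields, the 60-second window, the threshold of 10 and every address are assumptions constructed for illustration; a "scan" is approximated here as a failed connection attempt to a distinct destination.

```python
"""Flag hosts whose failed connection attempts fan out to too many
distinct destinations inside a sliding time window."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since start of capture
    src: str           # internal source address
    dst: str           # destination address
    dport: int
    established: bool  # False: no answer or reset, i.e. a failed attempt


class ScanMonitor:
    def __init__(self, window_s=60.0, max_failed_dsts=10):
        self.window_s = window_s                # assumed window length
        self.max_failed_dsts = max_failed_dsts  # assumed threshold
        self._events = defaultdict(deque)       # src -> deque of (ts, dst)
        self._counts = defaultdict(dict)        # src -> {dst: attempts in window}
        self.quarantined = {}                   # src -> time it was flagged

    def observe(self, flow):
        """Feed one flow record (in time order); True if it trips the threshold."""
        if flow.established or flow.src in self.quarantined:
            return False
        events, counts = self._events[flow.src], self._counts[flow.src]
        events.append((flow.ts, flow.dst))
        counts[flow.dst] = counts.get(flow.dst, 0) + 1
        # Drop attempts that have aged out of the window.
        while events and events[0][0] <= flow.ts - self.window_s:
            _, old_dst = events.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if len(counts) > self.max_failed_dsts:
            self.quarantined[flow.src] = flow.ts
            return True
        return False


def detect(flows, window_s=60.0, max_failed_dsts=10):
    """Replay flow records in time order; return {src: time flagged}."""
    monitor = ScanMonitor(window_s, max_failed_dsts)
    for flow in sorted(flows, key=lambda f: f.ts):
        monitor.observe(flow)
    return monitor.quarantined


def build_sample_flows():
    """Constructed sample data, not taken from any real capture."""
    flows = []
    # Workstation talking successfully to two servers: never counted.
    for i in range(30):
        dst = "10.0.2.10" if i % 2 else "10.0.2.11"
        flows.append(Flow(i * 2.0, "10.0.0.5", dst, 443, True))
    # Host with stale configuration: one failed attempt every 50 s, so at
    # most two distinct destinations ever share a 60 s window.
    for i in range(12):
        flows.append(Flow(i * 50.0, "10.0.0.8", f"10.0.3.{i + 1}", 445, False))
    # Infected host: failed attempts to 30 distinct addresses, 0.5 s apart.
    for i in range(30):
        flows.append(Flow(100.0 + i * 0.5, "10.0.0.23", f"10.0.1.{i + 1}", 445, False))
    return flows


if __name__ == "__main__":
    for host, when in detect(build_sample_flows()).items():
        print(f"take {host} off line for inspection (flagged at t={when}s)")
```

Counting distinct destinations inside a window, rather than total failures, is what keeps the host with the stale configuration from being flagged alongside the infected one.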

9.5 See also

• Computer and network surveillance
• Computer virus
• Helpful worm
• Spam
• Timeline of notable computer viruses and worms
• Trojan horse (computing)
• XSS Worm

9.6 References

[1] Barwise, Mike. “What is an internet worm?". BBC. Retrieved 9 September 2010.

[2] “Difference between a computer virus and a computer worm”. USCB ScienceLine.

[3] Ray, Tiernan (February 18, 2004). “Business & Technology: E-mail viruses blamed as spam rises sharply”. The Seattle Times.

[4] McWilliams, Brian (October 9, 2003). “Cloaking Device Made for Spammers”. Wired.

[5] “Unavailable”.

[6] “Uncovered: Trojans as Spam Robots”. heise online. 2004-02-21. Archived from the original on 2009-05-28. Retrieved 2012-11-02.

[7] “Hacker threats to bookies probed”. BBC News. February 23, 2004.

[8] “Computer Worm Information and Removal Steps”. Veracode. Retrieved 2015-04-04.

[9] “Sony Ships Sneaky DRM Software”. Pcworld.com. 2005-11-01. Retrieved 2012-06-10.

[10] “Virus alert about the Nachi worm”. Microsoft.

[11] Al-Salloum, Z. S.; Wolthusen, S. D. (2010). “A link-layer-based self-replicating vulnerability discovery agent”. The IEEE symposium on Computers and Communications. p. 704. doi:10.1109/ISCC.2010.5546723. ISBN 978-1-4244-7754-8.

[12] “USN list”. Ubuntu. Retrieved 2012-06-10.

[13] Sellke, S. H.; Shroff, N. B.; Bagchi, S. (2008). “Modeling and Automated Containment of Worms”. IEEE Transactions on Dependable and Secure Computing 5 (2): 71–86. doi:10.1109/tdsc.2007.70230.

[14] “A New Way to Protect Computer Networks from Internet Worms”. Newswise. Retrieved July 5, 2011.

[15] Moskovitch R., Elovici Y., Rokach L. (2008), Detection of unknown computer worms based on behavioral classification of the host, Computational Statistics and Data Analysis, 52(9):4544–4566, DOI 10.1016/j.csda.2008.01.028

[16] Brunner, John (1975). The Shockwave Rider. New York: Ballantine Books. ISBN 0-06-010559-3.

[17] “The Submarine”.

[18] “Security of the Internet”. CERT/CC.

[19] “Phage mailing list”. securitydigest.org.

[20] Dressler, J. (2007). “United States v. Morris”. Cases and Materials on Criminal Law. St. Paul, MN: Thomson/West. ISBN 978-0-314-17719-3.

9.7 External links

• Malware Guide – Guide for understanding, removing and preventing worm infections on Vernalex.com.
• “The 'Worm' Programs – Early Experience with a Distributed Computation”, John Shoch and Jon Hupp, Communications of the ACM, Volume 25 Issue 3 (March 1982), pages 172–180.
• “The Case for Using Layered Defenses to Stop Worms”, Unclassified report from the U.S. National Security Agency (NSA), 18 June 2004.
• Worm Evolution, paper by Jago Maniscalchi on Digital Threat, 31 May 2009.

Chapter 10

Crimeware

Crimeware is a class of malware designed specifically to automate cybercrime.[1]

Crimeware (as distinct from spyware and adware) is designed to perpetrate identity theft through social engineering or technical stealth in order to access a computer user’s financial and retail accounts for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the cyberthief. Alternatively, crimeware may steal confidential or sensitive corporate information. Crimeware represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.

10.1 Examples

Criminals use a variety of techniques to steal confidential data through crimeware, including through the following methods:

• Surreptitiously install keystroke loggers to collect sensitive data—login and password information for online bank accounts, for example—and report them back to the thief.[2]

• Redirect a user’s web browser to a counterfeit website controlled by the thief even when the user types the website’s proper domain name in the address bar.[3]

• Steal passwords cached on a user’s system.

• Hijack a user session at a financial institution and drain the account without the user’s knowledge.

• Enable remote access into applications, allowing criminals to break into networks for malicious purposes.

• Encrypt all data on a computer and require the user to pay a ransom to decrypt it (ransomware).

10.2 Delivery vectors

Crimeware threats can be installed on victims’ computers through multiple delivery vectors, including:

• Vulnerabilities in Web applications. The Bankash.G Trojan, for example, exploited an Internet Explorer vulnerability to steal passwords and monitor user input on webmail and online commerce sites.[3]

• Targeted attacks sent via SMTP. These social-engineered threats often arrive disguised as valid e-mail messages and include specific company information and sender addresses. The malicious e-mails use social engineering to manipulate users to open the attachment and execute the payload.[4]

• Remote exploits that exploit vulnerabilities on servers and clients

10.3 Concerns

Crimeware can have significant economic impact due to loss of sensitive and proprietary information and associated financial losses. One survey estimates that in 2005 organizations lost in excess of $30 million due to the theft of proprietary information.[5] The theft of financial or confidential information from corporate networks often places the organizations in violation of government and industry-imposed regulatory requirements that attempt to ensure that financial, personal and confidential.

10.3.1 United States

US laws and regulations include:

• Sarbanes-Oxley Act

• Health Insurance Portability and Accountability Act (HIPAA)

• Gramm-Leach-Bliley Act

• Family Educational Rights and Privacy Act

• California Senate Bill 1386

• Payment Card Industry Data Security Standard


10.4 See also

• Malware

• Metasploit Project

• Targeted attacks

• Phishing

• Spyware

10.5 References

[1] “Crimeware: Understanding New Attacks and Defenses”. informit.

[2] “Cyberthieves Silently Copy Your Password”

[3] Symantec Internet Security Report, Vol. IX, March 2006, p. 71

[4] “Protecting Corporate Assets from E-mail Crimeware”. Avinti, Inc., p. 1

[5] CSI/FBI Computer Crime and Security Survey 2005, p.15

10.6 External links

• Symantec Internet Security Threat Report

• Computer Security Institute

• Real-Time Hackers Foil Two-Factor Security (Technology Review September 18, 2009)

• Cyber Crooks Target Public & Private Schools (Washington Post September 14, 2009)

• Crimeware gets worse - How to avoid being robbed by your PC (Computerworld September 26, 2009)

Chapter 11

Cryptovirology

Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what a malware analyst sees regarding malware and what the malware creator sees. The former sees a public key in the malware whereas the latter sees the public key as well as the corresponding private key since the malware designer created the key pair for the attack. The public key allows the malware to perform trapdoor one-way operations on the victim’s computer that only the malware creator can undo.

The first attack that was identified in the field is called “cryptoviral extortion”.[1] In this attack a virus, worm, or trojan hybrid encrypts the victim’s files and the victim must pay the malware author to receive the needed session key (which is encrypted under the malware creator’s public key that is contained in the malware). The victim needs the session key if the files are needed and there are no backups of them.

The field also encompasses covert attacks in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography, a subfield of cryptovirology, is the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, and other cryptographic algorithms. The NIST Dual EC DRBG random bit generator has an alleged asymmetric backdoor in it. The EC-DRBG algorithm utilizes the discrete-log kleptogram from Kleptography. There is a misconception that cryptovirology is mostly about extortion attacks (overt attacks). In fact, the vast majority of cryptovirology attacks are covert in nature.

11.1 General information

Cryptovirology was born in academia.[1][2] However, practitioners have recently expanded the scope of the field to include the analysis of cryptographic algorithms used by malware writers, attacks on these algorithms using automated methods (such as X-raying[3]) and analysis of viruses’ and packers’ encryptors. Also included is the study of cryptography-based techniques (such as “delayed code”[4]) developed by malware writers to hamper malware analysis.

A “questionable encryption scheme”, which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem (3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a “fake” public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data “encrypted” using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data “enciphered” using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized witness of decipherability or indecipherability, whichever may be the case.

An application of a questionable encryption scheme is a trojan that gathers plaintext from the host, “encrypts” it using the trojan’s own public key (which may be real or fake), and then exfiltrates the resulting “ciphertext”. In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan “encrypts” data risks being proven wrong by the malware author (e.g., anonymously).

When the public key is fake, the attacker gets no plaintext from the trojan. So what’s the use? A spoofing attack is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analyzed, the attacker anonymously posts the witnesses of
non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such “public keys”, since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.

There are many other attacks in the field of cryptovirology that are not mentioned here.

11.2 Examples of viruses with cryptography and ransom capabilities

While viruses in the wild have used cryptography in the past, the only purpose of such usage of cryptography was to avoid detection by antivirus software. For example, the tremor virus[5] used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The One-half virus[6] was amongst the first viruses known to have encrypted affected files. However, the One_half virus was not ransomware, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography. An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A.[7] This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union.

Virus.Win32.Gpcode.ag is a classic cryptovirus.[8] This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor.

11.3 Creation of cryptoviruses

To successfully write a cryptovirus, a thorough knowledge of the various cryptographic primitives such as random number generators, proper recommended cipher text chaining modes etc. are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft's Cryptographic API (CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.[9]

11.4 Other uses of cryptography enabled malware

Apart from cryptoviral extortion, there are other potential uses[2] of cryptoviruses. They are used in deniable password snatching, used with cryptocounters, used with private information retrieval and used in secure communication between different instances of a distributed cryptovirus.

11.5 References

[1] A. Young, M. Yung. “Cryptovirology: Extortion-Based Security Threats and Countermeasures”. IEEE Symposium on Security & Privacy, May 6–8, 1996. pp. 129–141. IEEEExplore: Cryptovirology: extortion-based security threats and countermeasures

[2] A. Young, M. Yung (2004). Malicious Cryptography: Exposing Cryptovirology. Wiley. ISBN 0-7645-4975-8.

[3] F. Perriot, P. Ferrie (2004). “Principles and Practise of X-Raying” (PDF). Virus Bulletin Conference.

[4] Z0mbie (2000). “"DELAYED CODE" technology (version 1.1)”. white paper. Netlux: Delayed code technology

[5] F-Secure virus descriptions: Tremor

[6] Symantec security response: One_Half

[7] Sophos security analyses: Troj_Ransom.A

[8] Viruslist: Virus.Win32.Gpcode.ag

[9] A. Young. “Cryptoviral Extortion Using Microsoft’s Crypto API”. International Journal of Information Security, Volume 5, Issue 2, April 2006. pp. 67–76. SpringerLink: Cryptoviral extortion using Microsoft’s Crypto API

11.6 External links

• Cryptovirology Labs - site maintained by Adam Young and Moti Yung

• Cryptography and cryptovirology articles at VX Heavens

• Cryzip Trojan Encrypts Files, Demands Ransom

• Can a virus lead an enterprise to court?

• A student report entitled Superworms and Cryptovirology

• Next Virus Generation: an Overview (cryptoviruses) by Angelo P. E. Rosiello

Chapter 12

DEF CON

This article is about the computer security convention. For other uses, see Defcon (disambiguation).

DEF CON (also written as DEFCON or Defcon) is one of the world’s largest annual hacker conventions, held every year in Las Vegas, Nevada. The first DEF CON took place in June 1993.

A team participating in a CTF competition at DEFCON 17

A DEFCON 13 “human” badge

Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be “cracked.” The event consists of several tracks of speakers about computer- and cracking-related subjects, as well as social events and contests in everything from creating the longest Wi-Fi connection and cracking computer systems to who can most effectively cool a beer in the Nevada heat. Other contests include lockpicking, robotics-related contests (discontinued), art, slogan, coffee wars (not currently running), scavenger hunt and Capture the Flag. Capture the Flag (CTF) is perhaps the best known of these contests. It is a hacking competition where teams of crackers attempt to attack and defend computers and networks using certain software and network structures. CTF has been emulated at other cracking conferences as well as in academic and military contexts.

Conference founder Jeff Moss contends that the quality of submitted talks has diminished since DEF CON’s inception because security researchers have found companies and government agencies to pay for the research, leaving the researchers less willing to unveil their zero-day vulnerability research “for free” at DEF CON.[1] Additionally, the conference has gone from one track to five and accepting speaker proposals for five times the research lowers the density of “elite” speeches.

Since DEF CON 11, fundraisers have been conducted for the Electronic Frontier Foundation. The first fundraiser was a dunk tank and was an “official” event. The EFF now has an event named “The Summit” hosted by the Vegas 2.0 crew that is an open event and fundraiser. DefCon 18 (2010) hosted a new fundraiser called MohawkCon. In 2010, over 10,000 people attended DEF CON 18.

Federal law enforcement agents from the FBI, DoD, United States Postal Inspection Service, and other agencies regularly attend DEF CON.[2][3]

DEF CON was also portrayed in The X-Files episode “Three of a Kind” featuring an appearance by The Lone Gunmen. DEF CON was portrayed as a United States government-sponsored convention instead of a civilian convention.


12.1 History

DEF CON was founded in 1992 by Jeff Moss as a farewell party for his friend and fellow cracker. The party was planned for Las Vegas a few days before his friend was to leave the United States, because his father had accepted employment out of the country. However, his friend’s father left early, taking his friend along, so Jeff was left alone with the entire party planned. Jeff decided to invite all his cracker friends to go to Las Vegas with him and have the party with them instead. Cracker friends from far and wide got together and laid the foundation for DEF CON, with roughly 100 persons in attendance. The term DEF CON comes from the movie WarGames, referencing the U.S. Armed Forces defense readiness condition (DEFCON). In the movie, Las Vegas was selected as a nuclear target, and since the event was being hosted in Las Vegas, it occurred to Jeff Moss to name the convention DEFCON. However, to a lesser extent, CON also stands for convention and DEF is taken from the letters on the number 3 on a telephone keypad, a reference to phone phreakers. DEF CON was planned to be a one-time event, a party for his friend, but he kept getting emails from people encouraging him to host again the next year. After a while, he was convinced to host the event again, and the attendance nearly doubled the second year.[4]

A semi-fictionalized account of DefCon II, “Cyber Christ Meets Lady Luck” written by Winn Schwartau demonstrates some of the early DefCon culture.[5]

12.2 Noteworthy incidents

12.2.1 1999

On July 10, 1999, the Cult of the Dead Cow hacker collective released Back Orifice 2000 at DEF CON 7, in what was, at the time, the largest presentation in DEF CON history.

12.2.2 2001

On July 16, 2001, Russian programmer Dmitry Sklyarov was arrested the day after DEF CON for writing software to decrypt Adobe’s e-book format.

12.2.3 2005

On July 31, 2005, Cisco used legal threats to suppress Mike Lynn from presenting at DEF CON about flaws he had found in the Cisco IOS used on routers.[6]

12.2.4 2007

In August 2007, Michelle Madigan, a reporter for Dateline NBC, attempted to secretly record hackers admitting to crimes at the convention. After being outed by DEF CON founder Jeff Moss during an assembly, she was heckled and chased out of the convention by attendees for her use of covert audio and video recording equipment. DEF CON staff tried to get Madigan to obtain a press pass before the outing happened.[7] A DEF CON source at NBC had tipped off organizers to Madigan’s plans.[2]

12.2.5 2008

Main article: Massachusetts Bay Transportation Authority v. Anderson

MIT students Zack Anderson, R.J. Ryan and Alessandro Chiesa were to present a session entitled “The Anatomy of a Subway Hack: Breaking Crypto RFIDS and Magstripes of Ticketing Systems.” The presentation description included the phrase “Want free subway rides for life?” and promised to focus on the Boston T subway.[8] However, the Massachusetts Bay Transit Authority (MBTA) sued the students and MIT in United States District Court in Massachusetts on August 8, claiming that the students violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares.[9][10]

The court issued a temporary restraining order prohibiting the students from disclosing the material for a period of ten days, despite the fact the material had already been disseminated to DefCon attendees at the start of the show.

In 2008’s contest “Race to Zero,” contestants submitted a version of given malware which was required to be undetectable by all of the antivirus engines in each round. The contest concept attracted much negative attention.[11][12]

12.2.6 2009

WIRED[13] reported that an ATM kiosk was positioned in the conference center of the Riviera Hotel Casino capturing data from an unknown number of hackers attending the DefCon hacker conference.

12.2.7 2011

Security company HBGary Federal used legal threats to prevent former CEO Aaron Barr from attending a panel discussion at the conference.[14]

12.2.8 2012

The director of the National Security Agency, Keith B. Alexander, gave the keynote speech.[15] During the question and answers session, the first question for Alexander,[15] fielded by Jeff Moss,[16] was “Does the NSA really keep a file on everyone, and if so, how can I see mine?” Alexander replied “Our job is foreign intelligence” and that “Those who would want to weave the story that we have millions or hundreds of millions of dossiers on people, is absolutely false…From my perspective, this is absolute nonsense.”[15]

On March 12, 2013, during a United States Senate Select Committee on Intelligence hearing, Senator Ron Wyden quoted the 2012 DEF CON keynote speech and asked Director of National Intelligence James Clapper if the U.S. conducted domestic surveillance; Clapper made statements saying that there was no intentional domestic surveillance.[15] In June 2013 NSA surveillance programs which collected data on US citizens, such as PRISM, had been exposed. Andy Greenberg of Forbes said that NSA officials, including Alexander, in the years 2012 and 2013 “publicly denied–often with carefully hedged words–participating in the kind of snooping on Americans that has since become nearly undeniable.”[15]

12.2.9 2013

On July 11, 2013, Jeff Moss posted a statement,[17] located on the DEF CON blog, titled “Feds, We Need Some Time Apart.” It stated that “I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year.”[18] This was the first time in the organization’s history that it had asked federal authorities not to attend.[17]

Actor Will Smith visited the convention to study the DEF CON culture for an upcoming movie role.[19]

12.3 List of venues and dates

• 1990’s:

  • DEF CON 1 was held at the Sands Hotel & Casino June 9–11, 1993.

  • DEF CON 2 was held at the Sahara Hotel and Casino July 22–24, 1994.

  • DEF CON 3 was held at the Tropicana Resort & Casino August 4–6, 1995.

  • DEF CON 4 was held at the Monte Carlo Resort and Casino July 26–28, 1996.

  • DEF CON 5 was held at the Aladdin Hotel & Casino July 11–13, 1997.

  • DEF CON 6 was held at the Plaza Hotel & Casino July 31 - August 2, 1998.

  • DEF CON 7 was held at the Alexis Park Resort July 9–11, 1999.

• 2000’s:

  • DEF CON 8 was held at the Alexis Park Resort July 28–30, 2000.

  • DEF CON 9 was held at the Alexis Park Resort July 13–15, 2001.

  • DEF CON 10 was held at the Alexis Park Resort August 2–4, 2002.

  • DEF CON 11 was held at the Alexis Park Resort August 1–3, 2003.

  • DEF CON 12 was held at the Alexis Park Resort July 30 - August 1, 2004.

  • DEF CON 13 was held at the Alexis Park Resort July 29–31, 2005.

  • DEF CON 14 was held at the Riviera Hotel & Casino August 4–6, 2006.

  • DEF CON 15 was held at the Riviera Hotel & Casino August 3–5, 2007.

  • DEF CON 16 was held at the Riviera Hotel & Casino August 8–10, 2008.

  • DEF CON 17 was held at the Riviera Hotel & Casino July 30 - August 2, 2009.

• 2010’s:

  • DEF CON 18 was held at the Riviera Hotel & Casino July 30 - August 1, 2010.

  • DEF CON 19 was held at the Rio Hotel & Casino August 4–7, 2011.

  • DEF CON 20 was held at the Rio Hotel & Casino July 26–29, 2012.

  • DEF CON 21 was held at the Rio Hotel & Casino August 1–4, 2013.

  • DEF CON 22 was held at the Rio Hotel & Casino August 7-10, 2014.

12.3.1 Upcoming venues and dates

• DEF CON 23 will be at both the Paris Hotel and Bally’s Hotel August 6-9, 2015.

12.4 See also

• Black Hat Briefings

• Chaos Communication Congress (C3)

• Hack-Tic. 4-yearly European version

• (HOPE)

• Summercon. The first American hacker conference, organized by members of Phrack

• ToorCon. A yearly hacker conference held in San Diego, California since 1999

12.5 References

[1] HNS. “The Vulnerability Economy”. Help Net Security. Retrieved 2008-08-27.

[2] Zetter, Kim (3 August 2007). “Dateline Mole Allegedly at DefCon with Hidden Camera -- Updated: Mole Caught on Tape”. Wired Blog Network. Retrieved 2007-08-15. According to DefCon staff, Madigan had told someone she wanted to out an undercover federal agent at DefCon. That person in turn warned DefCon about Madigan’s plans. Federal law enforcement agents from FBI, DoD, United States Postal Inspection Service and other agencies regularly attend DefCon to gather intelligence on the latest techniques of hackers.

[3] “DEFCON 15 FAQ’s”. Retrieved 9 Feb 2011. Lots of people come to DEFCON and are doing their job; security professionals, federal agents, and the press.

[4] Jeff Moss (July 30, 2007). The Story of DEFCON. Retrieved 9 Feb 2011.

[5] Winn Schwartau. “Cyber Christ Meets Lady Luck” (PDF). Retrieved 9 Feb 2011.

[6] Lamos, Rob (31 July 2005). “Exploit writers team up to target Cisco routers”. Security Focus. Retrieved 2004-07-31.

[7] Cassel, David (4 August 2007). “Transcript: Michelle Madigan’s run from Defcon”. Tech.Blorge.com. Retrieved 2007-08-15.

[8] Lundin, Leigh (2008-08-17). “Dangerous Ideas”. MBTA v DefCon 16. Criminal Brief. Retrieved 2010-10-07.

[9] Jeschke, Rebecca (2008-08-09). “MIT Students Gagged by Federal Court Judge”. Press Room. Las Vegas: EFF.

[10] Massachusetts Bay Transit Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and the Massachusetts Institute of Technology (United States District Court District of Massachusetts). Text

[11] “Race to Zero”. Contest concept.

[12] McMillan, Robert (April 2008). “Security Vendors Slam Defcon Virus Contest”. IDG News Service.

[13] Malicious ATM Catches Hackers | Threat Level | WIRED

[14] “Legal Threat Pushes Former HBGary Federal CEO Out Of DEFCON”. Business Security. Retrieved 8/10/2011.

[15] Greenberg, Andy. “Watch Top U.S. Intelligence Officials Repeatedly Deny NSA Spying On Americans Over The Last Year (Videos).” Forbes. June 6, 2013. Retrieved on June 11, 2013. “Eight months later, Senator Ron Wyden quoted[...]”

[16] Wagenseil, Paul. “Hackers Don't Believe NSA Chief’s Denial of Domestic Spying.” (Archive) NBC News. August 1, 2012. Retrieved on June 13, 2013.

[17] Whitney, Lance. “Defcon to feds: 'We need some time apart'.” CNET. July 11, 2013. Retrieved on July 12, 2013.

[18] Blue, Violet. “Feds 'not welcome' at DEF CON hacker conference.” ZDNet. July 11, 2013. Retrieved on July 11, 2013.

[19] “Will Smith Makes Unexpected Appearance At Defcon Hacker Conference”. Retrieved 2013-08-09.

12.6 Further reading

• “DefCon’s Moss: Undercover Reporter Damages 'Neutral Zone'.” Information Week. August 6, 2007.

• Mills, Elinor. “NSA director finally greets Defcon hackers.” CNET. July 27, 2012.

12.7 External links

• Official website

Contests

• CoffeeWars: 2007 Official contest

Venues

• The Alexis Park Resort & Hotel

• The Riviera Hotel & Casino

Multimedia

• A first ever look inside the DEF CON NOC (2008)

• The Story of DEF CON - video interview with Jeff Moss, a.k.a. Dark Tangent, the founder of DEF CON

• Transcript, audio, video of Jeff Moss describing DEF CON’s inception

• DEFCON: The Documentary

Chapter 13

Exploit (computer security)

An exploit (from the English verb to exploit, meaning “using something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

13.1 Classification

There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client applications also exist, usually consisting of modified servers that send an exploit if accessed with a client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with the social engineering method. Another classification is by the action against the vulnerable system; unauthorized data access, arbitrary code execution, and denial of service are examples.

Many exploits are designed to provide superuser-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root.

Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete until newer versions of the software become available. This is the reason why some black hat hackers do not publish their exploits but keep them private to themselves or other hackers. Such exploits are referred to as zero day exploits and to obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies.[1]

13.1.1 Types

Exploits are commonly categorized and named by these criteria:

• The type of vulnerability they exploit (See vulnerabilities for a list)

• Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).

• The result of running the exploit (EoP, DoS, Spoofing, etc.)

13.1.2 Pivoting

Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping.

Pivoting can further be distinguished into proxy pivoting and VPN pivoting:

• Proxy pivoting generally describes the practice of channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from the computer.[2] This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy.

• VPN pivoting enables the attacker to create an encrypted layer to tunnel into the compromised machine to route any network traffic through that target machine, for example, to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if they were behind the firewall.


Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit.

13.2 See also

• Computer security

• Computer virus

• Crimeware

• Hacking: The Art of Exploitation (second edition)

• IT risk

• Metasploit

• Shellcode

• w3af

13.3 References

[1] Whitman, Michael (2012). “Chapter 2: The Need for Security”. Principles of Information Security, Fourth Edition. Boston, Mass: Course Technology. p. 53.

[2] Metasploit Framework Pivoting, Digital Bond: Metasploit Basics – Part 3: Pivoting and Interfaces

• Kahsari Alhadi, Milad. Metasploit Penetration Tester’s Guide - Persian, ISBN 978-600-7026-62-5

Chapter 14

Firewall (computing)

An illustration of where a firewall would be located in a network.

[Figure: packet-flow diagram by Jan Engelhardt (based in part on Joshua Snyder's graph); last updated 2014-Feb-28; Linux 2.6.36+]

Flow of network packets through Netfilter, a module

Gufw is a graphical front-end for , which itself is a wrapper for netfilter

In computing, a firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.[1]

Stand-alone firewalls exist both as firewall software appliances to run on general purpose or standard industry hardware, and as hardware-based firewall computer appliances.

Personal computer operating systems may include software-based firewalls to protect against threats from the public Internet. Routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.[2][3]

Hardware-based firewall appliances may also offer other functionality to the internal network they protect, such as acting as a DHCP or VPN server for that network.

14.1 History

The term firewall originally referred to a wall intended to confine a fire or potential fire within a building. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity. The predecessors to firewalls for network security were the routers used in the late 1980s:[4]

• Clifford Stoll's discovery of German spies tampering with his system[4]

• Bill Cheswick's “Evening with Berferd” 1992 in which he set up a simple electronic “jail” to observe an attacker[4]

• In 1988, an employee at the NASA Ames Research Center in California sent a memo by email to his
colleagues[5] that read, “We are currently under at- the firewall exists to block telnet access, then the firewall tack from an Internet VIRUS! It has hit Berkeley, will block the TCP protocol for port number 23.[10] UC San Diego, Lawrence Livermore, Stanford, and NASA Ames.” 14.1.2 Second generation: “stateful” fil- • The Morris Worm spread itself through multiple ters vulnerabilities in the machines of the time. Al- though it was not malicious in intent, the Morris Main article: Stateful firewall Worm was the first large scale attack on Internet se- curity; the online community was neither expecting an attack nor prepared to deal with one.[6] From 1989–1990 three colleagues from AT&T Bell Lab- oratories, Dave Presetto, Janardan Sharma, and Kshi- tij Nigam, developed the second generation of firewalls, 14.1.1 First generation: packet filters calling them Circuit-level gateways.[11] Second-generation firewalls perform the work of their The first paper published on firewall technology was in first-generation predecessors but operate up to layer 4 1988, when engineers from Digital Equipment Corpo- (transport layer) of the OSI model. This is achieved ration (DEC) developed filter systems known as packet by retaining packets until enough information is avail- filter firewalls. This fairly basic system was the first able to make a judgement about its state.[12] Known as generation of what is now a highly involved and techni- stateful packet inspection, it records all connections pass- cal internet security feature. At AT&T Bell Labs, Bill ing through it and determines whether a packet is the start Cheswick and Steve Bellovin were continuing their re- of a new connection, a part of an existing connection, or search in packet filtering and developed a working model not part of any connection. Though static rules are still for their own company based on their original first gener- used, these rules can now contain connection state as one [7] ation architecture. 
of their test criteria. Packet filters act by inspecting the “packets” which are Certain denial-of-service attacks bombard the firewall transferred between computers on the Internet. If a with thousands of fake connection packets in an attempt packet matches the packet filter’s set of filtering rules, to overwhelm it by filling its connection state memory.[13] the packet filter will drop (silently discard) the packet or reject it (discard it, and send “error responses” to the source). 14.1.3 Third generation: application layer This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores Main article: Application level firewall no information on connection “state”). Instead, it filters each packet based only on information contained in the Marcus Ranum, Wei Xu, and Peter Churchyard devel- packet itself (most commonly using a combination of the oped an known as Firewall Toolkit packet’s source and destination address, its protocol, and, (FWTK). In June 1994, Wei Xu extended the FWTK for TCP and UDP traffic, the port number). with the Kernel enhancement of IP filter and socket trans- TCP and UDP protocols constitute most communication parent. This was known as the first transparent Applica- over the Internet, and because TCP and UDP traffic by tion firewall, released as a commercial product of Gaunt- convention uses well known ports for particular types let firewall at Trusted Information Systems. Gauntlet fire- of traffic, a “stateless” packet filter can distinguish be- wall was rated one of the number 1 firewalls during 1995– tween, and thus control, those types of traffic (such as 1998. web browsing, remote printing, email transmission, file The key benefit of application layer filtering is that it transfer), unless the machines on each side of the packet [8] can “understand” certain applications and protocols (such filter are both using the same non-standard ports. 
as File Transfer Protocol (FTP), Domain Name System Packet filtering firewalls work mainly on the first three (DNS), or Hypertext Transfer Protocol (HTTP)). This layers of the OSI reference model, which means most of is useful as it is able to detect if an unwanted protocol the work is done between the network and physical lay- is attempting to bypass the firewall on an allowed port, ers, with a little bit of peeking into the transport layer to or detect if a protocol is being abused in any harmful figure out source and destination port numbers.[9] When way. As of 2012, the so-called next-generation firewall a packet originates from the sender and filters through (NGFW) is nothing more than the “widen” or “deepen” a firewall, the device checks for matches to any of the inspection at application-stack. For example, the existing packet filtering rules that are configured in the firewall and deep packet inspection functionality of modern firewalls drops or rejects the packet accordingly. When the packet can be extended to include i) Intrusion prevention sys- passes through the firewall, it filters the packet on a pro- tems (IPS); ii) User identity integration (by binding user tocol/port number basis (GSS). For example, if a rule in IDs to IP or MAC addresses for “reputation”); and/or iii) 74 CHAPTER 14. FIREWALL (COMPUTING)

Web Application Firewall (WAF). WAF attacks may be for simple filters that require less time to filter than to implemented in the tool “WAF Fingerprinting utilizing look up a session. They may also be necessary for filter- timing side channels” (WAFFle).[14] ing stateless network protocols that have no concept of a session. However, they cannot make more complex deci- sions based on what stage communications between hosts 14.2 Types have reached. Newer firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes. Commonly used packet filters on various versions of Unix are IPFilter (various), ipfw (FreeBSD/Mac OS X), NPF (NetBSD), PF (OpenBSD, and some other BSDs), / (Linux).

14.2.2 Application-layer

Main article: Application layer firewall

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). A common graphical depiction of a firewall in computing On inspecting all packets for improper content, firewalls There are different types of firewalls depending on where can restrict or prevent outright the spread of networked the communication is taking place, where the communi- computer worms and trojans. The additional inspection cation is intercepted and the state that is being traced.[15] criteria can add extra latency to the forwarding of packets to their destination. Application firewalls function by determining whether a 14.2.1 Network layer or packet filters process should accept any given connection. Applica- tion firewalls accomplish their function by hooking into Network layer firewalls, also called packet filters, operate socket calls to filter the connections between the applica- at a relatively low level of the TCP/IP protocol stack, not tion layer and the lower layers of the OSI model. Applica- allowing packets to pass through the firewall unless they tion firewalls that hook into socket calls are also referred match the established rule set. The firewall administrator to as socket filters. Application firewalls work much like a may define the rules; or default rules may apply. The term packet filter but application filters apply filtering rules (al- “packet filter” originated in the context of BSD operating low/block) on a per process basis instead of filtering con- systems. nections on a per port basis. Generally, prompts are used Network layer firewalls generally fall into two sub- to define rules for processes that have not yet received categories, stateful and stateless. Stateful firewalls main- a connection. 
It is rare to find application firewalls not tain context about active sessions, and use that “state in- combined or used in conjunction with a packet filter.[16] formation” to speed packet processing. Any existing net- Also, application firewalls further filter connections by work connection can be described by several properties, examining the process ID of data packets against a rule- including source and destination IP address, UDP or TCP set for the local process involved in the data transmission. ports, and the current stage of the connection’s lifetime The extent of the filtering that occurs is defined by the (including session initiation, handshaking, data transfer, provided ruleset. Given the variety of software that ex- or completion connection). If a packet does not match an ists, application firewalls only have more complex rule- existing connection, it will be evaluated according to the sets for the standard services, such as sharing services. ruleset for new connections. If a packet matches an ex- These per process rulesets have limited efficacy in filter- isting connection based on comparison with the firewall’s ing every possible association that may occur with other state table, it will be allowed to pass without further pro- processes. Also, these per process rulesets cannot de- cessing. fend against modification of the process via exploitation, Stateless firewalls require less memory, and can be faster such as memory corruption exploits. Because of these 14.4. REFERENCES 75

limitations, application firewalls are beginning to be sup- • Comparison of firewalls planted by a new generation of application firewalls that • rely on mandatory access control (MAC), also referred to Computer security [17] as sandboxing, to protect vulnerable services. • Distributed firewall • Egress filtering 14.2.3 Proxies • End-to-end connectivity Main article: Proxy server • Firewall pinhole • Firewalls and Internet Security A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act • Golden Shield Project as a firewall by responding to input packets (connection requests, for example) in the manner of an application, • Guard (information security) while blocking other packets. A proxy server is a gate- • IP fragmentation attacks way from one network to another for a specific network application, in the sense that it functions as a proxy on • List of Unix-like router or firewall distributions behalf of the network user.[1] • Next-Generation Firewall Proxies make tampering with an internal system from the external network more difficult and misuse of one inter- • Mangled packet nal system would not necessarily cause a security breach • exploitable from outside the firewall (as long as the ap- Personal firewall plication proxy remains intact and properly configured). • Screened-subnet firewall Conversely, intruders may hijack a publicly reachable sys- tem and use it as a proxy for their own purposes; the • Unidirectional network proxy then masquerades as that system to other internal • machines. While use of internal address spaces enhances Unified threat management security, crackers may still employ methods such as IP • Virtual firewall spoofing to attempt to pass packets to a target network. • Vulnerability scanner

14.2.4 Network address translation 14.4 References Main article: Network address translation [1] Oppliger, Rolf (May 1997). “Internet Security: FIRE- Firewalls often have network address translation (NAT) WALLS and BEYOND”. Communications of the ACM functionality, and the hosts protected behind a firewall 40 (5): 94. doi:10.1145/253769.253802. commonly have addresses in the “private address range”, [2] “What is Firewall?". Retrieved 2015-02-12. as defined in RFC 1918. Firewalls often have such func- tionality to hide the true address of protected hosts. Orig- [3] Definition of Firewall, Resources inally, the NAT function was developed to address the [4] Ingham, Kenneth; Forrest, Stephanie (2002). “A His- limited number of IPv4 routable addresses that could be tory and Survey of Network Firewalls” (PDF). Retrieved used or assigned to companies or individuals as well as 2011-11-25. reduce both the amount and therefore cost of obtaining enough public addresses for every computer in an organi- [5] Firewalls by Dr.Talal Alkharobi zation. Hiding the addresses of protected devices has be- [6] RFC 1135 The Helminthiasis of the Internet come an increasingly important defense against network reconnaissance.[18] [7] Ingham, Kenneth; Forrest, Stephanie (2002). “A History and Survey of Network Firewalls” (PDF). p. 4. Retrieved 2011-11-25.

14.3 See also [8] TCP vs. UDP By Erik Rodriguez

[9] William R. Cheswick, Steven M. Bellovin, Aviel D. Ru- • Access control list bin (2003). "Google Books Link". Firewalls and Internet Security: repelling the wily hacker • [10] Aug 29, 2003 Virus may elude computer defenses by • Bastion host Charles Duhigg, Washington Post 76 CHAPTER 14. FIREWALL (COMPUTING)

[11] Proceedings of National Conference on Recent Developments in Computing and Its Applications, August 12–13, 2009. I.K. International Pvt. Ltd. 2009-01-01. Retrieved 2014-04-22.

[12] Conway, Richard (204). Code Hacking: A Developer’s Guide to Network Security. Hingham, Massachusetts: Charles River Media. p. 281. ISBN 1-58450-314-9.

[13] Chang, Rocky (October 2002). “Defending Against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial”. IEEE Communications Magazine 40 (10): 42–43. doi:10.1109/mcom.2002.1039856.

[14] “WAFFle: Fingerprinting Filter Rules of Web Application Firewalls”. 2012.

[15] “Firewalls”. MemeBridge. Retrieved 13 June 2014.

[16] “Software Firewalls: Made of Straw? Part 1 of 2”. Symantec Connect Community. 2010-06-29. Retrieved 2014-03-28.

[17] “Auto Sandboxing”. Comodo Inc. Retrieved 2014-08-28.

[18] “Advanced Security: Firewall”. Microsoft. Retrieved 2014-08-28.
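Sections 14.1.1, 14.1.2 and 14.2.1 above contrast stateless packet filters with stateful inspection and mention state-table exhaustion. The Python model below is an added illustration, not code from the article or from any firewall product: it runs the same constructed packets through both kinds of filter and shows a small state table filling with half-open entries and recovering once they time out. All addresses, the `WEB_SERVER` host, the table size and the timeouts are assumptions, and TCP tracking is simplified (a connection counts as established once the SYN/ACK is seen).

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed internal network (RFC 1918 space)
WEB_SERVER = "10.0.0.80"    # constructed published web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def inside(addr):
    return addr.startswith(INSIDE_PREFIX)


def new_connection_allowed(p):
    """Static rules shared by both filters: who may talk to TCP port 80."""
    return p.dport == 80 and (inside(p.src) or p.dst == WEB_SERVER)


def stateless_filter(p):
    """First-generation filter: judges each packet by its own headers."""
    if new_connection_allowed(p):
        return "accept"
    # With no memory of earlier packets, "this is a reply" can only be
    # guessed from the headers: source port 80 and the ACK flag set.
    if p.sport == 80 and "ACK" in p.flags and (inside(p.dst) or p.src == WEB_SERVER):
        return "accept"
    return "drop"


class StatefulFilter:
    """Second-generation filter: the same static rules plus a state table."""

    def __init__(self, max_entries=4, half_open_ttl=5, established_ttl=60):
        self.table = {}   # connection key -> [state, originator, expiry time]
        self.max_entries = max_entries
        self.half_open_ttl = half_open_ttl
        self.established_ttl = established_ttl

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same key.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p, now):
        # Age out old entries; half-open ones have the short timer.
        self.table = {k: v for k, v in self.table.items() if v[2] > now}
        entry = self.table.get(self._key(p))
        if entry is None:
            # Not part of any connection: only a bare SYN permitted by the
            # static rules may start one, and only while the table has room.
            if p.flags != {"SYN"} or not new_connection_allowed(p):
                return "drop"
            if len(self.table) >= self.max_entries:
                return "drop"
            self.table[self._key(p)] = ["half-open", p.src, now + self.half_open_ttl]
            return "accept"
        state, originator, _ = entry
        if state == "half-open":
            if p.src == originator:            # retransmitted SYN, timer not reset
                return "accept" if p.flags == {"SYN"} else "drop"
            if p.flags != {"SYN", "ACK"}:      # responder must answer with SYN/ACK
                return "drop"
            entry[0] = "established"
        entry[2] = now + self.established_ttl
        return "accept"


def run_demo():
    """Replay constructed packets through both filters; returns the verdicts."""
    stray = pkt("203.0.113.9", 80, "10.0.0.5", 40000, "ACK")   # no connection exists
    flow = [pkt("10.0.0.5", 40000, "198.51.100.7", 80, "SYN"),
            pkt("198.51.100.7", 80, "10.0.0.5", 40000, "SYN", "ACK"),
            pkt("10.0.0.5", 40000, "198.51.100.7", 80, "ACK"),
            pkt("198.51.100.7", 80, "10.0.0.5", 40000, "ACK", "PSH")]
    fw = StatefulFilter()
    result = {
        "stray_stateless": stateless_filter(stray),
        "stray_stateful": fw.check(stray, now=0),
        "flow_stateful": [fw.check(p, now=0) for p in flow],
    }
    # Four SYNs that are never completed fill the four-entry table.
    small = StatefulFilter(max_entries=4, half_open_ttl=5)
    for i in range(1, 5):
        small.check(pkt(f"192.0.2.{i}", 5000, WEB_SERVER, 80, "SYN"), now=0)
    client = pkt("198.51.100.20", 5000, WEB_SERVER, 80, "SYN")
    result["client_while_full"] = small.check(client, now=1)
    result["client_after_timeout"] = small.check(client, now=6)
    return result


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The short half-open timer is what lets the table recover in this model; a longer timer or a smaller table keeps legitimate clients locked out for longer.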

14.5 External links

• Internet Firewalls: Frequently Asked Questions, compiled by Matt Curtin, Marcus Ranum and Paul Robertson.

• Firewalls Aren’t Just About Security - Whitepaper focusing on Cloud Applications Forcing Firewalls to Enable Productivity.
• Evolution of the Firewall Industry - Discusses different architectures and their differences, how packets are processed, and provides a timeline of the evolution.
• A History and Survey of Network Firewalls - provides an overview of firewalls at the various ISO levels, with references to the original papers where first firewall work was reported.
• Software Firewalls: Made of Straw? Part 1 and Software Firewalls: Made of Straw? Part 2 - a technical view on software firewall design and potential weaknesses
• A Firewall with Arduino(s), through emulating the (authentic, not “virtual”) serial/parallel ports, etc.

Chapter 15

Grey hat

The term "grey hat" or "gray hat" in Internet slang refers to a computer hacker or computer security expert whose ethical standards fall somewhere between purely altruistic and purely malicious. The term began to be used in the late 1990s, derived from the concepts of "white hat" and "black hat" hackers.[1] When a white hat hacker discovers a vulnerability, they will exploit it only with permission and not divulge its existence until it has been fixed, whereas the black hat will illegally exploit it and/or tell others how to do so. The grey hat will neither illegally exploit it, nor tell others how to do so.[2]

A further difference among these types of hacker lies in their methods of discovering vulnerabilities. The white hat generally breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure it is against hackers, whereas the black hat will break into any system or network in order to uncover sensitive information and for personal gain. The grey hat generally has the skills and intent of the white hat but will break into any system or network without permission.[3][4]

When a grey hat hacker discovers a vulnerability, instead of telling the vendor how the exploit works, he or she may offer to repair it for a small fee. When one successfully gains illegal access to a system or network, he or she may suggest to the system administrator that one of his or her friends be hired to fix the problem; however, this practice has been declining due to the increasing willingness of businesses to prosecute.[5]

In the search engine optimization (SEO) community, grey hat hackers are those who manipulate web sites’ search engine rankings using improper or unethical means but that are not considered search engine spam.[6]

15.1 History

The phrase grey hat was first publicly used in the computer security context when DEF CON announced the first scheduled Black Hat Briefings in 1996, although it may have been used by smaller groups prior to this time.[7][8] Moreover, at this conference a presentation was given in which Midge, a key member of the hacking group , discussed their intent as grey hat hackers to provide Microsoft with vulnerability discoveries in order to protect the vast number of users of its operating system.[9] Finally, Mike Nash, Director of Microsoft’s server group, stated that grey hat hackers are much like technical people in the independent software industry in that “they are valuable in giving us feedback to make our products better.”[10]

The phrase grey hat was used by the hacker group L0pht in a 1999 interview with The New York Times[11] to describe their hacking activities.

The phrase was used to describe hackers who support the ethical reporting of vulnerabilities directly to the software vendor in contrast to the full disclosure practices that were prevalent in the white hat community that vulnerabilities not be disclosed outside of their group.[2]

In 2002, however, the Anti-Sec community published use of the term to refer to people who work in the security industry by day, but engage in black hat activities by night.[12] The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lent a sense of popular notoriety.

Following the rise and eventual decline of the full disclosure vs. anti-sec “golden era”—and the subsequent growth of an “ethical hacking” philosophy—the term grey hat began to take on all sorts of diverse meanings. The prosecution in the U.S. of Dmitry Sklyarov for activities which were legal in his home country changed the attitudes of many security researchers. As the Internet became used for more critical functions, and concerns about terrorism grew, the term “white hat” started referring to corporate security experts who did not support full disclosure.[13]

In 2008, the EFF defined grey hats as ethical security researchers who inadvertently or arguably violate the law in an effort to research and improve security. They advocate for computer offense laws that are clearer and more narrowly drawn.[14]

15.2 Examples

In April 2000, hackers known as "{}" and “Hardbeat” gained unauthorized access to Apache.org.[15] They chose to alert Apache crew of the problems rather than try to damage the Apache.org servers.[16]

In June 2010, a group of computer experts known as exposed a flaw in AT&T security which allowed the e-mail addresses of iPad users to be revealed.[17] The group revealed the security flaw to the media soon after notifying AT&T. Since then, the FBI opened an investigation into the incident and raided the house of , the group’s most prominent member.[18]

In April 2011, a group of experts discovered that the Apple iPhone and 3G were “logging where the user visits”. Apple released a statement saying that the iPad and iPhone were only logging the towers that the phone could access.[19] There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as “grey hat” because although the experts could have used this for malicious intent, the issue was reported.[20]

In August 2013 Khalil Shreateh, an unemployed computer security researcher, hacked the Facebook page of Mark Zuckerberg, Facebook’s CEO, in order to force action to correct a bug he discovered which allowed him to post to any user’s page without their consent. He had tried repeatedly to inform Facebook of this bug only to be told by Facebook that the issue was not a bug. After this incident, Facebook corrected this vulnerability which could have been a powerful weapon in the hands of professional spammers. Shreateh was not compensated by Facebook’s White Hat program because he violated their policies making this a grey hat incident.[21]

15.3 See also

• Anonymous (group)
• Computer crime
• Cyber warfare
• IT risk
• Metasploit
• Mischief
• Penetration test

15.4 Related literature

• Daniel Regalado; Shon Harris; Allen Harper; Chris Eagle; Jonathan Ness; Branko Spasojevic; Ryan Linn & Stephen Sims (2015). Gray Hat Hacking : The Ethical Hacker’s Handbook (4th ed.). New York: McGraw-Hill Education. ISBN 978-0-07-183238-0.
• A E (2014). Grey Hat SEO 2014: The Most Effective and Safest Techniques of 10 Web Developers. Secrets to Rank High including the Fastest Penalty Recoveries. Research & Co. ASIN B00H25O8RM.

15.5 References

[1] De, Chu (2002). “White Hat? Black Hat? Grey Hat?”. ddth.com. Jelsoft Enterprises. Retrieved 2015-02-19.

[2] Regalado (et al.) (2015). Grey Hat Hacking: The Ethical Hacker’s Handbook (4th ed.). New York: McGraw-Hill Education. p. 18.

[3] Fuller, Johnray; Ha, John; Fox, Tammy (2003). “ 3 Security Guide”. Product Documentation. Red Hat. Section (2.1.1). Retrieved 2015-02-16.

[4] Cliff, A. “Intrusion Systems Detection Terminology, Part one: A-H”. Symantec Connect. Symantec. Retrieved 2015-02-16.

[5] Moore, Robert (2011). Cybercrime: investigating high-technology computer crime (2nd ed.). Burlington, MA: Anderson Publishing. p. 25.

[6] A E (2014). Grey Hat SEO 2014: The Most Effective and Safest Techniques of 10 Web Developers. Secrets to Rank High including the Fastest Penalty Recoveries. Research & Co. ASIN B00H25O8RM.

[7] De, Chu (2002). “White Hat? Black Hat? Grey Hat?”. ddth.com. Jelsoft Enterprises. Retrieved 2015-02-19.

[8] “Def Con Communications Presents The Black Hat Briefings”. blackhat.com. blackhat.com. 1996.

[9] Lange, Larry (15 July 1997). “Microsoft Opens Dialogue With NT Hackers”. blackhat.com. blackhat.com. Retrieved 2015-03-31.

[10] Lange, Larry (22 September 1997). “The Rise of the Underground Engineer”. blackhat.com. blackhat.com. Retrieved 2015-03-31.

[11] “HacK, CouNterHaCk”. New York Times Magazine. 3 October 1999. Retrieved 6 January 2011.

[12] Digitalsec.net #Phrack High Council. 20 August 2002. “The greyhat-IS-whitehat List”

[13] “The thin gray line”. CNET News. 23 September 2002. Retrieved 6 January 2011.

[14] EFF.org Electronic Frontier Foundation (EFF). 20 August 2008. “A 'Grey Hat' Guide”

[15] Michelle Finley (2013-03-28). “Wired.com”. Wired.com. Retrieved 2013-11-01.

[16] “Textfiles.com”. Retrieved 2013-11-01.

[17] FBI Opens Probe of iPad Breach Wall Street Journal, Spencer Ante and Ben Worthen. 11 June 2010.

[18] Tate, Ryan (9 June 2010). “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”. .com (Gawker Media). Retrieved 13 June 2010.

[19] Harrison, Natalie; Kerris, Natalie (27 April 2011). “Apple &A on Location Data”. Apple Press Info. Apple, Inc.

[20] “Is Apple Tracking You?". hackfile.org. Archived from the original on 28 April 2011.

[21] Gross, Doug (20 August 2013). “Zuckerberg’s Facebook page hacked to prove security flaw”. .com. CNN. Retrieved 2015-04-04.

Chapter 16

Hacker

Hacker may refer to:

16.1 Technology

• Hacker (term), is a term used in computing that can describe several types of persons
  • Hacker (computer security) someone who seeks and exploits weaknesses in a computer system or computer network
  • Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
  • Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities

16.2 Entertainment

• Hackers: Heroes of the Computer Revolution, 1984 book by Stephen Levy
• Hackers: Wizards of the Electronic Age, 1985 video documentary inspired by the book
• Hacker (video game), 1985 puzzle/strategy computer game by Activision
• Hacker (card game), 1992 Steve Jackson Games release
• Hackers (anthology), a 1996 anthology of short stories edited by Jack Dann and Gardner Dozois
• Hackers (film), 1995 MGM film starring Jonny Lee Miller and Angelina Jolie
• Hacker, a children’s novel by Malorie Blackman
• “The Hacker,” a song by British industrial group Clock DVA

16.3 People

16.3.1 Real

• Francis Hacker (died 1660), fought for Parliament during the English Civil War and was one of the Regicides of Charles I
• Arthur Hacker (1858–1919), British artist
• George Hacker (bishop) (born 1928), Suffragan Bishop of Penrith
• Benjamin Thurman Hacker (1935–2003), U.S. Naval officer
• Sally Hacker (1936–1988), feminist sociologist
• Alan Hacker (1938–2012), English clarinetist
• Peter Hacker (born 1939), British philosopher
• Marilyn Hacker (born 1942), American poet, critic, and reviewer
• Arthur and Ron Hacker (20th century), brothers who formed Dynatron Radio Ltd and Hacker Radio Ltd
• The Hacker (Michel Amato, born 1972), French electrocrash and tech producer
• Katrina Hacker (born 1990), American figure skater

16.3.2 Fictional

• The Hacker, villain of the TV series Cyberchase
• Jim Hacker, title character in Yes Minister and Yes Prime Minister
• Staff Sergeant Hacker, a character on the US TV series Gomer Pyle, U.S.M.C.
• Hacker, cyborg sidekick character in TV series The Centurions
• Hacker T. Dog, puppet character on Scoop and CBBC links.

16.4 Other

• Hacker Brewery, and its beer, since 1972 merged into Hacker-Pschorr Brewery
• Hacker-Craft, boats made by the Hacker Boat Company
• Hacker Radio Ltd, a British manufacturer of consumer electronics products

16.5 See also

• All pages with titles containing “Hacker”
• Hack (disambiguation)
• Hacking (disambiguation)
• Hacks (disambiguation)
• Haka (disambiguation)
• Hakka (disambiguation)

Chapter 17

Hacker (computer security)

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment,[1] or to evaluate those weaknesses to assist in removing them. The subculture that has evolved around hackers is often referred to as the computer underground and is now a known community.[2] While other uses of the word hacker exist that are related to computer security, such as referring to someone with an advanced understanding of computers and computer networks,[3] they are rarely used in mainstream context. They are subject to the longstanding hacker definition controversy about the term’s true meaning. In this controversy, the term hacker is reclaimed by computer programmers who argue that someone who breaks into computers, whether computer criminal (black hats) or computer security expert (white hats),[4] is more appropriately called a cracker instead.[5] Some white hat hackers claim that they also deserve the title hacker, and that only black hats should be called “crackers”.

17.1 History

Further information: Timeline of computer security hacker history

Bruce Sterling traces part of the roots of the computer underground to the Yippies, a 1960s counterculture movement that published the Technological Assistance Program (TAP) newsletter. TAP was a phone phreaking newsletter that taught techniques for unauthorized exploration of the telephone network. Many people from the phreaking community are also active in the hacking community even today, and vice versa.

17.2 Classifications

Several subgroups of the computer underground with different attitudes use different terms to demarcate themselves from each other, or try to exclude some specific group with whom they do not agree.

Eric S. Raymond, author of The New Hacker’s Dictionary, advocates that members of the computer underground should be called crackers. Yet, those people see themselves as hackers and even try to include the views of Raymond in what they see as a wider , a view that Raymond has harshly rejected. Instead of a hacker/cracker dichotomy, they emphasize a spectrum of different categories, such as white hat, grey hat, black hat and script kiddie. In contrast to Raymond, they usually reserve the term cracker for more malicious activity.

According to Ralph D. Clifford, a cracker or cracking is to “gain unauthorized access to a computer in order to commit another crime such as destroying information contained in that system”.[6] These subgroups may also be defined by the legal status of their activities.[7]

17.2.1 White hat

Main article: White hat

A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term “white hat” in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. The EC-Council,[8] also known as the International Council of Electronic Commerce Consultants, is one of those organizations that have developed certifications, courseware, classes, and online training covering the diverse arena of ethical hacking.[7]

17.2.2 Black hat

A “black hat” hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain” (Moore, 2005).[9] Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are “the epitome of all that the public fears in a computer criminal”.[10] Black hat hackers break into secure networks to destroy, modify, or steal data; or to make the network unusable for those who are authorized to use the network. Black hat hackers are also referred to as the “crackers” within the security industry and by modern programmers. Crackers keep the awareness of the vulnerabilities to themselves and do not notify the general public or the manufacturer for patches to be applied. Individual freedom and accessibility is promoted over privacy and security. Once they have gained control over a system, they may apply patches or fixes to the system only to keep their reigning control. Richard Stallman invented the definition to express the maliciousness of a criminal hacker versus a white hat hacker who performs hacking duties to identify places to repair.[11]

17.2.3 Grey hat

Main article: Grey hat

A grey hat hacker lies between a black hat and a white hat hacker. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect, for example. They may then offer to correct the defect for a fee.[10] Grey hat hackers sometimes find the defect of a system and publish the facts to the world instead of a group of people. Even though grey hat hackers may not necessarily perform hacking for their personal gain, unauthorized access to a system can be considered illegal and unethical.

17.2.4 Elite hacker

A social status among hackers, elite is used to describe the most skilled. Newly discovered exploits circulate among these hackers. Elite groups such as Masters of Deception conferred a kind of credibility on their members.[12]

17.2.5 Script kiddie

A script kiddie (also known as a skid or skiddie) is an unskilled hacker who breaks into computer systems by using automated tools written by others (usually by other black hat hackers), hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child—an individual lacking knowledge and experience, immature),[13] usually with little understanding of the underlying concept.

17.2.6 Neophyte

A neophyte ("newbie", or “noob”) is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.[10]

17.2.7 Blue hat

A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term BlueHat to represent a series of security briefing events.[14][15][16]

17.2.8 Hacktivist

A hacktivist is a hacker who utilizes technology to publicize a social, ideological, religious or political message. Hacktivism can be divided into two main groups:

• Cyberterrorism — Activities involving website defacement or denial-of-service attacks; and,
• Freedom of information — Making information that is not public, or is public in non-machine-readable formats, accessible to the public.

17.2.9 Nation state

Intelligence agencies and cyberwarfare operatives of nation states.[17]

17.2.10 Organized crime

Groups of hackers that carry out organized criminal activities for profit.[17]

17.3 Attacks

Main article: Computer security

A typical approach in an attack on Internet-connected system is:

1. Network enumeration: Discovering information about the intended target.
2. Vulnerability analysis: Identifying potential ways of attack.
3. Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis.[18]

In order to do so, there are several recurring tools of the trade and techniques used by computer criminals and security experts.

17.3.1 Security exploits

Main article: Exploit (computer security)

A security exploit is a prepared application that takes advantage of a known weakness.[19] Common examples of security exploits are SQL injection, cross-site scripting and cross-site request forgery which abuse security holes that may result from substandard programming practice. Other exploits would be able to be used through File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), PHP, SSH, Telnet and some Web pages. These are very common in Web site and Web domain hacking.

17.3.2 Techniques

Vulnerability scanner: A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are “open” or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number. (Firewalls defend computers from intruders by limiting access to ports and machines, but they can still be circumvented.)

Finding vulnerabilities: Hackers may also attempt to find vulnerabilities manually. A common approach is to search for possible vulnerabilities in the code of the computer system then test them, sometimes reverse engineering the software if the code is not provided.

Brute-force attack: Password guessing. This method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used, because of the time a brute-force search takes.

Password cracking: Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Common approaches include repeatedly trying guesses for the password, trying the most common passwords by hand, and repeatedly trying passwords from a “dictionary”, or a text file with many passwords.

Packet analyzer: A packet analyzer (“packet sniffer”) is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.

Spoofing attack (phishing): A spoofing attack involves one program, system or website that successfully masquerades as another by falsifying data and is thereby treated as a trusted system by a user or another program — usually to fool programs, systems or users into revealing confidential information, such as user names and passwords.

Rootkit: A rootkit is a program that uses low-level, hard-to-detect methods to subvert control of an operating system from its legitimate operators. Rootkits usually obscure their installation and attempt to prevent their removal through a subversion of standard system security. They may include replacements for system binaries, making it virtually impossible for them to be detected by checking process tables.

Social engineering: In the second stage of the targeting process, hackers often use social engineering tactics to get enough information to access the network. They may contact the system administrator and pose as a user who cannot get access to his or her system. This technique is portrayed in the 1995 film Hackers, when protagonist Dade “Zero Cool” Murphy calls a somewhat clueless employee in charge of security at a television network. Posing as an accountant working for the same company, Dade tricks the employee into giving him the phone number of a modem so he can gain access to the company’s computer system.

Hackers who use this technique must have cool personalities, and be familiar with their target’s security practices, in order to trick the system administrator into giving them information. In some cases, a help-desk employee with limited security experience will answer the phone and be relatively easy to trick. Another approach is for the hacker to pose as an angry supervisor, and when his/her authority is questioned, threaten to fire the help-desk worker. Social engineering is very effective, because users are the most vulnerable part of an organization. No security devices or programs can keep an organization safe if an employee reveals a password to an unauthorized person.

Social engineering can be broken down into four sub-groups:

• Intimidation: As in the “angry supervisor” technique above, the hacker convinces the person who answers the phone that their job is in danger unless they help them. At this point, many people accept that the hacker is a supervisor and give them the information they seek.

• Helpfulness: The opposite of intimidation, helpfulness exploits many people’s natural instinct to help others solve problems. Rather than acting angry, the hacker acts distressed and concerned. The help desk is the most vulnerable to this type of social engineering, as (a.) its general purpose is to help people; and (b.) it usually has the authority to change or reset passwords, which is exactly what the hacker wants.

• Name-dropping: The hacker uses names of authorized users to convince the person who answers the phone that the hacker is a legitimate user him or herself. Some of these names, such as those of webpage owners or company officers, can easily be obtained online. Hackers have also been known to obtain names by examining discarded documents (so-called “dumpster diving”).

• Technical: Using technology is also a way to get information. A hacker can send a fax or email to a legitimate user, seeking a response that contains vital information. The hacker may claim that he or she is involved in law enforcement and needs certain data for an investigation, or for record-keeping purposes.

Trojan horses: A Trojan horse is a program that seems to be doing one thing but is actually doing another. It can be used to set up a back door in a computer system, enabling the intruder to gain access later. (The name refers to the horse from the Trojan War, with the conceptually similar function of deceiving defenders into bringing an intruder into a protected area.)

Computer virus: A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. By doing this, it behaves similarly to a biological virus, which spreads by inserting itself into living cells. While some viruses are harmless or mere hoaxes, most are considered malicious.

Computer worm: Like a virus, a worm is also a self-replicating program. It differs from a virus in that (a.) it propagates through computer networks without user intervention; and (b.) does not need to attach itself to an existing program. Nonetheless, many people use the terms “virus” and “worm” interchangeably to describe any self-propagating program.

Keystroke logging: A keylogger is a tool designed to record (“log”) every keystroke on an affected machine for later retrieval, usually to allow the user of this tool to gain access to confidential information typed on the affected machine. Some keyloggers use virus-, trojan-, and rootkit-like methods to conceal themselves. However, some of them are used for legitimate purposes, even to enhance computer security. For example, a business may maintain a keylogger on a computer used at a point of sale to detect evidence of employee fraud.

Tools and Procedures: A thorough examination of hacker tools and procedures may be found in Cengage Learning’s E|CSA certification workbook.[20]

17.4 Notable intruders and criminal hackers

Main article: List of computer criminals

17.5 Notable security hackers

Main article:

• is an advocate, security researcher, and developer for the Tor project. He speaks internationally for usage of Tor by human rights groups and others concerned about Internet anonymity and censorship.

• Rakshit Tandon is a prominent cyber security researcher from India with primary focus on combating online abuse of women and children.

• Eric Corley (also known as Emmanuel Goldstein) is the longstanding publisher of 2600: The Hacker Quarterly. He is also the founder of the Hackers on Planet Earth (HOPE) conferences. He has been part of the hacker community since the late 1970s.

• Ed Cummings (also known as Bernie S) is a longstanding writer for 2600: The Hacker Quarterly. In 1995, he was arrested and charged with possession of technology that could be used for fraudulent purposes, and set legal precedents after being denied both a bail hearing and a speedy trial.

• Dan Kaminsky is a DNS expert who exposed multiple flaws in the protocol and investigated Sony’s rootkit security issues in 2005. He has spoken in front of the United States Senate on technology issues.

• Andrew Auernheimer, sentenced to 3 years in prison, is a grey hat hacker whose security group Goatse Security exposed a flaw in AT&T’s iPad security.

• Gordon Lyon, known by the handle Fyodor, authored the Security Scanner as well as many network security books and web sites. He is a founding member of the Honeynet Project and Vice President of Computer Professionals for Social Responsibility.

• Gary McKinnon is a Scottish hacker facing extradition to the United States to face criminal charges. Many people in the UK have called on the authorities to be lenient with McKinnon, who suffers from Asperger syndrome.[21]

• Kevin Mitnick is a computer security consultant and author, formerly the most wanted computer criminal in United States history.[22]

• Rafael Núñez, a.k.a. RaFa, was a notorious hacker who was sought by the Federal Bureau of Investigation in 2001. He has since become a respected computer security consultant and an advocate of children’s online safety.

• Meredith L. Patterson is a well-known technologist and biohacker who has presented research with Dan Kaminsky and Len Sassaman at many international security and hacker conferences.

• Len Sassaman was a Belgian computer programmer and technologist who was also a privacy advocate.

• Solar Designer is the pseudonym of the founder of the Openwall Project.

• Michał Zalewski (lcamtuf) is a prominent security researcher.

17.6 Customs

The computer underground[1] has produced its own specialized slang, such as 1337speak. Its members often advocate freedom of information, strongly opposing the principles of copyright, as well as the rights of free speech and privacy. Writing software and performing other activities to support these views is referred to as hacktivism. Some consider illegal cracking ethically justified for these goals; a common form is website defacement. The computer underground is frequently compared to the Wild West.[23] It is common for hackers to use aliases to conceal their identities.

17.6.1 Hacker groups and conventions

Main articles: Hacker conference and Hacker group

The computer underground is supported by regular real-world gatherings called hacker conventions or “hacker cons”. These events include SummerCon (Summer), DEF CON, HoHoCon (Christmas), ShmooCon (February), BlackHat, Chaos Communication Congress, AthCon, Hacker Halted, and HOPE. Local Hackfest groups organize and compete to develop their skills to send a team to a prominent convention to compete in group pentesting, exploit and forensics on a larger scale. Hacker groups became popular in the early 1980s, providing access to hacking information and resources and a place to learn from other members. Computer bulletin board systems (BBSs), such as the Utopias, provided platforms for information-sharing via dial-up modem. Hackers could also gain credibility by being affiliated with elite groups.[24]

17.7 Consequences for malicious hacking

17.7.1 India

17.7.2 Netherlands

• Article 138ab of Wetboek van Strafrecht prohibits computervredebreuk, which is defined as intruding an automated work or a part thereof with intention and against the law. Intrusion is defined as access by means of:

  • Defeating security measures
  • By technical means
  • By false signals or a false cryptographic key
  • By the use of stolen usernames and passwords.

Maximum imprisonment is one year or a fine of the fourth category.[25]

17.7.3 United States

18 U.S.C. § 1030, more commonly known as the Computer Fraud and Abuse Act, prohibits unauthorized access or damage of “protected computers”. “Protected computers” are defined in 18 U.S.C. § 1030(e)(2) as:

• A computer exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government.

• A computer which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

The maximum imprisonment or fine for violations of the Computer Fraud and Abuse Act depends on the severity of the violation and the offender’s history of violations under the Act.

17.8 Hacking and the media

17.8.1 Hacker magazines

Main category: Hacker magazines

The most notable hacker-oriented print publications are Phrack, Hakin9 and 2600: The Hacker Quarterly. While the information contained in hacker magazines and ezines was often outdated by the time they were published, they enhanced their contributors’ reputations by documenting their successes.[24]

17.8.2 Hackers in fiction

See also: List of fictional hackers

Hackers often show an interest in fictional cyberpunk and cyberculture literature and movies. The adoption of fictional pseudonyms,[26] symbols, values and metaphors from these works is very common.[27]

Books

• The cyberpunk novels of William Gibson—especially the Sprawl trilogy—are very popular with hackers.[28]
• Helba from the .hack manga and anime series
• Merlin of Amber, the protagonist of the second series in The Chronicles of Amber by Roger Zelazny, is a young immortal hacker-mage who has the ability to traverse shadow dimensions.
• Lisbeth Salander in The Girl with the Dragon Tattoo by Stieg Larsson
• Alice from Heaven’s Memo Pad
• Ender’s Game by Orson Scott Card
• Evil Genius by Catherine Jinks
• Hackers (anthology) by Jack Dann and Gardner Dozois
• Little Brother by Cory Doctorow
• Neuromancer by William Gibson
• Snow Crash by Neal Stephenson

Films

• Antitrust
• Cypher
• Eagle Eye
• Enemy of the State
• Firewall
• Girl With The Tattoo
• Hackers
• Live Free or Die Hard
• The Matrix series
• The Net
• The Net 2.0
• Pirates of Silicon Valley
• Skyfall
• Sneakers
• Swordfish
• Take Down
• Tron
• Tron: Legacy
• Untraceable
• WarGames
• Weird Science
• The Fifth Estate
• Who Am I – No System Is Safe (film)

17.8.3 Non-fiction books

• The Art of Deception by Kevin Mitnick
• The Art of Intrusion by Kevin Mitnick
• The Cuckoo’s Egg by Clifford Stoll
• Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick
• by Bruce Sterling
• The Hacker’s Handbook by Hugo Cornwall (Peter Sommer)
• Hacking: The Art of Exploitation Second Edition by Jon Erickson
• Out of the Inner Circle by Bill Landreth and Howard Rheingold
• Underground by Suelette Dreyfus

17.9 See also

• Computer crime
• Cracking of wireless networks
• Cyber spying
• Cyber Storm Exercise
• Hack value
• Hacker (programmer subculture)
• Hacker Manifesto
• Hacker (term)
• IT risk
• Mathematical beauty
• Metasploit Project
• Penetration test
• Technology assessment
• Vulnerability (computing)

17.10 References

[1] Sterling, Bruce (1993). “Part 2(d)”. The Hacker Crackdown. McLean, Virginia: IndyPublish.com. p. 61. ISBN 1-4043-0641-2.

[2] Blomquist, Brian (May 29, 1999). “FBI’s Web Site Socked as Hackers Target Feds”. New York Post.

[3] “The Hacker’s Dictionary”. Retrieved 23 May 2013.

[4] Political notes from 2012: September–December. stallman.org

[5] Raymond, Eric S. “Jargon File: Cracker”. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker

[6] Clifford, D. (2011). Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime. Durham, North Carolina: Carolina Academic Press. ISBN 1594608539.

[7] Wilhelm, Douglas (2010). “2”. Professional Penetration Testing. Syngress Press. p. 503. ISBN 978-1-59749-425-0.

[8] EC-Council. eccouncil.org

[9] Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258. ISBN 1-59345-303-5.

[10] Moore, Robert (2006). Cybercrime: Investigating High-Technology Computer Crime (1st ed.). Cincinnati, Ohio: Anderson Publishing. ISBN 978-1-59345-303-9.

[11] O'Brien, Marakas, James, George (2011). Management Information Systems. New York, NY: McGraw-Hill/Irwin. pp. 536–537. ISBN 978-0-07-752217-9.

[12] Thomas, Douglas (2002). Hacker Culture. University of Minnesota Press. ISBN 978-0-8166-3346-3.

[13] Andress, Mandy; Cox, Phil; Tittel, Ed (2001). CIW Security Professional. New York, NY: Wiley. p. 638. ISBN 0-7645-4822-0.

[14] “Blue hat hacker Definition”. PC Magazine Encyclopedia. Retrieved May 31, 2010. A security professional invited by Microsoft to find vulnerabilities in Windows.

[15] Fried, Ina (June 15, 2005). “Blue Hat summit meant to reveal ways of the other side”. Microsoft meets the hackers. CNET News. Retrieved May 31, 2010.

[16] Markoff, John (October 17, 2005). “At Microsoft, Interlopers Sound Off on Security”. The New York Times. Retrieved May 31, 2010.

[17] Chabrow, Eric (February 25, 2012). “7 Levels of Hackers: Applying An Ancient Chinese Lesson: Know Your Enemies”. GovInfo Security. Retrieved February 27, 2012.

[18] Gupta, Ajay; Klavinsky, Thomas and Laliberte, Scott (March 15, 2002) Security Through Penetration Testing: Internet Penetration. informit.com

[19] Rodriguez, Chris; Martinez, Richard. “The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security” (PDF). Frost & Sullivan. Retrieved 13 August 2013.

[20] Press, EC-Council (2011). Penetration Testing: Procedures & Methodologies. Clifton, NY: CENGAGE Learning. ISBN 1435483677.

[21] “Gary McKinnon extradition ruling due by 16 October”. BBC News. September 6, 2012. Retrieved September 25, 2012.

[22] “Kevin Mitnick sentenced to nearly four years in prison; computer hacker ordered to pay restitution ...” (Press release). United States Attorney’s Office, Central District of California. August 9, 1999. Retrieved April 10, 2010.

[23] Jordan, Tim and Taylor, Paul A. (2004). Hacktivism and Cyberwars. Routledge. pp. 133–134. ISBN 978-0-415-26003-9. Wild West imagery has permeated discussions of cybercultures.

[24] Thomas, Douglas (2003). Hacker Culture. University of Minnesota Press. p. 90. ISBN 978-0-8166-3346-3.

[25] Artikel 138ab. Wetboek van Strafrecht, December 27, 2012

[26] Swabey, Pete (27 February 2013). “Data leaked by Anonymous appears to reveal Bank of America’s hacker profiling operation”. Information Age. Retrieved 21 February 2014.

[27] “Hackers and Viruses: Questions and Answers”. Scienzagiovane. University of Bologna. 12 November 2012. Retrieved 21 February 2014.

[28] Staples, Brent (May 11, 2003). “A Prince of Cyberpunk Fiction Moves Into the Mainstream”. The New York Times. Mr. Gibson’s novels and short stories are worshiped by hackers

17.11 Further reading

• Apro, Bill; Hammond, Graeme (2005). Hackers: The Hunt for Australia’s Most Infamous Computer Cracker. Rowville, Vic: Five Mile Press. ISBN 1-74124-722-5.

• Beaver, Kevin (2010). Hacking for Dummies. Hoboken, NJ: Wiley Pub. ISBN 978-0-7645-5784-2.

• Conway, Richard; Cordingley, Julian (2004). Code Hacking: A Developer’s Guide to Network Security. Hingham, Mass: Charles River Media. ISBN 978-1-58450-314-9.

• Freeman, David H.; Mann, Charles C. (1997). At Large: The Strange Case of the World’s Biggest Internet Invasion. New York: Simon & Schuster. ISBN 0-684-82464-7.

• Granville, Johanna (Winter 2003). “Dot.Con: The Dangers of Cyber Crime and a Call for Proactive Solutions”. Australian Journal of Politics and History 49 (1): 102–109. doi:10.1111/1467-8497.00284. Retrieved 20 February 2014.

• Gregg, Michael (2006). Certified Ethical Hacker. Indianapolis, Ind: Que Certification. ISBN 978-0-7897-3531-7.

• Hafner, Katie; Markoff, John (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Simon & Schuster. ISBN 0-671-68322-5.

• Harper, Allen; Harris, Shon; Ness, Jonathan (2011). Gray Hat Hacking: The Ethical Hacker’s Handbook (3rd ed.). New York: McGraw-Hill. ISBN 978-0-07-174255-9.

• McClure, Stuart; Scambray, Joel; Kurtz, George (1999). Hacking Exposed: Network Security Secrets and Solutions. Berkeley, Calif: Mcgraw-Hill. ISBN 0-07-212127-0.

• Russell, Ryan (2004). Stealing the Network: How to Own a Continent. Rockland, Mass: Syngress Media. ISBN 978-1-931836-05-0.

• Taylor, Paul A. (1999). Hackers: Crime in the Digital Sublime. London: Routledge. ISBN 978-0-415-18072-6.

17.12 External links

• CNN Tech PCWorld Staff (November 2001). Timeline: A 40-year history of hacking from 1960 to 2001

• Can Hackers Be Heroes? Video produced by Off Book (web series)

Chapter 18

Hacker (term)

Hacker is a term that is used to mean a variety of different things in computing. Depending on the context, the term can refer to a person in any one of several distinct (but not completely disjoint) communities and subcultures:[1]

• People committed to circumvention of computer security. This primarily concerns unauthorized remote computer break-ins via communication networks such as the Internet (Black hats), but also includes those who debug or fix security problems (White hats), and the morally ambiguous Grey hats. See Hacker (computer security).

• A community of enthusiast computer programmers and systems designers, originated in the 1960s around the Massachusetts Institute of Technology's (MIT’s) Tech Model Railroad Club (TMRC) and MIT Artificial Intelligence Laboratory.[2] This community is notable for launching the free software movement. The World Wide Web and Internet are hacker artifacts.[3] The Request for Comments RFC 1392 amplifies this meaning as “[a] person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.” See Hacker (programmer subculture).

• The hobbyist home computing community, focusing on hardware in the late 1970s (e.g. the Homebrew Computer Club)[4] and on software (video games,[5] software cracking, the demoscene) in the 1980s/1990s. The community included Steve Wozniak, Bill Gates and Paul Allen and created the personal computing industry.[6] See Hacker (hobbyist).

Today, mainstream usage of “hacker” mostly refers to computer criminals, due to the mass media usage of the word since the 1980s. This includes what hacker slang calls “script kiddies,” people breaking into computers using programs written by others, with very little knowledge about the way they work. This usage has become so predominant that the general public is unaware that different meanings exist. While the self-designation of hobbyists as hackers is acknowledged by all three kinds of hackers, and the computer security hackers accept all uses of the word, people from the programmer subculture consider the computer intrusion related usage incorrect, and emphasize the difference between the two by calling security breakers “crackers” (analogous to a safecracker).

18.1 Hacker definition controversy

Currently, “hacker” is used in two main conflicting ways

1. as someone who is able to subvert computer security; if doing so for malicious purposes, the person can also be called a cracker.

2. an adherent of the technology and programming subculture.

The controversy is usually based on the assumption that the term originally meant someone messing about with something in a positive sense, that is, using playful cleverness to achieve a goal. But then, it is supposed, the meaning of the term shifted over the decades since it first came into use in a computer context and came to refer to computer criminals.

As usage has spread more widely, the primary misunderstanding of newer users conflicts with the original primary emphasis. In popular usage and in the media, computer intruders or criminals is the exclusive meaning today, with associated pejorative connotations. (For example, “An Internet 'hacker' broke through state government security systems in March.”) In the computing community, the primary meaning is a complimentary description for a particularly brilliant programmer or technical expert. (For example, “Linus Torvalds, the creator of Linux, is considered by some to be a hacker.”) A large segment of the technical community insist the latter is the “correct” usage of the word (see the Jargon File definition below).

The mainstream media's current usage of the term may be traced back to the early 1980s. When the term was introduced to wider society by the mainstream media in 1983, even those in the computer community referred to computer intrusion as “hacking”, although not as the exclusive use of that word. In reaction to the increasing media use of the term exclusively with the criminal connotation, the computer community began to differentiate their terminology. Alternative terms such as “cracker” were coined in an effort to distinguish between those adhering to the historical use of the term “hack” within the programmer community and those performing computer break-ins. Further terms such as “black hat”, “white hat” and “gray hat” developed when laws against breaking into computers came into effect, to distinguish criminal activities and those activities which were legal.

However, since network news use of the term pertained primarily to the criminal activities despite this attempt by the technical community to preserve and distinguish the original meaning, the mainstream media and general public continue to describe computer criminals with all levels of technical sophistication as “hackers” and do not generally make use of the word in any of its non-criminal connotations. Members of the media sometimes seem unaware of the distinction, grouping legitimate “hackers” such as Linus Torvalds and along with criminal “crackers”.[7]

As a result of this difference, the definition is the subject of heated controversy. The wider dominance of the pejorative connotation is resented by many who object to the term being taken from their cultural jargon and used negatively,[8] including those who have historically preferred to self-identify as hackers. Many advocate using the more recent and nuanced alternate terms when describing criminals and others who negatively take advantage of security flaws in software and hardware. Others prefer to follow common popular usage, arguing that the positive form is confusing and unlikely to become widespread in the general public. A minority still use the term in both original senses despite the controversy, leaving context to clarify (or leave ambiguous) which meaning is intended.

However, the positive definition of hacker was widely used as the predominant form for many years before the negative definition was popularized. “Hacker” can therefore be seen as a shibboleth, identifying those who use the technically oriented sense (as opposed to the exclusively intrusion-oriented sense) as members of the computing community.

A possible middle ground position has been suggested, based on the observation that “hacking” describes a collection of skills which are used by hackers of both descriptions for differing reasons. The analogy is made to locksmithing, specifically picking locks, which—aside from its being a skill with a fairly high tropism to 'classic' hacking—is a skill which can be used for good or evil. The primary weakness of this analogy is the inclusion of script kiddies in the popular usage of “hacker”, despite the lack of an underlying skill and knowledge base. Sometimes, hacker also is simply used synonymously with geek: “A true hacker is not a group person. He’s a person who loves to stay up all night, he and the machine in a love-hate relationship... They're kids who tended to be brilliant but not very interested in conventional goals[...] It’s a term of derision and also the ultimate compliment.”[9]

Fred Shapiro thinks that “the common theory that 'hacker' originally was a benign term and the malicious connotations of the word were a later perversion is untrue.” He found out that the malicious connotations were present at MIT in 1963 already (quoting The Tech, an MIT student newspaper) and then referred to unauthorized users of the telephone network,[10][11] that is, the phreaker movement that developed into the computer security hacker subculture of today.

18.2 Computer security hackers

Main article: Hacker (computer security)

(Image: Bruce Sterling, author of The Hacker Crackdown)

In computer security, a hacker is someone who focuses on security mechanisms of computer and network systems. While including those who endeavor to strengthen such mechanisms, it is more often used by the mass media and popular culture to refer to those who seek access despite these security measures. That is, the media portrays the 'hacker' as a villain. Nevertheless, parts of the subculture see their aim in correcting security problems and use the word in a positive sense. White hat is the name given to ethical computer hackers, who utilize hacking in a helpful way. White hats are becoming a necessary part of the information security field.[12] They operate under a code, which acknowledges that breaking into other people’s computers is bad, but that discovering and exploiting security mechanisms and breaking into computers is still an interesting activity that can be done ethically and legally. Accordingly, the term bears strong connotations that are favorable or pejorative, depending on the context.

The subculture around such hackers is termed network hacker subculture, hacker scene or computer underground. It initially developed in the context of phreaking during the 1960s and the microcomputer BBS scene of the 1980s. It is implicated with 2600: The Hacker Quarterly and the alt.2600 newsgroup.

In 1980, an article in the August issue of Psychology Today (with commentary by Philip Zimbardo) used the term “hacker” in its title: “The Hacker Papers”. It was an excerpt from a Stanford Bulletin Board discussion on the addictive nature of computer use. In the 1982 film Tron, Kevin Flynn (Jeff Bridges) describes his intentions to break into ENCOM’s computer system, saying “I've been doing a little hacking here”. CLU is the software he uses for this. By 1983, hacking in the sense of breaking computer security had already been in use as computer jargon,[13] but there was no public awareness about such activities.[14] However, the release of the film WarGames that year, featuring a computer intrusion into NORAD, raised the public belief that computer security hackers (especially teenagers) could be a threat to national security. This concern became real when, in the same year, a gang of teenage hackers in Milwaukee, Wisconsin, known as The 414s, broke into computer systems throughout the United States and Canada, including those of Los Alamos National Laboratory, Sloan-Kettering Cancer Center and Security Pacific Bank.[15] The case quickly drew media attention,[15][16] and 17-year-old Neal Patrick emerged as the spokesman for the gang, including a cover story in Newsweek entitled “Beware: Hackers at play”, with Patrick’s photograph on the cover.[17] The Newsweek article appears to be the first use of the word hacker by the mainstream media in the pejorative sense.

Pressured by media coverage, congressman Dan Glickman called for an investigation and began work on new laws against computer hacking.[18][19] Neal Patrick testified before the U.S. House of Representatives on September 26, 1983, about the dangers of computer hacking, and six bills concerning computer crime were introduced in the House that year.[19] As a result of these laws against computer criminality, white hat, grey hat and black hat hackers try to distinguish themselves from each other, depending on the legality of their activities. These moral conflicts are expressed in The Mentor's “The Hacker Manifesto”, published 1986 in Phrack.

Use of the term hacker meaning computer criminal was also advanced by the title “Stalking the Wily Hacker”, an article by Clifford Stoll in the May 1988 issue of the Communications of the ACM. Later that year, the release by Robert Tappan Morris, Jr. of the so-called Morris worm provoked the popular media to spread this usage. The popularity of Stoll’s book The Cuckoo’s Egg, published one year later, further entrenched the term in the public’s consciousness.

18.3 Programmer subculture of hackers

Main article: Hacker (programmer subculture)

In the programmer subculture of hackers, a hacker is a person who follows a spirit of playful cleverness and loves programming. It is found in an originally academic movement unrelated to computer security and most visibly associated with free software and open source. It also has a hacker ethic, based on the idea that writing software and sharing the result on a voluntary basis is a good idea, and that information should be free, but that it’s not up to the hacker to make it free by breaking into private computer systems. This hacker ethic was publicized and perhaps originated in Steven Levy's Hackers: Heroes of the Computer Revolution (1984). It contains a codification of its principles.

The programmer subculture of hackers disassociates from the mass media’s pejorative use of the word 'hacker' referring to computer security, and usually prefer the term 'cracker' for that meaning. Complaints about supposed mainstream misuse started as early as 1983, when media used “hacker” to refer to the computer criminals involved in the 414s case.[20]

In the programmer subculture of hackers, a computer hacker is a person who enjoys designing software and building programs with a sense for aesthetics and playful cleverness. The term hack in this sense can be traced back to “describe the elaborate college pranks that...students would regularly devise” (Levy, 1984 p. 10). To be considered a 'hack' was an honor among like-minded peers as “to qualify as a hack, the feat must be imbued with innovation, style and technical virtuosity” (Levy, 1984 p. 10). The MIT Tech Model Railroad Club Dictionary defined hack in 1959 (not yet in a computer context) as “1) an article or project without constructive end; 2) a project undertaken on bad self-advice; 3) an entropy booster; 4) to produce, or attempt to produce, a hack(3)”, and “hacker” was defined as “one who hacks, or makes them”. Much of TMRC’s jargon was later imported into early computing culture, because the club started using a DEC PDP-1 and applied its local model railroad slang in this computing context. Initially incomprehensible to outsiders, the slang also became popular in MIT’s computing environments beyond the club. Other examples of jargon imported from the club are 'losing' (“when a piece of equipment is not working”)[21] and 'munged' (“when a piece of equipment is ruined”).[21]

According to Eric S. Raymond,[22] the Open Source and Free Software hacker subculture developed in the 1960s among 'academic hackers’[23] working on early minicomputers in computer science environments in the United States.

Hackers were influenced by and absorbed many ideas of

from the everyday English sense “to cut or shape by or as if by crude or ruthless strokes” [Merriam-Webster] and is even used among users of the positive sense of “hacker” who produces “cool” or “neat” hacks. In other words to “hack” at an original creation, as if with an axe, is to force- fit it into being usable for a task not intended by the orig- inal creator, and a “hacker” would be someone who does this habitually. (The original creator and the hacker may be the same person.) This usage is common in both pro- gramming, engineering and building. In programming, hacking in this sense appears to be tolerated and seen as a necessary compromise in many situations. Some argue that it should not be, due to this negative meaning; oth- ers argue that some kludges can, for all their ugliness and imperfection, still have “hack value”. In non-software engineering, the culture is less tolerant of unmaintainable solutions, even when intended to be tem- porary, and describing someone as a “hacker” might im- A Hacker Emblem proposed by Eric S. Raymond. ply that they lack professionalism. In this sense, the term has no real positive connotations, except for the idea that the hacker is capable of doing modifications that allow a key technological developments and the people associated system to work in the short term, and so has some sort with them. Most notable is the technical culture of the of marketable skills. However, there is always the under- pioneers of the Arpanet, starting in 1969. The PDP-10 standing that a more skillful or technical logician could machine AI at MIT, which was running the ITS operating have produced successful modifications that would not system and which was connected to the Arpanet, provided be considered a “hack-job”. The definition is similar to an early hacker meeting point. After 1980 the subculture other, non-computer based uses of the term “hack-job”. coalesced with the culture of Unix. 
Since the mid-1990s, For instance, a professional modification of a production it has been largely coincident with what is now called the sports car into a racing machine would not be considered free software and open source movement. a hack-job, but a cobbled together backyard mechanic’s result could be. Even though the outcome of a race of the Many programmers have been labeled “great two machines could not be assumed, a quick inspection [24] hackers”, but the specifics of who that label applies would instantly reveal the difference in the level of pro- to is a matter of opinion. Certainly major contributors fessionalism of the designers. The adjective associated to computer science such as Edsger Dijkstra and Donald with hacker is “hackish” (see the Jargon file). Knuth, as well as the inventors of popular software such as Linus Torvalds (Linux), and Dennis Ritchie and Ken In a very universal sense, hacker also means someone who Thompson (the C programming language) are likely to makes things work beyond perceived limits in a clever be included in any such list; see also List of program- way in general, without necessarily referring to com- [3] mers. People primarily known for their contributions puters, especially at MIT. That is, people who apply to the consciousness of the programmer subculture of the creative attitude of software hackers in fields other hackers include Richard Stallman, the founder of the than computing. This includes even activities that pre- free software movement and the GNU project, president date computer hacking, for example reality hackers or of the and author of the urban spelunkers (exploring undocumented or unautho- famous text editor as well as the GNU Compiler rized areas in buildings). One specific example is clever [25] Collection (GCC), and Eric S. Raymond, one of the pranks traditionally perpetrated by MIT students, with founders of the Open Source Initiative and writer of the the perpetrator being called hacker. 
For example, when famous text The Cathedral and the Bazaar and many MIT students surreptitiously put a fake police car atop [26] other essays, maintainer of the Jargon File (which was the dome on MIT’s Building 10, that was a hack in previously maintained by Guy L. Steele, Jr.). this sense, and the students involved were therefore hack- ers. Another type of hacker is now called a reality Within the computer programmer subculture of hack- hacker. More recent examples of usage for almost any ers, the term hacker is also used for a programmer who type of playful cleverness are wetware hackers (“hack reaches a goal by employing a series of modifications to your brain”), media hackers and “hack your reputation”. extend existing code or resources. In this sense, it can In a similar vein, a “hack” may refer to a math hack, that have a negative connotation of using inelegant kludges to is, a clever solution to a mathematical problem. The GNU accomplish programming tasks that are quick, but ugly, General Public License has been described as a copyright inelegant, difficult to extend, hard to maintain and inef- hack because it cleverly uses the copyright laws for a pur- ficient. This derogatory form of the noun "hack" derives 94 CHAPTER 18. HACKER (TERM) pose the lawmakers did not foresee. All of these uses now producing the strange, dis-harmonic digital tones that be- also have spread beyond MIT as well. came part of the techno music style. Companies take different attitudes towards such practices, ranging from open acceptance (such as Texas Instruments for its graph- 18.4 Home computer hackers ing calculators and Lego for its Lego Mindstorms robotics gear) to outright hostility (such as Microsoft's attempts to lock out Xbox hackers or the DRM routines on Blu-ray Main article: Hacker (hobbyist) Disc players designed to sabotage compromised players.) 
In this context, a “hack” refers to a program that (some- In yet another context, a hacker is a computer hobbyist times illegally) modifies another program, often a video who pushes the limits of software or hardware. The home game, giving the user access to features otherwise inac- computer hacking subculture relates to the hobbyist home cessible to them. As an example of this use, for Palm computing of the late 1970s, beginning with the availabil- OS users (until the 4th iteration of this operating sys- ity of MITS Altair. An influential organization was the tem), a “hack” refers to an extension of the operating sys- Homebrew Computer Club. However, its roots go back tem which provides additional functionality. Term also further to amateur radio enthusiasts. The amateur radio refers to those people who cheat on video games using slang referred to creatively tinkering to improve perfor- [27] special software. This can also refer to the jailbreaking mance as “hacking” already in the 1950s. of iPhones. A large overlaps between hobbyist hackers and the pro- grammer subculture hackers existed during the Home- brew Club’s days, but the interests and values of both communities somewhat diverged. Today, the hobby- 18.5 Overlaps and differences ists focus on commercial computer and video games, software cracking and exceptional computer program- The main basic difference between programmer subcul- ming (demo scene). Also of interest to some members ture and computer security hackers is their mostly sep- of this group is the modification of computer hardware arate historical origin and development. However, the and other electronic devices, see modding. Jargon File reports that considerable overlap existed for the early phreaking at the beginning of the 1970s. 
An article from MIT’s student paper The Tech used the term hacker in this context already in 1963 in its pejorative meaning for someone messing with the phone system.[10] The overlap quickly started to break when people joined in the activity who did it in a less responsible way.[28] This was the case after the publication of an article exposing the activities of Draper and Engressia. According to Raymond, hackers from the programmer subculture usually work openly and use their real name, while computer security hackers prefer secretive groups and identity-concealing aliases.[29] Also, their activities in practice are largely distinct. The former focus on cre- ating new and improving existing infrastructure (espe- cially the software environment they work with), while A DIY musician probes the circuit board of a synthesizer for the latter primarily and strongly emphasize the general “bends” using a jeweler’s screwdriver and alligator clips act of circumvention of security measures, with the ef- Electronics hobbyists working on machines other than fective use of the knowledge (which can be to report and computers also fall into this category. This includes peo- help fixing the security bugs, or exploitation for criminal ple who do simple modifications to graphing calculators, purpose) being only rather secondary. The most visible video game consoles, electronic musical keyboards or difference in these views was in the design of the MIT other device (see CueCat for a notorious example) to ex- hackers’ Incompatible Timesharing System, which delib- pose or add functionality to a device that was unintended erately did not have any security measures. for use by end users by the company who created it. There are some subtle overlaps, however, since ba- A number of techno musicians have modified 1980s-era sic knowledge about computer security is also common Casio SK-1 sampling keyboards to create unusual sounds within the programmer subculture of hackers. 
For exam- by doing circuit bending: connecting wires to different ple, Ken Thompson noted during his 1983 Turing Award leads of the integrated circuit chips. The results of these lecture that it is possible to add code to the UNIX “lo- DIY experiments range from opening up previously in- gin” command that would accept either the intended en- accessible features that were part of the chip design to crypted password or a particular known password, allow- 18.6. FILMOGRAPHY 95 ing a back door into the system with the latter password. grammer subculture of hackers has stories about sev- He named his invention the "Trojan horse". Furthermore, eral hardware hacks in its folklore, such as a mysterious Thompson argued, the C compiler itself could be modi- 'magic' switch attached to a PDP-10 computer in MIT’s fied to automatically generate the rogue code, to make de- AI lab, that, when turned off, crashed the computer.[33] tecting the modification even harder. Because the com- The early hobbyist hackers built their home computers piler is itself a program generated from a compiler, the themselves, from construction kits. However, all these Trojan horse could also be automatically installed in a activities have died out during the 1980s, when the phone new compiler program, without any detectable modifica- network switched to digitally controlled switchboards, tion to the source of the new compiler. However, Thomp- causing network hacking to shift to dialing remote com- son disassociated himself strictly from the computer se- puters with modems, when pre-assembled inexpensive curity hackers: “I would like to criticize the press in its home computers were available, and when academic in- handling of the 'hackers,' the 414 gang, the Dalton gang, stitutions started to give individual mass-produced work- etc. The acts performed by these kids are vandalism at station computers to scientists instead of using a central best and probably trespass and theft at worst. ... 
I have timesharing system. The only kind of widespread hard- watched kids testifying before Congress. It is clear that ware modification nowadays is case modding. they are completely unaware of the seriousness of their [30] An encounter of the programmer and the computer secu- acts.” rity hacker subculture occurred at the end of the 1980s, The programmer subculture of hackers sees secondary when a group of computer security hackers, sympathiz- circumvention of security mechanisms as legitimate if it ing with the (who disclaimed any is done to get practical barriers out of the way for doing knowledge in these activities), broke into computers of actual work. In special forms, that can even be an ex- American military organizations and academic institu- pression of playful cleverness.[31] However, the system- tions. They sold data from these machines to the Soviet atic and primary engagement in such activities is not one secret service, one of them in order to fund his drug ad- of the actual interests of the programmer subculture of diction. The case could be solved when Clifford Stoll, a hackers and it does not have significance in its actual scientist working as a system administrator, found ways activities, either.[29] A further difference is that, histor- to log the attacks and to trace them back (with the help of ically, members of the programmer subculture of hack- many others). 23, a German film adaption with fictional ers were working at academic institutions and used the elements, shows the events from the attackers’ perspec- computing environment there. In contrast, the prototyp- tive. Stoll described the case in his book The Cuckoo’s ical computer security hacker had access exclusively to a Egg and in the TV documentary The KGB, the Computer, home computer and a modem. However since the mid- and Me from the other perspective. According to Eric 1990s, with home computers that could run Unix-like op- S. 
Raymond, it “nicely illustrates the difference between erating systems and with inexpensive internet home ac- 'hacker' and 'cracker'. Stoll’s portrait of himself, his lady cess being available for the first time, many people from Martha, and his friends at Berkeley and on the Internet outside of the academic world started to take part in the paints a marvelously vivid picture of how hackers and the programmer subculture of hacking. people around them like to live and how they think.”[34] Since the mid-1980s, there are some overlaps in ideas and members with the computer security hacking com- munity. The most prominent case is Robert T. Mor- 18.6 Filmography ris, who was a user of MIT-AI, yet wrote the Morris worm. The Jargon File hence calls him “a true hacker • WarGames (1983) who blundered”.[32] Nevertheless, members of the pro- grammer subculture have a tendency to look down on and • Sneakers (1992) disassociate from these overlaps. They commonly refer disparagingly to people in the computer security subcul- • The Net (1995) ture as crackers, and refuse to accept any definition of hacker that encompasses such activities. The computer • Hackers (1995) security hacking subculture on the other hand tends not • to distinguish between the two subcultures as harshly, in- Pirates of Silicon Valley (1999) stead acknowledging that they have much in common in- • Track Down (2000) cluding many members, political and social goals, and a love of learning about technology. They restrict the use • Swordfish (2001) of the term cracker to their categories of script kiddies and black hat hackers instead. • Antitrust (2001) All three subcultures have relations to hardware modifi- • The Social Network (2010) cations. In the early days of network hacking, phreaks were building blue boxes and various variants. The pro- • Blackhat (2015) 96 CHAPTER 18. HACKER (TERM)

18.7 See also

• Computer crime

• Cyberwarfare

• Exploit (computer security)

• Hack value

• Hackerspace

• Hacktivism

• IT risk

• Penetration test

• Vulnerability (computing)

18.8 References

[1] Löwgren, Jonas (February 23, 2000). “Hacker culture(s): Origins”. Retrieved 2008-10-18.

[2] Raymond, Eric (25 August 2000). “The Early Hackers”. A Brief History of Hackerdom. Thyrsus Enterprises. Retrieved 6 December 2008.

[3] Eric Steven Raymond (2001). “What Is a Hacker?”. How To Become A Hacker. Thyrsus Enterprises. Retrieved 2008-10-18.

[4] Levy, part 2

[5] Levy, part 3

[6] Sterling, Bruce. “cyberview_91.report”. hackers” had built the entire personal computer industry. Jobs was a hacker, Wozniak too, even Bill Gates, the youngest billionaire in the history of America -- all “hackers.

[7] DuBois, Shelley. “A who’s who of hackers”. Reporter. Fortune Magazine. Retrieved 19 June 2011.

[8] “TMRC site”. Archived from the original on 2006-05-03.

[9] Alan Kay quoted in Stewart Brand, “S P A C E W A R: Fanatic Life and Symbolic Death Among the Computer Bums:” In Rolling Stone (1972)

[10] Fred Shapiro: Antedating of “Hacker”. American Dialect Society Mailing List (13. June 2003)

[11] “The Origin of “Hacker””.

[12] Caldwell, Tracey (22 July 2011). “Ethical hackers: putting on the white hat”. Network Security 2011 (7): 10–13. doi:10.1016/s1353-4858(11)70075-7.

[13] See the 1981 version of the Jargon File, entry “hacker”, last meaning.

[14] “Computer hacking: Where did it begin and how did it grow?”. WindowSecurity.com. October 16, 2002.

[15] Elmer-DeWitt, Philip (August 29, 1983). “The 414 Gang Strikes Again”. Time. p. 75.

[16] Detroit Free Press. September 27, 1983.

[17] “Beware: Hackers at play”. Newsweek. September 5, 1983. pp. 42–46, 48.

[18] “Timeline: The U.S. Government and Cybersecurity”. Washington Post. 2003-05-16. Retrieved 2006-04-14.

[19] David Bailey, “Attacks on Computers: Congressional Hearings and Pending Legislation,” sp, p. 180, 1984 IEEE Symposium on Security and Privacy, 1984.

[20] j...@uvacs. UUCP (19 September 1983). “for hack ( er ) s who want to complain to CBS”. Newsgroup: net.followup net.misc, net.followup.

[21] Levy, Steven (2001) [1984]. Hackers: Heroes of the Computer Revolution. Penguin Books. p. 9. ISBN 0-14-100051-1.

[22] Eric S. Raymond: A Brief History of Hackerdom (2000)

[23] Raymond, Eric Steven (19 September 2003). “Reasons to Believe”. The Art of Unix Programming. Addison-Wesley.

[24] Graham, Paul (2004). “Great Hackers”.

[25] “MIT Gallery of Hacks”. Hacks.mit.edu. Retrieved 2013-11-30.

[26] “IHTFP Hack Gallery: CP Car on the Great Dome”. Hacks.mit.edu. 1994-05-09. Retrieved 2013-11-30.

[27] hacker. The Jargon Lexicon. Retrieved 2008-10-18.

[28] phreaking. The Jargon Lexicon. Retrieved 2008-10-18.

[29] cracker. The Jargon Lexicon. Retrieved 2008-10-18.

[30] Thompson, Ken (August 1984). “Reflections on Trusting Trust” (PDF). Communications of the ACM 27 (8): 761. doi:10.1145/358198.358210.

[31] Richard Stallman (2002). “The Hacker Community and Ethics: An Interview with Richard M. Stallman”. GNU Project. Retrieved 2008-10-18.

[32] Part III. Appendices. The Jargon Lexicon. Retrieved 2008-10-18.

[33] A Story About ‘Magic’. The Jargon Lexicon. Retrieved 2008-10-18.

[34] Part III. Appendices. The Jargon Lexicon. Retrieved 2008-10-18.

18.9 Further reading

• Michael Hasse: Die Hacker: Strukturanalyse einer jugendlichen Subkultur (1994)

18.9.1 Computer security

• Logik Bomb: Hacker’s Encyclopedia (1997)

• Revelation: The Ultimate Beginner’s Guide to Hacking & Phreaking (1996)

• Hafner, Katie; Markoff, John (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Simon & Schuster. ISBN 0-671-68322-5.

• Sterling, Bruce (1992). The Hacker Crackdown. Bantam. ISBN 0-553-08058-X.

• Slatalla, Michelle; Joshua Quittner (1995). Masters of Deception: The Gang That Ruled Cyberspace. HarperCollins. ISBN 0-06-017030-1.

• Dreyfus, Suelette (1997). Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier. Mandarin. ISBN 1-86330-595-5.

• Verton, Dan (2002). The Hacker Diaries: Confessions of Teenage Hackers. McGraw-Hill Osborne Media. ISBN 0-07-222364-2.

• Thomas, Douglas (2002). Hacker Culture. University of Minnesota Press. ISBN 0-8166-3345-2.

• Taylor, Paul A. (1999). Hackers: Crime in the Digital Sublime. Routledge. ISBN 978-0-415-18072-6.

• Levy, Steven (2002). Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age. Penguin. ISBN 0-14-024432-8.

• Ventre, Daniel (2009). Information Warfare. Wiley - ISTE. ISBN 978-1-84821-094-3.

18.9.2 Free Software/Open Source

• Raymond, Eric S.; Steele, Guy L., eds. (1996). The New Hacker’s Dictionary. The MIT Press. ISBN 0-262-68092-0.

• Raymond, Eric S. (2003). The Art of Unix Programming. Prentice Hall International. ISBN 0-13-142901-9.

• Levy, Steven (1984). Hackers: Heroes of the Computer Revolution. Doubleday. ISBN 0-385-19195-2.

• Turkle, Sherry (1984). The Second Self: Computers and the Human Spirit. MIT Press. ISBN 0-262-70111-1.

• Graham, Paul (2004). Hackers and Painters. Beijing: O'Reilly. ISBN 0-596-00662-4.

• Lakhani, Karim R.; Wolf, Robert G. (2005). “Why Hackers Do What They Do: Understanding Motivation and Effort in Free/Open Source Software Projects” (PDF). In Feller, J.; Fitzgerald, B.; Hissam, S. et al. Perspectives on Free and Open Source Software. MIT Press.

• Himanen, Pekka (2001). The Hacker Ethic and the Spirit of the Information Age. Random House. ISBN 0-375-50566-0.

• Ingo, Henrik (2006). Open Life: The Philosophy of Open Source. Lulu.com. ISBN 1-84728-611-9.

Chapter 19

Hacker group

Hacker groups began to flourish in the early 1980s, with the advent of the home computer. Prior to that, the term hacker was simply a referral to any computer hobbyist. The hacker groups were out to make names for themselves, and were often spurred on by their own press. This was a heyday of hacking, at a time before there was much law against computer crime. Hacker groups provided access to information and resources, and a place to learn from other members.[1] Hackers could also gain credibility by being affiliated with an elite group.[1] The names of hacker groups parody large corporations, governments, police and criminals;[2] and often used specialized orthography.[2]

19.1 See also

19.2 References

[1] Thomas, Douglas (2003). Hacker Culture. University of Minnesota Press. p. 90. ISBN 978-0-8166-3346-3.

[2] Sterling, Bruce (1993). “Part 2(d)”. The Hacker Crackdown. McLean, Virginia: IndyPublish.com. p. 61. ISBN 1-4043-0641-2.

19.3 External links

• Hacker group at DMOZ

Chapter 20

Hacker Manifesto

The Conscience of a Hacker (also known as The Hacker Manifesto) is a small essay written January 8, 1986 by a computer security hacker who went by the handle (or pseudonym) of The Mentor (born Loyd Blankenship), who belonged to the 2nd generation of Legion of Doom.[1]

It was written after the author’s arrest, and first published in the underground hacker ezine Phrack[2] and can be found on many websites, as well as on T-shirts and in films.[3]

Considered a cornerstone of hacker culture,[4] The Manifesto acts as a guideline to hackers across the globe, especially those new to the field. It serves as an ethical foundation for hacking, and asserts that there is a point to hacking that supersedes selfish desires to exploit or harm other people, and that technology should be used to expand our horizons and try to keep the world free.

When asked about his motivation for writing the article, Blankenship said,

“I was going through hacking withdrawal, and Craig/Knight Lightning needed something for an upcoming issue of Phrack. I was reading The Moon is a Harsh Mistress and was very taken with the idea of revolution.”[1]

At a more prominent public event, when asked about his arrest and motivation for writing the article, Blankenship said,

“I was just in a computer I shouldn’t have been. And [had] a great deal of empathy for my friends around the nation that were also in the same situation. This was post-WarGames, the movie, so pretty much the only public perception of hackers at that time was ‘hey, we’re going to start a nuclear war, or play tic-tac-toe, one of the two,’ and so I decided I would try to write what I really felt was the essence of what we were doing and why we were doing it.”[5][6]

20.1 In popular culture

The article is quoted several times in the 1995 movie Hackers, although in the movie it is being read from an issue of the hacker magazine 2600, not the historically accurate Phrack. It is also reproduced inside the CD case of the computer game Uplink.

The Mentor gave a reading of The Hacker Manifesto and offered additional insight at H2K2.[5] It is also an item in the game Culpa Innata.

“A Hacker Manifesto” is also the name of a book written by The New School media studies professor McKenzie Wark.

A poster of the Hacker Manifesto is displayed in The Social Network in Mark Zuckerberg’s dorm room.

20.2 See also

• Phrack

• Timeline of computer security hacker history

20.3 Related

• The Hacker Ethic

• The Hacker’s Way written by Mark Zuckerberg[7]

20.4 References

[1] “Elf Qrin interviews The Mentor”.

[2] The Mentor. “The Conscience of a Hacker” 1 (7). Phrack, Inc. p. 3 of 10. Retrieved 15 June 2014.

[3] Thomas, Douglas (2003). Hacker Culture. University of Minnesota Press. pp. xxiv. ISBN 978-0-8166-3346-3.

[4] Marsh, Josh (November 4, 2013). “Hacking and Philosophy: The Mentor’s Manifesto”. Hackaday.com. Retrieved 15 June 2014.

[5] Blankenship, Lloyd (July 13, 2002). “‘The Conscience of a Hacker,’ Panel at H2K2 (Hackers on Planet Earth)”. New York, NY: 2600. Retrieved 15 June 2014.

[6] “The Mentor at H2K2”. Archived from the original on 2005-04-14. Retrieved 2014-04-10.

[7] “Mark Zuckerberg’s letter to investors: 'The Hacker Way'”. February 1, 2012. Retrieved 15 June 2014.

Chapter 21

Hacking tool

A hacking tool is a program designed to assist with hacking, or a piece of software which can be used for hacking purposes.

Examples include Nmap, Nessus, John the Ripper, p0f, and Winzapper.[1] Bribes have also been described as among the most potent hacking tools, due to their potential exploitation in social engineering attacks.[2] Occasionally, common software such as ActiveX is exploited as a hacking tool as well.[3][4]

Hacking tools such as Cain and Abel, however, are well known as Script Kiddie Tools. Script kiddies are people who follow instructions from a manual, without realising how it happens. These Script Kiddies have been an enormous threat to computer security as there are many hacking tools and keyloggers up for download which are free.

21.1 Worms

Main article: Computer worm

Another example of a hacking tool is a computer worm. These malicious programs detect vulnerabilities in operating systems. Not all worms, however, are malicious. The Nachi Worms have actually fixed operating system vulnerabilities by downloading and installing security patches from the Microsoft website.

21.2 Port Scanners

Main article: Port scanner

Port scanners detect vulnerabilities in firewalls, and are able to find a great deal about the computer system, such as the operating system, ISP, wireless routers and how long the system has been online. However, port scanners are the best security auditing tools.

21.3 Hacking Linux

Although not much is said about threats to the Linux system, they do exist and could increase in the future. One of the biggest threats to the Linux system is given by the so-called Rootkits. These are programs that have special privileges and are able to hide from the system administrator.

One way to counteract rootkits is by (security software) program. This is a set of scripts that allow us to monitor whether the privileges of a program on your computer have changed recently.

21.4 References

[1] Top 15 Security/Hacking Tools and Utilities, July 23, 2007.

[2] New hacking tool: chocolate, Munir Kotadia, Zdnet, Apr. 20, 2004.

[3] ActiveX used as hacking tool, CNet, Feb. 7, 1997.

[4] The basics of hacking and penetration testing: ethical hacking and penetration testing made easy, Engebretson, Pat (Patrick Henry), 1974-. Waltham, MA: Elsevier, 2010.

21.5 External links

• Top 100 Network Security Tools, Fyodor

• Clause 202c of German penal code endangers German IT industry, Chaos Computer Club

• Top 400 Security Tools organized by Functionality
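The Hacking Linux section of this chapter describes scripts that monitor whether a program's privileges have changed recently. The Python code below is an added example of that kind of check, not part of the original page and not the code of any tool it refers to: it records permission bits, ownership and a SHA-256 digest as a baseline, then reports what differs, singling out newly gained setuid/setgid bits. The function names (`snapshot`, `compare`, `demo`) and the temporary files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record permission bits, owner, group and SHA-256 for each existing path."""
    state = {}
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: describe the entry itself, not a symlink target
        except FileNotFoundError:
            continue  # absent paths are reported by compare() as "missing"
        digest = None
        if stat.S_ISREG(st.st_mode):
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digest = h.hexdigest()
        state[path] = {
            "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
            "uid": st.st_uid,
            "gid": st.st_gid,
            "sha256": digest,
        }
    return state


def compare(baseline, current):
    """Return (path, finding) tuples describing how current differs from baseline."""
    findings = []
    for path, old in sorted(baseline.items()):
        new = current.get(path)
        if new is None:
            findings.append((path, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append((path, "content changed"))
        if (new["uid"], new["gid"]) != (old["uid"], old["gid"]):
            findings.append((path, "owner changed"))
        if new["mode"] != old["mode"]:
            gained = new["mode"] & ~old["mode"]
            if gained & (stat.S_ISUID | stat.S_ISGID):
                # A binary that newly runs with its owner's or group's rights
                findings.append((path, "gained setuid/setgid"))
            else:
                findings.append((path, "mode changed"))
    for path in sorted(set(current) - set(baseline)):
        findings.append((path, "new file"))
    return findings


def demo():
    """Constructed scenario in a temporary directory; returns (name, finding) pairs."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, n) for n in ("tool", "daemon", "helper")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"original contents of " + os.path.basename(p).encode())
            os.chmod(p, 0o755)
        baseline = snapshot(paths)

        os.chmod(paths[0], 0o4755)            # "tool" gains the setuid bit
        with open(paths[1], "ab") as fh:      # "daemon" is modified in place
            fh.write(b"\nappended bytes")
        os.remove(paths[2])                   # "helper" disappears
        extra = os.path.join(root, "dropped")
        with open(extra, "wb") as fh:         # a file that was never baselined
            fh.write(b"not in baseline")

        current = snapshot(paths + [extra])
        return [(os.path.basename(p), what) for p, what in compare(baseline, current)]


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

A baseline is only as trustworthy as where it is stored and the system it is checked from: on a host where a rootkit already controls the kernel, the values returned by `lstat` and `read` can themselves be falsified, so the comparison is best run from known-good media.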

Chapter 22

Keystroke logging

Figure: A logfile from a software-based keylogger.

Figure: A keylogger example of a screencapture, which holds potentially confidential and private information. This is the corresponding text result of the keylogger.

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.[1] It has uses in the study of human–computer interaction. There are numerous keylogging methods, ranging from hardware and software-based approaches to acoustic analysis.

22.1 Application

22.1.1 Software-based keyloggers

These are computer programs designed to work on the target computer’s software.[2] Keyloggers are used in IT organizations to troubleshoot technical problems with computers and business networks. Other legal uses include family or business people using them to monitor the network usage without their users’ direct knowledge. However, malicious individuals may use keyloggers on public computers to steal passwords or credit card information.

From a technical perspective there are several categories:

• Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual example.

• Kernel-based: A program on the machine obtains root access to hide itself in the OS and starts intercepting keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications that don't have root access. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.

• API-based: These keyloggers hook keyboard APIs inside a running application. The keylogger registers for keystroke events, as if it was a normal piece of the application instead of malware. The keylogger receives an event each time the user presses or releases a key. The keylogger simply records it.

  • Windows APIs such as GetAsyncKeyState(), GetForegroundWindow(), etc. are used to poll the state of the keyboard or to subscribe to keyboard events.[3] A more recent example simply polls the BIOS for pre-boot authentication PINs that have not been cleared from memory.[4]

• Form grabbing based: Form grabbing-based keyloggers log web form submissions by recording the web browsing on submit events. These happen when the user finishes filling in a form and submits it, usually by clicking a button or hitting enter. This records form data before it is passed over the Internet.

• Memory injection based: Memory Injection (MitB)-based keyloggers alter memory tables associated with the browser and other system functions to perform their logging functions. By patching the memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows UAC (User Account Control). The Zeus and Spyeye Trojans use this method exclusively.[5] Non-Windows systems have analogous protection mechanisms that need to be thwarted somehow by the keylogger.

• Packet analyzers: This involves capturing network traffic associated with HTTP POST events to retrieve unencrypted passwords. This is made more difficult when connecting via HTTPS, which is one of the reasons HTTPS was invented.

• Remote access software keyloggers: These are local software keyloggers with an added feature that allows access to the locally recorded data from a remote location. Remote communication may be achieved using one of these methods:

  • Data is uploaded to a website, database or an FTP server.

  • Data is periodically emailed to a pre-defined email address.

  • Data is wirelessly transmitted by means of an attached hardware system.

  • The software enables a remote login to the local machine from the Internet or the local network, for data logs stored on the target machine to be accessed.

Most of these aren't stopped by HTTPS encryption because that only protects data in transit between computers; this is a threat in your own computer, the one connected to the keyboard.

Keystroke logging in Writing Process Research

Keystroke logging has become an established research method to study writing processes.[6][7] Different programs have been developed to collect online process data of writing activities,[8] including Inputlog, Scriptlog, and Translog.

In terms of legitimate uses, keystroke logging can be a suitable research instrument in a number of writing contexts. These include studies on cognitive writing processes, description of writing strategies, the writing development of children with and without writing difficulties, spelling, first and second language writing, and specialist skill areas such as translation and subtitling. Keystroke logging can be used in research specifically on writing; it can also be integrated in educational domains for second language learning, programming skills, and typing skills.

Related features

Software keyloggers may be augmented with features that capture user information without relying on keyboard key presses as the sole input. Some of these features include:

• Clipboard logging. Anything that has been copied to the clipboard can be captured by the program.

• Screen logging. Screenshots are taken in order to capture graphics-based information. Applications with screen logging abilities may take screenshots of the whole screen, just one application or even just around the mouse cursor. They may take these screenshots periodically or in response to user behaviours (for example, when a user has clicked the mouse). A practical application used by some keyloggers with this screen logging ability is to take small screenshots around where a mouse has just clicked; these defeat web-based keyboards (for example, the web-based screen keyboards that are often used by banks) and any web-based on-screen keyboard without screenshot protection.

• Programmatically capturing the text in a control. The Microsoft Windows API allows programs to request the text 'value' in some controls. This means that some passwords may be captured, even if they are hidden behind password masks (usually asterisks).[9]

• The recording of every program/folder/window opened, including a screenshot of each website visited.

• The recording of search engine queries, instant messenger conversations, FTP downloads and other Internet-based activities (including the bandwidth used).

22.1.2 Hardware-based keyloggers

Main article: Hardware keylogger

Figure: A hardware-based keylogger.

Figure: A connected hardware-based keylogger.

Hardware-based keyloggers do not depend upon any software being installed as they exist at a hardware level in a computer system.

• Firmware-based: BIOS-level firmware that handles keyboard events can be modified to record these events as they are processed. Physical and/or root-level access is required to the machine, and the software loaded into the BIOS needs to be created for the specific hardware that it will be running on.[10]

• Keyboard hardware: Hardware keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer, typically inline with the keyboard’s cable connector. There are also USB connector-based hardware keyloggers, as well as ones for laptop computers (the Mini-PCI card plugs into the expansion slot of a laptop). More stealthy implementations can be installed or built into standard keyboards, so that no device is visible on the external cable. Both types log all keyboard activity to their internal memory, which can be subsequently accessed, for example, by typing in a secret key sequence.[11] A hardware keylogger has an advantage over a software solution: it is not dependent on being installed on the target computer’s operating system and therefore will not interfere with any program running on the target machine or be detected by any software. However, its physical presence may be detected if, for example, it is installed outside the case as an inline device between the computer and the keyboard. Some of these implementations have the ability to be controlled and monitored remotely by means of a wireless communication standard.[12]

• Wireless keyboard sniffers: These passive sniffers collect packets of data being transferred between a wireless keyboard and its receiver. As encryption may be used to secure the wireless communications between the two devices, this may need to be cracked beforehand if the transmissions are to be read.

• Keyboard overlays: Criminals have been known to use keyboard overlays on ATMs to capture people’s PINs. Each keypress is registered by the keyboard of the ATM as well as the criminal’s keypad that is placed over it. The device is designed to look like an integrated part of the machine so that bank customers are unaware of its presence.[13]

• Acoustic keyloggers: Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a computer. Each key on the keyboard makes a subtly different acoustic signature when struck. It is then possible to identify which keystroke signature relates to which keyboard character via statistical methods such as . The repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing are used in this analysis to map sounds to letters.[14] A fairly long recording (1000 or more keystrokes) is required so that a big enough sample is collected.[15]

• Electromagnetic emissions: It is possible to capture the electromagnetic emissions of a wired keyboard from up to 20 metres (66 ft) away, without being physically wired to it.[16] In 2009, Swiss researchers tested 11 different USB, PS/2 and laptop keyboards in a semi-anechoic chamber and found them all vulnerable, primarily because of the prohibitive cost of adding shielding during manufacture.[17] The researchers used a wide-band receiver to tune into the specific frequency of the emissions radiated from the keyboards.

• Optical surveillance: Optical surveillance, while not a keylogger in the classical sense, is nonetheless an approach that can be used to capture passwords or PINs. A strategically placed camera, such as a hidden surveillance camera at an ATM, can allow a criminal to watch a PIN or password being entered.[18][19]

• Physical evidence: For a keypad that is used only to enter a security code, the keys which are in actual use will have evidence of use from many fingerprints. A passcode of four digits, if the four digits in question are known, is reduced from 10,000 possibilities to just 24 possibilities (10^4 versus 4!, the factorial of 4). These could then be used on separate occasions for a manual “brute force attack”.

• Smartphone sensors: Researchers have demonstrated that it is possible to capture the keystrokes of nearby computer keyboards using only the commodity accelerometer found in smartphones.[20] The attack is made possible by placing a smartphone near a keyboard on the same desk. The smartphone’s accelerometer can then detect the vibrations created by typing on the keyboard, and then translate this raw accelerometer signal into readable sentences with as much as 80 percent accuracy. The technique involves working through probability by detecting pairs of keystrokes, rather than individual keys. It models “keyboard events” in pairs and then works out whether the pair of keys pressed is on the left or the right side of the keyboard and whether they are close together or far apart on the QWERTY keyboard. Once it has worked this out, it compares the results to a preloaded dictionary where each word has been broken down in the same way.[21] Similar techniques have also been shown to be effective at capturing keystrokes on touchscreen keyboards,[22][23][24] in some cases in combination with a gyroscope.[25][26]

22.2 History

An early keylogger was written by Perry Kivolowitz and posted to the Usenet news group net.unix-wizards,net.sources on November 17, 1983.[27] The posting seems to be a motivating factor in restricting access to /dev/kmem on Unix systems. The user-mode program operated by locating and dumping character lists (clists) as they were assembled in the Unix kernel.

In the 1970s, spies installed keystroke loggers in the US Embassy and Consulate buildings in Moscow and St Petersburg.[28][29] They installed the bugs in Selectric II and Selectric III electric typewriters.[30]

Soviet embassies used manual typewriters, rather than electric typewriters, for classified information—apparently because they are immune to such bugs.[30] As of 2013, Russian special services still use typewriters.[29][31][32]

22.3 Cracking

Writing simple software applications for keylogging can be trivial, and like any nefarious computer program, they can be distributed as a trojan horse or as part of a virus. What is not trivial for an attacker, however, is installing a covert keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

22.3.1 Trojan

Researchers devised several methods for solving this problem. They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus or worm.[33][34] An attacker who is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board such as .

22.3.2 Use by police

In 2000, the FBI used FlashCrest iSpy to obtain the PGP passphrase of Nicodemo Scarfo, Jr., son of mob boss Nicodemo Scarfo.[35] Also in 2000, the FBI lured two suspected Russian cyber criminals to the US in an elaborate ruse, and captured their usernames and passwords with a keylogger that was covertly installed on a machine that they used to access their computers in Russia. The FBI then used these credentials to hack into the suspects’ computers in Russia in order to obtain evidence to prosecute them.[36]

22.4 Countermeasures

The effectiveness of countermeasures varies, because keyloggers use a variety of techniques to capture data and the countermeasure needs to be effective against the particular data capture technique. For example, an on-screen keyboard will be effective against hardware keyloggers, transparency will defeat some—but not all—screenloggers and an anti-spyware application that can only disable hook-based keyloggers will be ineffective against kernel-based keyloggers.

Also, keylogger program authors may be able to update the code to adapt to countermeasures that may have proven to be effective against them.

22.4.1 Anti keyloggers

Main article: Anti keylogger

An anti keylogger is a piece of software specifically designed to detect keyloggers on a computer, typically comparing all files in the computer against a database of keyloggers looking for similarities which might signal the presence of a hidden keylogger. As anti keyloggers have been designed specifically to detect keyloggers, they have the potential to be more effective than conventional anti virus software; some anti virus software does not consider certain keyloggers a virus, as under some circumstances a keylogger can be considered a legitimate piece of software.

22.4.2 Live CD/USB

Rebooting the computer using a Live CD or write-protected Live USB is a possible countermeasure against software keyloggers if the CD is clean of malware and the operating system contained on it is secured and fully patched so that it cannot be infected as soon as it is started. Booting a different operating system does not impact the use of a hardware or BIOS based keylogger.

22.4.3 Anti-spyware / Anti-virus programs

Many anti-spyware applications are able to detect some software based keyloggers and quarantine, disable or cleanse them. However, because many keylogging programs are legitimate pieces of software under some circumstances, anti spyware often neglects to label keylogging programs as spyware or a virus. These applications are able to detect software-based keyloggers based on patterns in executable code, heuristics and keylogger behaviours (such as the use of hooks and certain APIs).

No software-based anti-spyware application can be 100% effective against all keyloggers. Also, software-based anti-spyware cannot defeat non-software keyloggers (for example, hardware keyloggers attached to keyboards will always receive keystrokes before any software-based anti-spyware application).

However, the particular technique that the anti-spyware application uses will influence its potential effectiveness against software keyloggers. As a general rule, anti-spyware applications with higher privileges will defeat keyloggers with lower privileges. For example, a hook-based anti-spyware application cannot defeat a kernel-based keylogger (as the keylogger will receive the keystroke messages before the anti-spyware application), but it could potentially defeat hook- and API-based keyloggers.

22.4.4 Network monitors

Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information.

22.4.5 Automatic form filler programs

Main article: Form filler

Automatic form-filling programs may prevent keylogging by removing the requirement for a user to type personal details and passwords using the keyboard. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user’s account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. However, someone with physical access to the machine may still be able to install software that is able to intercept this information elsewhere in the operating system or while in transit on the network. (Transport Layer Security (TLS) reduces the risk that data in transit may be intercepted by network sniffers and proxy tools.)

22.4.6 One-time passwords (OTP)

Using one-time passwords may be keylogger-safe, as each password is invalidated as soon as it is used. This solution may be useful for someone using a public computer. However, an attacker who has remote control over such a computer can simply wait for the victim to enter his/her credentials before performing unauthorised transactions on their behalf while their session is active.

22.4.7 Security tokens

Use of smart cards or other security tokens may improve security against replay attacks in the face of a successful keylogging attack, as accessing protected information would require both the (hardware) security token as well as the appropriate password/passphrase. Knowing the keystrokes, mouse actions, display, clipboard etc. used on one computer will not subsequently help an attacker gain access to the protected resource. Some security tokens work as a type of hardware-assisted one-time password system, and others implement a cryptographic challenge-response authentication, which can improve security in a manner conceptually similar to one time passwords.

Smartcard readers and their associated keypads for PIN entry may be vulnerable to keystroke logging through a so-called supply chain attack[37] where an attacker substitutes the card reader/PIN entry hardware for one which records the user’s PIN.

22.4.8 On-screen keyboards

Most on-screen keyboards (such as the on-screen keyboard that comes with Windows XP) send normal keyboard event messages to the external target program to type text. Software key loggers can log these typed characters sent from one program to another.[38] Additionally, keylogging software can take screenshots of what is displayed on the screen (periodically, and/or upon each mouse click), which means that although certainly a useful security measure, an on-screen keyboard will not protect from all keyloggers.

22.4.9 Keystroke interference software

Keystroke interference software is also available.[39] These programs attempt to trick keyloggers by introducing random keystrokes, although this simply results in the keylogger recording more information than it needs to. An attacker has the task of extracting the keystrokes of interest—the security of this mechanism, specifically how well it stands up to cryptanalysis, is unclear.

22.4.10 Speech recognition

Similar to on-screen keyboards, speech-to-text conversion software can also be used against keyloggers, since there are no typing or mouse movements involved. The weakest point of using voice-recognition software may be how the software sends the recognized text to target software after the recognition took place.

22.4.11 Handwriting recognition and mouse gestures

Also, many PDAs and lately tablet PCs can already convert pen (also called stylus) movements on their touchscreens to computer understandable text successfully. Mouse gestures use this principle by using mouse movements instead of a stylus. Mouse gesture programs convert these strokes to user-definable actions, such as typing text. Similarly, graphics tablets and light pens can be used to input these gestures; however, these are less common in everyday use.

The same potential weakness of speech recognition applies to this technique as well.

22.4.12 Macro expanders/recorders

With the help of many programs, a seemingly meaningless text can be expanded to a meaningful text and most of the time context-sensitively, e.g. “en.wikipedia.org” can be expanded when a web browser window has the focus. The biggest weakness of this technique is that these programs send their keystrokes directly to the target program. However, this can be overcome by using the 'alternating' technique described below, i.e. sending mouse clicks to non-responsive areas of the target program, sending meaningless keys, sending another mouse click to target area (e.g. password field) and switching back-and-forth.

22.4.13 Non-technological methods

Alternating between typing the login credentials and typing characters somewhere else in the focus window[40] can cause a keylogger to record more information than it needs to, although this could easily be filtered out by an attacker. Similarly, a user can move their cursor using the mouse during typing, causing the logged keystrokes to be in the wrong order, e.g., by typing a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. Lastly, someone can also use context menus to remove, cut, copy, and paste parts of the typed text without using the keyboard. An attacker who is able to capture only parts of a password will have a smaller key space to attack if he chose to execute a brute-force attack.

Another very similar technique uses the fact that any selected text portion is replaced by the next key typed. E.g., if the password is “secret”, one could type “s”, then some dummy keys “asdfsd”. Then, these dummies could be selected with the mouse, and the next character from the password “e” is typed, which replaces the dummies “asdfsd”.

These techniques assume incorrectly that keystroke logging software cannot directly monitor the clipboard, the selected text in a form, or take a screenshot every time a keystroke or mouse click occurs. They may however be effective against some hardware keyloggers.

22.5 See also

• Anti keylogger

• Black-bag cryptanalysis

• Computer surveillance

• Digital footprint

• Hardware keylogger

• Reverse connection

• Spyware

• Trojan horse

• Virtual keyboard

22.6 References

[1] “Keylogger”. Oxford dictionaries.

[2] “What is a Keylogger?”. PC Tools.

[3] “The Evolution of Malicious IRC Bots” (PDF). Symantec. 2005-11-26. pp. 23–24. Retrieved 2011-03-25.

[4] Jonathan Brossard (2008-09-03). “Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attaks against x86 pre-boot authentiation software)” (PDF). Iviz Technosolutions. Retrieved 2008-09-23.

[5] “SpyEye Targets Opera, Google Chrome Users”. Krebs on Security. Retrieved 26 April 2011.

[6] K.P.H. Sullivan & E. Lindgren (Eds., 2006), Studies in Writing: Vol. 18. Computer Key-Stroke Logging and Writing: Methods and Applications. Oxford: Elsevier.

[7] V. W. Berninger (Ed., 2012), Past, present, and future contributions of cognitive writing research to cognitive psychology. New York/Sussex: Taylor & Francis. [ISBN 9781848729636]

[8] Vincentas (11 July 2013). “Keystroke Logging in SpyWareLoop.com”. Spyware Loop. Retrieved 27 July 2013.

[9] Microsoft. “EM_GETLINE Message()”. Microsoft. Retrieved 2009-07-15.

[10] “Apple keyboard hack”. Apple keyboard hack. Digital Society. Retrieved 9 June 2011.

[11] “Keyghost”. keyghost.com. Retrieved 2009-04-19.

[12] “Keylogger Removal”. Keylogger Removal. SpyReveal Anti Keylogger. Retrieved 25 April 2011.

[13] Jeremy Kirk (2008-12-16). “Tampered Credit Card Terminals”. IDG News Service. Retrieved 2009-04-19.

[14] Andrew Kelly (2010-09-10). “Cracking Passwords using Keyboard Acoustics and Language Modeling” (PDF).

[15] Sarah Young (14 September 2005). “Researchers recover typed text using audio recording of keystrokes”. UC Berkeley NewsCenter.

[16] “Remote monitoring uncovered by American techno activists”. ZDNet. 2000-10-26. Retrieved 2008-09-23.

[17] Martin Vuagnoux and Sylvain Pasini (2009-06-01). “Compromising Electromagnetic Emanations of Wired and Wireless Keyboards”. Lausanne: Security and Cryptography Laboratory (LASEC).

[18] “ATM camera”. snopes.com. Retrieved 2009-04-19.

[19] Maggi, Federico; Volpatto, Alberto; Gasparini, Simone; Boracchi, Giacomo; Zanero, Stefano (2011). A fast eavesdropping attack against touchscreens. 7th International Conference on Information Assurance and Security. IEEE. doi:10.1109/ISIAS.2011.6122840.

[20] Marquardt, Philip; Verma, Arunabh; Carter, Henry; Traynor, Patrick (2011). (sp)iPhone: decoding vibrations from nearby keyboards using mobile phone accelerometers. Proceedings of the 18th ACM conference on Computer and communications security. ACM. pp. 561–562. doi:10.1145/2046707.2046771.

[21] “iPhone Accelerometer Could Spy on Computer Keystrokes”. Wired. 19 October 2011. Retrieved August 25, 2014.

[22] Owusu, Emmanuel; Han, Jun; Das, Sauvik; Perrig, Adrian; Zhang, Joy (2012). ACCessory: password inference using accelerometers on smartphones. Proceedings of the Thirteenth Workshop on Mobile Computing Systems and Applications. ACM. doi:10.1145/2162081.2162095.

[23] Aviv, Adam J.; Sapp, Benjamin; Blaze, Matt; Smith, Jonathan M. (2012). Practicality of accelerometer side channels on smartphones. Proceedings of the 28th Annual Computer Security Applications Conference. ACM. doi:10.1145/2420950.2420957.

[24] Cai, Liang; Chen, Hao (2011). TouchLogger: inferring keystrokes on touch screen from smartphone motion (PDF). Proceedings of the 6th USENIX conference on Hot topics in security. USENIX. Retrieved 25 August 2014.

[25] Xu, Zhi; Bai, Kun; Zhu, Sencun (2012). TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM. pp. 113–124. doi:10.1145/2185448.2185465.

[26] Miluzzo, Emiliano; Varshavsky, Alexander; Balakrishnan, Suhrid; Choudhury, Romit Roy (2012). Tapprints: your finger taps have fingerprints. Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM. pp. 323–336. doi:10.1145/2307636.2307666.

[27] “The Security Digest Archives”. Retrieved 2009-11-22.

[28] “Soviet Spies Bugged World’s First Electronic Typewriters”

[29] Geoffrey Ingersoll. “Russia Turns To Typewriters To Protect Against Cyber Espionage”. 2013.

[30] Sharon A. Maneki. “Learning from the Enemy: The GUNMAN Project”. 2012.

[31] “Wanted: 20 electric typewriters for Russia to avoid leaks”

[32] Anna Arutunyan. “Russian security agency to buy typewriters to avoid surveillance”.

[33] Young, Adam; Yung, Moti (1997). “Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage”. Proceedings of IEEE Symposium on Security and Privacy (IEEE): 224–235. doi:10.1109/SECPRI.1997.601339.

[34] Young, Adam; Yung, Moti (1996). “Cryptovirology: extortion-based security threats and countermeasures”. Proceedings of IEEE Symposium on Security and Privacy (IEEE): 129–140. doi:10.1109/SECPRI.1996.502676.

[35] John Leyden (2000-12-06). “Mafia trial to test FBI spying tactics: Keystroke logging used to spy on mob suspect using PGP”. The Register. Retrieved 2009-04-19.

[36] John Leyden (2002-08-16). “Russians accuse FBI Agent of Hacking”. The Register.

[37] Austin Modine (2008-10-10). “Organized crime tampers with European card swipe devices”. The Register. Retrieved 2009-04-18.

[38] Scott Dunn (2009-09-10). “Prevent keyloggers from grabbing your passwords”. Windows Secrets. Retrieved 2014-05-10.

[39] Christopher Ciabarra (2009-06-10). “Anti Keylogger”. Networkintercept.com.

[40] Cormac Herley and Dinei Florencio (2006-02-06). “How To Login From an Internet Cafe Without Worrying About Keyloggers” (PDF). Microsoft Research. Retrieved 2008-09-23.

22.7 External links

• Keyloggers at DMOZ

Chapter 23

List of computer criminals

Figure: Hacker (left) with contemporaries Kevin Mitnick (center) and Kevin Poulsen.

Figure: , who was convicted of computer charges.

Convicted computer criminals are people who are caught and convicted of computer crimes such as breaking into computers or computer networks.[1] Computer crime can be broadly defined as criminal activity involving information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (or identity theft) and electronic fraud.[2]

In the infancy of the hacker subculture and the computer underground,[3] criminal convictions were rare because there was an informal code of ethics that was followed by white hat hackers.[4] Proponents of hacking claim to be motivated by artistic and political ends, but are often unconcerned about the use of criminal means to achieve them.[5] White hat hackers break past computer security for non-malicious reasons and do no damage, akin to breaking into a house and looking around.[6] They enjoy learning and working with computer systems, and by this experience gain a deeper understanding of electronic security.[6] As the computer industry matured, individuals with malicious intentions (black hats) would emerge to exploit computer systems for their own personal profit.[6]

Convictions of computer crimes, or hacking, began as early as 1983 with the case of The 414s from the 414 area code in Milwaukee. In that case, six teenagers broke into a number of high-profile computer systems, including Los Alamos National Laboratory, Sloan-Kettering Cancer Center and Security Pacific Bank. On May 1, 1983, one of the 414s, Gerald Wondra, was sentenced to two years of probation.[7]

In 2006, a prison term of nearly five years was handed down to Jeanson James Ancheta, who created hundreds of zombie computers to do his bidding via giant bot networks or botnets.[8] He then sold the botnets to the highest bidder who in turn used them for Denial-of-service (DoS) attacks.[9]

As of 2012, the longest sentence for computer crimes is that of for 20 years.[10]

The next longest sentences are those of 13 years for Max Ray Vision,[11] 108 months of Brian Salcedo in 2004 and upheld in 2006 by the U.S. 4th Circuit Court of Appeals,[12][13] and 68 months of Kevin Mitnick in 1999.[14]


23.1 Computer criminals

23.2 See also

• Timeline of computer security hacker history

23.4 External links

• Hacker High: 10 Stories of Teenage Hackers Getting into the System

• CUSSE List of Convicted Hackers

Chapter 24

Phreaking

This article is about the manipulation of telephone call routing. For the use of telephone technology to steal information, see Phone hacking.

Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking.

The term first referred to groups who had reverse engineered the system of tones used to route long-distance calls. By re-creating these tones, phreaks could switch calls from the phone handset, allowing free calls to be made around the world. To ease the creation of these tones, electronic tone generators known as blue boxes became a staple of the phreaker community, including future Apple Inc. cofounders Steve Jobs and Steve Wozniak.

The blue box era came to an end with the ever increasing use of computerized phone systems which sent dialling information on a separate, inaccessible channel. By the 1980s, much of the system in the US and Western Europe had been converted. Phreaking has since become closely linked with computer hacking.[1] This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking).

24.1 History

Phone phreaking got its start in the late 1950s in the United States. Its golden age was the late 1960s and early 1970s. Phone phreaks spent a lot of time dialing around the telephone network to understand how the phone system worked. They listened to the pattern of tones to figure out how calls were routed. They read obscure telephone company technical journals. They learned how to impersonate operators and other telephone company personnel. They dug through telephone company trash bins to find “secret” documents. They snuck into telephone company buildings at night and wired up their own telephones. They built clever little electronic devices called blue boxes, black boxes, and red boxes to help them explore the network and make free phone calls. They hung out on early conference call circuits and “loop arounds” to communicate with one another. They wrote their own newsletters to spread information.

Prior to 1984, long-distance telephone calls were a premium item, with archaic regulations. In some locations, calling across the street counted as long distance.[2] Reporting that a phone call was long distance gave it an elevated importance, universally understood to mean that the calling party was paying by the minute to speak to the called party, so business should be transacted quickly.

Phreaking consisted of techniques to evade the long-distance charges. This evasion was illegal; the crime was called “toll fraud.”[3]

24.1.1 Switch hook and tone dialer

Possibly one of the first phreaking methods was switch-hooking. It allows placing calls from a phone where the rotary dial or keypad has been disabled by a key lock or other means to prevent unauthorized calls from that phone. It is done by rapidly pressing and releasing the switch hook to open and close the subscriber circuit, simulating the pulses generated by the rotary dial. Even most current telephone exchanges support this method, as they need to be backward compatible with old subscriber hardware.[4]

By rapidly clicking the hook for a variable number of times at roughly 5 to 10 clicks per second, separated by intervals of roughly one second, the caller can dial numbers as if they were using the rotary dial. The pulse counter in the exchange counts the pulses or clicks and interprets them in two possible ways. Depending on continent and country, one click with a following interval can be either “one” or “zero” and subsequent clicks before the interval are additively counted. This makes ten consecutive clicks either “zero” or “nine”, respectively. Some exchanges allow using additional clicks for special controls, but numbers 0–9 now fall in one of these two standards. One special code, “flash”, is a very short single click, possible but hard to simulate. Back in the day of rotary dial, very often technically identical phone sets were marketed in multiple areas of the world, only with plugs matched by country and the dials being bezeled with the local standard numbers.

Such key-locked telephones, if wired to a modern DTMF capable exchange, can also be exploited by a tone dialer that generates the DTMF tones used by modern keypad units. These signals are now very uniformly standardized worldwide, and along with rotary dialing, they are almost all that is left of in-band signaling. It is notable that the two methods can be combined: even if the exchange does not support DTMF, the key lock can be circumvented by switch-hooking, and the tone dialer can then be used to operate automated DTMF controlled services that can't be used with rotary dial.

24.1.2 2600 hertz

The origins of phone phreaking trace back at least to AT&T's implementation of fully automatic switches. These switches used tone dialing, a form of in-band signaling, and included some tones which were for internal telephone company use. One internal-use tone was a tone of 2600 Hz which caused a telephone switch to think the call was over, leaving an open carrier line which could be exploited to provide free long-distance and international calls. At that time, long-distance calls were quite expensive.[5]

The tone was discovered in approximately 1957,[5] by Joe Engressia, a blind seven-year-old boy. Engressia had perfect pitch, and discovered that whistling the fourth E above middle C (a frequency of 2600 Hz) would stop a dialed phone recording. Unaware of what he had done, Engressia called the phone company and asked why the recordings had stopped. Joe Engressia is considered to be the father of phreaking.[6]

Other early phreaks, such as “Bill from New York”, began to develop a rudimentary understanding of how phone networks worked. Bill discovered that a recorder he owned could also play the tone at 2600 Hz with the same effect. John Draper discovered through his friendship with Engressia that the free whistles given out in Cap'n Crunch cereal boxes also produced a 2600 Hz tone when blown (providing his nickname, “Captain Crunch”). This allowed control of phone systems that worked on single frequency (SF) controls. One could sound a long whistle to reset the line, followed by groups of whistles (a short tone for a “1”, two for a “2”, etc.) to dial numbers.[7]

24.1.3 Multi frequency

Main article: Multi-frequency

While single frequency worked on certain phone routes, the most common signaling on the then long-distance network was multi-frequency (MF) controls. The slang term for these tones and their use was “Marty Freeman.” The specific frequencies required were unknown to the general public until 1964, when the Bell System published the information in the Bell System Technical Journal in an article describing the methods and frequencies used for interoffice signalling. The journal was intended for the company’s engineers; however, it found its way to various college campuses across the United States. With this one article, the Bell System accidentally gave away the “keys to the kingdom,” and the intricacies of the phone system were at the disposal of people with a knowledge of electronics.[8]

The second generation of phreaks arose at this time, including the New Yorkers “Evan Doorbell”, “Ben Decibel” and Neil R. Bell and Californians Mark Bernay, Chris Bernay, and “Alan from Canada”. Each conducted their own independent exploration and experimentation of the telephone network, initially on an individual basis, and later within groups as they discovered each other in their travels. “Evan Doorbell,” “Ben” and “Neil” formed a group of phreaks known as Group Bell. Mark Bernay initiated a similar group named the Mark Bernay Society. Both Mark and Evan received fame amongst today’s phone phreakers for Internet publication of their collection of telephone exploration recordings. These recordings, conducted in the 1960s, 1970s, and early 1980s, are available at Mark’s website Phone Trips.[9]

24.1.4 Blue boxes

Main article: Blue box

In October 1971, phreaking was introduced to the masses when Esquire Magazine published a story called “Secrets of the Little Blue Box”[10][11][12][13] by Ron Rosenbaum. This article featured Engressia and prominently, synonymising their names with phreaking. The article also attracted the interest of other soon-to-be phreaks, such as Steve Wozniak and Steve Jobs, who went on to found Apple Computer.[14]

1971 also saw the beginnings of YIPL (Youth International Party Line), a publication started by Abbie Hoffman and Al Bell to provide information to Yippies on how to “beat the man,” mostly involving telephones. In 1973, Al Bell would move YIPL over and start TAP (Technological American Party).[15] TAP would develop into a major source for subversive technical information among phreaks and hackers all over the world. TAP ran from 1973 to 1984, with Al Bell handing over the magazine to “Tom Edison” in the late 1970s. TAP ended publication in 1984 due mostly to a break-in and arson at Tom Edison’s residence in 1983.[16] Cheshire Catalyst then took over running the magazine for its final (1984) year.

A controversially suppressed article “How to Build a 'Phone Phreaks’ box” in Ramparts Magazine (June, 1972) touched off a firestorm of interest in phreaking. This article published simple schematic plans of a “black box” used to make free long-distance phone calls, and included a very short parts list that could be used to construct one. Bell sued Ramparts, forcing the magazine to pull all copies from shelves, but not before numerous copies were sold and many regular subscribers received them.

24.1.5 Computer hacking

In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (BBSes) (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. This was also at a time when the telephone company was a popular subject of discussion in the US, as the monopoly of AT&T Corporation was forced into divestiture. During this time, exploration of telephone networks diminished, and phreaking focused more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could exploit later. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom () groups. In 1985, an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.

In the early 1990s, H/P groups like Masters of Deception and Legion of Doom were shut down by the US Secret Service's . Phreaking as a subculture saw a brief dispersion in fear of criminal prosecution in the 1990s, before the popularity of the internet initiated a reemergence of phreaking as a subculture in the US and spread phreaking to international levels.

At the turn of the 21st century, phreaks began to focus on exploring and playing with the network, and the concept of toll fraud became widely frowned on among serious phreakers, primarily under the influence of the website Phone Trips, put up by second generation phreaks Mark Bernay and Evan Doorbell.

24.1.6 Toll fraud

The 1984 AT&T breakup gave rise to many small companies intent upon competing in the long distance market. These included the then-fledgling Sprint and MCI, both of which had only recently entered the marketplace. At the time, there was no way to switch a phone line to have calls automatically carried by non-AT&T companies. Customers of these small long distance operations would be required to dial a local access number, enter their calling card number, and finally enter the area code and phone number they wished to call. Because of the relatively lengthy process for customers to complete a call, the companies kept the calling card numbers short – usually 6 or 7 digits. This opened up a huge vulnerability to phone phreaks with a computer.

6-digit calling card numbers only offer 1 million combinations. 7-digit numbers offer just 10 million. If a company had 10,000 customers, a person attempting to “guess” a card number would have a good chance of doing so correctly once every 100 tries for a 6-digit card and once every 1000 tries for a 7-digit card. While this is almost easy enough for people to do manually, computers made the task far easier.[17][18] “Code hack” programs were developed for computers with modems. The modems would dial the long distance access number, enter a random calling card number (of the proper number of digits), and attempt to complete a call to a computer bulletin board system (BBS). If the computer connected successfully to the BBS, it proved that it had found a working card number, and it saved that number to disk. If it did not connect to the BBS in a specified amount of time (usually 30 or 60 seconds), it would hang up and try a different code. Using this method, code hacking programs would turn up hundreds (or in some cases thousands) of working calling card numbers per day. These would subsequently be shared amongst fellow phreakers.

There was no way for these small phone companies to identify the culprits of these hacks. They had no access to local phone company records of calls into their access numbers, and even if they had access, obtaining such records would be prohibitively expensive and time-consuming. While there was some advancement in tracking down these code hackers in the early 1990s, the problem did not completely disappear until most long distance companies were able to offer standard 1+ dialing without the use of an access number.

24.1.7 Diverters

Another method of obtaining free phone calls involved the use of so-called “diverters”. Call forwarding was not an available feature for many business phone lines in the 1980s and early 1990s, so they were forced to buy equipment that could do the job manually between two phone lines. When the business would close, they would program the call diverting equipment to answer all calls, pick up another phone line, call their answering service, and bridge the two lines together. This gave the appearance to the caller that they were directly forwarded to the company’s answering service. The switching equipment would typically reset the line after the call had hung up and timed out back to dial tone, so the caller could simply wait after the answering service had disconnected, and would eventually get a usable dial tone from the second line. Phreakers recognized the opportunity this provided, and they would spend hours manually dialing businesses after hours, attempting to identify faulty diverters. Once a phreaker had access to one of these lines, he could use it for one of many purposes. In addition to completing phone calls anywhere in the world at the businesses’ expense, they could also dial 1-900 phone sex/entertainment numbers, as well as use the phone line to harass their enemies without fear of being traced. Victimized small businesses were usually required to foot the bill for the long distance calls, as it was their own private equipment (not phone company security flaws) that allowed such fraud to occur. By 1993, call forwarding was offered to nearly every business line subscriber, making these diverters obsolete. As a result, hackers stopped searching for the few remaining ones, and this method of toll fraud died.

24.1.8 Voice mail boxes and bridges

Prior to the BBS era of the 1980s, phone phreaking was more of a solitary venture as it was difficult for phreaks to connect with one another. In addition to communicating over BBSs, phone phreaks discovered voice mail boxes and party lines as ways to network and keep in touch over the telephone. It was rare for a phone phreak to legally purchase access to voice mail. Instead, they would usually appropriate unused boxes that were part of business or cellular phone systems. Once a vulnerable mailbox system was discovered, word would spread around the phreak community, and of them would take residence on the system. They would use the system as a “home base” for communication with one another until the rightful owners would discover the intrusion and wipe them off. Voice mailboxes also provided a safe phone number for phreaks to give out to one another, as home phone numbers would allow the phreak’s identity (and home address) to be discovered. This was especially important given that phone phreaks were breaking the law.

Phreakers also used “bridges” to communicate live with one another. The term “bridge” originally referred to a group of telephone company test lines that were bridged together giving the effect of a party-line. Eventually, all party-lines, whether bridges or not, came to be known as bridges if primarily populated by hackers and/or phreakers.

The popularity of the Internet in the mid-1990s, along with the better awareness of voice mail by business and cell phone owners, made the practice of stealing voice mailboxes less popular. To this day bridges are still very popular with phreakers yet, with the advent of VoIP, the use of telephone company owned bridges has decreased slightly in favor of phreaker-owned conferences.

24.1.9 Cell phones

By the late 1990s, the fraudulent aspect of phreaking all but vanished. Most cellular phones offered unlimited domestic long distance calling for the price of standard airtime (often totally unlimited on weekends), and flat-rate long-distance plans appeared offering unlimited home phone long distance for as little as $25 per month. Rates for international calls had also decreased significantly. Between the much higher risk of being caught (due to advances in technology) and the much lower gain of making free phone calls, toll fraud started to become a concept associated very little with phreaking.

24.1.10 End of multi-frequency

The end of multi-frequency (MF) phreaking in the lower 48 United States occurred on June 15, 2006, when the last exchange in the contiguous United States to use a “phreakable” MF-signalled trunk replaced the aging (yet still well kept) N2 carrier with a T1 carrier. This exchange, located in Wawina Township, Minnesota, was run by the Northern Telephone Company of Minnesota.

24.2 2600 Hz

In the original analog networks, short-distance telephone calls were completed by sending relatively high-power electrical signals through the wires to the end office, which then switched the call. This technique could not be used for long-distance connections, because the signals would be filtered out due to capacitance in the wires. Long-distance switching remained a manual operation years after short-distance calls were automated, requiring operators at either end of the line to set up the connections.

Bell automated this process by sending “in-band” signals. Since the one thing the long-distance trunks were definitely able to do was send voice-frequency signals, the Bell System used a selection of tones sent over the trunks to control the system. When calling long-distance, the local end-office switch would first route the call to a special switch which would then convert further dialing into tones and send them over an appropriately selected trunk line (selected with the area code). A similar machine at the far end of the trunk would decode the tones back into electrical signals, and the call would complete as normal.

In addition to dialing instructions, the system also included a number of other tones that represented various commands or status. 2600 Hz, the key to early phreaking, was the frequency of the tone sent by the long-distance switch indicating that the user had gone on-hook (hung up the phone). This normally resulted in the remote switch also going on-hook, freeing the trunk for other uses. In order to make free lines easy to find, the 2600 Hz tone was continually played into free trunks. If the tone was sent manually by the local user into the phone line, it would trigger the remote switch to go on-hook, but critically, the local switch knew the user was still off-hook because that was signaled electrically, not by the tone (which the local switch ignored). The system was now in an inconsistent state, leaving the local user connected to an operational long-distance trunk line. With further experimentation, the phreaks learned the rest of the signals needed to dial on the remote switch.

Normally, long-distance calls were billed locally. Since the “trick” required a long distance call to be placed in order to connect to the remote switch, it would be billed as usual. However, there were some types of calls that had either no billing, like calls to directory service, or for which the billing was reversed or billed to another number, like WATS lines (area code 800 numbers). By dialing one of these “toll-free” numbers, the caller was connected to a remote switch as normal, but no billing record was made locally. The caller would then play the 2600 Hz tone into the line to return the remote switch to on-hook, and then use a blue box to dial the number to which they really wanted to connect. The local Bell office would have no record of the call.

As knowledge of phreaking spread, a minor culture emerged from the increasing number of phone phreaks. Sympathetic (or easily social-engineered) telephone company employees were persuaded to reveal the various routing codes to use international satellites and trunk lines. At the time it was felt that there was nothing Bell could do to stop this. Their entire network was based on this system, so changing the system in order to stop the phreakers would require a massive infrastructure upgrade.

In fact, Bell responded fairly quickly, but in a more targeted fashion. Bell looked through local records for inordinately long calls to directory service or other hints that phreakers were using a particular switch; filters could then be installed to block efforts at that end office. Many phreakers were forced to use pay telephones as the telephone company technicians regularly tracked long-distance toll free calls in an elaborate cat-and-mouse game. AT&T instead turned to the law for help, and a number of phreaks were caught by the government.

Eventually, the phone companies in North America did, in fact, replace all their hardware. They didn't do it to stop the phreaks, but simply as a matter of course while moving to fully digital switching systems. Unlike the crossbar switch, where the switching signals and voice were carried on the same lines, the new systems used separate signaling lines which phreaks could not access. This system is known as Common Channel Interoffice Signaling. Classic phreaking with the 2600 Hz tone continued to work in more remote locations into the 1980s, but was of little use in North America by the 1990s.

The last 2600 Hz-controlled trunk in the continental United States was operated by the independent Northern Telephone Company with an N2 Carrier system serving Wawina, Minnesota until June 15, 2006, when it was replaced by T1 carrier.[19] The last 2600 Hz-controlled trunks in North America, located in Livengood, Alaska, survived another 5 years and were finally retired in March 2011.[20]

24.3 See also

24.4 References

[1] Sterling, Bruce (2002) [1993]. The Hacker Crackdown. McLean, Virginia: IndyPublish.com. ISBN 1-4043-0641-2.

[2] Stott, Kim (22 July 1983). “Hung Up Glenpool Has Long-Distance Woes In Making Calls Across the Street”. NewsOK. Retrieved 26 May 2013.

[3] “Notice to our customers regarding Toll Fraud” (PDF). BizFon. Retrieved 2014-07-25.

[4] SoftCab. “Phone Call Recorder”. Modemspy.com. Retrieved 2014-07-24.

[5] Robson, Gary D. (April 2004). “The Origins of Phreaking”. Blacklisted! 411.

[6] DELON (February 27, 2008). “COMPLETE HISTORY OF HACKING”. Hacking | LEMNISCATE. Retrieved 2014-12-25.

[7] Lapsley, Phil (2013-11-02). Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell. New York: Grove/Atlantic, Incorporated. ISBN 080212061X.

[8] Bell System Technical Journal 43 (5). September 1964 http://www.alcatel-lucent.com/bstj/vol43-1964/bstj-vol43-issue05.html. Retrieved 24 June 2011.

[9] “Phone Trips”. Retrieved 2008-06-21.

[10] Rosenbaum, Ron (2011-10-07). “The article that inspired Steve Jobs: "Secrets of the Little Blue Box"”. Slate.com. Archived from the original on 2011-11-03. Retrieved 2013-11-30.

[11] “Secrets of the Little Blue Box”. Retrieved 2010-09-04.

[12] “Steve Jobs and Me: He said my 1971 article inspired him. His iBook obsessed me.”. Retrieved 2011-10-12.

[13] “"Secrets of the Little Blue Box": The 1971 article about phone hacking that inspired Steve Jobs.”. Archived from the original on 2011-11-03. Retrieved 2011-10-12.

[14] “Welcome to Woz.org”. Retrieved 2008-06-21.

[15] “Youth International Party Line (YIPL) / Technological American Party (TAP), New York FBI files 100-NY-179649 and 117-NY-2905 (3.2 Mbytes).” (PDF). Retrieved 2013-11-30.

[16] “Cheshire’s Book - TAP.HTML”. Retrieved 2008-06-21.

[17] “W32.Bugbear.B Worm Identified As Targeting Banks | Scoop News”. Scoop.co.nz. 2003-06-09. Retrieved 2014-07-24.

[18] Angela Moscaritolo (2011-03-18). “AT&T sues two over scheme to steal customer data”. SC Magazine. Retrieved 2014-07-24.

[19] “Telephone World - Sounds & Recordings from Wawina, MN”. Phworld.org. Retrieved 2013-11-30.

[20] “The death of Livengood - Old Skool Phreaking - Binary Revolution Forums”. Binrev.com. Retrieved 2013-11-30.

24.5 External links

• “Original Esquire article that started it all”.

• AusPhreak - Australia’s oldest and largest phreaking forum

• Secrets of the Little Blue Box – article with photos

• Telephone World – Sounds & Recordings of Wawina, Minnesota

• Textfiles.com / phreak Large collection of phreaking related text files. See also, audio conferences.

• Digital Information Society

• The History of Phone Phreaking

• Phone Trips Large collection of historical phone recordings.

• Phreaky Boys A collection of recordings made in 1990 of voice mail box systems compromised by phreakers.

• Phone Phreaking Demonstrated in India.

Chapter 25

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.[1] The term rootkit is a concatenation of “root” (the traditional name of the privileged account on Unix operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.[1]

Rootkit installation can be automated, or an attacker can install it once they've obtained root or Administrator access. Obtaining this access is a result of direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root or Administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem.[2] When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.

25.1 History

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.[3] If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information.[4][5] Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system.[6] In the lecture he gave upon receiving the Turing award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user’s correct password, but an additional "backdoor" password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code.[7] This exploit was equivalent to a rootkit.

The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.[1] Over time, DOS-virus cloaking methods became more sophisticated, with advanced techniques including the hooking of low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.[1]

The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by .[8] It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X appeared in 2009,[9] while the Stuxnet worm was the first to target programmable logic controllers (PLC).[10]

25.1.1 Sony BMG copy protection rootkit scandal

Main article: Sony BMG copy protection rootkit scandal

[Figure: Screenshot of RootkitRevealer, showing the files hidden by the Extended Copy Protection rootkit]

In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included a music player but silently installed a rootkit which limited the user’s ability to access the CD.[11]

Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers.[1] The ensuing scandal raised the public’s awareness of rootkits.[12]

To cloak itself, the rootkit hid from the user any file starting with "$sys$". Soon after Russinovich’s report, malware appeared which took advantage of that vulnerability of affected systems.[1]

One BBC analyst called it a “public relations nightmare.”[13] Sony BMG released patches to uninstall the rootkit, but it exposed users to an even more serious vulnerability.[14] The company eventually recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG.[15]

25.1.2 Greek wiretapping case 2004–05

Main article: Greek wiretapping case 2004–2005

The Greek wiretapping case of 2004-05, also referred to as Greek Watergate,[16] involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators.

The intruders installed a rootkit targeting Ericsson’s AXE telephone exchange. According to IEEE Spectrum, this was “the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.”[17] The rootkit was designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block checksum verification command. A backdoor allowed an operator with sysadmin status to deactivate the exchange’s transaction log and alarms and access commands related to the surveillance capability.[17] The rootkit was discovered after the intruders installed a faulty update, which caused SMS texts to be undelivered, leading to an automated failure report being generated. Ericsson engineers were called in to investigate the fault and discovered the hidden data blocks containing the list of phone numbers being monitored, along with the rootkit and illicit monitoring software.

25.2 Uses

Modern rootkits do not elevate access,[3] but rather are used to make another software payload undetectable by adding stealth capabilities.[8] Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased, which can be very inconvenient even to those who did legitimately purchase it.

Rootkits and their payloads have many uses:

• Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.

• Conceal other malware, notably password-stealing key loggers and computer viruses.[18]

• Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker’s system.) “Zombie” computers are typically members of large botnets that can launch denial-of-service attacks, distribute e-mail spam, conduct click fraud, etc.

• Enforcement of digital rights management (DRM).

In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of the computer user:

• Conceal cheating in online games from software like Warden.[19]

• Detect attacks, for example, in a honeypot.[20]

• Enhance emulation software and security software.[21] Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods (It can be terminated with Process Hacker).

• Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.[22]

• Bypassing Microsoft Product Activation[23]

25.3 Types

Further information: Ring (computer security)

[Figure: Computer security rings (Note that Ring −1 is not shown)]

There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.[24]

25.3.1 User mode

User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes.[25] They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection mechanisms include:[25]

• Use of vendor-supplied application extensions. For example, Windows Explorer has public interfaces that allow third parties to extend its functionality.

• Interception of messages.

• Debuggers.

• Exploitation of security vulnerabilities.

• Function hooking or patching of commonly used APIs, for example, to hide a running process or file that resides on a filesystem.[26]

...since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs’ memory space before they fully execute.
—Windows Rootkit Overview, Symantec[3]

25.3.2 Kernel mode

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write.[27] The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of the rootkit.[27] One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack magazine in 1999 by Greg Hoglund.[28][29][30]

Kernel rootkits can be especially difficult to detect and remove because they operate at the same as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as antivirus software, running on the compromised system is equally vulnerable.[31] In this situation, no part of the system can be trusted.

A rootkit can modify data structures in the Windows kernel using a method known as direct kernel object manipulation (DKOM).[32] This method can be used to hide processes. A kernel mode rootkit can also hook the System Service Descriptor Table (SSDT), or modify the gates between user mode and kernel mode, in order to cloak itself.[3] Similarly for the Linux operating system, a rootkit can modify the system call table to subvert kernel functionality.[33] It’s common that a rootkit creates a hidden, encrypted filesystem in which it can hide other malware or original copies of files it has infected.[34]

Operating systems are evolving to counter the threat of kernel-mode rootkits. For example, 64-bit editions of Microsoft Windows now implement mandatory signing of all kernel-level drivers in order to make it more difficult for untrusted code to execute with the highest privileges in a system.[35]

Bootkits

A kernel-mode rootkit variant called a bootkit can infect startup code like the Master Boot Record (MBR), Volume Boot Record (VBR) or boot sector, and in this way, can be used to attack full disk encryption systems. An example is the “Evil Maid Attack”, in which an attacker installs a bootkit on an unattended computer, replacing the legitimate boot loader with one under his control. Typically the malware loader persists through the transition to protected mode when the kernel has loaded, and is thus able to subvert the kernel.[36][37][38][39] For example, the “ Bootkit” subverts the system by using a compromised boot loader to intercept encryption keys and passwords.[40] More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.[41] Although not malware in the sense of doing something the user doesn't want, certain “Vista Loader” or “Windows Loader” software works in a similar way by injecting an ACPI SLIC (System Licensed Internal Code) table in the RAM-cached version of the BIOS during boot, in order to defeat the Windows Vista and Windows 7 activation process.[42][43] This vector of attack was rendered useless in the (non-server) versions of Windows 8, which use a unique, machine-specific key for each system, that can only be used by that one machine.[44]

The only known defenses against bootkit attacks are the prevention of unauthorized physical access to the system—a problem for portable computers—or the use of a Trusted Platform Module configured to protect the boot path.[45]

25.3.3 Hypervisor level

Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring −1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system.[5] Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine.[5] A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions.[5] The “SubVirt” laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an academic example of a virtual machine–based rootkit (VMBR),[46] while Blue Pill is another.

In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe, which provides generic protection against kernel-mode rootkits.[47]

25.3.4 Firmware and hardware

A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a router, network card,[48] hard drive, or the system BIOS.[25] The rootkit hides in firmware, because firmware is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines[49] and in a PCI expansion card ROM.[50]

In October 2008, criminals tampered with European credit-card-reading machines before they were installed. The devices intercepted and transmitted credit card details via a mobile phone network.[51] In March 2009, researchers Alfredo Ortega and Anibal Sacco published details of a BIOS-level Windows rootkit that was able to survive disk replacement and operating system re-installation.[52][53][54] A few months later they learned that some laptops are sold with a legitimate rootkit, known as Absolute CompuTrace or Absolute LoJack for Laptops, preinstalled in many BIOS images. This is an anti-theft technology system that researchers showed can be turned to malicious purposes.[22]

Intel Active Management Technology, part of Intel vPro, implements out-of-band management, giving administrators remote administration, remote management, and remote control of PCs with no involvement of the host processor or BIOS, even when the system is powered off. Remote administration includes remote power-up and power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings, programmable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have “the ability to remotely kill and restore a lost or stolen PC via 3G”. Hardware rootkits built into the chipset can help recover stolen computers, remove data, or render them useless, but they also present privacy and security concerns of undetectable spying and redirection by management or hackers who might gain control.

25.4 Installation and cloaking

Rootkits employ a variety of techniques to gain control of a system; the type of rootkit influences the choice of attack vector. The most common technique leverages security vulnerabilities to achieve surreptitious privilege escalation. Another approach is to use a Trojan horse, deceiving a computer user into trusting the rootkit’s installation program as benign—in this case, social engineering convinces a user that the rootkit is beneficial.[27] The installation task is made easier if the principle of least privilege is not applied, since the rootkit then does not have to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only by someone with physical access to the target system. Some rootkits may also be installed intentionally by the owner of the system or somebody authorized by the owner, e.g. for the purpose of employee monitoring, rendering such subversive techniques unnecessary.[55]

The installation of malicious rootkits is commercially driven, with a pay-per-install (PPI) compensation method typical for distribution.[56][57]

Once installed, a rootkit takes active measures to obscure its presence within the host system through subversion or evasion of standard operating system security tools and APIs used for diagnosis, scanning, and monitoring. Rootkits achieve this by modifying the behavior of core parts of an operating system through loading code into other processes, the installation or modification of drivers, or kernel modules. Obfuscation techniques include concealing running processes from system-monitoring mechanisms and hiding system files and other configuration data.[58] It is not uncommon for a rootkit to disable the event logging capacity of an operating system, in an attempt to hide evidence of an attack. Rootkits can, in theory, subvert any operating system activities.[59] The “perfect rootkit” can be thought of as similar to a "perfect crime": one that nobody realizes has taken place.

Rootkits also take a number of measures to ensure their survival against detection and cleaning by antivirus software in addition to commonly installing into Ring 0 (kernel-mode), where they have complete access to a system. These include polymorphism, stealth techniques, regeneration, and disabling anti-malware software.[60]

25.5 Detection

The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components.[59] Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected. In other words, rootkit detectors that work while running on infected systems are only effective against rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than the detection software in the kernel.[27] As with computer viruses, the detection and elimination of rootkits is an ongoing struggle between both sides of this conflict.[59]

Detection can take a number of different approaches, including signatures (e.g. antivirus software), integrity checking (e.g. digital signatures), difference-based detection (comparison of expected vs. actual results), and behavioral detection (e.g. monitoring CPU usage or network traffic). For kernel-mode rootkits, detection is considerably more complex, requiring careful scrutiny of the System Call Table to look for hooked functions where the malware may be subverting system behavior,[61] as well as forensic scanning of memory for patterns that indicate hidden processes.

Unix rootkit detection offerings include Zeppoo,[62] chkrootkit, rkhunter and OSSEC. For Windows, detection tools include Microsoft Sysinternals RootkitRevealer,[63] Avast! Antivirus, Sophos Anti-Rootkit,[64] F-Secure,[65] Radix,[66] GMER,[67] and WindowsSCOPE. Any rootkit detectors that prove effective ultimately contribute to their own ineffectiveness, as malware authors adapt and test their code to escape detection by well-used tools.[Notes 1]

Detection by examining storage while the suspect operating system is not operational can miss rootkits not recognised by the checking software, as the rootkit is not active and suspicious behavior is suppressed; conventional anti-malware software running with the rootkit operational may fail if the rootkit hides itself effectively.
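Difference-based detection, named above as comparison of expected vs. actual results, can be shown with a cross-view check over one directory. This is an added example, not code from any tool named on this page: `hooked_listdir` only simulates a listing API that hides names starting with "$sys$" (the prefix the XCP rootkit hid), `raw_listdir` stands in for a trusted raw view, and all file names are constructed.

```python
import os
import tempfile

HIDDEN_PREFIX = "$sys$"  # name prefix the XCP rootkit hid, per the text


def hooked_listdir(path):
    """Simulated 'tainted' API: drops entries the way a file-hiding hook would."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def raw_listdir(path):
    """Stand-in for the 'trusted' view. A real scanner parses on-disk
    structures itself or runs from trusted boot media; here the unfiltered
    listing plays that role (assumption for this demo)."""
    with os.scandir(path) as entries:
        return [e.name for e in entries]


def cross_view_scan(path, api_view, raw_view):
    """Compare two views of one directory.

    The API view is sampled before and after the raw view, so files that
    normal activity creates or deletes during the scan are not reported.
    Returns (hidden, phantom): names only the raw view shows, and names
    only the API shows.
    """
    before = set(api_view(path))
    raw = set(raw_view(path))
    after = set(api_view(path))
    hidden = raw - (before | after)
    phantom = (before & after) - raw
    return sorted(hidden), sorted(phantom)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files.
        for name in ("report.txt", "notes.txt", "$sys$example.sys"):
            with open(os.path.join(d, name), "w") as f:
                f.write("x")

        # 1. Tainted API vs. trusted raw view: the hidden file stands out.
        results["infected"] = cross_view_scan(d, hooked_listdir, raw_listdir)

        # 2. Benign race: a file appears while the scan is running.
        def raw_with_concurrent_write(path):
            with open(os.path.join(path, "new.log"), "w") as f:
                f.write("x")
            return raw_listdir(path)

        results["race"] = cross_view_scan(d, os.listdir, raw_with_concurrent_write)

        # 3. Limitation: if the "raw" view is subverted too, nothing differs.
        results["both_hooked"] = cross_view_scan(d, hooked_listdir, hooked_listdir)
    return results


if __name__ == "__main__":
    for case, (hidden, phantom) in demo().items():
        print(f"{case:12} hidden={hidden} phantom={phantom}")
```

The third case is the reason a clean result from a scanner running on the suspect system proves little: both views pass through the same, possibly subverted, operating system.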

25.5.1 Alternative trusted medium A rootkit may detect the presence of a such difference- based scanner or virtual machine (the latter being com- The best and most reliable method for operating-system- monly used to perform forensic analysis), and adjust level rootkit detection is to shut down the computer sus- its behaviour so that no differences can be detected. pected of infection, and then to check its storage by Difference-based detection was used by Russinovich's booting from an alternative trusted medium (e.g. a rescue RootkitRevealer tool to find the Sony DRM rootkit.[1] CD-ROM or USB flash drive).[68] The technique is effec- tive because a rootkit cannot actively hide its presence if it is not running. 25.5.5 Integrity checking

25.5.2 Behavioral-based

The behavioral-based approach to detecting rootkits at- tempts to infer the presence of a rootkit by looking for rootkit-like behavior. For example, by profiling a system, differences in the timing and frequency of API calls or in overall CPU utilization can be attributed to a rootkit. The method is complex and is hampered by a high incidence of false positives. Defective rootkits can sometimes in- troduce very obvious changes to a system: the Alureon rootkit crashed Windows systems after a security update exposed a design flaw in its code.[69][70] Logs from a packet analyzer, firewall, or intrusion preven- tion system may present evidence of rootkit behaviour in a networked environment.[24]

25.5.3 Signature-based

Antivirus products rarely catch all viruses in public tests (depending on what is used and to what extent), even though security software vendors incorporate rootkit de- The rkhunter utility uses SHA-1 hashes to verify the integrity of tection into their products. Should a rootkit attempt system files. to hide during an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload it- Code signing uses public-key infrastructure to check if a self from the system, signature detection (or “fingerprint- file has been modified since being digitally signed by its ing”) can still find it. This combined approach forces publisher. Alternatively, a system owner or administrator attackers to implement counterattack mechanisms, or can use a cryptographic hash function to compute a “fin- “retro” routines, that attempt to terminate antivirus pro- gerprint” at installation time that can help to detect subse- grams. Signature-based detection methods can be effec- quent unauthorized changes to on-disk code libraries.[72] tive against well-published rootkits, but less so against However, unsophisticated schemes check only whether specially crafted, custom-root rootkits.[59] the code has been modified since installation time; sub- version prior to that time is not detectable. The fingerprint must be re-established each time changes are made to the 25.5.4 Difference-based system: for example, after installing security updates or a service pack. The hash function creates a message digest, Another method that can detect rootkits compares a relatively short code calculated from each bit in the file “trusted” raw data with “tainted” content returned by using an algorithm that creates large changes in the mes- an API. For example, binaries present on disk can be sage digest with even smaller changes to the original file. 
compared with their copies within operating memory (in By recalculating and comparing the message digest of the some operating systems, the in-memory image should installed files at regular intervals against a trusted list of be identical to the on-disk image), or the results re- message digests, changes in the system can be detected turned from file system or Windows Registry APIs can and monitored—as long as the original baseline was cre- be checked against raw structures on the underlying phys- ated before the malware was added. More-sophisticated ical disks[59][71]—however, in the case of the former, rootkits are able to subvert the verification process by some valid differences can be introduced by operating presenting an unmodified copy of the file for inspection, system mechanisms like memory relocation or shimming. or by making code modifications only in memory, rather 25.7. PUBLIC AVAILABILITY 125

than on disk. The technique may therefore be effective to be copied off—or, alternatively, a forensic examina- only against unsophisticated rootkits—for example, those tion performed.[24] Lightweight operating systems such that replace Unix binaries like "ls" to hide the presence of as Windows PE, Windows Recovery Console, Windows a file. Recovery Environment, BartPE, or Live Distros can be Similarly, detection in firmware can be achieved by com- used for this purpose, allowing the system to be cleaned. puting a cryptographic hash of the firmware and compar- Even if the type and nature of a rootkit is known, man- ing it to a whitelist of expected values, or by extending the ual repair may be impractical, while re-installing the hash value into Trusted Platform Module (TPM) config- operating system and applications is safer, simpler and uration registers, which are later compared to a whitelist quicker.[83] of expected values.[73] The code that performs hash, com- pare, or extend operations must also be protected—in this context, the notion of an immutable root-of-trust holds that the very first code to measure security properties of 25.7 Public availability a system must itself be trusted to ensure that a rootkit or bootkit does not compromise the system at its most fun- Like much malware used by attackers, many rootkit damental level.[74] implementations are shared and are easily available on the Internet. 
It is not uncommon to see a compromised system in which a sophisticated, publicly available rootkit hides the presence of unsophisticated worms or attack tools apparently written by inexperienced programmers.[24]

Most of the rootkits available on the Internet originated as exploits or as academic “proofs of concept” to demonstrate varying methods of hiding things within a computer system and of taking unauthorized control of it.[85] Often not fully optimized for stealth, such rootkits sometimes leave unintended evidence of their presence. Even so, when such rootkits are used in an attack, they are often effective. Other rootkits with keylogging features such as GameGuard are installed as part of online commercial games.

25.5.6 Memory dumps

Forcing a complete dump of virtual memory will capture an active rootkit (or a kernel dump in the case of a kernel-mode rootkit), allowing offline forensic analysis to be performed with a debugger against the resulting dump file, without the rootkit being able to take any measures to cloak itself. This technique is highly specialized, and may require access to non-public source code or debugging symbols. Memory dumps initiated by the operating system cannot always be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory[5]—a hardware device, such as one that implements a non-maskable interrupt, may be required to dump memory in this scenario.[75][76]

25.6 Removal

Manual removal of a rootkit is often too difficult for a typical computer user,[25] but a number of security-software vendors offer tools to automatically detect and remove some rootkits, typically as part of an antivirus suite. As of 2005, Microsoft’s monthly Windows Malicious Software Removal Tool is able to detect and remove some classes of rootkits.[77][78] Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit. Instead, they access raw filesystem structures directly, and use this information to validate the results from the system APIs to identify any differences that may be caused by a rootkit.[Notes 2][79][80][81][82]

There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[83][84] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. Booting an alternative operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned and critical data

25.8 Defenses

System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to install.[86] Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware.[87]

New secure boot specifications like Unified Extensible Firmware Interface are currently being designed to address the threat of bootkits.

For server systems, remote server attestation using technologies such as Intel Trusted Execution Technology (TXT) provides a way of validating that servers remain in a known good state. For example, Microsoft Bitlocker, which encrypts data-at-rest, validates that servers are in a known “good state” on bootup. PrivateCore vCage is a software offering that secures data-in-use (memory) to avoid bootkits and rootkits by validating that servers are in a known “good” state on bootup. The PrivateCore implementation works in concert with Intel TXT and locks down server system interfaces to avoid potential bootkits and rootkits.
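The cross-view check described under Removal, comparing raw filesystem structures with what the system APIs report, shown as an added example (not code from any scanner named on this page). It assumes a FAT short-name root directory as the raw structure; the directory bytes, file names and API listing are constructed sample data.

```python
import struct

ENTRY_SIZE = 32          # every FAT directory entry is 32 bytes
ATTR_VOLUME_ID = 0x08    # set on volume labels and on long-file-name entries (0x0F)


def make_entry(name, ext, attr=0x20, size=0):
    """Build one constructed short-name entry (helper for the sample data only)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    # attribute byte, 14 bytes of reserved/time/date/cluster-high fields,
    # first-cluster-low (dummy value 2), file size
    return raw + struct.pack("<B14xHI", attr, 2, size)


def parse_raw_directory(raw):
    """Return the live file names found by walking the raw directory bytes."""
    names = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        if entry[0] == 0xE5:          # deleted entry, not a live file
            continue
        if entry[11] & ATTR_VOLUME_ID:  # volume label or long-name fragment
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        names.append(f"{base}.{ext}" if ext else base)
    return names


def cross_view_diff(raw_names, api_names):
    """Compare the two views case-insensitively.

    Returns (hidden, phantom): names present on disk but missing from the API
    view, and names the API reports that have no raw entry.
    """
    raw = {n.upper() for n in raw_names}
    api = {n.upper() for n in api_names}
    return sorted(raw - api), sorted(api - raw)


# Constructed raw directory: two ordinary files, one deleted entry, one
# long-file-name fragment, one hidden+system driver, then the terminator.
_deleted = b"\xE5" + make_entry("OLDLOG", "TMP")[1:]
_lfn = bytes([0x41]) + "svchl".encode("utf-16-le") + bytes([0x0F]) + bytes(20)
RAW_DIR = (make_entry("README", "TXT", size=120)
           + make_entry("NOTES", "DOC", size=2048)
           + _deleted
           + _lfn
           + make_entry("SVCHLP", "SYS", attr=0x26, size=40960)
           + bytes(ENTRY_SIZE))

# Constructed API-level listing, as a filtered directory call might return it.
API_VIEW = ["readme.txt", "notes.doc"]

if __name__ == "__main__":
    hidden, phantom = cross_view_diff(parse_raw_directory(RAW_DIR), API_VIEW)
    print("on disk but not reported by the API:", hidden)
    print("reported by the API but not on disk:", phantom)
```

An empty difference is not proof of a clean system: as Note [2] points out, a sufficiently sophisticated kernel-level rootkit could subvert the raw reads as well.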

25.9 See also

• Hacker con
• Host-based intrusion detection system
• Man-in-the-middle attack
• The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

25.10 Notes

[1] The process name of Sysinternals RootkitRevealer was targeted by malware; in an attempt to counter this countermeasure, the tool now uses a randomly generated process name.
[2] In theory, a sufficiently sophisticated kernel-level rootkit could subvert read operations against raw filesystem data structures as well, so that they match the results returned by APIs.

25.11 References

[1] “Rootkits, Part 1 of 3: The Growing Threat” (PDF). McAfee. 2006-04-17. Archived from the original (PDF) on 2006-08-23.
[2] http://www.technibble.com/how-to-remove-a-rootkit-from-a-windows-system/
[3] “Windows Rootkit Overview” (PDF). Symantec. 2006-03-26. Retrieved 2010-08-17.
[4] Sparks, Sherri; Butler, Jamie (2005-08-01). “Raising The Bar For Windows Rootkit Detection”. Phrack 0xb (0x3d).
[5] Myers, Michael; Youndt, Stephen (2007-08-07). “An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits”. Crucial Security. CiteSeerX: 10.1.1.90.8832.
[6] Andrew Hay, Daniel Cid, Rory Bray (2008). OSSEC Host-Based Intrusion Detection Guide. Syngress. p. 276. ISBN 1-59749-240-X.
[7] Thompson, Ken (August 1984). “Reflections on Trusting Trust” (PDF). Communications of the ACM 27 (8): 761. doi:10.1145/358198.358210.
[8] Greg Hoglund, James Butler (2006). Rootkits: Subverting the Windows kernel. Addison-Wesley. p. 4. ISBN 0-321-29431-9.
[9] Dai Zovi, Dino (2009-07-26). Advanced Mac OS X Rootkits (PDF). Blackhat. Endgame Systems. Retrieved 2010-11-23.
[10] “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems”. Symantec. 2010-08-06. Archived from the original on 2012-09-11. Retrieved 2010-12-04.
[11] “Spyware Detail: XCP.Sony.Rootkit”. Computer Associates. 2005-11-05. Archived from the original on 2012-09-21. Retrieved 2010-08-19.
[12] Russinovich, Mark (2005-10-31). “Sony, Rootkits and Digital Rights Management Gone Too Far”. TechNet Blogs. Microsoft. Archived from the original on 2012-07-07. Retrieved 2010-08-16.
[13] “Sony’s long-term rootkit CD woes”. BBC News. 2005-11-21. Archived from the original on 2012-07-15. Retrieved 2008-09-15.
[14] Felton, Ed (2005-11-15). “Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs”. Archived from the original on 2012-09-05.
[15] Knight, Will (2005-11-11). “Sony BMG sued over cloaking software on music CD”. New Scientist (Sutton, UK: Reed Business Information). Archived from the original on 2012-09-21. Retrieved 2010-11-21.
[16] Kyriakidou, Dina (March 2, 2006). “"Greek Watergate" Scandal Sends Political Shockwaves”. Reuters. Retrieved 2007-11-24.
[17] Vassilis Prevelakis, Diomidis Spinellis (July 2007). “The Athens Affair”. Archived from the original on 2012-09-21.
[18] Russinovich, Mark (June 2005). “Unearthing Root Kits”. Windows IT Pro. Archived from the original on 2012-09-18. Retrieved 2010-12-16.
[19] “World of Warcraft Hackers Using Sony BMG Rootkit”. The Register. 2005-11-04. Archived from the original on 2012-09-17. Retrieved 2010-08-23.
[20] Steve Hanna (September 2007). “Using Rootkit Technology for Honeypot-Based Malware Detection” (PDF). CCEID Meeting.
[21] Russinovich, Mark (6 February 2006). “Using Rootkits to Defeat Digital Rights Management”. Winternals. SysInternals. Archived from the original on 31 August 2006. Retrieved 2006-08-13.
[22] Ortega, Alfredo; Sacco, Anibal (2009-07-24). Deactivate the Rootkit: Attacks on BIOS anti-theft technologies (PDF). Black Hat USA 2009 (PDF). Boston, MA: Core Security Technologies. Retrieved 2014-06-12.
[23] Kleissner, Peter (2009-09-02). “Stoned Bootkit: The Rise of MBR Rootkits & Bootkits in the Wild” (PDF). Retrieved 2010-11-23.
[24] Anson, Steve; Bunting, Steve (2007). Mastering Windows Network Forensics and Investigation. John Wiley and Sons. pp. 73–74. ISBN 0-470-09762-0.
[25] “Rootkits Part 2: A Technical Primer” (PDF). McAfee. 2007-04-03. Archived from the original (PDF) on 2008-12-05. Retrieved 2010-08-17.
[26] Kdm. “NTIllusion: A portable Win32 userland rootkit”. Phrack 62 (12). Archived from the original on 2012-09-12.
[27] “Understanding Anti-Malware Technologies” (PDF). Microsoft. 2007-02-21. Retrieved 2010-08-17.
[28] Hoglund, Greg (1999-09-09). “A *REAL* NT Rootkit, Patching the NT Kernel”. Phrack 9 (55). Archived from the original on 2012-07-14. Retrieved 2010-11-21.
[29] Shevchenko, Alisa (2008-09-01). “Rootkit Evolution”. Help Net Security. Help Net Security. p. 2. Archived from the original on 2012-09-03.
[30] Chuvakin, Anton (2003-02-02). An Overview of Unix Rootkits (PDF) (Report). Chantilly, Virginia: iDEFENSE. Retrieved 2010-11-21.
[31] Butler, James; Sparks, Sherri (2005-11-16). “Windows Rootkits of 2005, Part Two”. Symantec Connect. Symantec. Archived from the original on 2012-09-11. Retrieved 2010-11-13.
[32] Butler, James; Sparks, Sherri (2005-11-03). “Windows Rootkits of 2005, Part One”. Symantec Connect. Symantec. Archived from the original on 2012-09-12. Retrieved 2010-11-12.
[33] Burdach, Mariusz (2004-11-17). “Detecting Rootkits And Kernel-level Compromises In Linux”. Symantec. Archived from the original on 2012-09-13. Retrieved 2010-11-23.
[34] Marco Giuliani (11 April 2011). “ZeroAccess – An Advanced Kernel Mode Rootkit” (PDF). Software. Retrieved 10 August 2011.
[35] “Driver Signing Requirements for Windows”. Microsoft. Archived from the original on 2012-05-30. Retrieved 2008-07-06.
[36] Soeder, Derek; Permeh, Ryan (2007-05-09). “Bootroot”. eEye Digital Security. Archived from the original on 2012-09-21. Retrieved 2010-11-23.
[37] Schneier, Bruce (2009-10-23). “'Evil Maid' Attacks on Encrypted Hard Drives”. Archived from the original on 2012-09-11. Retrieved 2009-11-07.
[38] Kumar, Nitin; Kumar, Vipin (2007). Vbootkit: Compromising Windows Vista Security (PDF). Black Hat Europe 2007.
[39] “BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion”. NVlabs. 2007-02-04. Retrieved 2010-11-21.
[40] Kleissner, Peter (2009-10-19). “Stoned Bootkit”. Peter Kleissner. Archived from the original on 2012-09-21. Retrieved 2009-11-07.
[41] Goodin, Dan (2010-11-16). “World’s Most Advanced Rootkit Penetrates 64-bit Windows”. The Register. Archived from the original on 2012-09-21. Retrieved 2010-11-22.
[42] Peter Kleissner, “The Rise of MBR Rootkits And Bootkits in the Wild”, Hacking at Random (2009) - text; slides
[43] Windows Loader - Software Informer. This is the loader application that’s used by millions of people worldwide
[44] Microsoft tightens grip on OEM Windows 8 licensing
[45] Scambray, Joel; McClure, Stuart (2007). Hacking Exposed Windows: Windows Security Secrets & Solutions. McGraw-Hill Professional. pp. 371–372. ISBN 0-07-149426-X.
[46] King, Samuel T.; Chen, Peter M.; Wang, Yi-Min; Verbowski, Chad; Wang, Helen J.; Lorch, Jacob R. (2006-04-03). International Business Machines (ed.), ed. SubVirt: Implementing malware with virtual machines (PDF). 2006 IEEE Symposium on Security and Privacy. Institute of Electrical and Electronics Engineers. doi:10.1109/SP.2006.38. ISBN 0-7695-2574-1. Retrieved 2008-09-15.
[47] Wang, Zhi; Jiang, Xuxian; Cui, Weidong; Ning, Peng (2009-08-11). “Countering Kernel Rootkits with Lightweight Hook Protection” (PDF). In Al-Shaer, Ehab (General Chair). Proceedings of the 16th ACM Conference on Computer and Communications Security. CCS 2009: 16th ACM Conference on Computer and Communications Security. Jha, Somesh; Keromytis, Angelos D. (Program Chairs). New York: ACM New York. doi:10.1145/1653662.1653728. ISBN 978-1-60558-894-0. Retrieved 2009-11-11.
[48] Delugré, Guillaume (2010-11-21). Reversing the Broacom NetExtreme’s Firmware (PDF). hack.lu. Sogeti. Retrieved 2010-11-25.
[49] Heasman, John (2006-01-25). Implementing and Detecting an ACPI BIOS Rootkit (PDF). Black Hat Federal 2006. NGS Consulting. Retrieved 2010-11-21.
[50] Heasman, John (2006-11-15). “Implementing and Detecting a PCI Rootkit” (PDF). Next Generation Security Software. CiteSeerX: 10.1.1.89.7305. Retrieved 2010-11-13.
[51] Modine, Austin (2008-10-10). “Organized crime tampers with European card swipe devices: Customer data beamed overseas”. The Register. Situation Publishing. Archived from the original on 2012-09-12. Retrieved 2008-10-13.
[52] Sacco, Anibal; Ortéga, Alfredo (2009). Persistent BIOS infection (PDF). CanSecWest 2009. Core Security Technologies. Retrieved 2010-11-21.
[53] Goodin, Dan (2009-03-24). “Newfangled rootkits survive hard disk wiping”. The Register. Situation Publishing. Archived from the original on 2012-09-21. Retrieved 2009-03-25.
[54] Sacco, Anibal; Ortéga, Alfredo (2009-06-01). “Persistent BIOS Infection: The Early Bird Catches the Worm”. Phrack 66 (7). Archived from the original on 2012-07-17. Retrieved 2010-11-13.
[55] Ric Vieler (2007). Professional Rootkits. John Wiley & Sons. p. 244. ISBN 9780470149546.
[56] Matrosov, Aleksandr; Rodionov, Eugene (2010-06-25). “TDL3: The Rootkit of All Evil?” (PDF). Moscow: ESET. p. 3. Retrieved 2010-08-17.
[57] Matrosov, Aleksandr; Rodionov, Eugene (2011-06-27). “The Evolution of TDL: Conquering x64” (PDF). ESET. Retrieved 2011-08-08.
[58] Brumley, David (1999-11-16). “Invisible Intruders: rootkits in practice”. USENIX. USENIX. Archived from the original on 2012-05-27.
[59] Davis, Michael A.; Bodmer, Sean; LeMasters, Aaron (2009-09-03). “Chapter 10: Rootkit Detection” (PDF). Hacking Exposed Malware & Rootkits: Malware & rootkits security secrets & solutions (PDF). New York: McGraw Hill Professional. ISBN 978-0-07-159118-8. Retrieved 2010-08-14.
[60] Trlokom (2006-07-05). “Defeating Rootkits and Keyloggers” (PDF). Trlokom. Retrieved 2010-08-17.
[61] Dai Zovi, Dino (2011). “Kernel Rootkits”. Retrieved 13 Sep 2012.
[62] “Zeppoo”. SourceForge. 18 July 2009. Archived from the original on 2012-07-19. Retrieved 8 August 2011.
[63] Cogswell, Bryce; Russinovich, Mark (2006-11-01). “RootkitRevealer v1.71”. Microsoft. Archived from the original on 2012-06-04. Retrieved 2010-11-13.
[64] “Sophos Anti-Rootkit”. Sophos. Archived from the original on 2012-09-21. Retrieved 8 August 2011.
[65] “BlackLight”. F-Secure. Archived from the original on 2012-09-21. Retrieved 8 August 2011.
[66] “Radix Anti-Rootkit”. usec.at. Archived from the original on 2012-09-21. Retrieved 8 August 2011.
[67] “GMER”. Archived from the original on 2012-08-02. Retrieved 8 August 2011.
[68] Harriman, Josh (2007-10-19). “A Testing Methodology for Rootkit Removal Effectiveness” (PDF). Dublin, Ireland: Symantec Security Response. Retrieved 2010-08-17.
[69] Cuibotariu, Mircea (2010-02-12). “Tidserv and MS10-015”. Symantec. Archived from the original on 2012-09-21. Retrieved 2010-08-19.
[70] “Restart Issues After Installing MS10-015”. Microsoft. 2010-02-11. Archived from the original on 2012-07-07. Retrieved 2010-10-05.
[71] “Strider GhostBuster Rootkit Detection”. Microsoft Research. 2010-01-28. Archived from the original on 2012-07-29. Retrieved 2010-08-14.
[72] “Signing and Checking Code with Authenticode”. Microsoft. Archived from the original on 2012-09-21. Retrieved 2008-09-15.
[73] “Stopping Rootkits at the Network Edge” (PDF). Beaverton, Oregon: Trusted Computing Group. January 2007. Retrieved 2008-07-11.
[74] “TCG PC Specific Implementation Specification, Version 1.1” (PDF). Trusted Computing Group. 2003-08-18. Retrieved 2010-11-22.
[75] “How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system”. Microsoft. Archived from the original on 2012-07-20. Retrieved 2010-11-13.
[76] Seshadri, Arvind et al. (2005). “Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems”. Carnegie Mellon University.
[77] Dillard, Kurt (2005-08-03). “Rootkit battle: Rootkit Revealer vs. Hacker Defender”. Archived from the original on 2012-07-13.
[78] “The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, , , or Windows XP”. Microsoft. 2010-09-14. Archived from the original on 2012-09-21.
[79] Hultquist, Steve (2007-04-30). “Rootkits: The next big enterprise threat?”. InfoWorld (IDG). Archived from the original on 2012-09-21. Retrieved 2010-11-21.
[80] “Security Watch: Rootkits for fun and profit”. CNET Reviews. 2007-01-19. Archived from the original on 2012-07-18. Retrieved 2009-04-07.
[81] Bort, Julie (2007-09-29). “Six ways to fight back against botnets”. PCWorld. San Francisco: PCWorld Communications. Archived from the original on 2012-09-07. Retrieved 2009-04-07.
[82] Hoang, Mimi (2006-11-02). “Handling Today’s Tough Security Threats: Rootkits”. Symantec Connect. Symantec. Archived from the original on 2012-09-21. Retrieved 2010-11-21.
[83] Danseglio, Mike; Bailey, Tony (2005-10-06). “Rootkits: The Obscure Hacker Attack”. Microsoft. Archived from the original on 2012-09-21.
[84] Messmer, Ellen (2006-08-26). “Experts Divided Over Rootkit Detection and Removal”. NetworkWorld.com (Framingham, Mass.: IDG). Archived from the original on 2012-09-03. Retrieved 2010-08-15.
[85] Stevenson, Larry; Altholz, Nancy (2007). Rootkits for Dummies. John Wiley and Sons Ltd. p. 175. ISBN 0-471-91710-9.
[86] Skoudis, Ed; Zeltser, Lenny (2004). Malware: Fighting Malicious Code. Prentice Hall PTR. p. 335. ISBN 0-13-101405-6.
[87] Hannel, Jeromey (2003-01-23). “Linux RootKits For Beginners - From Prevention to Removal” (PDF). SANS Institute. Retrieved 2010-11-22.

25.12 Further reading

• Blunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Wordware. ISBN 978-1-59822-061-2.

• Hoglund, Greg; Butler, James (2005). Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional. ISBN 0-321-29431-9.

• Grampp, F. T.; Morris, Robert H., Sr. (October 1984). “The UNIX System: UNIX Operating System Security”. AT&T Bell Laboratories Technical Journal (AT&T) 62 (8): 1649–1672.

• Kong, Joseph (2007). Designing BSD Rootkits. No Starch Press. ISBN 1-59327-142-5.

• Veiler, Ric (2007). Professional Rootkits. Wrox. ISBN 978-0-470-10154-4.

25.13 External links

• Rootkit Analysis: Research and Analysis of Rootkits
• Even Nastier: Traditional RootKits
• Sophos Podcast about rootkit removal
• Rootkit research in Microsoft
• Testing of antivirus/anti-rootkit software for the detection and removal of rootkits, Anti-Malware Test Lab, January 2008
• Testing of anti-rootkit software, InformationWeek, January 2007
• Security Now! Episode 9, Rootkits, Podcast by Steve Gibson/GRC explaining Rootkit technology, October 2005

Chapter 26

Script kiddie

In programming culture a script kiddie or skiddie[1] (also known as skid, script bunny,[2] script kitty)[3] is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated programs or exploits on their own, and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities.[4] The term is generally considered to be pejorative.

26.1 Characteristics

In a Carnegie Mellon report prepared for the U.S. Department of Defense in 2005, script kiddies are defined as

“The more immature but unfortunately often just as dangerous exploiter of security lapses on the Internet. The typical script kiddy uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard or perhaps even understanding of the potentially harmful consequences.”[5]

Script kiddies have at their disposal a large number of effective, easily downloadable programs capable of breaching computers and networks.[4] Such programs have included remote denial-of-service WinNuke,[6] trojans Back Orifice, NetBus, Sub7,[7] and ProRat, vulnerability scanner/injector kit Metasploit,[8] and often software intended for legitimate security auditing.[9] A survey of college students in 2010, supported by the UK’s Association of Chief Police Officers, indicated a high level of interest in beginning hacking: “23% of 'uni' students have hacked into IT systems [...] 32% thought hacking was 'cool' [...] 28% considered it to be easy.”[10]

Script kiddies vandalize websites both for the thrill of it and to increase their reputation among their peers.[4] Some more malicious script kiddies have used virus toolkits to create and propagate the Anna Kournikova and Love Bug viruses.[1] Script kiddies lack, or are only developing, programming skills sufficient to understand the effects and side effects of their actions. As a result, they leave significant traces which lead to their detection, or directly attack companies which have detection and countermeasures already in place, or in recent cases, leave automatic crash reporting turned on.[11][12]

26.2 See also

• Black hat hacker
• Exploit (computer security)
• Hacker (computer security)
• Lamer
• List of convicted computer criminals

26.3 References

[1] Leyden, John (February 21, 2001). “Virus toolkits are s’kiddie menace”. The Register.

[2] “Script bunny - definition”. SpywareGuide.com.

[3] Baldwin, Clare; Christie, Jim (July 9, 2009). “Cyber attacks may not have come from North Korea”. San Francisco; Reuters.com.

[4] Lemos, Robert (July 12, 2000). “Script kiddies: The Net’s cybergangs”. ZDNet. Retrieved 2007-04-24.

[5] Mead, Nancy R.; Hough, Eric D.; Stehney, Theodore R. III (May 16, 2006). “Security Quality Requirements Engineering () Methodology CMU/SEI-2005-TR-009” (PDF). Carnegie Mellon University, DOD. CERT.org.

[6] Klevinsky, T. J.; Laliberte, Scott; Gupta, Ajay (2002). Hack I.T.: security through penetration testing. Addison-Wesley. ISBN 978-0-201-71956-7.

[7] Granneman, Scott (January 28, 2004). “A Visit from the FBI - We come in peace”. The Register.


[8] Biancuzzi, Federico (March 27, 2007). “Metasploit 3.0 day”. SecurityFocus.com.

[9] Rodriguez, Chris; Martinez, Richard (September 2, 2012). “The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security” (PDF). Frost & Sullivan. Retrieved November 30, 2013.

[10] Zax, David (September 22, 2010). “IT Security Firm: Fear Students”. Fast Company.

[11] Taylor, Josh (August 26, 2010). “Hackers accidentally give Microsoft their code”. ZDNet.com.au.

[12] Ms. Smith (August 28, 2010). “Error Reporting Oops: Microsoft, Meter Maids and Malicious Code”. Privacy and Security Fanatic. Network World.

26.4 Further reading

• Tapeworm (2005). 1337 h4x0r h4ndb00k. Sams Publishing. ISBN 0-672-32727-9.

26.5 External links

• Honeynet.org - Know Your Enemy (Essay about script kiddies)

Chapter 27

Spyware

Spyware is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent, or that asserts control over a computer without the consumer’s knowledge.[1]

“Spyware” is mostly classified into four types: system monitors, trojans, adware, and tracking cookies.[2] Spyware is mostly used for the purposes of tracking and storing Internet users’ movements on the Web and serving up pop-up ads to Internet users.

Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.

While the term spyware suggests software that monitors a user’s computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, unauthorized changes in browser settings, or changes to software settings.

Sometimes, spyware is included along with genuine software, and may come from a malicious website. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices, especially for computers running Microsoft Windows. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user’s computer.

In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically a trojan horse software used to intercept communications from the target computer. Some countries like Switzerland and Germany have a legal framework governing the use of such software.[3][4] In the US, the term policeware has been used for similar purposes.[5]

27.1 Routes of infection

[Figure: Malicious websites attempt to install spyware on readers’ computers.]

Spyware does not necessarily spread in the same way as a virus or worm because infected systems generally do not attempt to transmit or copy the software to other computers. Instead, spyware installs itself on a system by deceiving the user or by exploiting software vulnerabilities.

Most spyware is installed without users’ knowledge, or by using deceptive tactics. Spyware may try to deceive users by bundling itself with desirable software. Another common tactic is the use of a Trojan horse. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it a frequent target. Its deep integration with the Windows environment makes it susceptible to attack into the Windows operating system. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser’s behavior to add toolbars or to redirect traffic.
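One way to audit the Browser Helper Object attachment point mentioned above, as an added example that is not part of the original text. It assumes a registry export (.reg, version 5.00) already decoded to text; the CLSIDs, DLL paths and allowlist are constructed placeholders.

```python
import re

# Registry location where Internet Explorer looks up Browser Helper Objects.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Browser Helper Objects")

# Constructed sample export; every CLSID and path below is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="Example PDF Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example PDF\\pdfhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\srchbar.dll"
"""

# Constructed allowlist of BHOs the administrator expects to see.
ALLOWLIST = ["{11111111-1111-1111-1111-111111111111}"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # dword:/hex: data is kept as written


def parse_reg_export(text):
    """Map each key path (upper-cased) to its values; '@' is the default value.

    Multi-line hex continuations are ignored, which is enough for this audit.
    """
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1).upper(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            current[name] = _unquote(m.group(2))
    return reg


def list_bhos(reg):
    """Return (CLSID, DLL path or None) for every registered BHO."""
    prefix = BHO_KEY.upper() + "\\"
    bhos = []
    for key in reg:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:  # a sub-key below a BHO entry, not a BHO itself
            continue
        server = reg.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\INPROCSERVER32", {})
        bhos.append((clsid, server.get("@")))
    return bhos


def unexpected_bhos(reg, allowlist):
    """BHOs whose CLSID is not on the allowlist, with the DLL each one loads."""
    allowed = {c.upper() for c in allowlist}
    return [(clsid, dll) for clsid, dll in list_bhos(reg) if clsid not in allowed]


if __name__ == "__main__":
    for clsid, dll in unexpected_bhos(parse_reg_export(SAMPLE_EXPORT), ALLOWLIST):
        print(clsid, "->", dll or "<no InprocServer32 entry in export>")
```

A BHO with no resolvable DLL is reported too, since a dangling or partially exported registration is itself worth a second look.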


27.2 Effects and behaviors 27.3 Remedies and prevention

See also: Virus removal

As the spyware threat has worsened, a number of tech- niques have emerged to counteract it. These include pro- grams designed to remove or block spyware, as well as various user practices which reduce the chance of getting A spyware program is rarely alone on a computer: an af- spyware on a system. fected machine usually has multiple infections. Users fre- quently notice unwanted behavior and degradation of sys- Nonetheless, spyware remains a costly problem. When a tem performance. A spyware infestation can create sig- large number of pieces of spyware have infected a Win- nificant unwanted CPU activity, disk usage, and network dows computer, the only remedy may involve backing up traffic. Stability issues, such as applications freezing, user data, and fully reinstalling the operating system. For failure to boot, and system-wide crashes are also com- instance, some spyware cannot be completely removed by mon. Spyware, which interferes with networking soft- Symantec, Microsoft, PC Tools. ware, commonly causes difficulty connecting to the In- ternet. 27.3.1 Anti-spyware programs In some infections, the spyware is not even evident. Users assume in those situations that the performance issues re- See also: Category:Spyware removal late to faulty hardware, Windows installation problems, or another infection. Some owners of badly infected sys- Many programmers and some commercial firms have re- tems resort to contacting technical support experts, or leased products dedicated to remove or block spyware. even buying a new computer because the existing system Programs such as PC Tools’ Spyware Doctor, ’s “has become too slow”. Badly infected systems may re- Ad-Aware SE and Patrick Kolla’s Spybot - Search & De- quire a clean reinstallation of all their software in order stroy rapidly gained popularity as tools to remove, and in to return to full functionality. some cases intercept, spyware programs. 
On December Moreover, some types of spyware disable software 16, 2004, Microsoft acquired the GIANT AntiSpyware firewalls and anti-virus software, and/or reduce browser software,[7] rebranding it as Windows AntiSpyware beta security settings, which further open the system to fur- and releasing it as a free download for Genuine Windows ther opportunistic infections. Some spyware disables XP and Windows 2003 users. (In 2006 it was renamed or even removes competing spyware programs, on the Windows Defender). grounds that more spyware-related annoyances make it Major anti-virus firms such as Symantec, PC Tools, even more likely that users will take action to remove the McAfee and Sophos have also added anti-spyware fea- programs.[6] tures to their existing anti-virus products. Early on, Keyloggers are sometimes part of malware packages anti-virus firms expressed reluctance to add anti-spyware downloaded onto computers without the owners’ knowl- functions, citing lawsuits brought by spyware authors edge. Some keyloggers software is freely available on against the authors of web sites and programs which de- the internet while others are commercial or private ap- scribed their products as “spyware”. However, recent plications. Most keyloggers allow not only keyboard versions of these major firms’ home and business anti- keystrokes to be captured but also are often capable of virus products do include anti-spyware functions, albeit collecting screen captures from the computer. treated differently from viruses. Symantec Anti-Virus, A typical Windows user has administrative privileges, for instance, categorizes spyware programs as “extended mostly for convenience. Because of this, any program threats” and now offers real-time protection against these the user runs has unrestricted access to the system. As threats. 
with other operating systems, Windows users are able to follow the principle of least privilege and use non- 27.3.2 How anti-spyware software works administrator accounts. Alternatively, they can also re- duce the privileges of specific vulnerable Internet-facing Anti-spyware programs can combat spyware in two ways: processes such as Internet Explorer.

Since Windows Vista, by default, a computer administra- 1. They can provide real-time protection in a manner tor runs everything under limited user privileges. When similar to that of anti-virus protection: they scan all a program requires administrative privileges, a User Ac- incoming network data for spyware and blocks any count Control pop-up will prompt the user to allow or threats it detects. deny the action. This improves on the design used by previous versions of Windows. 2. Anti-spyware software programs can be used solely 134 CHAPTER 27. SPYWARE

for detection and removal of spyware software that has already been installed into the computer. This kind of anti-spyware can often be set to scan on a regular schedule.

Such programs inspect the contents of the Windows registry, operating system files, and installed programs, and remove files and entries which match a list of known spyware. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software’s SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based spyware.

Like most anti-virus software, many anti-spyware/adware tools require a frequently updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, adding to the list of known spyware, which allows the software to detect and remove new spyware. As a result, anti-spyware software is of limited usefulness without regular updates. Updates may be installed automatically or manually.

A popular generic spyware removal tool that requires a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate Windows files/registry entries, it is advised for those who are less knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let the experts decide what to delete.

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree may also work.

27.3.3 Security practices

To detect spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many users have installed a web browser other than Internet Explorer, such as Mozilla Firefox or Google Chrome. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.

Some ISPs—particularly colleges and universities—have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.[8] Many other educational institutions have taken similar steps.

Individual users can also install firewalls from a variety of companies. These monitor the flow of information going to and from a networked computer and provide protection against spyware and malware. Some users install a large hosts file which prevents the user’s computer from connecting to known spyware-related web addresses. Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack.[9]

27.4 Comparison of spyware, adware, and viruses

27.4.1 Spyware, adware and trackers

The term adware frequently refers to software that displays advertisements. An example is the Eudora email client, which displays advertisements as an alternative to shareware registration fees. However, these are not considered spyware.

Other spyware behavior, such as reporting websites the user visits, occurs in the background. The data is used for “targeted” advertisement impressions. The prevalence of spyware has cast suspicion on other programs that track Web browsing, even for statistical or research purposes.

Many of these adware-distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be considered malicious in nature.

27.4.2 Spyware, viruses and worms

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware—by design—exploits infected computers for commercial gain. Typical tactics include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites.

27.4.3 “Stealware” and affiliate fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware",
and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator’s affiliate tag on the user’s activity — replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks’ reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an “affiliate” who is not party to a contract.[10] Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale. Mobile devices can also be vulnerable to chargeware, which manipulates users into illegitimate mobile charges.

27.4.4 Identity theft and fraud

In one case, spyware has been closely associated with identity theft.[11] In August 2005, researchers from security software firm Sunbelt Software suspected the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.";[12] however it turned out that “it actually (was) its own sophisticated criminal little trojan that’s independent of CWS.”[13] This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.[14]

27.4.5 Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology.[15] Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit,[16] and three separate class-action suits were filed.[17] Sony BMG later provided a workaround on its website to help users remove it.[18]

Beginning on 25 April 2006, Microsoft’s Windows Genuine Advantage Notifications application[19] was installed on most Windows PCs as a “critical security update”. While the main purpose of this deliberately uninstallable application is to ensure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.[20][21] It can be removed with the RemoveWGA tool.

27.4.6 Personal relationships

Spyware has been used to monitor electronic activities of partners in intimate relationships. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner’s online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.[22]

27.4.7 Browser cookies

Anti-spyware programs often report Web advertisers’ HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.[23]

27.4.8 Examples

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into “families” based not on shared program code, but on common behaviors, or by “following the money” of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately.

• CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer’s hosts file to direct DNS lookups to these sites.[24]

• FinFisher, sometimes called FinSpy, is a high-end surveillance suite sold to law enforcement and intelligence agencies. Support services such as training and technology updates are part of the package.[25]

• HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at
affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[26][27]

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[28]

• Spyware such as Look2Me hides inside system-critical processes and starts up even in safe mode. With no process to terminate they are harder to detect and remove, which is a combination of both spyware and a rootkit. Rootkit technology is also seeing increasing use,[29] as newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them.

• Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General’s Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[30][31] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having “engaged in a nationwide scheme to use deception and coercion to extract payments from consumers.”[32]

• WeatherStudio has a plugin that displays a window-panel near the bottom of a browser window. The official website notes that it is easy to remove (uninstall) WeatherStudio from a computer, using its own uninstall-program, such as under C:\Program Files\WeatherStudio. Once WeatherStudio is removed, a browser returns to the prior display appearance, without the need to modify the browser settings.

• Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies (as seen in their [Zango End User License Agreement]).[10]

• , or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to Control Server. Some information can be the search-history, the Websites visited, and even keystrokes. More recently, Zlob has been known to hijack routers set to defaults.[33]

27.5 History and development

The first recorded use of the term spyware occurred on 16 October 1995 in a Usenet post that poked fun at Microsoft's business model.[34] Spyware at first denoted software meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.[35] Later in 2000, a parent using ZoneAlarm was alerted to the fact that “Reader ,” educational software marketed to children by the Mattel toy company, was surreptitiously sending data back to Mattel.[36] Since then, “spyware” has taken on its present sense.

According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users’ computers were infected with some form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.[37] As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE is the most widely used,[38] but because its tight integration with Windows allows spyware access to crucial parts of the operating system.[38][39]

Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user ignorance about these changes, and the assumption by Internet Explorer that all ActiveX components are benign, helped to spread spyware significantly. Many spyware components would also make use of exploits in JavaScript, Internet Explorer and Windows to install without user knowledge or permission.

The Windows Registry contains multiple sections where modification of key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location
in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted, even if some (or most) of the registry links are removed.

27.6 Programs distributed with spyware

• Kazaa[40]
• Morpheus[41]
• WeatherBug[42]
• WildTangent[43][44]

27.6.1 Programs formerly distributed with spyware

• AOL Instant Messenger[43] (AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent)
• DivX[45]
• FlashGet[46][47][48][49][50][51]
• magicJack[52]

27.7 Rogue anti-spyware programs

See also: List of rogue security software, List of fake anti-spyware programs and Rogue software

Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads can warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or else, may add more spyware of their own.[53][54]

The recent proliferation of fake or spoofed antivirus products that bill themselves as antispyware can be troublesome. Users may receive popups prompting them to install them to protect their computer, when it will in fact add spyware. This software is called rogue software. It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include:

• AntiVirus 360
• Antivirus 2009
• AntiVirus Gold
• ContraVirus
• MacSweeper
• Pest Trap
• PSGuard
• Spy Wiper
• Spydawn
• Spylocked
• Spysheriff
• SpyShredder
• Spyware Quake
• SpywareStrike
• UltimateCleaner
• WinAntiVirus Pro 2006
• Windows Police Pro
• WinFixer[55]
• WorldAntiSpy

Fake antivirus products constitute 15 percent of all malware.[56]

On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.[57]

27.8 Legal issues

27.8.1 Criminal law

Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other countries. Since owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.[58][59]

Spyware producers argue that, contrary to the users’ claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore
these purported contracts, but spyware companies such as Claria say these demonstrate that users have consented.

Despite the ubiquity of EULA agreements, under which a single click can be taken as consent to the entire text, relatively little caselaw has resulted from their use. It has been established in most common law jurisdictions that this type of agreement can be a binding contract in certain circumstances.[60] This does not, however, mean that every such agreement is a contract, or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa[61] and Washington,[62] have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.[63]

27.8.2 Administrative sanctions

US FTC actions

The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine"[64] to make them stop infecting consumers’ PCs with spyware. In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic’s clients, exposed the PCs to security risks, and caused them to malfunction. Seismic then offered to sell the victims an “antispyware” program to fix the computers, and stop the popups and other problems that Seismic had caused. On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent.[65]

In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold “RemoteSpy” keylogger spyware to clients who would then secretly monitor unsuspecting consumers’ computers. According to the FTC, Cyberspy touted RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” The FTC has obtained a temporary order prohibiting the defendants from selling the software and disconnecting from the Internet any of their servers that collect, store, or provide access to information that this software has gathered. The case is still in its preliminary stages. A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC’s attention.[66]

Netherlands OPTA

An administrative fine, the first of its kind in Europe, has been issued by the Independent Authority of Posts and Telecommunications (OPTA) from the Netherlands. It applied fines in total value of Euro 1,000,000 for infecting 22 million computers. The spyware concerned is called DollarRevenue. The law articles that have been violated are art. 4.1 of the Decision on universal service providers and on the interests of end users; the fines have been issued based on art. 15.4 taken together with art. 15.10 of the Dutch telecommunications law.[67]

27.8.3 Civil law

Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[68] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5 million and to stop distributing spyware.[69]

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.

Courts have not yet had to decide whether advertisers can be held liable for spyware that displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of “impressions” or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.[70]

27.8.4 Libel suits by spyware developers

Litigation has gone both ways. Since “spyware” has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as “spyware”.[71] PC Pitstop settled, agreeing not to use the word “spyware”, but continues to describe harm caused by the Gator/Claria software.[72] As a result, other anti-spyware and anti-virus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.

27.8.5 WebcamGate

Main article: Robbins v. Lower Merion School District

In the 2010 WebcamGate case, plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, and therefore infringed on their privacy rights. The school loaded each student’s computer with LANrev’s remote activation tracking software. This included the now-discontinued “TheftTrack”. While TheftTrack was not enabled by default on the software, the program allowed the school district to elect to activate it, and to choose which of the TheftTrack surveillance options the school wanted to enable.[73]

TheftTrack allowed school district employees to secretly remotely activate a tiny webcam embedded in the student’s laptop, above the laptop’s screen. That allowed school officials to secretly take photos through the webcam, of whatever was in front of it and in its line of sight, and send the photos to the school’s server. The LANrev software disabled the webcams for all other uses (e.g., students were unable to use Photo Booth or video chat), so most students mistakenly believed their webcams did not work at all. In addition to webcam surveillance, TheftTrack allowed school officials to take screenshots, and send them to the school’s server. In addition, LANrev allowed school officials to take snapshots of instant messages, web browsing, music playlists, and written compositions. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[73][74][75]

27.9 See also

• Cyber spying
• Employee monitoring software
• Industrial espionage
• Malware
• Spy-phishing

27.10 References

[1] FTC Report (2005). ""

[2] SPYWARE ""

[3] Basil Cupa, Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware), LISS 2013, pp. 419-428

[4] FAQ – Häufig gestellte Fragen

[5] Jeremy Reimer (20 July 2007). “The tricky issue of spyware with a badge: meet 'policeware'”. Ars Technica.

[6] Edelman, Ben; December 7, 2004 (updated February 8, 2005); Direct Revenue Deletes Competitors from Users’ Disks; benedelman.com. Retrieved November 28, 2006.

[7] "http://www.microsoft.com/presspass/press/2004/dec04/12-16GIANTPR.mspx"

[8] Schuster, Steve. “Blocking Marketscore: Why Cornell Did It”. Archived from the original on February 14, 2007. Cornell University, Office of Information Technologies. March 31, 2005.

[9] Vincentas (11 July 2013). “Information About Spyware in SpyWareLoop.com”. Spyware Loop. Retrieved 27 July 2013.

[10] Edelman, Ben (2004). "The Effect of 180solutions on Affiliate Commissions and Merchants". Benedelman.org. Retrieved November 14, 2006.

[11] Ecker, Clint (2005). Massive spyware-based identity theft ring uncovered. Ars Technica, August 5, 2005.

[12] Eckelberry, Alex. “Massive identity theft ring”, SunbeltBLOG, August 4, 2005.

[13] Eckelberry, Alex. “Identity Theft? What to do?”, SunbeltBLOG, August 8, 2005.

[14] FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers. Federal Trade Commission, September 3, 2003.

[15] Russinovich, Mark. “Sony, Rootkits and Digital Rights Management Gone Too Far”, Mark’s Blog, October 31, 2005. Retrieved November 22, 2006.

[16] Press release from the Texas Attorney General’s office, November 21, 2005; Attorney General Abbott Brings First Enforcement Action In Nation Against Sony BMG For Spyware Violations. Retrieved November 28, 2006.

[17] “Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software”, BBC News, November 10, 2005. Retrieved November 22, 2006.

[18] Information About XCP Protected CDs. Retrieved November 29, 2006.

[19] Microsoft.com – Description of the Windows Genuine Advantage Notifications application. Retrieved June 13, 2006.

[20] Weinstein, Lauren. Windows XP update may be classified as 'spyware', Lauren Weinstein’s Blog, June 5, 2006. Retrieved June 13, 2006.

[21] Evers, Joris. Microsoft’s antipiracy tool phones home daily, CNET, June 7, 2006. Retrieved August 31, 2014.

[22] “Creator and Four Users of Loverspy Spyware Program Indicted”. Department Of Justice. August 26, 2005. Retrieved 21 November 2014.

[23] “Tracking Cookie”. Symantec. Retrieved 2013-04-28.

[24] “CoolWebSearch”. Parasite information database. Archived from the original on January 6, 2006. Retrieved September 4, 2008.

[25] Nicole Perlroth (August 30, 2012). “Software Meant to Fight Crime Is Used to Spy on Dissidents”. The New York Times. Retrieved August 31, 2012.

[26] “CA Spyware Information Center – HuntBar”. .ca.com. Retrieved September 11, 2010.

[27] “What is Huntbar or Search Toolbar?”. Pchell.com. Retrieved September 11, 2010.

[28] “InternetOptimizer”. Parasite information database. Archived from the original on January 6, 2006. Retrieved September 4, 2008.

[29] Roberts, Paul F. "Spyware meets Rootkit Stealth". eweek.com. June 20, 2005.

[30] “FTC, Washington Attorney General Sue to Halt Unfair Movieland Downloads”. Federal Trade Commission. August 15, 2006.

[31] “Attorney General McKenna Sues Movieland.com and Associates for Spyware”. Washington State Office of the Attorney General. August 14, 2006.

[32] “Complaint for Permanent Injunction and Other Equitable Relief (PDF, 25 pages)” (PDF). Federal Trade Commission. August 8, 2006.

[33] PCMAG, New Malware changes router settings, PC Magazine, June 13, 2008.

[34] Vossen, Roland (attributed); October 21, 1995; Win 95 Source code in c!! posted to rec..programmer; retrieved from groups.google.com November 28, 2006.

[35] Wienbar, Sharon. "The Spyware Inferno". News.com. August 13, 2004.

[36] Hawkins, Dana; "Privacy Worries Arise Over Spyware in Kids’ Software". U.S. News & World Report. June 25, 2000

[37] "AOL/NCSA Online Safety Study". America Online & The National Cyber Security Alliance. 2005.

[38] Spanbauer, Scott. "Is It Time to Ditch IE?". Pcworld.com. September 1, 2004

[39] Keizer, Gregg. "Analyzing IE At 10: Integration With OS Smart Or Not?". TechWeb Technology News. August 25, 2005.

[40] Edelman, Ben (2004). "Claria License Agreement Is Fifty Six Pages Long". Retrieved July 27, 2005.

[41] Edelman, Ben (2005). "Comparison of Unwanted Software Installed by P2P Programs". Retrieved July 27, 2005.

[42] “WeatherBug”. Parasite information database. Archived from the original on February 6, 2005. Retrieved September 4, 2008.

[43] “Adware.WildTangent”. Sunbelt Malware Research Labs. June 12, 2008. Retrieved September 4, 2008.

[44] “Winpipe”. Sunbelt Malware Research Labs. June 12, 2008. Retrieved September 4, 2008. It is possible that this spyware is distributed with the adware bundler WildTangent or from a threat included in that bundler.

[45] "How Did I Get Gator?". PC Pitstop. Retrieved July 27, 2005.

[46] "eTrust Spyware Encyclopedia – FlashGet". Computer Associates. Retrieved July 27, 2005.

[47] “Jotti’s malware scan of FlashGet 3”. Virusscan.jotti.org. Retrieved September 11, 2010.

[48] VirusTotal scan of FlashGet 3.

[49] “Jotti’s malware scan of FlashGet 1.96”. Virusscan.jotti.org. Retrieved September 11, 2010.

[50] VirusTotal scan of FlashGet 1.96.

[51] Some caution is required since FlashGet 3 EULA makes mention of Third Party Software, but does not name any third party producer of software. However, a scan with SpyBot Search & Destroy, performed on November 20, 2009 after installing FlashGet 3 did not show any malware on an already anti-spyware immunized system (by SpyBot and SpywareBlaster).

[52] “Gadgets boingboing.net, ''MagicJack’s EULA says it will spy on you and force you into arbitration''”. Gadgets.boingboing.net. April 14, 2008. Retrieved September 11, 2010.

[53] Roberts, Paul F. (May 26, 2005). “Spyware-Removal Program Tagged as a Trap”. eWeek. Retrieved September 4, 2008.

[54] Howes, Eric L. "The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites". Retrieved July 10, 2005.

[55] Also known as WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, Windows Police Pro, Performance Optimizer, StorageProtector, PrivacyProtector, WinReanimator, DriveCleaner, WinspywareProtect, PCTurboPro, FreePCSecure, ErrorProtector, SysProtect, WinSoftware, XPAntivirus, Personal Antivirus, Home Antivirus 20xx, VirusDoctor, and ECsecure

[56] Elinor Mills (April 27, 2010). “Google: Fake antivirus is 15 percent of all malware”. CNET. Retrieved 2011-11-05.

[57] McMillan, Robert. Antispyware Company Sued Under Spyware Law. PC World, January 26, 2006.

[58] "Lawsuit filed against 180solutions". zdnet.com September 13, 2005

[59] Hu, Jim. "180solutions sues allies over adware". news.com July 28, 2004

[60] Coollawyer; 2001–2006; Privacy Policies, Terms and Conditions, Website Contracts, Website Agreements; coollawyer.com. Retrieved November 28, 2006.

[61] "CHAPTER 715 Computer Spyware and Malware Protection". nxtsearch.legis.state.ia.us. Retrieved May 11, 2011.

[62] Chapter 19.270 RCW: Computer spyware. apps.leg.wa.gov. Retrieved November 14, 2006.

[63] Gross, Grant. US lawmakers introduce I-Spy bill. InfoWorld, March 16, 2007. Retrieved March 24, 2007.

[64] See Federal Trade Commission v. Sperry & Hutchinson Trading Stamp Co.

[65] FTC Permanently Halts Unlawful Spyware Operations (FTC press release with links to supporting documents; archived copy); see also FTC cracks down on spyware and PC hijacking, but not true lies, Micro Law, IEEE MICRO (Jan.-Feb. 2005), also available at IEEE Xplore.

[66] See Court Orders Halt to Sale of Spyware (FTC press release Nov. 17, 2008, with links to supporting documents).

[67] OPTA, “Besluit van het college van de Onafhankelijke Post en Telecommunicatie Autoriteit op grond van artikel 15.4 juncto artikel 15.10 van de Telecommunicatiewet tot oplegging van boetes ter zake van overtredingen van het gestelde bij of krachtens de Telecommunicatiewet” from 5 November 2007, http://opta.nl/download/202311+boete+verspreiding+ongewenste+software.pdf

[68] “State Sues Major “Spyware” Distributor” (Press release). Office of New York State Attorney General. April 28, 2005. Retrieved September 4, 2008. Attorney General Spitzer today sued one of the nation’s leading internet marketing companies, alleging that the firm was the source of “spyware” and “adware” that has been secretly installed on millions of home computers.

[69] Gormley, Michael. “Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general”. Yahoo! News. June 15, 2005. Archived from the original on June 22, 2005.

[70] Gormley, Michael (June 25, 2005). “Major advertisers caught in spyware net”. USA Today. Retrieved September 4, 2008.

[71] Festa, Paul. "See you later, anti-Gators?". News.com. October 22, 2003.

[72] "Gator Information Center". pcpitstop.com November 14, 2005.

[73] “Initial LANrev System Findings”, LMSD Redacted Forensic Analysis, L-3 Services – prepared for Ballard Spahr (LMSD’s counsel), May 2010. Retrieved August 15, 2010.

[74] Doug Stanglin (February 18, 2010). “School district accused of spying on kids via laptop webcams”. USA Today. Retrieved February 19, 2010.

[75] “Suit: Schools Spied on Students Via Webcam”. CBS NEWS. March 8, 2010.

27.11 External links

• Home Computer Security - Carnegie Mellon Software Institute
• OnGuard Online.gov – How to Secure Your Computer
• What Is Spyware?

27.12 Categories

Chapter 28

Timeline of computer security hacker history

Timeline of computer security hacker history. Hacking and system cracking appeared with the first electronic computers. Below are some important events in the history of hacking and cracking.

28.1 1903

• Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium’s projector.[1]

28.2 1930s

28.2.1 1932

• Polish cryptologists Marian Rejewski, Henryk Zygalski and Jerzy Różycki broke the code.

28.2.2 1939

• Alan Turing, Gordon Welchman and Harold Keen worked together to develop the Bombe (on the basis of Rejewski’s works on Bomba). The Enigma machine's use of a reliably small key space makes it vulnerable to brute force and thus a violation of CWE-326.

28.2.3 1943

• French computer expert René Carmille hacked the punched card used by the Nazis to locate Jews.

28.3 1960s

28.3.1 1965

• William D. Mathews from MIT found a vulnerability in a Multics CTSS running on an IBM 7094. The standard text editor on the system was designed to be used by one user at a time, working in one directory, and so created a temporary file with a constant name for all instantiations of the editor. The flaw was discovered when two system programmers were editing at the same time and the temporary files for the message-of-the-day and the password file became swapped, causing the contents of the system CTSS password file to display to any user logging into the system.[2][3]

28.4 1970s

28.4.1 1971

• John T. Draper (later nicknamed Captain Crunch), his friend Joe Engressia, and blue box phone phreaking hit the news with an Esquire Magazine feature story.[4]

28.5 1980s

28.5.1 1981

• Chaos Computer Club forms in Germany.

• The Warelords forms in The United States, founded by Black Bart (cracker of Dung Beetles in 1982) in St. Louis, Missouri, and was composed of many teenage hackers, phreakers, coders, and largely black hat-style underground computer geeks. One of the more notable group members was Tennessee Tuxedo, a young man who was instrumental with developing conference calls via the use of trunk line phreaking via the use of the Novation Apple Cat II that allowed them to share their
current hacks, phreaking codes, and new software releases. Other notable members were The Apple Bandit, Krakowicz, Krac-man, and The Codesmith, who ran the BBS The Trading Post for the group. Black Bart was clever at using his nationally known and very popular BBS system in order to promote the latest gaming software. He used that relationship to his advantage, often shipping the original pre-released software to his most trusted code crackers during the beta-testing phase, weeks prior to their public release. The Warelords often collaborated with other piracy groups at the time, such as The Syndicate and The Midwest Pirates Guild, and developed an international ring of involved piracy groups that reached as far away as Japan. Long before the movie WarGames went into pre-production, The Warelords had successfully infiltrated such corporations and institutions as the White House, Southwestern Bell “Ma Bell” Mainframe Systems, and large corporate providers of voice mail systems.

• Captain Zap: Ian Murphy, known to his friends as Captain Zap, was the first cracker to be tried and convicted as a felon. Murphy broke into AT&T’s computers in 1981 and changed the internal clocks that metered billing rates. People were getting late-night discount rates when they called at midday. Of course, the bargain-seekers who waited until midnight to call long distance were hit with high bills.[5]

28.5.2 1983

• The 414s break into 60 computer systems at institutions ranging from the Los Alamos National Laboratory to Manhattan’s Memorial Sloan-Kettering Cancer Center.[6] The incident appeared as the cover story of Newsweek with the title “Beware: Hackers at play”, possibly the first mass-media use of the term hacker in the context of computer security.[7] As a result, the U.S. House of Representatives held hearings on computer security and passed several laws.

• The group KILOBAUD is formed in February, kicking off a series of other hacker groups which form soon after.

• The movie WarGames introduces the wider public to the phenomenon of hacking and creates a degree of mass paranoia of hackers and their supposed abilities to bring the world to a screeching halt by launching nuclear ICBMs.

• The U.S. House of Representatives begins hearings on computer security hacking.[8]

• In his Turing Award lecture, Ken Thompson mentions “hacking” and describes a security exploit that he calls a "Trojan horse".[9]

28.5.3 1984

• Someone calling himself Lex Luthor founds the Legion of Doom. Named after a Saturday morning cartoon, the LOD had the reputation of attracting “the best of the best”—until one of the most talented members called Phiber Optik feuded with Legion of Doomer Erik Bloodaxe and got 'tossed out of the clubhouse'. Phiber’s friends formed a rival group, the Masters of Deception.

• The Comprehensive Crime Control Act gives the Secret Service jurisdiction over computer fraud.

• Cult of the Dead Cow forms in Lubbock, Texas, and begins publishing its ezine.

• The hacker magazine 2600 begins regular publication, right when TAP was putting out its final issue. The editor of 2600, "Emmanuel Goldstein" (whose real name is Eric Corley), takes his handle from the leader of the resistance in George Orwell's 1984. The publication provides tips for would-be hackers and phone phreaks, as well as commentary on the hacker issues of the day. Today, copies of 2600 are sold at most large retail bookstores.

• The Chaos Communication Congress, the annual European hacker conference organized by the Chaos Computer Club, is held in Hamburg, Germany

• William Gibson's groundbreaking science fiction novel Neuromancer, about “Case”, a futuristic computer hacker, is published. Considered the first major cyberpunk novel, it brought into hacker jargon such terms as "cyberspace", “the matrix”, “simstim”, and "ICE".

28.5.4 1985

• KILOBAUD is re-organized into The P.H.I.R.M., and begins sysopping hundreds of BBSs throughout the United States, Canada, and Europe.

• The online 'zine Phrack is established.

• The Hacker’s Handbook is published in the UK.

• The FBI, Secret Service, Middlesex County NJ Prosecutor’s Office and various local law enforcement agencies execute seven search warrants concurrently across New Jersey on July 12, 1985, seizing equipment from BBS operators and users alike for “complicity in computer theft”,[10] under a newly passed, and yet untested criminal statute.[11] This is famously known as the Private Sector Bust,[12] or
the 2600 BBS Seizure,[13] and implicated the Private Sector BBS sysop, Store Manager (also a BBS sysop), Beowulf, Red Barchetta, The Vampire, the NJ Hack Shack BBS sysop, and the Treasure Chest BBS sysop.

28.5.5 1986

• After more and more break-ins to government and corporate computers, Congress passes the Computer Fraud and Abuse Act, which makes it a crime to break into computer systems. The law, however, does not cover juveniles.

• Robert Schifreen and Stephen Gold are convicted of accessing the Telecom Gold account belonging to the Duke of Edinburgh under the Forgery and Counterfeiting Act 1981 in the United Kingdom, the first conviction for illegally accessing a computer system. On appeal, the conviction is overturned as hacking is not within the legal definition of forgery.[14]

• Arrest of a hacker who calls himself The Mentor. He published a now-famous treatise shortly after his arrest that came to be known as the Hacker’s Manifesto in the e-zine Phrack. This still serves as the most famous piece of hacker literature and is frequently used to illustrate the mindset of hackers.

• Astronomer Clifford Stoll plays a pivotal role in tracking down hacker Markus Hess, events later covered in Stoll’s 1990 book The Cuckoo’s Egg.[15]

28.5.6 1987

• Decoder magazine begins in Italy.

• The Christmas Tree EXEC “worm” causes major disruption to the VNET, BITNET and EARN networks.[16]

28.5.7 1988

• The Morris Worm. Graduate student Robert T. Morris, Jr. of Cornell University launches a worm on the government’s ARPAnet (precursor to the Internet).[17][18] The worm spreads to 6,000 networked computers, clogging government and university systems. Morris is dismissed from Cornell, sentenced to three years probation, and fined $10,000.

• First National Bank of Chicago is the victim of $70-million computer theft.

• The Computer Emergency Response Team (CERT) is created by DARPA to address network security.

• The Father Christmas (computer worm) spreads over DECnet networks.

28.5.8 1989

• Jude Milhon (aka St Jude) and R. U. Sirius launch Mondo 2000, a major '90s tech-lifestyle magazine, in Berkeley, California.

• The politically motivated WANK worm spreads over DECnet.

• Dutch magazine Hack-Tic begins.

• The Cuckoo’s Egg by Clifford Stoll is published.

28.6 1990s

28.6.1 1990

• Operation Sundevil introduced. After a prolonged sting investigation, Secret Service agents swoop down on organizers and prominent members of BBSs in 14 U.S. cities including the Legion of Doom, conducting early-morning raids and arrests. The arrests involve and are aimed at cracking down on credit-card theft and telephone and wire fraud. The result is a breakdown in the hacking community, with members informing on each other in exchange for immunity. The offices of Steve Jackson Games are also raided, and the role-playing sourcebook GURPS Cyberpunk is confiscated, possibly because the government fears it is a “handbook for computer crime”. Legal battles arise that prompt the formation of the Electronic Frontier Foundation, including the trial of Knight Lightning.

• Australian federal police tracking Realm members Phoenix, Electron and Nom are the first in the world to use a remote data intercept to gain evidence for a computer crime prosecution.[19]

• The Computer Misuse Act 1990 is passed in the United Kingdom, criminalising any unauthorised access to computer systems.

28.6.2 1992

• Release of the movie Sneakers, in which security experts are blackmailed into stealing a universal decoder for encryption systems.

• MindVox opens to the public.

• Bulgarian virus writer wrote 1260, the first known use of polymorphic code, used to circumvent the type of pattern recognition used by Anti-virus software, and nowadays also intrusion detection systems.

• Publication of a hacking instruction manual for penetrating TRW credit reporting agency by Infinite Possibilities Society (IPS) gets Dr. Ripco, the sysop of Ripco BBS mentioned in the IPS manual, arrested by the US Secret Service.[20]

28.6.3 1993

• The first DEF CON hacking conference takes place in Las Vegas. The conference is meant to be a one-time party to say good-bye to BBSs (now replaced by the Web), but the gathering was so popular it became an annual event.

• AOL gives its users access to USENET, precipitating Eternal September.

28.6.4 1994

• Summer: Russian crackers siphon $10 million from Citibank and transfer the money to bank accounts around the world. Vladimir Levin, the 30-year-old ringleader, uses his work laptop after hours to transfer the funds to accounts in Finland and Israel. Levin stands trial in the United States and is sentenced to three years in prison. Authorities recover all but $400,000 of the stolen money.

• Hackers adapt to emergence of the World Wide Web quickly, moving all their how-to information and hacking programs from the old BBSs to new hacker Web sites.

• AOHell is released, a freeware application that allows a burgeoning community of unskilled script kiddies to wreak havoc on America Online. For days, hundreds of thousands of AOL users find their mailboxes flooded with multi-megabyte email bombs and their chat rooms disrupted with spam messages.

28.6.5 1995

• The movies The Net and Hackers are released.

• February 22: The FBI raids the “Phone Masters”.[21]

28.6.6 1996

• Hackers alter Web sites of the United States Department of Justice (August), the CIA (October), and the U.S. Air Force (December).

• Canadian hacker group, Brotherhood, breaks into the Canadian Broadcasting Corporation.

• The U.S. General Accounting Office reports that hackers attempted to break into Defense Department computer files some 250,000 times in 1995 alone. About 65 percent of the attempts were successful, according to the report.

• The MP3 format gains popularity in the hacker world. Many hackers begin setting up sharing sites via FTP, Hotline, IRC and Usenet.

28.6.7 1997

• A 15-year-old Croatian youth penetrates computers at a U.S. Air Force base in Guam.[22]

• June: Eligible Receiver 97 tests the American government’s readiness against cyberattacks.

• December: Information Security publishes first issue.

• First high-profile attacks on Microsoft’s Windows NT operating system

• In response to the MP3 popularity, the Recording Industry Association of America begins cracking down on FTPs. The RIAA begins a campaign of lawsuits shutting down many of the owners of these sites including the more popular ripper/distributors The Maxx (Germany, Age 14), Chapel976 (USA, Age 15), Bulletboy (UK, Age 16), Sn4rf (Canada, Age 14) and others in their young teens via their ISPs. Their houses are raided and their computers and modems are taken. The RIAA fails to cut off the head of the MP3 beast and within a year and a half, Napster is released.

28.6.8 1998

• January: Yahoo! notifies Internet users that anyone visiting its site in recent weeks might have downloaded a and worm planted by hackers claiming a “logic bomb” will go off if Kevin Mitnick is not released from prison.

• January: Anti-hacker runs during Super Bowl XXXII

• February: The Internet Software Consortium proposes the use of DNSSEC (domain-name system security extensions) to secure DNS servers.

• May 19: The seven members of the hacker think tank known as L0pht testify in front of the US congressional Government Affairs committee on “Weak Computer Security in Government”.

• June: Information Security publishes its first annual Industry Survey, finding that nearly three-quarters of organizations suffered a security incident in the previous year.

• October: "U.S. Attorney General Janet Reno announces National Infrastructure Protection Center.”

28.6.9 1999

• Software security goes mainstream In the of Microsoft’s Windows 98 release, 1999 becomes a banner year for security (and hacking). Hundreds of advisories and patches are released in response to newfound (and widely publicized) bugs in Windows and other commercial software products. A host of security software vendors release anti-hacking products for use on home computers.

• The Electronic Civil Disobedience project, an online political performance-art group, attacks calling it conceptual art and claiming it to be a protest against the U.S. support of the suppression of rebels in southern Mexico by the Mexican government. ECD uses the FloodNet software to bombard its opponents with access requests.

• U.S. President Bill Clinton announces a $1.46 billion initiative to improve government computer security. The plan would establish a network of intrusion detection monitors for certain federal agencies and encourage the private sector to do the same.

• January 7: an international coalition of hackers (including CULT OF THE DEAD COW, 2600's staff, Phrack's staff, L0pht, and the Chaos Computer Club) issued a joint statement condemning the LoU’s declaration of war. The LoU responded by withdrawing its declaration.

• A hacker interviewed by Hilly Rose during the Art Bell Coast-to-Coast Radio Show exposes a plot by Al-Qaida to derail Amtrak trains. This results in ALL trains being forcibly stopped over Y2K as a safety measure.

• March: The Melissa worm is released and quickly becomes the most costly malware outbreak to date.

• July: CULT OF THE DEAD COW releases Back Orifice 2000 at DEF CON

• August: Kevin Mitnick, “the most wanted man in cyberspace”, sentenced to 5 years, of which over 4 years had already been spent pre-trial including 8 months solitary confinement.

• September: Level Seven Crew hacks The US Embassy in ’s Website and places racist, anti-government slogans on embassy site in regards to 1998 U.S. embassy bombings.

• September 16: The United States Department of Justice sentences the “Phone Masters”.[23]

• October: American Express introduces the “Blue” smart card, the industry’s first chip-based credit card in the US.

28.7 2000s

28.7.1 2000

• May: The ILOVEYOU worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm written in VBScript. It infected millions of computers worldwide within a few hours of its release. It is considered to be one of the most damaging worms ever. It originated in the Philippines; made by an AMA Computer College student for his thesis.

• September: teenage hacker Jonathan James becomes first juvenile to serve jail time for hacking.

28.7.2 2001

• Microsoft becomes the prominent victim of a new type of hack that attacks the domain name server. In these denial-of-service attacks, the DNS paths that take users to Microsoft’s Web sites are corrupted.

• February: A Dutch cracker releases the Anna Kournikova virus, initiating a wave of viruses that tempts users to open the infected attachment by promising a sexy picture of the Russian tennis star.

• April: FBI agents trick two into coming to the U.S. and revealing how they were Hacking U.S. banks.

• May: Spurred by elevated tensions in Sino-American diplomatic relations, U.S. and Chinese hackers engage in skirmishes of Web defacements that many dub "The Sixth Cyberwar".

• July: Russian programmer Dmitry Sklyarov is arrested at the annual Def Con hacker convention. He is the first person criminally charged with violating the Digital Millennium Copyright Act (DMCA).

• August: worm, infects ts.

28.7.3 2002

• January: Bill Gates decrees that Microsoft will secure its products and services, and kicks off a massive internal training and quality control campaign.

• May: .H, a variant of the worm discovered in November 2001, becomes the biggest malware outbreak in terms of machines infected, but causes little monetary damage.

• June: The Bush administration files a bill to create the Department of Homeland Security, which, among other things, will be responsible for protecting the nation’s critical IT infrastructure.

• August: Researcher Chris Paget publishes a paper describing "shatter attacks", detailing how Windows’ unauthenticated messaging system can be used to take over a machine. The paper raises questions about how securable Windows could ever be. It is however largely derided as irrelevant as the vulnerabilities it described are caused by vulnerable applications (placing windows on the desktop with inappropriate privileges) rather than an inherent flaw within the Operating System.

• October: The International Information Systems Security Certification Consortium - (ISC)² - confers its 10,000th CISSP certification.

28.7.4 2003

• The hacktivist group Anonymous was formed

• March: CULT OF THE DEAD COW and Hacktivismo are given permission by the United States Department of Commerce to export software utilizing strong encryption.

• December 18: Milford Man pleads guilty to hacking.

28.7.5 2004

• March: Myron Tereshchuk is arrested for attempting to extort $17 million from Micropatent.

• July: North Korea claims to have trained 500 hackers who successfully crack South Korean, Japanese, and their allies’ computer systems.[24]

28.7.6 2005

• April 2: Rafael Núñez aka RaFa a notorious member of the hacking group is arrested following his arrival at Miami International Airport for breaking into the Defense Information Systems Agency computer system in June 2001.[25]

• September 13: Cameron Lacroix is sentenced to 11 months for gaining access to T-Mobile USA’s network and exploiting Paris Hilton’s Sidekick.[26]

• November 3: Jeanson James Ancheta, whom prosecutors say was a member of the “Botmaster Underground”, a group of script kiddies mostly noted for their excessive use of bot attacks and propagating vast amounts of spam, was taken into custody after being lured to FBI offices in Los Angeles.[27]

28.7.7 2006

• January: One of the few worms to take after the old form of malware, destruction of data rather than the accumulation of zombie networks to launch attacks from, is discovered. It had various names, including Kama Sutra (used by most media reports), Black Worm, Mywife, Blackmal, Nyxem version D, Kapser, KillAV, Grew and CME-24. The worm would spread through e-mail client address books, and would search for documents and fill them with garbage, instead of deleting them to confuse the user. It would also hit a web page counter when it took control, allowing the programmer who created it as well as the world to track the progress of the worm. It would replace documents with random garbage on the third of every month. It was hyped by the media but actually affected relatively few computers, and was not a real threat for most users.

• May: Jeanson James Ancheta receives a 57-month prison sentence, and is ordered to pay damages amounting to $15,000.00 to the Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, for damage done due to DDoS attacks and hacking. Ancheta also had to forfeit his gains to the government, which include $60,000 in cash, a BMW, and computer equipment.

• May: Largest Defacement in Web History, at that time, is performed by the Turkish hacker iSKORPiTX who successfully hacked 21,549 websites in one shot.

• July: Robert Moore and Edwin Pena featured on America's Most Wanted with Kevin Mitnick presenting their case commit the first VOIP crime ever seen in the USA. Robert Moore served 2 years in federal prison with a $152,000.00 restitution while Edwin Pena was sentenced to 10 years and a $1 million restitution.

• September: Viodentia releases FairUse4WM tool which would remove DRM information off WMA music downloaded from music services such as Yahoo Unlimited, Napster, Rhapsody Music and Urge.

28.7.8 2007

• May 17: Estonia recovers from massive denial-of-service attack[28]

• June 13: FBI Operation Bot Roast finds over 1 million botnet victims[29]

• June 21: A spear phishing incident at the Office of the Secretary of Defense steals sensitive U.S. defense information, leading to significant changes in identity and message-source verification at OSD.[30][31]

• August 11: United Nations website hacked by Turkish Hacker Kerem125[32]

• November 29: FBI Operation Bot Roast II: 1 million infected PCs, $20 million in losses and 8 indictments[33]

28.7.9 2008

• January 17: ; Anonymous attacks Scientology website servers around the world. Private documents are stolen from Scientology computers and distributed over the Internet

• March 7: Around 20 Chinese hackers claim to have gained access to the world’s most sensitive sites, including The Pentagon. They operate from a bare apartment on a Chinese island.[34]

• March 14: Trend Micro website successfully hacked by Turkish hacker Janizary (aka Utku)[35]

28.7.10 2009

• April 4: Conficker worm infiltrated millions of PCs worldwide including many government-level top-security computer networks[36]

28.8 2010s

28.8.1 2010

• January 12: Google publicly reveals[37] that it has been on the receiving end of a “highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google”

• June: Stuxnet The Stuxnet worm is found by VirusBlokAda. Stuxnet was unusual in that while it spread via Windows computers, its payload targeted just one specific model and type of SCADA systems. It slowly became clear that it was a cyber attack on Iran’s nuclear facilities - with most experts believing that Israel[38] was behind it - perhaps with US help.

• December 3: The first Malware Conference, MALCON takes place in India. Founded by Rajshekhar Murthy, Malware coders are invited to showcase their skills at this annual event supported by the Government of India. An advanced malware for Symbian OS is released by hacker A0drul3z.

28.8.2 2011

• The Hacker group Lulz security is formed

• April 9: Bank Of America website got hacked by a Turkish hacker named JeOPaRDY. An estimated 85,000 credit card numbers and accounts were reported to have been stolen due to the hack. Bank officials say no personal customer bank information is available on that web-page. Investigations are being conducted by the F.B.I to trace down the incriminated hacker.[39]

• April 17: An "external intrusion" sends the PlayStation Network offline, and compromises personally identifying information (possibly including credit card details) of its 77 million accounts, in what is claimed to be one of the five largest data breaches ever.[40]

• Elite hacker sl1nk releases information of his penetration in the servers of the Department of Defense (DoD), Pentagon, NASA, NSA, US Military, other UK government websites.[41]

• The hacker group LulzRaft is formed

• September: Bangladeshi hacker TiGER-M@TE made world record in defacement history by hacking 700,000 websites in one shot.[42]

• October 16: The YouTube channel of Sesame Street was hacked, streaming pornographic content for about 22 minutes.[43]

• November 1: The main phone and Internet networks of the Palestinian territories sustained a hacker attack from multiple locations worldwide.[44]

• November 7: The forums for Valve’s Steam service were hacked. Redirects for a hacking website, Fkn0wned, appeared on the Steam Users’ Forums, offering “hacking tutorials and tools, porn, free giveaways and much more.”[45]

• December 14: Five members of the Norwegian hacker group Noria were arrested, allegedly suspected for hacking into the email account of the militant extremist Anders Behring Breivik[46]

28.8.3 2012

• Saudi hacker, 0xOmar, published over 400,000 credit cards online,[47] and threatened Israel to release 1 million credit cards in the future.[48]

• In response to that incident, an Israeli hacker published over 200 Saudi’s credit cards online.[49]

• January 6: Hacker group The Hacker Encrypters found and reported an open SQLi exploit on Facebook. The results of the exploit have been posted on Pastebin.[50]

• January 7: Team Appunity, a group of Norwegian hackers, got arrested for breaking into and publishing the user database of Norway’s largest prostitution website.[51]

• February 3: Marriott was hacked by a new age ideologist, Attila Nemeth who was resisting against the New World Order where Corporations Rule the World. As a response Marriott reported him to the United States Secret Service.[52]

• February 8: Foxconn is hacked by rising hacker group, Swagg Security, releasing a massive amount of data including email logins, server logins, and even more alarming - bank account credentials of large companies like Apple and Microsoft. Swagg Security stages the attack just as a Foxconn protest ignites against terrible working conditions[53]

• May 4: A lot of important Turkish Websites are hacked by F0RTYS3V3N (Turkish Hacker). Google, Yandex, Microsoft, Gmail, Msn, Hotmail, PayPal Turkish representative offices' Websites hacked in one shot.[54]

• May 24: WHMCS is hacked by UGNazi, they claim that the reason for this is because of the illegal sites that are using their software.

• May 31: MyBB is hacked by newly founded hack group, UGNazi, the website was defaced for about a day, they claim their reasoning for this was because they were upset that the forum board Hackforums.net uses their software.

• October 7: Farmers Insurance, MasterCard, and several other high-level government sites are hacked by Swagg Security. Released is several thousand usernames and logins, as well as other confidential information.[55]

28.8.4 2013

• February 18: Burger King's Twitter account 'hacked' with McDonald’s logo.[56] According to Anonymous, it was due to the horse meat scandal in Europe.[57] An account named “iThug” was responsible for the hack. As a result, iThug’s account was suspended.[58]

• March 2: Two FBI web servers hacked by a Japanese hacker named Daisuke Dan.[59]

• October 27: NSA’s website shut down after the infiltration of a Japanese elite hacker Daisuke Dan.[60]

28.8.5 2014

• February 7: The Bitcoin exchange Mt.Gox filed for bankruptcy after $460 million was apparently stolen by hackers due to “weaknesses in [their] system” and another $27.4 million went missing from its bank accounts.[61]

• October: The White House computer system is hacked by Russians.

• November 28: The website of a major provider of Telecommunications Services in the Philippines Globe Telecom usually known as GLOBE was hacked to acquaint for the poor internet connection service they are distributing.[62]

28.9 References

[1] Marks, Paul (December 27, 2011). “Dot-dash-diss: The gentleman hacker’s 1903 lulz”. New Scientist. Retrieved January 11, 2012.

[2] “untitled1.html”. Retrieved 14 March 2015.

[3] http://osvdb.org/show/osvdb/23257

[4] David Price: Blind Whistling Phreaks and the FBI’s Historical Reliance on Phone Tap Criminality CounterPunch, June 30, 2008

[5] http://archive.wired.com/science/discoveries/news/2001/02/41630?currentPage=all

[6] Elmer-DeWitt, Philip (August 29, 1983). “The 414 Gang Strikes Again”. Time. p. 75.

[7] “Beware: Hackers at play”. Newsweek. September 5, 1983. pp. 42–46, 48.

[8] “Timeline: The U.S. Government and Cybersecurity”. Washington Post. May 16, 2003. Retrieved 2006-04-14.

[9] Thompson, Ken (October 1983). “Reflections on Trusting Trust” (PDF). 1983 Turing Award Lecture. ACM.

[10] “2600: The Hacker Quarterly (Volume 2, Number 8, August 1985)". Retrieved 14 March 2015.

[11] http://nj-statute-info.com/getStatute.php?statute_id=1618

[12] “TUCoPS :: Cyber Law :: psbust.txt”. Retrieved 14 March 2015.

[13] “2600 Article”. Retrieved 14 March 2015.

[14] 'Hacking' into Prestel is not a Forgery Act offence” (Law Report), The Times, 21 July 1987.

[15] Cliff Stoll (1989). The cuckoo’s egg. New York: Doubleday. ISBN 0-370-31433-6.

[16] Burger, R.: “Computer viruses - a high tech disease”, Abacus/Data Becker GmbH (1988), ISBN 1-55755-043-3

[17] Spafford, E.H.: “The Internet Worm Program: An Analysis”, Purdue Technical Report CSD-TR-823 (undated)

[18] Eichin, M.W. and Rochlis, J.A.: “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988”, MIT (1989)

[19] Bill Apro & Graeme Hammond (2005). Hackers: The Hunt for Australia’s Most Infamous Computer Cracker. Five Mile Press. ISBN 1-74124-722-5.

[20] Esquibel, Bruce (1994-10-08). ""Operation Sundevil” is finally over for Dr. Ripco”. Electronic Frontier Foundation. Retrieved 2009-03-08.

[21] “Recent Large Name Phreaker Busts by Anonymous”. EmpireTimes. March 11, 1995.

[22] http://www.nap.edu/html/trust/trust-1.htm

[23] “U.S. Department of Justice, For Immediate Release, Dallas, Texas”. USDOJ. September 16, 1999.

[24] “North Korean hackers sabotage computer networks of South Korea”. Pravda Online. Retrieved 2008-10-14.

[25] Rob Lemos. “Campaign seeks to defang Rafa’s hacker image”, “Security Focus”, April 11, 2005.

[26] Krebs, Brian. “Teen Pleads Guilty to Hacking Paris Hilton’s Phone”, The Washington Post, September 13, 2005.

[27] Iain Thomson (2005-11-04). “FBI sting nets botnet hacker”. vnunet.com. Archived from the original on 2007-12-20. Retrieved 2008-09-26.

[28] Jeremy Kirk (17 May 2007). “Estonia recovers from massive denial-of-service attack”. Network World. Retrieved 14 March 2015.

[29] Michael Cooney (13 June 2007). “FBI: Operation Bot Roast finds over 1 million botnet victims”. Network World. Retrieved 14 March 2015.

[30] McMillan, Robert (June 21, 2007). “Pentagon shuts down systems after ”. InfoWorld (IDG). Retrieved 2008-03-10.

[31] Aitoro, Jill R. (March 5, 2008). “Defense officials still concerned about data lost in 2007 network attack”. Government Executive (National Journal Group). Retrieved 2008-03-10.

[32] “BMnin sitesi hacklendi haberi”. Internethaber. Retrieved 14 March 2015.

[33] Michael Cooney (29 November 2007). “FBI ‘Bot Roast II: 1 million infected PCs, $20 million in losses and 8 indictments”. Network World. Retrieved 14 March 2015.

[34] “Chinese hackers: No site is safe”. CNN. March 7, 2008. Retrieved 2008-03-07.

[35] Stefanie Hoffman. “Trend Micro Victim Of Malicious Hack”. CRN. Retrieved 14 March 2015.

[36] Markoff, John (2009-08-26). “Defying Experts, Rogue Computer Code Still Lurks”. New York Times. Retrieved 2009-08-27.

[37] “A new approach to China”. Google Inc. 2010-01-12. Retrieved 17 January 2010.

[38] Broad, William J.; Sanger, David E. (18 November 2010). “Worm in Iran Can Wreck Nuclear Centrifuges”. The New York Times.

[39] Mohit Kumar (26 March 2011). “Thousands of Bank of America Accounts Hacked !". The Hacker News - Biggest Information Security Channel. Retrieved 14 March 2015.

[40] Apr 27, 2011 10:56 AM ET (April 27, 2011). “PlayStation data breach deemed in 'top 5 ever' - Business - CBC News”. Cbc.ca. Retrieved 2011-04-29.

[41] Is Department of Defense (DoD), Pentagon, NASA, NSA secure?, TheHackerNews, May 14, 2011.

[42] Eduard Kovacs (26 September 2011). “700,000 InMotion Websites Hacked by TiGER-M@TE”. softpedia. Retrieved 14 March 2015.

[43] John P. Mello Jr. “Sesame Street Hacked, Porn Posted”. PC World. Retrieved 2011-10-26.

[44] Alaa Ashkar. “PA Telecommunications minister: Palestinian Internet Under Hacking Attacks”. IMEMC. Retrieved 2011-11-02.

[45] Ashcraft, Brian. “Steam Forums Apparently Hacked”. Kotaku.

[46] Jonas Sverrisson Rasch. “News article about the arrests of Noria”. Dagbladet. Retrieved 2012-12-14.

[47] Flock, Elizabeth (January 3, 2012). “Saudi hackers say they published Israeli credit card information”. The Washington Post.

[48] http://hitechanalogy.com/saudi-hacker-0xomar-threatens-israel-release-01-million-credit-card-numbers-story/

[49] “Israeli hacker retaliates to credit card hacking”. BBC News. January 12, 2012.

[50] Results of the Facebook exploit on pastebin - http://pastebin.com/z5YgWanz

[51] Kripos. "(Norwegian) Tre personer siktet for datainnbrudd”. Kripos. Retrieved 2012-04-25.

[52] “Marriott,Hack,Extortion, Arrest and important websites hacked”. Feb 3, 2012.

[53] Garside, Juliette (February 9, 2012). “Apple supplier Foxconn hacked in factory conditions protest”. The Guardian (London).

[54] “Google,Microsoft,Yandex,Paypal and important websites hacked”. May 4, 2012.

[55] USA Gov., Farmers Ins., Mastercard and + Hacked! Pastebin - http://pastebin.com/AP2M5cDX

[56] BBC - http://www.bbc.co.uk/news/ world-us-india-8533906955

[57] New Times Broward-Palm Beach - http://blogs. browardpalmbeach.com/pulp/2013/02/anonymous_ hacked_burger_king_horse_meat.

[58] - http://gizmodo.com/5985385/ jeeps-twitter-account-has-been-hacked

[59] ZATAZ - http://archives.zataz.com/news/23303/ fbi--faille--fuite--data-leak.html

[60] ZATAZ - http://archives.zataz.com/news/23139/ nsa--oD-Defense-Connect-online.html

[61] “The Inside Story of Mt. Gox, Bitcoin’s $460 Million Dis- aster - WIRED”. WIRED. Retrieved 14 March 2015.

[62] http://www.coorms.com/2014/11/ globe-website-was-hacked-by-bloodsec-hackers.html

28.10 Further reading

• Allan Lundell (1989). Virus! The secret world of computer invaders that breed and destroy. Wayne A. Yacco. ISBN 0-8092-4437-3.
• Bill Landreth (1989[1985]). Out of the Inner Circle. Tempus Books of Microsoft Press. ISBN 1-55615-223-X.
• Owen Bowcott and Sally Hamilton (1990). Beating the System: Hackers, phreakers and electronic spies. Bloomsbury. ISBN 0-7475-0513-6.
• Philip Fites, Peter Johnston and Martin Kratz (1989). The computer virus crisis. Van Nostrand Reinhold. ISBN 0-442-28532-9.
• Bruce Sterling (1992). The Hacker Crackdown: Law and disorder on the electronic frontier. Penguin. ISBN 0-14-017734-5.
• Steve Gold (1989). Hugo Cornwall’s New Hacker’s Handbook. London: Century Hutchinson Ltd. ISBN 0-7126-3454-1.

Chapter 29

Trojan horse (computing)

For other uses, see Trojan horse (disambiguation).

A Trojan horse, or Trojan, in computing is generally a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the Ancient Greek story of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in ancient Anatolia, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers.[1][2][3][4][5]

A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.[6] While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage. Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files (computer virus) or otherwise propagate themselves (worm).[7] A computer may host a Trojan via a malicious program that a user is duped into executing (often an e-mail attachment disguised to be unsuspicious, e.g., a routine form to be filled in), or by drive-by download.

29.1 Purpose and uses

A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker, or be caused unintentionally by program operation, on a targeted computer system include:

• Crashing the computer, e.g. with “blue screen of death” (BSOD)
• Data corruption
• Formatting disks, destroying all contents
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
• Electronic money theft
• Infects entire Network banking information and other connected devices
• Data theft, including confidential files, sometimes for industrial espionage, and information with financial implications such as passwords and payment card information
• Modification or deletion of files
• Downloading or uploading of files for various purposes
• Downloading and installing software, including third-party malware and ransomware
• Keystroke logging
• Watching the user’s screen
• Viewing the user’s webcam
• Controlling the computer system remotely
• Encrypting files; a ransom payment may be demanded for decryption, as with the CryptoLocker ransomware
• System registry modification
• Using computer resources for mining [8]
• Using the infected computer as proxy for illegal activities and/or attacks on other computers.

Trojan horses in this way may require interaction with a malicious controller (not necessarily distributing the Trojan horse) to fulfill their purpose. It is possible for those involved with Trojans to scan computers on a network to locate any with a Trojan horse installed, which the hacker can then control.[9]

Some Trojans take advantage of a security flaw in older versions of Internet Explorer and Google Chrome to use the host computer as an anonymizer proxy to effectively hide Internet usage,[10] enabling the controller to use the Internet for illegal purposes while all potentially incriminating evidence indicates the infected computer or its IP address. The host’s computer may or may not show the internet history of the sites viewed using the computer as a proxy. The first generation of anonymizer Trojan horses tended to leave their tracks in the page view histories of the host computer. Later generations of the Trojan horse tend to “cover” their tracks more efficiently. Several versions of Sub7 have been widely circulated in the US and Europe and became the most widely distributed examples of this type of Trojan horse.[9]

In German-speaking countries, spyware used or made by the government is sometimes called govware. Govware is typically a trojan horse software used to intercept communications from the target computer. Some countries like Switzerland and Germany have a legal framework governing the use of such software.[11][12] Examples of govware trojans include the Swiss MiniPanzer and MegaPanzer[13] and the German “state trojan” nicknamed R2D2.[11]

Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users’ privacy, Trojan horses are becoming more common. According to a survey conducted by BitDefender from January to June 2009, “Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the world.” Trojans have a relationship with worms, as they spread with the help given by worms and travel across the internet with them.[14] The anti-virus company BitDefender has stated that approximately 15% of computers are members of a botnet, usually recruited by a Trojan infection.[15]

29.2 Notable Trojan horses

• Netbus Advance System Care (by Carl-Fredrik Neikter)
• Subseven or Sub7 (by Mobman)
• Back Orifice (Sir Dystic)
• Beast
• Zeus
• Flashback Trojan (Trojan BackDoor.Flashback)
• ZeroAccess
• Vundo

29.3 See also

• Computer security
• Remote administration
• Remote administration software
• Cyber spying
• Dancing pigs
• Exploit (computer security)
• Industrial espionage
• Malware
• Principle of least privilege
• Privacy-invasive software
• Reverse connection
• Rogue security software
• Social engineering (security)
• Spam
• Spyware
• Timeline of computer viruses and worms

29.4 References

• Carnegie Mellon University (1999): “CERT Advisory CA-1999-02 Trojan Horses”, Retrieved on 2009-06-10.

[1] Landwehr, C. E; A. R Bull; J. P McDermott; W. S Choi (1993). A taxonomy of computer program security flaws, with examples. DTIC Document. Retrieved 2012-04-05.

[2] “Trojan Horse Definition”. Retrieved 2012-04-05.

[3] “Trojan horse”. Webopedia. Retrieved 2012-04-05.

[4] “What is Trojan horse? - Definition from Whatis.com”. Retrieved 2012-04-05.

[5] “Trojan Horse: [coined By MIT-hacker-turned-NSA-spook Dan Edwards] N.”. Retrieved 2012-04-05.

[6] “What is the difference between viruses, worms, and Trojans?”. Symantec Corporation. Retrieved 2009-01-10.

[7] “VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)”. 9 October 1995. Retrieved 2012-09-13.

[8] Robert McMillan (2013): Trojan Turns Your PC Into Bitcoin Mining Slave, Retrieved on 2015-02-01

[9] Jamie Crapanzano (2003): “Deconstructing SubSeven, the Trojan Horse of Choice”, SANS Institute, Retrieved on 2009-06-11

[10] Vincentas (11 July 2013). “Trojan Horse in SpyWareLoop.com”. Spyware Loop. Retrieved 28 July 2013.

[11] Basil Cupa, Trojan Horse Resurrected: On the Legality of the Use of Government Spyware (Govware), LISS 2013, pp. 419-428

[12] http://www.ejpd.admin.ch/content/ejpd/de/home/themen/sicherheit/ueberwachung_des_post-/faq_vuepf.faq_3.html

[13] “Swiss coder publicises government spy Trojan - Techworld.com”. News.techworld.com. Retrieved 2014-01-26.

[14] BitDefender.com Malware and Spam Survey

[15] Datta, Ganesh. “What are Trojans?”. SecurAid.

29.5 External links

• Trojan Horses at DMOZ

Chapter 30

Vulnerability (computing)

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.[1] To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.[2] This practice generally refers to software vulnerabilities in computing systems.

A security risk may be classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled—see zero-day attack.

Security bug (security defect) is a narrower concept: there are vulnerabilities that are not related to software: hardware, site, personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

30.1 Definitions

ISO 27005 defines vulnerability as:[3]

    A weakness of an asset or group of assets that can be exploited by one or more threats

where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission[4]

IETF RFC 2828 defines vulnerability as:[5]

    A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy

The Committee on National Security Systems of United States of America defined vulnerability in CNSS Instruction No. 4009 dated 26 April 2010 National Information Assurance Glossary:[6]

    Vulnerability — Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited

Many NIST publications define vulnerability in an IT context: the FISMApedia[7] term[8] provides a list. Among them, SP 800-30[9] gives a broader one:

    A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

ENISA defines vulnerability in[10] as:

    The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.(ITSEC)

The Open Group defines vulnerability in[11] as:

    The probability that threat capability exceeds the ability to resist the threat.


Factor Analysis of Information Risk (FAIR) defines vulnerability as:[12]

    The probability that an asset will be unable to resist the actions of a threat agent

According to FAIR, vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force, and the threat Capabilities, i.e. the probable level of force that a threat agent is capable of applying against an asset.

ISACA defines vulnerability in Risk IT framework as:

    A weakness in design, implementation, operation or internal control

Data and Computer Security: Dictionary of standards concepts and terms, authors Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as:

    1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing. 2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity. 3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.

Matt Bishop and Dave Bailey[13] give the following definition of computer vulnerability:

    A computer system is composed of states describing the current configuration of the entities that make up the computer system. The system computes through the application of state transitions that change the state of the system. All states reachable from a given initial state using a set of state transitions fall into the class of authorized or unauthorized, as defined by a security policy. In this paper, the definitions of these classes and transitions is considered axiomatic. A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions. A compromised state is the state so reached. An attack is a sequence of authorized state transitions which end in a compromised state. By definition, an attack begins in a vulnerable state. A vulnerability is a characterization of a vulnerable state which distinguishes it from all non-vulnerable states. If generic, the vulnerability may characterize many vulnerable states; if specific, it may characterize only one...

National Information Assurance Training and Education Center defines vulnerability:[14][15]

    A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. 2. A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information. 3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack. 4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set. 5. Susceptibility to various threats. 6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk. 7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.

30.2 Vulnerability and risk factor models

A resource (either physical or logical) may have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability of resources (not necessarily the vulnerable one) belonging to an organization and/or other parties involved (customers, suppliers).

The so-called CIA triad is the basis of Information Security.

An attack can be active when it attempts to alter system resources or affect their operation, compromising integrity or availability. A “passive attack” attempts to learn or make use of information from the system but does not affect system resources, compromising confidentiality.[5]
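The Bishop and Bailey state-transition definition quoted in 30.1 can be checked mechanically as graph reachability. The Python sketch below is an added example, not taken from their report or from this page's sources; the toy host, its state names and its transition table are constructed assumptions.

```python
from collections import deque

# Constructed toy system (assumption for this example): one host that runs
# either a legacy or a patched configuration. All names are illustrative.
AUTHORIZED = {
    "patched/logged_out",
    "patched/user_session",
    "legacy/logged_out",
    "legacy/user_session",
    "legacy/user_in_upload_dir",
}
UNAUTHORIZED = {"legacy/user_runs_as_root"}

# Authorized state transitions: every edge is an operation the system permits.
TRANSITIONS = {
    "patched/logged_out": ["patched/user_session"],
    "patched/user_session": ["patched/logged_out"],
    "legacy/logged_out": ["legacy/user_session", "patched/logged_out"],
    "legacy/user_session": ["legacy/logged_out", "legacy/user_in_upload_dir"],
    "legacy/user_in_upload_dir": ["legacy/user_session",
                                  "legacy/user_runs_as_root"],
}


def shortest_attack(start, transitions, unauthorized):
    """Breadth-first search for the shortest sequence of permitted transitions
    from `start` to an unauthorized (compromised) state.

    Returns the list of states visited, or None if none is reachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state in unauthorized:
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return path[::-1]
        for nxt in transitions.get(state, ()):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def vulnerable_states(authorized, transitions, unauthorized):
    """Authorized states from which some unauthorized state can be reached."""
    return {s for s in authorized
            if shortest_attack(s, transitions, unauthorized) is not None}


def remove_transition(transitions, src, dst):
    """Model a fix: the same system with one transition no longer permitted."""
    fixed = {s: list(t) for s, t in transitions.items()}
    fixed[src] = [t for t in fixed.get(src, []) if t != dst]
    return fixed


if __name__ == "__main__":
    for s in sorted(vulnerable_states(AUTHORIZED, TRANSITIONS, UNAUTHORIZED)):
        attack = shortest_attack(s, TRANSITIONS, UNAUTHORIZED)
        print("vulnerable:", s, "| attack:", " -> ".join(attack))
    fixed = remove_transition(TRANSITIONS, "legacy/user_in_upload_dir",
                              "legacy/user_runs_as_root")
    print("vulnerable after fix:",
          sorted(vulnerable_states(AUTHORIZED, fixed, UNAUTHORIZED)))
```

Every legacy state is vulnerable because each can reach the compromised state, while the patched states are not; removing the one transition into the unauthorized state empties the vulnerable set.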

Figure: OWASP: relationship between threat agent and business impact

OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.

The overall picture represents the risk factors of the risk scenario.[16]

30.3 Information security management system

A set of policies concerned with information security management, the information security management system (ISMS), has been developed to manage, according to Risk management principles, the countermeasures in order to ensure the security strategy is set up following the rules and regulations applicable in a country. These countermeasures are also called Security controls, but when applied to the transmission of information they are called security services.[17]

30.4 Classification

Vulnerabilities are classified according to the asset class they are related to:[3]

• hardware
  • susceptibility to humidity
  • susceptibility to dust
  • susceptibility to soiling
  • susceptibility to unprotected storage
• software
  • insufficient testing
  • lack of audit trail
• network
  • unprotected communication lines
  • insecure network architecture
• personnel
  • inadequate recruiting process
  • inadequate security awareness
• site
  • area subject to flood
  • unreliable power source
• organizational
  • lack of regular audits
  • lack of continuity plans
  • lack of security

30.5 Causes

• Complexity: Large, complex systems increase the probability of flaws and unintended access points[18]
• Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw[19]
• Connectivity: More physical connections, privileges, ports, protocols, and services and time each of those are accessible increase vulnerability[12]
• Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.[18]
• Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example operating systems with policies such as default permit grant every program and every user full access to the entire computer.[18] This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.[20]
• Internet Website Browsing: Some internet websites may contain harmful Spyware or Adware that can be installed automatically on the computer systems. After visiting those websites, the computer systems become infected and personal information will be collected and passed on to third party individuals.[21]
• Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application.[18]

• Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as Buffer overflows, SQL injection or other non-validated inputs).[18]
• Not learning from past mistakes:[22][23] for example most vulnerabilities discovered in IPv4 protocol software were discovered in the new IPv6 implementations.[24]

The research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human:[25] so humans should be considered in their different roles as asset, threat, information resources. Social engineering is an increasing security concern.

30.6 Vulnerability consequences

The impact of a security breach can be very high. The fact that IT managers, or upper management, can (easily) know that IT systems and applications have vulnerabilities and do not perform any action to manage the IT risk is seen as a misconduct in most legislations. Privacy law forces managers to act to reduce the impact or likelihood of that security risk. Information technology security audit is a way to let other independent people certify that the IT environment is managed properly and lessen the responsibilities, at least having demonstrated the good faith. Penetration test is a form of verification of the weakness and countermeasures adopted by an organization: a White hat hacker tries to attack an organization’s information technology assets, to find out how easy or difficult it is to compromise the IT security.[26] The proper way to professionally manage the IT risk is to adopt an Information Security Management System, such as ISO/IEC 27002 or Risk IT and follow them, according to the security strategy set forth by the upper management.[17]

One of the key concepts of information security is the principle of defence in depth: i.e. to set up a multilayer defence system that can:

• prevent the exploit
• detect and intercept the attack
• find out the threat agents and prosecute them

Intrusion detection system is an example of a class of systems used to detect attacks.

Physical security is a set of measures to protect physically the information asset: if somebody can get physical access to the information asset, it is quite easy to make resources unavailable to its legitimate users.

Some sets of criteria to be satisfied by a computer, its operating system and applications in order to meet a good security level have been developed: ITSEC and Common criteria are two examples.

30.7 Vulnerability disclosure

Responsible disclosure (many now refer to it as 'coordinated disclosure' because the first is a biased word) of vulnerabilities is a topic of great debate. As reported by The Tech Herald in August 2010, “Google, Microsoft, TippingPoint, and Rapid7 have recently issued guidelines and statements addressing how they will deal with disclosure going forward.”[27]

A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45 day grace period before publishing a security advisory.

Full disclosure is done when all the details of a vulnerability are publicized, perhaps with the intent to put pressure on the software or procedure authors to find a fix urgently.

Well respected authors have published books on vulnerabilities and how to exploit them: Hacking: The Art of Exploitation Second Edition is a good example.

Security researchers catering to the needs of the cyberwarfare or cybercrime industry have stated that this approach does not provide them with adequate income for their efforts.[28] Instead, they offer their exploits privately to enable Zero day attacks.

The never ending effort to find new vulnerabilities and to fix them is called Computer insecurity.

In January 2014 when Google revealed a Microsoft vulnerability before Microsoft released a patch to fix it, a Microsoft representative called for coordinated practices among software companies in revealing disclosures.[29]

30.7.1 Vulnerability inventory

maintains a list of disclosed vulnerabilities in a system called Common Vulnerabilities and Exposures, where vulnerabilities are classified (scored) using Common Vulnerability Scoring System (CVSS).

OWASP collects a list of potential vulnerabilities in order to prevent system designers and programmers from inserting vulnerabilities into the software.[30]

30.8 Vulnerability disclosure date

The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as “a kind of public disclosure of security information by a certain party”. Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterward.

The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirements:

• The information is freely available to the public
• The vulnerability information is published by a trusted and independent channel/source
• The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure

30.9 Identifying and removing vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system.

Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of Unix and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches), best practices in deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).

30.10 Examples of vulnerabilities

Vulnerabilities are related to:

• physical environment of the system
• the personnel
• management
• administration procedures and security measures within the organization
• business operation and service delivery
• hardware
• software
• communication equipment and facilities
• and their combinations.

It is evident that a pure technical approach cannot even protect physical assets: one should have administrative procedure to let maintenance personnel enter the facilities and people with adequate knowledge of the procedures, motivated to follow it with proper care. See Social engineering (security).

Four examples of vulnerability exploits:

• an attacker finds and uses an overflow weakness to install malware to export sensitive data;
• an attacker convinces a user to open an email message with attached malware;
• an insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
• a flood damages one’s computer systems installed at ground floor.

30.10.1 Software vulnerabilities

Common types of software flaws that lead to vulnerabilities include:

• Memory safety violations, such as:
  • Buffer overflows and over-reads
  • Dangling pointers
• Input validation errors, such as:
  • Format string attacks
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
  • HTTP header injection
  • HTTP response splitting
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • FTP bounce attack
• Privilege escalation
• failures, such as:

  • Warning fatigue[31] or user conditioning.
  • Blaming the Victim: Prompting a user to make a security decision without giving the user enough information to answer it[32]
  • Race Conditions[33][34]

Sets of coding guidelines have been developed, and a large number of static code analysers have been used to verify that code follows the guidelines.

30.11 See also

• Computer emergency response team
• Information security
• Internet security
• Mobile security
• Vulnerability scanner

30.12 References

[1] “The Three Tenets of Cyber Security”. U.S. Air Force Software Protection Initiative. Retrieved 2009-12-15.
[2] Foreman, P: Vulnerability Management, page 1. Taylor & Francis Group, 2010. ISBN 978-1-4398-0150-5
[3] ISO/IEC, “Information technology -- Security techniques-Information security risk management” ISO/IEC FIDIS 27005:2008
[4] British Standard Institute, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management BS ISO/IEC 13335-1-2004
[5] Internet Engineering Task Force RFC 2828 Internet Security Glossary
[6] CNSS Instruction No. 4009 dated 26 April 2010
[7] “FISMApedia”. fismapedia.org.
[8] "Term:Vulnerability". fismapedia.org.
[9] NIST SP 800-30 Risk Management Guide for Information Technology Systems
[10] “Glossary”. europa.eu.
[11] Technical Standard Risk Taxonomy ISBN 1-931624-77-1 Document Number: C081 Published by The Open Group, January 2009.
[12] “An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;
[13] Matt Bishop and Dave Bailey. A Critical Analysis of Vulnerability Taxonomies. Technical Report CSE-96-11, Department of Computer Science at the University of California at Davis, September 1996
[14] Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)
[15] NIATEC Glossary
[16] ISACA THE RISK IT FRAMEWORK (registration required)
[17] Wright, Joe; Harmening, Jim (2009). “15”. In Vacca, John. Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 257. ISBN 978-0-12-374354-1.
[18] Kakareka, Almantas (2009). “23”. In Vacca, John. Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 393. ISBN 978-0-12-374354-1.
[19] Krsul, Ivan (April 15, 1997). “Technical Report CSD-TR-97-026”. The COAST Laboratory Department of Computer Sciences, Purdue University. CiteSeerX: 10.1.1.26.5435.
[20] “The Six Dumbest Ideas in Computer Security”. ranum.com.
[21] “The Web Application Security Consortium / Web Application Security Statistics”. webappsec.org.
[22] Ross Anderson. Why Fail. Technical report, University Computer Laboratory, Cambridge, January 1994.
[23] Neil Schlager. When Technology Fails: Significant Technological Disasters, Accidents, and Failures of the Twentieth Century. Gale Research Inc., 1994.
[24] Hacking: The Art of Exploitation Second Edition
[25] Kiountouzis, E. A.; Kokolakis, S. A. Information systems security: facing the information society of the 21st century. London: Chapman & Hall, Ltd. ISBN 0-412-78120-4.
[26] Bavisi, Sanjay (2009). “22”. In Vacca, John. Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 375. ISBN 978-0-12-374354-1.
[27] “The new era of vulnerability disclosure - a brief chat with HD Moore”. The Tech Herald.
[28] “Browse - Content - SecurityStreet”. rapid7.com.
[29] Betz, Chris (11 Jan 2015). “A Call for Better Coordinated Vulnerability Disclosure - MSRC - Site Home - TechNet Blogs”. blogs.technet.com. Retrieved 12 January 2015.
[30] "Category:Vulnerability". owasp.org.
[31] “Warning Fatigue”. freedom-to-tinker.com.
[32]
[33] “Jesse Ruderman » Race conditions in security dialogs”. squarefree.com.
[34] “lcamtuf’s blog”. lcamtuf.blogspot.com.

30.13 External links

• Security advisories links from the Open Directory http://www.dmoz.org/Computers/Security/Advisories_and_Patches/

Chapter 31

White hat (computer security)

The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems.[1] Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing.[2] White-hat hackers may also work in teams called "sneakers",[3] red teams, or tiger teams.[4]

31.1 History

One of the first instances of an ethical hack being used was a “security evaluation” conducted by the United States Air Force of the Multics operating systems for “potential use as a two-level (secret/top secret) system.” Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had "... vulnerabilities in hardware security, software security and procedural security” that could be uncovered with “a relatively low level of effort.” The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.[4]

The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program, called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992.[4]

31.2 Tactics

While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects and patch installations, for example – ethical hacking, which will likely include such things, is under no limitations when asked for by stakeholders in the company. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives’ dustbins and usually breaking and entering – all, of course, with no knowledge and consent of the targets. Only the owners, CEOs and Board Members (stakeholders) who asked for a security review of this magnitude are aware. A complete understanding, and sometimes if allowed by those stakeholders, a complete non-understanding of the hack attempt is allowed to test penetration points. To try to replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical.[2] In most recent cases these hacks run as a long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software in a public area, as if someone lost the small drive and an unsuspecting employee found it and took it.

Some other methods of carrying out these include:

• DoS attacks
• Social engineering tactics
• Security scanners such as:
  • W3af
  • Nessus
  • Nexpose
• Frameworks such as:


  • Metasploit

Such methods identify and exploit known vulnerabilities, and attempt to evade security to gain entry into secured areas. They are able to do this by hiding software and system 'back-doors' that could be used as a link to the information or access the non-ethical hacker, also known as 'black-hat' or 'grey-hat', may want to reach.

31.3 Legality in the UK

Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com, says “Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn't, there’s an offence under the Computer Misuse Act. The unauthorized access offence covers everything from guessing the password, to accessing someone’s webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data”. Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. “There’s no defense in our hacking laws that your behavior is for the greater good. Even if it’s what you believe.”[2]

31.4 Employment

The United States National Security Agency offers certifications such as the CNSS 4011. Such a certification covers orderly, ethical hacking techniques and team-management. Aggressor teams are called “red” teams. Defender teams are called “blue” teams.[3]

31.4.1 List of prominent white hat hackers

• Eric Corley
• Przemysław Frasunek
• Raphael Gray
• Barnaby Jack
• Kevin Mitnick
• Robert Tappan Morris
• Kevin Poulsen

31.5 See also

• Certified Ethical Hacker
• Computer hacking (category)
• IT risk
• Wireless identity theft

31.6 References

[1] “What is white hat? - a definition from Whatis.com”. Searchsecurity.techtarget.com. Retrieved 2012-06-06.
[2] Knight, William (16 October 2009). “License to Hack”. InfoSecurity 6 (6): 38–41. doi:10.1016/s1742-6847(09)70019-9.
[3] “What is a White Hat?". Secpoint.com. 2012-03-20. Retrieved 2012-06-06.
[4] Palmer, C.C. (2001). “Ethical Hacking” (PDF). IBM Systems Journal 40 (3): 769. doi:10.1147/sj.403.0769.

Chapter 32

Hacker (programmer subculture)

“Hacker subculture” redirects here. For other hacker subcultures, see Hacker (subculture).

A hacker is an adherent of the subculture that originally emerged in academia in the 1960s, around the Massachusetts Institute of Technology (MIT)'s Tech Model Railroad Club (TMRC)[1] and MIT Artificial Intelligence Laboratory.[2]

A hacker is one who enjoys the intellectual challenge of creatively overcoming and circumventing limitations of programming systems and who tries to extend their capabilities.[3] The act of engaging in activities (such as programming or other media[4]) in a spirit of playfulness and exploration is termed hacking. However the defining characteristic of a hacker is not the activities performed themselves (e.g. programming), but the manner in which it is done: Hacking entails some form of excellence, for example exploring the limits of what is possible,[5] thereby doing something exciting and meaningful.[4] Activities of playful cleverness can be said to have “hack value” and are termed hacks[5] (examples include pranks at MIT intended to demonstrate technical aptitude and cleverness).

Richard Stallman explains about hackers who program:

  What they had in common was mainly love of excellence and programming. They wanted to make their programs that they used be as good as they could. They also wanted to make them do neat things. They wanted to be able to do something in a more exciting way than anyone believed possible and show “Look how wonderful this is. I bet you didn't believe this could be done.”[6]

Hackers from this subculture tend to emphatically differentiate themselves from what they pejoratively call "crackers"; those who are generally referred to by media and members of the general public using the term “hacker”, and whose primary focus—be it to malign or benevolent purposes—lies in exploiting weaknesses in computer security.[7]

32.1 Definition

The Jargon File, an influential but not universally accepted compendium of hacker slang, defines hacker as “A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.”[8] The Request for Comments (RFC) 1392, the Internet Users’ Glossary, amplifies this meaning as “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.”[9]

As documented in the Jargon File, these hackers are disappointed by the mass media and general public’s usage of the word hacker to refer to security breakers, calling them “crackers” instead. This includes both “good” crackers ("white hat hackers") who use their computer security related skills and knowledge to learn more about how systems and networks work and to help to discover and fix security holes, as well as those more “evil” crackers ("black hat hackers") who use the same skills to author harmful software (like viruses, trojans, etc.) and illegally infiltrate secure systems with the intention of doing harm to the system.[10] The programmer subculture of hackers, in contrast to the cracker community, generally sees computer security related activities as contrary to the ideals of the original and true meaning of the hacker term that instead related to playful cleverness.[10]

32.2 History

The word “hacker” derives from the seventeenth century word of a “lusty laborer” who harvested fields by dogged and rough swings of his hoe. Although the idea of “hacking” has existed long before the term “hacker”—with the most notable example of Lightning Ellsworth, it was not a word that the first programmers used to describe themselves. In fact, many of the first programmers were oftentimes from the engineering or physics background. “But from about 1945 onward (and especially during the creation of the first ENIAC computer) some programmers realized that their expertise in computer software and technology had evolved not just into a profession, but into a passion” (46).[3]

It was not until the 1960s that the term hackers began to be used to describe proficient computer programmers. Therefore, the fundamental characteristic that links all who identify themselves as hackers is that they enjoy "…the intellectual challenge of creatively overcoming and circumventing limitations of programming systems and who tries to extend their capabilities” (47).[3] With this definition in mind, it can be clear where the negative implications of the word “hacker” and the subculture of “hackers” came from.

Some common nicknames among this culture include “crackers” who are unskilled thieves who mainly rely on luck. Others include “phreak”—which refers to a type of skilled cracker and “warez d00dz”—which is a kind of cracker that acquires reproductions of copyrighted software. Within all hackers are tiers of hackers such as the “samurai” who are hackers that hire themselves out for legal electronic locksmith work. Furthermore, there are other hackers that are hired to test security which are called “sneakers” or “tiger teams”.

[Figure: The Glider, proposed as an emblem of the “hacker community” by Eric S. Raymond.]

Before communications between computers and computer users were as networked as they are now, there were multiple independent and parallel hacker subcultures, often unaware or only partially aware of each other’s existence. All of these had certain important traits in common:

• Creating software and sharing it with each other
• Placing a high value on freedom of inquiry
• Hostility to secrecy
• Information-sharing as both an ideal and a practical strategy
• Upholding the right to fork
• Emphasis on rationality
• Distaste for authority
• Playful cleverness, taking the serious humorously and the humor seriously

These sorts of subcultures were commonly found at academic settings such as college campuses. The MIT Artificial Intelligence Laboratory, the University of California, Berkeley and Carnegie Mellon University were particularly well-known hotbeds of early hacker culture. They evolved in parallel, and largely unconsciously, until the Internet, where a legendary PDP-10 machine at MIT, called AI, that was running ITS, provided an early meeting point of the hacker community. This and other developments such as the rise of the free software movement and community drew together a critically large population and encouraged the spread of a conscious, common, and systematic ethos. Symptomatic of this evolution were an increasing adoption of common slang and a shared view of history, similar to the way in which other occupational groups have professionalized themselves but without the formal credentialing process characteristic of most professional groups.

Over time, the academic hacker subculture has tended to become more conscious, more cohesive, and better organized. The most important consciousness-raising moments have included the composition of the first Jargon File in 1973, the promulgation of the GNU Manifesto in 1985, and the publication of Eric Raymond's The Cathedral and the Bazaar in 1997. Correlated with this has been the gradual recognition of a set of shared culture heroes, including: Bill Joy, Donald Knuth, Dennis Ritchie, Paul Graham, Alan Kay, Ken Thompson, Richard M. Stallman, Linus Torvalds, Larry Wall, and Guido Van Rossum.

The concentration of academic hacker subculture has paralleled and partly been driven by the commoditization of computer and networking technology, and has in turn accelerated that process. In 1975, hackerdom was scattered across several different families of operating systems and disparate networks; today it is largely a Unix and TCP/IP phenomenon, and is concentrated around various operating systems based on free software and open-source software development.

32.3 Ethics and principles

Main article: Hacker ethic

Many of the values and tenets of the free and open source software movement stem from the hacker ethics that originated at MIT[11] and at the Homebrew Computer Club. The hacker ethics were chronicled by Steven Levy in Hackers: Heroes of the Computer Revolution[12] and in other texts in which Levy formulates and summarizes general hacker attitudes:

• Access to computers-and anything that might teach you something about the way the world works-should be unlimited and total.
• All information should be free.
• Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
• You can create art and beauty on a computer.
• Computers can change your life for the better.

Hacker ethics are concerned primarily with sharing, openness, collaboration, and engaging in the hands-on imperative.[12]

Linus Torvalds, one of the leaders of the open source movement (known primarily for developing the Linux kernel), has noted in the book The Hacker Ethic[13] that these principles have evolved from the known Protestant ethics and incorporates the spirits of capitalism, as introduced in the early 20th century by Max Weber.

32.4 Use outside of computing

While using hacker to refer to someone who enjoys playful cleverness is most often applied to computer programmers, it is sometimes used for people who apply the same attitude to other fields.[7] For example, Richard Stallman describes the silent composition 4′33″ by John Cage and the 14th century palindromic three-part piece “Ma Fin Est Mon Commencement” by Guillaume de Machaut as hacks.[14] According to the Jargon File,[8] the word hacker was used in a similar sense among radio amateurs in the 1950s, predating the software hacking community.

The book Inside Narcotics, a semi-clandestine work appearing in 1990 and in its fifth English edition as of 2007 which is a compendium of scientific, historical, and cultural information about the opiates and related drugs and includes historical and scientific research on more than 150 drugs of this type, includes a discussion of the term in its Introduction. After making the above-mentioned distinction betwixt crackers and hackers (“a hacker is simply an autodidact, someone who doesn't feel satisfied with the information spoon-fed to the masses by the grey forces of mediocrity...”) it goes on to say “it is therefore possible to be a phone hacker [ phreaker ], music hacker, sex hacker, drugs hacker, politics hacker, religion hacker...”

32.5 Hack value

Hack value is the notion used by hackers to express that something is worth doing or is interesting.[15] This is something that hackers often feel intuitively about a problem or solution.

An aspect of hack value is performing feats for the sake of showing that they can be done, even if others think it is difficult. Using things in a unique way outside their intended purpose is often perceived as having hack value. Examples are using a dot matrix impact printer to produce musical notes, using a flatbed scanner to take ultra-high-resolution photographs or using an optical mouse as a barcode reader.

A solution or feat has “hack value” if it is done in a way that has finesse, cleverness or brilliance, which makes creativity an essential part of the meaning. For example, picking a difficult lock has hack value; smashing a lock does not. As another example, proving Fermat’s last theorem by linking together most of modern mathematics has hack value; solving a combinatorial problem by exhaustively trying all possibilities does not. Hacking is not using process of elimination to find a solution; it’s the process of finding a clever solution to a problem.

32.6 See also

• Cowboy coding: software development without the use of strict software development methodologies
• Demoscene
• History of free software
• Unix philosophy

32.7 References

[1] TMRC - Hackers
[2] Words to Avoid (or Use with Care) Because They Are Loaded or Confusing (gnu.org)
[3] Gehring, Verna (2004). The Internet In Public Life. Maryland: Rowman & Littlefield Publishers. pp. 43–56. ISBN 0742542335.
[4] The Hacker Community and Ethics: An Interview with Richard M. Stallman, 2002 (gnu.org)
[5] On Hacking (stallman.org)
[6] Richard Stallman: interview as shown in Hackers — Wizards of the Electronic Age
[7] Raymond, Eric (2008-01-08). “How To Become A Hacker”. Thyrsus Enterprises. Retrieved 2008-03-16.

[8] Raymond, Eric, ed. (2003-12-29). “hacker”. Jargon File (version 4.4.7 ed.). Retrieved 2008-03-02.
[9] Internet Users’ Glossary (Request for Comments 1392), January 1993
[10] Definition of “Cracker” in the Jargon File
[11] “The Hacker’s Ethics”. Retrieved 31 August 2011.
[12] Levy, S: “Hackers: Heroes of the Computer Revolution”, Anchor Press/Doubleday, 1984. ISBN 0-385-19195-2
[13] Himanen, Pekka; Linus Torvalds, and Manuel Castells (2001). The Hacker Ethic. Secker & Warburg. ISBN 0-436-20550-5.
[14] Stallman, Richard (2002). “On Hacking”. Retrieved 2008-03-16.
[15] Definition of 'hack value' in the Jargon File

32.8 Further reading

The Jargon File has had a role in acculturating hackers since its origins in 1975. These academic and literary works helped shape the academic hacker subculture:

• Abelson, Hal; Sussman, Gerald Jay. Structure and Interpretation of Computer Programs. London: MIT Press. ISBN 9780070004849.
• Aho; Sethi; Ullman. Compilers: Principles, Techniques, and Tools. Reading, MA: Addison-Wesley. ISBN 9780201100884.
• Bourne, Stephen R. The Unix System. Reading, MA: Addison-Wesley. ISBN 9780201137910.
• Brooks, Fred. The Mythical Man-Month. Reading, MA: Addison-Wesley. ISBN 9780201006506.
• Graham, Paul. Hackers & Painters. Sebastopol, CA: O'Reilly Media. ISBN 9780596006624.
• Hofstadter, Douglas. Gödel, Escher, Bach. New York, NY: Basic Books. ISBN 9780465026852.
• James, Geoffrey. The Tao of Programming. Santa Monica, CA: InfoBooks. ISBN 9780931137075.
• Kernighan, Brian W.; Ritchie, Dennis. The C Programming Language. Englewood Cliffs, NJ: Prentice Hall. ISBN 9780131103702.
• Kidder, Tracy. The Soul of a New Machine. Boston, MA: Little, Brown and Company. ISBN 9780316491709.
• Knuth, Donald. The Art of Computer Programming. Reading, MA: Addison-Wesley. ISBN 9780201038019.
• Levy, Steven. Hackers: Heroes of the Computer Revolution. Garden City, NY: Anchor Press / Doubleday. ISBN 9780385191951.
• Raymond, Eric S. The Cathedral and the Bazaar. Cambridge, MA: O'Reilly Media. ISBN 9781565927247.
• Stoll, Cliff. The Cuckoo’s Egg. New York, NY: Doubleday. ISBN 9780385249461.

32.9 External links

• A Brief History of Hackerdom
• Hack, Hackers, and Hacking (see Appendix A)
• Gabriella Coleman: The Anthropology of Hackers. , 2010.

Chapter 33

Hacker ethic

For the book, see The Hacker Ethic. For uses in computer security hacking, see Hacker (computer security), Hacker Manifesto, and White hat (computer security)

Hacker ethic is a term for the moral values and philosophy that are common in the hacker community. The early hacker culture and resulting philosophy originated at the Massachusetts Institute of Technology (MIT) in the 1950s and 1960s. The term hacker ethic is attributed to journalist Steven Levy as described in his 1984 book titled Hackers: Heroes of the Computer Revolution. The key points within this ethic are access, freedom of information, and improvement to quality of life.

While some tenets of hacker ethic were described in other texts like Computer Lib/Dream Machines (1974) by Ted Nelson, Levy appears to have been the first to document both the philosophy and the founders of the philosophy.

Levy explains that MIT housed an early IBM 704 computer inside the Electronic Accounting Machinery (EAM) room in 1959. This room became the staging grounds for early hackers, as MIT students from the Tech Model Railroad Club sneaked inside the EAM room after hours to attempt programming the 30-ton, 9-foot-tall (2.7 m) computer.

The MIT group defined a hack as a project undertaken or a product built to fulfill some constructive goal, but also with some wild pleasure taken in mere involvement.[1] The term hack arose from MIT lingo, as the word had long been used to describe college pranks that MIT students would regularly devise. However, Levy’s hacker ethic also has often been quoted out of context and misunderstood to refer to hacking as in breaking into computers, and so many sources incorrectly imply that it is describing the ideals of white-hat hackers. However, what Levy is talking about does not necessarily have anything particular to do with computer security, but addresses broader issues.

The hacker ethic was described as a “new way of life, with a philosophy, an ethic and a dream”. However, the elements of the hacker ethic were not openly debated and discussed; rather they were implicitly accepted and silently agreed upon.[2]

The free software movement was born in the early 1980s from followers of the hacker ethic. Its founder, Richard Stallman, is referred to by Steven Levy as “the last true hacker”.[3] Modern hackers who hold true to the hacker ethics—especially the Hands-On Imperative—are usually supporters of free and open source software. This is because free and open source software allows hackers to get access to the source code used to create the software, to allow it to be improved or reused in other projects.

Richard Stallman describes:

  The hacker ethic refers to the feelings of right and wrong, to the ethical ideas this community of people had—that knowledge should be shared with other people who can benefit from it, and that important resources should be utilized rather than wasted.[4]

and states more precisely that hacking (which Stallman defines as playful cleverness) and ethics are two separate issues:

  Just because someone enjoys hacking does not mean he has an ethical commitment to treating other people properly. Some hackers care about ethics—I do, for instance—but that is not part of being a hacker, it is a separate trait. [...] Hacking is not primarily about an ethical issue.
  [...] hacking tends to lead a significant number of hackers to think about ethical questions in a certain way. I would not want to completely deny all connection between hacking and views on ethics.[5]

33.1 The hacker ethics

As Levy summarized in the preface of Hackers, the general tenets or principles of hacker ethic include:[6]

• Sharing
• Openness


• Decentralization
• Free access to computers
• World Improvement

In addition to those principles, Levy also described more specific hacker ethics and beliefs in chapter 2, The Hacker Ethic:[7] The ethics he described in chapter 2 are:

Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!
  Levy is recounting hackers’ abilities to learn and build upon pre-existing ideas and systems. He believes that access gives hackers the opportunity to take things apart, fix, or improve upon them and to learn and understand how they work. This gives them the knowledge to create new and even more interesting things.[8][9] Access aids the expansion of technology.

All information should be free
  Linking directly with the principle of access, information needs to be free for hackers to fix, improve, and reinvent systems. A free exchange of information allows for greater overall creativity.[10] In the hacker viewpoint, any system could benefit from an easy flow of information,[11] a concept known as transparency in the social sciences. As Stallman notes, “free” refers to unrestricted access; it does not refer to price.[12]

Mistrust authority—promote decentralization
  The best way to promote the free exchange of information is to have an open system that presents no boundaries between a hacker and a piece of information or an item of equipment that he needs in his quest for knowledge, improvement, and time on-line.[11] Hackers believe that bureaucracies, whether corporate, government, or university, are flawed systems.

Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position
  Inherent in the hacker ethic is a meritocratic system where superficiality is disregarded in esteem of skill. Levy articulates that criteria such as age, sex, race, position, and qualification are deemed irrelevant within the hacker community.[13] Hacker skill is the ultimate determinant of acceptance. Such a code within the hacker community fosters the advance of hacking and software development. In an example of the hacker ethic of equal opportunity,[14] L Peter Deutsch, a twelve-year-old hacker, was accepted in the TX-0 community, though he was not recognized by non-hacker graduate students.

You can create art and beauty on a computer
  Hackers deeply appreciate innovative techniques which allow programs to perform complicated tasks with few instructions.[15] A program’s code was considered to hold a beauty of its own, having been carefully composed and artfully arranged.[16] Learning to create programs which used the least amount of space almost became a game between the early hackers.[13]

Computers can change your life for the better
  Hackers felt that computers had enriched their lives, given their lives focus, and made their lives adventurous. Hackers regarded computers as Aladdin’s lamps that they could control.[17] They believed that everyone in society could benefit from experiencing such power and that if everyone could interact with computers in the way that hackers did, then the hacker ethic might spread through society and computers would improve the world.[18] The hacker succeeded in turning dreams of endless possibilities into realities. The hacker’s primary object was to teach society that “the world opened up by the computer was a limitless one” (Levy 230:1984)[13]

33.1.1 Sharing

From the early days of modern computing through to the 1970s, it was far more common for computer users to have the freedoms that are provided by an ethic of open sharing and collaboration. Software, including source code, was commonly shared by individuals who used computers. Most companies had a business model based on hardware sales, and provided or bundled the associated software free of charge. According to Levy’s account, sharing was the norm and expected within the non-corporate hacker culture. The principle of sharing stemmed from the open atmosphere and informal access to resources at MIT. During the early days of computers and programming, the hackers at MIT would develop a program and share it with other computer users.

If the hack was deemed particularly good, then the program might be posted on a board somewhere near one of the computers. Other programs that could be built upon it and improved it were saved to tapes and added to a drawer of programs, readily accessible to all the other hackers. At any time, a fellow hacker might reach into the drawer, pick out the program, and begin adding to it or “bumming” it to make it better. Bumming referred to the process of making the code more concise so that more can be done in fewer instructions, saving precious memory for further enhancements.

In the second generation of hackers, sharing was about sharing with the general public in addition to sharing with other hackers. A particular organization of hackers that was concerned with sharing computers with the general public was a group called Community Memory. This group of hackers and idealists put computers in public places for anyone to use. The first community computer was placed outside of Leopold’s Records in Berkeley, California.

Another sharing of resources occurred when Bob Albrecht provided considerable resources for a non-profit organization called the People’s Computer Company (PCC). PCC opened a computer center where anyone could use the computers there for fifty cents per hour.

This second generation practice of sharing contributed to the battles of free and open software. In fact, when Bill Gates' version of BASIC for the Altair was shared among the hacker community, Gates claimed to have lost a considerable sum of money because few users paid for the software. As a result, Gates wrote an Open Letter to Hobbyists.[19][20] This letter was published by several computer magazines and newsletters, most notably that of the Homebrew Computer Club where much of the sharing occurred.

33.1.2 Hands-On Imperative

Many of the principles and tenets of hacker ethic contribute to a common goal: the Hands-On Imperative. As Levy described in Chapter 2, “Hackers believe that essential lessons can be learned about the systems—about the world—from taking things apart, seeing how they work, and using this knowledge to create new and more interesting things.”[21]

Employing the Hands-On Imperative requires free access, open information, and the sharing of knowledge. To a true hacker, if the Hands-On Imperative is restricted, then the ends justify the means to make it unrestricted so that improvements can be made. When these principles are not present, hackers tend to work around them. For example, when the computers at MIT were protected either by physical locks or login programs, the hackers there systematically worked around them in order to have access to the machines. Hackers assumed a “willful blindness” in the pursuit of perfection.[10]

This behavior was not malicious in nature: the MIT hackers did not seek to harm the systems or their users.

Homebrew Computer Club and the People’s Computer Company helped hackers network, collaborate, and share their work.

The concept of community and collaboration is still relevant today, although hackers are no longer limited to collaboration in geographic regions. Now collaboration takes place via the Internet. Eric S. Raymond identifies and explains this conceptual shift in The Cathedral and the Bazaar:[22]

  Before cheap Internet, there were some geographically compact communities where the culture encouraged Weinberg’s egoless programming, and a developer could easily attract a lot of skilled kibitzers and co-developers. Bell Labs, the MIT AI and LCS labs, UC Berkeley: these became the home of innovations that are legendary and still potent.

Raymond also notes that the success of Linux coincided with the wide availability of the World Wide Web. The value of community is still in high practice and use today.

33.2 Levy’s “true hackers”

Levy identifies several “true hackers” who significantly influenced the hacker ethic. Some well-known “true hackers” include:

• John McCarthy: Co-founder of the MIT Artificial Intelligence Lab and Stanford AI Laboratory
• Bill Gosper: Mathematician and hacker
• Richard Greenblatt: Programmer and early designer of LISP machines
• Richard Stallman: Programmer and political activist who is well known for GNU, Emacs and the Free Software Movement
This Levy also identified the “hardware hackers” (the “sec- deeply contrasts with the modern, media-encouraged im- ond generation”, mostly centered in Silicon Valley) and age of hackers who crack secure systems in order to steal the “game hackers” (or the “third generation”). All three information or complete an act of cyber-vandalism. generations of hackers, according to Levy, embodied the principles of the hacker ethic. Some of Levy’s “second- generation” hackers include: 33.1.3 Community and collaboration • Steve Wozniak: One of the founders of Apple Com- Throughout writings about hackers and their work pro- puter cesses, a common value of community and collaboration is present. For example, in Levy’s Hackers, each gen- • Bob Marsh: A designer of the Sol-20 computer eration of hackers had geographically based communi- • Fred Moore: Activist and founder of the Homebrew ties where collaboration and sharing occurred. For the Computer Club hackers at MIT, it was the labs where the computers were running. For the hardware hackers (second gen- • Steve Dompier: Homebrew Computer Club mem- eration) and the game hackers (third generation) the ge- ber and hacker who worked with the early Altair ographic area was centered in Silicon Valley where the 8800 33.5. FOOTNOTES 171

• Lee Felsenstein: A hardware hacker and co-founder • Free software movement of Community Memory and Homebrew Computer • Club; a designer of the Sol-20 computer Free software philosophy

• John Draper: A legendary figure in the computer programming world. He wrote EasyWriter, the first 33.5 Footnotes word processor. [1] Hackers. pg 9 Levy’s “third generation” practitioners of hacker ethic in- clude: [2] Hackers. pg. 26 [3] See the title and content of the Epilogue to Hackers: • John Harris: One of the first programmers hired at Heroes of the Computer Revolution On-Line Systems (which later became Sierra Enter- tainment) [4] MEME 2.04 (1996) [5] The Hacker Community and Ethics: An Interview with • Ken Williams: Along with wife Roberta, founded Richard M. Stallman, 2002 On-Line Systems after working at IBM [6] Hackers, page ix. 33.3 Other descriptions [7] Hackers, pages 26–36. [8] Hackers, p. 226

In 2001, Finnish philosopher Pekka Himanen promoted [9] Hackers, pp 3-36 the hacker ethic in opposition to the Protestant work ethic. In Himanen’s opinion, the hacker ethic is more [10] Hackers. pg 27 closely related to the virtue ethics found in the writings [11] Hackers. pg 28 of Plato and of Aristotle. Himanen explained these ideas in a book, The Hacker Ethic and the Spirit of the Informa- [12] http://faculty.nps.edu/dedennin/publications/ tion Age, with a prologue contributed by Linus Torvalds ConcerningHackers-NCSC.txt and an epilogue by Manuel Castells. [13] Hackers, pp 3–36 In this manifesto, the authors wrote about a hacker ethic centering around passion, hard work, creativity and joy in [14] http://gabriellacoleman.org/biella/ creating software. Both Himanen and Torvalds were in- Coleman-Golub-Hacker-Practice.pdf spired by the Sampo in Finnish mythology. The Sampo, [15] Hackers. pg 31 described in the Kalevala saga, was a magical artifact con- structed by Ilmarinen, the blacksmith god, that brought [16] Hackers. pg 30–31 good fortune to its holder; nobody knows exactly what it was supposed to be. The Sampo has been interpreted in [17] Hackers. pg 33 many ways: a world pillar or world tree, a compass or [18] Hackers. pg 36 astrolabe, a chest containing a treasure, a Byzantine coin die, a decorated Vendel period shield, a Christian relic, [19] Charles Leadbetter (2008). We-Think. Profile Books. etc. Kalevala saga compiler Lönnrot interpreted it to be [20] Fiona Macdonald (12 March 2008). “Get a fair share of a “quern” or mill of some sort that made flour, , and creativity”. Metro. gold out of thin air. [21] Hackers, pages 27–36. The hacker ethic and its wider context can be associated with liberalism and anarchism. [22] “The Social Context of Open-Source Software”. Catb.org. Retrieved 2011-07-01. 33.4 See also 33.6 References • Hacks at the Massachusetts Institute of Technology • Himanen, Pekka (2001). 
The Hacker Ethic and the • Hacker (programmer subculture) Spirit of the Information Age. New York: Random • Hacker (term) House. ISBN 0375505660. OCLC 45393052. • • Tech Model Railroad Club Levy, Steven (2001). Hackers: Heroes of the Com- puter Revolution (updated ed.). New York: Penguin • The Cathedral and the Bazaar Books. ISBN 0141000511. OCLC 47216793. 172 CHAPTER 33. HACKER ETHIC

33.7 Further reading

• Weinberg, Gerald M. (1998–2001). The psychology of computer programming (Silver anniversary ed.). New York: Dorset House Publ. ISBN 978-0-932633-42-2.

33.8 External links

• Gabriella Coleman, an anthropologist at McGill University, studies hacker cultures and has written extensively on the hacker ethic and culture
• Tom Chance’s essay on The Hacker Ethic and Meaningful Work
• Hacker ethic from the Jargon file
• Directory of free software
• ITERATIVE DISCOURSE AND THE FORMATION OF NEW SUBCULTURES by Steve Mizrach describes the hacker terminology, including the term cracker.
• Richard Stallman’s Personal Website
• Is there a Hacker Ethic for 90s Hackers? by Steven Mizrach
• The Hacker’s Ethics by the Cyberpunk Project

33.9 Text and image sources, contributors, and licenses

33.9.1 Text

• Antivirus software Source: http://en.wikipedia.org/wiki/Antivirus%20software?oldid=661991271 Contributors: Bryan Derksen, Zun- dark, Danny, Fubar Obfusco, William Avery, DennisDaniels, Edward, Pnm, Tannin, Tgeorgescu, Minesweeper, CesarB, Ronz, Yaronf, Rlandmann, Whkoh, Stefan-S, Nikai, IMSoP, RickK, Pedant17, Furrykef, Tempshill, Omegatron, Pakaran, Shantavira, Robbot, Chealer, Boffy b, Calimero, RedWolf, Altenmann, KellyCoinGuy, Iaen, Delpino, Lzur, David Gerard, Fabiform, Graeme Bartlett, Laudaka, Eran, Noone~enwiki, Rick Block, AlistairMcMillan, Solipsist, Wmahan, Utcursch, SoWhy, Beland, Piotrus, Cynical, Gscshoyru, TonyW, Ho- bart, Eisnel, Discospinster, Rich Farmbrough, ESkog, JoeSmack, Evice, Aecis, Chungy, PhilHibbs, Sietse Snel, Femto, Perfecto, Stesmo, Longhair, Orbst, Richi, TheProject, Troels Nybo~enwiki, Timsheridan, Hagerman, Alansohn, CyberSkull, Conan, PatrickFisher, Baba- jobu, Stephen Turner, Snowolf, Wtmitchell, Downlode, Rotring, Nightstallion, Umapathy, Woohookitty, Mindmatrix, Armando, Robwing- field, Pol098, Urod, Isnow, Kralizec!, Pictureuploader, Palica, Matturn, Cuvtixo, Kbdank71, Yurik, Ryan Norton, Rjwilmsi, DirkvdM, RainR, FlaBot, JiFish, RexNL, Gurch, DavideAndrea, ChongDae, Born2cycle, Melancholie, Ahunt, Peterl, Gwernol, YurikBot, Wave- length, Borgx, Grizzly37, Wfried, Arado, TheDoober, Piet Delport, SpuriousQ, Akhristov, Claunia, NawlinWiki, Hm2k, Badagnani, Arich- nad, Vlad, Bota47, Bokonon~enwiki, BazookaJoe, GraemeL, Peter, Fourohfour, Hirebrand, Jaysbro, Eptin, robot, Dunxd, Cumbi- agermen, Firewall-guy, SmackBot, Although, JurgenHadley, J7, Dxco, Relaxing, Easygoeasycome, Gilliam, JorgePeixoto, Lakshmin, Gary09202000, Chris the speller, Egladkih, Morte, EncMstr, Jerome Charles Potts, Bigs slb, DHN-bot~enwiki, Uniwares, Darth Panda, Frap, JonHarder, Korinkami, 03vaseyj, SundarBot, Cybercobra, Valenciano, Mwtoews, Ihatetoregister, Oo7jeep, Gobonobo, Capmo, NongBot~enwiki, 16@r, Erotml, Beetstra, Doczilla, Qu4rk, Caiaffa, 
Hu12, DabMachine, SimonD, Phantomnecro, UncleDouggie, Capi- talR, Kirill Chiryasov, Courcelles, Tawkerbot2, FleetCommand, CmdrObot, BENNYSOFT, Jesse Viviano, NaBUru38, Chrisahn, Cydebot, Gogo Dodo, Xxhopingtearsxx, AcceleratorX, Tawkerbot4, Khattab01~enwiki, Ohadgliksman, The Mad Bomber, SpK, Neustradamus, Mikewax, TAG.Odessa, Dimo414, Thijs!bot, Jdivakarla, Leedeth, LemonMan, Saibo, Dalahäst, TurboForce, Dawnseeker2000, Men- tifisto, AntiVandalBot, Sjconrad-mchedrawe, Gökhan, ’s Choice, JAnDbot, Meinsla, MER-C, Tushard mwti, .anacondabot, Raanoo, Penubag, Bongwarrior, Lotusv82, Proland, The Kinslayer, JohnLai, Gomm, Xeolyte, Chris G, DerHexer, Hdt83, MartinBot, STBot, CliffC, FDD, Icenine378, CommonsDelinker, Emilinho~enwiki, J.delanoy, Pharaoh of the Wizards, Dinoguy1000, Public Menace, Jesant13, Tur- bulencepb, Neon white, Ripdog2121, Tokyogirl79, 5theye, Patrickjk, AntiSpamBot, Dougmarlowe, DadaNeem, Pandawelch, White 720, Jamesontai, Idioma-bot, Javeed Safai, Melovfemale, VolkovBot, AlnoktaBOT, Philip Trueman, DoorsAjar, TXiKiBoT, Emedlin1, Muj- dat61, Vipinhari, Technopat, Anonymous Dissident, Qxz, Corvus cornix, LeaveSleaves, Natg 19, Tmalcomv, Haseo9999, C45207, Ngan- tengyuen, LittleBenW, Fredtheflyingfrog, Lonwolve, Wrldwzrd89, Sahilm, Derekcslater, Newspartnergroup, Swaq, Sephiroth storm, Yin- tan, Miremare, Mothmolevna, Jerryobject, Flyer22, PolarBot, Nosferatus2007, Askild, Topicle, OKBot, Plati, Samker, PrimeYoshi, Escape Orbit, Arnos78, Martarius, Tanvir Ahmmed, Leahtwosaints, ClueBot, Kl4m, The Thing That Should Not Be, IceUnshattered, Trotline, Spuernase, Mild Bill Hiccup, Ka vijay, LizardJr8, ChandlerMapBot, Georgest23, Rockfang, DragonBot, Excirial, Socrates2008, Pavix, Tyler, Pladook, Jotterbot, JamieS93, ChrisHodgesUK, DanielPharos, Versus22, Johnuniq, SoxBot III, SF007, Sensiblekid, XLinkBot, Rror, Mavenkatesh, Svarya, HexaChord, Addbot, Xp54321, Wizho, Mortense, Nuno Brito, Softfreak, Sergey AMTL, Vatrena ptica, Cana- dianLinuxUser, 
Fluffernutter, Ankitguptajaipur, Kueensrÿche, NjardarBot, WorldlyWebster, MrOllie, CarsracBot, FluffyWhiteCat, Wom- anitoba, ChenzwBot, Jasper Deng, Mike A Quinn, Tide rolls, Luckas Blade, Teles, Luckas-bot, Yobot, THEN WHO WAS PHONE?, Wonderfl, AnomieBOT, Jim1138, DMWuCg, Roastingpan, Bluerasberry, Materialscientist, Police267, Kalamkaar, Eumolpo, Cameron Scott, Misi91, Avun, XZeroBot, Rwmoekoe, S0aasdf2sf, Frosted14, SassoBot, ReformatMe, Mathonius, VB.NETLover, TheRyan95, Shadowjams, Diablosblizz, Samwb123, G7yunghi, FrescoBot, GunAlchemist, WPANI, Yuyujoke, Mi8ka, HJ Mitchell, Craig Pemberton, Franklin.online2006, Expertour, HamburgerRadio, Redrose64, SuperAntivirus, Marnegro, Pinethicket, HRoestBot, Skyerise, Paulsterne, A8UDI, Ma2001, Kostes32, One666, Seam123, AntonST, Σ, Meaghan, Salvidrim!, Ravensburg13, Cnwilliams, Trappist the monk, Lamar- mote, Miiszmylove, LogAntiLog, Lotje, Wikipandaeng, Vrenator, TBloemink, Neshemah, Diannaa, Hornlitz, Execter, Teenboi001, Mean as custard, RjwilmsiBot, Ripchip Bot, Panda Madrid, Enauspeaker, DASHBot, EmausBot, John of Reading, WikitanvirBot, Immunize, Philtweir, Heracles31, Dinhtuydzao, Ibbn, Ryanxo, Tommy2010, Emenid, Elison2007, Fæ, Mats131, ElationAviation, Makecat, Skyinfo, Yabba67, Rickraptor707, Diflame, ChuispastonBot, Pastore Italy, EdoBot, Kandr8, Petrb, ClueBot NG, Lzeltser, TheKaneDestroyer, Jack Greenmaven, Satellizer, LK20, Dfarrell07, Multiwikiswat, Piyush1992, JuventiniFan, Malijinx, Widr, Hsinghsarao, Joseph843, Helpful Pixie Bot, Dwe0008, HMSSolent, Krenair, Jeza87, Janendra, Arthurnyc, AvocatoBot, Thekillerpenguin, Teksquisite, Irfanshaharuddin, TheMw2Genius, Kremnin, Newmen1020304050, BattyBot, Justincheng12345-bot, JC.Torpey, Divonnais, Farqad, IddiKlu, Nisha1987, Rohaneknathshinde459, Garamond Lethe, JYBot, Dark Silver Crow, Codename Lisa, Cryptodd, Pcguru66, K1ngXSp3c1al, Lugia2453, Kumarworld2, Sourov0000, Seo100, M.R.V model, Gautamcool12, Faizan, I am One of Many, Ryan889, Matt.Sharp98, 
Jakec, Eddymck1, Ashajose0002, Assumelation, Ginsuloft, Quenhitran, Dannyruthe, MetalFusion81, Robevans123, Monkbot, TerryAlex, Xpasindu123, Thetechgirl, Williamahendric, Jacbizer, Puffle7275, Deanwalt123, Rom broke, Drop knowhow, Seanpatrickgray and Anonymous: 645 • Application security Source: http://en.wikipedia.org/wiki/Application%20security?oldid=654320542 Contributors: SimonP, Charles Matthews, Psychonaut, DavidCary, Kravietz, Hillel, AliveFreeHappy, Discospinster, Rhobite, Enric Naval, JYolkowski, Bobrayner, OwenX, Mindmatrix, Halovivek, Vegaswikian, Pseudomonas, Welsh, Tjarrett, Slicing, NielsenGW, Rwwww, Algae, Tyler Oderkirk, SmackBot, Ohnoitsjamie, Frap, JonHarder, IronGargoyle, Iridescent, Sander Säde, Tedmarynicz, OnPatrol, Blackjackmagic, Njan, Aarnold200, Dawnseeker2000, Obiwankenobi, Dman727, Robina Fox, Toutoune25, JLEM, Grabon~enwiki, IronAlloy, JEMLA, DatabACE, Maurice Carbonaro, Maxgleeson, Alanfeld, Philip Trueman, Felmon, Pryderi100, NEUrOO, M4gnum0n, Friendlydata, Dosco, Swtechwr, Wiscoplay, Dcunited, Raysecurity, Paulmnguyen, Dthomsen8, Mitch Ames, Ha runner, Bookbrad, Eheitzman, Jnarvey, Yobot, Fraggle81, Nickbell79, AnomieBOT, Fhuonder, Stationcall, Mwd, FrescoBot, Nageh, Geofhill, Amey.anekar, Hnguyen322, Trappist the monk, Vrenator, Mr.moyal, Super n1c, We hope, ClueBot NG, Widr, RachidBM, BG19bot, MatthewJPJohnson, Swameticul, Xena77, Mdann52, Tohimanshu, Triomio, Isoron27000, Roberto Bagnara, Truehorizon, Securechecker1, Jpickel, MuscleheadNev, Chrisdmiller5, Greenmow and Anonymous: 73 • Backdoor (computing) Source: http://en.wikipedia.org/wiki/Backdoor%20(computing)?oldid=662411634 Contributors: Damian Yer- rick, The Anome, Arvindn, Dwheeler, Wshun, Voidvector, Pnm, Ixfd64, (, Iluvcapra, Ronz, Jebba, Nikai, Ww, Furrykef, Thue, Khym Chanur, Movermover, RedWolf, Lowellian, Danutz, KellyCoinGuy, Tobias Bergemann, David Gerard, Graeme Bartlett, Gtrmp, Fennec, Mintleaf~enwiki, Tom harrison, Leonard G., Kravietz, AlistairMcMillan, Eckhart 
Wörner~enwiki, LiDaobing, Robert Brockway, Am088, Icairns, Ojw, Monkeyman, GoodStuff~enwiki, Rich Farmbrough, FT2, MCBastos, Smyth, CanisRufus, Sietse Snel, Euyyn, Smalljim, Ral315, Kdau, Woohookitty, RHaworth, Flamingspinach, Stefanomione, Scratchy, Marudubshinki, BD2412, Rjwilmsi, Commander, Al- lynfolksjr, RainR, Flarn2006, FlaBot, JiFish, Quuxplusone, Daev, YurikBot, Borgx, Cybercat, Hairy Dude, Gene.arboit, Stephenb, Bul- lzeye, Wiki alf, Matir, Fabulous Creature, Anetode, Vlad, Bota47, Arthur Rubin, Urchin, RealityCheck, Luk, SmackBot, Mmernex, 174 CHAPTER 33. HACKER ETHIC

Ultramandk, KelleyCook, Xaosflux, Nbarth, Lmsilva~enwiki, Bisected8, Wonderstruck, The undertow, SashatoBot, Harryboyles, Xandi, Lee Carre, Doceddi, CWY2190, Tim1988, DumbBOT, Thijs!bot, Oerjan, KeithPenguin, Gioto, Widefox, JAnDbot, V. Szabolcs, VoABot II, Gwern, CliffC, RP88, Axlq, Maurice Carbonaro, Milo03, Daedalus CA, Katalaveno, Berserkerz Crit, KCinDC, Mike V, Bonadea, Ale2006, TXiKiBoT, Baumfreund-FFM, Rei-bot, FironDraak, Xeno8, Rep07, Jroptimus, SieBot, Sephiroth storm, Jojalozzo, Soulweaver, Geoff Plourde, ClueBot, Excirial, Socrates2008, Christopherlmarshall, Zac439, RaceGT, Rhododendrites, DanielPharos, Rror, Black- Death3, Stemaboatlion, Addbot, TIAA Is An Acronym, SDJ, ZX81, Yobot, THEN WHO WAS PHONE?, AnomieBOT, Materialscientist, Jeffrey Mall, Censorship Workaround, A Quest For Knowledge, Aldebrn, FrescoBot, Safinaskar, HamburgerRadio, I dream of horses, Calmer Waters, Full-date unlinking bot, Cnwilliams, Trappist the monk, Rooseycheeksdrown, Reaper Eternal, RjwilmsiBot, Dewritech, Erianna, Schnoatbrax, Nhero2006, ClueBot NG, LeoVeo, Dipankan001, Phoenixia1177, Garamond Lethe, Codename Lisa, Hmainsbot1, Openmikenite, Dr Dinosaur IV, Comp.arch, JadeGuardian, Tqe1999, Monkbot, Hannasnow, Marty-the-Bluetooth, CaseyMillerWiki and Anonymous: 141 • Black hat Source: http://en.wikipedia.org/wiki/Black%20hat?oldid=662699710 Contributors: Berek, Stevertigo, Pnm, Delirium, DropDeadGorgias, Hectorthebat, Dfeuer, Furrykef, Jerzy, PuzzletChung, Chealer, Altenmann, Merovingian, Michael Snow, Pengo, To- bias Bergemann, Aomarks, SWAdair, Golbez, Neilc, R. 
fiend, Quarl, Kiteinthewind, Cynical, Adashiel, Zaf, Mike Rosoft, Sysy, FT2, KevinBot, JoeSmack, FirstPrinciples, Mairi, Bobo192, Army1987, NetBot, John Vandenberg, Flxmghvgvk, BrokenSegue, Adrian~enwiki, Urthogie, Tonei, Mattl, Krellis, Alansohn, SpaceFalcon2001, InShaneee, Cdc, Erik II, Keepsleeping, PMD~enwiki, Jheald, Dominic, H2g2bob, Axeman89, Kaerondaes, Kelly Martin, Simetrical, Mindmatrix, Andrev, Gerbrant, Marudubshinki, Deltabeignet, Dave Cohoe, Vegaswikian, Mycro, Ver, Chobot, David91, YurikBot, Borgx, Retodon8, Kerowren, Stephenb, Wimt, Anomalocaris, Shreshth91, Drag- onHawk, ONEder Boy, RazorICE, Abb3w, OliverSeal, Treevillan, Rsriprac, Mateo LeFou, Dcb1995, Kungfuadam, Kf4bdy, Pandemic, Veinor, SmackBot, Rtc, David.Mestel, NickShaforostoff, CapitalSasha, Sam Pointon, Gilliam, Ohnoitsjamie, Chris the speller, JordeeBec, Ittaskforce, Thumperward, Deli nk, A. B., Chameleons84, Can't sleep, clown will eat me, Frap, Tim Pierce, NaeRey, Shdwfeather, LtPow- ers, Soap, Coastergeekperson04, Robofish, Ironwater, Woer$, Man pl, Chrisch, Beetstra, Peyre, Atakdoug, Emx~enwiki, Colonel Warden, Tar7arus, Dragon Hilord, Fordmadoxfraud, Dept of Alchemy, Mblumber, Abeg92, Lesqual, Dangermus, Editor at Large, Omicronper- sei8, Maziotis, Thijs!bot, Coelacan, Headbomb, NorwegianBlue, Dfrg.msc, AntiVandalBot, Widefox, Dylan Lake, Cowb0y, JAnDbot, Harryzilber, NapoliRoma, Cyberhacker665, Tqbf, Mjhmach5, Penubag, VoABot II, Mbc362, Cyktsui, Japo, $yD!, M8v5, Edward321, MartinBot, Fragment1618, Slash, Huzzlet the bot, Jilsi, Weefun, Katalaveno, Ncmvocalist, DarkBlackHat, SJP, MarzaTax, Dog777, Al- noktaBOT, Bovineboy2008, TXiKiBoT, Asabbagh, Seraphim, Wikiisawesome, VARGUX, Doug, Staka, Longobord, Monty845, Steven Weston, Darkieboy236, SieBot, Whitehatnetizen, One more night, Dawn Bard, Chiroz, Sephiroth storm, Bentogoa, Jc-S0CO, Oxy- moron83, MarkMLl, ClueBot, Engelalber, X3vious, WDavis1911, XsilentforestX, Hafspajen, Otolemur crassicaudatus, Trivialist, Ex- cirial, 
Igorberger, Niteshift36, DamageW, Andrew81446, BOTarate, DanielPharos, Certes, Outkastz, Apparition11, Sensiblekid, Silent- pistol, DumZiBoT, Neuralwarp, Codenaur, Ost316, Addbot, Micahmedia, Iaent, Fluffernutter, Reaper240sx, Jtermaat, Buddha24, Tide rolls, TaBOT-zerem, JamesWallisHunt, Martin-vogel, Ian Kelling, Galoubet, Seoschrijver, ImperatorExercitus, ArthurBot, Ched, Ml- pearc, Pigby, Pradameinhoff, Amaury, Brazilian83, Surv1v4l1st, Durval.menezes, ClickRick, Iamrwc, MastiBot, Turian, Reaper Eternal, ,Satellizer, Brettq42, Mrn5-NJITWILL, MerlIwBot ,احمد الاسمر ,EmausBot, Imperial Monarch, Staszek Lem, Quantumor, ClueBot NG Jack1565, Bigdnn, Johngot and Anonymous: 289 • Black Hat Briefings Source: http://en.wikipedia.org/wiki/Black%20Hat%20Briefings?oldid=644352806 Contributors: Pnm, Julesd, Ao- marks, Sempf, Vsmith, Grifter, Dalm, Kenyon, Woohookitty, Mindmatrix, Myleslong, Vegaswikian, YurikBot, RussBot, Hydrargyrum, Raistolo, Arthur Rubin, Janizary, SmackBot, Haymaker, Deli nk, Cybercobra, Pissant, JoshuaZ, Aeternus, CmdrObot, Angryredplanet, Cydebot, MarS, DumbBOT, SusanLesch, Widefox, Sandwiches99, Wanders1, Dman727, Dricherby, Tqbf, Philip Trueman, Sephiroth storm, Martarius, Trivialist, DanielPharos, XLinkBot, Addbot, Lightbot, Yobot, PimRijkee, Xanablaka, BenzolBot, OMGWEEGEE2, Mean as custard, RjwilmsiBot, Leendert123, Pastore Italy, Morgi669, Twillisjr, BG19bot, And Adoil Descended, Kangaroopower, Mark Arsten, UltimateSupreme, Hypothetical questions, Hackerwithin, Randomname3234234, Deskshasty, XWillZer0x, Macofe, 555Jos, Jes- sicaHofmann, Steveschain, Mike Kabinsky, PosTech and Anonymous: 29 • Botnet Source: http://en.wikipedia.org/wiki/Botnet?oldid=659017039 Contributors: The Anome, Fubar Obfusco, Jtk, DonDaMon, Ed- ward, Pnm, Baylink, Plop, Dean p foster, Julesd, Dynabee, Kaihsu, Pedant17, Furrykef, Tbutzon, Walloon, Alerante, Gtrmp, Rick Block, Gracefool, Khalid hassani, Alvestrand, Ianneub, Moxfyre, Slavik0329, Freakofnurture, Bender235, Dewet, 
RJHall, Tjic, Bobo192, Jjmerelo~enwiki, Kjkolb, Krellis, Hooperbloob, ClementSeveillac, Joolz, BodyTag, InShaneee, Juhtolv, Kusma, BDD, Bsdlogical, Yuriv- ict, Feezo, Simetrical, Woohookitty, Mindmatrix, Carlos Porto, Shello, Mihai Damian, Pol098, CiTrusD, JediKnyghte, Josh Parris, Rjwilmsi, PHenry, Yamamoto Ichiro, FlaBot, Latka, Gurch, Intgr, Zebediah49, Benlisquare, Dadu~enwiki, YurikBot, Wavelength, Kol- lision, StuffOfInterest, The Literate Engineer, NawlinWiki, Mosquitopsu, Scs, Flipjargendy, Romal, Abune, Rurik, Fsiler, Katieh5584, One, SmackBot, Narson, McGeddon, Brick Thrower, KelleyCook, Eiler7, Mcld, Gilliam, Ohnoitsjamie, Chris the speller, Kurykh, Tim- Bentley, Jcc1, Sinicixp, DHN-bot~enwiki, Emurphy42, Jmax-, Can't sleep, clown will eat me, Trinite, Blah2, Mitsuhirato, Frap, Jon- Harder, Hitoride~enwiki, Luno.org, Rockpocket, Kuru, Euchiasmus, Ivucica, Ehheh, Ttul, Dl2000, Hu12, DabMachine, HisSpaceRe- search, Iridescent, Winkydink, KimChee, Powerslide, DavidTangye, Kylu, Dgw, Jesse Viviano, Hserus, RagingR2, Abdullahazzam, Gra- hamrichter, Mzima, Mato, Gogo Dodo, DumbBOT, Optimist on the run, Zokum, Kozuch, Tobias382, Ferris37, Mbell, Ckhung, Aiko, Bobblehead, OrenBochman, Binarybits, Sidasta, Luna Santin, Tohnayy, Luxomni, Lfstevens, Mscullin, SemperSecurus, Husond, Sheitan, Struthious Bandersnatch, Andreas Toth, Magioladitis, VoABot II, Nyttend, Upholder, Boffob, Daniel.birket, Ryan1918, Forensicsguy, Mar- tinBot, SasaMaker, LittleOldMe old, Boston, J.delanoy, EscapingLife, Skiidoo, Eliz81, Milo03, Mtxf, Buhadram, Fomalhaut71, Crakkpot, Jwh335, STBotD, Sbanker, VolkovBot, LokiClock, Franck Dernoncourt, Philip Trueman, TXiKiBoT, Stagefrog2, Brian Helsinki, Lam- byte, Calculuslover800, Ephix, InFAN1ty, C45207, Michael Frind, Logan, Derekcslater, Sephiroth storm, Yintan, Android Mouse, Exert, KoshVorlon, Lightmouse, Dracker, Denisarona, Escape Orbit, The sunder king, Jaimee212, Church, ClueBot, GorillaWarfare, Abhinav, Vacio, Ravivr, Lawrence Cohen, 
Konsumkind, Pwitham, Paul Abrahams, Mild Bill Hiccup, DnetSvg, Dante brevity, Rprpr, Julesbar- bie, Excirial, Gulmammad, Dralokyn, Rhododendrites, SchreiberBike, DanielPharos, D.Cedric, BlueDevil, Herunar, XLinkBot, Dark Mage, Stickee, Little Mountain 5, WikHead, Jadtnr1, A little mollusk, Addbot, Ramu50, A.qarta, Burkestar, Enkrona, Zellfaze, Toth- wolf, Linktopast30, Scientus, MrOllie, Danpoulton, Hintss, Jarble, Luckas-bot, Yobot, Ptbotgourou, AnomieBOT, Jim1138, Yachtsman1, Materialscientist, Hcps-spottsgr, LykMurph, ArthurBot, Quebec99, Xqbot, THWoodman, DataWraith, BebyB, S0aasdf2sf, GrouchoBot, Kyng, Chaheel Riens, W Nowicki, HamburgerRadio, 10metreh, Skyerise, Bugsguy, Pastafarian32, GlowBee, Fishsicles, Stdundon, Lotje, Dragan2~enwiki, Tbhotch, Jfmantis, Onel5969, Liamzebedee, Ripchip Bot, EmausBot, Jackson McArthur, Cmartincaj, Heracles31, Scot- tyBerg, JohnValeron, RenamedUser01302013, K6ka, Marshviperx, Martinibra, Daonguyen95, A930913, H3llBot, Ivhtbr, Erianna, Staszek Lem, TyA, The guy on da moon, Cyberdog958, Schnoatbrax, Shrigley, TravisMunson1993, Whoop whoop pull up, Mjbmrbot, ClueBot NG, Magicman3894, MelbourneStar, Satellizer, Abecedarius, Guive37, Twillisjr, Mgnicholas, Mesoderm, O.Koslowski, Helpful Pixie Bot, Harley16ss, TRANA1-NJITWILL, Lifemaestro, Hewhoamareismyself, Fredo699, Vagobot, DaveB549, Paulbeeb, ElphiBot, MusikAni- mal, Socal212, Affinanti3, Szary89, Zune0112, Jbarre10, Gyvachius, Tetraflexagon, Haleycat, Deimos747, Faisal ALbarrak, Oknitram, 33.9. TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES 175

Chengshuotian, Padenton, Superkc, Waqob, Oneplusnine, Agent766, Axesrotoor, Jakedtc, FrB.TG, Herpingdo, JaconaFrere, Impsswoon, TheEpTic, Jamesmarkchan, AnonArme, Fl4meb0tnet, Professornova, Anotherdaylate, Spagheti and Anonymous: 451 • Computer crime Source: http://en.wikipedia.org/wiki/Computer%20crime?oldid=662636846 Contributors: Damian Yerrick, Freckle- foot, Edward, D, Ixfd64, Sannse, Dori, Ihcoyc, Ronz, Jebba, Darkwind, Andrewa, Julesd, Andres, Kaihsu, GCarty, Ww, Greenrd, Zoicon5, Katana0182, Robbot, ZimZalaBim, Lowellian, Desmay, UtherSRG, Alan Liefting, Everyking, Edcolins, Utcursch, Antandrus, Jorm, Be- land, Joyous!, Ta bu shi da yu, DanielCD, Discospinster, Rich Farmbrough, ArnoldReinhold, Atchom, MarkS, Elwikipedista~enwiki, Nar- cisse, Cmdrjameson, Elipongo, Vishnu vijay, Timmywimmy, ADM, Zachlipton, Alansohn, Arthena, Snowolf, Wtmitchell, L33th4x0rguy, TaintedMustard, Harej, RainbowOfLight, H2g2bob, BlastOButter42, Y0u, Woohookitty, Wikiklrsc, Prashanthns, BD2412, Galwhaa, Josh Parris, Rjwilmsi, Bill37212, Bruce1ee, Bhadani, Amelio Vázquez, Rabreu, Nivix, Gurch, Tieno007~enwiki, Czar, Alphachimp, David91, Bgwhite, Wavelength, Phantomsteve, SpuriousQ, IanManka, Akamad, Stephenb, Markjx, NawlinWiki, Welsh, Renata3, Fool- sWar, Lippard, Zzuuzz, Gtdp, Rurik, CWenger, Tom Morris, Sardanaphalus, Crystallina, SmackBot, Reedy, Stifle, Canthusus, Nil Einne, Gilliam, Skizzik, Jrkagan, Kurykh, JDCMAN, Dimonicquo, Silly rabbit, Octahedron80, Mihairad, Tim Pierce, ConMan, Expugilist, Savi- dan, RolandR, FlyHigh, Prehistoricmaster2, Kuru, Ocee, Shadowlynk, Joffeloff, Kirkoconnell, Barrycarlyon, Beetstra, Invisifan, Hu12, MikeWazowski, Iridescent, Kencf0618, CapitalR, Sim8183, Tawkerbot2, Dlohcierekim, CmdrObot, Ale jrb, JohnCD, Penbat, MrFish, Equendil, Anthonyhcole, DumbBOT, ErrantX, Heathniederee, Epbr123, Mojo Hand, Vertium, Esemono, The Legendary Ranger, Dzu- bint, I already forgot, AntiVandalBot, Oducado, QuiteUnusual, Paste, Joe Schmedley, Oddity-, Wayiran, 
Gilliantayloryoung, JAnDbot, Dustin gayler, Levitica, SiobhanHansa, VoABot II, Maheshkumaryadav, Joellee, Kiwimandy, Edper castro, DerHexer, JaGa, Mahnol, Co- cytus, MartinBot, Lordmyx, Jeannealcid, Jim.henderson, Rhlitonjua, Psychoair, Jerry teps, Bemsor, Nixonmahilum, Tgeairn, JonBurrows, Jmm6f488, Kemiv, Semaja, Reno911, Boxmoor, Neon white, NYCRuss, Vanillagorillas, Tokyogirl79, Turner70, HiLo48, DadaNeem, Olegwiki, Druss666uk, Ja 62, Funandtrvl, Metallicaguy007, VolkovBot, Philip Trueman, MissionInn.Jim, Technopat, Sparkzy, Help- per, Jose figueredo, Sankalpdravid, Qxz, Anna Lincoln, The3stars, Tpk5010, Snowbot, Jlhw, Milan Keršláger, Billinghurst, Enigmaman, Falcon8765, Justmeherenow, Noncompliant one, Cool110110, DeanC81, Yintan, LeadSongDog, Flyer22, Jojalozzo, Iestynpugh, Oxy- moron83, Harry~enwiki, Techman224, Manway, Millstream3, AMbot, Mr. Stradivarius, Barry Jameson, Denisarona, Jons63, Elassint, ClueBot, Kai-Hendrik, Binksternet, The Thing That Should Not Be, Jotag14, Taroaldo, Tomas e, Chris.tripledot, CounterVandalismBot, Niceguyedc, Trivialist, PMDrive1061, Chaserx7, Canis Lupus, Rhododendrites, Imaximax1, Vivon1, Jmaio2, Aleksd, Light show, Agi- lentis, Thingg, PCHS-NJROTC, Aronzak, Johnuniq, MBK-iPhone, BarretB, XLinkBot, Roxy the dog, Gonzonoir, Afpre, Charco2006, Bamford, Addbot, Some jerk on the Internet, Gpershing, MrOllie, Jgkjfdlsgkjd, Fatboy500, PranksterTurtle, Debresser, Favonian, Jay- dec, 5 albert square, Tide rolls, Bultro, Jarble, HerculeBot, Matt.T, Albeiror24, Jackelfive, Ben Ben, Kurtis, Publicly Visible, Luckas-bot, Yobot, Legobot II, II MusLiM HyBRiD II, Mdolphy, KamikazeBot, JackCoke, Lessandmore, IW.HG, Ircpresident, Vörös, Backslash For- wardslash, AnomieBOT, DemocraticLuntz, Kerfuffler, Jim1138, IRP, Darkblazikenex2, NickK, Materialscientist, ArthurBot, Quebec99, Justwiki, Xqbot, JimVC3, Capricorn42, RoodyAlien, Mrc1028, Srich32977, Pradameinhoff, Wikieditor1988, Tankrider, Lior1075, Shad- owjams, FrescoBot, Weyesr1, 
Yashansi, YOKOTA Kuniteru, Blockyeyes, Ka4, Buchana4, Dejan33, Sfafinski, Bobmack89x, Pinethicket, I dream of horses, Gajic32, Professional7, MJ94, Serols, Mentmic, Full-date unlinking bot, Merlion444, FoxBot, Lotje, Callanecc, Vre- nator, Aoidh, Reaper Eternal, ThinkEnemies, Reach Out to the Truth, Minimac, DARTH SIDIOUS 2, Fred11111111, RjwilmsiBot, VernoWhitney, Agent Smith (The Matrix), Becritical, EmausBot, John of Reading, Immunize, Sophie, Angrytoast, Katherine, Dewritech, Minimac’s Clone, RenamedUser01302013, Tommy2010, Wikipelli, Dcirovic, Ida Shaw, Pragnesh89, Josve05a, Michael Essmeyer, Empty Buffer, Forgottenking, Bustermythmonger, EneMsty12, Christina Silverman, Kjg0972, Erianna, Umni2, Donner60, Yulli67, Chuispaston- Bot, Trickmind, Petrb, ClueBot NG, Mechanical digger, Sagaa2010, Gareth Griffith-Jones, AznBurger, Catlemur, 6ii9, Hiral NJITWILL, Widr, Leeaaro4, Helpful Pixie Bot, Aigendon, HMSSolent, Nightenbelle, Markthing Inc., Titodutta, KLBot2, BG19bot, VasundraTaneja, Jhanov1999, Ramesh Ramaiah, FxHVC, Najma El Shelhi, Frze, AvocatoBot, SusanBREN, Metricopolus, Mark Arsten, Lochfyneman, Dainomite, Harizotoh9, MrBill3, Glacialfox, Klilidiplomus, Yasht101, Aisteco, CrimeWeb, Fylbecatulous, Agent 78787, Darylgolden, Riley Huntley, Iristotle, Pratyya Ghosh, Padenton, Khazar2, Abowker, Bamachick20, HelicopterLlama, Lugia2453, Frosty, Metalytics, FrostieFrost, Mason Doering, PinkAmpersand, Greengreengreenred, Dddege, LectriceDuSoir, Reziebear, Glaisher, Bullblade, EdynBliss, Ginsuloft, Quenhitran, Cindy123456, Jnguyenx3, Keatonhouse, M3osol1301, JaconaFrere, Skr15081997, Kacyoconnor14, Lordangel101, Altaythegooner, AKS.9955, Cybersecurity101, Pinklights2323, S166865h, StaceyHutter, Johnc123456, Willhesucceed, Vanyaxd, Juliet- deltalima, Hellys320, Destor918, Lymaniffy, Rishab Elangovan, Guegreen, FormerPatchEditor, Erosen15, Drdebaratiwiki, Dmonshaugen, Airplane Maniac, DebaratiH and Anonymous: 654 • Computer security Source: 
http://en.wikipedia.org/wiki/Computer%20security?oldid=662104568 Contributors: Tobias Hoevekamp, Derek Ross, Tuxisuau, Brion VIBBER, Eloquence, Zardoz, Mav, Robert Merkel, The Anome, Stephen Gilbert, Taw, Arcade~enwiki, Gra- ham Chapman, Dachshund, Arvindn, PierreAbbat, Fubar Obfusco, SimonP, Ben-Zin~enwiki, Ant, Ark~enwiki, Heron, Dwheeler, Chuq, Iorek~enwiki, Frecklefoot, Edward, Michael Hardy, Pnm, Kku, Ixfd64, Dcljr, Dori, Arpingstone, CesarB, Haakon, Ronz, Snoyes, Yaronf, Nikai, Smaffy, Qwert, Mydogategodshat, Jengod, JidGom, Aarontay, Gingekerr, Taxman, Joy, Vaceituno, Khym Chanur, Pakaran, Rob- bot, Yas~enwiki, Fredrik, ZimZalaBim, Rursus, Texture, KellyCoinGuy, 2501~enwiki, Hadal, Tobias Bergemann, David Gerard, Honta, Wolf530, Tom harrison, Dratman, Mike40033, Siroxo, C17GMaster, Matt Crypto, SWAdair, Bobblewik, Wmahan, Mu, Geni, Antan- drus, Beland, Mako098765, CSTAR, GeoGreg, Marc Mongenet, Gscshoyru, Joyous!, Bluefoxicy, Squash, Strbenjr, Mike Rosoft, Kmccoy, Monkeyman, Pyrop, Rich Farmbrough, Rhobite, Leibniz, FT2, Jesper Laisen, ArnoldReinhold, YUL89YYZ, Zarutian, MeltBanana, Sper- ling, Bender235, ZeroOne, Moa3333, JoeSmack, Danakil, Omnifarious, Jensbn, El C, Joanjoc~enwiki, Marcok, Perspective, Spearhead, EurekaLott, Nigelj, Stesmo, Smalljim, Rvera~enwiki, Myria, Adrian~enwiki, Boredzo, ClementSeveillac, JohnyDog, Poweroid, Alansohn, Quiggles, Arthena, Lightdarkness, Cdc, Mrholybrain, Caesura, Gbeeker, Raraoul, Filx, Proton, M3tainfo, Suruena, HenkvD, 2mcm, Wi- kicaz, H2g2bob, Condor33~enwiki, Bsdlogical, Johntex, Dan100, Woohookitty, Daira Hopwood, Al E., Prashanthns, Zhen-Xjell, Palica, Kesla, Vininim, Graham87, Clapaucius, Icey, Sjakkalle, Rjwilmsi, Seidenstud, Koavf, Guyd, DeadlyAssassin, Dookie~enwiki, Edggar, Oblivious, QuickFox, Kazrak, Ddawson, Ligulem, Smtully, Aapo Laitinen, Ground Zero, RexNL, Alvin-cs, BMF81, JonathanFreed, Jmor- gan, J.Ammon, Hall Monitor, Digitalme, Gwernol, FrankTobia, Elfguy, Wavelength, NTBot~enwiki, Alan216, 
StuffOfInterest, Foxxygirltamara, Stephenb, Gaius Cornelius, Ptomes, Morphh, Salsb, Wimt, Bachrach44, AlMac, Irishguy, Albedo, Rmky87, Amcfreely, Romal, Peter Schmiedeskamp, Zzuuzz, Gorgonzilla, Papergrl, Arthur Rubin, Ka-Ping Yee, Juliano, GraemeL, Rlove, JoanneB, Whouk, NeilN, SkerHawx, SmackBot, Mmernex, Tripletmot, Reedy, KnowledgeOfSelf, TestPilot, Kosik, McGeddon, Stretch 135, Ccalvin, Manjunathbhatt, Gilliam, Ohnoitsjamie, Skizzik, Lakshmin, Kurykh, Autarch, Snori, Miquonranger03, Deli nk, Jenny MacKinnon, Kungming2, Jonasyorg, Timothy Clemans, Frap, Ponnampalam, Nixeagle, KevM, JonHarder, Wine Guy, Cpt~enwiki, Krich, Bslede, Richard001, Stor stark7, Newtonlee, Doug Bell, Harryboyles, Kuru, Geoinline, Disavian, Robofish, Joffeloff, Kwestin, Mr. Lefty, Beetstra, Jadams76, Ehheh, Boxflux, Kvng, Chadnibal, Wfgiuliano, Dthvt, IvanLanin, DavidHOzAu, Lcamtuf, CmdrObot, Tional, ShelfSkewed, Michael B. Trausch, Phatom87, Cydebot, Mblumber, Future Perfect at Sunrise, Blackjackmagic, UncleBubba, Gogo Dodo, Anonymi, Anthonyhcole, GRevolution824, Clovis Sangrail, SpK, Njan, Ebyabe, Thijs!bot, Epbr123, The Punk, Kpavery, Wistless, Oarchimondeo, RichardVeryard, EdJohnston, Druiloor, SusanLesch, I already forgot, Sheridbm, AntiVandalBot, Obiwankenobi, Shirt58, Marokwitz, Khhodges, Ellenaz,
Manionc, Chill doubt, Dmerrill, SecurityGuy, JAnDbot, Jimothytrotter, Barek, MER-C, The Transhumanist, Technologyvoices, Tqbf, Dave Nelson, Acroterion, Raanoo, VoABot II, Ukuser, JNW, Michi.bo, Szh~enwiki, Hubbardaie, Arctific, Froid, JXS, AlephGamma, Rohasnagpal, Catgut, WhatamIdoing, Marzooq, Gerrardperrett, Thireus, Devmem, DerHexer, JaGa, Rcseacord, XandroZ, Gwern, SolitaryWolf, CliffC, =JeffH, Sjjupadhyay~enwiki, Bertix, Booker.ercu, J.delanoy, Gam2121, Maurice Carbonaro, Public Menace, Jesant13, Jreferee, JA.Davidson, Katalaveno, Touisiau, Ansh1979, Toon05, Mufka, Largoplazo, Dubhe.sk, YoavD, Bonadea, Red Thrush, RJASE1, Cralar, Javeed Safai, ABF, Wiki-ay, Davidwr, Zifert, Crazypete101, Dictouray, Shanata, Haseo9999, Falcon8765, Pctechbytes, Sapphic, Donnymo, FutureDomain, Smith bruce, Kbrose, JonnyJD, Lxicm, Whitehatnetizen, Jargonexpert, SecurInfos~enwiki, Ml-crest, Immzw4, Sephiroth storm, Graceup, Yuxin19, Agilmore, JohnManuel, Flyer22, Jojalozzo, Riya.agarwal, Corp Vision, Lightmouse, KathrynLybarger, Mscwriter, Soloxide, StaticGull, Capitalismojo, PabloStraub, Rinconsoleao, Denisarona, White Stealth, Ishisaka, WikipedianMarlith, Sfan00 IMG, Elassint, ClueBot, Shonharris, PipepBot, TransporterMan, Supertouch, Add32, Emantras, Tanglewood4, Niceguyedc, Dkontyko, Trivialist, Gordon Ecker, DragonBot, Dwcmsc, Excirial, Socrates2008, Dcampbell30, Moomoo987, Dr-Mx, Rbilesky, DanielPharos, Versus22, HarrivBOT, Fathisules, Raysecurity, XLinkBot, BodhisattvaBot, Solinym, Skarebo, Wingfamily, WikiDao, MystBot, Dsimic, JimWalker67, Addbot, Cst17, MrOllie, Passport90, Favonian, AgadaUrbanit, Tassedethe, Jarble, Ben Ben, Tartarus, Luckas-bot, Yobot, OrgasGirl, The Grumpy Hacker, Librsh, Cyanoa Crylate, Grammaton, THEN WHO WAS PHONE?, Dr Roots, Sweerek, AnomieBOT, JDavis680, Jim1138, Galoubet, Dwayne, Piano non troppo, AdjustShift, Rwhalb, Quantumseven, HRV, Vijay Varadharajan, Materialscientist, Aneah, Stationcall, ArthurBot, Cameron Scott, Intelati,
Securitywiki, Hi878, Coolkidmoa, Zarcillo, Mark Schierbecker, Pradameinhoff, Amaury, George1997, Architectchamp, =Josh.Harris, Shadowjams, President of hittin' that ass, FrescoBot, Bingo-101a, Nageh, Ionutzmovie, Cudwin, Expertour, Intelligentsium, Pinethicket, I dream of horses, Edderso, Access-bb, Yahia.barie, RedBot, MastiBot, Wlalng123, Mentmic, Dac04, Banej, Codemaster32, Tjmannos, Nitesh13579, Lotje, Sumone10154, Arkelweis, Ntlhui, Aoidh, Endpointsecurity, Tbhotch, Jesse V., DARTH SIDIOUS 2, Ripchip Bot, Panda Madrid, DASHBot, Julie188, EmausBot, Timtempleton, Dewritech, Active Banana, P@ddington, Susfele, Dolovis, Cosmoskramer, Alxndrpaz, AvicAWB, Bar-abban, Ocaasi, Solipsys, Tolly4bolly, Sharpie66, DennisIsMe, Veryfoolish, Geohac, ChuispastonBot, Pastore Italy, Tentontunic, Sepersann, Gadgad1973, Rocketrod1960, Jramio, ClueBot NG, AAriel42, Enfcer, Iliketurtlesmeow, Widr, Helpful Pixie Bot, TechGeek70, Curb Chain, Calabe1992, BG19bot, Mollsiebee, M0rphzone, Rubmum, Mohilekedar, Karlomagnus, IraChesterfield, Sburkeel, Zune0112, Venera Seyranyan, Wondervoll, Mihai.scridonesi, Jtlopez, Nfirdosian, Alessandra Napolitano, Wannabemodel, Keeper03, BattyBot, Popescucalin, Arr4, Mrt3366, Khazar2, Peter A.
Wolff, Soulparadox, Ilker Savas, BIG ISSUE LADY, Saturdayswiki, Dexbot, Jmitola, Mogism, Pete Mahen, Lugia2453, Doopbridge, Sbhalotra, SFK2, Arjungiri, Jamesx12345, ElinaSy, Patna01, Dr Dinosaur IV, Pdecalculus, Mbmexpress, Idavies007, RaheemaHussain, Cyberlawjustin, Rkocher, MoHafesji, ResearcherQ, Westonbowden, Peter303x, Karinera, OccultZone, Robevans123, Chima4mani, ClyderRakker46, Jonathan lampe, Jppcap, Leejjung86, Azulfiqar, IrvingCarR, Nyashinski, Monkbot, Nitzy99, Carpalclip3, RicardoBanchez, Owais Khursheed, Oushee, 405Duke, BrettofMoore, Gr3yHatf00l, Thetechgirl, Fimatic, Hchaudh3, AndrewKin, JRPolicy, Pacguy, HVanIderstine, Leeemily, FormerPatchEditor, Pixelized frog, Johngot, Bmore84, Informationsystemgeeks and Anonymous: 674
• Computer worm Source: http://en.wikipedia.org/wiki/Computer%20worm?oldid=661819683 Contributors: LC~enwiki, Brion VIBBER, Mav, The Anome, Stephen Gilbert, Koyaanis Qatsi, Malcolm Farmer, PierreAbbat, Daniel Mahu, Paul~enwiki, Fubar Obfusco, Patrick, Nixdorf, Pnm, Wwwwolf, CesarB, Ahoerstemeier, Cyp, Jebba, Jdforrester, UserGoogol, Andres, Evercat, GCarty, Gamma~enwiki, Dj ansi, Hashar, Agtx, Ww, Dysprosia, Fuzheado, WhisperToMe, Wik, Zoicon5, Furrykef, Dcsohl, Wilinckx~enwiki, Robbot, Naddy, Yosri, Jondel, Seth Ilys, Tobias Bergemann, David Gerard, Alerante, Fennec, Akadruid, Jtg, Noone~enwiki, Eequor, Fanf, Matt Crypto, Just Another Dan, Maximaximax, Gscshoyru, Trafton, Grunt, Monkeyman, Discospinster, Rich Farmbrough, Rhobite, KneeLess, YUL89YYZ, Bender235, ESkog, JoeSmack, RJHall, PhilHibbs, Sietse Snel, DavidSky, Smalljim, MITalum, Sam Korn, Nsaa, Alansohn, Andrewpmk, Jonathanriley, Staeiou, Bsadowski1, Pauli133, Bobrayner, Newnoise~enwiki, Roboshed, Woohookitty, Mindmatrix, Camw, Guy M, TomTheHand, Isnow, Kralizec!, Palica, SqueakBox, Jclemens, Rjwilmsi, Matt.whitby, Syndicate, Mcmvanbree, Nguyen Thanh Quang, RainR, Jwkpiano1, Dan Guan, JiFish, RexNL, Ewlyahoocom, King of Hearts, Pstevens, Daev, Chobot, AFA, Bornhj, DVdm, Mogh, YurikBot, Borgx, Kerowren, Barefootguru, Wimt, Wiki alf, Misza13, DeadEyeArrow, Bota47, Jkelly, WAS 4.250, Dspradau, Rs232, Kungfuadam, GrinBot~enwiki, Asterion, DVD R W, Rahul s55, SmackBot, Mmernex, Aim Here, Gamerzworld, David.Mestel, KelleyCook, Object01, Gilliam, Ohnoitsjamie, Martial Law, Biblioteqa, Bluebot, Snori, Miquonranger03, Pomegranite, DHN-bot~enwiki, Firetrap9254, Anabus, Tsca.bot, NYKevin, Can't sleep, clown will eat me, Yidisheryid, Rrburke, Addshore, Celarnor, Jaimie Henry, James McNally, Richard001, Wirbelwind, Weregerbil, SashatoBot, Ian Dalziel, Nic tan33, Ehheh, Optakeover, Waggers, Vernalex, Woodroar, Iridescent, Jason.grossman, Joseph Solis in Australia, Aeons, Mzub, Tawkerbot2, Dlohcierekim, Chetvorno, Makeemlighter, GHe, Jesse Viviano, Augrunt, Oden, Slazenger, Gogo Dodo, ST47, Luckyherb, Thijs!bot, Epbr123, Luigifan, Powellatlaw, Dawnseeker2000, Mentifisto, AntiVandalBot, Seaphoto, Oducado, Waerloeg, Jenny Wong, Clharker, JAnDbot, Leuko, MER-C, PubliusFL, Coopercmu, Superjag, SteveSims, Yixin1996, Bongwarrior, Rami R, Alekjds, Adrian J.
Hunter, DerHexer, Shuini, Pikolas, S3000, MartinBot, STBot, Ghatziki, Poeloq, Lilac Soul, Bitethesilverbullet, Herbythyme, Imfo, Uncle Dick, Yonidebot, Milo03, Crimson Instigator, Barts1a, Ignatzmice, Demizh, DJ1AM, Juliancolton, Beezhive, CardinalDan, Idioma-bot, Lights, Deor, Hersfold, Jeff G., Philip Trueman, Dindon~enwiki, Zifert, Technopat, Zman2000, Oxfordwang, LeaveSleaves, Tpk5010, BigDunc, RandomXYZb, MDfoo, Falcon8765, Enviroboy, Burntsauce, EJF, Barkeep, SieBot, BotMultichill, Itsme2000, DarkfireInferno, Sephiroth storm, Sat84, Happysailor, Mszegedy, Very cheap, Smaug123, Hello71, Miniapolis, Macy, OKBot, Amrishdubey2005, StaticGull, Mygerardromance, Hamiltondaniel, GioCM, Cellorelio, Minimosher, ClueBot, Traveler100, The Thing That Should Not Be, Lawrence Cohen, Fenwayguy, CrazyChemGuy, Eeekster, Rhododendrites, WalterGR, Dekisugi, DanielPharos, Thingg, Aitias, VIKIPEDIA IS AN ANUS!, XXXSuperSnakeXXX, SoxBot III, Sensiblekid, DumZiBoT, XLinkBot, Skarebo, WikHead, PL290, Noctibus, ZooFari, Jabberwoch, Wnzrf, Addbot, Amanda2423, A.qarta, Fieldday-sunday, Leszek Jańczuk, CactusWriter, MrOllie, Protonk, Chzz, Favonian, Comphelper12, Jasper Deng, Yyaflkaj;fasd;kdfjk, Numbo3-bot, Craigsjones, Tide rolls, Yobot, Amirobot, Nallimbot, Gunnar Hendrich, Tempodivalse, Souch3, A More Perfect Onion, Jim1138, Piano non troppo, Meatabex, Materialscientist, Neurolysis, ArthurBot, MauritsBot, Xqbot, Useingwere, Capricorn42, Avastik, Frosted14, RibotBOT, Ulm, AlanNShapiro, Crackitcert, WPANI, Rossd2oo5, DylanBigbear, HamburgerRadio, Uberian22, Intelligentsium, Pinethicket, I dream of horses, Adlerbot, Subzerobubbles, Lotje, Fox Wilson, Vrenator, Wiwiwiwiwiwiwiwiwiwi, Nattippy99, Adi4094, Reach Out to the Truth, DARTH SIDIOUS 2, Hajatvrc, DASHBot, EmausBot, Orphan Wiki, Gfoley4, Bexz2000, Wikipelli, Fæ, Kalin.KOZHUHAROV, A930913, Tolly4bolly, W163, MonoAV, DennisIsMe, ChuispastonBot, Ziyad en, ClueBot NG, Henry Stanley, Borkificator, O.Koslowski, Widr, Helpful Pixie
Bot, TheTrainEnthusiast, Tobias B. Besemer, Toccata quarta, Mantovanifabiomarco, Glacialfox, Derschueler, Anbu121, BattyBot, Johnthehero, ChrisGualtieri, EagerToddler39, Dexbot, Lal Thangzom, Codename Lisa, Webclient101, Djairhorn, Lugia2453, Jamesx12345, Rossumund, Muhammadbabarzaman, Smilieyss, Ginsuloft, Dannyruthe, JaconaFrere, Satyajeet vit, Gautamnarayan and Anonymous: 497
• Crimeware Source: http://en.wikipedia.org/wiki/Crimeware?oldid=653231321 Contributors: Paul~enwiki, EpiVictor, Niteowlneils, Necrothesp, Trevor MacInnis, Canterbury Tail, MeltBanana, Nabla, Sietse Snel, Saxifrage, Rocastelo, Bluemoose, MarSch, FlaBot, Nihiltres, Common Man, Ali Karbassi, Closedmouth, Alex Ruddick, Katieh5584, Liujiang, SmackBot, BranStark, Poweron, Random name, Cydebot, MarshBot, Lfstevens, Blahbleh, Leuko, Epeefleche, Rmenikoff, GermanX, Tiangua1830, Rhododendrites, DanielPharos, Addbot,
AnomieBOT, IRP, Nosperantos, Cantons-de-l'Est, Pradameinhoff, WPANI, Oldgrowyoung, K6ka, Djr2468, Codename Lisa, Seankclark and Anonymous: 31
• Cryptovirology Source: http://en.wikipedia.org/wiki/Cryptovirology?oldid=654334826 Contributors: Fubar Obfusco, Edward, Ahoerstemeier, Julesd, Bogdangiusca, Palfrey, Ww, Pengo, Matt Crypto, JoeSmack, TheParanoidOne, Riana, Uncle G, Ner102, Rjwilmsi, Ligulem, Quuxplusone, RussBot, Bachrach44, Thiseye, THB, Guinness man, SmackBot, KelleyCook, Ohnoitsjamie, Sspecter, Ligulembot, Waggers, Jesse Viviano, Underpants, Vonbraun~enwiki, Seaphoto, GiM, JAnDbot, Cyda, David Eppstein, Parthasarathy.kr, TreasuryTag, TXiKiBoT, Logan, Adamlucasyoung, Fratrep, Rhododendrites, DanielPharos, Jack Bauer00, MensaDropout, Addbot, Yobot, Citation bot, HamburgerRadio, RjwilmsiBot, ZéroBot, Benjabean1, Daicarus, Iwebsurfer, Hannasnow and Anonymous: 33
• DEF CON Source: http://en.wikipedia.org/wiki/DEF%20CON?oldid=662154207 Contributors: Dreamyshade, Arvindn, Mrwojo, Pnm, Breakpoint, Julesd, Reddi, WhisperToMe, Jose Ramos, Jeffq, TexasDex, Graeme Bartlett, BenFrantzDale, Tom-, Academician, Tim Pritlove, Rdsmith4, Zondor, Eep², Spiko-carpediem~enwiki, ElTyrant, Alexkon, R.123, Bender235, Zscout370, Rcsheets, Evolauxia, BrokenSegue, Johnteslade, Elipongo, Adrian~enwiki, Tygerdsebat, Alyeska, Grifter, Sligocki, Ynhockey, InShaneee, Tom12519, Musicscene, Wtmitchell, Saga City, Guthrie, Kelly Martin, Dalmoz~enwiki, Thivierr, Myleslong, SJanssen, Tabletop, Senda, Marudubshinki, Stromcarlson, Search4Lancer, Rjwilmsi, Vegaswikian, Flydpnkrtn, Eldred, Czar, Daev, Chobot, RussBot, Hydrargyrum, Mipadi, Madcoverboy, Santaduck, Pegship, Raistolo, Arthur Rubin, JQF, Hobx, KnightRider~enwiki, SmackBot, McGeddon, Alex mayorga, InGearX, MJBurrage, А, Cybercobra, CypherXero, Digital Avatar, Marcus Brute, Gloriamarie, Aboutblank, 293.xx.xxx.xx, JoeBot, Cheschire, Wafulz, Neelix, Cydebot, Samuell, MarS, Mmmpie, Themantoblame, Coyets, Credema, Dman727,
JAnDbot, Davewho2, Prosavage2600, Elinruby, Vahokif, Dspencer, Johnpacklambert, Emersoneells, Athaenara, BeŻet, Joshua Issac, Whiteandnerdy52, Praesidium~enwiki, Malik Shabazz, UnicornTapestry, Katydidit, SteveClement, Theamk, UnitedStatesian, Blurpeace, Brianga, Truthanado, SecretaryNotSure, BobDoleFan999, PeterCanthropus, WTucker, Sephiroth storm, CoryWright, Dillard421, Faulknerfan, Cap'n Walker, Startswithj, WurmWoode, Hidro, Dr. Skullthumper, DumZiBoT, Addbot, M.nelson, Buddha24, SpBot, Lightbot, Vegaswikian1, VengeancePrime, דוד55, AnomieBOT, Lennykaufman, LilHelpa, Tollsjo, Keastes, Brutaldeluxe, FrescoBot, LittleWink, 11hpr01, Kurtalden, LoStrangolatore, GoingBatty, Jeffgus, Monterey Bay, Erianna, Leendert123, Kranix, Cuddles 2.0, ClueBot NG, HectorAE, Trunks ishida, Moving Chicane, MusikAnimal, Mdy66, Billie usagi, Zordsthrone, Monkbot, Agent0047, TrumpetPlayer1234567890, Karthik koppolu, Augenblink and Anonymous: 118
• Exploit (computer security) Source: http://en.wikipedia.org/wiki/Exploit%20(computer%20security)?oldid=656732816 Contributors: AxelBoldt, Mav, Aldie, SimonP, Stevertigo, Michael Hardy, TakuyaMurata, Karada, Ronz, Nikai, Smaffy, Rl, Enigmasoldier, Altenmann, Pengo, Alerante, SWAdair, Utcursch, Bluefoxicy, Discospinster, Rich Farmbrough, Pie4all88, Syp, El C, Matteh, Bobo192, La goutte de pluie, Ramsey, Walter Görlitz, Adequate~enwiki, Ringbang, Nuno Tavares, Mindmatrix, Georgia guy, Apokrif, Vargc0, Mindfuq, RainR, FlaBot, Ground Zero, Latka, Arunkoshy, Chobot, KDK, YurikBot, Hydrargyrum, Stephenb, Pseudomonas, Dpakoha, Irishguy, Ugnius, Zwobot, Yudiweb, Raistolo, Papergrl, SmackBot, Pgk, Bomac, BiT, Jerome Charles Potts, Abaddon314159, JonHarder, Sloverlord, Nakon, Tompsci, Pilotguy, Lambiam, Putnamehere3145, LebanonChild, Ehheh, Dreftymac, SkyWalker, Fabio-cots, Skittleys, Omicronpersei8, Ebraminio, Dreaded Walrus, PC Master, Zorro CX, Ghostwo, SpigotMap, Crakkpot, TXiKiBoT, Wolfrock, Jamespolco, Irsdl, Swwiki,
PeterCanthropus, PabloStraub, ClueBot, Excirial, SchreiberBike, DanielPharos, Fathisules, SkyLined, GD 6041, Legobot, Luckas-bot, Amirobot, Nallimbot, Galoubet, ExploITSolutions, ArthurBot, Sionus, Boyrussia, Waterloox, Weltersmith, Pradameinhoff, Erik9, Erik9bot, HamburgerRadio, Guriue, Guriaz, PleaseStand, EmausBot, WikitanvirBot, Dewritech, ZéroBot, IGeMiNix, Pastore Italy, ClueBot NG, Neynt, BG19bot, Who.was.phone, Compfreak7, T2kien, Kelly McDaniel, Shellcode 64, Favone, In Harry Potter We Trust, TragicEnergy, FoxStudios, Pkutuzov314, Potayto, S166865h and Anonymous: 132
• Firewall (computing) Source: http://en.wikipedia.org/wiki/Firewall%20(computing)?oldid=662294626 Contributors: Paul~enwiki, Nealmcb, Michael Hardy, Pnm, Egil, Ahoerstemeier, Copsewood, Haakon, Jebba, Rl, Dcoetzee, Jay, DJ Clayworth, Taxman, Bevo, Topbanana, Joy, Khym Chanur, Robbot, ZimZalaBim, Danutz, Auric, Jondel, Hadal, Diberri, Tobias Bergemann, Pabouk, Giftlite, Yama, Everyking, Rchandra, AlistairMcMillan, Eequor, Matthäus Wander, Wiki Wikardo, DemonThing, Wmahan, Stevietheman, ConradPino, Antandrus, Ricky~enwiki, Mitaphane, Biot, Deewiant, Joyous!, Hax0rw4ng, Asqueella, Mernen, Grand Edgemaster, Monkeyman, Discospinster, Fabioj, Wk muriithi, EliasAlucard, Smyth, YUL89YYZ, Deelkar, DonDiego, Pmetzger, El C, Mwanner, Dols, Spearhead, Linkoman, RoyBoy, Femto, Jpgordon, Bobo192, Smalljim, Enric Naval, Viriditas, Giraffedata, Danski14, Alansohn, Anthony Appleyard, Interiot, Malo, Wtmitchell, Velella, L33th4x0rguy, Rick Sidwell, IMeowbot, Henry W.
Schmitt, TheCoffee, DSatz, Kenyon, Brookie, Zntrip, Andem, Nuno Tavares, Angr, OwenX, Woohookitty, Karnesky, Mindmatrix, Dzordzm, Bazsi~enwiki, Kralizec!, Prashanthns, DESiegel, Turnstep, Ashmoo, Graham87, Chun-hian, Kbdank71, FreplySpang, Jclemens, Rjwilmsi, OneWeirdDude, Eptalon, NeonMerlin, ElKevbo, Sferrier, Dmccreary, Gurch, DevastatorIIC, Intgr, Alphachimp, OpenToppedBus, Ahunt, Marcuswittig, DVdm, FeldBum, Bgwhite, Theymos, YurikBot, Wavelength, Borgx, TexasAndroid, Quentin X, Sceptre, Alan216, MMuzammils, RussBot, Mattgibson, Lincolnite, Piet Delport, Stephenb, Manop, Rsrikanth05, Wimt, Capi, NawlinWiki, ENeville, Trevor1, Rebel, Mortein, Cryptosmith, Jpbowen, Voidxor, Bkil, Zwobot, Bucketsofg, Black Falcon, Mcicogni, CraigB, Nlu, Wknight94, Rwxrwxrwx, Dse, JonnyJinx, Closedmouth, E Wing, Pb30, ILRainyday, Chriswaterguy, Talyian, Cffrost, Anclation~enwiki, Maxamegalon2000, Bswilson, A13ean, SmackBot, Unschool, Rbmcnutt, KnowledgeOfSelf, C.Fred, Od Mishehu, Eskimbot, Vilerage, Info lover, Xaosflux, Gilliam, Ohnoitsjamie, Lakshmin, Bluebot, DStoykov, Jprg1966, Thumperward, Mcj220, Oli Filth, Prasan21, Lubos, Elagatis, DavidChipman, DHN-bot~enwiki, Da Vynci, Anabus, Suicidalhamster, Abaddon314159, Can't sleep, clown will eat me, Frap, Chlewbot, JonHarder, Yorick8080, Fynali, Celarnor, Meandtheshell, Ntolkin, Aldaron, Nachico, Elcasc, HarisM, Skrewz~enwiki, Phoenix314, LeoNomis, FerzenR, Andrei Stroe, Ugur Basak Bot~enwiki, The undertow, Harryboyles, Eldraco, Mattloaf1, Melody Concerto, Beetstra, Boomshadow, Feureau, Peyre, Hu12, Hetar, BranStark, BananaFiend, Jhi247, Robbie Cook, Newone, GDallimore, Pmattos~enwiki, Tawkerbot2, Chetvorno, SkyWalker, JForget, FleetCommand, Ale jrb, Megaboz, JohnCD, Topspinslams, Kgentryjr, Random name, Lazulilasher, WeggeBot, Josemi, Nnp, Equendil, Phatom87, Cydebot, T Houdijk, Mashby, UncleBubba, Gogo Dodo, Tbird1965, Hamzanaqvi, Guitardemon666, Πrate, Omicronpersei8, Thijs!bot, Danhm, Epbr123, Barticus88, Kubanczyk,
Dschrader, Pajz, Randilyn, Simeon H, Marek69, SGGH, Chrisdab, CharlotteWebb, Wai Wai, AntiVandalBot, RoMo37, Davidoff, Purpleslog, Isilanes, Vendettax, LegitimateAndEvenCompelling, Dougher, ShyShocker, DoogieConverted, Dman727, Deadbeef, Acrosser, JAnDbot, Sheridp, MER-C, Seddon, Lucy1981, Tushard mwti, Kjwu, Jahoe, Raanoo, VoABot II, Maheshkumaryadav, Swpb, Djdancy, Hps@hps, Cellspark, Twsx, Dean14, AlephGamma, Gstroot, LeinaD natipaC, Hans Persson, Nposs, Greg Grahame, Just James, DerHexer, Rtouret, Hbent, Jalara, XandroZ, Seba5618, Tommysander, MartinBot, CliffC, LeonTang, R'n'B, Ash, PrestonH, Tgeairn, J.delanoy, NightFalcon90909, Shawniverson, Ans-mo, Jigesh, L'Aquatique, !Darkfire!6'28'14, Molly-in-md, KCinDC, STBotD, Equazcion, Red Thrush, Beezhive, Halmstad, SoCalSuperEagle, Idioma-bot, , Jramsey, Timotab, VolkovBot, Mike.batters, Jeff G., Indubitably, AlnoktaBOT, VasilievVV, Venom8599, Philip Trueman, Apy886, Jackrockstar, Cedric dlb, Ulrichlang, OlavN, Anna Lincoln, Corvus cornix, David.bar, Sanfranman59, Justin20, LeaveSleaves, Seb az86556, Lolsalad, Yk Yk Yk, Phirenzic, Why Not A Duck, Brianga, MrChupon, JasonTWL, EmxBot, Hoods11, SieBot, EQ5afN2M, Jchandlerhall, YonaBot, Sephiroth storm, Yintan, Miremare, Calabraxthis, Milan Kerslager, Android Mouse, Hokiehead, JSpung, Hazawazawaza, Goodyhusband, Doctorfluffy,
Oxymoron83, Nuttycoconut, Tombomp, C'est moi, Mygerardromance, Altzinn, WikiLaurent, Bryon575, Ilpostinouno, Berford, Escape Orbit, Loren.wilton, ClueBot, Rumping, Snigbrook, CorenSearchBot, The Thing That Should Not Be, Jan1nad, SecPHD, Arakunem, Jobeard, Njmanson, Blanchardb, Harland1, ChandlerMapBot, Bencejoful, Jusdafax, Tim874536, Dcampbell30, Estirabot, Shiro jdn, Aurora2698, Peter.C, Mxbuck, Creed1928, ChrisHodgesUK, BOTarate, La Pianista, 9Nak, Aitias, Apparition11, Vanished user uih38riiw4hjlsd, Sensiblekid, DumZiBoT, BarretB, Wordwizz, Gnowor, Booster4324, Gonzonoir, Rror, NellieBly, Badgernet, Alexius08, Noctibus, WikiDao, Thatguyflint, Osarius, Wyatt915, Addbot, Wikialoft, RPHv, Some jerk on the Internet, Captain-tucker, Otisjimmy1, Crazysane, TutterMouse, Lets Enjoy Life, Vishnava, CanadianLinuxUser, Leszek Jańczuk, Sysy909, Cst17, MrOllie, Roseurey, Emailtonaved, Chzz, Debresser, Muheer, LinkFA-Bot, Tide rolls, Lightbot, OlEnglish, Krano, Iune, Bluebusy, WikiDreamer Bot, Shawnj99, Luckas-bot, Yobot, Terronis, Fraggle81, Amirobot, Fightingirishfan, AnomieBOT, JDavis680, Jlavepoze, Tcosta, Killiondude, Jim1138, Gascreed, Piano non troppo, Elieb001, Gc9580, Fahadsadah, Kyleflaherty, Flewis, Materialscientist, Citation bot, Aneah, Neurolysis, Obersachsebot, Xqbot, TheAMmollusc, Duesseljan, Addihockey10, JimVC3, Capricorn42, CoolingGibbon, 4twenty42o, Jmprtice, Ched, GrouchoBot, Backpackadam, Prunesqualer, RibotBOT, SassoBot, EddieNiedzwiecki, Thearcher4, Doulos Christos, =Josh.Harris, Gnuish, Chaheel Riens, Jaraics, Dan6hell66, G7yunghi, Prari, FrescoBot, Nageh, WPANI, Kamathvasudev, Galorr, Smile4ever, Expertour, Lukevenegas, DivineAlpha, Grapht, Pinethicket, I dream of horses, HRoestBot, Meaghan, Richard, MrBenCai, December21st2012Freak, Cougar w, Weylinp, Danshelb, TobeBot, WilliamSun, FunkyBike1, Vrenator, Clarkcj12, Stephenman882, Bangowiki, Mwalsh34, Eponymosity, Tbhotch, Gaiterin, DARTH SIDIOUS 2, Hugger and kisser, Dbrooksgta, Teenboi001,
Aviv007, Regancy42, VernoWhitney, DASHBot, Chuck369, EmausBot, WikitanvirBot, Timtempleton, Super48paul, Solarra, Winner 42, K6ka, Aejr120, Shuipzv3, Athn, Ebrambot, Kandarp.pande.kandy, Sg313d, Cit helper, IntelligentComputer, Rafiwiki, OisinisiO, NTox, Cubbyhouse, Zabanio, DASHBotAV, Sepersann, 28bot, Socialservice, ClueBot NG, AAriel42, Lord Roem, Vakanuvis789, 123Hedgehog456, Vlhsrp, Widr, Debby5.0, HMSSolent, Titodutta, Kanwar47, Wbm1058, Wiki13, Silvrous, Dentalplanlisa, Zune0112, Paulwray97, Nperrakis, Klilidiplomus, Sk8erPrince, Cimorcus, Fastcatz, CGuerrero-NJITWILL, Cvarta, PhilipFoulkes, Dexbot, Sendar, SimonWiseman, Codename Lisa, Avinash7075, Pete Mahen, CaSJer, Jamesx12345, Rob.bosch, VikiED, Palmbeachguy, Epicgenius, Camayoc, Melonkelon, Anupasinha.20, Praemonitus, SamoaBot, EvergreenFir, Indiesingh, Ginsuloft, ScotXW, Harshad1310, Nyashinski, Monkbot, Darshansham, Williamahendric, Jeremy.8910, Kenkutengu, AMLIMSON, Miraclexix and Anonymous: 955
• Grey hat Source: http://en.wikipedia.org/wiki/Grey%20hat?oldid=660988969 Contributors: Nealmcb, Pnm, Samw, Furrykef, Jerzy, Altenmann, Pengo, Tieno, Mboverload, Neilc, Adambondy, KevinBot, NetBot, BrokenSegue, Urthogie, Tonei, NicM, Brookie, Hq3473, Mindmatrix, Stephanspencer, Jannetta, Reisio, Rjwilmsi, Vary, X1011, Greyhat, RussBot, Kerowren, Hydrargyrum, Cryptic, Korny O'Near, Voidxor, Alex43223, Ninly, Mateo LeFou, Rtc, Aurista25, Cronium, Ohnoitsjamie, Skizzik, Cybercobra, Blaufish, Deepred6502, InedibleHulk, Ojan, Dariusofthedark, Amalas, Ilikefood, Smably, Redlock, Neelix, Mato, Alucard (Dr.), Omicronpersei8, Superstuntguy, Gogogoat, AGrobler, Escarbot, Exeltica, Daniel Verity O'Connor, MER-C, PhilKnight, Acroterion, Mjhmach5, Penubag, DerHexer, R'n'B, AlexiusHoratius, J.delanoy, Ian.thomson, BlueGuy213, Znx, Dog777, Speciate, Philip Trueman, Mosmof, Woodsstock, Seraphim, Mcclarke, Michaeldsuarez, Varinyc1, Roxya, Ethyr, Schnurrbart, Sephiroth storm, Flyer22, MinorContributor, Jojalozzo,
Martinlc, Gahenton, JohnnyMrNinja, Shonharris, IceUnshattered, Drmies, Blackvenomx, Plasynins, Andrew81446, Dmyersturnbull, Holothurion, Apparition11, Bearsona, Neuralwarp, The Internet Murderer, Delicious carbuncle, MensaDropout, Addbot, Justallofthem, Mtndew9191, OlEnglish, Yobot, Bathysphere, Kaljtgg, AnomieBOT, ArthurBot, Pradameinhoff, FrescoBot, Amirhmoin, Pinethicket, Jonesey95, Rushbugled13, SiPlus, Steveninspokane, Lotje, Aoidh, Qrsdogg, Wikipelli, Mumbojumbo 101, 413X4ND3R, Ὁ οἶστρος, Ocaasi, Avelino Houed, Cymbelmineer, Bomazi, JohnnyLurg, ClueBot NG, Vacation9, MixwellUSA, Whitehatpeople, Hz.tiang, Mark Arsten, Player017, Xcyss, Unofficialeditor, Blindedhall, Infinitematter, PinkAmpersand, Spacepenguin79102, Whiteneues, Akshay0000, Hhhhherd, Seosolver, Djaussiekid, Usernamebox, Thetechgirl, Dasingamaroos, Sonora Carlos and Anonymous: 117
• Hacker Source: http://en.wikipedia.org/wiki/Hacker?oldid=661021102 Contributors: Damian Yerrick, Lee Daniel Crocker, Bryan Derksen, The Anome, M~enwiki, Frecklefoot, Pnm, GTBacchus, Delirium, Dori, Eric119, Ahoerstemeier, CatherineMunro, Rl, Furrykef, RadicalBender, Friedo, PBS, ZimZalaBim, Altenmann, Pengo, Wiglaf, Pne, Beland, Khaosworks, Plasma east, Bodnotbod, Ojw, RandalSchwartz, Strbenjr, Gazpacho, Mindspillage, Discospinster, Vsmith, Paul August, Night Gyr, ESkog, Jnestorius, Bobo192, Army1987, Longhair, Smalljim, Alansohn, Anthony Appleyard, Andrewpmk, Lectonar, Bart133, Snowolf, Zsero, Wtmitchell, Velella, Dominic, Bsadowski1, Reaverdrop, Redvers, Djsasso, Mindmatrix, David Haslam, ^demon, The Wordsmith, Lkjhgfdsa, Tabletop, Kralizec!, Prashanthns, GSlicer, Mandarax, Graham87, BD2412, Bikeable, Zoz, Sjö, Jake Wartenberg, Alex Nisnevich, Quiddity, PHiZ, MZMcBride, Jehochman, Nandesuka, Ucucha, RLent, D.brodale, Butros, King of Hearts, Chobot, DVdm, Cornellrockey, MishaDynin, Sceptre, Akamad, NawlinWiki, Ejdzej, Irishguy, Fantusta, Abb3w, Mikeblas, Leontes, Figaro, Darkfred, Hosterweis,
Closedmouth, KGasso, DGaw, KristofferLunden, Wainstead, Katieh5584, DesignExplosion, DVD R W, Pandemic, Mmernex, Rtc, Freekee, Davewild, WookieInHeat, Canthusus, Yamaguchi, Gilliam, Ohnoitsjamie, Richfife, Rmosler2100, Sviemeister, Chris the speller, CISSP Researcher, Persian Poet Gal, Thumperward, SchfiftyThree, Deli nk, Nazgjunk, Shalom Yechiel, Onorem, Lobner, Adamantios, Khoikhoi, COMPFUNK2, Jmlk17, MatthewDaly, Al Fecund, Cybercobra, Blake-, Shadow1, Derek R Bullamore, The PIPE, DMacks, Copysan, Madeleine Price Ball, Cast, ArglebargleIV, Dwpaul, Dark Formal, Viciousalloy, IronGargoyle, 16@r, Loadmaster, Waggers, Anonymous anonymous, Iridescent, Colonel Warden, Shoeofdeath, Majora4, Lazeo, Tawkerbot2, Joshuagross, Owen214, INkubusse, BeenAroundAWhile, Lentower, T23c, Neelix, Montanabw, Sebastian789, Cahk, Mato, SyntaxError55, Gogo Dodo, Travelbird, Foofish, Wo0t, Christian75, DumbBOT, Njan, Btharper1221, ForbiddenWord, TheHumanhalo, Thijs!bot, Epbr123, Daa89563, Marek69, James086, Chet nc, Lithpiperpilot, SusanLesch, Cyclonenim, Luna Santin, Seaphoto, Quintote, LDGE, Xenix~enwiki, Coyets, Vivek singh1200, Farosdaughter, Daniel Verity O'Connor, Manishf1, Res2216firestar, MER-C, Robina Fox, Acroterion, Bongwarrior, VoABot II, Utilly, Froid, Avicennasis, MGD11, Testla, Cpl Syx, DerHexer, Esanchez7587, L3th4l, ZOMG Zombies, S3000, AVRS, Meamvagabond, CliffC, Anaxial, R'n'B, EdBever, J.delanoy, Pharaoh of the Wizards, Timmccloud, Uncle Dick, Extransit, Jerry, Zg, MakotoSaruwatari, Katalaveno, SHTR, LordAnubisBOT, Ncmvocalist, NewEnglandYankee, Zerokitsune, SJP, Bonadea, Funandtrvl, Xnuala, Wikieditor06, VolkovBot, CWii, Irene Ringworm, Leebo, Boris242, Indubitably, Thenthornthing, Philip Trueman, Dchmelik, TXiKiBoT, Technopat, Someguy1221, Tobyreynolds, Lradrama, BotKung, Maxim, VARGUX, Enigmaman, Haseo9999, Wolfrock, Loznjes, Tomaxer, Sylent, Vchimpanzee, HiDrNick, Hazel77, NHRHS2010, Sayosayo~enwiki, EJF, Ttony21, Tresiden, Tiddly Tom, Caulde,
AlphaPyro, Jauerback, Dawn Bard, Caltas, Sephiroth storm, Falcofire, Bentogoa, Happysailor, Radon210, Oda Mari, Oxymoron83, Lisatwo, Bandi669, Kgkian, WordsExpert, Denisarona, Escape Orbit, Faithlessthewonderboy, ClueBot, Smart Viral, Deviator13, GorillaWarfare, The Thing That Should Not Be, Rjd0060, Mild Bill Hiccup, LukeShu, SuperHamster, Boing! said Zebedee, Blanchardb, Neverquick, Auntof6, Alan dx, Adrian lopez, OneCoolKid, Excirial, PixelBot, Eeekster, Abrech, GreenGourd, Willdgiles, Andrew81446, Skytreader, CowboySpartan, Xxyt4n2, Mormon17, Troelssj, La Pianista, Cold Phoenix, Jpearson72, Versus22, Gooey0037, Johnuniq, NeVic1, XLinkBot, Rror, Hackersmalta, Mitch Ames, Skarebo, PL290, Alexius08, RyanCross, HexaChord, AlioTheFool, Addbot, Goon111113, Bubbaraid, Jojhutton, Tcncv, Tpjarman, Doesthiscount, TutterMouse, Abhay1120, OO0saj0Oo, CanadianLinuxUser, Cst17, MrOllie, Glane23, Ld100, Debresser, Roux, Favonian, Bgalla01, Tassedethe, Tide rolls, Krano, Jarble, N0ths, Frehley, Yobot, Tohd8BohaithuGh1, Hacker11012929348, Bigtophat, THEN WHO WAS PHONE?, InvestExp, Jim1138, IRP, Kingpin13, Wikipeeeeedia, Materialscientist, Pipolol, Waterjuice, GB fan, Quebec99,
Haxyourmom, Capricorn42, Hakcers r us, Jeffrey Mall, HavikRyan, FuturePrefect, Sagber, Leagirl95, GrouchoBot, Amaury, Der Falke, Shadowjams, AnDixx, Griffinofwales, Who then was a gentleman?, Custoo, FrescoBot, Liquidluck, Caveman101, Destroyerman22, Recognizance, Wizer121, Alxeedo, Jpistofast, Finalius, Mikemaximum33, Dethcircle, Norsehorse89, Srijan89, Pinethicket, Jschnur, Serols, Pwnmonster, Ansarkp123, Wadders199, ShowEXP, Yunshui, Codylonsdale, LogAntiLog, Slumvillage13, Lotje, Gdi2290, Vrenator, Nhybgtvfrcdexswzaq, Specs112, Fastilysock, DARTH SIDIOUS 2, Mean as custard, The Utahraptor, Bento00, NerdyScienceDude, Vinnyzz, Petux7, Katherine, Nailer111, Wikipelli, K6ka, ZéroBot, Bollyjeff, 5rdx6tfc, AndrewN, Wayne Slam, OnePt618, L Kensington, Kishee4, MaGa, Ferhatcitil, Donner60, Mcis101, Forever Dusk, DASHBotAV, 28bot, Rocketrod1960, Ben is a fail, Petrb, ClueBot NG, Chetrasho, MelbourneStar, This lousy T-shirt, Alexajju, Kro-Kite, Satellizer, RadaVarshavskaya, Lukeno94, Cntras, Muon, EditAce, Widr, Electriccatfish2, 2001:db8, WNYY98, Eeik5150, Zhaynes123, Official Spokesman, Mark Arsten, Rashin3132, AnonyDentified, Altaïr, Mottengott, Dllecter, Snow Blizzard, Camarones12, Jpw177, Fluxboy6789, MarkHennessy, Mewhho18, Calebcrusco, Buechlein, Klilidiplomus, Iloveyoubuhh, Abgelcartel, Tutelary, Pratyya Ghosh, Arr4, Imamurdera, Mediran, MadGuy7023, Aditya sain, Hackstorix1000, Webclient101, VampireProject23, Neoheurist, Frosty, Jamesx12345, Hungrypillow, Zdarm, Hnfiurgds, Lego99, Red-eyed demon, Giansol, Qiyue2001, Cadab321, Eyesnore, Tentinator, Yuvanselva, Zhir Slemany, Lee Tru., Zangraravi, DJ TUeRIO SET, Babitaarora, Camo335XD, HackersExposed, Ginsuloft, Manul, Techi 2013, Abdale Mohamed, VeryCrocker, Thomas22865, Crow, Tyty505, Hosen1991, Vieque, Sherlock502, NATHANWASHERE2014, Bckingofkings, Biblioworm, 65440ahq7, Ghamnadaram, Dracomalfoy3, Idospa, Yxcker, Mushfiqa Ayesha, SEZDRX, Deanthomps, Suryansh gr, Khem kd, Sandra zavala, AmandaWhyte99,
Xtreme PJ, Swiftor says stab, RubaZatar, Deunanknute, VenturesClassic, REPTILE HT, I like porto, PokemonMaster48, Malic0usploit9011, Aziz142036, The Arfmeow, Cool10299, Abrahem.alobra, Deadsec333 and Anonymous: 641

• Hacker (computer security) Source: http://en.wikipedia.org/wiki/Hacker%20(computer%20security)?oldid=657126582 Contributors: The Anome, , Fred Bauder, Pnm, HarmonicSphere, Ronz, Jebba, Darkwind, Charles Matthews, Andrewman327, Topbanana, Chuunen Baka, ZimZalaBim, Academic Challenger, Michael Snow, Pengo, Marcika, Tieno, Mckaysalisbury, OverlordQ, DragonflySixtyseven, AndrewKeenanRichardson, CesarFelipe, Joyous!, Mike Rosoft, Freakofnurture, Discospinster, Rich Farmbrough, Qutezuce, Thedangerouskitchen, ESkog, MisterSheik, MBisanz, Aude, Adambro, Bobo192, Army1987, Smalljim, Duk, Adrian~enwiki, Wrs1864, Storm Rider, Alansohn, Tek022, Arthena, Diego Moya, Howrealisreal, Mysdaao, Zsero, Wtmitchell, Velella, Crystalllized, H2g2bob, BlastOButter42, Mahanga, Kelly Martin, Woohookitty, Mindmatrix, TigerShark, Unixer, NeoChaosX, WadeSimMiser, Tckma, MONGO, Waldir, Xiong Chiamiov, SqueakBox, Graham87, Jclemens, Icey, Ketiltrout, Rjwilmsi, ElKevbo, Jehochman, Ghepeu, The wub, DoubleBlue, FayssalF, RexNL, Intgr, SpectrumDT, Coolhawks88, Celebere, David91, DVdm, Gwernol, YurikBot, Wavelength, RussBot, TheDoober, SpuriousQ, Hydrargyrum, Gaius Cornelius, Rsrikanth05, Pseudomonas, NawlinWiki, Xkeeper, Bachrach44, Grafen, Deskana, DarthVader, Ejdzej, Thiseye, Irishguy, Abb3w, RUL3R, Gigor, Nate1481, Bucketsofg, DeadEyeArrow, Kewp, Kakero, Alpha 4615, Intershark, Zzuuzz, Arthur Rubin, Josh3580, Dspradau, Dcb1995, Whaa?, Tall Midget, SmackBot, Rtc, Maelwys, Hydrogen Iodide, Jacek Kendysz, Davewild, KVDP, KelleyCook, AnOddName, Bburton, Edgar181, Yamaguchi, Zvonsully, Gilliam, Hmains, Oscarthecat, Rmosler2100, Tytrain, Chris the speller, Bluebot, Kurykh, MK8, Droll, Gutworth, Swiftdr, Mark7-2, Kungming2, Farry, Yunaffx, Wisden17, Butterboy, Pegua, Tsca.bot, SheeEttin, Onorem, JonHarder, Mos4567, Addshore, Khoikhoi, Fuhghettaboutit, Cybercobra, Nakon, Weregerbil, WikiMASTA, Antipode, Ligulembot, Vic93, Rory096, Zymurgy, Harryboyles, Microchip08, Acidburn24m, Grimhim,
Gobonobo, Erhik, Mgiganteus1, Ben Moore, A. Parrot, Othtim, Slakr, Ehheh, Hu12, Swotboy2000, BananaFiend, Iridescent, Twas Now, Nfutvol, Igoldste, Beno1000, Sbbpff, Courcelles, Tawkerbot2, CYRAX, TheHorseCollector, JForget, GeneralIroh, Paulmlieberman, Tanthalas39, Randhirreddy, Sir Vicious, Taimy, Neelix, Fordmadoxfraud, Unmitigated Success, Nauticashades, Mblumber, Ryan, Anthony62490, Gogo Dodo, Anthonyhcole, ST47, Brianpie, Ameliorate!, Njan, Omicronpersei8, Kokey, Maziotis, Pipatron, Click23, Thijs!bot, Alexmunroe, Epbr123, Kubanczyk, Ishdarian, PierceG, Marek69, NorwegianBlue, Cdf333fad3a, Pogogunner, Nick Number, Porqin, KrakatoaKatie, AntiVandalBot, BokicaK, Luna Santin, Seaphoto, Nickrj, QuiteUnusual, Jj137, Deadbeef, Leuko, MER-C, Skomorokh, CosineKitty, Davman1510, Hexatron2006, Tqbf, Acroterion, Propaniac, Meeples, Pigmietheclub, Hroðulf, Bongwarrior, VoABot II, JamesBWatson, Wikichesswoman, Digital Pyro, Jvhertum, Evaunit666, Animum, Mukesh2006, Allstarecho, JonWinge, DerHexer, Atulsnischal, MartinBot, Comperr, R'n'B, Brothejr, Terafox, ArcAngel, Ash, Tgeairn, Manticore, J.delanoy, Pharaoh of the Wizards, Trusilver, Grim Revenant, Rekrutacja, Bogey97, Tikiwont, Adamryanlee, Vanished user 342562, Footballfan42892, Kudpung, Dipu2susant, Katalaveno, Crakkpot, Xython, SJP, Touch Of Light, Toon05, KylieTastic, Juliancolton, Cometstyles, Atsinganoi, Rising*From*Ashes, Bonadea, Useight, JohnDoe0007, SoCalSuperEagle, Dark-Dragon847, Funandtrvl, Hchoe, Jeff G., Indubitably, Robertobaroni, Danbloch, Delivi, Philip Trueman, Fran Rogers, Tense, Technopat, MrFirewall, KillerBl8, Someguy1221, Nicopresto, Lradrama, Zimbardo Cookie Experiment, Martin451, Slysplace, PaulTanenbaum, Seb az86556, Snowbot, Roo556, Benedictaddis, Doug, Haseo9999, Staka, Meters, Qlid, Turgan, Indexum, PokeYourHeadOff, Howlingmadhowie, Horrorlemon, Jwray, Work permit, Scarian, Dawn Bard, Caltas, SecurInfos~enwiki, Triwbe, Mnbitar, Ml-crest, Sephiroth storm, Yintan, JoeMaster, Quest for 
Truth, Flyer22, Jasgrider, Bdorsett, Redmarkviolinist, Oxymoron83, Faradayplank, Nuttycoconut, Jameshacksu, Poindexter Propellerhead, Hobartimus, Aiden Fisher, Ustad24, Denisarona, Darkspin, Nokeyplc, Loren.wilton, Martarius, Elassint, ClueBot, WilliamRoper, Jackollie, The Thing That Should Not Be, T.Neo, Ndenison, Taroaldo, Adrianwn, TheOldJacobite, Boing! said Zebedee, Hafspajen, Halod~enwiki, Krazekidder, Blanchardb, Ottawahitech, Stayman Apple, Sv1xv, Kitsunegami, Excirial, Bedwanimas214, Encyclopedia77, BigChris044, AWoodland, KnowledgeBased, SpikeToronto, Rhododendrites, AndyFielding, Morel, SchreiberBike, Knowz, Ottawa4ever, Thehelpfulone, DanielPharos, Thingg, Error −128, Andponomarev, Aitias, Versus22, Hans Kamp, SoxBot III, Egmontaz, Apparition11, SF007, Glacier Wolf, DumZiBoT, Lolimahaxu, BarretB, AlanM1, Angelafirstone, XLinkBot, Armeyno, Rayzoy, Fastily, RebirthThom, Xena-mil, Avoided, Mitch Ames, Condra, PL290, Badgernet, Noctibus, Speddie2, Ipwnz, Mounlolol, Hannibal14, RyanCross, Nolan130323, Bookbrad, Fat4lerr0r, Creepymortal, Zeeshaanmohd, Landon1980, Nallen20, Tpjarman, IXavier, Grandscribe, Vatrena ptica, Jncraton, Mr. 
Wheely Guy, Computerhackr, A1b1c1d1e1, CanadianLinuxUser, Fluffernutter, Asphatasawhale, MrOllie, Mentisock, Proxima Centauri, FerrousTigrus, Vonvin, Freqsh0, Dan Brown456, Glane23, Danbrown666, FCSundae, Favonian, 5 albert square, Tyw7, Japonca, Imanoob69, Im anoob68, Hudy23, Tide rolls, OlEnglish, RaidX, ברי"א, Khawar.nehal, CRYSIS UK, Jarble, Ladanme, Lolhaxxzor, Frehley, Ben Ben, Publicly Visible, HTS3000, Yobot, WikiDan61, Aubwie, Fraggle81, Sdtte345, Doctor who9393, THEN WHO WAS PHONE?, Hackistory, Br33z3r, UncleanSpirit, 007exterminator, Daniel 1992, Evilmindwizard, Tempodivalse, Surya.4me, Retro00064, AnomieBOT, Andrewrp, Holyjoely, DemocraticLuntz, Noq, Jim1138, Gyakusatsu99, AdjustShift, Kingpin13, Ulric1313, RandomAct, Materialscientist, Limideen, ImperatorExercitus, DogPog1, Danno uk, Citation bot, Aneah, Object404, Waterjuice, GB fan, Ammubhave, Xf21, JimVC3, Capricorn42, Nivekcizia, Delmundo.averganzado, Jmundo, Mzinzi, Martychamberlain, Raganaut, Steaphan Greene, Mccleskeygenius10, Abce2, Frosted14, VanHelsing23, 7OA, Pradameinhoff, Mathonius, Raptor1135, Alex60466176, Shadowjams, Axonizer, Erik9, A.amitkumar, Voatsap, Haxor000, Satanthemodifier, K-lhc, Ravyr, FrescoBot, Amirhmoin, Michael93555, Recognizance, XxtofreashxX, Jersey92, Dejan33, Cannolis, Killian441, ChadWardenz, I dream of horses, HRoestBot, Spidey104, MHPSM, Achraf52, Sweetpaseo, Nickgonzo23, SpaceFlight89, Yutsi, Σ, Cathy Richards, IAnalyst, KayinDawg, White Shadows, Winsock, Jaybhanderi, Chris5858, SchreyP, Strobelight Seduction, Slumvillage13, Searine, Lotje, Callanecc, Fox Wilson, Vrenator, Yong, Bluefist, Allen4names, Aoidh, Reaper Eternal, Acatyes, Specs112, Lilnik96, Tbhotch, Reach Out to the Truth, Minimac, DARTH SIDIOUS 2, Jfmantis, Mean as custard, RjwilmsiBot, Mrdifferentadams, Agent Smith (The Matrix), Skamecrazy123, Rollins83, DASHBot, Koppapa, EmausBot, John of Reading, Orphan Wiki, JCRules, Dewritech, GoingBatty, RA0808, RenamedUser01302013, Computerwizkid991, Iamahaxor, Tommy2010, Elvenmuse, Wikipelli, K6ka, Thecheesykid, AvicBot, Tranhungnghiep, Fæ, Josve05a, Mr.honwer, Ὁ οἶστρος, A930913, Script-wolfey, Mukslove, H3llBot, Wikfr, Cymru.lass, Robotdantheman, XeroJavelin, Aviator702-njitwill, DarkFalcon04, Gray eyes, Sayros, Deutschgirl, Donner60, Pre101, Ranga42, Wipsenade, Bomazi, Mcc1789, Craxmilian, Hmcc10, GrayFullbuster, Sven Manguard, Rmashhadi, Rocketrod1960, Akasosetutza, Whoop whoop pull up, Socialservice, Vanished user ij3rnfkmclk3tkj4ncknefkjnadmcnbgrju, ClueBot NG, Smtchahal, WIERDGREENMAN, Headchopperz, Bigfatradish, WEBHTW, Jeff Song, MelbourneStar, Kro-Kite, A520, Decepticon1, Ezzk, Narracan3824, Tonersa, Afpropm, Frietjes, Mrn5-NJITWILL, Muon, Mesoderm, Widr, Argionember, דיסקוברי, Helpful Pixie Bot, Augiecalisi, Bigwalter54, HMSSolent, The Elven Shadow, Cas CS, Whitehatpeople, Lowercase sigmabot, BG19bot, FAROOQBUTT2015, Sharkselva, Bausshackerhf, Sibidharan, Kennydo, MadHaTTer666, Rsotillo, Mybenyboy, Ajith P V, ExdeathSoul, Paganinip, Mourt1234, AwamerT, Mark Arsten, Khaosfarrow, Xcyss, Royalle, Sandmanchang, General lee awesome, Savrose, Mrk28-NJITWILL, Zdrft, Sachinaditya5, Kizar, Insidiae, Pkbaughman, Cbellalmr, Achowat, Hackerxz13, Guanaco55, Abgelcartel, Codenamezuck, 2EChO, IamkenIT, Mala maju, Malqbi, Nohus, Hibye12345678910, Mediran, Gagan sedulity, Kaeza, Jacobsipod, Jon.weldon, Austin170, Pincode84, Zak123456789, To-man, Stefano Vincenzi, AutomaticStrikeout, EagerToddler39, Danishfareed, Codename Lisa, Webclient101, Lorenzozandoli98, RazrRekr201, K8steve, Faceashbook, Knuckles352, Ejoe91, SaltyKrackafag, Cubita linda, WikiEXBOB, Infinitematter, Nazanin8804023, Ydnom89, Numbermaniac, Bathtub41, Frosty, Little green rosetta, 93, Piyushratnu, Superboy 1989, Max Stardust, Telfordbuck, St.andrewstroll, Dnasuffix, SmartyPantsKid, 
Zdarm, Ashikali1607, Esmael001, Crydizzy, ProtossPylon, Risraeloff, Tentinator, Anonyseb13, Lolnoiedit, Geforsen, Arun vasan, Cfr robot, Ozuru, Balles2601, Jenselby, Crou, Hippiman36, Ginsuloft, Hacker Exploits, S Kaushik wiki, Simius narrans, MrLinkinPark333, Manul, Techi 2013, Dhhacks, Nickturner A$AP, WikiJuggernaut, Crenshawblackhat, KodojoDragon, Bshupe626, Vahidxaker, Akshay0000, Tathavms, Ethically Yours, Thrasherrdesigns, Hack3rzgethacked, Adeemjan666, Chimpgod, Monkbot, MightyHypnoToad, Magicwalrus69, Adogake, VACyber, BethNaught, Ipsdix, Person1928, Josephchenlin, NJMcrp1990, Isaiahs825, Nikhitagupta415, Mo5254, Ranjeet.yadav8563, Amortias, Dracomalfoy3, ROMAN JERRY, EDITOR2003, Ayush dhiman 272, SEZDRX, Jezzardloffler24, HexOp, UnpredictablePrashant, Momin Sohail, Therealinfosystir, XXGerry AdamsXx, Nikigreen02, Bhuwnesh.joshi2014, NAVNEET AGRAWAL GORAI, Esquivalience, Anonymous6767, ShpetimRacaj, Gs5star, Pyrotle, W33svm, Miguel ATW, ParadoxLuLz, Shin0bih4x0r, Dawave0, Johngot and Anonymous: 1256

• Hacker (term) Source: http://en.wikipedia.org/wiki/Hacker%20(term)?oldid=662648558 Contributors: Damian Yerrick, TwoOneTwo, The Cunctator, Derek Ross, LC~enwiki, Brion VIBBER, Mav, Timo Honkasalo, The Anome, Taw, Jzcool, Rjstott, Ed Poor, Wayne Hardman, Enchanter, Little guru, Ortolan88, Merphant, TomCerul, Arj, Ryguasu, B4hand, Erwan~enwiki, Modemac, Gpietsch, Elian, Edward, Ghyll~enwiki, PhilipMW, Michael Hardy, Modster, Cprompt, Voidvector, Blueshade, Pnm, Kpearce, MartinHarper, Wapcaplet, Ixfd64, Eurleif, GTBacchus, Dori, (, CesarB, Ams80, Ahoerstemeier, Ronz, Nanshu, Docu, William M. Connolley, Baylink, Snoyes, Angela, Jebba, Kingturtle, Salsa Shark, Bogdangiusca, Cyan, Kirun, Cimon Avaro, Med, Rob Hooft, KayEss, Schneelocke, Samnse, Ehn, Ylbissop, Hashar, PatriceNeff, Timwi, Pti, Malcohol, Fuzheado, Will, Pocopoco, Markhurd, HappyDog, Kaare, Jake Nelson, Jeffrey Smith, Furrykef, Saltine, Jnc, Bevo, Betterworld, Tjdw, Stormie, Dpbsmith, Olathe, Wetman, Pakaran, Jerzy, Flexure, Hajor, Jeffq, Lumos3, JessPKC, Denelson83, Aluion, Phil Boswell, Gromlakh, AlexPlank, Robbot, Noldoaran, Sander123, Astronautics~enwiki, Fredrik, Chris 73, Vespristiano, RedWolf, Covracer, Altenmann, Netizen, Romanm, Chris Roy, Tim Ivorson, Dersonlwd, Texture, Meelar, Zidane2k1, Faught, Italo, Hadal, HyLander42, Mushroom, Plotinuz, Cyrius, Pengo, Per Abrahamsen, GreatWhiteNortherner, Dina, Stetic, Decumanus, Matt Gies, Centrx, TimGrin, Fennec, Eric S. 
Raymond, Cokoli, Kim Bruning, Massysett, Nadavspi, Kenny sh, Itsnotvalid, Wiglaf, Brian Kendig, HangingCurve, Leflyman, Ds13, Average Earthman, Everyking, Anville, Curps, Frencheigh, Beta m, Quamaretto, Mboverload, Ezod, Jds, Xorx77, Rchandra, AlistairMcMillan, Matt Crypto, Jaan513, SWAdair, AdamJacobMuller, Jrdioko, Wmahan, Rheun, Neilc, Ato, Auximines, Mackeriv, Utcursch, Shibboleth, Workman161, Yath, Long John Silver~enwiki, Antandrus, Loremaster, Apotheon, Wikimol, Epalm, ArcRiley, Rdsmith4, DragonflySixtyseven, Fratley, , Nickptar, Sillydragon, Neutrality, Micpp, Strbenjr, Grstain, Mike Rosoft, Mernen, Mormegil, Freakofnurture, Mindspillage, Nerf, Discospinster, Solitude, Rich Farmbrough, Guanabot, Leibniz, Rama, Ponder, Lorn, Demitsu, Paul August, Gronky, Speedysnail, Calamarain, Jnestorius, AdmN, AndrewM1, Evice, Dataphile, CanisRufus, Kop, MBisanz, EDGE, Sietse Snel, RoyBoy, Leif, Orlady, Pikestaff, Bobo192, Army1987, Func, BrokenSegue, Viriditas, StoatBringer, Cmdrjameson, MITalum, Wisdom89, Njyoder, Matt Britt, Cohesion, Adrian~enwiki, Redquark, Blotwell, Coopdot~enwiki, The Recycling Troll, Physicistjedi, Minghong, Idleguy, MPerel, DanBUK, Bandaidman, Conny, Drangon, Jumbuck, Tra, Storm Rider, Gcbirzan, Rernst, Alansohn, Golgo13, Richard Harvey, Polarscribe, Jamyskis, Achitnis, ThePedanticPrick, Neonumbers, Andrewpmk, HoratioHuxham, Echuck215, Blic~enwiki, Mysdaao, EdRich, Katefan0, Snowolf, Velella, Here, Mfecane, Keepsleeping, Garzo, Evil Monkey, WolFStaR, Guthrie, H2g2bob, Bsdlogical, Redvers, HGB, Recury, Ceyockey, Keithius, Dismas, Hq3473, OleMaster, Boothy443, Kelly Martin, Jak86, Mel Etitis, Woohookitty, Mindmatrix, TigerShark, Camw, DoctorWho42, Percy Snoodle, Myleslong, Kzollman, JeremyA, Brentdax, Mms, The Wordsmith, KymFarnik, MONGO, Schzmo, Grika, Bbatsell, Davidfstr, Terence, Adam Field, Bluemoose, Ralfipedia, Kralizec!, , Prashanthns, Essjay, Alan Canon, MarcoTolo, Dave Murphy, Marudubshinki, Dysepsion, Kesla, Graham87, Magister 
Mathematicae, Kbdank71, RxS, Jdoty, Binary Truth, Josh Parris, Ryan Norton, Rjwilmsi, Koavf, Panoptical, Vary, Dcavell, Bill37212, T0ny, Tangotango, MZMcBride, Oblivious, Ligulem, Sigmalmtd, ElKevbo, CalPaterson, Ghepeu, Afterwriting, ThePoorGuy, The wub, Bhadani, Ggfevans, Nandesuka, DickClarkMises, THE KING, GregAsche, Sango123, Mycro, Yamamoto Ichiro, Fish and karate, Alejos, Titoxd, Sgkay, Mirror Vax, RobertG, Musical Linguist, Doc glasgow, Nihiltres, Josh~enwiki, Harmil, RexNL, Gurch, Mike Van Emmerik, Alexjohnc3, TheDJ, Quuxplusone, Brendan Moody, Tylerttts, Alphachimp, Marlow4, Phoenix2~enwiki, Psantora, Chobot, Daekharel, David91, Korg, Stephen Compall, Bgwhite, Cactus.man, GroupOne, Jernejl, Borgx, Antichris, Extraordinary Machine, Splintercellguy, Sceptre, Hairy Dude, Family Guy Guy, Jeffthejiff, Crazytales, Diliff, SpuriousQ, Hydrargyrum, Akamad, Stephenb, CambridgeBayWeather, Cpuwhiz11, Wimt, RadioKirk, NawlinWiki, Wiki alf, BigCow, Bachrach44, Grafen, NickBush24, Ejdzej, Maverick Leonhart, Robchurch, Irishguy, Retired username, Mortein, Anetode, DAJF, Abb3w, Leontes, KarlHeg, Brat32, Karl Meier, DeadEyeArrow, Psy guy, Jeremy Visser, Tachyon01, Phenz, Nick123, Max Schwarz, Googl, Theda, Denisutku, Mastercampbell, ArielGold, Yaco, Katieh5584, Kungfuadam, Bsod2, Paul Erik, DVD R W, Bibliomaniac15, Ryūkotsusei, A3ulafia, Luk, Yvwv, SmackBot, Mmernex, Monkeyblue, Moeron, Bobet, Estoy Aquí, Rtc, Reedy, KnowledgeOfSelf, Primetime, Pgk, C.Fred, 6Akira7, Ccreitz, Davewild, Agentbla, Edgar181, Yamaguchi, Unforgettableid, Gilliam, Ohnoitsjamie, Irbobo, FakeHarajukuKid, Scaife, Chris the speller, Master Jay, Xchrisblackx, CISSP Researcher, MK8, Donbas, Thumperward, Edward H, Oli Filth, HartzR, Fluri, MidgleyDJ, Deli nk, Ikiroid, Yunaffx, DHN-bot~enwiki, Antonrojo, Janipewter, A. 
B., Rlevse, Audriusa, Zsinj, Dethme0w, Tsca.bot, Can't sleep, clown will eat me, Timothy Clemans, Mulder416, OrphanBot, Dushman, Tim Pierce, Sommers, Darthgriz98, Matthew, TheKMan, QubitOtaku, Xmastree, Lesnail, Pevarnj, Addshore, Edivorce, DGerman, Cpt~enwiki, Huon, COMPFUNK2, Jmlk17, Aldaron, Hackmiester, Cybercobra, Nakon, Jiddisch~enwiki, MichaelBillington, Weregerbil, Philpraxis~enwiki, Only, Filpaul, WikiMASTA, Sigma 7, Negator989, Jordanl122, Pilotguy, Kukini, Masterpjz9, TenPoundHammer, The undertow, Technocratic, Rory096, Robomaeyhem, Swatjester, Rklawton, Kuru, AmiDaniel, Demicx, Scientizzle, Colak, Soumyasch, Jasonious, NongBot~enwiki, Metavalent, Loadmaster, Andypandy.UK, Mr Stephen, Stikonas, Jon186, Waggers, Anonymous anonymous, Ralf Loire, Voshika, Klohunt, EEPROM Eagle, Caiaffa, GorillazFanAdam, Lord-Bren, Fan-1967, Iridescent, RaiderTarheel, Colonel Warden, Wjejskenewr, Twas Now, Mikeandikes, DeathToAll, Linkspamremover, Tawkerbot2, Pi, Kingoomieiii, Paulmlieberman, Ahy1, CmdrObot, Tobes00, Corporal79, Dycedarg, Iced Kola, SupaStarGirl, KnightLago, Lentower, Neelix, Pro bug catcher, MrFish, Luther Brefo, TJDay, Jac16888, Mblumber, Dennette, MC10, Mualphachi, Steel, Michaelas10, Gogo Dodo, Corpx, ST47, Chingang2006, Elustran, Roymstat, Tawkerbot4, Codetiger, DumbBOT, SpamBilly, Chrislk02, Coder.keitaro, Dtwhitney, Editor at Large, TheJC, Omicronpersei8, Kokey, Gassaver, Aljo, Thijs!bot, Epbr123, Skreyola, Coelacan, Pajz, LactoseTI, Ultimus, ToxGunn, Ucanlookitup, Jdm64, Nedcarlson, John254, Kathovo, Gerry Ashton, Lewallen, James086, Aklm, X201, Tellyaddict, Sfxdude, SusanLesch, CamperStrike, Igorwindsor~enwiki, I already forgot, Dantheman531, Ksmathers, AntiVandalBot, Majorly, Yonatan, Luna Santin, JimScott, Turlo Lomon, Oducado, QuiteUnusual, Angeldust~enwiki, Shirt58, Quintote, Cracker001, AaronY, Wallamanage, Exteray, Mr Grim Reaper, Olexandr Kravchuk, Darklilac, Farosdaughter, Brian Katt, Zedla, Radar81, Ryanyomomma, JAnDbot, Husond, Raz0r, MER-C, Cyberhacker665, Churnedfortaste, Britcom, Calvin Nyein Chan, PhilKnight, Cole31337, MSBOT, Opgooi monster, Thing10, LittleOldMe, Acroterion, Raanoo, Propaniac, Penubag, Pedro, Slowcheetah, Ausome1, VoABot II, AurakDraconian, TARBOT, Zenchesswikster, Jim Douglas, Dinosaur puppy, Rohasnagpal, Testla, Z19~enwiki, Sumguy hhh, Thireus, Martynas Patasius, Glen, DerHexer, JaGa, Esanchez7587, TheRanger, Fishdert, Cocytus, Foregone conclusion, Gwern, Custardninja, B9 hummingbird hovering, Kornfan71, Neonblak, Hdt83, MartinBot, Attackrabbit, Jeannealcid, Poeloq, Comperr, Rhlitonjua, Justin Piga, Rettetast, Mschel, Jgarland79, Kateshortforbob, ArcAngel, RockMFR, Timmccloud, Ankit bond2005, Public Menace, A Nobody, Wikipbob, Karthixinbox, Owlgorithm, Footballfan42892, SU Linguist, Gutchfest, Squeezeweasel, Gzkn, Dispenser, BrokenSphere, 
LordAnubisBOT, BrWriter2006, DarkBlackHat, AntiSpamBot, Berserkerz Crit, Vanished user g454XxNpUVWvxzlr, Gordaen, Michaelban, Alpha713~enwiki, Creepzerg3, Astro Boii, Watermelonhacker, Tanaats, Cerebos, Cometstyles, Browngreen64, WJBscribe, BrokenPaleGlass, Jevansen, Treisijs, Mike V, Nomnol2, Bonadea, Micmic28, SoCalSuperEagle, The unsponsored sk8er, Kurdtkobain2707, Zer0is1337, Bite super poilue, VolkovBot, Thomas.W, Doctor medicine, Jeff G., Danbloch, Paxcoder, Bsroiaadn, Timmyishappy, Philip Trueman, Greatwalk, Zidonuke, ZDubciclysmo, Planetary Chaos, Sdsd87, Eisenhauer666, Z.E.R.O., Anonymous Dissident, Woodsstock, Qxz, Codenametiger, Linkacid, Lradrama, QuintusMaximus, Aaron Bowen, Qwertasdfzxcv, Hfourxzeror, LeaveSleaves, Mattman2593, Ilyushka88, Patchthesock, Holyman98, Warrhamster, Worldrallychamp, Playqoy, Enigmaman, Wolfrock, Adam.J.W.C., APplle, Purgatory Fubar, Emo man50, Istillcandream, Ceranthor, Aznfatnerd, Chenzw, Richard A Muller, Logan, Msjennings, 2600.ir, Ponyo, Konkrypton, SieBot, Cuj000, MLBplayer456, Oscarmayor7, Whitehatnetizen, Sonicology, Infosecwriter, Tehjustice, PeterCanthropus, Pizzachicken, Spartan, Scarian, WereSpielChequers, Mxtp, Gerakibot, Josh the Nerd, Plinkit, Caltas, Eagleal, SE7, Ml-crest, Chiroz, Sephiroth storm, Yintan, Poohead121, Chris test, 360 Degree, Mrmrsgwangi, Keilana, ƑreeHaq, Android Mouse, Lee010cooldude, Pxma, Toddst1, Flyer22, Bdorsett, LETSskankTHEnightAWAY, Blaireaux, Rheoguq, Agent Q556, Oxymoron83, Antonio Lopez, AngelOfSadness, Nuttycoconut, Lightmouse, Poindexter Propellerhead, Techman224, Bluedart13, F1r3w4ll, Diego Grez, Maelgwnbot, Anakin101, Bip34, Spartan-James, JohnnyMrNinja, Dust Filter, H^a^x^k^i^o, Starcraft232, Guitaralex, Youugly93u, Explicit, MaxwellHansen, Dlrohrer2003, Shoopdawhooplol, Loren.wilton, Martarius, Shyguy100, ClueBot, Dakinijones, Kl4m, Duerring, Criticalmass24, Matdrodes, Frvade2007, Stahlsta210, Taroaldo, 5y573m-3rr0r, Zarkthehackeralliance, Nitrofurano, 
SuperHamster, Boing! said Zebedee, CounterVandalismBot, Blanchardb, BLiesting, Skate4life22, Neverquick, SamFinkAnchorageAk, Joeomfgwtfbbq, Lambdaphage, Excirial, Bedwanimas214, CrazyChemGuy, Jasonbtulsabiz, Sivenn, Yggdriedi, Rhododendrites, Milenkovic214, Andrew81446, Cr7i, Dekisugi, Synthus, JasonAQuest, Thehelpfulone, Lilboudreaux, Bald Zebra, Rohit bond2005, Aitias, Certes, Versus22, Lamendoluz, Goodvac, Xcez-be, DumZiBoT, Jpirie23, Fathisules, Teh00d3di, NeVic1, Joshowen041091, XLinkBot, Pichpich, Jjmshortys4life, Ost316, Mitch Ames, Skarebo, BlackDeath3, ErkinBatu, Mm40, Addbot, Creepymortal, DOI bot, Sam8888, Neonecho, Ronhjones, Scientus, TSWcontentlady, MrOllie, Ryoga Godai, Buster7, Dan Brown456, Glane23, Metalpunk182, HACKTOLEARN, Favonian, LemmeyBOT, West.andrew.g, Tassedethe, Tide rolls, OlEnglish, ברי"א, Zorrobot, Jarble, Fdaneels, Hyhfct, Yobot, Taxisfolder, Maxí, Evilmindwizard, Suvhero, AnomieBOT, ESHARI, Rubinbot, Jim1138, Kingpin13, Materialscientist, Citation bot, GB fan, Quebec99, Sixtysixwatts, Frankie0607, Prunesqualer, RibotBOT, Pradameinhoff, Sophus Bie, Architectchamp, Howsa12, Shadowjams, A. di M., Green Cardamom, Captain-n00dle, FrescoBot, Skychildandsonofthesun, Longgg johnnn?, Weetoddid, Louperibot, Citation bot 1, Nabifly, Catphish, Pinethicket, I dream of horses, Xanadu1122, Hack news, Lotje, Nightkid411, CobraBot, Aoidh, Davish Krail, Gold Five, Diannaa, DrakkenCrew, DARTH SIDIOUS 2, RjwilmsiBot, B4lz, Agent Smith (The Matrix), Mr. 
Greyhat, O iF R A GzBRO, Superways, Angrytoast, Grrow, GoingBatty, Matrix1010, RenamedUser01302013, Slightsmile, Elvenmuse, Wikipelli, Cfust, StringTheory11, Thargor Orlando, Erniedabou, Access Denied, Demonkoryu, Wayne Slam, Coasterlover1994, Soddy182, Puffin, Nom nom monster, Orange Suede Sofa, Pastore Italy, Matthewrbowker, Man du Fromage, Tarn taran, Zabanio, FiloMJ, Gamepro127, Domjenkin, Voomoo, ClueBot NG, Ezzk, Pcpikachu123, OxyTrip, Viybel~enwiki, Reify-tech, Thekickass, MrJosiahT, Youkana, Soulinthemachine, MerlIwBot, Helpful Pixie Bot, Whitehatpeople, The Mark of the Beast, Solomon7968, Xcyss, Bfugett, Toccata quarta, John Sawyer, Avantiext, BattyBot, Stefano Vincenzi, Lugia2453, Joseph M Warren, Zaldax, Dixiedean66, Nshunter, ManjushaV, Crow, Hacker124816, Monkbot, OKNoah, S166865h, HammadShamsi, Hacker alert 101, Vanyaxd, Kashif0334, Grazz54 and Anonymous: 1482

• Hacker group Source: http://en.wikipedia.org/wiki/Hacker%20group?oldid=648070333 Contributors: Pnm, Bobo192, Tony Sidaway, LFaraone, H2g2bob, Firsfron, DoctorWho42, Myleslong, RussBot, Moe Epsilon, SmackBot, Rtc, Mithaca, Blue Mirage, Gogo Dodo, Qwyrxian, OrenBochman, Acroterion, JamesBWatson, Nyttend, MartinBot, ArcAngel, AntiSpamBot, January2007, Chahax, Twooars, Sue Rangell, Accounting4Taste, FalconMan101, Matt Brennen, DOCOCTROC, Rhododendrites, Vanished user uih38riiw4hjlsd, Bearsona, Addbot, Lightbot, Materialscientist, 78.26, I dream of horses, Anibar E, Redx93, RedBot, KayinDawg, Deadman1420, Lotje, Hobbes Goodyear, Dewritech, Pro translator, ZéroBot, Wagner, SecData, ClueBot NG, Smashx90, WikiPuppies, Helpful Pixie Bot, Whyking thc, Mudkip11223, Mythpage88, Antivirotic, Jionpedia, MrOverkill, VariousLulz, Time for a nice cuppa brew, FBIArcadia, Skraito-0x71, Pyrotle, Malici0usploit and Anonymous: 51

• Hacker Manifesto Source: http://en.wikipedia.org/wiki/Hacker%20Manifesto?oldid=650676391 Contributors: SimonP, Lightning~enwiki, Pnm, Tgeorgescu, CesarB, Conti, Ylbissop, Random832, 
Jake Nelson, Bamos, Altenmann, Everyking, Quinwound, TonyW, Arnauldvm, Eisnel, Article6, Mike Rosoft, Bneely, MBisanz, Blotwell, Mattl, JaveCantrell, *Kat*, H2g2bob, JanKG, Kelly Martin, Stefanomione, Marudubshinki, Who, Mallocks, The Rambling Man, YurikBot, RussBot, Hydrargyrum, Mipadi, Nikkimaria, Dposse, User24, SmackBot, Rtc, Winterheart, Ikiroid, Bldsnprx, Can't sleep, clown will eat me, Frap, Cybercobra, Petr Kopač, Gloriamarie, Kuru, SubSeven, TheFarix, Gr33k-10v3r, Switchercat, DanielRigal, Mato, WISo, DumbBOT, Cmalkarali, JAnDbot, VoABot II, Gwern, CrackSoft, Gaqzi, Jaimeastorga2000, Philip Trueman, TXiKiBoT, David Condrey, SieBot, Sephiroth storm, Roc314, Dabomb87, Trover, Trivialist, Unikron2001, DragonBot, Rhododendrites, Killkola, Addbot, AkhtaBot, Rubinbot, Materialscientist, ArthurBot, 4twenty42o, FrescoBot, Full-date unlinking bot, Lotje, Guerillero, Mrcarter011, DASHBot, WikitanvirBot, Dewritech, Openstrings, Ksommerville, Mjbmrbot, ClueBot NG, Helpful Pixie Bot, Whitehatpeople, Canestenmobile, BattyBot, Mrt3366, Hmainsbot1, 127lh, NorthBySouthBaranof, SoldierxDOTcom, Robertjefferson, Fixuture and Anonymous: 75

• Hacking tool Source: http://en.wikipedia.org/wiki/Hacking%20tool?oldid=660192501 Contributors: Pnm, Andreas Kaufmann, Charonn0, Gary, Wtmitchell, H2g2bob, Woohookitty, Mindmatrix, Intgr, Hydrargyrum, Rsrikanth05, Open2universe, SmackBot, Rtc, Betacommand, Captain Zyrain, LeoNomis, Mr Stephen, Clarityfiend, MER-C, Koraiem, Derfboy, ClueBot, Stayman Apple, Erebus Morgaine, Rhododendrites, UnCatBot, XLinkBot, IncandescentLight, Jabberwoch, Addbot, Cst17, MrOllie, AnomieBOT, Jim1138, KRLS, Guillermo~enwiki, Stanislao Avogadro, Xqbot, Blenheimears, Rohitdua, FrescoBot, Jeffrd10, Mrk123, ClueBot NG, Seoexpert91, X-men2011, Scienceomar, Juggared14, Akwin123 and Anonymous: 24

• Keystroke logging Source: http://en.wikipedia.org/wiki/Keystroke%20logging?oldid=661442467 Contributors: Derek Ross, LC~enwiki, The Anome, SimonP, R Lowry, Edward, Lir, Pnm, Ixfd64, Ellywa, Ronz, Angela, Kingturtle, Aimaz, Rossami, Evercat, Samw, GCarty, Guaka, Aarontay, Ww, Dysprosia, WhisperToMe, Markhurd, Tschild, Furrykef, Nv8200pa, Omegatron, Jamesday, Catskul, Blugill, Lowellian, Hadal, Wereon, David Gerard, DavidCary, Laudaka, Jason Quinn, AlistairMcMillan, Solipsist, Antandrus, Beland, OverlordQ, Lynda Finn, Mike Rosoft, Discospinster, Rich Farmbrough, ArnoldReinhold, Xezbeth, ZeroOne, JoeSmack, Sietse Snel, RoyBoy, Femto, Adambro, Yono, Bobo192, Nigelj, Stesmo, Wisdom89, Dteare, Starchild, Alansohn, Danhash, Bobrayner, Woohookitty, Unixer, Armando, Pol098, WadeSimMiser, Firien, Dbutler1986, Graham87, JIP, Rjwilmsi, DickClarkMises, FlaBot, Weihao.chiu~enwiki, Latka, JiFish, Intgr, Runescape Dude, Salvatore Ingala, Peterl, Whosasking, Tiimage, YurikBot, Wavelength, Borgx, FlareNUKE, Lincolnite, Conscious, Hede2000, SpuriousQ, Rsrikanth05, Wimt, Mipadi, Bob Stromberg, Vivaldi, Tony1, Occono, Palpalpalpal, DeadEyeArrow, Closedmouth, GraemeL, Egumtow, Stefan yavorsky, Baxil, Veinor, A bit iffy, SmackBot, Royalguard11, Hydrogen Iodide, Gnangarra, J.J.Sagnella, Ohnoitsjamie, Skizzik, Chris the speller, Optikos, @modi, MK8, DHN-bot~enwiki, Colonies Chris, Firetrap9254, KojieroSaske, SheeEttin, Frap, Skidude9950, Ww2censor, Flask215, Khoikhoi, Engwar, Nakon, Gamgee, Kalathalan, Clicketyclack, Torritorri, Ckatz, Tuanmd, Redboot, Ehheh, Njb, Mets501, H, Mike Doughney, Pauric, Sander Säde, On1ine, Jeremy Banks, JForget, Dycedarg, Jesse Viviano, Corpx, Alexdw, Odie5533, Tawkerbot4, Bposert, SJ2571, Njan, Alexey M., Epbr123, FTAAP, Snydley, RamiroB, Sheng.Long 200X, Druiloor, 
AntiVandalBot, Luna Santin, Seaphoto, Fayenatic london, Zorgkang, Spydex, Qwerty Binary, Dreaded Walrus, JAnDbot, Thylacinus cynocephalus, Tony Myers, Barek, Bakasuprman, A1ecks, Hut 8.5, Isthisthingon, Techie guru, .anacondabot, Magioladitis, Jaysweet, Ukuser, JNW, Cheezyd, Confiteordeo, Fedia, Wikivda, Wikire, MartinBot, STBot, CliffC, [email protected], Anaxial, Nono64, $pider, Tresmius, Slash, J.delanoy, Pharaoh of the Wizards, Cyrus abdi, Thomas Larsen, Samtheboy, Noogenesis, VolkovBot, TreasuryTag, MemeGeneScene, Jeff G., Philip Trueman, TXiKiBoT, Mrdave2u, Zifert, A4bot, Glarosa, Isis4563, Madhero88, Dirkbb, Turgan, Jjjccc~enwiki, ChewyCaligari, Rock2e, Resurgent insurgent, Cool110110, SieBot, Triwbe, Sephiroth storm, Nmviw, Arda Xi, OsamaBinLogin, Banditauron, Tombomp, Clearshield, Dillard421, ArchiSchmedes, ClueBot, Wilbur1337, The Thing That Should Not Be, AsymptoteG, Garyzx, Dotmax, Blanchardb, Asalei, Socrates2008, Rhododendrites, Technobadger, Manasjyoti, Arjayay, Drwhofor, Shin-chan01, El bot de la dieta, DanielPharos, Berean Hunter, Johnuniq, SF007, Noname6562, Darkicebot, Against the current, XLinkBot, Spitfire, Stickee, Rror, Dom44, Lamantine, WikHead, Dsimic, Tustin2121, Addbot, Mortense, Movingboxes, Rhinostopper, MrOllie, Etracksys, Matt5075, Networkintercept, Favonian, ChenzwBot, Sureshot327, Tide rolls, MuZemike, Luckas-bot, Yobot, 2D, Bigtophat, Navy blue84, AnomieBOT, Andrewrp, Kingpin13, Ulric1313, Materialscientist, Are you ready for IPv6?, ℍuman, HkBattousai, GB fan, LilHelpa, Xqbot, Dragonshardz, Jeffrey Mall, Reallymoldycheese, Automaite, Ezen, S0aasdf2sf, Aceclub, Ruy Pugliesi, GrouchoBot, IslandLumberJack, Mark Schierbecker, Krypton3, Aenus, Mountielee, Prari, FrescoBot, WPANI, Clubmaster3, DigitalMonster, PeramWiki, Nathancac, Waller540, HamburgerRadio, Italick, Redrose64, Rajtuhin, MKFI, AgentG, Reconsider the static, Ao5357, Lotje, Vrenator, F11f12f13, Sloppyjosh, Forenti, DASHBot, J36miles, EmausBot, Manishfusion1, 
GoingBatty, Wikipelli, LinuxAngel, FlippyFlink, John Cline, Ida Shaw, Traxs7, S3cr3tos, Δ, Ego White Tray, AlexNEAM, ClueBot NG, Matthiaspaul, O.Koslowski, Mactech1984, Lolpopz1234, Marsmore, Nbudden, BG19bot, IraChesterfield, Samiam111~enwiki, Guesst4094, Carliitaeliza, MeanMotherJr, BattyBot, Abgelcartel, Jfd34, Lloydliske, EagerToddler39, Codename Lisa, Webclient101, Klabor74, Zhiweisun, Jaericsmith, Sourov0000, Corn cheese, Way2veers, Yuvalg9, MountRainier, JadeGuardian, Kennethaw88, Lvanwaes, Mover07, Jianhui67, Dannyruthe, NewWorldOdor, Janeandrew01, Michael Dave, Jamesmakeon, Bobsd12, Wasill37, Scyrusk, Devwebtel, JoanaRivers, ScottDNelson, Jhfhey, Awmarks and Anonymous: 548

• List of computer criminals Source: http://en.wikipedia.org/wiki/List%20of%20computer%20criminals?oldid=654956581 Contributors: GCarty, PaulinSaudi, Michael Snow, Rdsmith4, Pablo X, Causa sui, Adrian~enwiki, Katana, H2g2bob, Bbatsell, Mendaliv, Rjwilmsi, Koavf, The wub, Randomusername331, Mordicai, Bgwhite, The Rambling Man, Sceptre, Morgan Leigh, Chrishmt0423, Shawnc, GrEp, Rwwww, SmackBot, Rtc, Bluebot, Pdspatrick, Kittybrewster, Grimhim, Heimstern, SubSeven, Ptimmins, CmdrObot, Riskyfrisky, Ruslik0, Fordmadoxfraud, AndrewHowse, Cydebot, Reywas92, Gogo Dodo, Christian75, PamD, Daniel, Esemono, AntiVandalBot, Luna Santin, Seaphoto, Danger, Qwerty Binary, Lovok, MikeDee~enwiki, Firealwaysworks, Eqdoktor, Iloveliz187, I-baLL, Ayecee, Maurice Carbonaro, Yauch, STBotD, The Duke of Waltham, Jeff G., GimmeBot, Quatar, Gibson Flying V, A Raider Like Indiana, Arbor to SJ, Lightmouse, Kumioko (renamed), Dabomb87, Haydenp123, Truco, Ottre, PCHS-NJROTC, Apparition11, ErgoSum88, Addbot, Vejvančický, Nohomers48, Bte99, MrOllie, Sashi Degodeshi, Hackistory, AnomieBOT, Bluerasberry, Materialscientist, Citation bot, LilHelpa, Udayantha, Ksshannon, FrescoBot, Jellyjordan, Tlork Thunderhead, Winsock, Keshawn j jackson, Yunshui, Lotje, JanDeWit1, Airbag190, Jfmantis, RjwilmsiBot, Qrsdogg, 
Thecheesykid, ZéroBot, Michael Essmeyer, H3llBot, Mrobaer, Wayne Slam, Music Sorter, Yulli67, Chimpfunkz, of 220سلمانس بٹمم, ,Signalizing, ClueBot NG, MoondyneAWB, Achlysis, Helpful Pixie Bot, BG19bot, Goldenshimmer, Cressi97 Borg, Rcsenavirathna, Dariusg1, Codename Lisa, Michael Anon, Lugia2453, Jc86035, Aporvearyan, Rootdz, Rikesh.ballah1122, FrigidNinja, Razveer, McLean.Alex, SoldierxDOTcom, Tractor Tyres, Phreaker007, Monkbot, Colby Gleason, Kashimonok and Anonymous: 136

• Phreaking Source: http://en.wikipedia.org/wiki/Phreaking?oldid=661558619 Contributors: Bryan Derksen, Tarquin, Fubar Obfusco, Maury Markowitz, Sara Parks Ricker, Olivier, Citizenzero, Frecklefoot, RTC, Michael Hardy, Kwertii, Pnm, Dori, CesarB, Ahoerstemeier, Notheruser, Michael Shields, Alex756, Wfeidt, Dwo, Fry-kun, Mbstone, RickK, Ike9898, Paul Stansifer, Dysprosia, Geary, Rvolz, Furrykef, Saltine, Betterworld, Fvw, Bloodshedder, Shantavira, Denelson83, EdwinHJ, Dale Arnett, Fredrik, Greudin, Chancemill, TimothyPilgrim, Steeev, Auric, Jondel, Danceswithzerglings, Cyrius, Pengo, Falkonkirtaran, Skriptor~enwiki, Everyking, OrbitalBundle, Curps, Tieno, Beta m, Rchandra, Falcon Kirtaran, Matt Crypto, Pne, Peter Ellis, Wmahan, Lucioluciolucio, Ddhix 2002, Sayeth, Hellisp, Resister, Chmod007, Chane~enwiki, Rfl, VCA, KneeLess, Bneely, Vsmith, Smyth, Chowells, R.123, SocratesJedi, Paul August, Suriyawong, Mr. 
Billion, Kiand, Adrian~enwiki, Nicke Lilltroll~enwiki, Makomk, Juzeris, Larry V, Anthony Appleyard, Fwb44, Water Bottle, Stephen Turner, Seancdaug, Here, Cburnett, Anthony Ivanoff, H2g2bob, Galaxiaad, Angr, Woohookitty, Myleslong, Krille, The Wordsmith, BriskWiki, Hbdragon88, TotoBaggins, Karam.Anthony.K, Graham87, Stromcarlson, Ronnotel, Bilbo1507, JIP, Grammarbot, Josh Parris, Koavf, Chrisp510, PinchasC, Seraphimblade, Krash, The wub, FlaBot, Latka, Nihiltres, Gary D Robson, Bmicomp, Planetneutral, Jpkotta, ColdFeet, YurikBot, Wavelength, Ailag~enwiki, Hairy Dude, Kerowren, Gaius Cornelius, Lusanaherandraton, A314268, Wiki alf, Janarius, THB, Black Ratchet, Zypres, Moe Epsilon, Voidxor, Elkman, Sir Isaac, Tawal, Deltalima, Delirium of disorder, Dkgoodman, Arthur Rubin, Sturmovik, TomHawkey, Jonathan.s.kt, MansonP, Goob, Almostc, User24, SmackBot, Elonka, Rtc, KnowledgeOfSelf, Pgk, Rrius, Dazzla, TrancedOut, Skizzik, Saros136, Amatulic, EncMstr, SchfiftyThree, Kostmo, Hgrosser, Can't sleep, clown will eat me, Shalom Yechiel, Ianmacm, Kevlar67, Pretorious, Guroadrunner, Savetz, MKC, Rafert, RomanSpa, Othtim, Peyre, DabMachine, JmanA9, JoeBot, Highspeed, Twas Now, Dycedarg, Nczempin, Kylu, NickW557, Natas802, Lucky225, Neelix, No1lakersfan, Minilik, Mr.weedle, DumbBOT, Alaibot, Wintermute314, JohnInDC, Squidward tortelini, Qwyrxian, Jedibob5, Link Spam Remover, Vaniac, Escarbot, Radimvice, Oducado, Gigi head, JAnDbot, Albany NY, Tqbf, Bongwarrior, JNW, Xb2u7Zjzc32, Leftblank, JanGB, Jim Douglas, Steven Walling, P.B. Pilhet, Shuini, I-baLL, MartinBot, CliffC, Jeannealcid, Jim.henderson, Rhlitonjua, Bemsor, R'n'B, KTo288, Lilac Soul, Doranchak, Piercetheorganist, Galifrag, Terabandit, Davidm617617, Peterhgregory, Black Walnut, Seanbo, VolkovBot, SupaPhreak, TXiKiBoT, Anonymous Dissident, H3xx, David Condrey, Softtest123, Pious7, Enigmaman, Haseo9999, Lamro, Edkollin, Anonymousphreaker, Celain, Phreaka Dude, NHRHS2010, Trackinfo, Jimb20, Vortalux, RMB1987, Lightmouse, Seedbot, Svick, Retractor, Tegrenath, Twinsday, ClueBot, Pressforaction, Leatherstocking, Xitit, Dgabbard, Jotag14, Draxor99, Ottava Rima, SamuelTheGhost, Tlatseg, Alexbot, Mrchris, Eeekster, Goon Noot, EutychusFr, Johnuniq, Vanished User 1004, AlanM1, Badmachine, Ost316, Asrghasrhiojadrhr, Addbot, Leszek Jańczuk, MrOllie, Mphilip1, Devinriley, Luckas-bot, Yobot, Will Decay, Synchronism, AnomieBOT, Sidfilter, Theoprakt, Xqbot, The sock that should not be, Gidoca, Multixfer, Rohitdua, Miyagawa, Tabledhote, Ace of Spades, Rkr1991, Menilek, Kgrad, Lotje, Vrenator, Tbhotch, Sideways713, RjwilmsiBot, NameIsRon, WikitanvirBot, Mo ainm, EyeExplore, Amilianithiantha, H3llBot, Staszek Lem, Leitz31337, Cb3684, Scientific29, Ego White Tray, ClueBot NG, Frankienoone, Widr, Calabe1992, JohnChrysostom, MusikAnimal, Jimw338, JurgenNL, SoledadKabocha, Cerabot~enwiki, Corn cheese, Electracion, IanDGunn, Phreaker007, Monkbot, Abhishekkr101, Licknooft, KH-1, DanielKnights, Buntee2, Matt Da Freak and Anonymous: 365

• Rootkit Source: http://en.wikipedia.org/wiki/Rootkit?oldid=662241846 Contributors: Zundark, Fubar Obfusco, William Avery, SimonP, Stevertigo, Frecklefoot, JohnOwens, Nixdorf, Pnm, Liftarn, Zanimum, Penmachine, Tregoweth, Ahoerstemeier, Haakon, Nikai, Schneelocke, Emperorbma, Timwi, Aarontay, Ww, Olego, Fuzheado, Markhurd, Echoray, Furrykef, Taxman, Bevo, Rossumcapek, Phil Boswell, Robbot, Scott McNay, Henrygb, Auric, Zidane2k1, Paul G, Tobias Bergemann, Unfree, David Gerard, Alison, JimD, Ezhiki, Kravietz, 
AlistairMcMillan, Saucepan, Taka, Deewiant, Creidieki, Pascalv, Adashiel, Squash, Brianhe, ElTyrant, Rich Farmbrough, Agnistus, Jayc, Bender235, CanisRufus, Twilight (renamed), Kwamikagami, PhilHibbs, Spoon!, Femto, Perfecto, Stesmo, Smalljim, Chasmo, Mpvdm, Adrian~enwiki, Giraffedata, Yonkie, Bawolff, Helix84, Espoo, Jhfrontz, Polarscribe, CyberSkull, JohnAlbertRigali, Hookysun, Phocks, BanyanTree, Earpol, RJFJR, RainbowOfLight, Kazvorpal, RyanGerbil10, Japanese Searobin, Dtobias, Defixio, Alvis, CCooke, OwenX, Woohookitty, David Haslam, Steven Luo, Shevek, Pol098, Apokrif, Btmiller, Easyas12c, Midnightblaze, SDC, Umofomia, Xiong Chi- amiov, SqueakBox, Graham87, Rjwilmsi, TitaniumDreads, Syndicate, Arisa, Randolph, RainR, Flarn2006, FlaBot, RobertG, Stoph, Ji- Fish, Harmil, Mark Luszniak, Arunkoshy, Mordien, Intgr, Mimithebrain, Dbpigeon, Martin Hinks, Poorsod, FrankTobia, Elfguy, Uriah923, YurikBot, Wavelength, Hairy Dude, Diesonne, AVM, Chrisjustinparr, IByte, Hydrargyrum, NawlinWiki, Wiki alf, Mipadi, Ian Cheese, Ejdzej, Stephen e nelson, Cleared as filed, Nick, Raven4x4x, JackHe, Mysid, FoolsWar, Bota47, Nescio, Ninly, Maxwell’s Demon, Mateo LeFou, Theda, Closedmouth, Arthur Rubin, Reyk, Roothorick, AnimeJanai, Solarusdude, Jacqui M, That Guy, From That Show!, Smack- Bot, Mmernex, Estoy Aquí, Reedy, Mate.tamasko, Unyoyega, KelleyCook, Iph, SimonZerafa, Ohnoitsjamie, Chris the speller, Bluebot, Gspbeetle, Thumperward, Ben.the.mole, Octahedron80, DARQ MX, DHN-bot~enwiki, Jmax-, 1(), Frap, Onorem, Tim Pierce, Som- mers, Ukrained, Whpq, MichaelBillington, DMacks, J.Christopher.Wells, AndyBQ, A5b, Mitchumch, N-dy, Clicketyclack, FrostyBytes, Tasc, Tthtlc, Peyre, Simon Solts, Xionbox, LAlawMedMBA, IvanLanin, CapitalR, Prpower, Phoenixrod, Courcelles, Tawkerbot2, Davidb- spalding, FatalError, Zarex, Cyrus XIII, Megaboz, Jokes Free4Me, Jesse Viviano, Chrismo111, Racooper, Myasuda, Equendil, A876, GrahamGRA, Tryl, Πrate, Fetternity, Mewsterus, Etaon, Ambulnick, 
Marek69, Tocharianne, AntiVandalBot, Widefox, Obiwankenobi, Czj, Sjledet, Lfstevens, Bscottbrown, AndreasWittenstein, TuvicBot, Hiddenstealth, NapoliRoma, MER-C, Minitrue, QuantumEngineer, Karsini, BCube, Repku, Raanoo, Drugonot, Chevinki, Nyttend, Cl36666, Denorios, Stromdal, Alekjds, Hamiltonstone, Cpl Syx, XandroZ, Stephenchou0722, R27smith200245, MartinBot, Eshafto, CobraBK, Fethers, R'n'B, Nono64, Ash, Felipe1982, CraZ, Pharaoh of the Wiz- ards, UBeR, Uncle Dick, Maurice Carbonaro, Public Menace, Leeked, Andy5421, It Is Me Here, Peppergrower, Crakkpot, DavisNT, Wng z3r0, Marekz, Cometstyles, Gemini1980, ArneWynand, VolkovBot, Ashcan Rantings, Senachie, Soliloquial, TXiKiBoT, Sphinx2k, CanOfWorms, Miketsa, UnitedStatesian, Haseo9999, Willbrydo, Suzaku Medli, Ceranthor, Ggpur, MrChupon, SieBot, Technobreath, Sephiroth storm, Edans.sandes, Windowsvistafan, Aly89, General Synopsis, Fyyre, Clearshield, Capitalismojo, Bogwhistle, BfMGH, Guest141, Martarius, ClueBot, The Thing That Should Not Be, TheRasIsBack, Mild Bill Hiccup, Fossguy, Tai Ferret, Socrates2008, Crywalt, PixelBot, JunkyBox, Rhododendrites, Holden yo, NuclearWarfare, Mrkt23, Pinkevin, Htfiddler, DanielPharos, Floul1, Johnuniq, SF007, Uuddii, Pelican eats pigeon, XLinkBot, Thatguyflint, Addbot, Willking1979, Kongr43gpen, Sergey AMTL, Elsendero, Tutter- Mouse, Cst17, MrOllie, OlEnglish, Fiftyquid, Luckas-bot, Yobot, Fraggle81, GateKeeper, Golftheman, Alipie42, AnomieBOT, NoKind- OfName, Bluerasberry, Materialscientist, Nutsterrt, Citation bot, ArthurBot, LilHelpa, Avastik, S0aasdf2sf, Notwej, GrouchoBot, Ker- nel.package, Thearcher4, Trafford09, Sophus Bie, XLCior, Shadowjams, FrescoBot, WPANI, Ozhu, Wmcleod, HamburgerRadio, Citation bot 1, JoeSmoker, Winterst, Pinethicket, Jonesey95, Shultquist, Gim3x, OMGWEEGEE2, Rbt0, Trappist the monk, Techienow, Vanished user aoiowaiuyr894isdik43, TjBot, Alph Bot, EmausBot, John of Reading, WikitanvirBot, Timtempleton, Heracles31, Dewritech, Janiko, P3+J3^u!, 
ZéroBot, Herman Shurger, Basheersubei, Mike735150, IceCreamForEveryone, Bender17, Chicklette1, Diflame, Macwhiz, Nhero2006, DASHBotAV, Pianosa, ClueBot NG, Biterankle, Morgankevinj huggle, Matthiaspaul, MelbourneStar, Zakblade2000, Barry McGuiness, Helpful Pixie Bot, Strovonsky, Rijinatwiki, Abagi2, Johndavidthomas, BattyBot, Tkbx, StarryGrandma, ChrisGualtieri, Drac- ulamilktoast, Cadava14, Dexbot, Codename Lisa, Noul Edge, SoledadKabocha, Cryptodd, CaSJer, MopSeeker, Ginsuloft, Oranjelo100, Monkbot, Vieque, BethNaught, Ahollypak, Shinydiscoball, Jithendran Subburaj, TQuentin, Azlan 6473 and Anonymous: 574 • Script kiddie Source: http://en.wikipedia.org/wiki/Script%20kiddie?oldid=657126680 Contributors: AxelBoldt, WojPob, The Anome, -- April, Jagged, Zadcat, Ryguasu, Frecklefoot, Ubiquity, Patrick, Voidvector, Pnm, Zanimum, TakuyaMurata, (, CesarB, Looxix~enwiki, Ellywa, Angela, Marteau, Evercat, Schneelocke, Saint-Paddy, Przepla, WhisperToMe, Issa, Furrykef, Fvw, David.Monniaux, MrWeeble, Robbot, Altenmann, LGagnon, Hif, Pengo, Ich, Rchandra, The zoro, Matt Crypto, Neilc, Andycjp, Shibboleth, Tothebarricades., Scott Burley, Asbestos, Henriquevicente, Joyous!, Bluefoxicy, RedWordSmith, Rich Farmbrough, Rhobite, Fluzwup, Evice, Bobo192, Small- jim, Nectarflowed, Blotwell, Tadman, Red Scharlach, Rernst, Alansohn, Gary, Transfinite, 119, Arthena, Andrewpmk, Ciaran H, Seans Potato Business, Ethethlay, Scott5114, Robin201, Evil Monkey, Freyr, Feezo, JanusPaul, MickWest, Woohookitty, Mindmatrix, Grillo, Duncan.france, Pchov, Fred J, Terence, Kralizec!, Harkenbane, ArCgon, TNLNYC, Joe Roe, Mandarax, Ashmoo, Graham87, Magis- ter Mathematicae, Jclemens, Rjwilmsi, T0ny, JDanM, JenniferR, IpwnNES, Yamamoto Ichiro, Exeunt, FlaBot, Ian Pitchford, Fëaluinix, Crazycomputers, Kerowyn, JYOuyang, Gurch, Intgr, Salvatore Ingala, Masnevets, Rogertudor, Mysekurity, YurikBot, Rdoger6424, NT- Bot~enwiki, Curuinor, Hydrargyrum, Shaddack, Rsrikanth05, NawlinWiki, Borbrav, Aeusoes1, 
Ejdzej, Abb3w, Moe Epsilon, Tony1, Syrthiss, Xompanthy, Hydroksyde, DryaUnda, Vlad, Private Butcher, Werdna, Wknight94, Trojjer, Raijinili, Saranghae honey, Closedmouth, Garion96, Staxringold, SmackBot, Haza-w, Rtc, Hammerite, ScaldingHotSoup, Eskimbot, Zanetu, BiT, Bluebot, Codeninja42, JDCMAN, Miquonranger03, MalafayaBot, Dethme0w, CaptainCarrot, Stormchaser, Frap, PoiZaN, Ultra-Loser, Chlewbot, Efitu, Rrburke, Cybercobra, Nakon, Drc79, Foolish Child, Minna Sora no Shita, Hvn0413, Mets501, Dr.K., Clarityfiend, Ouzo~enwiki, Courcelles, Filter1987, Tawkerbot2, Haneul, Bakanov, Neelix, Sideshow Todd, Myasuda, Jack mcdonagh, Clayoquot, Gogo Dodo, Chasingsol, Evogol, DumbBOT, Kozuch, Soccer skills, Thijs!bot, Epbr123, LactoseTI, Möchtegern, CTZMSC3, AntiVandalBot, Luna Santin, Seaphoto, CobraWiki, Rossj81, Mgeel, Oddity-, Markthemac, Barek, CosineKitty, Wootery, Hawk90, Andreas Toth, JamesBWatson, Froid, Justaguy1, HastyDeparture, AndyI, A2-computist, Ryan1918, MartinBot, Kateshortforbob, Exarion, J.delanoy, Trusilver, WarthogDemon, Thomas Larsen, NewEnglandYankee, Wilson.canadian, Juliancolton, Crabworld, Tkgd2007, Yasuna, TheFrankinator, Lights, Vranak, Sparklism, VolkovBot, DSRH, Lexein, Supersonicjim, Philip Trueman, Anonymous Dissident, Imasleepviking, Seraphim, Haseo9999, Necris, Logan,

W00taliter, Dawn Bard, Texmexsam111, MarkinBoston, Mr. Stradivarius, Atif.t2, ClueBot, Mattgirling, VQuakr, Excirial, Rhododen- drites, Andrew81446, Alexey Muranov, Thingg, XLinkBot, FactChecker1199, ErkinBatu, Alexius08, Brilliantine, Addbot, Xp54321, Proxima Centauri, Freqsh0, Sdribybab222, Jaydec, 5 albert square, Jarble, Lolgailzlz, Yobot, Jackie, M9.justin, Ajh16, THEN WHO WAS PHONE?, Skhu25993, Byeitical, Jim1138, Materialscientist, Citation bot, ShornAssociates, LaRoza, ArthurBot, Xqbot, The sock that should not be, Tyrol5, Peanuter, Ssarti, Amaury, Caseeaero, Cho fan, Afromayun, JoeJev, Evalowyn, I dream of horses, Hoo man, Red- Bot, SpaceFlight89, Lemonsourkid, Lotje, Neptunerover, Reaper Eternal, Merlinsorca, Diannaa, Tbhotch, DASHBot, EmausBot, Wik- itanvirBot, Gfoley4, Tommy2010, AsceticRose, Chealsearock, John Cline, Demonkoryu, Ocaasi, Randiv, Donner60, AndyTheGrump, Jlatto, Iarkey1337, Angwatch, ClueBot NG, Pcflight, K8ylynnn, Helpful Pixie Bot, Lowercase sigmabot, The Almightey Drill, Astros4477, No1dead, HappiestDrunk, EagerToddler39, Philip J Fry, Lugia2453, 93, Fusingwharf, Movinggun, Pwnyy, DavidLeighEllis, Someone not using his real name, SS7 Somebody, Bs9987, ThatRusskiiGuy, WikiWinters, Peterpacz1, Melcous, Doyouqa, Swagstar124, ChiTownDev, Kostubbs, Jizzle nizzle, Yaser09363239065 and Anonymous: 408

• Spyware Source: http://en.wikipedia.org/wiki/Spyware?oldid=659159185 Contributors: The Epopt, WojPob, LC~enwiki, Eloquence, Vicki Rosenzweig, Mav, Zundark, Berek, Toby Bartels, Fubar Obfusco, SimonP, Ellmist, R Lowry, Modemac, KF, Frecklefoot, Ed- ward, Willsmith, Fred Bauder, Pnm, Tannin, Wwwwolf, Tgeorgescu, Karada, Ahoerstemeier, DavidWBrooks, Haakon, Mac, Arwel Parry, Notheruser, Darkwind, Mcfly85, Julesd, Cgs, Glenn, Bogdangiusca, Slusk, Phenry, Evercat, Raven in Orbit, Mydogategodshat, Guaka, Aarontay, Mbstone, RickK, Dysprosia, WhisperToMe, Wik, Pedant17, Jake Nelson, Grendelkhan, Saltine, ZeWrestler, Sabbut, Wernher, Bevo, Joy, Khym Chanur, Fvw, Raul654, Pakaran, Jamesday, Denelson83, PuzzletChung, Aenar, Robbot, Paranoid, Senthil, ChrisO~enwiki, Korath, Tomchiukc, Vespristiano, Moondyne, ZimZalaBim, Psychonaut, Yelyos, Modulatum, Lowellian, Mirv, Justin- Hall, Stewartadcock, Academic Challenger, Texture, Meelar, LGagnon, DHN, Hadal, Dehumanizer, Wereon, Michael Snow, Boarder8925, ElBenevolente, Anthony, Mmeiser, Lzur, Tobias Bergemann, Alerante, Alexwcovington, DocWatson42, Fennec, Inter, Lupin, Ferkelpa- rade, Everyking, Kadzuwo~enwiki, Rookkey, Frencheigh, FrYGuY, Gracefool, Daniel Brockman, Zoney, Pascal666, AlistairMcMillan, Spe88, SWAdair, Golbez, Justzisguy, Gadfium, Shibboleth, Toytoy, CryptoDerk, GeneralPatton, Quadell, Antandrus, OverlordQ, The Trolls of Navarone, Piotrus, Quarl, Khaosworks, MFNickster, Kesac, Jesster79, Maximaximax, SeanProctor, Bumm13, Kevin B12, Sam Hocevar, Sridev, TonyW, Rantaro, Neutrality, Joyous!, Jcw69, Adashiel, JamesTeterenko, Grunt, Guppyfinsoup, Mike Rosoft, Maryevelyn, Tom X. 
Tobin, Monkeyman, Poccil, Imroy, Maestro25, Naryathegreat, Discospinster, Twinxor, Rich Farmbrough, Rho- bite, Andros 1337, MCBastos, Clawed, YUL89YYZ, Mani1, Tinus, Pavel Vozenilek, Martpol, Paul August, SpookyMulder, ESkog, JoeSmack, Violetriga, Brendandonhue, CanisRufus, *drew, Fireball~enwiki, Mwanner, Perspective, Aude, Spoon!, Femto, Incognito, ZooCrewMan, Sole Soul, Bobo192, Longhair, Meggar, Flxmghvgvk, Mikemsd, Chessphoon, Cwolfsheep, Alpheus, Jag123, Alexs let- terbox, Visualize, Minghong, Wrs1864, Haham hanuka, Jonathunder, SPUI, ClementSeveillac, Nkedel, Espoo, Danski14, Alansohn, JYolkowski, Cronus, GRider, Interiot, Arthena, Rd232, Jeltz, Andrewpmk, Plumbago, Zippanova, T-1000, Kocio, InShaneee, David- CWG, Idont Havaname, Blobglob, BanyanTree, Uucp, Yuckfoo, Evil Monkey, BlastOButter42, Kusma, Jsorensen, Someoneinmyhead- butit’snotme, Zootm, Kerry7374, Mikenolte, 4c27f8e656bb34703d936fc59ede9a, Kyrin, Bobrayner, Weyes, Boothy443, Kelly Martin, Woohookitty, LostAccount, Mindmatrix, Vorash, TigerShark, Scriberius, LOL, Nuggetboy, Localh77, Daniel Case, Baysalc, Snotty (renamed), WadeSimMiser, Drongo, Schzmo, BlaiseFEgan, Rchamberlain, Zzyzx11, Leemeng, Wayward, , Zhen-Xjell, Ste- fanomione, Karam.Anthony.K, Zpb52, Palica, Allen3, MassGalactusUniversum, Graham87, Marskell, Deltabeignet, Magister Math- ematicae, BD2412, Roger McCoy, RadioActive~enwiki, MauriceJFox3, Jclemens, Icey, Josh Parris, Canderson7, Sjakkalle, Seiden- stud, Coemgenus, Baeksu, Eyu100, Dannysalerno, Amire80, Carbonite, Harro5, Nneonneo, Oblivious, Roivas, Creative210, OKtosiTe, Hermione1980, AySz88, Yamamoto Ichiro, Teddythetank, Eexlebots, RainR, Titoxd, FlaBot, Ecb29, Ian Pitchford, RobertG, Otnru, HowardLeeHarkness, Arlondiluthel, JiFish, Avalyn, JYOuyang, Klosterdev, Rune.welsh, RexNL, Gurch, Quuxplusone, Intgr, Bmicomp, Noxious Ninja, Butros, King of Hearts, KaintheScion, Scoops, Bornhj, DVdm, Ariele, Voodoom, Bgwhite, YurikBot, Wavelength, Aleahey, Splintercellguy, Kencaesi, 
Kafziel, Adam1213, Pleonic, Hede2000, Bhny, Richjkl, Paul Quirk, Admiral Roo, Kirill Lokshin, Pvasiliadis, Van der Hoorn, Akamad, Chensiyuan, Amanaplanacanalpanama, Stephenb, Manop, Barefootguru, Coyote376, Gaius Cornelius, Cam- bridgeBayWeather, Kyorosuke, Member, Wimt, MarcK, Crazyman, Wiki alf, Dialectric, God Of All, AlMac, RazorICE, Irishguy, Brian Crawford, Kynes, Rmky87, Ugnius, Amcfreely, Misza13, FlyingPenguins, Zephalis, Pablomartinez, DeadEyeArrow, Bota47, Xpclient, Flipjargendy, Romal, Wknight94, Graciella, Zzuuzz, Encephalon, Gorgonzilla, Bayerischermann, AtOMiCNebula, Theda, Abune, Reyk, Dspradau, Sean Whitton, BorgQueen, GraemeL, Shawnc, Peter, QmunkE, Emc2, JLaTondre, MagneticFlux, Che829, Bluezy, Katieh5584, Kungfuadam, Plethorapw, NeilN, Leuk he, Kingboyk, Destin, Mardus, SkerHawx, That Guy, From That Show!, SG, Attilios, Veinor, MacsBug, Firewall-guy, SmackBot, Colinstu, Estoy Aquí, Justinstroud, KnowledgeOfSelf, Royalguard11, CompuHacker, Georgeryp, Blue520, Davewild, Matthuxtable, Stifle, ElDakio, Delldot, KelleyCook, ProveIt, Vilerage, Ccole, Kaunietis25, Gilliam, Ohnoitsjamie, Jushi, Oscarthecat, Skizzik, Chaojoker, ERcheck, Gary09202000, Chris the speller, Parajuris, Skintigh, Chemturion, Thumperward, Christopher denman, SchfiftyThree, Deli nk, Octahedron80, DHN-bot~enwiki, Darth Panda, Trimzulu, Jmax-, Can't sleep, clown will eat me, Frap, Episteme-jp, Nixeagle, JonHarder, Korinkami, Rablari Dash, Homestarmy, Xyzzyplugh, Jax9999, Midnightcomm, Mr.Z- man, Gabi S., Cybercobra, Engwar, Nakon, GhostDancer, Monotonehell, Warren, Weregerbil, Polonium, Sbluen, Sljaxon, Twain777, Fredgoat, Jeremyb, Kotjze, Nevyan, MOO, Risker, DataGigolo, Clicketyclack, SashatoBot, Rory096, Swatjester, JethroElfman, Heim- stern, Tor Stein~enwiki, Xaldafax, Minna Sora no Shita, Abdomination, Llamadog903, PseudoSudo, LebanonChild, Chrisch, Mr. 
Ver- non, Andypandy.UK, Jcmiras, Alistairphillips, Alistair.phillips1, Darklord.dave, MrArt, Mphill14, SandyGeorgia, Camp3rstrik3r, Jam01, Rip-Saw, Vernalex, Michael.koe, Sifaka, Jnk, Iridescent, Lonyo, JoeBot, Cowicide, Gholam, 10014derek, JHP, J Di, IvanLanin, Igold- ste, Cbrown1023, RekishiEJ, AGK, Linkspamremover, Astral9, Kanecain, Mzub, Tawkerbot2, Morryau, Jasrocks, SMRPG, Clintmsand, Alestrial, AbsolutDan, SkyWalker, J Milburn, JForget, FleetCommand, Anon user, Wikkid, Xlegiofalco, Ewc21, DevinCook, Pockle, Raceprouk, Green caterpillar, El aprendelenguas, Kejoxen, Herenthere, CJBot, Angelsfreeek, Kribbeh, Phatom87, TheBigA, Cydebot, Treybien, Steel, Gogo Dodo, Mroesler, Tiger williams, Bigjake, Shirulashem, Christian75, Codetiger, DumbBOT, TheJC, Omicronper- sei8, Zalgo, Lo2u, Jed keenan, Satori Son, FrancoGG, Thijs!bot, Epbr123, Wikid77, Ilpalozzo, Supermario99, Daniel, Wikikiki~enwiki, Nonagonal Spider, Who123, Rcandelori, Jojan, Moulder, West Brom 4ever, A3RO, Cool Blue, Grayshi, CharlotteWebb, Nick Num- ber, Wai Wai, Wikidenizen, Dawnseeker2000, Natalie Erin, Silver Edge, Escarbot, CamperStrike, Andykitchen, Mentifisto, Mr.Fraud, AntiVandalBot, Operator link, Luna Santin, Ownlyanangel, Schooop, Anotherpongo, Dylan Lake, Kmesserly, Shlomi Hillel, Pixelface, Jenny Wong, Falconleaf, Alevine-eantflick, Qwerty Binary, Ingolfson, JAnDbot, Hiddenstealth, Ginza, Barek, Epeefleche, BCube, Bhad- dow, D. 
Kapusta, Dcooper, The elephant, Entgroupzd, MadMom2, Kipholbeck, SteveSims, Magioladitis, Bongwarrior, VoABot II, Mike5906, Abbadox, Yandman, Dfense, XPOTX, Tedickey, Twsx, Mikey129, LonelyWolf, Alekjds, Violetness, Robotman1974, Allstarecho, Cpl Syx, Fang 23, Bugtrio, Fayul, Glen, Myststix, Pikolas, Gwern, Atulsnischal, Ksero, Gundato, Hdt83, MartinBot, M3tal H3ad, CliffC, BetBot~enwiki, Flamingpanda, Axlq, Skipatek, Lcaa9, Ittan, R'n'B, I2omani, Bgold4, RaccoonFox, J.delanoy, Fakir005, Trusilver, Deonwilliams, Neon white, Singing guns, Dispenser, Justinm1978, LordAnubisBOT, 2IzSz, Thomas Larsen, Compman12, Freejason, Demizh, Jwright1, Legendsword, AntiSpamBot, WikiChip, TomasBat, Bushcarrot, NewEnglandYankee, Hellohellohello007, فندليز, Fsf~enwiki, Juliancolton, WarFox, Atama, Teggis, Redrocket, Wiki989, Mguy, Kiyo o, VolkovBot, ChrisPerardi, Jeff G., Tesscass,

Dajahew1, TXiKiBoT, Zidonuke, Moogwrench, KevinTR, Rei-bot, GcSwRhIc, Shindo9Hikaru, Oxfordwang, Anna Lincoln, Melsaran, Martin451, LeaveSleaves, Alexarankteam, Master Bigode, Wikiisawesome, Copper20, Trickiality, Bercyon, Billinghurst, The Negotiator, Haseo9999, Flamesrule89, Willbrydo, Digita, Mickelln, LittleBenW, AlleborgoBot, Fredtheflyingfrog, Fabioejp, EmxBot, Overtheblock, Superfly789, SieBot, Techwrite, Spartan, Backpackkk, Backpack123, Gorx, Jack Merridew, IHateMalware, Dawn Bard, Schwartz, Ken, Sephiroth storm, WJerome, Arda Xi, Pdub567, Oda Mari, Arbor to SJ, Jojalozzo, Nosferatus2007, Oxymoron83, Faradayplank, An- gelOfSadness, Wjemather, ImageRemovalBot, Loren.wilton, ClueBot, Mr. pesci, GorillaWarfare, Fyyer, The Thing That Should Not Be, College222, Darthveda, Drmies, Mild Bill Hiccup, Braksus, Mackmar, Milenamm, Absmith111, Tokyogamer, Christineokelly, Bichon, Emperordarius, Igorberger, Rhododendrites, WalterGR, WWriter, Anti328, DanielPharos, Morriske, Apparition11, SF007, DumZiBoT, Adams527, Mikon8er, XLinkBot, ICaNbEuRsOuLjAgIrL, Skarebo, SilvonenBot, Alexius08, Noctibus, Dubmill, Addbot, Deepmath, Cls- dennis2007, Wowrocker2, Joost Kieviet, SuperSmashBros.Brawl777, AndrewJNeis, Christos2121, 15lsoucy, Ronhjones, Leszek Jańczuk, Skyezx, MrOllie, Glane23, Chzz, Debresser, Favonian, Mike A Quinn, Evildeathmath, Lightbot, OlEnglish, Qwertyytrewqqwerty, Fiilott, Luckas-bot, Yobot, Sdalk208, TaBOT-zerem, Voyage34, Aaronit~enwiki, Egosintrick, THEN WHO WAS PHONE?, SeanTheBest949, Writerjohan, KamikazeBot, Fortmadder, TJDishaw6, Quentinv57, AnomieBOT, Keepitreal74, Roman candles, Jim1138, MinnetonkaCZ, IRP, Galoubet, Piano non troppo, AdjustShift, Wasisnt, Yachtsman1, Ulric1313, Materialscientist, Danno uk, The Firewall, Xqbot, Sionus, Capricorn42, Dubboy1969, Avastik, Junkcops, Katcrane, Halstonm, PraeceptorIP, Mlpearc, S0aasdf2sf, Ragityman, Danalpha31, Kurt- driver, BubbleDude22, Prunesqualer, Mathonius, IShadowed, Vuletrox, Luminique, Fastguy397, 
VS6507, DigitalMonster, Cykloman15, Flakmonkey24, HamburgerRadio, Yodaddy4276, Jammy467, Pinethicket, Idemnow, Jacobdead, Chucknorriss007, JNorman704, Ngyikp, Brian Everlasting, SpaceFlight89, RandomStringOfCharacters, OMGWEEGEE2, Reconsider the static, MichaelRivers, Sahil16, Dinamik- bot, Vrenator, Halti1328, Sammonaran, Jeffrd10, JV Smithy, Thunerb, Tbhotch, Luis8750, RjwilmsiBot, VernoWhitney, Buggie111, Xvunrealvx, Nabahat, EmausBot, John of Reading, Marmbrus, Bob22234, Dewritech, RA0808, L235, Tommy2010, Wikipelli, K6ka, Boysfood, Zach eastburn, Roflcopter23, EneMsty12, L0ngpar1sh, Wayne Slam, Isarra, Hidbaty223, Janesilentbob, Damirgraffiti, Flori- daShawn123, GrayFullbuster, Jschwa12, ClueBot NG, Karlson2k, Cntras, Braincricket, 123Hedgehog456, O.Koslowski, Chikkey007, Widr, Neilacharya, Pattiewillford, Rubybarett, Icallitvera, DBigXray, Kwolton, Jordan james elder, PatrickCarbone, Larda, MusikAn- imal, EmadIV, Brilubic2, YolentaShield, Cre8tin, Mechanic1545, VanEman, RobertEdingerPHD, Egyptianmorrow, J3zzy1998DBZ, Jeremy112233, Cyan.aqua, Squishy901, Rms1524, ZappaOMati, EuroCarGT, Dexbot, Cwobeel, Codename Lisa, Jamiedude2002, Ge- niusmanship, SFK2, Sourov0000, Corn cheese, Allne1972, François Robere, Melonkelon, Eyesnore, Yuvalg9, Jameii123, Muhammad- babarzaman, MountRainier, Majidmec, Babitaarora, Ymd2004, Someone not using his real name, Jianhui67, Dannyruthe, Mickel1982, 7Sidz, BethNaught, Qwertyxp2000, Wii fi fi, Zaixar, 7thwave1, Julietdeltalima, Silien2002, MagyVi, Securitysentry, Tripboom, Jiesenpan and Anonymous: 1354 • Timeline of computer security hacker history Source: http://en.wikipedia.org/wiki/Timeline%20of%20computer%20security% 20hacker%20history?oldid=662294118 Contributors: ChangChienFu, Edward, Nixdorf, Eurleif, Sannse, Delirium, Paul A, Minesweeper, Tregoweth, Ronz, Snoyes, Cimon Avaro, Evercat, GCarty, Conti, Ylbissop, PatriceNeff, Reddi, Ike9898, Zoicon5, Jnc, Topbanana, Jeffq, RadicalBender, Sjorford, Gentgeen, Robbot, Fredrik, 
Sanders muc, RedWolf, Altenmann, Stewartadcock, Jy, PBP, Pengo, GreatWhiteNortherner, Davidcannon, Dave6, DocWatson42, Jtg, Kenny sh, Everyking, Niteowlneils, Broux, Maroux, DO'Neil, Alis- tairMcMillan, The zoro, Gzornenplatz, Matt Crypto, Alvestrand, Bobblewik, Gadfium, Utcursch, Ruy Lopez, Long John Silver~enwiki, Beland, Tim Pritlove, Kbrooks, Neutrality, Eisnel, Zoganes, Orange Goblin, D6, Wikiti, Guanabot, Ponder, Calebbell, Thebrid, CanisRu- fus, NetBot, Adrian~enwiki, Draconiszeta, RussBlau, Hektor, JaveCantrell, Inky, Bart133, Yolgie, M3tainfo, Danthemankhan, Guthrie, H2g2bob, Markaci, Lkinkade, Jbl, Brunnock, Myleslong, Skyraider, Amatus, Scm83x, Allen3, Rjwilmsi, Koavf, Vegaswikian, Bensin, Ground Zero, JdforresterBot, Kmorozov, Ewlyahoocom, TheDJ, Alvin-cs, Bgwhite, RussBot, Gaius Cornelius, EWS23, Mipadi, Bir- gitteSB, DeadEyeArrow, Izcool, Haemo, American2, Deville, Closedmouth, Arthur Rubin, Dcb1995, Rwwww, UltimatePyro, SmackBot, Jeffreykopp, Rtc, Zazaban, Anarchist42, 6Akira7, Resorb, Mauls, Commander Keane bot, Gilliam, GoneAwayNowAndRetired, Chris the speller, TimBentley, Snori, Roscelese, Steelmanronald, CSWarren, Kungming2, Colonies Chris, Wesw02, Racklever, ConMan, Warren, Tlmii, Blututh, Wizardman, KeithB, Via strass, Tomhubbard, DavidBailey, Breno, Dipset1991, Lightshadow~enwiki, Mets501, Xionbox, Zepheus, BranStark, Octane, Switchercat, CmdrObot, No1lakersfan, Dalen talas, Ngileadi, DrunkenSmurf, Alaibot, Satur9, Epbr123, NOYGDB-YHNNTK, Karin Spaink, Esemono, Jimhoward72, Nick Number, AntiVandalBot, Pipedreamergrey, Tqbf, Magioladitis, Tin- ucherian, Seigiac, Firealwaysworks, Animum, Edward321, Esanchez7587, Gun Powder Ma, Gwern, Pauly04, Coradon, Jargon777, Mau- rice Carbonaro, Shatner1, Craigmascot, Znx, SmackTacular, S, TheNewPhobia, Funandtrvl, Sam Blacketer, Indubitably, DBZROCKS, Seb az86556, Haseo9999, Oriaj, Chahax, Sue Rangell, BlueClerica, TJRC, Scarian, Malcolmxl5, Nathan, Matt Brennen, Happysailor, Mandsford, Oxymoron83, 
SilverbackNet, CultureDrone, Denisarona, Faithlessthewonderboy, Martarius, ClueBot, Plastikspork, Mild Bill Hiccup, Niceguyedc, Arunsingh16, Sv1xv, Leonard^Bloom, Rhododendrites, Sun Creator, Arjayay, Dark-Basics, DanielPharos, Genc- turk~enwiki, J3r3m3, Galt 57, DumZiBoT, UnUnNilium, XLinkBot, Ost316, RyanCross, Addbot, Montgomery '39, Cst17, Mohamed Magdy, Download, Sashi Degodeshi, Freqsh0, Chzz, Boydays, Yobot, TaBOT-zerem, Lacrymocéphale, SwisterTwister, Backslash For- wardslash, AnomieBOT, Noq, Jim1138, Materialscientist, Citation bot, Miles86, LilHelpa, Sixequalszero, Alexnickell, Uitham, Shad- owjams, FrescoBot, Haeinous, Meishern, HamburgerRadio, Citation bot 1, I dream of horses, Jeffger, Full-date unlinking bot, Arbero, Onel5969, Hobbes Goodyear, RjwilmsiBot, In ictu oculi, Acather96, Dixtosa, Szawi, Dewritech, GoingBatty, Wikipelli, Josve05a, Wikfr, Brandmeister, L Kensington, ClueBot NG, Jack Greenmaven, LogX, Catlemur, Steve dexon, Killawattson, Widr, Kleinash, Helpful Pixie Bot, Mrorville1, YusufZ, Rsotillo, MusikAnimal, Hackingtag, Neishamonaya, Conifer, Fylbecatulous, BattyBot, Mgreen11, Pratyya Ghosh, Tonyxc600, MikeTaylor1986, CooKiee2012, Maestro814, Codename Lisa, Lugia2453, Jamesx12345, Izniz, Cody Allan, Everymorning, JacobiJonesJr, The Herald, JaconaFrere, InfoSecGuy, Magma1983, Parveen97, Tjb5228, SirJohnWilliams, Beardog108 and Anonymous: 367 • Trojan horse (computing) Source: http://en.wikipedia.org/wiki/Trojan%20horse%20(computing)?oldid=662342900 Contributors: Damian Yerrick, Paul Drye, MichaelTinkler, LC~enwiki, Mav, Bryan Derksen, Zundark, Rjstott, Andre Engels, Gianfranco, Mincus, Heron, R Lowry, Michael Hardy, Voidvector, Pnm, Dori, Ahoerstemeier, Ronz, Darrell Greenwood, Julesd, Glenn, Jiang, Ryuukuro, Timwi, Andrevan, Ww, WhisperToMe, SEWilco, Chuunen Baka, Robbot, Kizor, Schutz, Altenmann, Puckly, Premeditated Chaos, Sun- ray, Tbutzon, Saforrest, Borislav, Miles, Splatt, Cyrius, GreatWhiteNortherner, Giftlite, Fennec, Brian 
Kendig, No Guru, Wikibob, Leonard G., ZeroJanvier, AlistairMcMillan, Fanf, Matt Crypto, PlatinumX, SWAdair, SoWhy, Knutux, SURIV, Antandrus, Tbjablin, Kesac, Asriel86, Bumm13, Trafton, Shiftchange, Monkeyman, A-giau, Discospinster, Sperling, Stereotek, JoeSmack, CanisRufus, Shanes, Sietse Snel, One-dimensional Tangent, Yono, Bobo192, Alexandre.tp, Cmdrjameson, Chirag, DCEdwards1966, Haham hanuka, Jjron, Ranveig, Alansohn, Anthony Appleyard, Guy Harris, Andrewpmk, M7, Riana, Sade, Ciaran H, Kesh, Danhash, Evil Monkey, BDD, Versageek, Brookie, Nuno Tavares, Woohookitty, Mindmatrix, TigerShark, Myleslong, Matey~enwiki, Briangotts, Pol098, WadeSimMiser, Easyas12c, Optichan, Gyrae, Mekong Bluesman, Graham87, Jclemens, Enzo Aquarius, Rjwilmsi, JoshuacUK, Blacktoxic, NeonMerlin, ElKevbo, Aapo Laitinen, AySz88, Andrzej P. Wozniak, RainR, RobertG, JiFish, Bubbleboys, Ewlyahoocom, Alexjohnc3, TheDJ, DevastatorIIC, Ben-w, Gr8dude, M7bot, Ahunt, Chobot, DVdm, Roboto de Ajvol, Angus Lepper, Sceptre, Ytgy111, Kerowren, Eleassar, Ptomes,

Wimt, NawlinWiki, Wiki alf, Dialectric, RattleMan, Johann Wolfgang, Vincspenc, THB, Ugnius, Nick C, Kenkoo1987, T, Lockesdonkey, Wknight94, Niggurath, Zzuuzz, E Wing, Jogers, GraemeL, Ethan Mitchell, RandallZ, Airconswitch, Suburbancow, CIreland, Jaysscholar, Slampaladino, J2xshandy, Scolaire, SmackBot, Kellen, Unschool, Narson, Bobet, Tarret, KocjoBot~enwiki, Delldot, KelleyCook, Jpvinall, Arsenaldc1988, Gilliam, Ohnoitsjamie, Spamhuntress, Snori, Tree Biting Conspiracy, Miquonranger03, Gareth, LaggedOnUser, Lexlex, DHN-bot~enwiki, Jeffreyarcand, Abaddon314159, Can't sleep, clown will eat me, MyNameIsVlad, Frap, Christan80, KaiserbBot, Rrburke, TKD, Emre D., Nibuod, Sljaxon, Drphilharmonic, HDow, LeoNomis, Richard0612, Clicketyclack, Neverender 899, SS2005, Kuru, Ji- danni, Gobonobo, Sir Nicholas de Mimsy-Porpington, Evan Robidoux, UkNegative, 041744, JHunterJ, George The Dragon, Alethiophile, Waggers, Iridescent, Redskull619, IvanLanin, JoeE, Blehfu, Courcelles, Linkspamremover, Astral9, Mzub, ChrisCork, Switchercat, Sky- Walker, JForget, DJPhazer, CmdrObot, Wafulz, Makeemlighter, ParadoX, CWY2190, Rikva, Lishy Guy, Jesse Viviano, INVERTED, Neelix, Funnyfarmofdoom, Equendil, Slazenger, MC10, Red Director, SnootyClaus, Strom, Mr. 
XYZ, Shirulashem, UnDeRsCoRe, Rudá Almeida, Omicronpersei8, Rocket000, Thijs!bot, Epbr123, Blademaster313, N5iln, Laboye, Vertium, John254, James086, Leon7, Dan- freedman, Mule Man, Dawnseeker2000, Mentifisto, AntiVandalBot, Luna Santin, Widefox, Seaphoto, Oducado, Karthik sripal, Rhuggins- ahammond, JAnDbot, Xhienne, El Dominio, Vaclon, HellDragon, Mishrankur, Freedomlinux, VoABot II, Nyq, Jrg7891, SineWave, GODhack~enwiki, Indon, Cailil, Esanchez7587, Shuini, DidierStevens, Charitwo, Gwern, Atulsnischal, MartinBot, Axlq, Jonathan Hall, R'n'B, JohnNapier, J.delanoy, Patsyanks06, Legoboy2000, Catmoongirl, Didgeman, Mccajor, McSly, RichJizz123, Demizh, Evils Dark, Gurchzilla, AntiSpamBot, Dividing, LeighvsOptimvsMaximvs, Shoessss, Cue the Strings, Andrewcmcardle, Darryl L James, Bonadea, Martial75, Ditre, Anapologetos, ThePointblank, CardinalDan, Burlywood, Deor, VolkovBot, ABF, Jeff G., Sulcage, Rtrace, VasilievVV, Jacroe, Ryan032, Philip Trueman, PGSONIC, Af648, Zidonuke, Dorcots, Floddinn, Drake Redcrest, Rei-bot, Crohnie, Arnon Chaf- fin, Warrush, Anna Lincoln, Clarince63, Undine235, LeaveSleaves, ^demonBot2, Lukes123, Skittles266, BotKung, Hurleyman, Spec- Mode, Darkness0110, Madhero88, Peteritism, Haseo9999, Falcon8765, Enviroboy, Insanity Incarnate, Why Not A Duck, Spitfire8520, LittleBenW, AlleborgoBot, Logan, PGWG, Numbuh48, Firefoxobsession, Ramesseum, Softpile, Copana2002, SieBot, Teh nubkilr, Bot- Multichill, Krawi, Josh the Nerd, Caltas, Eagleal, RJaguar3, X-Fi6, Chiroz, Sephiroth storm, Johnnyeagleisrocker, Happysailor, Flyer22, Caidh, Oxymoron83, Kosack, Hobartimus, Drsamgo, Bcrom, Hamiltondaniel, AtteOOIE, Snarkosis, The sunder king, Martarius, Clue- Bot, Jimmyrules1, Damonkeyman889944, Avenged Eightfold, Binksternet, Artichoker, The Thing That Should Not Be, IceUnshattered, Lawrence Cohen, Ndenison, Wysprgr2005, Ascabastion, Zarkthehackeralliance, Mild Bill Hiccup, Piriczki, Infogaufire, CounterVandal- ismBot, Dandog77, Aabrol19, Dennistang2007, 
Gunnar Kreitz, Somno, Aua, Excirial, Jusdafax, PixelBot, Eeekster, Bde1982, Rhodo- dendrites, Mac1202, Lunchscale, WalterGR, Doctor It, Jaizovic, DanielPharos, JaneGrey, Taranet, VIKIPEDIA IS AN ANUS!, 7, Ran- jithsutari, Berean Hunter, Egmontaz, Alchemist Jack, Polemos~enwiki, XLinkBot, Spitfire, NiveusLuna, Jovianeye, Feinoha, TFOWR, ErkinBatu, Mifter, Alexius08, Noctibus, Addbot, Some jerk on the Internet, Landon1980, A.qarta, Friginator, Markyman12, Ronhjones, Ashton1983, Nirajdoshi, MrOllie, Download, Morning277, Ericzhang789, London-infoman, D.c.camero, Glane23, Exor674, SamatBot, Arteyu, Theman98, Politoed666, Numbo3-bot, Tide rolls, Legion79, Krano, Apteva, Teles, Zorrobot, Jarble, Arbitrarily0, Fdaneels, Koru3, Legobot, Helpfulweasal, Yobot, 2D, Fraggle81, Cflm001, Xxxpivjtxxx, NERVUN, Nallimbot, QueenCake, Sujit.jhare, South Bay, AnomieBOT, KDS4444, DemocraticLuntz, Rubinbot, Captain Quirk, Jim1138, Chuckiesdad, Materialscientist, Arezey, Frankenpuppy, Xqbot, Capricorn42, Robot85, Liorma, Bihco, Jsharpminor, KrisBogdanov, Mlpearc, S0aasdf2sf, GrouchoBot, Megamonkeyextreme, Ri- botBOT, SassoBot, TrueGlue, Amaury, JulianDelphiki, Shadowjams, SchnitzelMannGreek, Vanatom, Thehelpfulbot, Trojan1223, Fres- coBot, Untilabout9am, Daerlun, Clubmaster3, Michael93555, Scottaucoin89, A little insignificant, Haein45, HamburgerRadio, Mitchell virus, Launchballer, Winterst, I dream of horses, Vicenarian, Edderso, Jacobdead, A8UDI, Rihdiugam, Ddspec, Robo Cop, Pcuser42, GW- PSP090, Ksanexx, DixonDBot, Lamarmote, Miiszmylove, MichaelRivers, Vrenator, Reaper Eternal, Jeffrd10, Specs112, Vanished user aoiowaiuyr894isdik43, Ciscorx, Minimac, Ameypersonsave, DARTH SIDIOUS 2, MMS2013, Lowoox, SMARTCUTEFUNNYXD, Bran- donprince00, NerdyScienceDude, Limited2fan, Slon02, DASHBot, EmausBot, Super48paul, Fly by Night, L235, Tommy2010, Wikipelli, TheGeomaster, Skaera, Ida Shaw, Dalek32, Traxs7, Eldruin, EneMsty12, Lolcat56734, Coasterlover1994, Sahimrobot, L Kensington, Donner60, 
ClueBot NG, Cwmhiraeth, MuffinMan999, Gareth Griffith-Jones, MelbourneStar, Bped1985, Augustalex, Muon, Braincricket, Mesoderm, Rezabot, Widr, OKIsItJustMe, Madpigeon12, Strike Eagle, Titodutta, Complol2234343, Robbiecee2, Wiki13, MusikAni- mal, AvocatoBot, Desenagrator, Mark Arsten, Sbd01, Onewhohelps, 1ravensnflfan, Snow Blizzard, MrBill3, Glacialfox, Kelvinruttman, Tutelary, Niraj.adyyyy, Th4n3r, Hsr.rautela, Adhithyan15, ChrisGualtieri, MadGuy7023, JayMyers-NJITWILL, Ghostman1947, Rezo- nansowy, SoledadKabocha, Djairhorn, Lugia2453, JoshLyman2012, Jc86035, Siravneetsingh, Soda drinker, Sourov0000, Cablewoman, Bugzeeolboy, NimaBoscarino, RootSword, Dave Braunschweig, Epicgenius, CatBallSack, Eyesnore, Gaman0091, Khabir123, Kushay tita- nium, Someone not using his real name, Manish2911, Oranjelo100, Dannyruthe, Sathishguru, STH235SilverLover, Joseph 0515, Marp pro, Rkpayne, Monkbot, Sidharta.mallick, Filedelinkerbot, Abcdfeghtys, Laura J. Pyle, Biblioworm, TerryAlex, Classofthewise, Earthquake58, HamadPervaiz, Helpguy77, TQuentin, James the king12, JeremiahY, TeacherWikipedia, OldMcdonald12345 and Anonymous: 1149 • Vulnerability (computing) Source: http://en.wikipedia.org/wiki/Vulnerability%20(computing)?oldid=661677087 Contributors: Kku, CesarB, Ronz, Joy, Eugene van der Pijll, Phil Boswell, ZimZalaBim, Waldo, Sdfisher, Jason Quinn, Wmahan, Utcursch, Beland, White- Dragon, Quarl, FrozenUmbrella, Mozzerati, Discospinster, Xezbeth, Mani1, Adequate~enwiki, InShaneee, Velella, Mindmatrix, Ahouse- holder, Ruud Koot, Macaddct1984, Mandarax, Tslocum, BD2412, Ketiltrout, Rjwilmsi, Jweiss11, ElKevbo, Naraht, Brownh2o, Chobot, YurikBot, Gardar Rurak, Gaius Cornelius, Irishguy, Gruffi~enwiki, Perry Middlemiss, Mugunth Kumar, Abune, SmackBot, Mmernex, AnOddName, Gilliam, PJTraill, Chris the speller, Persian Poet Gal, Manuc66~enwiki, JonHarder, Solarapex, Chris palmer, Mistress Selina Kyle, FlyHigh, Lambiam, Derek farn, Xandi, Beetstra, Ehheh, Nevuer, Dreftymac, JoeBot, 
Jbolden1517, Penbat, Vanished user fj0390923roktg4tlkm2pkd, Thijs!bot, EdJohnston, Obiwankenobi, Dman727, Eleschinski2000, S.C.F, Esanchez7587, CliffC, Fleetflame, Ash, Jesant13, Anant k, Sarveshbathija, Touisiau, Jramsey, Tanjstaffl, TXiKiBoT, Softtest123, Zhenqinli, Michaeldsuarez, Haseo9999, Swwiki, LittleBenW, Sassy410, JuTiLiu, Securityphreaks, Phe-bot, Cenzic, Jojalozzo, Jruderman, Ottawahitech, Dcampbell30, Liquifried, WalterGR, DanielPharos, PotentialDanger, Sensiblekid, Fathisules, Addbot, Larry Yuma, SpBot, Tide rolls, Luckas-bot, BaldPark, Yobot, Djptechie, Sweerek, AnomieBOT, MistyHora, Bluerasberry, ArthurBot, The Evil IP address, RibotBOT, Pradameinhoff, Bentisa, Erik9, FrescoBot, Kitaure, HamburgerRadio, Pinethicket, Guriaz, Tool789789, Dtang2, Lotje, DARTH SIDIOUS 2, VernoWhitney, EmausBot, John of Reading, Logical Cowboy, Timtempleton, Pastore Italy, ClueBot NG, Ptrb, Shajure, Emilyisdistinct, J23450N, AvocatoBot, Exer- cisephys, Mrebe1983, Mdann52, Mrt3366, Mediran, Codename Lisa, Mogism, Pharrel101, Wieldthespade, Krazy alice, OccultZone, Pat power11, Monkbot, S166865h, Balancesheet, Greenmow and Anonymous: 105 • White hat (computer security) Source: http://en.wikipedia.org/wiki/White%20hat%20(computer%20security)?oldid=662295700 Con- tributors: Pnm, Tango, Timwi, Joy, Jerzy, Altenmann, Pengo, Kenny sh, Gracefool, RoToRa, R. 
fiend, Quarl, Neutrality, Brianjd, JS Nelson, Discospinster, Smyth, Goplat, AndrewM1, Aranel, Mattingly23, Sietse Snel, Bobo192, Adrian~enwiki, HasharBot~enwiki, Alansohn, Khaim, CivilianJones, M3tainfo, Sciurinæ, Guthrie, H2g2bob, Bsadowski1, Sfacets, Richwales, True~enwiki, Woohookitty, Mindmatrix, Qwertyus, Jclemens, Reisio, Rjwilmsi, Tizio, Wiarthurhu, WhiteBoy, JYOuyang, RexNL, Quuxplusone, Chobot, YurikBot, Borgx, Kerowren, Hydrargyrum, Stephenb, Wimt, Korny O'Near, Awyllie, Rwalker, Intershark, Zzuuzz, Rsriprac, 404notfound, CWenger, That Guy, From That Show!, SmackBot, Estoy Aquí, Rtc, Primetime, KVDP, Mauls, Yamaguchi, Gilliam, Ohnoitsjamie, Oscarthecat,

Thumperward, Rediahs, A. B., BlackbeardSCBC, Pegua, Thejut, Pax85, Djm101, Zchenyu, Kuru, Robofish, Neokamek, Stratadrake, Gi- jake, Beetstra, Hu12, Iambagels, Colonel Warden, NativeForeigner, Beno1000, Kingoomieiii, JohnCD, DaveK@BTC, Neelix, Phatom87, The Librarian at Terminus, Sp!ke, Gogo Dodo, Chasingsol, Omicronpersei8, Epbr123, JNighthawk, Headbomb, Marek69, Tsschwartz, Seaphoto, Froglegs114, Harryzilber, MER-C, Skomorokh, Fetchcomms, GoodDamon, Y2kcrazyjoker4, Mjhmach5, JamesBWatson, Arc- tific, Testla, Web-Crawling Stickler, JonWinge, Thompson.matthew, Lunakeet, FisherQueen, MartinBot, Xumbra, RockMFR, J.delanoy, Ncmvocalist, AntiSpamBot, NewEnglandYankee, Cometstyles, Dkovalak, Bonadea, Jarry1250, Elephant101, Dog777, VolkovBot, Alnok- taBOT, Philip Trueman, TXiKiBoT, Securitytester, Martin451, BotKung, Doug, Falcon8765, Unused0030, Monty845, A pop machine, Mmairs, Whitehatnetizen, Neil Smithline, Ml-crest, Sephiroth storm, Rahk EX, KathrynLybarger, OKBot, Diego Grez, ClueBot, Bad- ger Drink, Ddonzal, Pitt the elder, Marktompsett, Excirial, Cronus111, Rhododendrites, Andrew81446, Elizium23, Jinxpuppy, C628, 9010154g, Jasburger, GoldenPhoenix, DumZiBoT, Neuralwarp, XLinkBot, Jediknight304, Johndci, Addbot, ZXZYZXZY, CL, Proxima Centauri, Buddha24, Muiranec, Yobot, THEN WHO WAS PHONE?, Tree-hugger-for-mccain, South Bay, Tom87020, Materialscientist, Wodawik, Naga.naga2009, Obersachsebot, Xqbot, CXCV, Peterdx, Pradameinhoff, Bellerophon, Architectchamp, Moby-Dick3000, Ex- tralars, Romangralewicz, DivineAlpha, Terence88, Pinethicket, Skyerise, Jandalhandler, Napsss, Krilykki, Lotje, Aoidh, Jeffrd10, No One of Consequence, RjwilmsiBot, Alexandru47, Beyond My Ken, EmausBot, WikitanvirBot, Hirsutism, Dewritech, Arfharwinder, Ida Shaw, Fæ, Josephkristianblack, Kilopi, Tolly4bolly, Donner60, Nayak.rakesh70, ClueBot NG, Unscintillating, WhitehatGuru, Tws6-NJITWILL, ScottSteiner, Mohsinmahfooz, Joshuajohnson555, Emasterashu, HMSSolent, Xcyss, DanyXyz, BattyBot, 
Smbcxkcd, Darylgolden, Frosty, Aroratrishneet, Pkcoolpk, Malerooster, Dr Dinosaur IV, Mongo Feels Better, Babitaarora, Jeffmeares, Ginsuloft, Saniya2090, Akshay0000, HelenaKitty, Pushpinder Joshi, Behroznathwani, FourViolas, Shesgirlfriday, Hoaxing, Prashanth 744, Jugad.ab, Rohi4417 and Anonymous: 261 • Hacker (programmer subculture) Source: http://en.wikipedia.org/wiki/Hacker%20(programmer%20subculture)?oldid=662486288 Contributors: The Anome, Aldie, Phil Bordelon, ChangChienFu, Edward, Liftarn, Gabbe, Zanimum, TakuyaMurata, Dori, AquaRichy, Stan Shebs, Stevenj, Pratyeka, Ylbissop, Dysprosia, Altenmann, Lowellian, Chris Roy, Pengo, Martinwguy, Eric S. Raymond, Kolab, Ich, Ds13, Mboverload, AlistairMcMillan, Elmindreda, Vanished user wdjklasdjskla, Neilc, Utcursch, Piotrus, Billposer, Gscshoyru, Trek011~enwiki, Rich Farmbrough, Triskaideka, Gronky, Bender235, Nabla, El C, Pikestaff, Army1987, Ypacaraí, ·~enwiki, Blotwell, Pearle, Diego Moya, Sl, Bart133, Paul1337, Astralnaut, H2g2bob, Versageek, Ringbang, Markaci, Mindmatrix, Daira Hopwood, WadeS- imMiser, The Wordsmith, Exxolon, Marudubshinki, Mycro, Windchaser, Quuxplusone, Jamessnell, Ahpook, WriterHound, Elfguy, Piet Delport, Kerowren, Proidiot, Abb3w, Froth, Janizary, Karora, SmackBot, Rtc, 6Akira7, Scifiintel, Renesis, Edgar181, Unforgettableid, Gilliam, Thumperward, Audriusa, Frap, Dee man 45, Pete Fenelon, Dmitrios, Cybercobra, N Shar, AmiDaniel, Dwpaul, Al1encas1no, Colonel Warden, Twas Now, Tawkerbot2, Kingoomieiii, JForget, Paulmlieberman, ShelfSkewed, Lentower, Neelix, JustAGal, AntiVan- dalBot, Joachim Michaelis, Dylan Lake, Vendettax, Utopiantheorist, Tedickey, Thireus, Scenestar, STBot, R'n'B, VirtualDelight, J.delanoy, Falljorda, Cometstyles, Jevansen, Funandtrvl, Jeff G., Rocka89, Comrade Graham, Getonyourfeet, Falcon8765, Scarian, Phe-bot, To- pher385, DancingPhilosopher, Svick, Torchwoodwho, Martarius, ClueBot, The Thing That Should Not Be, TableManners, Ndenison, Bob bobato, Trivialist, 
Excirial, OpinionPerson, Rhododendrites, Andrew81446, Subash.chandran007, Anonymasity, Bearsona, XLinkBot, David Delony, Dsimic, Addbot, Jojhutton, Grandscribe, Fluffernutter, TSWcontentlady, MrOllie, Glane23, Roux, AgadaUrbanit, Light- bot, OlEnglish, Jarble, Yobot, Eric-Wester, AnomieBOT, Rjanag, Aditya, Darolew, Materialscientist, MaxWinsForever, Karlzt, 2ndAc- count, Joaquin008, A. di M., FrescoBot, W3bW4rL0cK, Citation bot 1, Pinethicket, Jonesey95, Eagles247, Skyerise, Robvanvee, Detox- icated, Aoidh, Jeffrd10, Lynkynpark86, Scil100, Grrow, Dewritech, Wikipelli, Younghackerx, QEDK, Cosman246, Coasterlover1994, Palosirkka, Bk314159, Puffin, Ego White Tray, Tijfo098, ClueBot NG, Peter James, Gilderien, Decepticon1, Magister Scienta, Reify- tech, Nick7244, BG19bot, Arbsn, Eugén Jung, MusikAnimal, Valentine Wyggin, Bhanusharma027, Harban.mital, Hasimas, Avantiext, ChrisGualtieri, Billyshiverstick, Shikhil sharma(ethical hacker), Hnfiurgds, BreakfastJr, Jennpliu, NickDragonRyder, Blosoya, TheBigBad- HACKAH, Usman ki rani, Lakun.patra, Rotaryphone111, Orhanbajrami, PShermz, S166865h, OMPIRE, Aerial1030, Crystallizedcarbon, Anonymous6767, TheGamingMuffin and Anonymous: 176 • Hacker ethic Source: http://en.wikipedia.org/wiki/Hacker%20ethic?oldid=660465151 Contributors: The Anome, Vovkav~enwiki, Michael Hardy, Pnm, Dori, (, Darkwind, Dpbsmith, Jeffq, Pengo, DocWatson42, Long John Silver~enwiki, Ashmodai, Rich Farm- brough, Harriv, Gronky, Bobo192, Army1987, Adrian~enwiki, H0mee, Batmanand, Keziah, Danaman5, H2g2bob, Markaci, True~enwiki, Mindmatrix, Marudubshinki, Cuvtixo, Aputtu, Mycro, WhyBeNormal, Bjwebb, YurikBot, NTBot~enwiki, Gaius Cornelius, Trisapeace, Nlu, [email protected], Victor falk, Karora, SmackBot, Rtc, InverseHypercube, Gilliam, Chris the speller, Thumperward, Oli Filth, Audriusa, Frap, Xillion, Vanished user 9i39j3, Unclaimed avatar, Noah Salzman, Doczilla, Wwagner, Spinnick597, Colonel War- den, Johnthescavenger, Beno1000, Markg123, JohnCD, 
Tomchance, Shandris, Neelix, Victornrm, Jcmtan, XP105, Sirmylesnagopaleen- theda, Omicronpersei8, Thijs!bot, Carolmooredc, Pixelface, Leuko, Lsi, SteveSims, Magioladitis, Gwern, ArcAngel, Jdfulmer, Green- Runner0, Eliz81, Rich Janis, AllGloryToTheHypnotoad, Aphilo, Andy Dingley, Tomaxer, Fischer.sebastian, Indexum, Hmwith, Scarbrow, Mikemoral, Mikazo, Sethop, Denisarona, Floorwalker, Mr. Granger, Noctivigant wow, AlexConnell, Tangmas214, John723, Qianruo- mas214, Rhododendrites, Nguyenmas214, SjaichudinMAS214, Hilton214, Dmyersturnbull, Lombana, Kakofonous, Error −128, Black- Death3, RyanCross, Linuxguymarshall, JWCurtis2003, TSWcontentlady, AnnaFrance, MisterB777, Lightbot, Jarble, Legobot, Yobot, AnomieBOT, Lphung32, Paterson229, Parker229, Xqbot, Hamiltonmas229, Ahernmas214, Cloutmas229, Rawhunger, Pradameinhoff, Sophus Bie, Harkflatline, D'ohBot, Mhollo, Citation bot 1, Pinethicket, Kiefer.Wolfowitz, Zeptozoid, Ingrid Krunge, Wakelamp, Daulfn, Ripchip Bot, MithrandirAgain, Ego White Tray, Will Beback Auto, ClueBot NG, Reify-tech, Helpful Pixie Bot, Sbark26, Whitehatpeople, HelioSeven, Ugncreative Usergname, Mottengott, Avantiext, CheezRulez, Webclient101, Hnfiurgds, Eugpop2014, OMPIRE, Bcbethevans and Anonymous: 84

33.9.2 Images

• File:2010-T10-ArchitectureDiagram.png Source: http://upload.wikimedia.org/wikipedia/commons/8/86/2010-T10-ArchitectureDiagram.png License: CC BY-SA 3.0 Contributors: http://www.owasp.org/index.php/File:2010-T10-ArchitectureDiagram.png Original artist: Neil Smithline
• File:2600_Hz.ogg Source: http://upload.wikimedia.org/wikipedia/commons/f/fe/2600_Hz.ogg License: Public domain Contributors: Own work Original artist: H2g2bob
• File:Abene9_2005.jpg Source: http://upload.wikimedia.org/wikipedia/commons/d/d6/Abene9_2005.jpg License: Public domain Contributors: ? Original artist: ?
• File:Ambox_globe_content.svg Source: http://upload.wikimedia.org/wikipedia/commons/b/bd/Ambox_globe_content.svg License: Public domain Contributors: Own work, using File:Information icon3.svg and File:Earth clip art.svg Original artist: penubag

• File:Ambox_important.svg Source: http://upload.wikimedia.org/wikipedia/commons/b/b4/Ambox_important.svg License: Public domain Contributors: Own work, based off of Image:Ambox scales.svg Original artist: Dsmurat (talk · contribs)
• File:Ambox_rewrite.svg Source: http://upload.wikimedia.org/wikipedia/commons/1/1c/Ambox_rewrite.svg License: Public domain Contributors: self-made in Inkscape Original artist: penubag
• File:Bending.jpg Source: http://upload.wikimedia.org/wikipedia/commons/b/bd/Bending.jpg License: CC BY-SA 2.5 Contributors: Own work - Original artist: Holotone / Holotone at en.wikipedia
• File:Botnet.svg Source: http://upload.wikimedia.org/wikipedia/commons/c/c6/Botnet.svg License: CC BY-SA 3.0 Contributors: Own work Original artist: Tom-b
• File:CPU_ring_scheme.svg Source: http://upload.wikimedia.org/wikipedia/commons/2/25/CPU_ring_scheme.svg License: CC-BY-SA-3.0 Contributors: This vector image was created with Inkscape. Original artist: User:Sven, original Author User:Cljk
• File:ClamAV0.95.2.png Source: http://upload.wikimedia.org/wikipedia/commons/2/2f/ClamAV0.95.2.png License: GPL Contributors: my PC running Ubuntu 9.04 Original artist:
• File:ClamTK3.08.jpg Source: http://upload.wikimedia.org/wikipedia/commons/2/26/ClamTK3.08.jpg License: GPL Contributors: Own work (own screenshot) Original artist: Dave Mauroni
• File:Commons-logo.svg Source: http://upload.wikimedia.org/wikipedia/en/4/4a/Commons-logo.svg License: ? Contributors: ? Original artist: ?
• File:.svg Source: http://upload.wikimedia.org/wikipedia/commons/5/53/Conficker.svg License: CC BY-SA 3.0 Contributors: Own work Original artist: Gppande
• File:Crystal_Clear_device_cdrom_unmount.png Source: http://upload.wikimedia.org/wikipedia/commons/1/10/Crystal_Clear_device_cdrom_unmount.png License: LGPL Contributors: All Crystal Clear icons were posted by the author as LGPL on kde-look; Original artist: Everaldo Coelho and YellowIcon;
• File:DC13_Badge.jpg Source: http://upload.wikimedia.org/wikipedia/commons/8/84/DC13_Badge.jpg License: Public domain Contributors: enwiki (http://en.wikipedia.org/wiki/Image:DC13_Badge.jpg) “Took image in bedroom. Origional can be found at the following: http://google.gotdns.com/modules.php?name=coppermine&file=displayimage&album=96&cat=0&pos=12". (en:Prosavage2600) Original artist: en:Prosavage2600
• File:DEF_CON_17_CTF_competition.jpg Source: http://upload.wikimedia.org/wikipedia/commons/4/47/DEF_CON_17_CTF_competition.jpg License: CC BY 2.0 Contributors: Flickr Original artist: Nate Grigg
• File:Disambig_gray.svg Source: http://upload.wikimedia.org/wikipedia/en/5/5f/Disambig_gray.svg License: Cc-by-sa-3.0 Contributors: ? Original artist: ?
• File:Edit-clear.svg Source: http://upload.wikimedia.org/wikipedia/en/f/f2/Edit-clear.svg License: Public domain Contributors: The Tango! Desktop Project. Original artist: The people from the Tango! project. And according to the meta-data in the file, specifically: “Andreas Nilsson, and Jakub Steiner (although minimally).”
• File:Encryption_-_decryption.svg Source: http://upload.wikimedia.org/wikipedia/commons/b/bf/Encryption_-_decryption.svg License: CC-BY-SA-3.0 Contributors: based on png version originally uploaded to the English-language Wikipedia by mike40033, and moved to the Commons by MichaelDiederich. Original artist: odder
• File:Firewall.png Source: http://upload.wikimedia.org/wikipedia/commons/5/5b/Firewall.png License: CC BY-SA 3.0 Contributors: Feito por mim Original artist: Bruno Pedrozo
• File:Firewall_bw.png Source: http://upload.wikimedia.org/wikipedia/commons/1/10/Firewall_bw.png License: GPL Contributors: http://www.opendesktop.org/content/show.php?content=72618 Original artist: DBGthekafu
• File:Flag_of_Las_Vegas,_Nevada.svg Source: http://upload.wikimedia.org/wikipedia/commons/e/ed/Flag_of_Las_Vegas%2C_Nevada.svg License: Public domain Contributors: Own work Original artist: Dyfsunctional
• File:Folder_Hexagonal_Icon.svg Source: http://upload.wikimedia.org/wikipedia/en/4/48/Folder_Hexagonal_Icon.svg License: Cc-by-sa-3.0 Contributors: ? Original artist: ?
• File:Free_Software_Portal_Logo.svg Source: http://upload.wikimedia.org/wikipedia/commons/3/31/Free_and_open-source_software_logo_%282009%29.svg License: Public domain Contributors: FOSS Logo.svg Original artist: Free Software Portal Logo.svg (FOSS Logo.svg): ViperSnake151
• File:Glider.svg Source: http://upload.wikimedia.org/wikipedia/commons/4/45/Glider.svg License: Public domain Contributors: Hacker Emblem Original artist: Eric S. Raymond
• File:Gnome-mime-sound-openclipart.svg Source: http://upload.wikimedia.org/wikipedia/commons/8/87/Gnome-mime-sound-openclipart.svg License: Public domain Contributors: Own work. Based on File:Gnome-mime-audio-openclipart.svg, which is public domain. Original artist: User:Eubulides
• File:Gufw_10.04.4.png Source: http://upload.wikimedia.org/wikipedia/commons/b/ba/Gufw_10.04.4.png License: GPL Contributors: http://gufw.tuxfamily.org Original artist: ?
• File:Internet_map_1024.jpg Source: http://upload.wikimedia.org/wikipedia/commons/d/d2/Internet_map_1024.jpg License: CC BY 2.5 Contributors: Originally from the English Wikipedia; description page is/was here. Original artist: The Opte Project
• File:Internet_map_1024_-_transparent.png Source: http://upload.wikimedia.org/wikipedia/commons/b/bd/Internet_map_1024_-_transparent.png License: CC BY 2.5 Contributors: Originally from the English Wikipedia; description page is/was here. Original artist: The Opte Project
• File:Keylogger-hardware-PS2-example-connected.jpg Source: http://upload.wikimedia.org/wikipedia/commons/d/dc/Keylogger-hardware-PS2-example-connected.jpg License: GFDL Contributors: http://www.weboctopus.nl/webshop/img/p/59-430-large.jpg Original artist: http://www.weboctopus.nl

• File:Keylogger-hardware-PS2.jpg Source: http://upload.wikimedia.org/wikipedia/commons/1/11/Keylogger-hardware-PS2.jpg License: Copyrighted free use Contributors: http://www.keylogger-keyloggers.nl/images/keylogger_company_keylogger_hardware_PS2.jpg Original artist: www.keylogger-keyloggers.nl
• File:Keylogger-screen-capture-example.png Source: http://upload.wikimedia.org/wikipedia/commons/2/22/Keylogger-screen-capture-example.png License: ? Contributors: Own work Original artist: own work
• File:Keylogger-software-logfile-example.jpg Source: http://upload.wikimedia.org/wikipedia/commons/c/c4/Keylogger-software-logfile-example.jpg License: GPL Contributors: Own work in combination with the keylogger program http://pykeylogger.sourceforge.net/ and the text editor http://notepad-plus.sourceforge.net/ Original artist: Own work
• File:Lamo-Mitnick-Poulsen.png Source: http://upload.wikimedia.org/wikipedia/commons/f/fa/Lamo-Mitnick-Poulsen.png License: Public domain Contributors: en:Image:Lmp.jpg Original artist: Matthew Griffiths
• File:Michael_Lynn_Black_Hat_Briefing_Las_Vegas_2005.jpg Source: http://upload.wikimedia.org/wikipedia/commons/5/5b/Michael_Lynn_Black_Hat_Briefing_Las_Vegas_2005.jpg License: Public domain Contributors: ? Original artist: ?
• File:Monitor_padlock.svg Source: http://upload.wikimedia.org/wikipedia/commons/7/73/Monitor_padlock.svg License: CC BY-SA 3.0 Contributors: Transferred from en.wikipedia; transferred to Commons by User:Logan using CommonsHelper. Original artist: Lunarbunny (talk). Original uploader was Lunarbunny at en.wikipedia
• File:Morris_Worm.jpg Source: http://upload.wikimedia.org/wikipedia/commons/b/b6/Morris_Worm.jpg License: CC BY-SA 2.0 Contributors: Museum of Science - Morris Internet Worm Original artist: Go Card USA from Boston, USA
• File:Netfilter-packet-flow.svg Source: http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg License: CC BY-SA 3.0 Contributors: Own work, Origin SVG PNG Original artist: Jengelh
• File:PersonalStorageDevices.agr.jpg Source: http://upload.wikimedia.org/wikipedia/commons/8/87/PersonalStorageDevices.agr.jpg License: CC-BY-SA-3.0 Contributors: I took this photograph of artifacts in my possession Original artist: --agr 15:53, 1 Apr 2005 (UTC)
• File:Portal-puzzle.svg Source: http://upload.wikimedia.org/wikipedia/en/f/fd/Portal-puzzle.svg License: Public domain Contributors: ? Original artist: ?
• File:Question_book-new.svg Source: http://upload.wikimedia.org/wikipedia/en/9/99/Question_book-new.svg License: Cc-by-sa-3.0 Contributors: Created from scratch in Adobe Illustrator. Based on Image:Question book.png created by User:Equazcion Original artist: Tkgd2007
• File:Rkhunter_Ubuntu.png Source: http://upload.wikimedia.org/wikipedia/en/5/5c/Rkhunter_Ubuntu.png License: ? Contributors: Screenshot taken in Ubuntu Original artist: Michael Boelen et al
• File:Rkhunter_on_Mac_OS_X.png Source: http://upload.wikimedia.org/wikipedia/commons/c/c0/Rkhunter_on_Mac_OS_X.png License: GPL Contributors: Transferred from en.wikipedia; transferred to Commons by User:IngerAlHaosului using CommonsHelper. Original artist: Original uploader was CyberSkull at en.wikipedia. Later version(s) were uploaded by Eliashc at en.wikipedia.
• File:RootkitRevealer.png Source: http://upload.wikimedia.org/wikipedia/en/9/9c/RootkitRevealer.png License: Fair use Contributors: http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx Original artist: ?
• File:Scale_of_justice_2.svg Source: http://upload.wikimedia.org/wikipedia/commons/0/0e/Scale_of_justice_2.svg License: Public domain Contributors: Own work Original artist: DTR
• File:Stering.jpg Source: http://upload.wikimedia.org/wikipedia/commons/f/fb/Stering.jpg License: BSD Contributors: Transferred from en.wikipedia; transferred to Commons by User:IngerAlHaosului using CommonsHelper. Original artist: Original uploader was Lamendoluz at en.wikipedia
• File:U.S._Navy_Cyber_Defense_Operations_Command_monitor.jpg Source: http://upload.wikimedia.org/wikipedia/commons/d/d6/U.S._Navy_Cyber_Defense_Operations_Command_monitor.jpg License: Public domain Contributors: http://www.navy.mil/management/photodb/photos/081203-N-2147L-390.jpg Original artist: Mass Communications Specialist 1st Class Corey Lewis, U.S. Navy
• File:Virus_Blaster.jpg Source: http://upload.wikimedia.org/wikipedia/commons/e/ec/Virus_Blaster.jpg License: Public domain Contributors: http://nuevovirus.info/virus-blaster/ Original artist: admin
• File:Wiki_letter_w_cropped.svg Source: http://upload.wikimedia.org/wikipedia/commons/1/1c/Wiki_letter_w_cropped.svg License: CC-BY-SA-3.0 Contributors: Wiki_letter_w.svg Original artist: Wiki_letter_w.svg: Jarkko Piiroinen
• File:Wikibooks-logo-en-noslogan.svg Source: http://upload.wikimedia.org/wikipedia/commons/d/df/Wikibooks-logo-en-noslogan.svg License: CC BY-SA 3.0 Contributors: Own work Original artist: User:Bastique, User:Ramac et al.
• File:Wiktionary-logo-en.svg Source: http://upload.wikimedia.org/wikipedia/commons/f/f8/Wiktionary-logo-en.svg License: Public domain Contributors: Vector version of Image:Wiktionary-logo-en.png. Original artist: Vectorized by Fvasconcellos (talk · contribs), based on original logo tossed together by Brion Vibber
• File:Wiktionary-logo.svg Source: http://upload.wikimedia.org/wikipedia/commons/e/ec/Wiktionary-logo.svg License: CC BY-SA 3.0 Contributors: ? Original artist: ?
• File:Windows_ActiveX_security_warning_(malware).png Source: http://upload.wikimedia.org/wikipedia/en/7/71/Windows_ActiveX_security_warning_%28malware%29.png License: ? Contributors: ? Original artist: ?

33.9.3 Content license

• Creative Commons Attribution-Share Alike 3.0