TANGLED WEB Tales of Digital Crime from the Shadows of Cyberspace
RICHARD POWER
A Division of Macmillan USA
201 West 103rd Street, Indianapolis, Indiana 46290

Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
Copyright 2000 by Que Corporation

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-7897-2443-x
Library of Congress Catalog Card Number: 00-106209
Printed in the United States of America
First Printing: September 2000
02 01 00 4 3 2

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Corporation cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Associate Publisher: Tracy Dunkelberger
Acquisitions Editor: Kathryn Purdum
Development Editor: Hugh Vandivier
Managing Editor: Thomas Hayes
Project Editor: Tonya Simpson
Copy Editor: Michael Dietsch
Indexer: Erika Millen
Proofreader: Benjamin Berg
Team Coordinator: Vicki Harding
Design Manager: Sandra Schroeder
Cover Designer: Anne Jones
Interior Designer: Trina Wurst
Product Marketing Manager: Amy Neidlinger
Publicity: Gardi Ipema Wilks
Layout Technicians: Ayanna Lacey, Heather Hiatt Miller, Stacey Richwine-DeRome

Contents at a Glance
Foreword xi
I Crime, War, and Terror in the Information Age 1
1 Welcome to the Shadow Side of Cyberspace 3
2 Inside the Mind of the Cybercriminal 9
3 Been Down So Long It Looks Like Up To Me: The Extent and Scope of the Cybercrime Problem 21
4 Let It Bleed: The Cost of Computer Crime and Related Security Breaches 39
II Hackers, Crackers, and Virus Writers 53
5 Did the 1990s Begin with a Big Lie? 55
6 Joy Riders: Mischief That Leads to Mayhem 65
7 Grand Theft Data: Crackers and Cyber Bank Robbers 87
8 Hacktivists and Cybervandals 115
9 The $80 Million Lap Dance and the $10 Billion Love Letter 141
III Spies and Saboteurs 157
10 Corporate Spies: Trade Secret Theft in Cyberspace 159
11 Insiders: The Wrath of the Disgruntled Employee 179
12 Infowar and Cyberterror: The Sky Is Not Falling, But… 191
IV Muggers and Molesters in Cyberspace 213
13 Identity Theft 215
14 Child Pornography on the Internet 223
V The Defense of Cyberspace 229
15 Inside Fortune 500 Corporations 231
16 Inside Global Law Enforcement 249
17 Inside the U.S. Federal Government 263
18 Countermeasures 279
Epilogue: The Human Factor 313
VI Appendixes 325
Glossary 327
A U.S. Laws and International Treaties 339
B Excerpt from Criminal Affidavit in the Ardita Case 369
C Resources and Publications 387
Index 403

Table of Contents

I Crime, War, and Terror in the Information Age 1
1 Welcome to the Shadow Side of Cyberspace 3
    Types of Cybercrime 4
    Types of Cybercriminals 6
2 Inside the Mind of the Cybercriminal 9
    “Stereotyping Can Be Dangerous” 10
    “Intense Personal Problems” Are the Key 13
3 Been Down So Long It Looks Like Up To Me: The Extent and Scope of the Cybercrime Problem 21
    The CSI/FBI Computer Crime and Security Survey 22
    Whom We Asked 24
    Outlaw Blues 26
    Types of Cyberattack 28
    To Report or Not to Report 28
    The Truth Is Out There 32
    A Note on Methodology 32
    Relevant Data from Other Sources 33
    CERT/CC Statistics 33
    Dan Farmer’s Internet Security Survey 35
    WarRoom Research’s Information Security Survey 35
    Conclusions 38
4 Let It Bleed: The Cost of Computer Crime and Related Security Breaches 39
    How Do You Quantify Financial Losses Due to Info Security Breaches? 44
    You Can’t Fully Quantify the Loss if You Haven’t Valued the Resource 44
    System Penetration from the Outside 47
    Unauthorized Access from the Inside 47
    Sabotage of Data or Network Operations 48
    Malicious Code 48
    Don’t Underestimate “Soft Costs” 48
    If We Can Quantify Losses, We Can Calculate ROI 50
II Hackers, Crackers, and Virus Writers 53
5 Did the 1990s Begin with a Big Lie? 55
    The First Serious Infrastructure Attack? 55
    Public Cyberenemy No. 1? 57
    The Worms Crawl In, the Worms Crawl Out… 60
    What the Morris Worm Did to Systems 61
    What the Morris Worm Demonstrated 63
    Conclusion 64
6 Joy Riders: Mischief That Leads to Mayhem 65
    The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force 66
    Investigators Wrestle with Legal Issues and Technical Limitations 68
    Datastream Cowboy’s Biggest Mistake 69
    Scotland Yard Closes in on Datastream Cowboy 71
    Kuji Hacks into Goddard Space Flight Center 72
    Kuji Attempts to Hack NATO HQ 72
    Scotland Yard Knocks on Datastream Cowboy’s Door 73
    Kuji’s Identity Is Finally Revealed 74
    Who Can Find the Bottom Line? 75
    HotterthanMojaveinmyheart: The Case of Julio Cesar Ardita 76
    How the Search for “El Griton” Began 77
    Ardita’s Biggest Mistake 79
    No Ordinary Wiretap 80
    Debriefing “El Griton” 80
    The Solar Sunrise Case: Mak, Stimpy, and Analyzer Give the DoD a Run for Its Money 81
    Conclusion 85
7 Grand Theft Data: Crackers and Cyber Bank Robbers 87
    The Case of Carlos “SMAK” Salgado 88
    Diary of a Computer Crime Investigation 88
    Don’t Underestimate Internet-Based Credit Card Theft 91
    The Crest of an Electronic Commerce Crime Wave? 91
    Citibank 92
    Where Did It All Begin? How Did It Happen? 93
    Misconceptions Dispelled 93
    What It Took To Take Levin Down 95
    You Don’t Know How Lucky You Are, Boys…Back in the USSR: Unanswered Questions About Megazoid and the Russian Mafia 99
    From Russia With Love: The Sad Tale of Ekaterina and Evygeny 100
    The Phonemasters Case 102
    How the Phonemasters Almost Blunder into Discovering the FBI’s Surveillance 105
    A “Dream Wiretap” Results in an Enormous Challenge 105
    Quantifying the Financial Losses Proved Essential in Court 107
    “The Number You Have Reached Has Been Disconnected…” 113
8 Hacktivists and Cybervandals 115
    Hackers Run Amok in “Cesspool of Greed” 116
    Schanot Goes Underground 120
    Schanot’s Indictment and Capture 121
    How Schanot Rang Southwestern’s Bell 122
    Attack of the Zombies 124
    Once Upon A Time, An Eerie Calm Descended on Cyberspace… 125
    Blow by Blow 126
    How DDoS Works 127
    Who Launched the Attacks and Why 127
    Aftermath 129
    Calculating the Financial Impact 132
    The Moral of the Tale 133
9 The $80 Million Lap Dance and the $10 Billion Love Letter 141
    The $80 Million Lap Dance 143
    “My Baby, She Wrote Me a Letter…” 148
vi TANGLED WEB
III Spies and Saboteurs 157
10 Corporate Spies: Trade Secret Theft in Cyberspace 159
    The Corporate World’s Dirty, Little, Secret War 160
    Some Real-World Tales of Economic Espionage 166
    Tit for Tat? State-Sponsored Economic Espionage 169
    EEA Sinks Its Teeth In 173
11 Insiders: The Wrath of the Disgruntled Employee 179
    Types of Cyberattack by Insiders 179
    Oracle Scorned: The Unauthorized Access of Adelyn Lee 181
    Omega Man: The Implosion of Tim Lloyd 183
12 Infowar and Cyberterror: The Sky Is Not Falling, But… 191
    Cyberwar in Kosovo? 196
    China, U.S., and Taiwan: Has Code War Replaced Cold War? 200
    Storming the Digital Bastille 203
    Helter Skelter in Cyberspace 204
    Digital Dirty Tricks and Cyber Plumbers 208
    Defensive Information Warfare 209
IV Muggers and Molesters in Cyberspace 213
13 Identity Theft 215
14 Child Pornography on the Internet 223
    Do You Have Your Priorities Straight? 225
V The Defense of Cyberspace 229
15 Inside Fortune 500 Corporations 231
    How to Structure Your Information Security Unit 232
    Where Should Your Information Security Unit Report? 238
16 Inside Global Law Enforcement 249
    National Infrastructure Protection Center (NIPC) 250
    The Role of Computer Analysis Response Team (CART) 252
    “Isn’t It Good, Norwegian Wood…” 255
    Case Study in the Struggle Over Subscriber Data 257
    U.S. Law Versus Norwegian Law 259
    Council of Europe Floats a Cybercrime Treaty 260
17 Inside the U.S. Federal Government 263
    Inside the Pentagon 265
    What’s Going On in the Murky Waters at Foggy Bottom? 268
    FAA Secured on a Wing and a Prayer? 270
    Lessons Learned from the NASA Probe 272
    Is Something Nasty Floating in Your Alphabet Soup? 273
    Harold Nicholson, Traitor 273
    Douglas Groat, Would-Be Traitor 274
    John Deutch: A Good Man Blunders 274
    King and Lipka, Traitors 276
    Conclusion 276
18 Countermeasures 279
    Organizational Issues 279
    Risk Analysis 280
    Baseline Controls Versus Risk Analysis 283
    Sound Practices 284
    Sixteen Sound Practices Learned from Leading Organizations 284
    Information Protection Assessment Kit (IPAK) 286
    Policies and Procedures 292
    Net Abuse 292
    E-Mail Abuse 294
    Security Awareness 298
    Frontline 299
    Security Technologies: Few Solutions, Lots of Snake Oil, and No Silver Bullets 304
    Outsourcing? Yes and No 310
Epilogue: The Human Factor 313
    One Term I Never Heard In Silicon Valley 314
    Infosec du Soleil 315
    Joseph’s Robe of Many Colors Was Made of Patches 317
    Another Patsy Named Lee? 317
    From the Red-Eye to the Russell Office Building 322
VI Appendices 325
Glossary 327
A U.S. Laws and International Treaties 339
    Computer Fraud and Misuse Act 339
    Economic Espionage Act of 1996 344
    Council of Europe - Draft Convention on Cybercrime 348
B Excerpt from Criminal Affidavit in the Ardita Case 369
    Efforts to Identify and Localize the Intruder Within the FAS Harvard Host 372
    Real-Time Monitoring of the Intruder’s Activities in November and December, 1995 376
    Identification of “Griton,” the Intruder, in Buenos Aires, Argentina 384
C Resources and Publications 387
    General Information 387
    U.S. GAO Cybersecurity Assessments 389
    Anti-Virus Information 391
    Incident Response Information 392
    Organizations and Associations 394
    Books and Publications 396
    On-Line News Sources 397
    Security Mailing Lists 398
    Newsgroups 399
    Conferences and Training 400
    Computer Underground 401
Index 403

Foreword

Our world has been changing dramatically, and we haven’t been paying much attention. Sure, we know how computer technology and networking have increased productivity and that the Internet has become an enabling technology similar to the invention and development of electricity as a power source. We are all aware of how much money has been made by Internet startups, through online stock trading and through business-to-business networking. What few are aware of are the dangerous waters we are treading.

We live in a society quite capable of providing sufficient physical security. Banks have vaults and alarm systems; office buildings have controlled access and guards; government installations have fences and much better armed guards when appropriate. Jewelry shop owners remove their wares from window displays and lock them in a vault each night. Stores in poor neighborhoods use video cameras full-time and have bars or grates over windows when closed.

But the online world is not so secure. A company that spent millions installing a state-of-the-art alarm system might not even have a single employee tasked with computer security. Companies that do spend money install the equivalent of network burglar alarms, intrusion detection systems, but then do not hire anyone to monitor the IDS console. The firewalls that are the equivalent to the guard at the entryway to the networks get configured for performance, not security. At best, the majority of organizations pay only lip service to computer security.

Tangled Web makes these points abundantly clear. Through surveys, case studies, and stories about the few successful prosecutions, Tangled Web exposes the depth of our vulnerability to online theft, penetration, abuse, and manipulation.
Even as the business world migrates to a fully online presence, we remain stuck with our heads in the sand, hoping that what we can’t see won’t hurt us.

But what we can see—the adolescent hacker “owning” computers for use in chat rooms, stealing credit cards to pay for new computer equipment, using your network to deliver spam email advertisements for pornographic sites—is only the tip of the iceberg. Defacement of Web servers by a hacktivist may garner 30 seconds in the evening news, but such public attacks are not the real problem.

In Tangled Web, you will learn about the details that you didn’t see on the evening news. For example, how two hackers’ systems were found to have the commands that brought down the AT&T phone network in 1990 (and you thought it was just a software bug). Or how, exactly, a Russian went about getting his hands on more than $10 million wired from Citibank. Or how an electronic entrepreneur was prepared to sell 84,000 credit card numbers, burned on a CD and encrypted with a key taken from a novel about the Mafia.

The CSI/FBI surveys in the beginning of the book present statistics on the growing awareness of the threat to our security. The participants in the series of surveys, over a five-year period, show increasing awareness of not just the level of threat, but also the ability to place a dollar amount on the damages caused by various forms of electronic malfeasance. As you read through these chapters, you might be surprised to see that the greatest threat to your company’s resources has remained exactly the same over the years, while the threat of Internet attacks has continued to rise.

And yet, the incidents and statistics reported in Tangled Web detail just the parts that we do know about. The chapter on corporate espionage, for example, provides abundant details about the cases of information theft that we know about. But this is like bragging about capturing a single truck loaded with cocaine at the border, when tens of thousands of tons actually wind up in the noses of addicts each year.

The true extent of computer crime is still unknown. Most organizations still refuse to share information about computer crime with law enforcement. And, for every system penetration or instance of unauthorized use discovered, there are probably ten or more left unnoticed.

Individual hackers have their own resources and what they can garner from friends, associates, and the Internet to work with. Just imagine what it would be like if you could take what is essentially an amateur computer security specialist and provide unlimited resources to him or her, including training, access to classified intelligence, the fastest computers and network links, and cooperation with a cadre of other dedicated and enthusiastic individuals. What you would have then would look like the information warfare teams already in existence in more than 20 countries worldwide. When these teams perform an intrusion, it is unlikely that it will be noticed. They are after not attention but information or future control. They have a better understanding of the systems they are attacking, and they have the time and patience necessary to do a thorough job without leaving behind any traces of the attack. It is the unseen and unheard-of attacks that any organization with any critical online resources should be afraid of. And, if you think this is beyond the capacities of most large nation-states, just read about how a small group called the Phonemasters completely compromised a regional phone company to the point that they could do anything they wanted, even warning criminals of wiretaps placed on their phone lines. Even as the phone company was implementing better security, the Phonemasters were creating back doors into the compromised systems that would let them get around the enhanced security.

Instead of improving our defenses, the marketplace has generally chosen to go with fluff. The security chosen by most companies today is like that on a fishing shack on a backcountry lake: a sign saying “Protected by Smith and Wesson.” I have visited companies where a firewall, intended to protect an e-commerce business, was still in its packing crate, and ones where the ID systems were merely there to show to visiting investors. And the most popular products in use are not the most secure by far.

Today, the number-one and number-two (in sales) firewalls use a technique known as stateful packet filtering, or SPF. SPF has the dual advantages of being fast and flexible, and this is why it has become so popular. Notice that I didn’t even mention security, as this is not the number-one reason people chose these firewalls. Instead, SPF is popular because it is easy to install and doesn’t get in the way of business as usual. It is as if you hired a guard for the entry to your building who stood there waving people through as fast as possible.

Marketing plays an even greater role in the failure of security. Microsoft, unfortunately for the world, owns the desktop market and is busily going after the server market as well. On the desktop, Microsoft features, such as Outlook and Windows Script Host, turn every desktop into a potential relay for viruses like Melissa and ILOVEYOU, or a source for denial of service attacks. NT Web servers, which can with great effort be made relatively secure, get hacked three times more often than any type of Unix Web server, and yet make up only one-fifth of the Web servers installed today. Instead of building and shipping truly secure systems, Microsoft talks about what it can do. And what it actually does is introduce amazingly flexible and complex products that even its own engineers admit are based on undocumented source code.

If I haven’t already moved you to pay attention to security, I certainly expect that Tangled Web will do it. This book can be used as a tool to convince management of the extent of the risk—not simply that there is a real risk, but how damaging it can be to ignore that risk. Not just in financial terms, which is real enough and well-documented here, but also in terms of winding up with a security breach detailed above the fold of the New York Times.

If you are a security professional, you will, in most cases, know that your company is not spending enough money and attention on security. Buy this book and give it to your managers. Read it yourself, so you can be armed with stories and statistics about those who ignored the risk instead of managing it. Learn about successful prosecutions and what evidence proved significant, so instead of being just a victim, you will have at least a chance to strike back.

As Richard Power writes in the epilogue, the stories about computer crime continue to unfold. Even so, what you have in your hands is the single, most complete description in existence today. And perhaps, someday in the not-too-distant future, we can be proud instead of embarrassed of our security, because we chose not to ignore the problem but to get serious about it instead.
Rik Farrow
July 2000

“Since it is universally believed that man is merely what his consciousness knows of itself, he regards himself as harmless and so adds stupidity to iniquity. He does not deny that terrible things have happened and still go on happening, but it is always ‘the others’ who do them…Even if, juristically speaking, we were not accessories to the crime, we are always, thanks to our human nature, potential criminals…None of us stands outside of humanity’s collective shadow. Whether the crime occurred many generations back or happens today, it remains the symptom of a disposition that is always and everywhere present—and one would therefore do well to possess some ‘imagination for evil,’ for only the fool can permanently disregard the conditions of his own nature. In fact, negligence is the best means of making him an instrument of evil. Harmlessness and naivete are as little helpful as it would be for a cholera patient and those in his vicinity to remain unconscious of the contagiousness of the disease.”
—Carl Jung, The Undiscovered Self

Acknowledgments

Tangled Web itself is an acknowledgement of some of the many bright and dedicated individuals who have helped reveal what lurks in the shadows of cyberspace. Their names and affiliations are strewn throughout the text. There are others, too, who are not mentioned, or could not be mentioned, who have made significant contributions.

Without the foresight and daring of Patrice Rapalus, the director of the Computer Security Institute (CSI), I would not have been able to accomplish as much as I have in this field. Indeed, all those who take information security seriously owe her a debt of gratitude whether they are aware of it or not.

Tangled Web is the result of several years of intense focus but was produced on a harrowing schedule in an insanely short span of weeks. Without the creative vision, professionalism, and humor of Kathryn Purdum and Hugh Vandivier, my editors at Macmillan, it would not have been possible to do the impossible. Michael Dietsch, Tonya Simpson, Benjamin Berg, and others at Macmillan also worked hard and well on this project.

I also want to thank Christina Stroz, Doron Sims, and Scott Hamilton, three students at York Prep High School in New York, who navigated their way through the maze of the U.S. Federal court system, located some court documents vital to this book (although they had been given the wrong docket number), and photocopied them for me.

PART I Crime, War, and Terror in the Information Age
Chapter 1: Welcome to the Shadow Side of Cyberspace 3
Chapter 2: Inside the Mind of the Cybercriminal 9
Chapter 3: Been Down So Long It Looks Like Up To Me: The Extent and Scope of the Cybercrime Problem 21
Chapter 4: Let It Bleed: The Cost of Computer Crime and Related Security Breaches 39
CHAPTER 1 Welcome to the Shadow Side of Cyberspace
In 1991, Alvin Toffler’s The Third Wave proclaimed the dawn of the Information Age. One decade later, cyberspace is an extraordinary extension of the human experience.

You can play the stock market on-line. You can apply for a job on-line. You can shop for lingerie on-line. You can work on-line. You can learn on-line. You can borrow money on-line. You can engage in sexual activity on-line. You can barter on-line. You can buy and sell real estate on-line. You can purchase plane tickets on-line. You can gamble on-line. You can find long-lost friends on-line. You can be informed, enlightened, and entertained on-line. You can order a pizza on-line. You can do your banking on-line. In some places, you can even vote on-line.

Indeed, the human race has not only brought its business to cyberspace, it has brought its exploration of the psyche there, too. And in the digital world, just as everywhere else, humanity has encountered its shadow side. Information Age business, government, and culture have led to Information Age crime, Information Age war, and even Information Age terror.

You can perform financial fraud on-line. You can steal trade secrets on-line. You can blackmail and extort on-line. You can trespass on-line. You can stalk on-line. You can vandalize someone’s property on-line. You can commit libel on-line. You can rob a bank on-line. You can frame someone on-line. You can engage in character assassination on-line. You can commit hate crimes on-line. You can sexually harass someone on-line. You can molest children on-line. You can ruin someone else’s credit on-line. You can disrupt commerce on-line. You can pillage and plunder on-line. You could incite to riot on-line. You could even start a war on-line.
Types of Cybercrime

There is a broad spectrum of cybercrimes, including