Cyberthreat - An investigation into the methods, perpetrators, future & prevention of cyberspace computer crime

A BSc final year dissertation by James John Richardson

Abstract

This report aims to provide the reader with knowledge regarding the threats cyberspace presents to computer security, to give outlines of strategies to defend against these threats and to provide an answer to the question: is prevention of unauthorised intrusion into computer systems possible? Finally, the future of these ever increasing threats and their effects upon society are discussed in order to give the reader some insight into how the subject area may progress into the new millennium.

Acknowledgements

The author wishes to acknowledge the help received during the writing of this dissertation. My thanks to Dr. Alan Maybury for the editorials and guidance, Jim Credland at Demon Internet whose contribution (however small) was gratefully accepted, Advanced Micro Devices (UK) Ltd., Microsoft, Silicon Graphics International Ltd., the WELL, my family and friends for support, and finally Bruce Sterling for the genesis of an idea. I’ll see you all in the place between the phones.

Introduction

Computer security is a subject that tends to bring out interesting responses from computer professionals. In research for this dissertation I contacted a number of companies that I thought might be good resources of information. These companies ranged from manufacturers of home PC systems to fabricators of semiconductor devices to software companies. At the time of this writing, I have had four responses, only one of which was positive. AMD telephoned me and told me they had nothing to do with computer security. In a commercial sense, of course, they are right; however, if the prospect of being hacked/phreaked is a headache for an ordinary company, then it must be a real headsplitter for a manufacturer of computer components. Nevertheless, they didn’t want to share any opinions. Microsoft, William H.
Gates III’s computing behemoth, rang me and referred me to company spiel on the gigantic Microsoft website. They too were reluctant to establish a dialogue. Silicon Graphics International, cutting edge computer manufacturers that they are, at least responded with a letter that wished me “…every success in my studies” but stated that they were “…not in a position to discuss security arrangements.” SGI, however, did help me direct my searches elsewhere. The only company interested in the establishment of a dialogue was the UK internet service provider Demon Internet, who had their Security Administrator contact me via E-mail. This communication helped greatly with this dissertation.

Perhaps it was the wording of the letter I sent out as a contact, but it seems that these responses (such as they are) are at least slightly paranoid, the equivalent of a pat on the head and a shove out the door. It appears that this is a sign of the times, large companies fearing lowly nerds in bedrooms with too much knowledge for their own good. Is it really like this? Is the new online world as suspicious of strangers as the old west was? A search of the internet using the word hacker will trawl up a vast amount of information ranging from tutorials in computer intrusion to cracked software. In real terms, most of the information holds no interest for ordinary denizens of the net, but for a few individuals virtually all the knowledge needed is available. Pandora’s box may well be open and ready for business.

Hacking is an unusual pastime. To most people, the idea of sitting in front of a computer terminal for hours on end attempting to gain illicit access to a large computer system is ridiculous, but then again to most people the idea of actually programming a computer is considered akin to rocket science, or quantum physics. Hackers are simply computer programmers whose desire to know about computers extends into a desire to know about everyone else’s computers.
To ordinary individuals, the world-wide law enforcement community and even other computer programmers, the idea that hackers can use this curiosity and knowledge to gain access to computer systems controlling such diverse operations as banking and nuclear weapons is terrifying. Terrifying to the extent that perhaps the threat is blown out of all proportion. Then again, perhaps they’re merely being realistic.

General users of computers tend to have a clearer understanding of the computer virus and programmed threat. Much is made of the terrors of what a virus could do to a system: wiping files, crashing hard drives, deleting BIOS. We even have figureheads like Symantec’s Mr. Norton posing on software box fronts with a stern expression promising “…kills 100% of in the wild viruses” as if some cyberspace disinfectant or antibiotic were being peddled. Indeed, a tutorial video clip on Symantec’s Antivirus 5.0 software CD depicts hackers and threat writers as evil, corrupt and demonic in appearance, chuckling maliciously as they prepare to destroy everyone’s computer systems. Continuation of this image is, of course, good for Symantec (the more paranoid computer users there are out there, the more software they sell); however, the truth of the situation is never that simple. Unlike in the movies, bad guys don’t always wear black hats.

Computer crime is a fairly broad term that covers illegal activities ranging from hacking to fraud involving computers and, of course, old fashioned theft. This dissertation aims to analyse the threats that hacking, viruses and other types of cyberspace computer crime could pose to the computer systems society now relies on to function (such as the banking system or personal records) and to determine courses of action to prevent and combat such crime.

1: Threats

This chapter highlights computer security threats from cyberspace by defining what they are and how they can affect a computer system, whilst citing some notorious case histories.
The second and third chapters will discuss in turn how these forms of intrusion can be guarded against and what implications these measures will have on the wider online community.

Hackers

What is a Hacker?

When researching this dissertation, a clear definition for the terms hacker and hacking proved extremely hard to track down. On the one hand, there is the pure, holistic, Zen definition coined by Steven Levy in his book “Hackers: Heroes of the Computer Revolution” [1]. On the other hand there is the public perception the term hacker has gained through many incidents throughout the eighties and nineties, and from various Hollywood feature films. Unfortunately, this second definition is the one that has now been adopted by the computer industry as a whole, although many in the industry dislike the name being used for anything other than a Levy-like figure. The Dictionary of Computing defines hacking as: “(a) to experiment and explore computer software and hardware (b) to break into computer systems for criminal purposes.” [2]. This dual definition is perhaps the most accurate.

Going along with the current negative perception of hackers for the lack of a better term (Digiterrorist? Cybervandal? [3]), the term hacker comes to mean any individual who is interested in intrusion (i.e. access without the knowledge or consent of an acknowledged administrator), legal or otherwise, into other people’s computer systems, whether it be for the sake of knowledge, criminal activity, boredom or any other reason. Hacking, or to hack, is the act of intrusion into these computer systems.

Hackers are generally young (in their teens or early twenties), intelligent, middle class males who have a ferocious interest in computers but who are generally shy and retiring “geeks”.
They could perhaps be called socially maladjusted, preferring to spend time with computers rather than people, and they generally hold radical views on computers, the information they contain and the laws and law enforcement agencies that have sprung up against them. Bruce Sterling [4] suggests an alternative view of a hacker as a “…computer addict”, that they are physically compelled to do what they do. Hackers have an underlying need to be revered by their peers, with their worth amongst other hackers being determined by what big computer systems they’ve been into and what new techniques to accomplish intrusions they’ve discovered. They convene in cyberspace on BBSs (Bulletin Board Systems) where they exchange stories and, more often than not, evidence of computers they’ve intruded upon. They act very much as if they are doing nothing wrong; indeed, they would tell you that information should not and cannot be anybody’s personal property. Established hackers usually form themselves into unofficial groups, using strange names such as “Legion of Doom” (sometimes shortened to LoD) or “Anarchy Inc.”, that share information and get involved in disputes with other groups. The ultimate insult to a true hacker is to be called “lame” and to be accused of merely trashing computer systems and using hacker skills to steal money, thereby turning your back on the true beauty of hacking for hacking’s sake.

Hacking is an offshoot of the digital underground activity known as phreaking. Phreaks sprang up in numbers during the 1960s as part of the Hippie anti-culture with an ethos similar to the early hackers, an insatiable desire to know about high technology in everyday use [5]. This early curiosity eventually developed into a jaded view that electronics and electronic equipment should be turned against the establishment and used for pranks, tricks or subversion of the norm.
One of the most attractive of phreak targets has always been the telephone system, ranging from stealing telephone services by wiring home-made “Blue” or “Black” boxes into telephones through to (in recent years) conducting huge conference calls in company voice mail systems. Phreaks are in many ways similar to hackers; indeed, both these groups began life with innocent intentions and beliefs that eventually developed into genuine troublemaking.

These troublemaking hackers grew from computer science students of the late 70s and early 80s who relied mainly on university computers for programming experience. With computing time at a premium, many gained extra time and file space on machines by unauthorised intrusion into them, allowing their passion to justify breaking the rules. The “hacker ethic” of earlier generations, the belief that information should not be contained coupled with tremendous ability and desire to work with computers, became diluted and less idealistic as hacker numbers grew. Indeed, many of the now giants of the computer industry engaged in forms of intrusion and phreaking in their college careers [6], their generation developing many of the techniques still used today. The majority of university minicomputers at the time ran the UNIX operating system [7], which was designed to be relatively unrestricted and open; indeed, the logistics of imposing tight security on a system as widely used as a university minicomputer were (and still are) formidable. Because of this relatively lax security, students found themselves able to amass great knowledge of the operating system and its associated security risks, knowledge that could easily be applied to the outside world’s computer systems where UNIX was also prevalent. This extensive knowledge of how to manipulate and subvert authority within UNIX systems is really the genesis of modern hacking and, because UNIX is still in widespread use today, remains an ongoing computer security problem.
Hackers today have become an integral part of the internet, with numerous sites devoted to spreading information on how to break into computer systems. Such sites revel in the dissemination of illicit information; thus these sites usually carry “cracked” (copy protection routines removed) software known as “warez”, information on phreaking and a smattering of pornographic material [8]. Hacking is still closely related to phreaking (both can be said to be part of the same “digital underground”), thus it’s sometimes hard to tell where one ends and the other begins. For example, numerous hackers have been convicted for long distance telephone call fraud (using phreaking techniques) or credit card fraud (using hacker written software or numbers stolen using hacking techniques), not the computer crimes they may have also committed. A case in point is that of “Fry Guy”, a hacker loosely connected to the Legion of Doom, who stole $6000 from Western Union between December 1988 and July 1989. Only sixteen at the time he committed his crimes, Fry Guy also bought goods using stolen credit card numbers [9].

Types of Attack

Hackers, as outlined above, behave in cyberspace very much like a gang would in the real world, bearing grudges, struggling over status etc., but how exactly are they a threat to computer security? How might they damage a computer system? Hackers have a number of weapons at their disposal, most of which are aimed at obtaining the “trust” of a targeted computer system, thereby granting themselves privileges on the targeted system to which they are not entitled. This trust could be gained by breaking any associated security surrounding access, for instance guessing a password, or by changing the authority of an assumed identity to that of an administrator, thereby granting control above the level actually allowed.
Hackers pass software freely amongst themselves that can “scan” passwords [10] to gain access to systems, or they may use a technique known as “social engineering”. The social engineering method doesn’t require the use of computers, and is all about fooling people into believing you are someone you are not. For example, a hacker may find out the number of an internal company phone line and pose as a technical support employee. The hacker then asks for an employee’s login and password under some false pretence. The employee will never know they have been hoodwinked and the hacker has a login code and a password with which to enter the system. An adaptation of this technique is known as “trashing”, whereby a hacker roots through company rubbish bins looking for scraps of useful information such as social security numbers, passwords, internal telephone directories, anything that could be used to pose as an employee of a company. These techniques do seem far-fetched; however, they have been said by numerous hackers to be how intrusions were accomplished.

With the growth of the internet and networked computers, security can be compromised by a hacker snooping data packets as they are in transit between computers. This open broadcast of sensitive data has led to the development of encryption software as a preventative method; however, this too can be circumvented by methods such as brute force.

Once a hacker has access to a computer system they can generally do what they want or feel like doing. They could copy sensitive material, change information, delete essential files, steal proprietary software, or use the targeted computer to carry out further intrusions into other computer systems. In short, they are only limited by what data the computer contains and how skilful and inventive they are. Needless to say, this kind of power over any essential or relied upon system could be devastating.
As well as pure intrusion into computer systems, hackers have been known to carry out malicious “Denial of Service” attacks against computers. Denial of service is quite a self explanatory title, in that the hacker denies legitimate users of a computer system the availability of services they rely on. For example, a hacker could learn the login code of the highest level user in a system, and systematically type the incorrect password so that the system security measures “freeze out” any further login attempts. This would prevent any access to the system by the administrator. Or, a hacker may flood an E-mail system with an “E-mail bomb”, a self referential message that starts small but quickly multiplies to swamp the system. This would disable an E-mail service for an amount of time until the system could be cleared [11]. Denial of service attacks are often used as acts of revenge against organisations or individuals that have upset or antagonised a hacker or hacker group.

Cases: Hacking

There are numerous examples of hacking, with varying consequences for the perpetrator and the victims of the intrusion. Perhaps the most famous hacker case to date is that of Craig Niedorf, known in cyberspace as “Knight Lightning”. Niedorf was co-editor of an online underground “magazine” known as Phrack, which ran articles about hacking and phreaking and was generally regarded to be the centrepiece of the hacking world. Niedorf published in Phrack a heavily edited version of a document entitled “Control Office Administration of Enhanced 911 Services for Special Services and Major Account Centers”, a trophy of a hacker raid uploaded to Niedorf by a hacker known as “Prophet”. Niedorf was subsequently arrested and tried as part of the notorious “Hacker Crackdown” of 1991 by the US Secret Service and Chicago police.
The case against Niedorf centred on the transportation across state lines (via modem between computers) and fraudulent copying of the E911 document that Prophet had stolen from the computers of AT&T Bell South, a document that AT&T claimed was worth a substantial amount of money [12]. Backed by the fledgling cyberspace civil rights organisation EFF (Electronic Frontier Foundation), Niedorf eventually won his case on the grounds that the E911 document was actually freely (although obscurely) available by mail order from AT&T for a mere $13. The case highlighted major flaws in the US law enforcement community’s methods in investigating computer intrusion crimes, and also raised issues about what constitutes data theft, fraud or piracy in cyberspace.

One other case of hacking was that of Randal Schwarz, a contract worker at the Intel Oregon fabrication plant. Schwarz, a UNIX expert, became interested in security lapses upon finding his E-mail system had been hacked and, using a hacker program named “Crack” that was written to crack passwords, he began testing the password security of a number of companies he was involved with. In October of 1993, Schwarz ran Crack on the Intel computer system at the Oregon plant in order to ascertain the company’s weakness to the program. His findings were surprising considering the high tech nature of the company, the test revealing forty eight employee logins that could be deciphered by anybody outside the company. Unbeknownst to Schwarz, one of his supervisors had noticed his activities and, instead of talking to him about it, notified Intel security. The police were called and Schwarz was indicted on three separate felonies, eventually being convicted and sentenced in 1994 to five months probation, three months in prison suspended until 1998, 480 hours of community service and ordered to pay $69,000 to Intel in damages [13]. His plea that he was testing security was ignored.

Programmed Threats

What is a Programmed Threat?
A computer, described in its most basic form, is a collection of hardware that carries out electronic instructions (software). As the complexity of programming has increased, so have the likelihood and effects of pieces of software being written with logical flaws in their code. Software that contains such flaws accidentally (capable of effects ranging from unusual or unexpected behaviour to total derailment of a system) is said to have a bug. In recent years, however, software has appeared that causes these ill effects by design, whether maliciously or as an academic exercise. Because of the potential to usurp established security or damage a system irreparably, this type of software has become known as a programmed threat (sometimes called malware). Programmed threats are many and varied in both implementation and in the ways they affect targeted systems. They are at least as great a threat to computer security as hacking, plus they pose the added difficulty of tracking down those responsible for their programming, release and distribution. The main types of programmed threat are discussed below.

Viruses

The computer term “Virus” has its origins in the medical definition of the word, that of a “…microscopic organism often causing disease [Latin, = poison]”. The Dictionary of Computing defines a computer virus as a “program which adds itself to an executable file and copies (or spreads) itself to other executable files each time an infected file is run.” [14]. Methods of infection range from reception of infected Java applets over the internet to using floppy disks that have been infected. Viruses can have many and varied effects on an infected system, from humorous to merely annoying to catastrophic. For example, the “Eight Tunes” virus plays one of eight tunes when active. Conversely, the “Terminator II” virus clears a computer’s CMOS BIOS chip and can overwrite disk sectors, with obviously non-trivial side effects [15].
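The definition above, a program that adds itself to an executable file, is exactly what a file-integrity baseline is built to detect, and the same mechanism serves the data integrity requirement discussed in the prevention chapter. The following Python script is an added example and is not part of the dissertation or of any product it mentions: it records a SHA-256 digest of every file under a directory, signs that list with an HMAC key so that whoever alters a file cannot quietly rewrite the list as well, and then reports which files were modified, added or removed. The directory contents, file names, key and the simulated infection are all constructed for the demonstration.

```python
"""File-integrity baseline with a keyed manifest. Added example; the directory
contents, file names, key and simulated infection below are all constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of one file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> digest for every file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def sign_baseline(baseline, key):
    """HMAC over a canonical encoding of the baseline. A program that alters a
    file cannot also re-sign the manifest unless it holds the key, so the key
    belongs off the monitored host (for example on read-only media)."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check(root, baseline, signature, key):
    """Compare the live tree against the baseline and report whether the
    baseline itself still carries a valid signature."""
    trusted = hmac.compare_digest(sign_baseline(baseline, key), signature)
    current = build_baseline(root)
    return {
        "baseline_trusted": trusted,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path, data, mode="wb"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Build a tree, baseline it, simulate an infection, then run two checks:
    one with the honest baseline and one with a baseline an intruder edited."""
    key = b"constructed-demo-key"  # constructed; a real key is generated and kept offline
    with tempfile.TemporaryDirectory() as root:
        login = os.path.join(root, "bin", "login")
        _write(login, b"ORIGINAL LOGIN PROGRAM")
        _write(os.path.join(root, "notes.txt"), b"harmless text")
        baseline = build_baseline(root)
        signature = sign_baseline(baseline, key)

        # Simulated infection (constructed): bytes appended to an executable,
        # a file dropped into bin, a file removed.
        _write(login, b"\x00APPENDED CODE", mode="ab")
        _write(os.path.join(root, "bin", "sh"), b"dropped file")
        os.remove(os.path.join(root, "notes.txt"))
        honest = check(root, baseline, signature, key)

        # An intruder who edits the manifest to hide the change still fails the HMAC check.
        forged = dict(baseline, **{"bin/login": file_digest(login)})
        covered_up = check(root, forged, signature, key)
    return honest, covered_up


if __name__ == "__main__":
    for name, report in zip(("honest baseline", "forged baseline"), demo()):
        print(name, report)
```

The keyed signature is the design point: a plain list of hashes kept on the same disk can be regenerated by whatever modified the files, so the manifest is only as trustworthy as the place the key is stored.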
The term “Virus” has come to be used in the media to cover the whole spectrum of programmed threats; however, true viruses are those that adhere strictly to the definition given above. The first occurrence of a computer virus was recorded at the University of Delaware in October 1987. By 1997, there were some 9000 known viruses “in the wild” [16].

Trojan Horses

Named after the Trojan horse from Greek mythology, Trojans are programs that masquerade as other programs and functions. For example, a Trojan might masquerade as an application familiar to the user and, whilst asking for common confirmation of commands, the Trojan could be doing anything from erasing hard drives to corrupting files. Hackers have been known to employ Trojans to discover unwary users’ passwords. The hacker programs the Trojan to look exactly like the login screen the user is familiar with, except that once the user inputs the login and password the data is transmitted to the hacker. Trojans first appeared as practical jokes in programming environments before being put to more nefarious uses.

Logic Bombs

Logic bombs are sections of code inserted into programs that, once certain conditions are met, perform various unpleasant or unusual effects. For example, a hacker might insert a logic bomb into a program that crashes the computer system it is installed upon on a certain date. One notorious example involved an employee programming a logic bomb that “detonated” if his name did not appear on the company payroll records in two consecutive months (i.e. when he’d left the company). Logic bombs are in legitimate use today as devices to limit the usage of demo programs given out for free. For example, the Macromedia Dreamweaver 2 demo is fully functional but becomes disabled at a date one month after installation.

Back Doors (Trap Doors)

Back doors (sometimes called trap doors) are alternative routes of entry into programs or systems that were put in place when the program or system was created.
Generally the back door will bypass the usual security procedures for entry into the system. Back doors are usually an addition made during the programming process to facilitate easy entry to the program or code in the event of an error with the normal means of access. Problems only arise when the door is left in place after release, causing problems if knowledge of the door gets into the wrong hands (i.e. hackers).

Worms

Similar to computer viruses, worms are programs that travel from machine to machine across a network, leaving copies of themselves or parts of their code behind. Unlike viruses, worms do not affect other programs, although they may carry code that does (for example, a true virus). The main cause of trouble is that particularly infectious worms (such as the infamous Internet Worm, see below) can take over entire networks so successfully that they exclude all other programs. A worm attack is similar in effect to a hacker Denial of Service attack in that the worm will attempt multiple logins to achieve access to the computer, each of which requires the attention of the system being assaulted. Even if the worm does not achieve access, fighting off the assault may preclude the system carrying out any other activities.

Bacteria / Rabbits

Bacteria programs (sometimes called rabbit programs) are similar to worms except that they do not rely on networks to propagate. A typical bacteria program may simply create two copies of itself, which both create copies of themselves and so on exponentially until any available disk space, memory and processing power is completely taken up by the bacteria program. Bacteria programs are the oldest form of programmed attack; indeed, users of early multiprocessor systems would write bacteria programs just to see what would happen, or to deliberately crash the system.

Security Tools

The final type of programmed threat is known as security tools.
Security tools are applications written to test the very methods of illegal intrusion that hackers and worms may use, in order to determine how secure a system may be. These applications are available on the internet from hacker sites (such as the “Crack” program Randal Schwarz was convicted for using at Intel, see above) or from legitimate computer security professionals who use them to determine their systems’ security. Whatever their origin, security tools can be used against a computer system even if the purpose of the software is legitimate; indeed, security tools are often used by inexperienced hackers in their first attempts to intrude into computer systems. This is because they require little skill to utilise and do most of the laborious security circumvention automatically.

Threat Programmers

On examination of the plethora of programmed threats that can assault computer systems, one could wonder what type of person would write such malicious but fiendishly inventive programs. In general, they have a lot in common with hackers. They are exclusively male [17], intelligent software programmers who feel under-utilised and who have good access to computers. Perhaps the most notorious programmed threat author goes by the pseudonym “Dark Avenger”, a Bulgarian who is responsible for over 24 viruses, including the frighteningly efficient “Commander Bomber” strain. The new breeding grounds for programmed threats are the countries of the Eastern Bloc, India and Russia, where highly skilled but underpaid programmers write these programs to gain world-wide recognition for their work. Fame, however, is not the only reason that these threats are written. While viruses and suchlike were used solely in the past to display a programmer’s prowess by writing code extremely hard to crack, in today’s environment motives can range from expressing social statements to espionage to exacting revenge upon a previous employer.
Taking this as the case, programmed threats can come from almost any quarter, causing a problem on a much wider scale than hacking. Programmed threats have the ability to wreak havoc on home PCs as well as large systems, whereas hackers would be unlikely to break into such soft targets. This indiscriminate nature makes them a more immediate, everyday worry for computer security than hacking.

Cases: Programmed Threats

Instances of programmed threats often become more infamous than the most publicised hacker break-ins, perhaps because of the anonymous nature of the assault and the generally widespread effects. One such case that achieved almost mythological notoriety was that of the “Internet Worm”. The Internet Worm was written in 1988 by a young US student named Robert Morris, apparently as an intellectual exercise. Morris wrote the worm to copy itself from UNIX machine to UNIX machine across the internet, charting its progress so it would not infect the same machine twice, and using hacker techniques (such as flaws in UNIX security, brute force password methods etc.) to obtain the “trust” needed to move freely. In order to stop wily server administration staff from halting the infection by reproducing the marker the worm used to identify previously infected machines, Morris included code that would re-introduce the worm onto every seventh machine it came across with the infection marker. Unfortunately, Morris underestimated the speed at which the worm would move, resulting in machines becoming infested with the worm to the exclusion of all other functions. This resulted in the infested machines crashing, taking a good portion of internet activity with them. Morris, who claimed his intentions were never malicious (let alone criminal), was convicted under the US 1986 Computer Fraud & Abuse Act and fined $10,000 [18].

2: Prevention

In the previous chapter we have discussed the types of cyberspace security threats that may endanger a computer system.
This chapter aims to outline methods of planning to combat such threats, to define methods to implement these plans and to give a brief discussion of UK laws that apply to these types of computer crime.

Security Planning & Risk Assessment

Computer crime is on the increase. According to an Audit Commission report, in the period from 1990 to 1993 reported computer crime of all types increased from 12% of companies surveyed to 36%. The instances of cyberspace threats also showed an increase; virus infections in particular increased fivefold, with hacking decreasing slightly, perhaps because of new laws to combat the activity (discussed below). As these figures show, computer security measures need to deal with an increasing number and variety of cyberspace threats, from the ingenuity and persistence of nuisance hackers to the automated onslaught of virus and worm programs. The task for any measures employed is therefore not to combat hackers, viruses, worms etc. independently, but to provide a catch-all defence against threats to the computer system (although there should be specific elements of any security plan dealing with each of these threats). The most efficient way to prepare this defence is by carrying out careful security planning and risk assessment coupled with competent execution of these plans.

Security Planning

Firstly, one must look at the computer systems most likely to be threatened by cyberspace criminals, to determine if measures are necessary. Invariably the computers most at risk are large, non-trivial systems that are connected via networks to other computer systems and that usually service more than one user. Examples of this type of computer could be an office network server or a company e-mail or website server.
The vulnerability of this type of computer comes about because of what it is: permanent connection to other computers presents a permanent route for hacker and threat programmer access, while multiple users and/or large amounts of data processing present both hacker and threat programmer with the means and purpose for intrusion. One could say the ultimate secure system is that which is not connected to other computers and has no users. Finding the balance between security and non-restriction of legitimate user access is one of many concerns with this type of computer security [19].

Secondly, one must decide upon what kind of protection the computer system needs. Barrett states that “…in most cases, computer security centres on Access and Authentication Control” [20], that is, the restriction of a computer system’s assets to those with the proper login information. This alone, however, is not enough. Thought must be given to Audit control, provision for monitoring users and command logging to flag up “security events”, commands issued by users that have implications for the security of the system (ranging from initial login to changing login passwords or parameters). If logged correctly, audit information can be an invaluable tool in finding the source of security breaches. Systems must also be implemented to ensure data security, whether within the computer system or upon transmission between computers. Data security can be further divided into three sub-elements: data integrity (to prevent data from being changed without permission), data encryption (to ensure data cannot be understood if it is intercepted or spied upon) and data repudiation (to ensure the recipients of the data are known and unable to deny receipt).

Finally, decisions need to be made as to exactly how the security is to be implemented, and in what form these measures manifest themselves. Decisions on these matters can be arrived at by considering the following areas.
Confidentiality
What types of information does the system contain and transmit/receive? Information (files, programs etc.) should only be available to its specific owner, author or intended recipient. When grading the level of confidentiality of any one piece of information, care must be taken to ensure that seemingly harmless information cannot be used to infer confidential information.
Data Integrity
Is there any protection for files and programs from change or deletion by parties other than the owner of that information? Data integrity is the main area in which hackers and programmed threats can cause havoc.
Availability
Are there provisions for the protection of services legitimate users rely upon? This involves preventing crashing or degradation of the service. If users cannot access the systems they require when they require them, the results are potentially as damaging as deletion of their files. Denial Of Service (DOS) attacks strike at this area of security.
Consistency
What steps are being taken to ensure the computer system behaves as the user expects on a day-to-day basis? The consequences of a sudden change in the operation of the system can be catastrophic [21].
Control
How much control do the administration staff have over the computer system? In order to know exactly who is using the system and exactly what programs are contained therein, administration staff should closely regulate users, programs and files. Generally, the earlier a security breach is detected the less damaging it will be. Vigilance over the system and its programs and files is the best way to achieve this.
Audit
Is there a way to examine the system’s command history? As mentioned above, by keeping detailed logs about the system and its users [22] it is possible to reconstruct any security breaches after the fact, enabling the determination of exactly who or what committed the breach, why it occurred and when it occurred.
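As an added illustration (not part of the dissertation), the following Python sketch shows the kind of audit logging and after-the-fact reconstruction just described: it picks security events out of constructed, syslog-like login records and flags a user who logged in after repeated failures and then changed privileges or a password. The log layout, host names, user names and addresses are all constructed for the example.

```python
"""Flag security events in login/audit logs and reconstruct who did what, when.

Added example, not from the dissertation. The log format below is a
constructed, syslog-like layout chosen for illustration; real systems
differ in detail but carry the same who/what/when/from-where fields that
this code relies on.
"""
import re
from collections import defaultdict

# Constructed sample lines: a run of failed logins, a success, then a
# privilege change and a password change from the same remote host,
# followed by an ordinary user's unremarkable day.
SAMPLE_LOG = """\
1999-03-02 22:41:07 host1 login: FAILED LOGIN user=jsmith from=10.0.0.77
1999-03-02 22:41:19 host1 login: FAILED LOGIN user=jsmith from=10.0.0.77
1999-03-02 22:41:33 host1 login: FAILED LOGIN user=jsmith from=10.0.0.77
1999-03-02 22:42:05 host1 login: LOGIN user=jsmith from=10.0.0.77
1999-03-02 22:43:11 host1 su: jsmith to root succeeded
1999-03-02 22:44:50 host1 passwd: password changed for root by jsmith
1999-03-03 09:02:14 host1 login: LOGIN user=amaybury from=10.0.0.12
1999-03-03 09:05:00 host1 lpr: job 17 queued by amaybury
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>\w+): (?P<msg>.*)$")

# Each rule maps a program and message pattern to a named security event;
# the named groups supply the user the event is attributed to.
EVENT_RULES = [
    ("login", re.compile(r"FAILED LOGIN user=(?P<user>\S+) from=(?P<src>\S+)"),
     "failed_login"),
    ("login", re.compile(r"^LOGIN user=(?P<user>\S+) from=(?P<src>\S+)"),
     "login"),
    ("su", re.compile(r"^(?P<user>\S+) to (?P<target>\S+) succeeded"),
     "privilege_change"),
    ("passwd", re.compile(r"password changed for (?P<target>\S+) by (?P<user>\S+)"),
     "password_change"),
]


def parse_events(log_text):
    """Return the security events found in the log, in order of occurrence.

    Ordinary activity (print jobs etc.) is ignored; everything with a
    bearing on system security is kept with its who/what/when fields.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for prog, pattern, kind in EVENT_RULES:
            if m["prog"] != prog:
                continue
            em = pattern.search(m["msg"])
            if em:
                ev = {"when": m["ts"], "host": m["host"], "what": kind}
                ev.update(em.groupdict())
                events.append(ev)
                break
    return events


def reconstruct_breaches(events, failed_threshold=3):
    """Group events by user and report suspicious sequences.

    A user who logs in after `failed_threshold` or more consecutive
    failures and then changes privileges or a password is reported with
    who, from where, and when: the after-the-fact picture the audit
    trail exists to provide.
    """
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    findings = []
    for user, evs in per_user.items():
        failures = 0
        suspect_login = None
        for ev in evs:
            if ev["what"] == "failed_login":
                failures += 1
            elif ev["what"] == "login":
                suspect_login = ev if failures >= failed_threshold else None
                failures = 0
            elif suspect_login and ev["what"] in ("privilege_change", "password_change"):
                findings.append({"who": user, "from": suspect_login["src"],
                                 "login_at": suspect_login["when"],
                                 "what": ev["what"], "target": ev.get("target"),
                                 "when": ev["when"]})
    return findings


if __name__ == "__main__":
    for finding in reconstruct_breaches(parse_events(SAMPLE_LOG)):
        print(finding)
```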
Auditing of this kind, coupled with proper control measures, is the key to more secure computer systems. How much weight is given to the considerations above will depend upon the use of the computer system. For example, Garfinkel & Spafford state that “…in a banking environment integrity and auditability are usually the most critical concerns…In a university, integrity and availability may be the most important requirements” [23].
Risk Assessment
The second phase of planning security for a computer system is to assess what threats the computer is at risk from and what exactly you are trying to protect from these risks. Once this has been established, the findings should be tempered with considerations of how much money can be spent to put security measures into place. This process gives the administrator of the system the knowledge to go ahead and implement whatever security is decided upon. Good risk assessment should consist of the following elements.
Identifying Assets
Essentially, this means answering the question: what is it I need to protect? The process has to take into account tangibles (computers, proprietary data, records, manuals etc.) and intangibles (such as personnel passwords, the maintainable speed of the computer system, personnel privacy etc.) in order to provide a broad view of the system as a whole. The list of assets should include everything associated with the computer system that is of value [24]. When considering cyberspace threats to security in particular, hard copies of information about the system and its accessibility should be valued highly. We saw in the previous chapter the ways in which leaks of information such as this can be used by hackers and threat programmers to usurp otherwise efficient security arrangements.
Identifying Threats
Covered in the previous chapter, the process of identifying threats should really answer the question: what do I need to protect my computer system from? [25] When dealing with cyberspace threats, administrators should consider what types of intrusion they may suffer. How likely is it that a virus will be introduced into the system? Will the computer system be a tempting target for outside hackers? Will the computer be subject to hacking by authorised users (perhaps to gain extra privileges)? Once these threats have been determined, each one must be quantified in terms of how likely it is to occur. Various sources can be used to this end, such as industry reports, company records, educated guesswork etc., giving a mix of primary and anecdotal evidence which should build up a workable threat profile. Of course, the real world is not a stable entity, and it is therefore good practice to review regularly what threats to a computer system exist, adjusting security plans accordingly.
Cost-Benefit Analysis
Once the threats have been determined, a cost of defence must be assigned to each in order to develop a cost-benefit analysis. This analysis weighs the cost and effect of a particular risk against the cost of defence against that risk in order to determine at what point security ceases to be financially viable. In an ideal world, all organisations controlling large and/or strategically important computer systems would have infinite funds to provide infinite security measures. Given that this is not the case, and that security (no matter how well planned and executed) can never be proven 100% infallible, threats must be prioritised to make the most of the security measures and their associated budget. Spafford & Garfinkel refer to the cross-referencing of the above factors as a “multidimensional matrix” that should allow the charting of risk against cost against consequences to assets. Once the above steps have been followed, a clear image emerges of what measures are to be taken against what threats and at what cost.
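The cost-benefit matrix described above, worked through in Python as an added example that is not part of the dissertation: each asset/threat pair is charted by likelihood, consequence and cost of defence, unrealistic threats and uneconomic defences are dropped, and the remaining measures are funded in priority order within a budget. All assets, threats and figures are constructed sample values, not data from any source.

```python
"""Worked cost-benefit analysis for a risk assessment.

Added example, not from the dissertation. Assets, threats, likelihoods
and costs below are constructed sample values; the method (charting
likelihood against consequence against cost of defence, then
prioritising within a budget) is the one described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str           # what is being protected
    threat: str          # what it is being protected from
    likelihood: float    # estimated probability of occurrence per year
    consequence: float   # loss (in currency units) if it occurs
    defence_cost: float  # cost of the measure that would counter it

    @property
    def expected_loss(self):
        """Likelihood x consequence: the annual loss the threat represents."""
        return self.likelihood * self.consequence

    @property
    def net_benefit(self):
        """What the defence saves minus what it costs; negative means the
        measure costs more than the risk it removes."""
        return self.expected_loss - self.defence_cost


# Constructed sample matrix of asset/threat pairs (likelihood, consequence, cost).
RISK_MATRIX = [
    Risk("customer database", "virus infection via floppy", 0.60, 40_000, 3_000),
    Risk("customer database", "outside hacker", 0.10, 200_000, 15_000),
    Risk("e-mail server", "denial of service", 0.25, 8_000, 6_000),
    Risk("web server", "defacement by outside hacker", 0.30, 12_000, 2_000),
    Risk("payroll records", "insider gaining extra privileges", 0.05, 60_000, 10_000),
    Risk("printed system manuals", "theft of hard copies", 0.02, 5_000, 4_000),
]


def prioritise(risks, realistic_threshold=0.05):
    """Return the risks worth defending against, most valuable defence first.

    Threats below `realistic_threshold` likelihood are not defended (the
    text's "only provide measures against those deemed realistic"), nor
    are defences that cost more than the expected loss they avert.
    """
    worthwhile = [r for r in risks
                  if r.likelihood >= realistic_threshold and r.net_benefit > 0]
    return sorted(worthwhile, key=lambda r: r.net_benefit, reverse=True)


def plan_within_budget(risks, budget):
    """Fund defences in priority order until the budget runs out.

    Returns (chosen, unfunded_expected_loss): the measures funded and the
    annual expected loss left over from worthwhile but unfunded risks,
    which is the residual risk the administrator knowingly accepts.
    """
    chosen, remaining = [], budget
    unfunded_loss = 0.0
    for r in prioritise(risks):
        if r.defence_cost <= remaining:
            chosen.append(r)
            remaining -= r.defence_cost
        else:
            unfunded_loss += r.expected_loss
    return chosen, unfunded_loss


if __name__ == "__main__":
    for r in prioritise(RISK_MATRIX):
        print(f"{r.asset:22} {r.threat:34} expected loss {r.expected_loss:>9,.0f} "
              f"defence {r.defence_cost:>7,.0f} net {r.net_benefit:>9,.0f}")
    funded, leftover = plan_within_budget(RISK_MATRIX, budget=15_000)
    print("funded:", [r.threat for r in funded], "| unfunded expected loss:", leftover)
```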
This picture can then be used to formulate policies for organisations to follow, or simply to give administration staff increased knowledge and intelligence about their own computer system. Finally, good risk assessment is founded on common sense. It should identify all threats to a computer system, but only provide measures against those deemed realistic.
Security Implementation
Once security plans have been developed, the question remains how to physically implement these plans in the real world. We have seen that the most secure computer system is one that is not connected to any other computers, and whilst most methods of securing computer systems and networks are operating-system specific (though universally involving administrator vigilance, properly executed user restrictions and data encryption [26]), the protection of any system from cyberspace threats can be greatly enhanced by the construction of non-platform-specific measures.
Firewalls
Firewalls are named after their building-industry counterparts, which are designed to keep fires contained. Similarly, computer firewalls consist of software and hardware elements designed to keep the threats inherent in connection to the internet and other computers separated from a host system or network. The firewall effectively limits communication between computers to defined data types, giving a good deal of the protection that total isolation affords. Firewalls fall into two categories: default permit (the firewall is programmed to recognise the types of data, hosts, programs etc. that will be denied access, and allows everything else) and default deny (the firewall is programmed to recognise the types of data, hosts, programs etc. that will be allowed access, and denies everything else). Both methods have advantages and disadvantages; for example, default-deny firewalls are easier to implement (you simply enable those protocols that are requested), whereas default permit lets you target specific protocols and allows greater flexibility for users.
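The two firewall policies above, as an added Python example that is not code from the dissertation: the same constructed traffic is run through a default-permit rule set (listing what to deny) and a default-deny rule set (listing what to allow), to show exactly where the two differ. The rule syntax, addresses and prefix-based source matching are simplifications constructed for illustration; the port numbers are the well-known ones for the services named.

```python
"""Default-permit versus default-deny packet filtering, side by side.

Added example, not from the dissertation. Rule format, sample traffic and
the prefix match on source addresses (a stand-in for a proper netmask)
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source host address
    dst: str     # destination host address
    proto: str   # transport protocol
    dport: int   # destination port (the service being contacted)


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    src_prefix: str = ""       # leading string of the source address; "" = any

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and pkt.src.startswith(self.src_prefix))


class Firewall:
    """First matching rule wins; the default policy decides everything else."""

    def __init__(self, rules, default):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be 'permit' or 'deny'")
        self.rules, self.default = list(rules), default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Default permit: list what is known to be dangerous, let the rest through.
PERMIT_BY_DEFAULT = Firewall([
    Rule("deny", proto="tcp", dport=23),    # telnet: cleartext logins
    Rule("deny", proto="tcp", dport=512),   # rexec
    Rule("deny", proto="udp", dport=69),    # tftp
], default="permit")

# Default deny: list what users have asked for, block everything else.
DENY_BY_DEFAULT = Firewall([
    Rule("permit", proto="tcp", dport=25),                      # mail
    Rule("permit", proto="tcp", dport=80),                      # web
    Rule("permit", proto="tcp", dport=22, src_prefix="10.0."),  # ssh from the office LAN only
], default="deny")

# Constructed sample traffic arriving at the host 192.0.2.10.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),     # web request
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),     # telnet attempt from outside
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22),     # ssh from outside
    Packet("10.0.3.14", "192.0.2.10", "tcp", 22),        # ssh from the LAN
    Packet("198.51.100.7", "192.0.2.10", "tcp", 31337),  # a service nobody listed
]


def compare_policies(traffic, permit_fw=PERMIT_BY_DEFAULT, deny_fw=DENY_BY_DEFAULT):
    """Return (dport, default-permit decision, default-deny decision) per packet.

    The last sample packet is the point of the exercise: a protocol nobody
    thought to list passes a default-permit firewall untouched and is
    stopped by a default-deny one, while the ssh rule shows how default
    deny can still be opened selectively for a trusted source.
    """
    return [(p.dport, permit_fw.decide(p), deny_fw.decide(p)) for p in traffic]


if __name__ == "__main__":
    for dport, permissive, strict in compare_policies(SAMPLE_TRAFFIC):
        print(f"port {dport:>5}: default-permit -> {permissive:6}  default-deny -> {strict}")
```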
Firewalls should be designed to meet the specific needs of a particular computer system or network, their type and construction being different in every case. Once the firewall is in place, it should restrict communication in such a way that only authorised data is allowed to enter or leave the host system or network. If this is the case, hackers and programmed threats will be unable to cause damage beyond a specific level or area because, in real terms, there is no open physical connection to the host beyond the data the firewall permits. This can be invaluable both in protecting a system and in reducing the damage done in the event of a security breach.
Virus Killers
Whilst implementation of the above methods will increase the security of a given computer system, there still remains the possibility of accidental or malicious damage by legitimate users. Although unlikely to hack a system accidentally, users are frequently responsible for the introduction of programmed threats via infected storage media (floppy disks etc.) or lax practices such as careless internet surfing. The first sign of infection by a programmed threat is usually the symptoms of the infection. Unfortunately, by this stage the only course of action is to remove the threat, a task that can be inordinately difficult due to the hardened nature of many virus, worm and bacteria programs. A booming software industry has developed specifically to provide programs that defend computer systems from such programmed threats and the effects they can have. Virus “killers” (sometimes referred to as virus toolkits) [27] rely on constant research and updating of their “libraries” by the software companies, who invariably run such laboratories, in order to maintain their effectiveness.
The problem with these killer programs is that there is a constant margin of fallibility until a new virus has been broken down and a cure found, meaning that although they give substantial protection there is still the risk of a computer system falling foul of a new strain even if killer programs are properly utilised. The best anti-virus software generally has an active element that monitors data flow through disk drives and network connections, which can enable the program to prevent an infection; however, the same reliance on a current threat library is apparent. Once again, the most effective defence against programmed threats is to instigate security measures so that they never have the chance to intrude upon a system.
Cyberspace Computer Crime & The Law
Though the security of computer systems is undoubtedly the responsibility of individuals, government has a huge part to play in the deterrence of cyberspace intrusions through the framework of the law. In the UK, there are three main avenues by which a prosecution may be brought in such cases.
1988 Copyright, Designs & Patents Act
If an intrusion into a computer system resulted in the copying of proprietary information, prosecution could be brought under this act. Put simply, the first instance of copyright breach (i.e. a hacker copying a file from a computer into which he is intruding to his own computer) is only prosecutable as a civil case; however, any subsequent copyright breaches are classed as criminal. Barrett gives the example of “..a hacker who makes a first copy available for download from a website (the first copy) can only be prosecuted for a civil offence. Those who download the software, however, are making subsequent copies, and so are liable under criminal copyright.” [28].
Prosecution under this act can also involve the owners of computers that host the stored copyright breaches, such as BBS owners or ISPs, although if the host has no means of knowing about the copyright breach they can claim innocent dissemination.
1990 Computer Misuse Act
During the 1980s, hacking was not classed as criminal activity in the UK. Hackers therefore had free rein to intrude into computer systems without fear of prosecution, except for obtuse and infrequent attempted prosecutions in high-profile cases under mismatched laws (such as the 1981 Forgery & Counterfeiting Act). After one such conviction was quashed on appeal [29], the UK followed the lead of the United States and passed a law aimed specifically at hacking and programmed threats. The result was the 1990 Computer Misuse Act, an act framed in three sections to cover specific offences.
Section One
The first section of the act simply covers the procurement of access or privileges to a computer system to which the hacker is not entitled. This is the most general section of the act and can be used to prosecute all types of hacking, from “..quite deliberate attempts at locating specific information files, to the most aimless of explorations” [30].
Section Two
Section two classifies offences in which computer intrusion was used in order to facilitate further criminal activity, such as copyright theft, blackmail or using procured information to carry out more computer intrusions.
Section Three
This final section couples the offence of computer intrusion with the intent to alter the contents and workings of a system or to deny legitimate access to the system. This section therefore neatly covers the writing of viruses, worms and other programmed threats and their release “into the wild”.
The real benefit of such a specific act as the 1990 Computer Misuse Act is the focus it gives law enforcement in prosecuting cyberspace computer crimes, instead of patching other laws onto the crime and failing to prosecute successfully.
1984 Data Protection Act (DPA)
The DPA is primarily focused on the protection in the UK of an individual’s personal details (such as from use that may “..lead to a weakening of position of persons on whom data is stored” [31]). The DPA is regulated by the Data Protection Registrar, who is responsible for bringing any prosecutions under the act. A hacker may be targeted with a prosecution under the DPA if they are responsible for the procurement of personal data on an individual and the subsequent use of this information against that person.
3: Discussion
Cyberwar
The past two chapters have defined, and suggested preventative measures against, illegal computer intrusion and malicious programmed threat infection; however, the perpetrators of these crimes have always been assumed to be individuals or non-official groups acting out of their own whimsy or greed. To date, the vast majority of computer crimes of this nature have occurred in this way, but this may not always be the case. As more and more people in society learn to use and rely on computers, so they become more and more used to existing, working and playing in cyberspace. People meet in cyberspace, they fall in love, they chat (extensively), they argue. Cyberspace has its own politics, its own celebrities, its own gangs and tribes and its own conflicts. Inevitably, it will have its own warfare. In essence, cyberspace is a world of information. It is constructed from information passing between computers and over the communications networks to which they are connected. Bruce Sterling defines the term cyberspace as: “…the place between the phones.
The indefinite place out there, where the two of you, two human beings, actually meet and communicate.” [32] Warfare in the real world can be taken to mean a conflict between parties over commodities they are willing to kill for. These commodities can range from land to goods to people to religion. Thus, if cyberspace is a domain composed entirely of information, any war fought within cyberspace would be for the commodity of information. This theorising has led many military experts across the globe to formulate the concept of Cyberwar, sometimes referred to as I-war (information war). Conflict over intelligence in conventional warfare is not a new concept. One can look back through history for examples of armies with superior intelligence and control of information dominating enemies with considerably larger armed forces. The Mongol hordes of the thirteenth century controlled the largest empire of the time with relatively small armies by maintaining exceptional communications with horseback scouts and messengers. Similarly, superior intelligence has allowed victories that would have been impossible without it, such as the Allied breaking of the Enigma code during WWII or the total decimation of Iraqi armed forces for very few Allied casualties during the Gulf War. This “topsight” is what modern intelligence aims to achieve: superior knowledge of a situation over an enemy, equivalent to “…playing [chess] against an opponent who can hide the dispositions of his pieces, but who can see the placement of both his and yours.” [33] Cyberwar is a broad term that can be used to cover a number of activities that achieve military or strategic advantages in cyberspace. Arquilla & Ronfeldt [34] break Cyberwar as a whole into two sections: Cyberwar, waged by the militaries of opposed nation states, and Netwar, waged by individuals or groups against other individuals or groups or against a nation state.
This second definition is akin to cyberterrorism; however, it uses many of the techniques of Cyberwar against much the same type of targets. Neil Barrett [35] further breaks down the term Cyberwar into smaller areas, those of:
Intelligence
The cyberspace equivalent of spying. The methods and aims employed in this type of Cyberwar are much the same as ordinary hacking [36], that is, the discovery of passwords and the theft and reproduction of sensitive material. This is the lowest-intensity form of Cyberwar and is not much different from the intelligence-gathering techniques used today.
Disinformation
This area of Cyberwarfare is essentially intensified propaganda. A group or nation state could use Cyberwar tactics to subvert their enemy’s own intelligence network or infrastructure, changing vital information that is heavily relied upon in order to gain an advantage. Disinformation techniques could also be used to remove support for a conflict by turning the tide of public opinion or sapping the will to fight of opposing armed forces. Barrett calls this attacking an armed force’s “sanctuary” [37].
Denial
By denying an enemy the use of key computer systems you can easily gain an intelligence advantage and come near to achieving Arquilla & Ronfeldt’s “topsight”. This denial could take the form of unceremonious “trashing” of an enemy’s computers, or inserting a virus that disabled telephone systems, probably by using the techniques highlighted in Chapter 1. The most important aspect of this denial is that afterwards, if one needs to, the denial can be reversed. For example, this could mean telephone systems are disabled in a conflict but restored easily after a cessation.
Destruction
The permanent version of denial, whereby key systems are simply destroyed for good. This could be achieved via hacking or virus insertion, or by conventional military strikes or air raids. This is really Cyberwar at its least subtle but often most effective.
It is also one of the few areas of Cyberwar that has currently been adopted into military doctrine [38]. Cyberwar is a terrifying concept. The idea that computer systems controlling everything from medical records to ATMs to nuclear weapons can be tampered with by anyone with sufficient knowledge, using technology most of us have in our homes, should send a shiver down the spine of any sensible person. Society has embraced cyberspace and the benefits that it brings, from much increased communication possibilities to the increased wealth of information just a phone call away. It has not, however, taken heed of its obvious failings in regard to the computer systems we all now rely upon. On January 15th 1990, the US telecommunications giant AT&T’s long-distance telephone service crashed. The event deprived sixty thousand people of their phone service altogether, and over the nine hours it took to rectify the problem an estimated seventy million phone calls could not be made [39]. At first, AT&T assumed that hackers were to blame for the incident, as the fault had been tracked back to software in computerised switching stations. Indeed, the investigation into the outage uncovered rife hacker and phreaker activity in AT&T’s network; however, the cause was later found to be a single faulty line of code in over ten million. This example of major system fragility is extreme, but when you consider the current fears over year 2000 compatibility problems in computer systems and other less well publicised software bugs [40], a clear picture takes shape of the potential unreliability of the systems in which society places its faith. If chaos such as that caused by the 1990 AT&T crash, and predicted by some as a result of the Y2K bug, can be caused accidentally, the turmoil that could be wrought by malicious Cyberwar tactics such as those outlined above would be widespread and devastating.
My own opinion after significant research is that full Cyberwar is at least a few years away yet, and perhaps a few decades away from mainstream military doctrine; however, preparations need to be put into action now to reduce the effects it could wreak. Most computer security solutions rely on detection and prosecution of individual hackers and criminals after the fact [41]. In a Cyberwar situation, solutions such as these are redundant because warring nations are allowed to use methods that are illegal during peacetime (what conventional war does not involve murder?) to achieve war aims. Would a nation care about possible prosecution under computer crime laws if the action it took won it the conflict? The answer is definitely no. If they carry out their Cyberwar tactics correctly, there shouldn’t be any evidence of any intrusion at all, let alone enough evidence to be able to prosecute. Indeed, individual groups engaging in Netwar against a nation may well want to claim credit for their actions. For example, responsibility is nearly always claimed when a terrorist bomb explodes; the case would be no different if it were a logic bomb detonated in an important computer system as opposed to a plastic explosive device detonated in a busy high street. Netwar tactics may well be the way forward for terrorist and extremist groups in the next century. Virus killer programs require research into known viruses in order to be effective; if a totally new virus is unleashed, it takes time for an update to a killer to be released. The damage that could be done by a highly specialised and effective virus before a way is found to kill it could be catastrophic. Cyberwar takes away all the implications of prosecution as a deterrent to computer crime. Without this threat of prosecution, what other deterrent to computer crime is there? Response in equal measure by an enemy? If your Cyberwar is carried out correctly, the enemy will be left without a means to retaliate.
Is the threat of conventional attack a deterrent? Again, if your Cyberwar tactics are extremely well implemented, the enemy may well be left without the means to attack you conventionally. A Cyberwar attack on an unprepared and undefended enemy’s computer systems could decide a conflict without any further action. Are there any defences against Cyberwar? This is an interesting question, and one the papers and books I have read on the subject fail to answer. Barrett [42] states that the threats to any particular computer system from Cyberwar or Netwar can be quantified by the same methods outlined in Chapter 2, and that the risk of damage to a computer system becomes a threat once it is directed by individuals or groups. Thus, the military and any future potential Cyberwar victims may face a situation similar to the one computer security professionals face today in preventing damage by hackers and programmed threats. If Cyberwar can be seen as a logical continuation of today’s cyberthreats, then perhaps a defence against it could come in the form of techniques developed from today’s computer security, such as the UNIX Kerberos encryption system or highly developed firewalls. The evidence and theorising all point to a continuation of the cat-and-mouse game of hackers and threats versus computer security systems, with neither side of the equation gaining the upper hand for long. The trick to maintaining the integrity of a strategically important system will be to ensure security even on those occasions when an enemy has the upper hand. It is entirely possible that all of the above is too extreme, and that Cyberwar will not play a major part in any future conflicts at all. Indeed, Arquilla & Ronfeldt make the point that “…it is not technology per se, but rather the organisation of technology, broadly defined, that is important.” [43] It is not cyberspace and computers that will make the difference, it is how people and nations put them to use.
When previous dangerous thresholds of technological power have been reached, international treaties have been put into place to limit their use in warfare. Perhaps in the future an international agreement and treaty on Cyberwar will be reached. The fundament of the argument remains that the threat does exist and may well materialise, and that most of the large computer systems society now relies upon are inherently fragile. The opportunity for using cyberspace and criminal computer activity in conflicts is clear. Cyberwar may well be coming.
Civil Liberties
One other major implication of the cat-and-mouse conflict between computer security and hackers is a restriction of cyberspace civil liberties. Law enforcement agencies’ standard practice in pursuing computer criminals (especially hackers) normally involves some sort of search and seizure of a suspect’s computer systems. However, because the field of computer crime enforcement is so new, many officers cannot be called expert in computer systems and how they should be handled. Stories emerge (especially in the US) of hacker raids culminating in households being virtually stripped of electronic devices for fear that a wily hacker might have hidden vital chunks of evidence deep within his microwave, telephone etc. Law enforcement, however, takes the view that it is better to be thorough, and so seizes any item in which illicit data could be stored (for example, a printer’s internal memory). One such seizure took place during “Operation Sundevil”, in a raid on a role-playing games manufacturer in Austin, Texas called Steve Jackson Games (SJG). The US Secret Service were in the process of building a case against a hacker using the handle “Urvile” who was an employee at SJG and, believing Urvile had stashed illicit stolen material on his employer’s computers, they seized every piece of computer technology in the offices as evidence.
This act alone nearly put SJG out of business, even though it was later found that there was nothing on the seized equipment pertaining to the case, only the about-to-be-published cyberpunk game SJG was working on. Agents mistook this material for evidence of a criminal hacker ring, answering Steve Jackson’s cries of “..it’s science fiction” with “no, this is real” [44]. Steve Jackson sued the US Secret Service, eventually winning $50,000 in damages in January 1993. Cyberspace civil libertarian groups (such as Mitch Kapor’s EFF) [45] have sprung up around raids such as that on SJG, aimed at stopping the erosion of free speech on the net by new laws and by the heavy-handed investigative activities of law enforcement agencies. Tangible forces have appeared on both sides of the equation. Although there is no denying, and also no defending, the fact that an unrestricted information source such as the net does get used for ill, I personally believe that the inhabitants of cyberspace must fight to stop the baby being thrown out with the bath water. Decent people could not argue with laws that prevent the abuse of children or other heinous activities; however, the anonymous nature of the net blurs the lines between right and wrong. For instance, it is not illegal to read about or spread information about how an illegal activity may be carried out, but it is illegal to act upon this information (i.e. to commit a crime). Thus, hackers are within their rights to tell the world how to break into a computer system, though in gaining this knowledge they may well have broken laws. By publishing, are they inciting others to commit crimes? Hackers would say no; the law enforcement community would no doubt say yes. It remains a fact that most convicted hackers are serving prison sentences not for computer crimes but for associated fraud (telephone, credit card). Hackers would say that you cannot restrict information; its freedom is at the roots of the “Hands On” hacker ethic.
Information cannot have an owner, and everyone has a right to it. Hackers, therefore, would tell you that they are doing absolutely nothing wrong (except infringing copyright) when they snoop into a computer and copy some files. They haven’t stolen anything, they haven’t damaged anything, they have merely found something out and recorded it. Law enforcement and computer security officials are in the business of restricting information; they wish their hand to remain secret, often for the good of society. If everyone knew how to break into government computers, imagine the consequences. The two views are irreconcilable, and therein lies the problem. The situation the world faces with this issue is similar to that outlined above with Cyberwar. We are dealing with an incredibly powerful technology that has the power to impact everyone’s lives in profound ways, yet the technology is still in its infancy. The spread of computers into the homes of people in relative ignorance of what their potential is and how exactly they can affect them is dangerous, like a child stumbling onto a busy road. In my opinion, from a computer security point of view, the only way to regulate a world-wide network such as the internet is with world-wide consensus and laws. Regulation needs to set down what is permissible and what is not. In the current hotchpotch of national laws, very little good is being done. Decisions must be made upon what information needs to be protected and what does not. Choices must be made as to what extent the exercising of free speech and civil liberties is allowed to put computer security at risk, and to what extent civil liberties can be restricted in the name of protecting computer systems and society as a whole. The task is virtually impossible.
Is prevention of unauthorised computer intrusion possible?
We have seen throughout this dissertation that the implications of computer crime are far reaching and have the potential to affect everyone on the planet. Chapter 2 shows that computer crime is on the increase, and outlines the courses of action that could be undertaken to reduce the number of incidents. But is total eradication of the problem possible? Put concisely, no, for the same reasons society will probably never stamp out car theft or fraud. The best that administrators of computer systems and law enforcement can hope for is that practices and legal deterrents are put in place that reduce the number of incidents to a level at which important systems are not threatened. It is imperative that the dangers posed by hacking and programmed threats are taken seriously by anyone who might be a target, so that the cost in time, money, manpower and effects on society can be minimised. Computer crime exists mainly for the same reasons any crime exists, and a good proportion of computer crime in general (i.e. fraud) is merely of the same type that exists elsewhere but facilitated by computers. Hacking and threat programming, however, are new offences that must be treated as such and not patched over with ill-fitting laws that allow offenders to slip away through loopholes. Similarly, law enforcement agencies need to develop a higher understanding of the nature of these crimes in order to build cases and bring prosecutions effectively; repetition of fiascos such as the Knight Lightning trial must be avoided. Specific laws such as the 1990 Computer Misuse Act and its outlines of cyberspace offences represent excellent steps towards this goal. The challenge for the businesses and organisations who are very often the victims of these crimes is also one of education.
The prevailing image of the demonic hacker and nefarious threat programmer must give way to a developed understanding of how these threats could impact upon an organisation, and how defence against them can be effectively prepared and implemented. Radical changes in the information technology structures of organisations may well be necessary. The computer industry and its associated technologies are really still in their infancy, with prospects such as Cyberwar and increased reliance on computers looming in the near future. The feeling that the industry is heading towards a troubled adolescence is inescapable. In my opinion, the time to place the foundations of better security for the systems we will all eventually rely heavily upon is now.

Conclusions

In conclusion, there are several points this dissertation aims to make:

1. “Hacker” is the term most often used in association with cyberspace criminals. The term originated at the birth of computer programming, the 1950s, where it was coined by users of MIT’s Artificial Intelligence laboratory. “Hacker” did not have a particularly negative connotation in general use until the high profile adoption of the term by the media during the 1980s and early 1990s. Hackers are closely related to phreaks and to programmed threat authors.

2. Hackers may cause damage to computer systems in numerous ways. Most hacker techniques focus on subversion of any security a targeted computer system may have, thereby gaining “trust” and access beyond the level they are legitimately allowed. Once inside the security, the damage they can do is limited only by their whim or by the information contained in the system. Hackers may also use Denial of Service (DOS) attacks against a computer system. Denial of Service means exactly that: the denial to legitimate users of a provided service, such as e-mail or simple login.

3. Programmed threats represent the most widespread cyberspace danger to computer systems.
Though usually labelled by the media as “viruses”, programmed threats take on many forms apart from true viruses and can have devastating effects on unsecured computer systems. Research shows that threat authors are exclusively male, with the current hotbed of threat programming being the countries of the Eastern bloc, India and Russia.

4. Achieving greater computer security means developing a clear understanding of a system’s assets, the threats against those assets and the likelihood of these threats occurring. Generally, computer security focuses on access and authentication control; however, thought should also be given to system auditing, monitoring and data protection.

5. In the UK, prosecution may be brought for cyberspace computer crime under three main acts: the 1988 Copyright, Designs & Patents Act, covering the copyright theft of software; the 1990 Computer Misuse Act, which covers all acts of computer intrusion and damage through hacking and threat programming; and the 1984 Data Protection Act, which allows prosecution for the illegal procurement of an individual’s personal information and its use against them.

6. In the future, cyberspace computer criminal activity such as hacking and threat programming may develop into a form of warfare. Cyberwar (and its terrorism equivalent, Netwar) will focus on the removal or subversion of an enemy’s key computer systems in order to gain an intelligence advantage. As society as a whole relies more and more on large and strategically important computer systems, so the risk of Cyberwar and its possible consequences increases.

7. If computer security globally is to be increased, one dangerous side effect may be the restriction of free speech and civil liberties. As the value of computer information grows with the social reliance on computers, the temptation to restrict this information and to punish severely those who disseminate it will be great.
Care must be taken in the future to prevent unjust treatment of computer and cyberspace users.

8. Finally, I believe it will never be possible to completely prevent unauthorised computer intrusion, be it by hackers or by automated programmed threats. As I stated in Chapter 2, the only totally secure system is one that has no outside connections and has no users: a thoroughly pointless machine. Security, however, can be increased to a point where the computer can (on the whole) be relied upon to be secure. There will always be a set of circumstances and occurrences that can undermine any security, no matter how rigorous, even if the probability of the combination of these elements is astronomically small. Certainly, I don’t believe society will ever rid itself of computer criminals, in the same way it will never eradicate petty thieves. Indeed, as computers and computer use become increasingly common in our society, so surely grows the potential for cyberspace crimes.

Endnotes by Chapter

1: Threats

[1] Levy, Steven “Hackers” 1984. “[they had] a philosophy of sharing, openness, decentralization (sic) and getting your hands on machines at any cost – to improve the machines, to improve the world.”

[2] Dictionary of Computing (Second Edition), Peter Collins Publishing

[3] In his 1984 book “Neuromancer”, science fiction author William Gibson (father of cyberpunk) interestingly never uses the term “hacker”. He always refers to his “hacker” character as a hustler, cowboy and even thief.

[4] Sterling, Bruce “The Hacker Crackdown” 1992

[5] Hackers and phreaks share a murky history; some early hackers were also early phreaks, and vice versa. This inception of the digital underground is hard to date exactly, although Steven Levy describes some of the early MIT hackers experimenting in distinctly phreakish pastimes, such as hacking the phone system.

[6] Steven Jobs & Steve Wozniak, founders of Apple, sold “Blue” boxes from their college dorms.
Levy, Steven “Hackers” 1984

[7] UNIX (a weak pun on Multics, a software project Bell Labs had just abandoned) was developed in 1969 by Ken Thompson at AT&T Bell Laboratories to be an interactive time-sharing system. UNIX was originally intended for use in telecommunications applications, but was distributed freely to universities (and eventually commercially) world-wide as a multi-purpose, source-portable operating system after it was re-implemented entirely in C between 1972 and 1974. Because of this, Dennis Ritchie (author of C) is considered co-author of UNIX. By 1991, UNIX had become the most widely used multi-user general purpose operating system in the world. Source: http://www.netmeg.net/jargon/terms/u/unix.html

[8] Because of their nature, these sites are fluid and come and go all the time. They vary in morality (some advocate criminal acts, some merely claim the right to distribute information without breaching copyrights) and content, although they do make fascinating browsing. One such site is: http://www.underground.org

[9] Sterling, Bruce “The Hacker Crackdown” 1992

[10] Also known as the “brute force” method. A program uses an in-built dictionary to try and retry common characters and numerals at a password entry screen. Given enough time, and considering that most users will use a password that has some meaning (a spouse’s name, a birthdate), the program can ascertain the password. Methods such as this can also be used to break encryption, with a program repeating combinations until the correct key is found.

[11] DOS attacks can be carried out in ways too numerous to fully describe here. An attack can be thought of as DOS if it removes the availability of a service from legitimate users. This can range from deliberate crashing or switching off of computers to blocking up E-mail accounts.
[12] Originally $79,449, later dropping to $24,693.05 during the Neidorf trial. Sterling, Bruce “The Hacker Crackdown” 1992

[13] Jackson, Tim “Inside Intel” 1997

[14] Dictionary of Computing (Second Edition), Peter Collins Publishing

[15] Norton Antivirus 5.0 Virus library (published by Symantec)

[16] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

[17] “We have not yet seen a documented case of a female virus writer.” Marian Merritt, Senior Product Manager for Norton Antivirus, Symantec. Personal Computer World, March 1999 (p117)

[18] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

2: Prevention

[19] Garfinkel & Spafford comment that “..the simplest way to protect a computer network is with physical isolation. Avoid the problems of networks by not connecting your host to the internet and not providing dial-in modems.” Garfinkel, S & Spafford, G “Practical UNIX & Internet Security” 1996

[20] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

[21] For example, if a function that usually lists files periodically erased them instead, the results for the user would be terrible. One other plus side to a consistent system is that users are more likely to notice tampering or operations that are out of the ordinary, such as a hacker’s login trojan.

[22] Auditing of this kind raises moral, legal and civil liberties issues that will be discussed in Chapter 3. Methods such as these can help security but, if taken too far, will impinge on a user’s privacy.

[23] Garfinkel, S & Spafford, G “Practical UNIX & Internet Security” 1996

[24] When determining value, Garfinkel & Spafford suggest administrators “..consider what the loss or damage of the item might be in terms of lost revenue, lost time or the cost of repair or replacement.”

[25] In a good computer security plan, threat identification should include considerations of non-cyberspace and non-criminal factors such as contingencies for lightning strikes or personnel illnesses.
Whilst this is good practice, it is outside the subject area of this dissertation.

[26] One example of an encryption system is the UNIX-based “Kerberos” method of password encryption and authentication, developed by MIT, IBM and DEC as part of the Athena project during 1983. Kerberos utilises a separate server containing all network passwords. At login, the Kerberos server passes a ticket to the user that can only be decrypted by that particular user’s password. After login, the user must “present” an appropriate ticket to the Kerberos server in order to access any related network function. Because all encryption is carried out before transmission over a network, Kerberos data is not susceptible to eavesdropping or misappropriation.

[27] It is a common problem of the modern software industry to group all programmed threats under the media-friendly, generic term “virus”.

[28] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

[29] The 1986 trial of Gold and Schifreen at Southwark Crown Court for the hacking of the BT Prestel system.

[30] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

[31] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

3: Discussion

[32] Sterling, Bruce “The Hacker Crackdown” 1992. The first author to coin the term cyberspace was science fiction author William Gibson, whose 1984 novel “Neuromancer” became the foundation for the cyberpunk genre.

[33] Arquilla, J. & Ronfeldt, D. “Cyberwar is Coming!” International policy department, RAND. Arquilla and Ronfeldt define a model for discussion of Cyberwar within this paper based upon the Mongol hordes.

[34] Arquilla, J. & Ronfeldt, D. “Cyberwar is Coming!” International policy department, RAND.

[35] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997.
[36] Barrett also discusses such diverse techniques as TEMPEST (transient electro-magnetic pulse emanation) attacks, whereby Van Eck radiation from VDU screens is collected and reproduced, and viruses that store keypress strings and E-mail the strings back to the virus writer once a set amount of information has been collected.

[37] Barrett, Neil 1997: “..Although the US homeland is well outside the range of all but the opposing superpowers’ bombs and missiles, it is accessible by means of computers, particularly the internet. A viable Cyberwar target, for example, would then be the infrastructure – particularly economic infrastructure – within this sanctuary.”

[38] Allied NATO forces used this technique effectively during the Gulf War and are currently using the same tactics in air raids against the former Yugoslavia.

[39] Sterling, Bruce “The Hacker Crackdown” 1992

[40] Bugs that can cause repeatable crashes and/or security holes in software are often reported at online sites. One such site is http://www.iss.net, home of Internet Security Solutions. ISS employ a team of hackers (known as the X-Force) in the pursuit of security problems.

[41] A case in point: Kevin Mitnick, a hacker now facing 100 years of jail time and accused of causing over $80 million worth of damages, was tracked down over an extended and protracted investigation.

[42] Barrett, Neil “Digital Crime: Policing the Cybernation” 1997

[43] Arquilla, J. & Ronfeldt, D. “Cyberwar is Coming!” International policy department, RAND.

[44] Sterling, Bruce “The Hacker Crackdown” 1992

[45] Electronic Frontier Foundation. Kapor is the software innovator who founded Lotus Development Corporation, and co-founded the EFF along with John Perry Barlow, Steve Wozniak, John Gilmore, Stewart Brand, Jaron Lanier, Chuck Blanchard and Nat Goldhaber. The EFF was formed in response to the law enforcement reaction over the NuPrometheus attack against Apple.

Bibliography & References

Arquilla, J. & Ronfeldt, D.
(1993) “Cyberwar is Coming!” International Policy Department, RAND ISSN 0149-5933/93. Available for download from

Audit Commission (1994) “Opportunity Makes a Thief: An Analysis of Computer Abuse” Bath: Press On Printers ISBN: 001 886137 9

Barrett, N. (1997) “Digital Crime: Policing the Cybernation” London: Kogan Page ISBN: 0 7494 2097 9

Collin, SMH (1996) “Dictionary of Computing” 2nd Edition Teddington: Peter Collin ISBN: 0 948549 44 0

Garfinkel, S. & Spafford, G. (1996) “Practical UNIX & Internet Security” 2nd Edition Sebastopol: O’Reilly & Associates ISBN: 1 56592 148 8

Gates, B. (1995) “The Road Ahead” St. Ives: Clays Ltd. ISBN: 0 670 85913 3

Gibson, W. (1984) “Neuromancer” Glasgow: Collins ISBN: 0 586 06645 4

Jackson, T. (1997) “Inside Intel” Glasgow: Caledonian International Book Manufacturing ISBN: 0 00 638797 7

Levy, S. (1984) “Hackers: Heroes of the Computer Revolution” St. Ives: Clays Ltd. ISBN: 0 14 023269 9

Thompson, D. (Editor) (1996) “The Oxford Quick Reference Dictionary” Chatham: Mackays Plc ISBN: 0 19 860048 8

“Steal, A”. (1997) “Everything a Hacker Needs to Know About Being Busted by the Feds” [internet] Available from: [accessed 5-10-98]

Sterling, B. (1992) “The Hacker Crackdown: Law & Disorder on the Electronic Frontier” St. Ives: Clays Ltd. ISBN: 0 14 017734 5. Full text available for download from

Thiruselvam, P. & Meinel, C. (1997) “Guide to (Mostly) Harmless Hacking” [internet] Available from: [accessed 5-10-98]

US Department of Justice (1998) “USDOJ Homepage” [internet] Available from: [accessed 5-3-98]

[Author Unknown] (1999) “ISS Homepage” [internet] Available from: [accessed 5-3-98]

[Author Unknown] (1998) “Journal Info Law & Technology” [internet] Available from: [accessed 5-3-98]

[Author Unknown] (1999) “Symantec Anti-virus Research Centre” [internet] Available from: [accessed 3-1-99]

Wheelwright, G. (1999) “Germ Warfare” Personal Computer World March 1999 pp.116-119

Appendices deleted from this version.
Please contact Jim Richardson (the_spacebaby@hotmail.com) for any further information.
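Endnote [26] above describes the Kerberos ticket model in outline. The following Python sketch of that exchange is added for this edition and is not code from the dissertation, from MIT's Kerberos or from any other project: the HMAC-based "cipher", the PBKDF2 key derivation, the server key, the user name and password, and the ticket fields are all constructed stand-ins for the real protocol's encryption and ticket format. It shows the three properties the endnote relies on: a ticket only the password holder can unwrap, a ticket that must be presented for later access, and rejection of anything altered in transit.

```python
import hashlib, hmac, json, os
SALT = b"constructed-salt"  # constructed; a real KDC salts per principal

def derive_key(password):
    # Key that both the user and the ticket server derive from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

def _keystream(key, nonce, n):
    # Toy PRF keystream: HMAC-SHA256 over a counter (stand-in for a real cipher)
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with a fresh nonce; output is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Plaintext, or None when the key is wrong or the blob was altered in transit
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TicketServer:
    # Holds every user's key, as the endnote's Kerberos server holds the passwords
    def __init__(self):
        self.user_keys = {}
        self.ticket_key = os.urandom(32)  # server secret; tickets are sealed under it

    def register(self, user, password):
        self.user_keys[user] = derive_key(password)

    def login(self, user):
        # The ticket is sealed under the server key, then wrapped under the user's
        # key, so only someone holding that password can unwrap and use it
        ticket = seal(self.ticket_key, json.dumps({"user": user, "svc": "mail"}).encode())
        return seal(self.user_keys[user], ticket)

    def access(self, ticket, svc):
        # Later requests "present" the ticket; a forged or altered one fails the MAC
        inner = unseal(self.ticket_key, ticket)
        return inner is not None and json.loads(inner)["svc"] == svc

def client_login(server, user, password):
    # Unwrap the login ticket with the password-derived key; None if password is wrong
    return unseal(derive_key(password), server.login(user))

def demo():
    kdc = TicketServer()
    kdc.register("alice", "correct horse")  # constructed credentials
    good = client_login(kdc, "alice", "correct horse")
    bad = client_login(kdc, "alice", "wrong guess")
    sniffed = kdc.login("alice")  # the wrapped blob an eavesdropper sees on the wire
    forged = bytes([good[0] ^ 1]) + good[1:]  # one bit flipped in a valid ticket
    return {"granted": kdc.access(good, "mail"), "wrong_password_rejected": bad is None,
            "sniffed_blob_not_a_ticket": not kdc.access(sniffed, "mail"),
            "tampered_rejected": not kdc.access(forged, "mail")}
```

One caveat the endnote's last sentence glosses over: the wrapped blob seen on the wire is encrypted under a password-derived key, so its confidentiality is only as good as the password, which is why later Kerberos versions add pre-authentication before any such blob is issued.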