Apprehending the Computer Intruder: Collection and Use of Evidence

What is a Computer Hacker?
The word «hacking» has not always been associated with computer crime. When computers were young, a hacker was a person who was totally engrossed with computer technology. (1,2) He did not merely write programs. He tore apart operating systems and utilities in order to learn more about them. He could easily program so as to solve difficult problems. (3) Clearly, referring to a computer programmer as a «hacker» was a compliment. However, a hacker today is a person who secretly invades other computers without authorization. Even though some computer people like to refer to intruders as «crackers,» the «hacker» handle is the one that survives. Computer hackers (intruders) come in different sizes, flavors and colors:
the curious hacker,
the thrill seeker,
the person who wants information about computers and their flaws,
the power seeker,
the vandal,
the person who steals industrial information, secrets and/or intellectual property,
the person who steals money,
the person who performs industrial espionage,
the terrorist,
the international spy.
Some hackers intend to cause harm — others do not. The typical hacker is a teenager. Teens began hacking during the early 1980’s when inexpensive personal home computers became available. At first, young hackers sought ways around copy protection created by manufacturers of computer games. However, this was often not enough. A «kid» with a computer and a modem could connect to industrial and government computers that were ready to exchange information with him. Invading other computers was often more fun than computer games. The journey through cyberspace was more thrilling than Dungeons and Dragons, but the danger was being caught by the authorities rather than being eaten by some imaginary monster. Often, these teens did not work alone. They formed hacker «gangs» and «clubs» dedicated to exchanging information about what computers could be attacked and about various operating system flaws (4). Among these were the Legion of Doom, the Masters of Deception, and the 2600 Club. Hackers communicated via computer bulletin boards (BBS) and magazines. Many were determined not to cause harm to other computers. Some even developed a hacker ethic. (5,6,7) They believed that all information should be free, but also felt strongly that hackers should do nothing to harm the computers intruded upon. They mistrusted authority and promoted decentralization.
Unfortunately, many hackers do not have this moral view. There have been many destructive «gang wars.» Some individuals enjoy vandalizing computers belonging to others. This is why most computer viruses are propagated. Other hackers are thieves. Some are bank robbers. Others steal industrial secrets, software or other intellectual property. Some hackers are spies.
Not all hackers are teenagers. Adult hackers typically began breaking into computers during their adolescent years. Many of these people still subscribe to a hacker code of ethics. However, this is not necessarily the case with adult hackers whose motive is either profit or espionage. Entrepreneurial adults often begin their hacking careers later in life. These individuals have one of two motives — either to steal or to destroy.
Unauthorized intrusion into a computer even by a person who does not want to disturb anything is still disconcerting to a computer owner or system manager. It is as though a burglar enters your locked house while you are not at home and merely looks around but does not disturb or take anything. You don’t know why he’s there; you don’t know when he might come in again; and you don’t know whether or not he might harm you in the future.
Some people have sympathy for hackers who have been caught. This is true both here and abroad. Israeli Prime Minister Benjamin Netanyahu recently praised a teenage hacker, Ehud Tenebaum, also known as the «Analyzer.» Tenebaum was accused of intruding upon hundreds of government computers in the US and Israel. The movie, «War Games,» also glorified the practice of hacking. Some people whom I spoke to as I prepared this article told me that they thought that it was acceptable to steal information from company and government computers. They believed that if companies or agencies could not secure their computer information, such material should be «free for the taking.» Furthermore, they felt that companies and government agencies were generally evil, and if they can be hacked, the world would be a better place to live.
After examining the statements and motives of many hackers, I have concluded that most of these individuals do not have evil intent. The malevolence apparent with other criminal activities is generally absent among most hackers. Many of them enjoy the challenge of hacking as though it were a sport. Others enjoy flaunting their activities before law enforcement officials («Catch me if you can!»). Some hackers have a compulsive obsession akin to that of excessive gambling.
Robin of Loxley, known as Robin Hood, was a hero. He performed illegal acts under the cover and protection of Sherwood Forest and right under the noses of the Sheriff of Nottingham and his men. Yet, Robin fought on the side of King Richard, who, when he returned from the Crusades, recognized his loyalty and forgave his misdeeds. However, despite the sympathy that many people feel toward hackers, it is unlikely that Congress or the Courts will follow the example of King Richard.
The Perceived Threat From Hackers
In 1992, the FBI proposed expanding the federal wiretapping laws to make it mandatory for all public and private networks in the United States to have a built-in means for intercepting a criminal suspect’s activities. The bureau was seeking real-time remote access to all data, fax, voice and video traffic in the US. Civil liberties groups fought against this proposal and eventually won.
On July 15, 1996, President Clinton set up the President’s Commission on Critical Infrastructure Protection by Executive Order 13010 (9,10). The Commission consists of members from the following departments:
Department of the Treasury;
Department of Justice;
Department of Defense;
Department of Commerce;
Department of Transportation;
Department of Energy;
Central Intelligence Agency;
Federal Emergency Management Agency;
Federal Bureau of Investigation;
National Security Agency.
In addition, the Commission included people from AT&T, IBM, Georgetown University, the Association of American Railroads, the National Association of Regulatory Utility Commissioners, the Federal Reserve Board, and Pacific Gas and Electric Company.
The PCCIP advises and assists the President of the United States by recommending a national strategy for protecting and assuring critical infrastructures from physical and cyber threats. The critical infrastructures to be considered were:
Information & Communications – telecommunications, computers & software, Internet, satellites, fiber optics
Physical Distribution – railroads, air traffic, maritime, intermodal, pipelines
Energy – electrical power, natural gas, petroleum, production, distribution & storage
Banking & Finance – financial transactions, stock & bond markets, federal reserve
Vital Human Services – water, emergency services, government services
The Commission was quoted as saying:
What is the Threat? Anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile.
In his letter to the President on October 13, 1997, Chairman Robert T. Marsh stated:
We found no evidence of an impending cyber attack which could have a debilitating effect on the nation's critical infrastructures. While we see no electronic disaster around the corner, this is no basis for complacency. We did find widespread capability to exploit infrastructure vulnerabilities. The capability to do harm — particularly through information networks — is real; it is growing at an alarming rate; and we have little defense against it.
Although the Commission did not discover a clear and present danger, and despite the above disclaimer, the report recommends action by the President as though the United States were in severe jeopardy from a «cyber» revolution. The report goes on to say:
The federal government must lead the way into the Information Age by example, tightening measures to protect the infrastructures it operates against physical and cyber attack.
The government can also help by streamlining and clarifying elements of the legal structure that have not kept pace with technology. Some laws capable of promoting assurance are not as clear or effective as they could be. Others can operate in ways that may be unfriendly to security concerns. Sorting them out will be an extensive undertaking, involving efforts at local, state, federal, and international levels.
Our fundamental conclusion is this: Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future.
The report expresses a fear that a «cyber» attack can be combined with a real attack. Under these circumstances, telephones may not work, the electric power grid might fail, or the 911 system could be disabled. Certainly the fear is real. Remember the Northeast Power Blackout in 1964 or the failure of the AT&T long distance computers in 1990. Neither of these events came about as a result of hacking or terrorism. However, these events along with many smaller incidents seem to generate wake-up calls.
The report further states:
We believe the eventual goal in this area is an indications and warning capability that provides immediate, real-time detection of an attempted cyber attack on critical infrastructures. The model for what we have in mind is the air defense and missile warning system. This is a defense system consisting of a monitoring or sensor capability, an analytic capability, and an alerting capability.
The Commission made several recommendations to the President. Many of these were constructive. They felt that it is important to put a mechanism into place to detect major threats and then alert appropriate agencies that would act on the information. Actually, these recommendations should be followed. We should be prepared. However, the Commission also recommended changes to laws that would enable law enforcement officials to function more effectively.
Fortunately, there is no clear and present danger of a massive «cyber» attack that would paralyze critical elements of our infrastructure. We are foolish if we do not anticipate the possibility of such an occurrence and prepare for that possibility. The Internet exists today because, in the 1950’s and 1960’s, the government wanted to decentralize placement and distribution of electronic information in case of nuclear war. However, under the present circumstances, existing domestic laws seem adequate to enable law enforcement officials to apprehend and prosecute «cyber» criminals. There is no need to erode our civil liberties at a time when we still have «peace» in cyberspace.
While a massive «cyber» attack on our information handling capability would seriously jeopardize the well being of the entire nation, the probability of such an attack is very low. On the other hand, the impending Millennium or Y2K computer disaster has the very real potential of damaging our infrastructure and causing a global economic collapse (11). Yet, because not enough attention is being paid to this problem, the consequences are inevitable. I believe that at this time, an all-out effort to deal with potential «cyber» attacks would be foolish.
The Real Threat From Hackers
Imagine that you go to your local bank to withdraw money from your account. A sad faced bank executive approaches you and tells you that the bank lost some of your money and that you can only access half of what is in your account. (Of course, this cannot happen today, but at one time in American history, such a situation would not have been so unbelievable.) What would you do? First, you would withdraw the remaining funds from your account, and then, you would probably approach the authorities. What next? Would you deposit the money that you were able to withdraw into another bank? If the year were 1930, you probably would not do so. You might hide your cash in a safe or even under your mattress. Why? The reason is plain. If you cannot trust the banking system enough to know that your money would be available when you need it, you would not use a bank.
Information, data, software, novel inventions, books, plays, poetry and the like require much time, much effort, and often, much money to create. Authors and inventors often store such intellectual property on some tangible medium such as paper, magnetic media, or some computer storage. Most intellectual property is protected by domestic and foreign law by obtaining patents or copyrights or by maintaining it as a trade secret. Many authors feel that this material should be shared freely with the public. This sentiment is noble, but it is done at the discretion of the author. The author owns the work, and unless it is harmful to the public, he or she can dispose of it at will. On the other hand, most authors need to safeguard their works in order to prevent copying, revelation or destruction.
Information stored on a computer has two attributes associated with it — sensitivity and criticality. Sensitivity is a measure of the damage that would occur if the information became known by individuals other than those designated by the owner. Criticality is a measure of the damage that would occur if the information were no longer available to the owner. Highly sensitive and critical information is most often stored on computers because the owners of such information have trust in the security of such stored information. Let this trust erode sufficiently, and sensitive and critical information will no longer be stored on computers.
We live in the information age. We depend upon computers for most business activities, much research, and much pleasure. We communicate by e-mail. We use the internet extensively. Computer users find it extremely useful to be able to dial in to a computer remotely. When we lose trust in the security of these conveniences, we will no longer use them. In fact, many computer owners, in the interest of security, have already disabled the ability of their computers to use these facilities.
This is the real threat from hackers. It would be a real disaster if the public’s mistrust of computers becomes so great that they stop using them. If you know that every time you use the internet, you run a severe risk of your stored files being compromised, you would not use the internet. If you know that every time you send unencrypted e-mail you run a severe risk of interception, you would not communicate in this way. If you know that leaving a live modem connected to your computer leaves you at risk that someone else can use your system, you would turn off your modem. Furthermore, if you believe that computer viruses are so rampant that you run the risk of losing your data every time you turn on your PC, you would not use computers at all.
Of course the threat is real. Hackers can attack your system. In fact, you cannot secure your system enough to protect yourself from the most persistent hacker. A hacker who wants to get in can get in. All of your vital information, your intellectual property, your client files, your credit cards and your bank accounts are vulnerable. Local area networks are in great danger. Using the internet to hack into private computer systems is quite common. If you are an employer, your system can be compromised by insider disgruntled employees and saboteurs even though your computers are not connected by modem to the outside world.
Still, hackers would not want to break into your computer. Why would they? In order to get at your system, a hacker would need all sorts of information. Security is not your real concern — is it? Still, even though computer burglary and vandalism is highly improbable, hackers attack computers like yours every day. Should you stop using online banking? Should you not use your credit card over the internet? Is your email private? Is hacking, like wiretapping, officially or unofficially sanctioned by the government? When should you stop trusting computers to protect your privacy? The answer is when hacking becomes so prevalent that you are personally affected.
What Does A Hacker Do?
The term «hacker» as it is currently used describes a person who misuses someone else’s computer or communications technology. Unauthorized computer intrusion is called hacking. Such use of telephone or other communications facilities is called phreaking. The first thing to realize is that there are people who want to hack. These people have different reasons for breaking through the security wall of computer and telecommunication systems. Most hackers invade any computer that is vulnerable. Some break into a computer by directly accessing that computer. This is done either at the keyboard of a stand-alone computer or at the console or terminal attached to a multi-user computer. However, most hackers break into a computer using telecommunications. This is normally accomplished using a modem or the internet. A computer attached to a modem is an extremely vulnerable target. It is more difficult to trace hackers over the internet than over telephone lines. Therefore, those hackers who use modems are usually phone phreaks. This is done to avoid detection.
Hackers often have direct access to computers into which they intrude. An example would be a user who has limited privileges and uses hacking skills to become the administrator or «super user.» Another example is a legitimate user of a multi-user computer who wants to examine or destroy other people's files. Yet another example is a disgruntled employee who has become a thief, saboteur or terrorist. Most often, unauthorized intrusion into restricted parts of a computer arises from poor system security. Stand-alone personal computers are often left on when their owners are not around. Multi-user systems generally require a user to use a login name and a password. However, the login name is normally very easy to figure out, and password security is usually lacking. Users often use their own or family members' names or birthdates as passwords. Where the password is complex, it is often written down and stored in a typical place (like in the top drawer of a desk) so that the user can refer to it and not be required to memorize it.
Spoofing is the process by which a hacker gains access to a computer by pretending to be a legitimate user. Computer security systems perform only limited checks to ascertain the identity of a user at logon. After logon, additional checks are rarely performed. Therefore, by feeding a minimal amount of information to the computer, logon can be achieved by a hacker claiming to be a valid user. Even where security is more stringent, hackers can still get in. In one instance, I encountered a security system that constantly measures the typing pattern of a user and compares it to a known profile. If the typing pattern does not match, the computer does not respond. The user cannot accomplish anything. With this system, a user does not need a logon name or password since the computer can recognize the user by the typing pattern. This is similar to radio telegraph operators during World War II recognizing the Morse Code pattern, or «fist,» of an operative in the field who was sending messages. Every telegraph operator has a «fist» pattern different from every other operator. Similarly, every typist has a unique typing pattern. However, in testing the system, I was able to imitate the typing pattern of another user and fool the computer into thinking that I was that user. This is an example of very sophisticated spoofing.
Another method by which a hacker can spoof is called social engineering. In this case, a hacker nicely cajoles a legitimate user into revealing computer access information by pretending to be a user having trouble accessing the system. For instance, the hacker would call a telephone company employee telling her that he is a line worker atop a telephone pole who is unable to access the system for test purposes. The telephone company employee, trying to be helpful, then provides him with access information.
Finally, hackers can get information relating to legitimate users’ access information by «dumpster diving.» It is amazing what garbage people throw away. Searching through the trash of any company once left outside for collection often reveals login names, passwords, access telephone numbers, and other confidential information about the company’s computer system. Clever hackers are very often «garbage pickers.»
Hackers are often able to break into computers because of operating system or other built-in system defects. UNIX is the most hacked operating system to date. UNIX passwords are limited in size and are subject to repeated attack using a computer. This type of attack attempts to break in using all possible combinations of characters until the correct password is entered. A more efficient method is to transmit the most common passwords first. Other defects occur where the original developers of the operating system did not consider the problem of users entering non-standard text strings into the computer. For example, when too many characters were entered as the argument of the UNIX finger command, the operating system would execute the excess characters as though they constituted program statements. Using this method, hackers were able to input instructions into a UNIX computer that enabled them to acquire root or «super user» privileges. Fortunately, this problem was fixed in later versions of UNIX, but other defects surfaced and probably will always surface. Other operating systems that are vulnerable to attack are VAX/VMS, WINDOWS NT and WINDOWS 95. Local area networks and intranets have real security problems. Normal security measures appear to be inadequate to protect information shared across multiple computers in this way.
The phenomenal growth of the internet has been accompanied by new methods of hacking. While a user is connected to the internet, his computer is extremely vulnerable. Some computers are always attached to the internet. Sometimes entire local area networks keep their internet connection open twenty-four hours a day to allow users access to the web and email all the time. Hackers routinely break into networks via the internet by spoofing the identity of computers that the network expects to be present.
Phone phreaking is the oldest form of hacking. Before computers became prevalent in our society, people created slugs to cause coin phones to act as though money had been deposited. Sometimes hackers would simulate the sound of coins being deposited. In the days of the «pulse» phone, people would click the receiver cradle multiple times to simulate dialing the number. When «Touch Tone» was introduced, hackers created devices that would create appropriate tones so that they could misappropriate telephone service or even gain access to telephone company information and controls. Hackers were able to wiretap other peoples’ phones and listen to their private conversations. They were able to create phone numbers that would never be billed for service. They were able to obtain so much information about telephone company computers that many of them knew more about these computers than telephone company professionals. Hackers were able to actually remotely control telephone office switching equipment. With the advent of cellular phones, phreaking took on a new dimension. Computer hackers began to use a combination of cellular phones and land-line phones to cover their tracks when performing illegal computer attacks. Their phone calls were virtually untraceable.
Apprehending the Hacker
Just as it is virtually impossible to secure a computer against the most persistent hacker, it is also virtually impossible for a serial hacker to avoid detection and capture. «Cyber detectives» are out there laying traps for and ultimately apprehending «cyber criminals.» The «cyber police» have a number of powerful weapons. First, there are the applicable statutes. In his ‘Infojacking’ article (12), Marc Friedman stated:
The first federal computer crime statute was the Computer Fraud and Abuse Act of 1984 (CFAA), 18 U.S.C. § 1030 (1994)… Only one indictment was ever made under the C.F.A.A. before it was amended in 1986… Under the C.F.A.A. today, it is a crime to knowingly access a federal interest computer without authorization to obtain certain defense, foreign relations, financial information, or atomic secrets. It is also a criminal offense to use a computer to commit fraud, to «trespass» on a computer, and to traffic in unauthorized passwords… In 1986, Congress also passed the Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-20, §§ 2710-20 (1992), (ECPA). This updated the Federal Wiretap Act to apply to the illegal interception of electronic (i.e., computer) communications or the intentional, unauthorized access of electronically stored data… On October 25, 1994, Congress amended the ECPA by enacting the Communications Assistance for Law Enforcement Act (13) (CALEA). Other federal criminal statutes used to prosecute computer crimes include criminal copyright infringement, wire fraud statutes, the mail fraud statute, and the National Stolen Property Act.
By the mid 1990s, nearly every state had enacted a computer crime statute. New Jersey's laws are typical: in 1984, New Jersey amended its theft statute, N.J.S.A. 2C:20-1 et seq., to allow a person to be convicted of theft for knowingly or purposely altering, damaging, taking, or destroying computer equipment, data, or programs. The seriousness of the offense is measured by the value of the data, service, or equipment which is wrongfully altered, damaged, taken, or destroyed. Accessing a computer to commit fraudulent schemes or to interfere with financial instruments is also considered theft. The statute criminalizes wrongful access by itself and disclosure of data which is gained by wrongful access. Victims are entitled to compensatory and punitive damages, as well as the costs of investigation and litigation (including attorney's fees). Hackers may also be prosecuted under a state statute that corresponds roughly with the ECPA.
The U.S. Code is very inclusive covering:
fraudulent use of credit cards and PIN numbers
embezzlement and theft
espionage
malicious mischief
concealment, removal or mutilation of records or reports
sabotage
interception of communications
abuse of billing or customer notification requirements of telegraph, telephone and radiotelegraph carriers
A large number of foreign countries have adopted similar statutes designed to protect electronic commerce and information stored on computers internally. (13) In many instances these countries cooperate with the United States in order to apprehend hackers operating inside their borders. (14) In 1998, the United Nations proposed that the member states effect a concerted effort to combat computer-related crimes. (15) Such crimes included hacking.
If you suffer damages from hacking, in addition to all of the statutes on your side, you are able to institute a civil suit against a hacker. Of course, most hackers have no money and, therefore, are judgment proof. However, this is not always the case.
What to do about hacking? Well, the best offense is a good defense. Computer owners must protect their systems against hackers. Hacking is so prevalent that it is wrong to assume that it will not happen to you. Yet, even though keeping hackers away from your data entirely is virtually impossible, you can do much to minimize your risk.
First, you must take a formal inventory of all your computer assets — hardware, software and data. Each item must be classified in terms of sensitivity and criticality. Typically, these assets are given values of 1 to 5 for sensitivity (ranging from not sensitive to extremely sensitive) and criticality (ranging from not critical to extremely critical). From this classification it is possible for you to perform a risk analysis. Most computers have public areas and private areas. For example, in a local area network, the file server might be a public machine while the individual client computers are private machines. The public area is where outsiders may access the system. An outsider should never be given permission to access the private (user) areas. Sensitive and critical data must be kept in private areas — never in the public area. However tight security may be in the public area, it must be «super tight» in the private areas. Very sensitive material must be encrypted. Very critical material must be stored redundantly.
The first step in securing computers against hackers is establishing physical security. Hackers must never be able to access your computer. In large companies, strangers in business attire often walk from office to office attempting to gather information about the computers. These people have mastered the art of social engineering. For example, even in high security environments, I have been able to walk by the security guards by being friendly and completely believing that I actually belonged there. I was not even challenged. I have called corporate computer rooms at 3:00 AM and persuaded unwary computer operators to provide me with modem access numbers. Company employees must be educated in the familiar wartime doctrine: «Loose Lips Sink Ships!» Physical security is every employee’s responsibility.
The next step is creating a «firewall.» A «firewall» is a barrier against unauthorized intrusion. Having a «firewall» on a computer is equivalent to having a lock on a door. Break-ins are possible, but less likely. The most common «firewalls» are software based. They are generally less expensive than hardware «firewalls,» but hardware can provide greater security than software. A hardware «firewall» is a separate computer that serves as the interface between the outside world and the computers that process data. All modem and internet connections must be processed through this dedicated computer. The only thing that this computer concerns itself with is security. Every message passing through this computer in either direction must be authenticated. Software and hardware «firewalls» are commonly available for all but the most obscure operating systems. Having a «firewall» is essential to reducing the probability of intrusion.
Next, user identification and authentication procedures must be put in place. The most common operating systems come with common user names such as ‘guest’ and ‘admin’ pre-loaded with no password protection. Often, system administrators are not aware of the existence of these common user accounts. Computers containing sensitive or critical data should never be accessed by unidentified users. Users should be minimally authenticated using passwords. Computers requiring greater security should use biometric identification or physical tokens for authentication. Remember, even computers not connected to the outside world are vulnerable.
No computer can be perfectly secured against break-in by the most persistent hackers. Once the optimal tradeoff between security and functionality has been achieved, methods of detecting intruders and logging their activities must be put in place. All modem lines must have caller ID. Incoming anonymous phone calls must be blocked. Log files must be reviewed on a regular basis. Once intrusion is suspected, user activity auditing must be activated. To apprehend an intruder, software to monitor every keystroke by selected users is often utilized.
How would intrusion be detected? With all of these security measures, only the most sophisticated hackers can break into the system. Initial intrusion into a computer can occur in one of two ways. Either the hacker takes advantage of security flaws to circumvent authentication or masquerades as a legitimate user. Once having initially accessed the system, a hacker can set up mechanisms to avoid future detection. Often, after breaking into a particular computer many times, an adept hacker has multiple «back doors» of entry and numerous user accounts that can be used for future login. After logging onto a particular system whose security is less than perfect, a hacker can «piggyback» onto a computer that «trusts» the computer that the hacker uses for initial entry. Since serial computer hackers are usually also phone phreaks, it is likely that any phone number traced to a hacker would not belong to the actual telephone from which he is calling.
It is actually very hard to detect the presence of a hacker. Generally, while you are working on your multi-user computer, you are oblivious to the activities of other users. A hacker is just another user. You may see some extra hard drive activity (as evidenced by the «little lights» on the computer console), but you often see that extra activity whether or not there is another user on the system. The time to detect a hacker’s presence is when there are very few or no users on the system. Then, a modem light while no users are logged on can be a signal that a hacker is on the system. Intrusion from the internet is not as simple to detect. Hackers often alter the log files to make sure that their presence is undetected. Regular examination of the log files could reveal the presence of a hacker. Of course, some hackers flaunt their activities by leaving telltale files or images that effectively say: «Catch me if you can!»
Hackers usually do not want to intrude upon a system when other users capable of detecting their presence are already logged on. So, for example, the first thing that a hacker might do upon initially accessing a computer could be checking who else is logged on. If the system administrator is working, the hacker usually disconnects immediately. Hackers search a system to find user accounts that have not been used for a long time. The intruder then masquerades as that user. Suddenly, that user’s account gains system privileges.
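The two signals described in the last two paragraphs (a modem login at a quiet hour when nobody else is on the system, and a long-dormant account that suddenly becomes active) can be checked mechanically from the login log. The following added example is not from the original article: it runs both checks over a constructed log in a hypothetical format (`<date> <time> LOGIN|LOGOUT user=<name> from=<source>`) against a constructed baseline of each account's last known login. The dormancy threshold and the quiet-hours window are assumptions.

```python
"""Flag dormant-account reactivation and off-hours logins with no other users.

Added example; the log format, the baseline and the thresholds are constructed
assumptions, not anything the article or a particular system prescribes.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90          # assumption: unused this long means "dormant"
QUIET_HOURS = range(0, 6)  # assumption: 00:00-05:59 normally has no users

# Constructed log lines in a hypothetical format.
SAMPLE_LOG = """\
2024-01-03 09:02:11 LOGIN user=alice from=console
2024-01-03 17:30:05 LOGOUT user=alice from=console
2024-01-04 02:13:44 LOGIN user=bsmith from=modem2
2024-01-04 02:58:10 LOGOUT user=bsmith from=modem2
2024-01-04 08:45:00 LOGIN user=alice from=console
2024-01-04 11:10:12 LOGIN user=carol from=net
2024-01-04 12:00:00 LOGOUT user=carol from=net
2024-01-04 18:00:00 LOGOUT user=alice from=console
"""

# Constructed baseline: last login recorded for each account before this log.
LAST_SEEN = {
    "alice": datetime(2024, 1, 2),
    "carol": datetime(2023, 12, 20),
    "bsmith": datetime(2023, 6, 15),   # e.g. an account of a former employee
}


def parse_line(line):
    """Split one log line into (timestamp, event, user, source)."""
    date, time, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    ts = datetime.fromisoformat(f"{date} {time}")
    return ts, event, fields["user"], fields.get("from", "?")


def detect(log_text, last_seen, dormant_days=DORMANT_DAYS, quiet_hours=QUIET_HOURS):
    """Return a list of (timestamp, user, reason) alerts in log order."""
    alerts = []
    active = set()          # users currently logged on
    seen = dict(last_seen)  # copy, so the caller's baseline is not modified
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event == "LOGIN":
            prev = seen.get(user)
            if prev is not None and ts - prev > timedelta(days=dormant_days):
                gap = (ts - prev).days
                alerts.append((ts, user, f"dormant account reactivated after {gap} days"))
            if ts.hour in quiet_hours and not active:
                alerts.append((ts, user, f"off-hours login from {src} with no other users on"))
            active.add(user)
            seen[user] = ts
        elif event == "LOGOUT":
            active.discard(user)
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG, LAST_SEEN):
        print(ts.isoformat(sep=" "), user, reason)
```

On the sample log only the 02:13 modem login by the long-unused account trips the detector, and it trips both rules; the daytime logins by current users pass. Because the baseline is copied before use, the same function can be run repeatedly over successive log extracts without the earlier run's updates leaking into the caller's data.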
If an intrusion is detected, should you seal the system, or should you encourage the hacker to continue accessing the computer in order to catch the intruder? At first glance, it appears that sealing the system would protect the integrity of your data. However, if a good hacker was able to break in once, he can break in again. Hackers often create multiple back doors in a vulnerable computer. Remember, you cannot secure your system against a persistent hacker. Therefore, the only real security available stems from apprehension of the hacker. It follows that if a hacker is allowed controlled access to the system, the probability of capture is greatly enhanced. In this way, the hacker is isolated, and his M.O. can be ascertained.
Once the presence of a hacker is established, he must be tracked. As a starting point, the caller ID information must be recorded. The *57 (official call trace facility) must be activated. If internet hacking is suspected, the IP address must be recorded. The audit trails for the hacker’s activities must be activated. If possible, every keystroke of the hacker must be recorded to be used as evidence. I am aware of one company whose method is that, once a hacker is detected, he is routed to a separate computer. This special computer contains neither sensitive nor critical information. Bait is placed within the system to trap the unwary hacker. Yet, at no time is a known hacker permitted into the main system. Another company actually set up an electronic bulletin board service (BBS) to set a trap for a particular hacker.
Once a hacking incident is detected, C.E.R.T. (the Computer Emergency Response Team) should be consulted. (16) [Additional help from various organizations is available. (17)] Next, the authorities must be contacted. Local police should be contacted first. They should be able to coordinate activities with the FBI if necessary. Formal contact with law enforcement authorities is necessary to secure call tracing to the source and ultimately, search warrants. If intrusion is occurring on foreign shores, the FBI should be able to coordinate efforts with appropriate governments.
Evidence from your computer system must be collected with great care. Remember, this is what will be used during the hacker’s trial once he is captured. However, no matter how strong your evidence is, equally strong evidence must tie the individual to the crime. Since hacking is a remote crime, the perpetrator is invisible. Once the hacker is tracked, a search warrant must be obtained and his computer equipment, magnetic and other data media, and documents must be seized and examined for evidence. A forensic consultant must analyze the seized materials to establish the connection between them and the evidence collected from your computer system.
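The records described above (keystrokes, IP addresses, audit trails) are only useful at trial if it can be shown that nothing was altered or deleted after capture. The following added example, which is not from the original article, keeps such records in a hash-chained log: each entry carries the digest of the entry before it, so changing, removing or reordering any record breaks every digest after it. The session records are constructed (the address is from a documentation range), and the chaining scheme is a standard integrity technique rather than a procedure the article prescribes.

```python
"""Hash-chained evidence log: detect later alteration or deletion of records.

Added example; the records below are constructed and the scheme is a generic
integrity technique, not something from the article.
"""
import hashlib
import json

GENESIS = "0" * 64  # fixed starting digest for an empty chain

# Constructed sample session records; 192.0.2.0/24 is reserved for documentation.
SAMPLE_RECORDS = [
    {"ts": "1998-03-02T02:13:44", "src_ip": "192.0.2.44", "user": "bsmith", "keys": "who"},
    {"ts": "1998-03-02T02:14:02", "src_ip": "192.0.2.44", "user": "bsmith", "keys": "ls /usr/spool"},
    {"ts": "1998-03-02T02:15:30", "src_ip": "192.0.2.44", "user": "bsmith", "keys": "exit"},
]


def _canonical(record):
    """Serialize a record deterministically so equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_record(chain, record):
    """Append a record to the chain and return the new entry."""
    prev = chain[-1]["digest"] if chain else GENESIS
    digest = hashlib.sha256((prev + _canonical(record)).encode()).hexdigest()
    entry = {"seq": len(chain), "prev": prev, "record": record, "digest": digest}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i   # an entry was removed, inserted or reordered
        expected = hashlib.sha256((prev + _canonical(entry["record"])).encode()).hexdigest()
        if entry["digest"] != expected:
            return False, i   # the record content was altered
        prev = entry["digest"]
    return True, None


def build_sample_chain():
    """Chain the constructed records in capture order."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    return chain


def tamper_demo():
    """Alter one captured keystroke record and report what verification finds."""
    chain = build_sample_chain()
    chain[1]["record"]["keys"] = "who"   # quietly rewrite the second record
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("after tampering:", tamper_demo())
```

The chain detects tampering; it does not by itself prove who made the original entries. In practice the final digest would be recorded out of band (printed and signed in the logbook, or handed to the investigating authority) at the time of capture, so that a later party cannot simply rebuild the whole chain around altered records.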
Prosecuting the Alleged Hacker
Successful prosecution of a hacker depends upon the physical evidence. Because it is a criminal proceeding, guilt (in the United States) must be proven beyond a reasonable doubt. This is not easy. The nexus between the hacking incidents and the hacker must be firmly established. All records concerning the intrusion incidents must be presented. The more detailed the evidence, the better. Nothing should have been deleted or tampered with. Today’s judges and juries do not normally have a technical background, although, in this case, it might be better to select a technically savvy jury. The evidence must be presented in such a way as to be understood by the jury. Someone should summarize the evidence in a clear and concise manner. The State must present its findings from the computer materials seized during the search. Expert testimony is necessary to prove that the alleged hacker is the one who perpetrated the intrusion. An expert’s findings, conclusions and opinions are the underpinning of the entire case.
Defending the Alleged Hacker
It is inconceivable that the prosecution would be unable to present a prima facie case against the defendant. Following this presentation, the only good defense would be to create doubt that the intrusion(s) were done by the defendant. Remember, in all but the rarest cases, nobody saw the defendant while in the process of hacking. «It wasn’t me!» is the only defense.
To make its case, the defense must mount a detailed attack on the evidence. If an alibi for the defendant can be established for the date and time at which even one of the incidents was shown to occur, reasonable doubt has been created. Under these circumstances, the prosecution must put forth a weak «two hacker» theory. After establishing an alibi for the defendant at the time of the alleged hacking, a good defense expert can make the prosecution’s remaining evidence collapse like a house of cards.
Other defenses would be to attack the inconsistency of the evidence. In addition, if the evidence is incomplete or does not firmly establish that the defendant is the hacker or that hacking actually took place, the defendant is likely to be acquitted.
Case Studies
Marcus Hess
In 1989, Cliff Stoll told the story of the capture and prosecution of a West German hacker named Marcus Hess. (18) Stoll was an astronomer who designed telescope optics. However, cancellation of a government grant caused him to accept a position as a system administrator of the computer center of the Lawrence Berkeley Laboratory in California. On his first day on the job, he was assigned the apparently mundane job of tracking down an accounting discrepancy on the LBL computers. Stoll was a good detective. He followed every «cyber» trail. His investigation led him to the conclusion that computer security (which was minimal, at best) had been compromised. Not only had a hacker intruded into the system, but he had also acquired «root» or system privileges. The hacker would capture many different legitimate user accounts. When one was deactivated, he would go to another. Stoll was also able to figure out how the hacker broke in and what he was doing. LBL was afraid that he could cause severe damage to the computers and considered sealing the system against further intrusion by this individual. However, Stoll and his colleagues convinced their management that sealing off the system would have been impossible. Therefore, a plot was hatched to trap the hacker.
Stoll contacted the local authorities who traced the call to a Tymnet switch in Oakland, California. Tymnet was a «gateway» service that a user called into that routed him to any one of a number of computer systems that also used the service. Tymnet was one of a number of services available that provided local telephone numbers where directly accessing the computer would have been a long distance call. Users normally use packet switching services like Tymnet because long distance computer sessions (owing to the length of time of a session) can be very costly. Because the call came in from Oakland rather than from Berkeley, it was obvious that the hacker was not working locally. Tymnet officials helped LBL with call traces. Sometimes the hacker’s calls appeared to come from the homes of Jack London, Ed Meese and Gertrude Stein. Eventually, with help from AT&T and the FBI, it became obvious that the calls were being «piggybacked» across the entire United States with their origin being Hanover, West Germany. Since this type of hacking was new, total cooperation from the FBI and the West German government was not immediately forthcoming. Eventually, the German authorities were able to break in and catch Marcus Hess in the act.
Hess was a particularly dangerous hacker. His activities began in Hanover and expanded out of the University of Bremen or through the German DATEX-P Network via satellite link or transatlantic cable to the Tymnet International Gateway. From there, he branched out to the Jet Propulsion Laboratories in Pasadena, California and to the Tymnet Switching System. It is from Tymnet that he accessed the LBL computers. His primary use of LBL was to «piggyback» onto ARPANET and MILNET. ARPANET was a civilian wide area network created by the Department of Defense. MILNET was its military counterpart. ARPANET ultimately became the internet that we know today. Through MILNET, Hess was able to attack approximately four-hundred U.S. military computers. These facilities included:
SRI International – Omaha, NB
U.S. Army Darcom – Seckenheim, West Germany
Fort Bruckner Army Base – Japan
U.S. Army 24th Infantry – Fort Stewart, GA
U.S. Navy Coastal Systems Computer – Panama City, FL
U.S. Air Force – Ramstein, West Germany
MIT MX Computer, Cambridge, MA
OPTIMUS Database – Pentagon
Air Force Systems Command – El Segundo, CA
Anniston Army Depot – Anniston, AL
Hess was a computer prodigy who was recruited by the KGB. He was a spy. He sought to obtain U.S. military information and pass it on to the Soviets. He would peruse U.S. computers and gather information usually as mundane as schedules concerning the movement of troops or supplies. Stoll and his colleagues realized that the LBL computers were being used mainly for «piggybacking.» At first, when he contacted the security officers at the various compromised military facilities, these officers refused to believe that a hacker could break through the seemingly tight security. Eventually, most of these people cooperated with Stoll.
Stoll hatched an idea to trap the hacker. It was important to keep him online as long as possible in order to effectively trace his calls to their source. To that end, he created records of a «bogus» military project being conducted on the LBL computers. The pretense was that Lawrence Berkeley Laboratories was engaged in an important part of the SDI Star Wars project. Several LBL personnel worked full time creating many letters and memoranda that appeared to be military in nature. Stoll used a separate dedicated computer to monitor and record Hess’ activities. Although a scientist reading this material would have known that the information was worthless, Hess was no scientist. He was just a clever computer hacker. The bait worked, and Hess was ensnared in the trap.
Stoll testified at the trial of Hess in Germany in 1990. Hess was found guilty of espionage and received a one to three year prison sentence. He was eventually released on probation. He now writes networking software for a computer company in Germany.
Cliff Stoll’s detective work in this matter was exemplary. Apprehending Hess was not easy. Law enforcement and government authorities were not always cooperative. Stoll was persistent. He made careful records of Hess’ activities. His computer and logbook evidence was clear and definitive. When Hess was captured in the act, the nexus between him and his activities was firmly established. Here is one of the earliest examples of how a good forensic investigation produced excellent evidence that led to the conviction of a dangerous hacker and an international spy.
Mark Abene (a.k.a. Phiber Optik)
Mark Abene began hacking as a teenager in the 1980’s. He would stay awake most of the night working on his Radio Shack TRS-80 computer. The following day he would sleep through math class. As a youngster, Mark was already adept at social engineering. He would call the New York Telephone business office and, in a deep voice, claim that he was from the Repair Service Bureau. He told the woman on the line that he did not have a directory handy and that he needed a number for a line assignment. (19) He would then call the line assignment office and tell them that he needed a cable-and-pair number for his own telephone number. He later began hacking into the telephone company computer systems such as ICRIS (Integrated Customer Record Information System) and COSMOS (Computer System for Mainframe Operations). His primary objective was to learn more about the telephone system, but he was able to steal service first for himself and then for his friends.
Eventually, through the various BBS’s that were available to hackers, he «hooked up» with the hacker gang called the Legion of Doom (LOD). He was seventeen years old. At this point he adopted the alias of Phiber Optik. Mark believed in the hacker ethic — to look but not to destroy. Eventually, he began to hack into other hackers’ computer systems. After a number of years, Mark was kicked out of the Legion of Doom because of an argument with its leader. He then formed a new gang called Masters of Deception (MOD). The two gangs became bitter rivals, and gang wars began taking place in cyberspace.
As time went on, telephone company gurus realized that something was going on. They were able to occasionally kick Mark and his friends off phone company computers. However, Mark would always be able to get back on.
Tom Kaiser was a security officer with the New York Telephone Company. He dedicated himself to catching these intruders. He teamed up with an expert named Fred Staples, and together they monitored the calls of another known hacker and found a large number of telephone calls to Mark’s home. In fact, these calls would occur invariably each time after the other hacker would break into the telephone company computers. By this time, Phiber Optik and his friends had penetrated deeply into the phone system. Kaiser was worried. He was concerned that with a single keystroke, the hackers could disrupt phone service to the Wall Street area. He did not need a court order to wiretap Mark’s phone. Ultimately, Kaiser got the U.S. Attorney’s Office involved.
Mark and his friends did not confine their hacking activities to the telephone company. They created problems for AT&T, WNET-TV and Hallmark. The problem was that various MOD members began to boast online about their activities. MOD began breaking into private computer files, rewiring telephone lines and obtaining confidential credit information on individuals. The conflict between MOD and LOD became intense, and all the while, federal agents were monitoring all of the telephone lines and were collecting evidence.
On January 15, 1990, the AT&T computers crashed leaving thousands of customers without long distance service. Mark and his fellow hackers thought that they had caused the crash. AT&T eventually took the blame for the crash. However, two weeks later, armed with a search warrant, the U.S. Secret Service raided Mark’s apartment and confiscated his computer equipment, disks and documents. Shortly thereafter, the apartments of the other MOD members were similarly raided. Soon, many of Mark’s friends signed confessions.
After the raids, the government authorities did nothing for a long time. The raid on his apartment initially scared Mark, but eventually law enforcement inactivity made him confident enough to begin hacking once again. He hacked into the TRW computers. Now the U.S. Justice Department, the FBI and the Secret Service really cracked down. For the first time in U.S. history, the authorities wanted to put wiretaps on computers. (20) In June of 1992, Mark and the other members of the MOD learned that they had become targets of a Grand Jury investigation. (21) Mark was given a court-appointed attorney. As a result of the indictment, Mark could have been sentenced to ten years in prison. Mark became famous. Confident, Mark continued his hacking activities.
Most of the other defendants in the case pled guilty. They all admitted complicity and implicated Mark. Mark pled not guilty and decided to go to trial. The evidence against him was massive. Then, five days before trial, Mark changed his plea to guilty. He was sentenced to serve one year in Pennsylvania’s Schuylkill Prison.
Kevin Mitnick (a.k.a. The Condor)
At the time of the writing of this article, Kevin Mitnick has been imprisoned by the U.S. Government without a trial for almost four years. (22) He was initially held on a fourteen count indictment (23), and charged with possession of unauthorized access devices (24), computer fraud (25), causing damage to computers (26), wire fraud (27), interception of wire or electronic communications, aiding and abetting (28), and causing an act to be done (29). Judge Mariana R. Pfaelzer (30) and Justice Sandra Day O’Connor have both denied bail to Kevin. (31) At times, Kevin was held in solitary confinement because of the unfounded fear that should he even get his hands on a transistor radio, he could cause problems with the prison’s computers. Although massive computer evidence exists against him, Kevin was, until recently, denied access to a computer to review the evidence being presented against him even when the computer was not connected to a modem.
Why the paranoia? Kevin Mitnick is considered by authorities to be the most dangerous hacker to date. Certainly, he is the most notorious.
On September 13, 1998, a group of hackers called HFG attacked the New York Times website and changed its entire appearance. Their message was clear: «FREE KEVIN!» As one drives in various parts of the country, FREE KEVIN bumper stickers can be occasionally seen. The media, including many prestigious newspapers and television stations, is seen to be sympathetic to Kevin.
Kevin David Mitnick began hacking in suburban Los Angeles in the mid-1970’s. He soon joined a group of phone phreaks that congregated in a pizza parlor in Hollywood. His goal was mastery of Pacific Bell’s computers. He would steal service. He would perform many pranks. He seemed to have a mean streak. For example, he would change the status of someone’s home telephone to that of a pay phone so that, when the individual would pick up the phone, he would be asked to deposit twenty cents. (32)
During the 1981 Memorial Day weekend, Kevin and two friends broke into the Pacific Bell COSMOS phone center in downtown Los Angeles. During this burglary, they stole much proprietary information (including password lists and operating manuals). They also tampered with the computers by inserting data that would facilitate later hacking. A telephone company manager soon began an investigation of the incident. He went to the local authorities. The case was solved when the girlfriend of one of his friends went to the police and informed on her boyfriend and others. Kevin was arrested. However, he was lucky that he was only seventeen. (33)
Kevin then became a serial hacker. He adopted the alias «The Condor.» He had several run-ins with the police. In 1983, Kevin was arrested by the campus police of the University of Southern California for using a university computer to hack into the ARPANET. He used the ARPANET to gain access to a computer located in the Pentagon. Kevin served six months in a juvenile prison in Stockton, California. (34)
After his release, he continued hacking. In December 1987, Kevin was sentenced to 36 months probation for stealing software from the Santa Cruz Operation, a software company in southern California. In 1987 and 1988, Kevin and a friend, Lenny DiCicco, persistently hacked into the computers of Digital Equipment Corporation (DEC) in an effort to secure the source code for the VMS operating system. Scientists at DEC were aware of what was going on, and put up a valiant battle with the hackers. The local police and the FBI became involved. Because of Kevin’s phone phreaking efforts, the FBI was virtually powerless to trace the hackers’ telephone calls. However, even though Kevin and Lenny were friends and accomplices, Kevin made fake calls to Lenny’s supervisors at work telling them that he was a government agent and that Lenny was in trouble with the IRS. DiCicco then confessed to his supervisor who then called the FBI and DEC. Kevin wound up in federal court in Los Angeles. He pleaded guilty to one count of computer fraud and one count of possessing illegal long distance access codes. Kevin’s defense tactic was that he was psychologically addicted to hacking. The case gained nationwide attention. Kevin’s attorney struck a plea bargain that would send him to prison for one year and then to counseling for six months. (35)
After his release, Kevin continued hacking and phreaking. He became the target of an FBI investigation. A federal judge then issued a warrant for Mitnick’s arrest for violating the terms of his 1989 probation. However, when the FBI came to arrest him, he had disappeared. He had several close encounters with the authorities, but he proved to be too clever for them. Kevin continued to elude the FBI until 1995. All the while, he continued his hacking and phreaking activities.
His downfall came as a result of his hacking the personal computers belonging to Tsutomu Shimomura during the Christmas holidays in 1994. Shimomura is a brilliant physicist from Japan, raised in Princeton and living, at the time, in San Francisco. Shimomura is an expert on computer security. (36, 37) Over the next year and two months, Tsutomu Shimomura pursued Kevin Mitnick across the country until he was finally apprehended in Raleigh, North Carolina. Shimomura had help from the FBI as well as from several employees of various local telephone companies. (38, 39)
Shimomura discovered that the hacker who intruded on his computers used a new access technique called IP spoofing. This enabled someone to hack a network server computer by pretending that he was operating from a «trusted» computer. By the middle of January 1995, Shimomura discussed the matter with John Markoff, a New York Times reporter. Eventually, the two of them decided that Kevin was the hacker. This was done through Markoff’s knowledge of Kevin’s M.O. Shimomura carefully collected and recorded evidence about the break-in to his own computers and other systems. At one point, Tsutomu’s personal files were found on another computer that was hacked. It was eventually determined that the hacker was using cellular phones to make his calls. With the help of a Sprint Cellular engineer, the origin of the calls was traced to Raleigh, North Carolina. This engineer was able to narrow the location to within a kilometer. Shimomura went to Raleigh. He was able to further narrow down the source of the phone calls. Warrants were obtained. On February 15, 1996, Kevin Mitnick was arrested by the FBI in his Raleigh apartment. (40)
At the beginning of 1998, the following notice appeared at the Official Kevin Mitnick Website: (41)
Wanted ASAP: Expert witness for Mitnick trial
Computer Expert Witness Needed «Immediately»
A computer expert is needed immediately to testify as an expert witness in an ongoing criminal matter in Federal District Court in Los Angeles. Kevin Mitnick is seeking a highly credentialed expert in computer security, telecommunications, system and network administration to testify in this highly publicized computer «hacking» case.
This will be a groundbreaking case and is expected to attract significant media coverage. Testimony will be required as early as March 30, 1998 in Los Angeles, California. Further testimony will be needed at trial, later this year. Expert witness fees will be paid by the federal court.
Qualified candidates must have an advanced degree and be knowledgeable in DOS, Windows, SunOS, VAX/VMS, and Internet operations. Experience with cellular telephone networks is a plus. Previous expert testimony and/or publication are preferred.
Qualified candidates please contact Mr. Mitnick through his appointed defense counsel, Donald C. Randolph, Esq. at (310)395-7900.
Kevin has not yet been tried. What could his defense be? The evidence collected by Tsutomu Shimomura seems overwhelming. Furthermore, much incriminating evidence was found in his Raleigh apartment when he was arrested. I do not believe that the «addiction defense» will work again. A jury would probably not have sympathy for him, and Judge Pfaelzer does not seem to be inclined toward leniency. This case seems to be a prosecutor’s dream.
Mitnick’s court-appointed attorney, Donald C. Randolph, appears to be mounting a defense that Kevin’s constitutional rights have been violated. In an interview with Randolph, Mike Bruner of MSNBC states that «the Mitnick trial will venture into new legal ground… by refusing to plea bargain, hacker aims to set precedent.» (42) Randolph goes on to say that Kevin’s indictment now includes twenty-five counts of causing $80 million in damage by breaking into computers belonging to companies such as Motorola, Sun Microsystems, NEC and Novell. He points out that this matter, scheduled for trial in January 1999, will be one of the first major federal hacking cases to go to trial. If convicted, Mitnick could face as much as 200 years in prison. Yet, Kevin refuses to plea bargain.
Randolph said Mitnick’s trial … will establish precedent in terms of «the manner in which the evidence is handled, how the assessment of the amount of the alleged loss is [computed] … and how the wire fraud law is applied to computer fraud situations like this one, where there is no attempt at an economic or gainful use by the defendant.»
By also raising issues such as whether a defendant should have access to encrypted evidence that prosecutors can’t decode and whether a hacker can be denied bail on the basis that he or she poses a risk to the public, «It may set the standard for how computer fraud cases are going to be handled in the future,» Randolph said. (43)
During Mitnick’s trial, his defense is expected to challenge the use of federal wire fraud charges by arguing that hacking in its purest sense, invasion of computer systems without damaging them, does not meet the legal definition of wire fraud, since there is no monetary gain. The government will likely counter that theft of software is sufficient grounds for the charges.
If Mitnick is found guilty, the battle will shift to the prosecution’s calculation that he caused $80 million in damage to the companies whose systems he allegedly invaded. Randolph said that the prosecution has included the companies’ research and development costs of the software that Mitnick allegedly pirated to reach the sum.
«If the [software] is not removed from use … and has not been shown to anybody, then the victim is not harmed to the extent that all their research and development costs are worthless,» he said.
[Assistant U.S. Attorney Christopher] Painter agrees that the damages will be a point of contention if Mitnick is convicted.
«The way that federal sentencing laws are set up, damages are one of the driving forces of what the sentence ends up being,» he said. «There are many components to damages where someone is going and breaking into systems, including what they need to do to fix those systems, repair costs, if material is stolen you have to value the material that’s stolen, and there are a variety of ways to do that.» (44)
Whether or not Randolph uses the «nexus» defense, from the materials that I examined, I am not certain that the evidence conclusively proves scientifically that Kevin was the actual perpetrator in all of the criminal charges against him. From a technical viewpoint, there appears to be reasonable doubt.
John Doe
Recently, I was asked to perform a forensic investigation and to testify at a hearing for a young graduate student accused of hacking. I was engaged by the defense. The student, John Doe, completed his undergraduate work at a prestigious university far away from his home. After graduation, he returned home, worked for a year, and then started attending a local graduate school. His field of study was to prepare him for a profession that requires licensing.
John’s undergraduate school permitted him to continue using his computer account at that university to perform research and to receive and send email. At the time, use of the internet was not as prevalent as it is today. Internet service for home computers was not as readily available then as it is now. John either needed to use the internet to access his computer account or he had to incur costly long distance charges. From his experience, he knew that local universities normally permit students of other far away universities to «piggyback» on their computers to reach their own computer accounts when they are on vacation. For these schools, use of the internet is not a significant cost. John also knew the general procedure for doing this. A person wanting to «piggyback» did not have to log onto the local university’s computer. When a user dials the local modem number of the local university, the computer provides him with a front-end greeting. It then asks the user to login. By choosing the correct service, he can connect to any other computer serving on the internet without logging on to the local computer.
John’s graduate school, although closer to home than his undergraduate school, was still a long distance call from his home. Therefore, instead of using his own school’s computer to «piggyback,» he located a school closer to his home. Without asking their permission, he began to use their computer repeatedly, and exclusively for the purpose of communicating with the other computer. Apparently, this local university did not encourage visiting students to «piggyback.» Their own students could do this, but it was not anticipated that non-students would use their computers in this way. According to the university, a computer use fee is included in the tuition of all students. Non-students cannot use university computers in this way. They were unaware that their front-end permitted such use of their computers.
Earlier that year, the local university was experiencing problems with a hacker. Their computers used a UNIX operating system. At one point, they noticed that the log files were being deleted. The computer system administrators would restore the files only to find them deleted several days later. They began to notice extensive use of the finger command by a user no longer employed by the university. Administrators found certain programs on their computer that were obviously used to provide ordinary users w