Computer Hacking
Review of 'Who's reading your E-mail" by Richard Behars
The article exposes the vulnerability of computer data and of corporations
with the popularity of the Internet. The Internet can allow hackers access to
any computer in the world, with understated ease. Break-ins can go virtually
undetected
Major corporations and government security departments have acknowledged
that hacker break-ins are out of control. Some companies are too fearful to
join networks because of this. Software programs brought out to deal with the
growing problem, such as firewalls, are no longer totally effective. New
technology has been developed such as ''Pilot Network Services' (offering
supervised Internet access); 'Netranger' (a monitor device used by Pentagon)
and 'Encrypton' (software that jumbles messages).
The basics of computer security (using difficult passwords, and guarding of
data) are not being met in a disturbingly large number of American companies
surveyed. A new bill demands that system operators become responsible for
security. Hackers can be prosecuted (with subsequent heavy penalties) only if
the exposed company has actively shown that it was security conscious. Further
more, exposed companies are liable to other companies if their lack of
security precautions allowed their computer network to become an opening for
other company break-ins.
Companies are dis-inclined to report breaches in security as it denotes a
poor image and highlights their vulnerability. Clients demand security, and
lack of it will send them elsewhere.
Billions of dollars annually is spent on protection devices. Others are
utilizing the expertise of former convicted hackers to fine tune and update
their security features. It is a case of befriending the enemy in order to
learn more. These hackers come out of goal with a ready market for their
expertise, and great financial rewards.
The explosion of the Internet use, and networks around the world have
brought with it a need for greater security consciousness amongst its users
and systems operation managers. Technology needs to be constantly updated in
the war against the ever-growing insidious and malicious hacker.
Review of 'Hackers: Taking a byte out of computer crime' by W. Roush.
Roush discusses the changing face of computer crime with the advent of the
modem and stricter laws. The article touches on the effect these changes are
having on hackers themselves, and the measures that are put in place to deal
with the problem. It also explores the common ground which hackers and
computer security experts agree on.
In the 1960's the dictionary definition of a hacker was that of a
"computer virtuoso". Hackers comprised of young, computer literate
and rebellious gangs vying for the status symbol image and thrill of breaking
into a computer network.
This all changed with the popularity of the modem and an increasing number
of computer users. The number of hackers exploded and thus the image of being
a hacker became passe. The tougher security measures put in place, combined
with more stringent laws (including imprisonment) had the effect of weeding
out all but the keenest of hackers, and the most malicious.
Firms and security enforcers are now dealing with elite hackers whose
intent is now focused on sinister revenge, malicious damage, political and
defense corruption; and monetary greed. The cost of these types of computer
crimes could run into the billions, but an accurate measure is unavailable.
This is due either to the reluctance of corporations to report any break-ins
(because they may feel guilty about their lax security), or because the
information systems are so massive that the scale of corruption may be too
difficult to detect.
There are also a select few who choose to label themselves as hackers with
moral ethics. These second types of hacker prevalent today are assisting
companies and law enforcers in the fight against dangerous hackers in a number
of ways. These include holding hacker conventions and on-line information
services to inform the public of new security risks, as well as being employed
by corporations to break into their systems in order to secure and refine
them. These hackers love computers and are motivated by the anger and
frustration they feel at the prevailing laxity of security measures in place.
Despite this level of co-operation there remains an inherent distrustful fear
between the two camps. Fear is also a motivating factor for corporations in
refusing to join networks, allocating enormous funds for security measures;
restricting access to information; and utilizing passwords to deter alien
entry.
Hacking crime is now far more sophisticated, varied and costly to society.
There is a need to continue to work with ethical hackers in the battle for
safety and order, otherwise we face an increasingly monitored future and a
reduction in the freedom of computer use.
Review of 'The United States Vs Craig Neidorf' by D. Denning.
This article initially focuses on the US indictment of Neidorf, a student
who started an Internet publication, 'Phrack'. This publication was accused by
the United States government of being a fraudulent scheme devised by Nied and
others to steal sensitive documents and make them freely available to the
public. The court case was centered on an article about the countries E99
emergency system, and how he managed to fraudulently obtain a highly sensitive
document which was then published with the intent to disrupt or halt all
services.
The author had taken a keen interest in the case due to the implications it
had on threats against freedom of the electronic press. The Electronic
Frontier Foundation (EFF) was founded with just this concern. It helps to
raise public awareness about civil liberties issues and works to preserve and
protect the constitutional rights with the electronic media.
Denning was sought by Neidorf to assist in the case an expert witness and
to provide evidence throughout the trial. The government dropped the charges
after 4 days and it was declared a mistrial. It cost Neidorf $100,000, but
potentially he stood to spend 65 years in goal.
Neidorf's case was argued that while Phrack may have seemed to promote
illegal hacking, the public itself was not illegal. It advises readers not to
engage in any intentional damage or harm. The purpose of Phrack was the free
exchange of information as covered by the First Amendment of Constitutional
Law and Civil Liberties. Neidorf actively co-operated with the government
agents in every way prior the indictment. Furthermore, it was found that the
supposed sensitive document (E911) was readily available elsewhere. There was
nothing in Phrack that couldn't be found in any other published books or
journals. In addition, Neidorf argued that if the E911 text had been a
sensitive document, it certainly was not treated or secured as such by
Bellcorp.
Denning questions the rights of government to seize documents and computer
ware for extended periods, causing severe disruption, without appropriate
court orders; and makes suggestions to rectify the process. The
responsibilities of system operators are also called into question. They
should take greater care from unauthorized break-ins, as they may be
vulnerable to lawsuits if accused of taking inadequate protection. Denning
also suggests an update of the current law, to bring it more into line with
the UK Computer Misuse Act of 1990. There is an acknowledgement of a new
threat emerging where computer criminals, as opposed to juvenile hackers, are
potentially capable of industrial espionage and damaging infrastructures.
There is also a final suggestion that the teaching of computer ethics could
decrease the incidence of hacking.
A Compilation of Viewpoints.
The articles written by Roush, Denning and Behar, as summarized earlier,
have many common themes. Issues about hackers, the Internet, on line
publications, invasions, security measures, and current laws are discussed
within varying frameworks.
Denning's article approaches the topics through the lens of a court case
involving Neidorf, a law student and the publisher of Phrack (an Internet
billboard). The case highlights that there is a fine but distinct line between
the right for freedom of information, and the unauthorized theft and use of
it. In a subtle way, Denning also distinguishes between the two prevalent
types of hacker.
Roush's article focuses primarily on the history and changing profile of
today's hacker, and their interaction with companies and corporations.
Behar discusses vulnerabilities via networks and the various measures
available to prevent or circumnavigate invasions.
All authors agree that the profile of hackers has changed since the early
computer heydays of the 1980's. Juveniles who hacked for the thrill of it have
been replaced by two distinct types of hackers. The first is the hacker with a
self-professed personal code of moral ethics. These hackers invade networks,
not only for the challenge, but to make the public aware of weak security
links. They abhor lax security measures and feel justified in their actions,
claiming a superior authority by publishing their exploits. Neidorf's case
inadvertedly alluded to this, and the other articles pointed to ethical
hackers who assist companies, or start security firms utilizing their
expertise. These hackers are acknowledged by non-hackers with a reluctant
acceptance. The second comprises of an elite number of hackers focused on
malicious intent and greed.
The issue of on-line publications and information networks were discussed
in different perspectives. All authors agree that the abundance of information
and interaction available on- line is beneficial. Denning's article may
suggest inadvertedly that there is a distinction between freedom of
information and the moral overtones of freedom of publication. In Neidors case
there was a clear distinction, according to the law. All agree that being
on-line to a network leaves your system vulnerable to exposure by hackers from
anywhere in the world.
The laws and penalties were discussed at length in Denning's article, with
suggestions for improvements. Roush and Behar pointed out that convicted
hackers had a lucrative ready made market for their expertise when they ended
their prison term - being paid to assist corporations by breaking into their
systems. They all agreed that prison sentences had deterred a large number of
juvenile thrill seekers, and mature hackers.
Roush and Behar discuss the enormous, yet understated cost of company
computer invasions. They point out the reluctance of those victims to report
occurrences because of embarrassment, and the loss of trust client's feel with
their security measures. They also suggest that invasions are understated
because many companies do not even realize they have been corrupted. Hacking
is very much out of control. Denning'' article indirectly showed how easily
sensitive information could be extrapolated from a system. All articles show
those hackers with strong social skills and graces can charm the information
out of a beguiled or proud computer owner/manager.
Lastly, all the articles discussed the important overall theme of security
measures. Roush and Behar point out that the most basic of measures, use of a
difficult password, was sadly lacking in many companies surveyed. Dennings
article features heavily on the inference of sensitive data, but the hypocrisy
of BellSouth's not adequately securing it. Behar extends into great detail
about the effectiveness of security measures available, and the acceptance and
use of them. All agree that system operator managers are being forced legally
to take more responsibility in their security measures.
In Conclusion
The articles demonstrate from different perspectives the growing problem
associated with the rapid rise in computer networks. The media provides us
with further revelations on the matter. There is no doubt that the inherent
psychology of human behavior determines that there will always be those whose
intellectual and technological pursuits will find an outlet in those of
computer intrusions. If convicted computer hackers are able to successfully
utilize their same skills in a more productive manner, then perhaps we are
missing the point altogether. Hackers need a suitable outlet for their
expertise and instincts for challenge. Perhaps we should be looking at ways to
channel that enthusiasm appropriately, before they discover the evil path.
In addition, perhaps the advent of the hackers is a blessing in disguise.
If the articles stated research lends us to believe that many companies are
lax in their responsibility to security measures then perhaps an intrusion
followed by a court case is what is required to make managers sit up, take
notice and take action. I am not suggesting the issue is open and clear cut.
The advent of continuous new technology demands continuous changes within
society, and new approaches. There are at least two ways to resolve the hacker
problem: deal with it as it is encountered; or take a different and proactive
approach. Either way, it is largely determined by our innovation and
motivation, just as it is with budding hackers, really!
References
Roush, W. (1995). 'Hackers: Taking a byte out of computer crime' in
Technology Review, April, pp. 32-40.
Denning, D. E. (1991). 'The United States Vs Craig Neidorf' in
Communications of the ACM, 34, 3, 1991, pp. 24-32.
Behar, R. 'Who's Reading Your E-mail?' in Time, February 3, 1997, pp.
64-67.
|
