Computer Terrorism : What are the risks
Chapter 2: Computer criminality
Introduction
The goal of this chapter is to draw the reader's attention to the extent
of the phenomenon of computer criminality, as well as our vulnerability
to these attacks.
Definition
Computer criminality is a large field whose borders are not always easy
to define. Each country has different legislation on this subject and
has reacted more or less quickly to the problem. In Europe, Sweden was
the precursor, instituting a law in 1973 which regarded the unauthorized
acquisition of stored data as a crime [LAB90_1],
whereas the Netherlands did not regard intrusion (without damage)
into a computer as a crime until after 1990 [LAB90_4].
David L Carter, professor at the Department of Criminal Justice of the
University of Michigan, proposes a classification of computer criminality
[CARTER92].
1. The computer as the target
This category includes actions such as:
- Theft of information (confidential data about new products, customer
lists...)
- Blackmail, based upon information obtained by the theft of computer
files (medical information...)
- Sabotage of data or of the system
- Unauthorized access to the files of the authorities to modify data
(criminal records, driving license...)
- Techno-vandalism (destruction of data without a precise goal)
- Browsing (intrusion into a system just for the pleasure of being there,
without the intention of stealing anything)
2. The computer as the tool of a conventional crime
This category includes the cases where the computer facilitates
the work of the criminals, but is not essential to their activities.
- Embezzling
- Murder by modifying a patient's drug proportions in a hospital.
- Servers providing illegal data (child pornography...)
3. The computer generates new types of crimes
This category includes "traditional" crimes
adapted to the computer.
- Software piracy
- Hardware counterfeiting
This classification is not exhaustive. In what follows, I will concentrate
on the first two categories.
Hacking
Definition
Hacking is the activity of a hacker. The meanings given to the
word hacker vary widely. Basically, a hacker is a person who enjoys
exploring a programmable system in detail and who seeks to extend his
knowledge of the field as far as possible. Currently, the term is
generally used to designate people who break into computer systems
illegally [STERLING92].
In this document the term hacker is used in this last sense, which also
covers phreaking (telephone hacking), since the two activities are very
close.
Introduction
The goal of this chapter on hacking is to discuss some cases that show
the incredible vulnerability of computer systems. A study carried out
in 1992 by USA Research Inc showed that the number of intrusions into
computer systems in the United States had grown from 339,000 in 1989
to 684,000 in 1991 [ROUSH92]. These
numbers must be interpreted carefully, because very few cases are actually
reported to the authorities. The NCCS estimates that less than 10% of
break-ins are reported [ICOVE95].
Companies that fall victim to hackers do not want the bad publicity that
comes from acknowledging their weaknesses.
Some cases
Witness Protection Program
In the Eighties, a hacker called Michael Sinergy penetrated the computer
system of the national credit agency (TRW), which holds financial information
on nearly 80 million Americans. Michael's aim was to consult the file
of President Ronald Reagan. He found the file that he was looking
for and saw that 63 other people had consulted the same information the same
day. He also noticed a group of 700 people who seemed to hold the same
credit card and whose account history was strange. They seemed not to
have a past. He realized that he was doubtless looking at the credit
history, as well as the names and addresses, of people who were
in the Government witness protection program. As a good citizen, he
quickly warned the FBI of this potential security hole in their protection
program [CLOUGH93].
ATM
In France, a hacker found a means of remotely reprogramming the
rates of exchange of an ATM (Automated Teller Machine). He gave himself,
for example, a rate of exchange of 5 dollars for 1 franc and changed
100 francs. He then carried out the opposite operation, setting the rate
of exchange to 5 francs for 1 dollar, and went back to change his dollars,
thus receiving 2500 francs! [BLANCH95]
Embezzlement
In 1988, seven criminals carried out an embezzlement at the First National
Bank of Chicago. They transferred 70 million dollars belonging to 3 large
companies to an account in a New York bank, then, from there, to two
banks in Vienna. The transfers were ordered by telephone. The bank called
its customers to request confirmation of the transfers, but the calls were
diverted to the residence of one of the criminals. The affected companies
quickly discovered the embezzlement and an investigation was opened. With
the help of the records of the confirmation calls, the investigators arrested
the seven criminals before they could escape. [ICOVE95]
Fry Guy was a 17-year-old hacker living in Indiana (USA). In 1989,
he became a master in the art of controlling the network of the local
telephone company and found an easy means of getting a little pocket money.
He contacted a tradesman, telling him that he was an employee of a credit
card company, and was able to make him give his customer number
and his password. With this information, Fry Guy connected
to the computer of the credit company to find the list of the tradesman's
customers. He then selected a "quite rich" customer and wrote down
his telephone number and his credit card number.
He diverted the telephone line of his victim to a telephone booth in the
small town of Paducah, and the line of the booth to one of his own
telephones. He called a bank to make a transfer to its Paducah branch,
debiting the card of his victim. The bank called back to request
confirmation of the transfer and it was he who answered. He then only had
to restore both telephone lines and go collect the money [CLOUGH93].
Phreaking
Phreaking is the action of pirating telephone networks. This activity
is related to computer hacking because hackers have to spend long hours
trying to connect by modem to the computers they have chosen
as targets. This can become very expensive. It is for this reason that
the majority of hackers are also phreakers. Moreover, since
modern telephone exchanges are computers, hacking the telephone network
is very close to hacking a "traditional" computer.
The first recorded case of phreaking occurred in 1961 and the first article
on this subject was written in 1971 in Esquire magazine. At that time,
phreaking was an activity primarily practiced by blind men who used the
telephone as a means of breaking their isolation. To speak to each other,
they used the test lines used for system maintenance. These test lines
are characterized by the fact that each end has its own telephone number
assigned to it, so it is easy for two people, agreeing in advance
on which line to use, to each call one of the ends and be in contact
for free.
Gradually, the techniques improved and it became possible for hackers
to use all the functionalities of the network. With the "blue box",
a device able to generate command
dial tones, it became possible for phreakers to control the network
as easily as an employee of the telephone company. [CLOUGH93]
Motivations and ethics
Many hackers explore computer systems out of simple curiosity and for the
intellectual challenge. "True" hackers have an ethical code
prohibiting the destruction of any information. However, the bad guys
understood that they could use this particular knowledge to gain advantages.
The most classic case is the theft of credit card numbers, but some of
them found more original means, such as the hacker who mastered telephone
hacking and won games organized by radio stations: he blocked
all the phone calls of the listeners and was thus the first one to
call the radio station and win the prize!
A much more serious hacker was Karl Koch, a member of the famous Chaos
Computer Club, who pirated American sites on behalf of the KGB, providing
them with various programs, password lists etc. [CLOUGH93]
He did not act out of ideology but rather for money (he was a drug addict)
and also to practice his favorite pastime: hacking!
Dr. Frederick B Cohen proposes a list of motivations [COHEN95]
which can lead people to enter the world of computer criminality.
The most banal motivation is money (see the two previous
examples).
For the challenge, or to obtain a certain social recognition
(and to be able to become part of a group), a young hacker must always go
further. Dr. Cohen cites the case of a German club which requires its
new members to create a new virus as a membership fee.
The revenge of a laid-off employee is often the reason for the destruction
of data and even hardware!
In a related field, we find self-defense. For example, take a
programmer who introduces a logic bomb into his program in order to
ensure that he will be paid.
Sometimes the pursuit of economic advantage leads to the
use of illegal means to obtain a competitor's trade secrets. At the
end of the Cold War, new missions had to be found to justify
the enormous infrastructures of the intelligence services, and economic
intelligence became one of the priorities of these agencies. The degree of
involvement varies from one country to another. It would seem that the
French services, as well as the American ones, are very active in this
field, the French directly helping their companies by providing confidential
information and the Americans by discrediting competitors [GUISNEL95].
Viruses, Worms and Trojan horses
Definitions
A virus is a program that is able to reproduce in a computer, able to
infect other programs and, thus, able to be transmitted from one computer
to another, if we copy an infected program to another computer. If they
only reproduced, the viruses would not worry anybody. However, the problem
is that they can be programmed to be harmful; for example by erasing all
of the machine's data on a precise date.
A worm differs from a virus in that it transfers itself from one
computer to another through a network. The best known and most
devastating example is undoubtedly the ARPANET worm, which paralyzed the
network in 1988.
A Trojan horse is a program which is not what
it seems to be. For example, let's say you receive by (snail) mail an
advertisement in the form of a floppy disk featuring the demonstration
version of new word processing software. If, in addition to being a word
processing program, its programmer decided to make it seek the list of all
the applications on your computer and erase all other word processing
software, it is a Trojan horse. Behind the appearance of honest software
hides a perfidious program! It is also possible to use a Trojan horse to
introduce a virus onto a computer. In this last case, the "ideal" Trojan
horse is antivirus software that the user installs in all confidence
on his machine!
Examples
A C compiler as a Trojan horse
The C compiler designed by Ken Thompson and Dennis Ritchie with the aim
of rewriting the core of the UNIX system was a Trojan horse, since it
didn't just compile the desired program. If the program to be compiled
was the UNIX source code, the compiler modified the login function code
in order to introduce a back door, thereby allowing Ken and Dennis to
enter the system thanks to a default password.
As this back door could easily be seen during a review of the compiler's
source code, Thompson added a function to the compiler which detected
whether the program to be compiled was a C compiler, and if it was, added
the first Trojan horse to it. All that was left was for him to remove the
traces from the source code, and from then on the back door became
undetectable [COHEN93] [THOMP84].
This story was revealed in 1984 by Ken Thompson. We will never know if
it is true or not. However, he told it with the aim of making us aware
of the following:
We cannot trust code which we did
not completely write ourselves!
AIDS Information
In December 1989, 20,000 floppy disks containing AIDS information
software were sent to the four corners of the world, in packaging that
made it appear to come from the WHO. Upon execution of the program, the
usual license text is displayed, warning the user against fraudulent
use of the software and inviting him to pay for it. Generally,
nobody reads this text, but this time it would have been preferable to
have done so. The terms of the contract specified that in the
event of non-payment, measures would be taken against other software on
the computer! Many people quickly tested this software and, after a few
uses, the Trojan horse destroyed their files. We will never know the
exact extent of the damage [DORAN96].
ARPANET's worm
On November 2, 1988, Robert Morris Jr, a graduate of the University of
Harvard, released a worm on ARPANET. The
worm was transmitted from machine to machine by exploiting a bug in the
electronic mail system. As it reproduced, the worm saturated the
contaminated machines. Very quickly, all network communications were slowed
down considerably. The system administrators had no other choice but to
disconnect their machines from the network. The following day, the worm was
neutralized and it was the center of attention. The ARPANET network,
designed to be used for military communications in the event of nuclear
attack, "had been brought to its knees" by a simple program written by a
student! [CLOUGH93]
Human factor and human engineering
If there is a weak link in the computer security chain, it's man. The
majority of intrusions into password-protected computer systems are carried
out using dictionaries of commonly used terms. How many among us use, as an
ATM code or as a computer password, a date of birth (ours or that of
a close relation), a wife's name, our children's names, or banal terms like
"secret", "Star Trek", etc.? There are also employees who,
fearing to forget a complicated (and thus much more secure for the system)
password, write it on a bit of paper and stick it on the edge of their
computer screen!
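The weak choices listed above (common terms, dates of birth, names of relatives) can be rejected at the moment a password is chosen. The following is an added example, not part of the original text; the blocklist and personal terms are constructed sample data and the function names are hypothetical:

```python
import re
import unicodedata
from datetime import datetime

# Constructed sample blocklist; a real deployment would load a large list
# of common and previously breached passwords instead.
COMMON_TERMS = {"secret", "startrek", "password", "letmein", "qwerty"}
# Undo common character substitutions so "S3cr3t" is screened as "secret".
LEET = str.maketrans("013457@$", "oieastas")

def normalize(text):
    """Lower-case, strip accents, keep only ASCII letters and digits."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", text.lower())

def variants(candidate):
    """Forms of the candidate that a guessing dictionary would also cover."""
    low = candidate.lower()
    trimmed = re.sub(r"[^a-z]+$", "", low)  # drop a suffix such as "1" or "!"
    forms = {normalize(t) for base in (low, trimmed)
             for t in (base, base.translate(LEET))}
    return forms - {""}

def looks_like_date(candidate):
    """True if the candidate is nothing but a calendar date (e.g. a birthday)."""
    digits = re.sub(r"[-/. ]", "", candidate.strip())
    if not digits.isdigit():
        return False
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False

def screen_password(candidate, personal_terms=()):
    """Return the reasons a candidate is guessable; an empty list means it passed."""
    reasons, forms = [], variants(candidate)
    if forms & COMMON_TERMS:
        reasons.append("common term")
    if looks_like_date(candidate):
        reasons.append("date")
    # personal_terms: names and dates known about the user (assumed input)
    personal = {normalize(t) for t in personal_terms} - {""}
    if any(p in f for p in personal for f in forms):
        reasons.append("personal information")
    return reasons
```

Passing the user's own name, relatives' names and date of birth as `personal_terms` covers the cases the paragraph lists; the screening only complements, and does not replace, rate limiting of login attempts.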
The term "human engineering" (or social engineering)
refers to manipulating a person without
his knowledge, by pretending to be someone else and using psychology
and the appropriate jargon to make him naturally reveal information that he
holds. This is the technique used by Fry Guy in
one of the previous examples. It should not be believed that it was an
isolated case. During the research phase prior to writing this document,
I had the chance to notice many such cases, even in circles which should
be sensitized to the problems of security measures, such as the US army.
Matthew G. Devost quotes the example of Susan, a hacker [DEVOST1]:
As Susan later told the story, a team of military brass...from three
services sat at a long conference table with a computer terminal, a modem,
and a telephone. When Susan entered the room, they handed her a sealed
envelope containing the name of a computer system and told her to use any
abilities or resources that she had to get into that system. Without missing
a beat, she logged on to an easily accessible military computer directory
to find out where the system was. Once she found the system in the directory,
she could see what operating system it ran and the name of the officer
in charge of that machine. Next, she called the base and put her knowledge
of military terminology to work to find out who the commanding officer
was at the SCIF, a secret compartmentalized information facility. Oh yes,
Major Hastings. She was chatty, even kittenish. Casually, she told the
person she was talking to that she couldn't think of Major Hasting's secretary's
name. "Oh" came the reply. "You mean Specialist Buchanan."
With that, she called the data center and switching from nonchalant to
authoritative, said, "This is Specialist Buchanan calling on behalf
of Major Hastings. He's been trying to access his account on the system
and hasn't been able to get through and he'd like to know why" ...Within
twenty minutes she had what she later claimed was classified information
up on the screen. Susan argued "I don't care how many
millions of dollars you spend on hardware, if you don't have people trained
properly I'm going to get in if I want to get in."