Original Airdate: February 13, 2001
Updated: November 29, 2001
Produced and Directed by
NARRATOR: In the wake of the September 11th attacks, the anthrax scare, and threats of further terrorist actions, there is also something else the government is worried about: cyber terror.
TOM RIDGE, Secretary of Homeland Security: Protecting this infrastructure is critically important. Disrupt it, destroy it or shut it down, and you shut down america as we know it. This is an enormously difficult challenge because we must always remain one step ahead of the hackers.
NARRATOR: Tonight on FRONTLINE - They invade our computers.
UNIDENTIFIED VOICE hackers are a force to be reckoned with.
NARRATOR: They have shown just how vulnerable we really are.
NEWSCASTER: The giant auction site E-bay has been knocked out...
UNIDENTIFIED VOICE: We are at war, but we don╝t know who we are at war with yet.
NARRATOR: Are hackers the problem, or could they be the solution?
UNIDENTIFIED VOICE: They are seeing the dangers, they are seeing the vulnerability é and everyone wants to shoot the messenger.
NARRATOR: Correspondent Linden MacIntyre investigates hackers.
LINDEN MacINTYRE, FRONTLINE Correspondent: [voice-over] The last time I had a visit from burglars, they broke down a door. This time all it took was an email, one of billions that flash through homes and offices like mine each day. This one put a bug in my computer. It could have caused disaster.
Miles away, a former policeman had agreed to demonstrate an elementary and quite illegal hacking technique.
RENE HAMEL: At the other end now they've got a little box there that says, "We own your system."
LINDEN MacINTYRE: [on-camera] And do you?
RENE HAMEL: Yes. Yes.
LINDEN MacINTYRE: My computer? You own my computer?
RENE HAMEL: That's right.
LINDEN MacINTYRE: Now, if you're a bad guy, what are you going to do with it?
RENE HAMEL: I'm going to go and have a look at what you have in your file system here.
LINDEN MacINTYRE: Really?
RENE HAMEL: Yeah.
LINDEN MacINTYRE: [voice-over] Rene Hamel works for the accounting firm KPMG, breaking into clients' computers to reveal their weaknesses. The work is depressingly easy.
[on-camera] Look at this!
RENE HAMEL: There you go. So there's your document. And I can modify it. The hijack- it's a plug-in, basically, that enables me to take over your mouse and the keyboard. See that little red dot there?
LINDEN MacINTYRE: Yeah.
RENE HAMEL: OK, that's moving the cursor on your screen right now.
LINDEN MacINTYRE: [voice-over] An invisible intruder in an empty room explores an appliance as sensitive as a filing cabinet, as private as a diary, using technology available to anybody.
[on-camera] Now, how sophisticated is the software or the- whatever you've done here? I mean, or-
RENE HAMEL: This is free software on the Net that-
LINDEN MacINTYRE: [voice-over] Free software. Hackers are nothing if not generous. In fact, anybody can become a hacker just by visiting their Web sites and downloading available versions of a device called a Trojan horse, like Back Orifice, then load it into a greeting card or a popular computer game, like the one he sent to me by email.
RENE HAMEL: It's a fun program.
LINDEN MacINTYRE: [on-camera] Yeah. A little game I can play.
RENE HAMEL: And while you're doing this, the virus is getting installed in the background, and you're infected.
LINDEN MacINTYRE: [voice-over] Hacking often looks and sounds like mischief, but for Daniel Sieberg, a hacking incident had the psychological impact of a physical assault.
DANIEL SIEBERG: I was working on an essay for school, a graduate essay about women on the Internet. So I poured myself some wine and I sat down at the computer, and I was basically doing some research and surfing through a number of sites to check this out.
LINDEN MacINTYRE: They included porn sites, the most controversial - and popular - destinations on the Internet. As he watched, he didn't know that he was being watched by a cyber-vigilante, who decided to express his disapproval.
DANIEL SIEBERG: The words just started typing in. It said, "I can see what you're doing." I just thought it was either a really clever advertisement or another program that I'd accidentally downloaded from a site or something that had popped up. It really didn't hit me until I saw my Windows password come up in the chat box. At that point, I started to panic. I just wanted him out of there.
LINDEN MacINTYRE: He was a victim of that outlaw program, Back Orifice, a few lines of program code created by a group that includes these two elite hackers.
REID FLEMING, Hacker: And in fact, you have more control over that machine than the person sitting at the keyboard because we expose more power through the Back Orifice tool than the Windows 98 Desktop does.
LINDEN MacINTYRE: So much power that it made Daniel Sieberg's computer speak to him. This is the actual message that left in his system.
COMPUTER RECORDING: Good day. I'm a friendly hacker, and I live in Australia. Doesn't frighten the shit out of you that I can get into your computer and send you a sound wave like this. Well, you don't have to worry. I won't do anything wrong. But you better be a good boy or a good girl and not look at any dirty pictures because if you do, I'll know what you are doing and I can see it, too. I'll catch up with you again. Have a nice day. Bye.
DANIEL SIEBERG: At the time, I had an anti-virus- I had Norton anti-virus running, and he disabled that. And he was nice enough to tell me, "I've disabled Norton anti-virus. You're going to have to get another version and upgrade it."
In a sense, he was scolding me for, you know, having these outdated programs. I was not diligent enough to keep updating my, you know, firewalls and security programs. And people think they have this sense of comfort and security when they're on line, and it just totally blew that out of the water for me.
REID FLEMING: The Internet itself, you know, it was constructed with this idea that we were all going to be nice to each other. And all of the standards and all the protocols assume, basically, that no one is going to lie or cheat or steal.
LINDEN MacINTYRE: A lawyer named Mari Frank created this Web site after somebody stole her identity, a crime that now affects more than half a million Americans a year.
MARI FRANK, Identitytheft.com: I got a phone call from a bank that I'd never heard of, and they said, "Is this Mari Frank?" And I said yes. And the woman said, "Well, this is the Bank of New York in Delaware, and we want to know why you haven't paid your $11,000 bill to us." And I said, "I'm sorry. I'm running out now. You have the wrong name, the wrong number. I don't know who you are. I've got to go."
And the woman said, "Wait a minute. Is this your Social Security number and your birth date?" And of course, then, by that time, I started to get worried. And I said, "What are you looking at?" She said, "Well, I'm looking at your credit report."
LINDEN MacINTYRE: The thief was caught and sent to jail, but that wasn't the end of Mari's troubles.
MARI FRANK: I found there was over $50,000 worth of credit that was stolen in my name. This woman had purchased a red convertible Mustang in my name, as well. She had gotten credit cards so she could rent a car, total it, and I was being sued by Thrifty Rental Car.
LINDEN MacINTYRE: [on-camera] It's hard to imagine that anybody really foresaw how easy it would be to get into a computer or how, once inside, it becomes virtually possible to reach out and touch just about anything in the world. Of course, the flip side is that just about anybody in the world can reach back into your life through a computer that comes with tens of thousands of open access points, a machine connected to hundreds of millions of other machines, or how, when we leave the machine running, as we are more and more inclined to do, we increasingly expose ourselves to global snooping.
In the global village, personal privacy has become the privacy of a medieval hamlet, where everybody potentially knows everything about everybody else.
[voice-over] Not surprisingly, computer security experts are in big demand now. Kirk Bailey works for the Frank Russell Company, managers of $63 billion in clients' assets. In his personal life, he avoids the Internet like a plague zone.
KIRK BAILEY: I don't participate or have connectivity in the Internet at home. It's just something I've chosen not to do.
LINDEN MacINTYRE: If he ever needed proof of his personal vulnerability, he got it when he challenged some fellow security experts to build a file on him. Starting from Internet sources available on line, they were able to gather the elements of a virtual identity.
[on-camera] What sort of stuff did they find out about you?
KIRK BAILEY: It was a remarkable cache of information. Real quickly, the most damaging document was a certified copy of my birth certificate. This is an illegal document that can be used for the purposes of identifying myself. A complete colored copy of my college transcripts with the embossed seal from the university. From online they gathered a complete listing of on-line court documents that are related to me, everything from my dissolution of marriage documents to a failed business that was out there- information there.
I think the average citizen would be amazed at the thin veneer of control that really exists for their privacy.
TELEVISION COMMERCIAL: Global crossing. It's what happens when the most robust global network meets the richest content to take your business anywhere on the planet.
KIRK BAILEY: The engines of mass media and all the vendor marketing people have created this enormous impression on the general public that this is a necessity for you to be successful. It's the way to become rich. It's the way to become educated. Your whole future is based on it. There's this whole sense of anxiety about not being there and the pleasures of being there. The untold story is a bigger story, and that is this technology cannot be secured. And that's a fact.
LINDEN MacINTYRE: Just charting the connections between security and cyber-crime has become a full-time job for specialists like Richard Power of the Computer Security Institute in San Francisco. He's written a book about recent computer crimes, including a raid on the giant Citibank.
RICHARD POWER, Computer Security Institute: Nobody wants to talk about the Citibank case much because the bankers don't want you to think about problems with on-line banking. And the Internet, the dot-com companies, don't want you to think about the consequences of cyber-crime. But there it is.
LINDEN MacINTYRE: Whether the bankers like it or not, the Citibank case has made it into the hackers' hall of fame. And Vladimir Levin has entered hacker history as the first digital bank robber. Levin pulled off a $10 million heist without leaving his apartment in St. Petersburg, Russia. He used his computer and international telecommunications to raid Citibank accounts around the world.
[www.pbs.org: Examine cyber-crimes of the '90s]
RICHARD POWER: Early on in the evolution of things, this wasn't even an Internet crime. This was just a dial-in. You called up with your telephone, and you made transactions from your- to and from your account. And these systems were compromised early on, before the Internet. That kind of activity on the Internet, I suggest, is even easier, not harder.
LINDEN MacINTYRE: These are credit card numbers. Last year, thousands of them turned up on the Web site of a hacker named "Curador." They were clearly stolen, but it seemed the thief wasn't using them, just showing them off- a little hacker humor.
But it wasn't funny here, at the FBI's National Infrastructure Protection Center in Washington. They soon wanted to know badly who Curador was.
MICHAEL VATIS, FBI National Infrastructure Protection Center: Curador was someone who was able to hack into systems and steal, I believe, in the vicinity of 26,000 credit card numbers. That's a significant crime there, obviously, and he did it in many different countries.
LINDEN MacINTYRE: Curador was casting a shadow over the credibility of e-commerce and threatening the survival of a lot of companies, including a little firm in Buffalo, New York, called SalesGate. Owner Chris Keller.
CHRIS KELLER, Former Owner, SalesGate: My initial reaction was, like, "Oh, that's ridiculous. It's impossible." You know, we had- we had things set up and things in place so that that kind of thing would never happen.
LINDEN MacINTYRE: But it did happen.
CHRIS KELLER: We checked our server logs and found that we did have an incident that had gone undiscovered. So we immediately started searching the Net for this particular individual. And with the help of a security team in Canada, we he actually uncovered one of his Web sites.
LINDEN MacINTYRE: Chris Davis was actually a security consultant and ex-hacker from Ottawa, Canada, who'd started tracking the cocky Curador independently.
CHRIS DAVIS: He just thought very, very highly of what it was that he was doing. And really, in the sort of the hacker community, it's considered, you know, sort of absolutely no-skill kind of stuff. I mean, it's what we term as "script kiddy" stuff, which means that, you know, you just download an application off the Internet, and you run that application. It does everything for you.
LINDEN MacINTYRE: Curador was openly bragging about his achievement to anybody who wanted to listen.
LINDEN MacINTYRE: One of the people listening was Chris Davis, thanks to the Internet.
**INTERVIEWER: Curador said he likes to compare himself to the main character in the movie "The Saint."
"CURADOR": Basically. it's my delusions of grandeur coming into full view.
INTERVIEWER: You've got potentially several law enforcement agencies in several countries tracking you.
"CURADOR": Yeah, that doesn't concern me at all. They couldn't hack their way out of a wet paper bag, law enforcement.
LINDEN MacINTYRE: But Davis tracked him, following electronic footprints around the world without leaving his computer terminal. And he caught him and notified the FBI.
CHRIS DAVIS: You know, the bragging got to me. I just wanted to say, "OK, look, you're really not this good. You're not as good as you think you are. I know- I'm, you know, guessing. I have a really good idea how you're doing this." From looking at the log, I was able to trace back what Internet service provider it was he was using in the U.K.
LINDEN MacINTYRE: U.K. headquarters for the villain Curador turned out to be a bedroom in rural Wales littered with broken computers and New Age books, pop cans and ashtrays, and a TV set where twice a day a bored teenager indulges an addiction to reruns of the '60s spy series The Saint.
"Curador" is Raphael Gray, 18 years old. He's been getting a lot of visitors lately, ever since Chris Davis blew his cover.
[on-camera] Is this your first trip back here?
CHRIS DAVIS: Oh, yeah. This is fascinating, driving on the wrong side of the road.
LINDEN MacINTYRE: Yes, I'm fascinated. There we are- Clunderwen.
CHRIS DAVIS: Clunderwen, yeah.
LINDEN MacINTYRE: Clunderwen.
CHRIS DAVIS: Yeah. Interesting.
LINDEN MacINTYRE: [voice-over] Davis, the ex-hacker, was keen to meet him.
[on-camera] This your room?
LINDEN MacINTYRE: [voice-over] He's remarkably friendly, considering that just weeks earlier he'd opened the door to be swarmed by a squad of police officers and an FBI agent.
"CURADOR": And all in all, there was, like, 10 of us in this room, all crowded 'round. But there was less floor space in here than there is now, a lot less. So they were all crammed in here. Four of them were plainclothes, and there was one guy wearing a sort of gray trenchcoat, looking very disheveled, unshaven. He seriously looked like he had some jet lag. So I figured-
CHRIS DAVIS: I'm guessing that's FBI, huh?
"CURADOR": Yeah, that was confirmed later on. He wouldn't admit it to begin with. He claimed to be a Welsh police officer with a strong accent.
LINDEN MacINTYRE: [voice-over] They carted Curador off to the nearby town of Tenby, charged him with computer crimes. His case is currently in the courts. Raphael sees himself as a fairly typical hacker, not so much a crook as a nuisance.
"CURADOR": I think, obviously, I'm just a very nosy person. I'm like your nosy neighbor on steroids, basically.
LINDEN MacINTYRE: They are explorers, tirelessly travelling, fueled on caffeine, looking in cyber-windows, trying cyber-doorknobs because they're bored, or just because they can.
"CURADOR": Theres a lot of adrenaline, if nothing else, while you're trying to track it down. I sometimes, you know, spend two days solidly trying to do something without sleep, without anything, just constantly trying to do it. And when you finally get through, the relief is not just from the fact you've got in, but now you can sleep. Your body is just literally crying out in relief from every possible avenue.
LINDEN MacINTYRE: Bored boys once threw stones at empty warehouse windows, spray-painted public monuments. Now they're in cyberspace, making public mischief that they claim serves useful public purposes.
[on-camera] You didn't break in there just to show the world how stupid and sloppy these people were. What were you really after?
"CURADOR": The whole point of it was the message.
LINDEN MacINTYRE: And the message was?
"CURADOR": There are a lot of people out there who won't even safeguard their own safety, let alone the safety of their customers, you know?
LINDEN MacINTYRE: [voice-over] They're thumbing their noses at technology, some say, just to get attention. And they're getting it from some of the most influential people in Washington, who aren't buying the line about the social value of the pranks.
MARTHA STANSELL-GAMM, Head of Computer Crime, Justice Dept.: It seems to me that thanking hackers who violate the privacy of networks or network users for pointing out to us our vulnerabilities is a little bit like sending thank-you notes to burglars for pointing out the infirmity of our physical alarms. That's- that's silly.
LINDEN MacINTYRE: [on-camera] How do you credibly quantify this problem that we're talking about, this vulnerability through Internet?
MARTHA STANSELL-GAMM: It's big. It's deep. It's wide. It has many facets.
LINDEN MacINTYRE: [voice-over] And it now has structure, complete with conventions for the very unconventional. They are the newest counter-culture, challenging the power of industry giants like Microsoft, with a language as impenetrable to outsiders as their sense of humor.
**CONFERENCE SPEAKER: The other thing it lets you do, which always just seemed an obvious thing to me, is when Window machines start up, they send out a package that says, "Hey, I'd like to use this game. Is that OK with everybody?" So one of the other things my program does is say "No!" [laughter, cheers]
LINDEN MacINTYRE: But are they really delinquents? Their interests seem to be maturing from hardware and sophisticated program codes to, perhaps, another kind of code.
**ROBERT STEELE, Security Expert, Former CIA Agent: We have to create a network ethics that is institutionalized by law.
LINDEN MacINTYRE: Robert Steele used to work for the CIA. Now he's an information security specialist, and the hackers asked him to come and talk to them about a code of ethics.
**ROBERT STEELE: Why is ethics important? Ethics is about building for the common good. Ethics is about establishing due diligence standards, so that when you buy a car, the bolts on the wheels are actually screwed on. Bill Gates is selling computers without wheels. They crash a lot.
Food is regulated. Automobile safety is regulated. People need licenses to cut your hair. There are no licenses required to write software. There are no standards of documentation or testing or certification for software. So in essence, our entire digital society now is based on software built by people we don't know, who have no licenses, who have no quality control, who are not legally liable if their software causes the destruction of our business. That's scary.
LINDEN MacINTYRE: At Microsoft, the head of security disagrees. Howard Schmidt says that, for the most part, software needs less regulation than other businesses.
[on-camera] If I buy a cigarette lighter, it's going to have a little stamp on the bottom of it, you know, approved by some regulatory standards-setting agency. Yet I can buy software that'll control my life, and it doesn't have to have that.
HOWARD SCHMIDT: Yeah, that's correct. And software obviously used for different reasons, whether you're sitting home, as I do with my son, and software's just installed to play some games, the level of security built into that would be far different than what we need to run an enterprise or a business on. And those are the standards that we're looking at now and trying to come up with to identify what are the core processes in place that identify what security standards would be.
I think there's little likelihood that the government's going to mandate things. They have been very good about saying that "We will stay out of the business things. Let the market forces drive this, as long as it doesn't compromise national security and the economic structure of the country."
LINDEN MacINTYRE: [voice-over] But for people who live a large part of their lives on the Internet, regulation is essential for integrity, and they're committed to keeping companies like Microsoft publicly accountable for their products.
ROBERT STEELE, Security Expert, Former CIA Agent: These young people have a gift for finding holes in computer and communications systems. They have a gift for telling us that the emperor is naked and has no clothes.
LINDEN MacINTYRE: They clothe serious messages in the gaudy fabrics of their generation, but the point is clear: The software industry encourages a culture of convenience that is endangering personal privacy and public security.
This group of hackers calls itself Cult of the Dead Cow. They created the Back Orifice program to illustrate that point.
REID FLEMING, Hacker: I think for us, the motivation for releasing Back Orifice was that Microsoft has the world's most popular operating systems, installed on 90 percent of the computers in the world - or at least the desktop computers - and those people are being encouraged, urged to take those computers and plug them into the Internet.
Unfortunately, those people are wide open to attack of various kinds. We thought we would be serving the community best by demonstrating that we could easily write a tool that would take advantage of that and as an existence proof for the ability to do that.
"COUNT ZERO", Hacker: You think there's downtime now when your desktop computer crashes, just wait until the future, if we don't get it right and your entire house crashes for a week, and you can't talk, you can't communicate, you can't do anything.
Ultimately, everything becomes computerized. You know, your refrigerator will tell your watch that you need milk, so when you're in the car and you drive by a store and the store has a sale on milk, it'll tell your watch, which will then speak to you and say, "Hey, why don't you go pick up some milk? It's on sale there, and you need it at home."
And all of this will be part of a global conversation that happens in this digital world. And that's another reason why I'm just very- I'm very concerned that we make sure we get it right in terms of the security.
LINDEN MacINTYRE: Even Microsoft agrees, up to a point. The problem really lies in the public obsession with convenience, which makes security more difficult. Steven Lipner is a senior security analyst for the company.
STEVEN B. LIPNER, Microsoft Senior Security Analyst: In a prior job in another company, I built what the U.S. government called an "A1" system, a system that was as secure as the U.S. Defense Department knew how to make it, OK? And we put years and millions of dollars into doing that. And then at the end of that development project, I made the decision to cancel it because nobody wanted to buy it, OK?
LINDEN MacINTYRE: [on-camera] The moral of the story being?
STEVEN B. LIPNER: The moral of the story being that usability, flexibility, security are a set of trade-offs, and customers don't want systems that are so secure that they can't use them.
LINDEN MacINTYRE: [voice-over] For all its mysteries, the computer is the ultimate in user-friendliness. A Microsoft commercial celebrates the virtue of simplicity. Unfortunately, not all users are as virtuous as Microsoft would hope.
**NEWSCASTER: And last year when police rounded up the Filipino students suspected of having created the I Love You virus, they found there was no law to prosecute.
NEWSCASTER: From British Parliamentarians faced with an "I Love You" headline to the Pentagon, White House and FBI-
PENTAGON SPOKESMAN: Well, first of all, we do not love the Love Bug virus.
LINDEN MacINTYRE: The virus affected an estimated 45 million computer users and cost billions. It became a plague because of an inherent weaknesses in another Microsoft product.
"COUNT ZERO": We take it for granted that you have to be afraid when you're- when you get an attachment. You have to be afraid to figure out where it came from- "I'm afraid to click on this," you know? "Is it worth it to open this spreadsheet where I might blow up my computer?"
I mean, if you got in your automobile and every day it would stall several times, and there was no way to lock it, there was no way to lock your car, I mean, you would be really mad and furious at the car manufacturer for not putting locks in there,
LINDEN MacINTYRE: And so we are witnessing the emergence of a powerful dynamic, hackers dedicated to discovering weaknesses in commercial systems, weaknesses that they discover with disconcerting ease and often illustrate with cyber-mischief, software manufacturers racing to keep up with the hackers and their discoveries, developing remedies that are, revealingly, called "patches," making them available for easy application by their customers.
STEVEN B. LIPNER, Microsoft Senior Security Analyst: We'd rather have fewer vulnerabilities, and we're- we're making progress on that score through our development processes, through some of the tools that we apply during development. But when vulnerabilities are found, the test then for a vendor is what do you do about them? And we don't cover them up. We don't try to deny them. We acknowledge them. We fix them as fast as we can.
LINDEN MacINTYRE: But remember Curador? He got all those credit card numbers through a loophole in one of Microsoft's popular software products. Microsoft knew about the problem and went so far as to post a notice on their Web site offering offering a patch to fix it. But victim Chris Keller says that wasn't good enough.
CHRIS KELLER, Former Owner, SalesGate: It's my feeling that Microsoft wasn't doing a good enough job of alerting its own customers to the fact that there was a flaw there. They claimed that they were trying to, but I don't think that they were doing it quite the way that a hacking incident could alert all major companies to something like this.
LINDEN MacINTYRE: [on-camera] You are issuing patches, but the ordinary person is not hearing about them, and certainly not applying them.
STEVEN B. LIPNER: That is a real concern for us, and it really makes me sad when somebody gets hit by that, you know, with the vulnerability that we have corrected.
LINDEN MacINTYRE: [voice-over] This illustrates the problem. These are Web sites penetrated by hackers in just two weeks last November, when Microsoft itself made the list.
A Dutch hacker named Dmitri mocked the software giant on their own Web site, and while he's keeping a low profile these days, he permitted an intermediary to explain for us just us how he broke into Microsoft's computers. It was through a software glitch, a glitch for which the company had invented a patch, but somehow forgot to use on itself.
Dmitri's friend, Gerrie Mansur, explained how the hacker actually alerted Microsoft to its problem after his first break-in. When they failed to correct the situation, he decided to teach them a lesson.
GERRIE MANSUR: After he compromised one server, he told Microsoft. And after some weeks, he found another server where he can get in. And it's really strange because if you are compromised one time, you probably are going to look at your security. Microsoft didn't do that, and after a week he could get in again.
LINDEN MacINTYRE: Gerrie claims they broke in through Microsoft's newest software package, the Windows 2000 operating system, a system designed with an unprecedented emphasis on security.
STEVEN B. LIPNER: Security was a show-stopper issue for that product. If there was a security vulnerability that was discovered in the product, the development team stopped ship or delayed ship until they had resolved that issue.
LINDEN MacINTYRE: Richard Power of the Computer Security Institute is skeptical about the talk of show-stopping security.
[on-camera] I mean, how comforted can we be by the reassurances that we're getting from them now?
RICHARD POWER, Computer Security Institute: Well, that's a loaded question. In one sense, you know, Windows NT came out a few years ago. It was heralded as a secure operating system. And the hackers had a few good whacks at that tree, and fruit started falling off it right away. And now there's hundreds of vulnerabilities for NT. In fact, the hackers joke among themselves. They say NT stands for "Nice Try."
[www.pbs.org: Study expert views on security dangers]
LINDEN MacINTYRE: As if Microsoft hadn't suffered enough, thanks to Dmitri, Gerrie Mansur himself launched an attack on some major American financial sites including, the NASDAQ stock exchange, CBS MarketWatch.com, BigCharts.com. He could have done a lot of damage, like altering share prices. But he just wanted to make a point, that breaking in was easy.
GERRIE MANSUR: I took only five minutes to break into all three of the sites.
LINDEN MacINTYRE: And how did he get into them?
GERRIE MANSUR: With a known bug in Microsoft NT, Windows 2000.
LINDEN MacINTYRE: Instead of making mischief, he tipped off his targets about the potentially costly loophole in security.
GERRIE MANSUR: I sent it to all companies within 10 minutes, a mail explaining what I did, how I did it and how they can prevent it.
LINDEN MacINTYRE: Driven by its convenience and a lot of high-energy promotion, Internet commerce has bloomed into an e-economy worth trillions of dollars. But companies and customers are only starting to discover how vulnerable e-commerce really is, how some smart 15-year old with a computer can knock it for a loop.
Which is exactly what happened last winter when a 15-year-old from Montreal calling himself "Mafia Boy" launched the worst hacking attack yet.
**NEWSCASTER: Giant site eBay was knocked out, then Buy.com and Amazon-
LINDEN MacINTYRE: Using basic hacking tools, he took control of an army of computers, then directed them to attack other computers at target locations with millions of messages, causing them to crash.
Mafia Boy got busted by the Canadian Mounties and the FBI for cyber-vandalism, but what's to stop the real Mafia from doing the same thing for profit? Nothing, says the FBI's Michael Vatis.
MICHAEL VATIS, FBI National Infrastructure Protection Center: We're also seeing a big spike in the number of cases involving organized criminal groups who are in it for illicit financial gain.
LINDEN MacINTYRE: And the problem may well be worse than even the FBI realizes. Richard Power suspects that many cyber-crimes go unreported because victims don't want to admit their weaknesses.
RICHARD POWER, Computer Security Institute: There are all kinds of reasons they want to keep it quiet. When there's blood in the water, the sharks get excited. And there's all kinds of sharks, not just hackers - civil liability lawyers, government regulators, stockholders, hostile takeover, people who are looking at your company for hostile takeovers - all kinds of reasons not to draw attention to your vulnerabilities in cyberspace.
MARTHA STANSELL-GAMM, Head of Computer Crime, Dept of Justice: This is clearly an underreported crime. There's no doubt about that. But I think there are a lot of reasons for that. First of all, I'm not sure that these crimes are always, or even frequently, detected. That's a harder technological problem than it seems. And there's no doubt that some victims are concerned about competitive disadvantage.
[www.pbs.org: Explore the costs of cyber-crime]
LINDEN MacINTYRE: Inevitably, corporate America turns to its own resources to combat a growing problem, marshalling computer power and more traditional assets like spies and double agents, to bring order to the newest wild frontier, cyberspace.
James Adams, CEO of iDEFENSE, believes it's a job to large and too complex for government. His company may well be a prototype, a private intelligence agency for cyberspace.
JAMES ADAMS, CEO, iDEFENSE: You and I can go into our local computer store and buy what is essentially an immensely powerful weapon. And unlike- which is the computer. And you can load that weapon with very powerful bullets, which are hacks downloaded from the Web, and you can fire that weapon at pretty much anybody you choose.
Now, it's you and I going into the store that is buying the latest technology. Historically, it's been governments that have invested in some new gizmo or other, that has taken 20 years to get into service, that has had the access and the control of that technology. Now you and I have control. That's a huge shift. And it's a shift that governments are ill-equipped to deal with.
LINDEN MacINTYRE: The federal government is even ill-equipped to protect itself from hackers. In a recent study by the General Accounting Office, 24 major agencies had significant lapses in computer security.
KEITH RHODES, GAO Chief Technologist: By "significant" we mean that we could get in, alter, delete, create, destroy, you know, modify information or systems. You've signed an official document. You're an official of an agency. I go inside, take the electronic version of it, modify it, put it back in the exact same place it was in the system before. Nobody knows it. And now they're operating as though that was the official, you know, memorandum that came out from here, when it didn't.
LINDEN MacINTYRE: His job is penetrating America's most sensitive computers, and it's frighteningly easy.
KEITH RHODES: We're always successful.
LINDEN MacINTYRE: Even the U.S. Army is feeling insecure these days, adjusting to new security challenges. Remember Mafia Boy's attack on e-commerce? The Army's Computer Crime Investigation Unit is currently tracking a similar attempt to hijack some military computers for another attack, known in the jargon as a distributed denial of service.
Special Agent James Smith explains just how the unidentified hacker planned to launch his blitz using one of those readily available Trojan horse programs.
JAMES SMITH: It's very easy for the hacker to set this up. A lot of it's automated. He can scan for the vulnerabilities throughout the Internet and try to find computers that he can load this trojan program on. And by a keystroke, he can send the command, and all those computers infected would send the attack.
LINDEN MacINTYRE: The Army is a popular target for elite hackers, some just for thrill of trying, others with more sinister intentions.
JAMES SMITH: We've had about two serious compromises that basically, if implemented or carried through, they could have brought the Army to a stop.
MICHAEL VATIS, FBI National Infrastructure Protection Center: My greatest fear is that the level of vulnerability is still so high that we are really open to a devastating attack on a broad scale against the computer networks that run vital systems.
LINDEN MacINTYRE: The International Space Station. By one estimate it will have cost $100 billion by the time it's finished, a laboratory with a mind-boggling assembly of electronic systems, all controlled by 52 computers.
Two hundred and fifty miles below, in a quiet Miami neighborhood, a 16-year-old hacker thought it would be cool to download NASA files, including the software that controls the physical environment on board the space station. Because he's a juvenile, we're concealing his identity. His hacker name is "Comrade." He also broke into a national defense site that monitors serious security threats.
"COMRADE": It's power at your fingertips. You can control all these computers from the government, from the military, from large corporations, and that's power. It's a power trip.
LINDEN MacINTYRE: A Florida judge handed Comrade a six-month sentence of house arrest for his mischief. But he says the really bad hackers might not be as easy to catch as he was.
"COMRADE": I didn't cover my tracks at all, and had I done that, they would not have been able to catch me. If I wanted to, I could have hidden myself, but I didn't think I was doing anything wrong, so why bother?
LINDEN MacINTYRE: [on-camera] You could have escaped detection-
"COMRADE": I could have.
LINDEN MacINTYRE: -if you-
"COMRADE": Of course I could have.
LINDEN MacINTYRE: You could have done a lot of damage?
"COMRADE": If one was so inclined, they could have deleted files. They could have put a virus up, or they could have sold information to foreigners.
[www.pbs.org: Read interviews with hackers]
LINDEN MacINTYRE: [voice-over] Comrade, Curador, Mafia Boy - kids kicked out of cyberspace for misbehaving. But what does it really tell us?
RICHARD POWER, Computer Security Institute: The juvenile hackers and the young hackers get caught, and they end up in the headlines because they get caught. And the reason they get caught is they're not professionals. They are out for the adventure. They are out for bragging rights. They are out for exploration. The professional - the ex-KGB agent or the ex-CIA agent, you know, the person from German intelligence or Israeli intelligence - they're not going to get caught.
LINDEN MacINTYRE: There's nothing new about espionage - even George Washington had to deal with spies and saboteurs - but the Internet has made them a lot harder to catch. And so graduate students at George Washington University play a new kind of war game, an emergency response to a virtual crisis caused by a hostile hacker.
**WAR GAMER: FBI. Four Corners, Utah. At 0900 Pacific time, the main electrical transformers at the four generator plants at Four Corners, Utah, suffered catastrophic failures. The Nikkei Index dropped dramatically on the opening of trading on the 26th, triggering-
LINDEN MacINTYRE: In the imaginary scenario, cyber-terrorists have launched an international attack, with targets including privately-owned American utilities, like power stations.
Many of these students are military and political staffers. The leader is Jim Christy, a specialist in information warfare for Department of Defense. For now it's just a game, but the motivation is for real.
JIM CHRISTY, Special Agent, Defense Dept.: We ran this scenario with generals and admirals, and then CEOs of major corporations. And everybody looks at the world from their own perspective, and they all had different perspectives. The military wanted to be action-oriented. They wanted to counterattack, but they didn't know who to counterattack. And the civilian assistant secretaries, they wanted to do something, but they weren't sure what to do or who to do it to.
And the private sector folks kept saying, "Our infrastructure- we don't want federal government involved in our infrastructure. It's my infrastructure that's under attack. We don't want the federal government involved in it. We'll take care of it. We'll handle it. It's ours."
**WAR GAMER: FBI. Leesburg, Virginia. The main computers at the Leesburg air traffic control center serving the mid-Atlantic region go down for two hours-
LINDEN MacINTYRE: The catastrophic results of a serious Web attack are, in this case, just projections, but they are based on real calculations by the military, using real services that are vital in the daily lives of Americans.
JAMES ADAMS, CEO, iDEFENSE: As the Pentagon a little while ago demonstrated in an exercise that they ran, it was possible - easy, actually - to hack into the power grids of the 12 largest American cities, and to hack into the 911, the emergency system, and shut all of those off with a click of a button.
**WAR GAMER: The director of the FBI reported to the president that the Manhattan telephone switches and the Federal Reserve clearinghouse had been disabled by electronic pulse bombs.
JIM CHRISTY: I think every one of the individual scenarios could happen.
LINDEN MacINTYRE: A new generation of Americans prepare for leadership roles in a new kind of conflict, facing a phantom enemy, maybe just a disaffected teenager, maybe a terrorist.
JAMES ADAMS: You've got vandals. You've got organized crime. You've got extensive economic espionage. You've got 30 nation states with very aggressive offensive information warfare programs.
India is a whole new player in this game. And China- they've recognized in their own documentation that they cannot match the United States in a conventional way - they'll never be able to beat the U.S. in armored personnel carriers, tanks, missiles, guns and so on - but that they can do a great deal with informational warfare because they recognize how vulnerable the U.S. is and what they can do by setting up the right techniques and mechanisms.
LINDEN MacINTYRE: Which eventually could make terrorism, like the suicide attack on USS Cole in Yemen last October, less risky for the terrorists.
JIM CHRISTY: Countries and traditional terrorist organizations have not really adopted this doctrine yet. So their leadership didn't grow up with this technology, so they're going to, you know, blow things up with C4 still. When they- when the new generation of leadership in terrorist organizations and nation states move into position where they can affect things, I think we'll find that that's going to eventually happen to us.
LINDEN MacINTYRE: Jim Christie believes it's inevitable.
JIM CHRISTY: Absolutely. I mean, anonymity is built into the process. You don't have to sacrifice, like they did in Yemen. You don't have to sacrifice two individuals. You can do it remotely, and maybe do the same- have the same effect.
**WAR GAMER: Now it gets real. At 1800, an emergency video conference, the CIA and the FBI were told by the national security adviser that the president wanted them to increase their level of cooperation to whatever was needed to respond to the escalating domestic and international crisis.
LINDEN MacINTYRE: Recent efforts to penetrate Japanese infrastructure control and information systems were the work of sophisticated malevolent actors. It was the sort of terrorist act security experts have nightmares about.
In 1995, it was still too early to link a terrorist act, like the sarin gas attack on the Tokyo subway system by a cult, to information warfare. But five years later, the connection has become all too clear.
RICHARD POWER, Computer Security Institute: They were actively engaging in hacking into Japanese corporations and other entities around the world to gain technology. They wanted laser technology, for instance, because they wanted to build their own laser guns. And they, in fact, targeted and they were recruiting software engineers and scientists and bright young people who had skills that they wanted.
LINDEN MacINTYRE: The cult is called Aum Shinri Kyo, a sophisticated doomsday sect with a ministry of intelligence dedicated to stealing high-tech secrets from American and Japanese corporations and research institutions.
RICHARD POWER: In turns out that a front organization which is controlled by the Aum cult was the contractor that developed software for the Japanese, for 90 Japanese government agencies, including the Japanese police and elements of the Japanese defense department. And a day - literally a day - before this software was to be deployed, somebody put two and two together and blew the whistle and said, "Wait a minute," you know, "look who developed this software."
LINDEN MacINTYRE: One such lapse could lead to chaos, and as the war games in Washington conclude, talk of chaos soon leads to talk of martial law.
**1st WAR GAMER: As far as cyber-attacks go, I mean, martial law is very good for keeping people off the streets. But the problem is that they're going to be in their bedrooms with their computers clicking and doing more attacks. So I'm not seeing that martial law is going to be extremely effective.
2nd WAR GAMER: I'm not understanding how martial law is going to contribute to any heightened computer security.
3rd WAR GAMER: If you've got these domestic terrorist groups, who knows what they'll be doing. They could be blowing up trains in a couple days. They could be sabotaging water supplies. Who knows? So I think it'd be definitely justified to declare martial law, shut down everything and deal with the problem.
4th WAR GAMER: You said you're going to turn off the Internet. Let's shut it down. Let's shut everybody out. Are you going to have planes flying? We haven't even gotten into that.
5th WAR GAMER: We are at war. We don't know who we're at war with yet, but we are at war. And we're going to use everything at our disposal, and we're going to, you know- I don't know.
6th WAR GAMER: The point of all of this is we're redefining war.
LINDEN MacINTYRE: Information technology, redefining war, prosperity and peace, perhaps even freedom, by provoking new demands for government controls.
ROBERT STEELE, Security Expert, Former CIA Agent: We have to protect critical infrastructures. And that is essentially a three-part solution. Part one is the government has to legislate what comprises due diligence. Software has to meet certain standards of safety and stability and reliability and transparency.
The second part is that government has to test and certify that software, so that as a commonwealth interest, software is validated by the government as meeting those standards.
But the third and most important part is that the proprietors of the computers themselves must live up to a new standard of responsibility. You can't leave your computer connected to the world and not have firewalls. You can't send documents without encryption or other protection and expect them to remain private. So we ourselves have a responsibility.
But our responsibility, although the most important, is only the third step. The first two steps have to be taken by government and by the private sector.
RICHARD POWER, Computer Security Institute: We want this Internet, this global cyberspace, to be completely free, completely open. Everyone does. I do. But we also want to conduct business there, and we want to relax there and have our children be educated there and seek entertainment there. Those kinds of activities require law enforcement, require international treaties, require responsibility, corporate responsibility and personal responsibility. So we have a long way to go before cyberspace is as safe, even, as the highways. And as you know, the highways aren't all that safe.
LINDEN MacINTYRE: Infrastructure, services we take for granted, essentially insecure, and will stay like that until security catches up with technology.
MARTHA STANSELL-GAMM, Head of Computer Crime, Justice Dept: Computer security is very expensive. It costs a lot of money, and it requires a lot of technically skilled people. And as you know, we're all - government and industry - competing for those same folks. It's hard for government to have enough people to really secure networks.
LINDEN MacINTYRE: Finding the people to secure networks might not be as difficult as the bureaucrats believe. In Las Vegas, in July last year, there were 6,000 possibilities at the eighth annual Defcon convention, the premier event on any hacker's calendar. The crowd includes headhunters from industry and government, including the CIA. It's a place to network, test new technology, and test each other.
Last year, a group called Ghetto Hackers from Seattle,won the major competition in Las Vegas. The star of collective calls himself "Caezar."
"CAEZAR": It takes a certain kind of a mind to try and break things all day. It takes a certain kind of a person, and I think that kind of attracts a counter-culture mentality. And that's why you're seeing a lot of the news press releases in the security industry these days talk about the company's policy toward hackers. You know, "We hire hackers," "We don't hire hackers." Well, they all do.
LINDEN MacINTYRE: The social highlight at each convention is an unusual sort of party hosted by Caesar and his group. It's an invitation-only affair.
"CAEZAR": We've got about a hundred people coming to this party, maybe 200. They're special because they're government agents that are interested in what we have to know. And there are going to be very elite hackers from all over the world who are very interested in what the government has to know. And we're providing a forum for them to interact privately and without any interference from their reputations or from the public or anything and let them creatively solve some really difficult problems.
LINDEN MacINTYRE: Because only the elite could attend, they kicked us out early. By all accounts, we didn't miss much fun. It was mostly about advanced mathematics and mind-numbing computer codes. It went on all night.
ROBERT STEELE, Security Expert, Former CIA Agent: Hackers have come of age. I clearly see that government and industry understand that hackers and the views that hackers represent are a force to be reckoned with. And therefore over the next five to ten years, I anticipate that hackers will have a very beneficial influence on the safety and stability of cyberspace.
LINDEN MacINTYRE: "The safety and stability of cyberspace" will ultimately depend on the people who know most about the dangers, and perhaps most of all on people who helped define the dangers, in the first place.
ANNOUNCER: This report continues on FRONTLINE's Web site, which offers a live chat with top security experts and hackers, advice on how to protect your computer, a closer look at how hackers do what they do, a rundown on the most notorious hacks so far and what security experts have to say about them, plus the extended interviews from the program. Then join the discussion. See what others thought about the program and add your own comments at pbs.organization or write us an email at email@example.com, or write to this address. [DEAR FRONTLINE, 125 Western Ave., Boston, MA 02134].
PRODUCED AND DIRECTED BY
Leslie Steven Onody
Leslie Steven Onody
Michael H. Amundson
UNIT MANAGER FOR CBC
Marie Francoise Raffougeau
SENIOR PRODUCERS FOR CBC
EXECUTIVE PRODUCER FOR CBC
Copyright 2001 CANADIAN BROADCASTING CORPORATION
Michael H. Amundson
The Caption Center
Erin Martin Kane
SENIOR STAFF ASSOCIATE
Lee Ann Donner
Douglas D. Milton
Louis Wiley Jr.
SENIOR EXECUTIVE PRODUCER
A FRONTLINE Co-Production with the Canadian Broadcasting Corporation
WGBH EDUCATIONAL FOUNDATION
ALL RIGHTS RESERVED
FRONTLINE is a production of WGBH Boston, which is solely responsible for its content.
ANNOUNCER: Next time on FRONTLINE: It's all about cool.
ANNOUNCER: Buying it and selling it.
EXPERT: The system closely studies kids to figure out what will push their buttons. Then it blares it back at them relentlessly.
ANNOUNCER: But what is this assault doing to America's teens?
EXPERT: Advertising's always telling them they're creeps, they're losers, unless they're cool.
ANNOUNCER: The Merchants of Cool next time on FRONTLINE.
To order tonight's program on videocassette, call PBS Home Video at 1-800-PLAY-PBS. [$19.98 plus S&H]
National corporate funding for FRONTLINE is provided by Earthlink.
FRONTLINE is made possible by contributions to your PBS station from viewers like you. Thank you.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation