Editorial Director of the Computer Security Institute (CSI), San Francisco, CA,
and author of Tangled web: Tales of Digital Crime from the Shadows of
Cyberspace. (Que, 2000)
Who are the bad guys? Who's the enemy in this new cyber world?
In terms of criminal activity? Well, it ranges from petty theft, really, to
state-sponsored terrorism. And you have everything in between. You have the
cyberspace mugger who's going to steal your personal identity, and destroy your
credit by committing fraud in your name, or stalk your children or your loved
ones online. There are organized crime syndicates that are going to be engaged
in stealing massive numbers of credit cards and selling them and using them for
credit card fraud globally. There are governments and corporate entities,
globally, that want to steal technology: cutting-edge technology, biotech,
high-tech, and low-tech technology. They want to compress the arc of time for
their economies to develop and catch up with the Big Eight economies. And
somewhere out there there's a cyber Unabomber, who is concocting for his own
bizarre motives some really unpleasant event that could impact the lives of
thousands or millions.
And there are the cults. Aum Shinri Kyo is the cult that hacked aggressively
into technology companies to steal technology that they were interested in.
There are the Osama bin Ladens of the world. Some people mock that specter, but
those folks have satellites, they use encryption, and they are on the Net, both
to gather information and to disseminate information, to gather intelligence
and conduct operations. And then, of course, there are governments. What will
happen in the Straits of Taiwan between Taiwan and China, and all the hot spots
in the world, is also taking place in cyberspace. They're looking at ways to
attack each other's digital infrastructure
The problem is a lot more complex then just people with green hair and body
Some of the folks with green hair and body piercing are very bright kids who
solve puzzles that people with computer engineering backgrounds can't solve.
But the juvenile hackers and the young hackers get caught, and they end
up in the headlines because they get caught. And the reason they get
caught is that they're not professionals. They are out for the adventure. They
are out for bragging rights. They are out for exploration. The professionals,
the ex-KGB agents, or the ex-CIA agents, the person from German intelligence,
or Israeli intelligence--they're not going to get caught. And when they are
detected, the people who detect them are not going to want to acknowledge that
they've been there. . . .
What happened with the Aum Shinri Kyo incident?
The important point that the story of the Aum cult brings home is the
plausibility of the cyberterrorist threat. We may never see a cyber attack, but
it would be irresponsible for those who are entrusted with national security to
not consider the consequences. For example, if someone had said before it
happened that a small New Age cult would launch a Sarin gas attack on the Tokyo
subway system to spur some Armageddon that would somehow leave their cult
leader in charge of the world, you would think it was implausible. But it
And the Aum cult was not only was preparing for chemical warfare and other
kinds of warfare. They were actively engaging in hacking into Japanese
corporations and other entities around the world to gain technology they
wanted--laser technology, for instance--because they wanted to build their own
laser guns. And they, in fact, targeted and were recruiting software engineers
and scientists and bright young people who had skills that they wanted. And
they did drive up to the gates of Mitsubishi in the middle of the night, break
in, get into the main computers, and hack into those computers to get trade
secrets, proprietary information.
It's not difficult to surmise that they involved themselves in other hacking
capers. But even this year, years after the Sarin gas attack . . . it turns out
that a front organization that is controlled by the Aum cult was the contractor
that developed software for 90 Japanese government agencies, including the
Japanese police and elements of the Japanese Defense Department. And literally
a day before this software was to be deployed, somebody put two and two
together, and blew the whistle, and said, "Wait a minute. Look who developed
this software." Now, was there anything funny in the code? We'll probably never
know. But the danger of it is astounding, and the plausibility. You wouldn't
believe it if I had told you, "A cult could be writing software that could be
downloaded into the police department or the military wing of your government."
People wouldn't believe it. But it almost happened, literally. It was within 24
hours of being deployed in Japan.
You've been monitoring crime, probably more specifically than anybody else
that I've talked to. Was there a case that sort of blew your socks off?
In the mid-1990s, there was a rumor about something called BlackNet. And the
rumor was that there were these crackers online who were stealing and selling
information, and you could ask them for whatever you wanted. They could go get
it, email it to you, and it was all done with encrypted accounts and anonymous
remailers, and all very cloak-and-dagger on the Net. Some people said this was
real, some people said it was an FBI sting. Some people said it was a hoax.
BlackNet itself turned out to be a hoax, perpetrated by a bright young
"cyperpunk," as they're called.
But while that urban legend was passing around the internet, there was a real
"BlackNet" operation going on. It was eventually called "Phonemasters"
by the federal investigators. This was a gang of crackers, across the country,
Philadelphia, Santiago, Dallas, and in Canada, Switzerland, and as far away as
Sicily. They were involved in stealing credit card information and reselling
that information. They had a menu of activities they could perform. They had
Madonna's home phone number, they could hack into the FBI's national crime
database. They hacked into a telephone company to find out where the federal
wiretaps were for the Drug Enforcement Administration, beeped the dealers that
were being tapped and said, "Hey, you're being tapped by the DEA." And that
blew drug investigations out of the water. These guys were serious. . . . It
took years to get a conviction and a sentence in that case. . . . And you know,
these guys were amateurs in the sense of criminal activity. So you can imagine
what a serious criminal organization that takes that kind of hacking seriously
could do. . . .
What have we learned so far from the big attacks that we've experienced to
The Citibank case, where some Russian hackers, notably "Vladimir Lenin"
operating in St. Petersburg in Russia hacked into Citibank in New York. They
succeeded in committing wire fraud, basically, to the extent of $10 million
before they were caught, arrested, tried, convicted and everything else. There
are a lot of lessons in that case. Nobody wants to talk about the Citibank case
much, because the bankers don't want you to think about problems with online
banking and the internet. The dotcom companies don't want you to think about
the consequences of cybercrime. . . . This wasn't even an internet crime. This
was just a dial-in system where you made transactions to and from your account
over the phone. And these systems were compromised early on. I suggest that
that kind of activity on the internet is even easier, not harder. And in fact,
Citibank, in order to deal with those vulnerabilities after the fact,
instituted "smart cards"--cards for the customer to swipe and identify
themselves, similar to an ATM card. My suggestion is, if you're conducting
online banking, and you are using a password and user ID, you are not using
adequate authentication to the network. You are exposing yourself to
What did we learn from the Martin Luther King Day crash at AT&T?
Well, the Martin Luther King Day telephone crash, back in the early 1990s,
affected the public switch network, the telephone system from coast to coast,
for many hours. There was significant infrastructure collapse. . . . We hear a
lot of talk about information warfare, and the preparation for information
warfare, and the need to build up defenses against infrastructure attacks. And
some of the doubters say, "Well, where is the evidence of infrastructure
attacks?" And no one will talk about it, and maybe there hasn't been one. But
the Martin Luther King Day crash in the early 1990s is an incident that I
understand to be an infrastructure attack, although AT&T only acknowledges
a software glitch. There was never any prosecution, any arrest or prosecution
in the case. There is evidence that it was a single command issued by a hacker
that brought down the public switch network that day. . . .
What is it going to take to make cyberspace a safer place?
I think it will have to do with tort law, civil liability and exposure.
And of course, no one wants to talk about government regulation. But I always
point out to people that when they come into their office in the morning and
switch on their lights and they get electricity, and they pick up their phone
and they get a dial tone, to some extent, like it or not, the availability and
the constancy of those utilities has to do with government regulation. If we
are going to look at the internet as a place to do business, as something as
vital as the phone system, or the power grid, or the air traffic control system
itself, then you have to start looking at what you will require from those who
want to be the bulwarks of that . . . .
Author, Applied Cryptography and Secrets and Lies: Digital Security
in a Networked World.
What are the dangers for the average computer user?
The danger for the average computer user is that someone will hack their
system. Now, most average computer users don't have anything worth stealing.
Right. It's the joke of protecting your house by poverty--there's nothing in
your house worth stealing. Now, on the internet, there are other dangers,
because your computer could be a launching pad for other attacks. So people
might want to break into your computer to use your computer as a site to break
into something further on. These are real dangers, and this happens all the
time. A lot of the denial of service attacks from last February were
based on these sorts of launching pads.
What are the economic dangers for the corporate world?
For a corporation, the dangers are very great, and we see it again and again.
We see major web sites that are hacked, and they're brought down for six, eight,
ten hours. This affects their bottom line if they have a revenue model. We
see a company like CD Universe get hacked and have 300,000 credit card numbers
stolen. This greatly affects their credibility, and I don't know if they've
recovered yet from that.
We see companies that are losing proprietary information. The web site for the
television show "Survivor" had the big ending of their series stolen off the
web site. . . . So there are enormous risks out there if you're a business.
On the plus side, all these risks are manageable. None of them are new. None
of them are new for the internet. If you had a storefront, you were worried
about graffiti. You worry about someone breaking into your store and stealing
things. You worry about losing money, you worry about losing credibility. So
the internet is just a new venue for these old risks. . . .
What the internet does have, because the internet has no definition of
place, is that you're suddenly worried about all the criminals in the world.
If you had a store in Toronto, you had to be secure against all the criminals
for whom it's worth their time to drive to your store and break in. But if
you're on the internet, everything is next to you. So you're sitting in
Toronto, and you can have an attacker in Thailand who can very easily attack
your internet store.
So because the internet is global and there's no definition of place, the
number of criminals that you have to worry about goes up. On the other hand,
the number of targets goes up. So if you're in Toronto, those Toronto
criminals have no one else to rob except Toronto stores. But if you're on the
internet, all those criminals have all those other stores to possibly rob.
So, on the one hand there are a lot more possible attackers, but there are
also a lot more possible targets.
If hackers can do all this stuff, what could organized crime do?
I think we have to take organized crime much more seriously than we do hackers.
Organized crime goes where the money is, and the money is moving to the
internet. And if you can go on the internet and steal people's credit card
numbers, and steal identities, and steal phone numbers, and steal products and
money and possibly sell faulty goods, organized crime will move to that.
They're going to move to it as long as it's profitable. And organized crime is
likely to be better funded, better skilled and better organized than lone
criminals, than hackers are. . . . I think organized crime is a big worry,
and I think it's going to get worse, as criminals realize that there's money to
be made on the internet. . . .
Can the internet ever be totally secure?
. . . I believe the internet will never be secure. But that's okay. The real
world is an insecure place. Anybody can kill anybody they wanted to. Yet we
all live pretty much happy lives. . . . So the internet will be no more secure
than walking through the streets. But the reason we have security in our daily
lives is not because there's magic technology that renders guns inoperable, but
because we have a legal system, we have societal rules, we have culture that
makes our city safe, and our world safe. And I see the same thing happening on
As a society, are we up to speed on this? We have rules for guns, and rules
for traffic. But are we up to speed on the internet?
I don't think we are. I think the internet is a much more anonymous place.
One of the reasons there seems to be a lot of low-level crime in hacking is
that it's very easy to be anonymous. There isn't low-level mugging in cities,
because you're doing it. It's you. You're there, you can get caught, and you
can get in trouble. The internet is much more anonymous; it's much more
distant. You can do things without fear of reprise. That has to change. We
have to spend more time detecting crime, responding to crime, and prosecuting
crime on the internet, just like we prosecute crime on the streets to make our
cities safe. . . . The real moral is that the internet is no different than
the real world. We just have to take all the things that work in the real
world and move them into the internet. You can't just buy that firewall and
think you're safe. . . .
Manager of Information Security, Frank Russell Company
Sizing the threat is tough. There is a whole spectrum of different threats.
The possibility of abuse of people's privacy is a large threat. The threat of
internal abuse by employees on systems incidentally, just by mistake because
the systems are poorly configured, continues to rise. . . . On deliberate
attempts, I believe that the threat of people taking action against
organizations in a technological manner is increasing every day.
It is all second-guessing. There is no real intelligence or strong data to
support it. But instinctively, it is easy for me to foresee the technology
threat, the threat of abuse of technology against a company or person becoming
greater and greater every day. . . .
[What would a secure system look like?]
. . . This technology cannot be secured, and that's fact. I would debate that
with any vendor, with any inventor of internet technologies, with any business
that is deployed . . . . I would debate that with anybody. I believe it
cannot be secured. It can only be risk-managed. All the technology that
underlies this whole internet web phenomena is technology that was meant for
communication. It was not meant to conduct business. It is open technology.
Everything that you have to do to secure it is . . . afterthought stuff. And
because it is afterthought stuff, because it is not part of the infrastructure
itself, it creates a slew of problems and costs.
The fundamental problem is that vendors and people are involved in the myth of
how good it is, and they don't want to diminish that story by recognizing the
fact that it may not be as cost-effective or as sensible a use as they would
like to think it is. People are having a hard time giving up what they believe
this is, what the internet is going to be, what this technology can provide. .
Davis, a security consultant and ex-hacker from Ottawa, tracked down Curador,
an 18 year old hacker from South Wales who in 2000 stole an estimated
26,000 credit card numbers from e-commerce web sites and posted them online.
How would you characterize the internet's vulnerability . . . to criminals
. . . There are ways that you could shut down the internet in two or three
hours. I know people that have the ability to do it. Just thankfully, they
don't want to do it. They're ethical people. . . . But people who are working
for things like organized crime, or in terrorist groups, thankfully don't have
that type of skill set at this point. I think it's possible that they would be
able to find people with that skill set, and at that point, it would start to
get really scary. . . .
What sort of vulnerabilities are there? What could be done?
The major vulnerabilities that we see right now are in the Microsoft
products. Microsoft has a web server out that has 15 or 20 fairly large
security problems with it. There have been three or four really major ones
over the last couple of years. And this is what we see the young kids using
right now, because there's a lot of programs out there that you could just
download, run, and it'll re-write the web page for you. One gives you full
access to the remote web server in about four seconds. There's another one
that will completely shut down the web servers in a second. There are all
kinds of tools out there that these kids can download and they don't have to
understand how they work. They don't have to understand how to write it. The
only thing you have to do is understand how to click a mouse. So that does
cause a lot of issues and a lot of problems. . . .
Giovagnoni is the Executive Vice-President for Strategic Relations for
iDEFENSE, a private agency specializing in information intelligence.
Is it really possible to devise protection for the infrastructure of the
Well, yes. But I want to make a distinction here. I don't know that you can
totally secure something within the internet. . . . The internet, when it was
originally designed, was designed to be open. And now we are trying to protect
it in the way that you can close all the doors, and by its very nature, it
won't happen. Not in the foreseeable future. Maybe never. So what you have
to be able to do, if you are concerned about protecting a particular system . .
. is to put obstacles in the way of someone who wants to get access to it. . .
But there's no way of being on the internet that's not risky?
No. You cannot build a wall around your computer and assume it will never be
attacked, or that it will be protected totally, unless, of course, you're
connected to nothing, and you lock it in a room, and never use it. . . .
If I am on the internet, what are the chances that I am vulnerable to some
kind of an intrusion or loss?
Well, I would almost say that there's a 100 percent chance that you're
vulnerable. The internet itself is vulnerable. You are vulnerable, no matter
where you are on the internet. . . .
Is that just an inherent set of circumstances that we buy with the
technology, or can we do something about that?
I don't know that it's inherent. I think we can do something about it . . . .
Once we understand the internet, and once we understand the consequences of our
act when we take a laptop home and we take a computer disk from work, and we
load it at home, and maybe take it back . . . then we have a better way of
dealing with it. . . . If you're asking me, "Can we evolve or can we develop
this so that you have the ability to make it so that no one can break into
anything?" I don't think that will ever happen. So you can't make it
that secure. But you can make it secure, in the sense that, as people
become aware of security practices and how the system works, you can
protect the information that you want to protect by making conscious
Reid and Count Zero are members of Cult of the Dead Cow,
a hacker organization which developed "Back Orifice,"
a computer program which allows the user to remotely view and
control any computer running Windows 95 or later.
Do you see dangers in us being so wired and connected the way we are at the
Count: I think about that a lot. . . . I think a lot of the fear that's
happening is fundamentally because there are big misconceptions of what the
internet is all about. The internet is not a nicely packaged lined up row of
books in a library where everything's organized by the Dewey Decimal System and
everything is published by a handful of publishers that control all of it.
It's not something that's sanitized, categorized, shrink-wrapped and
freshness-dated on a shelf.
The internet is a mirror of society. It truly is something that reflects all
of the elements in the physical world--the types of people who use it, the
types of things that are on it, what's being said, and what you'll see and
read. . . . People who are criminals are going to be on there. There are
going to be people on there where you just cannot understand where they're
coming from, and that'll scare some people. . . .
Society is complex, and it's often very messy. And I think people just have to
deal with that, roll up their sleeves, and jump in and just get involved and
try to fix things that are broken, and accept the fact that other people are
going to say that things you don't like a lot of times.
Reid: The internet itself was constructed with this idea that we were all
going to be nice to each other. All of the standards and all of the protocols
assume, basically, that no one is going to lie or cheat or steal. It was
designed basically for the US government in planning a war, and then it was
co-opted by scientists to coordinate research. And there was really no effort
made early on to insulate that, or to protect against people who just are
outside the trust model, people who just want to go in and see what they can
do, and they just don't care. Unfortunately, it's hard to build on top of a
system like that and not retain some of those strengths and weaknesses. Those
protocols are very simple, they're fast, they're efficient. But they are wide
Nowadays, we are paying for the sins of our fathers in the same way that we had
the Y2K bug, which we spent years gearing up for--and thank God we did, because
it could have been awful. The general public is sick of hearing about Y2K, and
they assumed it was a big joke, but it never was. That could have been very
devastating. But those kinds of problems exist on the net in spades. If
somebody wanted to take down the internet, they could do it; they could still
do it. None of that has changed. . . .
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation