Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace


QUE. A Division of Macmillan USA

from the

e-book shop
Tangled Web:
Tales of Digital Crime from the Shadows of Cyberspace

Tangled Web itself is an acknowledgement of some of the many bright and dedicated
individuals who have helped reveal what lurks in the shadows of cyberspace. Their
names and affiliations are strewn throughout the text. There are others, too, who are
not mentioned, or could not be mentioned, who have made significant contributions.
Without the foresight and daring of Patrice Rapalus, the director of the Computer
Security Institute (CSI), I would not have been able to accomplish as much as I have
in this field. Indeed, all those who take information security seriously owe her a debt
of gratitude whether they are aware of it or not.

Tangled Web is the result of several years of intense focus but was produced on a harrowing
schedule in an insanely short span of weeks. Without the creative vision, professionalism,
and humor of Kathryn Purdum and Hugh Vandivier, my editors at
Macmillan, it would not have been possible to do the impossible. Michael Dietsch,
Tonya Simpson, Benjamin Berg, and others at Macmillan also worked hard and well
on this project.

I also want to thank Christina Stroz, Doron Sims, and Scott Hamilton, three students at
York Prep High School in New York, who navigated their way through the maze of the
U.S. Federal court system, located some court documents vital to this book (although
they had been given the wrong docket number), and photocopied them for me.

Our world has been changing dramatically, and we haven’t being paying much attention.
Sure, we know how computer technology and networking have increased productivity
and that the Internet has become an enabling technology similar to the
invention and development of electricity as a power source. We are all aware of how
much money has been made by Internet startups, through online stock trading and
through business-to-business networking.

What few are aware of are the dangerous waters we are treading.
We live in a society quite capable of providing sufficient physical security. Banks have
vaults and alarm systems; office buildings have controlled access and guards; government
installations have fences and much better armed guards when appropriate.
Jewelry shop owners remove their wares from window displays and lock them in a
vault each night. Stores in poor neighborhoods use video cameras full-time and have
bars or grates over windows when closed.

But the online world is not so secure. A company that spent millions installing a stateof-
the-art alarm system might not even have a single employee tasked with computer
security. Companies that do spend money install the equivalent of network burglar
alarms, intrusion detection systems, but then do not hire anyone to monitor the IDS
console. The firewalls that are the equivalent to the guard at the entryway to the networks
get configured for performance, not security. At best, the majority of organizations
pay only lip service to computer security.

Tangled Web makes these points abundantly clear. Through surveys, case studies, and
stories about the few successful prosecutions, Tangled Web exposes the depth of our
vulnerability to online theft, penetration, abuse, and manipulation. Even as the business
world migrates to a fully online presence, we remain stuck with our heads in the
sand, hoping that what we can’t see won’t hurt us.

But what we can see—the adolescent hacker “owning” computers for use in chat
rooms, stealing credit cards to pay for new computer equipment, using your network
to deliver spam email advertisements for pornographic sites—is only the tip of the iceberg.
Defacement of Web servers by a hacktivist may garner 30 seconds in the evening
news, but such public attacks are not the real problem.

In Tangled Web, you will learn about the details that you didn’t see on the evening
news. For example, how two hackers’ systems were found to have the commands that
brought down the AT&T phone network in 1990 (and you thought it was just a software
bug). Or how, exactly, a Russian went about getting his hands on more than $10
million wired from Citibank. Or how an electronic entrepreneur was prepared to sell
84,000 credit card numbers, burned on a CD and encrypted with a key taken from a
novel about the Mafia.

The CSI/FBI surveys in the beginning of the book present statistics on the growing
awareness of the threat to our security. The participants in the series of surveys, over
a five-year period, show increasing awareness of not just the level of threat, but also
the ability to place a dollar amount on the damages caused by various forms of electronic
malfeasance. As you read through these chapters, you might be surprised to
see that the greatest threat to your company’s resources has remained exactly the
same over the years, while the threat of Internet attacks has continued to rise.

And yet, the incidents and statistics reported in Tangled Web detail just the parts that
we do know about. The chapter on corporate espionage, for example, provides abundant
details about the cases of information theft that we know about. But this is like
bragging about capturing a single truck loaded with cocaine at the border, when tens
of thousands of tons actually wind up in the noses of addicts each year.
The true extent of computer crime is still unknown. Most organizations still refuse to
share information about computer crime with law enforcement. And, for every system
penetration or instance of unauthorized use discovered, there are probably ten
or more left unnoticed.

Individual hackers have their own resources and what they can garner from friends,
associates, and the Internet to work with. Just imagine what it would be like if you
could take what is essentially an amateur computer security specialist and provide
unlimited resources to him or her, including training, access to classified intelligence,
the fastest computers and network links, and cooperation with a cadre of other dedicated
and enthusiastic individuals. What you would have then would look like the
information warfare teams already in existence in more than 20 countries worldwide.

When these teams perform an intrusion, it is unlikely that it will be noticed. They are
after not attention but information or future control. They have a better understanding
of the systems they are attacking, and they have the time and patience necessary
to do a thorough job without leaving behind any traces of the attack. It is the unseen
and unheard-of attacks that any organization with any critical online resources should
be afraid of. And, if you think this is beyond the capacities of most large nation-states,
just read about how a small group called the Phonemasters completely compromised
a regional phone company to the point that they could do anything they wanted, even
warning criminals of wiretaps placed on their phone lines. Even as the phone company
was implementing better security, the Phonemasters were creating back doors
into the compromised systems that would let them get around the enhanced security.
Instead of improving our defenses, the marketplace has generally chosen to go with
fluff. The security chosen by most companies today is like that on a fishing shack on
a backcountry lake: a sign saying “Protected by Smith and Wesson.” I have visited
companies where a firewall, intended to protect an e-commerce business, was still in
its packing crate, and ones where the ID systems were merely there to show to visiting
investors. And the most popular products in use are not the most secure by far.

Today, the number-one and number-two (in sales) firewalls use a technique known as
stateful packet filtering, or SPF. SPF has the dual advantages of being fast and flexible,
and this is why it has become so popular. Notice that I didn’t even mention security,
as this is not the number-one reason people chose these firewalls. Instead, SPF is popular
because it is easy to install and doesn’t get in the way of business as usual. It is
as if you hired a guard for the entry to your building who stood there waving people
through as fast as possible.

Marketing plays an even greater role in the failure of security. Microsoft, unfortunately
for the world, owns the desktop market and is busily going after the server market as
well. On the desktop, Microsoft features, such as Outlook and Windows Script Host,
turn every desktop into a potential relay for viruses like Melissa and ILOVEYOU, or a
source for denial of service attacks. NT Web servers, which can with great effort be
made relatively secure, get hacked three times more often than any type of Unix Web
server, and yet make up only one-fifth of the Web servers installed today. Instead of
building and shipping truly secure systems, Microsoft talks about what it can do. And
what it actually does is introduce amazingly flexible and complex products that even
its own engineers admit are based on undocumented source code.

If I haven’t already moved you to pay attention to security, I certainly expect that
Tangled Web will do it. This book can be used as a tool to convince management of
the extent of the risk—not simply that there is a real risk, but how damaging it can be
to ignore that risk. Not just in financial terms, which is real enough and welldocumented
here, but also in terms of winding up with a security breach detailed
above the fold of the New York Times.

If you are a security professional, you will, in most cases, know that your company is
not spending enough money and attention on security. Buy this book and give it to
your managers. Read it yourself, so you can be armed with stories and statistics about
those who ignored the risk instead of managing it. Learn about successful prosecutions
and what evidence proved significant, so instead of being a just a victim, you
will have at least a chance to strike back.

As Richard Power writes in the epilogue, the stories about computer crime continue
to unfold. Even so, what you have in your hands is the single, most complete description
in existence today. And perhaps, someday in the not-too-distant future, we can
be proud instead of embarrassed of our security, because we chose not to ignore the
problem but to get serious about it instead.
Rik Farrow
July 2000

Contents at a Glance
Foreword xi
I Crime, War, and Terror in the Information Age 1
1 Welcome to the Shadow Side of Cyberspace 3
2 Inside the Mind of the Cybercriminal 9
3 Been Down So Long It Looks Like Up To Me: The Extent and Scope of the
Cybercrime Problem 21
4 Let It Bleed: The Cost of Computer Crime and Related
Security Breaches 39
II Hackers, Crackers, and Virus Writers 53
5 Did the 1990s Begin with a Big Lie? 55
6 Joy Riders: Mischief That Leads to Mayhem 65
7 Grand Theft Data: Crackers and Cyber Bank Robbers 87
8 Hacktivists and Cybervandals 115
9 The $80 Million Lap Dance and the $10 Billion Love Letter 141
III Spies and Saboteurs 157
10 Corporate Spies: Trade Secret Theft in Cyberspace 159
11 Insiders: The Wrath of the Disgruntled Employee 179
12 Infowar and Cyberterror: The Sky Is Not Falling, But… 191
IV Muggers and Molesters in Cyberspace 213
13 Identity Theft 215
14 Child Pornography on the Internet 223
V The Defense of Cyberspace 229
15 Inside Fortune 500 Corporations 231
16 Inside Global Law Enforcement 249
17 Inside the U.S. Federal Government 263
18 Countermeasures 279
Epilogue: The Human Factor 313
VI Appendixes 325
Glossary 327
A U.S. Laws and International Treaties 339
B Excerpt from Criminal Affidavit in the Ardita Case 369
C Resources and Publications 387
Index 403


e-book shop

Purchase Now !
Just with Paypal

Product details
 2.00 USD
 449 p
 File Size
 2,446 KB
 File Type
 PDF format
 2000 by Que Corporation

═════ ═════

DMCA.com Protection Status