Cyber Criminals
The internet and computers have brought many benefits to our lives but
these new technologies have brought with them a new breed of criminal
It's becoming impossible these days to open the newspapers and not read
about the latest crime to be committed in cyberspace: be it a new virus
unleashed, a hacking attack on a prominent organisation, or even entire
Internet services being crippled.
It is an unfortunate reality of modern life that for every new invention
made to make our lives easier, criminal opportunists are never far
behind and sometimes infront.
When car manufacturers fitted new safety systems to their models which
inflated airbags and unlocked the doors in the event of a crash, it
seemed a good idea enabling the emergency services to gain access to
injured people without having to smash their way in.
But opportunist thieves soon realised that a sufficiently hard hit to a
car's front bumper was just as good as having a key - the door locks
would simply pop open.
A similar battle between innovators and criminals is being played out in
the computer industry. And the stakes are high.
E-commerce is changing the way the world does business, an increasing
number of companies and organisations are relying on e-mail to keep in
contact with their customers and suppliers, government departments are
making their services available online and it is now possible to visit
your bank, your favourite shops and book a holiday by simply pressing a
few keys on your computer keyboard.
But along with technical progress comes a new breed of criminal - the
computer hacker.
Technically speaking a hacker is someone who is an adept computer
programmer, but the term has been coined - mostly by the media - to
describe those cyber terrorists who get their kicks from breaking into
computer systems, defacing websites and generally causing chaos in the
virtual world. Real hackers call these people 'crackers' and there is a
constant battle being waged between those charged with Information
Technology innovation and those who seek to undermine it.
Challenge
The FBI reported that 90 per cent of online US companies experienced
Internet pranks last year, but most companies are anxious to play down
breaches to their security to save any embarrassment. It is usually only
when major damage has been caused, or high profile sites attacked, that
we get to hear about them.
Many hackers see it as a challenge to explore computer systems, but are
not intent on causing damage. They breach security as a game but often
only leave a small calling card, or no trace at all.
"But crackers are malicious hackers who hack for personal gain or to
vandalise systems," according to one 'legitimate' hacker. "They're more
categorised by their desire to do damage than by their programming
skills.
They are not an honourable class, but are often teenage kids with so-so
skills who have downloaded one of hundreds of programmes that allow you
to enact certain damage without having any particular in-depth computing
or programming skills. They're more members of a sub-culture. "The
really adept crackers are few in number. These are people who really
know how to break into systems. This requires a lot of study, a lot of
intelligence, and a certain amount of sociopathy."
David Jensen, a Dubai-based IT marketing specialist uses the analogy of
a break-in, which is essentially what hacking is, to explain. "If you
consider hacking like a burglary, there are a lot who will gain entry
and maybe kick over a flower pot in the lobby. But it's the few that go
through the lobby, into the lift and start smashing up the boardroom
that you really need to worry about."
But the reasons why hackers attack are wide ranging.
An Information Technology consultant breached the security of British
internet service provider Redhotant to expose security lapses. He
managed to obtain the names, addresses, passwords and credit card
details of more than 24,000 people, including military scientists,
government officials, and top company executives just to show it could
be done.
He used a proxy, a device normally used for disguising the identity of a
user, as an intermediary to search the site for files and soon found the
customer database.
The hacker said breaching the site's security was 'child's play' in an
anonymous interview with The Times newspaper in June. "It was like
rooting around in bins for a key and then finding there was a wide-open
side entrance," he said.
Even the might of Microsoft was called into question last September when
a group calling itself Hackers Unite claimed it had breached Hotmail's
security systems to demonstrate how poor its defences were.
Other 'ethical hackers' who say they are acting in the public interest
are groups such as Hackers Against Child Pornography and Condemned.org
which launch vigilante attacks to disable websites displaying illegal
and indecent material.
But the vast majority of the headline grabbing attacks are not as well
meaning.
A gang demanded a US$15 million ransom from Visa in December after
claiming to have stolen vital information in a hacking raid. eUniverse
was hit by a hacker who claimed to have stolen more than 300,000 credit
card numbers. He went public with this information, a move which caused
many to question how safe e-commerce transactions really are and it begs
the question: How secure is the online business you last gave your
credit card details to?
A cheeky teenage hacker from renowned group Global Hell pulled off a
stunt of some magnitude by getting into 27 separate different Internet
service providers in the US. One of these, Pacific Bell, was even forced
to take the unusual step of asking customers to close down their
accounts after the incident.
One of Britain's most popular ISPs was forced to take similarly drastic
action after it discovered a breach of its online security. Virgin.net
not only called in the police but had to issue 170,000 new e-mail
passwords and even sent individual letters of apology to customers after
e-mail and dial-up access were disrupted.
UAE
Internet services were also disrupted in the United Arab Emirates in
June which Etisalat, the country's only Internet service provider,
blamed on "the work of an internationally dispersed group of Internet
hackers."
A 21 year-old British computer network engineer working for a Dubai
construction company was arrested on suspicion of being one of the
hackers involved and a criminal investigation is ongoing.
The two weeks of disruption meant thousands of Internet users in the UAE
were unable to log onto the Internet for long periods and the damage
cost millions of dirhams in lost time and left many users frustrated.
Anti-capitalism activists also showed they could Just Do It to
sportswear company Nike when they took over Nike.com in June demanding
'global justice.'
"Global Justice is coming ? prepare now!" the hijacked site read before
directing surfers to the website of an Australian organization called
S-11 urging people to protest against the World Economic Forum being
held in Melbourne, Australia, in September.
It seems that nobody is fully safe from hack attacks, and insurance
companies are starting to start their own version of e-commerce by
offering policies protecting companies against the financial damage
hackers can cause.
Special Laws
The cyber vandalism will escalate further if there is no legal
detererrant against such crimes, and more and more governments are
awakening to the amount of damage that can be caused to their economy by
hacking and are rushing through legislation to give them the teeth to
deal with it. The more advanced countries have already enacted
fully-fledged legislation but many industry experts feel worldwide
recognition of cyber law is needed: as what may be a crime in one
country, may not be where it was committed - such is the global
phenomenon of both computer hacking and the Internet.
The FBI was one of the first law enforcement authorites to start a
special unit dedicated to patrolling cyberspace and was quick to offer
its services to the government of the Phillipines as the search began
for the author of the ILOVEYOU virus which swept its way through
cyberspace like wildfire in May this year.
The worm-like 'Love Bug' was quickly announced as far more damaging than
its Melissa predecessor and hit 200,000 mail hubs globally, including
the British House of Commons, the White House, Pentagon, Merrill Lynch,
Ford Motors, Switzerland's Credit Suisse, US military bases and many
multinational companies.
It is estimated to have cost companies hundreds of millions of dollars
in software damage and lost commerce and was soon given the tag 'The
Killer from Manila.'
The ensuing publicity from such attacks gives hackers their '15 minutes
of fame' and sparks others to follow suit. Soon after the declarations
of love came a request for a job with the FW:CV virus.
Both came as e-mail messages which seemingly looked harmless when opened
but invaded computer hard drives wiping out all MP3 files in seconds and
automatically forwarded themselves to every address stored in the
Microsoft Outlook programme to spread infection to the next computer,
then the next...
But the legal authorities are clamping down and recent high profile
cases in the US have included the jailing of 'Global Hell' hacker Chad
Davis for six months for hacking into the US Air Force's network, the
'Web-Bandit' was sentenced to 15 months for hacking NATO websites and
other hacking cases are pending.
The FBI also recently managed to track down a university student who
later admitted in Boston Federal Court in June to breaking into US
government computers including Defense Department and NASA systems.
Ikenna Iffih, a student at Northeastern University's College of Computer
Science, pleaded guilty to a series of coast-to-coast cyber attacks in
the US.
Under a plea deal, he faces up to 20 years in prison with a possible
mandatory minimum sentence of six months, a fine of up to US$750,000 and
three years of supervised release when he is sentenced on October 25.
The 29-year-old student also admitted hacking into Zebra Marketing
Online Services (ZMOS), a Washington-state company that provides Web
service to other firms.
Court papers showed the firm lost more than US$30,000 and took about 42
hours to return to minimal operations during the April 1999 attack. FBI
agents were able to trace the break-ins to the NASA (National
Aeronautics and Space Administration) computer, the Defense Department's
Logistics Agency computer, and ZMOS system to the personal computer in
Iffih's home in Boston.
"All in all, the defendant used his home computer to leave a trail of
cybercrime from coast to coast," US Attorney for Massachusetts Donald
Stern said.
Just as the new e-conomy is changing the way the world does business, it
has also spurned new crimes and a whole new generation of computer
companies offering network security solutions.
The police and telephone companies are arresting people and stopping a
lot of cyber crime from happening with new technology making it easier
to catch the criminals than before. But the battle between the hackers,
legal authorities and online enterprises will continue in a vicious and
costly circle - the more security put in place, the greater the
challenge will be to the dedicated hacker.
Hacking in the UAE
The United Arab Emirates has formed a committee to urgently draft
legislation to tackle computer hacking as a result of the disruptions
caused to the Internet service in June. Etisalat, which operates
Internet services in the UAE through its subsidary company Emirates
Internet and Multimedia, blamed the interuptions to the service on an
"internationally dispersed group of Internet hackers, who have caused
disruption not only to our operations, but to many other systems and
networks worldwide." EIM general manager Maroua Naim added: "This is a
menace and a threat that everyone on the Internet is continuously facing
and fighting." A 21 year-old Briton allegedly traced by Etisalat and
arrested by Dubai Police on suspicion of being one of the hackers
involved has been charged under a 1991 law relating to the misuse of
Etisalat's equipment, services or facilities. But his lawyer Dr Habib Al
Mulla has stated in the local press that his client, who denys
Etisalat's accusations, cannot have committed a criminal offence as
there are currently no laws in the UAE governing cybercrime. He argues
that his client has been charged under a 1991 law when the Internet
wasn't even introduced to the UAE until 1995. Whether his argument will
sway a judge if evidence of hacking is produced remains to be seen. But
new laws are needed to classify cybercrime and determine penalties for
it, especially at a time when the UAE is introducing e-government,
e-commerce is developing and the first phase of the Dubai Internet City
is set to open in October. |