Sunday, January 29, 2012

Cybercriminal to the rescue?

kw: book reviews, nonfiction, memoirs, autobiographies, computers, cybercriminals

I used to live in a working-class neighborhood, and soon found out that my next door neighbor's children were all criminals. The parents were good and hard-working people, but their kids had all gone astray. One of their sons in particular was clearly a psychopath. He thought nothing of anyone's property, only of what might benefit him. He was also, you might say, the master of the short cut. This was evident in the way he got from place to place. If he was going to the street corner, once he left the door to the house, he went in an absolutely straight line, right across the front yards of about six homes. He was a very small-time criminal, really. Nothing so blatant as robbery, for example; his stock in trade was the sob story intended to elicit a "loan" that would never be repaid, and a little sneak thievery.

Many computer system hackers are primarily trespassers. They don't profit from their exploits, at least not in any monetary way. They do it for fun, or for bragging rights. Others are out for the cash, and modern "identity thieves" (to call fraud by another name) hone their computer skills purely for the money in it. As it happens, the most skilled hackers and crackers fall into the trespasser category; not being distracted by the money, they focus on developing their skills and building up their library of code used for compromising computer systems.

Kevin Mitnick is of this latter sort. In his most recent book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, written with William L. Simon, Mitnick claims frequently that he never obtained money by hacking. He was in it for the thrill of going where he wasn't supposed to go. Breaking into a computer system is quite a bit safer than physically breaking into, say, an office building or bank or military base. However, he did do a little B+E when it was the only way to get information he needed.

This is a case of a man's hobby becoming quite an expensive proposition. Mitnick took low-paying jobs to get access to computer systems, which he would compromise in ways that helped him get access to other systems over the telephone network. All this was in the days before the wideband Internet connections that so many of us have. In the early days, he was limited to phone modems that ran at 300 to 1200 bits per second, and later at speeds up to 9,600 bps. Connections from computer to computer were sometimes trunk lines that ran at 1,560,000 bps (called T1), and access to such a level of communication was a precious resource.

He started out "phone phreaking", primarily social engineering (deceiving phone company employees), to get levels of access that would permit him to use long distance at no charge. Later he was able to get free cell phone service, at a time when the typical charge was a dollar per minute. Now, right there it is clear that, while he may not have had cash pass through his hands, he defrauded the telephone companies out of thousands of dollars by cheating to get free services. So his "no money" claim is rather hollow. In fact, his heavy use of cell phones in the dollar-per-minute days almost got him caught when fellow employees wondered how he could afford to call so much on a $28,000 salary.

After entertaining the reader with a racy history of his growth as a phone phreaker, and his eventual ability to pretty much take over the operations of at least one telephone company, he turns to the efforts of law enforcement to stop him. He was first jailed at the age of seventeen, but avoided spending time at "Juvie". Instead he had a supervised release program, which ran a few years, under which he was supposed to avoid computer use. He just used other people's computers. From this point, he soon became a fugitive, living under several assumed names.

Part of the reason he did not get into deeper trouble when he was young was that there were few laws prohibiting what he was doing. Once the Federal and State legislatures took care of that little detail, the FBI got involved. He was on the run from the FBI for several years. Once he was finally caught (if I recall right, he was by then 31), he spent nearly five years in various lockups. Most of that time was occupied with various arraignments and legal maneuverings. Once he was finally offered a plea deal he was willing to take, he was sentenced to little more than time served.

It has been said of this book that it reads like a Raymond Chandler thriller. I reckon so; it was designed that way by the co-author. It is, at least, easy to read, a page-turner. It opens a window on an unusual mind. We find a person compelled to find a way around restrictions, a person without conscience; if he refrained from profiting monetarily, it was mainly because he lacks the gene for love of money. Money isn't the only thing a thief can steal. By committing theft of services, stealing source code files so he could better break into systems, and taunting system administrators, he stole peace of mind, he caused large sums to be spent tracking him down, and he cut into the income of a few large companies just as effectively as if he'd robbed the pay clerks at gunpoint.

So what is he doing these days? Still hacking, but with permission. He has become a security consultant! On the theory that "it takes a thief to catch a thief" (the theme of a briefly popular TV show some forty years ago), he is paid handsome sums to commit "white hat" hacking. If he is still one of the best—which boils down to, if he is keeping his skills up to date—then if a system is made "Mitnick proof", it is probably pretty secure.

The biggest lesson of the book is that the weakest link in computer security is the human element. People are too trusting. Mitnick's "career" was based on harvesting low-hanging fruit. A couple of phone calls would often garner him access to a supposedly bullet-proof system. There is still a lot of low-hanging fruit out there! You just gotta hope that none of it can be found at your bank or broker's office.

Periodically at work, some of us get strange e-mails, usually directing us to do something very slightly shady; these are "Phishing" e-mails. It has been publicized that there is a place we are supposed to forward suspicious e-mails. Those who do so are praised; those who follow the Phishing directions are reprimanded. It is one facet of a white-hat-hacking program my company has, to see how much low-hanging "social engineering" fruit there is. The answer is distressingly large. Even where paranoia is justified, not all are sufficiently paranoid. This keeps Mitnick, and security consultants in general, in business.
