booklets and brochures
networked information systems
hackers and organized crime (continued)
The expansion of e-commerce is an inviting target for organized crime, which views e-commerce as the new frontier for large-scale theft. The "Phonemasters," for example, is an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and the FBI's National Crime Information Center (NCIC). "Dumpster diving" was used by this group to gather old telephone books and technical manuals on computer systems. This information was later used to con employees into supplying their logon and password information, thus enabling the "Phonemasters" to break into the computer systems of the aforementioned organizations.
The FBI was able to monitor the calls of one of the "Phonemasters" suspects, Calvin Cantrell. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian who then passed them on to someone in Ohio. The numbers eventually were sent to Switzerland and organized crime groups in Italy. As a result of his activities, Cantrell was sentenced to two years in jail.
In another example, a hacker acquired a list of telephone numbers to computers belonging to a bank. Although some of the computers were not directly accessible, the hacker was able to read an e-mail message from one of the bank's computers that discussed default passwords on the switching systems of a branch office. When the hacker dialed a number belonging to one of the inaccessible computers using the default password from the e-mail message, he found himself with system administrator privileges for the System 75 or PBX. In time, his experimenting with PBXs brought him notoriety as a "System 75" expert within the hacker community. The hacker said, "By the time I was arrested, I collected a list of nearly 200 System 75 switching systems around the country. I was getting into 97 percent of them, because the administrators were not changing the passwords, and AT&T just didn't care."
Politically motivated attacks on publicly accessible Web pages and e-mail servers have also increased. This activity, referred to as "Hactivism," is conducted by overloading the mail servers and hacking into Web sites to send a political message. In spring 1999 a group known as the "Electronic Disturbance Theater" called for online worldwide electronic civil disobedience in support of its political issues that included the Zapatista movement in Mexico. It called its activities "protest actions" against the White House and Department of Defense. Although such attacks generally have not altered operating systems or networks, they do deny public access to Web sites and infringe on the rights of others to communicate.
"Crackers," or recreational hackers, break into networked systems simply for the thrill of the challenge or for bragging rights within the hacker community. Recreational hacking requires only a fair amount of skill to download attack scripts and protocols from the World Wide Web and launch them against victim sites. Many software tools exist that allow crackers to "sniff" packets over the Internet to determine user name and passwords. If crackers achieve root-level access to a system, then full server access is possible, allowing them to steal data or conduct espionage and set "back doors."
the insider threat
Insider threats, which involve the misuse of authorized privileges, have long presented serious problems for government and private-sector computer systems. In addition to having access to the systems, insiders understand how things work, know what data are available, where data reside, and can wait for an opportune time to exploit a system, introduce malicious programs, or otherwise disrupt the systems. Insiders do not need a great deal of knowledge about computer intrusion techniques as their inside knowledge and "trusted" status often allows them sufficient access to cause damage to the system or to steal data. According to a 1999 Computer Security Institute survey, 55 percent of the respondents of the 163 businesses surveyed, reported malicious activity by insiders.