Tuesday, December 31, 2013

Cybercrime in the 1970s

Note: This is a section of the full research paper

In the early 70s computers were limited to large, expensive timesharing mainframe and Unix systems owned by universities, large corporations, and government agencies. In 1975 Ed Roberts released the first microcomputer for sale to the public – the MITS Altair 8080. No keyboard, no screen – just a box with toggle switches for programming and LED lights to show the output of the program. He sold 2,000 of the systems the first year. The following year, Steve Jobs and Steve Wozniak released the Apple I. Again, no keyboard or screen. By the end of 1976 computing enthusiasts had purchased 40,000 microcomputers.[1] In 1977, the Apple II, the Tandy TRS-80 (I cut my teeth programming on this model), and the Commodore PET brought visual displays and keyboards to the market. People purchased 150,000 of these systems.[2]

Computer communications were pretty limited. The government, military, and a few universities had ARPA net and X25 networks. The public was limited to modem-based computer-to-computer phone calls, which was fine for dialing computers in your area, but a bit of a problem for those a long distance call away. The killer app for computer communications was Bulletin Board System software, which first came to public life, courtesy of Randy Seuss, during a snowstorm in February 1978.  This development connected computer enthusiasts across the U.S. in an electronic underground where they could publish ideas and communicate within their own realm on their own terms. From this technology the computer hacker underground took root.

While it took some time for microcomputers to take hold, the phone system was already built out and available. A large community of phone system fanatics – ‘phone phreaks’ – learned how to control the switching system of the predominant phone switching system in use at the time, largely in thanks to serious security flaws in the system and the publication of the details of the internal switching system in the November 1954 issue of the Bell Labs Technical Journal.

Motives and Crimes
The primary motives behind the computer crimes of the 60s and 70s were desire for system access, curiosity, and the sense of power attained from defeating security. The phone system was the first and favorite computer system targeted. The attraction to the phone system for the pioneers of phone phreaking was not free calls, but the desire to learn the system, the desire to beat the system, and the desire to control the system. John Draper, the father of phone phreaking, when asked about the techniques he developed for gaining operator access to phone systems, published in the October 1971 issue of Esquire Magazine, stated his motive behind unauthorized system access.

From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)

The pioneers of ‘phone phreaking’ mastered the techniques for controlling the phone system and codified it in what is now called a ‘little blue box’. The box, commonly twice the size of a cigarette case, had buttons on the front that emitted tones. These tones could be used, if emitted at the right time and in the right sequence during a call would yield operator access to the phone system. The benefit, of course, was free calls to anywhere in the world.

Computers weren’t left alone. The first edition of Creative Computing magazine, published in 1976, had an article titled “Is Breaking Into A Timesharing System A Crime?”[3]

Besides the intellectual challenge of breaking in to systems, people were also motivated to break in to systems simply to gain access. In the 60s and early 70s time on the university-owned computer systems was limited. Students who wanted more time developed the first password crackers and trojan software in order to get the access they wanted.

With the introduction of microcomputers and Bulletin Board Systems in the mid to late 70s people wanted to connect to other computer systems. To foot the bill for the long-distance calls many resorted to stealing long distance access codes – wire fraud. Again, the primary motive to steal the access codes was not for profit, but curiosity – to connect and learn.

[1] http://jeremyreimer.com/postman/node/329
[2]http://arstechnica.com/old/content/2005/12/total-share.ars http://en.wikipedia.org/wiki/File:WIntHosts1981-2009.jpg

[3] http://www.atariarchives.org/bcc1/showpage.php?page=4

Saturday, December 28, 2013

The Conditions that Created the Perfect World for Cybercrime

Note: This is a section of the full research paper

Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudster, and money mules that cause hundreds of millions of dollars in damages annually.  The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.

Teaching Hackers Ethics
Newsweek – January 14, 1985
The parents of "Echo Man," 16, "Thr ee Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework.  Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls.  The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils.  That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms[1]
Washington Post, Brian Krebs – October 26, 2009
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…

How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seems to have been shaped by three demographics:
·      The number of computers online
·      The type and amount of online commerce
·      The globalization of internet use

The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes which, I have observed, is inversely proportional with the globalization of the internet.

As these demographics evolved, so too did the crime.

The Perfect Conditions for Crime

What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught.

That is what the Internet provides – lots of easy targets where 220 million people are online in the U.S. alone and with very weak security. An almost guaranteed high return – 50 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.

It took until the late 1990s for these conditions to converge to create the perfect storm.  Before that essential elements were missing – people, connectivity, commerce, and insecurity.

+ Computers and Connectivity
The first dimension to set in to motion was personal and commercial use of computers in the mid 1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but their connectivity was limited largely to computer-to-computer modem services and access to the Internet was restricted to government and university. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.

+ Commerce
The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online[2]. By 2008, that number reached 201 million[3]. Nearly everyone who can shop online does shop online.

In 1998 8 million people in the U.S. were conducting banking online. By 2008 that grew to 50 million – 23% of online users and fully 17% of the entire U.S. population! Consider this fact: there are about 220 million people in the U.S. who use the Internet regularly. Twenty-three percent of them – 50 million – conduct banking online. 

+ Insecurity
The build out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on feature and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure.  As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”

+ Internationalization and No Law Enforcement
In 1998 – 1999 about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries.[4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, deterring many people from committing really serious cyber crimes.

Even in to 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry, due to Internet access constraints. As Internet accessibility increased and cost decreased non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time though was that governments proved inept in dealing with the volume, the costs and international legal and political barriers of prosecuting crime.  And frankly, non-U.S. allies were and continue to not be seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.

The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.

[1] http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html
[3] http://www.pewinternet.org/Reports/2008/Online-Shopping.aspx?r=1
[4] http://datafinder.worldbank.org/internet-users

Friday, December 27, 2013

A Fraudster's Manifesto

While researching fraud rings a few years ago, I discovered a post on a carder forum (carder.info) that gave me some insight into the motives of fraudsters. It is nothing new that fraudsters are motivated by money, but it is interesting to read it in their own words. The original post was a carding tutorial with an introductory 'manifesto'. I've left out the tutorial section...

 Carding Tutorial: By.. Aftermath
This tutorial is written only for your knowledge not for illegal stuff or comp crime.
This tutorial took me short time to write it’s , better than nothing
If you are an old carder and find that nothing is new please don’t posts sh*t comments!
There are a lot of beginners and they will profit and enlarge their knowledge reading this.

But you will know my ways of carding, as Live in black listed counrty and carding all days.


This text tutorial is written by me, Aftermath... yes..( the king of all kings ) .

I really want to help people who want to card and dream to get something from internet coz really we was all like them, I started to get free stuff from Websites now I have laptop, mp3, cams, nice clothes but am always anxious and sometimes when the door knocks I though that it’s the police I sometimes don’t want to open the door and I think that all of the carders feel that.
But lot of things have changed I didn’t never imagine that I can get a laptop, because am poor and I do carding for only one reason that I want to get a lot of stuff that I can’t buy them with my money which is very few, the fact that am poor and seeing others rich, the fact that there’s no originals CD’shere, or Hip hop clothes that I want in this country; pushed me to into this carding world and here to write you lot of things.

Wednesday, December 25, 2013

Amazing Fingers

It is amazing what a person can accomplish through a bit of training, practice, and persistence. For example, my Junior High daughter at the piano.

Monday, December 23, 2013

Mat's Dying Lesson to Me - Gratitude

In health, my twin sister’s husband, Mat, was 6’5” and 210 lbs. In 2006 he was diagnosed as having pancreatic cancer. He lived five more very courageous years of life, through an organ transplant, and numerous rounds of radiation and chemotherapy. By mid 2010 Mat was 6’5” but weighed 125 lbs. It hurt for him to walk because his bones and joints were covered with tumors that would grind together when he moved. To walk he relied heavily on a cane. In spite of this, he would go along with Kimberly and his boys to the beach where it would literally take him a painful 30 minutes to walk the 200 yards from their handicap parking space to the shore where he would sit in a chair and watch his boys. And he would go to his son’s baseball games where it would be the top of the third inning by the time he made it to the third-base line.

I never heard him complain. I spent a week with him at his home in Boston several months before he died. Over lunch at his favorite Mexican restaurant I finally asked him, “How do you do it, Mat? How have you lived so well through all of this hell?”

Mat said a few different things in reply. First, he said, “I have lived a very blessed life. I am married to my dream woman and I have two awesome boys. And I have had a great career.”

“I also have a pretty good sense of my place in the bigger picture.” He went on to relate an experience. “On one business trip to China in Hangzhou, I went for a walk and I took a wrong turn and ended up in a very poor part of the city. Anyway, as I was walking along I walked past an alley. In that dimly lit alley I saw a woman, probably about 30, squatting over a little gas burner boiling water. In that boiling water was the head of a cat she was going to eat for dinner. That has stayed with me.”

“So, I’ve lived a blessed life and I’ve never eaten the head of a cat for dinner. Besides, in the span of mankind, 40 years old is a very long life. And hey, I know that I will be together with Kimberly and my boys again.”

Mat lived another eight months. Funny thing is, during his sickness and until the very moment of his death he gave peace and happiness and courage, perhaps the greatest legacy he could give to his wife, his boys, and all who knew him.

Bombing double blacks with Dad on his Birthday - Happy 72!!!

My Dad turned 72 today - pretty old.  What did we do to celebrate? We skied the black diamonds at Park City Mountain Resort! We hit Silverlode, McConkeys, and Thaynes hard. The snow was great. We even bombed off the mine tailings face at the bottom of Thaynes. Great day! Great Dad! Happy birthday, Dad!