By the end of the 1990s, the perfect conditions for
cybercrime had formed: everyone was online, lots of people conducting online
banking and credit card transactions, lack of legal framework and resources to
prosecute cyber crime, and poor security. Two huge events in the 1990s made
this happen. The first was the invention of the World Wide Web. In 1990, Tim
Berners-Lee completed his build out of all the components necessary for his ‘WorldWideWeb’
project - a web server, a web browser, a web editor, and the first web pages. In
1991, he made his project publicly available on the Internet as the ‘Web’. In a single decade, the Web grew from
non-existent to over 17 million web sites. [1]
The other history-altering event was the build out of
public internet access points. In 1994, the National Science Foundation
sponsored four companies to build public Internet access points – Pacific Bell,
WorldCom, Sprint, and Ameritech. Within a couple of years, Joe Public declared
the Internet was good and got on-line. At the beginning of the decade there were two
million people on the Internet in the U.S. By the end of the decade there were
135 million.
Companies followed the public and moved their commerce
channels online. The U.S. Department of Commerce reported for 1999 $5.25
billion in online travel bookings, $3.75 billion in online brokerage fees, and
$15 billion in retail sales. Banks got on-line too, with 10 million people
conducting banking online in 2000.
Adoption of the internet was not just a U.S. phenomenon.
Though lagging developed economies by about five years, the emerging economies
got online too. By 2000, 36 million people in the BRIC countries – Brazil,
Russia, India, and China – were online. While the U.S. and its Allies
established reasonably functional agreements for prosecuting cyber crime, no
such agreements were realized with the rest of the world. The result was, and
remains today, an internet with no functional legal system for fighting crime.
Motives and Crimes
With the millions of new systems coming online, the 1990s
was a target rich decade for hackers. Fortunately
for businesses and people putting their private information online, hackers
primarily made a sport of defacing websites, rather than targeting the
sensitive information stored in the systems. It would take until the following
decade for the criminal profiteers to figure out how to monetize computer
crime.
Sport
The most common computer crime of the 1990s was defacing
websites. Hacking for ‘sport’ is good category for these compromises. There
really was no knowledge to gain, no curiosity to satisfy – just the sport of
compromising web sites. Attrition.org documented many of the web site hacks
through its web page hack mirror at http://attrition.org/mirror/. According to
Attrition’s data, four web sites were hacked in 1995. Attrition reported 1905 websites being hacked
in 1999.
Number of Website Defacements Reported by
Attrition.org[2]
Some very high profile sites fell during the decade. In
1996, the top sites compromised included the U.S. Air Force, NASA, and the site
of the British Labour Party. Sites compromised in 1997 included Stanford
University, Farmers & Merchants Bank, Fox News, and Yahoo. Other high profile sites to be compromised
included the U.S. Senate’s www.senate.gov, ebay.com, alashdot.org, and nytimes.com.
The content placed on these sites ranged from ‘Free
Kevin!’, to pornography; from taunting messages like ‘Look you sorry ass system
admin…’, to security advice such as ‘Stop using old versions of FTP’. A
screenshot of part of the compromised senate.gov site is shown below.[3]
Money
There were a few notable money-driven computer crimes in
the 1990s. In 1994, a group led by Vladimir Levin, broke in to the bank
accounts of several corporations held at Citibank. Accessing the funds through
Citi’s dial-up wire transfer service, he transferred $10.7 million to accounts
controlled by accomplices in Finland, the United States, Germany, the
Netherlands, and Israel.
In 1999, a Russian by the handle of ‘Maxus’ compromised
the CD Universe web site and stole over 300,000 credit card records. Attempting to profit from the crime, Maxus faxed
an extortion note to CD Universe demanding $100,000 in return for silence of
the theft and destruction of the stolen data. His extortion rejected, he published
25,000 of the records on a website. In reporting on the incident, ZDNET called
it the ‘biggest hacking fraud ever’.[4]
Curiosity
Though the Melissa Virus wasn’t the first, it certainly
opened the eyes of corporations and system administrators to the fragility and
vulnerability of computer systems and the Internet. In 1999, David Smith, a
network programmer, released the Melissa Virus to the Internet. The virus was
contained in a Microsoft Word document macro. When an infected document was
opened, it would email itself to the first 50 addresses in the MAPI email
address file on the computer. In asking why he did it, David Smith stated that
he just wanted to see if it would work.
It did work – splendidly, crashing an estimated 100,000
email servers. People readily opened the malicious document received from
someone they knew containing a moderately convincing subject line and message.
Besides, this type of attack was new. People weren’t used to being on their
guard when opening up email attachments, especially from people they knew.
Politics
A few political hacks occurred during the decade. In 1998,
three members of the hacker group Milw0rm, as a protest of the Indian
government’s nuclear weapons test program, broke in to several servers of the
India Atomic Research Centre and modified the organizations homepage and stole
thousands of emails and related research documents.[5]
That same year hackers compromised and disabled filtering on a half-dozen
firewalls used by China to filter its people’s Internet traffic.[6]