-Caveat Lector-

from: http://www.strategicintel.com/slammer.htm (Selected Articles from Back Issues)

-----

Security Awareness Bulletin 1-94

Understanding the Computer Criminal

A paper presented at the Department of Defense Computer Crime Conference, Monterey California, 1993. (see note 1)

by Neil S. Hibler and Jim Christy

INTRODUCTION

This report introduces our readers to a nationally-based study, currently in progress, under the auspices of Project Slammer. The researchers involved in this work are seeking to explain what is behind the many intentional penetrations of automated information systems and the increasingly frequent use of computers to commit crimes. They discuss the formation of this research program and the nature of the information gathered, and conclude with four brief case examples.

Among the efforts undertaken by the government to combat computer crime is a scientific study of the criminals involved. The premise of this research is that in order to develop preventive countermeasures and investigative solutions, there needs to be an intimate, insider's understanding of the crime. These efforts approach the problem from the vantage point of those most intimately aware of all that happened: the perspective of the offenders themselves. The information sought includes contributing factors such as the criminal's perceptions and explanations of how and why they committed the crime.

Developing a research model

Getting one's arms around the larger issue of computer crime requires a system by which to clearly define and categorize this type of behavior. That was our first task for, once defined, our research design could then address the question, "Why do people do this sort of thing, and how can it be prevented?" These issues affected the selection of cases, which is now developing into the database from which all analyses derive.
In order to define "what" to study, a research committee was established, consisting of computer crime investigators from across the agencies of national government. This steering group prioritized their interests by two categories of issues: the mind-set of the criminal and the spy tradecraft used. The clear preference of the steering committee was to establish a research base from cases that showed intentional malice. Insofar as tradecraft was concerned, their interest was to include cases in which information systems that are in common use were violated. We wanted to know whether there were some common techniques used. However, the driving interest was to study cases involving novel methods and/or applications. Together, these criteria are helping us to establish a database that includes the most malicious cases and those reflecting the newest violation technologies.

This initiative is also a complement to other, on-going Project Slammer research efforts that provide anchors for comparison to other security violations or betrayal of trust issues. For example, the established data collection procedure employed in the study of classic espionage (see note 2) supports this computer security study by providing a methodology that has already proven to be successful.

Included in the information gathered by the common structured interview protocol are details regarding the subject's life span, as partitioned by relationships, family issues, education, employment, and medical condition. One section of this inquiry details the criminal behavior, its causes and the efforts conducted to bring it about.

Further collaborative information is obtained from those who knew the subject at the time the crime was being committed. These sources include work place associates (i.e., co-workers, supervisors) as well as intimates (spouse, girlfriends, boyfriends, co-conspirators, etc.).
As additional informants, they provide confirmation of the subject's statements, and add their own insights as to influences on the criminal behavior.

An additional source of personal information is psychological testing. In each case, standardized examination instruments were used to measure intellectual functioning and personality characteristics, to include self-esteem, social skill, and mental status. Interestingly, early attempts to measure personality features were feared to be superficial, because often there were considerable intervals between the law-breaking behavior and testing. What the earlier research has shown is that those underlying personality traits that indicate high risk do not change over time. Further, these features have demonstrated considerable differences from persons who do not commit crime.

The remaining area of interest is how these subjects committed their crimes. The structured interview itself includes a section that explores the criminal acts and influences on them. Of course, both barriers and impediments to the crime are of interest; the interview protocol is the stepping off point to as full and complete an understanding as possible. In order to capture all that the subjects say, the entire interview is videotaped. This "modern" aid to recording is helpful in making records that are easy to review, and are further contributed to by yet other methods of capturing and recording data.

Capitalizing on advances in simulation technology, researchers include an environmental test-bed component for observing first-hand how the crime was committed. A state of the art mainframe computer has been partitioned, so that with an extensive library of software, it is possible for us to replicate the hardware and software configurations of virtually any automated information system. The resulting replicated systems are accessible by modem, allowing the subject to re-enact the crime under laboratory conditions.
As he accesses the (simulated) information system, the subject's every keystroke is automatically recorded.

In total, this research effort is a collaboration between a variety of disciplines, each working closely with the other to build a better understanding of computer crime, and how to prevent and investigate it.

Cases studied to date have provided many interesting details. The brief summaries that follow provide a look at some of the information that has been evaluated.

CASE EXAMPLES

Case 1. Going over the Wall

An example of low-tech computer crime, this case began when a U.S. soldier decided to abandon his duty station and to defect to a foreign nation. Incidental to this plan, the soldier took with him a standard laptop computer, and two floppy disks that contained sensitive information. The disks were to provide the foreign intelligence service with his bona fides, as well as a (hoped for) sense of recognition and advantage.

The soldier was surrounded by various stresses. Included were persons with whom he could not get along, peers and supervisors who were critical of his work. Just the same, he had a clean record, so much so that he was scheduled to be interviewed for recognition as "Soldier of the Month." Just the same, he had great difficulty in forming effective interpersonal relationships. He had no real anchors to rely on, no one with whom to seek solace, nor to air his frustration. In his own mind, defection was an act of desperation.

This subject's knowledge of computers was so primitive that he didn't know how to copy disks, or even how to list files. He took with him the laptop computer because he didn't know if the service to which he would defect had a means to read the classified disks. He had no idea that the computer's hard drive had once held documents even more sensitive than those he stole. Unfortunately, the opposition realized what had been handed to them; they had no difficulty in recovering everything that was of value.
In a surprising twist of fate, after this soldier was tried, convicted and sent to jail, he was assigned to duties in the prison library where he learned to use an MS-DOS system for tracking the library's holdings. He later told researchers that if he knew then (about computers) what he knew now, he could have caused damage many times more significant.

Fortunately, this subject was naive regarding computers at the time of his defection. This is very different from other cases in which the criminal had advanced knowledge, and every intent to exploit it.

Case 2. The All-American Kid

This is the story of a youthful offender who was able to conduct sophisticated violations, resulting in several hundreds of thousands of dollars in damage. Beginning at thirteen years of age, he committed over two thousand computer crimes, but was arrested and convicted of only one. He admitted to using computers to gain unauthorized entry into commercial telephone computer systems to find access codes and numbers. And he admitted using "phreaking" activities to eliminate long distance phone charges by using an unauthorized voice-mail system, 1-800 numbers, and customers' access card numbers.

He began his illegal activity by obtaining copies of credit reports and credit card numbers. These acts, perhaps, were the foreshadowing of things to come. The subject is a hacker who explored the cyberspace networks of computers in order to communicate with other hackers.

At the time of his arrest, he appeared to be an "All-American" kid. He was a high school honor student who had been awarded a full college scholarship. He worked after school, using the income to finance his computer hobby. He was described as coming from a stable home, with only minor trouble preceding his arrest. But friends considered him to be an introverted person, nearly absent in interpersonal skills.

The major reasons for this subject's illegal activity included curiosity and intellectual challenge.
Hacking provided the opportunity to expand his horizons, and perhaps to overcome his social weaknesses; he used bulletin boards to relate to other hackers and to explore far away places.

Case 3. No Stranger to the Police

This was a co-conspirator of the subject in case 2. He was also a teenager (age 16), but unlike the "honor student" profile of the preceding case, he was cocky and abrasive. Others, particularly adults, found him to be a liar who enjoyed game playing with superiors and wholly untrustworthy. He was physically small and self-conscious, but hid it with his "in your face" attitude. His parents were separated; his father was being treated for depression. The family tree also had some bad fruit. A grandfather had died in prison, having been twice convicted for armed robbery.

Insofar as hacking was concerned, this subject found particular pleasure in looking at people's records; he enjoyed violating their privacy. In some instances, he wanted to cause them trouble. He would obtain credit reports, but did most of his mischief by running up telephone bills. His utmost fantasy was to enter into a computer system in which he would have the power to launch a space shuttle or to start a world war. He was so consumed by his hacking that nothing else seemed important.

The vindictive side of this subject was almost limitless. He was proud that he was able to be disruptive. Among the intrusions he was responsible for were cancellations of garbage and water services, passing along telephone numbers of those targeted to other hackers (by placing them on a hacker bulletin board), and interrupting operating systems by removing entry access to authorized users. All of this nefarious activity was experienced without regret. To quote the subject, "If I abuse the PBX, AT&T benefits... the private owner still has to pay... AT&T gets a lot of their profit through hackers because they call illegally and [AT&T] makes other people pay for it."
He was no stranger to the police. He had been in a fight in elementary school which had to be settled by the authorities and later, when he was 14, he was arrested for stealing a car phone. A year later, his parents were contacted by the police because he was hacking into a commercial voice mail system. Security personnel from the telephone company had also reached the mother, but her only response was to yell at him.

Perhaps among the most interesting findings from this case was the generalizability of the motive to many other hacker cases. Like many others, this computer criminal did not start out with criminal intent. His introduction to the world of hacking was simply to engage in computer activities which used telephone lines, and were therefore unaffordable. His use of the computer to annoy others developed only later. He estimated that he committed over one hundred computer-assisted offenses before being apprehended.

Case 4. High on Hacking

Like the previous teenager, this subject suffered from learning disabilities while a child. He had been diagnosed as having Attention Deficit Disorder and for most of his elementary school years was medicated with Ritalin. In high school his behavior problems changed in form, from being just learning-inhibiting to being socially unacceptable. Despite better grades in high school, by the time this subject was seventeen he was using marijuana four times a week, and taking one to four doses of LSD one day a week. In fact, he often used drugs while hacking.

He was unreliable, but didn't see it. For instance, he had been fired from a job at a service station for suspicion of theft. He seemed to fuss about the accusation, even though he admitted to researchers that he had been skimming proceeds. He had also been arrested: shortly before he was detained for hacking he had broken into two automobiles. His intent had been to steal something he could use to pay his rent.
He pleaded guilty to two counts of burglary, two for conveyance of stolen property, and two for petty theft. He was on two years' probation (a plea bargain) when he was investigated for his computer crimes.

While claiming he had been hacking for only nine months, his motive was ostensibly to seek out opportunities for profit; but ego needs seemed to be the force behind it all: "I felt that at some point I was going to discover something to make me wealthy, powerful or both, whether it was fraud opportunities or recruitment by a foreign or domestic power for somebody of my talents."

His own attempts were initially fruitless, but he was able to hook up with a mentor (a twenty-four year old) who taught him how to penetrate systems. Ironically, this mentor gained much of his knowledge on system vulnerabilities by keeping up to date on government-published computer security advisories.

SUMMARY AND CONCLUSIONS

As these brief case discussions suggest, there is a great deal to be learned about computer crime by studying computer criminals. It does not appear that truly effective countermeasures or investigative procedures will be possible until there is a more complete understanding of this behavior, and in particular, situational factors that permit or deter wrongdoing.

The research described in this paper is still quite recent. We hope to go on to identify patterns of behavior leading to effective security countermeasures and crime prevention. To do that, the Federal government is relying on insights from the criminals themselves; it's a process that has proven to be helpful when looking at other types of criminal activity.

In working toward this goal, much is to be gained by continued cooperation among counterintelligence, security, and law-enforcement agencies. Methods of computer crime prevention, detection, and investigation should be shared among law enforcement professionals, but in ways that do not provide an advantage to a potential offender.
As seen in Case 4, many of these people keep up-to-date on leading edge security technology. We need to be careful disseminators and consumers of research findings, especially those that concern the security of our own monitoring and crime fighting efforts.

Notes:

1. The Department of Defense Computer Crime Conference, sponsored by the Defense Personnel Security Research Center, October 1993, was attended by researchers in government and industry.

2. By "classic espionage" we mean the theft of classified U.S. Government documents or other material and its transfer to an adversarial intelligence organization, or classified information supplied from memory to the same for whatever purpose.