Kevin Mitnick's testimony on March 2, 2000 before the U.S. Senate Committee on Governmental Affairs (http://www.senate.gov/~gov_affairs/030200_mitnick.htm) had an intriguing tone of simplicity. His opening remarks seemed more like an introductory lecture on computer security found at any local junior college. Fundamental warnings about using good passwords, developing audit trails, establishing trust levels, and educating one's employees about keeping their mouths shut (no pillow talk about operational secrets) formed the core of his teaching. Complexity, the devil that taunts us, according to prophets like Bruce Schneier, was strangely absent from Mitnick's remarks.
Mitnick let others fill in the silences for him: people, with the right coaching, volunteered information. "I was so successful in that line of attack that I rarely had to resort to a technical attack," commented the dragonslayer, the number one computer criminal in America. Mitnick's truth, then, is that hacking is not a difficult trade to learn if you are willing to dedicate the time and master the art of the ruse.
In actuality, Mitnick, "Coolio," the alleged master hacker, and others may simply be some guy behind a curtain, albeit an electronic one, pretending to be the Wizard of Oz in cyberspace. Mitnick (and his acolytes) never laid claim to designing a new computer language or operating system, or to contributing to the solution of Fermat's Last Theorem. Rather, his confessed tricks are those of the charlatan, the "carny con artist," the social engineer. He knows the psychological Achilles' heel of virtual space.
Mitnick commented favorably on Senate bill S1993, which would give legislative form to the basic security principles outlined in his opening remarks. Structured, linear steps like those S1993 recommends will partially diminish hacker attacks against governmental computer systems, for computer crime does have its roots in the technical shortcomings Mitnick cited: inadequate passwords, poor server security, and faulty firewalls. He also mentions the psychological vulnerabilities, and in an attempt to be comprehensive, his remarks recommend educational remedies as countermeasures. But, as the adage goes, "civilization is a race between education and disaster." Unfortunately, given time and economic pressures, education will slip, so cyberspace will have its share of disasters.
The future of computer crime is not the cron job but the con job. Making people accept illusions and falsehoods may be far more important than knowing Perl, C++, or flaws in the Linux operating system. Deception will flourish because cyberspace is the perfect medium for chicanery. Having evolved into a belief system, the Internet carries a high "truth-value" in many people's minds. The unreal has become real.
Witness the strange world of Internet stocks. Highly inflated values persist in spite of negative earnings and questionable balance sheets. Anyone can be in e-commerce, even the Mafia. The same people who brought you "Sammy the Bull" Gravano and John Gotti are being investigated for stock manipulations on the Internet. Securities fraud is zooming out of sight. And, the scams are just beginning.
Hunkering down behind technical security measures has been the traditional role of computer security specialists. Find a technical flaw? Institute a technical patch and fix it: a linear solution to a linear problem. But what do you do about nonlinear problems like deception and psychological warfare? Rumor mills propagated on the Internet, for example, may ruin stock prices, dilute confidence in products, and disrupt sales and marketing plans. We may end up realizing our deepest fears in Sun Tzu's observation that "all warfare is based upon deception." Which is better: to attack an enemy directly, or to fool them into harming themselves? Tell them the right lies, and they will chop off their own hand, much like General Titus in Shakespeare's Titus Andronicus. Given Aaron the Moor's false counsel that Titus' hand will be a ransom for his sons, Titus replies, "Good Aaron, wilt thou help to chop it off?"
Twenty-first-century invitations to self-ruin include extorting a Web retailer with the threat to broadcast customer credit card numbers. (Paying the ransom only invites further attacks.) Or an e-mail campaign falsely claiming that a manufacturer's medication has been adulterated with a poison drives the company to pull the product from distribution. The resulting loss runs into millions of dollars.
A response to this coming sea of troubles may be a new breed of computer crime investigator: one who understands the technical side of the business yet also has training in social psychology, confidence schemes, and psychological warfare. For those with a love of film noir or mystery fiction, we can envision a computer-savvy Jim Rockford who lives by a code that injects badly needed skepticism into the Net.
That code would encompass these rules:
1. Don't accept breaking information on a Web site unless it's confirmed elsewhere. (A case in point is the recent phony posting of a merger notice on the Aastrom Biosciences Inc. Web site, an ingenious attempt by an outsider to boost Aastrom's stock price and that of its rival, Geron Corp. See the Wall Street Journal, February 18, 2000, "Hackers Post Phony Merger, Duping Traders.")
2. Getting investment or business advice from people you don't know makes Russian Roulette look like a low-risk game.
3. The Internet can be fertile ground for any common-law crime. Information divulged there may serve as the basis for a burglary, a robbery, the hijacking of freight, or even murder.
4. Being compromised by a fraud or other crime on the Web often involves a series of seemingly innocent steps, a sequence of calculated moves. Learn to question why a stranger is trying to gain your trust. Beware of e-mail contacts whose identity you cannot later verify by other means.
5. Use the principle "simplify, simplify" in evaluating claims. When choosing between a complex explanation and a simpler one for an event, pick the simpler one. If someone's story is too involved, they may be pulling your leg. So go after unfiltered information directly; eliminate information go-betweens. (The SEC recently reached an administrative settlement with Fast-trades.com, a site that allegedly manipulated four securities in February and March 1999 through its stock recommendations. The site attracted over 9,000 users. The lesson: avoid the pack and check out the facts on your own.)
6. Always have in place a disaster plan for dealing with rumor mills and extortion plots, especially during sensitive periods like IPOs and new product releases. Obviously, any contingency plan will vary based upon a company's business, but it should include responses to the attack, dealing with the press, and, most important, responding to your Internet audience. As the Internet grows in clout, it becomes the sole news source for many. Time may not allow for a traditional media counter-campaign, and even then it may miss your most vital audience. So plan your Internet response to an emergency carefully, especially if your business is Internet-based. Another chance to put out the fire early may not appear.
Ronald L. Mendell is a Certified Internet Security Specialist. Employed at Netpliance, Inc. in Austin, Texas, he also works as a writer and researcher specializing in security and investigative issues. Charles C. Thomas published his most recent book, Investigating Computer Crime: A Primer for Security Managers, in 1998. (http://www.ccthomas.com)
SecurityPortal is the world’s foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.