Computer Hacker
Nefarious Notions
III Prevention
Cost to Companies
Concluding Considerations
COMPUTER HACKER
Nefarious Notions
"The Hacker Ethic: Access to computers - and anything which might teach you something about the way the world works - should be unlimited and total.
Always yield to the Hands-on Imperative!
All information should be free.
Mistrust authority -- promote decentralization.
Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
You can create art and beauty on a computer.
Computers can change your life for the better." (Levy, 1984 (1996)).
"You pay the guy . . . Or we burn your store down." According to Paulson (2006), today's ransom attacks by computer hackers reflect the old protection rackets in Chicago back in the '30s. Back in time, however, hackers constituted a different breed. Before the computer age, a person who made furniture with an axe was known as a hacker. Because nails were difficult to obtain, a blacksmith had to craft them one by one. As screws had not yet been invented, and saws only sliced trees into beams and planks, a carpenter used his axe to hack wood into table legs and to shape parts so they could be joined together with glue. (Users.telent, 2007)
Popular contemporary media routinely uses the term hacker to describe someone who endeavors to break into computer systems. Generally, this type of hacker could qualify as a proficient programmer or engineer who possesses adequate technical knowledge to comprehend a security system's weak points.
Five practicable characteristics which Raymond purports qualify a person to become a hacker include (paraphrased):
A person who enjoys learning details of a programming language or system
A person who enjoys actually doing the programming rather than just theorizing about it
A person capable of appreciating someone else's hacking
A person who picks up programming quickly
A person who is an expert at a particular programming language or system, as in "Unix hacker" (SearchSecurity, 2007)
To some, the word "hacker" means "a clever programmer." To others, however, the term hacker means "someone who tries to break into computer systems." Raymond, however, denounces using hacker to describe someone who endeavors to "crack" someone else's system or uses programming or expert knowledge in some other manner to act maliciously. Raymond prefers the term cracker for this connotation. (SearchSecurity, 2007)
Hackers Chronology (Hackers Chronology, 2006).
Approximately two years after Alexander Graham Bell invented the telephone system and it went into operation, a group of unauthorized teenagers were thrown off the network. (Hackers Chronology, 2006).
1960
"Original" hackers developed their skills and explored the potential of computing utilizing early mainframes at Massachusetts Institute of Technology (MIT). During that particular time, hacker constituted a complimentary term for users who possessed exceptional knowledge of computing. (Hackers Chronology, 2006).
1971
Prior to the ubiquitous use of computers and the Internet, "phreakers," such as John Draper, a.k.a. Cap'n Crunch, utilized the more prevalent telephone networks. Draper discovers that a toy whistle permits callers to avoid billing systems for long distance calls.
John Draper (Hackers Chronology, 2006).
1976
" Freedom of Information contra security by obscurity"
(Hackers Chronology, 2006).
Steve Jobs and Steve Wozniak launch "blue boxes," which can hack into phone systems.
1983
After the 414 group broke into the Los Alamos research center, the FBI made its first arrests of hackers.
(Hackers Chronology, 2006).
When the movie War Games was released, it contributed to the public's perception of hackers as it glamorized the hacker.
Plovernet BBS (Bulletin Board System), a powerful East Coast pirate board, operated in New York and Florida.
"Quasi Moto," a teenage hacker, owned and operated Plovernet, which attracted five hundred enthusiastic users. This Legion of Doom bulletin board was reportedly ahead of its time, as it constituted one of the first "Invitation-only" hacking-based BBSs. "It was the first BBS with security that caused the system to remain idle until a primary password was entered; and it was the first hacking BBS to deal with many subjects in close detail, such as trashing and social engineering." After this BBS experienced such heavy traffic, a major long distance company began to block all calls to its number [HIDDEN]. Eric Corley ('Emmanuel Goldstein'), one-time co-sysop of Plovernet, along with 'Lex Luthor', plan to found the phreaker/hacker group, Legion of Doom. (Hackers Chronology, 2006).
1984
Named after the frequency of John Draper's whistle, the quarterly publication 2600 provided a platform for hackers and phreakers (phone hackers).
During 1984, two hacker groups form:
1. The hacker a.k.a. Lex Luthor founds the Legion of Doom in the United States to educate new generations of hackers.
2. Chaos Computer Club in Germany. (Hackers Chronology, 2006).
In one of the first arrests of hackers, the FBI busts the Milwaukee-based 414s, named after the local area code. Members reportedly completed 60 computer break-ins, which ranged from Memorial Sloan-Kettering Cancer Center to Los Alamos National Laboratory.
"Comprehensive Crime Control Act gives Secret Service jurisdiction over credit card and computer fraud."
1986
During January, Loyd Blankenship, Legion of Doom/H member ("The Mentor"), is arrested. "He publishes a now-famous treatise that comes to be known as the Hacker's Manifesto."
The following was written shortly after my arrest...
\/\The Conscience of a Hacker/\/
+++the Mentor+++
Written on January 8, 1986
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal," "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me...
or feels threatened by me...
or thinks I'm a smart ass...
or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... A door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... A board is found. "This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... The bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... The world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals.
We explore... And you call us criminals.
We seek after knowledge... And you call us criminals.
We exist without skin color, without nationality, without religious bias... And you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
+++the Mentor+++
(Hackers Chronology, 2006).
After hacking AT&T's system for months, Herbert Zinn, seventeen years old, is arrested in September. Experts say Zinn almost crashed the entire U.S. phone network.
"Brain," the first known MS-DOS virus, which infected the boot sector of floppy disks, is created. Investigators contend this virus was written by two brothers in Pakistan. (Hackers Chronology, 2006).
1988
(Hackers Chronology, 2006).
Robert Morris crashes approximately 6000 computers across the ARPANET with his worm, which he claimed was unintentionally released.
In response, CERT (Computer Emergency Response Team) is founded.
The first anti-virus software is released by a code writer in Indonesia. (Hackers Chronology, 2006).
1989
The first case of cyber espionage is recognized in West Germany. This reportedly involved the Chaos Computer Club.
"Mentor releases the hacker manifesto Conscience of a hacker, which ends with the intriguing line: 'You may stop the individual, but you can't stop us all.'" (Hackers Chronology, 2006).
1990
Electronic Frontier, a freedom-on-the-Internet advocacy group, is launched.
Polymorphic viruses (which modify themselves when they spread), along with other sophisticated kinds of viruses, such as multipartite viruses (which infect multiple locations in the machine), appear.
During the first acknowledged major computer bank hack, First National Citybank of Chicago loses U.S. $70 million.
Kevin Lee Poulsen, the hacker Dark Dante, is arrested after a 17-month search. He had obtained numerous military secrets.
Mitnick and Shimomura lock horns. (Hackers Chronology, 2006).
1993
The first Def Con hacking conference, which was supposed to be a one-off knees-up to bid good-bye to BBSs (outdated by the web), occurs in Las Vegas. This event became so popular it turned into an annual event.
Hackers hit U.S. federal web sites, including the CIA, Department of Justice, NASA and the Air Force. This isn't popular with U.S. officials. (Hackers Chronology, 2006).
1994
Vladimir Levin
Vladimir Levin, head of a Russian hacking ring, reportedly masterminded a $10 million virtual holdup of Citybank. He is arrested in London a year later and extradited to the U.S.A. (Hackers Chronology, 2006).
1995
US Defense Department experiences a quarter of a million hacks in one year.
Kevin Mitnick
Mitnick, arrested and suspected to have stolen approximately 20,000 credit card numbers, pleads guilty a year later. (Hackers Chronology, 2006).
Hackers, a movie, sparks more misconceptions about hackers' activities.
1998
Network Associates runs an anti-hacker advert during the Superbowl in the U.S. In it, two Soviet missile technicians blow up the world, unsure whether the orders came from Moscow or hackers.
Hackers claim to have cracked a military satellite system and threaten to sell secrets to terrorists
NIPC (National Infrastructure Protection Center) launched with multi-million dollar funding.
L0pht, a hacking group, tells Congress it could shut down the Internet in half an hour. The group calls for more intense security. (Hackers Chronology, 2006).
1999
1999 proves to be a massive year for Microsoft patches, due to hackers exploiting Windows 1998 vulnerabilities. Hence, mainstream anti-hacking software is born.
2000
During 2000, Denial of Service attacks cripple the net's biggest names.
Jon Johansen
Jon Johansen (Norway) co-authored DeCSS with two other programmers who remained anonymous, and published it on the Internet. This program decrypted DVDs so they could be run on a computer too. Johansen was arrested January 23 and charged with hacking into others' computers. He created a program that enables people to watch (legally bought) DVDs on their own computers, rather than on a stand-alone DVD player. The Motion Picture Association did not win this case as the E.U. law they banked on had not yet been implemented. Several years later in 2005, the justice department releases Johansen and he is acquitted because "European law explicitly allows reverse engineering when needed for interoperability." (Hackers Chronology, 2006).
II. Methods
Definitions:
Firewall breaches:
Malware:
Phishing Schemes: soliciting sensitive information, frequently for identity theft, by posing as a legitimate company or charity. (Paulson, 2006)
Ping sweeps:
"If you're able to think like a hacker, you're able to prevent some of the attacks that are happening," Aaron Cohen argues. Cohen is the founder of a new academy in a viable field of security companies dedicated to helping the government and corporations keep data safe from increasingly sophisticated attacks by cunning computer hackers. (Paulson, 2006) Ralph Echemendia, Cohen's lead instructor, began hacking when a teenager. He first hacked ham radios and took up "phone phreaking," and then began hacking computers. Along with his current work with/for the military and Fortune 500 companies, Echemendia also heads an underground hacker meeting in Florida. In this setting, people do not reveal their names. Here, Echemendia obtains real-world information from hacker associates. At times, he has tried to convince some of those he "works" with to try the legal side of hacking. They are amazed that some companies will actually pay people to hack them. (Paulson, 2006)
At one time in history, however, the thought of a hacker being paid by companies was not so foreign. In fact, "a 'good hack' is a clever solution to a programming problem and 'hacking' is the act of doing it," according to Eric Raymond, compiler of the New Hacker's Dictionary. Raymond also recognizes a hacker as a clever programmer. (SearchSecurity, 2007)
"Key-logging software often is installed on systems when an individual simply views e-mails or clicks links that look and seem like reputable sites," the March 23, 2007 article, "DOD INVESTIGATES HACKING of TROOPS' PERSONAL COMPUTERS," quotes Defense Finance and Accounting Service officials as explaining. "Hackers then are able to detect passwords and other personal information." Customers have a responsibility to implement measures to guard their personal information from thieves and scammers, both online and offline. (INDSTRY GROUP 91, 2007)
According to the Federal intelligence report, Defense Department officials recently "launched an investigation into recent computer hackings of service members' home computers that compromised personal information and led to the redirection of funds from their military pay accounts." (INDSTRY GROUP 91, 2007)
Officials report that during an eight-month period, accounts of approximately two dozen Defense Finance and Accounting Service "myPay" participants were accessed by unauthorized personnel. The compromise of the myPay program, which allows DFAS users to manage pay information, along with leave and earnings statements, as well as W-2s online, most likely ensued from personal information "stolen from home computers via spyware and keystroke-logging viruses," DFAS officials stated.
Computer security
Computer security involves the prevention and detection of unauthorized users or "intruders" accessing any part of a computer system. Detection helps a computer owner determine whether an intruder attempted to break into his/her system, and if so whether or not they succeeded, as well as what they may have accomplished. Even though information or communications on a computer may not be "top secret," most people do not want strangers to read their e-mail, use their computer to attack other systems, send forged email from their computer, or examine personal and/or business information stored on the computer (particularly financial statements). (Home Network . . ., 2007)
Home internet users are less likely to be attacked in 2007 than in 2006, Lisa Lerer (2006) reports in Hackers Headed for Home. Contemporary hackers, however, are more likely to target users in search of money, according to Symantec, a computer security firm. Symantec estimates that computer hackers target home users 86% of the time, versus 93% in 2006, because of poor security features.
"The home user is just a great deal less prepared to deal with attackers than enterprise, who's had to deal with them for quite some time," stresses Alfred Huger, senior director of engineering at Symantec's security response division (Lerer, 2006).
Hackers target personal home computers for personal information to use in financial crimes (e.g. identity theft). Huger points out: "We've seen some [attacks] that are sensitive to 1,200 or 1,300 different banks and credit card companies' Web sites." (Lerer, 2006). Another lucrative target for fraud by hackers is the financial services industry.
Web browsers, such as Microsoft's Internet Explorer, constitute a popular route of attack since information comes from different sources. Hackers attack web-based applications approximately 69% of the time according to Symantec. Popular security alternatives, in 2006, contained flaws documented by Symantec as: Mozilla Firefox (17), Microsoft's Explorer (38), and Apple Safari (12). Microsoft addresses flaws and distributes repairs within 9 days of the infection; while Mozilla and Apple Safari take 1 day or less. (Lerer, 2006)
Computer hackers or intruders, also known as attackers or crackers, sometimes do not care about a person's identity but want to gain control of another computer to launch attacks on other computer systems. Gaining control of another computer gives them the ability to hide their actual location while they launch attacks, frequently against government or financial systems' computers. Any computer connected to the Internet may be targeted. Hackers may obtain the ability to watch actions on the computer and/or inflict damage on a computer by reformatting the hard drive or changing personal or business data. (Home Network . . ., 2007)
Computer hackers routinely discover new vulnerabilities or "holes" in computer software to exploit. As software becomes more and more complex, it becomes increasingly difficult to meticulously test computer systems' security. As holes are discovered, however, computer vendors generally create patches to counter the problem(s). It is up to the computer owner, nevertheless, to obtain and install needed patches, or properly configure software to perform more securely. The majority of computer break-in incident reports might have been avoided if system administrators and users had ensured their computers' patches and security fixes were up-to-date. (Home Network . . ., 2007)
Additionally, a number of software applications possess default settings which allow other users to access an individual's computer unless he/she changes his/her settings to make them more secure. These applications may include chat programs which permit outsiders to execute commands on an individual's computer or web browsers that could allow someone to position harmful programs on their computer that run when they click on them. (Home Network . . ., 2007)
Unlike the majority of home computer systems, corporate and government networks are routinely protected by a number of security layers which range from network firewalls to encryption. Generally, they also employ support staff who maintain the accessibility, as well as the security, of the network connections. (Home Network . . ., 2007)
"The Firewalls FAQ (http://www.faqs.org/faqs/firewalls-faq/) defines a firewall as 'a system or group of systems that enforces an access control policy between two networks.' In the context of home networks, a firewall typically takes one of two forms:
Software firewall - specialized software running on an individual computer, or
Network firewall - a dedicated device designed to protect one or more computers." (Home Network . . ., 2007)
Antivirus software searches for patterns in a computer's files or memory that signify the potential presence of a known virus. "Antivirus packages know what to look for through the use of virus profiles (sometimes called 'signatures') provided by the vendor." As new viruses are discovered each day, an antivirus package depends on having the latest virus profiles installed on a computer to enable it to search for recently discovered viruses. (Home Network . . ., 2007)
Three primary areas of concern for information security, which apply to home Internet users as well as to government or corporate networks, include:
"Confidentiality - information should be available only to those who rightfully have access to it
Integrity -- information should be modified only by those who are authorized to do so
Availability -- information should be accessible to those who need it when they need it." (Home Network . . ., 2007)
Some security risks arise from intentional misuse of a computer by computer hackers via the Internet, while other risks possess the potential to harm a computer even when it is not connected to the Internet, such as hard disk failures, power outages, etc. The primary methods computer hackers employ to gain control of home computers include the following: (Home Network . . ., 2007)
1. Trojan horse programs
2. Back door and remote administration programs
3. Denial of service
4. Being an intermediary for another attack
5. Unprotected Windows shares
6. Mobile code (Java, JavaScript, and ActiveX)
7. Cross-site scripting
8. Email spoofing
9. Email-borne viruses
10. Hidden file extensions
11. Chat clients
12. Packet sniffing (Home Network . . ., 2007)
1. Trojan horse programs present a common way for intruders to trick a computer owner (a tactic also known as "social engineering") into installing "back door" programs, which can permit computer hackers to have ready access to the computer without the owner's/operator's knowledge. Hackers can change a computer's system configurations, as well as infect the computer with a virus.
2. Back door and remote administration programs, once installed, permit other individuals to access and control a computer. On Windows computers, computer hackers routinely use three common tools to gain access to a computer: BackOrifice, Netbus, and SubSeven.
3. A denial-of-service (DoS) attack, another form of attack, causes a computer to crash or become so busy processing data that an owner/operator is unable to use it. In the majority of instances, however, the latest patches counter and prevent this type of attack. It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.
4. Being an intermediary for another attack describes what a computer becomes when hackers take it over and use it as a launching pad to attack other systems. Distributed denial-of-service (DDoS) tools are regularly used in this way. After the hacker installs an "agent" (frequently through a Trojan horse program) on a computer, it runs on the compromised computer, waiting for its next instructions. When numerous agents are running on various computers, "a single 'handler' can instruct each agent to launch a denial-of-service attack on a specific system." Consequently the ultimate target of the attack is not the initial computer that is compromised, but someone else's.
5. Unprotected Windows shares: "networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet." As site security on the Internet is interdependent, when a computer is compromised, it creates not only problems for the computer's owner but also poses a threat to other sites on the Internet. The 911 worm is an illustration of another threat, one which carried destructive, malicious code.
6. Mobile code (Java/JavaScript/ActiveX) consists of programming languages which permit web developers to write code that is executed by a web browser. In most instances, the code is useful, although it can be used by intruders to collect information, for example to identify specific web sites a computer operator visits. The code may also run malicious code on a computer. A computer operator may disable Java, JavaScript, and ActiveX in his/her web browser, a recommended action when visiting unfamiliar or untrustworthy web sites. Mobile code within email programs may also carry risk, as some mail programs utilize the same code as web browsers to display HTML.
7. In cross-site scripting, a malicious web developer "may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry." When the web site responds to the inquiring individual, the malicious script transfers to his/her browser. A computer operator may possibly expose his/her web browser to malicious scripts when:
He/she follows links in web pages, postings, or e-mail messages without knowing where they lead.
He/she utilizes an untrustworthy site's interactive forms.
He/she views online forums such as discussion groups, forums, or other dynamically generated pages where users post HTML text tags. (Home Network . . ., 2007)
8. Email spoofing occurs when an email message seems to originate from a particular place, while in reality it originated from another. This tactic is frequently used to try to trick a person into releasing sensitive information, for example passwords. An example of a spoofed e-mail would be an e-mail masquerading as a request from a system administrator to change a password, threatening that an account will be suspended if this is not done. It could also be disguised as a request from an authoritative individual for a copy of a password file or other personal, sensitive information. (Home Network . . ., 2007)
9. Email-borne viruses, as well as other variations of malicious code, are frequently passed on in e-mail attachments. Prior to opening any attachments, a computer operator needs to ensure he/she knows where the attachment originated. Just recognizing the sender's address is not enough. One malicious virus, the Melissa virus, spread easily precisely because it originated from an address familiar to the recipient.
10. Hidden file extensions: Windows operating systems contain an option to hide file extensions for known file types, and it is enabled by default. A computer user, however, may disable this option to permit Windows to display extensions. A number of email-borne viruses have exploited hidden file extensions. "The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named 'LOVE-LETTER-for-YOU.TXT.vbs'. . . . Although files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types, the file is [in fact] a malicious script or executable (.vbs or .exe, for example)."
11. Chat clients: users of Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, expose themselves to a method that permits information to be transmitted bi-directionally between computers linked by the Internet. As a chat client opens its user up to the exchange of executable code, he/she experiences risks similar to those of email clients. (Home Network . . ., 2007)
12. Packet sniffing is executed by a packet sniffer, a program which captures data from information packets traveling through the network. The captured data may be passwords, or user and/or proprietary information, traveling over the network in clear text. After a packet sniffer captures a massive amount of information, computer hackers can launch a multitude of attacks. (Home Network . . ., 2007)
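The hidden-extension trick described in item 10 can be checked mechanically before an attachment reaches a user. The following is an added example, not code from the cited sources; the extension lists, the function names and the sample file names (other than the LoveLetter name quoted above) are assumptions made for illustration. It goes slightly beyond the case in the text by also catching whitespace padding placed between the decoy and the real extension.

```python
import os.path

# Assumed, non-exhaustive lists chosen for this illustration.
# Extensions Windows runs directly or hands to a script host:
EXECUTABLE_EXTS = frozenset({
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk",
})
# Extensions a reader takes to be harmless documents or media:
DECOY_EXTS = frozenset({
    ".txt", ".mpg", ".avi", ".jpg", ".gif", ".doc", ".pdf", ".htm",
})


def analyze_attachment(filename):
    """Classify an attachment name as 'deceptive', 'executable' or 'ok'.

    'deceptive' means the real (last) extension is executable while the
    name shown with extensions hidden ends in a harmless-looking one.
    """
    # Accept Windows or POSIX paths; Windows ignores trailing dots/spaces.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()

    # With "hide extensions for known file types" on, only the stem is shown.
    shown_as = stem.rstrip()

    # The extension the user believes the file has, if any. Stripping
    # whitespace first defeats padding such as "clip.mpg      .exe".
    inner_ext = os.path.splitext(shown_as)[1].lower()

    if real_ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        verdict = "deceptive"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "ok"
    return {"verdict": verdict, "shown_as": shown_as, "real_ext": real_ext}


def flag_attachments(filenames):
    """Return (name, verdict, shown_as) for every name that is not 'ok'."""
    flagged = []
    for name in filenames:
        result = analyze_attachment(name)
        if result["verdict"] != "ok":
            flagged.append((name, result["verdict"], result["shown_as"]))
    return flagged


# Constructed sample input; only the first name comes from the text above.
SAMPLE_NAMES = [
    "LOVE-LETTER-for-YOU.TXT.vbs",
    "holiday.mpg      .exe",
    "photo.JPG.SCR",
    "setup.exe",
    "notes.txt",
    "report.final.txt",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, verdict, shown_as in flag_attachments(SAMPLE_NAMES):
        print(f"{verdict:10} real name {name!r} is displayed as {shown_as!r}")
```

A mail gateway or a user-side script can run the same check on every attachment name and quarantine anything that is not "ok".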
The following recommendations are deemed "best practices" for home users:
1) If a person works from home, he/she needs to regularly contact his/her support server
2) Use virus protection software
3) Use a firewall
4) Do not open unknown email attachments
5) Do not run programs of unknown origin
6) Disable hidden filename extensions
7) Keep all applications (including operating system) patched
8) Turn off computer or disconnect from the network when not in use
9) Disable Java, JavaScript, and ActiveX if possible
10) Disable scripting features in email programs
11) Make regular backups of critical data
12) Make a boot disk in case computer is damaged or compromised (Home Network . . ., 2007)
III. Prevention
Drive-by Hacking?
"A report on e-crime recently published by the Metropolitan Police, which deals with the majority of e-crime in the UK pointed out that e-crime is the most rapidly expanding form of criminality, encompassing both new criminal offences in relation to computers (viruses and hacking) and 'old' crimes (fraud and harassment) committed using digital or computer technology." (Drive-by hacking . . ., 2007) According to this report, identity theft cost the UK economy approximately GBP1.7bn a year.
Regarding Web drive-by attacks: even though these attacks do not physically harm a user, they do harm a person when his/her personal data is stolen or when someone completely takes over his/her computer. Raimund Genes, CTO of Anti-malware at secure content management firm Trend Micro, stresses that browsing particular websites may be as dangerous as a walk down an alley on a dark night.
Because contemporary malware threats constantly change and evolve, users are being more and more adversely affected when they merely visit a web site. More each day, Web threats are being identified as the next kind of threat users need to be wary of. A number of websites "contain potentially dangerous downloaders which install themselves on" a user's PC without him/her noticing or giving permission. Once installed, the downloaders are able to monitor and steal a person's passwords, along with bombarding him/her with targeted spam.
This particularly affects some corporate users, who daily, as part of their job, browse numerous web sites. Recently, at the World Economic Forum in Davos, Vint Cerf, one of the leading fathers of the Internet, and other Internet experts discussed the Internet's future. Cerf expressed concerns about home Internet control and cyber crime. He stated his belief that up to perhaps one fourth of computers on the net "may already be used by cyber criminals in so-called botnets." (Drive-by hacking . . ., 2007)
The question arises: how does one determine which websites are safe, and which web sites to avoid? (Drive-by hacking . . ., 2007)
In the March 12, 2007 article, "Feds Hit 3 Hackers in Stock 'Pump and Dump'," Mark (2007) reports details regarding three individuals from India and Malaysia being charged in a U.S. federal court with masterminding an international, online "hack, pump and dump" fraud plot to begin hijacking brokerage accounts.
Approximately 60 customers, along with nine brokerage firms became victims. One brokerage firm reported losing more than $2 million. TDA AmeriTrade, E*Trade, Firstrade, ChoiceTrade, Options/Express, TradeKing and TerraNova were among the online brokerage firms that were affected. The Department of Justice (DoJ) reports this case as the first where individuals were arrested overseas due to their involvement in an online brokerage intrusion scheme committed in the U.S.
"Hackers who prey on American investors," Fetters (2007) cites Christopher Cox, chairman of the Securities and Exchange Commission, as stressing, "no matter what continent they're operating from -- are meeting their match . . . We will go anywhere on earth to stop these thieves and hold them accountable."
Suspicious Activities
When a company or person detects suspicious activity, they need to immediately notify their financial institutions so reversals can be quickly made to accounts that have been hacked. (INDSTRY GROUP 91, 2007)
Important Security Information
Read Important Security Information before logging in. To better protect your myPay PIN, DFAS has installed a VIRTUAL KEYBOARD for you to enter your myPay PIN. This keyboard reduces threats from malicious software (e.g. spyware, keyloggers, etc.). The virtual keyboard displays the keys in random order and requires you to click on the appropriate key with your mouse. To learn more about this feature, see our Security FAQs.
(Important Security, 2007)
System Security
36) How secure is my data on myPay?
This is a Department of Defense (DOD) computer system. This computer system, which includes all related equipment, software, networks, and network devices, is provided only for official U.S. Government business.
DOD computer systems may be monitored by authorized personnel to ensure that their use is authorized to manage the system, to facilitate protection against unauthorized access, and to verify security procedures. During these activities, information stored on this system may be examined, copied and used for authorized security purposes, and data or programs may be placed into this system. Use of this or any other DOD interest computer system constitutes consent to monitoring at all times.
The unique combination of Login ID, PIN, and a DOD-specific telephone number used to access myPay makes myPay as secure as using an automated teller machine (ATM) at a bank. myPay users must use a browser with Secure Socket Layers (SSL) protocol with 128-bit encryption software (strong encryption). This combination prevents information from being retrieved by someone else while it is being transmitted.
While myPay uses a variety of security features to protect your data in our system, it is also important that you do everything you can to protect data from being compromised or captured on your computer, especially when using personal computers at home. Here are several things you should consider to protect your data not only when using myPay, but any electronic commerce activity (e.g. online banking, credit card purchases, etc.):
1. Install operating system and application software (e.g. Internet Explorer) updates regularly. Many of these updates are issued to fix security problems which have been identified.
2. Install and use anti-virus software and personal firewalls. Keep this software updated. The correct use of these programs can help protect your system from being compromised by malicious software (e.g. software which can capture information processed on your computer, etc.). The DOD CERT makes this type of software available for DOD active employees (military and civilian) at:
a. https://www.jtfgno.mil/antivirus/home_use.htm (This link can only be used from a Department of Defense computer)
b. http://www.mcafee.com/dod/
3. Do not store your various User-IDs and passwords in files on your computer. If someone gains access to your computer this is the type of information they look for and would aid them in accessing your account.
4. After using your browser (e.g. Internet Explorer, etc.) to access a site where you process sensitive information (e.g. myPay, your bank account, etc.) close all of your browser windows and restart a new browser session. Sometimes the browser can hold that information in memory (e.g. cache, etc.) and some web sites know where to look to find it.
5. Be very careful when installing software that gives others access to your computer. Remote service software or peer-to-peer software used for file sharing can create unintended openings into your computer that outsiders can use if the software is not configured correctly. (Important Security, 2007)
Virtual Keyboard
(Important Security, 2007)
67) What is a Virtual Keyboard?
The Virtual Keyboard is one of many Security features myPay has introduced to protect your data in our system. The advantage of using the Virtual Keyboard, with keys that display in random order each time you log on, is that others are deterred from learning your Personal Identification Number (PIN).
When Java-Script is enabled, each time you arrive at myPay to log on, you will be presented with this Virtual Keyboard to enter your PIN. You'll use your mouse with the Virtual Keyboard to enter the characters contained in your PIN. (a restricted Access PIN will require an Alpha character entry).
To Login to myPay using the Virtual Keyboard:
1. Type your Login ID under Account Access on the homepage. Do not press the Enter button.
2. Next, click on the numbers and letters of your PIN using the Virtual Keyboard on the screen. (Each number and/or letter will appear as an asterisk in the textbox above the Virtual Keyboard.) When you have finished, click the "Go" button.
3. If you enter an incorrect number or letter while using the Virtual Keyboard, press the Virtual Keyboard Backspace button. You can also Tab to the Virtual Keyboard Backspace button and select it by pressing the Space Bar. The Virtual Keyboard Backspace button will erase the last number or letter that you entered. If you wish to clear all the numbers/letters that you have entered, press the Clear button on the Virtual Keyboard, or Tab to the Clear button and press the Space Bar.
***for Keyboard Users***
If you are a Keyboard User who does not use a mouse, you must rely on the Tab button and the Space Bar to enter your PIN. You cannot use the arrow keys to select the numbers/letters on the Virtual Keyboard.
a. Tab to the first number or letter of your PIN.
b. Press the Space Bar. An asterisk representing the first number will appear in the PIN textbox.
c. Tab to each subsequent number or letter of your PIN and press the Space Bar.
d. If you enter an incorrect number or letter, press the Tab key until you can select the Virtual Keyboard Backspace button. The Virtual Keyboard Backspace button will erase the last number or letter that you entered.
e. If you wish to clear all of the numbers and letters that you have entered for the PIN, click the Tab key until you can select the Clear button.
f. When you have finished entering your PIN using the Virtual Keyboard, click the Tab key until you can select the "Go" button. (Important Security, 2007)
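The randomized-layout idea behind the Virtual Keyboard described above can be sketched in JavaScript. This is an added example, not myPay's or DFAS's code: the function names, the ten-digit key set and the sample PIN are constructed, and decoding clicked slots against a per-logon layout is an assumption about how such a pad could work.

```javascript
// Added illustration of a randomized on-screen PIN pad; all names are hypothetical.
const KEYS = '0123456789'.split(''); // constructed key set; a real pad may add letters

// Uniform integer in [0, n) from a CSPRNG; rejection sampling avoids modulo bias.
function secureRandomInt(n) {
  const c = globalThis.crypto ?? require('node:crypto').webcrypto;
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { c.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: index i of the result is the key drawn at screen slot i.
function newLayout(keys = KEYS, rand = secureRandomInt) {
  const layout = keys.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = rand(i + 1);
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// What the user does: click the slot currently showing each PIN character.
function clicksFor(layout, pin) {
  return pin.split('').map((ch) => {
    const slot = layout.indexOf(ch);
    if (slot < 0) throw new Error(`character not on pad: ${ch}`);
    return slot;
  });
}

// What the form does: map clicked slots back to characters with this logon's layout.
function decodeClicks(layout, slots) {
  return slots.map((s) => {
    if (!Number.isInteger(s) || s < 0 || s >= layout.length) {
      throw new RangeError(`bad slot: ${s}`);
    }
    return layout[s];
  }).join('');
}

// Constructed demo: the same PIN entered at several logons, each with a fresh layout.
function demo(pin = '4071', sessions = 5) {
  const rows = [];
  for (let k = 0; k < sessions; k++) {
    const layout = newLayout();
    const slots = clicksFor(layout, pin);
    rows.push({ layout: layout.join(''), slots, decoded: decodeClicks(layout, slots), keystrokes: 0 });
  }
  return rows;
}

console.log(demo());
```

Each row shows zero keystrokes and a different slot sequence for the same PIN, so a recorded sequence from one logon does not reveal the PIN without that logon's layout.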
Nick Brookins (2003), director of Information Technology at Computer Builders Warehouse in Warren, Michigan, reports that during the two years between 2001 and 2003, security threats to information systems increased 65 per cent. The number of network intrusions quadrupled. Although the following seven steps may appear simple, they prove particularly effective for helping small business owners and network administrators keep their systems protected.
1. Implement a firewall -- a firewall is a barrier that keeps hackers and viruses out of computer networks. Firewalls intercept network traffic and allow only authorized data to pass through.
2. Develop a corporate security policy -- Establish a corporate security policy that details practices to secure the network. The policy should direct employees to choose unique passwords that are a combination of letters and numbers. Passwords should be changed every 90 days to limit hackers' ability to gain possession of a functioning password. When someone leaves the company, immediately delete the user name and password. The corporate policy should outline consequences for network tampering and unauthorized entry.
3. Install anti-virus software -- All computers should run the most recent version of an anti-virus protection subscription. Ideally a server should be configured to push virus updates out periodically to all client systems. Employees should be educated about viruses and discouraged from opening e-mail attachments or e-mail from unknown senders.
4. Keep operating systems up-to-date -- Upgrade operating systems frequently and regularly install the latest patches or versions of software, which are often free over the Web. If you use Microsoft Windows, check www.windowsupdate.com periodically for the latest patches.
5. Don't run unnecessary network services -- When installing systems, any non-essential features should be disabled. If a feature is installed but not actively used, it is less likely to be updated regularly, presenting a larger security threat. Also, allow employees to use only the software they need to do their job effectively.
6. Conduct a vulnerability test -- Conducting a vulnerability test is a cost-effective way to evaluate the current security program. This test highlights flaws and limitations in the program, and experts can offer suggestions for improvement. The best method for conducting a vulnerability test is to contact a computer consulting company and provide access to your system for a day or two. This will provide ample time for network appraisal and follow-up discussion and planning.
7. Keep informed about network security -- Numerous books, magazines and online resources offer information about effective security tools and "lessons learned." Also, the Web provides ample and very current information about security -- type in the key words "network security." (Brookins, 2003)
IV. Cost to Companies
During the first six months of 2006, one Internet security company, Symantec, noted an 81% increase in phishing messages as it documented more than 150,000 unique phishing messages. Computer Economics estimates that during 2005, viruses and other malicious code attacks produced $14.2 billion in damages. In the case of ransom attacks, when computer hackers infiltrate a company's computers, they may threaten to devastate a company's network or furnish the company's information to a competitor unless they're paid. Mark McManus, vice president of research for Computer Economics, points out that in such cases, people frequently prefer not to report being attacked by a computer hacker. (Paulson, 2006)
Computer worms and viruses not only cost companies valuable time and cleanup costs; within the last few years, they have also caused insurance premiums to increase. As they have been overwhelmed with hacking-related claims during the past few years, numerous insurers have cut hacking losses "from general-liability policies, forcing companies to spend extra for 'network risk insurance,' which costs about $5,000 to $30,000 a year for $1 million in coverage." (Swartz, 2003)
Bob Steinberg, corporate attorney, notes that insurers are insisting that if policyholders do not invest in stand-alone hacker policies, they will not be protected. As computer-crime losses reportedly increased 25% to $2.8 billion in the U.S.A. during 2003, this constitutes a dangerous challenge. (Swartz, 2003)
Computer worms such as Slammer, which clogged global Internet traffic, affirm Corporate America's ongoing dependence on the Internet and the vulnerability of its computer networks.
The Code Red worm in 2001 cost an estimated $2 billion in cleanup and damages. (Swartz, 2003)
American International Group, the largest network-security insurer, reportedly created the first stand-alone coverage for viruses and credit card and ID theft. During 2002, Hiscox, a Lloyd's of London syndicate began to market a policy for telecommunications, media and technology companies to cover losses from viruses and hackers. Chubb provides a policy for "e-theft, e-vandalism and e-extortion." In one particular plan during 2002, Zurich North America reported it will pay a reward for information which leads to the conviction of cyberterrorists.
Today's and Tomorrow's Threats
Experts note that massive, headline-grabbing viruses appear to be decreasing; nevertheless, lower-profile targeted attacks seem to be increasing. Consequently, companies have to work harder to counter computer hackers' attacks and keep their networks secure. According to Chris Painter, deputy chief of the Department of Justice's Computer Crime and Intellectual Property section: "Those lone gunman hackers are still out there, though they're doing it for more explicit monetary reasons now." As finances constitute the motivation for the more organized criminal groups, they prefer to keep a low profile, and in turn, aim at more specific targets. (Paulson, 2006)
On the other hand, sometimes it is not known whether a ransom threat is true or merely a rumor. For instance, during April 2007, news headlines read: "Half-Life hacker holds Valve to ransom." (Ferret, 2007) The hacker, who calls himself Maddox, is reportedly unhappy with the digital distribution system Valve pioneered for games and told the world that: "If you [Valve] want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information."
To stress his point, Maddox released screenshots of Valve's internal administrative system onto the web, accompanied by details of user accounts. Maddox the hacker also presented specific tips for a person to set up their own 'CyberCafe' account with Valve, not a normal everyday opportunity, unless someone is actually running a CyberCafe.
Ferret (2007) also notes that the mystery hacker threatened to compose a spreadsheet of all Valve's user base credit card data and present it to hackers online, which would prove to be a major problem for the massive number of Valve customers who purchased games online. Although this researcher checked online regarding the validity of that threat made to Valve, as well as the outcome, no additional information could be secured.
CrimethInc, a unique contemporary protester, surreptitiously works by his computer screen's hello. He, along with the "Black Hat Hackers Bloc," a group of politically active "hacktivists" reportedly vowed to disrupt the Republican convention electronically by taking down 'Republican Web sites, e-mail servers, phones and fax lines, alter electronic billboards and cause what he calls unspecified "financial disruption.'" (Childress, 2006)
The "hacktivists" reportedly hope to recruit hackers across the U.S., as they share instructions on how to initiate electronic disruptions. Interestingly, however, as soon as CrimethInc pressed the send button to rally his call to arms against the Republicans, his e-mail account dissipated.
As CrimethInc shared his strong belief that Republicans should not have the right to "be able to put forth their propaganda," the New York police computer-crime unit has initiated a watch for threats. Paul Browne, a spokesman for the special unit, stressed that any malicious activity will be taken seriously. (Childress, 2006)
Some other hackers who disagree with CrimethInc, who purportedly perceives himself as David fighting Goliath, complain "he gives hacktivism a bad name and violates their code to defend free speech."
Ruffin, a hacktivist, compares shutting down someone's web site to shutting them down in a town hall meeting. He posits that if a person has an issue with a political opponent, he/she creates a better argument and publicizes his/her point. Some are convinced that CrimethInc's group is determined enough to cause damage, which is reportedly possible. Something such as crashing a Web site for several hours during peak times could dramatically disrupt the GOP's convention plans. (Childress, 2006)
During the upcoming convention, the Electronic Disturbance Theater, a well-established hacktivist group, plans to stage a "virtual sit-in" on a Republican site. They plan to utilize an identical tactic used to bring down the World Economic Forum's site during 2002, running software to flood servers with requests for Web sites. This group's director, Ricardo Dominguez, approves of CrimethInc's quest to mix code and politics. He does, however, proclaim he cannot completely endorse a hacktivist protester who would choose to remain anonymous. "Real hacktivists," Dominguez insists, "log on to be counted." (Childress, 2006)