Computer `crackers' set sights on .gov for chaos

by Mark Mueller

Sunday, August 1, 1999

It was the kind of threat for which computer hackers are famous, a declaration of war dripping with the risk-free bravado so common on the anonymous Internet.

The warning, which appeared on a hacked Web page of the U.S. Interior Department in late May, promised unrelenting attacks against government computers to avenge an FBI roundup of hackers associated with the group Global Hell. Just weeks earlier, Global Hell had claimed responsibility for an attack on the White House's main Web page.

``Now, it's our turn to hit them where it hurts by going after every computer on the Net with a .gov,'' the message read. ``We'll keep hitting them until they get down on their knees and beg.''

That the threat was made - risking the pique of the FBI - isn't as surprising as the follow-through. In recent months, hackers, or crackers, as bad-guy hackers are known, have indeed blazed through a wide swath of government and university computers, defacing some Web sites and shutting down others.

Among the high-profile targets: the U.S. Senate (twice), the Army, the Navy and the Departments of Agriculture, Labor and the Interior. Computer systems also were hit at Georgetown University, the University of Colorado, the University of Michigan and Harvard University.

The most brazen of the attacks targeted the lion's den itself: the FBI Web page, which was out of service for nearly a week as programmers beefed up security on the site.

Jim Settle, former chief of the FBI's computer crimes squad and now an Internet security consultant, calls the FBI strike ``an out-and-out declaration of electronic warfare.'' For some, it's a war that can't afford to be lost.
The feeble network that once was the domain of a few scientists is now a robust and far-reaching behemoth that caters to hundreds of millions of people, some of whom pay their taxes, buy goods and send intensely personal information through their computers. In the wrong hands, such information could prove embarrassing or costly. Seen in its most sinister light, computer intrusion is a threat to national security.

But the self-proclaimed ``warriors'' who carried out the recent attacks against government Web sites hardly sound like cyberspace shock troops. Their loose-knit groups bear names like the ``Keebler Elves,'' the ``Masters of Downloading'' and ``Hacking for Girlies.'' When they hack sites, they traditionally leave behind inane scrawlings - ``Boo! Did we scare you?'' - and ``shout-outs'' to their friends.

Those familiar with the hacking subculture say such groups are generally composed of teens - and occasionally people in their early 20s - with a lot of computer equipment and too much time on their hands.

``These are just immature kids doing this from their home computers,'' said John Vranesevich, founder of Anti-Online, a group that tracks hacker activity and that has compiled dossiers on 6,000 hackers. ``It's a game to them. They make a move, and they can't contemplate how it affects people in the real world. It's not reality until the FBI bangs on their door.''

Vranesevich called the recent wave of attacks a ``temper tantrum'' over the May FBI raids, in which agents confiscated computer equipment and questioned teens in 11 cities, including Houston, Seattle and San Diego. A spokeswoman for the FBI in Boston said the New England office was not involved in the operation.

Those who deface Web sites - about 1,300 sites have been defaced so far this year, according to the most reliable statistics - justify their actions by arguing they're actually doing companies and organizations a service by pointing out security deficiencies.
But law enforcement authorities and others who deal with hackers dismiss the argument.

``I don't buy it,'' said Drew Williams, the founder of an AXENT Technologies SWAT team to deal with hacker attacks. ``Any hacker group that has not been invited to test security is committing a crime.''

That assessment is shared by David Green, deputy chief of the computer crimes and intellectual property section at the Justice Department.

``This is not just electronic graffiti,'' Green said. ``They're shutting down access to Web sites, sometimes for hours, sometimes for days, and it makes it impossible for people who want access to that Web source to get it.''

Moreover, there's far more at risk than down time for Web servers, contends Peter Mell, who conducts hacker research for the National Institute of Standards and Technology, a division of the U.S. Commerce Department.

``Real harm can be done,'' Mell said. ``A lot of people download their tax forms from the IRS today. What if someone broke into the IRS Web server and changed just a single number? It would cause supreme chaos.''

Mell also pointed to electronic banking and stock trading, saying Web servers today handle increasing amounts of sensitive information.

``This isn't child's play anymore,'' he said. ``I pay my bills online. I trade stocks online. In that kind of environment, I can't afford people breaking into computers.''

The FBI heartily agrees, though it has not characterized its crackdown on hackers in quite the grandiose terms that hackers do.

``We don't have a war against hackers. We're following our mandate, which is to investigate violations of federal law,'' said Bill Carter, a spokesman for the FBI's headquarters in Washington. ``The fact that these hackers or hacker groups have their noses out of joint over this, we can't help that.''

Most hackers are not caught, but the recent raids suggest the FBI is starting to get better at tracking them.
The agency has about 500 open computer crimes cases at any given time.

But the federal agents' methods - charging in with warrants and bulletproof vests - worry some in the hacking community.

``For those of us in the scene for a number of years, it's starting to get scary only because we worry it's going to turn into a witch hunt,'' said Space Rogue, a member of the Boston-area group L0pht Heavy Industries, a former hacker clan that now bills itself as an electronic think tank. ``While defacements will probably continue no matter what law enforcement officials do, it would be very easy for the government to just start executing search warrants left and right, seizing computers and scaring people half to death.''

Internet watchdogs - and some hackers themselves - say that while the crackdown should continue, the real issue is computer security.

Space Rogue argues that nearly all Web page defacements are carried out with known security flaws in software. As an example, he said, his group e-mailed the Army's webmaster about a flaw in its ColdFusion server software a month before someone used the hole to hack into the Army's Web site.

``It comes down to the person in charge of the machine and whether they're taking their security seriously,'' Space Rogue said. ``This sort of thing never should have happened in the first place.''

Settle, the former FBI computer crimes chief, says the danger will be far greater when those doing the hacking aren't teens out for kicks but terrorists intent on electronic warfare.

``Our computer systems today are like cars operating without safety equipment: no headlights, no bumpers, no airbags, no roofs,'' he said. ``Heck, if teenagers can do this, what can sophisticated intelligence operatives do? This is just a taste of things to come.''

The government acknowledges as much.
In testimony before a congressional panel, government security experts said government computers are easy marks because employees lack training, because well-trained staff flee for the bigger paycheck of the private sector and because internal security procedures often aren't followed.

``Most federal agencies continue to lack the ability to detect against and recover from cyber attacks,'' U.S. Rep. Connie Morella (R-Md.), chair of the House Science Subcommittee on Technology, said at the June 23 hearing.

To combat the deficiency, the Clinton administration last week proposed spending $1.5 billion in the next fiscal year on a sophisticated intruder warning system that would be installed on military, government and private-sector computer networks by 2003. Operating something like a burglar alarm, the system would detect break-ins, funneling that information to a central location.

``A concerted attack on the computers of any one of our key economic sectors or governmental agencies could have catastrophic effects,'' Clinton wrote in a draft cover letter accompanying the proposal.

Civil libertarians and Internet privacy watchdogs already have protested the plan, saying it will give the government unprecedented surveillance powers, equipping authorities with the tools to peruse the private dispatches of the masses. House Majority Leader Dick Armey (R-Texas) joined in the criticism, deriding the plan as an opportunity for ``government peeping toms.''

No matter the government response, hackers will, no doubt, continue mounting challenges, probing for deficiencies in networks and deriding those who chase them.

``You can stop one, but you can not stop all,'' hackers wrote when they defaced the U.S. Senate Web page for the second time in late June.
A more recent defacement of an obscure Venezuelan Web page repeated the theme, carrying a ``call to arms'' imploring competing hacker groups to unite to ``win this war.''

``Remember, this is our world, not the government's,'' the page read.

Time will tell.

Prosecuted `cracker' a martyr to techies

In hacker circles, he is a modern-day martyr, a technological tinkerer whose attacks on other people's computers amounted to harmless exploration before the FBI swooped down on him, dubbing him Online Enemy No. 1.

To prosecutors and to judges, he is a dangerous miscreant whose ability to crack computer systems and whose propensity for running from the law required that he be held without bail.

Kevin Mitnick, for four years the cause celebre of the Internet's dark side, could soon be going free.

Mitnick, 35, who pleaded guilty in March to multiple counts of computer and wire fraud for breaking into systems and stealing software from such companies as Sun Microsystems, Novell, Motorola and Nokia, will be sentenced Aug. 9 under a plea agreement that could, with good behavior credits, allow him to leave federal prison within weeks.

``Kevin is optimistic that this case will be over and that he can get on with his life,'' said Mitnick's lawyer, Donald C. Randolph of Santa Monica, Calif.

But even if Mitnick himself fades into obscurity, his cause is unlikely to follow. In the hacking community, Mitnick long ago became a symbol of what hackers term gross government over-reaction, a theme repeatedly hammered home by Randolph.

``The government prosecution of Mr. Mitnick was to carry out an agenda launched by them in the 1990s,'' Randolph said. ``The government wanted to demonstrate they were going to be tough on computer terrorism. Unfortunately, the government did not have a bona fide computer terrorist to prosecute, so they went after Mr.
Mitnick, a recreational hacker who was arrested with a big splash and who became a convenient target.''

Randolph's comments could be dismissed as the arguments of a defense lawyer looking to gain sympathy for his client, but he's not the only one making them. Drew Williams, who founded Axent Technologies' SWAT team to respond to hacking incidents for clients, said the government miscalculated with Mitnick.

``I am not a Mitnick supporter at all. However, I think the government did in fact set out to make an example and instead made a martyr,'' Williams said. ``An individual's rights to due process probably got a little trampled.''

Denied bail on charges that could have initially landed him in jail for a century, Mitnick appealed all the way to the U.S. Supreme Court, where the justices declined to hear his lawyer's argument that bail should be set.

Hackers have seized on the bail issue, leaving ``Free Kevin'' messages on the Web sites they hack. Recent examples include the home pages of the U.S. Senate and Greenpeace, where hackers left the tongue-in-cheek message ``Free Mitnick or we will club 600 baby seals.''

There is also a ``Free Kevin'' Web site (www.freekevin.com) that gives Mitnick updates and carries a confinement clock showing - to the second - how long Mitnick has been jailed.

Randolph argues that while people should be prosecuted for breaking into systems, the law needs to be refined to distinguish between recreational hackers and information terrorists.

``I do not quarrel at all with the government's right to prosecute computer fraud and to go after computer terrorists, but it's high time they distinguish between high crimes and misdemeanors so they're not trumpeting the arrest of the century when the suspect is a kid on a laptop,'' Randolph said.

Mitnick's prosecutors insist they have not overreached, that Mitnick caused millions in damage by stealing and changing information in computer systems.
``This is someone whose conduct over a 2-year period was very broad and very serious,'' Assistant U.S. Attorney Christopher Painter said. ``He hit a huge number of companies with a lot of damage. He is not the victim.''

If Mitnick does win his freedom soon, it could be short-lived. The Los Angeles County District Attorney's Office is preparing its own case against him on charges similar to the federal claim.

Randolph said he's confident Mitnick, in the end, will prevail.

``In 1995, the press and the public were fooled into thinking Kevin Mitnick was this cyber bogeyman,'' he said. ``That type of argument doesn't fly in 1999. People know better.''

Sites that have been targeted

Here's a partial list of Web sites that have been attacked in recent months. In most cases, the sites were defaced. In others, a flood of requests for service overwhelmed Web servers, rendering them unusable. In several of the attacks, the intruders called the acts revenge for FBI ``harassment'' of hackers.