Book Excerpt
Chapter 1: Built For Speed
Pages 14-21
Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity
White Hats, Black Hats, Gray Hats

Mafiaboy
The year is 1999, the close of the twentieth century. “Livin’ la Vida Loca,” Harry Potter, and The Blair Witch Project dominate pop culture. John F. Kennedy, Jr., piloting a small plane to a Martha’s Vineyard wedding, crashes; his wife, her sister, and he die in the tragic accident. Major news organizations hype what turns out to be an inert Y2K threat. Antitrust regulators bear down on Microsoft for using illegal monopolistic practices, while tech darlings Amazon.com and Netscape help inflate the dot-com bubble. Internet stocks launch into the stratosphere.
As dynamic as 1999 was, it was a comparative age of innocence when it comes to Internet security. Online shopping and online banking were in a nascent stage. Hacking was the dominion of computer geeks, invariably young males, seeking bragging rights. In the anonymity of cyberspace, the frail nerd pushed around by jocks in the schoolyard could log on to the Internet and emerge as a giant among peers by contriving the cleverest ways to exchange copyrighted music or to cheat at video games. In cyberspace, ethics became pliable, and reality altered, especially for impressionable teenage boys, says Ohio University telecommunications professor Mia Consalvo, author of Cheating: Gaining an Advantage in Video Games.
The introverted lad who would never dare to shoplift a CD from a music store or cheat playing a board game with flesh-and-blood acquaintances might think nothing of pirating a first-run movie or finding a shortcut to beat a popular online game.
“We now have kids who grew up as digital natives,” says Consalvo. “This is the first generation to grow up with computers in the home since the time they were born. They’ve grown up knowing that it’s easier to get away with things online, and there can be a little bit of confusion about what’s right and what’s wrong, especially during the teen years when you’re sorting out your identity anyway.”
As the new millennium dawned, the splashiest way to achieve geekdom immortality was to advance beyond piracy and cheating and create a headline-grabbing piece of malicious software, or malware, as antivirus companies called it.
In May 1999, the Melissa e-mail virus would establish a new malware high-water mark. Melissa lured naive victims into opening viral e-mail attachments with messages like “Check this!! This is some wicked stuff,” or “Question for you. It’s fairly complicated so I’ve attached it.” Clicking on the attachment activated a brilliantly invasive packet of coding. Melissa made copies of itself, which it then e-mailed to the first fifty names in the infected computer’s e-mail address book. Thus the next fifty potential victims would receive copies of the tainted attachment thinking it sent by a trusted source. If just a handful of the fifty fell for it, followed by a handful after that, and a handful after that, and so on, the e-mail virus would spread exponentially.
Indeed, Melissa propagated so rapidly that the e-mail systems at Microsoft, Intel, Lockheed Martin, and other big corporations crashed under the sheer volume of e-mail generated by the virus. Melissa’s author, David L. Smith, thirty, of Aberdeen Township, New Jersey, would ultimately spend twenty months in jail for infecting hundreds of thousands of computers with Melissa, which he reportedly named after a favorite stripper.
A bit old to be a hobbyist hacker, Smith, who worked as a troubleshooter at AT&T Labs, bragged in hacker chat rooms about spreading viruses under the bad-guy nickname Kwyjibo. But he also maintained a good-guy persona, using the name Doug Winterspoon to help people clean up infections caused by the evil Kwyjibo. “He had a bit of a Peter Pan complex,” says Roger Thompson, cofounder and CTO of Exploit Prevention Labs, one of a cadre of virus hunters who helped track down Smith.
Some hackers would consider a couple of years in lockup a small price to pay for securing a place in hacking lore. And if imitation is the highest form of flattery, then Smith secured the preeminent accolade: many of Melissa’s techniques were to become commonplace in e-mail worms to follow.
The Love Bug, also known as the ILOVEYOU virus, for instance, copied Melissa’s propagation engine. The author was Onel de Guzman, twenty-four, a lovesick student at the Amaconda programming institute in Manila’s upscale Makati district. Guzman’s claim to fame was concocting the compelling e-mail subject line “ILOVEYOU” and the irresistible attachment “LOVE-LETTER-FOR-YOU.TXT.vbs,” partly to impress an instructor whom he had a crush on.
De Guzman took psychological manipulation, or “social engineering,” as psychologists and law enforcement officials call it, to another level. ILOVEYOU sped westward from the Philippines, tricking workers into clicking on the attachment as they arrived at the office to start their workday. Following the arc of the rising sun, the Love Bug triggered an avalanche of e-mails around the globe, crippling systems and causing $5 billion in damages.
De Guzman’s masterstroke carried some nasty twists. It corrupted picture and music files and installed a password-stealing program. Why? De Guzman, who escaped punishment because his home nation lacked computer-hacking laws, would later reveal in a CNN interview that he launched the virus partly as a joke, but mostly to test his programming skills. De Guzman insisted that he was a creative programmer, not a malicious hacker, who aspired to a career in the tech field.
“If I may have done something wrong, if I stirred up a controversy, then I would like to apologize for it,” de Guzman told CNN. But he also blamed Microsoft for releasing sloppily built copies of its ubiquitous PC operating system, Windows. “The liability should lie in the hands of the software developers that come out with programs that are defective,” he told CNN.
De Guzman’s indignation, and his eagerness to expose security flaws in Windows, reflected a deep antipathy toward Microsoft that was widely held in the hacker community. This sentiment had been festering since the mid-1980s.
Back then, an upstart Harvard dropout named Bill Gates turned the chummy techie community upside down by lambasting the common belief that software should be cheap or free. Gates coined the phrase “software pirates” to describe anybody who didn’t pay Microsoft for its “intellectual property.” Gates went on to become the richest man in the world, in large part by using illegal tactics to crush the competition and monopolize the market for Windows, the operating system running 90 percent of the world’s personal computers, and for the Office suite of clerical programs, and Internet Explorer Web browser, which command similar market shares. Microsoft would prosper, despite being heavily sanctioned by antitrust regulators in the United States and Europe for resorting to illegal anticompetitive practices.
One ramification of Microsoft’s prosperity was that by the start of the twenty-first century, Windows would become the favorite target of hackers and malware writers. Three categories of Windows hackers, each with distinctive motives, emerged: white hats, black hats, and gray hats.
White hats were good-guy hackers who took to incessantly exposing new Windows vulnerabilities. White hats argued that the intense scrutiny would compel Microsoft to take security more seriously and patch security flaws with more alacrity. Black hats were the bad guys. Black hats searched for vulnerabilities, too, but were just as apt to wait for the white hats to discover them, then take advantage. Gray hats were somewhere in between, sometimes contributing to the cause of good, other times behaving more like black hats.
In this frenzied world of conflicting motivations, a kind of arms race took shape among white hats, black hats, and gray hats. Each group hustled to be the first to find the next gaping Windows security hole, referred to as a “vulnerability.” The number of known Windows vulnerabilities, flaws that could be exploited over the Internet, would balloon tenfold in four years, from 417 in 1999 to 4,129 in 2002, according to the CERT Coordination Center. (CERT is the U.S. Computer Emergency Readiness Team, a quasi-governmental organization established in 2003 at Pittsburgh’s Carnegie Mellon University to help protect the nation’s Internet infrastructure.)
Hackers were forced to pick sides in a polarized debate over when to disclose a newly discovered security hole. Proponents of “full disclosure” championed the practice of broadly announcing new vulnerabilities immediately upon discovery, the better to compel Microsoft (or other software vendors whose products were found lacking) to expedite a security patch. Opponents of full disclosure advocated notifying the software vendor first and giving the vendor a grace period of several weeks to prepare a patch before publicly announcing the new flaw.
Whether for or against full disclosure, white hats and gray hats, who referred to themselves as “researchers,” soaked up the stature gained from being the first to announce a new security hole. As with the virus-writing community, vulnerability researchers coveted bragging rights. Black hats, of course, were all for full disclosure since it broadened their opportunities to wreak havoc.
Each new Windows vulnerability made public was like opening a previously unnoticed trap door to hundreds of millions of Internet-connected PCs. As Microsoft scrambled to keep up with patches, black hats gravitated to the easiest holes to exploit. A flurry of attacks made the headlines in 2000 and 2001. The Anna Kournikova virus masqueraded as a photo of the celebrity tennis star. Bubble Boy infected PCs as soon as the user opened the e-mail; no need to click on the attachment. Nimda used five different methods to infect PCs and to self-propagate. SirCam bored into corporate servers.
It became trivial for hackers of modest technical savvy to infect Internet-connected Windows PCs in the home and in corporate settings. Yet the implications were profound. An intruder essentially usurped full control of the infected PC. It became the common practice of black hats to leave a back door open on an infected PC through which any intruder could install and run any program.
It almost seemed as if the youths who dabbled in copyright piracy and video game cheating had progressed to more serious forms of politically motivated hacking, sort of like advancing to hard narcotics after becoming inured to a gateway drug. Sarah Gordon, a senior researcher at Symantec Security Response, and an expert on the psychology of virus writers and hackers, doubts that a strong correlation can be drawn between simple cheating and more malicious forms of hacking. But she concedes it’s plausible.
“In some cases, yes, they will trip down that path,” says Gordon. “On the Internet, there are no other people involved, and no one you can see. There’s just enough depersonalization and desensitization to come up with an excuse [to cheat or hack] with very little inner conflict.”
Hacking began to cause increasingly heavy collateral damage. Hackers began routinely installing a small program, called a bot, short for robot. A bot sits on the hard drive and receives instructions from a controller over an IRC (Internet relay chat) channel. An IRC channel is nothing more than a private instant messaging line, the same technology used for popular public instant messaging services such as AOL’s AIM, Microsoft’s Windows Live Messenger, and Yahoo! Chat.
A hacker in command of an IRC channel through which dozens, hundreds, or even thousands of bots report for duty is called a bot herder. Among black hats, one measure of skill became how good you were at assembling large bot herds and using them to launch so-called DDoS (distributed-denial-of-service) attacks.
In a DDoS attack, the controller instructs all of the bots in a bot herd to simultaneously flood a targeted Web address with repeated nuisance messages, thus crippling the Web site. In February 2000, a black hat calling himself Mafiaboy installed bots on computers at Yale and Harvard universities and used them to crash CNN’s Web site for four hours and create chaos at the Web sites of Yahoo, eBay, Amazon, Dell, Excite, and E-Trade. He bragged in chat rooms that the FBI would never catch him.
With help from the Royal Canadian Mounted Police (RCMP), the FBI traced Mafiaboy to a large Montreal home in an upscale subdivision astride the Club De Golf St. Raphael. A dozen RCMP agents raided the residence at 3 a.m. and arrested a fifteen-year-old boy, who instantly became a cause célèbre, the subject of editorial cartoons and a Free Mafiaboy campaign. Mafiaboy pleaded guilty to fifty-six criminal counts related to the attacks and was sentenced to eight months in a detention home.
Mafiaboy’s father told reporters the youth played sports and had other interests. “He’s not fixated on computers to the point where it would damage his health,” the father said. “I think he learned a big lesson and he’ll put it to good use.”
As the Mafiaboy furor subsided, Code Red slithered into the headlines. Code Red was created to take advantage of a security hole in Microsoft’s IIS software, used to serve up Web pages. The IIS vulnerability had been discovered by a black hat-turned-white hat, Marc Maiffret, cofounder and chief hacking officer of eEye Digital Security.
This is how Maiffret describes how he became a vulnerability researcher: “The short version is: Bad home life, computers were an escape, learned about phone phreaking, eventually led to hacking, eventually led to doing illegal things, which caused me to be raided by the FBI when I was seventeen, which caused me to have a wake-up call to do something with my life, in which I cofounded eEye, became the chief hacking officer, and have been one of the people shaping the security landscape ever since.”
Maiffret had advised Microsoft about the flaw in IIS in early 2001. He waited patiently to take credit for it on June 18, once Microsoft had a patch ready. At the time, simply issuing a patch didn’t mean the patch would get installed on all vulnerable machines in a timely manner. Patches can crash programs and foul corporate systems, and in 2001 they weren’t a high priority for many companies.
In mid-July (Friday the thirteenth, to be exact), twenty-five days after Microsoft released the IIS patch, Maiffret and some colleagues, energized by swigs of a megacaffeinated soft drink, worked through the night to reverse engineer Internet traffic logs from an IIS Web server that had bogged down. They uncovered an automated program that was snaking around the Internet in search of unpatched IIS Web servers. Each time the program found one, it posted “HELLO! Hacked By Chinese!” on the Web page.
Maiffret christened the program Code Red, a reference to the Asian defacement “and because Code Red Mountain Dew was the only thing that kept us awake while we disassembled the exploit.”
Unlike an e-mail virus, Code Red spread on its own with no action required by the PC user. Maiffret and his cohorts had uncovered the first major self-propagating worm.
Code Red did double duty. It also organized infected machines into bot herds standing at the ready to launch DDoS attacks against designated Web addresses. Its first target: www.whitehouse.gov, the White House’s Web site.
Code Red compromised 225,000 IIS Web servers in half a day, and set up a DDoS attack to shut down www.whitehouse.gov. The White House dodged the attack. Yet, Code Red would linger on the Internet for years, breaking into millions of PCs. And it established a model for what would become a familiar cycle. Vulnerability researchers would find a fresh security hole; Microsoft would issue a patch; black hats would race to exploit as many PCs as possible before the patch got widely distributed.
“No one was really patching their systems, or aware of the threat that their businesses were exposed to by running Microsoft software,” says Maiffret. “Code Red was the wake-up call not only to an industry but truly to the entire world, which had grown dependent on computers and Microsoft.”