
The Art of War and E-Commerce Essay (page 1 of 2)

The Art Of War And E-Commerce Essay, Research Paper

The Art of War and E-Commerce

How Secure are our Secured Transmissions?

Sun Tzu (Sun Wu) is the reputed author of the Chinese classic Ping-fa (The Art of War), written approximately 475-221 B.C. Penned at a time when China was divided into six or seven states that often resorted to war with each other in their struggles for supremacy, it is a systematic guide to strategy and tactics for rulers and commanders. In doing business on the Internet during this time of rampant computer viruses and hacker attacks, it may be wise for us to follow some of his tactical principles in order to ensure the safety of ourselves and our future clients.

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

In a chilling article entitled "Big Brother is Watching," Bob Sullivan of MSNBC recounts a conversation during a recent visit to London: "Only moments after stepping into the Webshack Internet café in London's Soho neighborhood, Mark asked me what I thought of George W. Bush and Al Gore. 'I wouldn't want Bush running things,' he said. 'Because he can't run his Web site.' Then he showed me a variety of ways to hack Bush's Web sites. That was just the beginning of a far-reaching chat during which the group nearly convinced me Big Brother is in fact here in London. 'I don't know if he can run the free world,' Mark said. 'He can't keep the Texas banking system computers secure.'"

So-called 2600 clubs are a kind of hacker boy scout organization; there are local 2600 chapters all around the globe. It is in this environment, and this mindset, that London's hackers do their work. They do not analyze computer systems and learn how to break them out of spite, or some childish need to destroy: Mark and friends see themselves as merely accumulating knowledge that could be used in self-defense if necessary. They are the citizen's militia, the Freedom Fighters of the Information Age, trying to stay one step ahead of technology that could one day be turned against them.

Jon-K Adams in his treatise entitled "Hacker Ideology" (aka "Hacking Freedom") states that hackers have been called both techno-revolutionaries and heroes of the computer revolution. Hacking "has become a cultural icon about decentralized power." But for all that, hackers are reluctant rebels. They prefer to fight with code rather than with words. And they would rather appear on the net than at a news conference. Status in the hacker world cannot be granted by the general public: it takes a hacker to know and appreciate a hacker. That's part of the hacker's revolutionary reluctance; the other part is the news media's slant toward sensationalism, such as, "A CYBERSPACE DRAGNET SNARED FUGITIVE HACKER." The public tends to think of hacking as synonymous with computer crime, with breaking into computers and stealing and destroying valuable data. As a result of this tabloid mentality, the hacker attempts to fade into the digital world, where he (and it is almost always he) has a place if not a home.

In his self-conception, the hacker is not a criminal, but rather a "person who enjoys exploring the details of programmable systems and how to stretch their capabilities." Which means that he is not necessarily a computer geek. The hacker defines himself in terms that extend beyond the computer, as an "expert or enthusiast of any kind. One might be an astronomy hacker" (Jargon File). So in the broadest sense of his self-conception, the hacker hacks knowledge; he wants to know how things work, and the computer, the prototypical programmable system, simply offers more complexity and possibility, and thus more fascination, than most other things.

From this perspective, hacking appears to be a harmless if nerdish enthusiasm. But at the same time, this seemingly innocent enthusiasm is animated by an ideology that leads to a conflict with civil authority. The hacker is motivated by the belief that the search for knowledge is an end in itself and should be unrestricted. But invariably, when a hacker explores programmable systems, he encounters barriers that bureaucracies impose in the name of security. For the hacker, these security measures become arbitrary limits placed on his exploration, or in cases that often lead to confrontation, they become the focus of further explorations: for the hacker, security measures simply represent a more challenging programmable system. As a result, when a hacker explores such systems, he hacks knowledge, but ideologically he hacks the freedom to access knowledge.

Political hackers are another group considering themselves modern freedom fighters. Hacktivists have officially moved from nerdish extremists to become the political protest visionaries of the digital age, a meeting at the Institute of Contemporary Arts in London was told on Thursday.

Paul Mobbs, an experienced Internet activist and anti-capitalist protester, will tell attendees that the techniques used by politically minded computer hackers, from jamming corporate networks and sending email viruses to defacing Web sites, have moved into the realm of political campaigning. Mobbs says that the term "Hacktivism" has been adopted by so many different groups, from peaceful Net campaigners to Internet hate groups, that it is essentially meaningless, but claims that Internet protest is here to stay. "It has a place, whether people like it or not," says Mobbs.

Steve Mizrach in his 1997 dissertation entitled "Is there a Hacker Ethic for 90s Hackers?" delves into this subject in great detail. He describes the divergent groups of hackers and explains their modus operandi:

Who is the Computer Underground?

I define the computer underground as members of the following six groups. Sometimes I refer to the CU as “90s hackers” or “new hackers,” as opposed to old hackers, who are hackers (old sense of the term) from the 60s who subscribed to the original Hacker Ethic.

Hackers (Crackers, system intruders) – These are people who attempt to penetrate security systems on remote computers. This is the new sense of the term, whereas the old sense of the term simply referred to a person who was capable of creating hacks, or elegant, unusual, and unexpected uses of technology. Typical magazines (both print and online) read by hackers include 2600 and Iron Feather Journal.

Phreaks (Phone Phreakers, Blue Boxers) – These are people who attempt to use technology to explore and/or control the telephone system. Originally, this involved the use of “blue boxes” or tone generators, but as the phone company began using digital instead of electro-mechanical switches, the phreaks became more like hackers. Typical magazines read by Phreaks include Phrack, Line Noize, and New Fone Express.

Virus writers (also, creators of Trojans, worms, logic bombs) – These are people who write code which attempts to a) reproduce itself on other systems without authorization and b) often has a side effect, whether that be to display a message, play a prank, or trash a hard drive. Agents and spiders are essentially ‘benevolent’ virii, raising the question of how underground this activity really is. Typical magazines read by Virus writers include 40HEX.

Pirates – Piracy is sort of a non-technical matter. Originally, it involved breaking copy protection on software, and this activity was called “cracking.” Nowadays, few software vendors use copy protection, but there are still various minor measures used to prevent the unauthorized duplication of software. Pirates devote themselves to thwarting these things and sharing commercial software freely with their friends. They usually read Pirate Newsletter and Pirate magazine.

Cypherpunks (cryptoanarchists) – Cypherpunks freely distribute the tools and methods for making use of strong encryption, which is basically unbreakable except by massive supercomputers. Because the NSA and FBI cannot break strong encryption (which is the basis of the PGP or Pretty Good Privacy), programs that employ it are classified as munitions, and distribution of algorithms that make use of it is a felony. Some cryptoanarchists advocate strong encryption as a tool to completely evade the State, by preventing any access whatsoever to financial or personal information. They typically read the Cypherpunks mailing list.

Anarchists – are committed to distributing illegal (or at least morally suspect) information, including but not limited to data on bombmaking, lockpicking, pornography, drug manufacturing, pirate radio, and cable and satellite TV piracy. In this parlance of the computer underground, anarchists are less likely to advocate the overthrow of government than the simple refusal to obey restrictions on distributing information. They tend to read Cult of the Dead Cow (CDC) and Activist Times Incorporated (ATI).

Cyberpunk – usually some combination of the above, plus interest in technological self-modification, science fiction of the Neuromancer genre, and interest in hardware hacking and “street tech.” A youth subculture in its own right, with some overlaps with the “modern primitive” and “raver” subcultures.

So should we fear these geeky little mischief-makers?

The New York Post revealed recently that a busboy allegedly managed to steal millions of dollars from the world's richest people by stealing their identities and tricking credit agencies and brokerage firms. In his article describing this event Bob Sullivan says, "Abraham Abdallah, I think, did us all a favor, for he has exposed as a sham the security at the world's most important financial institutions. The same two free e-mail addresses were used to request financial transfers for six different wealthy Merrill Lynch clients, according to the Post story. Merrill Lynch didn't notice? Why would Merrill accept any transfer requests, indeed take any financial communication seriously at all, from a free, obviously unverified anonymous e-mail account? I'm alarmed by the checks and balances that must be in place at big New York brokerage firms."

Rather than being a story about a genius who almost got away, this is simply one more story of easy identity theft amid a tidal wave of similar crimes. The Federal Trade Commission has received 40,000 complaints of identity theft since it started keeping track two years ago, but the agency is certain that represents only a fraction of real victims. This is a serious problem, long ignored by the industry. In fact, just last year the credit industry beat back a congressional bill known as The Identity Theft Protection Act, claiming it would be too expensive for them. Clearly there has to be more leveling of the playing field. We have to hold banks and credit unions accountable.
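The check Sullivan finds missing at Merrill Lynch can be written down as a screening rule: is the instruction coming from the address the firm verified for that client out of band, is the sending domain one anyone can register at anonymously, and is one mailbox speaking for several unrelated accounts? The following is an added example, not code from Sullivan's article or from any brokerage; the client IDs, addresses, verified-contact table and the free-webmail domain list are all constructed for the demonstration.

```python
"""Screen wire-transfer instructions received by e-mail before anyone acts on
them. Added example; every record and table below is constructed."""
from collections import defaultdict

# Constructed sample: (client_id, sender_address) for each transfer request.
SAMPLE_REQUESTS = [
    ("C1001", "alice.client@example-bank.com"),
    ("C1002", "bobshome@freemail.example"),
    ("C1003", "bobshome@freemail.example"),
    ("C1004", "fastcash99@freemail.example"),
    ("C1005", "fastcash99@freemail.example"),
    ("C1006", "carol@verified-client.example"),
]

# Constructed: the one address each client confirmed with the firm in person
# or by a call back to a number already on file.
VERIFIED_CONTACT = {
    "C1001": "alice.client@example-bank.com",
    "C1006": "carol@verified-client.example",
}

# Constructed: providers where anyone can open a mailbox with no identity check.
FREE_WEBMAIL_DOMAINS = {"freemail.example"}


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; the whole string if no '@'."""
    return addr.rsplit("@", 1)[-1].lower()


def flag_requests(requests, verified=VERIFIED_CONTACT,
                  free_domains=FREE_WEBMAIL_DOMAINS) -> dict:
    """Return {client_id: [reasons]} for every request that must not be
    executed on the strength of the e-mail alone. Clean requests are absent."""
    # First pass: which client accounts does each sender claim to speak for?
    clients_by_sender = defaultdict(set)
    for client, sender in requests:
        clients_by_sender[sender.lower()].add(client)

    flags = {}
    for client, sender in requests:
        addr = sender.lower()
        reasons = []
        if sender_domain(addr) in free_domains:
            reasons.append("sender uses a free, unverified webmail domain")
        if verified.get(client, "").lower() != addr:
            reasons.append("sender is not the client's verified contact address")
        others = sorted(clients_by_sender[addr] - {client})
        if others:
            reasons.append("same sender also instructs clients " + ", ".join(others))
        if reasons:
            flags[client] = reasons
    return flags


if __name__ == "__main__":
    for client, reasons in sorted(flag_requests(SAMPLE_REQUESTS).items()):
        print(client)
        for reason in reasons:
            print("   -", reason)
```

The third rule is the one that would have caught the Post story on its own: two addresses requesting transfers for six different clients is a pattern no verified-contact table is needed to see. Any flagged request should go to a call back on a number already on file, not to a reply to the same mailbox.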

Last month the U.S. Federal Bureau of Investigation (FBI) was again warning electronic-commerce Web sites to patch their Windows-based systems to protect their data against hackers.

The FBI’s National Infrastructure Protection Center (NIPC) has coordinated investigations over the past several months into organized hacker activities targeting e-commerce sites. More than 40 victims in 20 states have been identified in the ongoing investigations, which have included law enforcement agencies outside the United States and private sector officials.

The investigations have uncovered several organized hacker groups from Russia, Ukraine, and elsewhere in Eastern Europe that have penetrated U.S. e-commerce and online banking computer systems by exploiting vulnerabilities in the Windows NT operating system, the statement said. Microsoft has released patches for these vulnerabilities, which can be downloaded from Microsoft's Web site for free.

Once the hackers gain access, they download proprietary information, customer databases, and credit card information, according to the FBI. The hackers subsequently contact the company and attempt to extort money by offering to patch the system and by offering to protect the company’s systems from exploitation by other hackers.

The hackers tell the victim that without their services they cannot guarantee that other hackers will not access their networks and post stolen credit card information and details about the site’s security vulnerability on the Internet. If the company does not pay or hire the group for its security services, the threats escalate, the FBI said. Investigators also believe that in some instances the credit card information is being sold to organized crime groups.

Defend yourself when you cannot defeat the enemy, and attack the enemy when you can.

Scott Culp, in a detailed list of security precautions on Microsoft's Web page, suggests that there are ten immutable laws of security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. That's why it's important to never run, or even download, a program from an untrusted source (and by "source" I mean the person who wrote it, not the person who gave it to you).

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore. In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the machine to do certain things. Change the ones and zeroes, and it will do something different. To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they’re trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there’s no limit to what he can do. He can steal passwords, make himself an administrator on the machine, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected.
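Law #2 ends with "make sure that the system files are well protected," and the usual way to know whether they still are is a signed baseline of their hashes that can be checked later. The following is an added example, not code from Culp's article or from Microsoft: it hashes a directory tree, authenticates the baseline with an HMAC whose key is assumed to live off the host (otherwise the intruder who can rewrite the files can rewrite the baseline too), and reports what was added, changed or removed. The directory, file names, key and "intruder" edits are constructed for the demonstration.

```python
"""File-integrity baseline and check in the spirit of Law #2.
Added example; the tree, key and tampering below are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def make_baseline(root: str, key: bytes) -> bytes:
    """Serialize the tree's digests and tag them with HMAC-SHA256, so a
    baseline edited by whoever can edit the files no longer verifies."""
    body = json.dumps(hash_tree(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": body.decode(), "tag": tag}).encode()


def verify(root: str, baseline: bytes, key: bytes) -> dict:
    """Return {'added': [...], 'modified': [...], 'removed': [...]}.
    Raises ValueError when the baseline's tag does not check out."""
    doc = json.loads(baseline)
    body = doc["files"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline tag mismatch: tampered baseline or wrong key")
    old, new = json.loads(body), hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then play the
    intruder who trojans one binary, drops a new one and deletes a file."""
    key = b"constructed-key-kept-off-the-host"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        originals = {("bin", "login"): b"original login",
                     ("bin", "passwd"): b"original passwd",
                     ("config.sys",): b"settings"}
        for parts, content in originals.items():
            with open(os.path.join(root, *parts), "wb") as f:
                f.write(content)
        baseline = make_baseline(root, key)

        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"login that also records every password typed")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"new service")
        os.remove(os.path.join(root, "config.sys"))
        report = verify(root, baseline, key)

        # The intruder rewrites the baseline to match the trojaned tree but
        # cannot recompute the tag without the key.
        forged = json.loads(baseline)
        forged["files"] = json.dumps(hash_tree(root), sort_keys=True)
        try:
            verify(root, json.dumps(forged).encode(), key)
            report["forged_rejected"] = False
        except ValueError:
            report["forged_rejected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat that Law #2 itself implies: once the operating system is the intruder's, the checker, its libraries and the kernel that reads the files back are all suspect, so a check like this is trustworthy only when run from known-good media against the offline disk, with the key and the baseline stored elsewhere.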

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

He could unplug the computer, haul it out of your building, and hold it for ransom.

He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem: if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways.)

He could remove the hard drive from your computer, install it into his computer, and read it.

He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.

He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value, and remember that the value of a machine includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical machines like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other machines as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with (small size, light weight, and so forth) also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Windows 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.

Law #4: If you allow a bad guy to upload programs to your web site, it’s not your web site any more. This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his machine and running it. In this one, the bad guy uploads a harmful program to a machine and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your machine, web sites are involved in the overwhelming majority of these cases. Many people who operate web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we’ve seen above, unpleasant things can happen if a bad guy’s program can run on your machine.
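The "too hospitable" upload handler of Law #4 and its hardened counterpart, side by side, as an added example (not code from Culp's article or from Microsoft). The unsafe version lets the visitor name the file and drops it inside the document root, so a server-side handler for that extension runs it; the safe version strips any directory part, refuses executable extensions anywhere in the name, checks the first bytes against the claimed format, and writes under a server-chosen name outside the web root with no execute bit. The extension lists, magic numbers, directories and sample uploads are constructed for the demonstration.

```python
"""Law #4: a visitor's upload must stay data and never become a program.
Added example; the directories and sample uploads are constructed."""
import os
import re
import secrets
import tempfile

# Constructed: extensions a typical web server or OS would execute rather than serve.
EXECUTABLE_EXT = {"php", "phtml", "asp", "aspx", "jsp", "cgi", "pl", "py", "sh",
                  "exe", "dll", "bat", "cmd", "com", "scr", "vbs", "js", "htaccess"}
# Constructed: the only types this site agrees to keep.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG",
         "gif": b"GIF8", "pdf": b"%PDF"}


def store_upload_unsafe(webroot: str, filename: str, data: bytes) -> str:
    """The hospitable version: the visitor's name is used as given and the
    file lands inside the document root. '../' escapes the uploads folder and
    'shell.php' is executed the moment someone requests it."""
    path = os.path.join(webroot, "uploads", filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


class RejectedUpload(ValueError):
    pass


def store_upload_safe(store_dir: str, filename: str, data: bytes,
                      max_bytes: int = 5_000_000) -> str:
    """Hardened version. store_dir is assumed to be outside the web root and
    never mapped to a URL; the application streams files back itself."""
    if len(data) > max_bytes:
        raise RejectedUpload("too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    parts = base.lower().split(".")
    if len(parts) < 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise RejectedUpload("bad file name")
    # Every extension in the name counts: 'cat.jpg.php' and 'cat.php.jpg' are
    # both refused, since some handlers act on any recognised extension.
    exts = parts[1:]
    if any(e in EXECUTABLE_EXT for e in exts) or exts[-1] not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed")
    # Do not trust the name alone: the bytes must look like the claimed format.
    if exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
        raise RejectedUpload("content does not match extension")
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    # Server-chosen name: no path choice, no collisions, no guessable URL.
    stored = os.path.join(store_dir, f"{secrets.token_hex(16)}.{exts[-1]}")
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # rw, no exec
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def demo() -> dict:
    """Run constructed uploads through both handlers inside a temp directory."""
    samples = {
        "shell.php": b"<?php system($_GET['c']); ?>",
        "../../etc/cron.d/job": b"* * * * * root /tmp/x",
        "cat.jpg.php": b"\xff\xd8\xff not really a picture",
        "photo.png": b"\x89PNG\r\n\x1a\n...",
        "note.txt": b"hello",
    }
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "www")
        store = os.path.join(tmp, "private_uploads")
        for name, data in samples.items():
            unsafe_path = os.path.normpath(store_upload_unsafe(webroot, name, data))
            try:
                safe = "stored as " + os.path.basename(store_upload_safe(store, name, data))
            except RejectedUpload as e:
                safe = f"rejected: {e}"
            outcome[name] = {"unsafe_inside_webroot": unsafe_path.startswith(webroot),
                             "safe": safe}
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r}: unsafe handler kept it in webroot={result['unsafe_inside_webroot']}; "
              f"safe handler: {result['safe']}")
```

Even the hardened handler only removes the easiest path. Whatever eventually parses the stored file (an image library, a PDF renderer) is still running on attacker-supplied input, so it belongs in a low-privilege process, which is Law #1 again from the server's side.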