MPM Class A
111416
29/08/08
ABSTRACT
ECONOMY?
By
Tommy Coyne
At
In conjunction with
ABSTRACT
INTRODUCTION
RESEARCH QUESTIONS
AIMS
EFFECTS
STATISTICS
THE BEGINNINGS
HACKERS
CYBER TERRORISM
MOTIVES
TACTICS
GAINING ACCESS
HACKING GOOGLE
LITERATURE REVIEW
CYBER CRIMINOLOGY
PROTECTION
CONCLUSION
BIBLIOGRAPHY
ABSTRACT
Cyber space is constantly being attacked or abused. There are many criminals out to
achieve their ulterior motives (most of them criminal in nature). The first obvious motive of
a crime is usually money. Why risk getting thrown into prison for a long time? Because if
you can get away with it, you’ll be many times richer than you are presently. Examples of
networks which, when intruded, yield a lot of money include bank networks and
information networks. With hackers growing exponentially, the threat of E-commerce
infiltration is an issue that various internet security firms have tried to overcome. With news
reports of thousands of customers’ credit card details being lost due to either the misplacement
of a laptop or hacker infiltration through secure networks, it is easy to see that there is a big
problem affecting all financial organisations, be they Irish or international. According
to the Irish Cyber crimes survey, cybercrime is virtually universal: 98% of Irish companies
(who responded to the survey) reported issues, the most common of which were viruses and
other malicious software (90%), misuse of systems (88%), asset theft (63%) and phishing
(56%). A hacker by definition believes in access to free information. They are usually very
intelligent people who could care very little about what you have on your system. Their thrill
comes from system infiltration for information reasons. Hackers, unlike “crackers and
anarchists”, know that being able to break system security doesn’t make you a hacker any more
than adding 2+2 makes you a mathematician. Cyber-terrorism basically means the act of
carrying out terrorism using cyberspace, or in other words, the Internet. It is the hacking or
attacking of networks and computers to obtain or modify information for political and/or
social objectives or rather, a way to quickly and easily distribute propaganda and get a lot of
attention drawn to it.
Hackers and their effect on Electronic Commerce
“Are hackers a threat? The degree of threat presented by any conduct, whether legal or
illegal, depends on the actions and intent of the individual and the harm they cause.”
Kevin Mitnick
“Today, the cyber economy is the economy. Corrupt those networks and you can disrupt a
nation.”
This dissertation is intended to find out what effects hackers have on the Irish
economy, how much of the Irish economy is lost annually due to hackers and what
prevention measures should be enforced to protect businesses and corporations from the
hacking community. There have been many reports of late in the news about various
hacker activities in places like the United States, Europe and Asia. One of the latest of those
“On the lookout for information about UFOs, Gary McKinnon, a Glaswegian by birth, broke
into several dozen computers used by NASA and the US military. Today, Mr. McKinnon lost
his plea to the Lords of Appeal in London to prevent his extradition to the US where the 42-
year-old may face at least 10 years behind bars. US officials accuse the man of having stolen
950 passwords and deleting documents. His crime may be treated as an act of terrorism.
McKinnon was arrested in the UK in 2002 but not charged.”
http://www.heise.de/english/newsticker/news/113593
Even in Ireland, hackers are making an appearance. The Irish hacker is a couple of years
behind their international peers when it comes to the numbers of hackers per capita. That and
the fact, that there haven’t been that many ‘High Profile Hacks’, associated with Elite
Hackers, which is surprising since there has been a massive increase of I.T. professionals
Hacking is not territorial though, so international hackers from anywhere in the world can
hack a system in a matter of minutes. Ireland’s only saving grace is that there are not that
The dramatic shut-down of Eircom's ISP (Eircom.net) following a successful hack attack
perpetrated by a teenager in 2000 demonstrated how even major companies can fall victim to
such attacks. The best way for businesses to avoid this type of disaster is to keep online
security on their minds and make it part of the culture of the firm. Buying sophisticated
security software is only part of the solution. Firms have to constantly monitor their security
and simulate hacking scenarios to keep secure. Due to the way security had been
implemented on these products, hackers and anybody with reasonable computer knowledge
could freely use them to access the internet. The wireless routers use a security protocol
called Wired Equivalent Privacy (WEP). This protocol requires anybody accessing the
wireless network to enter a 16-digit password. This code is generated from the serial number
of the router as well as some text which is converted to numerical values. The text used
includes eight snippets of lyrics from guitar legend Jimi Hendrix. The security problem
occurs because the unique eight digit number that is broadcast as the name of the network is
also derived from the serial number. As a result hackers simply have to look at the name of
the Eircom network to get access to it. Both downloadable tools and websites have emerged
which automatically create the 16-digit key when the network name is keyed in. Eircom
issued a statement saying it is aware of the issue and would contact all affected broadband
customers. The Netopia routers in question were the 3300 and 2247 series. Users who had
changed the default set up were unaffected by the problem. All new modems sold by Eircom
would have instructions on how to change the default WEP key while existing customers
Eircom pointed out that accessing wireless networks without permission is a criminal offence
under the Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraud Offences)
Act 2001.
Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with
stolen credit card data, driver's license numbers, and malware, the programs that let hackers
organized bunch; they use peer-to-peer payment systems just like they're buying and selling
Some hackers take the direct approach. Ransom scams, in which a criminal infects a
company's systems with malware that encrypts data and then demands money to provide the
decryption key, are common in Russia. Uriel Maimon, a researcher with the consumer
division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these
“Last week there was a security at Ireland’s largest online recruiter. Jobs.ie reported that
last Thursday, March 27th, there was a security breach of their website and a number of CVs
were stolen. Obviously these CVs contained a number of personal details and in the wrong
hands these details could be used for illegal activities. One report mentions that up to 60,000
Irish CVs were stolen in this breach, which it is said were mostly archived CVs as opposed to
current ones.” 31 March 2008 http://www.eirjobs.com/news/
“MORE THAN a hundred Irish websites have fallen victim to hacker attacks in the last
month including one for the Irish presidency of the EU, which was developed at a cost of
over €2 million.
Research Questions:
I hope to be able to find out how Ireland’s economy is affected and to what extent.
I will use graphs to illustrate the amount of revenue that has been misappropriated from
Ireland. This study should also help to find out any information, if any, on where the attacks
are originating from and what preventive measures can be taken in the future to help decrease
“A new study carried out by the Centre for Cybercrime Investigation, along with the
Information Systems Security Association (ISSA) and University College Dublin's School of
Computer Science and Informatics, found over half of all Irish companies that experienced
some form of cybercrime ended up reporting losses of more than EUR25,000 as a direct
result. The survey, which included input from academics, industry and An Garda Siochana
computer experts, noted that although companies were aware of the presence of threats from
hackers and malicious programs like computer viruses, a disturbing 68 percent of
respondents said incidents are predominantly discovered only by accident and - more
worryingly - usually after the damage is already done.” Enterprise Ireland eBusiness Live, March 20th 2007
http://www.ebusinesslive.ie/newsletter/Story/4/791/ob.html/179
AIMS
ISSA / UCD Irish Cybercrime Survey 2006
The primary aim is to determine whether cybercrime is affecting Irish organisations. This
question is answered very clearly: cybercrime is virtually universal, with 98% of our
respondents reporting issues, the most common of which were viruses and other malicious
software (90%), misuse of systems (88%), asset
theft (63%) and phishing (56%). In order to gauge the impact on each organisation,
respondents were asked to identify the cost of their most significant incident. 76% of
respondents reported incidents which cost over €5,000 to correct, while costs of over
breaches were reported as loss of productivity (89%), loss of data (56%) and the departure of
dominated by chance discoveries, such as accidental detection (68%) and discovery by non-
organisations (58%) customers (42%), and individuals (39%). Finally, in assessing how
organisations respond to cybercrime our questions included the outcome of issues involving
internal personnel and the role of the law. Virtually all respondents (97%) reported invoking
internal disciplinary processes to deal with problems, while 39% have had employees resign
or be terminated. 18% of respondents have engaged law enforcement to deal with an internal
employee issue and of those, two-thirds have seen an investigation result in prosecution.
With hackers growing exponentially, the threat of E-commerce infiltration is an issue that
various internet security firms have tried to overcome. With news reports of thousands of
customers’ credit card details being lost due to either the misplacement of a laptop or hacker
infiltration through secure networks, it is easy to see that there is a big problem affecting
all financial organisations, be they Irish or international. According to the Irish Cyber crimes
survey, cybercrime is virtually universal: 98% of Irish companies (who responded to the
survey) reported issues, the most common of which were viruses and other malicious
software (90%), misuse of systems (88%), asset theft (63%) and phishing (56%). The scary
part is that each of these incidents costs money - anything from €5,000, to well over
€100,000. What's even scarier is the fact that in 2006 only 42 organisations were prepared to
respond to the survey! No one wants to admit to being a victim of cybercrime (as it implies
that your IT security isn't as good as it could be), but I'm certain that there were more than 42
“In one of the most high-profile cases of telecoms fraud, the phone system at the Department
of Social and Family Affairs was hijacked in 2002 and used to route international calls. This
allows callers to dial international numbers at little or no cost to the caller, as the owner of
the system foots the bill for the calls. A report by the Comptroller and Auditor General found
the department incurred significant losses, amounting to €300,000, over a single weekend.”
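The pattern in the report above, a phone system routing international calls over a single weekend, is one that a check over the system's call records can surface before the bill arrives. The following is an added example, not part of the original dissertation or of the report it quotes; the record layout, the "00" international prefix, the business hours and the alert thresholds are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call detail records (CDRs). Column names, extensions and dialled
# numbers are made up for this example; 1-3 March 2002 is a Friday to Sunday.
SAMPLE_CDR = """\
start,extension,dialled,seconds,cost_eur
2002-03-01 10:15:00,2101,00442079460000,300,0.90
2002-03-01 14:30:00,2102,018765432,240,0.20
2002-03-01 19:05:00,2101,00442079460000,120,0.60
2002-03-02 01:10:00,2199,0099900000001,3600,37.50
2002-03-02 01:12:00,2199,0099900000002,4000,42.25
2002-03-02 03:40:00,2199,0099900000001,2900,30.00
2002-03-02 09:05:00,2199,0099900000003,3900,40.25
2002-03-03 11:00:00,2105,0099900000004,7200,75.00
2002-03-03 13:20:00,2199,0099900000001,5300,55.00
2002-03-03 13:25:00,2199,0099900000002,2000,20.50
2002-03-03 22:45:00,2199,0099900000003,6000,61.75
"""

INTERNATIONAL_PREFIX = "00"            # assumption: international access code
BUSINESS_START, BUSINESS_END = 8, 18   # assumption: staffed Mon-Fri 08:00-18:00


def is_off_hours(ts):
    """True at weekends and outside staffed hours on weekdays."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def parse_cdrs(text):
    """Yield one dict per call record from CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "cost": float(row["cost_eur"]),
        }


def detect_toll_fraud(text, min_calls=3, min_cost=50.0):
    """Flag (day, extension) pairs with unusual off-hours international use.

    A pair is flagged when its off-hours international calls reach either
    the call-count threshold or the cost threshold for that day.
    """
    buckets = defaultdict(lambda: {"calls": 0, "cost": 0.0, "dest": set()})
    for cdr in parse_cdrs(text):
        if not cdr["dialled"].startswith(INTERNATIONAL_PREFIX):
            continue                      # domestic call, not the pattern of interest
        if not is_off_hours(cdr["start"]):
            continue                      # staffed hours, assumed legitimate
        bucket = buckets[(cdr["start"].date().isoformat(), cdr["extension"])]
        bucket["calls"] += 1
        bucket["cost"] += cdr["cost"]
        bucket["dest"].add(cdr["dialled"])

    alerts = []
    for day, extension in sorted(buckets):
        bucket = buckets[(day, extension)]
        if bucket["calls"] >= min_calls or bucket["cost"] >= min_cost:
            alerts.append({
                "date": day,
                "extension": extension,
                "calls": bucket["calls"],
                "cost_eur": round(bucket["cost"], 2),
                "destinations": len(bucket["dest"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_toll_fraud(SAMPLE_CDR):
        print(alert)
```

In the constructed data the single Friday-evening call stays below both thresholds, while the weekend activity on extensions 2199 and 2105 is flagged.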
Organisation information shows that the majority of responses come from organisations in
financial services (29%), IT / ICT (18%) or education (11%). Each remaining category
represents fewer than 8% of responses, however when combined, government and semi-state
The introduction of home computers in large numbers in the 1980s was probably the
beginning of the era of premature attackers. Computers such as the Commodore C64, Amiga
500, Atari ST and IBM PCs were introduced into the bedrooms of teenagers. These
computers had several advantages over other toys such as game consoles. You could program
Recently, the term hacker has taken on a new meaning: someone who maliciously breaks
into systems for personal gain. Technically, these criminals are crackers (criminal hackers).
Crackers break into (crack) systems with malicious intent. They are out for personal gain:
fame, profit, and even revenge. They modify, delete, and steal critical information, often
The Internet has grown explosively, with no end in sight. At its inception as ARPANET it
held only 4 hosts. A quarter of a century later, in 1984, it contained only 1000 hosts. But over
the next 5 years this number grew tenfold to 10,000 (1989). Over the following 4 years it
grew another tenfold to 1 million (1993). Two years later, at the end of 1995, the Internet was
estimated to have at least 6 million host computers. There are probably over 10 million now.
There appears to be no end in sight yet to the incredible growth of this mutant child of
ARPANET. In fact, one concern raised by the exponential growth in the Internet is that
demand may eventually far outrace capacity. Because now no entity owns or controls the
Internet, if the capacity of the communications links among nodes is too small, and it were to
become seriously bogged down, it might be difficult to fix the problem. For example, in
1988, Robert Morris, Jr. unleashed a "virus"-type program on the Internet commonly known
as the “Morris Worm.” This virus would make copies of itself on whatever computer it was
on and then send copies over communications links to other Internet hosts. (It used a bug in
sendmail that allowed access to root, allowing the virus to act as the super-user.) Quickly
the exponential spread of this virus made the Internet collapse from the communications
traffic and disk space it tied up. At the time the Internet was still under some semblance of
control by the National Science Foundation and was connected to only a few thousand
computers. The Net was shut down and all viruses purged from its host computers, and then
the Net was put back into operation. Morris, meanwhile, was put in jail.
There is some concern that, despite improved security measures (for example, "firewalls"),
someone may find a new way to launch a virus that could again shut down the Internet. Given
the loss of centralized control, restarting it could be much more time-consuming if this were
to happen again. But reestablishing a centralized control today like what existed at the time
of the “Morris Worm” is likely to be impossible. Even if it were possible, the original
ARPANET architects were probably correct in their assessment that the Net would become
more susceptible for massive failure rather than less if some centralized controls were in
place. Perhaps the single most significant feature of today's Internet is this lack of centralized
control. No person or organization is now able to control the Internet. In fact, the difficulty of
control became an issue as early as its first year of operation as ARPANET. In that year email
was spontaneously invented by its users. To the surprise of ARPANET's managers, by the
second year, email accounted for the bulk of the communication over the system. Because
the Internet had grown to have a fully autonomous, decentralized life of its own, in April
1995, the NSF quit funding NSFNET, the fiber optics communications backbone which at
one time had given NSF the technology to control the system. The proliferation of parallel
communications links and hosts had by then completely bypassed any possibility of
• World Wide Web -- a hypertext publishing network and now the fastest growing part
of the Internet.
• Usenet -- forums in which people can post and view public messages
• file transfer protocol -- a way to download files from remote Internet computers
• Internet relay chat -- real-time text conversations -- used primarily by hackers and
• Gopher -- a way of cataloging and searching for information. This is rapidly growing
obsolete.
As you port surfers know, there are dozens of other interesting but less well known services
The World Wide Web is the newest major feature of the Internet, dating from the spring of
1992. It consists of "Web pages," which are like pages in a book, and links from specially
marked words, phrases or symbols on each page to other Web pages. These pages and links
together create what is known as "hypertext." This technique makes it possible to tie together
many different documents which may be written by many people and stored on many
This technique is based upon the Universal Resource Locator (URL) standard, which
specifies how to hook up with the computer and access the files within it where the data of a
A URL is always of the form http://<rest of address>, where <rest of address> includes a
domain name which must be registered with an organization called InterNIC in order to make
sure that two different Web pages (or email addresses, or computer addresses) don't end up
being identical. This registration is one of the few centralized control features of the Internet.
Hackers
A hacker by definition believes in access to free information. They are usually very
intelligent people who could care very little about what you have on your system. Their thrill
comes from system infiltration for information reasons. Hackers, unlike “crackers and
anarchists”, know that being able to break system security doesn’t make you a hacker any more
than adding 2+2 makes you a mathematician. Unfortunately, many journalists and writers
have been fooled into using the word “hacker.” They have attributed any computer related
illegal activities to the term “hacker.” Real hackers target mainly government institutions.
They believe important information can be found within government institutions. To them the
risk is worth it. The higher the security, the better the challenge. The better the challenge the
better they need to be. Who’s the best keyboard cowboy? So to speak! These individuals
come in a variety of age classes. They range from Secondary School Students to University
Grads. They are quite adept at programming and are smart enough to stay out of the spotlight.
They don’t particularly care about bragging about their accomplishments as it exposes them
to suspicion. They prefer to work from behind the scenes and preserve their anonymity. Not
all hackers are loners, often you’ll find they have a very tight circle of associates, but still
there is a level of anonymity between them. From the research that has been carried out, it
has been found that there is access to all manners of hacking tools and tutorials which are
readily available for the ever curious internet user. An internet user can go online and now
find through torrent sites like ‘The Pirate Bay’ or ‘Torrent Portal’ any and all information that
they may need to pull off successful hacks, ranging from beginner to elite hacker. These
would include tutorials, eBooks and then the actual hacking tools themselves (Trojans,
Viruses, and Port Scanners). The fact that the internet is basically the biggest source of free
There is also now a growing trend of introducing actual hacking courses, of which the text below
is an example:
Description: This course will teach students how to scan, test, break into and secure their
own systems. The lab intensive environment provides each student with in-depth knowledge
and practical experience with current essential computer systems. Students will begin by
understanding how perimeter defences work and then be led into scanning and attacking
their own networks, no real network is harmed. Students then learn how intruders escalate
privileges and what steps can be taken to secure a system. They will also be taught about
Vulnerability Assessment, PenTesting, Social Engineering, DDoS Attacks, Buffer Overflows
and Virus Creation. When a student leaves this intensive 5-day class, he will be equipped
with a thorough understanding along with practical exposure to the subject of Ethical
Hacking.
http://www.hackerscenter.com/index.php?/Blogs/2086-Want-to-learn-to-hack-in-5-Days.html
Thanks to sensationalism, the definition of hacker has transformed from harmless tinkerer
to malicious criminal. Hackers often state that the general public misunderstands them, which
is mostly true. It’s easy to prejudge what you don’t understand. Hackers can be classified by
both their abilities and underlying motivations. Some are skilled, and their motivations are
benign; they’re merely seeking more knowledge. At the other end of the spectrum, hackers
with malicious intent seek some form of personal gain. Unfortunately, the negative aspects of
hacking usually overshadow the positive aspects, resulting in the stereotyping. Historically,
hackers have hacked for the pursuit of knowledge and the thrill of the challenge. Script
kiddies aside, hackers are adventurous and innovative thinkers, and are always thinking about
exploiting computer vulnerabilities. They see what others often overlook. They wonder what
would happen if a cable were unplugged, switches were flipped, or lines of code were
changed in a program. More recent evidence shows that many hackers are hacking for
political, competitive, and even financial purposes, so times are changing. When they were
growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers
Hackers who perform malicious acts don’t really think about the fact that human beings are
behind the firewalls and Web applications they’re attacking. They ignore that their actions
often affect those human beings in negative ways, such as jeopardizing their job security.
Hackers and the act of hacking drive the advancement of security technology. After all,
hackers don’t create security holes; they expose and exploit existing holes in applications.
Unfortunately, security technology advances don’t ward off all hacker attacks, because
hackers constantly search for new holes and weaknesses. The only sure-fire way to keep the
bad guys at bay is to use behaviour modification to change them into productive, well-
adjusted members of society. Good luck with that. However you view the stereotypical
hacker, one thing is certain: Some people always will try to take down your computer
systems through manual hacking or by creating and launching automated worms and other
malware. You must take the appropriate steps to protect your systems against them.
I’m sure if you’re like most people you have web banking of some kind. You probably pay
your bills online via your bank’s website. Most banks require you to use 128-bit encryption
browsers to do your banking online. This form of banking online does encrypt your
information and protect it from the otherwise prying eyes of the world that may wish to gain
access to such vital information. This should further illustrate how powerful the encryption
method is: 40-bit encryption means there are 2^40 possible keys that could fit into the lock
that holds your account information. That means there are many billions (a 1 followed by 12
zeroes) of possible keys. 128-bit encryption means there are 2^88 (a three followed by 26
zeroes) times as many key combinations as there are for 40-bit encryption.
That means a computer would require exponentially more processing power than for 40-bit
encryption to find the correct key. That’s a very powerful method of encrypting data sent
from your machine to the bank’s machine. Unfortunately it’s useless to you once your
Question: How?
One of the features of a “Trojan” is a key logger. The principle behind this is all keystrokes
pressed will be recorded and sent back to the “hacker.” What sort of information do you enter
when you are banking online? Most banks have a login screen of some kind, where you type
in your username and password. Here’s where it gets interesting. This means that once you
type your login and password for your online bank account the “hacker” now has access to
that. You’re probably asking yourself well “How do they know what bank I’m with?” This
information is easily achieved by doing what is called a screen shot. This gives the “hacker” a
picture of your desktop and all windows currently open at the time. The screen shot would
From that screen shot they can tell what site you are at (in which case it would be your bank).
From there it’s just a matter of logging into your bank account and doing whatever they want.
As you can see although you are on a secure web site, it still doesn’t protect your information
once your computer is compromised. Perhaps there are some of you who do not use online
banking. Perhaps you use another program for managing your finances. There is a variety of
programs out there available for financial purposes. Problem is that once a “hacker” has
access to your system, they have access to those files. They can copy the files from your
Cyber terrorism
Cyber space is constantly being attacked or abused. There are many criminals out to
achieve their ulterior motives (most of them criminal in nature). Since computers are so
powerful nowadays, many very powerful and complex software programs exist to facilitate
these criminal acts. In addition to that, these programs are very user-friendly and easy to use.
So much so that even people who are new to computers can use this software to carry out
abuse. Cyberterrorism basically means the act of carrying out terrorism using cyberspace, or
in other words, the Internet. It is the hacking or attacking of networks and computers to
obtain or modify information for political and/or social objectives or rather, a way to quickly
and easily distribute propaganda and get a lot of attention drawn to it. An important criterion
in classifying an act as cyberterrorism is that it spawns fear amongst the masses and it should
cause at least some damage to people or property. Acts which cause damage to non-critical
structures or are just a nuisance are not acts of cyberterrorism. Cyberterrorism causes a lot of
financial damage. They usually affect huge numbers of people. Cyberterrorism is a very
serious crime as it can cause problems to many people at any one time. It has crippling effects
on the economy.
By crippling a country’s economy, a cyber terrorist can also potentially weaken the country
for a military attack to be successful. Attacks on e-commerce websites such as Yahoo and
eBay caused over US$1 billion in losses as these sites work on the basic, clichéd principle,
“Time is Money”. Every second these sites are down, they are potentially losing thousands of
customers. Imagine if each customer spent €100 in purchases. They would be losing
millions of euro per second! Because of the real and imaginary threats hackers pose, an
entire industry exists that is dedicated to stopping the hacker. Seminars are held every week
across the world where computer security experts tell government and corporate managers
what they need to fear and how they need to stop it. Even the United States government has
created a "Cyber Czar" position responsible for protecting their critical infrastructure from
hacker attacks. Such efforts to develop security measures are not without good reason.
Computer viruses are damaging, and every day different hackers across the world find their
way into computer systems they are not supposed to enter. Still, to throw all hackers into the
same negative category too easily simplifies what is a complex situation. In fact, many who
would consider themselves "true" hackers define their identity in large part by their creation
of (or positive additions to) computer systems that are the backbone of today’s technology
infrastructure, and by their opposition to those that seek to control information and access to
technology that many, not just hackers, believe should not be controlled. In fact, some
exceptionally skilled, more socially and politically conscious hackers, discouraged by the
actions and policies of governments they feel to be arrogant, corrupt and oppressive, are
(NGOs) or other political activists or associations, these hackers, also called hacktivists, are
hacking for a cause. Using hacker tools already available or creating their own, they are
targeting those governments responsible for what they consider political, economic, or social
injustice or oppression.
Motives
The first obvious motive of a crime is usually money. Why risk getting thrown into prison for
a long time? Because if you can get away with it, you’ll be many times richer than you are
presently. Examples of networks which, when intruded, yield a lot of money include bank
networks and information networks. This type of business deals a lot with money and any
intruder who gets super-user access into the system can conveniently change the details of the
user accounts within the network or even silently transfer the money over to his bank
account. With super-user access and enough skills, the hacker can even remove any trace
whatsoever of the transaction ever taking place. In the movie “Hackers”, the master hacker
sent out a virus which silently transfers very small amounts of money from hacked user bank
accounts. Nobody ever suspects anything as the amount is small when looked at individually,
but collectively, the amount is enough to make the master hacker a millionaire.
Personal Information
Sometimes hackers are not out for an easy way to get rich. Rather, they’re out for power. Just
like not all criminals commit crimes for money. Some steal information in order that their
own companies can become powerful. Similarly, personal data like your passport number,
your user id and password to some secure server or even to your bank account can make the
hacker both more powerful and/or richer. In some countries, just by knowing the passport
number of a person, you can check what books he has loaned out from the library, what
school he was posted to and even get to cancel his mobile account. That is pretty scary. What
more if a hacker silently intrudes a network and spies on the user of that network for any
The hacker will ultimately become “God” after being granted such divine powers as to affect
the lives of those he stole personal information from. It can even become a form of blackmail.
type a password at least once a day. Data is often thought of as secure because access to it
requires a password. Users usually are very careful about guarding their password by not
sharing it with anyone and not writing it down anywhere. Passwords are used not only to
authenticate users for access to the files they keep in their private accounts but other
passwords are often employed within multilevel secure database systems. When the user
types any of these passwords, the system does not echo them to the computer screen to ensure
that no one will see them. After jealously guarding these passwords and having the computer
system reinforce the notion that they are private, a setup that sends each character in a
password across the network is extremely easy for any Ethernet sniffer to see. End users do
not realize just how easily these passwords can be found by someone using a simple and
Most users are uneasy about sending financial account numbers, such as credit card numbers
and checking account numbers, over the Internet. This apprehension may be partly because of
the carelessness most retailers display when tearing up or returning carbons of credit card
Although the Internet is by no means bulletproof, the most likely location for the loss of
electronic transactions are as fastidious about security as those that make paper transactions,
so the highest risk probably comes from the same local network in which the users are typing
passwords. However, much larger potential losses exist for businesses that conduct electronic
transactions involve the transmission of account numbers that a sniffer could pick up; the
thief could then transfer funds into his or her own account or order goods paid for by a
corporate account. Most credit card fraud of this kind involves only a few thousand dollars
per incident.
Loss of privacy is also common in e-mail transactions. Many e-mail messages have been
publicized without the permission of the sender or receiver. It is not at all uncommon for e-
memos can be embarrassing when they fall into the wrong hands.
The information that network protocols send between computers includes the hardware addresses of local
network interfaces, the IP addresses of remote network interfaces, IP routing information, and
Knowledge of any of this information can be misused by someone interested in attacking the
security of machines on the network. See the second part of this chapter for more information
on how these data can pose risks for the security of a network. A sniffer can obtain any of
these data. After an attacker has this kind of information, he or she is in a position to turn a
passive attack into an active attack with even greater potential for damage.
Hacking is said to have cost the global economy an estimated $1.2 billion (Niccolai, 2000).
Hacking has driven, and continues to drive, many companies into bankruptcy, because
companies that are hacked repeatedly lose their customers' confidence in the
security capabilities of the company (Furnell, 2002). Banks (1997)
believes that companies are a main target for hackers, who break into their systems to steal
trade information or customers' payment details. Pipkin (1997) focuses on denial of service
and its effects on companies: the company server breaks down under huge traffic, frustrating
customers and hurting the company's reputation. The same goes for software theft, which
bankrupts companies that spend millions to develop and create software that is sadly later
stolen and copied at cheap prices. The main problem is that some companies hire or
use hackers to break into competitors' systems to steal precious information (Randall et al.,
2000). Thomas and Loader (2000) discuss the effect of hacking on e-commerce. Web sites
for online selling are being hacked for the sake of getting customer and company information
Personal Information supplied by job applicants to online recruitment agency Jobs.ie has
been illegally accessed by internet hackers. It is understood that the hackers used an illegally
obtained log-in and password given to employers who are registered with Jobs.ie to access
the job applications area of the site. They then downloaded personal information from CVs
submitted, along with job applications. Most of the stolen information relates to archive CVs
rather than those of people now looking for jobs. The company, which is owned by
businessman Denis O'Brien, has in recent days contacted those affected to warn them of the
possibility that they may receive e-mails from people using their information.
"All of the people affected have been contacted and informed of the situation. We have urged
them to exercise extra vigilance with inbound e-mails in the coming weeks to ensure online
With electronic commerce spreading over the Internet, issues such as non-repudiation remain
to be solved. Financial institutions will have both technical concerns, such as the
security of a credit card number or banking information, and legal concerns for holding
individuals responsible for their actions such as their purchases or sales over the Internet.
Issuance and management of encryption keys for millions of users will pose a new type of
challenge. While some technologies have been developed, only an industry-wide effort and
cooperation can minimize risks and ensure privacy for users, data confidentiality for the
financial institutions, and non-repudiation for electronic commerce. With the continuing
growth in linking individuals and businesses over the Internet, some social issues are starting
to surface. Society may take time to adapt to the new concept of transacting business
over the Internet. Consumers may take time to trust the network and accept it as a substitute
for transacting business in person. Another class of concerns relates to restricting access over
the Internet. Preventing distribution of pornography and other objectionable material over the
Internet has already been in the news. We can expect new social hurdles over time and hope
the great benefits of the Internet will continue to override these hurdles through new
The World Wide Web is the single largest, most ubiquitous source of information in the
world, and it sprang up spontaneously. People use interactive Web pages to obtain stock
quotes, receive tax information from the Internal Revenue Service, make appointments with a
hairdresser, consult a pregnancy planner to determine ovulation dates, conduct election polls,
register for a conference, search for old friends, and the list goes on. Hackers investigating a
target can use munged site values based on the target’s name to dig up Google’s pages (and
subsequently potential data) that may not be available to Google searches using the valid
‘site’ operator.
For the moment, set aside dramatic scenarios such as corporate espionage. These subjects are
exciting for purposes of discussion, but their actual incidence is rare. Instead, I'd like to
concentrate on a very real problem: cost. The average corporate database is designed using
proprietary software. Licensing fees for these big database packages can amount to tens of
thousands of dollars. Fixed costs of these databases include programming, maintenance, and
upgrade fees. In short, development and sustained use of a large, corporate database is costly
and labour intensive. When a firm maintains such a database onsite but without connecting it
to the Internet, security is a limited concern. To be fair, an administrator must grasp the
basics of network security to prevent aspiring hackers in this or that department from gaining
unauthorized access to data. Nevertheless, the number of potential perpetrators is limited and
access is usually restricted to a few, well-known protocols. Now, take that same database and
connect it to the Net. Suddenly, the picture is drastically different. First, the number of
potential perpetrators is unknown and unlimited. An attack could originate from anywhere,
here or overseas. Furthermore, access is no longer limited to one or two protocols. The very
simple operation of connecting that database to the Internet opens many avenues of entry.
For example, database access architecture might require the use of one or more foreign
languages to get the data from the database to the HTML page. I have seen scenarios that
were incredibly complex. In one scenario, I observed a six-part process. From the moment
• The variable search terms submitted by the user were extracted and parsed by a Perl
script.
• The Perl script fed these variables to an intermediate program designed to interface
• The proprietary database package returned the result, passing it back to a Perl script
Anyone legitimately employed in Internet security can see that this scenario was a disaster
waiting to happen. Each stage of the operation boasted a potential security hole.
on the web at http://www.ABCD.com. Using a query like ‘Site: ABCD’, may find mistyped
There is now a system built on the concept of a honey-pot: a computer
system on the internet that is expressly set up to attract and trap people who attempt to
penetrate other people’s computer systems. In order to learn how new attacks might be
conducted, the maintainers of a honey-pot system monitor, dissect and catalogue each attack,
A simple entry like “inurl: admin inurl: userlist”, could easily be replicated with a web-based
/admin/user list directory. If a web search engine like Google was instructed to crawl the top-
level index.html. This link would satisfy the Google query of “inurl: admin inurl: userlist”,
Literature Review:
Maura Conway quotes Denning in her paper “Cyberterrorism and Terrorist 'Use' of the
unlawful attacks and threats of attacks against computers, networks and the information
stored therein when done to intimidate or coerce a government or its people in furtherance of
violence against persons or property, or at least cause enough harm to generate fear. Attacks
that lead to death or bodily injury, explosions, or severe economic loss would be examples.
would not."
In the study, “A Qualitative Analysis of Advance Fee Fraud E-mail Schemes”, Holt and
Graves discuss the implications of this study for law enforcement and computer security,
exploring the mechanisms that are employed by scammers through a qualitative analysis of
412 fraudulent email messages. Criminals utilize the Internet to perpetrate all manner of
fraud, with the largest dollar losses attributed to advance fee fraud e-mail messages. Half of
all the messages also request that the recipient forward their personal information to the
sender, thereby enabling identity theft. The findings demonstrate that multiple writing
techniques are used to generate responses and information from victims. The World
Intellectual Property Organisation (WIPO) has developed several treaties to assist in the
protection of copyrights. Specifically, WIPO has three treaties that preclude the unlawful
taking of copyrighted material: The Copyright Treaty, The Performers and Producers of
Phonograms Treaty, and The Databases Treaty. Regardless of these treaties, Rao (2003)
showed that the international piracy rates increased in the years of 2000 and 2001. Therefore,
piracy is a worldwide behaviour. Because of the attributes of the Internet, piracy took place in
almost complete deceit, making the tracking of rates nearly impossible. However, an industry
group had estimated that software piracy accounted for nearly 11 billion dollars in lost
revenue and contributed to loss of jobs and reduced government revenues (Business Software
Alliance, 2003). Whatever approach hackers take, most malicious hackers prey on ignorance.
They know the following aspects of real-world security: The majority of systems that hackers
Hackers can often attack by flying below the average radar of common firewalls, IDS and
authentication systems.
• Hack attacks are usually carried out after typical business hours and can be carried out
• Company’s defences are often weaker during off-peak hours which have less
A proxy server is simply a program that relays data from one system to another. There are a
number of free proxy servers available, designed to offer users some type of "anonymity"
or access to "restricted" websites. For example, if your IP address was 1.1.1.1 and you
connected to the internet through a proxy server with an IP address of 2.2.2.2, everyone would
see you as connected to the internet with IP 2.2.2.2, not 1.1.1.1. Or at least that is the idea.
There are a whole host of applications for proxy servers and issues associated with them.
Although many are used for privacy or anonymity, this is not necessarily a feature or benefit.
HTTP_X_FORWARDED_FOR value, which would tell any server you connect to through
the proxy service that you are using a proxy server at 2.2.2.2, but your real IP is 1.1.1.1. This
is useful in many business applications where the objective of the proxy service is not
privacy, but something else. How do you know if that proxy server you are using for privacy
passes this variable or not? Since a proxy server relays data through the proxy server system,
it is possible for data to be logged and/or modified. If you want to have real fun, modify the
code in a proxy server to change all the letters "i" to "a" and see someone try to use it. Not
useful, but very illustrative of the power the operator of a proxy server has. When you enter
your login and password, it will be relayed through the proxy server, but will it be logged
too? How will you ever know? Now the proxy server can provide a real benefit when you
Of course any decent blocking program would easily decode the proxy packet and block the
sites direct or through a proxy server. Now there are some real dangers of proxy servers and
that is with respect to crime. I have seen some enticing sales pitches for a public proxy server
you can set up for people to access blocked sites. Basically the pitch goes like this... install
our program and watch the money roll in as users use your proxy on your server to access
blocked sites. That also means that when someone uses your proxy to commit credit card
fraud or hack into something, the victim will see the IP address of your server not the bad
guy! Open proxy servers are another bad idea. These might be installed by spyware or they
might be installed by mistake. They will turn your computer into a proxy server and you
might not even know it! There are many people that scan the internet for open proxy servers
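The question raised above, whether a given proxy passes HTTP_X_FORWARDED_FOR or not, can be answered by sending a request through the proxy to a server you control and inspecting the headers that arrive. The following is an added example, not part of the original paper: the function names, the result labels and the sample header sets are assumptions made for illustration, with 1.1.1.1 as the client and 2.2.2.2 as the proxy, as in the text.

```python
import ipaddress

# Request headers a proxy may add. Names are normalised so that the wire form
# (X-Forwarded-For) and the CGI form (HTTP_X_FORWARDED_FOR) both match.
ADDRESS_HEADERS = ("X_FORWARDED_FOR", "X_REAL_IP", "CLIENT_IP")
PROXY_HINT_HEADERS = ("VIA", "FORWARDED") + ADDRESS_HEADERS


def _norm(name: str) -> str:
    key = name.upper().replace("-", "_")
    return key[5:] if key.startswith("HTTP_") else key


def _parse_node(value: str):
    """Return a canonical IP string, or None for 'unknown' or hidden nodes."""
    node = value.strip().strip('"')
    if node.startswith("["):                 # "[IPv6]:port" form
        node = node[1:].split("]")[0]
    elif node.count(":") == 1:               # "IPv4:port" form
        node = node.split(":")[0]
    try:
        return str(ipaddress.ip_address(node))
    except ValueError:
        return None


def disclosed_addresses(headers: dict) -> dict:
    """Map each forwarding header to the IP addresses it reveals."""
    norm = {_norm(k): v for k, v in headers.items()}
    found = {}
    for name in ADDRESS_HEADERS:
        addrs = [a for a in map(_parse_node, norm.get(name, "").split(",")) if a]
        if addrs:
            found[name] = addrs
    # RFC 7239 "Forwarded" header: comma-separated hops, each a list of
    # key=value pairs. Simplification: assumes no commas inside quoted values.
    forwarded = []
    for element in norm.get("FORWARDED", "").split(","):
        for pair in element.split(";"):
            key, _, value = pair.partition("=")
            if key.strip().lower() == "for":
                addr = _parse_node(value)
                if addr:
                    forwarded.append(addr)
    if forwarded:
        found["FORWARDED"] = forwarded
    return found


def classify(headers: dict, peer_ip: str):
    """peer_ip is the address the server saw the connection come from."""
    peer = str(ipaddress.ip_address(peer_ip))
    leaked = disclosed_addresses(headers)
    others = sorted({a for addrs in leaked.values() for a in addrs if a != peer})
    if others:
        return ("discloses-client-address", others)
    if any(_norm(k) in PROXY_HINT_HEADERS for k in headers):
        return ("discloses-proxy-only", [])
    return ("no-forwarding-headers", [])


# Constructed header sets, as a test server behind different proxies might see.
SAMPLES = {
    "forwards address": {"HTTP_X_FORWARDED_FOR": "1.1.1.1",
                         "HTTP_VIA": "1.1 proxy.example"},
    "announces itself": {"Via": "1.1 proxy.example",
                         "X-Forwarded-For": "unknown"},
    "rfc7239": {"Forwarded": 'for="[2001:db8::17]:4711";proto=http, for=1.1.1.1'},
    "silent": {"User-Agent": "constructed-agent", "Accept": "*/*"},
}


def report() -> dict:
    return {name: classify(h, "2.2.2.2") for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:18} {verdict}")
```

A result of "no-forwarding-headers" only shows that the proxy adds nothing to the request; it says nothing about whether the operator logs or modifies the traffic it relays.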
Protection
There is a new phenomenon emerging on the Internet. Security consults are now being done
(although perhaps not in great number) from remote locations. This is where someone in the
same city (or another city) tests, defines, and ultimately implements your security from the
outside. In other words, it is done from a location other than your offices or home. I have a
penetration testing (at the end of the day) is to simulate a real-time attack from the void.
There is no replacement for doing this from a remote location. In this limited area of concern,
• All other forms of security testing and implementation should be done onsite. Implementing
security from a remote location is not a secure method and may result in security breaches.
As much as the idea may seem attractive to you, I would strongly advise against having any
firm or individual handle your security from a remote location. If your network is large and is
meant to be as secure as possible, even the existence of a privileged user who can gain remote
access to do maintenance work is a security risk. (For example, why would one cut a hole
In some sense, the prevention of sniffing by installing hardware barriers may be considered
the last line of defence in a security system. When building medieval fortresses, the last line
of defence was typically the most formidable but could only protect those who would be left
inside after the outer defences had been breached. In dealing with sniffing, the first line of
defence is simply not to transmit anything sensitive on the network in the first place. The
local hardware defences may limit intrusion into the local systems. However, if authorized
users may access those systems from remote locations, one must not transmit sensitive
information over remote parts of the Internet lest the information be sniffed somewhere along
the way. One extreme that preserves security is simply not to permit access from remote
locations. Also, the most formidable defences against inward directed attack do nothing to
provide for the security of one leaving the area being protected. Legitimate Internet sessions
The most glaring security hole beyond simple loss of privacy is the opportunity for a sniffer
to gather passwords. The best way to deal with this problem is simply not to transmit clear-
text passwords across the network. Simply transmitting an encrypted password that could be
captured and replayed by a sniffer is also not acceptable. Several different methods are in use
Information protection does not always protect information systems from harm. Designers
may decide to shred paper, burn electronic media, or even blow up computers. Shredding
paper prevents leakage of potentially harmful information in paper form, burning used floppy
disks prevents their contents from being read and exploited and blowing up electronic devices
is used in smart bombs as a cost-effective way to keep the information technology used to
guide the bomb from getting into enemy hands. Information protection has been, is, and will
Designers trade costs against potential harm, long term for short term, people solutions with
technical solutions, integrity with availability with privacy, and one person's harm for another
person's benefit. Discussions should also include how current security policies and practices
are impacting how well an agency’s network environment is able to protect both its
For example, organizations that fail to institute anonymous surfing practices when their staff
members use the Internet for official business may unintentionally disclose their operating
system, browser version, physical address and other sensitive information. Adversaries can
jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address,
they can start scanning and attacking its network directly, endangering the organization’s data
and infrastructure. Addressing these kinds of practices during the summit will put any
Most people probably want to feel that their computers are safe, and many people in the
computer security business try to get money for helping them feel that way, but frankly, a
behave as if they really want to be kept from harm, especially if it costs them something or if
they haven't just been harmed. In many organizations, effective information protection
requires cultural change. This is one of the hardest sorts of change for most people to make
because it requires that they find new ways of thinking about issues, that they gain a new
level of awareness about things around them, and that they act based on this awareness.
Information protection can't be left to someone else. This doesn't work, no matter who you
From the highest ranked officer in the largest organization to the lowest paid office clerk,
everyone has responsibility for information protection, and protection will not be fully
effective until everyone assumes their responsibility. What is often disconcerting is how much
an organization freely contributes to the hacker's weapon stockpile. Most organizations are
haemorrhaging data; companies freely give away too much information that can be used
against them in various types of logical and physical attacks. Here are just a few common
• The names of the top executives and any flashy employees they have by perusing their
• The company address, phone number, and fax number from domain name registration.
• The service provider for Internet access through DNS lookup and trace route.
• Employee home addresses, phone numbers, employment history, family members, previous
addresses, criminal record, driving history, and more by looking up their names in various
• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web
server platform, scripting languages, web application environments and more from Web site
scanners.
• Confidential documents accidentally posted to a Web site from archive.org and Google
hacking.
• Flaws in your products, problems with staff, internal issues, company politics, and
more from blogs, product reviews, company critiques, and competitive intelligence services.
Another solution is to use encrypted passwords over the network. You must use caution,
however, when simplifying this technique. Even with encryption, a sniffer can still record the
encrypted password and decipher the encrypted password at his or her leisure. One way
around this is to use an encryption key that involves the current time.
If the sender and receiver are closely synchronized, the sniffer must replay the encrypted
password within one tick of the two machines’ shared clock. If the sender and receiver are
widely separated, however, this technique becomes less practical and effective because
shared clocks will lack sufficient time resolution to prevent an attacker from using a quick
replay. One way around this lack of close synchronization is to set a limited number of
attempts at typing the password correctly. It also does not suffice to simply encrypt the
password with an algorithm using a key that allows an attacker to determine the encryption
key. The attacker would decrypt it for repeated use at a later time. Some protocols use an
encryption technique equivalent to the one used by the UNIX password program when it
stores passwords in the password file. This encryption technique is no longer considered
particularly secure against brute force cryptographic attacks where all likely passwords are
encrypted with the same algorithm used by the password file. Any two words that encrypt the
same must be the same. Hence, poorly chosen (for example, dictionary words) or short
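The time-keyed scheme discussed above, and the earlier point that an encrypted password which can be captured and replayed is not acceptable, are shown together in the following added example, which is not part of the original paper. It uses a keyed hash (HMAC-SHA256) over the clock tick in place of encryption and PBKDF2 to stretch the password; the 30-second tick, the one-tick skew allowance and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

TICK_SECONDS = 30        # assumed length of one shared clock tick
ALLOWED_SKEW_TICKS = 1   # assumed clock drift the verifier tolerates


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password so a sniffed proof is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _mac(key: bytes, user: str, tick: int) -> bytes:
    message = user.encode() + b"\x00" + struct.pack(">q", tick)
    return hmac.new(key, message, hashlib.sha256).digest()


def make_proof(key: bytes, user: str, now: float) -> bytes:
    """Client side: the value that crosses the network instead of the password."""
    return _mac(key, user, int(now // TICK_SECONDS))


class Verifier:
    """Server side. With remember_ticks=False only the time window protects."""

    def __init__(self, keys: dict, remember_ticks: bool = True):
        self._keys = keys
        self._remember = remember_ticks
        self._last_tick = {}   # user -> newest tick already accepted

    def check(self, user: str, proof: bytes, now: float) -> str:
        key = self._keys.get(user)
        if key is None:
            return "reject: unknown user"
        current = int(now // TICK_SECONDS)
        # Accept proofs made within the skew allowance of the server's clock.
        for tick in range(current - ALLOWED_SKEW_TICKS,
                          current + ALLOWED_SKEW_TICKS + 1):
            if hmac.compare_digest(proof, _mac(key, user, tick)):
                # A proof for a tick already used is a replay, even though
                # it is still inside the time window.
                if self._remember and tick <= self._last_tick.get(user, -1):
                    return "reject: replayed proof"
                self._last_tick[user] = tick
                return "accept"
        return "reject: stale or wrong proof"


def demo() -> dict:
    key = derive_key("constructed-password", b"constructed-salt")
    t0 = 1_700_000_000.0                   # constructed login time
    proof = make_proof(key, "alice", t0)   # the value a sniffer would capture
    results = {}
    for label, remember in (("window only", False), ("window + memory", True)):
        server = Verifier({"alice": key}, remember_ticks=remember)
        results[label] = [
            server.check("alice", proof, t0 + 2),    # legitimate login
            server.check("alice", proof, t0 + 5),    # replay inside the tick
            server.check("alice", proof, t0 + 600),  # replay ten minutes later
        ]
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The "window only" verifier accepts the quick replay, which is the weakness the text attributes to coarse clocks; remembering the last accepted tick per user closes it at the cost of allowing one login per tick.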
Conclusion
There are many possible ways that a hacker can gain access to a seemingly secured
efforts and to watch for abnormal events. We need to secure IT environments to the best of
our abilities and budgets while watching for the inevitable breach attempt. In this continuing
arms race, vigilance is required, persistence is necessary, and knowledge is invaluable. Our
findings in relation to the detection of cybercrime strongly suggest that organisations need
assistance in this area, with 67% of respondents reporting that accidental detection and
Given the significant impact of cybercrime we hope to see improvement in this figure, for
example with a greater number of organisations detecting issues through routine IT checks,
security products or audits. Awareness of hacker attacks is also growing as internet
security agencies work together, as in the honey-pot
initiative, and with constant updating of security companies’ knowledge and inter-agency
cooperation, hackers will find it a lot harder to break into once easy and unprotected systems.
The hacking black market is still a profitable enterprise, though, with insider company secrets
at the top of the most requested and sought-after commodities. With the fact that hackers
can receive up to €500,000 for system infiltration software, the monetary gain is, in the
Bibliography
Banks, Michael A. (1997), Web psychos, stalkers, and pranksters: How to protect yourself
online, Arizona (USA), The Coriolis group.
CNET (2001), FBI “hack” raises global security concerns [online]. Available from:
http://news.com.com/FBI+%22hack%22+raises+global+security+concerns/2100-1001_3-256811.html
[Accessed 14th December 2004].
Conway Maura (2002) Cyberterrorism and Terrorist 'Use' of the Internet, First Monday,
volume 7, number 11 (November 2002)
URL: http://firstmonday.org/issues/issue7_11/conway/index.html
Crucial paradigm (2003), Hacking attacks-How and Why [online], Crucial paradigm.
Available from:
http://www.crucialparadigm.com/resources/tutorials/website-web-page-site-optimization/hacking-attacks-how-and-why.php
[Accessed 7th December 2004].
Darlington, Roger. (2001) Crime on the net [online], United Kingdom, Darlington, Roger.
Available from: http://www.rogerdarlington.co.uk/crimeonthenet.html [Accessed 4th
December 2004].
Furnell, Steven. (2002), Cybercrime: Vandalizing the information society, Boston; London:
Addison-Wesley.
Himanen, Pekka. (2001), The hacker ethic and the spirit of information age, Great Britain,
Secker & Warburg.
Jaishankar, K. (2007) ‘Cyber Criminology: Evolving a novel discipline with a new journal’
International Journal of Cyber Criminology Vol 1 Issue 1 January 2007
Jewkes Yvonne (2006). Comment on the book 'Cyber crime and Society’ by Majid Yar, Sage
Publications.
Levy, S. (1984), Hacker: Heroes of the computer revolution, New York: Bantam Doubleday
Dell. Cited in: Taylor, Paul A. (1999), Hackers: Crime in the digital sublime, London,
Routledge.
Mann, David and Sutton, Mike, (1999). NetCrime. More Change in the Organisation of
Thieving, British Journal of Criminology, vol. 38, no. 2, Spring 1998.
McClure, Stuart et al. (2003), Hacking exposed: Network security secrets & solutions,
Fourth edition, Berkeley, California (USA), McGraw-Hill/Osborne.
McKenzie, S. (2000). Child Safety on the Internet: An Analysis of Victorian Schools and
Households using the Routine Activity Approach. A thesis submitted to the University of
Melbourne, February, 2000.
http://www.criminology.unimelb.edu.au/research/internet/childsafety/index.html
Niccolai, James. (2000), Analyst puts hacker damage at $ 1.2 billion. Available from:
http://archive.infoworld.com/articles/ic/xml/00/02/10/000210icyankees.xml [Accessed 7th
December 2004].
Ninemsn (2004), North Korea ‘has 600 computer hackers’ [online], [national Nine news].
[SCI Tech news]. Available from: http://news.ninemsn.com.au/article.aspx?id=19653
[Accessed 10th December 2004].
Pipkin, Donald L. (1997), Halting the hacker: A practical guide to computer security, United
States of America, Prentice Hall.
Randall, Nichols K. et al. (2000), Defending your digital assets: Against hackers, crackers,
spies and thieves, United States of America, McGraw-Hill.
Seebach, Peter. (1999), Care and feeding of your hacker [online], Seebach, Peter. Available
from: http://web.demigod.org/~zak/geek/hack.shtml [Accessed 6th December 2004].
Selwyn, Neil and Gorard, Stephen. (2001), 101 key ideas in information technology, United
Kingdom: United States of America: Hodder and Stoughton-McGraw-Hill.
Seo, Jung.U. (2001), Toward the global information society opportunities and challenges
[online], [minister of science and technology, Republic of Korea]. Available from:
http://web.ptc.org/library/proceedings/ptc2001/plenary/seo.html [Accessed 10th December
2004].
Server pipeline (2004), Simulated hacker attacks [online], Server pipeline, Available from:
http://www.nwc.serverpipeline.com/trends/trends_archive/46200228 [Accessed 15th
December 2004].
Sterling, Bruce. (2004), The hacker crackdown: (Law and disorder on the electronic frontier),
McLean, Virginia (USA), Indypublish.com.
Taylor, Paul A. (1999), Hackers: Crime in the digital sublime, London, Routledge.
Thomas, Douglas and Loader, Brian D (eds.) (2000), Cybercrime: Law enforcement, security
and surveillance in the information age, London: Routledge.
Thomas and B. Loader (Eds.), Cyber crime: Law Enforcement, Security and Surveillance in
the Information Age, London.
Williams, Sam. (2002), Free as in freedom: Richard Stallman’s crusade for software,
Farnham, Sebastopol, California: O’Reilly.