Beginning in the fall of 1999, a number of Internet-related businesses and financial institutions in the United States suffered computer intrusions or "hacks" that originated from Russia. The hackers gained control of the victims' computers, copied and stole private data that included credit card information, and threatened to publish or use the stolen credit cards or inflict damage on the compromised computers unless the victims paid money or gave the hackers a job. Some of the companies gave in and paid off the hackers. Some decided not to. The hackers responded by shutting down parts of their networks and using stolen credit card numbers to order thousands of dollars' worth of computer equipment. THE LURE is the true, riveting story of how these Russian hackers, who bragged that the laws in their country offered them no threat, and who mocked the inability of the FBI to catch them, were caught by an FBI lure designed to appeal to their egos and their greed. The story of the sting operation and subsequent trial is told for the first time here by the Department of Justice's attorney for the prosecution. This fascinating story reads like a crime thriller, but also offers a wealth of information that can be used by IT professionals, business managers, lawyers, and academics who wish to learn how to protect systems from abuse, and who want to respond appropriately to network incidents. It also provides insight into the hacker's world and explains how their own words and actions were used against them in a court of law; the evidence provided is in the raw, uncensored words of the hackers themselves. This is a multi-layered true crime story, a real-life law and order story that explains how hackers and computer thieves operate, how the FBI takes them down, and how the Department of Justice prosecutes them in the courtroom.
Amazon Exclusive: Q&A with Author Steve Schroeder
[Photo caption: Steve Schroeder, author of The Lure]
Why did you write The Lure?
I wrote The Lure primarily because it is a great story. Had the events not actually happened, they would make the basis for a good novel. I worked hard to keep the language accessible so that non-techies could enjoy it.
In addition, when the case was prosecuted, it generated a lot of publicity--most of it positive--and my colleagues and I who worked on it began to get invitations to speak about the investigation and trial. We appeared at universities and security conferences throughout the nation, and two of us, Phil Attfield and I, were even invited to Taipei to make presentations. Each time that we did so, the attendees would pester us for materials to use in their own training programs. There is, it seems, a dearth of real-world computer crime materials available for training. The reason for the short supply of real logs and other forensic evidence is simple. Computer intrusion cases are complex, and most of them are settled by means of a guilty plea prior to trial, as was the case in the [Kevin] Mitnick prosecution. Under Federal privacy laws governing criminal investigative files, those files are protected from public disclosure unless they are admitted into evidence at a trial or other court proceeding. Consequently, the logs and other forensic evidence in the vast majority of cases are not available for use in training and classroom settings. This book is an effort, among other things, to make much information available.
Your career as a prosecutor began before cybercrime became well known. What was it like to make the move into dealing with this new kind of crime?
I believe that learning is a lifelong process that helps to keep one engaged. About two-thirds of the way through my career, I had an opportunity to redefine myself when the agencies with which I was working on two major fraud cases began using databases to organize the evidence. I had to learn how to manipulate the databases from the command prompt in order to keep up. So, when two young hackers broke into the Unix-based computer system at the Federal Courthouse in the early '90s, I got the case. ("Didn't Schroeder work with computers?") I began working closely with the Computer Crime Unit in the Department of Justice, and was able to go to a number of weeklong computer and computer crime training sessions, including one at the FBI Academy. As I began to work almost exclusively on computer crime issues, my job was not to become a techie but to learn enough so that I could talk to and understand the techies. Because it was such a new field, one who concentrated on it could quickly rise above the pack. It was a lot of fun.
What's the most difficult problem that law enforcement faces when confronting computer crime?
Computer crimes, in many respects, are crimes without borders. In any event, computers do not recognize borders and computer crimes are commonly multi-jurisdictional. So simply figuring out how to obtain evidence from another state or nation is a constant problem. In addition, the difficulty in obtaining evidence from other legally constituted government entities compounds the ultimate problem in computer crime cases--attribution. While it is usually possible to identify the computer from which criminal acts are being committed by obtaining connectivity logs, law enforcement must also prove whose butt was in the chair in front of that computer at the relevant time. This is often not a technical problem, but one more familiar to traditional police work.
The two Russian hackers you helped capture and put away had cracked and manipulated systems around the world, while apparently untroubled by the laws of Russia. Are national borders a constant challenge when dealing with international cybercriminals? Do some countries provide havens for computer crime?
National borders are a constant challenge. Our multiple attempts to get help from the Russian authorities in the case which is the subject of The Lure went unanswered. The situation today is much better than it was then. The United States is working actively with nations all over the world, encouraging them to enact computer crime statutes and working out the procedures by which digitized evidence can be quickly preserved and exchanged between nations.
Because international law often requires reciprocity (acts must be crimes in both jurisdictions), it is critical that as many nations as possible enact computer crime statutes. In the mid '90s I was unable to extradite a young scoundrel from New Zealand who had caused immense damage to the University of Washington network, because hacking was not a crime in his own country. (It is now.) There are certainly still countries in the world where attacks on computers located somewhere else are not prosecuted.
Even at the state level in this country there are barriers. The states only have jurisdiction (legal authority) to compel evidence within their own borders. While they can get evidence from other states through cooperative agreements, the process can be cumbersome and expensive.
How well are governments and the law able to keep up with the rapid advances in technology?
Federal law has done surprisingly well in keeping up. The Federal Computer Fraud and Abuse Act was enacted in 1984, and has been amended a number of times, usually to expand its coverage. The Act's definitions (of "computer," for example) were broad enough to continue to apply even as the technology continued to evolve. Congress also enacted the Stored Communications Act in 1986, establishing privacy protections for email, nearly ten years before it was commonly used.
Governments struggle to keep up with technology. Equipment and training are often given a low priority, especially in these days of declining revenues. This will continue to be a serious problem.
The two hackers exploited security holes that, at least in some cases, were relatively common at the time. What's your opinion on the state of credit card and computer security today?
The two hackers in the book exploited vulnerabilities that were known and for which patches had been published. One software package (SQL) installed with a user name of "sa" for system administrator and a blank password field. Approximately one-quarter of the packages were installed on business servers without those fields being changed. That made it trivially easy for hackers to break into those systems. The high incidence of system administrators' not keeping their networks current as to upgrades and security patches continues to be a problem. It is commonplace to read in the news about the compromise of a large database of credit card transactions. Many companies, however, especially the larger ones like Amazon.com and PayPal, do an excellent job of protecting the private financial information of their customers.
With your experience in combating computer crime, what advice would you offer to readers concerned for the security of their own accounts or businesses?
- Keep your anti-virus software up to date. Anti-virus software that is out of date is only marginally better than no protection at all.
- Use a firewall.
- Use a complex password that is at least 12 characters long and does not consist of common words or names. It should contain upper- and lowercase letters as well as numbers and characters. You can use the first letters of words in a sentence, a phrase, or even a line of poetry as a memory aid.
- Make sure that your Wi-Fi hub has good security and can only be accessed by registered machines.
- Shred unsolicited credit card offers and other financial documents. Better yet, contact the credit reporting agencies and tell them not to release your information unless you actually apply for credit.
- Small business proprietors need to understand that the use of SSL encryption or other "secure" services such as "https" protect data from being compromised only while it is in transit, but do nothing to secure the information while it's in storage on their own servers.
- Small businesses often ignore the need for good, professional security measures because they are expensive for the business and inconvenient for the users, and do not generate revenue. A single system "incident," however, can cause catastrophic losses for a small or medium-sized business. Good security for your system is a wise and prudent investment.
- Transaction records should be strongly encrypted in storage, as well as in transmission, or removed entirely from machines that are accessible from the Internet as soon as they have cleared.
- Upgrades and security patches to operating systems and other software must constantly be kept up to date.
And yes, I do use my credit card on the Internet.
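The two storage points in the list above (an "https" connection protects card data only while it is in transit, and stored transaction records should be encrypted at rest and removed once they have cleared) can be illustrated in code. The following is an added Go example, not code from the book or the interview; it assumes the AES key is kept outside the database (for example in a KMS or HSM), and any card number used to exercise it is a constructed placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds the AEAD used for storage; the 32-byte key selects AES-256.
// The key itself is assumed to live outside the database (e.g. a KMS or HSM).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a card number before it hits disk; the nonce is stored in front.
func Seal(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Open decrypts a stored record; the GCM tag rejects any tampered bytes.
func Open(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return "", errors.New("bad key or stored record too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	return string(pt), err
}

// Purge returns nil once the charge has cleared: the card data leaves the server.
func Purge(cleared bool, sealed []byte) []byte {
	if cleared {
		return nil
	}
	return sealed
}
```

A stolen copy of the database then yields only ciphertext for open transactions and nothing at all for cleared ones; the key, held elsewhere, is what an attacker would still need.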