FEATURE • COMPUTER CRIME
Have you heard about the new tool that selects its victims automatically, steals their assets and erases all evidence before they can blink an icon? Get ready: It’s on the way…if it’s not already here.
BY DONN PARKER
EDITOR'S NOTE: The following is part one of a two-part article on automated crime and security. Part 2 appeared in the October issue of Information Security. This article is adapted from Fighting Computer Crime: A New Framework for Protecting Information (ISBN 0-471-16378-3). © 1998/1999 John Wiley & Sons Inc. Reprinted with permission. For more information on this book, call 1-800-CALL WILEY or visit www.wiley.com.
For the first time in human history, computers and automated processes make it possible to possess, not just commit, a crime. Today, criminals can pass a complete crime in software from one to another, each improving or adapting it to his or her own needs. Since it could be tested repeatedly under predictable circumstances, it may become the perfect crime, one with no evidence and no basis for the victim and perpetrator to identify or confront each other. Neither would even know the crime method used and when and where it was done; it would happen before either could bat an eye (or click a mouse). The technology and know-how to launch the perfect crime are right around the corner. The only question that remains is, What can we do about it?
Behind the 8-Ball
We must anticipate that our adversaries—the abusers and misusers of information and information systems—are intelligent and more than willing to use any new technology for their nefarious purposes. With every new abusive method—Trojan horse attacks, computer viruses, logic bombs, fraud, impersonation, espionage, sabotage and so forth—they’ve put security experts and victims in a defensive, reactive mode. It’s time we think ahead to anticipate what they may be developing next: automated crime.
Automated Crime Defined
We are all familiar with the computer virus problem. Lately, many security experts are concerned about malware (a type of harmful software that includes Trojan horse and buffer overflow attacks, malicious Java and ActiveX codes, and hacker tools along with viruses and worms). Unfortunately, the "experts" rarely see the bigger picture to understand the implications of packaging complete crimes in software. Expert criminals can now package well-conceived crimes in software and give or sell them to others. In doing so, they would introduce the concept, for the first time in criminal history, of possessing and selling, buying or bartering, or just giving away complete (and potentially perfect) crimes.
Automated crimes would go far beyond the current definition of malware. They are not merely extensions of written instructions or scripts of how to execute various crimes, which might be passed from crime designers to perpetrators who must then follow the instructions each time. Automated crimes will be complete, ready-to-use, perfectly tested crimes that could select victims automatically, perform the crimes, create gains and erase all evidence—without the participation or knowledge of the designers, perpetrators or victims. Designers could develop automated crimes as extensions of powerful new vulnerability testing and intrusion tools. Automated crime may well be in the next news headline, even upstaging viruses, worms and Trojan horses.
It is with some trepidation that I describe this new phenomenon, though I won’t provide enough detail here to give anyone a recipe for a specific automated crime. The value of alerting security practitioners and potential victims outweighs the possible damage done by giving our adversaries new ideas.
In my definition, an automated crime is a complete, fully automated, ready-to-use crime—from the selection of a victim to the perpetration of the misdeed and the covering of the perpetrator’s tracks and identity—that is packaged in a single computer program (see box, below). When the program is executed, it automatically commits the crime and removes any damning evidence (including itself) before the victim can blink an icon. The creator of an automated crime can package it, test it in real environments and pass it on to any number of unknown perpetrators. The perpetrators can then execute the crime to attack any number of victims’ computers without the creator’s—or even the perpetrators’ or victims’—further involvement.
Theoretically, anyone could possess and send a copy of an automated crime program over the Internet for execution in the victims’ computers. Because the crime can be designed for bi-directional, perfect anonymity, the perpetrator need not know who the victim was, what crime occurred, what method was used or even the results of the crime. The victim, likewise, would not know the perpetrator, what method was used, and where his or her losses went. And the entire crime could take place in only a few milliseconds. An investigator would be left with no forensic evidence and no trail to follow, with the unlikely exception of matching the victim’s loss with someone else’s equal gain.
The Evolution to Automated Crime
I conceived the idea of automated crime from considering that we may possess complete business processes in software without knowing exactly what they are. Creating automated crimes will most likely begin with extending hacker tools and security testing software, such as sniffers, war dialers and intrusion testing programs like SATAN (Security Administrator Tool for Analyzing Networks). SATAN is a valuable security tool, but malicious hackers can use it to capture information to subvert victims' computers for illicit purposes. In the future, computer-savvy criminals who understand computer applications will enhance and extend the functions of these and other sophisticated tools to commit totally automated crimes. You can easily see it coming, as the tools become more sophisticated and as the number of potential victims' systems running exactly the same OSs and applications increases. With the appropriate tools and an understanding of the vulnerabilities inherent in victims' operating and application systems, skilled criminals could design a crime package to gain root authority in victims' computers, perpetrate criminal acts, and convert those acts to irreversible criminal gains. It could conclude by totally deleting any evidence of the crime anywhere.
There is no shortage of tools for malicious hackers, or of sources for those tools that could be used as the building blocks for automated crime. In addition to the numerous hacker Web sites and anonymity servers, a number of legitimate sources offer utility programs and services that malicious hackers can use in their attacks; many of the program tools are available free of charge. Making matters worse, anonymous ISP services such as Canada-based Zero Knowledge Systems can provide the means to maintain complete anonymity among creators, perpetrators and victims of a crime. And Internet financial services can be the means of converting criminal acts to irreversible gain.
Traditionally, criminals pass descriptions of their crime methods from one to another. Soon, anybody will be able to pass along the actual crimes perfectly and anonymously without even knowing their content or what they do. Unlike traditional criminals, who can’t really test their crimes before executing them, the creators of automated crimes have the luxury of being able to test and enhance them in completely predictable environments. Because automated crimes take place in the totally predictable world of computer systems, the rogue programs can be executed any number of times under exactly the same circumstances, and they will render the same exact result every time. In addition, just as developers create application software to fit specific business and system requirements, the creators of automated crimes can tweak their programs to fit specific situations.
Anatomy of an Automated Crime
A fully automated crime involves six steps, all carried out by a program or suite of programs executed automatically, in sequence, without human intervention (see box, below). This six-step process is one scenario of how an automated crime could take place; many variations are possible.
To accomplish the first two steps, the crime designer could use a computer program such as SATAN. First released in April 1995, this freeware program is designed to scan computers, probe for vulnerabilities and report security weaknesses in network computers that run UNIX. Because the program’s source code is readily available, a competent programmer could easily modify it to extend SATAN’s capabilities to use the vulnerabilities it finds.
Since SATAN can automatically probe many computers in a network without interruption, it can provide sufficient information to select an appropriate target computer (Step 1). A security probe in SATAN contacts the target host system using a TCP/IP-based protocol, such as SMTP, FTP or RPC (remote procedure call). Once the connection is made, SATAN explores the security posture of a targeted computer system to make decisions regarding vulnerabilities that could be pursued (Step 2). Using a technique such as IP spoofing, the tool then impersonates a trusted computer and, using the discovered vulnerability, gains root authority (Step 3).
Step 4 can be accomplished in any number of ways. For instance, a logic bomb that executes on a privileged basis when specific conditions are met within the target system is one likely technique for "delivering" the crimes. The crime program could use a Trojan horse to temporarily insert secret instructions into victim application programs.
Step 5 of the automated crime is conversion to criminal gain. "Gain," however, may be merely the satisfaction of successfully sabotaging the target computer, with no removal or conversion of information. In a financial system fraud, for instance, conversion to criminal gain might involve establishing a line of credit, while in a banking system fraud it might involve transferring funds from one bank’s computer to the perpetrator’s account in another, private bank’s computer.
The conversion—and this step—is complete when the funds are transferred and credited to the account in the other bank system. If, however, the transferring bank detects that the transfer is fraudulent and reverses the transaction before the funds are safely delivered to the criminal’s account, there is no conversion to gain. Considering the many banking regulations in place, criminals using the automated crime program may find it necessary to remove stolen funds as cash in order to achieve irreversible gains. This, of course, increases the risk and direct participation of the perpetrators as opposed to a completely automated crime.
Step 6 may be unnecessary if the crime is the hit-and-run type, in which the designers don’t care whether the perpetrators’ actions are discovered. If, however, the crime is to remain covert and the perpetrator is to remain anonymous, the last act of the program is to eliminate any evidence that would lead to detection, identification and prosecution.
Eliminating all evidence of the crime will always be a formidable task, especially in networks that log multiple copies of transactions. The automated crime designer needs to consider, and deal with, the possibility of backups, shadow and mirror copies, audit logs, residual data in peripheral buffers, discarded printer paper, printer buffer memories and data remaining in unassigned disk sectors. The crime program can, however, deal with these items individually, eliminating the most obvious first, then moving on to the less obvious and more difficult items. The designer could also program the automated crime to anticipate and avoid specific criminal laws, jurisdictions with strong laws, rules of evidence and legal precedent.
As long as the automated crime does not target any specific victim, the act of creating and distributing an automated crime as described above is not classified as a crime (as far as I know) by today's laws. The Computer Fraud and Abuse Act, as amended in 1996 (18 U.S.C. § 1030(a)(5)), states: "Whoever knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer, shall be punished…." This may be construed as criminalizing the transmission of an automated crime, but only if perpetrators (not necessarily the creators) use it in specific crimes against specific victims, or a prosecutor could prove their intent to do so. Creating and distributing automated crimes, and even cautiously advertising them, might not be crimes under this statute. However, I leave this to the experts on criminal law to determine.
In the absence of clear-cut laws, mitigating automated crime will require a new and far more sophisticated level of information security. In particular, we may have to develop security software agents that will automatically engage in the battle of avoiding, deterring, preventing, detecting, mitigating, recovering from and engaging in immunization against future attacks. Antivirus programs and intrusion detection systems are only limited types of automated security. The automated security program (or suite of programs) must operate in computer time without human intervention. It must not only mitigate an entire crime, but do so without unnecessary harm to systems. It must use an acceptable amount of resources, and possibly start and finish before any human could be aware that any problem and its prevention has occurred.
Furthermore, the automated security program must record and preserve legally acceptable evidence for analysis and action, such as prosecution or civil litigation. The program itself must also be protected from unanticipated detection and compromise by the automated crime. Finally, the search for perpetrators would probably require effort external to the victim's computer using what little evidence is in hand. In Part 2 of this article, I will explore each of the components within this automated security strategy in further detail.
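The evidence-elimination step described above (Step 6) and the requirement just stated, that a security program preserve evidence the crime program cannot quietly destroy, meet in the audit log. The following is an added example, not code from the article or from any product it mentions: a hash-chained audit log whose head hash is copied to a separate log host after every append. The records, the mirror host and the two erasure attempts are constructed for illustration. It shows why "multiple copies of transactions" make Step 6 formidable: deleting entries in place breaks the chain, and deleting them and rebuilding the chain so the local copy looks self-consistent still fails against the off-host head, after which the mirror yields exactly the erased records.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash, seq, record):
    # Each entry commits to its predecessor, its position and its content.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only log where every entry hashes the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        h = _entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "record": record, "hash": h})
        return h

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (ok, index_of_first_bad_entry_or_None).

    With expected_head (a head hash committed off-host), a chain that is
    internally consistent but shorter or different from what was committed
    is reported bad at index len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or _entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def erased_records(local_entries, mirror_entries):
    """Records present on the mirror host but absent from the local log."""
    local = {json.dumps(e["record"], sort_keys=True) for e in local_entries}
    return [e["record"] for e in mirror_entries
            if json.dumps(e["record"], sort_keys=True) not in local]


def simulate_evidence_erasure():
    local = ChainedLog()
    mirror = []  # constructed stand-in for an append-only copy on a separate log host
    records = [  # constructed accounts-payable events, not real data
        {"event": "login", "user": "ap_clerk"},
        {"event": "vendor_added", "vendor": "V-9901"},
        {"event": "invoice_approved", "vendor": "V-9901", "amount": 34000},
        {"event": "transfer_sent", "amount": 34000, "dest": "offshore-acct"},
        {"event": "logout", "user": "ap_clerk"},
    ]
    for r in records:
        local.append(r)
        mirror.append(dict(local.entries[-1]))
    committed_head = local.head()  # head hash copied off-host after each append

    incriminating = {1, 2, 3}

    # Attempt 1: crude erasure, delete the three entries in place and leave the rest.
    crude = [e for e in local.entries if e["seq"] not in incriminating]
    crude_ok, crude_break = verify_chain(crude)

    # Attempt 2: careful erasure, delete and recompute every hash so the local
    # copy is self-consistent (what a root-level crime program would do).
    careful = ChainedLog()
    for e in local.entries:
        if e["seq"] not in incriminating:
            careful.append(e["record"])
    careful_local_ok, _ = verify_chain(careful.entries)
    careful_vs_head_ok, _ = verify_chain(careful.entries, expected_head=committed_head)

    return {
        "crude_detected": not crude_ok,
        "crude_break_at": crude_break,
        "careful_local_ok": careful_local_ok,
        "careful_detected": not careful_vs_head_ok,
        "recovered_events": [r["event"] for r in erased_records(careful.entries, mirror)],
    }


if __name__ == "__main__":
    print(json.dumps(simulate_evidence_erasure(), indent=2))
```

The chain alone buys nothing against a crime program running as root, since it can recompute every hash; the protection comes from the head hash (or the whole entry) leaving the host before the crime can run to completion, in "computer time." That is the mirror copy the article warns the crime designer about, and it is what the Part 2 "automated security" program must keep out of the crime program's reach.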
Donn Parker, CISSP, is a senior management systems consultant (retired) for the Information Security Program at SRI Consulting.
…of this article, appearing in the October issue, will explain the concept of automated security: theories and practices for defending against automated crime.
Today, a complete crime can be packaged in a single computer program—Crime-in-a-Box for $39.95.
For more than 75 years, we have been automating business processes, selling them, improving and perfecting them, and running them over and over. Why not automate business crimes as well? Innocent or not-so-innocent users could download them as freeware through the Internet. Or, they could buy them in software stores from a shelf of four-color, shrink-wrapped boxes. One might be labeled Get Rich Accounts-Payable Fraud; another, Payroll Checks Fraud; and another, E-Mail Espionage.
You can now possess a crime—possibly legally. No law would be broken until you launch one of these programs from your computer. But who will catch you? Such a crime can be executed repeatedly by many perpetrators different from the designer and creator.
Using one of the above examples, here’s how an automated crime might work: While browsing the Internet, you encounter an offer for Get Rich, a freeware program. Out of curiosity, you download and execute it. The first (and only) screen displayed says, "GET RICH! How much money do you want?" You decide to play the game and key in "$34,000." "Where do you want it?" glows out at you from the screen. So you enter the name, Internet address and account number of your bank (very risky, but you do it anyway). After you hit the Start key, the screen disappears, and nothing more happens. It’s all over. You forget about it until the next day, when you discover that your bank account balance is $27,200 greater than it was yesterday. You try to find the Get Rich program, but it’s gone from your computer. When you try to find it again on the Internet, it’s no longer available from the same source. Next you find that your bank received the money in a transfer from an offshore bank from a numbered, secret account. End of story, at least from your perspective.
Now consider this event from the victim’s perspective. A small company in Hong Kong is one of the thousands of customers using a well-known commercial accounts-payable software package in their online computer. The head accountant comes into work one morning and discovers an out-of-balance debit suspense item of $34,000 in the double-entry bookkeeping system. He looks at the transaction log. Nothing there. He looks at the audit log. Nothing there, either. He looks at the payments register. Nothing. He gets desperate and even looks for debits in the receivables and credits in the payables. Nothing. The bank tells him the $34,000 was sent on to an irreversible destination. End of story. (I have purposely omitted one more step required by the program to short-circuit the bank reconciliation and the use of an anonymizer ISP. However, an offshore banking consultant assures me it is possible.)
Now consider the incident from the perspective of the Get Rich designers. George wrote the victim selection and intrusion program section, Jill wrote the accounts-payable fraud code that attacks a well-known commercial software package, and Mark handled the network funds transfer and anonymizer. They had a friend put it on a freeware Web site. Mark’s girlfriend created an offshore private bank and every time money mysteriously appeared and passed through the bank—in this case, $34,000—she brought the automatically deducted 20 percent cut to him in cash. Twenty percent of the swag, tax-free, for each time an unknown perpetrator ran Get Rich. Is this the perfect crime, or what?
6 Steps To Automated Crime
1. Scan or search to find computers containing the desired assets to attack.
2. Find the vulnerability in the selected system(s) in preparation for the attack.
3. Use that vulnerability to gain entry, resources and authority.
4. Engage in an abusive or criminal activity.
5. Convert that activity to some form of gain for the perpetrator and/or loss to the victim.
6. Eliminate evidence to avoid discovery of the perpetrator and the criminal activity, and create bi-directional anonymity among the providers, perpetrators and victims.