Book online «Approaching Zero, Paul Mungo [good summer reads TXT] 📗». Author Paul Mungo



the police, Popp had perpetrated a scam

that could have grossed him over $7.5 million, assuming that each of the twenty

thousand recipients of the diskette had sent the “lifetime” license fee. More

realistically, it was estimated that one thousand recipients had actually

loaded the diskette after receiving it; but even if only those one thousand had

sent him the minimum license fee, he still would have earned $189,000.

 

The police also discovered a diskette that they believed Popp intended to send

out to “registered users” who had opted for the cheaper, $189 license. Far from

being an antidote, it was another trojan and merely extended the counter from

90 boot-ups to 365 before scrambling the hard disk. In addition, there was

evidence that the London mailing was only an initial test run: when Popp’s home

in Ohio was raided, the FBI found one million blank diskettes. It was believed

that Popp was intending to use the proceeds from the AIDS scheme to fund a

mass, worldwide mailing, using another trojan. The potential return from one

million diskettes is a rather improbable $378 million.

 

The police also had suspicions that Popp, far from being mentally unstable, had

launched the scheme with cunning and foresight. For example, he had purposely

avoided sending any of the diskettes to addresses in the United States, where

he lived, possibly believing that it would make him immune to prosecution under

American law.

 

But the case was never to come to trial. Popp’s defense presented evidence that

his mental state had deteriorated. Their client, his British lawyers said, had

begun putting curlers in his beard and wearing a cardboard box on his head to

protect himself from radiation. In November 1991 the prosecution accepted that

Popp was mentally unfit to stand trial. To this day, the Computer Crime Unit

has never successfully prosecuted a virus writer.

 

For Popp, whatever his motives and his mental state, the AIDS scheme was an

expensive affair—all funded from his own pocket. The postage needed to send

out the first twenty thousand diskettes had cost nearly $7,700, the envelopes

and labels about $11,500, the diskettes and the blue printed instruction

leaflets yet another $11,500—to say nothing of the cost of registering PC Cyborg

Corporation in Panama, or establishing an address in London. To add insult to

injury, not one license payment was ever received from anyone, anywhere.

 

Popp’s scheme was not particularly well thought out. The scam depended on

recipients of his diskettes mailing checks halfway around the world in the hope

of receiving an antidote to the trojan. But, as John Austen said, “Who in their

right mind would send money to a post office box number in Panama City for an

antidote that might never arrive?” Or that may not be an antidote anyway.

 

It seems unlikely that anyone will ever again attempt a mass blackmail of this

type; it’s not the sort of crime that lends itself to a high volume, low cost

formula. It’s far more likely that specific corporations will be singled out

for targeted attacks. Individually, they are far more vulnerable to blackmail,

particularly if the plotters are aided by an insider with knowledge of any

loopholes. An added advantage for the perpetrators is the likely publicity

blackout with which the corporate victim would immediately shroud the affair:

every major corporation has its regular quota of threats, mostly empty, and a

well-defined response strategy.

 

But at present, hacking—which gives access to information—has proven to be

substantially more lucrative. Present-day hackers traffic in what the

authorities call access device codes, the collective name for credit card

numbers, telephone authorization codes, and computer passwords. They are

defined as any card, code, account number, or “means of account access” that

can be used to obtain money, goods, or services. In the United States the codes

are traded through a number of telecom devices, principally voicemail

computers; internationally, they are swapped on hacker boards.

 

The existence of this international traffic has created what one press report

referred to colorfully as “offshore data havens”—pirate boards where hackers

from different countries convene to trade Visa numbers for computer passwords,

or American Express accounts for telephone codes. The passwords and telephone

codes, the common currency of hacking, are traded to enable hackers to maintain

their lifeline—the phone—and to break into computers. Credit card numbers are

used more conventionally: to fraudulently acquire money, goods, and services.

 

The acquisition of stolen numbers by hacking into credit agency computers or by

means as mundane as dumpster diving (scavenging rubbish in search of the

carbons from credit card receipts) differs from ordinary theft. When a person

is mugged, for example, he knows his cards have been stolen and cancels them.

But if the numbers were acquired without the victim knowing about it, the cards

generally remain “live” until the next bill is sent out, which could be a month

away.

 

Live cards—ones that haven’t been canceled and that still have credit on

them—are a valuable commodity in the computer underworld. Most obviously, they

can be used to buy goods over the phone, with the purchases delivered to a

temporary address or an abandoned house to which the hacker has access.

 

The extent of fraud of this sort is difficult to quantify. In April 1989

Computerworld magazine estimated that computer-related crime costs American

companies as much as $555,464,000 each year, not including lost man-hours and

computer downtime. The figure is global, in that it takes in everything: fraud,

loss of data, theft of software, theft of telephone services, and so on. Though

it’s difficult to accept the number as anything more than a rough estimate, its

apparent precision has given the figure a spurious legitimacy. The same number

frequently appears in most surveys of computer crime in the United States and

is even in many government documents. The blunt truth is that no one can be

certain what computer fraud of any sort really costs. All anyone knows is that

it occurs.

 


erably older than the 150 or so adolescent Olivers she gathered into her ring.

As a woman, she has the distinction of being one of only two or three female

hackers who have ever come to the attention of the authorities.

 

In 1989 Doucette lived in an apartment on the north side of Chicago in the sort

of neighborhood that had seen better days; the block looked substantial, though

it was showing the first signs of neglect. Despite having what the police like

to term “no visible means of support,” Doucette was able to provide for herself

and her two children, pay the rent, and keep up with the bills. Her small

apartment was filled with electronic gear: personal computer equipment, modems,

automatic dialers, and other telecom peripherals.

 

Doucette was a professional computer criminal. She operated a scheme dealing in

stolen access codes: credit cards, telephone cards (from AT&T, MCI, Sprint, and

ITT) as well as corporate PBX telephone access codes, computer passwords, and

codes for voicemail (VM) computers. She dealt mostly in MasterCard and Visa

numbers, though occasionally in American Express too. Her job was to turn

around live numbers as rapidly as possible. Using a network of teenage hackers

throughout the country, she would receive credit card numbers taken from a

variety of sources. She would then check them, either by hacking into any one

of a number of credit card validation computers or, more often, by calling a

“chat line” telephone number. If the chat line accepted the card as payment, it

was live. She then grouped the cards by type, and called the numbers through to

a “code line,” a hijacked mailbox on a voicemail computer.

 

Because Doucette turned the cards around quickly, checking their validity

within hours of receiving their numbers and then, more importantly, getting the

good numbers disseminated on a code line within days, they remained live for a

longer period. It was a very efficiently run hacker service industry. To

supplement her income, she would pass on card numbers to members of her ring in

other cities, who would use them to buy Western Union money orders payable to

one of Doucette’s aliases. The cards were also used to pay for an unknown

number of airline tickets and for hotel accommodation when Doucette or her

accomplices were traveling.

 

The key to Doucette’s business was communication—hence the emphasis on PBX and

voicemail computer access codes. The PBXs provided the means for

communication; the voicemail computers the location for code lines.

 

PBX is a customer-operated, computerized telephone system, providing both

internal and external communication. One of its features is the Remote Access

Unit (RAU), designed to permit legitimate users to call in from out of the

office, often on a 1-800 number, and access a long-distance line after

punching in a short code on the telephone keypad. The long-distance calls made

in this way are then charged to the customer company. Less legitimate users—

hackers, in other words—force access to the RAU by guessing the code. This is

usually done by calling the system and trying different sequences of numbers on

the keypad until stumbling on a code. The process is time-consuming, but

hackers are a patient bunch.

 

The losses to a company whose PBX is compromised can be staggering. Some

hackers are known to run what are called “call-sell” operations: sidewalk or

street-corner enterprises offering passersby cheap long-distance calls (both

national and international) on a cellular or pay phone. The calls, of course,

are routed through some company’s PBX. In a recent case, a “call-sell” operator

ran up $1.4 million in charges against one PBX owner over a four-day holiday

period. (The rewards to “call-sell” merchants can be equally enormous: at $10 a

call some operators working whole banks of pay phones are estimated by U.S. law

enforcement agencies to have made as much as $10,000 a day.)

 

PBXs may have become the blue boxes for a new generation of phreakers, but

voicemail computers have taken over as hacker bulletin boards. The problem

with the boards was that they became too well known: most were regularly

monitored by law enforcement agencies. Among other things, the police recorded the numbers of

access device codes trafficked on boards, and as the codes are useful only as

long as they are live—usually the time between their first fraudulent use and

the victim’s first bill—the police monitoring served to invalidate them that

much faster. Worse, from the point of view of hackers, the police then took

steps to catch the individuals who had posted the codes.

 

The solution was to use voice mail. Voicemail computers operate like highly

sophisticated answering machines and are often attached to a company’s

toll-free 1-800 number. For users, voicemail systems are much more flexible

than answering machines: they can receive and store messages from callers, or

route them from one box to another box on the system, or even send one single

message to a preselected number of boxes. The functions are controlled by the

appropriate numerical commands on a telephone keypad. Users can access their

boxes and pick up their messages while they’re away from the office by calling

their 1-800 number, punching in the digits for their box, then pressing the

keys for their private password. The system is just a simple computer,

accessible by telephone and controllable by the phone keys.

 

But for hackers voice mail is made to order. The 1-800 numbers for voicemail

systems are easy enough to find; the tried-and-true methods of dumpster diving,

social engineering, and war-dialing will almost always turn up a few usable

targets. War-dialing has been simplified in the last decade with the advent of

automatic dialers, programs which churn through hundreds of numbers, recording

those that are answered by machines or computers. The process is still

inelegant, but it works.

 

After identifying a suitable 1-800 number, hackers
