As Simple as Black and White
By Bonnie Ramthun

We had a visit from a White Hat at January’s meeting of the Rocky Mountain Chapter of the Mystery Writers of America.

Brian St. Denis is definitely one of the good guys – a White Hat, otherwise known as a computer security specialist. The other guys are known as Black Hats (of course.) They are the ones who hack into systems, spread viruses, and steal millions of dollars. They destroy systems, hijack identities, and cover their tracks without a trace.

…Unless there is a White Hat on their trail. On January 9th, at Sabor Latino Restaurant in Denver, Colorado, we entered a fascinating world of hackers, crackers, script kiddies, and social engineering. Our guest speaker, Brian St. Denis, managed to make this confusing twenty-first century world of computer crime and heists as clear as zeros and ones. Mr. St. Denis works for Root Group, and has previously worked for one of the largest telecommunications companies in the world, Level 3. He is a computer engineer and is a perfect White Hat – tall and handsome, with a witty sense of humor and a passion for tracking down and finding the bad guys. In the world of computer crime, it is as clear as Black and White -- Black Hats and White Hats, that is.

He introduced us to the world of computer security by giving the attendees a small test:

Which is the most accurate portrayal of computer systems in a popular movie?

Terminator II
The Net
Hackers
War Games

Which would you pick? The movie accurate in portraying the most common and dangerous form of computer attack is the 1980’s flick War Games. In the movie, Matthew Broderick uses his computer to scan random numbers in Los Angeles and see if a modem signal picks up. Then when he does find a computer modem on a phone line, he runs tools to break into the site that has picked up. Eventually he breaks into the Defense Computer system (known charmingly as WOPPER) and finds a way to log in by doing research in the library on the computer’s inventor. He didn’t actually use any fancy technical knowledge to break in – he used research on the inventor and found out his son’s name, and that is how he found the so-called “back door.” Nothing fancy, no James Bond gadgets, just some research.

This research is known as social engineering, and it is the most devastating and useful form of computer attack. Social engineering, at its simplest, is asking for information from people. World-renowned hacker Kevin Mitnick says: “It’s human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers using this knowledge to exploit their victims and to achieve their goals.”

Sometimes your phone may ring and you have a hang up – that could be a wrong number, or someone, like Matthew Broderick's character in War Games, may be checking to see if your phone number is a modem pick up. That’s what people actually do today, to find dial-up numbers so they can attack a system.

What if someone called you up and said they were doing some updates on your web site, or your company’s computer, and needed your password? Would you give it to them? Usually people do, particularly if the hacker has an engaging, friendly voice and can “sling the lingo,” or sound like someone who is part of your company.

Once the hacker has your name and password, they can then attack a major company – rob a bank, or break into and steal secrets from the FBI – using your name and password. Then they fade away, leaving no trace, and you are left holding the bag. This is called gaining anonymity. This is different than social engineering – this is something like breaking into your neighbor’s house to make a threatening phone call. You don’t intend to steal your neighbor’s things, you just want to use your neighbor’s place of residence.

Hackers who commit cyber crimes are also known as crackers – or criminal hackers. They are dangerous, persuasive con men who have been known to steal as much as 10 million dollars at a time, all from their home computers.

The typical hacker, Brian St. Denis informs us, is often no more than a youngster who wants to impress their friends. Often they are under age, sometimes as young as 12, and don’t intend to hurt anyone or steal anything. They can cause great damage and embarrassment, particularly if they unleash a virus, but they are seldom prosecuted because of their underage status. Companies want to prevent attacks like this because they are embarrassing – hacked by a kid! – And there is no way to recoup losses. How do you sue a 12 year old? What are you going to do, repossess his Matchbox cars? Most importantly, it is terribly humiliating to admit that your large company was hacked into by a child! Often these crimes go unreported simply because of the embarrassment factor.

Hackers who use code written by others to break into systems are script kiddies, called this because they use tools created by other programmers. Often a White Hat like Brian St. Denis will use programs that script kiddies use to help track down an attack, using the same tools directed at a Black Hat that they used against him. Some companies may actually hire a Black Hat to devise a defense against attacks, or hire a Black Hat to help them locate another Black Hat. A White Hat, hiring a Black Hat, to catch a Black Hat… it can get dizzying.

How do companies prevent hacker attacks? They set up firewalls, just like the firewalls that exist in buildings and, most familiarly, between you and the engine block in your car. If there is a fire, the firewall separates the two spaces. In the computer world, a firewall separates a company’s computer network from the outside world, or Internet.

This is the idea. Firewalls are a good protection but they cannot stop a social engineer – once they get a user name and password from a helpful employee, the company’s system is wide open. A firewall without internal protection is known as cookie model, because it is just like a cookie – crunchy on the outside, soft and gooey on the inside. Good security consists of many different levels of security, both at the firewall level –- where the company meets the Internet – and within the company. Good security needs lots of layers.

How do hackers get caught?

1.) Intrusion detection

A hacker is sometimes caught because a company has software that detects a break-in, just like a security system on a building will set off an alarm. With social engineering, where a hacker cons an employee into giving up passwords and entry information, an intrusion detection system doesn’t work. But intrusion detection is a good tool in the security specialists’ toolbox, and when used with other methods it can save a company from theft or a devastating virus.

2.) Human detection

Interestingly enough, the way most hackers are detected is through a human being noticing something “different” – like a record of someone logging into the system at 3 a.m., or a change in familiar files or file change dates. When an employee or a computer security specialist notices something “different,” that sets off the alarms and, as Sherlock Holmes liked to say, “The game is afoot!”

3.) Audits

Don’t laugh, now. Yes, noticing that you are 10 million dollars short in your bank account is a rather late way of discovering that you’ve been hacked. But audits do start a trail that a clever computer sleuth can follow right to the Margarita-sipping thief on their Mexican beach. No place is safe from a White Hat, once they’re on the trail.

Doesn’t the FBI have a handle on hacking?

Brian St. Denis says: “Don’t make me laugh! The FBI has no funding to pay the kind of money that a top rate computer security specialist can pull down in the private sector. The information that flows across the Internet at any given second is unbelievable, a massive amount of data. The FBI has very little resources to dedicate to a hacker attack. When it comes to data security, we’re on our own.”

He was then asked, “What can the FBI do?”

“Arrest the bad guys,” he responded. “When we find them, they can arrest them. That’s what they do.”

The FBI also has great statistical models and data gathering. They keep track of reported crimes and that can help a White Hat track down his Black Hat. Since laws are not well defined for computer crime, the FBI can only get involved when a crime involves National Security – like terrorist activity – or interstate crimes such as drug dealing.

Brian was asked about the FBI “listening in” on people’s e-mail and Internet traffic. The CALEA law requires that telecommunications companies provide such taps, but the sheer volume of Internet traffic makes this a dubious crime-tracking ability. The FBI or law enforcement agency has to request a warrant from a judge to place a tap on the suspect’s computer data. Then when the judge issues the warrant the FBI can tap one person’s computer for one specific crime. The chances of an FBI tap actually trapping data and being able to find out something meaningful are tiny.

Finally, Brian was asked about the concept of a “deleted” file. This was a fascinating topic and delves into the way computers store information. When you delete a file on your machine (people in the computer world always call computers “machines”) it is not really deleted. The computer simply removes the name of the file from the list you see on the screen, and that’s it. Really! The next time you save a file, however, it might overwrite the information that you have on your hard drive, since it is no longer “reserved” by your computer.

So deleting a file doesn’t really delete it after all! An encrypting tool may delete – called wiping – files, but it has to do this by filling all the information on the hard drive with blanks, or false data. In the top-secret world, a computer file is always wiped – replaced with ones and zeros, to destroy every piece of information. Most other programs don’t do this.

Another way to wipe a file – and the entire hard drive of a computer – is to place a powerful magnet anywhere near the hard drive. This will take care of that drive, probably forever. So keep magnets away from your computer! Or, if your character has the need to wipe a disk but no time, a powerful magnet would be a nifty device that would make all the computer folks reading your book nod their heads and say “This author knows what they’re talking about!”

The evening with Brian St. Denis ended quickly, with dozens of questions still left to be asked. His knowledge and skill in educating all of us was really appreciated, along with the fun and humor that he brought to all his stories. We truly enjoyed our time with him, and for those who would like to ask further questions, e-mail Chapter President Bonnie Ramthun and she will forward the questions on to Mr. St. Denis.