Commentary: beware the security zealot

Written by ZDNet Staff, Contributor
The little miscreant that could, #1
Curador was "bragging," Davis said, and that made him mad. "In hacker terms, Curador had the maturity of a child," Davis added. "He went off on a grandiose track to let the world know of his skills at breaking into e-commerce sites."

Davis operates a small computer security company, HeXedit, in Ottawa, Ontario, and taps into affiliations with some of the world's most respected computer security people. He contacted several of the firms that Curador had hit and asked if, in exchange for setting their systems up correctly, they would send him the logs of the attack. Everyone agreed. In the ensuing days and weeks, Davis continued to gather evidence of how and where Curador operated.

After two months, the Royal Canadian Mounted Police and the FBI finally got involved. They contacted Davis, who willingly turned over all of the evidence - names and locations, logs and the trails, everything. The FBI agent thanked him profusely and said Davis would see his name in "bright shining lights" in the FBI press release. The next day the release went out. There was no mention of Davis.

Michael Vatis, director of the National Infrastructure Protection Center (NIPC), the FBI's "computer crime central," was quoted by the news media about how his group had captured Curador. In an interview with Brian McWilliams of Internet News, Vatis stated: "Computer crime investigations are difficult and resource intensive, but anyone who underestimates the skills and tenacity of our agents does so at his own peril. This case demonstrates that cyber criminals can not hide behind international boundaries to escape justice."

It took James Atkinson, a security specialist, two hours to pinpoint the real name, address and phone number of "Mafiaboy," the Canadian 15-year-old who allegedly initiated a denial-of-service attack on CNN — one of a series of DOS attacks on large Web sites across the U.S. early this year. (Credit: Lou Beach)

The little miscreant that could, #2
Mafiaboy seemed to be just your normal 15-year-old Canadian kid, from your normal, well, perhaps not all that normal, Canadian family. As it would turn out, when the Mounties tapped the family phone, they overheard Mafiaboy's father allegedly plotting to have a business associate assaulted - the family may need some work on problem-solving skills.

James Atkinson, president and senior engineer of the Boston-based Granite Island Group (www.tscm.com), a technical counter-intelligence firm that finds bugs, wiretaps, eavesdropping devices and other technical surveillance threats for government and corporate clients, was hired by a West Coast company that felt its computers had been used as an "intermediary" in a DOS attack.

In 42 hours of backbreaking, minute analysis of details, Atkinson tracked the intrusion from day one. "I went through thousands of pages of log files, ferreted out exactly where they had come from, how they got in. I went 'upstream' of the ISPs and had the systems administrators trace the penetrations further. In some cases I had to trace through a dozen different computer systems and networks through which the vandals had routed the attack, in their attempt to cloak their identity."

Atkinson tracked the intrusion to Mafiaboy, who also went by the nicknames "NiGhTmArE," "Gangster," "Gangster-Clan," "Canadian Gangster" and "Brain Buzz." He'd even listed his real name, home phone number and e-mail address on his Web site, to which he'd point people when on Internet Relay Chat.

Atkinson wrote the report for the company that had hired him. The company, which had been asked by the FBI to provide its logs, handed them over along with Atkinson's written report. The FBI greeted the report with great suspicion. "How do you know these things?" Atkinson recalled one FBI agent demanding. "Because I went to your schools," Atkinson said he responded. "Because I've taught at your schools. You're ill-prepared to deal with things such as this."

Why the hostility? "The FBI is grossly ill-equipped to handle any technology-based crime," Atkinson says. "They have, maybe, three competent computer experts in the entire bureau."

Four patterns emerge here:

First, there is a pattern of pathological narcissistic behavior exhibited by Curador and Mafiaboy - "grandiosity" in Davis' terminology. Atkinson sees Mafiaboy and others like him as "a confederation of kids who all get together and talk about what bad-asses they are."

Second, computer software is lousy with flaws, and the systems administrators and chief executives of most companies aren't investing adequate time, effort or money into computer security. In the military, this is referred to as offering the enemy "a target-rich environment."

Third, federal authorities' efforts at stopping computer crime are laughable. In both cases, they had to be told by private individuals where to look and for whom. The NIPC asks for "partnerships" and then stiffs the investigators who actually solved the crime of any credit. It's been doing this for decades. HeXedit and Granite Island Group ought to bill the FBI and NIPC for doing the federal agents' work.

Yet, that suggestion opens the door to my fourth, perhaps gravest, concern: welcoming in a whole group of cybervigilantes.

Yes, I trust Chris Davis, James Atkinson and a few others. But do we really want a whole bunch of computer private eyes - vigilantes, like "Lou Ciper" - Lucifer, get it? - who claims to have tracked hackers down, broken into their homes, stolen their computers and even, he claimed, resorted "to baseball bats" to even the score?

There are thousands of claimants to the title of computer security expert. We're lucky if 100 really qualify. And none of them carries a baseball bat or takes out ads showing the covers of magazines promoting the "hacker" scare. It isn't the teenybopper narcissists you have to worry about. It's the professional computer criminals - insiders and outsiders - who are using what doesn't belong to them from your computer or from your business.

Heed the sergeant's wise warning on old Hill Street Blues: "Let's be careful out there."

Lewis Z. Koch has been an investigative reporter for over 30 years. Currently he is a special correspondent for CyberWire Dispatch. He can be reached at lzkoch@mediaone.net.

In a certain way, the "hunters" couldn't have been more different. Ex-hacker Chris Davis was responsible for cornering the Welsh teenage Curador - the 18-year-old computer security consultant turned computer criminal - who thought it was cool to snare credit cards from mom-and-pop Web sites and post them where all could see and admire his cunning. It took Davis two days to locate Curador's name, address and phone number.