Is the unwritten message that “Cyber Crime Does Pay” the message we are sending to cyber criminals?

Banks always report a robbery, but currently businesses still don’t report cyber crime. According to the FBI and Computer Security Institute, only 34% of businesses surveyed in their 2002 Computer Crime and Security Survey reported intrusions to law enforcement.

Meanwhile cyber criminals remain free to commit crimes costing business millions of dollars each year. Malicious code and hacking has cost $13.2 billion dollars worldwide.

Don Pipkin believes we all need help in understanding the legal recourse that companies have at their disposal to help cyber criminals “pay”.

He is the author of a new book called “Halting the Hacker, Second Edition”. His book shows business and IT managers what laws are being broken and what companies need to prosecute an intrusion or data theft. Don is also an Information Security Architect for the Internet Security Division of Hewlett-Packard and an internationally renowned security expert.

Q: What is the profile of a typical cyber criminal or a hacker?

Pipkin: Hackers today have really expanded over just a few years ago. We have those that attack for visibility - website vandalism, the viruses, the things that once they're hit you know they've been hit. These attacks are done for the notoriety or to prove to their friends that they can do it.

There's a whole other class of attack that is not visible where someone is trying to steal information - credit card information or corporate secrets. Those types of attacks are as stealthy as possible so they can grab information. This is the kind of attack corporations must protect themselves against. Even though viruses are expensive for corporations to clean up, it's the ones where information of what's going on inside the company is revealed that can be really devastating.

Q: What are some examples of the most common types of cyber crimes against corporations?

Pipkin: Companies have issues with internal attacks. People who know where the information is are looking to steal secrets to resell them: things like customer lists or credit card information, which is a very broad attack to sell those numbers. There's a huge market out there for stolen credit card numbers.

Q: Do you see cyber crime growing or is the software industry's clampdown causing crime to decline?

Pipkin: Crime has certainly been growing online the last few years. There is a lot less likelihood that a criminal who uses the Internet to launch a crime will be captured. It's hard to identify where those attacks come from. It's hard to prove who actually instituted these. There is also a bit of reluctant among companies to prosecute crimes or to make them public. So the Internet has made a safer environment for these attacks.

The industry is still playing a catch-up game and focusing on the areas where companies are spending money to clean up things. There are a lot of website security products out there. But there aren't as many companies addressing the heavy security problems of securing the environment where you keep your valuable corporate information.

Q: Offline companies are very aggressive about going after criminal activity. Why is there such reluctance to pursue and prosecute people who were doing cyber crimes?

Pipkin: Part of it is the difficulty in capturing someone who is performing a cyber crime. You do have to work back through so many companies like Internet service providers who have to track where someone is coming from. The crime crosses so many geographic boundaries, which raises the complexity of tracking these people down and reduces the likelihood of prosecution and the success of being able to make a presentation to the judge or jury to successfully show that these were the people are actually causing the events.

Q: Internet technology seems to be very traceable. It’s surprising to me that we haven't been able to develop a better system to track crimes. Do you see the industry, the operating systems, and the governing bodies coming up with some overall protocols that will enable better tracking?

Pipkin: There is a difference between those who don't want to be tracked and the everyday user. Also, the Internet, being an international resource, struggles to develop protocols of how things should be done. How different countries look at the issues of privacy is significantly different.

From country to country, certain protocols will or won't be allowed because countries where privacy is strongly valued don't want the information tracked. Then there are countries where the government itself wants to maintain a view of what all its online citizens are doing.

Q: Do you see particular countries being a source of cyber crime?

Pipkin: Yes. Countries where Internet access is fairly limited, do not have the financial requirements to have a good national network. If you look at a lot of the historical hacking, it involves the phone system. Lots of countries still have very antiquated phone systems that are easy to break into. If fact, a lot of the systems that become antiquated in the U.S. are sold into these Third World countries who were just getting into this technology. So I don't think were going to see a big improvement in the global environment until there is more of equity in global technology as it pertains to the Internet.

Q: Is the face of a cyber criminal The Lone Wolf or organized mobs?

Pipkin: The face of the cyber criminal varies depending on the crime. With credit card theft, there are a lot of organizations doing it. Website vandalism and virus writers are more Lone Wolf. Sometimes they are activist groups with whatever they are up in arms to make a statement about.

Q: One of the hot topics is cyber terrorism. Do you see that as a significant threat as it is portrayed in the media? What are the targets we should be worried about?

Pipkin: The military has been doing research for a long time on cyber warfare - how they can use computer and network technologies to improve their position in a military campaign. There are certain areas where we should be concerned. If you think back to the Y2K episode of a few years ago, there were a lot of areas we were concerned would just stop because of old technology. If today those areas are still running old technology, they are vulnerable to a cyber attack. So to think about the embedded systems out there, the controlled pipeline distribution or water systems, those are more likely to be compromised. The question is what will terrorists do with these technologies that would help their agenda. There was a case in Australia awhile back where a sewage disposal computer system was broken into. So they faced a sewage problem in the town until they could get the system restarted.

Q: Has there been any examples of a true cyber terrorist attack in the U.S.?

Pipkin: There was a report of a flood control system in a dam in the West - the information was somewhat over dramatized. There haven’t been any reports of a serious attack. The military has not implemented an offensive cyber attack.

Q: Do you see groups outside the United States developing the skills needed to do this?

Pipkin: There are a lot of countries that have cyber warfare troops within their military. They're certainly looking at what they can do to disrupt communication logistics' so that equipment doesn't get to the right place at the right time. The first step is "Can we cause chaos within a campaign?" Then it becomes more aggressive such as "Can we cause damaged to systems by misrouting information or sending false information?"

Q: For our peace of mind, tell me our military has equal or greater units that are focusing on the cyber terrorist area.

Pipkin: Absolutely. We spend a lot of time and money looking at the offensive and defensive side. The government has pulled a lot of its communication on to secure, highly encrypted, military-only networks. The military has looked at how to prevent it as well as how we can use technology to enhance our position.

Q: Tell us about your book – “Halting the Hacker”.

Pipkin: My book looks at how services are attacked and how someone would gather information, and gain access and privileges. The examples and tools in my book are very much focused on the Linux and Unix environment, mainly because there are a lot of open source things that can help you.

(Dana Greenlee is producer and co-host of the WebTalkGuys Radio Show. WebTalkGuys, a Seattle-based talk show featuring technology news and interviews. It is broadcast on CNET Radio in San Francisco and Boston, on the web at CNET Radio, WebTalkGuys Radio, Sonic Box and via the XM satellite network and the telephone via the Mobile Broadcast Network.  Past show and interviews are also webcast via the Internet at http://www.webtalkguys.com).

PC World magazine names WebTalkGuys "Best of Today's Web Hidden Gems" in their August 2002 issue.