It's good Dashiell Hammett didn't live to see it: A wave of denial-of-service attacks sweeps the country, briefly bringing down highflying e-commerce darlings like Yahoo, Amazon.com, eBay, CNN.com, ZDNet, E-Trade and Excite. The attacks immediately become a press spectacle. The Senate hurriedly musters a select committee to consider cybersecurity. The White House openly begins to mull the possibility of appointing a cybersecurity czar. And for help in tracking down the miscreants, the FBI turns to one of its most trusted Internet security allies.
But instead of cutting at this point to the seedy Hell's Kitchen walk-up of some aging, tough-as-nails gumshoe, we find ourselves in the bright, cheery offices of AntiOnline.com, an Internet security consultancy that tracks hackers and monitors their activities from smack-dab in the middle of Beaver, Pa. And the P.I. the feds are pinning their hopes on? Why he's no more than some fresh-faced kid in his early 20s named John Vranesevich, a guy who looks like he could just as easily be working the counter at Baskin-Robbins.
But that very same fresh face also graced "Wanted" posters circulating at last July's Defcon Convention in Las Vegas -- the most celebrated hacker gathering anywhere. And it's Vranesevich's AntiOnline.com Web site that hackers love to attack above all others. By Vranesevich's own count, hundreds of hack attacks daily are pretty much the norm.
Why? Vranesevich markets his services not just to the authorities but also to companies looking to protect their systems from hackers -- which hardly seems extraordinary. And the site itself simply contains news and information for security professionals, interspersed with ads from big technology players like Microsoft and Verisign. That, too, seems benign enough. But what's not immediately apparent is that this all represents quite a shift from the site's earlier roots -- stemming from its launch while Vranesevich was still in junior high. For years, the site chiefly trumpeted hacker exploits and provided a channel for hackers to explain their actions and voice their opinions.
All that changed a couple of years back, when Vranesevich stopped praising hackers and started pursuing them. Hackers say it's because he saw an opportunity to cash in on his inside knowledge. He says it's because he came to see most hack attacks not as the heroic challenges to authority their perpetrators purport them to be but, instead, as indulgent, self-serving acts of malice. Either way, he declared war on his former comrades in arms. And the skirmishes continue to this day.
Hackers mount assaults on your Web site so relentlessly that you've included a feature visitors can use to see who's attacking at that particular moment. Does all that enmity serve as one of your best security credentials?
Perhaps to some degree. It certainly removes any doubt about whether we're in cahoots with any of these individuals.
Has anybody ever managed to get through?
As a matter of fact, yes. Just a few weeks ago, somebody got into AntiCode.com, which is our security file library where we archive some 140,000 security sites. One part of that is a community area where people are encouraged to post security information. And the software enabling that is a third-party package. Now, we went through that pretty thoroughly and we did a lot of updates, but apparently we missed one file. And some guy found a way to exploit that to upload files to the home directory -- which is how he managed to deface the site.
Did he compromise any data?
No. It was just a matter of defacing, but it was a pretty creative attack. It looked like somebody invested a good deal of time.
What I find so curious is that after struggling so hard to get into your system, some guy chooses to do nothing more than leave his mark, which seems innocuous enough.
But just because I don't lock my door doesn't mean you can come into my house and leave a note that says: "Hi, I was here."
Still, you've got to admit these people have a sense of humor. And it seems they're primarily interested in demonstrating their technical prowess.
Well, that depends. One of the things we do here is break down hacker motivations. And what you're talking about is what we call the "social motivation," which almost always revolves around peer acceptance. Generally speaking, the guys we're talking about would be out tagging their initials on shiny buildings were it not for the fact that they're already essentially doing the same thing online.
And is this the sort of motivation you suggested when you developed a perp profile for the FBI after last month's spate of denial-of-service attacks?
Profile? We did better than that. We turned over actual names.
How long a list are we talking about?
Three people. But the profile we initially produced suggested the attacks had been mounted by three to six people.
What else did your profile say?
We said the majority, if not all, of these attackers were operating in the United States. We said 35 to 100 computers had been used in the attacks. We said these people were socially motivated, since we never bought into all the speculation that this was the act of a group looking to manipulate market behavior. And we also said we thought the attackers were in their late teens or early 20s.
What told you that?
Well, for one thing, these denial-of-service attacks haven't really been around for all that long. The utilities the attackers used didn't even become publicly available until the latter part of last year. So there really wasn't a whole lot of time for these people to install their software on all these hacked computers. Imagine installing software on 100 computers. It's a time-consuming process. It's also boring and repetitive.
Now further imagine that before you install all that software, you first must break into each computer, and once you're done loading the goods you have to erase any evidence that you were ever there. That just makes an already time-consuming process a lot longer. So we believe it has to be a group of people who worked together to break into all those sites, install the software and then combine their lists into some master list.
For psychological reasons, these groups tend to always include three people or more, but almost never more than six. Because the hacker culture tends to be rather volatile and very ego-driven, groups of more than six are inherently unstable. In any event, had this group included more than six people, leaks would surely have begun to appear long before now. As for why we focused right from the start on hackers in their late teens and early 20s, that was mostly because people older than that typically won't run these sorts of risks purely for peer acceptance. That's just one of those things most people grow out of as they mature. We're also fairly certain they couldn't be any younger than their late teens simply because they've been mature enough to keep quiet.
Be that as it may, do you think they're going to get nabbed?
Well, like I said, we turned over three names and explained to the FBI why we think these are the responsible parties. But one of the things that's hurt this case has been all the publicity seekers. Here you have all these security companies that came out and did investigations, only to announce their findings to the press before going to the FBI. So, in the course of monitoring hacker postings to the IRC [Internet Relay Chat], we came across someone in the security industry posing as mafiaboy, obviously in hopes of finding [someone] who would try to contact him. But while he was trying to figure out who mafiaboy's friends were, some other security companies were posing as mafiaboy's buddies to see if they could get in touch with him directly. So these two security companies ended up having several interesting conversations with each other. It was really funny, actually. I spent many a night watching the IRC space, just howling. But, unfortunately, this also helped to create a very confusing picture for the FBI.
Is there anything that could be done to stop distributed denial-of-service attacks?
Not really. That's what's so funny about all this.
Don't you think the recent attacks may have raised awareness enough to encourage people to start thinking about plugging the holes hackers can use to hijack their computers?
That's never going to happen. Honestly. There's always going to be someone like my mother who doesn't know about the latest Windows 98 service package she needs to install. There are so many people online anymore that that's become unrealistic.
So that leaves you to lurk in the dark recesses of the IRC in hopes of gathering all the hacker intelligence you can?
I wouldn't use the word "lurk." We simply monitor public IRC space -- about 142,000 forums at present. That includes Web pages, forums, IRC channel newsgroups, mail lists -- you name it.
On your Web site, you talk about how the intelligence you gather can be used to stop attacks before they start. Walk us through how that works.
That can happen in many different ways. One obvious example came about when we could see that a group was planning to attack the FAA's [Federal Aviation Administration's] Web site and we had a good idea of how they meant to go about it. So we simply called the FAA and said, "We know of a hacker group that in 15 minutes plans to break into your site using this vulnerability. You might want to patch it." That was pretty straightforward. At other times, we've obtained more subtle clues. One individual's motivations, for example, might tell us what sort of targets they're likely to go after.
You've also advocated that your clients, and I quote, "turn the hacker culture against itself to eliminate the threat once and for all." That sounds deliciously intriguing. But is it legal?
Sure, it's legal. Why wouldn't it be? You have these people who are hiding their true identities while they're getting ready to commit felonies against you. So if you can assume your own hidden identity and somehow convince them not to proceed, I don't see what the problem is. This may come as a shock, but if I were to represent myself as being from AntiOnline.com, there aren't a whole lot of people who would want to talk to me about what they're doing. So what we try to do is simply play the culture against itself. The culture inherently is built upon people seeking to protect their anonymity. But what that means is that disguises are the norm. So when yours is convincing enough, you can fit right in.
But when operating under this assumed identity, I take it you're not only gathering intelligence but also fomenting dissent.
Why not? A perfect example was when we were trying to break the CD Universe case. What we managed to do was invent people who were part of the scam. And we invented people who could make buys as well as people who could sell, and the whole nine yards. That gave us a way to monitor potential suspects for a while until we could find out what they liked, what they disliked, what their political beliefs were, what sort of jargon they used and all the rest of it. Then, using that, we were able to create a best friend for them who believed the same things, talked the same way and could quickly gain acceptance.
These sound like classic police techniques, only applied in cyberspace.
Absolutely. Basically, we caught the guy who did the CD Universe hack [in which 350,000 credit card numbers were made public] in much the same way an FBI agent would bring down a drug ring. The techniques are classic, but they're not used very often in the digital realm. There are a lot of adaptations that need to be made, of course. And you really need to understand the culture -- just like the people who do undercover work for the FBI need to know a lot about the gangs they intend to infiltrate.
And clearly most cops don't have a clue when it comes to the Internet -- which leads me to wonder what's going to happen once somebody begins to engage in some real cyberterrorism. Is our so-called New Economy ready for that?
Real cyberterrorism? No way. We're not ready for that. And I think the best evidence of that came from something called Project Eligible Receiver, which was sponsored by the DOD [Department of Defense] and carried out by the NSA [National Security Agency]. The NSA hackers managed to gain access to systems which they could have used to shut down the entire Pacific command fleet, shut down a significant portion of the nation's power grid and basically send the whole country into a spin. So I think that shows pretty conclusively that we're vulnerable. But at least we recognize that and are taking steps to try to mitigate that vulnerability.
And what do those steps entail?
You know, the No. 1 thing is education. With any given network, the weakest security link is always the end-user. So when the Melissa virus was making the rounds, the word went out telling people not to open up e-mail attachments. And that stopped the spread of the virus cold in its tracks. Some people still have to be told not to give out their password when somebody calls, no matter who they represent themselves to be. In the DOD, one of the biggest security concerns has to do with what we call "slippage," which happens whenever data coming from a secured, classified network finds its way onto an unclassified network.
So data slips really do sink ships?
Yeah. Write that one down. As you know, a certain former CIA director has already been called on the carpet for that very thing.
But in any event, isn't network security something of an oxymoron?
Yes. We live in extraordinary times. Security right now is a folk art. It really is. If you hired four different security firms today and asked them to secure the same network, each would come back with a different solution. And probably a year from now, each would be compromised in a different way.
Does that mean we're just a bunch of e-commerce lemmings about to take the plunge?
Yes, I'm afraid so. E-commerce right now is a very dangerous thing. After reading recently about online voting in Arizona, I've had recurring nightmares about electing President [Kevin] Mitnick. I mean, if everything else can be hacked, surely a voting system can be broken into. I think, in general, we're rushing forward much too fast. The Internet was originally designed for the free exchange of information between a large number of people -- scientists and researchers, mostly. Now, all of a sudden, the Internet has become commercialized. But it's still a long way from being industrial strength. So should you be nervous? Yes, very nervous.
Shares