
International Intrusions:
Motives and Patterns

Kent E. Anderson

E-Mail: kea(at)aracnet(dot)com

Copyright 1994, 1996 Kent E. Anderson

This paper appeared in the Proceedings of the 1994 Bellcore/Bell South Security Symposium
May 1994



Abstract

Current investigations into computer intrusions usually focus on individual systems and geographically localized incidents. However, in reality, many intrusions are interrelated and international in scope. To better protect systems, intrusions must be understood in their proper context; not in the isolated focus of a single incident. Key to a global understanding of these threats is classifying the various motives of individuals and groups involved. When incidents are investigated in their global context, it is possible to analyze the dynamics and patterns of interrelated incidents previously misunderstood or ignored.

This paper will summarize the author's investigations of international intrusions during the last eight years to present a classification model of attributes and motives displayed by intruders, and explain common patterns of activities. Finally, current technical trends are considered in order to understand potential future risks.


1 Introduction

Twenty years ago, networks consisted of a small number of systems, usually connected over leased lines with low baud rates. Today, private networks with well over 100,000 systems are common. These networks are interconnected to form larger networks, such as the Internet, with over 1,000,000 individual systems.

These networks have created a revolution in communications affecting every aspect of society including business, education, travel, medicine and research. With new innovations in computer and telecommunications technology, networks will continue to grow at a phenomenal rate, as will their influence on society. With this rapid growth has come an increase in misuse.

The ability to secure and protect a single computer system is fairly well understood [14]. There is also a plethora of security tools, seminars, conferences, books and consultants available to the system administrator. However, intrusions appear to be increasing in number, the techniques have become more technically sophisticated and are having a wider impact, such as the recent "sniffer" attack on the Internet during early 1994. There are several interrelated reasons for this apparent paradox:

Geographical Distribution: Twenty years ago, computers were owned and operated by single entities such as a corporation or university. These computers were physically isolated in secure buildings where access, both physical and logical, was controlled. Today, systems are connected and logically accessible throughout the world. These systems are located everywhere; on desktops, factory floors, in labs, hotel lobbies and automobiles. Today's global networks have no borders. An individual in Asia can access and manipulate data in Europe in real time. Geographical distribution of systems makes it difficult to routinely control access to each system and authenticate legitimate users.

Size and Complexity of Networks: With a single computer system, a system administrator was able to understand the basic technology of the system, the user community and applications. Today, a single system can support hundreds of users, running many integrated, multi-vendor applications. Likewise, hundreds and thousands of small, PC-based client systems can be connected into a local area network; these systems are then interconnected by the thousands to form local and wide area networks. The ability to understand the systems, network topologies, points of access and the myriad of applications and users is beyond a single system administrator. This lack of control allows security weaknesses to develop or go unnoticed.

Frequency of Change: As size and complexity grow, so do the speed and frequency of changes in terms of basic technology as well as applications and uses of computers and networks. Often, a system administrator finds it impossible to keep up with the functionality of new hardware and software. Within a large network, systems, applications and databases are added and removed daily. Remote connections are constantly changing. Again, in large networks it is beyond a single system administrator to keep up with the continuous change. This allows vulnerable or unprotected entry points into the network.

Mobility and Portability: The current movement to laptop and handheld systems combined with wireless and cellular technologies has added a new dimension to the complexity and control of access to systems and networks [3, 19, 26]. Again, authentication of legitimate users becomes difficult, if not impossible. Also, tracing suspicious activity is much more difficult.

These issues, combined with other techniques such as social engineering and taking advantage of security flaws within software, create environments where weaknesses in security can develop. Also, security is usually considered as an afterthought in network design and implementation, and retro-fitting security into an existing network can be costly and time consuming. All of these weaknesses can be exploited by intruders to gain unauthorized access to systems and data.

In studying intrusions, researchers often concentrate on geographically local cases, individual intruders or particular operating systems [4, 22, 33]. While these studies provide some insight into issues which need to be addressed, intrusions need to be understood in the international and global context of today's worldwide networks. Only in this way can the larger patterns of activity be analyzed and solutions proposed.

2 Classification of Intruders

Due to the academic controversy with the word "hacker" and the common public misconception of a "hacker" as an intelligent, well intentioned youth, the term intruder will be used to describe an individual who illegally accesses or makes unauthorized use of a system.

In this paper, the word system is used broadly to describe any digital system capable of processing and communicating information. This includes standard computer systems, voice mail systems and public and private telephone switches.

A classification model built on the motivations behind intrusions can provide an insight into both the patterns of activities and the scale and scope of general threats to systems and networks. This model is developed from the investigation of several thousand intrusions worldwide during the period from 1986 until the present.

This is only one of many different methodologies that could be used for classifying computer intrusions. Many papers have addressed the how of intrusions [2, 4, 17, 33]. However, the objectives of this model are to give a better understanding of why intrusions are taking place and also help to identify why certain patterns of activity are occurring. This in turn provides a basis for better measurement of risks.

As with any classification scheme, this model represents the generalization of complex human behavior. Because of this, specific exceptions can always be found which do not perfectly fit the model. With this limitation in mind, a classification system based on four motives can be developed as shown in Figure 1.

Pyramid showing four classes of intruder

Figure 1 - Intruder Classification Model

2.1 Individual Intruder

This category is based upon the activities of individuals usually acting independently in the pursuit of personal goals. The motive of these individuals can be defined as: The challenge or thrill of gaining access to a computer system.

Individual intruders may cooperate to some extent in loose associations sharing information and techniques. However, there is usually no strategic planning or organized tactics for penetrating systems or networks.

Recently publicized examples include Kevin Mitnick [17, 18, 24], Paul Bedworth [6] and Robert Morris [28].

The technical ability of these individuals generally ranges from very low (minimal user knowledge) to moderate (system administration knowledge). However, a common attribute of this category is a pattern of obsessive behavior [6, 15, 20, 24]. Contrary to the myth portrayed in the press and Hollywood that an intruder enters a few commands and gains access to a system, intrusions may take months of continuous research and many trial and error attempts. Often displaying compulsive behavior, the intruder may work 18 or more hours a day, every day, on a variety of tasks necessary to support even a single intrusion. A U.S. Federal judge has tried to sentence an intruder to treatment for compulsive behavior [18] and a U.K. jury has accepted compulsive behavior as a legitimate defense [6].

The resources available to this level of intruder are usually limited to popular, off the shelf PCs and peripherals.

2.2 Organized Groups

There are two attributes distinguishing organized groups and individual intruders. First, these groups often display some degree of cooperation to:

Organized groups vary from loose affiliations with common interests (and often separate, individual goals) to highly cohesive organizations with well defined goals.

Secondly, the major motivation for this category is defined as: Entering a computer system to gain access to specific information or system and network resources.

Well publicized examples of organized groups include the German Chaos Computer Club (CCC) [7, 9, 26], the Dutch Hack-Tic group [7, 11, 16, 31], the English group 8lgm (Note 1) [1, 41], the U.S. Legion of Doom (LOD) [37, 39] and participants of the Japanese Otaku (Note 2) [15].

A classic example of a group loosely organized around access to specific information is described in the US Government's Sentencing Memorandum for several Legion of Doom (LOD) members: "The main motivation: To obtain power through information and intimidation [37]."

Organized groups may have any number of interests in information such as:

These groups typically have moderate to high (systems level) knowledge of computer and telecom systems, switches and networks. The resources available may include small networks, bulletin boards/voice mail systems and access to funds via membership dues, newsletter subscriptions and press, speaking or book royalties. As with the previous category, individuals within organized groups often display patterns of obsessive behavior.

2.3 Criminal

The primary attribute and motive of the criminal category is: Access to a system for profit or unfair market share.

While activity in any of the other three categories may be subject to prosecution under criminal code, this category relates only to those involving monetary gain, such as wire transfer theft [3], industrial espionage [35], credit card theft [23] or pseudo security consultants [1, 40, 42].

Currently, this is the highest growth area both in terms of number of intrusions and monetary damage [13, 23].

Intruders within this category have technical abilities ranging from very low to high, or may recruit technical skills (either with or without the individual's knowledge of criminal activity).

As with any "for profit" criminal activity, the intruder weighs the cost (both in time and money) of using a computer to commit the crime versus using more traditional means such as a physical break in, bribery, etc.

2.4 Espionage

In this final category, the primary attribute and motive is: Access to systems or information for national economic or strategic objectives.

The full scope of this category is difficult to address since most sources are limited to open press reports which are subject to distortion or misinterpretation.

However, several examples of this type of activity have been reported concerning both the former East German intelligence service [12] and the former Soviet Union [2, 33]. In both of these cases, the major focus appears to be obtaining technology formerly restricted under COCOM. More recently, other countries have been reported to have an interest in obtaining access to proprietary technical information and information that could assist in advancing national economic objectives [29, 30].

This category of intrusions has the greatest variety and complexity of methods and resources. Often, the resources available (equipment, manpower and technical knowledge) are only limited by cost versus the potential gain, similar to criminal activity.

2.5 International Differences

Close examination of the motivation behind intrusions shows several important international differences:

In Europe, organized groups often have a political or environmental motive, while in the United States a more "anti-establishment" attitude is common, as well as simple vandalism.

In recent years, there appears to be a growth in industrial espionage in Europe [12, 38] while the United States is seeing an increase in criminal (fraud) motives [23].

In Eastern Europe, Russia and many third world countries, the telecommunications infrastructure limits activity compared to other areas of the world. However, Eastern Europe and Russia have serious problems with computer viruses (Note 3) [8] and Russia is also having some problems with criminally motivated intrusions such as wire transfer fraud [25]. This promises to rapidly change with the current investment in digital telephone technology worldwide and the expansion of the Internet [32].

While intrusions originating from Asia are far fewer in number, industrial espionage appears to be a significant growth area [5, 15, 29, 30].

Technically, in past years intruders within the United States often accessed systems via the telephone system (i.e. dialups); Europeans generally used packet-switched networks (i.e. X.25, X.29). However, this difference is narrowing as European countries implement digital telecommunications networks [10, 27] and the U.S. uses packet-switched networks to a greater extent.

2.6 Influences and Information Flow

As stated before, the classification model presented above is a generalization of complicated and varied activity. In real life, the distinct lines between groups are blurred. There is not a complete separation between categories; each influences and may motivate the other. Also, information and methodologies flow between categories.

A simplified diagram of the dynamics between the various categories is shown in Figure 2. In general, the upper levels can influence and manipulate the lower levels, while information and methodologies developed in the lower levels are used by the upper levels.

Additionally, the pyramid shows a potential evolution whereby an intruder may begin at the lower levels and move upward over time.

Pyramid showing information flow upwards and influence downward

Figure 2 - Dynamics within the Classification Model

3 Intrusion Patterns and Dynamics

Intruders use a variety of techniques to penetrate a system. Password guessing, social engineering, mapping (sequential dialing of telephone numbers looking for modems) and Trojan horses are a few examples of such techniques.

While a significant effort has been made by network security professionals to understand these methods as they apply to a single intrusion, they do not usually investigate the wider context of how an incident observed on one system is often related to other, enabling intrusions at many other locations. These enabling intrusions often jump across academic, research, corporate and government sponsored networks, as well as the networks of commercial service providers and the telecommunications carriers. Additionally, these enabling intrusions often cross international borders.

Information concerning these local incidents is gathered by network security professionals and then shared and studied through a variety of industry and professional associations, journals and conventions. Rarely are the linkages between incidents studied in their full context. Consequently, remedial efforts to secure systems are often focused at the site and individual system level without addressing the broader threats to global networks. As stated before, many security problems are directly related to issues in the design, implementation and management of large, distributed networks. Therefore, network security problems continue to exist and increase even with significant local effort to protect individual systems.

3.1 "Underground Networks"

One such phenomenon usually overlooked is the development of a virtual, underground network of systems by the intruder. This network is composed of systems the intruder has previously penetrated and compromised. In other words, the intruder has subverted the security mechanisms of many systems and, unbeknownst to the legitimate owners of the systems, has gained de facto control and created a virtual network of compromised systems.

The intruder continues the process of penetrating and compromising new systems until many systems have been subverted. Individual systems may belong to different organizations or companies, may reside in different countries or be located in different networks. However, these systems now comprise a virtual "network" of systems available for the use of the intruder as shown in Figure 3.

Schematic view of underground network

Figure 3 - View of an "Underground Network"

Statistically, an individual intruder will have upwards of 100 systems previously compromised and available for illicit use within the underground network. Organized groups often have access to 1000 or more systems at any one time. This collection of systems allows the intruder to address several issues described below.

3.2 Patterns of Activity

After penetrating a system, the intruder has four major concerns:

When looking at specific patterns of international intruder activity, most can be explained in terms of these four concerns. For example, Figure 4 shows a traditional pattern of activity used to maintain anonymity and reduce the cost of the illegal activity.

Diagram showing intruder using several different systems to attack target

Figure 4 - How Intruders Hinder Tracing and Avoid Telecom Charges

This example shows a classic method to attack a new target system, T1. The intruder first accesses a previously penetrated system (belonging to the "underground network"). This system is then used as an enabling system to connect to a second, previously penetrated system and so on. The intruder "leapfrogs" from one system to another through the network. In most cases, each of these systems is owned by a different organization, agency or corporation and frequently is located in a different country. This complicates tracing since different laws are involved for each system as well as different law enforcement agencies, telephone carriers/PTTs, time zones and languages.

In most cases, the intruder will leapfrog through three to five systems before attempting to attack the target system. In this way, if the target system, T1, detects the attempted penetration, it will only see the activity coming from system N3. In turn, system N3 only sees activity from system B2, and so on. Fewer than three systems makes tracing the activity back to the intruder easier. More than five systems begins to degrade network performance for the intruder.

Figure 4 also shows how an intruder avoids at least some of the telecommunication charges. In a classic example, system A1 will be physically close to the intruder so that only local toll charges are paid. However, all the other systems in the chain are usually dispersed geographically as much as possible and the legitimate owner of each system pays for the telecom charges for the connection to the next system. This allows the intruder to attack a system anywhere in the world and only pay for a local connection.

To complicate tracing further and reduce the risk of any individual system owner seeing a suspiciously large telecom charge, the intruder will only maintain this connection for a short time (5 to 15 minutes is common). After that time, the links are terminated and a new one is established using the same methodology but completely different systems from the intruder's underground network. In this way, the target system sees the attack coming from many different sources worldwide while, in reality, there is only a single intruder.
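An added example, not from the original paper: reconstructing the leapfrog chains described above from connection logs pooled across sites, then grouping the sources the target sees by the earliest upstream source found. The record format, the host names other than A1, B2, N3 and T1, the `dialup-7` entry line and the 60-second slack are assumptions, as are synchronized clocks across the cooperating sites.

```python
from collections import namedtuple

# One connection as logged by the receiving site: src connected to dst
# from start to end (seconds since an arbitrary epoch). Hypothetical format.
Session = namedtuple("Session", "src dst start end")

# Constructed sample: logs pooled from cooperating sites plus the target T1.
POOLED_LOGS = [
    # chain 1: entry line -> A1 -> B2 -> N3 -> T1, held for about 10 minutes
    Session("dialup-7", "A1", 1000, 1650),
    Session("A1", "B2", 1010, 1640),
    Session("B2", "N3", 1020, 1630),
    Session("N3", "T1", 1030, 1620),
    # chain 2: a later link through completely different systems
    Session("dialup-7", "C4", 2000, 2560),
    Session("C4", "D5", 2010, 2550),
    Session("D5", "E6", 2020, 2540),
    Session("E6", "T1", 2030, 2530),
    # unrelated traffic that must not be mistaken for a relay hop
    Session("office-lan", "N3", 900, 5000),   # encloses N3->T1 but far too loosely
    Session("partner-gw", "T1", 1500, 1800),  # direct connection, no upstream
    Session("F9", "B2", 1015, 1100),          # ends long before B2->N3 does
]


def upstream_of(logs, session, max_slack=60):
    """Find the inbound session that most plausibly carried `session`.

    A relay hop must already be logged in on session.src when the outbound
    connection starts and must still be there when it ends. Candidates that
    start or end more than max_slack seconds outside the outbound session
    are ignored; among the rest the tightest enclosure wins.
    """
    best = None
    for cand in logs:
        if cand.dst != session.src:
            continue
        lead = session.start - cand.start  # inbound began this much earlier
        lag = cand.end - session.end       # inbound ended this much later
        if 0 <= lead <= max_slack and 0 <= lag <= max_slack:
            if best is None or lead + lag < best[0]:
                best = (lead + lag, cand)
    return best[1] if best else None


def trace_back(logs, session, max_hops=10):
    """Walk upstream from a session seen at the target; return the host chain."""
    chain = [session.dst, session.src]
    seen = {session}
    while len(chain) - 1 < max_hops:
        up = upstream_of(logs, session)
        if up is None or up in seen:  # no record further up, or a loop
            break
        seen.add(up)
        chain.append(up.src)
        session = up
    return list(reversed(chain))


def sources_by_origin(logs, target):
    """Group every session reaching `target` by the earliest source traced."""
    groups = {}
    for s in logs:
        if s.dst == target:
            chain = trace_back(logs, s)
            groups.setdefault(chain[0], []).append(chain)
    return groups


if __name__ == "__main__":
    for origin, chains in sources_by_origin(POOLED_LOGS, "T1").items():
        print(origin)
        for chain in chains:
            print("   " + " -> ".join(chain))
```

Viewed from T1 alone, N3 and E6 look like two unrelated attackers; only the pooled records show both links leading back to the same entry point.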

Finally, in an attempt to confuse tracing further, the intruder may release the information to access a penetrated system on a bulletin board or other semi-public forum. This usually results in hundreds of attempted accesses from many different intruders making it difficult to separate and identify the activity of the original intruder.

As stated above, this is a traditional pattern of attack. However, from the intruder's point of view, there are several weaknesses. First, if the owner of system A1 discovers the activity, tracing is not difficult. Secondly, it is time consuming to keep up a sufficient number of systems in the underground network since system administrators eventually discover the illicit activity and secure the system. The intruder must continually penetrate and compromise systems just to maintain the illicit network. Therefore, there is currently a trend towards attacking the telecommunications infrastructure in order to provide more direct connections to the target systems with less cost and reduce even further the chances of detection and tracing [17, 20, 34, 35, 37].

An example of this is described in the US Government's Sentencing Memorandum for several LOD members: "...telephones link all computers throughout the world to each other and a mastery of the telephone system would allow the defendants to break into computer systems virtually anywhere [37]."

Figure 5 shows just one of many different possible attacks on the telephone infrastructure which makes tracing very difficult, gives the intruder the ability to detect any monitoring and allows remote, long distance connections without paying toll charges.

Diagram showing how intruder attacks local and regional switches

Figure 5 - Manipulation of Telephone System

In this example, the intruder uses two terminals (or PCs) with modem connections to gain entry to a local office switch via a regional switching control system from a "Setup & Monitoring Terminal". On the local switch, the intruder creates a non-existent telephone number: One which is not associated with a wire pair. To make tracing difficult, the intruder then creates a call forwarding service for the false number and forwards that number to the target.

With access through the same regional switching control system, the intruder can also re-direct billing, thereby eliminating telecommunication charges. This can be done for each illicit connection in the hope that the legitimate subscriber will not notice a single, incorrect charge.

Figure 6 shows an example of the call flow. The intruder, calling from 555-1000, dials the non-existent number (555-2000) created within the switch. This automatically forwards to the target system (555-3000), where an attack can take place.

At the same time, the intruder uses the access to the regional switching control system via the "Setup & Monitoring Terminal" to detect any activity such as a law enforcement trace. The trace will only show a non-existent number (555-2000). If further investigation is done, the intruder will detect this activity on the terminal monitoring the regional switching control system. The trace or the connection to the target can then be terminated by the intruder.

Diagram showing call flow through non-existent number to avoid tracing

Figure 6 - Example of Illicit Call Flow and Tracing Evasion

Another important and common pattern is the transfer and storage of information. Often, when intruders are interested in the information stored in a system, they will want to obtain a copy of the information for later use or more detailed searching. Even with the increase of disk storage density available off the shelf for PCs, intruders find they lack the space to store large amounts of stolen information. Therefore, they will use other, third-party systems for temporary storage. This is shown in Figure 7.

Diagram showing how stolen information can be transferred to a third system

Figure 7 - Transfer and Storage of Stolen Information within the "Underground Network"

In this example, the intruder finds information of interest in system An. This information is then copied to system Bn. In some cases, the information may be copied and stored on multiple systems, all unbeknownst to the legitimate owners of the systems. At a later time, the intruder can access the stolen information and examine it or transfer it to other locations. Also, the intruder can make the information available to another intruder or interested third party by simply giving the location of the system where the information is stored (such as the telephone number of a modem) and how to access the system (e.g. a User ID and password). In this way, information can be stolen, transported across international borders and sold with the intruder never having physical possession of the documents and the owner of the information may never know it was stolen in the first place.

Finally, the intruder must balance all of these activities with network performance. As stated earlier, most intruders maintain a link to the target system only for a short time; therefore, they require quick response times and connections to carry out their objectives.

Also, when transferring large quantities of data, network performance is critical. Otherwise, long connection times are required, allowing potential tracing.

4 Future Issues

In the next few years, several key technical changes will take place which may have a significant impact on international intrusions:

Increased Connectivity: The number of systems, the size of networks and the number of interconnections between networks around the world will continue to grow at a phenomenal rate. Eastern Europe, Russia, the Middle East and many third world countries will expand and modernize their telecommunications infrastructure. This will allow greater connectivity of systems within these geographical areas and to the outside world.

Several government sponsored initiatives are also driving this growth, such as Singapore's IT 2000 initiative, the U.S. Government's efforts to create an information "super highway" and similar projects within the European Union.

Merger of Telecommunications and Computers: A key technological development is the merger between the telecommunication and computer industries. Existing security issues in both technologies will affect the other to a greater degree in the future.

Mobile and Portable Computing: The trend towards smaller, more powerful and less expensive laptop PCs will allow more people to take significant computing and storage capabilities anywhere. Also, wireless communications technologies such as cellular telephones and modems and wireless LANs are currently being implemented throughout the world.

Both of these developments will greatly increase the difficulty in tracing and physically locating an intruder.

5 Conclusion

While progress has been made within the telecommunications and computer industries towards improving security of information and access to computing and communications systems, problems still exist. Since many studies of intrusions are limited to the local site level, solutions are designed for single systems or small networks and do not scale well to large, global networks. This problem is combined with a general lack of understanding of the degree of interconnection between individual networks, the speed at which technology is changing and the growth in network size. Additionally, security is often an afterthought in the implementation of networks.

If these trends continue with the addition of new technologies and future growth, network security problems will continue to increase in both the number of incidents and the resulting damages and costs.

A global understanding of the threats and risks facing today's worldwide networks can help to define the problem in its proper context, leading to more effective solutions.


Notes

1 8lgm stands for "Eight-Legged Groove Machine"

2 The Japanese Otaku is not a single entity or group, rather a social or counter-culture movement. Much of the Otaku "philosophy" involves access to knowledge and facts on selected topics such as teen idols, pornography or weapons. The subset of Otaku interested in using computers to obtain this information is an excellent example of loosely affiliated individuals with shared common interests and goals, but who appear to act primarily on the basis of individual motives. It should be noted that information concerning the Otaku is limited and most source material requires fluency in Japanese.

3 Most computer viruses rely on the sharing of infected software passed on physical media and do not require networked systems.


References

[1] 8lgm, "Introduction to [8lgm] Advisory Releases", comp.security Usenet Newsgroup, Article 8182, March 5, 1994.

[2] Annon, T., et al., "Hacker Fuer Moskau: Deutsche Computerspione im Dienst des KGB", Rowohlt Publishing, GmbH, Reinbek by Hamburg, 1989.

[3] "ATM Scam Goes to Trial", Open Systems Today, October 12, 1992.

[4] Baran, F., Kaye, H., Suarez, M., "Security Breaches: Five Recent Incidents at Columbia University", Unix Security Workshop, p. 151.

[5] Boczkiewicz, R., "Chinese Pair Held in Technology Theft", clari.tw.computers Usenet Newsgroup (Reuters), Article 5619, April 15, 1994.

[6] Brooke, C., "Addict", Daily Mail, p. 14, March 18, 1993.

[7] Brunnstein, K., "Report: 8th Chaos Computer Congress", Risks-Forum Digest, Vol. 13 Issue 03, January 10, 1992.

[8] "The Bulgarian Connection", Discover, February, 1993, an excerpt from Approaching Zero by Mango, P., and Clough, B., Random House Inc., 1992.

[9] Chaos Computer Club and Weickmann, J., "Das Chaos Computer Buch", Rowohlt Verlag GmbH, Reinbek bei Hamburg, 1988.

[10] "Conversation Attack - German Computer Hackers Permit Cheap Telephoning Around the Globe", PROFIL, No. 34, August 17, 1992.

[11] de Leede, M., and Elings, J., "Data Terrorisme", Penthouse Magazine (Dutch Edition), p. 74, September, 1992.

[12] "Economic Espionage", Capital, October, 1992.

[13] Flanagan, W. and McMenamin, B., "The Playground Bullies are Learning How to Type", Forbes, p. 184, December 21, 1992.

[14] Gasser, M., "How to Build a Secure Computer System", Van Nostrand Reinhold, New York, 1988.

[15] Greenfield, K., "The Obsession of the Otaku", Los Angeles Times, p. 40, September 12, 1993.

[16] Hack-Tic, "Hacking the Pentagon?", Hack-Tic Magazine, 16-17, 1992.

[17] Hafner, K. and Markoff, J., "Cyberpunk", Simon & Schuster, New York, 1991.

[18] "Judge Orders Computer Hacker to Prison Despite 'Addiction'", Associated Press Release, July 19, 1989.

[19] King, D., "Risks of Cellular Speech", Risks-Forum Digest, Vol. 13 Issue 89, November 2, 1992.

[20] Littman, J., "The Last Hacker", Los Angeles Times Magazine, p. 18, September 12, 1993.

[21] "Netherlands PTT Hit by Phone Line Fraud", clari.nb.telecom Usenet Newsgroup, Article 5510, November 12, 1993.

[22] Owen, R., "Catching a Hacker", Access, 1st Quarter, p. 29, 1992.

[23] "Police Uncover Nationwide Fraud Ring of Computer Hackers", Associated Press Release, April 17, 1992.

[24] Rebello, K., "Sensitive Kid Faces Fraud Trial", USA Today, p. 1B, February 28, 1989.

[25] "Russian Central Bank Foils Computer Theft Attempt", Associated Press - Dow Jones Press Release, October 20, 1993.

[26] Schares, G., "A German Hackers' Club that Promotes Creative Chaos", BusinessWeek, p. 71, August 1, 1988.

[27] Schmittner, M., "Kostenlos Telefonieren: Ruf Doch mal an", Der Spiegel, #34, p. 205, 1992.

[28] Schuman, E., "Robert Morris in 1993: A Portrait of the Cracker as a Less Young Man", Open Systems Today, p. 17, November 8, 1993.

[29] Schweizer, P., "Friendly Spies", Atlantic Monthly Press, New York, 1993.

[30] "South Korean Spy Agency to End Political Surveillance", Bangkok Post, March 11, 1993.

[31] Steele, R., "Report on Summer Hack-Tic Conference in the Netherlands", Computer underground Digest, #5.36, August 25, 1993.

[32] Sterba, M., "Eastern and Central European Networking", Boardwatch, February, 1993.

[33] Stoll, C., "The Cuckoo's Egg", Doubleday, New York, 1989.

[34] "Telephone or Time Bomb?", Information Week, December 7, 1992.

[35] Thyfault, M., Stahl, S., and Panettieri, J., "Weak Links", Information Week, p. 26, August 10, 1992.

[36] Travis, P., "Stop, Thief!", Information Week, p. 32, November 30, 1992.

[37] US Government's Sentencing Memorandum, US v. Grant, Darden and Riggs, Criminal Action Number 1:90-CR-31, December, 1990.

[38] "US Intelligence Chief Targets Foreign Industrial Espionage", Bangkok Post, March 11, 1993.

[39] US Special Grand Jury Indictment: US v. Riggs and Neidorf, April, 1987.

[40] Violino, B., "Hackers for Hire", Information Week, p. 48, June 21, 1993.

[41] Ward, S., "Hackers Given Six Months for Intellectual Joyriding", The Independent, May 22, 1993.

[42] Warren, P., "Hackers and Banks in Secret Talks", Computer Talk, October 22, 1990.

