Kuji Media Corporation Ltd.

The verdict in the Gary Mckinnon extradition trial was really no shock to me considering the political climate. Lets face it, this is not about hacking or security this is about politics and money. Cynical? You bet I am, having been through an almost identical situation, very similar computer intrusions and similar motives – the only difference was I was pre-terrorism mania where everything and everyone is a suspect.

Think about this, almost a decade ago machines belonging to the military, navy, army etc were broken into and this was the proof Congress needed to show that cyber terrorism existed. An unknown spy running rings of computer hackers to steal secrets for foreign governments. The fact that I was not a spy, and certainly not “possibly the single biggest threat to world peace since Adolf Hitler” didn’t really make much of a difference to the fear machine that was put in place selling the idea that cyber terrorism was a real threat.

Millions of dollars in budget increases, that is where the difference occurred. If you take the threat to be real (which it certainly wasn’t back then and highly unlikely to exist today) then this raises questions, namely;

1. Where have the mega budgetary increases actually been spent?

Education cannot be one of them, as if machines are left in a state of ‘unpatched since install’, with unpassworded points of entry – I cannot see that the money has gone to the improvement of sysadmin skills or awareness of the problems of being online.

If you compare the awareness by consumers of security threats, people have seriously woken up to the fact that unprotected they are just sitting ducks to the onslaught of manual and automated attacks.

Phishing, hacking, spam, bots, virii, worms – the majority of home users now have firewalls, anti virus software, spyware checkers etc – all of which have a much lower budget than the military. I suspect that as governments, unlike corporate entities do not have shareholders to answer to. They do not have to explain why their machines were offline and money was lost, that in fact they can just blame budget instead of actually being proactive and moving with the times.

2. If in this case as in mine, there were clearly many other hackers

with access to the same systems at the same time, why have they not been prosecuted or even mentioned?

This seems to me to be more proof of my theory that so-called super hackers are hauled in front of the courts when it is convenient for their cases to be used for ore proof of computer insecurity and the need for greater budgetary increases..

3. Where are the administrators and their bosses in this case?

In this political climate, one of the dark looming threat from the bad men all around us (as we are constantly reminded), to not secure machines properly they have committed federal offences. It is surely not good practice to have machines, sitting on the Internet, unfirewalled, unpassworded containing alleged sensitive information – and most likely a direct violation of their contract and training.

This is a sysadmins first job, to change any default passwords or to set ones where they are not needed – and certainly ensure that those machines are sitting behind a firewall. I am not trying to say that Gary was attempting to test their security, but if this was a corporate environment the sysadmin would have some major explaining to do.

4. Is the fact that the USA are fighting so hard for extradition a dig at our legal system?

Gary has admitted his guilt and wants his trial to be in the UK, so why can’t he be tried here? Could this be to do with the fact that most computer crime here (financial gain notwithstanding) is dealt with by means of fines. Do the USA see us as a soft touch? This brings the idea of two scenarios;

– Gary being tried by a jury of his peers. They hear the evidence and consider the fact that the machines were badly administrated and this is taken into consideration when sentencing.

– Gary being tried in a foreign country by a jury that hears he has ‘attacked their country’ this is bound to have a bearing on the sentencing.

A possible 70 years in prison, for what exactly? showing that in a decade the USA military have not learned, or at worst, blatantly ignored the security threats around them when it is they who tell us every day that we should be afraid.

In my case I was never debriefed by any of the authorities that I hacked, never asking how I did what I did – never asking me to comment on my peers or related community. Gary says he is guilty, why are we going to punish this man further by sending him to a foreign jail which are known for brutality against inmates: [http://www.hrw.org/reports/2001/prison/report.html]

– where is the leniency for admission of guilt? Let this guy talk to kids about how this trial has affected his life. Let this guy talk to governments.. Let this guy talk and discuss and explain.. don’t send him to a punishment likely to be worse than he would receive in this country for murder.

The extradition bill is being tested right in front of your eyes, it is a blatant decline in our civil liberties and a worrying step forward for our so-called democratic society.

Mathew Bevan
www.kujimedia.com

Criminal gangs taking over from amateur hobbyists

Owen Bowcott, Saturday June 11, 2005, The Guardian

Gary McKinnon is deemed to be so deviously manipulative at the keyboard that he has been banned from using the internet. He is not even allowed a passport. The peculiar bail conditions imposed this week on the 39-year-old computer systems administrator from Wood Green, north London, suggest that the law enforcement community stands in awe of his technological prowess.

Until his next court appearance, due on July 27, the tousle-haired programmer, who is fighting extradition to the United States, has been ordered to stay away from any computer connected to the web.

Mr McKinnon has gained international notoriety for his alleged ability to break into scores of sensitive US defence computers, steal secret passwords, sabotage email systems and delete military files. In the hi-tech world of online hacking, however, he is perceived as one of a dying breed of amateur hobbyists – those the Americans deride as “script-kiddies”.

Despite US prosecution claims that he perpetrated “the biggest military computer hack of all time”, Mr McKinnon’s supposed achievements are by no means unique. The attempt to extradite him to answer charges in Virginia and New Jersey is far more unusual. Systems run by Nasa, the Pentagon and the Department of Defence have long been hackers’ trophy targets. His misfortune, apparently, was to get caught, and to have carried out his explorations shortly after September 11.

According to security experts, US military sites are not the most heavily protected on the internet. They rely on the deterrent threat of legal action rather than deploying highly sophisticated software or enforcing best practice among military personnel.

Mathew Bevan, another British hacker arrested for breaches of security at Nasa and US Air Force sites, found himself similarly demonised by US lawyers as “the single biggest threat to world security since Adolf Hitler” back in 1994. The case against him eventually collapsed. Like Mr McKinnon, he was also hunting for evidence about UFOs hidden on military installations.

Mr Bevan, now 30, is an IT consultant and living in Wiltshire. “The security on US military machines is probably not much better than it was back then,” he said. “There were plenty of military machines with sensitive information that had account names with no passwords. Others had been left with the standard default passwords used by the manufacturers.

“University systems and corporations are much harder to break into than military machines: universities because there are always students testing their skills, and companies because they have shareholders demanding better security.”

In Britain, the hacking subculture that nurtured Mr McKinnon’s talents has been driven underground by diligent enforcement of the Computer Misuse Act, which since 1990 has criminalised those who gain unauthorised access to computer systems.

Mr Bevan typifies the career trajectory once pursued by teenage hackers. After years hunched alone over a computer screen, and an infamous brush with the law, he has graduated to running his own company, the Kuji Media Corporation, which offers security and technology advice.

“Hackers are a dying breed,” said Mr Bevan. “Organised criminals have cottoned on to the potential rewards. There’s viruses and trojan programs flooding out of places like Russia and Bulgaria these days.

“I get people asking, ‘Why is my machine running slowly?’ And when you look, there are 300 viruses, bits of adware [advertising programs] and trojans mucking up the system. Internet service providers should really be doing deals with security firms to provide virus-free connections.”

Mr Bevan said he spoke to Mr McKinnon in 2002, “after he was first busted”.

“He’s only been selected by US prosecutors because he’s an excellent scapegoat. Maybe the amount of recreational hacking is the same, but the volume of people on the net means far more are involved in genuinely nefarious activities.”

“Pharming”, for example, is the latest threat to the integrity of internet banking services. It has emerged from Estonia in the past few months. This cunning electronic fraud may force banks to issue customers with a new generation of identity devices.

Unlike “phishing” scams – which rely on the gullibility of those who receive emails urging them to log on to sites purporting to be their online bank and confirm passwords and account details – pharming is more insidious.

Customers’ computers are infected by a trojan program – either delivered through an innocent-looking email or inadvertently downloaded from a fake advert on the internet. When the user tries to log on to the online account, the hidden program diverts the web browser to a seemingly identical site operated by criminal gangs in eastern Europe. Their electronic identities are captured, then used to empty the accounts.

“There’s discussions about whether banks will eventually have to give out security devices for customers to plug into their computers,” said Sandra Quinn of APACS, the banking industry’s payments organisation. “Barclays have already carried out trials.”

Last year, online fraud cost British banks ?12m, an increase on previous losses. That figure was dwarfed, however, by the ?150m taken via what is known as “card not present” frauds, where goods are purchased over the telephone using stolen credit cards or simply their numbers.

The array of online threats grows all the time. Denial of service (DoS) attacks, where firms’ email systems are bombarded into overload, are frequently accompanied by blackmail demands for cash to switch off the onslaught. Last year, the bookmaker William Hill was targeted and then received a demand for $50,000 (?28,000).

“Bot” programs enable computers across the net to be hijacked by remote users who in effect turn them into “zombie” machines which can be used in DoS attacks. Keylogging programs can infiltrate computers and record the keystrokes customers make in typing in credit card numbers or passwords. The criminals behind these attacks are based mainly in eastern Europe, it is believed, because law enforcement there is relatively slack and there is a plentiful supply of skilled but poorly paid programmers.

“It’s a classic low-risk crime,” said Ms Quinn. “We have seen some police action, however, and now we are getting phishing attacks coming from China.”

Threats have also been made to call-centre staff working in the financial services sector in Britain, in an attempt to force them to record and hand over customer account details. Many companies now prevent staff from using pens or paper when they sit at their screens.

The difficulty in penetrating banks has encouraged gangs to combine online techniques with strongarm tactics. The reported theft of computer backup tapes from US financial institutions while in transit to storage facilities has generated concerns about the security of millions of customers’ accounts.

An attempt earlier this year to steal ?220m by electronic transfers from the London headquarters of the Japanese bank Sumitomo was foiled, but it sparked alarm about criminals infiltrating banks to carry out insider robberies.

“Gary McKinnon appears to be an example of the type of hacking that people have moved away from,” said Felicity Bull of the National Hi-Tech Crime Unit, which investigates major computer crime in Britain. “We know that organised crime is now hiring IT-literate workers.”

Some law enforcement agencies now question whether the Computer Misuse Act needs to be overhauled, enabling it to be used to prosecute those involved in DoS attacks.

In Washington, the secret service is the force responsible for combating online fraud and hacking. “There are still plenty of script-kiddies out there bragging about what they’re doing,” one agent, Jim Dobson, told the Guardian. Some were still at high school, he said, adding: “There’s a huge amount of information out there.”

Other threats, such as gangs in Russia targeting financial institutions, or those in Asia carrying out intellectual property thefts, have eclipsed the old-style hacker community, he acknowledged.

The rise of mobile phone technology has provided fresh opportunities for a new generation of hackers.

Meanwhile, wireless computer networks have been found to be particularly vulnerable, said Paul Carratu, whose Surrey firm carries out penetration testing to assess security systems. “People are not using the encryption devices they should.”

Last month, two British hackers, Jordan Bradley, from Darlington, and Andrew Harvey, from Durham, who belonged to an Anglo-US group called the “Thr34t Krew”, pleaded guilty in Newcastle to computer crime offences. The TK worm they released exploited a weakness in web servers and caused up to ?5.5m damage to companies using the net. They now face possible prison sentences.

It may be too soon to write off the perverse ingenuity of British hackers.

The lingo and what to look out for

Trojan (horse) An innocent-looking program concealing destructive intentions.

Pharming Hijacking online bank customers by infecting web browsers. They are redirected to fake internet sites and asked to disclose account details.

Phishing Sending out emails telling online account customers they must reconfirm IDs and passwords. When they hit reply they are sent to a cloned web page.

Key logging Programs which record keystrokes and can be used to retrieve credit card and PIN numbers.

Malware Umbrella term for assorted malicious software programs which sabotage your computer.

Zombies Online computers that have been infected by trojans and can then be remotely controlled to churn out spam emails at targeted sites.

Bots Programs used to infect and control computers which are then turned into zombies.

By Margaret Ryan – BBC News

As a Briton faces possible extradition to the US for alleged computer crime, a former hacker, whose prosecution collapsed, talks about the lure of breaking into systems.

Matthew Bevan had stood accused of mounting a determined “information warfare” campaign against the US air force and leading defence contractors in 1994.

The case against Mr Bevan collapsed
US Senate hearings were initially told the security breaches were the work of highly skilled foreign agents.

Mr Bevan, whose hacker alias was Kuji, was charged with conspiracy and faced accusations of being an Eastern European spy.

But the truth was somewhat more prosaic, said the 30-year-old computer consultant.

“I was just a kid in my bedroom hunting for UFO information.”

Then a computer programmer for an insurance firm, he says he had previously been bullied and had felt ostracised by his peers.

“But the computer system was a place where I was king and showed power.

“In the real world I had none and I was quite defenceless. I didn’t deliberately cause any damage.”

Thrill of the chase

But the amateur hacker’s pastime landed him in court in the UK after his activities came to the attention of the US authorities and the British police tracked him down.

Mr Bevan can only talk about his own experiences – but his case, he believes, was overblown from the start as he was portrayed in the States as a spy running rings of spies.

It’s like a parent finding their child’s diary. You know you shouldn’t look at it but you just can’t help yourself

“At the time I was ‘the single biggest threat to world security since Adolf Hitler’,” he said.

By the time his case came to court the allegations made against him had died down.

The case against him finally collapsed in 1997 after the judge was told he posed no threat to security.

Another, a 16-year-old defendant, was fined £1,200 after admitting breaking into a number of US military systems.

Mr Bevan, who now lives in Wiltshire, freely admits that, for hackers, successfully breaking into systems provides an ego boost.

Reports claiming that UFO were being held secretly at American military installations had set the young hacker down the path of trying to find out more.

“It’s an adrenalin rush. It’s like a parent finding their child’s diary.

“You know you shouldn’t look at it but you just can’t help yourself.

“You know it’s wrong but you still do it. It becomes addictive,” he explained.

Competitive element

More than a decade on Mr Bevan understands the havoc hackers can cause in compelling companies to install more security, but resents the suggestion his actions were done out of malice.

“It’s like a spider’s web – once you break into one machine you can compromise a few accounts.

The search for UFOs prompted Mr Bevan’s hacking

“You may go into a machine not with the intent to find anything but just as a staging ground for another computer system.”

“It’s a case of ‘how many computers can I hack into in two hours?’ We used to have competitions.”

But he claimed hackers had been “tainted” by the rise in identity theft and viruses.

For the hacker, he argued there is an ethical code that information should be free and there are strict rules about using that information.

He believes companies have to accept some responsibility for hacking, arguing insurance firms would not generally pay out on insurance claims if it could be shown that not enough care had been taken in guarding against it.

To this day he believes his arrest was politically motivated, suggesting hacking cases make headlines when companies want funding to fight cyber crime.

“In my cynical view the powers that be decided ‘we’ll have you two and make a good example of you'”, he said.

Childhood pursuit

He says he had already left hacking behind him before the day he was arrested at work.

Since his case was dropped the world of hacking has changed but he believes the potential for disruption remains stronger than ever as young people become ever more computer literate.

“When I was doing it people didn’t have net access in the UK. I was dialling up to the States,” he said.

For many hacking is a young person’s pursuit that they eventually grow out of, he suggested, but before they do the potential for disruption is incalculable.

“They [children] are smart and can develop skills that adults can’t keep up with,” he said.

Channel 4 – The Heist.. got 1.7 million viewers for each episode..

Wasn’t quite what I had hoped for, but hey.. you do the show you put your life in the hands of the directors and editors… wasnt too bad.. but apparently most of what I said and did had to be cut out for “legal reasons”… bah…. Look out for some snippets on this site someday of the bits “too hot for tv”… 80)

Ok, so I may be lazy and not update this site (All you studying A Levels– work harder than I did heh) I have been busy, and there is a three part channel 4 programme due soon.

Channel 4 broadcast date (may change) of Mon.July 12th 9pm. Programme will be called ‘Cat and Mouse’ or ‘The Heist Society’..

Basically a group of ‘experts’ are brought together and set a task of performing a robbery under strict conditions and as real life as possible. Very similar to performing penetration exercises, only the top brass know whats going on.. so essentially it *IS* a real life test of the organisation.

Each episode covers a different robbery/task… and in each I am the technology guru / hacker…. tune in and let me know… nothing like a bit of James bond — (G.Morgan would be proud !!)

Apart from that there are sure to be some interesting things popping up after that… I might digitise some of the older progs I have done and put them up, for old time’s sake..

By TED BRIDIS
Associated Press Writer

WASHINGTON – Federal authorities have cracked the case of an international hacker who broke into roughly 100 unclassified U.S. military networks over the past year, officials said Monday.

Officials declined to identify the hacker, a British citizen, but said he could be indicted as early as Tuesday in federal courts in northern Virginia and New Jersey. Those U.S. court jurisdictions include the Pentagon in Virginia and Picatiny Arsenal in New Jersey, one of the Army’s premier research facilities.

The officials declined Monday to say whether this person was already in custody, but one familiar with the investigation, who spoke only on condition of anonymity, said investigators consider the break-ins the work of a professional rather than a recreational hacker.

Authorities planned to announce details of the investigation Tuesday afternoon.

Officials said U.S. authorities were weighing whether to seek the hacker’s extradition from England, a move that would be exceedingly rare among international computer crime investigations.

Officials said this hacker case has been a priority among Army and Navy investigators for at least one year. One person familiar with the investigation said the hacker broke into roughly 100 U.S. military networks, none of them classified. Another person said the indictments were being drafted to reflect break-ins to a “large number” of military networks.

In England, officials from the Crown Prosecution Service, Scotland Yard and the Home Office declined comment Monday.

A civilian Internet security expert, Chris Wysopal, said that a less-skilled, recreational hacker might be able to break into a single military network, but it would be unlikely that same person could mount attacks against dozens of separate networks.

“Whenever it’s a multistage attack, it’s definitely a more sophisticated attacker,” said Chris Wysopal, a founding member of AtStake Inc., a security firm in Cambridge, Mass. “That’s a huge investigation.”

The cyber-security of U.S. military networks is considered fair, compared to other parts of government and many private companies and organizations. But until heightened security concerns after the Sept. 11 attacks, the Defense Department operated thousands of publicly accessible Web sites. Each represented possible entry-points from the Internet into military systems unless they were kept secured and monitored regularly.

It would be very unusual for U.S. officials to seek extradition. In previous major cyber-crimes, such as the release of the “Love Bug” virus in May 2000 by a Filipino computer student and attacks in February 2000 by a Canadian youth against major American e-commerce Web sites, U.S. authorities have waived interest in extraditing hacker suspects to stand trial here.

Once, the FBI tricked two Russian computer experts, Vasily Gorshkov and Alexey Ivanov, into traveling to the United States so they could be arrested rather than extradited. The Russians were indicted in April 2001 on charges they hacked into dozens of U.S. banks and e-commerce sites, and then demanding money for not publicizing the break-ins.

FBI agents, posing as potential customers from a mock company called Invita Computer Security, lured the Russians to Seattle and asked the pair for a hacking demonstration, then arrested them. Gorshkov was sentenced to three years in prison; Ivanov has pleaded guilty but hasn’t been sentenced.

But the Bush administration has toughened anti-hacking laws since Sept. 11 and increasingly lobbied foreign governments to cooperate in international computer-crime investigations. The United States and England were among 26 nations that last year signed the Council of Europe Convention on Cybercrime, an international treaty that provides for hacker extraditions even among countries without other formal extradition agreements.

There have been other, high-profile hacker intrusions into U.S. military systems.

In one long-running operation, the subject of a U.S. spy investigations dubbed “Storm Cloud” and “Moonlight Maze,” hackers traced back to Russia were found to have been quietly downloading millions of pages of sensitive data, including one colonel’s e-mail inbox. During three years, most recently in April 2001, government computer operators watched as reams of electronic documents flowed from Defense Department computers, among others.

In 1994, two young hackers known as “Kuji” and “Datastream Cowboy” were arrested in England on charges they broke into the U.S. Air Force’s Rome Laboratory. They planted eavesdropping software that allowed them to monitor e-mails and other sensitive information.

(Copyright 2002 by The Associated Press. All Rights Reserved.)

23/3/2001

By Percy Mashaire

Do you still remember the Love Bug, a virus that wrought havoc
throughout the Information Highway and caused millions of dollars in damage? You may or may not remember, but the threat is far from over. ?The number of potential attackers is increasing,? says Matias Impivaara, a wireless security solutions marketing manager at F-Secure, a Finnish security software provider which has branches in Asia, Europe and North America.

The emergence of mobile Internet has brought wireless security concerns to the fore. As companies develop and link their infrastructures to the wireless world, they have become more vulnerable to security threats. ?The more complex [the systems are] the greater the threat,? says Impivaara. Experts maintain that WAP (wireless application protocol) gateways are particularly vulnerable to attacks by viruses, spam (unsolicited messages) and file theft. ?There?s nothing about WAP that enables enterprises to say ?we?re secure,? one expert, Matthew Bevan of Kuji Media Corporation, is quoted saying. He believes that currently it is too expensive for hackers to penetrate the system, but that once the technology gets more applicable and available the temptation to break in will be much greater.

Bevan believes that any data that does not travel through a fixed link is particularly vulnerable. Like Impivaara, he points out that mobile terminals (mobile telephones and other handheld devices) are currently plagued by insecurity. ?A WAP device is really just a mini-computer that anyone can hack into if they can write code small enough,? he is reported saying. According to Impivaara, F-Secure has adopted ?a proactive? approach towards wireless security. Recently the company signed an agreement to provide anti-virus WAP software for Sonera Zed, a subsidiary of the troubled Sonera Corporation. The system monitors HTTP content for viruses and filters out undesirable material from the network traffic. F-Secure has also developed security software for PDAs (personal digital assistants).

Nokia, has in the meantime teamed up with anti-virus software provider, McAfee, to provide security for its Nokia Network Application Platform. The two companies are working together to prevent network viruses originating from laptops from being transmitted to networks.

Gartner, a technology research company, believes that wireless viruses will not be an issue until 2005. That?s not too far off and companies must be ready and prepared to confront the threat.

06:05 Monday 27th December 1999
Will Knight

People may associate it with the US, but
hacking – both legal and illegal – is an international phenomenon. And Britain has its own distinct history of computer exploits

Hackers are often thought of as sinister computer criminals or a grubby and degenerate social underclass. In reality the history of hacking includes some of the greatest technological and intellectual innovations in modern times alongside the better-publicised computer crimes. Many prefer to draw a line between experimentation and programming, on the one hand, and illegal or destructive computer activity (often referred to as “cracking”) on the other.

Hacking is intricately linked with the emergence of the open- source movement, the development of the Internet and the creation of computers, as well as the emergence of a new techno-savvy subculture. The contribution that Brits have made to this saga has been woefully under-represented in the histories of hacking that have proliferated on the Web.

Here, then, are some of the milestones of British hackerdom.

“Hacking might be characterised as ‘an appropriate application of ingenuity’. Whether the result is a quick-and- dirty patchwork job or a carefully crafted work of art, you have to admire the cleverness that went into it.” — Eric Raymond, The Hacker’s Dictionary

1940

Alan Turing and other cryptanalyts apply the scientist’s theory of The Universal Turing Machine at the Government Code and Cipher School (GC&CS) at Bletchley Park to crack the German military’s legendary Enigma code. These tweed and corduroy cyber-cowboys received virtually no public acknowledgement for their exploits because of national secrecy as well as the lack of mean handles such as “laser boy” or pHr3Ak!n tUr1N9.

1952

Government Communications Headquarters (GCHQ) located in Cheltenham takes over from GCCS as Britain’s answer to the US’ NSA (National Security Agency). In charge of developing and implementing computer surveillance technology, GCHQ still plays a vital role fending off the malevolent forces of freelance British hacking.

1960

BT introduces Switched Packet System (SWP) paving the way for increased phone hacking.

1981

IBM introduces the first Personal Computer (PC)

1982

Thieves hack into the telephone line at Lloyds bank in Holborn in order to disable its alarm system.

1983

Head of the metropolitan computer crime unit Ken McPherson predicts that in 15 years all fraud would be computer related.

1984

Ribert Schifreen and Steve Gold break into BT’s prehistoric Prestel messaging system and gain unlawful access to the personal account of beloved royal patriarch Prince Philip. Estimated to have cost Prestel customers a grand total of ?11, Schifreen and Gold are fined ?750 and ?600 respectively.

1988

Peter Sommer creates the influential classic “The Hacker’s Handbook” under the pen-name of Hugo Cornwall. Although now largely outdated, the book is a testament to the heritage of phone phreaking in Britain and contains memorable guides to subverting all manners of computer and telecommunications networks.

The “Mad Hacker”, also known by the slightly less intimidating handle Nick Whitely, is arrested and accused of running amok on the computer systems of the Ministry of Defence and MI5. Whitely claimed to have gathered evidence of Conservative government surveillance of the Labour party and CND. Despite this extraordinary behaviour, Whitely served only two months in prison in 1990.

1990

Briton Tim Berners-Lee co-invents the World Wide Web, paving the way for thousands of script kiddie Web site defacements and denial of service attacks.

The Computer Misuse Act is amended to make it illegal to gain unauthorised access a personal computer or to alter the data on a personal computer without permission. Only a handful of individuals have, however, even been charged under this act. It remains far more practical to prosecute for software piracy and bizarrely even for stealing electricity.

1992

A group of three hackers calling themselves the Little Green Men are arrested, although one famously escapes prosecution after pleading computer addiction.

1994

This is the year when a couple of Limey computer tricksters give the might of the US government a bit of a shock. Matt Bevan and Richard Pryce, AKA Kuji and Datastream Cowboy, made headlines in the national press when they broke into the computer network of a modest little American government compound called the Pentagon.

Group of Russian hackers are arrested in London after breaking into the computer systems at Citibank and stealing more than $10m, one of the few instances of computer fraud that have reached the papers. The International Chamber of Commerce recently admitted it was aware of a number of cases of organised computer extortion and theft. Hardly surprisingly, however, no other British financial institution has ever come clean and admitted to having been targeted by computer hackers.

1996

Conservative Party Web site is cracked in Britain’s first ever politically inspired piece of Web defacement.

1997

Coldfire (Leon Fitch) is arrested after alleged hacking activities. While on bail, he is charged with cloning cellular phones.

A group called Milw0rm, containing a number of British hackers, targets Indian nuclear bases at the time of India’s controversial nuclear testing.

Paul Spiby is arrested and accused of nefarious telephone activities.

Pipex Dial 0800 loophole allows free unauthorised Internet access until details of the flaw were inadvertently published in underground magazine Port Sniffer.

1999

Endorsing the view that one politician is as good as the next, another bunch of crackers deface the Labour Party’s site, much to the annoyance of the supposedly techno-savvy new government.

An individual is apprehended for alledgedly gaining illegal access to a 0800 number created by a BT employee and enjoying the luxury of totally free Internet access (the case is ongoing).

Computer hacking appears to have entered public consciousness (albeit with particularly negative connotations) to such an extent that even the technophobic Tory party blames hackers for the exposure of its shady financial dealings.

British cyber activists attempt to co-ordinate even the most technologically inept into a mass denial of service attack on the World Trade Organisation. Misfires somewhat, but still illustrates the growing importance of computer “misuse” to the average Brit.

06:06 Tuesday 21st November 2000
Will Knight

The UK’s most infamous “black hat” hacker,
trying to go straight?

A UK hacker who made a name for himself cracking commercial Web servers and posting political messages on corporate sites, says that he/she is now keen to move into legitimate security work.

“Herbless” says that he (or she) is hoping to land some paid work but has already helped many companies secure their networks — free of charge. The benevolent ex-hacker claims not to be a malicious individual and says his “black hat”, or illegal, activities have never stretched to stealing personal or financial information.

Herbless says that he has only ever revealed a vulnerability when he’s felt that security has been completely ignored and argues that his past misdemeanours should not be seen as a black mark against his character. “I would argue that they are assuming that ‘wrong’ and ‘illegal’ are the same thing, which is not always the case,” says Herbless in an email.

“All that time I was also helping companies secure their networks. If I was in the network of a company and discovered credit card details or such things, I would immediately inform the systems administrators making sure that the general public didn’t find out until the problems were fixed.”

The activities of Herbless nevertheless caught the imagination of the public and the press because of the political nature of the defacements and the high profile targets. In September, Herbless broke into a number of Web sites belonging to HSBC bank and posted pages criticising the government over fuel taxation. Herbless also struck UK government Web sites to protest about the government’s stance on smoking.

The uncomfortable nature of this past behaviour leads some experts to question whether Herbless would make a trustworthy employee for any computer security company.

Matt Bevan, who was arrested in 1997 for breaking into computers belonging to the Pentagon, has since founded his own security company, Kuji Media Corporation. He suggests that even if Herbless doesn’t choose to reveal his past misdeeds he could face a tough time. “His illegal activity may come back and bite him,” he says.

Another consultant, Neil Barrett of security firm IRM, has seen one recent security evaluation by Herbless. He says that although he has technical ability, this doesn’t detract from his dubious past “He’d have to work in a team and they’d have to be able to trust him not to do something stupid,” he says.

The presence of hackers with a dark past within legitimate companies has become a controversial topic in recent months, with some companies stating that they would never employ someone who has been involved in criminal activities. Some experts, however, believe that previously “black hat” hackers inevitably find their way into companies.

15:27 Thursday 30th November 2000
Will Knight

Says security break-in at two international servers not its fault

Computer security firm Network Associates was left embarrassed after two of its corporate Web site were defaced Wednesday although it claims it is not its fault.

A group calling itself Insanity Zine defaced the Brazilian homepages of two Network Associates sites: www.nai.com.br and www.mcafee.com.br. The defacement represents as a major embarrassment for a company that produces software designed to protect computer systems from security threats.

A spokesman for Network Associates in London, however, defends the situation saying that, unlike the company’s other International Web sites, these Brazilian sites are held at a separate ISP in Brazil. The spokesman says Network Associates chose to host the sites in Brazil because it makes their performance more efficient for Brazilian users.

“It is embarrassing,” he says. “Our Brazilian sites are hosted by an ISP over which we don’t have as much control as we’d like. We’re obviously now going to have to look at hosting it ourselves.”

Matt Bevan, a computer security expert with his own consultancy, Kuji Media, says the incident should be a warning for other large companies. “Maybe it is a wake-up call for companies with other parts around the world. It looks bad for them.”

The page featured outbursts in English and Spanish claiming to have taken control of the company’s software. The Network Associates spokesman says that the company’s internal network was not infiltrated and none of its software could have been altered. “They just changed a page, that’s all,” he says.