High-Tech Crimes Revealed: An Interview with Stephen Branigan
Seth: Who are your real-life influencers? Fictional influencers? (With regard to this book's subject, that is.)
Steven: Real life influencers:
Police: Sergeants J. Cheney and Richard "Fox" Foster taught me all the real-life lessons of patrolling the streets that the academy hadn't.
Network security: My friends Bill Cheswick, Matt Blaze, Steve Bellovin, Avi Rubin, and Hal Burch have helped shaped my views on how to conduct secure networking and secure computing.
Legal: Scott Charney and Martha Stansel-Gamm have each led the Computer Crime and Intellectual Property Section of the Department of Justice, and they always seem to know how to balance the competing forces of protecting the innocent and convicting the guilty.
Seth: If you can give us a name and brief summary, who was the most talented hacker you ever caught and what did he/she/they do?
Steven: I'm generally uncomfortable with giving the names of the hackers caught, as I would be hesitant to provide the names of anyone I arrested. It's better for the subjects, should they wish, to provide that information.
With that said, I believe that one of the best was the "hot-ice" character detailed in Chapter 2 of my book. Technically very competent, and able to maneuver across country boundaries very well. The character "Bob" from Chapter 6 was possibly the brightest hacker I ever met.
Seth: Do you attend any hacker conferences? What's your opinion about their focus and content? Have you ever been tagged in "Spot the Fed"?
Steven: Actually, I haven't been to a single hacker conference. I guess it's because I would expect to be handed a "Fed" T-shirt at the door as I walked in!
Seth: There's a lot of discussion in this book about the motivators of a hacker, and most of it is right on! I myself would fall into the curious category. :) However, IMHO, these are the same motivators that drive almost everything and everyone.... What motivated you to write this book?
Steven: Motivations for me? Here goes:
I think that computer crimes are very misunderstood. This book explains who does them, why they do them, and what the impacts can be.
Further, I know that as people become more aware of what computer crimes are, they will be able to make better decisions about how to protect their networks.
Seth: Throughout the book, chance seems to play a paramount role in finding and catching talented hackers. What's your experience with the reality of this unnerving concept? What chance do we have if we never see them coming?
Steven: An over-used clich applies here: It's better to be lucky than good. I believe that there's an element of luck in catching criminals. And that really is a frightening concept.
The good news is that criminals always take a chance when they commit a crime. We can use that in our favor. That's why I'm a big fan of improved logging and surveillance. Audit trails are an incredible resource for trying to catch a hacker after you discover the problem.
Seth: The book discusses how to handle a break-in and the significant damage that can be done by not following proper protocol. However, in many of your cases, you have prior evidence of hacker activity. What's the proper protocol for addressing a computer that may or may not be a hacker tool-for example, troubleshooting a malfunctioning computer and finding 3GB of warez and four rootkits causing the problem?
Steven: I would suggest that in a couple of the cases, it wasn't that there was initial evidence of hacker activity. For example, in Chapter 3, our friend Wesley's hacking was discovered because he hadn't paid his rent.
Let me say that it was the methodical investigations that ultimately led to us uncovering the hacker activities in Chapters 1 and 3.
My best advice is to walk that fine line between trust and suspicion when investigating computer malfunctions. Maybe it's nothing, or maybe it's the work of a hacker...
Seth: While it would be nice for everyone to get fair play with the FBI when a hack occurs, they're limited on time and resources, and not everything requires FBI-level attention. Based on your experience, what kind of support/interest can a SOHO user expect from the authorities (local police, FBI, state police, and so on)?
Steven: I agree that not everything needs FBI-level attention! That's a very important point. Law enforcement really, really wants to do the right thing. I have been very fortunate to have worked with many cops around the world who work hard to protect their citizens.
Many state and local police agencies are getting much better at handling computer crime issues. They're very interested in dealing with these issues, and the issues they deal with directly translate into the training they'll receive in the future!
My best advice, should you find yourself in a position where you need [law enforcement assistance], is to be sure to take the time to explain how the crime has affected you personally.
Seth: I grew up in a cop's family, and I know a little of how being a cop changes your perspective on life. I can see some of this perspective in your book, and it's a refreshing reading experience, especially since most other books are written by "hackers." What's your take on these other books?
Steven: I spent a lot of time reading publications such as 2600, phrack, and the like. To be honest, I have never really been sure what the justification is for hacking into telephone systems, cellular systems, banks, and so on.
Whether it's invasion of privacy, theft of services, or even fraud, computer crimes usually result in real victims. I think that is often missed with the anonymity that computers and the Internet provide.
Seth: This book addresses the options available to a company after a system compromise. What's your personal recommendation to companies facing that catch-22 situation where they learn their server is host to hacker activity, but they can't shut it down until the end of the day or even week?
Steven: Hmm... No matter which option you choose, at some point the other option will have seemed better! It's a tough call that needs to be made by the business leaders with expert consultation from their technical people, because either option is a business-impacting operation. Usually it depends on the severity of the suspected attack and the ability to investigate while continuing operations. Those are the most relevant factors.
Seth: One of the first pages in the book outlines your work experience based on your attire. I noticed that you served time as a cop (pun intended). How has this helped and hindered your computer security experience?
Steven: Served time indeed!
Helpful: Law enforcement encourages you to document your activities, and that's very helpful for computer security.
It taught me to follow up on even the smallest of suspicious items. I remember very well the story from my academy days of a police officer who broke a large cocaine ring just by stopping a car with an expired inspection sticker. That one stop led to the discovery that the driver's license was revoked. That led to finding there was a warrant for his arrest. And that led to the subject giving up information...
It taught me that even when you may think someone has done something wrong, always treat all people equally until you have proof.
Harmful: I get suspicious very easily, perhaps too easily.
Seth: On the subject of careers, what advice can you give to people who find computer security an attractive field? Is there a fast path to getting a job as a forensics specialist with a police department?
Steven: Free advice (and remember, money back if you are not delighted!):
I will limit this to legitimate jobs with the police, and exclude the attractive career of confidential informants.
Law enforcement is looking for reliable, trustworthy people with excellent technical skills. Look into a computer security or forensic problem and help solve it. Present your results at a conference. That will help to get you noticed.
Seth: On the same subject, you [wondered] why anyone would write a program like NetStumbler. Why do you think NetStumbler was written?
Steven: I have no idea why it was written and given away for free! While I imagine that curiosity and conquering the technical challenge inspired the initial writing, I'm not sure why the authors didn't release it as a commercial product.
Seth: What are your interests outside your industry?
Steven: Sports. In particular, soccer (which I play often), baseball, and football. I find that I'm always learning from playing or watching team sports.
Seth: Have you ever downloaded an "illegal" MP3?
Steven: I have tried napster/aimster and gnutella. I discovered that it was incredibly easy to find and download MP3s. They certainly proved a serious threat to the music industry. I downloaded "The Cars-Door to Door" (from a CD that I had already purchased). The quality of the download was not very good. The version I ripped from my CD was better.
Ultimately, it's important that artists have the chance to be rewarded for their work. That's why downloading copyrighted MP3s is wrong, and is a problem for the industry. And that's why I'm pleased to see that iTunes, Musicmatch, Wal-mart, Amazon.com, and others are now selling MP3 singles over the Internet. I think that most people want to do the right thing and pay for a song, and now they have the opportunity to do so. I think that this will be the most effective strategy to get the majority of the people to stop illegal copying of music.
Seth: The book discusses some of the difficulties authorities face as a result of boundaries. How is globalization changing this situation? Are things getting easier for the good guys when trying to track down and stop the bad guys? Or is globalization not affecting this arena?
Steven: Globalization and the Internet are inseparable. I am cautiously optimistic about the progress that has been made over the past few years with multinational organizations such as the G-8, North Atlantic Treaty Organization (N.A.T.O.), and the Organization of American States (OAS). They're working very hard at making transnational computer crime investigations easier for law enforcement.
Seth: Government and big business are repeated targets for the hackers in the book. Are they easier targets, and are they aware of the threats of a hacker attack? How are they dealing with it?
Steven: I don't think it's that they're easier targets. I think that both government and big business are attractive targets because they're perceived to have interesting information. They're also better able to detect attacks than home users are. Not many home users track the number of times hackers are attacking them. But I do! Just a quick look at my August 2004 stats reveals that this one system was attacked 154 times in one month!
The best I've seen are dealing with the threats by:
Improving awareness among their people
Improving the technology that they use to secure their networks
Re-architecting their infrastructure to limit the damage from a single hacker attack
Seth: What's your normal workday like? Do you spend a lot of time traveling?
Steven: There's no such thing as a normal workday for me! I'm devoting my efforts to growing CyanLine, my new company which is focused on "untethered" security.
Seth: What are some of your favorite security books?
Firewalls and Internet Security: Repelling the Wily Hacker by William Cheswick, Steven M. Bellovin, and Aviel D. Rubin (Addison-Wesley, 2003, ISBN 020163466X)
Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll (Pocket, 2000)
Masters of Deception: The Gang That Ruled Cyberspace by Michelle Slatalla and Joshua Quittner (Perennial, 1996)
Seth: Do you ever work with "Whitehat" hackers? What do you think of this practice (hacking with the intention of bringing security holes to light, without the intention to cause harm)?
Steven: I am a little uncomfortable with the term Whitehat hacker. I love the computer security research community that has proven their ability to discover weaknesses and bring them to light in a way that doesn't cause harm. They're successful because they're self-policing and they use peer review. Without these controls in place, it's hard to ensure that you're truly not causing harm.