[iwar] [fc:An.Education.in.Hacking]

From: Fred Cohen (fc@all.net)
Date: 2002-05-31 12:17:25



An Education in Hacking
At Dan Clements' Fraud Museum, businesses can see how online scamsters
operate. It's all very informative -- maybe too much so 
By Alex Salkever, Business Week, 5/28/02
http://www.businessweek.com/technology/content/may2002/tc20020528_8754.htm

Netrepreneur Dan Clements is a museum curator, only you won't find him
working at the Met or the Louvre. Rather, Clements is the CEO of
CardCops.com, an online credit-card fraud-prevention site. In February,
2001, Clements and CardCops opened the cyberdoors of their own online
Fraud Museum, which contains what Clements judges to be the most egregious
examples of crime in the annals of hackerdom. 
It's quite a display. One exhibit on the site details -- with explicit
instructions and screen shots -- how to find and compromise vulnerable
Web servers. Another exhibit shows software used to create fake
credit-card numbers. Then there are the displays of fake Web pages used
to dupe surfers into offering up credit-card numbers or other personal
information to scammers. 
More than 1,300 businesses and individuals have paid a $30 initiation
fee and $10 monthly subscription to enter the museum and other
restricted parts of the site. Clements says he counts among his paying
members the FBI, which wasn't available to comment for this story after
several requests, and American Express, which wouldn't confirm that it's
a member. A spokesperson cited the small transaction size. 
SPREADING THE WORD. Membership has been growing at a pretty impressive
clip, too -- in part due to Clements' own flair for showmanship. In
mid-April, he posted a Web site filled with fake credit-card numbers.
Then he seeded chat rooms that he considered likely to be frequented by
the online-fraud underground with links to his site, telling visitors in
effect, "Come and get 'em." 
For Clements, this was research for a possible new museum exhibit. The
goal was to see how quickly word spread, as well as to track the
geographical distribution of the people clicking on his site. After two
days, he had collected 1,600 Internet protocol addresses from 75
countries. An IP address is a number that serves as a unique identifier
for every device connected to the Web, as well as to internal company
networks. 
The stunt grabbed tech-news headlines. But is Clements going too far? A
growing chorus of detractors thinks so. They say CardCops provides
information so specific that it could serve as a tutorial for those
seeking to break into the online-fraud game. What's more, critics claim
that CardCops is long on hacker techniques but short on ways businesses
can actually protect themselves. 
WHO BENEFITS? "The site is a profit center exploiting fraud," says Julie
Fergerson, vice-president for emerging technologies at online-payment
processor ClearCommerce. "The way the site is currently designed, it's
more beneficial to the fraudsters than to the merchants they claim to
try and protect." Fergerson is also the chairperson of
MerchantFraudSquad, an industry trade group dedicated to helping
merchants stamp out online fraud. 
Clements strongly disagrees. After all, the germ of CardCops started in
the late 1990s, when he and partner Mike Brown found that their
online-advertising business was getting decimated by scammers, who were
concocting fake Web sites to manufacture phony ad traffic. "We felt a
long time ago that education is the key to making the Internet safe. You
can't keep the information locked up. Then no one learns," Clements
says. 
Clements and Brown tracked down one of the scammers. Rather than turn
the person in, however, they paid him to disclose how he scammed them.
"We wanted to find out about the process to protect our advertisers,"
recalls Clements. With the information they gleaned, the duo launched a
site in 1999 designed to help advertising agencies fend off this
problem. 
CAN OF WORMS. The site later switched its name from Adcops to CardCops
and shifted its emphasis to online credit-card fraud, billing itself as
a merchant's resource center. "The same guys that wrote these scripts to
defraud advertising companies moved on to [credit-card fraud]," explains
Clements. 
Soon the site morphed into an educational center. CardCops caught little
notice until Clements opened the Fraud Museum -- and with it a big can
of worms. But Clements argues that the subscription price actually
screens out criminals, who are loath to pay for anything on the Web. 
For their money, CardCops customers aren't getting all that slick a
production. The site is rife with broken links and misspellings. Many
sections haven't been updated for months. It's a strange counterpoint to
Ads360.com, the polished advertising site and business of which Clements
remains a part-owner. 
THE DOPE IS OUT THERE. Most of the things people find on CardCops they
can find for free on the public Internet, Clements asserts. That's
clearly true. I performed a basic Google search using three specific
terms relating to credit-card fraud and turned up dozens of public sites
claiming to offer number-generation software, which uses algorithms to
generate fake credit-card numbers. However, "It would take [people]
weeks to bring it all together in one place," Clements says. 
That may be true, but is this convenience also an attraction for
fraudsters? That's what concerns me. Clements surely is
well-intentioned. He allowed me a cyberstroll through the Fraud Museum,
and it's certainly interesting and educational. Still, some of the
exhibits struck me as detailed enough to give the wrong people a pretty
good idea of how to hack into Web servers. 
Though much of this information is out there, the key to a free and
unfettered Web, especially for business, is safety and best practices.
True, many people can derive good use from such information, helping to
make their sites safer, as Clements points out. But I don't think
publishing such explicit information in such an easy-to-access format
falls on the right side of good judgment.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT