http://chicagotribune.com/news/nationworld/article/0,2669,SAV-0104150339,FF.html
By Colin McMahon
Tribune foreign correspondent
April 15, 2001
TALLINN, Estonia -- Tonu Samuel says he is part of the solution to the
growing threat from computer hackers and cybercriminals.
The Estonian Internet company whose system Samuel hacked into says he
is part of the problem.
Their dispute is a small one in a small nation, but it captures the
challenges facing companies and governments in the Internet age.
Information that should be private and protected--telephone records,
Internet passwords, credit card numbers and PINs, and medical
histories--is proving vulnerable to a growing legion of hackers in
Estonia and elsewhere in the former Soviet Union.
Equal-opportunity hacking
The hackers are not targeting only their countries' computer
systems. For fun or profit, they are going after commercial and
governmental targets in the West as well.
Tonu Samuel knows how easy it can be.
Samuel says he routinely tests--and penetrates--the security systems
of some of his favorite targets, with Eesti Telefon's communication
portal apparently No. 1.
"How is it possible that I am always cracking their system?" Samuel
said during a long show-and-tell computer session in Tallinn. "I'm
just one guy. They are just too slow to secure their systems. Any
schoolboy could get in."
Samuel, 28, designs computer security systems for clients in the
Baltic states, Europe and North America. He also hacks.
Last September, Samuel allegedly broke into Eesti Telefon's portal,
Hot.ee, and extracted about 60,000 user names. He told a local
reporter how to do it, resulting in a newspaper article that left
Eesti Telefon scrambling to calm the public's worries about online
security.
He says he could have told the reporter how to find the passwords to
go with the user names. He did not.
Then Samuel went on a live television show and hacked into the Hot.ee
portal.
Trouble with the law
Soon police raided Samuel's home in Tallinn and confiscated his
computer equipment. He was charged with illegal use of a computer
network. If convicted, he could be sentenced to 2 years in prison.
Samuel can explain how he did all this, but he struggles to articulate
why he did it.
He seems offended by any security system he considers shoddy.
"I think what I am doing is right," Samuel said. "I am not doing it
for money. I have never sold anything. It is just that there are some
basic principles people should follow and they don't. And no one is
doing anything to stop it."
Actually, companies and governments around the world are spending
billions to stop cybercrime. Increasingly they are concerned about
hackers from Samuel's part of the world: Russia, Ukraine and other
former Soviet republics.
Warning from the FBI
FBI officials this year specifically pointed to those countries in
warning American businesses about fraud and extortion linked to credit
card numbers and other consumer data.
"The Cold War is over," said Ronald Dick, a veteran FBI agent named
last month to direct the agency's cybercrime unit. "However, there are
still certain things that linger on, and this is one of them."
Russian hackers have been blamed for several high-profile
cyber-attacks in recent years, their Western targets ranging from
CDUniverse.com to Microsoft to NATO. At the same time, Russian police
say computer-related crimes such as stealing credit card numbers or
pirating software are rising dramatically at home as well.
Russian hackers even broke into the giant natural gas monopoly
Gazprom, temporarily seizing control of the system that manages
pipeline gas flows.
`They have fun'
"There are a lot of bad hackers, mostly in Moscow," said Yevgeny, who
declined to give his last name. He calls himself a "good" hacker and
hires himself out to test software or the soundness of security
systems. "They've got nothing to do, so they have fun.
"The best ones are all in Ukraine," Yevgeny said. "They are in high
demand from banks and other organizations, and sometimes they are
taken by bandit groups against their will. There are no more clever or
talented people anywhere else, not in America, not in Canada."
In some ways, the Soviet government was the world's first hacker,
copying Western computer technology instead of developing its own,
stripping down Western software to adapt it to Soviet technology.
Many Russians have an innate curiosity about how things work and an
ability to adapt on the fly.
"When a light fixture blows, what do people do in Finland or
Europe?" asked Hillar Aarelaid, who directs Estonia's data protection
agency. "They call someone to come and fix it. In Russia, the guy
figures out how to fix it himself.
"That is your answer as to why Russians are the best hackers."
Samuel emphasized that point. As good as he might be, he said, many
were better and more committed. What he could do, they could do, and
more.
Samuel called up a database on his ever-present laptop and within
minutes displayed a dossier on a random fellow resident of
Tallinn. Besides the person's basics, Samuel can find what cars she
owns, her driving record, her unlisted phone number, and the addresses
of friends and relatives.
Another database listed the woman's telephone history; outgoing and
incoming calls updated practically to the minute.
"You know, if I am driving in my car and someone beeps at me, I can
just find their license plate, find their phone number and call them
at that moment to say, `Hey, don't beep at me anymore,'" Samuel
said. "Or to do something else."
Public data for sale
It is the "something else" that worries Samuel, he
said. Law-enforcement and government computers have been hacked to
such an extent in Estonia, he said, that sensitive information on
public and private individuals is available to any criminal willing to
pay the price.
"If all these databases are collated into one, it could be a very
powerful tool," Samuel said. "If the Mafia or some criminal group
wants this information, they can just pay someone to go get it."
Yet criminal is exactly what Samuel is accused of being.
Whether prank, attempted theft or publicity stunt, Samuel's invasion
last September of Hot.ee caused considerable damage, Eesti Telefon
said.
"The system's configuration was changed, disabling the security
solutions and enabling data to be copied," said Ain Parmas, an Eesti
Telefon spokesman.
Parmas rejected Samuel's claim that he was just pointing out--albeit
in a public and embarrassing fashion--the flaws in the Hot.ee system.
"Certainly we had to develop security management in any case," Parmas
said. "But the illegally done changes to the system configuration
caused a lot of additional work."
Parmas also said that Hot.ee was improving its security systems and
working to meet standards set by the Estonian government for data
protection.
Facing uncertain fate
Samuel mixes bouts of regret with outbursts of defiance.
He said he has lost contracts, partly because the police still have
his computer and disks. Some friends and colleagues in the information
technology world think he has gone too far. ("The IT brotherhood is
divided on this," Aarelaid said.)
Samuel is willing to bargain with prosecutors and with Eesti Telefon,
he said, but the other side seems unwilling to talk. No trial date has
been set.
"Of course it is cool to be in the newspapers and whatever, but I want
this all to just go away," he said. "I'm pretty limited in what I can
do."
Yet Samuel acknowledged that just recently he was snooping around in
the Hot.ee system, trying to see whether some security holes had been
plugged.
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Mon Apr 16 04:36 CDT 2001