Tommy Coyne

MPM Class A

111416

29/08/08

ABSTRACT

Cyber space is constantly being

WHAT AFFECT DO HACKERS
attacked or abused. There are
many criminals out there out to
achieve their ulterior motives POSE ON THE IRISH
(most of them, criminal in
nature). The first obvious ECONOMY?
motive of a crime is usually
money. Why risk getting
thrown into prison for a long
time? Because if you can get By
away with it, you’ll be many
times richer than you are
presently. Examples of
networks which when intruded Tommy Coyne
yield a lot of money can
include bank networks and
information networks.
 WHAT AFFECT DO HACKERS POSE ON THE IRISH

ECONOMY?

By

Tommy Coyne

A Dissertation submitted in partial fulfilment of the requirements for the degree of

Bachelor of Arts in Media Production Management

At

Ballyfermot College of Further Education

In conjunction with

Dublin City University

August 29th 2008

CONTENTS

ABSTRACT:

INTRODUCTION: 1

RESEARCH QUESTIONS: 3

AIMS: 5

EFFECTS: 6

STATISTICS: 7

THE BEGINNINGS: 8

WORLD WIDE WEB: 11

HACKERS: 12

BANK ACCOUNT INFORMATION: 14

CYBER TERRORISM: 16

MOTIVES: 18

TACTICS: 19

GAINING ACCESS: 20

THE CORPORATE SECTOR: 23

HACKING GOOGLE: 24

LITERATURE REVIEW: 25

CYBER CRIMINOLOGY: 26

PROTECTION: 28

IP SPOOFING & SNIFFING: 29

CONCLUSSION: 33

BIBLIOGRAPHY: 35
ABSTRACT

Cyber space is constantly being attacked or abused. There are many criminals out there out to
achieve their ulterior motives (most of them, criminal in nature). The first obvious motive of
a crime is usually money. Why risk getting thrown into prison for a long time? Because if
you can get away with it, you’ll be many times richer than you are presently. Examples of
networks which when intruded yield a lot of money can include bank networks and
information networks. With hackers growing exponentially, the threat of E-commerce
infiltration is an issue that various internet security firms have tried to overcome. With news
reports of thousands of customer’s credit card details being lost due to either a misplacement
of a laptop or hacker infiltration through secure networks, it easy to see that there is a big
problem that is affecting all financial organisations be they Irish or international. According
to the Irish Cyber crimes survey - cybercrime is virtually universal. 98% of Irish companies
(who responded to the survey) reported issues, the most common of which were viruses and
other malicious software (90%), misuse of systems (88%), asset theft (63%) and phishing
(56%). A hacker by definition believes in access to free information. They are usually very
intelligent people who could care very little about what you have on your system. Their thrill
comes from system infiltration for information reasons. Hackers unlike “crackers and
anarchist” know being able to break system security doesn’t make you a hacker any more
than adding 2+2 makes you a mathematician. Cyber-terrorism basically means the act of
carrying out terrorism using cyberspace, or in other words, the Internet. It is the hacking or
attacking of networks and computers to obtain or modify information for political and/or
social objectives or rather, a way to quickly and easily distribute propaganda and get a lot of
attention drawn to it.
 Hackers and their effect on Electronic Commerce

“Are hackers a threat? The degree of threat presented by any conduct, whether legal or
illegal, depends on the actions and intent of the individual and the harm they cause.”
Kevin Mitnick

“Today, the cyber economy is the economy. Corrupt those networks and you can disrupt a
nation.”

Condoleezza Rice, National Security Advisor to President George W. Bush,

March 22, 2001

This dissertation is intended to find out what are the effects hackers have on the Irish

economy, how much of the Irish economy is lost annually due to hackers and what

prevention measures should be enforced to protect businesses and corporations from the

hacking community. There have been many reports as of late, in the news about various

hacker activities in places like the United States, Europe and Asia. One of the latest of those

reports was of a Scottish hacker (Gary McKinnon)

“On the lookout for information about UFOs, Gary McKinnon, a Glaswegian by birth, broke
into several dozen computers used by NASA and the US military. Today, Mr. McKinnon lost
his plea to the Lords of Appeal in London to prevent his extradition to the US where the 42-
year-old may face at least 10 years behind bars. US officials accuse the man of having stolen
950 passwords and deleting documents. His crime may be treated as an act of terrorism.
McKinnon was arrested in the UK in 2002 but not charged.”
http://www.heise.de/english/newsticker/news/113593

Even in Ireland, hackers are making an appearance. The Irish hacker is a couple of years

behind their international peers when it comes to the numbers of hackers per capita. That and

the fact, that there haven’t been that many ‘High Profile Hacks’, associated with Elite

Hackers, which is surprising since there has been a massive increase of I.T. professionals

emerging within the I.T. industry.

1
Hacking is not territorial though, so international hackers from anywhere in the world can

hack a system in a matter of minutes. Irelands only saving grace is that there are not that

many multi-corporational entities worth attacking compared to international conglomerates.

The dramatic shut-down of Eircom's ISP (Eircom.net) following a successful hack attack

perpetrated by a teenager in 2000 demonstrated how even major companies can fall victim to

such attacks. The best way for businesses to avoid this type of disaster is to keep online

security on their minds and make it part of the culture of the firm. Buying sophisticated

security software is only part of the solution. Firms have to constantly monitor their security

and simulate hacking scenarios to keep secure. Due to the way security had been

implemented on these products, hackers and anybody with reasonable computer knowledge

could freely use them to access the internet. The wireless routers use a security protocol

called Wired Equivalent Privacy (WEP). This protocol requires anybody accessing the

wireless network to enter a 16-digit password. This code is generated from the serial number

of the router as well as some text which is converted to numerical values. The text used

includes eight snippets of lyrics from guitar legend Jimi Hendrix. The security problem

occurs because the unique eight digit number that is broadcast as the name of the network is

also derived from the serial number. As a result hackers simply have to look at the name of

the Eircom network to get access to it. Both downloadable tools and websites have emerged

which automatically create the 16-digit key when the network name is keyed in. Eircom

issued a statement saying it is aware of the issue and would contact all affected broadband

customers. The Netopia routers in question were the 3300 and 2247 series. Users who had

changed the default set up were unaffected by the problem. All new modems sold by Eircom

would have instructions on how to change the default WEP key while existing customers

were advised to visit www.broadbandsupport.eircom.net for instructions.

2
Eircom pointed out that accessing wireless networks without permission is a criminal offence

under the Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraud Offences)

Act 2001.

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with

stolen credit card data, driver's license numbers, and malware, the programs that let hackers

exploit the security weaknesses of commercial software. Cybercriminals have become an

organized bunch; they use peer-to-peer payment systems just like they're buying and selling

on eBay, and they're not afraid to work together.

Some hackers take the direct approach. Ransom scams, in which a criminal infects a

company's systems with malware that encrypts data and then demands money to provide the

decryption key--are common in Russia. Uriel Maimon, a researcher with the consumer

division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these

scams over the past five months.

“Last week there was a security at Ireland’s largest online recruiter. Jobs.ie reported that
last Thursday, March 27th, there was a security breach of their website and a number of CVs
were stolen. Obviously these CVs contained a number of personal details and in the wrong
hands these details could be used for illegal activities. One report mentions that up to 60,000
Irish CVs were stolen in this breech, which it is said were mostly archived CVs as opposed to
current ones.” 31 March 2008 http://www.eirjobs.com/news/

“MORE THAN a hundred Irish websites have fallen victim to hacker attacks in the last
month including one for the Irish presidency of the EU, which was developed at a cost of
over €2 million.

The EU presidency website at www.eu2004.ie is now off-line. A spokeswoman for the

Department of Foreign Affairs confirmed that the website was taken down on May 1st as
soon as the infection was discovered.”
http://www.irishtimes.com/newspaper/finance/2008/0606/1212677071145.html

3
Research Questions:

I hope to be able to find out how Ireland’s economy is affected and to what extent.

• By doing individual research of Newspaper articles.

• Previous journal articles on the Irish economy.

• Gathering of statistics from online archives.

I will use graphs to illustrate the amount of revenue that has been misappropriated from

Ireland. This study should also help to find out any information if any, on where the attacks

are originating from and what preventive measures can be taken in the future to help decrease

further internet based attacks on the economy.

Cybercrime: are you prepared for an attack?

“A new study carried out by the Centre for Cybercrime Investigation, along with the
Information Systems Security Association (ISSA) and University College Dublin's School of
Computer Science and Informatics, found over half of all Irish companies that experienced
some form of cybercrime ended up reporting losses of more than EUR25,000 as a direct
result. The survey, which included input from academics, industry and An Garda Siochana
computer experts, noted that although companies were aware of the presence of threats from
hackers and malicious programs like computer viruses, a disturbing 68 percent of
respondents said incidents are predominantly discovered only by accident and - more
worryingly - usually after the damage is already done.

“A new study carried out by the Centre for Cybercrime Investigation, along with the
Information Systems Security Association (ISSA) and University College Dublin's School of
Computer Science and Informatics, found over half of all Irish companies that experienced
some form of cybercrime ended up reporting losses of more than EUR25,000 as a direct
result.” Enterprise Ireland eBusiness Live, March 20th 2007

http://www.ebusinesslive.ie/newsletter/Story/4/791/ob.html/179
 4

AIMS

The primary aim is to determine whether cybercrime is affecting Irish organisations. This

question is answered very clearly: cybercrime is virtually universal, with 98% of our

respondents reporting issues, the most common of ISSA / UCD Irish Cybercrime Survey

2006 which were viruses and other malicious software (90%), misuse of systems (88%), asset

theft (63%) and phishing (56%). In order to gauge the impact on each organisation,

respondents were asked to identify the cost of their most significant incident. 76% of

respondents reported incidents which cost over €5,000 to correct, while costs of over

€100,000 were incurred by 22% of organisations. The most common consequences of

breaches were reported as loss of productivity (89%), loss of data (56%) and the departure of

employees through either termination or resignation (44%). Internal detection appears

dominated by chance discoveries, such as accidental detection (68%) and discovery by non-

IT employees (58%), however detection through technology is also significant, identifying

issues in 61% of organisations. 62% of overall respondents have experienced external

reporting of issues, with sources including connected organisations (46%), unconnected

organisations (58%) customers (42%), and individuals (39%). Finally, in assessing how

organisations respond to cybercrime our questions included the outcome of issues involving

internal personnel and the role of the law. Virtually all respondents (97%) reported invoking

internal disciplinary processes to deal with problems, while 39% have had employees resign

or be terminated. 18% of respondents have engaged law enforcement to deal with an internal

employee issue and of those, two-thirds have seen an investigation result in prosecution.
 5

What effect does the hacker community have on E-commerce?

With hackers growing exponentially, the threat of E-commerce infiltration is an issue that

various internet security firms have tried to overcome. With news reports of thousands of

customer’s credit card details being lost due to either a misplacement of a laptop or hacker

infiltration through secure networks, it easy to see that there is a big problem that is affecting

all financial organisations be they Irish or international. According to the Irish Cyber crimes

survey - cybercrime is virtually universal. 98% of Irish companies (who responded to the

survey) reported issues, the most common of which were viruses and other malicious

software (90%), misuse of systems (88%), asset theft (63%) and phishing (56%). The scary

part is that each of these incidents costs money - anything from €5,000, to well over

€100,000. What's even scarier is the fact that in 2006 only 42 organisations were prepared to

respond to the survey! No one wants to admit to being a victim of cybercrime (as it infers

that your IT security isn't as good as it could be), but I'm certain that there was more than 42

organisations affected in 2006.

“In one of the most high-profile cases of telecoms fraud, the phone system at the Department

of Social and Family Affairs was hijacked in 2002 and used to route international calls. This

allows callers to dial international numbers at little or no cost to the caller, as the owner of

the system foots the bill for the calls. A report by the Comptroller and Auditor General found

the department incurred significant losses, amounting to €300,000, over a single weekend.”
 6

Org

anisation information shows that the majority of responses come from organisations in

financial services (29%), IT / ICT (18%) or education (11%). Each remaining category

represents fewer than 8% of responses, however when combined, government and semi-state

bodies represent 11% of respondents

7
.
The beginnings:

The introduction of home computers in large numbers in the 1980’s was probably the

beginning of the era of premature attackers. Computers such as the commodore C64, Amiga

500, Atari ST and IBM PC’s were introduced into the bedroom of teenagers. These

computers had several advantages over other toys such as game consoles. You could program

them yourself and users were encouraged to do just that.

Recently, the term hacker has taken on a new meaning, (someone who maliciously breaks

into systems for personal gain.) Technically, these criminals are crackers (criminal hackers).

Crackers break into (crack) systems with malicious intent. They are out for personal gain:

fame, profit, and even revenge. They modify, delete, and steal critical information, often

making other people miserable.

The Internet has grown explosively, with no end in sight. At its inception as ARPANET it

held only 4 hosts. A quarter of a century later, in 1984, it contained only 1000 hosts. But over

the next 5 years this number grew tenfold to 10,000 (1989). Over the following 4 years it

grew another tenfold to 1 million (1993). Two years later, at the end of 1995, the Internet was

estimated to have at least 6 million host computers. There are probably over 10 million now.

There appears to be no end in sight yet to the incredible growth of this mutant child of

ARPANET. In fact, one concern raised by the exponential growth in the Internet is that

demand may eventually far outrace capacity. Because now no entity owns or controls the

Internet, if the capacity of the communications links among nodes is too small, and it were to

become seriously bogged down, it might be difficult to fix the problem. For example, in
1988, Robert Morris, Jr. unleashed a "virus"-type program on the Internet commonly known

as the “Morris Worm.” This virus would make copies of itself on whatever computer it was

on and then send copies over communications links to other Internet hosts. (It used a bug in

send-mail that allowed access to root, allowing the virus to act as the super-user). Quickly

the exponential spread of this virus made the Internet collapse from the communications

traffic and disk space it tied up. At the time the Internet was still under some semblance of

control by the National Science Foundation and was connected to only a few thousand

computers. The Net was shut down and all viruses purged from its host computers, and then

the Net was put back into operation. Morris, meanwhile, was put in jail.

There is some concern that, despite improved security measures (for example, "firewalls"),

someone may find a new way to launch a virus that could again shut down the Internet. Given

the loss of centralized control, restarting it could be much more time-consuming if this were

to happen again. But reestablishing a centralized control today like what existed at the time

of the “Morris Worm” is likely to be impossible. Even if it were possible, the original

ARPANET architects were probably correct in their assessment that the Net would become

more susceptible for massive failure rather than less if some centralized controls were in

place. Perhaps the single most significant feature of today's Internet is this lack of centralized

control. No person or organization is now able to control the Internet. In fact, the difficulty of

control became an issue as early as its first year of operation as ARPANET. In that year email

was spontaneously invented by its users. To the surprise of ARPANET's managers, by the

second year, email accounted for the bulk of the communication over the system. Because

the Internet had grown to have a fully autonomous, decentralized life of its own, in April

1995, the NSF quit funding NSFNET, the fiber optics communications backbone which at

one time had given NSF the technology to control the system. The proliferation of parallel
communications links and hosts had by then completely bypassed any possibility of

centralized control. There are several major features of the Internet:

• World Wide Web -- a hypertext publishing network and now the fastest growing part

of the Internet.

• Email -- a way to send electronic messages

• Usenet -- forums in which people can post and view public messages

• Telnet -- a way to login to remote Internet computers

• file transfer protocol -- a way to download files from remote Internet computers

• Internet relay chat -- real-time text conversations -- used primarily by hackers and

other Internet old-timers

10

• Gopher -- a way of cataloging and searching for information. This is rapidly growing

obsolete.

As you port surfers know, there are dozens of other interesting but less well known services

such as whois, finger, ping etc.

The World Wide Web

The World Wide Web is the newest major feature of the Internet, dating from the spring of

1992. It consists of "Web pages," which are like pages in a book, and links from specially

marked words, phrases or symbols on each page to other Web pages. These pages and links
together create what is known as "hypertext." This technique makes it possible to tie together

many different documents which may be written by many people and stored on many

different computers around the world into one hypertext document.

This technique is based upon the Universal Resource Locator (URL) standard, which

specifies how to hook up with the computer and access the files within it where the data of a

Web page may be stored.

A URL is always of the form http://<rest of address>, where <rest of address> includes a

domain name which must be registered with an organization called InterNIC in order to make

sure that two different Web pages (or email addresses, or computer addresses) don't end up

being identical. This registration is one of the few centralized control features of the Internet.

11

Hackers

A hacker by definition believes in access to free information. They are usually very

intelligent people who could care very little about what you have on your system. Their thrill

comes from system infiltration for information reasons. Hackers unlike “crackers and

anarchist” know being able to break system security doesn’t make you a hacker any more

than adding 2+2 makes you a mathematician. Unfortunately, many journalists and writers

have been fooled into using the word ‘hacker.” They have attributed any computer related

illegal activities to the term “hacker.” Real hackers target mainly government institution.

They believe important information can be found within government institutions. To them the
risk is worth it. The higher the security, the better the challenge. The better the challenge the

better they need to be. Who’s the best keyboard cowboy? So to speak! These individuals

come in a variety of age classes. They range from Secondary School Students to University

Grads. They are quite adept at programming and are smart enough to stay out of the spotlight.

They don’t particularly care about bragging about their accomplishments as it exposes them

to suspicion. They prefer to work from behind the scenes and preserve their anonymity. Not

all hackers are loners, often you’ll find they have a very tight circle of associates, but still

there is a level of anonymity between them. From the research that has been carried out, it

has been found that there is access to all manners of hacking tools and tutorials which are

readily available for the ever curious internet user. An internet user can go online and now

find through torrent sites like ‘The Pirate Bay’ or ‘Torrent Portal’ any and all information that

they may need to pull off successful hacks, ranging from beginner to elite hacker. These

would include tutorials, eBooks and then the actual hacking tools themselves (Trojans,

Viruses, and Port Scanners). The fact that the internet is basically the biggest source of free

information is also an immense draw for the curious.

12

There is also now a growing trend of introducing actual hacking courses which the below text

is an example:

Description: This course will teach students how to scan, test, break into and secure their
own systems. The lab intensive environment provides each student with in-depth knowledge
and practical experience with current essential computer systems. Students will begin by
understanding how perimeter defences work and then be lead into scanning and attacking
their own networks, no real network is harmed. Students then learn how intruders escalate
privileges and what steps can be taken to secure a system. They will also be taught about
Vulnerability Assessment, PenTesting, Social Engineering, DDoS Attacks, Buffer Overflows
and Virus Creation. When a student leaves this intensive 5-day class, he will be equipped
with a thorough understanding along with practical exposure to the subject of Ethical
Hacking.
http://www.hackerscenter.com/index.php?/Blogs/2086-Want-to-learn-to-hack-in-5-Days.html

Thanks to sensationalism, the definition of hacker has transformed from harmless tinkerer

to malicious criminal. Hackers often state that the general public misunderstands them, which

is mostly true. It’s easy to prejudge what you don’t understand. Hackers can be classified by

both their abilities and underlying motivations. Some are skilled, and their motivations are

benign; they’re merely seeking more knowledge. At the other end of the spectrum, hackers

with malicious intent seek some form of personal gain. Unfortunately, the negative aspects of

hacking usually overshadow the positive aspects, resulting in the stereotyping. Historically,

hackers have hacked for the pursuit of knowledge and the thrill of the challenge. Script

kiddies aside, hackers are adventurous and innovative thinkers, and are always thinking about

exploiting computer vulnerabilities. They see what others often overlook. They wonder what

would happen if a cable were unplugged, switches were flipped, or lines of code were

changed in a program. More recent evidence shows that many hackers are hacking for

political, competitive, and even financial purposes, so times are changing. When they were

growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers

see their electronic foes as only that — electronic.

13

Hackers who perform malicious acts don’t really think about the fact that human beings are

behind the firewalls and Web applications they’re attacking. They ignore that their actions

often affect those human beings in negative ways, such as jeopardizing their job security.

Hackers and the act of hacking drive the advancement of security technology. After all,

hackers don’t create security holes; they expose and exploit existing holes in applications.

Unfortunately, security technology advances don’t ward off all hacker attacks, because

hackers constantly search for new holes and weaknesses. The only sure-fire way to keep the

bad guys at bay is to use behaviour modification to change them into productive, well-
adjusted members of society. Good luck with that. However you view the stereotypical

hacker, one thing is certain: Some people always will try to take down your computer

systems through manual hacking or by creating and launching automated worms and other

malware. You must take the appropriate steps to protect your systems against them.

Bank Account Information

I’m sure if you’re like most people you have web banking of some kind. You probably pay

your bills online via your banks website. Most banks require you to use 128bit encryption

browsers to do your banking online. This form of banking online does encrypt your

information and protect it from otherwise prying eyes of the world that may wish to gain

access to such vital information. This should further illustrate how powerful the encryption

method is: 40-bit encryption means there are 240 possible keys that could fit into the lock

that holds your account information. That means there are many billions (a 1 followed by 12

zeroes) of possible keys. 128-bit encryption, means there are 288 (a three followed by 26

zeroes) times as many key combinations as there are for 40-bit encryption.

14

That means a computer would require exponentially more processing power than for 40-bit

encryption to find the correct key. That’s a very powerful method of encrypting data sent

from your machine to the banks machine. Unfortunately it’s useless to you once your

computer has been compromised.

Question: How?
One of the features of a “Trojan” is a key logger. The principle behind this is all keystrokes

pressed will be recorded and sent back to the “hacker.” What sort of information do you enter

when you are banking online? Most banks have a login screen of some kind, where you type

in your username and password. Here’s where it gets interesting. This means that once you

type your login and password for your online bank account the “hacker” now has access to

that. You’re probably asking yourself well “How do they know what bank I’m with?” This

information is easily achieved by doing what is called a screen shot. This gives the “hacker” a

picture of your desktop and all windows currently open at the time. The screen shot would

look like this.

15

From that screen shot they can tell what site you are at (in which case it would be your bank).

From there it’s just a matter of logging into your bank account and doing whatever they want.

As you can see although you are on a secure web site, it still doesn’t protect your information

once your computer is compromised. Perhaps there are some of you who do not use online

banking. Perhaps you use another program for managing your finances. There is a variety of

programs out there available for financial purposes. Problem is that once a “hacker” has
access to your system, they have access to those files. They can copy the files from your

computer to theirs and browse through them at their leisure.

Cyber terrorism

Cyber space is constantly being attacked or abused. There are many criminals out there out to

achieve their ulterior motives (most of them, criminal in nature). Since computers are so

powerful nowadays, many very powerful and complex software programs exist to facilitate

these criminal acts. In addition to that, these programs are very user-friendly are easy to use.

So much so that even people who are new to computers can use these software to carry out

abuse. Cyberterrorism basically means the act of carrying out terrorism using cyberspace, or

in other words, the Internet. It is the hacking or attacking of networks and computers to

obtain or modify information for political and/or social objectives or rather, a way to quickly

and easily distribute propaganda and get a lot of attention drawn to it. An important criterion

in classifying an act as cyberterrorism is that it spawns fear amongst the masses and it should

cause at least some damage to people or property. Acts which cause damage to non-critical

structures or are just a nuisance are not acts of cyberterrorism. Cyberterrorism causes a lot of

financial damage. They usually affect huge numbers of people. Cyberterrorism is a very

serious crime as it can cause problems to many people at any one time. It has crippling effects

on the economy.

16

By crippling a country’s economy, a cyber terrorist can also potentially weaken the country

for a military attack to be successful. Attacks on e-commerce websites such as Yahoo and

eBay caused over a US$1 billion in losses as these sites work on the basic, clichéd principle,

“Time is Money”. Every second these sites are down, they are potentially losing thousands of

customers. Imagine if each customer spent €100 in purchases each. They would be losing

millions of Euro’s per second! Because of the real and imaginary threats hackers pose, an
entire industry exists that is dedicated to stopping the hacker. Seminars are held every week

across the world where computer security experts tell government and corporate managers

what they need to fear and how they need to stop it. Even the United States government has

created a "Cyber Czar" position responsible for protecting their critical infrastructure from

hacker attacks. Such efforts to develop security measures are not without good reason.

Computer viruses are damaging, and every day different hackers across the world find their

way into computer systems they are not supposed to enter. Still, to throw all hackers into the

same negative category too easily simplifies what is a complex situation. In fact, many who

would consider themselves "true" hackers define their identity in large part by their creation

of (or positive additions to) computer systems that are the backbone of today’s technology

infrastructure, and by their opposition to those that seek to control information and access to

technology that many, not just hackers, believe should not be controlled. In fact, some

exceptionally skilled, more socially and politically conscious hackers, discouraged by the

actions and policies of governments they feel to be arrogant, corrupt and oppressive, are

increasingly lending their skills to political or social causes. Working individually or in

virtual collectives and sometimes associated with established non–governmental groups

(NGOs) or other political activists or associations, these hackers, also called hacktivists, are

hacking for a cause. Using hacker tools already available or creating their own, they are

targeting those governments responsible for what they consider political, economic, or social

injustice or oppression.

17

Motives

The first obvious motive of a crime is usually money. Why risk getting thrown into prison for

a long time? Because if you can get away with it, you’ll be many times richer than you are

presently. Examples of networks which when intruded yield a lot of money; can include bank
networks and information networks. This type of business deals a lot with money and any

intruder who gets super-user access into the system can conveniently change the details of the

user accounts within the network or even silently transfer the money over to his bank

account. With super-user access and enough skills, the hacker can even remove any trace

whatsoever of the transaction ever taking place. In the movie “Hackers”, the master hacker

sent out a virus which silently transfers very small amounts of money from hacked user bank

accounts. Nobody ever suspects anything as the amount is small when looked at individually,

but collectively, the amount is enough to make the master hacker a millionaire.

Personal Information

Sometimes hackers are not out for an easy way to get rich. Rather, they’re out for power. Just

like not all criminals commit crimes for money. Some steal information in order that their

own companies can become powerful. Similarly, personal data like your passport number,

your user id and password to some secure server or even to your bank account can make the

hacker both more powerful and/or richer. In some countries, just by knowing the passport

number of a person, you can check what books he has loaned out from the library, what

school he was posted to and even get to cancel his mobile account. That is pretty scary. What

more if a hacker silently intrudes a network and spies on the user of that network for any

typed user ids and passwords or even passport numbers?

18

The hacker will ultimately become “God’ after being granted such divine powers as to affect

the lives of those he stole personal information from. It can even become a form of blackmail.

Tactics - Sniffing Passwords

Perhaps the most common loss of computer privacy is the loss of passwords. Typical users

type a password at least once a day. Data is often thought of as secure because access to it

requires a password. Users usually are very careful about guarding their password by not

sharing it with anyone and not writing it down anywhere. Passwords are used not only to

authenticate users for access to the files they keep in their private accounts but other

passwords are often employed within multilevel secure database systems. When the user

types any of these passwords, the system does not echo them to the computer screen to ensure

that no one will see them. After jealously guarding these passwords and having the computer

system reinforce the notion that they are private, a setup that sends each character in a

password across the network is extremely easy for any Ethernet sniffer to see. End users do

not realize just how easily these passwords can be found by someone using a simple and

common piece of software.

Sniffing Financial Account Numbers

Most users are uneasy about sending financial account numbers, such as credit card numbers

and checking account numbers, over the Internet. This apprehension may be partly because of

the carelessness most retailers display when tearing up or returning carbons of credit card

receipts. The privacy of each user’s credit card numbers is important.

19

Although the Internet is by no means bulletproof, the most likely location for the loss of

privacy to occur is at the endpoints of the transmission. Presumably, businesses making

electronic transactions are as fastidious about security as those that make paper transactions,

so the highest risk probably comes from the same local network in which the users are typing
passwords. However, much larger potential losses exist for businesses that conduct electronic

funds transfer or electronic document interchange over a computer network. These

transactions involve the transmission of account numbers that a sniffer could pick up; the

thief could then transfer funds into his or her own account or order goods paid for by a

corporate account. Most credit card fraud of this kind involves only a few thousand dollars

per incident.

Sniffing Private Data

Loss of privacy is also common in e-mail transactions. Many e-mail messages have been

publicized without the permission of the sender or receiver. It is not at all uncommon for e-

mail to contain confidential business information or personal information. Even routine

memos can be embarrassing when they fall into the wrong hands.

Gaining Access and Securing the Gateway

Sniffing Low-Level Protocol Information

Information network protocols send between computers includes hardware addresses of local

network interfaces, the IP addresses of remote network interfaces, IP routing information, and

sequence numbers assigned to bytes on a TCP connection.

20

Knowledge of any of this information can be misused by someone interested in attacking the

security of machines on the network. See the second part of this chapter for more information

on how these data can pose risks for the security of a network. A sniffer can obtain any of
these data. After an attacker has this kind of information, he or she is in a position to turn a

passive attack into an active attack with even greater potential for damage.

Hacking is said to have cost the global economy an estimated $1.2 Billion Niccolai (2000).

Hacking caused and still causing till the moment bankruptcy to plenty of companies, that’s

because companies are being hacked plenty of times which leads to the loss of customer

confidence or belief in the security capabilities of the company Furnell (2002). Banks (1997)

believes that companies are a main target for hackers who break into their systems to steal

trade information or customer’s payment details. Pipkin (1997) focuses on denial of service

and the effects on companies. The company server will be broken due to huge traffic causing

customer frustration and hurt the company reputation. Same for software theft that causes

bankruptcy to companies which spend millions to develop and create software that sadly later

on is stolen and copied for cheap prices. The main problem is that some companies hire or

use hackers to break into other competitor systems to steal precious information Randall et al.

(2000). Thomas and Loader (2000) discuss the effect of hacking on E-commerce. Web sites

for online selling are being hacked for the sake of getting customer and company information

which then used for nefarious purposes.

Hacker’s access information sent to Irish jobs agency:

Personal Information supplied by job applicants to online recruitment agency Jobs.ie has

been illegally accessed by internet hackers. It is understood that the hackers used an illegally

obtained log-in and password given to employers who are registered with Jobs.ie to access

21

the job applications area of the site. They then downloaded personal information from CVs

submitted, along with job applications. Most of the stolen information relates to archive CVs

rather than those of people now looking for jobs. The company, which is owned by
businessman Denis O'Brien, has in recent days contacted those affected to warn them of the

possibility that they may receive e-mails from people using their information.

"All of the people affected have been contacted and informed of the situation. We have urged

them to exercise extra vigilance with inbound e-mails in the coming weeks to ensure online

security," Olivia Kelly.

With the electronic commerce spreading over the Internet, there are issues such as non

repudiation to be solved. Financial institutions will have both technical concerns, such as the

security of a credit card number or banking information, and legal concerns for holding

individuals responsible for their actions such as their purchases or sales over the Internet.

Issuance and management of encryption keys for millions of users will pose a new type of

challenge. While some technologies have been developed, only an industry-wide effort and

cooperation can minimize risks and ensure privacy for users, data confidentiality for the

financial institutions, and non repudiation for electronic commerce. With the continuing

growth in linking individuals and businesses over the Internet, some social issues are starting

to surface. The society may take time in adapting to the new concept of transacting business

over the Internet. Consumers may take time to trust the network and accept it as a substitute

for transacting business in person. Another class of concerns relates to restricting access over

the Internet. Preventing distribution of pornography and other objectionable material over the

Internet has already been in the news. We can expect new social hurdles over time and hope

the great benefits of the Internet will continue to override these hurdles through new

technologies and legislations.

22

The World Wide Web is the single largest, most ubiquitous source of information in the

world, and it sprang up spontaneously. People use interactive Web pages to obtain stock
quotes, receive tax information from the Internal Revenue Service, make appointments with a

hairdresser, consult a pregnancy planner to determine ovulation dates, conduct election polls,

register for a conference, search for old friends, and the list goes on. Hackers investigating a

target can use munged site values based on the targets name to dig up Google’s pages (and

subsequently potential data) that may not be available to Google searches using the valid

‘site’ operator.

The Corporate Sector

For the moment, set aside dramatic scenarios such as corporate espionage. These subjects are

exciting for purposes of discussion, but their actual incidence is rare. Instead, I'd like to

concentrate on a very real problem: cost. The average corporate database is designed using

proprietary software. Licensing fees for these big database packages can amount to tens of

thousands of dollars. Fixed costs of these databases include programming, maintenance, and

upgrade fees. In short, development and sustained use of a large, corporate database is costly

and labour intensive. When a firm maintains such a database onsite but without connecting it

to the Internet, security is a limited concern. To be fair, an administrator must grasp the

basics of network security to prevent aspiring hackers in this or that department from gaining

unauthorized access to data. Nevertheless, the number of potential perpetrators is limited and

access is usually restricted to a few, well-known protocols. Now, take that same database and

connect it to the Net. Suddenly, the picture is drastically different. First, the number of

potential perpetrators is unknown and unlimited. An attack could originate from anywhere,

here or overseas. Furthermore, access is no longer limited to one or two protocols. The very

simple operation of connecting that database to the Internet opens many avenues of entry.

23
For example, database access architecture might require the use of one or more foreign

languages to get the data from the database to the HTML page. I have seen scenarios that

were incredibly complex. In one scenario, I observed a six-part process. From the moment

the user clicked a Submit button, a series of operations were undertaken:

• The variable search terms submitted by the user were extracted and parsed by a Perl

script.

• The Perl script fed these variables to an intermediate program designed to interface

with a proprietary database package.

• The proprietary database package returned the result, passing it back to a Perl script

that formatted the data into HTML

Anyone legitimately employed in Internet security can see that this scenario was a disaster

waiting to happen. Each stage of the operation boasted a potential security hole.

How Hackers Use Google to hack:

Example: A hacker is interested in sensitive information about “ABCD Corporation”, located

on the web at http://www.ABCD.com. Using a query like ‘Site: ABCD’, may find mistyped

links (http://www.abcd) instead of (http://www.abcd.com) containing interesting information.

There is a system out now that is under the concept of a honey-pot which is a computer

system on the internet that is expressly set up to attract and trap people who attempt to

penetrate other peoples computer systems. In order to learn about how new attitudes might be

conducted, the maintainers of a honey-pot system, monitor, dissect and catalogue each attack,

focusing on those attacks which seem unique.

 24

A simple entry like “inurl: admin inurl: userlist”, could easily be replicated with a web-based

honey-pot by creating an index.html page which referenced another index.html page in a

/admin/user list directory. If a web search engine like Google was instructed to crawl the top-

level index.html. This link would satisfy the Google query of “inurl: admin inurl: userlist”,

eventually attracting a Google searcher.

Literature Review:

In the study, “A Qualitative Analysis of Advance Fee Fraud E-mail Schemes”, Holt and

Graves discuss the implications of a study for law enforcement and computer security,

exploring the mechanisms that are employed by scammers through a qualitative analysis of

412 fraudulent email messages. Criminals utilize the Internet to perpetrate all manner of

fraud, with the largest dollar losses attributed to advance fee fraud e-mail messages. Half of

all the messages also request that the recipient forward their personal information to the

sender, thereby enabling identity theft. The findings demonstrate that multiple writing

techniques are used to generate responses and information from victims.

Maura Conway quotes Denning in her paper “Cyberterrorism and Terrorist 'Use' of the

Internet” that “Cyberterrorism is the convergence of cyberspace and terrorism. It refers to

unlawful attacks and threats of attacks against computers, networks and the information

stored therein when done to intimidate or coerce a government or its people in furtherance of

political or social objectives. Further, to qualify as cyberterrorism, an attack should result in

violence against persons or property, or at least cause enough harm to generate fear. Attacks

that lead to death or bodily injury, explosions, or severe economic loss would be examples.

Serious attacks against critical infrastructures could be acts of cyber-terrorism, depending on

their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance

would not." 25

Cyber Criminology: Evolving a novel discipline with a new journal’

In the study, “A Qualitative Analysis of Advance Fee Fraud E-mail Schemes”, Holt and

Graves discuss the implications of this study for law enforcement and computer security,

exploring the mechanisms that are employed by scammers through a qualitative analysis of

412 fraudulent email messages. Criminals utilize the Internet to perpetrate all manner of

fraud, with the largest dollar losses attributed to advance fee fraud e-mail messages. Half of

all the messages also request that the recipient forward their personal information to the

sender, thereby enabling identity theft. The findings demonstrate that multiple writing

techniques are used to generate responses and information from victims. The World

Intellectual Property Organisation (WIPO) has developed several treaties to assist in the

protection of copyrights. Specifically, WIPO has three treaties that preclude the unlawful

taking of copyrighted material: The Copyright Treaty, The Performers and Producers of

Phonograms Treaty, and The Databases Treaty. Regardless of these treaties, Rao (2003)

showed that the international piracy rates increased in the years of 2000 and 2001. Therefore,

piracy is a worldwide behaviour. Because of the attributes of the Internet, piracy took place in

almost complete deceit making the tracking of rates nearly impossible. However, an industry

groups had estimated that software piracy accounted for nearly 11 billion dollars in lost

revenue and contributed to loss of jobs and reduced government revenues (Business Software

Alliance, 2003). Whatever approach hackers take, most malicious hackers prey on ignorance.

They know the following aspects of real-world security: The majority of systems that hackers

want to attack aren’t managed properly.

The computer systems aren’t properly patched, hardened and monitored as they should be.

Hackers often can attack by flying below the average radar of common firewalls, IDS and

authentic systems.

26

• Hack attacks are usually carried out after typical business hours and can be carried out

slowly, which makes that much harder to detect.

• Company’s defences are often weaker during off-peak hours which have less

intrusion monitoring and less physical security.

• Access through proxy servers is the most common form of intrusion.

A proxy server is simply a program that relays data from one system to another. There is a

number of free proxy servers available designed to offer the users some type of "anonymity"

or access to "restricted" websites. For example, if your IP address was 1.1.1.1 and you

connected to the internet through a proxy server with an IP address of 2.2.2.2 everyone would

see you as connected to the internet with IP 2.2.2.2 not 1.1.1.1. Or at least that is the idea.

There are a whole host of applications for proxy servers and issues associated with them.

Although many are used to privacy or anonymity this is not necessarily a feature or benefit.

For example, many proxy services are designed to pass on the

HTTP_X_FORWARDED_FOR value, which would tell any server you connect to through

the proxy service that you are using a proxy server at 2.2.2.2, but your real IP is 1.1.1.1. This

is useful in many business applications where the objective of the proxy service is not

privacy, but something else. How do you know if that proxy server you are using for privacy

passes this variable or not? Since a proxy server relays data through the proxy server system,
it is possible for data to be logged and/or modified. If you want to have real fun, modify the

code in a proxy server to change all the letters "i" to "a" and see someone try to use it. Not

useful, but very illustrative of the power the operator of a proxy server have. When you enter

your login and password, it will be relayed through the proxy server, but will it be logged

too? How will you ever know? Now the proxy server can provide a real benefit when you

want to access blocked websites say from China or your school.

27

Of course any decent blocking program would easily decode the proxy packet and block the

sites direct or through a proxy server. Now there are some real dangers of proxy servers and

that is with respect to crime. I have seen some enticing sales pitches for a public proxy server

you can setup for people to access blocked sites. Basically the pitch goes like this... install

our program and watch the money roll in as users use your proxy on your server to access

blocked sites. That also means that when someone uses your proxy to commit credit card

fraud or hack into something, the victim will see the IP address of your server not the bad

guy! Open proxy servers are another bad idea. This might be installed by spyware or they

might be installed by mistake. They will turn your computer into a proxy server and you

might not even know it! There are many people that scan the internet for open proxy servers

about publish lists of open proxy server IPs.

Protection

There is a new phenomenon emerging on the Internet. Security consults are now being done

(although perhaps not in great number) from remote locations. This is where someone in the

same city (or another city) tests, defines, and ultimately implements your security from the

outside. In other words, it is done from a location other than your offices or home. I have a

couple points to make regarding this type of procedure:

• Scan or penetration testing is commonly done from a remote location. The purpose of

penetration testing (at the end of the day) is to simulate a real-time attack from the void.

There is no replacement for doing this from a remote location. In this limited area of concern,

at least, analysis from a remote location is warranted and reasonable.

28

• All other forms of security testing and implementation should be done onsite. Implementing

security from a remote location is not a secure method and may result in security breaches.

As much as the idea may seem attractive to you, I would strongly advise against having any

firm or individual handle your security from a remote location. If your network is large and is

meant to be as secure as possible, even the existence of a privileged user who can gain remote

access to do maintenance work is a security risk. (For example, why would one cut a hole

through a firewall just for the convenience of off-site work?)

Avoiding Transmission of Passwords

In some sense, the prevention of sniffing by installing hardware barriers may be considered

the last line of defence in a security system. When building medieval fortresses, the last line

of defence was typically the most formidable but could only protect those who would be left

inside after the outer defences had been breached. In dealing with sniffing, the first line of

defence is simply not to transmit anything sensitive on the network in the first place. The

local hardware defences may limit intrusion into the local systems. However, if authorized

users may access those systems from remote locations, one must not transmit sensitive
information over remote parts of the Internet lest the information be sniffed somewhere along

the way. One extreme that preserves security is simply not to permit access from remote

locations. Also, the most formidable defences against inward directed attack do nothing to

provide for the security of one leaving the area being protected. Legitimate Internet sessions

initiated inside a network with those outside must also be protected.

29

IP Spoofing and Sniffing

The most glaring security hole beyond simple loss of privacy is the opportunity for a sniffer

to gather passwords. The best way to deal with this problem is simply not to transmit clear-

text passwords across the network. Simply transmitting an encrypted password that could be

captured and replayed by a sniffer is also not acceptable. Several different methods are in use

to provide this kind of protection:

• The rlogin family of protocols

• Using encrypted passwords

• Zero knowledge authentication

Information protection does not always protect information systems from harm. Designers

may decide to shred paper, burn electronic media, or even blow up computers. Shredding

paper prevents leakage of potentially harmful information in paper form, burning used floppy
disks prevents their contents from being read and exploited and blowing up electronic devices

is used in smart bombs as a cost -effective way to keep the information technology used to

guide the bomb from getting into enemy hands. Information protection has been, is, and will

likely always be a study in tradeoffs.

Designers trade costs against potential harm, long term for short term, people solutions with

technical solutions, integrity with availability with privacy, and one person's harm for another

person's benefit. Discussions should also include how current security policies and practices

are impacting how well an agency’s network environment is able to protect both its

information and employees.

30

For example, organizations that fail to institute anonymous surfing practices when their staff

members use the Internet for official business may unintentionally disclose their operating

system, browser version, physical address and other sensitive information. Adversaries can

use this information to uncover a government organization’s confidential plans and

jeopardize their entire operation. Additionally, once an enemy knows an agency’s IP address,

they can start scanning and attacking its network directly, endangering the organization’s data

and infrastructure. Addressing these kinds of practices during the summit will put any

conversation about the technical aspects of a network’s security architecture in perspective.

Most people probably want to feel that their computers are safe, and many people in the

computer security business try to get money for helping them feel that way, but frankly, a

good psychologist might be less expensive. Relatively few organizations or individuals

behave as if they really want to be kept from harm, especially if it costs them something or if

they haven't just been harmed. In many organizations, effective information protection

requires cultural change. This is one of the hardest sorts of change for most people to make
because it requires that they find new ways of thinking about issues, that they gain a new

level of awareness about things around them, and that they act based on this awareness.

Information protection can't be left to someone else. This doesn't work, no matter who you

are in an organization. In the information age, information protection is everyone's problem.

From the highest ranked officer in the largest organization to the lowest paid office clerk,

everyone has responsibility for information protection, and protection will not be fully

effective until everyone assumes their responsibility What is often disconcerting is how much

an organization freely contributes to the hacker's weapon stockpile. Most organizations are

haemorrhaging data; companies freely give away too much information that can be used

against them in various types of logical and physical attacks. Here are just a few common

examples of what a hacker can learn about an organization, often in minutes:

31

• The names of the top executives and any flashy employees they have by perusing their

archive of press releases.

• The company address, phone number, and fax number from domain name registration.

• The service provider for Internet access through DNS lookup and trace route.

• Employee home addresses, phone numbers, employment history, family members, previous

addresses, criminal record, driving history, and more by looking up their names in various

free and paid background research sites.

• The operating systems, major programs, programming languages, specialized platforms,

network device vendors, and more from job site postings.

• Physical weaknesses, vantage points, lines of sight, entry ways, covert access paths, and

more from satellite images of your company and employee addresses.

• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web

server platform, scripting languages, web application environments and more from Web site

scanners.

• Confidential documents accidentally posted to a Web site from archive.org and Google

hacking. Flaws in your products, problems with staff, internal issues, company politics, and

more from blogs, product reviews, company critiques, a competitive intelligence services.

Another solution is to use encrypted passwords over the network. You must use caution,

however, when simplifying this technique. Even with encryption, a sniffer can still record the

encrypted password and decipher the encrypted password at his or her leisure. One way

around this is to use an encryption key that involves the current time.

32

If the sender and receiver are closely synchronized, the sniffer must replay the encrypted

password within one tick of the two machines’ shared clock. If the sender and receiver are

widely separated, however, this technique becomes less practical and effective because

shared clocks will lack sufficient time resolution to prevent an attacker from using a quick

replay. One way around this lack of close synchronization is to set a limited number of

attempts at typing the password correctly. It also does not suffice to simply encrypt the

password with an algorithm using a key that allows an attacker to determine the encryption

key. The attacker would decrypt it for repeated use at a later time. Some protocols use an

encryption technique equivalent to the one used by the UNIX password program when it

stores passwords in the password file. This encryption technique is no longer considered

particularly secure against brute force cryptographic attacks where all likely passwords are

encrypted with the same algorithm used by the password file. Any two words that encrypt the
same must be the same. Hence, poorly chosen (for example, dictionary words) or short

passwords are particularly easy to crack by brute force.

Conclusion

There are many possible ways that a hacker can gain access to a seemingly secured

environment. It is the responsibility of everyone within an organization to support security

efforts and to watch for abnormal events. We need to secure IT environments to the best of

our abilities and budgets while watching for the inevitable breach attempt. In this continuing

arms race, vigilance is required, persistence is necessary, and knowledge is invaluable. Our

findings in relation to the detection of cybercrime strongly suggest that organisations need

assistance in this area, with 67% of respondents reporting that accidental detection and

employee reporting are their most common means of detection.

33

Given the significant impact of cybercrime we hope to see improvement in this figure, for

example with a greater number of organisations detecting issues through routine IT checks,

security products or audits. Increased awareness of hacker attacks is also growing as internet

security agencies are working together in a combined manner such as (the honey-pot

initiative), and with a constant updating of a security companies knowledge and inter agency

cooperation , hackers will find it a lot harder to break into once easy and unprotected systems.

The hacking black market is still a profitable enterprise though with insider, company secrets

being at the top of the most requested and sought after commodity. With the fact that hackers

can receive up to €500,000 for system infiltration software, the monetary gain is, in the

hacker’s eyes, a lot more rewarding.

 34

Bibliography

Banks, Michael A. (1997), Web psychos, stalkers, and pranksters: How to protect yourself
online, Arizona (USA), The Coriolis group.

Chakrabati, Anirban and Manimaran, G. (2002),

Internet infrastructure security: A Taxonomy, IEEE Network, November/December 2002,

P.13.

CNET (2001), FBI “hack” raises global security concerns [online]. Available from:
http://news.com.com/FBI+%22hack%22+raises+global+security+concerns/2100-1001_3-
256811.html [Accessed 14th December 2004].

Conway Maura (2002) Cyberterrorism and Terrorist 'Use' of the Internet, First Monday,
volume 7, number 11 (November 2002)

URL: http://firstmonday.org/issues/issue7_11/conway/index.html
Crucial paradigm (2003), Hacking attacks-How and Why [online], Crucial paradigm.
Available from: http://www.crucialparadigm.com/resources/tutorials/website-web-page-site-
optimization/hacking-attacks-how-and-why.php [Accessed 7th December 2004].

Darlington, Roger. (2001) Crime on the net [online], United Kingdom, Darlington, Roger.
Available from: http://www.rogerdarlington.co.uk/crimeonthenet.html [Accessed 4th
December 2004].

Digital Guards data base (2001), Glossary [online]. Available from:

http://www.digitalguards.com/Glossary.htm [Accessed 10th December 2004].

Furnell, Steven. (2002), Cybercrime: Vandalizing the information society, Boston; London:
Addison-Wesley.

Himanen, Pekka. (2001), The hacker ethic and the spirit of information age, Great Britain,
Secker & Warburg.

Jaishankar, K. (2007) ‘Cyber Criminology: Evolving a novel discipline with a new journal’
International Journal of Cyber Criminology Vol 1 Issue 1 January 2007

35

Jewkes Yvonne (2006). Comment on the book 'Cyber crime and Society’ by Majid Yar, Sage
Publications.

Levy, S. (1984), Hacker: Heroes of the computer revolution, New York: Bantam Doubleday
dell. Cited in: Taylor, Paul A. (1999), Hackers: Crime in the digital sublime, London,
Routledge.

Mann, David and Sutton, Mike, (1999). NetCrime. More Change in the Organisation of
Thieving, British Journal of Criminology, vol. 38, no. 2, Spring 1998.

Marotta, M.E. (1993), ‘online with the super hacker’.

Available from: http://www.kzsu.stanford.edu.uwi/post/mercury.html. Cited in: Taylor, Paul

A. (1999), Hackers: Crime in the digital sublime, London, Routledge.

McClure, Stuart. Et al. (2003), Hacking exposed: Network security secrets & solutions,
Fourth edition, Berkley, California (USA), McGraw-Hill/Osborne.

McKenzie, S. (2000). Child Safety on the Internet: An Analysis of Victorian Schools and
Households using the Routine Activity Approach. A thesis submitted to the University of
Melbourne, February, 2000.
http://www.criminology.unimelb.edu.au/research/internet/childsafety/index.html

Niccolai, James. (2000), Analyst puts hacker damage at $ 1.2 billion. Available from:
http://archive.infoworld.com/articles/ic/xml/00/02/10/000210icyankees.xml [Accessed 7th
December 2004].

Ninemsn (2004), North Korea ‘has 600 computer hackers’ [online], [national Nine news].
[SCI Tech news]. Available from: http://news.ninemsn.com.au/article.aspx?id=19653
[Accessed 10th December 2004].

Oxford English Dictionary. (1995), Concise, 9th edition. Oxford.oup.

Pipkin, Donald L. (1997), Halting the hacker: A practical guide to computer security, United
States of America, Prentice Hall.

Randall, Nichols K. et al. (2000), Defending your digital assets: Against hackers, crackers,
spies and thieves, United States of America, McGraw-Hill.

Seebach, Peter. (1999), Care and feeding of your hacker [online], Seebach, Peter. Available
from: http://web.demigod.org/~zak/geek/hack.shtml [Accessed 6th December 2004].

36

Selwyn, Neil and Gorard, Stephen. (2001), 101 key ideas in information technology, United
Kingdom: United States of America: Hodder and Stoughton-McGraw-Hill.

Seo, Jung.U. (2001), Toward the global information society opportunities and challenges
[online], [minister of science and technology, Republic of Korea]. Available from:
http://web.ptc.org/library/proceedings/ptc2001/plenary/seo.html [Accessed 10th December
2004].

Server pipeline (2004), Simulated hacker attacks [online], Server pipeline, Available from:
http://www.nwc.serverpipeline.com/trends/trends_archive/46200228 [Accessed 15th
December 2004].

Sterling, Bruce. (2004), The hacker crackdown: (Law and disorder on the electronic frontier),
McLean, Virginia (USA), Indypublish.com.

Taylor, Paul A. (1999), Hackers: Crime in the digital sublime, London, Routledge.

Thomas, Douglas and Loader, Brian D (eds.) (2000), Cybercrime: Law enforcement, security
and surveillance in the information age, London: Routledge.

Thomas and B. Loader (Eds.), Cyber crime: Law Enforcement, Security and Surveillance in
the Information Age, London.
Williams, Sam. (2002), Free as in freedom: Richard Stallman’s crusade for software,
Farnham, Sebastopol, California: O’Reilly.

37