http://chicagotribune.com/news/nationworld/article/0,2669,SAV-0104150339,FF.html By Colin McMahon Tribune foreign correspondent April 15, 2001 TALLINN, Estonia -- Tonu Samuel says he is part of the solution to the growing threat from computer hackers and cybercriminals. The Estonian Internet company whose system Samuel hacked into says he is part of the problem. Their dispute is a small one in a small nation, but it captures the challenges facing companies and governments in the Internet age. Information that should be private and protected--telephone records, Internet passwords, credit card numbers and PINs, and medical histories--is proving vulnerable to a growing legion of hackers in Estonia and elsewhere in the former Soviet Union. Equal-opportunity hacking The hackers are not targeting only their countries' computer systems. For fun or profit, they are going after commercial and governmental targets in the West as well. Tonu Samuel knows how easy it can be. Samuel says he routinely tests--and penetrates--the security systems of some of his favorite targets, with Eesti Telefon's communication portal apparently No. 1. "How is it possible that I am always cracking their system?" Samuel said during a long show-and-tell computer session in Tallinn. "I'm just one guy. They are just too slow to secure their systems. Any schoolboy could get in." Samuel, 28, designs computer security systems for clients in the Baltic states, Europe and North America. He also hacks. Last September, Samuel allegedly broke into Eesti Telefon's portal, Hot.ee, and extracted about 60,000 user names. He told a local reporter how to do it, resulting in a newspaper article that left Eesti Telefon scrambling to calm the public's worries about online security. He says he could have told the reporter how to find the passwords to go with the user names. He did not. Then Samuel went on a live television show and hacked into the Hot.ee portal. Trouble with the law Soon police raided Samuel's home in Tallinn and confiscated his computer equipment. He was charged with illegal use of a computer network. If convicted, he could be sentenced to 2 years in prison. Samuel can explain how he did all this, but he struggles to articulate why he did it. He seems offended by any security system he considers shoddy. "I think what I am doing is right," Samuel said. "I am not doing it for money. I have never sold anything. It is just that there are some basic principles people should follow and they don't. And no one is doing anything to stop it." Actually, companies and governments around the world are spending billions to stop cybercrime. Increasingly they are concerned about hackers from Samuel's part of the world: Russia, Ukraine and other former Soviet republics. Warning from the FBI FBI officials this year specifically pointed to those countries in warning American businesses about fraud and extortion linked to credit card numbers and other consumer data. "The Cold War is over," said Ronald Dick, a veteran FBI agent named last month to direct the agency's cybercrime unit. "However, there are still certain things that linger on, and this is one of them." Russian hackers have been blamed for several high-profile cyber-attacks in recent years, their Western targets ranging from CDUniverse.com to Microsoft to NATO. At the same time, Russian police say computer-related crimes such as stealing credit card numbers or pirating software are rising dramatically at home as well. Russian hackers even broke into the giant natural gas monopoly Gazprom, temporarily seizing control of the system that manages pipeline gas flows. `They have fun' "There are a lot of bad hackers, mostly in Moscow," said Yevgeny, who declined to give his last name. He calls himself a "good" hacker and hires himself out to test software or the soundness of security systems. "They've got nothing to do, so they have fun. "The best ones are all in Ukraine," Yevgeny said. "They are in high demand from banks and other organizations, and sometimes they are taken by bandit groups against their will. There are no more clever or talented people anywhere else, not in America, not in Canada." In some ways, the Soviet government was the world's first hacker, copying Western computer technology instead of developing its own, stripping down Western software to adapt it to Soviet technology. Many Russians have an innate curiosity about how things work and an ability to adapt on the fly. "When a light fixture blows, what do people do in Finland or Europe?" asked Hillar Aarelaid, who directs Estonia's data protection agency. "They call someone to come and fix it. In Russia, the guy figures out how to fix it himself. "That is your answer as to why Russians are the best hackers." Samuel emphasized that point. As good as he might be, he said, many were better and more committed. What he could do, they could do, and more. Samuel called up a database on his ever-present laptop and within minutes displayed a dossier on a random fellow resident of Tallinn. Besides the person's basics, Samuel can find what cars she owns, her driving record, her unlisted phone number, and the addresses of friends and relatives. Another database listed the woman's telephone history; outgoing and incoming calls updated practically to the minute. "You know, if I am driving in my car and someone beeps at me, I can just find their license plate, find their phone number and call them at that moment to say, `Hey, don't beep at me anymore,'" Samuel said. "Or to do something else." Public data for sale It is the "something else" that worries Samuel, he said. Law-enforcement and government computers have been hacked to such an extent in Estonia, he said, that sensitive information on public and private individuals is available to any criminal willing to pay the price. "If all these databases are collated into one, it could be a very powerful tool," Samuel said. "If the Mafia or some criminal group wants this information, they can just pay someone to go get it." Yet criminal is exactly what Samuel is accused of being. Whether prank, attempted theft or publicity stunt, Samuel's invasion last September of Hot.ee caused considerable damage, Eesti Telefon said. "The system's configuration was changed, disabling the security solutions and enabling data to be copied," said Ain Parmas, an Eesti Telefon spokesman. Parmas rejected Samuel's claim that he was just pointing out--albeit in a public and embarrassing fashion--the flaws in the Hot.ee system. "Certainly we had to develop security management in any case," Parmas said. "But the illegally done changes to the system configuration caused a lot of additional work." Parmas also said that Hot.ee was improving its security systems and working to meet standards set by the Estonian government for data protection. Facing uncertain fate Samuel mixes bouts of regret with outbursts of defiance. He said he has lost contracts, partly because the police still have his computer and disks. Some friends and colleagues in the information technology world think he has gone too far. ("The IT brotherhood is divided on this," Aarelaid said.) Samuel is willing to bargain with prosecutors and with Eesti Telefon, he said, but the other side seems unwilling to talk. No trial date has been set. "Of course it is cool to be in the newspapers and whatever, but I want this all to just go away," he said. "I'm pretty limited in what I can do." Yet Samuel acknowledged that just recently he was snooping around in the Hot.ee system, trying to see whether some security holes had been plugged. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 02:33:52 PDT