the bookshelf

Nov 1, 2000 12:00 PM, Jeanne Bonner


Like a good thriller, Richard Power's book interweaves the history of cybercrime with mystery, intrigue, and espionage. Power's book operates on several levels: a tell-all exposé revealing the juicy adventures of fearless hackers; a detailed history of the modern computer era and the dawn of cybercrime; and a virtual conference of the computer world's brain trust, including Donn B. Parker, formerly of the National Security Agency, and Sarah Gordon of IBM's Thomas Watson Research Center.

Power covers infamous crimes such as the Phonemasters case, in which the perpetrators manipulated major telecommunication companies, and cyber celebrities such as the Internet Liberation Front, Legion of Doom and Masters of Deception. The book is a who's who of old-school hacking. Power uncovers the details of a laundry list of cybercrimes, many committed by disgruntled employees and causing hundreds of thousands of dollars in damage. He explores recent cyber phenomena, including the distributed denial of service (DDoS) attacks that plagued the Amazon, Yahoo and eBay Internet sites in February 2000. He even diagrams the problem to show how it works.

Power does well to include a glossary. Standard terms throughout the book include not only hackers but crackers, phreakers, hacktivism, cyberterrorism, sniffer program and smurfing.

A chapter, entitled "Inside the Fortune 500", seeks to determine to whom in an organization the information security unit should report. Power assembled a roundtable on the topic with members of the Computer Security Institute Advisory Council. Participants include IT experts from Columbia University, PriceWaterhouse, Dow Chemical and Rockwell International. Opinions run the gamut from suggesting that IS report to the internal audit staff to having the department report directly to the CEO. Even if the reader walks away without an answer to the tricky question, she will at least have heard a number of expert opinions.

The book is thorough, including three appendices, a glossary and a detailed index. Two of the appendices cover U.S. and international treaties, and computer and cybercrime publications and resources.

An appendix follows up on the case of Juan Cesar Ardita, explored in a previous chapter. Ardita was a 29-year-old Argentine hacker who was charged by the U.S. Justice Department in 1996 with breaking into Harvard University's computer network. The appendix publishes an affidavit sworn by Peter Garza, a special agent with the Naval Criminal Investigative Service. It details Ardita's myriad attempts to gain unauthorized access to various government and educational networks and the files he installed on different user accounts, including a sniffer program that culls user log-in data. Apparently fascinated by these wild hacker stories, Power devotes a good portion of the book to recounting how various top-secret government and corporate networks were compromised. Part detective and part gossip columnist, Power relishes the salacious details, publishing conspiratorial phone conversations between hackers in their entirety and enumerating the passwords used, the unauthorized programs installed and the ensuing damage.

In addition to its exhaustive account of the history of cybercrime, the book provides practical information. In a chapter entitled "Countermeasures," Power delineates 16 practices employed by companies to implement the risk management cycle. These practices include recognizing information resources as essential organizational assets and developing practical risk assessment procedures to link security to business needs. In the information protection assessment kit (IPAK) developed by the Computer Security Institute's advisory panel, companies are instructed to examine risk through company-wide practices, including personnel practices, physical security procedures and back-up and recovery measures. Employees who are terminated, for example, should be given exit interviews in order to recover smart cards, ID badges, portable computers and keys. Sensitive documents should never be tossed whole; they must be "shredded, burned or otherwise mutilated."

Power is the editorial director at the Computer Security Institute (CSI) in San Francisco. He publishes a monthly newsletter called Computer Security Alert.

© 2012 Penton Media Inc.