
High-stakes hacking, Euro-style

The difference between the American and European hacking worlds will be a hot topic at the first international version of DEF CON.
Written by Bob Sullivan, Contributor
In the United States, a hacker is usually viewed as a teen-age, blue-haired nuisance who defaces Web sites. Maybe he ends up in court, and even in handcuffs -- but he doesn't end up hanging from a tree. Not the case in Europe, where a legendary 27-year-old German computer hacker was found hung by his own belt in a Berlin park two years ago. On that side of the Atlantic, a place where stealing Internet access is sometimes a necessity and computer hardware is often archaic, hacking is hardly a game.

You don't have to look much further than the Chaos Computer Club to see that the stakes are higher in Europe for computer hackers. "Tron," a CCC member, was one of the great young computer minds in Europe. He was the first to take apart telephone cards and remodel the computer chips inside to make the cards self-charging -- meaning free phone calls, forever.

In November of 1998, Tron -- Boris Floricic -- was found dead in a Berlin park. Police ruled it a suicide, but family, friends, and the CCC say foul play was involved.

"Perhaps Tron refused to share his secrets with the Russian mafia," speculated one member of the computer underground who asked not to be identified. Or perhaps he just broke into the wrong computer.

No clear evidence was ever made public that supported the suggestion of foul play in Floricic's case. But even the possibility of the assassination of a computer hacker -- something U.S. hackers haven't had to face -- keeps the European computer underground a bit more sober.

The difference between the American and European hacking worlds will be a hot topic this week in Amsterdam, as the first international version of DEF CON, the annual hacking convention in Las Vegas, gets underway.

It is difficult, of course, to make sweeping statements about computer hackers across all of Europe. But there is a general impression that metered access to the Internet, antiquated hardware, and fewer get-rich-quick job opportunities make hacking in Europe a much more serious affair. For starters, European hackers are usually on a mission.

"They are good phreakers because they have to be," said a hacker called ktwo, a Canadian-based security consultant who works in Eastern Europe several months of the year. "Phreaking" is stealing telephone services. "Necessity is the mother of invention, right? They have a need for Internet access and they don't want to pay million-dollar phone bills."

They also generally tend to forgo high-profile Web defacements and self-promotional notes to the media; instead, Europeans often attach their work to human rights or environmental causes. Hacker conventions there often include as many political speeches as technical seminars.

"U.S. hackers are basically proving things to themselves for ego. European hackers include a significant number of individuals motivated by political, religious, and cultural deeply held beliefs," said Gartner Group computer security analyst William Malik.

In contrast, many of the computer attackers who manage to get media attention in the U.S. tend to be "script kiddies" who spend their time defacing Web pages. Of all the Web site defacements archived by Attrition.org since 1995, nearly 3,400 have targeted sites ending with ".com," generally U.S. commercial sites. During that time, only 34 ".fr" French sites were targeted, 98 ".de" German sites, and 22 ".ie" Irish sites.

Among so-called "white hat" hackers -- computer-security experts who find vulnerabilities and make their work public -- the motivation is very different on the other side of the Atlantic. According to Russ Cooper, who publishes many of the security flaws on his NTBugTraq mailing list, European writers are generally after career advancement rather than public adulation.

In America, "it's about getting fifteen minutes of fame," Cooper said. "There it's about getting a better job, about building your career." Cooper pointed to a recent case in which a white hat found a flaw in Microsoft software, noting that "what he wanted out of Microsoft was not free software but a letter to add to his resume."

There is also a sense that classically trained European computer scientists are more disciplined than computer security experts in the United States, who often are largely self-taught. Europeans must make the most of the limited computer equipment they have, forcing them to push the limits of their hardware.

Plus, computer-security professionals make lower wages than their U.S. counterparts, giving them an incentive to use their skills for their own gain.

"It's their ability to code which makes them more dangerous, and they are more dangerous," said a security consultant who protects computers at a large U.S.-based brokerage. While many hackers in the United States cut and paste snippets of computer code to attack companies, Europeans hackers are much more likely to develop unique attack code on the spot, he said. "Programmers from Bulgaria, from Russia, they are good."

And they pick big targets. In August, Eircom, Ireland's largest Internet service provider, had to change passwords for all its 240,000 customers after a hacker gained access to the company's systems. One day later, a virus writer adapted the notorious ILOVEYOU program to steal account numbers from United Bank of Switzerland customers.

Lofty targets are a long-standing tradition in Europe. Tom Talleur, now a consultant with KPMG, was in charge of new technology security at NASA nearly two decades ago when he says the Chaos Computer Club issued a bounty for anyone who could break into the Command and Control Center for the U.S. space shuttle program.

The Chaos Computer Club did not respond to e-mail interview requests. Asked if anyone ever got into the space shuttle computers, Talleur would only say "Not that I'm aware of."

In a well-known televised incident, the CCC demonstrated its ability to exploit Quicken personal financial software in 1997 by using the software to transfer funds between accounts without use of a password. Similar to high-profile U.S. hacker groups like the Cult of the Dead Cow, the CCC views itself as a research group that publicizes security problems in an attempt to call attention to them.

The CCC is probably the most well-known European hacker organization. In fact, club member Andy Mueller-Maguhn was recently elected to the board of the Internet Corporation for Assigned Names and Numbers, the organization that oversees the running of the Internet. CCC members must agree not to hack for commercial gain and to disclose security problems they discover.

In the murky virtual world of cybercrime, such overt examples of computer hacking are hard to come by; the "underground" is full of unproven tall tales and wild rumors. But both Talleur and Malik think organized crime and even government sponsorship are behind the flavor of Europe's volatile computer underground.

"We know that suspected members of organized crime and terrorist organizations have been making contact with members of the Chaos Computer Club in Berlin at their summer conference," Malik said. "The biggest concern is the pool of talented hackers in the Balkans, where the former Soviet Union concentrated its programming expertise."

For example, he said, during the Kosovo crisis Balkan hackers forced the U.S. military to stop giving out details on personnel because of fear the details would lead to harassment or offer hints for hacking.

"That's why we stopped seeing 'Capt. John Doakes from Omaha, Neb., commander of the 451st wing' and instead saw "NATO commander, bomber wing.' "

Jeff Moss, who runs the Las Vegas version of DEF CON and is hosting the European version this week, thinks economic motivation plays a big role in the ferocity of Euro attacks.

"There is not a lot of startup fever in Russia," he said. "And there are a lot of computer-skilled people. Sometimes the only employment is in shady areas."

But Talleur thinks the big difference between European and U.S. hackers is the prevalence of state-sponsored attacks. While working at NASA, he would often attempt to chase down computer attackers based in Europe. Usually, local authorities assisted in the hunt. But on at least one occasion, he was met by investigators who were "intentionally unhelpful."

"The agency was overtly cooperative, but when you sit down with someone for a beer and you get the wink, and then they say 'If we called you in the U.S. and you checked into it and found out it was your CIA doing it, would you tell us?' "

While the underground readily offers up these kinds of stories, the tales are often short on details -- so short that there are those who think they are the product of hackers, and journalists, with overactive imaginations.

"What you see there is almost all nickel-and-dime stuff," said the security expert named "ktwo," who works in Eastern European countries several months each year. "Free phone calls, free cable, free satellite TV, that kind of thing."

Stealing money from a financial organization, or valuable information from a Western company, is difficult to accomplish, and even more difficult to profit from.

"It's not as easy as anyone thinks," he said. "Say you get insider information from a Western company, how is that of value? Who do you sell it to? It's a really complex game. "

And the suggestion that computer criminals in Europe hit on loftier targets than their counterparts in the United States is a mistake, according to security consultant Joel de la Barza of Securify.com. He assists in computer crime investigations.

"I think there are more attempts in the U.S. to break in and take money," he said. "But in America there is a lot of background noise."
