When an organization or an individual has a security or privacy breech from the internet we often assume it was done either by a young male with intimate knowledge of computers and the networks they are on or by a “script kiddie” who got the equivalent of a skeleton key that someone else has made so they can let themselves into your life in some way. When these people do attack it is often just once and then they are off. They are best stopped by “locking the doors” because how they get in to where they are not supposed to be is by wandering around and trying doors to see if they have been left open or using old key cards that should have been changed ages ago.
We know about these people. Books have been written on stopping them. Businesses have been formed based solely on stopping them. Software has been written to seek and destroy their tools but yet there are more of them than ever before. One thing people keep as a secret in the security world is this:
Breaking into computers is fun.
Most of us can thank VMWare and Xen for both keeping our skills up and keeping that money making “white hat” on our heads as we ride off into the sunset having saved the day and taken home a check but we had fun doing it and the person whose work we were mitigating had fun giving us work. It is like that Warner Brother’s cartoon with Sam and Ralph, with both sheepdog and wolf working for the same company but one to protect the sheep and one to try to eat them.
Not all hackers have skill. Not all hackers even know that they can go online to get tools that they need to break in to places. Not all hackers have fun doing what they do. They do it for reasons that make computer security people, firewalls and anti-virus software useless. They do it because they have a compulsion to do it. They do it because they feel they have to. They do it because they are often mentally ill. They are also impossible to stop using conventional methods.
The “low tech” security risk can be especially difficult because often these people have all the time in the world. When you have an obsession and unlimited free time you can get creative in ways a more technological savvy person will not bother with.
One group I did work for had a problem. They had a fellow who used their website to send messages to a women he had “fallen in love with” but who had rejected his advances. He decided that she visited this website (she didn’t..it escalated to the point of me talking with her by phone) and that he would send out communications to try to get her attention.
What he did instead was disrupt the website that he used as a “stalker pulpit”. He was denouncing the woman and all other forms of injustice against him and slowly turning the focus of the site away from it’s intended purpose to be about him and his failed love life.
Then he started to solicit users of the website to contact the woman through her place of business and that was when I was contacted to stop him.
What logs did I have to look at? None. What did he break into? Nothing at all? But imagine you run a burger place and someone comes in and decides to set use your booth as a space to promote their religion. If you do not move to stop it, you risk having your customers going elsewhere to get away from being preached to. In a burger place that is easy, you kick them out, and maybe contact the police if needed. On a website with open registration that is more difficult.
The first thing I did was try to block the IP addresses this person posted from. He then moved from his home to cyber cafes. I even found a cyber cafe with security cameras in their IP block that were open to the internet. I remember this well because this cafe had a giant tree growing in the middle of it. So when he would log on from that IP I would type in the IP of the camera with my browser and see him sitting at a computer logging into the website he was banned from.
I then decided I needed more information so I contacted the woman who was the object of his obsession. She had never met him but she did have a restraining order and he had his own case officer with the RMCP. She then told me a creepy story about how one night she had heard rustling in the bushes near her house and she thought nothing of it but when she went outside the next day on her porch was a picture of her stalker dressed in an all white suit (like Mr. Roark from Fantasy Island). I should have kept my mouth shut but I told her that he kept on posting pictures of himself dressed in all white with cryptic messages which must have meant he still thought she read the website. I should have known this would frighten her. I had forgotten that to her this was person trying to invade her life but I was seeing everything as just facts and coincidence and forgot myself and I still feel bad about doing that.
She contacted the RCMP case worker (I don’t know what the official title is since I am not Canadian) and suddenly website activity stopped, but six months later it started again.