Means, Motive, and Opportunity
by Larry Rogers
We've all seen television police dramas where the
detectives nab the criminal by determining who has
the means, the motive, and the opportunity to commit
a crime. They ask questions such as "Did the suspect
have the means to commit the crime? What did they
have to gain? Did they have the opportunity to carry
out the crime?" We can view trends in cyber attacks
by looking at these same three categories: means,
motive, and opportunity.

To commit an Internet-based crime, intruders need either personal expertise or some of the many tools so freely available through the Internet.

The means for attacking computer systems has changed over the years. Ten years ago, intruders attacked computer systems primarily "by hand." For example, they tried to guess passwords by brute force techniques such as repeatedly trying to log in to an account by using a dictionary of passwords. They also used social engineering methods to trick people into revealing passwords. Today, there are password cracking tools that encrypt dictionary words and their variations (such as replacing the letter "o" with the digit "0") to try to discover passwords. These tools are easy to use and often GUI (Graphical User Interface) based. If you can spell Internet, you can probably use one of these tools.

The level of sophistication of intrusion tools has become high and is getting higher. Intruders have harnessed the power of the Internet itself, building automated tools to coordinate large-scale attacks involving hundreds of hosts targeted against key Internet sites. These tools are well documented and freely available on the Internet. Members of the intruder community share programs and improve on each other's work.

Sophisticated tools have given birth to a class of script kiddies, intruders who use tools to break into computer systems although they lack the knowledge to craft the tools themselves or even to understand the nuances of their inner workings. There have been reports of break-ins where the script kiddies used a sophisticated tool to gain access to one operating system but then typed commands that work only on another operating system.

It is the combination of knowledge and tools that makes up the means to do the job at hand.

Motives for computer attacks have evolved just as the means have. In the early years of the Internet (then called the ARPAnet), there were no .com sites, only government and university sites (.gov and .edu), which contained research information. In 1981 only 213 computers were connected to the Internet. The small network made it easy for researchers at diverse locations to cooperate on work to their mutual benefit. There was a collegial atmosphere of sharing among people who either knew each other or knew of each other.

Contrast that to today's Internet. The January 2001 Internet Domain Survey (www.isc.org/ds/) reports that .com sites make up more than one-third of the Internet, which has now passed the 109-million-computer mark. You can find nearly everything on the Internet today: proprietary information about companies and people, corporate strategic plans, access to financial resources, and most commercial products. This is information that attackers are motivated to steal and/or alter.

Along with the increase in valuable information, computer power has increased. From the days of the VAX-11/780 with its 1 MIPS (million instructions per second) processing power to 2 GHz (gigahertz) Pentium IV processors, power has increased more than 1,500%. As a result, attackers can steal computer cycles, and do so without the knowledge of the computer owner.

In the current environment of the Internet, attackers are motivated to steal computer cycles and attack computers in other ways (including compromising information and creating a denial of service by clogging the network). They may do it out of curiosity or "bragging rights." They may do it for power or money, or for political/ideological reasons.

Long gone are the days of users and administrators knowing and trusting each other. Users on the Internet are anonymous, and their number grows daily. The atmosphere is not collegial, and trust is neither automatic nor always warranted.

Opportunities for computer attacks are readily available for two reasons: the number of vulnerable systems on the Internet and the ease of connecting to the Internet. Ten years ago, there were about 300,000 hosts on the then ARPAnet; today there are over 109 million. Even if the same percentage of vulnerable hosts exists, that's nearly 25,000% more vulnerable hosts today.

The number of computers on the Internet and the difficulty of configuring them securely mean that attackers have more chances of finding a way into systems than they did a decade ago. Along with low-cost Internet access, computers are inexpensive and the price is dropping. This means that more attackers can afford both the computer and Internet access needed for an attack.

Also, there are many more opportunities for computer access. Some libraries provide free Internet access. Schools invite their students' families to use their computing facilities one evening a week. These Internet access points are a convenient and helpful service, but they are also an opportunity to commit a crime, and are readily available to anyone so inclined.

This is all it takes to commit a crime on the Internet:
- Means - the tools are there, nicely catalogued and ready to go
- Motives - with so much on the Internet, motives are there, whether the priority is money, curiosity, politics, or power
- Opportunity - there are many, many access points to the Internet, most inexpensive and some free

Intrusions are going to happen; it's inevitable. System administrators, their managers, senior executives, and users all need to know what they're up against so that they are better equipped to deal with attacks and be aware of the latest intruder activities. Because attack techniques and tools are constantly changing, we must maintain constant vigilance.