December 01, 1998
Chch fraud squad out to nail hackers
by David Armstrong

Catching computer hackers is time-consuming and costly, especially if
offenders cannot be prosecuted, but new case-law research could give
Christchurch police legal tools to clamp down on electronic vandals and

New Zealand has no laws to control electronic trespass and vandalism, says
Detective Michael Chappell, of the Christchurch fraud squad, who
specialises in information technology crimes. 

Hackers are socially inept people hell-bent on taking out their
frustrations on others. -- Detective Michael Chappell, Christchurch fraud

[Complete stereotyping. We all know that many hackers are far 
from this description.]

However, while researching the setting up of a Computer Crime Unit, he has
found English case law of people infecting other people's computers with
viruses, who were charged with intentional damage. Mr Chappell will use
this precedent for a case he is preparing. 

[We go from 'hacking', straight into infecting someone with a computer
virus, which is not done via illegal entry into another system most of 
the time. This transition suggests our 'expert' is not educated in 
computer security matters.]

After 2 years investigating hackers and the fraudulent use of computers,
he categorises hackers in two groups: socially inept people "hell-bent on
taking out their frustrations on others", and those using others' Internet
accounts or credit cards to binge-surf the Net for free. 

[And no third group of 'curious kids poking around other 
networks'? This classification into two limited groups is pathetic.]

PC owners can minimise the chances of becoming victims of damage or fraud,
he says. 

Hacking is not rampant, but the high number of people using the Net raises
its awareness. 

The two incidents reported in recent weeks -- the deletion of 4500
websites on Ihug's server, and the infiltration of Xtra accounts -- caused
a stir. 

[Caused more than a stir. No doubt it is the reason he has
classified hackers into the TWO categories.]

Hackers who use someone else's password and ID for Net access can be
charged with fraud, says Mr Chappell. Catching them involves analysing
phone-use logs and asking Internet service providers (ISPs) to trace

Mr Chappell has dealt with six complaints of this nature in Christchurch
in the last two weeks. A typical unauthorised access bill is about $300. 

[Earlier in the article, it says tracking down these perps is
costly. No doubt because he is willing to charge hundreds an hour to 
catch these 300 dollar crimes.]

Hackers can get into accounts by several means, he says. They can run
automatic phone-calling software looking for active modems at the other
end, or they may run a credit-card number generator and use the result to
sign up with an ISP, and run an account for a month or so until they are

[Neither of those methods will get you into an account.]

In the most recent scare, a "sniffer"  program, crudely named "Back
Orifice", enters a PC as a virus through an e-mail attachment, and reports
back details such as passwords. (An antidote can be downloaded from 

[Back Orifice is a remote access trojan. The 'sniffer' it 
contains is only one feature. Entering a PC as an attachment is not 
a virus. It relies on the user executing the program, which is 
characteristic of a TROJAN.]

Mr Chappell suspects that some instances of hacking originate from
dishonest staff in ISPs. He believes it is no coincidence that most
incidents occur on inactive accounts, so account owners do not notice the
unusual use for several months. 

When ID and password lists surface, they circulate around groups, so
several hackers can use the same account simultaneously. 

Mr Chappell sees hacking as a modern form of anarchy. A specialist crime
unit will be needed, he says, if the police are to keep up with and stop
these wired criminals.  "Until we get some adequate statutes, we're

Making your PC safer

People with PCs connected to the Internet can take precautions to minimise
their exposure to hacking, says Mr Chappell. 

 [@] Cancel your ISP account if you no longer use it. 

 [@] Run Web virus detection software. 

[Web virus detection software? Why not run 'virus 
detection software'? Why does the word 'web' have to be included with
everything this guy does?

 [@] If you receive an e-mail from someone you don't know which has an
attached document or executable file, do not run the program until you
identify and verify the sender. Preferably delete the e-mail. 

[Unfounded paranoia. Instead of deleting the mail, just don't
view or run the attachment. Or run a virus scanner on the files being

 [@] When you are not connected to the Net, turn off your external modem,
or disconnect your phone connection if you have an internal modem. 

 [@] Change your password at least every few weeks, and never disclose it
to others. 

 [@] Check your phone bill carefully, looking for unusual Internet

[Local phone calls to your ISP do not show up on your phone
bill. Long distance calls do not identify if they were voice or data.
This kind of advice once again suggests the 'expert' has only a passing
familiarity with computer security.]