Cybernarks - Who's hunting the Hackers?

By Jeanne-Vida Douglas, ZDNet Australia
October 26, 2001
URL: http://www.zdnet.com.au/news/security/soa/Cybernarks-Who-s-hunting-the-Hackers-/0,130061744,120261485,00.htm


Steven Lynch was first introduced to the joys of hunting down hackers at MIT in 1989. While working in the university's IT department he came across Australia's very own Leftist and Urvile, as they took control of the institution's servers and used them to poke holes in systems on the other side of the world. Phoenix and Electron were eventually tracked down to a flat in Melbourne, but not before Lynch had spent countless hours following their clandestine progress through unsuspecting networks.

"We became aware they were using machines in the IT department to hack into machines in the US," Lynch said. "They were setting up back doors in the computers they hacked so they could get back in again later."

Lynch can't recall what alerted the university's IT department to the suspicious goings-on within the university network. Nonetheless, when asked by the police to keep an eye on the characters' movements, he first had to figure out how to monitor their progress without giving the game away.

Accustomed to tailoring computing devices to the requirements of different faculties within the university, Lynch modified a computer within the faculty and used it to track their progress.

"We would find out where they were going and contact all the places they were hacking into," Lynch said. "Whenever they got close to doing any real damage the modem would mysteriously drop out."

At the same time as he was disconnecting the hackers, Lynch would hold their line into the system open, so police could trace it.

"Eventually they were tracked down and charged," Lynch said. "It was just about the first ever cybercrime conviction in Australia, and given the sheer weight of evidence we had collected they didn't have a leg to stand on."

Despite the mystique and challenge now attached to tracking down hackers, Lynch remembers the whole process as simply exhausting.

"It was not so much of a buzz really," he said. "It was a lot of work for very little outcome."

And while surveillance has become more sophisticated in the twelve years since Lynch first hunted down a hacker, the nature and extent of hacks has also changed dramatically.

In fact, many in the industry believe the cyber-stakeout is a dying art. Given the sheer weight and extent of potential threats to the integrity of a system, most companies and institutions are content to lock out unwanted intruders and board up their entry points.

According to Lynch, who is now a senior security consultant for managed security provider eSec, the cost associated with tracking hackers these days puts it out of the reach of most organisations. What's more, given the level of secrecy which surrounds most Web-based break-ins, companies rarely want to follow through and prosecute cyber criminals.

"Large corporates like banks often have more to lose by admitting there has been a breach than they would gain by finding the culprits and pressing charges," he said.

Barbed wire vs the Honey-pot: methods of tracing and deterring hackers


While tracking hackers back to their bedrooms has largely been removed from the job description of security staff and cybernarks, there is at least one technique that aims to follow the movements of unwelcome visitors.

A honey-pot is a server or system designed to bait unwary hackers into what appears to be an "easy target". As the system exists simply to attract would-be hackers, any connection to the server triggers an alarm and allows security experts to follow the intruder's movement through the site, looking for idiosyncrasies. On the one hand the intruder wastes valuable time breaking into what is essentially an empty safe; on the other, security staff are able to use the information they gather to shore up their other charges.

As senior security consultant with eSec, and coordinator of the Foundstone Ultimate Guide to Hacking course, Jeff Paine keeps a close eye on developments in the complex world of cyber security.

Paine points out that the honey-pot server approach forms part of a wider movement in cybercrime prevention by the name of Honeynet.

"Honeynet is a worldwide program which induces hackers to break into machines, just to watch what they do once they are in there," Paine explained. "It is a way to study the methods and the motives of hackers."

According to Paine, the Honeynet project also allows cybercrime fighters to take a "footprint" of different hackers and monitor for their reappearance.

"We know from the Honeynet project that some hackers simply want to break in and take control of the system," Paine said. "Others are looking for specific information, and then there are those that want to use the servers as zombies to attack other servers, or launch pads out to other servers."
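The two ideas above, that any connection to a decoy server is an alarm in itself, and that what a visitor does once connected can be reduced to a "footprint" that flags a repeat visitor, can be shown in a few dozen lines. The following is an added example written for this article; it is not code from eSec, Foundstone or the Honeynet project. It assumes a plain TCP listener is an acceptable stand-in for a decoy service, that the footprint is simply a hash of the command verbs a visitor sends (ignoring their arguments), and that the `visit()` helper stands in for a real client; all three are choices made for the illustration.

```python
"""Minimal TCP honey-pot: every connection is an alert, and the visitor's
behaviour is reduced to a footprint so a returning visitor is recognised."""
import hashlib
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Event:
    when: float          # time the connection was recorded
    peer: tuple          # (source address, source port)
    payload: bytes       # what the visitor sent before closing or going quiet
    footprint: str       # behavioural fingerprint of that payload


def footprint(payload: bytes) -> str:
    """Hash the sequence of command verbs, not their arguments (assumed scheme:
    'USER admin' and 'USER root' are the same behaviour)."""
    verbs = [line.strip().split(b" ")[0].upper()
             for line in payload.splitlines() if line.strip()]
    return hashlib.sha256(b"|".join(verbs)).hexdigest()[:12]


@dataclass
class Honeypot:
    host: str = "127.0.0.1"
    port: int = 0                                  # 0 lets the OS choose a port
    events: list = field(default_factory=list)     # every connection, in order seen
    seen: dict = field(default_factory=dict)       # footprint -> number of visits

    def __post_init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:                        # listener closed
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        # The decoy never answers; it only records what the visitor sends.
        conn.settimeout(2.0)
        buf = b""
        try:
            while len(buf) < 4096:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        finally:
            conn.close()
        fp = footprint(buf)
        self.seen[fp] = self.seen.get(fp, 0) + 1
        self.events.append(Event(time.time(), peer, buf, fp))
        print(f"ALERT {peer[0]}:{peer[1]} footprint={fp} "
              f"repeat_visitor={self.seen[fp] > 1}")

    def wait(self, count, timeout=5.0):
        """Block until `count` events have been recorded (or timeout); returns the count."""
        deadline = time.time() + timeout
        while len(self.events) < count and time.time() < deadline:
            time.sleep(0.05)
        return len(self.events)

    def close(self):
        self._sock.close()


def visit(port, payload):
    """Constructed client used only to exercise the decoy locally."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)


if __name__ == "__main__":
    hp = Honeypot()
    visit(hp.port, b"USER admin\r\nPASS letmein\r\n")   # constructed sample traffic
    visit(hp.port, b"USER root\r\nPASS toor\r\n")       # same verbs, different arguments
    hp.wait(2)
    hp.close()
```

Because the listener does nothing a legitimate client would need, the absence of false positives is what makes the alert meaningful: in production the only real decisions are where to place the decoy and how to ship its events to whoever watches the rest of the network.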

However, Paine says that some of the most noxious attacks come from the least expected corners. While the zombie servers that grab the headlines are those used to launch high profile denial of service attacks, Paine has recently come across cases where spam was being illicitly redirected through an unknowing server.

"We are getting to the point where servers are compromised so soon after they are up and running that the owners simply assume the extra bandwidth costs reflect their own usage," Paine said. "Whereas they are really paying to send out thousands upon thousands of spam e-mails they don't even see."

To a certain degree Paine believes the lack of interest in tracking hackers can be attributed to the prevalence of such attacks. He believes network administrators assume attacks will ultimately aim for other targets.

"The current attitude on security reflects the belief that hackers are generally looking for a launch pad to break into other systems," Paine said.

As their own data is not under threat in the wake of a clandestine visitor, many network administrators are only really interested in locking the hackers out, to protect their bandwidth and processing resources.

Tim Smith, security CTO for network integrator Dimension Data, says most organisations lack the computer forensics skills to appropriately track and prosecute malevolent hackers.

"Unless they are outsourcing their security to a third party it is often very difficult to track down an attacker," Smith said. "To actually get a prosecution you need an intimate knowledge of computer forensics; it is really easy for people who don't know what they are doing to destroy the relevant data."

The cybercrime paradox: Good hackers make great cops


Cyber legend has it that Onel de Guzman, the Filipino student accused of unleashing the ILOVEYOU virus last year, submitted a thesis to his computer school detailing a program which would steal passwords for Internet access and post them to a specified e-mail address. Apparently the thesis was rejected, as were job applications he sent out to major software companies in the months leading up to the attack.

It would seem de Guzman believed his capabilities as a hacker would ultimately win him a job in cyber security. And he wasn't all that wide of the mark.

Even in tough times a combination of TCP/IP know-how, Web applications knowledge, and some Unix or NT skills provides a substantial meal ticket, especially in the cyber security rounds.

In fact, one of the major difficulties faced by state-based security institutions is their capacity to attract and keep skilled staff. Des Berwick, researcher for the Australasian Centre for Policing Research, says cyber policing is still fairly reliant on private and educational institutions to gather information to prosecute would-be cyber criminals.

"While we cannot rely on the private sector to provide law enforcement, cybercrime is certainly an area where we can work with companies to track down and prosecute criminals," Berwick said. "We also have a very strong working relationship with universities."

Poaching campaigns launched by security companies have seen up to 70 per cent of the Web-based boys in blue don civvies. However, rather than being a negative influence, this level of flux has facilitated public sector efforts to work together with policing services.

Courses in cybercrime prevention are still thin on the ground, with most security professionals earning their stripes on the job. Gradually universities are writing cyber security into their syllabi and companies are providing product based security courses such as Dimension Data's ISS, Cisco, Symantec and Check Point training.

However, not all the security courses are product focused. Dimension Data also runs one- and two-day courses aimed at network administrators and CIOs. Defending against Computer Attacks is a monthly one-day course which discusses how attacks are actually carried out, while the two-day Security Fundamentals covers specific security technologies.

In a similar vein, managed security provider eSec is soon to run the US-based Foundstone Ultimate Hacking: Hands On course in Sydney and Melbourne. Aimed squarely at network administrators and other IT professionals interested in maintaining the integrity of their systems, the course will provide theoretical and practical training in the latest hacking techniques.

Course coordinator, Jeff Paine, concedes cyber security training is always fraught with a fundamental ethical dilemma: in training people to prevent cybercrime, you also arm them with hacking skills.

"It is a dilemma faced by all educators in this area," Paine says. "In order to make sure security professionals know what they are looking for we need to show them how the hackers are getting in."

Paine also points out that specific attacks do not remain valid for very long, but serve to show network administrators what they need to be aware of.

Neil Campbell, who learnt the tricks of the trade on the Australian Federal Police computer crime team before going to work for eSec, points out that the debate surrounding secrecy and cyber crime is not new.

"The whole secrecy debate surrounding system vulnerabilities has been tried before," Campbell said. "But it is basically a pointless exercise."

Campbell refers to the Zardoz mailing list as a case in point. Zardoz consisted of a group of elite security administrators who used the Internet to discuss known system vulnerabilities.

"The group became a prime target for hackers," Campbell said. "Rather than increase security protection, they ended up endangering people who were not on the list."

Hacking across borders and eras


Despite the overwhelming tendency to plug the holes rather than to track the hackers, the cornerstone of cyber security remains the legal framework that enables the prosecution of cyber criminals.

Des Berwick, researcher for the Australasian Centre for Policing Research (ACPR), underlines the importance of technology-neutral legislation that targets the illegality of the act itself.

"We have to write legislation which covers technology that hasn't been invented yet," Berwick said. "Cybercrime isn't limited to illegal access either; we need to cover the full gamut of fraud, espionage, child pornography, cyber stalking and even releasing malicious viruses."

And while the increasing prevalence of unwanted interruptions to corporate and home computer systems in Australia has led governments at both the state and federal level to implement a raft of legislation, some are concerned the reaction has been poorly planned.

According to eSec's Neil Campbell, the Cybercrime bill recently enacted in NSW displays some serious flaws.

"I am not convinced that they have thought the whole ramifications through," Campbell said. "It is far too broad and will allow people to be convicted without actually having committed an offence. Not only that, but it is the equivalent of creating a law which convicts people for 'going equipped to steal', and most people have the tools necessary to hack into a computer system on their computers, even if they don't know how to use them."

Campbell's major concern is that the NSW law was based on Federal legislation that is yet to be debated, following the November election. While parliament draws on a series of forums such as Berwick's ACPR for advice, politicians cannot help but be affected by the sense of urgency created when suspected cyber criminals go untried because of a failure of the legislature.

A lack of understanding of the complexities of cybercrime and IT generally is not the only trap open to legislators in Australia. The stateless, borderless World Wide Web enables potential cyber criminals to launch attacks from countries where legislation fails to recognise their misdemeanours as such.

For this reason, not only is ACPR working to advise parliamentarians, it is also designed to develop working relationships with its counterparts in other countries. With the backing of groups like the United Nations, Interpol, the G8 and APEC, the Australasian Computer Crime program is working with police forces throughout the Asia Pacific region to establish a cross-border legislative framework to prosecute cyber criminals.

Proof of the successful collaboration of such groups will come, however, the next time an Onel de Guzman unwittingly unleashes a virus, or a Phoenix purposefully hacks into a corporate system from a remote Pacific island and obtains your credit card number.
