Hacking 101: Inside and Out

by Will Miceli




Laura has been fiddling with computers for 9 years and, like many familiar with the "Net," has a very interactive Homepage that includes numerous photographs of herself. A few weeks ago, a visitor to her site decided to download Laura's picture, which can be done with any image on the internet, and place it on his own Homepage under the section entitled "hot babes." Laura was unaware that this had happened until a few days later, when the mysterious visitor found out that she was on-line and established contact with her. He taunted her and said crude things. Little did he know that Laura was well versed in the ways of the internet. So, while he was throwing epithets at her via the internet, she was able to access his computer and bypass his security mechanisms. Laura entered all of his programs and placed a lock on them so he could no longer use his system, a perfect means for revenge. He no longer had access to his own files, nor did he mess with her Homepage again.

How was Laura able to enter this visitor's computer and lock down his files? What type of experience does one need to be able to manipulate a personal Homepage or a corporate system? The basic background essential to being a hacker, also known as a cybersneak (more neutral), will be examined here along with some sites on the Internet providing tips on hacking. The underlying question behind "Hacking 101" is whether it is ethical and/or legal. Public perception of hackers is quite negative, but many who are hackers do not see themselves as villains. Many computer users have the skills to manipulate a system, but rarely use them, as in Laura's situation. There are two sides to hacking: the cat (security agents) and the mouse (the hackers), each trying to outdo the other.

 

Hacker

The New Hackers Dictionary defines a hacker as "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary." (http://www.hackerscatalog.com/) Not everyone who enters a system without permission is there to do damage. Many get personal satisfaction by knowing that they have entered a system, but do not overstep their boundaries. There are also places on the internet where ordinary people on a simple PC can obtain personal information about people and corporations. An experienced computer user can also tie up a system by flooding it with tons of inquiries in a short amount of time, shutting down a system or preventing the "real" customers from accessing a site. Although the potential for deviance always exists, the exploits of hackers like Kevin Mitnick are the exception, and few use their knowledge for this purpose.

 

The Kevin Mitnick Story

On Christmas day, 1994, at 2:09 PM, three computers in San Diego owned by Tsutomu Shimomura, a computer security specialist, began downloading information about computer hacking and defenses to a mysterious computer. The intruder would have escaped were it not for a program on Shimomura's computer that recorded every detail of the intruder's route to the computer files. After completing the crime, the hacker sent a message to Shimomura's voice mail taunting him: "My technique is the best. . . Your technique will be defeated. Your technique is no good." (Joe Flower, "Catching Kevin and His Friends," New Scientist, 2 September, 1995, p.23)

Shimomura decided to track down this taunting intruder. A month later some of the stolen files showed up in the Well, a San Francisco-based on-line system. Shimomura and his team staked out the Well and waited for the intruder to strike again. Soon thereafter, someone invaded the computers of the San Jose-based Netcom On-Line Communication Services and copied 20,000 credit card numbers, using techniques similar to those used to break into his computer. Shimomura traced the cellular phone signal used by the intruder to Raleigh, North Carolina. With the help of a technician from the local cellular phone company, Shimomura and the FBI apprehended Kevin Mitnick on February 15, 1995 in his apartment. He is still in prison to this day. Numerous hacker-sites on the internet attempt to gain public support for his release. They claim his civil rights are being abused. (See http://www.2600.com) This gives rise to the debate about ethical hacking.

 

Ethical Hacking

Most hackers insist that they are not out to destroy companies and governments, but practice what they call "ethical hacking". They are in it for the intellectual stimulation and not with a malicious goal in mind. Many of them alert companies whose sites they have hacked, and inform them of the security hole. Agents of a Hostile Power is a group of hackers dedicated to "ethical hacking", whose aim is to help companies find holes in their systems. They find holes and inform the companies about them. Another group named "Hack the Lies" is attempting to present hackers in a more positive light than they have been portrayed in the media. Notorious hackers like Kevin Mitnick are the exception. The security analyst I spoke with stated that the high-profile hackers who break into big company computers "get caught, because there are so many people going after them." He worries mainly about teenagers who just play pranks, but when caught are more difficult to prosecute. Where do they obtain these skills?

 

How to be a hacker

It takes time and patience and a bit of skill to be a hacker. According to a web-site's link entitled "HOW TO BE A HACKER" it takes:

"a minimum of 2-3 lifetimes, or maybe, slightly less. Some have done in only one lifetime, but there is much to learn. Hacking requires the application of one's brain power combined with knowledge gained thru exploring and experience. No hacker is ever complete, one just evolves. Hacking is a commitment to learning." (http://www.hackerscatalog.com/)

You cannot simply decide to be a hacker. People who work with UNIX systems or C programming have the prerequisites to hack, but once again, not all choose to use their knowledge.

 

Simple techniques

There are many holes in systems through which not only cybersneaks who have vast knowledge of computer systems, but also the ordinary Web-surfer, can gain access. Information about a system can be obtained in a legal manner, such as through an ftp (file transfer protocol) program. An ftp program, like "finger" and "fetch," can find out the ftp address of a server just by connecting to the main server, which returns all of the address information related to the server.

Then a simple password generator program, available on the internet, can help to crack a user or server password. A password generator allows you to enter any personal information about a user into the program, which then attempts to log-in using all possible combinations of this information, such as birth date, maiden name, or sports teams. If this does not work, the program attempts to break the password using all the words in the dictionary. Some servers will freeze accounts where repeated log-in attempts have been made, but many do not. Sometimes a password generator is not even necessary because some accounts are set up without personalized passwords, and instead access is gained by typing in "visitor," "guest", or "test". There is an enormous amount of personal information about people and systems on the internet that can be obtained legally, making the art of breaking in that much easier.
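The account freeze mentioned above, seen from the server's side, as an added example that is not part of the original paper. The log format, the threshold of three failures in five minutes, and the account names and addresses are constructed for illustration; the default account names are the ones the paragraph lists.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "time account source result". Not from a real server.
SAMPLE_LOG = """\
1996-10-01T09:00:00 alice 192.0.2.5 FAIL
1996-10-01T09:00:20 alice 192.0.2.5 FAIL
1996-10-01T09:00:40 alice 192.0.2.5 FAIL
1996-10-01T09:01:00 alice 192.0.2.5 OK
1996-10-01T09:10:00 bob 198.51.100.9 FAIL
1996-10-01T09:30:00 bob 198.51.100.9 FAIL
1996-10-01T09:31:00 bob 198.51.100.9 OK
1996-10-01T10:00:00 guest 192.0.2.5 OK
"""

DEFAULT_ACCOUNTS = {"visitor", "guest", "test"}  # names listed in the article
MAX_FAILURES = 3                                  # assumed policy
WINDOW = timedelta(minutes=5)                     # assumed policy


def review_logins(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay a login log under a freeze policy.

    Returns (frozen, blocked, default_hits):
      frozen       account -> time the account was frozen
      blocked      (account, source) logins with a correct password that the
                   freeze refused, i.e. guesses that would otherwise have worked
      default_hits (account, source) successful logins to default accounts
    """
    recent = defaultdict(deque)  # account -> times of failures inside the window
    frozen, blocked, default_hits = {}, [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        stamp, account, source, result = parts
        when = datetime.fromisoformat(stamp)
        if account in frozen:
            if result == "OK":
                blocked.append((account, source))
            continue
        if result == "OK":
            if account in DEFAULT_ACCOUNTS:
                default_hits.append((account, source))
            recent[account].clear()  # a good login resets the counter
            continue
        fails = recent[account]
        fails.append(when)
        while when - fails[0] > window:  # forget failures older than the window
            fails.popleft()
        if len(fails) >= max_failures:
            frozen[account] = when
    return frozen, blocked, default_hits
```

On the sample log the freeze stops the fourth attempt on "alice" even though it carries the right password, while "bob", whose two mistakes are twenty minutes apart, is left alone.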

 

The hard-core cybersneak

The "hacking" or "cybersneak" culture is one that centers around the elitism of knowledge. Those involved are confident people, usually young males, who prefer not to discuss hacking matters with people not familiar with the lingo. Simon Davies, director of Privacy International, says that hackers are "impressed with their own cleverness. . .they are just glorified nerds." ("Sabotage in Cyberspace" Focus, 14 Sept, 1996, p. 13) Those belonging to such circles have a firm grasp of UNIX, an operating system which makes it easier for users to connect to other computers, and computer languages, such as "C" and "Java". In order to find and then exploit a hole in a system, one has to understand the makings of the system and the language that generates the programs. These people spend the vast majority of their lives in front of computer screens, thereby attaining the knowledge necessary to break into systems. Many systems almost invite hackers due to their sloppy security measures.

Complete security on the internet is nearly impossible, for there are often holes in systems, whether technical or human (i.e. sabotage). The key concept on the internet is "trust". Since systems often "trust" one another, when an intruder breaks into one system, he automatically has access to the systems that the trusted system has access to. For example, if System A trusts users from System B and System B trusts System C, then a hacker who breaks into A has access to both B and C. All a hacker needs to do is gain access to one component in a string of trust; from there, he can enter all the trusted systems.

Kevin Mitnick took advantage of the trust chain between Shimomura's three computers to break in. He gained access to the server that had a trust relationship to the X-terminal which in turn contained the hacker-security files.
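The chain of trust described above can be audited before an intruder finds it. This added example (not part of the original paper) follows the article's reading that an intruder on A reaches B and C, so a link X -> Y means "from X one can enter Y without a further check"; the trust map and the function names are constructed for illustration.

```python
from collections import deque

# Constructed trust map: system -> systems it can enter without a further check.
TRUST = {
    "A": ["B"],
    "B": ["C"],
    "C": [],
    "D": ["A"],
    "E": [],
}


def exposure(trust, start):
    """Systems an intruder on `start` can reach, each with the hop-by-hop path."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in trust.get(host, []):
            if nxt not in paths:  # already reached: also stops loops of trust
                paths[nxt] = paths[host] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def total_exposure(trust):
    """Sum over all systems of how many others fall if that one is broken into."""
    return sum(len(exposure(trust, host)) for host in trust)


def best_link_to_cut(trust):
    """Return ((src, dst), remaining) for the single trust link whose removal
    leaves the lowest total exposure, or None when there are no links."""
    best = None
    for src, targets in trust.items():
        for dst in targets:
            trimmed = {h: [t for t in ts if (h, t) != (src, dst)]
                       for h, ts in trust.items()}
            score = total_exposure(trimmed)
            if best is None or score < best[1]:
                best = ((src, dst), score)
    return best


if __name__ == "__main__":
    for host in TRUST:
        print(host, "->", sorted(exposure(TRUST, host)))
    print("cut first:", best_link_to_cut(TRUST))
```

In the sample map nothing trusts D directly beyond A, yet breaking into D exposes A, B and C; removing the single A -> B link drops the total exposure from 6 to 2.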

Finding the hole in a system entails either physical legwork or time spent staring at the computer screen searching for holes. Physical legwork includes using such tactics as "social engineering," which involves calling a system administrator and claiming to be a legitimate employee and asking them to change their password, and thus gaining access through the front door. "Dumpster diving" is another alternative. This entails going through corporate basements looking through computer printouts for lists of passwords, system diagrams, organization charts, hardware and software descriptions, or anything else that can guide them.

Many hackers find the legwork method crude and instead attempt to twist "doorknobs" through the internet to find holes. The holes include directories containing passwords that are accessible to the public. Old versions of "fingerd" (an ftp program), which contained a notorious flaw that hackers exploited, are also a good target. These older versions did not limit the size of programs that could be sent to a host, thereby enabling hackers to send large programs into innocent systems. As mentioned earlier, accounts set up with passwords such as "visitor" or "guest" allow hackers to gain access easily. Holes are just that: small windows of access that allow a hacker to get a foot in the door.

One way to exploit a weakness is through a discussion group where the moderator can create an "rc file" to do certain tasks for anyone who joins the group. An intruder could enter the moderator's account and write code into the "rc file" that would commandeer the account of anyone visiting the group. They could send instructions such as "send your password" or "copy all this account's email to another address," all in "C" code, a language that does not read like English, which makes discrepancies difficult to detect.

Tips on how to familiarize oneself with systems and various means for exploiting them can be found in hacker magazines on the internet. Magazines such as Phrack, 2600, and L0pht provide up-to-date news on arrested hackers as well as information about new techniques for exploiting systems. In its introduction Phrack states: "Since 1985, Phrack has been providing the hacker community with information on operating systems, networking technologies, and telephony, as well as relaying other topics of interest to the international computer underground." (http://www.fc.net/phrack.html)

 

The Security Perspective

The CIA, the FBI, the US Air Force and even the US Justice Department have all been hacked, and had their sites altered.

 

A computer security specialist working for a clearing house, who did not want his name mentioned, said that the major liability for them is to verify the identity of the customer. This verification is vital because they are dealing with millions of dollars per transaction, and the company wants the customer to be liable for the purchase (i.e. to not be able to repudiate the deal if the purchase turns out to be a loss). Since using the internet to make transactions would be cheaper, a means for securing transactions must be found by these firms.

There are numerous ways to secure transactions. Encryption is a method of encoding a transaction so that it can only be decoded by someone who knows the password and has the proper decoding program. Another way is to limit the access time of visitors to a particular site. By only allowing them access for a short period of time, there will be enough time to complete a transaction, but not enough time for an unauthorized user to perform malicious acts. At the above mentioned clearing house, a visitor to the site needs to go through nine different steps before access is granted, and that access is still limited. The steps include filling out an identification form, which is checked with the security server. When the clearance is given, the server sends a certificate back to the customer's browser which carries the necessary encryption codes. Then the customer can send secure (encrypted and non-repudiable) transactions to the clearing house for a predetermined time. The next big question for the firm is who to trust with the list of encryption key-codes?

 

Plugging the holes

In 1995 a program called SATAN (Security Analysis Tool for Auditing Networks) was released on the internet, free of charge for anyone to download. SATAN was put out on the internet by Dan Farmer and Wietse Venema in an effort to make the internet more secure. The program scans systems at high speed for common known vulnerabilities, such as the ftp directory and password files. This program shows administrators the holes in their systems, and how to secure them, but it is also a powerful tool for cybersneaks. In response to this threat, programs like "Gabriel" and "Courtney" were created to detect when a system is being probed by SATAN. Other security probing programs available are 1) COPS (Computer Oracle and Password System), similar to SATAN but focusing on the user, and 2) TCP Wrapper, which informs the system manager of holes that turn up and is also able to provide information on the hacker attempting to break in.

The above mentioned probing programs usually recommend using a firewall to secure holes. A firewall is similar to constructing several walls around the server, allowing visitors to access only the peripheral walls through gateway machines, which do a security check. Its purpose is to isolate an organization's internal network from the internet. The firewall filters the messages to allow only those authorized to enter. It provides one with centralized control of the computer environment. Type enforcement or least privilege is the firewall security mechanism that gives every program on the system permission to do only those things it requires to do its job.

 

Conclusion

There are two sides to the internet security equation. Behind the walls sit the security agents who are trying to stop unauthorized entry while keeping their authorized customers happy. On the outside of the walls are numerous computer geniuses, or cybersneaks, who try to find holes in these systems often just for the thrill of finding them, and not with any malicious intentions. Hackers can easily take advantage of people who naively place valuable material in cyberspace, just as Laura shut down the computer of the attacker who was sending her dirty messages. In conclusion, hackers are not always as bad as they are portrayed in the media, though they keep the cats (security specialists) on their toes.

 


 

Some Hacker Lingo

• Masquerading or spoofing is the use of fake identification, such as an alternate username, to avoid detection when performing unauthorized activities. Messages can be modified to change access requirements for a particular system.

• Denial of service is when an entity is altered so it cannot perform its proper function, such as the standard operation of a network. This can be done by generating mass traffic going into a system or suppressing it.

• Insider attacks are when legitimate users of a system have malicious intentions. They often have access to password files or system blueprints that make breaking in quite simple.

• Outsider attacks are done by unauthorized users who use other means to gain access such as wire-tapping, intercepting emissions, masquerading as authorized users, or bypassing access control mechanisms.

• A trapdoor is a backdoor into a system created to allow the intruder to enter when he wishes.

• A Trojan horse can record information such as passwords in a file and periodically mail them to the intruder.

 

 

Bibliography

 

Books

• Pabrai, Uday O. and Gurbani, Vijay K. Internet and TCP/IP Network Security: Securing Protocols and Applications, New York: McGraw-Hill, 1996.

 

Articles

• Brake, David, "Return to sender, address unknown," New Scientist, 21 September 1996, p. 8.

• Flower, Joe, "Catching Kevin and His Friends," New Scientist, 2 September, 1995, p. 22-27.

• Holderness, Mike, "Hackers come in from the cold," New Scientist, 20 November, 1993, p. 22-23.

• Stewart, Ian, "Mathematical Recreations: Proof of Purchase on the Internet," Scientific American, February 1996, p. 124-125.

• Thomsen, Dan and Schwartau, Winn, "Is Your Network Secure?" Byte, January 1996, p. 155-156.

• Ward, Mark, "Sabotage in Cyberspace," New Scientist, 14 September, p.12-13.

 

Web Sites

• http://www.hackerscatalog.com/

• http://www.2600.com

• http://www.fc.net/phrack.html

• http://www.10pht.com/

 

Other Sources

• Interview with a computer securities officer at a Wall Street firm.

 

