Computer crime and hackers: How do you estimate the undetected?

COMPUTER CRIME:  HACKERS

by M. E. Kabay, Ph.D.


How do you estimate the undetected?

That's a tough question, and it comes to mind when we try to guess how  
much damage is being caused to information systems users by hackers.   
Information security specialists informally estimate that 80-85% of  
all computer crime is carried out by employees of the victimized firm.   
Most of these criminals are authorized to access the computer system,  
and many can legitimately access the software and data they used in  
their crimes.

The problem is that these estimates are based exclusively on the cases  
that are detected and revealed.  Sally Meglathery, manager of data  
security, audit and contingency planning at a major New York firm and  
president of the Information Systems Security Association, Inc (ISSA),  
an international non-profit group of security managers, was asked  
(Eckerson, 1990), "How many large user organizations really experience  
security problems, and how much money do they really lose?"  She  
replied, "That's hard to tell.  I've read that security breaches cost  
companies $550 million a year, but I don't think anyone really knows.  
Besides, a lot of companies don't report losses from security  
breaches because of the negative publicity that usually follows."

In statistical parlance, we are basing our estimates of the computer  
criminal population on a biased sample:  the ones we know about.

What about all the ones we don't know about?  Are there really  
armies of sinister figures covertly breaking and entering into our  
computers?  Isn't that paranoia?

     Today, there is virtually no system or network, either  
     telecommunications or mainframe computer, that has not been  
     compromised.  Tens of thousands of juveniles, equipped with home  
     computers and modems, regularly make attacks on systems.  
     Hundreds of adults, motivated by the potential for financial  
     gain, openly aid and abet the hackers.  A new breed of criminal  
     is emerging and unfortunately appears to be here to stay.  You  
     can be sure that they are out there right now trying to crack  
     your system! (Maxfield, 1985)

Is believing in sinister figures paranoia if they exist?

For Cliff Stoll, an astrophysicist at the Lawrence Berkeley Laboratory  
in California, the sinister figures existed.  He tells a fine tale in  
his engaging, informative and intelligent best-seller, The Cuckoo's  
Egg.  Seconded from the astronomy section to the computing section  
because of budget cuts, he began a mundane assignment tracking down a  
75-cent discrepancy in the system accounting routines and ended up  
fighting an international ring of determined spies who were cracking  
computer systems all over the United States.  Incidentally, he plays  
himself in a televised version of his story shown on the U.S. Public  
Broadcasting System in the acclaimed NOVA series of science programs;  
it's called "The KGB, the Computer and Me" (Anonymous, 1990b).


History and Current Status  
--------------------------

According to Bloombecker (1986), computer hacking has some of its many  
roots in the evolution of the interstate phone system.  When direct  
distance dialing (DDD) was implemented in the late 1950s, AT&T began  
using audible tones which conveyed switching and billing information  
for the phone network.  These tones can occasionally still be heard  
in the background of a switched phone line when we dial a 
long-distance number; listen for a rapid series of faint sounds  
shortly after you finish dialing or punching the touch-tone buttons.   
The "blue box" became popular around 1961 as a method for avoiding 
long-distance costs.  This device generated the tones the phone system  
used for its internal communications and sent false information to the  
billing office.  Thus thieves were able to defraud the phone company of  
their long-distance phone charges.  These people became known as "phone  
phreaks".

Even today, experts say, phone fraud is still a problem.  Eckerson  
(1990) asked Meglathery, "We hear a lot about threats to data  
networks, but what are the big problems with voice nets?"  Meglathery  
answered, "Credit cards are the biggest problem.  Evidently, some kids  
in New York are using binoculars to read the calling card numbers of  
people who are making calls at pay phones.  Phone companies have had  
to write off hundreds of thousands of dollars of bad credit card calls  
as a result."

A recent variation is the voice-mail hacker.  Many organizations use  
sophisticated computer-controlled internal phone systems that give  
every user a private mailbox for storing verbal messages.  In a recent  
case, two teenage brothers from Staten Island, NY caused an estimated  
$2.4 million in lost business and extra work by hacking into  
International Data Group's voice-mail system in New Hampshire (Molloy,  
1990).  The youngsters, angry at not having received a poster promised  
with their magazine subscription, penetrated system security, changed  
mailbox passwords and deleted advertising copy left by phone.  At  
first, technicians assumed there must be a problem with the system.  
However, the vandals began leaving offensive and even obscene outgoing  
messages ostensibly from company employees.  When customers complained  
about the tasteless greetings, management finally realized the system  
was under attack.  The pests were finally trapped by putting a trace  
on the toll-free 800 phone number.

Another root of modern hacking is time-sharing.  This operating system  
development arose in the early 1960s and allows a multitude of users  
the illusion that they have the undivided attention of a computer.  
Thousands of university students became involved in using, modifying  
and creating sophisticated operating systems, thereby gaining 
life-long interest in computing machinery and telecommunications.  
With modems to allow easy communications through ordinary, voice-grade  
switched telephone lines, the stage was set for the birth of the  
modern hacker.

The forced breakup of AT&T around 1980 spawned hundreds of local phone  
companies (sometimes called BOCs, or Bell Operating Companies) who had  
to pass billing codes from company to company as each long-distance  
call flashed across the continent.  Unfortunately, notes Bloombecker,  
AT&T failed to make its ANI (automatic number identification) feature  
available to the BOCs, so it became much more difficult to track  
fraudulent use of the interstate phone system.

Finally, the advent of packet switching networks (e.g., TELENET,  
TYMNET, and DATAPAC) increased the ease with which hackers could reach  
across great distances to attack host computers.  Hackers in major  
cities could simply dial a local call to a handy access node and then  
try hacking their way into any computer on the network--even on the  
other side of a continent.  No more long-distance calls.  Furthermore,   
on most networks, there are no logon IDs for network use proper;   
instead, the host is billed for connect time and then bills its users.   
If a hacker fails to connect properly to a host, there are no penalties  
at all.


Techniques  
----------

Hackers depend on public or private access ports.  If your computer  
cannot be accessed outside your offices, you're probably safe against  
hackers.  It is the combination of switched (dialup) telephone lines  
and inexpensive modems that makes hacking a hobby.  To locate  
telephone numbers, hackers either find them or learn them.  I once  
saw a telephone number printed out as a banner posted on a computer  
room wall (through the glass windows, another no-no) in letters a  
foot high.  It was the dialup modem.  To learn phone numbers, hackers  
ask each other.  It seems that hacker bulletin board systems (BBS;  
see below) routinely traffic in stolen modem numbers.  Even without  
relying on other hackers, if a hacker knows that a particular target  
organization uses a particular exchange (e.g., 342-xxxx), he or she can use  
a brute-force method to find the modem:  just have a computer program  
dial every number in the exchange and record all the numbers that have  
carrier signals.  The modem identifies VOICE or NO CARRIER (no answer)  
and CONNECT 1200 or CONNECT 2400, so it isn't hard to figure out  
what's on each number.

Once the modem has located a carrier signal, the hacker can try logging  
on.  Hackers become expert at identifying the type and operating system  
of computer they've reached.  Some systems, especially simple BBS,  
announce precisely what kind of hardware and software they are running  
on right from the start, even without appropriate IDs.  These systems  
are practically begging for hackers to use their specialized knowledge  
of hardware and software to bypass security.  Others have  
characteristic prompts; e.g., the ":" that follows a carriage return is  
a giveaway for either an HP3000 or a TANDEM.  The prompt character can be 
changed in some operating systems.  Some operating systems have overly  
helpful error messages; the default set may lead a hacker step by  
step through the logon process (see box).  A system manager should change 
the messages to substitute something like *INVALID* for all these 
helpful messages.

+---------------------------------------------------------------------+  
A HACKER/COMPUTER DIALOGUE

(lowercase is what the hacker types, UPPERCASE is computer response):

:  
:logon  
EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON.  (CIERR 1402)  
:hello  
 HELLO  
EXPECTED [SESSION NAME,] USER.ACCT [,GROUP]   (CIERR 1424)  
:hello manager  
 HELLO MANAGER  
EXPECTED ACCOUNT NAME.  (CIERR 1426)  
:hello manager.system  
 HELLO MANAGER.SYSTEM  
NON-EXISTENT ACCOUNT.  (CIERR 1437)  
:hello mgr.sys     
 HELLO MGR.SYS  
ACCT EXISTS, USER NAME DOESN'T.  (CIERR 1438)  
:hello manager.sys  
ENTER USER (MANAGER) PASSWORD:

ENTER USER (MANAGER) PASSWORD:

ENTER USER (MANAGER) PASSWORD:

INCORRECT PASSWORD.  (CIERR 1441)


NO CARRIER [message from modem]

+---------------------------------------------------------------------+

Techniques for guessing passwords range from brute-force battery to 
sneaky psychology.  One brute-force approach would try words drawn from  
an online dictionary; passwords like ROVER and DOLLY would pop up  
eventually during the search.  An even more exhaustive search would  
generate all possible random sequences of the ASCII symbols, starting  
with short combinations and letters only and then moving on to longer  
ones including special symbols.  A more subtle approach works by  
learning about the user of a particular password.  "Dumpster diving"  
involves searching through rubbish looking for discarded information  
that can give clues to probable passwords; researching the user's  
background can lead to possible words too.  These techniques don't work  
unless the user has foolishly chosen words that have personal meaning;  
e.g., names of spouse and children or of favorite sports.

Brute force methods will work efficiently only if the operating system  
allows unlimited, rapid retries after password failures.  The HP3000,  
for example, puts a message on the system console after every bad  
logon attempt.  After three password failures, the system prevents  
further attempts until a configurable delay has expired (e.g., 2  
minutes by default).

Recent developments in password technology may improve our chances  
against hackers (Alexander, 1990a).  A mechanical engineer, Earl R.  
Collins Jr, has devised a system using a symbol matrix for enforcing  
access codes.  Both computer and user need a copy of a square grid  
containing many codes.  The computer randomly selects any two locations  
on the grid, defining a rectangle; the user would have to name the  
codes on the other two corners of the rectangle.  The number of  
possible rectangles and codes is so large as to be virtually  
uncrackable by brute-force methods.
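As an added illustration (my code, not the article's and not Collins's own design, whose details the article does not give), here is one way to read the symbol-matrix scheme: a shared grid of codes, a challenge naming two cells, and a response naming the other two corners of the rectangle they define. The grid size, the code length and the `rectangle_count` helper are my assumptions.

```python
import math
import random
import string

CODE_LEN = 4      # assumption: each grid cell holds a 4-character code
GRID_SIZE = 6     # assumption: a 6x6 grid; a real deployment could be far larger


def make_grid(size=GRID_SIZE, rng=None):
    """Build the shared grid.  The computer keeps it; the user carries a
    printed copy.  rng defaults to a cryptographically secure generator;
    pass random.Random(seed) only when a reproducible grid is wanted."""
    rng = rng or random.SystemRandom()
    alphabet = string.ascii_uppercase + string.digits
    return [["".join(rng.choice(alphabet) for _ in range(CODE_LEN))
             for _ in range(size)]
            for _ in range(size)]


def issue_challenge(size=GRID_SIZE, rng=None):
    """Pick two cells in different rows and different columns, so they are
    opposite corners of a proper rectangle, and return their coordinates."""
    rng = rng or random.SystemRandom()
    r1, r2 = rng.sample(range(size), 2)
    c1, c2 = rng.sample(range(size), 2)
    return (r1, c1), (r2, c2)


def expected_response(grid, challenge):
    """Codes at the other two corners, (r1, c2) and (r2, c1).  A set, because
    the user may name them in either order."""
    (r1, c1), (r2, c2) = challenge
    return {grid[r1][c2], grid[r2][c1]}


def verify(grid, challenge, answer):
    """True only if the user named exactly the two missing corners."""
    return len(answer) == 2 and set(answer) == expected_response(grid, challenge)


def rectangle_count(size):
    """Distinct rectangles a size x size grid can generate (choose 2 rows and
    2 columns).  Every challenge draws one of them, so a guesser faces a fresh
    pair of codes each time instead of one fixed password."""
    return math.comb(size, 2) ** 2


if __name__ == "__main__":
    grid = make_grid()
    challenge = issue_challenge()
    print("Challenge cells:", challenge)
    print("Expected corner codes:", expected_response(grid, challenge))
    print(f"{rectangle_count(GRID_SIZE)} rectangles on a {GRID_SIZE}x{GRID_SIZE} grid")
```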

In the example of logon dialogue shown in the box, the computer hung up 
its modem.  A hacker would have to redial to get through for another try, 
slowing down the process and either frustrating the human or giving an 
operator on the targeted computer a chance to set up some 
counter-measures.
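The following is an added example (my code, not the article's and not HP3000 software) that simulates the defensive behaviour the preceding paragraphs describe: one uniform *INVALID* reply whatever went wrong, a console line on every failed logon, lockout after three failures until a configurable delay expires, and dropping the line so the caller must redial. The account table and the injectable clock are constructed for the demonstration.

```python
import hmac
import time

INVALID = "*INVALID*"    # one reply for bad account, bad user and bad password alike
MAX_FAILURES = 3         # three strikes, as on the HP3000 ...
LOCKOUT_SECONDS = 120    # ... then a configurable delay (2 minutes by default)


class LogonGuard:
    """Guards one dialup line.  Failures are counted per line, not per account,
    so a caller gains nothing by switching names between attempts."""

    def __init__(self, accounts, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.accounts = accounts            # {"USER.ACCT": password}, constructed
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so tests can fake time
        self.failures = 0
        self.locked_until = None
        self.console = []                   # the system console / audit trail

    def _log(self, msg):
        self.console.append(f"{self.clock():.0f} {msg}")

    def attempt(self, user_acct, password):
        now = self.clock()
        if self.locked_until is not None and now < self.locked_until:
            self._log(f"LOGON REFUSED (line locked) {user_acct}")
            return "NO CARRIER"             # line dropped; caller must redial
        # Run the comparison even for unknown names so neither the reply text
        # nor the timing tells the caller whether the account exists.
        expected = self.accounts.get(user_acct, "")
        match = hmac.compare_digest(expected.encode(), password.encode())
        if expected and match:
            self.failures = 0
            self.locked_until = None
            self._log(f"LOGON OK {user_acct}")
            return "WELCOME"
        self.failures += 1
        self._log(f"LOGON FAILURE #{self.failures} {user_acct}")
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
            self._log(f"LOCKOUT for {self.lockout_seconds}s; hanging up")
            return "NO CARRIER"
        return INVALID


if __name__ == "__main__":
    guard = LogonGuard({"MANAGER.SYS": "s3cret"})   # constructed credentials
    for name, pw in [("MANAGER.SYSTEM", "x"), ("MGR.SYS", "x"),
                     ("MANAGER.SYS", "x"), ("MANAGER.SYS", "s3cret")]:
        print(f":hello {name.lower()} -> {guard.attempt(name, pw)}")
    print("\n".join(guard.console))
```

Compare the four replies with the box above: the caller no longer learns whether the account, the user name or the password was the problem, and the fourth attempt is refused even though the password is right.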


Psychology  
---------- 

Maxfield (1985) classifies different groups of hackers as follows:

o    Pioneers:  people who were fascinated by the evolving technology  
     of telecommunications and explored it without knowing what they  
     were going to find.  These people included few criminals;  
       
o    Scamps:  hackers with a sense of fun.  These people do no overt  
     harm (but see later in "Who Cares?");  
       
o    Explorers:  motivated by their delight in finding out what  
     computer system they have broken into--the further away physically  
     or the more secure, the better.  The children in the movie "War  
     Games" were excited because they broke into NORAD computers;  
       
o    Game players:  enjoy defeating copy protection and seek systems  
     with games to play.  Hacking may seem like an intelligence test  
     to them--a way to demonstrate their power. One hacker was trapped  
     by enticing him with a game deliberately left on a bank 
     computer--he played for hours while the police and the phone  
     company traced his phone call;

o    Vandals:  these malicious folk deliberately cause damage for no  
     apparent gain to themselves.  The 414 Gang from Milwaukee broke  
     into the Sloan-Kettering Institute's computers and wiped out  
     cancer patients' records and scientists' research data--some fun,  
     eh?

o    Addicts:  these compulsive nerds may also be addicted to  
     narcotics, and some hacker BBS post information on drugs as well  
     as on modems, passwords and vulnerable systems.

What strikes me about hackers is their arrogance.  These people seem to  
feel that their own pleasures or resentments are of supreme importance  
and that normal rules of behavior simply don't apply to them.  Take  
the recent case in which the 17-year old caused $2.4 million damage  
because he didn't get a poster from Gamepro magazine for video game  
players (Alexander, 1990b). Is this the response of a balanced  
adolescent to failure to receive a free poster?

The standard reference work on psychiatric disorders (APA, 1980)  
defines the Narcissistic Personality Disorder in these terms:

     The essential feature is a Personality Disorder... in which there  
     are a grandiose sense of self-importance or uniqueness;  
     preoccupation with fantasies of unlimited success; exhibitionistic  
     need for constant attention and admiration; characteristic  
     responses to threats to self-esteem; and characteristic  
     disturbances in interpersonal relationships, such as feelings of  
     entitlement, interpersonal exploitativeness, relationships that  
     alternate between the extremes of overidealization and  
     devaluation, and lack of empathy....  
       
     ...In response to criticism, defeat or disappointment, there is  
     either a cool indifference or marked feelings of rage,  
     inferiority, shame, humiliation, or emptiness....  Entitlement,  
     the expectation of special favors without assuming reciprocal  
     responsibilities, is usually present.  For example, surprise and  
     anger are felt because others will not do what is wanted; more is  
     expected from people than is reasonable.

Notice that the 17-year old who trashed the voice-mail system had a  
confederate aged 14; we can imagine the sort of hero-worship the older  
boy basked in as he boasted about damaging the publisher's interests.

In another case, three Atlanta men in their early 20s were convicted  
of repeatedly breaking into BELLSOUTH computer systems, listening to  
private conversations, and stealing confidential data (Alexander,  
1990c).  They were members of "The Legion of Doom," a group of about  
15 expert hackers.  The three were sentenced to 14, 14, and 21 months  
in jail respectively.  They must pay restitution of $233,000 each.  It  
is significant to me that, aside from belonging to the comic-book  
style Legion of Doom, these people identified themselves on the hacker  
networks using grandiose "handles" such as "The Leftist," "The  
Prophet," "The Urvile," and "Necron 99." "Urvile" means something like  
"ultimate evil" and "Necron" has connotations of death and computers  
mixed together (sounds like a new heavy-metal band).  Other hackers 
(Alexander, 1992) identify themselves as "Garbage Heap, Nightcrawler 
Demogorgon, Dark Angel and Time Lord.  They said their ages range from 15 
to 23 years old...." Does this sound mature?

During the 1990 December holiday season, some 25 hackers gathered for  
their "Christmas Con" in a hotel near Houston airport (Anonymous,  
1990).  "After consuming too many beers and pulling fire alarms, the  
group was kicked out of the hotel."  This sort of behavior  
may be associated with Antisocial Personality Disorder.

     The essential feature is... a history of continuous and chronic  
     antisocial behavior in which the rights of others are violated....  
     (APA, 1980).

Dr Percy Black, Professor of Psychology at Pace University in New  
York, commented that there may be an underlying theme in all of these  
cases:  the search for a feeling of power, possibly stemming from a  
deep-seated sense of powerlessness (Black, 1991).  These acts  
therefore serve as over-compensation for inferiority feelings.  He  
added that the apparent immaturity of the hacker may be an expression  
of unresolved feelings of resentment and powerlessness that all of us  
must overcome as we grow up.  The hackers are trying to tell  
themselves, "I can too."  These ideas are associated with the work of  
the psychologist Alfred Adler.

Hackers may be seeking a high--a peak experience.  There is some  
evidence that young people require a higher level of stimulation than  
most adults.  Some people have an abnormally high need for stimulation  
even in adulthood.  Dr Black explained that antisocial behavior may be  
related to inadequate endogenous stimulation; i.e., these people's  
brains don't provide the normal arousal that keeps normal people  
feeling that life is interesting.  Thus some children and adults may  
engage in unacceptable acts because they crave any kind of  
stimulation, regardless of whether it is noise, acclaim or even  
punishment.

I heard a fascinating lecture by a Professor Csikszentmihalyi at the  
February 1987 Annual Meeting of the American Association for the  
Advancement of Science.  Csikszentmihalyi described "autotelic"  
experiences as those in which the goal lay within the activity itself.  
Such actions are carried on for long periods without obvious extrinsic  
rewards.  Some examples he cited include painters, composers, 
rock-climbers, surgeons and mathematicians.  Many of us who have  
programmed know full well how absorbing the work can be; I remember  
looking at my watch at 17:30, turning back to a program I was writing,  
then looking at my watch again what seemed like a moment later.  It  
was 23:30.  Now, that was an autotelic experience.

Perhaps for hackers, hacking is an autotelic experience.  After all,  
they have unambiguous goals and feedback (two of the characteristics  
Csikszentmihalyi identified) and seem to persist in their attacks.  
Stoll tracked his German hackers for a year.  Hacking may be in part  
an exaggeration of the normal response to the give and take of  
computer usage.


Hacker Bulletin Boards   
----------------------

Maxfield (1985) estimates that half of all private BBS cater to  
software pirates.  He notes that underground systems usually have  
elaborate security (better than many legitimate organizations'  
security) and some sections hidden from normal users.  Entry into the  
inner sanctum of pirated passwords, break-and-entry techniques for  
specific operating systems, and dialup modem numbers for specific  
victims requires contributing a piece of illegally-obtained  
information.  Maxfield thinks that some BBS are being infiltrated by  
organized crime syndicates because of the potential for selling stolen  
computer components, blackmail, and narcotics distribution.  Pirate  
BBS operators have been known to threaten the lives of undercover  
investigators who have infiltrated their systems.


Why Should We Care?   
-------------------

At the simplest level, hackers steal.  They steal resources that could  
be used for more productive work.  Some hackers cause obvious damage:  
they destroy or damage data.  But Cliff Stoll identified the  
fundamental problem caused by hackers:  they destroy the climate of  
trust which allows effective communications via computer networks.

Stoll was originally reluctant to cooperate with law-enforcement  
officials.  Anyway, he got little encouragement from them at first.  
Nonetheless, he finally came to the conclusion that the hackers were  
hurting him and every other user of INTERNET, the loosely-run,  
non-commercial network linking thousands of scientific and educational   
institutions around the world:

     Networks aren't made of printed circuits, but of people.  Right  
     now, as I type, through my keyboard I can touch countless  
     others....  My terminal is a door to countless, intricate  
     pathways, leading to untold numbers of neighbors.  Thousands of  
     people trust each other enough to tie their systems together....

     Like the innocent small town invaded in a monster movie, all  
     those people work and play, unaware of how fragile and vulnerable  
     their community is.  It could... consume itself with mutual  
     suspicion, tangle itself up in locks, security checkpoints, and  
     surveillance; wither away by becoming so inaccessible and  
     bureaucratic that nobody would want it anymore.


What Should We Do?  
------------------

Everyone concerned about the health of the computer-using community can  
contribute to making it harder for hackers to hack.

o    First, protect your own system.

o    Use passwords properly; change them now and then.

o    Don't give away passwords or modem telephone numbers without good  
     reason.

o    If you run a computer system, convince yourself and management of  
     the value of a good security monitor and audit trail.

o    Keep your system clock accurate so you can coordinate with other  
     users if you have to track a hacker.

o    Keep helpful hints out of your logon sequence.

o    Identify holes (e.g., passwordless users with powerful  
     capabilities) in your security system; use commercially-available  
     audit programs and plug the holes.

o    Put a warning message into your logon welcome text to threaten  
     legal action against unauthorized users of your system.

Finally, report attacks against your system to your local police force.  
In commenting on the Atlanta case (Alexander, 1990c), William Cook,  
Assistant US Attorney in Chicago, had a message to victims:  "...it is  
worthwhile for you to cooperate when unjustly violated by people who  
hack into your system...."  All of us share responsibility for  
combatting hackers.  Let's work to prevent their nefarious deeds and  
respond decisively when our systems are attacked.
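As an added example for the checklist item on identifying holes (my code, not the article's and not any vendor's audit program), this scans a constructed account directory for users who hold powerful capabilities without a password. The two-level account/user layout and the capability codes SM (system manager) and PM (privileged mode) follow HP3000 usage, the system the article's logon box illustrates; the directory contents are invented.

```python
POWERFUL = {"SM", "PM"}   # system manager, privileged mode (HP3000 capability codes)

# Constructed directory: account -> its password (None = none) and its users.
DIRECTORY = {
    "SYS": {
        "password": None,
        "users": {
            "MANAGER":  {"password": "xyz", "caps": {"SM", "PM", "OP"}},
            "FIELD":    {"password": None,  "caps": {"PM"}},
            "OPERATOR": {"password": None,  "caps": {"OP"}},
        },
    },
    "PAYROLL": {
        "password": "p4y",
        "users": {
            "MGR":   {"password": None, "caps": {"AM", "PM"}},
            "CLERK": {"password": None, "caps": set()},
        },
    },
}


def find_holes(directory, powerful=POWERFUL):
    """Return (user.acct, severity, reason, capabilities) for each risky user.
    HIGH:   powerful capabilities with neither a user nor an account password.
    MEDIUM: powerful capabilities and no user password; only the account
            password stands between a caller and those capabilities."""
    holes = []
    for acct_name, acct in directory.items():
        for user_name, user in acct["users"].items():
            strong = sorted(user["caps"] & powerful)
            if not strong or user["password"]:
                continue                # unprivileged, or protected by its own password
            if acct["password"]:
                severity, reason = "MEDIUM", "no user password; account password only"
            else:
                severity, reason = "HIGH", "no user password and no account password"
            holes.append((f"{user_name}.{acct_name}", severity, reason, strong))
    holes.sort(key=lambda h: (h[1] != "HIGH", h[0]))   # most serious first
    return holes


if __name__ == "__main__":
    for name, severity, reason, caps in find_holes(DIRECTORY):
        print(f"{severity:6} {name:16} {','.join(caps):6} {reason}")
```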



References   
----------

Alexander, M (1990a).  Devising matrix-based computer security.  
Computerworld 24(46):22 (90.11.12)

Alexander, M (1990b).  'Finger hackers' charged with voice-mail crime.  
Computerworld 24(46):46 (90.11.12)

Alexander, M (1990c).  Hackers draw stiff sentences.  Computerworld  
24(48):1 (90.11.26)

Alexander, M (1992).  Challenge, notoriety cited as impetus for virus 
developers.  Computerworld 26(6):1 (92.02.10)

Anonymous (1990a).  Stoll to star in NOVA adaptation.  Computerworld  
24(38):18 (90.09.17)

Anonymous (1990b).  What was in their stockings?  INSIDE LINES section,  
Computerworld 25(1):98 (91.01.07)

APA (1980).  DSM-III:  Diagnostic and Statistical Manual of Mental  
Disorders, Third Edition.  American Psychiatric Association  
(Washington, DC).  P. 315 ff.

Black, P (1991).  Personal communication.

Bloombecker, J (1986).  A security manager's guide to hacking.  DATAPRO   
REPORTS ON INFORMATION SECURITY, report #IS35-450-101.

Csikszentmihalyi, M (1990).  Flow:  The Psychology of Optimal Experience.  
Harper & Row (New York).  ISBN 0-06-016253-8.

Eckerson, W (1990).  IS security exec tells of risks, strategies.    
Network World 90.09.03:21*

Fisher, S (1990).  Bringing Bill of Rights into Computer Age.  
BYTE 15(9):28 (90.09)*

Maxfield, J (1985).  Computer bulletin boards and the hacker problem.   
EDPACS, The EDP Audit, Control and Security Newsletter, October 1985.   
Published by Automation Training Center, 11250 Roger Bacon Drive, No.   
17, Arlington, VA 22090.

Molloy, M (1990).  Police arrest teens for wreaking havoc on   
publisher's voice mail.  Network World 90.11.12:6*

Stoll, C (1990).  The Cuckoo's Egg:  Tracking a spy through the maze of   
computer espionage.  Pocket Books (New York).  ISBN 0-671-72688-9

---  
* References located and retrieved from DIALOG using electronic database  
search but not verified by physical lookup in journal of origin.


