TUCoPS :: Cyber Law :: s_hacker.txt

Computer crime and hackers: How do you estimate the undetected?



by M. E. Kabay, Ph.D.

How do you estimate the undetected?

That's a tough question, and it comes to mind when we try to guess how  
much damage is being caused to information systems users by hackers.   
Information security specialists informally estimate that 80-85% of  
all computer crime is carried out by employees of the victimized firm.   
Most of these criminals are authorized to access the computer system,  
and many can legitimately access the software and data they used in  
their crimes.

The problem is that these estimates are based exclusively on the cases  
that are detected and revealed.  Sally Meglathery, manager of data  
security, audit and contingency planning at a major New York firm and  
president of the Information Systems Security Association, Inc (ISSA),  
an international non-profit group of security managers, was asked  
(Eckerson, 1990), "How many large user organizations really experience  
security problems, and how much money do they really lose?"  She  
replied, "That's hard to tell.  I've read that security breaches cost  
companies $550 million a year, but I don't think anyone really knows.  
Besides, a lot of companies don't report losses from security  
breaches because of the negative publicity that usually follows."

In statistical parlance, we are basing our estimates of the computer  
criminal population on a biased sample:  the ones we know about.

What about all the ones we don't know about?  Are there really  
armies of sinister figures covertly breaking and entering into our  
computers?  Isn't that paranoia?

     Today, there is virtually no system or network, either  
     telecommunications or mainframe computer, that has not been  
     compromised.  Tens of thousands of juveniles, equipped with home  
     computers and modems, regularly make attacks on systems.  
     Hundreds of adults, motivated by the potential for financial  
     gain, openly aid and abet the hackers.  A new breed of criminal  
     is emerging and unfortunately appears to be here to stay.  You  
     can be sure that they are out there right now trying to crack  
     your system! (Maxfield, 1985)

Is believing in sinister figures paranoia if they exist?

For Cliff Stoll, an astrophysicist at the Lawrence Berkeley Laboratory  
in California, the sinister figures existed.  He tells a fine tale in  
his engaging, informative and intelligent best-seller, The Cuckoo's  
Egg.  Seconded from the astronomy section to the computing section  
because of budget cuts, he began a mundane assignment tracking down a  
75-cent discrepancy in the system accounting routines and ended up  
fighting an international ring of determined spies who were cracking  
computer systems all over the United States.  Incidentally, he plays  
himself in a televised version of his story shown on the U.S. Public  
Broadcasting System in the acclaimed NOVA series of science programs;  
it's called "The KGB, the Computer and Me" (Anonymous, 1990b).

History and Current Status  

According to Bloombecker (1986), computer hacking has some of its many  
roots in the evolution of the interstate phone system.  When direct  
distance dialing (DDD) was implemented in the late 1950s, AT&T began  
using audible tones which conveyed switching and billing information  
for the phone network.  These tones can occasionally still be heard  
in the background of a switched phone line when we dial a 
long-distance number; listen for a rapid series of faint sounds  
shortly after you finish dialing or punching the touch-tone buttons.   
The "blue box" became popular around 1961 as a method for avoiding 
long-distance costs.  This device generates the tones used for  
internal communications by the phone system and sent false  
information to the billing office. Thus thieves were able to defraud  
the phone company of their long-distance phone charges.  These people  
became known as "phone phreaks".

Even today, experts say, phone fraud is still a problem.  Eckerson  
(1990) asked Meglathery, "We hear a lot about threats to data  
networks, but what are the big problems with voice nets?"  Meglathery  
answered, "Credit cards are the biggest problem.  Evidently, some kids  
in New York are using binoculars to read the calling card numbers of  
people who are making calls at pay phones.  Phone companies have had  
to write off hundreds of thousands of dollars of bad credit card calls  
as a result."

A recent variation is the voice-mail hacker.  Many organizations use  
sophisticated computer-controlled internal phone systems that give  
every user a private mailbox for storing verbal messages.  In a recent  
case, two teenage brothers from Staten Island, NY caused an estimated  
$2.4 million in lost business and extra work by hacking into  
International Data Group's voice-mail system in New Hampshire (Molloy,  
1990).  The youngsters, angry at not having received a poster promised  
with their magazine subscription, penetrated system security, changed  
mailbox passwords and deleted advertising copy left by phone.  At  
first, technicians assumed there must be a problem with the system.  
However, the vandals began leaving offensive and even obscene outgoing  
messages ostensibly from company employees.  When customers complained  
about the tasteless greetings, management finally realized the system  
was under attack.  The pests were finally trapped by putting a trace  
on the toll-free 800 phone number.

Another root of modern hacking is time-sharing.  This operating system  
development arose in the early 1960s and allows a multitude of users  
the illusion that they have the undivided attention of a computer.  
Thousands of university students became involved in using, modifying  
and creating sophisticated operating systems, thereby gaining 
life-long interest in computing machinery and telecommunications.  
With modems to allow easy communications through ordinary, voice-grade  
switched telephone lines, the stage was set for the birth of the  
modern hacker.

The forced breakup of AT&T around 1980 spawned hundreds of local phone  
companies (sometimes called BOCs, or Bell Operating Companies) who had  
to pass billing codes from company to company as each long-distance  
call flashed across the continent.  Unfortunately, notes Bloombecker,  
AT&T failed to make its ANI (automatic number identification) feature  
available to the BOCs, so it became much more difficult to track  
fraudulent use of the interstate phone system.

Finally, the advent of packet switching networks (e.g., TELENET,  
TYMNET, and DATAPAC) increased the ease with which hackers could reach  
across great distances to attack host computers.  Hackers in major  
cities could simply dial a local call to a handy access node and then  
try hacking their way into any computer on the network--even on the  
other side of a continent.  No more long-distance calls.  Furthermore,   
on most networks, there are no logon IDs for network use proper;   
instead, the host is billed for connect time and then bills its users.   
If a hacker fails to connect properly to a host, there are no penalties  
at all.


Hackers depend on public or private access ports.  If your computer  
cannot be accessed outside your offices, you're probably safe against  
hackers.  It is the combination of switched (dialup) telephone lines  
and inexpensive modems that makes hacking a hobby.  To locate  
telephone numbers, hackers either find them or learn them.  I once  
saw a telephone number printed out as a banner posted on a computer  
room wall (through the glass windows, another no-no) in letters a  
foot high.  It was the dialup modem.  To learn phone numbers, hackers  
ask each other.  It seems that hacker bulletin board systems (BBS;  
see below) routinely traffic in stolen modem numbers.  Even without  
relying on other hackers, if a hacker knows that a particular target  
organization uses a particular exchange (e.g., 342-xxxx), h/she can use  
a brute-force method to find the modem:  just have a computer program  
dial every number in the exchange and record all the numbers that have  
carrier signals.  The modem identifies VOICE or NO CARRIER (no answer)  
and CONNECT 1200 or CONNECT 2400, so it isn't hard to figure out  
what's on each number.

Once the modem has located a carrier signal, the hacker can try logging  
on.  Hackers become expert at identifying the type and operating system  
of computer they've reached.  Some systems, especially simple BBS,  
announce precisely what kind of hardware and software they are running  
on right from the start, even without appropriate IDs.  These systems  
are practically begging for hackers to use their specialized knowledge  
of hardware and software to bypass security.  Others have  
characteristic prompts; e.g., the : that follows a carriage return is  
a giveaway for either an HP3000 or a TANDEM.  The prompt character can be 
changed in some operating systems.  Some operating systems have overly  
helpful error messages; the default set for may lead a hacker step by  
step through the logon process (see box).  A system manager should change 
the messages to substitute something like *INVALID* for all these 
helpful messages.


(lowercase is what the hacker types, UPPERCASE is computer response):

:hello manager  
:hello manager.system  
:hello mgr.sys     
:hello manager.sys  




NO CARRIER [message from modem]


Techniques for guessing passwords range from brute-force battery to 
sneaky psychology.  One brute-force approach would try words drawn from  
an online dictionary; passwords like ROVER and DOLLY would pop up  
eventually during the search.  An even more exhaustive search would  
generate all possible random sequences of the ASCII symbols, starting  
with short combinations and letters only and then moving on to longer  
ones including special symbols.  A more subtle approach works by  
learning about the user of a particular password.  "Dumpster diving"  
involves searching through rubbish looking for discarded information  
that can give clues to probable passwords; researching the user's  
background can lead to possible words too.  These techniques don't work  
unless the user has foolishly chosen words that have personal meaning;  
e.g., names of spouse and children or of favorite sports.

Brute force methods will work efficiently only if the operating system  
allows unlimited, rapid retries after password failures.  The HP3000,  
for example, puts a message on the system console after every bad  
logon attempt.  After three password failures, the system prevents  
further attempts until a configurable delay has expired (e.g., 2  
minutes by default).

Recent developments in password technology may improve our chances  
against hackers (Alexander, 1990a).  A mechanical engineer, Earl R.  
Collins Jr, has devised a system using a symbol matrix for enforcing  
access codes.  Both computer and user need a copy of a a square grid  
containing many codes.  The computer randomly selects any two locations  
on the grid, defining a rectangle; the user would have to name the  
codes on the other two corners of the rectangle.  The number of  
possible rectangles and codes is so large as to be virtually  
uncrackable by brute-force methods.

In the example of logon dialogue shown in the box, the  computer hung up 
its modem.  A hacker would have to redial to get  through for another try, 
slowing down the process and either  frustrating the human or giving an 
operator on the targeted computer a  chance to set up some 


Maxfield (1985) classifies different groups of hackers as follows:

o    Pioneers:  people who were fascinated by the evolving technology  
     of telecommunications and explored it without knowing what they  
     were going to find.  These people included few criminals;  
o    Scamps:  hackers with a sense of fun.  These people do no overt  
     harm (but see later in "Who Cares?");  
o    Explorers:  motivated by their delight in finding out what  
     computer system they have broken into--the further away physically  
     or the more secure, the better.  The children in the movie "War  
     Games" were excited because they broke into NORAD computers;  
o    Game players:  enjoy defeating copy protection and seek systems  
     with games to play.  Hacking may seem like an intelligence test  
     to them--a way to demonstrate their power. One hacker was trapped  
     by enticing him with a game deliberately left on a bank 
     computer--he played for hours while the police and the phone  
     company traced his phone call;

o    Vandals:  these malicious folk deliberately cause damage for no  
     apparent gain to themselves.  The 414 Gang from Milwaukee broke  
     into the Sloan-Kettering Institute's computers and wiped out  
     cancer patients' records and scientists' research data--some fun,  

o    Addicts:  these compulsive nerds may also be addicted to  
     narcotics, and some hacker BBS post information on drugs as well  
     as on modems, passwords and vulnerable systems.

What strikes me about hackers their arrogance.  These people seem to  
feel that their own pleasures or resentments are of supreme importance  
and that normal rules of behavior simply don't apply to them.  Take  
the recent case in which the 17-year old caused $2.4 million damage  
because he didn't get a poster from Gamepro magazine for video game  
players (Alexander, 1990b). Is this the response of a balanced  
adolescent to failure to receive a free poster?

The standard reference work on psychiatric disorders (APA, 1980)  
defines the Narcissistic Personality Disorder in these terms:

     The essential feature is a Personality Disorder... in which there  
     are a grandiose sense of self-importance or uniqueness;  
     preoccupation with fantasies of unlimited success; exhibitionistic  
     need for constant attention and admiration; characteristic  
     responses to threats to self-esteem; and characteristic  
     disturbances in interpersonal relationships, such as feelings of  
     entitlement, interpersonal exploitativeness, relationships that  
     alternate between the extremes of overidealization and  
     devaluation, and lack of empathy....  
     ...In response to criticism, defeat or disappointment, there is  
     either a cool indifference or marked feelings of rage,  
     inferiority, shame, humiliation, or emptiness....  Entitlement,  
     the expectation of special favors without assuming reciprocal  
     responsibilities, is usually present.  For example, surprise and  
     anger are felt because others will not do what is wanted; more is  
     expected from people than is reasonable.

Notice that the 17-year old who trashed the voice-mail system had a  
confederate aged 14; we can imagine the sort of hero-worship the older  
boy basked in as he boasted about damaging the publisher's interests.

In another case, three Atlanta men in their early 20s were convicted  
of repeatedly breaking into BELLSOUTH computer systems, listening to  
private conversations, and stealing confidential data (Alexander,  
1990c).  They were members of "The Legion of Doom," a group of about  
15 expert hackers.  The three were sentenced to 14, 14, and 21 months  
in jail respectively.  They must pay restitution of $233,000 each.  It  
is significant to me that, aside from belonging to the comic-book  
style Legion of Doom, these people identified themselves on the hacker  
networks using grandiose "handles" such as "The Leftist," "The  
Prophet," "The Urvile," and "Necron 99." "Urvile" means something like  
"ultimate evil" and "Necron" has connotations of death and computers  
mixed together (sounds like a new heavy-metal band).  Other hackers 
(Alexander, 1992) identify themselves as "Garbage Heap, Nightcrawler 
Demogorgon, Dark Angel and Time Lord.  They said their ages range from 15 
to 23 years old...." Does this sound mature?

During the 1990 December holiday season, some 25 hackers gathered for  
their "Christmas Con" in a hotel near Houston airport (Anonymous,  
1990).  "After consuming too many beers and pulling fire alarms, the  
group was kicked out of the hotel."  This sort of behavior  
may be associated with Antisocial Personality Disorder.

     The essential feature is... a history of continuous and chronic  
     antisocial behavior in which the rights of others are violated....  
     (APA, 1980).

Dr Percy Black, Professor of Psychology at Pace University in New  
York, commented that there may be an underlying theme in all of these  
cases:  the search for a feeling of power, possibly stemming from a  
deep-seated sense of powerlessness (Black, 1991).  These acts  
therefore serve as over-compensation for inferiority feelings.  He  
added that the apparent immaturity of the hacker may be an expression  
of unresolved feelings of resentment and powerlessness that all of us  
must overcome as we grow up.  The hackers are trying to tell  
themselves, "I can too."  These ideas are associated with the work of  
the psychologist Alfred Adler.

Hackers may be seeking a high--a peak experience.  There is some  
evidence that young people require a higher level of stimulation than  
most adults.  Some people have an abnormally high need for stimulation  
even in adulthood.  Dr Black explained that antisocial behavior may be  
related to inadequate endogenous stimulation; i.e., these people's  
brains don't provide the normal arousal that keeps normal people  
feeling that life is interesting.  Thus some children and adults may  
engage in unacceptable acts because they crave any kind of  
stimulation, regardless of whether it is noise, acclaim or even  

I heard a fascinating lecture by a Professor Csikszentmihalyi at the  
February 1987 Annual Meeting of the American Association for the  
Advancement of Science.  Csikszentmihalyi described "autotelic"  
experiences as those in which the goal lay within the activity itself.  
Such actions are carried on for long periods without obvious extrinsic  
rewards.  Some examples he cited include painters, composers, 
rock-climbers, surgeons and mathematicians.  Many of us who have  
programmed know full well how absorbing the work can be; I remember  
looking at my watch at 17:30, turning back to a program I was writing,  
then looking at my watch again what seemed like a moment later.  It  
was 23:30.  Now, that was an autotelic experience.

Perhaps for hackers, hacking is an autotelic experience.  After all,  
they have unambiguous goals and feedback (two of the characteristics  
Csikszentmihalyi identified) and seem to persist in their attacks.  
Stoll tracked his German hackers for a year.  Hacking may be in part  
an exaggeration of the normal response to the give and take of  
computer usage.

Hacker Bulletin Boards   

Maxfield (1985) estimates that half of all private BBS cater to  
software pirates.  He notes that underground systems usually have  
elaborate security (better than many legitimate organizations'  
security) and some sections hidden from normal users.  Entry into the  
inner sanctum of pirated passwords, break-and-entry techniques for  
specific operating systems, and dialup modem numbers for specific  
victims requires contributing a piece of illegally-obtained  
information.  Maxfield thinks that some BBS are being infiltrated by  
organized crime syndicates because of the potential for selling stolen  
computer components, blackmail, and narcotics distribution.  Pirate  
BBS operators have been known to threaten the lives of undercover  
investigators who have infiltrated their systems.

Why Should We Care?   

At the simplest level, hackers steal.  They steal resources that could  
be used for more productive work.  Some hackers cause obvious damage:  
they destroy or damage data.  But Cliff Stoll identified the  
fundamental problem caused by hackers:  they destroy the climate of  
trust which allows effective communications via computer networks.

Stoll was originally reluctant to cooperate with law-enforcement  
officials.  Anyway, he got little encouragement from them at first.  
Nonetheless, he finally came to the conclusion that the hackers were  
hurting him and every other user of INTERNET, the loosely-run,  
non-commercial network linking thousands of scientific and educational   
institutions around the world:

     Networks aren't made of printed circuits, but of people.  Right  
     now, as I type, through my keyboard I can touch countless  
     others....  My terminal is a door to countless, intricate  
     pathways, leading to untold numbers of neighbors.  Thousands of  
     people trust each other enough to tie their systems together....

     Like the innocent small town invaded in a monster movie, all  
     those people work and play, unaware of how fragile and vulnerable  
     their community is.  It could... consume itself with mutual  
     suspicion, tangle itself up in locks, security checkpoints, and  
     surveillance; wither away by becoming so inaccessible and  
     bureaucratic that nobody would want it anymore.

What Should We Do?  

Everyone concerned about the health of the computer-using community can  
contribute to making it harder for hackers to hack.

o    First, protect your own system.

o    Use passwords properly; change them now and then.

o    Don't give away passwords or modem telephone numbers without good  

o    If you run a computer system, convince yourself and management of  
     the value of a good security monitor and audit trail.

o    Keep your system clock accurate so you can coordinate with other  
     users if you have to track a hacker.

o    Keep helpful hints out of your logon sequence.

o    Identify holes (e.g., passwordless users with powerful  
     capabilities) in your security system; use commercially-available  
     audit programs and plug the holes.

o    Put a warning message into your logon welcome text to threaten  
     legal action against unauthorized users of your system.

Finally, report attacks against your system to your local police force.  
In commenting on the Atlanta case (Alexander, 1990c), William Cook,  
Assistant US Attorney in Chicago, had a message to victims:  "...it is  
worthwhile for you to cooperate when unjustly violated by people who  
hack into your system...."  All of us share responsibility for  
combatting hackers.  Let's work to prevent their nefarious deeds and  
respond decisively when our systems are attacked.


Alexander, M (1990a).  Devising matrix-based computer security.  
Computerworld 24(46):22 (90.11.12)

Alexander, M (1990b).  'Finger hackers' charged with voice-mail crime.  
Computerworld 24(46):46 (90.11.12)

Alexander, M (1990c).  Hackers draw stiff sentences.  Computerworld  
24(48):1 (90.11.26)

Alexander, M (1992).  Challenge, notoriety cited as impetus for virus 
developers.  Computerworld 26(6):1 (92.02.10)

Anonymous (1990a).  Stoll to star in NOVA adaptation.  Computerworld  
24(38):18 (90.09.17)

Anonymous (1990b).  What was in their stockings?  INSIDE LINES section,  
Computerworld 25(1):98 (91.01.07)

APA (1980).  DSM-III:  Diagnostic and Statistical Manual of Mental  
Disorders, Third Edition.  American Psychiatric Association  
(Washington, DC).  P. 315 ff.

Black, P (1991).  Personal communication.

Bloombecker, J (1986).  A security manager's guide to hacking.  DATAPRO   

Csikszentmihalyi, M. (1990).  Flow:  The Psychology of Optimal Experience.  
Harper & Row (New York).  ISBN 0-06-016253-8.

Eckerson, W (1990).  IS security exec tells of risks, strategies.    
Network World 90.09.03:21*

Fisher, S (1990).  Bringing Bill of Rights into Computer Age.  
BYTE 15(9)28 (90.09)*

Maxfield, J (1985).  Computer bulletin boards and the hacker problem.   
EDPACS, The EDP Audit, Control and Security Newsletter, October 1985.   
Published by Automation Training Center, 11250 Roger Bacon Drive, No.   
17, Arlington, VA 22090.

Molloy, M (1990).  Police arrest teens for wreaking havoc on   
publisher's voice mail.  Network World 90.11.12:6*

Stoll, C (1990).  The Cuckoo's Egg:  Tracking a spy through the maze of   
computer espionage.  Pocket Books (New York).  ISBN 0-671-72688-9

* References located and retrieved from DIALOG using electronic database  
search but not verified by physical lookup in journal of origin.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH