TEXT: COMPUTER CRIME: HACKERS by M. E. Kabay, Ph.D. How do you estimate the undetected? That's a tough question, and it comes to mind when we try to guess how much damage is being caused to information systems users by hackers. Information security specialists informally estimate that 80-85% of all computer crime is carried out by employees of the victimized firm. Most of these criminals are authorized to access the computer system, and many can legitimately access the software and data they used in their crimes. The problem is that these estimates are based exclusively on the cases that are detected and revealed. Sally Meglathery, manager of data security, audit and contingency planning at a major New York firm and president of the Information Systems Security Association, Inc (ISSA), an international non-profit group of security managers, was asked (Eckerson, 1990), "How many large user organizations really experience security problems, and how much money do they really lose?" She replied, "That's hard to tell. I've read that security breaches cost companies $550 million a year, but I don't think anyone really knows. Besides, a lot of companies don't report losses from security breaches because of the negative publicity that usually follows." In statistical parlance, we are basing our estimates of the computer criminal population on a biased sample: the ones we know about. What about all the ones we don't know about? Are there really armies of sinister figures covertly breaking and entering into our computers? Isn't that paranoia? Today, there is virtually no system or network, either telecommunications or mainframe computer, that has not been compromised. Tens of thousands of juveniles, equipped with home computers and modems, regularly make attacks on systems. Hundreds of adults, motivated by the potential for financial gain, openly aid and abet the hackers. A new breed of criminal is emerging and unfortunately appears to be here to stay. You can be sure that they are out there right now trying to crack your system! (Maxfield, 1985) Is believing in sinister figures paranoia if they exist? For Cliff Stoll, an astrophysicist at the Lawrence Berkeley Laboratory in California, the sinister figures existed. He tells a fine tale in his engaging, informative and intelligent best-seller, The Cuckoo's Egg. Seconded from the astronomy section to the computing section because of budget cuts, he began a mundane assignment tracking down a 75-cent discrepancy in the system accounting routines and ended up fighting an international ring of determined spies who were cracking computer systems all over the United States. Incidentally, he plays himself in a televised version of his story shown on the U.S. Public Broadcasting System in the acclaimed NOVA series of science programs; it's called "The KGB, the Computer and Me" (Anonymous, 1990b). History and Current Status -------------------------- According to Bloombecker (1986), computer hacking has some of its many roots in the evolution of the interstate phone system. When direct distance dialing (DDD) was implemented in the late 1950s, AT&T began using audible tones which conveyed switching and billing information for the phone network. These tones can occasionally still be heard in the background of a switched phone line when we dial a long-distance number; listen for a rapid series of faint sounds shortly after you finish dialing or punching the touch-tone buttons. The "blue box" became popular around 1961 as a method for avoiding long-distance costs. This device generates the tones used for internal communications by the phone system and sent false information to the billing office. Thus thieves were able to defraud the phone company of their long-distance phone charges. These people became known as "phone phreaks". Even today, experts say, phone fraud is still a problem. Eckerson (1990) asked Meglathery, "We hear a lot about threats to data networks, but what are the big problems with voice nets?" Meglathery answered, "Credit cards are the biggest problem. Evidently, some kids in New York are using binoculars to read the calling card numbers of people who are making calls at pay phones. Phone companies have had to write off hundreds of thousands of dollars of bad credit card calls as a result." A recent variation is the voice-mail hacker. Many organizations use sophisticated computer-controlled internal phone systems that give every user a private mailbox for storing verbal messages. In a recent case, two teenage brothers from Staten Island, NY caused an estimated $2.4 million in lost business and extra work by hacking into International Data Group's voice-mail system in New Hampshire (Molloy, 1990). The youngsters, angry at not having received a poster promised with their magazine subscription, penetrated system security, changed mailbox passwords and deleted advertising copy left by phone. At first, technicians assumed there must be a problem with the system. However, the vandals began leaving offensive and even obscene outgoing messages ostensibly from company employees. When customers complained about the tasteless greetings, management finally realized the system was under attack. The pests were finally trapped by putting a trace on the toll-free 800 phone number. Another root of modern hacking is time-sharing. This operating system development arose in the early 1960s and allows a multitude of users the illusion that they have the undivided attention of a computer. Thousands of university students became involved in using, modifying and creating sophisticated operating systems, thereby gaining life-long interest in computing machinery and telecommunications. With modems to allow easy communications through ordinary, voice-grade switched telephone lines, the stage was set for the birth of the modern hacker. The forced breakup of AT&T around 1980 spawned hundreds of local phone companies (sometimes called BOCs, or Bell Operating Companies) who had to pass billing codes from company to company as each long-distance call flashed across the continent. Unfortunately, notes Bloombecker, AT&T failed to make its ANI (automatic number identification) feature available to the BOCs, so it became much more difficult to track fraudulent use of the interstate phone system. Finally, the advent of packet switching networks (e.g., TELENET, TYMNET, and DATAPAC) increased the ease with which hackers could reach across great distances to attack host computers. Hackers in major cities could simply dial a local call to a handy access node and then try hacking their way into any computer on the network--even on the other side of a continent. No more long-distance calls. Furthermore, on most networks, there are no logon IDs for network use proper; instead, the host is billed for connect time and then bills its users. If a hacker fails to connect properly to a host, there are no penalties at all. Techniques ---------- Hackers depend on public or private access ports. If your computer cannot be accessed outside your offices, you're probably safe against hackers. It is the combination of switched (dialup) telephone lines and inexpensive modems that makes hacking a hobby. To locate telephone numbers, hackers either find them or learn them. I once saw a telephone number printed out as a banner posted on a computer room wall (through the glass windows, another no-no) in letters a foot high. It was the dialup modem. To learn phone numbers, hackers ask each other. It seems that hacker bulletin board systems (BBS; see below) routinely traffic in stolen modem numbers. Even without relying on other hackers, if a hacker knows that a particular target organization uses a particular exchange (e.g., 342-xxxx), h/she can use a brute-force method to find the modem: just have a computer program dial every number in the exchange and record all the numbers that have carrier signals. The modem identifies VOICE or NO CARRIER (no answer) and CONNECT 1200 or CONNECT 2400, so it isn't hard to figure out what's on each number. Once the modem has located a carrier signal, the hacker can try logging on. Hackers become expert at identifying the type and operating system of computer they've reached. Some systems, especially simple BBS, announce precisely what kind of hardware and software they are running on right from the start, even without appropriate IDs. These systems are practically begging for hackers to use their specialized knowledge of hardware and software to bypass security. Others have characteristic prompts; e.g., the : that follows a carriage return is a giveaway for either an HP3000 or a TANDEM. The prompt character can be changed in some operating systems. Some operating systems have overly helpful error messages; the default set for may lead a hacker step by step through the logon process (see box). A system manager should change the messages to substitute something like *INVALID* for all these helpful messages. +---------------------------------------------------------------------+ A HACKER/COMPUTER DIALOGUE (lowercase is what the hacker types, UPPERCASE is computer response): : :logon EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON. (CIERR 1402) :hello HELLO EXPECTED [SESSION NAME,] USER.ACCT [,GROUP] (CIERR 1424) :hello manager HELLO MANAGER EXPECTED ACCOUNT NAME. (CIERR 1426) :hello manager.system HELLO MANAGER.SYSTEM NON-EXISTENT ACCOUNT. (CIERR 1437) :hello mgr.sys HELLO MGR.SYS ACCT EXISTS, USER NAME DOESN'T. (CIERR 1438) :hello manager.sys ENTER USER (MANAGER) PASSWORD: ENTER USER (MANAGER) PASSWORD: ENTER USER (MANAGER) PASSWORD: INCORRECT PASSWORD. (CIERR 1441) NO CARRIER [message from modem] +---------------------------------------------------------------------+ Techniques for guessing passwords range from brute-force battery to sneaky psychology. One brute-force approach would try words drawn from an online dictionary; passwords like ROVER and DOLLY would pop up eventually during the search. An even more exhaustive search would generate all possible random sequences of the ASCII symbols, starting with short combinations and letters only and then moving on to longer ones including special symbols. A more subtle approach works by learning about the user of a particular password. "Dumpster diving" involves searching through rubbish looking for discarded information that can give clues to probable passwords; researching the user's background can lead to possible words too. These techniques don't work unless the user has foolishly chosen words that have personal meaning; e.g., names of spouse and children or of favorite sports. Brute force methods will work efficiently only if the operating system allows unlimited, rapid retries after password failures. The HP3000, for example, puts a message on the system console after every bad logon attempt. After three password failures, the system prevents further attempts until a configurable delay has expired (e.g., 2 minutes by default). Recent developments in password technology may improve our chances against hackers (Alexander, 1990a). A mechanical engineer, Earl R. Collins Jr, has devised a system using a symbol matrix for enforcing access codes. Both computer and user need a copy of a a square grid containing many codes. The computer randomly selects any two locations on the grid, defining a rectangle; the user would have to name the codes on the other two corners of the rectangle. The number of possible rectangles and codes is so large as to be virtually uncrackable by brute-force methods. In the example of logon dialogue shown in the box, the computer hung up its modem. A hacker would have to redial to get through for another try, slowing down the process and either frustrating the human or giving an operator on the targeted computer a chance to set up some counter-measures. Psychology ---------- Maxfield (1985) classifies different groups of hackers as follows: o Pioneers: people who were fascinated by the evolving technology of telecommunications and explored it without knowing what they were going to find. These people included few criminals; o Scamps: hackers with a sense of fun. These people do no overt harm (but see later in "Who Cares?"); o Explorers: motivated by their delight in finding out what computer system they have broken into--the further away physically or the more secure, the better. The children in the movie "War Games" were excited because they broke into NORAD computers; o Game players: enjoy defeating copy protection and seek systems with games to play. Hacking may seem like an intelligence test to them--a way to demonstrate their power. One hacker was trapped by enticing him with a game deliberately left on a bank computer--he played for hours while the police and the phone company traced his phone call; o Vandals: these malicious folk deliberately cause damage for no apparent gain to themselves. The 414 Gang from Milwaukee broke into the Sloan-Kettering Institute's computers and wiped out cancer patients' records and scientists' research data--some fun, eh? o Addicts: these compulsive nerds may also be addicted to narcotics, and some hacker BBS post information on drugs as well as on modems, passwords and vulnerable systems. What strikes me about hackers their arrogance. These people seem to feel that their own pleasures or resentments are of supreme importance and that normal rules of behavior simply don't apply to them. Take the recent case in which the 17-year old caused $2.4 million damage because he didn't get a poster from Gamepro magazine for video game players (Alexander, 1990b). Is this the response of a balanced adolescent to failure to receive a free poster? The standard reference work on psychiatric disorders (APA, 1980) defines the Narcissistic Personality Disorder in these terms: The essential feature is a Personality Disorder... in which there are a grandiose sense of self-importance or uniqueness; preoccupation with fantasies of unlimited success; exhibitionistic need for constant attention and admiration; characteristic responses to threats to self-esteem; and characteristic disturbances in interpersonal relationships, such as feelings of entitlement, interpersonal exploitativeness, relationships that alternate between the extremes of overidealization and devaluation, and lack of empathy.... ...In response to criticism, defeat or disappointment, there is either a cool indifference or marked feelings of rage, inferiority, shame, humiliation, or emptiness.... Entitlement, the expectation of special favors without assuming reciprocal responsibilities, is usually present. For example, surprise and anger are felt because others will not do what is wanted; more is expected from people than is reasonable. Notice that the 17-year old who trashed the voice-mail system had a confederate aged 14; we can imagine the sort of hero-worship the older boy basked in as he boasted about damaging the publisher's interests. In another case, three Atlanta men in their early 20s were convicted of repeatedly breaking into BELLSOUTH computer systems, listening to private conversations, and stealing confidential data (Alexander, 1990c). They were members of "The Legion of Doom," a group of about 15 expert hackers. The three were sentenced to 14, 14, and 21 months in jail respectively. They must pay restitution of $233,000 each. It is significant to me that, aside from belonging to the comic-book style Legion of Doom, these people identified themselves on the hacker networks using grandiose "handles" such as "The Leftist," "The Prophet," "The Urvile," and "Necron 99." "Urvile" means something like "ultimate evil" and "Necron" has connotations of death and computers mixed together (sounds like a new heavy-metal band). Other hackers (Alexander, 1992) identify themselves as "Garbage Heap, Nightcrawler Demogorgon, Dark Angel and Time Lord. They said their ages range from 15 to 23 years old...." Does this sound mature? During the 1990 December holiday season, some 25 hackers gathered for their "Christmas Con" in a hotel near Houston airport (Anonymous, 1990). "After consuming too many beers and pulling fire alarms, the group was kicked out of the hotel." This sort of behavior may be associated with Antisocial Personality Disorder. The essential feature is... a history of continuous and chronic antisocial behavior in which the rights of others are violated.... (APA, 1980). Dr Percy Black, Professor of Psychology at Pace University in New York, commented that there may be an underlying theme in all of these cases: the search for a feeling of power, possibly stemming from a deep-seated sense of powerlessness (Black, 1991). These acts therefore serve as over-compensation for inferiority feelings. He added that the apparent immaturity of the hacker may be an expression of unresolved feelings of resentment and powerlessness that all of us must overcome as we grow up. The hackers are trying to tell themselves, "I can too." These ideas are associated with the work of the psychologist Alfred Adler. Hackers may be seeking a high--a peak experience. There is some evidence that young people require a higher level of stimulation than most adults. Some people have an abnormally high need for stimulation even in adulthood. Dr Black explained that antisocial behavior may be related to inadequate endogenous stimulation; i.e., these people's brains don't provide the normal arousal that keeps normal people feeling that life is interesting. Thus some children and adults may engage in unacceptable acts because they crave any kind of stimulation, regardless of whether it is noise, acclaim or even punishment. I heard a fascinating lecture by a Professor Csikszentmihalyi at the February 1987 Annual Meeting of the American Association for the Advancement of Science. Csikszentmihalyi described "autotelic" experiences as those in which the goal lay within the activity itself. Such actions are carried on for long periods without obvious extrinsic rewards. Some examples he cited include painters, composers, rock-climbers, surgeons and mathematicians. Many of us who have programmed know full well how absorbing the work can be; I remember looking at my watch at 17:30, turning back to a program I was writing, then looking at my watch again what seemed like a moment later. It was 23:30. Now, that was an autotelic experience. Perhaps for hackers, hacking is an autotelic experience. After all, they have unambiguous goals and feedback (two of the characteristics Csikszentmihalyi identified) and seem to persist in their attacks. Stoll tracked his German hackers for a year. Hacking may be in part an exaggeration of the normal response to the give and take of computer usage. Hacker Bulletin Boards ---------------------- Maxfield (1985) estimates that half of all private BBS cater to software pirates. He notes that underground systems usually have elaborate security (better than many legitimate organizations' security) and some sections hidden from normal users. Entry into the inner sanctum of pirated passwords, break-and-entry techniques for specific operating systems, and dialup modem numbers for specific victims requires contributing a piece of illegally-obtained information. Maxfield thinks that some BBS are being infiltrated by organized crime syndicates because of the potential for selling stolen computer components, blackmail, and narcotics distribution. Pirate BBS operators have been known to threaten the lives of undercover investigators who have infiltrated their systems. Why Should We Care? ------------------- At the simplest level, hackers steal. They steal resources that could be used for more productive work. Some hackers cause obvious damage: they destroy or damage data. But Cliff Stoll identified the fundamental problem caused by hackers: they destroy the climate of trust which allows effective communications via computer networks. Stoll was originally reluctant to cooperate with law-enforcement officials. Anyway, he got little encouragement from them at first. Nonetheless, he finally came to the conclusion that the hackers were hurting him and every other user of INTERNET, the loosely-run, non-commercial network linking thousands of scientific and educational institutions around the world: Networks aren't made of printed circuits, but of people. Right now, as I type, through my keyboard I can touch countless others.... My terminal is a door to countless, intricate pathways, leading to untold numbers of neighbors. Thousands of people trust each other enough to tie their systems together.... Like the innocent small town invaded in a monster movie, all those people work and play, unaware of how fragile and vulnerable their community is. It could... consume itself with mutual suspicion, tangle itself up in locks, security checkpoints, and surveillance; wither away by becoming so inaccessible and bureaucratic that nobody would want it anymore. What Should We Do? ------------------ Everyone concerned about the health of the computer-using community can contribute to making it harder for hackers to hack. o First, protect your own system. o Use passwords properly; change them now and then. o Don't give away passwords or modem telephone numbers without good reason. o If you run a computer system, convince yourself and management of the value of a good security monitor and audit trail. o Keep your system clock accurate so you can coordinate with other users if you have to track a hacker. o Keep helpful hints out of your logon sequence. o Identify holes (e.g., passwordless users with powerful capabilities) in your security system; use commercially-available audit programs and plug the holes. o Put a warning message into your logon welcome text to threaten legal action against unauthorized users of your system. Finally, report attacks against your system to your local police force. In commenting on the Atlanta case (Alexander, 1990c), William Cook, Assistant US Attorney in Chicago, had a message to victims: "...it is worthwhile for you to cooperate when unjustly violated by people who hack into your system...." All of us share responsibility for combatting hackers. Let's work to prevent their nefarious deeds and respond decisively when our systems are attacked. References ---------- Alexander, M (1990a). Devising matrix-based computer security. Computerworld 24(46):22 (90.11.12) Alexander, M (1990b). 'Finger hackers' charged with voice-mail crime. Computerworld 24(46):46 (90.11.12) Alexander, M (1990c). Hackers draw stiff sentences. Computerworld 24(48):1 (90.11.26) Alexander, M (1992). Challenge, notoriety cited as impetus for virus developers. Computerworld 26(6):1 (92.02.10) Anonymous (1990a). Stoll to star in NOVA adaptation. Computerworld 24(38):18 (90.09.17) Anonymous (1990b). What was in their stockings? INSIDE LINES section, Computerworld 25(1):98 (91.01.07) APA (1980). DSM-III: Diagnostic and Statistical Manual of Mental Disorders, Third Edition. American Psychiatric Association (Washington, DC). P. 315 ff. Black, P (1991). Personal communication. Bloombecker, J (1986). A security manager's guide to hacking. DATAPRO REPORTS ON INFORMATION SECURITY, report #IS35-450-101. Csikszentmihalyi, M. (1990). Flow: The Psychology of Optimal Experience. Harper & Row (New York). ISBN 0-06-016253-8. Eckerson, W (1990). IS security exec tells of risks, strategies. Network World 90.09.03:21* Fisher, S (1990). Bringing Bill of Rights into Computer Age. BYTE 15(9)28 (90.09)* Maxfield, J (1985). Computer bulletin boards and the hacker problem. EDPACS, The EDP Audit, Control and Security Newsletter, October 1985. Published by Automation Training Center, 11250 Roger Bacon Drive, No. 17, Arlington, VA 22090. Molloy, M (1990). Police arrest teens for wreaking havoc on publisher's voice mail. Network World 90.11.12:6* Stoll, C (1990). The Cuckoo's Egg: Tracking a spy through the maze of computer espionage. Pocket Books (New York). ISBN 0-671-72688-9 --- * References located and retrieved from DIALOG using electronic database search but not verified by physical lookup in journal of origin.