GEN 110 - Freshman Seminar: Computers and Society- Hacking

GEN 110 - Freshman Seminar: Computers and Society

Dr. R. M. Siegfried

Hacking

What is Hacking?

The word to hack means "to cut irregularly; to notch, to mangle; to let out for hire." In terms of computers hacking originally meant to work your way through a computer system or through a computer program in an attempt to figure out how it worked.

Steven Levy, in his book Hackers: Heroes of the Computer Revolution speaks about the earliest generation of computer hackers, many of whom worked at MIT Artificial Intelligence Lab, who spent countless hours working on computer programs. Many of these people had a profound impact on the early generations of PCs. Levy characterized these early hackers as "adventurers, visionaries, risk-takers, artists " and "the ones who most clearly saw why the computer was truly a revolutionary tool."

Hackers conducted themselves in accordance with the Hacker Ethic, which was "Access to computers - and anything which might teach you about the way the world works " should be unlimited and total. Always yield to the Hands-On Imperative." Richard Stallman, who wrote EMACS (the text editor) and started the GNU Project (which products open source software) was (and remains) one of the last guardians of the Hacker Ethic.

The most common current usage of the term computer hacker is someone who attempts to achieve access to computer systems and computer files to which (s)he is or they are not authorized. These people are also known as crackers, a term that more accurately describes their chosen activity, which is breaking into computer systems and computer files for which they do not have authorized access:

According to Levy, hacking as we understand it - that is, involving the use of computer - began to emerge only with the development of time-shared systems. Hacking then spread quickly once VDTs allowed users to interact with a machine directly rather than through the remote mechanism of card-based batch processing. Yet, even then, hacking referred to a much more noble set of activities than the criminal acts that are described by the term today. Hacking was an elite art practiced by small groups of extremely gifted individuals. It generated its own set of folk heroes, huge rivalries, eccentricities, and cult rituals. But, above all, this early form of hacking was about intellectual challenge and not malicious damage. Levy portrays this period as a sort of golden era of hacking, which mainly took place at two major sites - MIT and Stanford University in California. For most hackers at this time, their chief interest lay in understanding the innards of a system down to the last chip and the last line of the operating system. The software they wrote was for public display, use and further development and was their major source of self- esteem, challenge and socialization.[Forester, Tom and Perry Morrison, Computer Ethics: Cautionary Tales and Ethical Dilemmas In Computing, MIT Press, 1994, p. 76.]

Even within the "hacker" community (by the current definition of the term), there are gradations:

There are two types of hackers: ethical pros, who wear the "hacker" label with great pride, and CyberRambos, punks who are more correctly called "crackers".

Ethical pros are highly skilled computer professionals who hire out their skills to organizations concerned about their own network's safety. Essentially, ethical hackers will, with your full knowledge and permission, try to break into your site to find the weaknesses, and then help you fix them. Ethical hackers also are software developers who write security and firewall software, and "hack" as a way to test their products. Ethical hackers never break into a site without the owner's permission, and they do so only to help make the site more secure in the end. They do no damage, and they have very strict ethical codes governing their work.

We don't worry about ethical hackers here.

We do worry about the other kind, the kind I call CyberRambos, the ones ethical hackers despise and hate, dubbing them "crackers" because they "crack" (break) systems instead of just finding holes in them. Crackers are usually teens or early twentysomethings who break into other people's computer systems for a variety of reasons, mostly having to do with ego, showing off, status, thrills, and the challenge of doing Bad Things without getting caught. They have websites and newsgroups where they boast of their conquests to other CyberRambos. They give themselves trendy "handles," have websites full of anti-authoritarian rants, and generally just make cybertrouble, as teenagers in any subculture will do. [ http://psy.ucsd.edu/psynet/security/hackers.html]

Hackers fall into several different categories:

Network hackers - who try to break the security of computer network, either crashing web sites, altering them or destroying data:

Once hackers get onto the machines that host networks, they can alter or remove files, steal information and erase the evidence of those activities. But many hackers break security systems just to see if they can do it. They may enter the system, look at the data within and never go back. For these hackers, it's more a test of skill than an attempt to steal or alter data. [http://www.cnn.com/TECH/specials/hackers/primer/]

Software hackers - who try to break the security of popular software programs so they can be pirated:

These hackers develop their own software that can circumnavigate or falsify the security measures that keep the application from being replicated on a PC. For instance, you have a piece of software that requires a serial number to install. A software hacker does this in much the same way that network hackers attack network security. They may set up a serial number generator that tries millions of combinations of numbers and letters until it finds one that matches. The hacker could also attack the program at the assembly-code level, finding and altering the security measures. [http://www.cnn.com/TECH/specials/hackers/primer/]

What are these "system crackers" actually capable of?

Most of them simply exploit holes in the security of common Unix-based systems. These holes are well-known and well-documented, and the patches to fix them are easy to find. The only reason these people get in is that someone is too busy (or lazy) to keep up with the security issues as they're identified. In the last six years, with the explosion in popularity of the Internet, there has been a great deal more awareness of this problem, and the system cracker is finding it much more difficult to operate -- but those who do are generally the most skilled, and the most dangerous, of the bunch.

Until recently, this group has been made up almost entirely of teenage boys, whose purpose was simply to prove themselves and see what they could get away with: a digital version of joyriding. Reports indicate that this is changing; the majority are now older, and their purposes are more monetary, stealing information for themselves or to sell to other corporations, or holding it for ransom. In one widely-reported case, a cracker hijacked a British military satellite and held it for ransom.

While they can be dangerous, this group is kept mostly in check by the hundreds of system programmers and system administrators who do battle with them every day. The press these system crackers receive when they're successful is proof itself that these successes are unusual -- if they weren't, they wouldn't be news. Script Kiddies?

"Script Kiddies" is the name given to unskilled system-cracker (or virus- writer) wanna-be's who rely on tools ("scripts") written by more skilled crackers. Though they wish otherwise, they are mostly harmless, not even qualifying as a mild annoyance to anyone who has kept up with security patches. They rely on the fact that if you look at enough systems, you're going to find a few that are vulnerable.

How do they get in?

There are some common techniques that hackers will try:

Scanning - a brute force attempt to find telephone numbers connected to modems, valid credit numbers, user names and passwords. These are normally done using computer programs that automatically try various combinations, noting the ones that work. (Matthew Broderick's character used this approach in the movie War Games.)
Stolen Passwords - Many people tend to choose passwords that are easy to guess, especially if you know the people whose passwords you are trying to steal. Usernames are frequently easy to obtain (using the utility finger and other online tools). In other cases, many users will write down their passwords, sometimes even together with the user names.
Trials of passwords - Some hackers will maintain passwords dictionaries that they will try, including common nicknames, and so on.
Exploiting security loopholes - Some computer systems have dummy accounts predefined with standard predefined passwords (or no password at all). Hackers familiar with these systems know to try these security loopholes first. (Not that different from looking for a key under the doormat.)
Trojan Horses - leaving a computer set up to look like you're ready to log in to the e-mail system, except its not the communications program. It's a fake designed to look like it. Instead it grabs your user name and password and saves it and pretends to disconnect.
Network Hacking Methods - include packet sniffers and buffer overflow and Denial of Service
- Packet Sniffers
  Network data travels through network media in variable sized packets. These packets, of course, are never seen in their raw form, as a series of network protocol rules convert such packets to data that applications can interpret and display. However, before data packet arrives at the recipient's computer, the packet can be snatched out of the media by packet sniffing software.
  Because such utilities, like Telnet or SNMP, were designed to send passwords over network media in plaintext, or unencrypted form, passwords can be easily compromised using this method. Note that packet sniffers are capturing utilities, and cannot be used to actually modify any of the seized data packets. Sniffers can capture data within multiple protocols, like IP (Internet Protocol), UDP (User Datagram Protocol) and TCP (Transmission Control Protocol), allowing a single application to function well within a wide array of computing environments. [http://geekphilosopher.com/MainPage/webHackers.htm]
- Buffer overflow
  When data is sent over networks, the receiving computer must allocate enough memory to handle the incoming data packets. The space that incoming packets are stored in is called the buffer. If the operating system does a poor job of managing the buffer, or if the buffer overflows, problems occur. Because applications now check the size of the receiving data before placed within the buffer, poorly designed applications often fall prey to this type of attack.
  The Unix program Sendmail, used on the Internet for sending mail from a form to an e-mail address, has a widely known vulnerability to buffer overflows and is often attacked. If packets are sent to the destination at a high rate of speed, the computer or program can be rendered useless. This leads us to DoS attacks, which is extremely similar to the logic behind buffer overflows. [http://geekphilosopher.com/MainPage/webHackers.htm]
- DoS (Denial of Service) attacks
  Lately, Denial of Service attacks have become a popular method to overflow the destination computer system with packets of information. The purpose of a DoS attack is to utilize as many system resources as possible, disabling the system from performing any other task. This, essentially, is denying service to legitimate users.
  DoS attacks are usually performed from a very high-speed network to a network of the same speed, or slower. If the initiating network, or the network the hacker is on, is fast enough, the hacker can instruct his or her computer to flood the destination network with packets of information. This type of attack, however, gets especially hairy when we talk about distributed DoS attacks.
  A distributed attack, as you might have guessed, consists of more than one initiating network and, therefore, more than one hacker working together. A group of hackers will, at the same time and from different, high-speed networks, flood the destination system with data packets. In extreme circumstances, thousands of hackers on thousands of networks can send data to a single machine, clearly rendering it useless. These types of attacks are almost impossible to stop after it starts, as eBay and Yahoo found out a couple years ago.
  One way to gain access to more computers and, therefore, more data packets, is to send a ping request to all computers on a network. A ping is simply an electronic pulse whose sole purpose is to detect the presense of a machine by IP address. Once the destination machine receives the ping, it sends a response back to the originating system that sent the ping. That said, the hacker simply forges the initiation computer's address to the victim's IP address, sends pings out to large networks, and each computer system will send a response back to the victim's system instead of the actual sending (the hacker's) machine. This is known as a smurf attack. [http://geekphilosopher.com/MainPage/webHackers.htm]

The Notorious

Kevin Mitnick

Kevin Mitnick was regarded as one of the most notorious hackers of his time, with the news of his capture in 1995 appearing on the front page of The New York Times. He is rumored to have trashed the credit report of the attorney who prosecuted him, disconnected the phone service of the judge who sentenced him and terms of his parole required that he not work with or even touch a computer. Mitnick, was born in Los Angeles in the mid 1960s and reached adolescence in the late 1970s as the home computer revolution started. He got involved with a group of "phone phreaks", people who enjoyed discovering all the machinations of the nation's telephone system. Through his involvement with the phone phreaks, he learned the art of "social engineering." Social engineers, are hackers who pretend to work for the phone company or be computer service technicians and scam people into giving them information that gave them access to equipment, files and systems to which they were not entitled.

Mitnick has been arrested and convicted of several computer-related crimes. They include a telephone company break-in, trespassing on the campus of the University of Southern California and theft of services (computer time and ARPAnet access) as well as hacking into the computer system of computer security expert Tsutomu Shimomura and stealing hundreds of thousands of dollars in cellphone service. Mitnick recently finished his parole without incident, wrote a book on safeguarding computer and information assets and started a computer security consulting business, whose web site was recently hacked.

Masters of Disaster

The Master of Disaster were a group of gang of hackers who live in the New York City Borough of Queens who hacked into the telephone company computers. They were believed to be responsible for the crashing of AT&T's long distance network because of their attempts to alter the software.

Project Equalizer

Project Equalizer involved a group of West German hackers who eventually hacked their way into a computer system at the Lawrence Berkeley Laboratory. Their breach was discovered by system administrator Cliff Stoll because of a 75-cent accounting error that he tried to correct. Eventually, they were caught. But it was due almost entirely to Stoll's single-minded dedication to tracking them down and gaining the cooperation of Federal and West German investigators. When they were caught, they were attempting to sell U. S. defense-related computer data to the East German Secret Police.

Personality Characteristics of Hackers

The most obvious common `personality' characteristics of hackers are high intelligence, consuming curiosity, and facility with intellectual abstractions. Also, most hackers are `neophiles', stimulated by and appreciative of novelty (especially intellectual novelty). Most are also relatively individualistic and anti-conformist.

Although high general intelligence is common among hackers, it is not the sine qua non one might expect. Another trait is probably even more important: the ability to mentally absorb, retain, and reference large amounts of `meaningless' detail, trusting to later experience to give it context and meaning. A person of merely average analytical intelligence who has this trait can become an effective hacker, but a creative genius who lacks it will swiftly find himself outdistanced by people who routinely upload the contents of thick reference manuals into their brains. [During the production of the first book version of this document, for example, I learned most of the rather complex typesetting language TeX over about four working days, mainly by inhaling Knuth's 477-page manual. My editor's flabbergasted reaction to this genuinely surprised me, because years of associating with hackers have conditioned me to consider such performances routine and to be expected. --ESR]

Contrary to stereotype, hackers are not usually intellectually narrow; they tend to be interested in any subject that can provide mental stimulation, and can often discourse knowledgeably and even interestingly on any number of obscure subjects -- if you can get them to talk at all, as opposed to, say, going back to their hacking. [ http://jargon.watson-net.com/section.asp?f=personality-characteristics.html]

What Does the Law Say?

Under the Computer Fraud and Abuse Act, as amended in 1996, states:

Whoever --

having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:
intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1- year period;
knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
1. intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
2. intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
1. such trafficking affects interstate or foreign commerce; or
2. such computer is used by or for the Government of the United States;
with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;

shall be punished as provided in subsection (c) of this section. [http://www.rent-a-hacker.com/hacklaw.htm]

How Do You Protect Yourself?

"[The] human factor is truly security's weakest link"- Kevin Mitnick

Some Guidelines For Protecting Yourself and The Network

First: Choose good passwords. Our security is only as good as our weakest password. Don't let it be yours!
Second: Make sure that you know who has access to your lab and office computers. Are students or strangers ever left alone with networked computers? Think about your lab routines; modify them if necessary so only authorized personnel have access to your computers.
Third: Don't share your password. If someone needs access and they do not have their own password, send me a note and I will set them up with one. If you have files you need to share, contact me and we can set up a secure shared folder on your computer or on the server, instead of you giving out your password.
Fourth: Some labs have a single lab login and password for shared resources. I know this is convenient, but it is also very insecure. If you use this method for shared access, come talk to me. I can often come up with alternate methods to do the same thing, without several folks sharing the same account. (That is, after all, my job.) One example: I can set up a lab GROUP, instead of a lab user, and make all the individual accounts members of that group. You can then access resources belonging to that group with your own private password. I can easily add members as you get new lab folks in, or delete them from the group as they move on, without having to change the password for the entire lab.
Fifth: If for some reason you do have a single lab password, please make sure you change it every time someone who knows the password leaves, graduates, whatever.
Sixth: If you set up a shared folder on your computer, always make sure you use a password to protect it.

[http://psy.ucsd.edu/psynet/security/hackers.html]

How To Pick A Good Password

DON'T use these in your password!

If you use any of the following, it's just a matter of time before some cyberpunk finds you:

Words found in any dictionary, English or foreign language;
Standard abbreviations in any language;
Proper names, any language, including nicknames, but ESPECIALLY names of family members, friends, spouses, famous folk;
Character names, place names, catch phrases, or buzzwords from any movie, book, or other popular media;
Personal info such as important dates (like a birthday), pet names, nicknames, boat names, hobby terminology, phone or license numbers, favorite sayings, mottos, what it says on your favorite teeshirt;
Passwords you have used on other systems, particularly passwords you use for internet sites and online shopping;
Acronyms of any of the above. For example, say you like Star Trek. You think that WNOHGB4 would be a great password--random, right? Mixture of letters and numbers, right? Wrong. "Where No One Has Gone Before" -- it's been done. Been cracked. Trust me.
Sports phrases, people, terms, and so forth.

DO choose a password that has the following:

Characteristics of a good password:

A combination of letters, numbers, and/or symbols;
At least six characters, preferably eight;
Mixed upper and lower cases;
Not too much repetition ("xdxd...." is not a good one, for example);

Examples of Secure Passwords

CAVEAT: Do NOT, under any circumstances, use one of these examples as a password for yourself on any computer system!!! Hackers are smart enough to spot a departmental web page titled "Choosing a Secure Password" and make note of the contents...
mBh4C1tg
Ps1t;F4mt
(At this point, you think I'm nuts.)

Good passwords are not simply word salad; they are alphanumeric combinations that you can create mneumonic devices for...

Mneumonic for first one: my Bunny hunts 4for Carrots 1n the ground. Mneumonic for second one: Piaget stinks 1 think; Freud 4for me and thee.

Get the idea? Have fun making up something you will remember that looks like gibberish when you type it. Become worthy of being a research project for the memory and cognition folks.

Strategies to help you remember, from a Professional Password Rememberer It's my job, after all, to remember gadzillions of passwords :) ...

However, I don't remember your passwords: even if I assign you one, I make myself forget it to ensure your security. But server passwords, workstation passwords, network passwords--they are all different. If I forget a password, I'm in BIG trouble. So here are some tips that have worked for me:

First of all, give yourself a little credit. You remember random character strings all the time: phone numbers. Just by being here at the university you've demonstrated an ability to learn and remember vast quantities of useful info.
Secondly, take the attitude that passwords must be LEARNT, not simply recalled. Reclassify the concept of passwords in your mind from something that should be "easy to remember," to something that ought to be cryptic and secure. Big difference. Put them in long-term memory, in the skills part of your memory, not in the short-term place where you have to keep reloading the info from that scrap of paper in your wallet all the time! Make yourself LEARN the password, just as you learn any other unfamiliar stuff you have to memorize. How do you remember parts of the brain? By reciting them over and over to yourself. Through the use of tricks and mneumonic devices. Sheer brute force. Whatever works, right? Same tricks apply to learning new passwords.
Thirdly, learn to care enough to learn. We all learn the stuff we care about learning, so learn to care about your passwords. Think about why they are important. Think about the consequences of a hacker breaking in and wiping your hard drive, or shutting down the psy server for a month.
Fourth, use whatever memory tricks help you. If creating stupid nonsense phrases to match the garble of characters helps you, go for it. If you are able to nimbly switch numbers and letters around in your mind, create passwords by scrambling letters around, substituting numbers for letters, substituting symbols for letters, and so forth. Caveat: Teenage cyberpunks love to substitute numbers for vowels in their writings: Th3y Th1nk 1t l00ks C00l. It's OK to do this in passwords, as long as you ALSO do at least one more thing to make the password secure: use a symbol or two, intentionally misspell something, write it backwards, inside out, and truncate it. Random sequences are obviously the best, but the reality is that if you do any of the above, your password will be 100 times better than the password of a lab assistant I know who used Mom's maiden name. Or the Silicon Valley CEO who used his wife's name. (I mean, come ON, folks!!)

[http://psy.ucsd.edu/psynet/security/passwd.html]

{Back to the Notes Index]