The Art of Computer Hacking

By: Kristin Lancaster

Table of Contents

Introduction

A History of Hacking

Methods of Computer Hacking

Modern Day Hackers

Computer Laws

Security Measures

Conclusion

Sources

About the Author

Introduction

Hacker:
"Someone who enjoys exploring the details of programmable systems and how to stretch their capabilities; one who programs enthusiastically, even obsessively." (1994 Edition of the New Hackers Dictionary)

It is estimated that there are over 30,000 hacker-oriented sites on the Internet today. The term "hacker" was first coined in the 1960's at MIT, but today it does not have a universal definition. Early uses of the word "hacker" referred to a highly skilled and dedicated computer programmer who enjoys learning how to stretch the capabilities of computer systems. Hackers have recently been described in derogatory terms because of their tampering with and hindering of government and commercial businesses. Those people who tend to use hacking as an act of theft, embezzlement, or destruction have created a new category of "computer crime" that seeks to define how to punish those who damage a system. Some hackers work for the government to find vulnerabilities in the system that could be discovered by foreign terrorists and fix the problem so that secret information is kept confidential. This paper will trace the history and methods of hacking along with famous hackers of today and the laws that prosecute them.

A History of Hacking

In 1878, the first teenage hackers were thrown off the new telephone system by enraged authorities. In the early 1960's, huge mainframe computers, such as those at MIT's artificial intelligence lab, became the first computers hacked. Also, the Pentagon created the original Internet to help engineers and researchers share their weapons development achievements.

In the 1970's John Draper makes free long distance calls and is arrested for phone tampering. Phone hackers ("phreaks") start the Youth International Party Line/Technical Assistance Program (YIPL/TAP) to make free long distance calls. Homebrew Computer Club begins making "blue boxes" to hack into the phone system and two members later go on to found Apple Computer (Steve Wozniak and Steve Jobs).

In 1982, William Gibson coins the term "cyberspace" and the first arrest of hackers occurs after the "414 Gang" commits 60 computer break-ins.
In 1984, Congress passes the Comprehensive Crime Control Act giving the Secret Service jurisdiction over credit card and computer fraud. "Legion of Doom" (US) and "Chaos Computer Club" (Germany) are the first hacker groups formed. 2600: The Hacker Quarterly is founded to help share hacker tips. [Hackers Quarterly]

In 1986, federal authorities pass the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act.
At the University of Pittsburgh, the Computer Emergency Response Team investigates the hacker attacks on computer networks. Kevin Mitnick is convicted of damaging computers of MCI and Digital Equipment security officials and sentenced to one year in prison. [Kevin Mitnick]

In 1988, "Prophet" cracks the BellSouth AIMSX computer network and is arrested by the Secret Service. In 1990, a national crackdown on hackers starts after AT&T long distance service crashes on Martin Luther King Day. Kevin Lee Poulsen ("Dark Dante") is captured for stealing military documents. Notorious hackers such as "Phiber Optik", "Acid Phreak", and "Scorpion" are apprehended in New York.

In the late 1990's, hackers deface federal Web sites, including those of NASA, the U.S. Department of Justice, the U.S. Air Force, the CIA, and others. The Defense Department finds there were 250,000 attacks by hackers in 1995 alone. The Electronic Frontier Foundation is founded to uphold civil liberties (especially free speech). Hackers hit Microsoft's NT operating system and Yahoo! to show the bugs in the systems.

In 1998, an anti-hacker ad runs during Super Bowl XXXII (costing 1.3 million dollars). The U.S. Justice Department reveals its way of protecting the nation's telecommunications, technology, and transportation systems: the National Infrastructure Protection Center.

Motives of Computer Hacking

Hackers are motivated to attack computer systems for six different reasons.

  1. For amusement and bragging rights
  2. To add import features to their own programs
  3. To steal software by removing copy protection
  4. To gain access to password controlled areas
  5. To add plug-ins to software
  6. To steal computer programming code

Civil liberties attorney Jennifer Granick claims that there is a difference between a "hacker" and a "cracker". A hacker is only testing a system's security for the intellectual challenge while a cracker is criminally inclined. Nonetheless, when hackers "test" a system's security, they are gaining access to files containing financial information like credit card numbers which could easily be stolen.

Some malicious hackers send viruses such as the Microsoft Word Melissa virus. This email virus sends a list of pornographic web sites to all the people in the address book of the infected user and fools people by making the message seem to come from a friend. An "autospam" virus called "ShareFun" was detected in March of 1997, which sent millions of messages, backing up the systems' networks.

Some hackers are angry at political administrations and therefore attack .gov sites (the FBI, Interior Department, and US Senate were attacked for this reason). After NATO jets hit the Chinese Embassy in Belgrade, Chinese hackers also hit US government sites. The CIA was deemed by one successful hacker the "Central Stupidity Agency" for not upgrading its security.

Some hackers are hired by security agencies to test vulnerabilities. The National Security Agency performed a test in which 35 hackers attempted to achieve "root level" or complete access to the Department of Defense's systems. They broke into 36 different sections, which could potentially have let them turn off power to areas and shut down phone networks. They also gained access to Navy cruiser systems that told the coordinates and destinations of ships. The Defense Department acknowledges between 60 and 80 attacks a day, but most attempts are not detected (1 in 150 are detected). Foreign terrorists could receive information about troop movements and weapons purchases without the US government even knowing.

Between 70 and 80% of all hacks are on systems that have not updated their security codes, which are sent to companies by computer managers and network administrators. Senator Jon Kyl (chairman of technology) reported that nearly 2/3 of US government systems have security holes. Tools for hackers are readily available on the Internet today and in some cases only need to be downloaded.

Modern Day Hackers

One of the first hackers, Richard Stallman, began exploring the systems of MIT's Artificial Intelligence Lab in 1971 while he was an undergrad at Harvard. He later founded the Free Software Foundation because he believes software should not be private.

In 1969, Dennis Ritchie and Ken Thompson created UNIX while working in Bell Labs' computer science operating group. Both Dennis and Ken have their own web pages.

In the 1970's, John Draper discovers that a Captain Crunch toy whistle creates the 2600 hertz tone necessary to make free telephone calls.

Phiber Optik (Mark Abene) founded the Masters of Deception hacker group and was arrested for computer tampering. He pleaded guilty to breaking into the computer system of Southwestern Bell and served 10 months in jail. He was voted one of the city's smartest 100 people by New York magazine.

Robert Morris, the son of a chief scientist at the National Computer Security Center, created an Internet worm in 1988 that crashed 6,000 computers by replicating itself and overloading their systems. He was fined $10,000.

One of the most famous hackers, Kevin Mitnick, stole hundreds of data files from system administrator Tsutomu Shimomura, who eventually caught Mitnick. Mitnick copied 20,000 credit card numbers from Motorola and was convicted once in 1989 and again in 1995. He was the first computer hacker on the FBI's Most Wanted list. He has been shown to be a repeat offender because of his "computer addiction". Supporters of Mitnick say the four years he has spent in jail waiting for a trial is longer than what those who commit violent crimes (robbery and assault) have to wait. Kevin Mitnick was declared by the prosecution responsible for the 1.5 million dollars of damage to the company he stole from but eventually was fined only $4,125. On September 14, 1998 the New York Times web site was defaced to protest Kevin Mitnick's arrest and detainment in jail. This site usually had 150,000 visitors a day but had to be shut down that day due to the defacement.

In 1990, Kevin Poulsen took over all the telephone lines going into a radio station in order to assure he would be the 102nd caller and win a Porsche. He writes many articles concerning cybercrime on his web page.

In 1994, Vladimir Levin, as part of a Russian hacker gang, broke into Citibank's computers and made unauthorized transfers that amounted to $10 million stolen from other customers' accounts.

In New York last year, 18-year-old Jay Satiro altered America Online data and programs, damage that would cost $50,000 to fix, and is facing a charge of first degree computer tampering and 5-15 years in prison.

Computer hacking groups are common because hackers share information they attain to show how skilled they are. The Masters of Deception were accused of computer tampering and wire fraud and faced fines and five years in jail. They all met through a computer bulletin board called "Kaos" and were known to periodically "harass and intimidate" computer administrators. MOD was found guilty of selling passwords to other hackers. One eighteen-year-old, Alfredo de la Fe, was charged with using these passwords to steal credit reports and selling them to private investigators.

Phiber Optik (Mark Abene) claims that as part of MOD he stole celebrity credit reports and set up pranks to turn other hackers' phones into pay phones that said "Please deposit 25 cents." He also broke into Southwestern Bell, where he installed "backdoor" programs that cost the company $370,000 to fix. The Masters of Deception broke into the Senate web site in response to a roundup of alleged computer hackers of another hacker group, Global Hell.

The Boston group L0pht claims they can disconnect you from the Web and acquire your personal information, from bank transactions to credit cards. L0pht claims to be a consumer advocacy group because they break into software systems and post instructions on how to do so, but this helps hackers and security officials alike. L0pht does offer a solution to network administrators on how to close the security loophole. This group claims to be part of the "white hats" or good hackers, while Cult of the Dead Cow is a "black hat" group that allows corruption to continue. This group sells the Back Orifice 2000 program, which enables hackers to control another computer from afar like an invisible spy. This way the hacker can change files without the user or security knowing.

One hacker group called "The Phonemasters" caused about $1.85 million in business losses. After pleading guilty to theft, possession of unauthorized calling-card numbers, and unauthorized access to computer systems the group was sentenced to fines and 4 years in prison.

Some hackers seem to be just competing for attention from the news media. Conferences such as Defcon (2,000 hackers in 3 days) and Chaos Communication Camp (1,800 hackers) are highly publicized. These conferences are organized to share information not only between hackers but also with security officials and administrators. The International Hackers Zone competition in Singapore offers $10,000 to the first hacker who can break into a server connected to the Web that is running security products. Through this competition companies get free testing of their products and systems. Unfortunately, this sends out the message that hacking is okay and encourages more people to try it.

Though these hacker activities may be interesting to recognize, officials assert that the biggest threat to computer security is disgruntled employees who already have "root access" to the company's systems. These employees may seek revenge by sabotaging the systems to cause expensive damage to the company in downtime and repairs. The largest computer fraud ever attempted involved an employee of The First National Bank of Chicago attempting to transfer $70 million to his own account.

Computer Laws

Hacking is a felony in the US and most other countries. Computer crime is any illegal act which involves a computer system where the computer is an object of a crime, an instrument used to commit a crime, or a repository of evidence related to a crime. According to computer law a person commits an offense if the person intentionally or knowingly:

  • Causes a computer to malfunction or interrupts the operation without the effective consent of the owner of the computer or person authorized to license access to the computer, or
  • Alters, damages or destroys data or a computer program stored, maintained, or produced by a computer, without the effective consent of the owner or licensee of the data or computer program

Some offenses that constitute computer crime are:

  1. Intrusion of the public switched network
  2. Major computer network intrusion
  3. Network integrity violation
  4. Privacy violation
  5. Industrial espionage

The Computer Fraud Act of 1986 was the first computer crime related law instated in the US.
Regarding privacy, the Electronic Communications Privacy Act of 1986 outlawed the unauthorized interception of digital communications and targeted computer hackers. The Computer Abuse Amendments Act of 1994 updated the law to address the transmission of viruses and other harmful code.

In May of 1998, President Clinton proposed an initiative to help US agencies develop cyberprotection plans and establish links with industry groups. Also in that year, Janet Reno announced that a National Infrastructure Protection Center would be managed by the FBI to protect against information warfare. Attacks by everyone from individuals to terrorists, both domestic and international, would be addressed and the corporation would be linked to CERT. Unfortunately, many companies fail to report break-ins because of the negative publicity they will receive.

Security Measures

Many security measures are available to protect against hackers.

  1. Firewalls: Software that only allows authorized traffic in or out of a company. Hackers use a technique called IP spoofing (assuming a different IP address) that allows the hacker to pass through the firewall.
  2. SATAN: Security Administrator Tool for Analyzing Networks determines any vulnerable points in security systems. Unfortunately, SATAN is available on the Internet and can be run remotely, so hackers can run it against a company's computer system in order to break in.
  3. Encryption: Server software such as Linux FreeS/WAN offers a way to secure data through strong encryption and tunneling of secure networks.
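
How a firewall can reject the IP spoofing described in item 1, shown as an added example that is not part of the original essay: a rule set that trusts the claimed source address beside one that also checks which interface the packet arrived on (ingress filtering). The network range, exposed port, packet fields and sample traffic are constructed assumptions.

```python
import ipaddress

# Assumed, constructed topology: the company LAN is 10.0.0.0/8 and the
# firewall knows which interface ("inside" or "outside") a packet arrived on.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_PORTS = {443}  # the only service exposed to the Internet (assumption)


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def naive_verdict(pkt):
    """Weak rule set: trusts whatever source address the packet claims."""
    if is_internal(pkt["src"]):
        return "allow"  # "it says it is one of ours"
    return "allow" if pkt["dport"] in PUBLIC_PORTS else "deny"


def ingress_verdict(pkt):
    """Hardened rule set: the source must be plausible for the interface."""
    internal_src = is_internal(pkt["src"])
    if pkt["iface"] == "outside" and internal_src:
        return "drop-spoofed"  # LAN address arriving from the Internet
    if pkt["iface"] == "inside" and not internal_src:
        return "drop-spoofed"  # egress check: forged source leaving the LAN
    if pkt["iface"] == "inside":
        return "allow"
    return "allow" if pkt["dport"] in PUBLIC_PORTS else "deny"


# Constructed sample traffic; external hosts use documentation address ranges.
SAMPLE = [
    {"iface": "inside",  "src": "10.1.2.3",     "dport": 22},
    {"iface": "outside", "src": "198.51.100.7", "dport": 443},
    {"iface": "outside", "src": "198.51.100.7", "dport": 22},
    {"iface": "outside", "src": "10.1.2.3",     "dport": 22},  # spoofed LAN source
    {"iface": "inside",  "src": "203.0.113.9",  "dport": 80},  # forged source going out
]


def compare(packets):
    """Return a (naive, hardened) verdict pair for each packet."""
    return [(naive_verdict(p), ingress_verdict(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (weak, strong) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "| naive:", weak, "| hardened:", strong)
```

The fourth packet is the case the essay describes: the naive rules let it through because it claims a LAN address, while the interface check drops it.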

Computer security can also be based on common sense rules that should be followed in companies that depend on computer security.

  1. Restrict access to computer terminals with alarms and monitor them with closed circuit TV.
  2. Use machine readable access cards, difficult passwords, and ID numbers for access to all systems.
  3. Strong security should involve biometric systems that read fingerprints or facial features through a scanner and deny access to unauthorized users.
  4. All data transmitted over telecommunication lines should be encrypted (scrambled into an unreadable format so interceptors can't read it).
  5. Shred all data with important codes to deter hackers from "dumpster diving" to find passwords.
  6. Purchase insurance that covers computer fraud.
  7. Constantly make backups of data files and programs that hackers could erase.
  8. Stay up to date on computer security news by visiting web sites like AntiOnline.
  9. Hire a computer emergency response team to protect the system, detect attacks, and react to them.
  10. Cooperate with law enforcement (even if it is bad publicity) in order to enforce legal liabilities of hacking.

Conclusion

The world of computer security is becoming increasingly important as the Internet becomes an important part of businesses, the government, and the economy of the U.S. Some computer experts claim that the Y2K problem will give even more opportunity for hackers to attack. Media coverage not only recognizes hackers, but also makes more kids want to learn to hack. Computer security is a management problem that can be fixed with measures such as monitoring and firewalls. In order to be able to trust the information infrastructure, we must secure computers by making hacking a more serious offense and acknowledging systems' vulnerabilities so they can be fixed.
