Computer intrusions have more than tripled in the last two years. Who are the people trying to get their hands on your data, and why? We got answers from some experts--including hackers themselves.
From the May 2001 issue of PC World magazine
Posted Monday, March 26, 2001
He couldn't be more than 12 years old--a "tween," in the parlance of the Britney Spears generation. But that doesn't stop him from possessing the swagger of a pop star as he takes a swig of Jolt Cola, stubs out a cigarette, and squints at the screen that has held his attention for the past 6 hours.
With the sides of his scalp shaved bare, he resembles a Mad Max ruffian perched amidst yards of cable and tables piled high with jury-rigged circuit boards, souped-up laptops, and phone-surveillance equipment. He's one of hundreds of hackers who have turned the Alexis Park Resort in Las Vegas into a makeshift commando station for the annual hackers convention, Def Con (from the military's term for its levels of alertness).
Throughout the weekend, tag teams of hackers will work furiously to "get root on" (gain control of) a server the conference organizers have set up, while fending off opponents trying to oust them. It's an age-old game of capture the flag, played out on a digital field.
But it isn't all games for this underage cybersoldier. Because hacking has become nothing in recent years if not a good career move. Yesterday's hackers are today's security gurus, with more corporations counting on them for protection.
Once considered the domain of geeks and freaks, hacking now claims members ranging from the body-piercing-and-gothic crowd to the Bermuda-shorts-and-loafers contingent. The latter are hackers and ex-hackers who now work as systems administrators and consultants.
One reason there are so many types of hackers these days is that hacking--at least as manifested in its simpler forms such as Web page defacement and denial-of-service attacks (which overwhelm a site with data to prevent users from accessing it)--has never been easier.
Tools of the Trade
The Internet is filled with Web sites that offer tips and tools for the neophyte hacker. Kids, criminals, and terrorists are some of the people who avail themselves of this information--so more and more intruders are knocking at port doors.
"The barrier to entering the hacker world has become very low," says 30-year-old Jeff Moss, a former hacker and security consultant who founded Def Con. "If you have a political motivation against wheat farmers and you want to deface [their] Web page, you could just go online and learn how to [do it]."
Despite tighter Web security and stricter penalties for breaking into systems, hacking attacks have more than tripled in the past two years. The government's Computer Emergency Response Team reported about 5000 cases of corporate hacking in the United States in 1999 and more than 17,000 cases in 2000.
And those are just recorded cases; to avoid negative publicity, most companies don't report attacks. The statistics cover network break-ins (which can give a hacker access to data files), Web site vandalism, denial-of-service attacks, and data theft. The FBI estimates that businesses worldwide lost $1.5 trillion last year due to security breaches perpetrated from within and without.
The risks are personal and professional: Hackers can steal passwords and bank account numbers from your home PC or grab trade secrets from your company network. Last October, criminal hackers broke into Microsoft's corporate network and accessed source code for its software.
Hacking also poses risks for national security--sophisticated terrorists or hostile governments could conceivably crash satellite systems, wage economic warfare by interfering with financial transfers, or even disrupt air traffic control.
Good and Bad Hackers
Not all hackers have malicious intentions. Some hackers work for companies to secure their systems, and some contribute to security by notifying software vendors when they spot a vulnerability.
"Breaking things ... is easy," says Syke, a 23-year-old security professional and member of the hacking group New Hack City. "Building a solution ... is difficult, but arguably more fulfilling."
But for every hacker who swaps his black hat for a white one, dozens of others continue to keep governments and companies on their toes. In February, hackers protesting free trade broke into the World Economic Forum's system and stole credit card numbers for at least 1400 government and business leaders--including, reportedly, Bill Gates and Bill Clinton.
Moss says that hacking will get worse. "I used to say the problem was going to get worse before it would get better. Now I just think it's going to get worse. Bad software is being written faster than vulnerabilities are exposed. The trend is toward more features [in applications], and the more features you have, the less security you get."
Face it: Hackers are not going to go away. So it's worthwhile to know who they are and why they do what they do.
"People see movies like War Games and think hackers are going to start World War III," says Deth Veggie, a member of Cult of the Dead Cow, one of the oldest hacking groups (since 1984). "The truth is that computer hackers for the most part are smart, bored kids."
[Editor's note: Most hackers adopt a nom de hack; we've used these in place of some real names when requested to do so.]
It's true that the majority of hackers getting attention these days are bored kids. Hackers usually start in their teens and stop by the time they're 30. But anyone can be a hacker--from the 16-year-old who defaces Web sites to the 36-year-old who sabotages a former employer's server. For their part, people in the underground say that not all hackers are true hackers.
By Any Other Name
It used to be that hacking had nothing to do with breaking the law or damaging systems. The first hackers, who emerged at MIT in the 1960s, were driven by a desire to master the intricacies of computing systems and to push technology beyond its known capabilities.
The hacker's ethic, an unwritten dictum governing the hacker world, says that a hacker should do no harm. Richard Thieme, a regular speaker at Def Con, says that a hacker should "pass through a network without a trace." But somehow that message has gotten lost in the noise of Web defacements and data thefts.
Hacker purists get riled when anyone confuses them with crackers--intruders who damage or steal data. But while some hackers are quick to claim the moral high ground, the line between hacker and cracker is often blurred. Most hackers, for instance, don't believe it's criminal to break into systems and rifle around. The law, of course, thinks otherwise.
"[J]ust because something is illegal doesn't mean it's wrong," says Veggie. "But ... once you go in and destroy data or damage the system, that's where ... you stop being a hacker and you become a criminal."
T12, a 20-year-old who admits to some questionable hacking conduct, says he wouldn't normally damage a site. But if a phone company were to illegally switch his long-distance carrier and start billing his calls at $10 a minute, he wouldn't hesitate to take action. "This is the kind of thing where I would feel free to just deface their site and make it as public as possible."
Diablo, a teenager with the Romanian hacking group Pentaguard, says that a hacker should "never abuse his powers." But, he adds, "If you penetrate a server and change the main page, nobody is hurt. The admin gets embarrassed, and that's all."
Pentaguard has defaced more than 100 Web sites--most of them government- and military-related--and Diablo says that he's careful: "I never delete [or] steal data [and] never crash the system."
This may be true, but Jon Shimabuku, manager of one site Pentaguard defaced (owned by the Hawaii state legislature), says that his office had to pay $4000 for several new large-capacity hard drives (since the police confiscated the hacked hard drives as evidence), and the site was down for a week until the drives arrived.
Signs of the Times
Hacking has definitely changed in the last 40 years. Talk to any hacker over 25, and he's likely to lament the passing of the good old days, when coding was an art form and learning how systems worked was an exercise in persistence. New hackers today are often younger and less skilled than their predecessors, and more likely to focus on showy exploits than the noble pursuit of knowledge, say older hackers.
Fosdick, a 26-year-old programmer who has been hacking since he was 11, calls the Internet generation of hackers "hollow bunnies"--like gigantic chocolate Easter bunnies "filled with nothing but air." Ten years ago, he says, hackers respected information and machines, and had to possess knowledge and skills to hack. Now novices use hacking programs without understanding them and are more likely to leave havoc in their wake.
Script kiddies receive the bulk of hacker disdain. These are the graffiti kids who download canned scripts (prewritten hacking programs) for denial-of-service attacks or paint-by-number Web defacements--the latter nearly always including shout-outs to the hacker's homies.
The risk here is that an unskilled hacker could release wanton mayhem in your systems. The hacker might download a buggy hacking tool to your network that goes awry, or execute a wrong command and inadvertently damage your machines.
But script kiddies tend to disappear after a year, says William Knowles of security training firm New Dimensions International. "This is the generation of instant gratification, and if they can't get the hang of Back Orifice [a more advanced hacking program], they get bored and move on."
Script kiddies may get attention, but experts agree that the most dangerous hackers are the ones who don't make any noise: criminal hackers and cyberterrorists.
"The truly dangerous people," says Fosdick, "are hacking away in the background, drowned out by the noise and pomp that the script kiddies and denial-of-service packet monkeys have been making."
Hacking, says Michael Erbschloe, author of the upcoming book Information Warfare: Surviving Cyber Attacks, "has evolved into professional crime. Amateur hackers are falling into the minority, [and now] the fear is the criminal and the terrorist."
These are people like the Russian cracker group who siphoned $10 million from Citibank in 1994 and the mafia boss in Amsterdam who had hackers access police files so he could keep ahead of the law.
Four years ago, Moss says, crime syndicates approached hackers to work for them. Now, with so many easy-to-use hacking tools on the Internet, criminals hardly need hackers to do their dirty work.
But the cyberelement that everyone fears most is one we've yet to see: Foreign governments, terrorists, and domestic militia groups hacking for a political cause.
The Department of Defense says its systems are probed about 250,000 times a year. Frank Cilluffo, director of the Information Assurance task force at Washington, D.C.'s Center for Strategic and International Studies, says it's difficult to tell if probes are coming from enemies seeking military data or from "ankle biters"--harmless hackers on a joyride. Regardless, he says, authorities have to investigate every probe as a potential threat.
The likelihood of obtaining top secret information in this way is small, says Cilluffo, since classified data is generally stored on machines not connected to the Net. A more problematic assault, he says, would focus on utilities or satellite and phone systems. CSIS says that 95 percent of U.S. military communications run through civilian phone networks. An attack on these systems could impede military communications.
As we went to press, Navy officials reported that last December hackers broke into a Navy research facility in Washington, D.C., and stole two-thirds of its source code for satellite and missile guidance systems. The Navy says the source code was an "unclassified" older version.
Cilluffo doesn't think that a large-scale cyberattack is imminent. But he points out that members of terrorist groups such as Hezbollah have been educated in Western universities and are capable of developing such attacks in the future.
Why Hackers Hack
Aside from criminal and political motives, the reasons that hackers hack range from malice and revenge to simple boredom. And despite the image of hackers as dysfunctional loners, many are drawn to hacking by the sense of community it gives.
Veggie, an old-timer at 27, says he found a sense of belonging in the hacking world. "I grew up in a small town and was sort of the weirdo there. What attracted me to [hacking] was that I found other people like me. I was a smart kid [but] an underachiever, because I was completely bored in high school and unhappy. And I found other smart and interesting kids out there."
Of course, a big part of hacking's attraction is the sense of power that comes from uncovering information you shouldn't possess. A hacker called Dead Addict once described to Thieme the high that comes from discovering valuable information, followed by the low that comes from realizing you can't do anything with it. "That's the trouble with being God," Thieme quotes Addict as saying. "You can look but you can't touch."
Fosdick knows a little of that rush. He says that he once broke into a hazardous waste firm and found "pretty evil insider information" that no one was meant to see. Though he didn't act on the information, he did log it for possible use later. "Just in case I felt like being socially active."
But many hackers who begin as system voyeurs graduate to more serious activities. "It's easy to be lured to the dark side when you get easy gratification messing around with AOL users," Moss says. "You're not old enough to drive a car or vote, but you can exert ... power over a network."
A lot of the reasons that hackers hack fade with age. Life fills their time, and their ethics begin to change. The majority eventually find their interest waning.
Ben Williamson, a 21-year-old systems administrator and security consultant in Los Angeles, says, "You only have three directions to go with hacking: You can keep doing the same old tricks; you can become a real criminal cracker; or you can use those skills wisely to build new software and create a more secure Internet."
Securing the Net is an interest many hackers develop (especially now that employers are hiring them for their skills). They lament that the public never hears about their positive acts, such as patching a hole on their way out of a site and letting the administrator know they fixed it.
Optyx, a 19-year-old hacker and security consultant, got his first job at 15 after hacking into a small ISP. After exploiting the hole for six months, he sent the administrator a note telling him to fix it, but the guy wrote back saying he didn't know how. Optyx sent him the patch code to seal it, and the administrator offered him a job.
But usually, Optyx says, fixing holes is a thankless task. "Most companies just focus on the fact that you hacked them and want to come after you with a lawsuit. It's made hackers reluctant to help them. Now I still fix machines, but I won't tell an administrator I've done it."
An even sorer point between hackers and vendors is the issue of releasing vulnerability exploits. These are findings about a security problem that hackers (and researchers) post on the Net.
Vendors say hackers expose the holes for anyone to exploit, and should instead report them to vendors first so they can fix them. Optyx says the hacking community frowns on people who don't notify vendors, but when they do, vendors often ignore them. "Most [software] companies won't do anything about a problem until you make it public. Then they have to fix it."
Robert Steele, a former CIA officer, says vendors have a duty to develop secure software and that hackers force them to admit their errors. "Manufacturers are grossly negligent in selling software that doesn't stand up. What if they were producing cars that were this unsafe? The software they give us is not safe to drive in cyberspace."
Veggie agrees. "Anything that's attached to the Internet is potentially hackable," he says. "And if [you're] using a Windows 95 or 98 machine, nothing that is on that computer is secure at all."
Both Veggie and Steele believe that better security is in everyone's interest, and that hackers play a crucial role in this.
"The hacker kids who are going to Def Con today are ... the software architects of tomorrow," says Veggie. "The same thing that makes them hackers makes them valuable to employers in the future."
All of this points to the fact that while hackers may be the Internet's greatest annoyance, we ignore their warning about security at our peril. As Moss notes, the network that can't guard against a bored 19-year-old hacking in his spare time can't hope to protect itself from a hostile government or tech-savvy terrorist.
Kim Zetter and Andrew Brandt are senior associate editors at PC World. Michael Gowan contributed research to this piece.
Company Systems: Are You Vulnerable to Hacking?
Hackers and crackers are everywhere, but you may think your company's system is too minor for them to notice. Not true. Hackers don't always target specific machines--they scan hundreds with special programs to find any that might be vulnerable to attack. The intruder could be a teen hoping to use your system to launch an attack on a Web site, or a bitter ex-employee looking for payback.
"The Internet today is like a walk through a vineyard, with the attackers stopping here and there to pick a grape at their leisure," says Sun Microsystems' security chief, Brad Powell. "The feast is seemingly never-ending."
Even a secure company network can be riddled with holes like badly configured routers that expose data in transit to snoops. Think your firewall will protect you? Not always. Attacks at Microsoft and EBay prove otherwise. Here are tips for securing your systems.
Problem: Windows vulnerabilities. Hackers often break into computers through well-documented holes (they read security alerts, too) when users don't install patches.
Solution: Install patches. Microsoft's Critical Update Notification tells you when new patches are available. Be sure to install them on all your PCs.
Problem: Unprotected computers. Hackers often enter networks through old computers that are no longer in use. This can happen when administrators forget to disconnect an ex-employee's system from the modem or network. An older system is less likely to have the latest security patches installed. And a shared terminal that's not attached to any one employee is often overlooked when security updates are done. Any workstation that's left on and connected to both a modem and the network gives hackers one way to dial in to the machine, bypass the firewall, and gain access to the network.
Solution: Secure old computers. Inventory your systems, and unplug from the network any that no one uses anymore. If a networked computer is shared, make sure it receives the same security updates as other systems.
Problem: Lax encryption practices. You encrypt important data on your server, but you neglect to encrypt remote backups. Hackers can target data on a less-protected off-site machine that stores backups.
Solution: Encrypt data. Encrypt data every place it's stored, including PC hard drives.
Security is an ongoing task. It's not something you install and forget about, according to Powell; it's something you live. --Andrew Brandt
Future Threat: Malicious Code in Software
Malicious code embedded in software is not new; users have always run the risk of downloading a virus or a Trojan horse with shareware and games from the Net. The occasional intruder has even been found in shrink-wrapped products. But the hack into Microsoft's source code last October raises worries that popular software may be the next target.
Although Microsoft says its code was not altered (the code was compared with previous backups), it's possible that a criminal hacker could get into a software manufacturer's code and insert a Trojan horse. So unless software companies improve their security, you may find yourself the recipient of a gift horse in your next accounting package.