Interesting People mailing list archives
life in cyberspace
From: David Farber <farber () central cis upenn edu>
Date: Wed, 2 Mar 1994 14:23:49 -0500
Publication date: Tuesday, March 1, 1994
Edition: Nassau and Suffolk; Section: Discovery; Page 61 (other editions: 67 C)
LIFE IN CYBERSPACE / COMPUTERS IN THE '90s
The Password Is 'Loopholes'
Byline: Joshua Quittner
Length: 102 lines

YOU'D THINK that Polytechnic University, in Brooklyn, one of the finer technical schools in the country, would know how to safeguard its computer system against hacker intrusions. And you'd think the same of New York University's Courant Institute, which hosts the mathematical and computer science departments.

But a teenage Brooklyn hacker, who calls himself Iceman, and some of his friends say they invaded the schools' Internet-connected computers and snatched the passwords of 103 students. Iceman called me last week to say he and his friends have been using the passwords since Jan. 24 to joyride on the Internet, and read the students' private e-mail and computer files. The passwords could not be used to get into administrative accounts where academic grades could be changed.

Officials at the universities said it will take time to verify the claims. But they say they are treating Iceman's story as if it were true. The officials admitted that the loopholes the hacker claims to have exploited exist, are obvious and accessible.

"Academic computers are not very well protected. And students practice the least safe computing habits of anyone," said Richard Mandelbaum, director of the Center for Advanced Technology in Telecommunications at Polytechnic.

Internet break-ins have been a national news story lately, with reports that unknown intruders have purloined more than 10,000 passwords in a burst of activity during recent months. The Federal Bureau of Investigation is investigating, since so many "federal-interest computers" are attached to the wide-open Internet and since it is a crime to possess and use other people's passwords.
Many large commercial and university systems, including one run by Xerox' prestigious Palo Alto Research Center, have temporarily disconnected from the Internet in an attempt to secure their systems. Experts now believe that a group of young hackers who call themselves The Posse are responsible for the break-ins, though who they are and what they're after is unclear. Some people believe the crew is merely collecting passwords for bragging rights, while others suspect more insidious motives. Their approach is more sophisticated, from a technical standpoint, than Iceman's. But the result is the same.

Despite widespread warnings on the Net, Internet intrusions persist, in part because the global web of interconnected networks was founded on a philosophy of openness, and in part because people use easy-to-guess passwords.

Now Iceman, who's 18, has nothing to do with The Posse; he never heard of it, in fact. He hangs with a group of budding New York City hackers who call themselves MPI. I met him two years ago on a story; I don't know his real name or address, though he calls periodically to claim one conquest or another in cyberspace. He's not a bad kid - he's not venal, he doesn't want to hurt anyone, he's just exploring, he says - but he is a kid, as intoxicated by trespass as any teenager.

Iceman told me it was simple to steal 103 passwords on the universities' systems since each password was a common word or name. "Computer" was one password, he said. "Friends" was another. Two people used the word "Christ" and one used the first eight letters of the word "Antichrist." "Stooge," "Dragon" (used by two people), "Superman," "Hatred," "Vengence," "Ripper" and "Baseball" were all passwords.

This violates the first rule of selecting passwords: Never use a plain word or a name. Pick a password that mixes numbers and letters. "Take the word 'baseball,'" Iceman said.
"If the person who used that as a password just substituted ones [the numeral] for els [the letter], I wouldn't have guessed it in a million years."

If Polytechnic University and the computer science department of NYU can't get their students to practice "safe computing," what chance does America Online, Prodigy or CompuServe have with its millions of new and presumably unsophisticated users coming onto the net for the first time?

Mandelbaum said that new students at Polytechnic are given a pamphlet that urges them to choose a password that isn't a name or a dictionary word. "Students often don't do that, even at a technical university," he said.

Iceman said that cracking the passwords was child's play. Using a legitimate account from another Polytechnic student, Iceman and a friend, on their home computers, dialed into a Polytechnic mainframe called Newton. Once there, they called up a file that stores the passwords for 3,646 students. The password file, of course, is encrypted, using a secret formula that translates each password into a 13-character code.

But for the past year, Iceman has been building a "dictionary" of common words and names. Each word in Iceman's lexicon is also encrypted, using the same, commercially available encryption software that Polytechnic, NYU and most other academic computer systems use. Iceman then instructed his IBM-clone, 486-chip computer to compare the encrypted words in his dictionary to the encrypted passwords on the Polytechnic system. Simple. Seven hours later, he said, the computer yielded 93 matches.

Gene Spafford, a computer science professor and security expert at Purdue University, in Indiana, said that encrypting passwords and storing them in publicly readable files has been standard procedure for years and has become a problem only with the advent of powerful desk-top computers.
"The encryption method was so slow when it was originally designed 20 years ago it was no threat to do what this person was talking about," Spafford said. "It would take too long to encrypt a dictionary to do passwords."

The universities said they would warn their users to change their passwords, and said other plans were under way to make intrusions more difficult.

What did Iceman and company do with the passwords? He said mostly, they enjoy reading other people's files and e-mail. "Every once in a while," he said, "you get something interesting."

NET TIPS

Choosing a password: The cardinal rule of selecting a password is never use a word or name. If you pick a password based on random letters and numbers - khe235X, for instance - you'll never remember it, though. One trick is to pick a name and substitute numbers for letters. David could become da51d ("v" being the Roman numeral for 5, and "1" being a common substitution for "i"). Others prefer to mingle symbols such as * into the password, as in dav*id. Likewise, many computer operating systems are case sensitive, so a hacker using a dictionary-cracker program on the word "baseball" probably wouldn't catch bAsEbAlL.
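The article describes the attack as a precomputed dictionary compared against hashes that only used a password's first eight characters, and its NET TIPS describe the mangling rules users reach for (case changes, digit-for-letter swaps, inserted symbols). As an added example, not code from the article, the universities or Spafford, the proactive check below is what a system could run at password-change time: it undoes exactly those mangling rules and rejects any candidate that reduces to a dictionary word, so the weak choices the article lists never reach the password file. The word list is a constructed sample of the words the article names; the eight-character cutoff is the one the article reports for the scheme in use.

```python
import itertools
import re

# Constructed sample word list: the passwords the article reports, plus the
# name used in its NET TIPS example. A real check would load a full dictionary
# and the site's own user names.
WORDLIST = ["computer", "friends", "christ", "antichrist", "stooge", "dragon",
            "superman", "hatred", "vengence", "ripper", "baseball", "david"]

# The scheme the article describes only looked at the first eight characters,
# which is why "Antichri" matched "Antichrist"; compare on the same prefix.
SIGNIFICANT = 8

# Digits commonly substituted for letters, and the letters each may stand for.
UNSUBST = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "sv", "7": "t", "8": "b"}


def plausible_words(password):
    """Yield every plain word the candidate could have been mangled from:
    lower-cased, symbols removed, each digit expanded back to the letters
    it commonly replaces (so 'da51d' yields 'dasid', 'david', ...)."""
    stripped = re.sub(r"[^0-9a-z]", "", password.lower())
    options = [UNSUBST.get(ch, ch) for ch in stripped]
    for combo in itertools.product(*options):
        yield "".join(combo)


def check_password(password, wordlist=WORDLIST):
    """Return 'ok' if the candidate survives the check, else the reason it failed."""
    truncated = {w[:SIGNIFICANT] for w in wordlist}
    for word in plausible_words(password):
        if word[:SIGNIFICANT] in truncated:
            return f"derived from dictionary word '{word[:SIGNIFICANT]}'"
    return "ok"


if __name__ == "__main__":
    for candidate in ["baseball", "bAsEbAlL", "baseba11", "da51d", "dav*id",
                      "Antichri", "khe235X"]:
        print(f"{candidate:10} -> {check_password(candidate)}")
```

Every mangled form from the NET TIPS (bAsEbAlL, da51d, dav*id) is rejected along with the plain words; only the random-looking khe235X passes.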