Information Security News mailing list archives

meet the hackers


From: William Knowles <wk () C4I ORG>
Date: Mon, 4 Dec 2000 00:14:03 -0600

http://www.darwinmag.com/read/120100/hackers.html

BY DAINTRY DUFFY

Not all hackers are bad guys. But understanding what motivates them
can make you less vulnerable to an attack.

On the surface, the Web is a slick marketing and commerce tool. As you
surf through sites like Yahoo and Amazon.com, the online world looks
clean and orderly, the perfect place for your business to set up shop.
But drill down a bit, beneath the special-interest sites and chat
groups, and you'll unearth a colorful crew of subterranean Web
dwellers known as hackers, crackers, phreakers and script kiddies.
They travel covertly in and out of websites, looking in your shopping
carts, reading your e-mails and occasionally announcing their presence
by defacing a website, flooding servers (computers that host services
on a network) or diverting credit card numbers for their personal use.

While these folks are generally grouped under the generic umbrella of
"hackers," they have very different agendas and skill sets (see "Cast
of Characters", left).

We recently spoke with three experienced hackers who cut their teeth
in the underground hacking world and are now plying their trades in
computer security as consultants. All three are also on the staff of
Attrition.org, a website that displays defaced webpages, provides
information about recent hacks and has been accused of everything from
being a hacker gang to an FBI front. Jericho (a.k.a. Brian Martin,
27), Dev/Null (real name withheld, 28) and Cancer Omega (a.k.a. Jay
Dyson, 38) shared with us some of their experiences within the hacker
community, explaining what companies truly have to fear from hackers
and what they should do to protect themselves.


DARWIN: How did you first get into hacking?

Jericho: I've been into computers since I was 8 years old. But as far
as playing around on networks or whatever, I was 18 or 19.

Dev/Null (a.k.a. Null): I've been interested in computers since my dad
bought me an Apple IIE when I was 10. And I have been on the Internet
since my freshman year in college in 1990. I was an English major and
I hung out with a bunch of hackers. They taught me what to do on a
computer, and I kind of went from there. I'm pretty much self-taught.

Cancer Omega (CO): My father was a field engineer for IBM so I was
raised around computers. I was first exposed to them when I was 6, and
I just thought they were magic. In 1979 I put together my first
computer system, and I've been hooked ever since.

What appealed to you about it?

Null: With the Internet and computers, I could start learning and
never stop. It's absolutely fascinating to ride the wave of the
technology as it changes, learning things that are brand new. This was
something that my father didn't know how to do.

Jericho: I guess it was my curiosity; looking to see if I could make
the system do more than it advertised; seeing what else was out there;
just learning how the different kinds of systems worked.

Did you ever cause any significant damage?

Null: I have not done much in the way of illegal hacking. I don't feel
like I need to go barging into someone else's stuff just to learn new
things, and I don't have that power-trip mentality where it's so neat
to break into other people's stuff because then I'm more powerful than
they are. I can't say that I've never done anything illegal, but I
also speed when I get in my car.

Jericho: It never occurred to me, "Oh hey, I could mess this system
up" or, "I could delete this file."


But you were going places that you weren't supposed to go, and you
knew that was illegal.

Jericho: At times yes, but when I was doing it, the computer crime
laws were fairly vague. There was very little prosecution, very little
investigation, not that that excused it, but...what I was doing wasn't
with any big criminal intent.

CO: I only did that when I was under 18 because I was very familiar
with the ways the laws worked. I did go to a few places that I didn't
really belong, but we all agreed on a modified Hippocratic oath. We
were operating under a trust relationship, and we would not betray
that trust to the point where damage was done. Our philosophy was, If
you have this skill, consider it a gift and don't abuse it. And most
of all, don't abuse other people. There's a difference between
somebody who knows a martial art and an outright bully.


What made you decide to take a legitimate job in computer security?

Null: Well, jobs started opening up. Nobody had any idea what the
Internet was going to be until the Web exploded around '94 and '95. It
was then that I realized, Hey, I don't have to be a librarian for the
rest of my life. I can probably get away with doing this computer
stuff.

CO: The way I got into it, as a career, was that the computer industry
grew up and realized that security was actually a concern.


What do your parents think? Did they always know about your hacking
habit?

Jericho: Hmm...my parents had a little suspicion. They never asked me
about it, and after the fact, they looked back and said, "Well, it was
a risk you took, it was your decision." They're very happy with my
career now.

Null: Oh yeah, [my parents] think it's great. When I was first trying
to explain to them what the Internet was, they didn't understand, and
they were actually very suspicious of the whole thing. They figured
that if I was talking to someone who lived in Singapore, then somebody
must be paying the long-distance bills. It was very difficult to
explain to them that it's not like that. There was a long period of
adjustment, but in the last several years as I've been publishing
papers and have started to be looked on as an authority, they're very
impressed. My mom thinks it's cool. She tells all of her PTA friends
that her kid is a hacker.

CO: My father told me, "You ought to stop screwing around and get
serious because what you're doing is never going to amount to
anything." He was old school. Because he worked for IBM, his
philosophy was you do it the company's way and don't even think about
trying something outside the box.


Attrition.org publicizes hacking incidents on a part of its site known
as the "Mirror." Doesn't that just encourage more hacking?

CO: I think the Mirror's biggest contribution to the community is to
show beyond a shadow of a doubt that security through obscurity does
not work. There are sites out there that nobody's heard of until they
get hit. So if you think nobody's going to spank your site because
you're just a mom-and-pop operation, you've got another thing coming.
Ninety percent of the sites on the Mirror are just that.

Null: None of us are particularly impressed with people who deface
websites. Most of what we do it for is a historical record, and we've
got some very high-profile sites that have gotten hit. If these people
can get hit, anyone can. In my view, our Mirror underscores the
importance of having good security.


Who are most hackers these days? Are they the geeky-loner types
hacking in their parents' basements? Or is that just a media cliché?

Null: Oh, that is such a cliché! All you have to do is look at any
articles about DefCon, the big hacker convention every year in Vegas.
That'll dispel that myth in a heartbeat. You've got 5,000 hackers
descending on Vegas for a weekend. These are not basement-dwelling
types. These are fun people. Of course you're going to have the geeky
loners, but there are also plenty of very clean-cut frat-guy types who
are damn good at what they do.

CO: A hacker is someone who has a real love of the technology and
knows it on a very intimate level. The term first got bandied about at
MIT and at Berkeley where people understood the technology so
intimately they could literally navigate around it in the dark.
Through this knowledge they started making modifications, basically
hack jobs in order to accomplish objectives that were really quite
legitimate. Back in those days the term hacker was really quite a
compliment. Now because of popular use, people have come to mistake
these script kiddies (or as some people call them script monkeys or
packet monkeys) as being hackers when in fact they're not. That's like
saying that someone who can start a car is a mechanic. These are just
teenagers with a lot of angst and a computer; they're not hackers.
They have never authored anything original. They may know how to run
scripts, but anybody who can type can run a script.


Do they primarily work alone or within groups?

Jericho: A lot of what we see is that they're group-oriented. Most of
them are probably scared to work alone. There's been a group called
Hack Wiser; G-Force Pakistan continues to deface with its political
message; recently there have been pro-Napster group hacks.

Null: A lot of people work together to a degree and then work on their
own as well. For instance, I'm part of Attrition, but when I'm writing
an article or doing a penetration test of a network, I'm generally on
my own. But I can go to the contacts I have and ask for help if I get
stuck.


What motivates most hackers? Is it largely done for sport with a few
bad apples thrown in?

Null: I think it's the love of learning something brand new. It's the
same thing that motivates some guys to take apart cars, to find out what
makes them tick. Here's a brand-new computer technology that not very
many people understand. Great! Give it to me! Let me look at it, let
me take it apart, let me see why it does what it does so that I can
learn about it.

Jericho: And then there are a few bad apples thrown in....


Is there a hacker code of ethics?

CO: Yes there is: Do no damage. If you have to go in someplace and
you're not authorized to do so, leave it in better shape than you
found it. In fact, there have been systems at NASA that were breached,
where the hacker actually left a nice note to the systems
administrator saying, "Hi! Here's how I got in, here's how I fixed
it." You don't go looking to break into machines, but every now and
then there are some you just fall into.


What's the most important thing businesspeople should understand about
how hackers think?

Jericho: It takes the hacker mentality to test all of the ways into a
network. True hackers don't give up. They explore every possible way
into a network, not just the well-known ones.

Null: The bad guys don't particularly care what damage they do. When
you're spray-painting your name on an overpass, you don't care about
the guy who's going to have to scrub it off. For the most part, these
guys are not out to attack your company personally; they just came
across your company, and it wasn't secure enough and so you got taken
down.


What kind of hacking poses the biggest threat to companies?

CO: A lot of the script kiddies out there are immediately noticed
because the first thing they do is deface the website; I don't worry
about those people. The people I worry about are the ones you don't
know are there, the ones who are just slightly manipulating the data
to suit their own ends. Those are the people to be really concerned
about. If your company has data out there [on the Internet] that is
strictly out there for your convenience, that same convenience makes
it that much easier for an unauthorized user to access it. You need to
start seriously considering just how much that convenience is worth to
you because it may cost you the validity of your data. It could even
cost your company's reputation.


What are the biggest red flags or invitations for a hacker to break
into a site? What makes it really tempting?

Null: One unsecured machine. A couple of years ago, eBay got taken
down. They had firewalls, they had really tight security, but they had
one backup machine that was outside of their firewall. They had
forgotten it was there. Somebody used that machine to get through
their firewall because it was trusted, and they basically owned eBay's
network. What makes you a target is having a glaringly weak link in an
otherwise secure network. If your network is very secure, you've
obviously got something to hide, and if you've got one machine out
there that's wide open, somebody's going to take that out and through
that machine, they're going to hit the rest of your network.

Jericho: Just having a big [corporate] name can do it, boasting that
you're secure or boasting that you have security. If there's a vendor
with some kind of product like a firewall or intrusion-detection
system, a lot of hackers want to show them up, just to prove that
there are weaknesses.


What can companies do to make their systems as unappealing and
unassailable as possible?

Null: The most important thing a company can have is a security
policy. If you have a good security policy and you follow it
diligently (you make sure that all of your machines are up to patch,
your passwords are good passwords, your people are following basic
security practices and they're not hooking modems up on their
desktops), then you're fine. You're safe. It doesn't take a genius to
have a secure network, it just takes diligence. Aside from having a
really good policy and sticking to it, companies probably need a
security person on their payroll. I'm not just saying that to make the
demand for my position increase; security is really a constant thing.
If you don't have someone who at least knows security, then in a month
or two, you may be wide open and not know it because new
vulnerabilities come out all the time.

CO: There's an old joke: Two guys run into a bear in the forest and
the bear starts chasing them. One of the guys stops and tightens the
laces on his shoes. The other guy says, "What are you doing? You can't
outrun the bear!" The first guy says, "I don't have to outrun the
bear, I just have to outrun you!" By the same token, your company just
has to be more secure than the easy prey that's sitting out there. To
do that, you have to shut off all unnecessary services, start
requiring encryption for your log-on and authentication, and establish
a granularity of your network. People in accounting don't need access
to [information in] the engineering group.


Do you see any benefit to living in a world with hackers?

CO: Crackers do get bad-mouthed and people say they're just vandals,
but they are actually showing that most sites have absolutely no
security. I'll give you an example. I wouldn't call this a hack, more
of a prank, but we had an [e-mail] distribution list that went to all
personnel at a NASA center and there was literally no authentication
on it. Someone sent e-mail to this list impersonating the director of
that NASA center. From the message itself, people recognized
immediately that it was a hoax. But imagine if someone with malicious
intent sent out a seemingly legitimate letter with an attachment that
said please download and run this. The consequences would have been
devastating. And if it weren't for our little local hacker, what would
prevent foreign nationals from disrupting our corporate online
presence in a very large way?


How easy is it to break into the typical Fortune 500 company site?

Null: The typical Fortune 500 company usually has given some thought
to security, if only because its shareholders demand it. However, I
have never seen a site that I couldn't recommend some improvements on.
Most companies in general could probably be gotten into within 24
hours if somebody was really dedicated.


The Liberty virus is now moving into PDAs, and people predict that
cell phones will soon succumb to similar viruses. What do you see as
the greatest future risks to security?

Null: I think that companies are going to find out that their biggest
problems will be things that they've trusted for years. I don't know
if you're aware of this, but it is possible to hack into a network
through a printer. The printer has an infrared port on it, and your
Palm Pilot has an infrared port on it. If I'm walking through your
building with my Palm Pilot, my Palm Pilot can talk to your printer.
Your printer is connected to your network. Your machines trust your
printer. If I can own your printer, I can own your network. As
technology grows, there's all this talk about having more and more
things hooked up to the Internet, like being able to turn on your coffee
machine without leaving your desk. Well, what happens if somebody owns
your coffee machine? Machines, like your printers, that have always
been considered harmless won't be for long. I know some people who are
brilliant at finding these vulnerabilities. And that's what they're
working on.

CO: The greatest future danger is the greatest past and present
danger: exploitation of trust relationships. Applications, whether
wireless or mail programs, operate on the trust that everyone is going
to play nice. Lo and behold, not everyone is going to play nice
anymore because we have these little miscreants running around doing
evil things. So we have to take the world as it is. Right now, every
trust relationship we have defined as an implicit rule can no longer
apply. All of the viruses rely on a certain amount of trust, and it
will continue to be the largest threat to security. We can't stand
around and say we'll just make tougher laws. When we had a rise in
burglaries we didn't make tougher laws, we made tougher locks.
Likewise, we have to make tougher locks out in cyberspace.


Senior Writer Daintry Duffy vows never to hook her coffee machine up
to the Internet. She can be reached at dduffy () darwinmag com.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com