                    HOW `CRACKERS' CRACK                                      
                     by Rory J. O'Connor                                      
                Mercury News Computing Editor                                 
                                                                              
   Police, prosecutors and most of the press call them "hackers." Computer cognoscenti prefer the term "crackers."

                                                                              
   Both sides are talking about the same people, typically young men, whose fascination with computers leads them to gain access to computers where they don't belong.

                                                                              
   A few crackers make headlines, like Robert T. Morris Jr., son of a top computer security expert for the supersecret National Security Agency, who let loose a "worm" program on a national network of university, research and government computers in 1988.

                                                                              
   There are also notorious crackers like Kevin Mitnick, who was under investigation at the age of 13 for illegally obtaining free long-distance phone calls and was sentenced to prison in 1989 for computer break-ins.

                                                                              
   Then there are legions of far more ordinary crackers who simply use their knowledge of computers to "explore" intriguing corporate or government computers or simply to go for the electronic equivalent of a joy ride and impress their friends.

                                                                              
   But they all share something: an air of mystery. How do they do it?

                                                                              
   At a recent conference on computer freedom and privacy, computer expert Russell L. Brand gave a four-hour lecture on the inner workings of computer cracking.

                                                                              
   His basic message: Cracking is not as hard as it seems to an outsider, and it often goes undetected by legitimate users of "cracked" computers.

                                                                              
   "Just because you don't see a problem is no reason to think a problem hasn't occurred," Brand said. "Generally it's a month to six weeks before (operators) notice anything happened and usually because the cracker accidentally broke something."

                                                                              
   Home computers aren't in danger from crackers because they aren't accessible to outsiders--and because they aren't interesting to crackers. Instead, they target mainframes and minicomputers that support many users and are connected to telephone lines and large networks.

                                                                              
   Understanding how crackers work and what security weaknesses they exploit can help system managers prevent many break-ins, Brand said. And the biggest problem is carelessness.

                                                                              
   "When I started looking at break-ins, I had the assumption that technical problems were at fault," he said. "But the problem is human beings."

                                                                              
   The "Cracker": Most crackers are not bent on stealing either money or secrets but will target a particular computer for entry because of the bragging rights they will enjoy with fellow crackers once they prove they broke in. Typically, the computer belongs to a corporation or the government and is considered in cracking circles to be hard to penetrate. Often, it is connected to the nationwide NSFNet computer network.

                                                                              
   The attack: Crackers can attack the target computer from home, using a modem and a telephone line. Or they can visit a publicly accessible terminal room, like one on a college campus, using the school's computer to attack the target through a network. At home, the cracker works undisturbed and unseen for hours, but phone calls might be traced.

                                                                              
   The resources: If the target computer is nearby, the cracker may look through the owner's trash for valuable information, a practice called "dumpster diving." Discarded printouts, manuals or other paper may contain lists of accounts, some passwords, or technical data more sophisticated crackers can exploit.

                                                                              
   The target: The easiest way to enter the target is with an account name and its password. Passwords are often the weakest link in a computer's security system: Many are easy to guess, and some accounts have no password at all. Sophisticated crackers use their personal computers to quickly try thousands of potential passwords for a match.

                                                                              
   The cover: To make calls from home harder to trace, crackers might use stolen telephone credit-card numbers to place a series of calls through different long-distance carriers or corporate switchboards before calling the target computer's modem.

                                                                              
   The way in: Many crackers take advantage of "holes" in the operating system, the software that controls the basic operations of the machine. The holes are like secret doors that either let crackers make their own "super" accounts or just bypass accounts and passwords altogether. Five holes in the Unix operating system account for the bulk of computer break-ins--yet many installations have failed to patch them.

                                                                              
   The network: Most large computers are connected to several others through networks, a chief point of attack. Computers erect barriers to people but often completely trust other computers, so attacking a computer through another computer on the network can be easier than attacking it with a personal computer and a modem.

                                                                              
   Ill-used passwords let many pass                                           
                                                                              
   Passwords are the security linchpin for most computer systems. But these supposedly secret keys to computer access are easily obtained by a determined cracker.

                                                                              
   The main reason: Users and system managers often are so careless with passwords that they are as easy to find as a door key left under the welcome mat.

                                                                              
   Part of the problem is the proliferation of computers and computerlike devices such as automated teller machines, all of which require passwords or personal identification numbers. Many people must now remember half a dozen or more such secret codes, encouraging them to make each one short and simple.

                                                                              
   Often, that means making their passwords the same as their account name, which in turn is often the user's own first or last name. Such identical combinations are called "Joe" accounts, and according to computer expert Russell L. Brand, they are "the single most common cause of password problems in the world."

                                                                              

                                                                              
   Knowing there are Joes, a cracker can simply try a few dozen common English names with a reasonable chance that one will work. Armed with an easily obtained company directory of employees, the task can be even easier.

                                                                              
   Joe accounts also crop up when the system manager creates an account for a new employee, expecting that the user will immediately change the given password from his or her name to something else. But users often fail to make the change or aren't told how. Sometimes, they never use the account at all, providing not only easy access for the cracker but an account where the owner won't notice any illicit activity.

                                                                              
   Even if crackers can't find a "Joe" on the computer they want to enter, there are several other common ways for them to find a password that will work:

                                                                              
   - Many systems have accounts with no passwords or have accounts for occasional visitors to use where the ID and password are both GUEST.

   - Outdated operator's manuals retrieved from the trash often list the account name and standard password provided by the operating system for use by maintenance programmers. Although it can and should be changed, the password seldom is.

   - "Social engineering"--in effect, persuading someone, usually by telephone, to divulge account names, passwords or both--is a common ploy used by crackers.

   - Crackers are sometimes able to obtain an encrypted list of passwords for a target computer, discarded by the owners who mistakenly believe the coded words aren't useful to crackers. While it's true they are difficult to decode, it is easy for a cracker to use a personal computer to take a potential password and encode it. Because most passwords are ordinary English words, crackers can simply run a personal computer program to encode the contents of an electronic dictionary and identify any entries that match passwords on the coded list.

   - In another form of deception, crackers set up public bulletin board systems whose real purpose is to snag passwords. Because many people tend to use the same password for all their computer accounts, the cracker can simply wait until someone who has an account on the target computer also sets up an account on the bulletin board. The cracker then reads the password and tries it on the target system.

                                                                              
   While individual users can't delete dormant accounts from their computers or keep an eye on the trash, they can be intelligent about what passwords they use. Brand suggests users choose a short phrase that's easy for them to remember and then use the first two letters of each word as the password. As added protection, users who are able should mix uppercase and lowercase letters in their passwords or use a punctuation mark in the middle of the word. --Rory J. O'Connor
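   As an added illustration (not part of the original article), the checks below show how a system manager could reject the weak choices described in this sidebar at the moment a password is set, and build a password the way Brand suggests. The function names, the tiny word list and the sample accounts are assumptions constructed for the example.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary.
WORDLIST = {"password", "secret", "dragon", "computer", "welcome"}
# The GUEST/GUEST visitor account named in the article (lower-cased).
DEFAULT_PAIRS = {("guest", "guest")}


def password_problems(account, full_name, candidate, wordlist=WORDLIST):
    """Return the reasons a candidate password should be refused."""
    if not candidate:
        return ["empty password"]
    problems = []
    low = candidate.lower()
    # Account name plus each part of the user's real name, case-insensitive.
    names = {account.lower()} | {part.lower() for part in full_name.split()}
    if low in names:
        problems.append("Joe account: password matches account or user name")
    if (account.lower(), low) in DEFAULT_PAIRS:
        problems.append("well-known default account/password pair")
    if low in wordlist:
        problems.append("ordinary dictionary word")
    # Brand's added protection: mixed case or a punctuation mark.
    if candidate.isalpha() and (candidate.islower() or candidate.isupper()):
        problems.append("single case with no punctuation")
    return problems


def phrase_password(phrase, punctuation="!"):
    """Brand's suggestion: the first two letters of each word of a short
    phrase, in mixed case, with a punctuation mark in the middle."""
    parts = [w[:2].capitalize() for w in re.findall(r"[A-Za-z]+", phrase)]
    mid = len(parts) // 2
    return "".join(parts[:mid]) + punctuation + "".join(parts[mid:])


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    samples = [
        ("joe", "Joe Smith", "joe"),
        ("guest", "Visitor Account", "GUEST"),
        ("alice", "Alice Jones", "dragon"),
        ("alice", "Alice Jones", phrase_password("my dog chases the red ball")),
    ]
    for account, name, candidate in samples:
        print(account, repr(candidate), password_problems(account, name, candidate))
```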

                                                                              
   The rights of bits                                                         
                                                                              
   Constitutional scholar Laurence H. Tribe, widely considered the first choice for any Supreme Court vacancy that might arise under a Democratic administration, proposed a fairly radical idea recently: a constitutional amendment covering computers.

                                                                              
   Tribe's proposal for a 27th Amendment would specifically extend First and Fourth Amendment protections to the rapidly growing and increasingly pervasive universe of computing. Those rights would be "construed as fully applicable without regard to the technological method or medium through which information content is generated, stored, altered, transmitted or controlled," in the words of the proposed amendment.

                                                                              
   I am not a constitutional scholar, but I have to believe that what's needed is not a change in the Constitution, but instead a change in the thinking of judges in particular and the public in general.

                                                                              
   Tribe acknowledges that he doesn't take amendments lightly, pointing to the ridiculous brouhaha over a flag-burning amendment as an example of what not to do to the basic law of the land. But like many people who are more deeply involved in the world of computers, Tribe sees the issue of civil liberties in an information society as a crucial one.

                                                                              
   The question is not whether the civil liberties issue is serious enough to be addressed by some fundamental legal change. The question is really how to get people to see that communicating with a computer is speech, and that to search a computer and seize data is the same as searching a house and seizing the contents of my filing cabinet.

                                                                              
   People seem to have trouble making these connections when computers are involved, even though they wouldn't have trouble recognizing a private telephone conversation as protected speech. Yet most telephone calls in this country are, at some time in their transmission, nothing more than a stream of computer bits traveling between sophisticated computers.

                                                                              
   Admittedly, computers do make for some complications where things like search and seizure are concerned.

                                                                              
   Let's say the FBI gets a search warrant for a computer bulletin board, looking for a specific set of messages about an illegal drug business. Because a single hard disk drive on a bulletin board system can contain thousands of messages from different users, the normal method for police will be to take the whole disk, and probably the computer as well, back to the lab to look for the suspect messages.

                                                                              
   Of course, that exposes other, supposedly confidential messages to police scrutiny. It also interrupts the legitimate operation of what is, in effect, an electronic printing press.

                                                                              
   Certainly, in the case of a real printing press that used paper, such police activity would never be allowed. But a computer is involved here, which to some appears to make the existing rules inapplicable.

                                                                              
   But in a case like this, we don't need a new amendment, just the proper application of the Bill of Rights.

                                                                              
   As a more practical matter, the chances of amending the Constitution are slight. It was the intent of the framers to make the task difficult, to prevent just such trivial things as flag-burning amendments from being tacked onto the document. Even the far more substantial Equal Rights Amendment did not survive the rocky road from proposal to adoption. I doubt Tribe's amendment would fare any better.

                                                                              
   Tribe says he hopes his proposal will spur serious discussion of civil rights in the information age, and I suspect that is his real--and laudable--motive.

                                                                              
   I'm not dead set against amending the Constitution if that's what it takes to extend the Bill of Rights to computing. I just believe that Americans are capable of figuring out that we don't need it.

/data/webs/external/dokuwiki/data/pages/archive/news/hcc.txt · Last modified: 2000/08/13 04:07 by 127.0.0.1
