
Secrets of a super hacker ..part4

This method of on-site computer cracking is safer than most because it involves no trespassing at all to get at your target computer. Van Eck has reported that he was able to use his invention to view the contents of computer screens from distances over a kilometer away. His working group housed the device in a van which they parked on the street, usually right in front of a target's home, without incident.
These devices give us hackers the opportunity to do what we always say we want to do: innocently look around in computer systems without hurting, without changing, without destroying. But Van Eck and Britton machines also deprive us of freedom of direction, of choice. We can only use them to see what the user himself sees; there is no chance for us to hack, only to spy. Very rarely do passwords appear on a computer screen, so we most likely won't even be allowed the opportunity to use a bit of learned knowledge to coax what other exciting information we can from the system unless the user chooses to allow us entry into those secret realms.
Seeing the contents of a forbidden computer screen from a kilometer away is marvelous in and of itself when one is discussing, as we were, pulling flutters of distant radiation from the ether. But traditional hacking methods, through the telephone, allow us to delve into the forbidden from much further away than a kilometer. In the following section we will start looking at how a hacker can roam through all the confidential computer systems of his neighborhood, his country, and, if he chooses, the world.

Chapter Nine:
Hacking At Home:
Dialing Up Computers With Your Modem


Now we get to the stuff of which dreams are made. You flick the switch on your
computer and a few moments later it's purring away.
You press a few keys, type in a phone number and after some beeps you hear the
wonderful shriek of connection. The handshaking is fine, but you're looking for a lot
more than a handshake.
You press Enter a few times.
"What's your name?" it asks. You respond, not with your own name of course, but with someone else's.
Then you let your fingers whisper that sweet secret word through the keyboard and
the screen lights up with a luscious display.



Menus! Options! Choices to be made! Files to read and to learn from, software to
run, games to play. You let the directories sift past you, letting yourself be
mesmerized by their framework. So much to do, and then you see connections to
other sites, and more sites, and more secret files to read! You smile as you realize
something: every hack, no matter its size, leads to new hacks, new computers, new
horizons of exploration and gain.

Reality

When I say "Hacking at Home" I don't really mean it. Most computer hackers
nowadays won't hack from their houses for fear of Caller ID, line tracers, tricks,
traps and federal agents. When I say "Hacking at Home," what I'm really referring
to is the phenomenon of dial-in lines. Ways in which, if you are so inclined, without
even leaving your house, you can connect yourself with the world.

Who To Connect To

Who can you expect to connect to, calling from home? Lots of places. There are other home computers, mainframes, minicomputers, companies, government offices, clubs; you will be able to call any organization or individual who owns a computer and has need to communicate via computer with other entities.
You might also find yourself calling on-line databases and pay-for-play services.


Paying For The Pleasure

A hacker named Rebel was recently telling me how enthralled he was with CompuServe, except for one aspect: the stiff price one pays for using the service. For this reason, CompuServe is often known as Compu$erve, with an oversized dollar sign replacing the S. CompuServe is not the only vendor charging the public a fortune to pay back their huge advertising budget. There are literally hundreds of on-line services to which one may subscribe, or hack one's way in if that's more your style.
Databases are available to look up any sort of data: census data, news, stock market information, results of government research, science and technology reports, books, personal information, history, and popular culture. There have been times late at night when I needed one crucial piece of information for something I was writing, or just to satisfy my curiosity. Anybody can access one of these databases and find what he or she needs any time of the day or night. Of course, we must be prepared to pay through the nose. There is usually a charge to subscribe to the service, then there may be any number of the following charges:
A display charge for each piece of data presented on the screen, or a search charge for each query made to the database.
Minute-by-minute charges as long as you stay connected to their computers.
High-speed surcharge for using a faster modem (thus gaining the ability to grab more info per minute).
Long distance phone charges if the service doesn't have an access number in your local-dialing area.
Many hackers refuse to pay the inflated bills these services can run up, though they also refuse to give up the service, particularly when so many special and useful features can be gained by dialing in. On-line gaming, electronic mail, multiple-user chatting, bulletin boards [Footnote: Many of the fee-based services which offer bulletin boards even have a message base or two devoted to hacking.] and a plethora of other goodies make the services attractive to the hacker. The many ways to get past paying for them are also very attractive. You will find many ideas throughout this book.
You'll be interested to hear about one trick a pair of high-school-age New Jersey
crackers used to get some service for free. One brand of personal computer was
being sold in a special package that included several pieces of software, along with
a trial membership to one of the on-line services. They hacked the system of one
of the stores that sold the computers and obtained a list of customers who had
bought it. Many of those customers were individual people or families, but a good
number of the computers had been bought by stores and businesses. They went
to these businesses and snuck around in their back rooms and offices. Sure
enough, pushed aside on bookshelves, unopened and untouched, lay the envelope
that included the "Getting Started With StarBase On-line" manual and trial access
codes that had been included with the computer. They helped themselves.

Packet Switched Networks

There are corporations and government agencies all across the country that have computers you will want to get your hands into. But you're not going to want to get your hands into your wallet to pay for all those long distance calls. The solution? Public Data Networks (PDNs).
A PDN is a network of hundreds of computers scattered nationwide. You call up one local to you, then type the address of the computer system you want to connect with. The "address" is usually something like a phone number. When you enter a valid address, the login display for the desired system will appear. You are then able to interact with the system as if you were directly connected to it, when in reality everything you type is being broken down into chunks of text (packets), possibly compressed and encoded, then shipped across the country, from one computer to the next, until it reaches its destination.
There may be hundreds of other sessions going on simultaneously from points throughout the network, as thousands of users interact with the many computers on the net. Sending messages this way is known as packet switching. The intermediate computers that do all the work are called PADs, or Packet Assembler/Disassemblers, because they take incoming packets of data, strip away the encoded insulation which tells that PAD where the packet is headed, then reassemble the data with new directional information, sending it further along the route.
Hackers take great glee in connecting with a PDN. Once there, a hacker can try out various addresses at random. In a matter of minutes, he will find himself with a wide variety of login prompts to crack, all made through a local phone call.
The most well-known PDNs are Telenet and Tymnet, and there are also
international packet networks, and networks in other countries as well. Generally
you can call any one of these services to get a list of PADs in your area you can dial
in to.


Other Networks

The only other network that counts is the Internet.
Internet is an international network of networks. There are academic networks, government networks, businesses and organizations throughout the world, all connected together (by PDNs) to exchange ideas, software, technologies, gossip and guacamole recipes.
Before Internet there was ARPANET, a military network which has since been
replaced by MILNET (a well-guarded network of United States military sites) and
other smaller networks used by the US military. Altogether, these make up DDN,
the Defense Data Network. DDN is now just one of many networks participating in
the Internet.
Others include the National Science Foundation NETwork (NSFNET), which includes
supercomputer centers and other research sites funded by the NSF. CSNET is a
network established to encourage cooperation between sites doing development
work in computer science. JANET is the United Kingdom network, one of many
national networks around the world that is bridged with the Internet. Internet is
truly a global community.
Some of the pay-for-play services offer access to the Internet. Many university
computer accounts are connected to it. Basically, having an "in" with the Internet
allows one to travel around the world and back without leaving your armchair.
We were talking before about packet switched network addresses. An Internet
address is a series of code words punctuated with periods, and refers to one
particular computer in the millions that make up the Internet. A typical Internet
address might be "danielk@cs.zowie4.uboulder.edu." We can deduce that at the
University of Boulder there is a computer in the computer science department
called zowie4, and on that computer there is a person whose first name is Daniel,
and last name begins with K. The "edu" is a standard thing stuck at the end of
educational computer addresses. Other identifying components used are:


COM for commercial sites,
MIL for military sites,
GOV referring to governmental organizations,
ORG for non-profit organizations, and
NET meaning Internet administrator sites.


An Internet address may also end in a two-character country abbreviation. Some examples of these are:


AU Australia
IL Israel
US United States
JP Japan
UK United Kingdom
DE Germany (tricky! DE is for DEutschland).


Finding Dial-Up Numbers

To "direct connect" with computers, you will need their phone numbers. Very often you can call up a company and ask the switchboard operator for the computer department and/or computer lines. If that doesn't work, try calling individual offices at the firm and ask if they know how to access the company computer from their home computers. If they don't know the phone numbers, perhaps they have a terminal program on their office computer which has the phone number stored for use.
Phone books are a big help. First there are the internal kind: companies and other organizations will have a directory of people who work there, with their extension numbers. Internal directories might also be of the kind that list numbers for the different departments; some go so far as to list home phone numbers and addresses of the people who work there. Names can be used to pretend familiarity with the people you speak to when you call. But you won't even have to call and ask for dial-up lines if those numbers are listed in the directory.
A second useful source is phone company data grade line directories....
When a person speaks on the telephone, it doesn't matter if every once in a while the voice on the other end gets a bit fuzzy, or if the tone gets momentarily higher or lower. When you're transferring data between computers, however, audio noise can be a problem. So the telephone company has special lines which offices can install (for a price) to ease the flow of data between telecommunications devices such as modems. If you can get a data grade line telephone book, you will have found a huge and wonderful collection of computer phone numbers (and fax numbers too). Many hackers get theirs by scavenging.
The third way phone books can be helpful is by looking in the public white pages and yellow pages that every phone owner gets for free. Large companies will own big blocks of telephone numbers, with each office or extension being one digit different from the preceding one. To call the different departments at Company J, you would dial 390-WXYZ. The 390 stays the same for every department, but the last four digits change for each phone line. So turn on your computer and type up a text file listing every occurrence of those last four digits you see listed for that company in the phone book. Then sort the list and try calling everything in that exchange that is not on your list.
It can be helpful to use a criss-cross directory for this task. Criss-cross directories are sorted by number, not name, so if you know that Company J's numbers fall into the 390- range, using such a directory you will have an even bigger list of numbers to avoid. This makes the job of calling every potential number much quicker and easier.
Software is available to repeatedly dial up a series of phone numbers, reporting on whether a modem is connected. These programs, often available on hacker and cracker BBSs, are known by many names: "WarGames Dialers," "autodialers," or "demon dialers." If you can't find such a program, write one for yourself; it's simple to do and will cost you only a few hours of time.
Once you have your autodialer, be very careful how you use it. The phone company security patrol knows what you're doing when you make that many calls that quickly, and with such precision. I've often thought it would be a good idea to combine one of those computerized telemarketer machines with an autodialer. That way everything looks legit: if a person picks up, they get a short recorded message; if a modem picks up, they get a callback later.

Dial-Up Security Measures


Some security directors get themselves into a bind. They recognize the important
value of having direct dial-up lines for easy access, but they also understand that
anytime a person is able to call a computer directly, a security breach is not only
possible - it's unstoppable.
To overcome this, security-minded folk will not allow direct dial-up access to the real computers. They will only allow access to an intermediary device or computer which firewalls important data from potential hackers.
For example, one may dial up a computer whose purpose is only to check authorization codes. When access is confirmed, the caller is transferred to a line connected to the actual computer. There, the caller may have to identify his or her private account by username and password. As long as the password to the initial computer is kept secure and changed frequently, the important data on the actual computer is free from harm.
In states where Caller-ID service is legal (and even in those states where it is not, or isn't available) it is possible to set up a modem to only handshake with a user who is calling from an authorized phone number. The system administrator keeps a list of the home phone numbers and office numbers of legitimate users, and if the computer sees that the incoming call is not from one of those, there is an immediate disconnect. The call would also be disconnected if the caller had enabled Call-Blocking, which disallows the Caller-ID from reading one's phone number.
Where Caller-ID is unavailable or unknown, a ring-back feature may be put to use. Once a caller inputs correct identifying information, the host computer disconnects and calls back a stored telephone number which goes with the identity that has been entered. This is the normal way ring-back works, but in some instances (such as the RBBS-PC electronic bulletin board system) the ring-back option means that a caller lets the phone ring X times, then hangs up and calls back again. This time the BBS will answer the phone. If the caller had originally let the phone ring more than X times, the computer would have ignored the call completely, thus providing a layer of security. So if you have a number you know belongs to a computer, but there is no answer, try letting it ring a different number of times, then call back immediately.
A host computer may also not connect a caller until a certain code is played on a
Touch Tone phone. Since the code would ordinarily be played by the terminal
program of the calling computer, this code may be very long and complicated, thus
difficult to crack by chance or force.
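The three measures just described (Caller-ID screening, the RBBS-PC ring-back convention, and host-initiated callback to a stored number), as an added Python simulation that is not from the book or any product it names. The user directory, access codes, phone numbers and ring counts are constructed for the example; the behaviour follows the text's description.

```python
"""Added simulation of the dial-up gatekeeping measures described in the text.
Everything below (identities, codes, phone numbers, ring counts) is constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed directory: identity -> (access code, number the host may call back)
DIRECTORY = {
    "samantha": ("blue-kayak-7", "555-0101"),
    "jim": ("north-pine-2", "555-0102"),
}
# Constructed list of home and office numbers permitted to connect at all
ALLOWED_NUMBERS = {"555-0101", "555-0102", "555-0150"}


@dataclass
class Call:
    caller_id: Optional[str]     # None when Call-Blocking is on or Caller-ID is unavailable
    identity: str
    access_code: str
    requested_callback: Optional[str] = None   # number the caller *asks* to be called on


def screen_caller_id(call: Call, allowed=ALLOWED_NUMBERS) -> str:
    """Measure 1: disconnect unless the incoming number is on the administrator's list.
    A withheld Caller-ID is treated exactly like an unknown number."""
    if call.caller_id is None:
        return "disconnect: caller-id unavailable"
    if call.caller_id not in allowed:
        return "disconnect: number not authorised"
    return "proceed"


def rbbs_ring_back(first_call_rings: int, seconds_until_retry: int,
                   max_rings: int = 2, retry_window: int = 60) -> bool:
    """Measure 2 (RBBS-PC style): answer only if the caller let the phone ring at most
    max_rings times, hung up, and called back within retry_window seconds.
    A first call that rang longer is ignored completely, so the host never arms."""
    if first_call_rings > max_rings:
        return False
    return 0 < seconds_until_retry <= retry_window


def host_callback(call: Call, directory=DIRECTORY) -> str:
    """Measure 3: once identity and code check out, hang up and dial the number stored
    for that identity. The caller's requested number is deliberately ignored; honouring
    it would reduce the measure to 'call me back wherever I say'."""
    entry = directory.get(call.identity)
    # Compare against a placeholder when the identity is unknown, so an unknown name
    # and a wrong code take the same path and produce the same message.
    expected = entry[0] if entry is not None else "no-such-identity-placeholder"
    code_ok = hmac.compare_digest(expected.encode(), call.access_code.encode())
    if entry is None or not code_ok:
        return "disconnect: identification failed"
    return "hang up; dialing " + entry[1]


def admit(call: Call, first_call_rings: int, seconds_until_retry: int) -> str:
    """Layer the measures in order; the first one to object ends the call."""
    verdict = screen_caller_id(call)
    if verdict != "proceed":
        return verdict
    if not rbbs_ring_back(first_call_rings, seconds_until_retry):
        return "disconnect: ring-back convention not followed"
    return host_callback(call)


if __name__ == "__main__":
    # A caller on an unlisted line is dropped before any code is examined
    print(admit(Call("555-0199", "jim", "north-pine-2", "555-0999"), 2, 15))
    # A listed caller is called back on the stored 555-0102, not the requested 555-0999
    print(admit(Call("555-0102", "jim", "north-pine-2", "555-0999"), 2, 15))
```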
As you can see, all of these dial-up security measures make life difficult for the hacker. One may social engineer the knowledge out of a legitimate user of the system, but often the hacker won't even know that such extreme security measures are in effect to begin with.
You may be randomly dialing through a range of phone numbers because you have reason to suspect that a computer line exists within that range. If one of the numbers is never answered no matter how often you call, you can surmise a ring-back or similar device is connected to the other end. If you call one number and hear a computer at the other end but aren't connected, suspect that the computer is looking at your phone number and seeing if it's valid. [Footnote: A knowledgeable hacker could temporarily change his phone number to one that the computer recognizes, by hacking the telephone system mainframes. However, it is still necessary to know that phone number.] (Either that, or what you're really trying to connect to is a fax machine.) Caller-ID type systems, and those which call back a phone number, will be especially common on computer systems whose users are situated within a close regional area. The remote system may also be trying to detect special tones encoded in the modulation. Though it is a dial-in line, special equipment may be needed to connect with it.
Sometimes the system managers get so tricky as to disguise the fact that they have a dial-up computer available at all. When a user calls up to use the computer, a special device answers the phone. Instead of hearing the characteristic modem noises, a user might get a recorded voice, static, or nothing at all until a specific password is sent from the calling modem to the remote system. You can see how this would easily foil any WarGames dialer.
All in all, devices which inhibit access to the actual computer are nothing more than one more layer of security to get by. Luckily, the majority of computers do not employ such tactics, and are easier to crack than a hard boiled egg.

Scrutinize The Login Environment

The login environment is the area of the remote computer which you are allowed to
access before identifying yourself as a valid user of the system.
The login environment of most computers is limited to a username and password
prompt. Some environments are more expansive, giving a general command
prompt, at which you can type any number of instructions. Those instructions
won't necessarily be carried out (you probably have to log in first) but they can be
helpful.
There are a number of common commands that one can type at a board command prompt, and a list of these is given in Appendix C. Try typing "help" or "?" first, and see if that does anything. A command like "users," "show users," or "who" will be helpful, in that you can see the names of people who are on the system and try to guess their passwords. The advantage of having certain other commands may not be as apparent, nor will there necessarily be any advantage at all to the hacker.
One good thing about general command prompts is that often one is reverted back to them after failing a login. Thus if three incorrect username/passwords are entered, instead of disconnecting you, the computer will bring you back to the command prompt for another go-round.
When you find yourself at a general command prompt with no help available, try doing different things, paying attention to the error messages you receive. Try entering commands in all upper or all lower case, then mixed cases. Look at the maximum and minimum lengths of commands. See which characters are recognized. All of this is helpful in that it narrows down the number of unknowns. It helps you more easily figure out what you should be doing to get things moving. If every time you type "HELP" you get a "Line too long" error, then you know the system is probably looking for three-letter commands. That is useful information.
If you type "CONNECT," and the system responds, "The verb CONNE is not available" it implies that only the first five characters of input are examined. If, on the other hand, your entire entry is examined, advanced help may be available. For example, if by typing "HELP" you get a list of commands, typing "HELP COMMANDNAME" may give you help with that one particular command. Such help systems are common.
Let's look at the actual entering of username and password. Some terminals tell you you're wrong when you enter a bad name, others wait until you've given both name and password to inform you. The first way is preferable, as it is less secure and requires substantially fewer guesses to crack than the latter. The IBM VM/370 was insecure in this regard; it immediately informed you that the username was no good with a "userid not in cp directory" error message. One system that I know of (Dynix) follows the same format. First it helpfully prompts for your "Nine digit ID code" (hint, hint, what could that be? A social security number perhaps?) and when the correct one is entered, it will say, "Good morning Samantha. Now type your password." This particular computer allows you to easily break into one of several command languages and reprogram the menu interface. It also comes equipped with dial-in ports. Dynix is a joy to hack.
If you get a computer of the second type (one which asks you for name and password before saying if your login is accepted), then time how long it takes to display the password prompt on the screen. This can help you decide if a username you're entering is valid or not. Let's say you try the name "Jim," and it takes two seconds for the computer to respond with the password prompt. Every time you type "Jim," it takes that long. Now try the username "Zzzzzzz." This is obviously a made-up name that the computer won't be able to find in its files. If it consistently takes longer for the password prompt to appear after typing the name "Zzzzzzz," you know that "Jim" is a valid username, and you should continue guessing passwords for him. That is, on systems where sequential search is in effect, it takes longer for the computer to search for a nonexistent entry in its data files than an existent entry.
In any case, source codes are often available, especially for UNIX files, and so you can look them up to see how the inner workings of the login prompts function.
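The two login designs the text contrasts, as an added Python example that is not from the book: `leaky_name_prompt` reproduces the VM/370 and Dynix pattern (a name-specific message, reached by a sequential search whose cost depends on the name), while `uniform_login` gives one message and does one fixed-cost verification whether or not the name exists. The user file, names and passwords are constructed; the `work` counter stands in for the response time a caller would measure.

```python
"""Added example: a login prompt that reveals whether a username exists, beside one
that does not. The user file, names and passwords below are constructed."""
import hashlib
import hmac
from typing import Tuple

ITERATIONS = 20_000   # PBKDF2 work factor: one verification is a fixed, measurable cost


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user file, in the order the records would sit on disk
USER_FILE = [
    ("jim", b"salt-jim", _hash("sunflower", b"salt-jim")),
    ("samantha", b"salt-sam", _hash("marigold", b"salt-sam")),
]
# Index for O(1) lookup, so a nonexistent name costs the same as a real one
USER_INDEX = {name: (salt, digest) for name, salt, digest in USER_FILE}
# Placeholder record: an unknown name still triggers exactly one verification
_DUMMY_SALT = b"salt-dummy"
_DUMMY_DIGEST = _hash("placeholder-never-accepted", _DUMMY_SALT)


def leaky_name_prompt(userid: str) -> Tuple[str, int]:
    """Stage one of the VM/370 / Dynix pattern: the name is judged on its own.
    Returns (message, work); work counts records examined, standing in for time.
    A real name stops the scan early, an unknown one reads the whole file."""
    work = 0
    for name, _salt, _digest in USER_FILE:      # sequential search
        work += 1
        if name == userid:
            return "Good morning %s. Now type your password." % name, work
    # Whole file scanned, and a telltale message: both confirm the name is bad
    return "userid not in cp directory", work


def uniform_login(userid: str, password: str) -> Tuple[str, int]:
    """Same message and same work whether the name exists or not, and whether the
    failure was the name or the password. Returns (message, work)."""
    salt, digest = USER_INDEX.get(userid, (_DUMMY_SALT, _DUMMY_DIGEST))   # 1 unit
    candidate = _hash(password, salt)                                      # 1 unit, always
    # compare_digest takes time independent of where the digests differ; the
    # membership test rejects a guess of the placeholder password for unknown names
    ok = hmac.compare_digest(candidate, digest) and userid in USER_INDEX
    work = 2
    if ok:
        return "Good morning %s." % userid, work
    return "Login incorrect.", work


if __name__ == "__main__":
    print(leaky_name_prompt("jim"))        # found after 1 record, name confirmed
    print(leaky_name_prompt("Zzzzzzz"))    # 2 records scanned, name denied outright
    print(uniform_login("jim", "wrong"))   # same reply and cost as the next line
    print(uniform_login("Zzzzzzz", "wrong"))
```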
If you have no idea what kind of username and/or password is required on a particular system, do the same kind of checking you would do at a general command prompt, checking for which characters and lengths are recognized.
A completely different way you might like to research the login prompt is by control
codes. Pressing certain keys, or combinations of keys, delivers codes to a remote
computer which may force it to act in ways that it was not meant to behave. For
example, you can send an ASCII code to command the remote computer to stop
reading a password file. Sometimes it is then possible to quickly retype the
password you entered, and make the computer believe it has found your input as
part of the password file, thus letting you into the system. Sometimes pressing
Control-Z (the end-of-file command) at the right time will bring strange results too.
Look up all abbreviations, weird letters and other things that appear on the screen.
Any decent library will have an encyclopedia of acronyms. (Any indecent library will
have this book.) Very often you will call up a packet switching network, find a valid
address, then get something like "Welcome to VHMSD! Password?" on the screen.
So, you do your research and find out that VHMSD stands for Viking Horn
Manufacturers of South Dakota, and the whole task of hacking the place becomes
infinitely simpler. Remember, when you are hacking a computer, you are really
hacking the people that run the computer. Thus, if you can find out who is running
the show, you have a multitude of resources at your disposal, including all the research
tools mentioned earlier. Otherwise you're just taking random stabs at a
computer identified only by some strange abbreviation.


Chapter Ten:
Electronic Bulletin Board Systems


The Electronic Bulletin Board System (EBBS, but usually referred to simply as a BBS) is how most people get introduced to computer telecommunications. A BBS is a computer program that anyone can set up on his or her computer. The program watches the computer's modem, waiting for the telephone to ring. When it does, the BBS program answers the phone. If it is another modem calling, the two computers are connected. The person who is calling is then able to use the computer on the other end of the line as if he or she was sitting directly at that computer's keyboard. The BBS program allows the caller to choose various options from menus, letting the caller write messages to be displayed to other callers, read messages, send files back and forth, or play games on the remote computer. In essence, the caller actually controls the computer through the phone lines. However it is only the BBS program that he or she is allowed to control. The BBS program separates the caller from the computer itself. At least, it tries to.
BBSs are generally run by computer hobbyists on their home computers, and are used as a way to share information in the spirit of the original hackers. Usually there is no charge to call these up and look around, but that is at the discretion of the person running the BBS, the system operator (sysop). Schools, libraries, stores, user groups, churches, and organizations often run BBSs to spread the word about activities and to keep members in touch with one another. Sometimes companies will set up electronic BBSs as a way for customers to mail order products from them, to see new product information, or to report problems with products or services.
The US Congress has even set up a bulletin board system. Run on RBBS software, the BBS was created in late 1991 by Congressman Bob Wise and his House Government Operations subcommittee on government information, justice and agriculture as a way for government employees to anonymously inform inspectors about wrong-doing at the workplace.
Other BBSs are private ones, the phone numbers to which are not made widely available. For example, the FBI runs the National Crime Information Center (NCIC) which makes use of a BBS to keep track of wanted persons, missing persons, and people with criminal records. Franchise businesses such as fast food places often use BBSs to upload inventory or financial data to their company headquarters on a daily basis. And of course, there are otherwise "public" BBSs which maintain silence because the people who use them do so for illegal purposes.
Access to most BBSs is controlled by a name/password combination. When you call up a BBS you are asked to enter your name, or NEW if you have not called before. If you are a new user, you will be asked if you wish to register for the system and, if so, you will be asked some questions, welcomed to the system, perhaps given a short tour, and shown the rules of the house ("Please keep messages clean... No discussion of illegal activities such as computer hacking, fone phreaking, stolen credit card numbers, etc...").
After that, you might be given guest access to the BBS until the sysop can validate your request for admission, or you might be logged off and asked to call back the next day. This isn't always the case, of course, but sysops like to make sure you are who you say you are; if you registered with a phony phone number, they want to know about it. They want to make sure the people they will be allowing to use their computer can be trusted.
Electronic bulletin boards are important to the computer enthusiast and to the hacker for many reasons. They enable us to communicate (possibly anonymously or semi-anonymously) with other computer users. We can learn from those who have more experience than us, and we can use BBSs to help newcomers to the world of computing.
And of course, there are the immoral and illegal ways of using BBSs, ways to exploit them and the people on them for your benefit, ways to make contact with the underground and deviant computer users of the world, including hackers.

Finding BBS Numbers

Once you find one BBS number, you will automatically have literally thousands to choose from. The sysops of BBSs are not competitive. They don't care if you use their system exclusively, or if you call up every BBS in existence. Thus, you will almost always find a BBS list on any BBS you call. The list may be nationwide or local, and will detail BBS names, phone numbers, perhaps the sysop's name and special features of the systems. BBSs also usually have a BBS message center, or a place where other sysops can advertise their BBSs.
So once you call up that first BBS, you will have the phone numbers for many more.
The trouble, for beginners, is finding that first number.
To start with, if you know anyone who has a computer and a modem, ask them if
they have any BBS numbers.
Many computer users groups, libraries, religious organizations and schools have BBSs. The companies that manufacture modems and other telecommunications equipment, as well as the software companies, often have BBSs. If one isn't advertised in the packaging, call them on the telephone to ask if they have one. Hayes, for instance, has a nation-wide 1-800 BBS you can call to get product information and lists of BBSs from all over the country. The number is 1-800-US-HAYES.
Computer magazines often list BBS numbers. There are many books on telecommunications, some of which have listings of BBSs across the country in an appendix. There are also several computer phone books that give listings. Additionally, you might find BBSs advertised on community bulletin boards or in neighborhood computer stores.

Finding Hacker Boards

The most adept hacker BBSs will not advertise themselves, but don't worry: Once
you establish yourself as a knowledgeable hacker, you will learn of their existence
and they will welcome you with open arms.
There are plenty of hackers and wannabe-hackers who will openly advertise their BBSs as catering to the kind of thing you are looking for. Perhaps they have worthwhile information. Probably you'll log onto these boards and find nothing more than some no-brain kids cursing at each other. You can ask on overtly hacker/criminal boards if the members know of any other hacker boards (or look in the BBS listings there), but you probably shouldn't stick around on overtly criminal boards, as they are more likely to be busted. Since they generally don't contain anything but publicly-available or useless information, don't feel you're missing out on much by shunning these places.


Occasionally you will find an electronic conversation with some intellectual value to it. Embrace it, add to it, and pretty soon you'll find yourself accepted into its underground. If you find such a BBS, one whose members proclaim themselves to be hackers, and yet the conversation is smart and conservative, you can bet that there are secret sub-boards lurking behind trap doors, where all the real hacking news gets discussed. Prove yourself as a worthy member of the above-ground community, and after awhile the sysops and assistant sysops will vote you into their elite society. To be accepted as a hacker you must be willing to exchange information. You must have good information to share and to give.
If you log on to a respectable BBS which you suspect contains a secret hacker
subsection, accidentally try a different unlisted command each time you log on.
(Don't do more than one per login, to avoid generating suspicion.) If you find a
command that works, and you're asked for a password, then you'll know you're on
the right track. Talk to the sysop or other group members about your feelings on
hacking, and ask them what they think about it. Modestly tell of your hacking
achievements. You will already have impressed them by finding the secret section,
but you don't want to agitate them by hacking it out. <One of the criticisms that
law enforcement officers make about hackers is that they say we live by a double
standard: That we think it is no crime to violate other people's privacy, but we can't
stand the thought of being probed ourselves. Well, I don't find a need to defend
myself. If a hacker can get through the safeguards I've set up, that's fine, because I
know that hacker will not damage me by it. As far as hacking a hacker BBS is
concerned, since the users of that BBS do not know you, they don't know that your
intentions are honorable. Thus, to invade them is to get their guard up. In your
talking to the sysop you might want to mention that you refrained from hacking the
hole that you found, in order to reassure them that you are a fellow hacker and not
a cop.>
And you certainly don't want to post a public message stating that you found their
trap door; you can bet there are plenty of others without that secret access who are
also roaming about. Talk to the sysop and assistant sysops privately about your
find, via e-mail or on-line chats.

Making Connections

Many of the BBSs you encounter will be strictly legit operations. There will be no
talk of hacking, no trading of break-in secrets, and certainly no sensitive
information of any kind being distributed to newcomers. You will have to start by
jumping into already established, possibly ho-hum conversations.
Be polite, try to be helpful. Add thoughtful comments to the discussion. Having an
experienced hacker as a friend will do more to boost your skill in that area than
anything else - except perhaps some persistence, research and luck.
Soon you will have a few favorite systems that you'll call on a regular basis, but you
should also be constantly branching out, trying all the new systems you find, your
goal being to eventually find an access into the "computer underground."
There is no single, organized underground per se, but there are groups of hackers
and others interested in technology scattered here and there. They will keep their
conversations of illegal activity secret, so it will be difficult to find them. The
message boards they use to communicate will often remain hidden to the
uninitiated, and the BBSs on which the most interesting tales are traded will not
have their phone numbers publicized at all. Your best bet is to keep searching. If
you start to get the feeling that someone on one of the bulletin boards may be
inclined to deviant computing, you may want to send him or her a private message
(tactfully) asking if he or she is interested in that sort of thing and if so, would that
person want to trade information? But remember: any message you send on a BBS
can be read by the sysop, co-sysops, and possibly other system managers lower
down the hierarchy, so be discreet if the people who run the show are antihacker.
A lot of people own computers with modems, and you will run into a lot of different
kinds of people on electronic bulletin boards. If you look in the right places you are
sure to find computer hackers. What may be more difficult is getting them to
accept you as one of their own. Hackers like to show off, but they don't usually like
to explain how they do their tricks. You will have to demonstrate to them that you
are a thoughtful, resourceful, logical person who can hack just as well
as they can - and one who has information to share.
As you wander through the bulletin board forest, keep track of where you've been.
Keep a list of the different BBSs, making note of the software used to run each
BBS, and what features are available on each one. Particular features to keep
track of are file transfer capability, extent of BBS list, user lists, and doors.


BBS Features


BBSs are more than just bulletin boards - that is, they are more than just a place to
write and read messages.
BBSs with file transfer sections will allow you to upload (send) computer programs
and files to the BBS, and download (receive) files from the BBS computer. Many of
the more serious BBSs have renounced file transfers as a waste of good time and
disk space, but this feature is still common, especially with sysops who cater to
software pirates (or bootleggers) who deal in software that has had its copy
protection removed.
There are various kinds of user lists and logs on BBSs. These range from user
responses to a poll or questionnaire, to a little introductory message from the user,
to brief one or two word descriptions of the user's affiliations and interests. Often
usage logs are available; these will let you see who logged onto the BBS before you
arrived there. These usage logs may go back to the beginning of the day, or
farther.
"Doors" are used to go outside of the BBS program. When you walk through a door
(by selecting a command from a menu) you enter a completely different
program. Usually doors are used to play games on-line, but any kind of program
can be accessed through doors. It all depends on the BBS software being used,
and the whims of the sysop.
Other BBS features include:


• Graffiti walls. These allow users to put up a short note, advertisement, or a joke.
• E-mail (electronic mail). Lets users send private messages to other users of the
system.
• Chat (also called "page operator"). Allows you to have an on-line conversation
with the sysop, if the sysop is at home.
• Text file libraries. These contain anecdotes, jokes, "Welcome to the BBS," handy
information, technical files and other sorts of things that people might like to read.


Once you get started BBSing, you'll get a handle on the kinds of things you tend to
find on BBSs... and the ways you can exploit them to your mischievous hacker
advantage!

BBS Exploitation

It used to be, long ago, that if you wanted to break into a computer system, it was
easy to exploit bugs in the system software, or default passwords, to work your way
in. Nowadays, things are a bit tougher. Those bugs and default passwords have,
for the most part, been done away with.
Oh, they're still there if you know what you're doing -but unfortunately, for the
most part you'll be stuck if you rely on those methods. What you have to do is
exploit the new line of system bugs.
Unless you have some phobia, you are not afraid of being struck by lightning every
time you leave your house. That's just not the kind of thing that makes sense to
worry about, so you probably don't worry about it at all. But what if someday you
were struck by lightning? That would change your perspective on things, wouldn't
it?
My point is this: the weakest link in any security system is the people involved in
making sure everything stays secure. Joe Blow, the average computer user,
doesn't care about security matters -why should he? He has no reason to even
think about security. He's never had files erased by a virus, never had his credit
card numbers stolen, or his DIALOG account breached. Joe Blow is the weak link.
How is Joe Blow - the weak link - to be exploited? Joe is a typical computer user -
and a typical human being. He's a bit into computers, but not a fanatic like maybe
you are. He's human, so he has trouble remembering fifty different passwords. So
he uses the same password for every computer system and BBS with which he has
an account. Joe uses easily guessed passwords, or maybe none at all. He's not a
computer whiz, so he doesn't always understand what's going on when people start
talking computer language to him - this makes him vulnerable to being exploited.

And guess who's going to be exploiting Joe Blow? Yes, you.

Getting To Know You

What I'm about to say here will sound like heresy to some, downright evil to
others, and superficially it will appear to break the very fundamentals of the
hacker's code of ethics. Well, in some ways it does, but there are a lot of things I
say in this book that are like that. It's true: life often breaks its own rules.
Sometimes you have to break your own rules to have some fun. So anyway,
here's my warning: Watch out! Taboo subject ahead!
If you've followed my earlier advice, you have this huge list of BBS numbers, and
you've been calling them all to get more numbers. Why did I say to do this?
Because the people you will meet on these systems are people who are into BBSing.
A lot of them have accounts on other local systems or databases, or at their jobs, or
schools.
If you call up Fred's BBS, and you go to the "Computers" Discussion area, and Joe
Blow is there talking about CompuServe, you have just found out a very significant
clue! All you have to do now is find out what password Joe uses on Fred's BBS.
More than likely it's the same one he uses for CompuServe and every other
computer account he owns (not to mention, this password is probably the key he
uses to encrypt files). This is easier said than done, of course.
This is what you should do. Many BBSs have a listing of which users have signed
on to that BBS, where they live, what their interests are and what they do for a
living. These lists are like gold to a dedicated hacker. Use your program's data
capture facility to record the most useful lists you find, then edit them down and
print out the essentials.
Let's say you're looking through your captured user list from Fred's BBS, and you
see Joe Blow's entry. Under interests, Joe put down "bowling, SCUBA diving, Star
Trek & lacrosse." Now you have some clues. It's more than likely that Joe Blow's
password is a word taken from one of these areas of interest.
When you look through these user profiles, you are learning more about these
people, you are getting to know them. It is vastly easier to figure out the
password of someone you know than the password of a complete stranger.
If you've been having conversations with these people on the bulletin boards,
you've found that some are computer experts and some are not. Obviously, it's
better to try to focus on someone who is not an expert BBSer -although some
expert users are so smug they become complacent and lazy, and so perhaps
become better targets. Use your judgment. A newcomer will be more likely to
choose a bad password. Newcomers (or people disinterested in computers) will
tend to choose certain obvious passwords over and over again.
To sum up: If you find out what things a user (especially a new user) is interested
in, it's "easy" to guess his or her password. If you know that person uses a
computer at work or school, it's likely the same or a similar password is used for
both systems.
I'm not trying to suggest that guessing a password is simple. It's not - you have
to have patience, and a lot of time on your hands. But there are faster, smarter -
and consequently, more technical -ways of getting into Joe Blow's BBS account
than a brute force attack. Let's look at these.

Bypassing BBS Security

Even though BBSs employ security features, there are at least eight factors which
serve to make them vulnerable to any resourceful hacker. These security loopholes
are:

• Hacker is familiar with the remote hardware.
• BBS is run on a home computer.
• Hacker is familiar with the BBS software.
• Hacker is familiar with the people involved.
• Diversity of people involved.
• File transfer section.
• Hacker knows when sysop is and is not watching.
• Hacker knows usage patterns.
Each of these vulnerabilities offers numerous opportunities for a hacker to break
into the BBS of his or her choice. Taken as a whole, it should be pretty much
impossible for a hacker to NOT be successful at a BBS breach.
Unlike other hacking situations -such as when dialing up a large government
computer for the first time - you will be familiar with practically every aspect of the
BBS you select to hack. BBSs often have a menu option that gives you the
rundown on what equipment is being used to operate the system. The brand of
software will also be known to you, and from regular conversations with the sysops
and users, a personal familiarity will develop. Knowing all these facts gives you a
great advantage in the writing and uploading of Trojan horse programs, in the
seeking out of bugs to profit by and, yes, in the guessing of passwords.
BBSs will generally tell you upon login whether or not the sysop is available to chat.
Naturally there is no guarantee that the sysop is not present when the notice says
he's not present, but the "Sysop is IN" sign can at least warn you of when you
should definitely be most cautious.
Even if the sysop appears to be unavailable, the BBS software itself might be
watching you like a hawk, printing out your every move, or every attempt at
crashing the software. For example, RBBS-PC bulletin board software allows the
sysop to keep a continuous printout on each caller's name, files exchanged, and
error messages that occur. As we will see later in this chapter, this can be
troublesome depending on the type of attack you wage against the BBS.

Running A BBS

The least difficult way to collect passwords is to have people give them to you. If
you start up your own BBS, that is exactly what will happen.
But being a sysop takes a lot of work, and it also involves the use of your computer,
modem, telephone line(s) and possibly even your printer. That leaves little
equipment to hack with!
The original three motivations for hacking local BBSs were for: 1) the excitement
and curiosity-satiating value of it, 2) the opportunity for low-risk practice and, 3)
to obtain passwords which might also be used by the same users on other computer
systems. When you set up your own BBS, the first two of these reasons are suddenly
gone. Only the third -password collection -remains, and there are more
efficient ways of collecting passwords than this. However....
There are some advantages for the hacker who runs a BBS, whether or not the
hacker is willing to abuse the trust users place in the sysop. For example, the
hacker can set up a BBS specifically as a place for other hackers to pose questions
and exchange information. If you decide to do this, you will want to make sure
you are overly wary in your advertising and in your group's initiation procedures,
to ensure that you're not accepting law enforcement officials or hostile hackers
onto your board. So as not to get too off the topic, I will come back to the security
subject later, at the end of this chapter.
Running a BBS -or at the very least, setting one up on your system, even if you
don't go public with it - will teach you more about how BBSs operate than anything
else. It's always beneficial to a hacker, and soothing to the true hacker's mindset,
to be fully conscious of how a computer system works. Also, you can try setting up
a limited BBS and practice breaking into it from a friend's house, or challenge
others to do so (you're best off making this challenge only to close friends). This
will show you what can and cannot be done on the particular BBS software you're
running, and might teach you something about hacking as well. Then you can go
out and infiltrate other systems which run the same software. And you can alert
other sysops to the security risks inherent in their systems. I've never run a BBS
by myself -I've never wanted to devote a computer and phone line, nor my time,
toward the maintaining of a bulletin board system. But I have been an assistant
sysop with full operating abilities on several BBSs, and in so doing I've seen a lot of
tricks that people have tried in an effort to break into those systems.


Midnight Masquerade

One night, at around 1:30 a.m., the Treacherous Den BBS received a visit from a
hacker. The hacker tried logging in a few times using my handle, The Knightmare.
The sysop of the system, my friend DR dendryte, was sitting there watching the
hacker go at it unsuccessfully until finally he pressed the function key which
brought the two of them to chat mode. The following is a transcript of the ensuing
conversation, copied exactly as it appeared in the sysop's printout, but with
unnecessary carriage returns removed. [My own comments are in brackets, like this.]
SysOp wants to Chat!
This is DR dendryte, Who RU?
this is Knightmair i Forgot my password. Log me on.
[At this point, DR dendryte knew for certain he was dealing with an impostor. He
knew that I never called that late at night, and that I would never forget my
password, considering that it was the same password I'd been using for several
years. DR dendryte, however, decided to play along.]

How Did you forget your password??!
I dont know it just slipped my mind. i guess!
I can't just give out passwords like that
you don't have to you can just log me in.
If you're really The Knightmare then tell me, what is your REAL NAME?
[A pause, and then]
don't you trust your own best friend & co-sysop?
come on
i cant beleive you!!!!!
You are definitely NOT The Knightmare...
[Here DR dendryte was referring to the hacker's bad spelling and grammar; DR
dendryte knew that I am meticulous in my on-line chat writing.]
he never makes stupid spelling mistakes like that, or uses bad grammar or
[Here, both are trying to type at once. DR dendryte lets the cracker speak:]
That does igt! I don't want to be your friend anymore! just delete me off the BBS.



If you are really who you say you are, let's go voice!

[That is, DR dendryte is asking the hacker to turn off his modem and pick up the
telephone - go voice.]

i Don't believv you don't trust me

GO VOICE

Theres no phone in the room..

Sure there is! On the bookshelf next to you!

It broke

HA!! You should have said, "WHAT bookshelf?" There IS no bookshelf in the room!
HA HA HA HA HA A

+++

[Click.]

The next day, when DR dendryte told me this story I said, "You should have told
him, 'I AM The Knightmare!' That would've really embarrassed him!"
Impersonations of this kind might work, but only if you are already intimately
familiar with the person you are attempting to impersonate. In this instance, the
hacker chose to login as me, correctly assuming that I would not be at the sysop's
home at midnight. Perhaps the hacker also supposed that DR dendryte would be
asleep.
It seems to me that a ruse like this is more likely to work on a large corporate
computer, where nobody knows each other and workers may not have the great
love for their computer system that sysops have for theirs.
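The printout DR dendryte kept is exactly the kind of record a sysop can mine after the fact. The following is an added example, not code from the book or from any BBS package: it reads a constructed caller log in an assumed format (modelled on the per-caller printout the chapter says RBBS-PC can keep) and flags the two signs visible in the masquerade above, a burst of failed logins under one handle and attempts far outside that handle's usual calling hours.

```python
"""Flag suspicious login activity in a BBS caller printout.

Added example. The log format is an assumption loosely modelled on the
per-caller printout (name, files exchanged, errors) described for RBBS-PC;
the real program's layout is different.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample printout (not real data). Assumed format:
#   YYYY-MM-DD HH:MM <handle> <EVENT> [detail]
SAMPLE_LOG = """\
1991-03-02 19:05 The_Knightmare LOGIN_OK
1991-03-02 19:47 The_Knightmare FILE_UP CHESS.ARC
1991-03-03 20:12 The_Knightmare LOGIN_OK
1991-03-04 18:55 The_Knightmare LOGIN_OK
1991-03-05 21:30 The_Knightmare LOGIN_OK
1991-03-06 01:30 The_Knightmare LOGIN_FAIL bad password
1991-03-06 01:31 The_Knightmare LOGIN_FAIL bad password
1991-03-06 01:33 The_Knightmare LOGIN_FAIL bad password
1991-03-06 01:34 The_Knightmare CHAT sysop paged caller
1991-03-06 09:10 Joe_Blow LOGIN_OK
1991-03-06 09:41 Joe_Blow FILE_DOWN TREK.ARC
"""


def parse_log(text):
    """Turn printout lines into (timestamp, handle, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
        detail = parts[4] if len(parts) > 4 else ""
        events.append((when, parts[2], parts[3], detail))
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Alert once when a handle's failed logins reach `threshold` within `window`."""
    alerts = []
    recent_fails = defaultdict(list)  # handle -> timestamps of recent failures
    for when, handle, event, _ in events:
        if event != "LOGIN_FAIL":
            continue
        recent = [t for t in recent_fails[handle] if when - t <= window]
        recent.append(when)
        recent_fails[handle] = recent
        if len(recent) == threshold:
            alerts.append(("burst", handle, when))
    return alerts


def _hour_distance(a, b):
    """Distance between two hours of the day on a 24-hour circle."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def off_hours_attempts(events, min_history=3, tolerance=2):
    """Alert on login attempts far from the hours a handle normally logs in at.

    The baseline is built only from earlier successful logins, so a run of
    failures at 1:30 a.m. cannot teach the detector that 1:30 a.m. is normal.
    """
    alerts = []
    history = defaultdict(list)  # handle -> hours of successful logins so far
    for when, handle, event, _ in sorted(events):
        if event not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        seen = history[handle]
        if len(seen) >= min_history and all(
            _hour_distance(when.hour, h) > tolerance for h in seen
        ):
            alerts.append(("off_hours", handle, when))
        if event == "LOGIN_OK":
            seen.append(when.hour)
    return alerts


def review(text):
    """Run both checks over a printout and return alerts in time order."""
    events = parse_log(text)
    return sorted(failed_login_bursts(events) + off_hours_attempts(events),
                  key=lambda alert: alert[2])


if __name__ == "__main__":
    for kind, handle, when in review(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M}  {handle:15} {kind}")
```

The sample run flags the three 1:30 a.m. attempts as off-hours for a handle that otherwise calls in the evening, plus one burst alert on the third failure; Joe_Blow has too little history to judge and produces nothing.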

Hackmail

The Treacherous Den BBS was a particularly sweet target for hackers to try and
infiltrate. It was a large system, with many users (many of whom were sysops of
other BBSs), and it
had dozens of games and digitized pornographic pictures that could be downloaded.
The system was run off a pirated copy of a popular BBS software package, but DR
dendryte had altered it so that it appeared to have been officially registered in his
name. Once a long-time user of the system asked DR dendryte an innocuous but
technical question about the BBS, over the phone. DR dendryte told him to hold on
a minute, he would look up the answer in the manual.
"Oh, you bought it?" the user asked, apparently referring to the BBS software.
"Yeah," DR dendryte replied, referring to the instruction manual, which he had
found at a used book store for a quarter.


DR dendryte answered the user's question, chatted awhile longer and then hung up.
He didn't think any more of the conversation until the following month, when a
cardboard envelope arrived in the mail. It was a disk envelope, with a computer-printed
return address label affixed that gave the address of the company that
produced the BBS software. DR dendryte opened the envelope. Inside was a letter
addressed to DR dendryte's real name, and signed by the author of the BBS
software, the man who also owned and had started the company. The letter read:

Dear Mr. L__ H__:

K__ Software has adopted a new software upgrade policy. All customers who have
purchased non-entertainment packages from before July 1986 are entitled to a
yearly free upgrade.

This new version of your software is fully compatible with all previous ones. To
upgrade, simply insert the enclosed diskette and type START.

Thank you for purchasing fine quality K__ Software. We hope to have you again as
our customer in the future.

Very Truly Yours

(Signature)

P__ I. B__

Not only did DR dendryte know immediately that this was a total crock, but he knew
who had had the gall to send it to him. At once he reduced login access for that
user he had spoken with on the phone, down to one-time visitor status. Then he
wrote a nasty note and e-mailed it to him. That particular user was the only
person, aside from myself, who knew about the manual. But of course, I already
knew that DR dendryte had not bought the software, but had obtained the manual
through alternate means. The user had assumed incorrectly that because DR
dendryte had the book, he must have bought the BBS.
Upon examination of the disk that had been mailed to him, we found that the disk
contained eight files:
There was a text file which explained all the "wonderful and exciting features you
will enjoy having on your new version of L BBS Software." There was an instruction
file called START, which read the contents of that text file. START would then
"update" the old version of the software with its "new" version.
There were four files on the disk that exactly matched ones found in the actual BBS
software (apparently these were there to misdirect our attention), and a fifth
program that matched closely but not exactly! (It is possible to compare two files
by using the "comp" command under MS-DOS, or by using a relevant feature of a
Norton or Norton-type program.) Finally, there was a blank file called T on the disk,
which served no purpose at all.
It took us hours to figure out what the user had programmed his "new" version to
do. As it turned out there were two things different. A copy of the user information
file was programmed to be e-mailed to a user the first time he logged on; a trap
door had also been inserted that would give temporary operating system access to
anyone who typed control-E, control-X, control-I, control-T, control-! at the
username prompt.


You won't be able to pull a stunt like this unless you can gain access to the source
code for the software, as he must have been able to do (unless you want to
recreate from scratch an entire bulletin board system).
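Comparing the mailed disk against the real software, file by file, is what exposed the near copy. As an added example, not code from the book, the following checks an unsolicited "update" against the installed files and reports differing byte offsets the way MS-DOS comp does; every file name and content below is a constructed stand-in for the eight-file disk described above, and the list of executable extensions is an assumption.

```python
"""Check an unsolicited "update" disk against the installed software.

Added example. KNOWN_GOOD stands for what the sysop already runs and
UPDATE_DISK for the mailed disk; both are constructed, not real files.
"""
import hashlib

# Constructed known-good installation.
KNOWN_GOOD = {
    "BBS.EXE":    b"MZ\x90\x00" + b"BBS main program" * 4,
    "MENUS.OVL":  b"[M]essages [F]iles [D]oors [C]hat [G]oodbye\r\n",
    "CONFIG.DAT": b"LINES=2\r\nBAUD=2400\r\nSYSOP_IN=0\r\n",
    "HELP.TXT":   b"Type ? at any prompt for help.\r\n",
    "LOGIN.OVL":  b"MZ\x90\x00" + b"Enter your handle: Enter your password: "
                  + b"\x00" * 16,
}

# Constructed "upgrade" disk: a read-me, a START script, four exact copies,
# one near copy with three bytes patched, and an empty filler file.
_GOOD_LOGIN = KNOWN_GOOD["LOGIN.OVL"]
UPDATE_DISK = {
    "README.TXT": b"Wonderful and exciting new features...\r\n",
    "START.BAT":  b"@ECHO OFF\r\nTYPE README.TXT\r\nCOPY *.OVL C:\\BBS\r\n",
    "BBS.EXE":    KNOWN_GOOD["BBS.EXE"],
    "MENUS.OVL":  KNOWN_GOOD["MENUS.OVL"],
    "CONFIG.DAT": KNOWN_GOOD["CONFIG.DAT"],
    "HELP.TXT":   KNOWN_GOOD["HELP.TXT"],
    "LOGIN.OVL":  _GOOD_LOGIN[:50] + b"JMP" + _GOOD_LOGIN[53:],
    "T":          b"",
}

# Assumed set of extensions that carry code on the system being checked.
EXECUTABLE_EXT = (".EXE", ".COM", ".BAT", ".OVL")


def sha256_hex(data):
    """Digest used to decide quickly whether two files are byte-identical."""
    return hashlib.sha256(data).hexdigest()


def first_differences(a, b, limit=5):
    """Offsets and byte values where a and b differ, comp-style.

    Stops after `limit` differences; a trailing ("length", len_a, len_b)
    entry records files of unequal size.
    """
    diffs = []
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            diffs.append((offset, x, y))
            if len(diffs) >= limit:
                break
    if len(a) != len(b):
        diffs.append(("length", len(a), len(b)))
    return diffs


def classify_update(installed, update):
    """Label each file on the update disk relative to the installed copy."""
    report = {}
    for name, data in update.items():
        if not data:
            report[name] = ("empty", [])
        elif name not in installed:
            report[name] = ("new", [])
        elif sha256_hex(data) == sha256_hex(installed[name]):
            report[name] = ("identical", [])
        else:
            report[name] = ("modified", first_differences(installed[name], data))
    return report


def needs_review(report):
    """Files to verify with the vendor before START is ever run:
    anything that changes installed code, plus any new executable."""
    flagged = [
        name for name, (status, _) in report.items()
        if status == "modified"
        or (status == "new" and name.upper().endswith(EXECUTABLE_EXT))
    ]
    return sorted(flagged)


if __name__ == "__main__":
    report = classify_update(KNOWN_GOOD, UPDATE_DISK)
    for name, (status, diffs) in report.items():
        print(f"{name:12} {status:10} {diffs}")
    print("verify before running:", needs_review(report))
```

On the constructed disk the four exact copies come back identical, the patched login overlay is reported as modified at offsets 50 through 52, and the unsolicited START script is held for review along with it.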


Once again, another of those pesky hacker attacks was thwarted!

Crashing BBSs

On another BBS that I was a part of, the sysop would come home from school every
day to find his system had crashed. It had simply frozen up and would have to be
rebooted. Eventually he found out from someone that there was a bug in that
version of that particular BBS. A "\x" typed at the password prompt caused
everything to halt. Key portions of the BBS software were written in easily
changeable, interpreted BASIC. To remedy the problem I simply added a line after
the prompt that would disconnect anyone who tried typing in the dreaded "\x."
It worked.
I've always wondered about that "\x." Why would such a harmful thing be there? I
can't imagine the programmer putting it in purposely, unless perhaps it was a
means to bother unlawful users of his software. Maybe it was some trap door that
had gone awry. Maybe if I had studied the program more I would have figured out
its meaning.
Maybe - this is a credible possibility - that bug had been placed there by the person
who had given the copy of the software to the sysop, or by the pirate who had first
bootlegged it, or by anyone at all along the line. Pirated software travels so rapidly
across the country and around the world that literally thousands upon thousands of
persons might have had the chance to add the "\x" thing and distribute the buggy
code. Hey - are you starting to get an idea there? I know I am!
You could either write your own BBS program or alter a currently existing one, with
some secret features such as an exit to DOS, or whatever trap doors tickle your
fancy. You could put in a line which checks to see if a very obscure and unlikely
control code is entered at the login prompt, and if so, highest system access is
gained.
A twist to this tactic is to write or change a terminal program, which you give to the
user. When it receives an internal code while connected to your BBS, you gain
access to the calling computer. For example, a user would be running your special
terminal program while calling your BBS. The BBS would send a code to the
caller's modem, which would allow you to wander around the caller's hard drive. To
cover up the fact that you're roaming around in there, entry would have to take
place during a long file transfer or, if it is a slow modem, during those time lags
between modem action. The terminal program could continue pretending to
receive data while you surfed the remote user's drives.
PRODIGY, a graphic-oriented interactive, on-line service, was accused of engaging
in a variation on this theme in the summer of 1991. Users were finding personal
data buried inside the software that is used to dial up PRODIGY. After complaints
and outrage, PRODIGY's senior vice president mailed out a utility to those
concerned, which would erase non-essential data from the service's terminal
software. In an accompanying letter he sincerely asserted:
As we have stated publicly and written on-line, the PRODIGY software does not
read, collect or transmit to PRODIGY Services Company any information or data
that is not directly connected to your use of the service. We want to assure you
that we will continue to work to safeguard the privacy of all of our members.
Maybe theirs doesn't do those things - but yours can!
Years ago, one group of enterprising hackers distributed their own homebrewed,
broken terminal program for the Macintosh line. The program gave users the
convenient option of allowing them to store passwords and other login procedures
on disk so that one would never have to worry about forgetting them. The
information was stored in encrypted form on a hidden part of the disk. The program
was developed to "go bad" after several phone numbers and passwords were
stored, the hope being that users would send back the disks, and the hackers would
end up with a bunch of precious login information.
This should be taken as more theory than actual practice: PRODIGY can get away
with requiring users to boot from their software because of the unique graphics and
mouse interface provided. Unless you work something like that into your term
program, who's going to want to bother installing and learning your software when
they are already familiar with one or several commercial
packages? In fact, this is what happened to that group of hackers. Initially there
was great interest in their terminal program (which they gave away free), but no
one wanted to go through the trouble of using it. The problem was, the hackers
gave the program out to experienced users who had already developed an intimacy
with one or more commercial programs. No one needed the hacker's terminal
package, and so what seemed to be a great idea netted the hackers nought.
As for the first idea -changing a BBS to include trap doors - now that is a viable
possibility. There will always be plenty of people looking to set up their own
bulletin board system, or who are looking for ways of acquiring new software.
Distribution is less of a problem than the programming, especially considering that
you will not only have to interject code for the trap door but, for best results,
determine a way to hide that code from interested eyes.

Trojan Horses

It is usually easy for a hacker to infiltrate a BBS with some version of a Trojan
horse program. The hacker writes a program which performs some interesting
function, such as playing a game or putting pretty pictures on the screen. Hidden
in that program are instructions to read BBS password files, or carry out some other
covert operation. The hacker then uploads the program to a BBS and -here's the
important part - hopes the sysop runs the program.
You will want to procure a copy of the BBS program before writing a Trojan horse,
so that you know exactly what those secret instructions should be doing.
Otherwise, how will you know what files to look in or where to go on the disk for
information?
What kinds of things can you program a Trojan horse to do? Here are some
suggestions:
Have it secretly reprogram the BBS itself to include a trap door. If the BBS
program is written in an interpreted language, you can have the Trojan horse add
some lines which would give you sysop access upon entering some code word. This
actually has been done on a popular Commodore 64 bulletin board system that
was written in BASIC.
You can program the Trojan horse to look into the password file and send data
contained in it back to you somehow. Many BBSs have a text file section. You can
have your program encrypt the passwords as it roots them out, then append them
to the end of one of the text files. Then you simply log on, view the files, obtain
the encrypted passwords and decode them. People reading the text files on-line
will interpret the seeming random characters as line noise or harmless file
corruption.
Another way to get password information back to yourself is to use the BBS's e-mail
function. To avoid suspicion (because sysops love to read the e-mail users send to
each other) you should, again, encode the information and embed it within an otherwise
boring piece of e-mail.
A Trojan horse may contain a rough version of some key portion of the BBS
program itself. The Trojan then extracts that piece of itself, copying over the
legitimate version already on disk.

Covering Up Trojan Horse Activity


There are two things you have to worry about when you upload a program
containing a Trojan horse to a system:

1) That your Trojan horse will be discovered while it is running.
2) That it will be discovered either before or after it has run.

I will talk about each of these problems in turn.

While It Is Running

The rational hacker has an easier time of this than does the malicious system
crasher. You see, if Junior Joe writes a program to covertly format hard drives,
something has to be happening on-screen to divert the user's attention while the
hard disk drive light flashes on and on and on.... It takes quite a while to format a
hard drive. Junior Joe has to cleverly devise some non-interactive time-killer that
will hold interest for the length of the format or file deletions. The time-killer could
be a pornographic display (perhaps accompanied by digitized sound effects: "Ohhh!
Ooooh baby! Yummm-mee ... !") or a digitized musical score, or perhaps the
program could send graphics to the printer. Meanwhile, you will be using
rapid-action Trojan horses (sprinters) which do their thing in short,
quick bursts.
Never have your program access the hard drive (or any unauthorized peripheral) for
what the sysop will think is no reason. When the Trojan horse is actually going
about its business, there should be a note on the screen to misinform the sysop as
to what the program is doing. For example, if the Trojan horse is hidden in a game,
you could have it display the message, "Saving your new high score...", while the
program changes around user access files (or whatever your horse is trained to do).
Don't forget, the program actually should be saving the user's high score as well,
and the entire drive access time should be very short. As soon as the Trojan horse
is finished operating, the program should erase the note from the screen; this will
ensure the drive access time goes unsuspected. If possible, have the note be
erased midway through the Trojan horse's activities, to deliver the illusion of very
quick drive access.


Another way to access the drive unnoticed is to have the program say something
like this when it is started up:

AutoCheck Virus Detection Program v1.3 (c)opyright 1992 Paul Bradley Ascs.

Scanning file FILENAME.1 for viruses
Scanning file FILENAME.2 for viruses

Meanwhile, the Trojan horse will be scanning the computer's hard disk for
passwords!
For FILENAME.1, FILENAME.2, etc. in the above, substitute names of the program
and data files that were uploaded with the application. A nice extra touch is to not
have the ellipses (...) written to the screen immediately. Instead, have the periods
appear one at a time between disk accesses, to make it appear that the program is
really scanning through the different files.
Trojan horse activities can also be covered up under befitting circumstances by such
messages as:

Opening data file

Reading data

Saving selections before quitting

Loading text

Messages should always follow naturally from whatever's taking place on the visible
program.
Trojan horses that perform BBS functions (such as changing passwords) should do
so via direct disk access if possible, and not by utilizing the BBS program. That lets
you bypass any security logs and printouts that are made of suspicious activity.
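The sysop's side of that last point, as an added example that is not from the book: a BBS activity log only records what goes through the BBS program, so a file-integrity baseline is what catches a user file rewritten directly on disk. The Python below (my code, not the book's) hashes every file under a data directory, takes the snapshot again later, and reports what changed. The directory layout, the ACTIVITY.LOG and NEWGAME.BAT names and the file contents are constructed for the demo; USERINFO.TXT and the USERS directory are the names the book itself uses.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (as a relative, /-separated path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose digest changed, files that appeared, and files that disappeared."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def demo() -> Dict[str, List[str]]:
    """
    Constructed scenario (hypothetical files, not a real BBS): a data directory
    holding a user file and the BBS's own activity log.  Between the two
    snapshots the user file is rewritten straight to disk and a batch file is
    dropped next to it; the BBS program never ran, so its log is unchanged.
    """
    with tempfile.TemporaryDirectory() as root:
        users = os.path.join(root, "USERS")
        os.mkdir(users)
        with open(os.path.join(users, "USERINFO.TXT"), "w") as f:
            f.write("User #44 level=3\n")
        with open(os.path.join(root, "ACTIVITY.LOG"), "w") as f:
            f.write("no suspicious activity\n")
        before = build_baseline(root)

        # Direct write to the user file, bypassing the BBS and therefore its log.
        with open(os.path.join(users, "USERINFO.TXT"), "w") as f:
            f.write("User #44 level=99\n")
        with open(os.path.join(users, "NEWGAME.BAT"), "w") as f:
            f.write("echo created at run time\n")
        after = build_baseline(root)

        # The log still says nothing; the digests say what happened.
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the BBS software cannot write (a floppy, a different machine) or it is only as trustworthy as the files it describes; the comparison itself is cheap enough to run after every upload is first executed.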

Before & After

Sysops, system administrators, and even regular users are now wise to the
hazards of bulletin board file transfers. They understand at the very least the
threat of viruses, and so are more likely nowadays than ever to examine a program
carefully before using it.
This means they will use a virus scanner to check your uploads for viruses. This is
almost a given, but it is nothing to be feared since the available virus detection
programs will not locate your Trojan horse in an otherwise valid file. What you do
have to be careful of is that the sysop or system manager will manually examine
your uploads for filthy words or erratic programming.
As before, malicious crashers and system vandals have a bigger job ahead of them
than you. They have text they have to hide within their programs. For instance,
who hasn't heard of a virus or logic bomb that screams "GOTCHA!!" as it overwrites
the File Allocation Table? Programs are available that specifically look for this sort
of thing in files. Even if the sysop doesn't have one of those programs, if he or she
is cautious enough, that crasher's "GOTCHA!" will certainly be discovered before the
program is ever run.


Your Trojan horses won't have as much to hide. All the text in your programs will
be text that gets written sensibly to the screen anyway, text that is either part of
the application program, or text that looks like it comes from the program, but is
actually used to blanket your Trojan horse. Also, your program won't have any
"format" commands sticking out like sore thumbs. Thus, your job is easier than
the crasher's, though it's far from being a snap.
There may be commands in your program to read or write, or to rename private
BBS files. These commands, and more importantly, the filenames, must not be
discovered by the sysop. It is not good enough to use a simple one-letter-higher
cipher to encode commands and filenames; for there are programs which can scan
a file and display readable text it contains. If you just push everything up one
letter higher (i.e., "PASS" becomes "QBTT"), those programs will still locate this
encoded text -and the sysop might be smart enough to discover what it means.
You're better off encoding text using numbers, symbols or foreign alphabets.
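What such a scanning program can do, as an added example from the reviewing sysop's side (my code, not from the book): a strings dump that also tries every letter shift. The Python below extracts printable runs from a file's bytes, the way the `strings` utility does, decodes each run under all 26 shifts and flags any run that turns into a watch-word. The sample bytes are constructed, using the book's own PASS/QBTT example and a shifted USERINFO.TXT; the watch-list is my assumption, not something the page gives.

```python
import re
from typing import List, Tuple

# Words a reviewer would not expect inside an innocent game or utility.
# Assumed watch-list; extend it to whatever the board actually protects.
SUSPICIOUS_WORDS = ("PASS", "USER", "FORMAT", "SYSOP", "ACCESS")

# Constructed "upload": a decoy message, a plain log name, and two strings
# whose letters were each pushed one position up the alphabet.
SAMPLE_UPLOAD = (
    b"Saving your new high score...\x00"
    b"SYSOP.LOG\x00"                 # plain text, found at shift 0
    b"\x00\x00QBTT\x00\x00"          # "PASS" pushed up by one
    b"VTFSJOGP.UYU\x00\x00"          # "USERINFO.TXT" pushed up by one
    b"\x01\x02\x03Thanks for playing!\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Every run of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def caesar_decode(text: str, shift: int) -> str:
    """Move each ASCII letter *down* by `shift` places; everything else is kept."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 - shift) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 - shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def find_suspicious_strings(data: bytes,
                            words=SUSPICIOUS_WORDS) -> List[Tuple[str, int, str]]:
    """
    For each extracted string try all 26 shifts and report (raw, shift, decoded)
    when the decoded form contains a watch-word.  Shift 0 means plain text.
    One report per string is enough, so stop at the first matching shift.
    """
    hits = []
    for raw in extract_strings(data):
        for shift in range(26):
            decoded = caesar_decode(raw, shift)
            if any(w in decoded.upper() for w in words):
                hits.append((raw, shift, decoded))
                break
    return hits


if __name__ == "__main__":
    for raw, shift, decoded in find_suspicious_strings(SAMPLE_UPLOAD):
        print(f"{raw!r} -> shift {shift}: {decoded}")
```

The 26-way loop costs nothing on a file of a few hundred strings, which is why a single-letter shift buys the uploader no cover at all; the same loop finds the decoy "Saving your new high score..." harmless, so the tool points a reviewer at the few strings worth reading.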
A program you upload may be an uncompiled source listing or a batch file. In this
case, you will have to do some fancy fingerwork to keep your Trojan horses hidden.
NEVER simply upload a batch file in its raw form. Imagine if you were the sysop
who got this from a user:

cd BBS\USERS
open USERINFO.TXT
read USERINFO.TXT: User #44
set systemlevel 3 == systemlevel 99
close
exit

This isn't real code. It's meant to illustrate the kind of brazen attempt at upgrading
access that would catch a sysop's attention.
One way to eliminate this problem is to have the main application program create
batch files and other programs it needs. The batch commands start out as encoded
gibberish in the application program. A subroutine is called, which opens a text
file, decodes the commands, fills the file with them, then goes about its business.
The creation and use of the file should probably be done on separate occasions, to
keep illegal drive access time low.
Also for easily-readable sources, the Trojan horse part should not be standing right
in front or at the end of the listing. Put it deep within the program. Add
comments that will tend to mislead the careless reader. Remember, if your cover
program is particularly clever, the sysop may want to analyze it, to see how you
achieved such a wonderful thing! This means your cover program could be under
some heavy scrutiny; and your Trojan horse could be discovered by accident.
Consider having your program delete the Trojan horse after it has been executed.
That is, have the last few steps the Trojan horse takes be to erase itself from the
program.
Alternatively, have the sysop delete the application program (and thus the Trojan
horse). This can be tricky: how can you get the sysop to delete all those files you
uploaded, without letting on that something shady is going on below the surface?
Ways this can come to pass are by having the application program be something
that you know the sysop already owns, or something similar yet inferior to the
sysop's version.
Or you could just write the sysop some e-mail, saying that you found a potentially
dangerous bug in the program, "so if you would delete it I will send you a corrected
version." This can only be done when the application you sent is a compiled
program, elsewise the sysop would be able to correct the problem himself -wouldn't
he!
A particularly paranoid sysop might transfer any uploaded files to a different
computer before he tries them out. Or the directories could be set up differently than
expected, or the BBS might be set up to upload files to a floppy instead of the hard
drive. Take these things into consideration when you program, and have your
Trojan horse only work when the computer is set up as it is supposed to be. That
is, it will only run when it has access to the password files, or whatever else is
necessary for the Trojan horse to function. It's also necessary to do this because, if
the application that hides your Trojan horse is good enough, the sysop will make it
available for other users to download.

A Few Tips For
The Do-It-Yourselfer

We talked earlier about hacker BBSs. What if you make a dedicated effort at
finding a suitable BBS on which you can learn and share, but none turns up in your
search? You may want to start a BBS of your own to suit your needs. Get ahold of
the proper software, gather your most trustworthy friends together, and put
together your own bulletin board system!
Running your own system means that you won't get much use out of your home
computer and the telephone line to which it is connected. This would be no
problem if all you did on your computer was hack, since your hacking can be
taken on the road through the use of laptops, publicly available computers and the
like. But you most likely use your computer for other sports: game playing, word
processing, programming, and legal modem usage. Consider this before you get all
excited about setting up a BBS.
One way to get around this problem - and to simultaneously overcome many of the
problems that arise when one sets up a BBS - is to use your hacking skills to break
into a mainframe far away from your house, and use it for the site of your electronic
bulletin board.
Whatever home you give to your system, you should install it with a false front to
make it look legit, and a back side that encompasses the private area for accepted
hackers only. Invite the hackers whom you know to be wise and trustworthy into
the inner sanctum, while leaving the rest of the board open for unknowns to
explore.
I have seen some fantastic BBSs go up, only to fail miserably. And I've seen so-so
BBSs that quickly establish themselves as the "in" place to be. As a hacker BBS,
you won't experience this to such a great extent since you aren't going to advertise
as much as a generalized BBS would - after all, you're trying to keep out all the riffraff.
But you will still want new users to come and enjoy themselves, and if they
turn out to be the kind of folks you'd like to invite behind the scenes to your secret
hacker sub-section, all will benefit by it.


The strategy for getting users to come in and stay awhile is to set up your BBS,
turn it on, then leave it on. Many first-time sysops, excited with the prospect of
running their own system, continually take their BBS off-line to make
improvements. Don't do that! If someone calls and finds no computer is there to
pick up, they aren't going to call back a second time.
Advertise your BBS on other BBSs whose members you would like to have on
yours.
Have members of your BBS run scouting missions to the above-ground hacker
BBSs. You will find out what, if any, useful information is exchanging hands over
there, and you may be lucky enough to discover a hacker who is worthy of becoming
a member of your club.
Before you allow an unknown hacker into the secluded realm of your hacker sub-
boards, you should make doubly and triply sure that he or she is not a cop. Real
hacker BBSs verify their members by having them go through an initiation
procedure which includes recommendations from respected hackers, full disclosure
by the hacker of personal information so that it can be checked, and an autobiography
detailing what he or she has done, and what he or she can contribute to
the group. Don't be fooled! Verify that this self-proclaimed hacker is not an FBI
agent by checking out credit ratings, telephone company data, and positions on
other computer systems. You will have to use every inch of your hacking skills to
ensure that the personal information that you are given matches a real human
being. This isn't paranoia -it is common sense. Many, many hackers have been
fooled by impostors pretending to be hackers. The safest thing is to not accept new
members into your BBS; but that may not be the smartest thing because it
eliminates a possible world full of information that will never expose itself to you.
Exploring electronic bulletin boards can be a pleasant pastime. It can sharpen your
skills and teach you much about a lot of things. There is such a startlingly large
number of BBSs around that a hacker could find himself spending all hours of the
day and night connected to them, never to enjoy the thrill of the hack itself.
Considering the dangers of hacking, that might not be such a bad fate.
In an upcoming section we will explore more ways you the hacker can protect
yourself from the law. But for now let's get back to hacking - some of the best and
most useful techniques are yet to come!


Chapter Eleven:
Borderline Hacking


I want to talk about some non-hackerish ways of dealing with hacking problems.
There are times when some need forces a hack to be accomplished under time
constraints. When that is so, the usual time consuming methods may fail us, and
so one must resort to desperate measures. For the most part this is a topic related
to doing hacking as a job, which I feel is important to bring up because lately being
a hacker-for-hire has become an issue in the hacking world.


Hacking For Ca$h

There are hackers who have "made good," becoming security consultants for
corporations and governments. These turncoats have received criticism from two
directions. From the hackers: "How dare you do this to us!" (Rebuttal: "Obviously
you are not a real hacker. A True Hacker would delight in trying to outwit another
hacker's attempts to beef up security.") From the law-abiding citizens: "We couldn't
trust him before, why should we trust him now?" and "Just because you know how
to break into systems doesn't mean you know how to prevent them from being
broken into." These are all valid points.
If you wish to enter this line of business, you are not alone. Companies have paid
as much as $20,000 - possibly more - to have a hacker attempt to gain access to
their computers. "Tiger teams" is the term for groups of hackers or sometimes
lone hackers who are hired by an organization to put their security to the test. If
you decide to pursue such a path, you will want to project an air of professionalism
and sincerity. You have to prove to them you are a competent hacker, but you
can't let them know that there is a rebellious spirit in your heart.
Remember that computers are vulnerable not only to crackers. There are also
viruses, improper computing environments, loose-lipped employees and other
hazards that can make even a tightly sealed ship sink. Preparing the owners for
any catastrophe will earn you extra respect and recommendations for other jobs.
To touch on the second criticism of the "law-abiders," it is important to offer
solutions to any security loopholes you uncover in your investigation. You are a
hacker, so you know how hackers think.
You know their minds and their methods, and so, yes, you have the expertise to
recommend action that will prevent invasion of their system. Explain to your
employer why it is important that each of your suggestions be followed. Tell them
what you did to get in, the weaknesses you saw, and the potential trouble spots for
the future.
Other suitable clients are private individuals who are concerned with the
information being stored on them in databases. Hackers have been hired to alter
phone numbers, find unlisted numbers and addresses, remove fines, look up
license plate data and change school grades, among other jobs. Hacking a
business's computers under contract for that business is a perfectly legal occupation,
but when you start helping people access and perhaps change their data files,
you have stepped into the unlawful zone. Therefore, you should be very careful
about who you deal with and how much you let those people find out about
yourself.
Hacking is a hobby. Once you start getting paid for it you run into a problem: What
happens if you can't complete a job?
True, nothing should be too tough for the Super Hacker like you, but occasionally
you might have a deadline or unexpected difficulties and the system that looked so
fragile when you began now looms as a large and impenetrable monster that is
beyond your capabilities. That's where foul play comes in. Hopefully you won't
have to resort to anything less than hacker's methods. On the other hand, if you
have reached a point where you must choose between balking the job or finishing
it in an untraditional way, you might decide to do the latter to keep your good
reputation intact.


Besides, there's no sense in restricting yourself to hacker techniques when the bulk
of penetrators are going to use these uncouth methods anyway. If a company is
paying you to stop intruders, you'll want to make certain that there really is no way
that these blunt methods, commonly used by non-hackers to gain access, will be
viable. Therefore, you might have to try them out on the system you are being
paid to protect.

Filthy Tricks

These tricks are filthy because they are the kinds of things a rank amateur would
do. These "techniques" are strictly for non-hackers. I'd go so far as to say these
are the kinds of things a non-computer-user would do! When I say "computer
user," I mean someone who uses a computer because they want to, as opposed to
someone who does so from necessity.
Often these tricks are used as a precursor to some sort of theft, or espionage -
topics which lie on the fringe of true hacking only because they involve
computers. A true hacker must know these tricks exist, but would use them only
as a last resort - and then only with severe motivation to break in.

Bribery

You might not want to bribe the system administrator, but there will probably be
some underlings who also have "God access," who may be willing to lend same to
you, for a price. I would suggest you use bribes to pay for access to the system,
rather than bribing the person to carry out computer work for you. After all, you
want him to remain uninvolved in your affairs; if you're spying by computer, the
last thing you need is a company insider knowing that you're doing so.
Have the bribe pay for either access to that person's account, or to a newly created
superuser account. If the latter, only log on when the bribee is not on duty, so
that he or she won't get curious and look to see what you're up to.
Offering money in exchange for a specific service to be performed (like offering
$500 to change a grade from an F to an A) is even tackier, and more dangerous,
than just paying for system access. For instance, in 1973 a computer operator
employed by the Illinois Driver Registration Bureau was given a $10,000 bribe to
steal a tape reel which contained personal information about drivers registered in
that state. Considering that Departments of Motor Vehicles are some of the easiest
and safest of computer systems to hack into using social engineering, it was both
foolhardy and expensive to pay that much. My source of information on this case
does not mention whether or not the people who offered the bribe were
apprehended, but just the fact that we know about the bribe implies they were not
successful. (Or at the very least, that future attempts would be less likely to
succeed.) This is why you should hack if you can hack, and use other methods
("filthy tricks") only as a last resort - and then only to get into the computer, not as
payment for the information you seek.
Besides, with system access you can try-before-you-buy, and you will be sure to
get your money's worth, especially since once you have logged on, you can create
your own superuser account that the person you bribed doesn't know about.


Booze And Broads

Yes! It sounds like science fiction but it's true! There have been reported cases of
crackers gaining access to computers by supplying alcohol, drugs and even
prostitutes to the security personnel at a company. An article
by Douglas Waller in the May 4, 1992, issue of Newsweek reported that a Japanese
competitor to a "Midwestern heavy manufacturer" had outbid them one too many
times. Upon investigating, it was found "that the Japanese firm had recruited one of
the manufacturer's midlevel managers with a drug habit to pass along confidential
bidding information." This sort of dealing sounds risky to me, because who
knows what someone's liable to do once you've gotten them drunk or high? But
that's why I'm saying these are the "techniques" used by the computer illiterate.

Bad Feelings

This isn't exactly a dirty trick, but it feels like one. If you can manage to find
yourself a worker who feels maligned by the company, possibly one who is about to
leave, especially one with programming ability - then you've got it made. Play up
his or her bad feelings toward the company. Remind them how the company
screwed them, didn't recognize their good work, and continuously passed them
over. Without being specific, say you want to help them get revenge on the
company. Of course, a hacker does no such thing, but if you can incite the
disgruntled employee into action, he will get the blame for your own hackerish
misconduct. (I know, I'm cruel sometimes.) In any case, employees who are
moving on to greener pastures, or those who are disgusted with their bosses, are a
great source of inside information, including company lingo, phone directories,
procedures and policies and, of course, passwords. If your goal is to penetrate a
system run under top notch security, getting a friend on the inside may be your
only hope. But an ex-employee doesn't have to leave angry to be of use. Anytime
you hear of an employee either quitting or being fired there is the opportunity to
find out that blessed data. After all, computer accounts live on long after an
employee has left a company. Once someone has left the company, what does he
care whether you use his password or not?


Chapter Twelve:
What To Do When Inside


It seems straightforward enough. You're inside? Great! Take a look around! Of
course that is what you'll do in most cases, after getting into a system and patting
yourself on the back. But then what? To answer this we will have to begin with a
rethinking of our goals and morals.

Hacker Motivations Revisited


The true hacker is motivated by her or his desire to learn, to understand, to
cleverly and harmlessly outwit.
Others who use hacker techniques might do so because they have a desire to learn
about their competitor's secrets; to understand why they keep getting underbid
every time; or to cleverly outwit the company or individual who they feel owes
them something, and enact revenge upon them.
So let's see what we have here. There is the free-thinking, computer-enthusiast
hacker, the economic espionage hacker, the politico-espionage hacker, the out for
revenge cracker, and finally, the hacker for hire. Most often these assorted infiltrators
will have breached security with a low-level account. This is because accounts
with low security clearance are the most prevalent, and many hacker tricks focus on
the naive user who is more prone to having a low-level account.
The hacker for hire and the hacker spies will have target computers, perhaps even
specifically-targeted people in mind. They will want to go after either a particular
username/password combination, or any access big enough to allow covert entry
into their target's account.
Vandals and revenge hackers obviously would love to attain higher access than
what they came in on, but unless they are sufficiently skilled, they will probably opt
for the quick hit-and-run. That is, they will be content to break in under any
password, do whatever damage is possible, send some nasty e-mail, and leave.
Probably they will continue coming back over and over again until they are either
arrested or shut out for good. If these "hackers" do have targets in mind (like the
president of the company or whomever) they will most likely settle happily into
whatever lower-level role they find themselves in. If they have any skills or
computer know-how though, watch out.

The true hacker may or may not want to take the hack all the way to the top. He
or she may feel it is not worth the effort for the amount of work that seems
necessary to increase a low system access to a higher one. This isn't giving up, it's
being practical. If the knowledge to be gained seems minimal or available
elsewhere, there's no point in wasting time trying to get it. Or, the hacker may not
feel secure enough in his knowledge of the computer, its users, or operating
system to feel confident in his ability to achieve higher access. This is a valid
feeling, and an intelligent one; if the hacker realizes he is somehow ignorant, then
he can stop and do what is necessary to learn what he does not already know. If
something like this comes up it's probably only a matter of research to put the
hacker back on the track toward superuser status. As the hacker BrainMan put it: "I
know the computer will be there for a long time to come. I like hacking, but I also
like exploration. Sometimes I feel I'd rather wait for another day to do the
exploration, the bookwork or social engineering, that will get me into an account,
and I'd rather do some real exploration of a computer right now."

Besides increasing one's status in the system, a hacker has many options to choose
from once inside. A hacker may:

• Read the documents that are available, and run the programs.
• Download files.
• Notify the system administrator of the presence of a security problem.
• Learn about the computing environment.
• See if other computers may be contacted from this one.
• Cover his ass.

Or a hacker might simply log off and never return.
If you have managed to work your way into some data that you feel might have
market value, you might consider selling that data and thereby fund your next big
computer purchase. I recommend strongly against doing so. Becoming a spy -for
anyone -becomes a serious and dangerous business. It also helps to further
degrade the image of the hacker in the public's eye, and will serve only to make
matters worse for hackers in the long run -and you in the short run -if you are
caught.
Although most courts and CEOs would disagree, I personally believe that there is
no harm done in reading through whatever files are on a system, so long as no one
is hurt in the process. At least, I don't think reading private files is a crime any
worse than hacking one's way in, in the first place. You will have to construct your
own set of ethics to guide you; I sincerely hope those ethical constraints are based
firmly on the principles of the hacker ethic that both opens and closes this book.
Logging off and never returning is something the more fanatic and paranoid hackers
tend to do. It is akin to B & E without the E, and I can not see how they can
morally condone the "B" (breaking in) while shunning the "E" (entering). I suppose
the hackers who disconnect without system interaction do it either because all that
matters to them is getting in, or because they are intensely scared of discovery.
The other options I mentioned -increasing status, helping the sysops, and the
learning -all require different degrees of familiarity with the computer system you
have entered. Let us think about where you might find yourself, and what should
you do when there.
To begin with, the account you have hacked yourself in with can be a single user
account, a group account, root account, or "special account."
If it's a root account, congratulations! You now have the ability to do whatever you
want. The root account is held by the system administrator (or one of several
"sysadmins"). It may also be called by different names: avatar account, god
account, sysadmin, superuser, demigod account, sysop account, or admin. Or you
may never even know you've gotten into the root until you find you can do stuff
only the Computer Gods high upon Mount Input/Output should be able to do.
A "group account" is one used by many people. It might be a departmental or store
account, where everyone in a particular store or department can log in under the
same name/pass combo. Depending on the situation, those who are of a certain
rank or job may have their own shared account. For example, many companies
like to set up limited accounts for secretaries, typing pool or temps. Other group
accounts appear in places where terminals are available to a number of employees,
but where employees have differing levels of security clearance. Thus, all may be
able to search a database, but only those who log in with a certain password can
enter new data, or can change the way the database is structured.
"Special accounts" include guest or demo accounts that allow one to take a sneak
peek before subscribing to a service. They may be testing accounts put in by
system programmers. Special accounts may also take one directly to a program,
rather than logging you to an operating system prompt. Programs are set up this
way for tutorial purposes, to dispense information, or so access to a particular
application may be more freely available. If the account you've managed to hack is
a special account, you might have to break out of it illegally and enter the operating
system if you expect to increase your access level.


In any case, before any action can be taken you must understand what kind of
access you have, what privileges you're entitled to, and how they can be exploited
to your advantage. This may mean you'll need an intimate knowledge of the
machine and its software. Before we can proceed there's one teeny weeny concept
you must have full comprehension of. I've just mentioned it twice now -the
operating system.

Operating Systems

Okay, clear your mind of any thoughts you've ever had about computers. We're
going to start at the very beginning.
Let's say you had a computer that only did one thing. For instance, think of a coin
operated arcade game. That's a computer which plays but a single game. With a
one-game computer, as soon as you push the on switch, the game can start
running. After all, there's nothing else to do with the machine except play that
game.
Now let's add a second thing to our computer. Let's say, not only does the
computer play a game, it also does word processing. So we now have a two-task
computer.
What happens when we push the on switch? Does it go right to the game? It can't
-what if we wanted to do word processing? You see, now we have to make a
choice. When we turn on the computer, we now have to specify somehow whether
we want the game or word processing. How do we let the computer know where to
go?
Well, we could have two separate switches, meaning any time I press the left
switch, the game goes on and when I press the right switch, the word processor
goes on. That may be a good solution for a little while, but what if I want to add a
third thing to my computer? Or a fourth? Do I keep adding more switches?
What I do is, instead of adding hardware switches, I add a third program, a
software switch. The third program is called the operating system (or OS), and
when I push the computer's switch, the computer will automatically turn on the
operating system program.
The operating system is a program that lets me choose between the game or the
word processor. For example, when the operating system is started it may put a
prompt on the screen such as, "Which program?" to which I would reply, "Game" or
"Word Processor."
As you are well aware, this is basically what happens in real-world operating
systems. In the early days of computing, when computers didn't do much more
than run a few select programs, the controlling software was called "the monitor."
As computers became more complex, there came the need to control multiple
users, many peripherals, security, and an interlacing of program functionings. The
monitor grew to become an all-encompassing program which did a lot more than
just allowing the user to choose between a few programs. And so the term
"operating system" is now used to describe this complicated piece of software.
Operating systems control the functioning of the entire computer; they control how
resources will be allocated to the tasks at hand, how memory is used, which
programs are to be run and in what order. It is the absolute master-control
program; when you understand it, you have the understanding necessary to
master the computer.
Some operating systems you are most likely to run into are "UNIX," "MS-DOS" or
"PC-DOS" (on IBM compatibles), "PRIMOS," "RSTS" (on Digital Equipment
Corporation's PDP-11 minicomputers), and "VMS."

It is important to understand operating systems because:

1. If you don't know the commands and syntax that control the computer, you
won't be able to get the computer to do anything.

2. When you understand how an operating system works, you will be better able to
look for bugs in it. Bugs invariably lead to security loopholes, which lead to a
happier you.

3. You want to be familiar with the limitations of the operating system's security, so
that you can exploit those limitations.

4. When you know how an operating system works, you will know what the
computer's managers can do to trip you up, keep track of your whereabouts, and
keep you from coming back.

4. When you know how an operating system works, you will know what the
computer's managers can do to
trip you up, keep track of your whereabouts, and keep you from coming back.

All of this leads up to one big THEREFORE...
Therefore, if you want to be a REAL HACKER, you have to actually know something
about computers. If you want to control a computer, you have to know how to
tame the software which controls that computer; you have to understand very
fundamental things about its operating system.
Sure, a hacker may be able to get by using social methods and a tidbit of
programming here and there, but there is no escaping the fact that real hacking
requires real knowledge. And I'm talking about self-taught knowledge. You have to
go out and learn this stuff on your own.
Does this sound intimidating? Then maybe you don't have what it takes to be a
hacker. (Hey, I'm talking Big Manuals here: thousands of pages long, and written
in the ghastliest corporate/technical mumbo jumbo imaginable.)
Realistically, there is no way to make a 100% guarantee that a particular computer
system is safe from intruders. It is theoretically possible to break into any system.
A good hacker should be able to break into most systems. An even better one will
be able to get into all of them. And the absolute finest hacker will not only be able
to enter every computer he encounters, but will be able to do something
constructive once inside to make the trip worthwhile.
I mean, it's one thing to hack one's way into an on-line database. It's another
thing entirely to figure out how to alter records in that database, and to do so
without being caught.
If you want to have the ability to enter any system that you encounter and take
action once inside, then you must become knowledgeable about its OS. At the
simplest level that means knowing the basic commands that any user of the system
requires on a day-to-day basis to interact with files, to send and receive mail, and
to perform any needed action on the machine.
A hacker needs to know the obscure commands as well, and should also be familiar
with any files, software and directories commonly found on machines under that
OS. He needs to know how the manuals are structured and the "jargon" of the OS.
He needs to know who uses such an OS and how they use it. And he needs to
know the meanings of error messages.
But we still haven't gotten to the hard part yet. You see, all of the above is just the
tip of the iceberg. After all, all of this information is easily available from
standard sources such as manuals and design specification guides. What a hacker
needs to know about an OS is the secret stuff that doesn't come in the manuals, or
if it is printed there it is so technical and obscure that it is information decipherable
only by a select few. Those lists of "basic things a hacker should learn"
describe what the OS is and what it does. But a hacker, to effectively enter and
exploit any system he or she encounters, needs to know how the OS works, and
why it works as it does.
Operating systems are so huge that they can never be adequately checked to
ensure that every single bug has been worked out. They are sometimes altered to
include features or functions that a particular computer manager finds desirable,
but those alterations open up security holes. Sometimes multiple programmers
working on different parts of the system don't communicate about vital aspects
and so distant processes may explode if forced into contact. Additionally, the
software that is used may have been designed for the plain-Jane version of the OS
and so incompatibilities (and hence glitches) develop. Or two or more pieces of
software being used together may open up sources of insecurity.
The casual user is oblivious to all of these possible security breaches. A hacker
may be oblivious to them too, but if the hacker has a fundamental understanding of
the operating system which underlies all these sources of intrusion, then that
hacker will, with a bit of thought, realize where the traps are and how they can be
usefully manipulated.

Needless to say, this book is not going to suddenly turn into an explanation of the
technical aspects of every single operating system, and a true hacker wouldn't
want it to be. So, go out there and find some operating system you can get
acquainted with. Learn its basic commands, but then go a step beyond that and
learn how those commands were programmed. Figure out ways you could simulate
the command without typing it directly at the OS prompt. What happens to
memory when the command is executed? Are there ways to change memory?
These are the kinds of things that are important to a hacker who wants to
accomplish big dreams.
Examples of such techno-oriented hacker methods abound throughout the rest of
this chapter. The reason is simple and unavoidable: the best things in life are often
not free. You have to work hard if you want to do great and exciting things after
invading a system. Sure, you may find it convenient to learn certain things only as
the need arises, such as a particular shell programming language, or the way an
application works. But when you lack knowledge about underlying principles of the
operating system, you are hacking blindly; you are just as oblivious to the
exploitable faults and flaws of the system as any other user.
Let's get away from all this heady stuff for awhile and go back to the impetus for
this discussion of operating systems: After you get in, what the hell comes next?

Looking Around

What should you expect to find, once you've made it onto a system or network? A
whole lotta things!
There may be files to read, programs to run, or ways to move about from one
computer to another, or one network to another.
Try looking for backup files and files that have been automatically saved on a timed
basis. Some text editors leave behind files like this that are readable by anyone
who happens to pass by. If the sysadmin has been editing the password file, or
some other file containing sensitive data, you could be in luck. Electronic mail is
often not automatically deleted, and it accumulates in (perhaps hidden) files on
disks. Deleted files may not be deleted right away, but become hidden or moved to
a special directory.
See if you can find evidence of security logs. One of the most common errors for a
user to make while logging in is to type the password at the username prompt. If
you can find a readable security log it will often contain records of these login
errors. For example, if George Washington tries logging into his UNIX account with
his password, "cherrytree," but he types a little too fast, the following ensues:

WashingtonUs [Enter]
ername:cherrytree [Enter] Password:

George realizes he has messed up. He has typed his name before the login prompt,
and he has put his password (quite visibly) on the "Username:" line. He presses
Enter a few times to clear everything, but the damage is already done.
Somewhere in the administrative directories, there is a log file that reads:

Unsuccessful login of user cherrytree @ Tue, Mar 24, 1992, 14:16:03

Now you just have to go through the various users on the system until you find the
one who uses this password. (The lesson for whoever runs the system is the mirror
image: a failed-login record is only as harmless as its readers, and the "username"
in it has to be treated as a possible password the moment anyone but root can read
the file.)
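The record above, and what to do with it, as an added example written for this edition rather than taken from the book: a short Python triage script. It flags failed-login "usernames" that are not accounts on the system (those are almost always passwords typed at the wrong prompt) and pairs each with the account that logged in successfully right after it, which is the likeliest owner. That is the attacker's "go through the various users" step done in one pass, and it is also the list of passwords the administrator has to reset. The log lines and the account list are constructed, and the record layout and timestamp format are assumed from the line quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the record quoted above; not real data.
SAMPLE_LOG = """\
Unsuccessful login of user cherrytree @ Tue, Mar 24, 1992, 14:16:03
Successful login of user washington @ Tue, Mar 24, 1992, 14:16:20
Unsuccessful login of user jones @ Tue, Mar 24, 1992, 14:20:11
Successful login of user jones @ Tue, Mar 24, 1992, 14:20:30
Unsuccessful login of user Tr0ub4dor&3 @ Tue, Mar 24, 1992, 15:02:55
"""

# Constructed account list standing in for the system's password file.
KNOWN_USERS = {"root", "washington", "jones", "hjones"}

# Assumed record layout and timestamp format, taken from the quoted log line.
LINE_RE = re.compile(r"^(Unsuccessful|Successful) login of user (\S+) @ (.+)$")
TIME_FMT = "%a, %b %d, %Y, %H:%M:%S"


def parse_log(text):
    """Yield (succeeded, token, timestamp) for every line matching the layout."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (m.group(1) == "Successful", m.group(2),
                   datetime.strptime(m.group(3), TIME_FMT))


def suspect_password_leaks(text, known_users):
    """Failed logins whose 'username' is not an account on the system.

    A token like 'cherrytree' that nobody owns is almost certainly a password
    typed at the Username: prompt; treat it as compromised."""
    return [(tok, ts) for ok, tok, ts in parse_log(text)
            if not ok and tok not in known_users]


def attribute_leaks(text, known_users, window=timedelta(minutes=5)):
    """Map each leaked token to the first account that logged in successfully
    within `window` afterwards (the user who noticed the slip and retried),
    or None when nobody did."""
    events = list(parse_log(text))
    attributed = {}
    for tok, ts in suspect_password_leaks(text, known_users):
        owner = None
        for ok, user, when in events:
            if ok and ts < when <= ts + window:
                owner = user
                break
        attributed[tok] = owner
    return attributed


if __name__ == "__main__":
    for tok, owner in attribute_leaks(SAMPLE_LOG, KNOWN_USERS).items():
        print(f"leaked password {tok!r}: probably belongs to {owner or 'unknown'}")
```

On the sample, "cherrytree" is attributed to washington (he logged in 17 seconds later) and "Tr0ub4dor&3" stays unattributed; either way both strings are burned and the accounts using them need new passwords.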
Security logs may also keep track of files sent and received, errors resulting from
unauthorized commands, new accounts or new users being granted superuser
status.
Speaking of security, the first thing you should do any time you log in to an account
for the first time is try to get a sense of who this person is whose account you are
borrowing (assuming you don't already know). When you log on you will most
likely be greeted with a message telling you the last time that account had been
active, and possibly which location or server the user had contacted it through.
If the message tells you that the legitimate user logged in recently then you may
have a problem. Note the time of day the account was used and try to hack around
it. Try logging in two times simultaneously on two separate computers and see
what happens. Do you get an error message the second time? Is it possible to
detect the presence of another person using the account with you concurrently?
You want to know such things because you want to be able to deal with having the
account holder coincidentally log on at the same time as you.
Let's look at this first scenario. You are logged into the account... the actual user
tries logging in but gets a "User hjones already logged in on port 116" message.
You have no way of knowing that this has occurred, but you can prepare for its
eventuality by sending an e-mail message to the account, purportedly from the
system manager, and leave it unread. So if the legitimate account holder were to
log in she would find something like this waiting for her:

Message #01
From 1513 SuperUser
To ALLUSERS@calli.poo.n-til

Some faulty wiring has led to problems with several of our port connection verifier
circuits in the subchart group C of the local network system. If you receive a
message upon login that you are already logged on, please hang up and try again in
a few minutes.
We are sorry about this problem and we are doing what we can to correct it, but
this will take time. It was a matter of choosing between a bit of inconvenience for a
while, or shutting down the system entirely. I hope you will agree it is better to
have some bugs in the system than no system at all.
We expect the problem to be cleared up before March 3rd. Thanks for your
cooperation.

Often users will have personal history logs stored in their directory. There may be
history reports detailing command activity, newsgroup readership, file transfers or
files deleted. These can show you when and how the legitimate user is using the
system, and also the level of competence of the user.
If your account has been used very infrequently, then you know that the actual
account owner poses very little threat to you, although it also means the system
manager is now a threat, since he will suddenly see tons of activity from an account
that had never before been active.
On the other hand, if the account holder is in there night and day, you will have to
be more wary of him than of the sysop; after all, any hacking you do from that
account will get lost in the shuffle.

Commands To Look For And To Use

Most operating systems come with extensive online help. On UNIX, you can type
"man commandname" to see the manual page for a command. Also helpful is
"apropos", which will display a list of commands that are related to a given word.
For example, "apropos password" lists all the commands, programs and variables
that have something to do with passwords. You can then use "man
commandname" to find out what each one means.
On TOPS machines you can type "help" or "help commandname" for on-line
information.
Process commands tell you what is being done on the system and, generally, who is
doing it. UNIX lets you type "ps -ef" (or "ps aux" on BSD-derived systems) to see
how other people are using the computer. Using such commands will give you a
feel for what options are available to you. Also, it will show you which users have
access on other computers, if they are logged into them from the one you are on.
If you're extremely lucky you might even find an encryption key sitting in the list of
processes. If a person has typed something like "crypt key < filename", that entire
command, including the key, will appear in the listing. Unfortunately, the crypt
program acts to remove the key from the listing once it is activated, but there is a
brief period when the key is public data, there for all to see. A "daemon" program
could search for such occurrences (See glossary).
"Telnet" is a program that allows you to connect to other computers. Earlier it was
mentioned that the account you've entered is most likely a low-access account.
The reason a hacker bothers with regular user accounts in the first place is to give
him or her a safe place to do real hacking. From that account you can do all the
things you would never do from your legitimate account, like telnet to Pentagon
computers and start a brute force attack. UNIX also has a "cu" (Call Up) command
which allows the user to call up a specified phone number.
Calling one computer from another makes the hacker much harder to trace, since
every hop has to be unwound through a different administrator's logs. It also might
be the most practical solution to the problem of connecting to a certain computer,
since some computers can only be accessed through other networks.

File Transfer Protocol (FTP)

FTP is a program that allows users to copy files back and forth between two
computers, usually two computers connected via the Internet. Strictly BITNET
users will need to use e-mail instead of FTP to transfer files.
After typing "ftp" to start the program, one can input any computer address and try
to connect with it. A username and password will be asked for. Many sites offer an
anonymous FTP directory; users can log in with the username "anonymous" and
have access to all the text files and programs that the site administrator has made
available.
Often an anonymous FTP site is set up like a trading post. An incoming directory is
set up with anonymous write and execute permission, but usually not read
permission. Users can then upload files they want to share with others without
those others knowing the files are available. The system operator can evaluate the
files before making them publicly available.
One common security hole with anonymous FTP is that two auxiliary directories
called "etc" and "bin" are often owned by the FTP account. If this is the case, and if
they are not write protected, any user could upload their own malevolent versions
of system programs and batches. The ftp server runs the "ls" it finds in its own
"bin" directory to produce listings and reads its own "etc/passwd" for the names
shown in them, so both directories should be owned by root and unwritable by the
ftp account.

Fun'N Games

You might see Xtrek or Empire, or any number of on-line, multiuser games
available on the computers you crack, especially those at colleges. Because the
games are multiuser, passwords are required to access them, and it should be
noted that often the password-storing mechanism on the games is not as secure as
it should be; the passwords are sometimes placed in a plaintext file. We know that
people tend to use the same password wherever they go. Think about it.

The User Network

USENET is to local BBSs what the Taj Mahal is to anthills.

USENET is an Internet BBS that encompasses thousands of discussion groups and
millions of postings. On USENET, you don't just have a "computers" bulletin board,
you have boards talking about software, about hardware, viruses, hackers,
individual operating systems and printers and spreadsheets and ethics and... you
name it. Each topic area is called a newsgroup. There are groups engaging in talk
about music, cars, sex, SCUBA diving, crime, parachuting, television, books, bestiality,
flowers; it makes one dizzy to think about it all.
Some newsgroups are moderated. That is, some controlling organization edits the
postings or picks and chooses which messages will be given display time. Most
groups are an unmoderated free-for-all.
One accesses USENET by running a news program such as "readnews," "news," or
"nn." You can read the posted messages, or write one of your own. Messages are
sent out to all other participating sites worldwide, which means if you have a
question about anything, USENET offers a huge international forum through which
to find an answer.

Becoming A Superuser

Breaking into a system isn't worth anything if you find yourself in an empty home
directory with such a low access level that nothing fun is allowable. When you hack
into a low-level account belonging to a data entry clerk or some other restricted
user, you will want to raise your access to the highest it can go. This is
accomplished by doing research from the inside, spoofing, programming tricks, or
social engineering.
As far as research is concerned, you will want to look around the system you've just
penetrated and see what options are available to you. Read all files; run all
programs. Most technical hacks involve bugs in established software. Generally
this software is of a kind that interacts with other users' accounts in some way.
Thus mailing and "chatting" programs are susceptible, as well as text editors. If
you find a programming language of any kind you should be in Hacker's Heaven, as
there are hundreds of variations on programming tricks you can use while inside to
gain better access. Let's start with spoofing.

Spoofing

Spoofing usually refers to sending electronic mail in such a way that it looks like
someone else was the one who sent it. Spoofing can also refer to any act whereby
a hacker impersonates another user. Let's stick with the first, more common definition
for a while, and look at some ways in which spoofed e-mail can benefit the
low-level hacker who wants to make good for himself.
One prototypical scam is to spoof an e-mail letter from the system operator. Susie
User, a highly powerful person on the system, is on-line, going about her usual
business. She checks her mailbox and is surprised to find a letter has just been
mailed to her from the system administrator. The letter talks about how, because
of security breaches, they will now be issuing new passwords every six weeks.
"Your new password is D4YUL," says S.U.'s e-mail. "You can change it yourself with
the 'SET-PASS' command. Remember it! Don't reveal it to anybody! Computer
security is an important issue that can not be taken lightly!"
A few moments later you notice that Susie has issued a SET-PASS command, and a
few moments later you log on in her name, thus achieving her higher security
privileges. It works every time! The trick is, you have to know how to spoof to do
it.
Before you can spoof e-mail, you have to understand how such a thing is possible.
Now, if you've ever used any sort of electronic mail program, whether on a
mainframe or local BBS, you know that to send mail, the user enters basically three
pieces of information: destination, subject and the body of the letter. Some mail
programs allow further complexities, such as the inclusion of other text files or
programs, return receipts, etc., but let's just concern ourselves with the most
primitive of mailing programs, as those are the ones that get the most usage.

When you send electronic mail to another user, the computer automatically places a
heading on top of the letter, which identifies it as having come from you. To spoof
e-mail you will want to somehow change that heading, so it looks as though the
letter was written by the person in charge of the system.
Usually one sends mail by running a mail program. The mail program includes a
text editor and facilities to send mail to other users. But in many cases you don't
have to use a special mailing program to send mail. There is usually a fundamental
shell programming command that allows you to send text or a file, into a file on
another user's directory. This is what the mailing program does: it sends the text
of your message into a file called MAIL.TXT or something similar, and when Susie U.
executes her mail program, it will display the contents of the file MAIL.TXT.
As you can imagine, it is a simple task to open a text file, type in a header that
looks like a header from a superuser's letter, then add your own text to the bottom
of the file. Next you use the "send file" command to put this file into another user's
directory. Make sure the directory you put it in is one with higher access privileges
than your own!
Sometimes the operating system itself foils this scheme. For example, one of the
Internet protocols requires the two computers involved with the mail transfer to
compose the letter headers. To spoof on the Internet, one would connect to a host
through port 25, the port on which e-mail is transferred to a site (the protocol is
SMTP). Normally only two computers connect in this way; there may be security
safeguards in place, but if there are not, you can pretend to be a computer sending
the commands to generate an e-mail message. These include "MAIL FROM" and
"RCPT TO", which establish who the sender and recipient are. Nothing in the
protocol checks that the sender you name is really you, though the receiving host
will record the address it was actually talking to in a "Received:" line above the
message. Use "help" to get yourself through this.
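The port-25 exchange the paragraph describes, as an added example that is not from the book: a toy SMTP receiver and the forged session against it, both written here in Python. The hostnames, the addresses and the 10.0.0.7 origin are constructed. The receiver accepts any MAIL FROM, which is the weakness the text relies on, but it also stamps a Received: line naming the connecting host, as real mailers do; check_delivered() shows what the recipient can and cannot tell from the result.

```python
import re

# Constructed names; none of these hosts or addresses are real.
MAIL_HOST = "calli.example"
ATTACKER_IP = "10.0.0.7"


class ToySMTPServer:
    """Minimal SMTP receiver for the commands named in the text (HELO, MAIL FROM,
    RCPT TO, DATA, HELP, QUIT).  It takes whatever envelope sender it is given,
    as an unguarded mailer would, but, like every real mailer, it also stamps a
    Received: header naming the host that actually connected."""

    def __init__(self, hostname, peer_ip):
        self.hostname, self.peer_ip = hostname, peer_ip
        self.sender, self.rcpts, self.lines, self.in_data = None, [], [], False
        self.delivered = []          # accepted messages, as the mailbox will see them

    def feed(self, line):
        """Handle one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":          # end of message
                stamp = f"Received: from {self.peer_ip} by {self.hostname} with SMTP"
                self.delivered.append({"envelope_from": self.sender,
                                       "rcpts": list(self.rcpts),
                                       "text": stamp + "\n" + "\n".join(self.lines)})
                self.sender, self.rcpts, self.lines, self.in_data = None, [], [], False
                return "250 OK: queued"
            self.lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL":           # MAIL FROM:<addr>  -- nothing verifies addr
            self.sender = arg.split(":", 1)[1].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":           # RCPT TO:<addr>
            if self.sender is None:
                return "503 Bad sequence of commands"
            self.rcpts.append(arg.split(":", 1)[1].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "HELP":
            return "214 Commands: HELO MAIL RCPT DATA HELP QUIT"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


def spoof_session(server, forged_from, rcpt, subject, body):
    """Drive the forged exchange; returns the transcript with both sides' lines."""
    transcript = []

    def send(cmd):
        reply = server.feed(cmd)
        transcript.append("C: " + cmd)
        if reply is not None:
            transcript.append("S: " + reply)

    send("HELO borrowed-account.example")
    send(f"MAIL FROM:<{forged_from}>")
    send(f"RCPT TO:<{rcpt}>")
    send("DATA")
    for line in [f"From: System Administrator <{forged_from}>",
                 f"To: {rcpt}", f"Subject: {subject}", ""] + body:
        send(line)
    send(".")
    send("QUIT")
    return transcript


def check_delivered(msg):
    """What the recipient can check: envelope sender versus From: header (a careful
    forger makes these agree) and the origin recorded in the Received: line
    (which the forger cannot control)."""
    headers = msg["text"].partition("\n\n")[0]
    m = re.search(r"^From:.*?<?([^\s<>]+@[^\s<>]+)>?\s*$", headers, re.M)
    origin = re.search(r"^Received: from (\S+)", headers, re.M)
    header_from = m.group(1) if m else None
    return {"envelope_from": msg["envelope_from"], "header_from": header_from,
            "headers_agree": header_from == msg["envelope_from"],
            "origin": origin.group(1) if origin else None}


def run_demo():
    """The scam from the text: a forged 'new password' notice to a privileged user."""
    server = ToySMTPServer(MAIL_HOST, ATTACKER_IP)
    transcript = spoof_session(server, f"sysadmin@{MAIL_HOST}", f"susie@{MAIL_HOST}",
                               "New password policy",
                               ["Your new password is D4YUL.",
                                "Change it with SET-PASS and don't reveal it to anybody."])
    return transcript, check_delivered(server.delivered[0])
```

The forged message passes the envelope-versus-header comparison, because the forger wrote both; the one thing it cannot fake is the Received: line, which names the borrowed account's host rather than the administrator's. That line is what an administrator reads first when a user forwards a suspicious notice.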
Earlier I mentioned that spoofing is also considered to be any form of on-line
impersonation of another.
Many multi-user systems let users chat with each other by way of a command
called TALK or WRITE, or something similar. When you issue a TALK command, a
message appears on the recipient's screen, saying that you wish to talk. If the
other user wants to talk with you, he or she issues the TALK command also. Then
whatever you type appears on the other one's screen and vice versa. It may also
be possible to filter the contents of a file onto another's screen by way of a TALK
command. The hacking possibilities are endless!
One popular trick is to TALK a message like, "SYSTEM FAILURE. SHUT OFF YOUR
TERMINAL WITHOUT DISCONNECTING TO PREVENT FURTHER DAMAGE.
SYSADMIN," onto another person's screen. When they hang up, you piggyback a
ride on their account.
As with e-mail spoofs, you can't actually use the TALK command to put text on
another user's screen. You have to go into the source code of the TALK program,
see how it writes to another screen, and use those commands. This bypasses the
safety features inherent in the TALK command. (If you use the actual TALK
command to send this sample error message, the other party will see that it's you
sending the message, not the Sysadmin. You have to emulate the TALK header
which announces the name of the user sending text. You also want to go down to
the fundamental "send text" statements because you don't want the user to have
the option of not talking with you.) All of this only works while the victim's terminal
device is writable by other users, which is exactly what "mesg n" turns off.
It's a recognized fact that spoofing accounts for a good majority of system security
failings, mainly because they're so easy to do once you've gotten on-line and taken
a look at the software source codes and manuals. Another trick relies on TALKing
a message that an intelligent terminal will understand. When you use a TALK
command you aren't putting words into the OS prompt's mouth; the OS is simply
putting what you type onto the remote terminal's screen. One way to get around
that depends on the remote hardware. Some intelligent terminals have a Send or
Enter escape sequence that tells the terminal to send the current line to the
system as if the user had typed it in from the keyboard. You can use TALK to send
a message that contains a suitable escape sequence to do naughty things like
e-mail confidential documents back to you and the like. (This is why the BSD
"write" command renders control characters visibly instead of passing them
through, and why anything that can put raw bytes on your terminal, a "cat" of a
stranger's file included, deserves the same suspicion.)
Not only e-mail and TALK, but other commands are also known to be rife with ways
they can be misused to a hacker's benefit. Anytime you come across a command
which allows interaction with another terminal, study it closely to see how it can be
manipulated.
Look at programs, too, to see if they can be used to communicate out of your own
directory. The GNU Emacs text editor (used on UNIX computers) allows you to
save the file you are working on into another person's directory, if that directory is
writable by you. If you happened to name that file ".login" (under UNIX, ".login" is
the batch file the C shell executes once a user logs into his or her account; the
Bourne shell reads ".profile" instead) then whenever that user logged on, that
".login" batch would execute. And if part of that ".login" included mailing the user's
secret stuff to your account, so much the better.

Cryptography And DES

Reverting to old tricks, brute force attacks can allow you to decrypt password files
on your own time, on your own terms. Even with your meager account you should
be able to copy an encrypted password file off a machine you've hacked and onto a
safer one. At the very least, you should be able to view the contents of a password
file, even though the passwords in it are encrypted.
Then you compile a copy of the password-encrypting routine, altering it so it will
read in a word from a specially-prepared dictionary file, encrypt it the same way
the system does, and compare the result against every entry in the file. UNIX
source code listings are available for every facet of the OS. Even if you can't get a
copy of the routine the computer uses to encode the password (and other) files,
you can still go to the manual, see which encryption algorithm is used, and write a
program yourself that follows that algorithm. Running a dictionary against a copied
password file is much faster than guessing at the login prompt, because nothing
logs or rate-limits you. Soon you should have found a word that produces the same
result, and with any luck it will be the superuser's password!
Brute force may not always be a necessity. There is reportedly a well-known
inversion to the encryption algorithm used on certain OSs, including older versions
of VMS. Sorry to say, I don't know exactly what this inversion method is. I do
know there are ways to algorithmically reverse the effects of a "crypt" command in
UNIX. That command uses a rotor machine patterned on the World War II Enigma,
which was devious for its time but yields to known-plaintext analysis on ordinary
hardware; programs that do exactly this have circulated since the mid-1980s. Sure,
it still takes a while to do the inversion, but it is possible to do it if you have a
computer with enough horsepower.
However, the crypt command isn't used all that much because everyone knows how
vulnerable it is. Mostly "crypt" is left around for sentimental reasons. The
algorithm most often used to encode passwords is a modified version of the federal
Data Encryption Standard (DES). The UNIX variation of DES is deliberately altered
so that off-the-shelf DES hardware cannot be used to speed up a brute force
search; its other defence is a per-password "salt". How does it hinder brute force
attacks?

As we all know, UNIX password files are openly available for anyone to read, copy,
or print out (at least on systems without a "shadow" password file, which moves the
encrypted passwords into a second file that only root can read; look for one before
you celebrate), but the passwords themselves are stored in an encrypted form. Well,
that's not exactly right. The password file actually does NOT contain any passwords
at all. What happens is, when a user sets a password, UNIX uses the first eight
characters of the password as a DES key to encrypt a block of zeros, 25 times
over. A two-character "salt," picked at random when the password is set and stored
in the clear at the front of the result, perturbs the algorithm so that the same
password comes out as one of 4,096 different strings. That salt is what hurts the
attacker: a dictionary can't be encrypted once and compared against everyone, it
has to be redone for each distinct salt, and a table computed in advance would
have to be 4,096 times bigger. The eight-character limit is the other fact worth
remembering: "cherrytree" and "cherrytr" are the same password to this scheme.
Another reason why DES was chosen to encrypt passwords is that when the DES
algorithm is implemented in software form, it is slow. This means it will take more
time to run a brute force attack.
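The scheme just described, as an added example that is not from the book: a toy version of the password-file dictionary attack in Python. One substitution is made and should be kept in mind: the real crypt(3) is 25 rounds of salt-modified DES, and SHA-256 stands in for it here only so the block runs anywhere without a DES library; the salt handling and the eight-character truncation are modelled as described above. The password file, its salts and the word list are constructed for the example and contain no real credentials.

```python
import hashlib


def toy_crypt(password, salt):
    """Stand-in for crypt(3): salted, one-way, and only the first eight characters
    of the password count.  The real routine encrypts a zero block with 25 rounds
    of DES perturbed by the salt; SHA-256 plays that role here (an assumption
    made so the example runs anywhere), but the structure is the same."""
    key = password[:8]                            # DES-crypt truncation
    digest = hashlib.sha256((salt + key).encode()).hexdigest()
    return salt + digest[:11]                     # 2-char salt in the clear, then the hash


# Constructed password file entries (user:hash).  Two users share a salt, which
# happens 1 time in 4096 and lets one computation serve both of them.
_SECRETS = {"root": ("Ab", "wombat7"), "susie": ("7q", "D4YUL"),
            "washington": ("Ab", "cherrytree"), "clerk": ("x9", "zebra-99")}
PASSWD_LINES = [f"{user}:{toy_crypt(pw, salt)}" for user, (salt, pw) in _SECRETS.items()]

# Constructed "specially-prepared dictionary file".
WORDLIST = ["password", "cherrytr", "letmein", "D4YUL", "wombat7", "secret"]


def crack(passwd_lines, wordlist):
    """Offline dictionary attack against salted hashes.

    Each word is hashed once per *distinct salt* in the file and the result is
    looked up against every entry carrying that salt.  Returns
    ({user: recovered_password}, number_of_hash_operations); without a salt
    the work would be len(wordlist) and the whole table could be precomputed."""
    by_hash = {}
    for line in passwd_lines:
        user, h = line.split(":", 1)
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for salt in sorted({h[:2] for h in by_hash}):
        for word in wordlist:
            work += 1
            for user in by_hash.get(toy_crypt(word, salt), []):
                found[user] = word
    return found, work


if __name__ == "__main__":
    found, work = crack(PASSWD_LINES, WORDLIST)
    print(f"{work} hash operations, recovered: {found}")
```

Three of the four accounts fall to a six-word list in 18 hash operations (three salts times six words); "clerk" survives only because "zebra-99" is not in the list. Washington's "cherrytree" is recovered as "cherrytr", which logs in just as well, and the same word under two salts produces two unrelated hashes, which is why the dictionary has to be rerun per salt.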
Staying with this topic a bit, it's unsettling to note that the Data Encryption
Standard also may not be as secure as it was once believed to be. DES was based
on a cipher called Lucifer, developed at IBM in the early 1970s and submitted in
answer to the National Bureau of Standards' 1973 call for a national encryption
standard. Before being released as the USA's official (standard) code, the
top-secret National Security Agency had its say in the matter, shortening the key
(Lucifer used 128 bits; DES uses 56) and keeping the design rationale for the
substitution boxes under wraps. This looked mighty suspicious! Why would the NSA
go out of its way to proclaim the code secure while simultaneously making it less
secure? Critics warned that a back door had probably been built into the system.
In the early 1990s two Israeli cryptographers, Eli Biham and Adi Shamir, published
differential cryptanalysis, the first attack on the full DES that costs less than trying
every key. It is a chosen-plaintext attack: if the attacker can get enough messages
of his own choosing encrypted under the same key (on the order of 2^47 of them),
statistical analysis of the ciphertexts recovers the key, after which anything else
encrypted under that key can be read. The data requirement keeps it out of reach
in practice; the short key, not the substitution boxes, is what actually makes DES
breakable today.
In any case, it is well known that much better codes have been produced since the
1970s.
Some systems make it difficult to brute force the plaintext out of an encrypted file,
because the encryption key supplied by the user is not what encodes the text.
Rather, it is used to encode some random sequence of characters. Those
characters encode the text. (That makes changing the user's key cheap, since only
the wrapped key has to be re-encrypted, but it does not by itself stop anyone from
guessing the user's key, which is the weak link either way.)
You don't have to be smart to be a hacker, you just have to be clever. But to crack
data encryption algorithms you must be clever, smart and mathematically-inclined.
Lucky for us people who don't have calculators for brains, there are so many other
ways to read encrypted files than by breaking the code! I'll stick with Van Eck and
his cronies, thank you.

Bit By Bit

Let's say you find yourself in some rinky-dink little account one evening, with just
about zero access to anything interesting. On this hypothetical system you are
able to read the passwords file, but of course to change it is out of the question.
You can see that your account's password has been encrypted (in the file) as
"fg(kk3j2." If you had the ability to load the password file into a text editor, you
could replace the sysadmin's encrypted password with yours ("fg(kk3j2"), then save
the file. Well, naturally you can't do that. You could get as far as loading the file
into a text editor and changing it, but to save it like that is impossible without
superuser status. Or is it?
The system security may be such that it only makes validation checks at the
highest level of interaction. So the high level commands to delete, move, execute,
or alter files are disallowed if the user does not have a certain security clearance;
the actual machine level commands to move the read/write head to a particular
location, let's say, may not be halted in the least. If this were true for the whole
available storage arena, every file could be completely read or rewritten bit by bit.
If programming or disk maintenance software is available to you on-line, you
might then be able to use it to alter individual storage locations, to change the
system administrator's encrypted password to your own. (On UNIX the whole
question comes down to the permissions on the raw disk device files: if any of
them is readable by ordinary users, every file on that disk can be read regardless
of its own mode, and if one is writable, rewritten. Checking those modes is a
two-minute audit for the administrator.)
On the other hand, you might find that security prevents even low level instructions
from being performed. Don't give up too soon! It may be that only parts of the
storage arena have been protected, while others, due to forgetfulness, bugs,
impossibility or impracticality, have been left unsecure. If so, you may not be
able to change the passwords file, but perhaps it would be possible to move files to
another user's private directory, or to change files that are already there. This
opens up a whole world of possible Trojan horses and back doors.
If security seems to prevent all illegal access from taking place, perhaps it is
possible to trick a process with superuser security clearance into doing the work for
you. A simple program, such as a game, could be written, containing instructions
to secretly alter passwords. Compile and save the program, making access to it
available only to superusers. Then move the file into a public directory. Eventually
some superuser will come along and execute it, thus enacting the portions of your
program which, if you had run them yourself, would have resulted in error
messages and perhaps a few more ticks on the security log.

Program Employment

Most programs that are employed by hackers are of the Trojan horse variety. And
the classic Trojan horse example is one which uses the faults of others to achieve
its goal. Generally this means using undisciplined PATH commands.
Most modem operating systems allow you to arrange your files in an organized
fashion by the use of directories and subdirectories. This makes finding where you
left a file easy, but it causes problems when you get sick of typing in long
pathnames to change from one directory to an-other.
The solution is in PATH commands. A PATH command says to the OS, "if you don't
find that file in the current directory, look over there... Thenlook there.... And
there." In other words, you specify a path which the OS can follow to find files.
That way you don't have to be in a file's directory to ac-cess that file.
PATH commands are usually put into batch files which are run at login. They are
especially used on big machines which contain lots of files and tons of directories.
In those cases, especially if the user is a maintenance operator and needs access
all over the place, there might be a lot of directories specified in the PATH.
Sloppy search paths, especially ones which look at all or most of the directories on a
system, are of extreme importance to the hacker. The hacker starts by rewriting a
program that gets used often and putting a Trojan horse into it. The program is
then put into a directory that is likely to be in a superuser's path. A privileged
user or program, such as a superuser shell script, may innocently chance upon, let's
say, your "date" program instead of the "official" version stored in the OS
directory. It is accessed, and your hidden code does its thing.
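The defender's counterpart to the sloppy-PATH problem is to audit the search path itself. This is an added example, not code from the book: it flags empty, relative, writable and out-of-order entries in a PATH string and shows which copy of a command would actually be run; the list of trusted directories is an assumption.

```python
import os
import stat

# Added example, not from the book. The "trusted" prefixes are an assumption;
# adjust them for the system being audited.
TRUSTED_PREFIXES = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def _is_trusted(entry):
    return any(entry == p or entry.startswith(p + "/") for p in TRUSTED_PREFIXES)


def audit_search_path(path_value):
    """Return (entry, problem) pairs for the risky entries in a PATH string.

    The checks mirror the sloppy-search-path problem described above: an
    entry anyone can write to, an entry meaning "wherever I am standing", or
    a user-writable entry searched before the system directories lets a
    planted 'date' win over the real one.
    """
    findings = []
    trusted_seen = False
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry searches the current directory"))
            continue
        if entry == "." or not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves wherever the user stands"))
            continue
        if _is_trusted(entry):
            trusted_seen = True
        if not os.path.isdir(entry):
            findings.append((entry, "missing directory: could be created and filled later"))
            continue
        mode = os.stat(entry).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((entry, "world-writable without sticky bit"))
        elif mode & stat.S_IWGRP:
            findings.append((entry, "group-writable"))
        if not trusted_seen and os.access(entry, os.W_OK):
            findings.append((entry, "writable and searched before the system directories"))
    return findings


def resolve_command(name, path_value):
    """Return every executable called `name` along the path, in search order.

    The first hit is what the shell would run; later ones are shadowed by it.
    A first hit outside TRUSTED_PREFIXES is exactly the "date" substitution
    the text describes.
    """
    hits = []
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def main():
    path_value = os.environ.get("PATH", "")
    for entry, problem in audit_search_path(path_value):
        print("PATH entry %r: %s" % (entry, problem))
    for name in ("date", "ls", "sh"):
        hits = resolve_command(name, path_value)
        if hits and not _is_trusted(os.path.dirname(hits[0])):
            print("%s resolves to %s (shadows %s)" % (name, hits[0], hits[1:]))


if __name__ == "__main__":
    main()
```

Run it from an administrator's own login to see what a superuser shell script would actually pick up for each common command name.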
Trojan horses can do a lot of things. They can collect passwords, simulate login
prompts (also, think about Trojan horses in terms of the multi-user games discussed
earlier: obtaining those passwords, etc.), remove read/write protection from files,
or fake system crashes (and when the user shuts off his terminal and walks away, you
type in the secret control code which causes the Trojan horse to uncrash back to the
user's account). Trojan horses should definitely make up the majority of a hacker's
tool kit. But there is another, different means of gaining higher access by employing
programs, and that is with the use of computer viruses.

Viruses

A virus is born from the cross breeding of three other families of programs: the
Trojan horse, the worm, and the logic bomb.
A logic bomb is a piece of code hidden within a larger program. Usually it is no
more than a simple IF/THEN statement. IF such-and-such is true, THEN do
something. Judging by the name, logic bomb, you can guess what that "something"
usually entails.
The classic example of a logic bomb being put to use is when a system programmer
is fired for inadequate job performance, or for some other humiliating reason. A
few days after he walks away, the head honchos at the firm get a message from the
programmer: "Pay me X thousand dollars before July 31st and I'll tell you how to
save your software and records from total annihilation." The programmer has, you
see, implanted a logic bomb that will detonate at that certain date.
A worm is a program with one purpose: to replicate itself. All it does is look at its
environment, see where it can make a copy of itself, and it does so. Then there are
two copies of the worm. Each of those reproduces, and there are four. Four quickly
become eight, and so on. Soon an entire computer or network is clogged with
hundreds or even thousands of unstoppable reproduction machines.
Then there's the virus. A virus comes from the mating of these two other breeds.
When a worm takes on a logic bomb aspect to it, you get a program that will
replicate as much as it can, and then explode when "something" happens. The whole
thing hides itself within an application program, as a Trojan horse.
Logic bombs are dangerous, but at least they are contained. Worms and viruses on
the other hand, are unpredictable. Therefore, I say a true hacker will never release
a worm, because they are too destructive with no purpose. A true hacker may
release a virus if it can move harmlessly throughout a system, erasing itself as it
goes, making sure it never backtracks to where it's been before.
A virus can be programmed to e-mail passwords to a specific address, or it can be
used as a battering ram to brute force new passageways into computer systems.
There are lots of ways in which hackers can use viruses, but it is difficult to use
them safely.
There have been rumors of a microcomputer virus which, if it exists, would gladden
the heart of many a hacker. The virus is called the AT&Tack Virus. Once it copies
itself onto a computer, it tries to find a Hayes brand or compatible modem. If one
exists, it silences the modem's speaker and dials a preprogrammed number.
Apparently then whoever is at the telephone number it calls has remote access to
your computer.
To me, this seems like nothing more than a rumor. Indeed, as of this writing none
of the commercially available virus detection software makes any mention of an
AT&Tack Virus. Besides, it seems to me this sort of thing would work better as a
Trojan horse in a graphics display program, rather than as a virus.

Covert Channels


One of the fun things about using Trojan horses and viruses is the designing of
covert channels to get the data they collect back to you in some readable form.
Consider a virus that attaches itself to the login program and thus collects
passwords. It does no good to have this virus halfway across the world with no way
to get back that list of passwords it is reaping. One method has already been
mentioned: the virus can periodically e-mail you a list of passwords. Take heed not
to have that e-mail sent to any account where you can be identified.
It would also be a good idea to encrypt the mail before it is sent. One problem with
encryption is that a key is required. Anyone finding your virus or Trojan horse will
easily figure out what the key is and be able to interpret e-mail or temporary files
that the virus/Trojan horse produces. So you have to encrypt the key... which
requires another key... which means more hiding needs to be done... another
key.... Well, this could go on forever. Make the best of the situation.
If you're going to be encrypting anyway it may be easier to have your virus or
Trojan horse send the encoded data to an unmoderated newsgroup. Disadvantage:
You have to spoof the post, or someone may notice that this user (who is
unknowingly activating your virus or Trojan horse) is posting a lot of "garbage" to
the group.
You may also have the encrypted file uploaded to the incoming directory of an
anonymous FTP site somewhere. Make certain files can be downloaded from that
directory, because as mentioned earlier, often the ability to download from such
directories is turned off for security reasons.
To send short messages (like a single password) you may have your rogue program
rename a world-changeable file to that message. By "world-changeable," I am referring
to the security protections placed on that file - set it to very low protection, so
that anyone can change its attributes. Your Trojan horse/virus will come into your
directory under the disguise of various users from all around the network, and
attempt to rename that file to that message. You don't want your Trojan horse/virus
to generate an error message. (You can set up a process to constantly run in the
background, monitoring the state of that file. As the file's name changes, the
background process stores the new name, then gives the file its original name, thus
allowing another copy of your Trojan horse or virus the opportunity to send its
message.)
(Normally a Trojan horse or virus would send back to you three pieces of information:
username, password, and the address of the computer where that username/password was
valid. However, if you targeted a specific individual by giving that individual sole
access to your Trojan horse, then only a password would be needed.
Of course, viruses and Trojan horses don't have to be messengers for only password
information. You may be a hacker, but you may also be a spy, a crasher, or
who-knows-what-else. As far as I know, the information you need covertly passed back
to you could be virtually anything.)
Other short messages can be sent a bit at a time. For example, the existence of file
X in a certain directory means that your rogue program is sending the digit one. If
the directory is empty, the file deleted, a zero bit is being transmitted. A
background process is running in your home directory to monitor the appearance
and disappearance of that file. When enough zeros and ones accumulate, the
program translates them into a character of the message.


The extended ASCII code uses eight bits to define a character. For instance,
01000001 represents the capital letter A. 01000010 is B, and so forth. For your
virus or Trojan horse to send an eight character password, 64 deletions and
creations of file X would be needed. Those bits would be sent one at a time,
whenever the rogue program had the opportunity to do so unnoticed.
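Seen from the defender's side, the file-existence channel just described has a distinctive footprint: one file in a home directory is created and deleted over and over, each copy living only a few seconds. This added example (not from the book) parses a constructed audit log in a made-up "timestamp op path" format and flags files that behave that way.

```python
import re
from collections import defaultdict

# Added example, not from the book. The log format is constructed for this
# demonstration: "<unix-seconds> <create|delete> <path>", one event per line.
EVENT_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<op>create|delete)\s+(?P<path>\S+)$")


def parse_events(lines):
    """Parse log lines into (timestamp, op, path) tuples, oldest first."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group("ts")), m.group("op"), m.group("path")))
    events.sort()
    return events


def file_churn(events):
    """Per path: completed create->delete cycles and how long each copy lived.

    Returns {path: (cycles, lifetimes)}; lifetimes are seconds between each
    create and the delete that followed it. Deletes with no matching create
    are ignored.
    """
    open_since = {}
    stats = defaultdict(lambda: [0, []])
    for ts, op, path in events:
        if op == "create":
            open_since[path] = ts
        elif op == "delete" and path in open_since:
            stats[path][0] += 1
            stats[path][1].append(ts - open_since.pop(path))
    return {path: (cycles, lifetimes) for path, (cycles, lifetimes) in stats.items()}


def flag_bit_channels(events, min_cycles=8, max_lifetime=600):
    """Return paths that look like a file-existence signalling channel.

    A file created and removed at least min_cycles times, every copy living
    no longer than max_lifetime seconds, behaves like the "file X means a
    one bit" scheme above rather than like a working file. One eight-letter
    password needs up to 64 flips, so a low threshold still catches a
    single leaked credential.
    """
    flagged = []
    for path, (cycles, lifetimes) in file_churn(events).items():
        if cycles >= min_cycles and max(lifetimes) <= max_lifetime:
            flagged.append(path)
    return sorted(flagged)


def constructed_sample():
    """Constructed log: an editor's scratch file twice, plus one toggled file."""
    lines = [
        "1700000000 create /home/mallory/.story.swp",
        "1700000090 delete /home/mallory/.story.swp",
        "1700003600 create /home/mallory/.story.swp",
        "1700003700 delete /home/mallory/.story.swp",
    ]
    t = 1700000100
    for _ in range(12):  # twelve one-bits, each a create/delete pair
        lines.append("%d create /home/mallory/X" % t)
        lines.append("%d delete /home/mallory/X" % (t + 30))
        t += 120
    return lines


if __name__ == "__main__":
    sample = parse_events(constructed_sample())
    for path, (cycles, lifetimes) in sorted(file_churn(sample).items()):
        print("%s: %d cycles, longest life %ds" % (path, cycles, max(lifetimes)))
    print("suspected channels:", flag_bit_channels(sample))
```

The same churn statistics also expose the rename variant, since a file that keeps changing name shows up as a stream of short-lived names in whatever log records renames.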

Get Out Of Jail Free

Okay, all of that is fine if you've broken in by discovering someone's username and
password but what if the only access you've found to a machine is that of a
command account or information setup? Then you have to see what can be done to
break out of this jail of a program and get down to the level of the operating
system. Probably this will be difficult to do. It will be less so if you've done any
serious programming in the past.
As a programmer, you know what kind of bugs and errors crop up, and what kinds
of things to look for to make them appear. If you're stuck in an account that runs
an info program, let's say, you will want to try every unconventional, unexpected
thing you can think of, in the hopes that you'll find something the programmer
didn't think to guard against. Then hopefully you'll get an error message and
crash out to the OS prompt.
Things to try:
Give bad, inappropriate, unrequested, or extremely long input to prompts,
especially alphabetic answers to numeric questions. Or when asked to supply a
number, that will be analyzed by a function, try an incredibly small or large one.
Try responding with break signals, either Control-Z, Control-C, or possibly
Control-P. Try executing "Find" commands that will search out of bounds of available
resources, or that will look beyond the alphabet. See if it's possible to set up
programs for nonexistent hardware or memory capabilities.
If there is any sort of text editing facility, such as a program to send mail to sysops,
do what you can to compose a batch file, and see if it's possible to send your
message as a command that must be executed. Also with text editors, try to
compose excessively long letters. If the editor has special text revision functions,
write up a huge paragraph then cut and paste a copy underneath it. Then cut and
paste those two paragraphs underneath, etc., until the program either crashes or
doesn't allow you to continue. If the latter, see what happens when you try saving
or sending the whole mess.
You may be in a program that is made to look like a simple operating system or
control program, essentially a menu with the list of options either unavailable, or
callable with a HELP command. Thus, you're given a prompt and asked to enter a
command. Some application commands allow appending to them the name of a file
on which you intend to work. For instance, to edit STORY.DOC with a word
processor, you might type the command "WORDPROC STORY.DOC", to run the
word processor with STORY.DOC already loaded in it. On an on-line system, try to
crash a program that allows such execution by giving it too much data ("WORDPROC
STORY.DOC FILEONE FILETWO...") or by giving it inappropriate data. Some
examples:

WORDPROC WORDPROC
WORDPROC \directoryname
WORDPROC nonexistent-filename
WORDPROC /etc/date [or other command]

The "inappropriate data" tactic has been used successfully in the recent past.
Another bug that's been exploited is excess command stacking. Command stacking
is the placing of multiple commands on one line. Commands may be separated
with spaces, semicolons, slashes, or a number of other punctuation symbols. The
parser which interprets the stacked commands may break down if too many
commands are given it. The line editor may not allow you to enter so many lines
that this occurs, but through programming tricks you can probably get an unwieldy
stack of commands sent as though from the keyboard.
If there is a language or compiler available, then it should be possible to POKE
some values into places that would be better left unprodded. Alternatively, you
might find yourself able to compile code into specific areas of memory, overwriting
the code which is impeding your progress. Or your code might cause the program
to jump to a new location, where further instructions can be carried out.
Finally, see if you can load a program into a mail writer or other editor, or into a
superzap program, and alter it so that when it runs, it will crash.
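Everything listed above (a filename that is really a command, stacked commands, oversized input, odd characters, break signals) is exactly what a captive menu program has to refuse. This added example, not from the book, shows the weak form beside a hardened command handler for such a menu; "wordproc" is a placeholder editor name and the command set is made up.

```python
import os
import re
import subprocess

# Added example, not from the book. EDITOR and COMMANDS are placeholders.
EDITOR = ["wordproc"]
COMMANDS = {"EDIT": 1, "HELP": 0, "QUIT": 0}  # verb -> required argument count
MAX_LINE = 256
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def run_edit_unsafe(argument):
    """The weak form: the argument is spliced into a shell command line, so
    "STORY.DOC; id" or "/etc/date" reaches the shell exactly as typed."""
    return os.system("wordproc " + argument)


def validate_filename(name):
    """Return None if `name` is a plain file name, else the reason it is not."""
    if len(name) > 64:
        return "name too long"
    if "/" in name or "\\" in name or ".." in name:
        return "path separators are not allowed"
    if name.startswith("-"):
        return "name looks like an option"
    if not NAME_RE.match(name):
        return "name contains unexpected characters"
    return None


def plan_command(line, workdir):
    """Turn one menu line into an action without any shell interpretation.

    Returns ("reject", reason), ("text", message), ("exec", argv) or
    ("quit", None). Oversized lines, control characters, wrong argument
    counts and stacked commands are all rejected before anything runs.
    """
    if len(line) > MAX_LINE:
        return "reject", "line too long"
    if any(ord(ch) < 32 or ch == "\x7f" for ch in line):
        return "reject", "control characters in input"
    parts = line.split()
    if not parts:
        return "reject", "empty command"
    verb, args = parts[0].upper(), parts[1:]
    if verb not in COMMANDS:
        return "reject", "unknown command"
    if len(args) != COMMANDS[verb]:
        return "reject", "wrong number of arguments"
    if verb == "HELP":
        return "text", "commands: " + " ".join(sorted(COMMANDS))
    if verb == "QUIT":
        return "quit", None
    problem = validate_filename(args[0])
    if problem:
        return "reject", problem
    # argv list, no shell: the name is one argument, and "--" ends option parsing
    return "exec", EDITOR + ["--", os.path.join(workdir, args[0])]


def main():
    workdir = os.path.expanduser("~")
    while True:
        try:
            line = input("> ")
        except KeyboardInterrupt:
            print()   # a break signal stays inside the menu
            continue
        except EOFError:
            break     # end of input means logout, never a shell prompt
        status, detail = plan_command(line, workdir)
        if status == "quit":
            break
        if status == "exec":
            subprocess.run(detail, check=False)
        else:
            print(detail)


if __name__ == "__main__":
    main()
```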
Bugs in software are most likely to occur if the software in question:

• Is new (i.e., version one or thereabouts, or being Beta tested).
• Was hastily slapped together to make some fast money or to comply with the
advertisements or demands.
• Has remained the same for years despite hardware or other changes.
• Is being renovated.
• Is not commercially available.
When you're hopping around on the networks you encounter, stop and read the
notes that accompany new versions of old software. These will generally list, not
just the improvements made, but sometimes the reasons for the improvements
(i.e., if there was an exploitable bug in the earlier version). By the time you read
the upgrade note, most sites will probably have already upgraded to the new
version, but given the tremendous number of computers running today, more than
a few won't have heard that a new version of their software has been released.

Returning To The Scene

The prudent hacker will build himself or herself a trap door to allow easy entry if
further penetrations are required. Mainly this means setting up a dummy account
to use in successive hacks. After all, there is no guarantee that the account you
used the first time will still be valid the next time you login, or that the password or
some other critical item won't have been changed, barring your entrance. If you
have gained access not through a password, but through some fluke hidden
command or technical means, you will definitely want to add a trap door just so you
don't have to go through all that rigmarole the next time you want to get in.
On many operating systems, programs can be set to run even after the user has
logged off. Sometimes the program can be put on a timer, to begin execution at a
specified future time. Writing a suitable program and then running it under one of
these commands can make your return easier to accomplish.

Mission Accomplished... Almost!

Hey! Look at what you've done!


You've done your research, found your computer, broken in, and now, you've
dabbled around inside. These four components are what hacking is all about. This
is what it means to be a hacker.
But there is also a fifth level of hacking to consider.
These first four parts had to be done in linear order, one following the other. The
final part is really not final at all. It is something you should be doing from the very
beginning, thinking about every step of the way.
Because you see, this thing you've done, this hacking, is illegal. And so you must
protect yourself.
So now let's look at what exactly it is about hacking that our society considers
wrong. Then we will see how we can keep on hacking forever unscathed. Finally,
we will tie up loose ends and look ahead to your future as a hacker.




Part Three
AFTER HACK



Chapter Thirteen:
This Lawful Land


There are lots of fraud investigators, special agents, Secret Service people, FBI
guys and all manner of local, state and federal enforcement officials roaming around
cyberspace, waiting to trip you up. There are also private citizens who love hacking
but don't love the idea of being criminals, so they hack the hackers, building up
dossiers, which they then turn over to the authorities.
Getting caught can make you famous, maybe even throw some money your way. It
can also take away a good part of your life, your money, your reputation, your
computing equipment, and your hopes for the future. Let's take a look at the laws
that cause this state of affairs.

State Computer Crime Laws

Every state except Vermont has explicit laws forbidding computer crime. They are
all pretty much alike in that they start out by defining what a computer is, and
defining various terms relating to computers and computer crime. Then they list
the specific offenses the law prohibits, and the penalties associated with those
illegal activities.
You can easily find out what the situation is for your state. Just so you know what
kind of things cops and lawyers are talking about when they talk about state
computer crime laws, let's take a look at a typical anti-hack statute.
The Wisconsin statute on computer crimes ("Chapter 293, Laws of 1981, 943.70"
for you law-book gurus) lists eight possible naughty things a person can do with a
computer. The first six have to do with "computer data and programs," the sixth
being the willful, knowing, and unauthorized disclosing of "restricted access codes
or other restricted access information to unauthorized person[s]." The first five bits
of software naughtiness detail the willful, knowing, and unauthorized modification,
destruction, accession, possession, or copying of computer data, computer
programs, or "supporting documentation."
The final offenses have to do with the hardware aspect. "Whoever willingly,
knowingly and without authorization," either modifies, destroys, uses, takes or
damages a computer, computer system, network, equipment or supplies related to
computers, is guilty under this statute.
There are eight different penalties listed, depending on whether the act in question
is considered a misdemeanor or a felony under the law. The magnitude of the crime is
based on how much damage was caused money-wise, how much threat to others
there was, and whether the hacker did the deed with intent to defraud or obtain
property. Penalties range from life imprisonment (sheesh!) to various fines in the
$500 to $10,000 range.

Traditional State Crime Laws

Just because your state doesn't have a law that specifically forbids snooping around
in someone else's computer, doesn't mean what you're doing is completely legal.
Prosecutors will try to convict hackers on violations of any law, even if there's a
large void between the hacker's actions and the original intent of the law. In some
circumstances, the prosecutors may feel there is not a good enough case against a
hacker using the computer laws. For other reasons -such as a rural jury -
prosecutors will press the issue of guilt, but try to sidestep the technical aspect of
it. They will charge a hacker with infractions of traditional crime laws, such as
malicious mischief, burglary, larceny, and whatever other nasties they can squeeze
into play.
There are problems applying traditional laws to modern "crimes," and the focus
changes from whether Hacker X is guilty or innocent, to whether Hacker X is guilty
of that particular crime. Can hacking be considered a kind of burglary? In a blue
collar computer crime, such as the theft of the actual hardware, there is no
question whether or not a law has been broken. On the other hand, if a hacker
steals records from a database, do the burglary statutes still apply? What if the
hacker didn't actually deprive anyone of their information, but only made a copy of
it for him or herself? Is this a different issue?
These topics have been addressed differently in different court cases. If you are
ever unfortunate enough to be tried for hacking-related offenses, the judge's
decision will be based on the exact definitions of "software," "burglary," and other
key words for your particular state. If the state has no computer crime statutes,
then "software" may not be defined; in that case it is up to the judge entirely to
decide what these terms mean.
Since we do have 50 states worth of laws to consider, in addition to federal laws,
space constraints dictate that we not list every single statute and definition that
might apply to a hacker's trial. For the specifics you will have to do your own
research into your state's laws. Here is a generalized overview of traditional
crimes, and how they can be applied to convict you of computer hacking. I want to
stress this point of "generalizations." All the definitions of law to follow are
simplifications of the laws throughout the land. Individual states add their own
personal quirks and nuances to these laws - minutiae on which both surprise
verdicts and legal loopholes are based.

Criminal Mischief

Also called malicious mischief, this is the willful destruction of someone else's
property. You may say to yourself, "Gosh, as long as I don't purposely go around
acting like a jerk, how can they convict me on that one?" Good question.
To be able to say that malicious mischief has occurred, three things must be
present: a real human action, evidence that the action has caused damage to
someone else's property, and that the damage is observable to a bystander. That's
the traditional definition. Well, any bystander can see a smashed storefront
window, but how many "average bystanders" can easily see how an algorithm has
been changed in a program to allow access to anyone named "Borges"?
The thing is, a hacker may change software or password files to gain entry to a
system, but it is often hard to determine whether or not such an action has caused
"willful destruction" of that file. Indeed, the software may not actually have been
altered to any detectable degree, and the hacker himself may not have done any
noticeable actions at all. Can one then honestly say that criminal mischief has
occurred? And yet, the hacker may have left the software in an altered,
"destroyed" state.
The answers to such questions remain to be adequately determined.

Burglary

For most states, burglary is the unauthorized breaking and entering of the real
property of another with intent to commit a crime. Again there is a problem, in that
we have to decide whether or not to accept an operating computer network as property.
The act of entering one's username/password is often metaphorically associated with
that of unlocking and opening a door to one's
house, but does that analogy exist to such a degree that the unauthorized entry
into a computer directory is committing a burglary?
It is generally conceded that the attempt to prosecute such an act under traditional
burglary statutes becomes futile. It may become slightly less futile if there is a
clear intent on the hacker's part to commit a crime. Again, make sure the world
knows your intentions are benign, and be sure to follow that path.
Of course, the physical breaking and entering of a building, with the intention of
using the computers there to hack, is a more clear-cut matter. Don't expect to
wiggle out of that one on as many technicalities.

Fraud

Fraud is easy to define: any sort of deception, cheating or unfair behavior that is
used to cause injury to another person. Using someone else's password is fraud,
since you are falsely representing yourself, and the "injured person" (computer)
reasonably believes you to be that person to the extent that you are given
privileges you should not have received.
But to be convicted of fraud it must be shown that because of the deception, the
victim had damage done to him or her. What happens in the case where a computer
manager knows it's a hacker on the line, and yet the manager is unable
to prevent damage from occurring? Since there is no deception, there is no fraud.
That may be intent to defraud, and perhaps not fraud itself.
Social engineering is clearly fraud if information gained from the exchange is used
to enter a computer, and some injury can be proven. Actually, fraud is universally
cited in any instance of computer crime, no matter what methods were used or
what the outcome of the "crime." You can see then the importance of not causing
"injury" to a computer. In all of these cases, it is essential that it can be
established that no damage (or alteration) was done, and none was intended.

Larceny

Larceny occurs when two conditions hold true: A piece of property has been
criminally taken and carried away from another person, and the intention of so
doing was to permanently deprive the owner of his or her property.
Again, problems arise when applying this to computer hacking. Think about a case
where a hacker inserts a GOTO statement in a program to bypass the section where
the program asks for login information. Has the hacker effectively deprived the
administrators on that system of that section of code -that piece of property?
Additionally there is the problem of determining if the intent was to leave the
GOTO in permanently, and not only that, whether or not such an action constitutes
"taking" away of property. After all, the intermittent code is still there, only the
access to it has been temporarily eliminated.
Larceny may be applied to the stealing of time on a computer, to stolen telephone
service or electrical power. In these cases it would seem the lawyers are doing
their best in a trying situation - a situation in which they realize the hacker has not
done any harm, and yet they want to symbolically punish the hacker for invading
their computers.

Theft Of Trade Secrets

Theft of trade secrets - also called "misappropriation" of trade secrets - may be contained
in the larceny laws of the state if a trade secret is defined as a kind of
property, or it may be the principal construct of its own statute. Misappropriation
of trade secrets might be the better of the two names, as it more accurately reflects
the nature of the law: either the physical taking of secrets, or the unauthorized
copying of them, may be viewed as a violation.
So if a hacker has printouts of some top secret laboratory reports, that information
has been misappropriated, copied by an individual unauthorized to do so.
If this law is subsumed into the general larceny statute, a prosecuting complication
might arise. We are then back to the question of whether or not it can be shown that
the hacker intended to permanently deprive the owner of his
property. We both know that computer hackers generally don't have any intention
of deprivation - just learning. We know that, but we can't expect judges and juries
to understand.
Finally, let's end this section on a good note. If the accused hacker leaves no trace
of his or her entering a system, then it is typically the case that theft of trade
secrets can not be seriously considered as having taken place. Thus, hackers should
make certain that all files and printouts which contain data that one might
regard as trade secrets, are either purged, burned or hidden very well.

Receipt Of Stolen Property

Let's describe this one by mentioning its three parts: (1) The stolen property must
have been received by (2) someone who knows or should reasonably suspect that
the property was stolen, and (3) the receiving has been done with the intent of
permanently depriving the owner of his property.
As with trade secret theft, ROSP may be included in the larceny laws, or it may
have its very own statute to call its own. Regardless, ROSP is a good crime to catch
hackers by. Here's why:
ROSP is applicable for almost any stolen property or "property," including trade
secrets, information, goods and services, high credit ratings (been hacking TRW
lately?), computer time, passwords, and files. If you've got any of these, or anything
else for that matter, you've got ROSP to deal with.

Theft Of Services Or Labor
Under False Pretenses


Theft of Services Under... Boy, I thought I had to abbreviate when discussing
Receipt of Stolen Property! TOSOLUFP is basically a form of larceny whereby you
trick someone into letting you have something. For instance, TOSOLUFP might
occur when a hacker gets access to an on-site computer by showing a guard a fake
ID badge.
Similarly, any false representation of a fact with the intention of obtaining the
property of another is TOSOLUFP. Additionally it must be shown that the victim's
judgment relied on acceptance of that false representation and because of that
reliance, suffered some injury - such as loss of computer time or monies which
would be paid by a legal user of the system.

Interference With Use Statutes

If someone does something so another person can't use his or her property (with a
resulting loss to the property owner) then it is said that an "interference with use"
statute has been broken. In the hacking sense, if a cracker were to change
password files so others couldn't log on, or tamper with a piece of source code, or
use another person's username and password, an IWUS may be said to have
occurred. Sometimes these are called anti-tampering laws.
As we have seen with the other traditional laws as they apply to hacking, there are
of course no clear ways to overlay centuries old terminology onto modern situations.
An IWUS can apply even if there is no visible damage as a result of tampering.
Even the installation of a back door may be punishable, regardless of whether
other users know this illegal mode of entry exists.

Traditional Federal Crime Laws

A crime may become a federal crime if it takes place on or involves federal
property, or if there is a vested federal interest in the crime. There are federal
laws which don't necessarily refer to computers, yet are acceptable for use in the
prosecution (persecution?) of computer hackers. Note that these laws, as well as
the laws described in following sections, are applicable only when the computers
you hack are related to the federal government in some way.

Conspiracy

Conspiracy (aka 18 USC #371, if you like numbers) takes place when two or more
individuals combine to agree upon or plot an unlawful act, or to commit a lawful act
in an unlawful manner. The law goes on to state it is unlawful for these two or
more people to plan to defraud the US government, or any federal agency.

This means that a bunch of criminals who use hacker's techniques to make money
appear in their checking accounts will be accused of conspiracy if the bank or
financial institution involved is a member of the Federal Deposit Insurance
Corporation.
In any case, if you are a member of any sort of group which discusses hacking, or if
you've ever discussed hacking or other illegal activities with anyone, you are a
potential victim of this law.

661, 2113, 641, 912, 1343, 1361, Etc.

Other federal laws may also apply in select cases of computer hacking. Applicability
of these laws depends on the nature of the "crime," what computers were being
hacked, where the hacking took place, and how the hacker went about breaking in.
For example, laws 18 USC 661 & 2113 have to do with thefts committed within a
special maritime jurisdiction and burglary of a bank respectively. Other laws deal
with post offices, fortifications, harbor-defense areas, and federal property in general.
These are special laws that will apply only if you have, let's say, "burglarized"
the information in a post office database, or committed some other special-area
offense.
United States Code 641 applies to the theft of federal property (is information
property?) or records. USC 912 makes it unlawful to obtain "a thing of value" by
impersonating a federal officer or employee. I would guess entering a federal employee's
password is considered impersonation.
Number 1343 on the books says you can't use wire communications to execute or
attempt to defraud or scheme to obtain property under false pretenses, when the
message crosses state lines. 1361 prohibits malicious injury to federal property,
and 2071 disallows the concealment, mutilation or removal of public records. All of
which a computer cracker is likely to do, if on a federal computer.
There is law after statute after law, all dealing with specific issues like these. It
doesn't seem worthwhile to go through every last one of them. Suffice it to say, if
you get caught by the feds, they have a lot of legalese they can use to say why
what you were doing was wrong. I'm not saying you should go out and memorize
every bill that's ever been passed that might have some remote connection to
computer law. I'm saying you should realize that computer hacking can be a risky
business. Use your head. Don't make the mistakes that others have made. If
you're lucky, you'll be hacking without harm for as long as you want.

Federal Computer Crime Laws, Or:
It's 10:30, Do They Know
Where The Hackers Are?



Finally, there are the federal laws which specifically relate to computer crime that
one must be wary of. The Counterfeit Access Device and Computer Fraud Act of
1984 (18 USC 1030) was the first law that explicitly talked about computer crime.
As you might expect, it is a law that can be applied to just about any government
hack. It prohibits unauthorized access to data stored on any "federal interest
computer," and specifically mentions financial records and national secrets as info
not to mess around with. This law allows for fines up to $10,000 or up to 10 years
imprisonment if it's a first offense.
Two years later, two computer crime acts were passed by Congress. The Computer
Fraud and Abuse Act of 1986 defined more situations in which hackers could be
prosecuted, by talking more about financial houses and medical records, targeting
computers involved with interstate crimes, computers belonging to certain financial
institutions, and other federally owned computers. There are also provisions for the
trafficking in passwords with intent to defraud computer owners. Most interesting
to the hacker, I believe, is that The Computer Fraud and Abuse Act of 1986 makes
it illegal to use other people's passwords, or even to use one's own password
improperly - that's where the "fraud" part of the title comes from.
One sort of strange requirement that this law makes is that it can only be applied to
crimes where the victim has lost $1,000 or more due to the crime. Since you are
going to be hacking under a set of ethical constraints, this law doesn't apply to you
at all then (i.e., no computer you hack will lose anything from your explorations).
This facet of the Act is made even more interesting when you realize that the
Senate Judiciary Committee, in their report on the Act, explained that a cracker
doesn't have to actually steal data to be prosecuted under the law - he or she only
has to read the data. Makes you wonder what they're thinking, since it's beyond my
comprehension how anyone can prove that reading some data caused $1,000 worth
of damage. But then, I'm no lawyer.
The Computer Security Act of 1987 is a do-nothing law that requires security
standards to be developed for classified and unclassified federal data, and requires
that security plans and periodic security training be implemented on federal computer
systems containing sensitive information.
Conclusion

I was going to apologize to all the lawyers out there, for the way I've manhandled
these descriptions of all the above laws. But really, why should I apologize to
lawyers?
Now let's talk about what we as hackers can do to protect ourselves; then we won't
have to worry about any of the above.

Chapter Fourteen:
Hacker Security:
How To Keep From Getting Caught



Hacking is fun. Hell, it's exhilarating. But it's also illegal, sometimes immoral, and
usually punishable. Even if what you're doing is perfectly innocent you'll be hard
pressed to find an acceptable excuse for it in court. The very least that might happen
is the security holes you utilized the first time around might get patched up.
More serious punishments inflicted by the courts can include community service,
fines and even prison, as we've seen. Informal punishments include the unofficial
destruction of your equipment by law enforcement officers, and being blacklisted
from tech-related jobs.
Consequently, the prudent hacker has two goals in mind while hacking. Number
one: don't get caught. Number two: if you do, don't make it count. This chapter
will present strategies the careful hacker will follow to ensure both situations are
true.
Hacking - to use one's curiosity about computers to push them beyond their limits
- involves not just technical knowledge but also the hacker's mindset. Part of the
mindset must deal with keeping oneself safe, or else the rest of it has been all for
naught. Accordingly, the strategies here should not just be known rotely and
followed, but expanded upon to apply to new situations. Remember, there have
been many computer criminals who've been sent to prison. True, some have even
hacked while in prison. Some even learned to hack in prison. But you don't want
to go to prison. So when you're on-line, in public, in private, or just living through
your life, make sure you apply these guidelines.
In Researching

There may be local ordinances in your area forbidding machines or people to
continuously dial up numbers and disconnect, as with an autodialer program which
searches for dial-in lines. If you make the calls yourself it's better to say a simple,
"Sorry, wrong number," than just hanging up and annoying all those people.
Remember the 'pers-pros' rule: The more people you get angry at you, the more
likely it is you'll be persecuted, and the more likely it is you'll be prosecuted.

In Social Engineering

Some social engineering and most reverse engineering requires authorized user
contact over the telephone or through the mail. This is obviously risky since you
are giving out your address or telephone number to people whom you are about to
defraud. Hackers have utilized several ingenious methods to overcome this
problem.
Once I found a small business with a technical-sounding name that would be closed
for a few weeks over the summer. By doing some hacking, some research, and
rubbing my lucky rabbit's foot I was able to come up with the code that released
messages left on their answering machine. That gave me a way to have people
contact me without them knowing who I was.
I put up some phony advertising for a computer network, instructing people to call
and leave their name and vital data. I could call up the machine whenever I
wanted, punch in the magic code and listen to those messages. When the store reopened,
I called them up, saying I was from the phone company. I told the store
owner that some lines got crossed, so they might get some weird calls.
Some hackers will simply change a pay phone to residential status and work out of
there.


In order to work a social engineer through the mails, you could rent a private mail
box or mail drop. One hacker found a cheaper solution. He noticed that the P.O.
Box underneath his in the college mail room was always empty. Apparently it was
unassigned. The mailboxes are open in the back so workers can stuff the mail into
them. This hacker took an unbent clothes hanger and a metal clip, fashioned them
together into a grabber that he could slide into his box and go fishing into the
mailbox below his. Later I showed him how to determine the combination of the
box, so he wouldn't have to do all that. For a long while the box remained unused,
and he was able to get all the secret mail he wanted sent there.

Dialing In

"If you don't want it known, don't use the phone."

- Nelson Rockefeller
When you're new it may be okay to dial up remote computers from your house,
but once you've been around a while you'll never know if your phone is being
tapped or your computer usage being monitored. So when you're past your
hacking childhood, make sure to never make an illicit call from your own house, or
from any number that can be traced to you.
Even when you are new to hacking, you could be in trouble. Imagine if you become
a regular on the TECHRIME-USA BBS, right about the time an FBI officer is planning
to bust the sysops for conducting illegal business on their board! You don't want
to get involved with that, especially if you haven't done anything illegal. Even
scarier than that are semi-reliable rumors which have been circulating through
branches of the technical underground which imply that the phone companies
routinely monitor and record modem conversations which pass through their lines.
This is supposedly done automatically by detectors which listen for modem tones,
and will then turn on a recording device to keep a record of the call. Even if the
gossip turns out to be false, consider this: (1) We obviously have the technology to
do such a thing and, (2) it is well known that the NSA records many, many phone
calls.
So... If you must associate with known computer culprits, or with established
hackers, do so as covertly as possible.
Not calling from your house means calling from someplace else. That means you
may want to splurge for a portable laptop computer. While you're at it, buy an
acoustic coupler and an external modem to go with it. All this should run you about
one or two thousand dollars -a lot less than the cost of retaining an attorney to
defend you in court.
The acoustic coupler is necessary because not every place you hack will have a
telephone jack to plug into. The external modem is needed to plug the coupler into.
While many laptops come with modems included, they are generally internal
models, and so can not be coupled to a telephone handset.
Now that you have your equipment, where should you take it? There are plenty of
places. At night and over the weekend you can sneak into many big office buildings
and, if the right door happens to be unlocked, sit yourself down at a cubicle and
chug away.

Two summers ago, I was walking past my local municipal center a little past 9 p.m.,
and I noticed that every office had their windows open. Every office - at night!
Their air conditioner must have malfunctioned during the day, as it had been incredibly
hot. Needless to say, if I'd been in the hacking mood I would've scrambled
through a window and hooked up my portable to a telephone. I could have been
making illegal computer B & Es while making a physical B & E, all just a few doors
down from a bustling police station - and with no one being the wiser.
If you have money laying around, or if you have a hacking expense account, you
can always hole up in a hotel or motel to do your hacking.
The money problem is one which gets to hackers in other ways. Phone bills add up
fast, which is why most serious hackers are phreaks too. A phreak is someone who
hacks the telephone networks. One of the major aspects of phreaking is the
producing of code tones which signal the telephone system to perform special
functions, such as place long distance calls for free. Phreaking is definitely a major
area for hackers to investigate, and the telephone system - and especially the
computers which run the system -is something which all hackers should become
intimately familiar with.
Many hackers will say that any hacking other than hacking the computers which run
the telephone system is child's play. This is true to some extent. The telephone
computer networks are incredibly large, sprawling, wonderful masses of intricate
functions, enormous databases, technical operations and blinding wizardry which
makes hacking anything less look pitiful.
Once the phone line leaves your house it goes to a local switching center. This
center controls all phones in your neighborhood, which may mean as many as
15,000 telephone lines. Each neighborhood switch is managed by its own
computer. These computers are the essential targets of the phone company
hacker; if you can access the computer, you can access every phone that it
switches. You can turn phones on and off, reroute calls, change numbers. You
could, if you were not a hacker, wreak quite a lot of havoc.
There are also switched networks which connect the computers that run switches.
From there you can go to regional maintenance systems such as COSMOS (which
sends out instructions to create and kill phone numbers among other things) and
MIZAR (the local MIZAR actually does the work that COSMOS sets up).
Once you've gotten familiar with the intricacies of these telephone computers, you
can use them in ways to protect yourself. For instance, you know you probably
don't want to place hacking phone calls from your house. What you can do is
connect to a neighborhood switching computer, take the phone numbers of some
local pay phones, and de-activate their need for coins. You then use the pay
phones to call or hack any place in the world.
Or you can use a MIZAR -which, as far as is known, does not keep records of its
activities, unlike COSMOS - to temporarily change your present phone number to
that of a nearby church. If your call gets traced, you'll be sending the feds on a
wild goose chase.
I want to make the point that dialing in to a remote computer is not as safe as it
feels. Communicating through a telephone or through a computer sometimes
gives you a false feeling of protection, especially when you become good at hacking
and phreaking, and turn from confident to cocky. Don't let that happen to you.
Remember to always follow these safety rules.
Don't set up patterns of behavior. Always call from a different place, at different
times of day.
When is a good time to call? Ask hackers this and each one will give you a different
answer. Late night is good because system administrators will probably have gone
home already -but then, so too have most valid users, so you'll stand out like a
clown at a funeral. You can try hiding yourself within the bustle of heavy usage
times, like mid-morning and afternoon, but then the mainframes will be at their
slowest, your activity can easily still be noticed, and the account you've hacked may
be unavailable for your usage. There really isn't any perfect time to call. Some
research into how the company structures its computer guard duty may help.
Time how long you're on the phone with a machine. A phone trace is
instantaneous if you're local, and takes just a half a tweak longer if you're calling
from far away. But it's still not wise to stay on a single line half the day. Move
around a lot, calling from different phone numbers, to different
access numbers. If your target has multiple dial-in lines, randomly choose from all
of them.

Laptop Hints

Since you'll be calling from who-knows-where on your portable laptop, here are
some suggestions to help you get connected.
When in unfamiliar domain, such as an office, hotel, schoolroom after hours, or
otherwise, your laptop is of infinite value - so long as you can get it to work. Never
plug your modem into an unfamiliar phone setup until you've verified that doing so
won't burn out your equipment. Many offices have installed their own electronic
phone systems, called PBXs, to facilitate special functions such as in-house dialing
and phone menus, or to block certain phones from making long distance calls.
Some of these PBXs place a current into the telephone wires that is powerful
enough to damage your delicate modem. To see if the line you have in mind is
safe, try plugging in a really cheap phone first. If it works, your modem should,
too.
PBX-networked phones may not work with your modem because of special audible
or numeric codes used in local routing procedures. If you get a dial tone on your
cheap test phone but your modem won't work, you can assume that it's the PBX
system at fault.
To correct the problem you have to plug the modem into the phone jack, and
connect the room phone (not your cheap one) to the modem (you may need a
special double port for this). To use the modem you place the call using the room
telephone, and when you hear the remote computer ringing, turn your modem online
and hang up.
Alternatively, devices can be bought to process signals as they go between the
telephone handset and the modem. The device converts ordinary modem signals
so they will work on digital systems such as a PBX. This may be a more suitable
alternative if you find yourself having to bypass PBX phones a lot.
Sometimes you can find yourself in a place with a telephone, but no plug-in jack for
your modem. For instance, if you are using the phone from a public fax or
automatic teller machine. In these cases, unscrew or pry off the mouthpiece of the
phone and use a cable with attached alligator clips to connect the red and green
wires from your modem wire to the two silver mouthpiece contacts inside the
telephone handset. This can easily generate a poor signal, so if you have the actual
telephone (not just the handset) available for vandalism, take apart the entire case
and clip your red/green modem wires to the red and green cable leads from the
telephone's transformer. You will then have to hold down the switchhook on the
telephone to place the call.


Your On-The-Road Kit

Make sure you have this stuff with you when you go hacking on the road:

• A laptop, or otherwise portable, computer. Must have a modem. Preferably two:
an internal, and an external with acoustic coupling cups.

• One small, cheap, reliable telephone for testing line voltages. You can use a
commercial tester for this, but the phone comes in handy in places like motels,
where you may want to connect to a telephone but the acoustic coupler won't fit
on the phone they supplied.

• An extra phone cord, with an RJ-11 modular clip at one end (the standard, square
telephone plug-in thingy) and with alligator clips at the other end.

• Wire cutters, screwdrivers, and assorted coil cords with various size ports.

System Tiptoeing

Even the best intentioned, the most honorable and nondestructive of hackers are
thought of as evil by the managerial population. This means that if you're caught
breaking into computers that don't belong to you, expect some trouble. Even if the
hacking you were doing is completely benign you are likely to be punished in some
way. I've seen reports that estimate the cost of computer crime per year is $3
billion to $5 billion - and that's on the low end. Other sources list figures as
high as $100 billion.
Even the $3 billion figure, to me, seems pumped up for insurance purposes, but the
people who run businesses and government don't see it that way. Government and
industry people will realize that most computer crimes go unreported,
and so the true cost is likely to be much higher than the official estimate. Even if
these dollar amounts are bogus, that's what people believe, and so they will be
even more inclined to prosecute someone who they believe is contributing to that
multi-billion loss every year.
Let's take a brief interlude here and examine the case of the Greenwood Family
Hospital BBS.
"Pretty Theft" is the name of a hacker I used to communicate with infrequently.
One day she sent me a message on a BBS asking if I knew how to get into the
computers of a certain hospital that was in my area. I was puzzled, because that
hospital was the easiest thing in the world to get into -in fact, it was one of my
earliest successful hacks.
When you logged onto the system, you were greeted with this informative message
(names and numbers are fictitious, of course).

Welcome to GFH-NET!
300-2400 baud (123)456-7890

GREENWOOD FAMILY HOSPITAL

GFH-NET IS MAINTAINED BY ROGER CORNWALL AND HAROLD LIPNICK QUESTIONS
OR COMMENTS? E-MAIL TO THEM!!!


WHAT IS YOUR NAME? TYPE IN FIRST AND LAST:

WHAT IS YOUR PASSWORD? TYPE <RETURN> ON A
BLANK LINE IF YOU DON'T HAVE ONE:

A few months after I began actively hacking, I was using my computer and
watching the evening news when a story came on about the governor breaking his
arm and being rushed by helicopter to a hospital. I thought to myself, "Hey,
hospitals must use computers, right? I can probably get into one!" So I got the
supposedly private number for the Greenwood Family Hospital Network, and I called
up, and I got that welcoming screen. Guess what I did next?
It's not too hard to figure out what I did! Naturally, I typed in ROGER CORNWALL
for my name. Unfortunately, the real Roger Cornwall had a password of some sort;
pressing Return on a blank line just got me an error message. So I tried HAROLD
LIPNICK. Again, no go.
I went into the kitchen, got out the phone book, looked up the telephone number of
Greenwood Family Hospital, and I called it. A woman answered:
"Greenwood, may I help you?"
"Yes, please," I said, "Is Tom there?"
"Who?"
"Uhm.... There's some guy there I spoke with earlier... Your supervisor or
somebody?"
"Lee Brown, you mean?" she asked.
"Oh yeah, I guess that's it. I don't know where I got Tom from. Uh, is he there?"
"Nope. Lee left at five."
"All right, thanks."
"Bye-bye."
I went back to my computer and called back GFH-NET and tried LEE BROWN for the
name. Once again, I was out of luck. However, after a few more phone calls to the
various numbers listed for the hospital, I came up with a guy (a resident) who had
not bothered with a password.
GFH-NET turned out to be nothing special after all. It had nothing to do with
hospital billing, patient records, or anything else pertaining to the actual running
of the place. Mostly it was like a doctor BBS. From what I could make of it, it was
medical students discussing problems with the doctors on the system. No file
transfers or anything; just a very simple messaging system. It was no big deal, but
it was fun to get into.
The next day I looked through the doctors in the yellow pages, and I found about
eight listed who had Greenwood Hospital addresses. Out of those names, three had
no password.
So anyway, I was puzzled as to why Pretty Theft couldn't get on there. I called it
up for the first time in years, and to my surprise found this nasty logon screen
awaiting me:

USE OF THIS SYSTEM IS
RESTRICTED
TO AUTHORIZED PERSONNEL
ONLY!
EVERYONE ELSE MUST HANG UP
NOW!




All useful information was gone! All that remained was an angry note and a
non-useful arrow prompt.
I tried some of the old names I'd figured out way-back-when, and found that all of
them had passwords now. I tried some more social engineering, but everyone I
spoke to kept their mouths shut about everything. (Later I was able to get onto the
real hospital system with the help of some nice receptionists in the administration
department.)
I e-mailed a letter back to Pretty Theft. I asked her what had happened there. The
next day I got her reply:
Last month a friend of mine was in the hospital, so I wanted to see if I could change
his bill. I remembered you giving me the number two years ago or something, so I
looked it up in my book and I was surprised I still had it. I knew the name of my
friend's doctor, and when I was there visiting him, I got the names of lots more
from the paging system (you know, "Calling Dr. Bower...") and from charts on the
walls. Then I went on the system and was trying all these names, when the sysop
came on and threw me off. Every time I tried getting on after that he kicked me
off. Next morning at about 8:00, I finally got on. One of the doctor's names I tried
had the name as a password too. Well as I guess you know, I couldn't change my
friend's hospital bill, but I couldn't do anything much else either... after giving my
name and password, it just froze. That night I tried it again, and there was a
message before it asked for your name. It said, MOST OF THE IMPORTANT FILES
HAVE BEEN DELETED BY SOMEONE OR SOMETHING. THE SYSTEM WILL BE DOWN
FOR A WHILE -ROGER. A week later I tried it again, and the phone just rung. I
didn't do anything to it, but I guess the sysop thought I or someone else deleted
the files. A few days ago I called back for no reason, and, well, you know. I guess
they got smart?
Yes, Pretty Theft was right. They had gotten smart, and because of it, security was
tightened. It is for this reason that hackers should not announce their arrival to a
system, nor do anything to attract anyone's attention. There is only one case,
really, when you would want to show yourself to the system operator, and that is
when you've found out everything there is to know about a system and are never
going to call back again.
Incidentally, Roger and Harold had gotten smart in some respects, but remained
dumb in others. Through continued perseverance I was able to get onto GFH-NET
again. As it turns out, I'd gotten smarter too; the medical conversations between
doctors and students seemed a lot more comprehensible than they had been just
two years before. Maybe it was the students getting dumber?
There was also an old bulletin posted from one of the sysops. It explained as much
as he knew about what had happened (which wasn't much). Mostly it said that
certain files were deleted, and many of the bulletins were replaced with obscene
musings on female anatomy. From what he said, it sounded like the files could
have been erased by either a clumsy system operator, or perhaps a malignant
hacker. I did a little investigating, and found that although it was not listed in the
main menu, pressing 'T' brought me to a defunct file transfer system. With a few
minutes of thinking, it was easy to see how someone could've uploaded a program
that would delete whatever files were in the root directory after a rebooting of the
system.
The next day I typed up a long letter to the sysops at the hospital, explaining
everything, what they could do to correct the problem, and how other security
breaches could be curtailed. I signed it, "Sincerely, Polly Wanza Hacker." Then I
called back the BBS and uploaded it to them. Soon after, I got this message from
Pretty Theft:
"There's a new logon screen at the hospital. It says: 'THANX POLLY! - SIGNED R.C.
& H.L.'"
I couldn't have been happier.


Lessons From The Hospital

You already know system operators don't want you on their system. That's why
you have to hack in the first place. But if you make it known that you're there, you
will compound your difficulties considerably.
On GFH-NET, the sysops went crazy when they realized their computers were being
abused, and they made it a lot harder to get into. On a little BBS like that, you
might not care whether or not you get in, but if you're dealing with something big
- like some government agency - you don't want to start messing around.
If you do show yourself in any way -like by a million log entries of "USER FAILED
LOGON PROCEDURE" from when you tried every word in the dictionary as a
password - the sysops are going to get concerned, at the very least. Concerned
sysops mean no information will be given out over the phone. It may mean
changing every legitimate user's password, or cleaning up dead accounts that might
otherwise facilitate entry.
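The flood of "USER FAILED LOGON PROCEDURE" entries described above is exactly what a sysop's audit log should be turning into an alert. The following is an added example (not from the book or the GFH-NET system it describes) of that detection side: it parses a constructed audit-log format, groups failures per account and per dial-in line inside a sliding window, and flags both password guessing against one account and name guessing across many accounts; the log format, account names and timestamps are all constructed for the example.

```python
"""Flag logon-failure floods in a dial-in host's audit log.

Added example, not from the book or the GFH-NET system it describes. The log
format ("<timestamp> LINE<n> USER FAILED LOGON PROCEDURE: <name>") and every
account name and timestamp below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (hypothetical) audit format; adjust the pattern to the real host.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"LINE(?P<line>\d+) USER FAILED LOGON PROCEDURE: (?P<user>\S+)$"
)

# Constructed sample: a password-guessing run against one account on LINE2,
# a name-guessing run (five different names) on LINE3, two unrelated typos by
# LIPNICK hours apart, and two successful logons that are not failures.
SAMPLE_LOG = """\
1986-08-20 23:01:05 LINE1 USER LOGGED ON: BROWN
1986-08-20 23:02:10 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-20 23:02:31 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-20 23:02:55 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-20 23:03:20 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-20 23:03:44 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-20 23:04:09 LINE2 USER FAILED LOGON PROCEDURE: CORNWALL
1986-08-21 06:10:00 LINE1 USER FAILED LOGON PROCEDURE: LIPNICK
1986-08-21 08:00:12 LINE3 USER FAILED LOGON PROCEDURE: ADAMS
1986-08-21 08:01:02 LINE3 USER FAILED LOGON PROCEDURE: BAKER
1986-08-21 08:01:50 LINE3 USER FAILED LOGON PROCEDURE: CLARK
1986-08-21 08:02:41 LINE3 USER FAILED LOGON PROCEDURE: DAVIS
1986-08-21 08:03:30 LINE3 USER FAILED LOGON PROCEDURE: EVANS
1986-08-21 08:04:15 LINE3 USER LOGGED ON: EVANS
1986-08-21 09:12:00 LINE1 USER FAILED LOGON PROCEDURE: LIPNICK
"""


def parse(lines):
    """Yield (timestamp, line_id, user) for each failed-logon record.

    Records that do not match the failure pattern (successful logons, other
    noise) are skipped rather than treated as attacks.
    """
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["line"], m["user"])


def detect_floods(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per offending key as (kind, key, count, first, last).

    kind "account": >= threshold failures for one account inside the window
                    (password guessing against a known user name).
    kind "line":    >= threshold distinct account names failing from one
                    dial-in line inside the window (name guessing: the
                    caller is still looking for an account to try).
    Each key is reported once, when the threshold is first crossed.
    """
    per_account = defaultdict(deque)   # user -> deque of timestamps
    per_line = defaultdict(deque)      # line -> deque of (timestamp, user)
    alerted, alerts = set(), []
    for ts, line, user in sorted(events):
        q = per_account[user]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and ("account", user) not in alerted:
            alerted.add(("account", user))
            alerts.append(("account", user, len(q), q[0], ts))

        lq = per_line[line]
        lq.append((ts, user))
        while ts - lq[0][0] > window:
            lq.popleft()
        names = {u for _, u in lq}
        if len(names) >= threshold and ("line", line) not in alerted:
            alerted.add(("line", line))
            alerts.append(("line", line, len(names), lq[0][0], ts))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_floods(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for kind, key, count, first, last in run_sample():
        print(f"ALERT {kind}={key}: {count} failures between {first} and {last}")
```

The two LIPNICK failures three hours apart never meet the threshold inside one window, so ordinary typos do not page anyone; only the two sustained runs do.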
Alternately, if you have a nice feeling about a certain system, and don't want to see
it get hurt (and you don't mind possibly eliminating your chances of ever getting
back on it), you would be wise to consider informing the system operators about all
the little quirks you know about their precious system.
Many times, they won't believe you. They won't even bother trying what you
suggest they try, either because they have a huge ego that can't be wrong, or
because they think it's some kind of a trick, or god knows why else. But if they do
believe you, and they take your advice, they will be quite grateful and, if you ask,
might give you a low-level account on the system, or some handy tips. Tell them
you'll be their unofficial security advisor. Some of them can be quite good about it,
though others will think you're up to no good no matter what.
BBS Protection

This section deals with the two issues of security for the hacker involved with
BBSs: hacker as user, and hacker as sysop. These are actually intertwined
issues, as sysops of one BBS will generally be users of other BBSs. You should take
these safety precautions on all BBSs you use and run, and should not hang around
systems which do not employ a high degree of hacker security.
Do not post messages concerning illegal activities on any BBS where you don't feel
completely secure. This means it's bad practice to brag about your hacking
exploits in private e-mail as well as public message bases. If you are actively
involved with BBSing, by all means become good friends with non-deviant systems,
if only to maintain a balanced perspective of your computorial existence. But make
sure that what you say on those boards does not implicate you in any way with any
crime.
Don't get me wrong. I don't want to imply that posting messages about hacking on
a hacker BBS guarantees safety, because it doesn't, of course. When you start
sharing secrets on a hacker BBS, you'd better make sure the sysop takes all of the
following safety precautions: user screenings, a false front and hidden back boards,
double blind anonymity, encryption, and affidavits of intent.
The most important aspect of any hacker group, club, or BBS, is secrecy. A true
hacker BBS will not advertise, because it does not need new members. A hacker
BBS will seem to be a very homey, family-style BBS up front, but type a code word
from off the menu, enter a password or two, and you enter the hidden realm.
Hacker BBSs should further protect themselves by only allowing specified users to
enter the secret parts of its domain, to prevent unauthorized hackers or pseudo-
hackers from breaking in to your meeting place.
Any hacker BBS which does not take this minimal precaution of pretending to be
legitimate, is juvenile, dangerous, and not something you want to be a part of.
Going up the scale of stupidity just a bit, I've seen plenty of "hacker" BBSs which
allow access to the hidden part by entering words like "DEATH" and, yes, even
"PASSWORD" as passwords. Needless to say, the information found on such
boards is very low content, and usually consists of the various users calling each
other dickheads.
No new users should be allowed on a hacker BBS unless one or several existing
members can verify that the potential user is not a cop, will abide by the club's law
of conduct, has information to share, and will not be a big blabbermouth. As a sysop,
you will enjoy composing the list of rules that govern the way the BBS takes in
new members. Remember, any new member should not even know that the BBS
exists until the time when he or she is accepted into it. That will keep out law enforcement
people, and keep in only the best hackers available.
Once a member has been verified as clean, his or her private information should be
destroyed from the computer records. In fact, think about the BBSs on which you
are a current member. Are there any which are likely to be busted in a raid? Even
if you aren't doing anything wrong on the system, even if nobody on the system is
doing anything illegal, you know very well how mixed-up the feds get when it comes
to computers. You don't want your name brought into a computer crime trial, even
if the case is thrown out of court before it begins. So if you're a member of any
subculture BBS, tell the sysop to replace your personal information (name,
address, phone number) with falsehoods.
If you ever register with a BBS but decide not to call back, make sure to inform the
sysop that you want your information deleted. (Verifying that such information has
been altered or deleted is one legitimate reason for hacking a BBS. Legitimate, that
is, from a hacker's ethical point of view.) It is important to do all this, because
there are impostors out there who are very good at catching hackers when they
least expect to be caught. In June of 1987, an AT&T security official logged onto a
Texas BBS and found messages from a hacker boasting about how he'd gotten into
a certain company's computer system. This led to the hacker's arrest.
Note that since the hacker undoubtedly used a handle on the BBS, and it was a
hacker board, the official might have hacked himself to get the hacker's real name.
In any case, make sure your real name, address and other identifying data never
stray to unsafe waters.
Before we start talking more about what you can do as the sysop of a hacker BBS,
let's conclude with a real life example of what happens when hackers DON'T follow
the advice I've listed above. In 1986 a BBS called simply and arrogantly, "The
Board," came into being in Detroit. The Board was run off an HP2000 computer,
and attracted hackers and crackers (and would-be hackers and wannabe crackers)
from all over. On August 20, the following ominous message appeared on The
Board when one logged in:

Welcome to MIKE WENDLAND'S I-TEAM
sting board!
(Computer Services Provided by BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours.
Three (3) lines = no busy signals!
Rotary hunting on 313-XXX-XXXX


If you called up that day and read the newest messages posted, you would have
been surprised to find these little darlings staring you in the face:

Board: General Information & BBS's
Message: 41
Title: YOU'VE BEEN HAD!!!
To: ALL
From: HIGH TECH
Posted: 8/20/86 @ 12.08 hours

Greetings:

You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the
WDIV-TV I-Team. The purpose? To demonstrate and document the extent of
criminal and potentially illegal hacking and telephone fraud activity by the so-called
"hacking community."

Thanks for your cooperation. In the past month and a half, we've received all sorts
of information from you implicating many of you in credit card fraud, telephone
billing fraud, vandalism, and possible break-ins to government or public safety
computers. And the beauty of this is we have your posts, your E-Mail and - most
importantly - your REAL names and addresses.

What are we going to do with it? Stay tuned to News 4. I plan a special series of
reports about our experiences with THE BOARD, which saw users check in from
coast-to-coast and Canada, users ranging in age from 12 to 48. For our regular
users, I have been known as High Tech, among other IDs. John Maxfield of
Boardscan served as our consultant and provided the HP2000 that this "sting" ran
on. Through call forwarding and other conveniences made possible by telephone
technology, the BBS operated remotely here in the Detroit area.

When will our reports be ready? In a few weeks. We now will be contacting many
of you directly, talking with law enforcement and security agents from credit card
companies and the telephone services.

It should be a hell of a series. Thanks for your help. And don't bother trying any
harassment. Remember, we've got YOUR real names.

Mike Wendland
The I-team
WDIV, Detroit, MI.

Board: General Information & BBS's
Message: 42
Title: BOARDSCAN
To: ALL
From: THE REAPER
Posted: 8/20/86 @ 3.31 hours

This is John Maxfield of Boardscan. Welcome! Please address all letter bombs to
Mike Wendland at WDIV-TV Detroit. This board was his idea.

The Reaper (a.k.a. Cable Pair)

Is any comment required?

You can see from this that the people who come after hackers - the people who will
be coming after YOU - are not all Keystone Cops. Maxfield knew enough to pick
"kool" handles like The Reaper and Cable Pair. The newuser password to get into
The Board was HEL-N555,Elite,3 - a quite hip password considering its origin.
Maxfield, and others like him, are as into hacking as we are. They are
knowledgeable of the culture and the lingo and the way we think. This last is
particularly hurtful, and it means you can't allow yourself to think like everyone
else. You won't become an elite hacker without the strength of your entire common
sense working for you. When you call up BBSs, be sure to exercise that strength.
Now let's talk about exercising First Amendment rights.
We do have the right to run our own BBS, and to exchange information on it. On a
hacker board, that information is likely not going to be the kind of thing you'd read
to your mother.
Disclaimers, such as, "This BBS will not tolerate any unlawful discussion of blah
blah blah..." are worthless, but you may want to throw them around anyway to
complement my next suggestion: Many of the traditional laws which hackers get
nailed on have to do with "harmful intent." That is, can it be shown that the hacker
or cracker willingly caused damage to a computer?
(Boardscan, mentioned above, is a company headed by John Maxfield which seeks
out and destroys hackers and their ilk.)
If you are running a hacker BBS or club, you might then consider having members
sign an affidavit which makes their good intentions known. Members should sign
an agreement stating that they would never willfully damage another's computer
or its contents, that any information exchanged on the BBS was for knowledge
value only and that none of the illegal activities discussed will be actively pursued,
etc. Basically this should be a way to let the members feel they are actively
participating in your code of ethical hacker conduct, which should be prominently
displayed upon login to the BBS. Signing such a goody-two-shoes affidavit may
not get you out of legal trouble, but it will do two things. It will stress the point
that a member who does not follow the agreement is unworthy to be a part of your
hacker BBS or club. And to a jury, it will help convince them that you all are just a
bunch of innocent hobbyists being persecuted by the Big Bad System.
It has been suggested that sysops should have their members sign an agreement
that, in the event of a raid by law enforcement officials, users would join a lawsuit
against the officials to win back monies to pay for destroyed equipment, lost time,
false arrests, the hassle, and everything else that goes along with being persecuted
by Big Brother.
Current e-mail should always be kept on hand, so that you can use the terms of the
Electronic Communications Privacy Act to your favor. The ECPA ensures that
electronic mail that was sent within the past 180 days is private and requires a
warrant for an official to search and read it. Note that individual warrants are
required for each user who has e-mail stored on your BBS, thus increasing the
amount of paperwork required by The Law in going after you and your gang of
happy hackers.
So, if your users have signed an agreement, and sample e-mail is stored for each
user (it may be fudged e-mail whose time and date of origination gets automatically
updated every 180 days), you want to make all of this known to invading officials.
Make a message such as the following available to all users when they log in for
the first time, and every time they use the system:

A SPECIAL MESSAGE TO ALL
LAW ENFORCEMENT AGENTS:

Some of the material on this computer system is being prepared for public
dissemination and is therefore "work product material" protected under The First
Amendment Privacy Protection Act of 1980 (USC 42, Section 2000aa).
Violation of this statute by law enforcement agents is very likely to result in a civil
suit as provided under Section 2000aa-6. Each and every person who has such
"work product material" stored on this system is entitled to recover at least
minimum damages of $1000 plus all legal expenses. Agents in some states may
NOT be protected from personal civil liability if they violate this statute.
In addition, there is e-mail which has been in storage on this system for less than
180 days. Such stored electronic communications, as defined by the Electronic
Communications Privacy Act (ECPA), are protected by the ECPA from unauthorized
accesses - such as seizure by government officials - without warrants specific to
each person's e-mail. Seizing the computer where this BBS resides would represent
such an unauthorized access. There are civil actions which may be taken
against law enforcement agents under provisions of the Act. You can find them in
USC 18, Section 2707. On this system you can expect up to X people to have
stored e-mail. Each of them is entitled to collect a minimum of $1000 plus all legal
expenses for violations of Section 2700 and 2703. Note that all users of this
system have already agreed in writing that their privacy is well worth the hassles
of court. We will sue YOU.
Perhaps the agency you work for might pay your legal fees and judgments against
you, but why take chances? If you feel the need to go after our private and legally
protected e-mail, or take actions which would deny e-mail access to our users (such
as seizing our hardware), get appropriate warrants.

It is the policy of the sysop of this system to cooperate with law enforcement
agents - though we will not be involved in entrapments, and will not respond to idle
threats. Please bring it to my attention if you discover illegal activities on this
board, because as curator of this museum I will not tolerate it.
"Hacking the hacker is the ultimate hack," John Maxfield has said. Maxfield is a
computer security consultant well known as a hacker tracker, and the one who
helped organize The Board sting described above. John scans BBSs looking for
hacker activity, and when he finds it, he informs the company that is being hacked
about the problem. You know how insecure computers can be, and when you post
messages or send e-mail on a BBS you are in effect opening yourself up for the
world to see. Don't let some hacker tracker see something about you that you'd
rather keep private. When you roam around cyberspace, do so discreetly.

Other On-line Security Steps

In real life and detective fiction, the real enemies to a person's well being are
patterns in that person's life. Having a regular schedule of activity may make life
easier for you, but it also allows others to find you when you are trying to hide, and
notice you when you are trying to remain inconspicuous.
As an example, consider the case of the oilman who would ask the system manager
to mount temporary backup tapes every time he began a computing session. The
oilman would then read from the tapes mounted by the system manager before
starting his work. The manager got suspicious fast: it was pretty evident that the
oilman was looking for data that others before him had backed up onto those tapes.
That industrial spy, like many other hackers and crackers, was caught because he
followed a pattern.
Criminals (and hackers) like to formulate plans of action. But remember, any plan
you conceive should have elements of randomness to it. Don't allow yourself to
always call at a certain time, from the same workstations or telephones, because
one day you will arrive at your favorite hacking location and find someone standing
there with a pair of handcuffs.
Once I got a list of Social Security numbers from sitting in on a computer class on
the first day: the professor handed around a sign-up sheet for students to list their
name and number so that accounts could be made for them on the computer
system. I waited until the accounts were made, then I had to go in and try them
out. But trying them all at one time would have been too suspicious. Instead, I
tried a new one every few hours, a different name each time, so it would look as
though different people were trying it out.
The system was secure in that it asked me to change my password upon first login.
After doing so I was able to use the operating system's password-changing
command to go back to the Social Security number so the original user could get in.
But in each user's directory I left behind a hidden program that I could use for
remote file viewing and playtime later on.
If you ever get into a situation where you can't change the password back to its
original form, try re-entering the password as some variation on the Social Security
number. For 123-45-6789 you might enter 123456789 or 123-45-6780 or 123-4567890,
as if the typist's finger had slipped. If security precautions require a capital
letter or something, use one that is close to the last digit in the ID.


It is equally important that your modus operandi change as you move from one
hack to the next. As you know, once you're into a system you should do what you
can to create a new account for yourself. But make sure you always use a different
name and password, and make anything you input about your fictional persona as
noncommittal as possible. It is a minor point, but one of the things investigators
noticed when tracking down computer cracker Kevin Mitnick was that the words he
used were often identifiable American vernacular, thus implying that he was in fact
American (i.e., a spy from a Third World country probably wouldn't use the
password "RENANDSTIMPY").

Security Logs

It is easy to get manufacturers of security products to mail you everything you
would ever want to know about the things they sell. Here I am concerned mostly
with software which quietly monitors the activity on a system, audits the system
resources for misuses and irregularities, and keeps a disk-based or printed log of
usage. Someone at the company takes a look at the log, then says to himself,
"Hey! Mr. Poultry has been logging on every night at three in the morning. That
seems unusual... Better have a chat with him..." Suddenly you're in an unsafe
position, and you never even knew it was coming.
From your research into a particular computer you are looking to hack, you will
know which security products are in force (by calling system operators feigning
that you are a computer consultant, or by looking through the company's library of
reference manuals). Get the descriptive literature from the manufacturer so you'll
know what silent enemy you are up against.
Security logs - if they are in place and actually attended to - will alert
administrators to any patterns which you create. Well, you're not going to create
any patterns, but you're probably going to create some problems, and those, too,
will show up on the security log's report.
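The auditor the author is warning about here is easy to picture in code. As an added example (it is not from the book), the following Python runs three of the checks such a product would make over a handful of constructed login records: successful logins outside working hours (the three-in-the-morning case above), bursts of failed logins from one user and source, and one source walking through many different accounts in a day, which is the pattern the classroom-account story earlier in this chapter describes. The log format, the thresholds and every line in SAMPLE_LOG are assumptions made for this example.

```python
"""Added example: the kind of checks a security auditor runs over a login log.

Not from the book. The log format and every line in SAMPLE_LOG are constructed
for this example: "<ISO timestamp> <user> <source> <OK|FAIL>", one event per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = """\
1993-04-05T09:02:11 poultry tty07 OK
1993-04-05T13:15:40 poultry tty07 OK
1993-04-06T03:05:44 poultry dialin2 OK
1993-04-06T08:58:01 jsmith tty03 OK
1993-04-06T22:10:30 jsmith dialin1 FAIL
1993-04-06T22:10:52 jsmith dialin1 FAIL
1993-04-06T22:11:15 jsmith dialin1 FAIL
1993-04-07T03:02:09 poultry dialin2 OK
1993-04-07T09:12:00 alee dialin4 OK
1993-04-07T11:30:00 bchen dialin4 OK
1993-04-07T14:05:00 cdiaz dialin4 OK
1993-04-07T16:45:00 dkim dialin4 OK
1993-04-07T19:20:00 eford dialin4 OK
"""


class Record(NamedTuple):
    ts: datetime
    user: str
    source: str
    result: str


def parse_log(text: str) -> List[Record]:
    """Parse the constructed format; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("OK", "FAIL"):
            continue
        records.append(Record(datetime.fromisoformat(fields[0]), *fields[1:]))
    return records


def off_hours_logins(records: List[Record], earliest: int = 7,
                     latest: int = 21) -> List[Tuple[str, datetime]]:
    """Successful logins outside a fixed working window (the 'three in the
    morning' case). A real product would learn the window per user instead."""
    return [(r.user, r.ts) for r in records
            if r.result == "OK" and not earliest <= r.ts.hour < latest]


def failed_bursts(records: List[Record], threshold: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int]]:
    """(user, source, count) for every user/source pair with >= threshold
    failures inside one window: a guessing run that was not spread out in time."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r.result == "FAIL":
            failures[(r.user, r.source)].append(r.ts)
    flagged = []
    for (user, source), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                flagged.append((user, source, len(run)))
                break
    return flagged


def account_sweeps(records: List[Record], min_accounts: int = 5,
                   window: timedelta = timedelta(hours=24)) -> Dict[str, int]:
    """Sources that successfully logged into many distinct accounts within one
    window. Spacing the logins a few hours apart does not hide this; only
    changing the source between attempts would."""
    by_source: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        if r.result == "OK":
            by_source[r.source].append(r)
    flagged: Dict[str, int] = {}
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r.ts)
        for i, first in enumerate(recs):
            users = {r.user for r in recs[i:] if r.ts - first.ts <= window}
            if len(users) >= min_accounts:
                flagged[source] = max(flagged.get(source, 0), len(users))
    return flagged


def audit_report(text: str) -> Dict[str, object]:
    records = parse_log(text)
    return {
        "off_hours": off_hours_logins(records),
        "failed_bursts": failed_bursts(records),
        "account_sweeps": account_sweeps(records),
    }


if __name__ == "__main__":
    for check, hits in audit_report(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

Note what the third check implies for the "one account every few hours" trick: the spacing in time is invisible to a check keyed on the source, so the thing to vary would be the terminal or line, not only the clock.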
If you plan to stay on a given computer for any length of time, for instance if you
plan to use that computer as a springboard from which to jump around through the
network, you must discover the security auditor and render it useless.
Don't destroy the auditor, simply reprogram it to ignore you when you log on. Or
find out how it keeps a record of events and see what can be done to eliminate your
own tell-tale traces. This should be a piece of cake, considering that if you're in the
position to do these sorts of things, you most likely already have root access.
If you have been logging on in a similar way for a while, you might want to change
previous log entries to reflect a more random login schedule. You may also be able
to use a date or time setting command to control how the security monitor judges
your behavior.

WARNING!

There have been many, many instances of hackers carefully editing out personal
sections of audit records, only to find to their horror that they've deleted more than
they should have. Or hackers who were trying to be helpful by cleaning up a messy
program or fixing a typo in a memo, and having some disaster occur. You know
you should always keep backups. The backup rule applies every time you use a
computer, especially computers which aren't yours. If you feel you must alter a file
that doesn't belong to you, alter a backup of that file. When you're done, make
certain your changes are perfect, delete the original file and then rename the
backup.

One simple task that most auditors and many secure operating systems will
perform is the recording of unsuccessful login attempts. Again, research is
needed to see how your particular target computer responds to inaccurate logon
inputs. Some programs will let you try three or four username/password
combinations before resetting and saving the last attempt. In that case you would
try to always make your last login attempt something innocuous. Or to be safer,
don't type anything for your last allowed login attempt. Instead, press Control-C
or Control-Z or whatever it is you can use to break back to the previous level of
interaction.
Auditing programs can be a nuisance if you're running a big job, such as a brute
force password generator. If you're able, try to write these programs so that they
get around the security logs. Going directly to the hardware may be one solution to
this problem. Another, depending on what kinds of things the log is keeping track
of, would be to rename suspicious commands, so that the log either won't know to
record those commands under their new name, or if the supervisor reads through
the log printouts, he or she won't notice any questionable activity going on.
Printed logs are a big problem. Any hacker worth his salt can go in and fiddle with
records which have been stored on a tape or disk. But what if the security monitor
makes a real-time printout of events as they occur? Then, my friend, you are
stuck. Once a deed is done, it is trapped on that page for life.
The thing to do is catch any mistakes before you make them. Limit the number of
illegal or questionable activities you perform until you can find a way to disable the
printer. You may be able to use software switches to program the printer to print
everything in a nonexistent font, or if it's a multi-color printer, in a color that has
no ink cartridge or ribbon. Of course, since you're probably doing all this over the
phone, you might not know what equipment is being used. However, it might be
possible to reroute print jobs to an electronic storage medium, or to an unused
port; that is, tell the computer to print stuff out on a printer that doesn't exist. At
times it may even be possible to trick the computer into thinking it's printing to the
printer when actually it's printing back through its own modem - and so you end up
receiving reports of your own activities as you go about your business.
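The author's point in the two passages above is that a log on disk can be rewritten by anyone with root, while a line on paper cannot. The defender-side answer to the same problem, given here as an added example that is not from the book, is a hash-chained log: each entry carries the hash of the entry before it, and the newest hash (the "anchor") is copied somewhere the intruder cannot write, which is exactly the job the printer was doing. The entries, timestamps and the anchor-shipping step are assumptions made for the example; the code shows which check catches each of the edits discussed above: altering one entry, deleting one, cutting entries off the end, and the careful version where the whole chain is recomputed after a change.

```python
"""Added example: a hash-chained audit log, the on-disk analogue of the paper log.

Not from the book. Entry format, events and timestamps are constructed for the
example. The one assumption that makes it work: the latest chain head (the
"anchor") is copied somewhere the intruder cannot reach, e.g. printed on the
console log or sent to another host, each time the log is flushed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64
Entry = Dict[str, str]

# Constructed events: a daytime session, then a 3 a.m. dial-in that became root.
SAMPLE_EVENTS = [
    ("1993-04-05T09:02:11", "login poultry tty07 OK"),
    ("1993-04-05T17:40:03", "logout poultry tty07"),
    ("1993-04-06T03:05:44", "login poultry dialin2 OK"),
    ("1993-04-06T03:41:10", "su poultry root dialin2 OK"),
    ("1993-04-06T04:02:57", "logout poultry dialin2"),
]


def entry_hash(prev: str, ts: str, event: str) -> str:
    # Newline separators keep (prev, ts, event) unambiguous before hashing.
    return hashlib.sha256(f"{prev}\n{ts}\n{event}".encode()).hexdigest()


def append_entry(log: List[Entry], ts: str, event: str) -> str:
    """Append one entry whose hash covers the previous entry's hash; return it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"ts": ts, "event": event, "prev": prev,
                "hash": entry_hash(prev, ts, event)})
    return log[-1]["hash"]


def build_sample_log() -> List[Entry]:
    log: List[Entry] = []
    for ts, event in SAMPLE_EVENTS:
        append_entry(log, ts, event)
    return log


def verify_chain(log: List[Entry],
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """(True, None) if intact, else (False, index) of the first entry that does
    not fit. index == len(log) means the chain is self-consistent but its head
    is not the anchor: entries were cut off the end or the chain was rebuilt."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(e["prev"], e["ts"], e["event"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, None


# Three things an intruder with write access to the log file might do.

def edit_entry(log: List[Entry], index: int, field: str, value: str) -> List[Entry]:
    """Change one field in place (e.g. move a 3 a.m. login to 9 a.m.)."""
    copy = [dict(e) for e in log]
    copy[index][field] = value
    return copy


def delete_entry(log: List[Entry], index: int) -> List[Entry]:
    return [dict(e) for i, e in enumerate(log) if i != index]


def rewrite_history(log: List[Entry], index: int, field: str, value: str) -> List[Entry]:
    """The careful intruder: change one field, then recompute every later hash
    so the chain is internally consistent again. Only the anchor exposes this."""
    events = [{"ts": e["ts"], "event": e["event"]} for e in log]
    events[index][field] = value
    rebuilt: List[Entry] = []
    for ev in events:
        append_entry(rebuilt, ev["ts"], ev["event"])
    return rebuilt


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]  # the value that gets printed / shipped off-host
    daytime = "1993-04-06T09:05:44"
    print("intact   ", verify_chain(log, anchor))
    print("edited   ", verify_chain(edit_entry(log, 2, "ts", daytime), anchor))
    print("deleted  ", verify_chain(delete_entry(log, 2), anchor))
    print("truncated", verify_chain(log[:3], anchor))
    print("rebuilt  ", verify_chain(rewrite_history(log, 2, "ts", daytime), anchor))
```

The chain alone catches the sloppy edits; the rebuilt chain passes every internal check and is caught only because its head no longer matches the anchor that left the machine. That is why the anchor, not the hashing, is the part that replaces the printer.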
A more troublesome form of paper log is sometimes used by organizations to keep
track of who does what, when, and why. Some companies insist that each
employee enter telephone calls in a log. A monthly review and a comparison of the
log with phone bills is done - and if anything doesn't match up, well, you can figure
out what happens next. If you sneak into an office to make long distance calls,
you can be easily trapped with such a log, since you probably won't know about it.
Even if you're dialing in from home (or a phone booth), a log can trip you up. If
you use a company's computers to call other computers, that might be a toll call
which would show up on the phone bill, but not in the employee log.
Companies may keep logs to verify employee comings and goings, and use of
equipment. Stay on top of things because the littlest errors lead to the biggest
downfalls.

In Public And On-Site


Doing any sort of hacking-related function in public or on-site - altering public
access computers (PACs) or public access terminals (PATs), sabotaging for reverse
social engineering (RSE), doing in-person social engineering (SE), using a
university's computing facilities, or simply doing research at a library - is riskier
than doing the same sorts of things at home. Not only do you have all the threats
that a home-based hacker has, you have the additional concerns of whether or not
you will be recognized or apprehended.
Use proven burglar's techniques when selecting a spot to do public hacking. When a
burglar enters a house, the first thing he does is scope out all the exits. Don't sit
down at a computer from which you won't be able to escape easily in more than
one direction. And just as a burglar is always glad to see tall shrubbery to hide
behind, you should try to sit at computers that are hidden in some way; with people
or objects sitting in front of you, and hopefully a wall behind you, so no one can
look over your shoulder.
Always be ready to leave a public hack at a moment's notice, and never get so
involved with your work that you forget where you are. Remember, that's what
happens to regular users when shoulder surfing takes place - they forget where
they are and they let people see the secret things they're doing. A hacker must
always be more security-aware than a regular user.
Take care to have a decent story prepared if you're trespassing, or if your actions
will seem fishy to a passer-by. Make sure you dress the part of your story.
Regardless of your story, clean dressy clothes are always a plus.
Finally, one should always keep in mind that a computer room is very likely
occupied by at least one hacker or cracker at any given moment. Be alert to
shoulder surfers, and to other tricks of the trade. When I sit down at a public
terminal I always press the Break key a few times, and log off several times before
logging in - just in case someone has set up a simulation trap.
Be cautious, too, upon log out. Some terminals, such as the Tektronix 4207 and
others, maintain a buffer of the screen display. Often that buffer is not cleared,
even after log out. What that means is, some unsuspecting soul walks away from
the terminal, but leaves behind a record of every action taken during his or her
session. Anyone can go over to that terminal now and access, read, even print out
dozens or hundreds of screenfuls of data.