
Secrets of a super hacker....

(Figure: An example of a menu on a public computer. Tricks can be used to break free from the menu, then either alter the menu or the application programs to collect private user data.)


Finally, think about this. Perhaps you don't need any of this advice at all. Over the
past two weeks, every day that I've visited a certain school's computer rooms,
there was at least one instance where I would switch on a terminal and find it stuck
inside somebody's account. Apparently the account owners didn't know that
shutting off the terminal does not log them out of their account. Occasionally I
would find more than one terminal left in a logged-in state. It was a hacker's
paradise!

Doing It BASICally

If you have an account - or if you go into the computer lab and find someone else's account logged in and abandoned - you can write a simple BASIC program to simulate the login procedures, then leave it running. Here is a very simple example:


10 PRINT "Welcome to Y University Computer Network!"
20 PRINT
30 INPUT "Name? "; N$
40 INPUT "Pass? "; P$
50 REM Now store these two variables in a file
60 REM and logoff from the account, giving an error
70 REM message. Or, use the inputted data to have
80 REM the program login to the system.
90 REM Finally, delete this program.


Remember to program in necessary time delays, if it usually takes a few seconds for commands to register. Also remember to have the program print asterisks (or periods, or dashes, or whatever's appropriate) on the screen instead of the user's password.
Sometimes commands are available to users before logging on, like allowing them to see who else is currently logged on. You may or may not be able to program phony responses to a user's queries. The program doesn't have to be extremely elaborate, however, as most users will probably just sit down and login right away. You might want to sit around in the computer room awhile and look to see what commands get used the most, so you will be able to program simulations of them.
After the user is done typing his name and password, the program should store the information, and exit out of your account. If you wrote the program in another person's account (like the ones I mentioned finding logged in already) then the program will have to transmit the data to you somehow (methods to covertly transmit data are discussed in the chapter "What To Do When Inside"). After all, once you log out of that account, you won't be able to get back in again. On the other hand, the operating system might allow you to save the file in your own directory if given the right access codes, or if you can make your own account temporarily less secure, allowing others to write to your directory.
Hacker security is very important - you never know what superuser is spying on your activities. Therefore, it would be wise to encode volatile information like other people's passwords before they get stored in a file in your personal directory. I use a simple code, such as storing 13 + ASCII code of each character, with every other number stored being random. So for the name/password combination SMITHERS/RANGERS my program would store 96 90 86 97 85 82 95 96 / 95 78 91 84 82 95 96, with random numbers between each of these numbers.
An expansion of these ideas is found in an upcoming chapter.
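As an added forensic example (not the book's code), this Python decoder shows that the "13 + ASCII with random filler" scheme is obfuscation rather than encryption: anyone who finds the stash can read it back by trying both phases of the interleaving. The stash contents and the filler values are constructed here.

```python
"""Decoder for the "ASCII + 13, random filler between values" stash format
described above. Added example, not from the book; the sample stash is constructed."""
import string

OFFSET = 13
# What a real name or password decodes to: printable ASCII, no control characters.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_plain(numbers):
    """Values with no filler: each one is a character code plus OFFSET."""
    return "".join(chr(n - OFFSET) for n in numbers)


def decode_interleaved(numbers):
    """Real values sit at every other position, but the file does not say
    whether they start at index 0 or 1. Try both phases and keep the one
    that yields printable text; return None if neither or both do."""
    candidates = []
    for phase in (0, 1):
        real = numbers[phase::2]
        if not real or min(real) < OFFSET:   # would decode below NUL
            continue
        text = decode_plain(real)
        if all(c in PRINTABLE for c in text):
            candidates.append(text)
    return candidates[0] if len(candidates) == 1 else None


def recover_stash(text):
    """One record per line of whitespace-separated integers."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(decode_interleaved([int(tok) for tok in line.split()]))
    return records


# Constructed stash: the book's SMITHERS / RANGERS values with a filler value
# after each real value (fillers fixed here, not random, so the run is repeatable).
SAMPLE_STASH = """96 5 90 200 86 7 97 150 85 12 82 3 95 99 96 250
95 20 78 180 91 9 84 160 82 2 95 77 96 40
"""

if __name__ == "__main__":
    print(recover_stash(SAMPLE_STASH))  # ['SMITHERS', 'RANGERS']
```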

Hardware Methods

One thing I've done is to take an old, unused terminal I found hiding in a basement storage facility, and wire it up to a portable computer. At about four in the morning I smuggled the thing into the computer lab, and replaced a terminal that was already there with my own, connecting the cable to the portable.
I hid the portable under the table. It was a wooden table with an overhang. I used an electric stapler to make an old pair of cut-off jeans into a pouch that hung down from the underside of the table, and I enclosed the portable within it. I had the portable programmed to save on disk the first ten characters that appeared after "Username:" and "Password:". Basically, the portable acted as a monitoring device, working between the terminal and the mainframe. It worked well.
The only thing that didn't work out was when I replaced the computer room's original terminal a week later. The guy thought I was trying to steal it.
There have been hackers who've taken old terminals, opened up the plastic casings, and hidden little computers inside the terminals! There was not enough room in the terminals I was using to do that, but in certain situations that would be a preferable thing to do. Make sure the computer you put in and any wiring associated with it stays separated from the internal goings-on of the dumb terminal. When hackers hide portables in this way, they are generally putting their computer inside an otherwise hollow, bulky base of the terminal.

General Purpose Microcomputers

Now we come to the third type of Public Access Computer from that list I gave several pages back: the General Purpose Micro. I'm going to be talking here about IBMs and MS-DOS machines, although nowadays we're seeing more and more Macs out in the open for public use. Of course, all techniques I discuss can be translated to any computing environment.
Let's say you call up your local library and make an appointment to use a computer there, for word processing or business or whatever. Ordinarily these are non-network machines, although if there's more than one they may be connected to the same printer, or to some other peripheral. At colleges, the word processing software may be on a non-writable disk - on some sort of mainframe or minicomputer. There are also businesses set up now where people can go to rent time on a computer to type up their résumés or reports, and have them printed out on a good quality printer. Set-ups such as these can be exploited to the hacker's benefit.


Breaking Free

The first thing you'll notice is there's some kind of menu system on these micros. The people who run the joint don't need some snot-nose kid coming along and formatting their hard drives or leaving behind obscene messages, so certain protective devices are used to guard against such activities. It is generally a trivial matter to get out of the menu program, even though its very existence - at least partially - is to keep you from doing just that.
If the computer is turned on already and at the main menu, look on the screen for any indications of commands that shouldn't be there, such as "Alt-X to Quit." Try it - does it work? You might exit the menu, only to get a message like this: "Error! Press any key to return to Menu." What happened is this: when the computer was first turned on in the morning, the menu system was called up by the AUTOEXEC.BAT file. By typing Alt-X, you have been returned to the AUTOEXEC.BAT shell, and are experiencing the next line of that BAT file. Simply Ctrl-C your way out of there.
Even if it doesn't say on the screen how to leave the menu, you will want to try various function keys, the Ctrl-Break key, the Escape key, and different combinations of Alt and Ctrl with C, X, and Q.
Often menu systems will have you enter a password before allowing you to exit to the operating system. If this is the case with the one you're hacking, by all means try various passwords - starting with blank lines, the name of the building or company, and other obvious work-related and business-like words.
Computer systems are at their weakest when they're moving from one program to another, so try choosing a menu item and using Ctrl-C as soon as it's selected. Actually, for best results you should repeatedly tap Ctrl-C and the Ctrl-Break key simultaneously.
If none of this works, turn the computer off, then turn it on again and see if you can Ctrl-C or Ctrl-Break your way out of the AUTOEXEC.BAT startup procedures. Alternately, you should have your own program disk ready to boot. If both of these tactics fail, use the menu system to run the various programs listed and see if any of them have an escape to the operating system.
For WordPerfect, you can shell out with Ctrl-F1. Wordstar allows shelling or single commands to be entered with Ctrl-K, F.

Freedom Means Free Roaming

Once you are able to exit the menu system you will be able to explore the
computer.
If there are lots of computer-wise people around, or people looking over your
shoulder, or people in charge running all over the place, then you'll want to get
back to authorized sections of the computer ASAP so you're not discovered in the
private parts and thrown out of the building.
My recommendation is to copy everything relevant to your cause onto floppies, then take them home to examine them at your leisure. This is akin to the burglar who steals the entire unopenable safe so he can work on it in his basement with noisy power tools and blow torches.
Copy the AUTOEXEC.BAT file and the menu system first of all, and any directories you find containing files with BAT, DOC or TXT extensions; miscellaneous disk utilities (especially public domain-type programs); security, maintenance, or updating programs; anything having to do with telecommunications; memory resident programs; other explanatory text files.
Especially if the computer's on a LAN, there may be a D: drive, F: or H: or an L: drive, or some higher-lettered drive that you wouldn't ordinarily even think of looking for.
Check for hidden files and directories. Copy them, too, if you find any. Also see if any files have been deleted, and try to recover them if they appear applicable to your needs.
Depending on the situation - the computer, the place of business, other relevant factors - you may or may not find anything on the computer. Often it's worth hacking a public computer like this just for the thrill of getting by security measures. However, the computers are often so poorly protected that even this thrill is a minor one.
Many times I've found public domain and shareware utilities that I'd never seen before, so it's worth doing this just to see if you can pick up anything new along these lines. You may even pick up some valuable programming hints or ideas - some of the batch and script files you'll find can be impressively complex.
Another thing that's common is to find in-house programs on the system - things like employee schedulers, databases, or other programs that are not available for public use, and are reserved for use by the managers of the business or library.
If the computer has telecommunications or networking abilities, there may be handy phone numbers or sign-in protocols you will be able to use.
If you have encountered prompts for passwords in your exploration of the computer, try to find out where the master list of passwords is stored on the disk.
One time I broke out of a public menu program in a special library, and after looking around awhile, found a carefully hidden file called PASSWDS. I typed it to the screen and was surprised to find a list of about six user names, along with passwords, addresses and other personal information for each name. Naturally I was overjoyed, but to this day I haven't figured out why they were there. I tried those names on all the systems in the area without success. I tried fingering the people ("finger" is a UNIX command that allows you to look up information about system users) on the major computers, to no avail. The people listed in the file seemed to not exist anywhere I looked for them! Perhaps someone was just using the file as a test or demo, or on some private computer system... but then why was the file hidden away so well?
Sometimes you will discover red-herring clues of this kind, trails that seem to lead nowhere. It's all part of the nature of being what you are. Hacking is frequently a matter of intense research, with the goal being to establish a hypothesis, a question that needs answering. Once you have decided on a question ("Will this password list work on the Raamses 3?" "Does the President of Moroll Corporation have a secretary with system access?"), then you can do higher level research and try to answer it.

PACK


When you go out on a public hacking expedition, you'll want to be prepared by taking along your PACK: Public-Accessible Computer (hacking) Kit. This kit should include:
Plenty of blank, formatted disks, in both 3½" and 5¼" sizes, so you can quickly copy the menu's security programs. Make sure these disks are the proper density for the drives you will be using.
Auxiliary programs, such as superzappers and other utilities. You will also want to bring any special programs you have written (such as menu simulations, as discussed in the next section). Public domain programs are available to shut off the internal speaker. This can be useful if you're hacking a computer that lets out a loud and suspicious beep every time a wrong password is entered.
Other tools: A Swiss Army knife is good, or at least bring a little screwdriver. Very often, especially on CD-ROM workstations, you will find locks or covers placed over the disk drives to limit access. A large, unbent paper clip is handy for hacking Macs. If you have to leave in a hurry, you can slip the end of the paper clip into the hole next to the disk drive, and your disk will pop out. That's often the fastest way to eject a disk.

Menu Simulation And Other Sneakiness

For protection and simplification purposes, just about all general-purpose public
computers will boot up to a menu program. There are three fruitful programming
ideas the hacker can employ with these:

• altering the menu,
• altering the menu program, or
• creating your own simulation of the menuing system.
Menu programs will have a menu-editing option. This allows the people who maintain the computers to create menu categories such as "Business Programs," "Word Processing," and the like, and to add and edit the programs available for public use. The way to work menus to your advantage is to use the editing feature to add or change an option that will appear to be taking the user into an area where a password is required. However, what the menu will really do is take that user to a program that you wrote, that simulates an environment the user is familiar with. The user innocently enters his user ID and password (which your program stores), then an error message is given and the user is returned to the menu. Later, you can go to where the computer hid the passwords and IDs, and retrieve them for your personal use.
The first question is, how does one edit the menu?
The menu-editing feature may be part of a secondary program, such as INSTALL.EXE or SETUP.EXE. You may also be able to do editing directly from the menu program itself, by pushing a function key or control code.
Problems start arising because you were not meant to be able to change the menu setup on publicly available computers. The menu-editing feature may have been eliminated once the menu was set up, or a password might be required to do anything. Maybe you can re-install the program, recreating the present menu from scratch, while putting in your own additions (to be discussed soon, hold your horses!).
Alternately, you might be able to use a text editor or superzap program to change the file where menu information is stored. If you start getting error messages when you try to change the file, the ATTRIB command might have been used to "lock" the file. Just type "attrib filename -r" to unlock it (on MS-DOS systems).
The way these menu programs work is, the person doing the editing must supply a short phrase that will be displayed on the screen. He then must choose a file to be executed when that phrase is selected, possibly providing a drive path, and other information.
Suppose you want to infiltrate a university computer system. Your initial target is a
public computer with word processing, spreadsheet and telecommunications
abilities. When someone sits down and selects "Telecommunications" from the
menu, he or she is either connected to a host server, or asked which computer he
or she would like to connect to. Then the connection is made.
That's what it's going to look like is happening. What actually happened was that
when the user pressed "T" for "Telecommunications," the menu ran a program that
you snuck onto the system, instead of actually connecting to the network.
The program you put on should look like it's doing whatever normally happens
when someone selects "Telecommunications." For example, it might prompt for
which computer the user wants to connect with, and then pretend to connect to
that computer. Your program then presents the name and password prompts, and
saves those lovely words to disk!
Next, you can have the program give an error message and return the user to the
main menu, but that looks suspicious and will cause the people in charge to take a
closer look at their computer setup.
You'll be better off having your little simulation program being called from a batch
file. When it's through executing, have the next step in the batch make a real
connection to the system. It might be possible to have the batch file feed in the
name and password the user entered, thus eliminating any trace of weirdness.
Otherwise, have it print the standard "password not valid" message, and then
connect to the network.
In other situations, the "Telecommunications" option will bring the user to a
commercial terminal package such as ProComm Plus or SmartCom. Again, it is
easy to make your own fake version of one of these programs. But there is a catch.
When the user enters your fake terminal program, he will select a phone number from the list, and attempt to dial it. He will be awfully suspicious and confused if the speaker is on and yet no dialing sounds come out of it! (Remember, you somehow have to make the program appear to dial out, so you can then simulate the network that is called. Then the user will enter his password thinking he has actually accessed the network.)
The most reasonable way to solve this dilemma is to have the program give an exotic error message like:

Operating Error 2130: Line Noise Interference.
Shut off your speaker and try again.

Of course, this message should closely conform to the other error messages that the terminal program actually puts out.
Once the user shuts off the speaker, the program can then pretend to dial out, and give the standard login screen for that network. The name and password are taken and quietly stored to disk, and then an error message is given and the user is logged off.
You may want to have the computer just put a lot of garbage and random characters on the screen after the name and password are entered. Make it look realistic - like the kind of line noise that we've all gotten at one time or another - but make it excessive. The user will be forced to log off almost immediately. If he doesn't, or if he tries doing anything, just have the computer display the standard "Logged off. Good-bye!" message. It may be possible at that point to have the computer load the real terminal program, so it will look like nothing very unusual has occurred.
It is unusual to find commercial terminal packages on public computers, mostly because that would lead to people coming in and placing calls to halfway around the world. But offices and businesses might have them, so consider these ideas when you think about hacking on-site.
Let's go back to the menu program.
The menu program might not be a commercially available one. It might have been designed in-house, or in an interpreted language such as BASIC, or for some other reason the source might be readily adjustable. The program might be just a batch file.
If any of these are the case, you will be able to effortlessly change the menu program itself, either by building subroutines that store names and passwords, or by adding a telecommunications option if one is lacking.
The final variation on the menu ploy is to compose a simulation of the menu. That is, if you are not able to change the already-existing menu, you will have to write a program that looks like the established menu, but with your own embellishments on it.
It can take a while to replicate the menu program. If the menu uses pop-up windows you will have to write routines for screen dissolves, or program-in windows that explode open and implode to a close. You will have to carefully take note of screen colors and special characters displayed, how the actual program handles invalid data, and other peculiarities of the menu.
While the programming may be difficult, you are better off using your own menu because that will make it easier to hide the captured passwords and other goodies that are the goals of this project in the first place.

Hiding Your Goody Basket

All of the above menu methods, as well as many of the techniques explained earlier
regarding simulating network login sequences and capturing keystrokes, result in a
file being saved to disk. There are two things you have to worry about: That your
file will be discovered, and that your file will be read. Let's look at how we can
prevent both of these from occurring.
The thing is, since most of this takes place on public computers, anyone at all may
locate your precious files. This includes the people who run the computer labs,
those who fix the computers, other hackers, and the oh-so-curious general public.
It also includes the computer itself.
Most public computers you encounter will have a self-cleaning routine installed.
Weekly, monthly, or perhaps every night, the computers will have all their old data
files erased, to keep room on the drives for new material.
Most public word processing computers have notes attached that beg people to
bring their own disks on which to save their work, but there usually is a special
USERS directory, or some other area where anyone can save files.


The cleaning program is used to clear away old files from this directory. The program will often scan the rest of the drive, clearing away files that users have stored in other directories. Often on public computers you will see dozens of empty directories scattered about; usually these directories have human names to them. These are private directories that people made for themselves in the hopes that other users wouldn't read or delete their files - never realizing that their files would be deleted by the computer. Often the cleaning program is too dumb to recognize that the directory, too, should be deleted.
Before you put your altered menu program or whatever onto a public computer, you must do some experimenting to see what kind of cleaning system it has, if any. There's no sense in spending hours on a project only to have it erased soon after it's implemented.
If a cleaning program does exist on the computer, you should have it copied over, along with everything else, from your initial investigation of the computer. Take a look at the program; there will be plenty of ways to defeat it. The cleaner probably has a data file that holds information on which directories it should examine, what should be done with the outdated files it detects, what calendar date constitutes "oldness," and other pertinent variables. You may be able to use this file to your advantage by adjusting it so that your own special directory or program will be ignored by the cleaner.
If the computer activates the cleaning program automatically, your explorations might lead you to find the trigger that sets it off and causes it to delete certain files and not others. For example, the cleaning program could be connected with a logoff function, so that before the computers are shut down for the night, the drives are scanned and unwanted files are removed. The cleaner could also be activated as part of a start-up routine, or a regularly performed maintenance check. In any case, a careful exploration of the files on the system will reveal the pattern they follow. Once you find the program that sets the cleaner off, you will be able to make alterations to your own file so that it is ignored, rather than deleted.
Often the cleaning program is an all-or-nothing monster that wipes out everything in its path as it crosses the hard drive. However, there are considerate versions that only delete old files. You can get around these gentler kinds by writing a simple program. Here is an example of an MS-DOS batch file that changes the date of your hidden goody basket in the example (a text file called "filename") to one far in the future. Append this batch file to the end of the AUTOEXEC.BAT, or to the point in the system's maintenance routines directly before the cleaner is activated. Your file will never be erased.

@echo off
ctty nul
rem capture the current date so it can be restored at the end
date < command1 > temp
edlin temp < command2
rem set the clock far ahead, then re-save each file under the new date
date 12-31-1999
edlin filename < command3
edlin command1 < command3
edlin command2 < command3
edlin command3 < command3
rem restore the real date and remove the leftovers
date < temp
del *.bak
del temp.*
ctty con

For this to work, you need to make up three auxiliary files. Here we are calling them "command1," "command2," and "command3," but you would want to name them something more innocuous. "Command1" contains a single carriage return (Control-M). "Command3" is a file containing only the letter e. "Command2" is a bit longer:

2d
1rCurrent date is
1rSun
1rMon
1rTue
1rWed
1rThu
1rFri
1rSat
e


The batch file works by using the "date" command to change the date to December 31, 1999. EDLIN is invoked to save the password file (containing the goods), and the three auxiliary files, under this new date to protect them. Finally, the date is returned to normal. Note that MS-DOS can be set up to display the date under various formats. You might have to alter the batch file and "Command2" if your target computer is set up in an irregular way. Also, realize that "temp" is a common filename. You would do best to use something exotic in your own program.
AUTOEXEC.BAT files get changed often, and a batch file like this sample is bound to be noticed by the maintenance staff. To keep your coding discreet you may want to keep this and similar batches in a separate file far away on the hard drive from the AUTOEXEC.BAT. At the point in the AUTOEXEC where your Trojan batch would have been executed, you can use the DOS "call" command ("call BATCH.BAT" will execute your Trojan and, once it's done, return to the AUTOEXEC batch file). Your batch file can be suitably camouflaged as described below, and there is now only one imposter line in the AUTOEXEC batch for a maintenance worker to notice.
Also remember that under certain operating systems, such as MS-DOS, the "ATTRIB" command can be used to make filenames invisible in the directory listing ("attrib FILENAME +h" turns on the hide factor). ATTRIBing a filename is not really secure, as there are many ways someone can either accidentally or purposely find out about invisible files on a hard drive. But eliminating the name from the directory certainly does much to halt casual discovery of your Trojan files.
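As an added example (not the book's code), the following Python audit shows what a lab maintainer would check to catch the three hiding tricks just described: files whose modification time lies in the future, files carrying the hidden attribute, and an unexpected "call" line in AUTOEXEC.BAT. The directory contents, the sample AUTOEXEC.BAT and the baseline of known batch files are constructed; the date is pushed five years ahead rather than to 12-31-1999, which is now in the past.

```python
"""Audit a public PC's drive for the hiding tricks described above: files
re-dated into the future, files with the hidden attribute, and an unexpected
CALL line slipped into AUTOEXEC.BAT. Added example, not from the book."""
import os
import stat
import tempfile
import time
from pathlib import Path

FIVE_YEARS = 5 * 365 * 86400
HIDDEN_FLAG = stat.FILE_ATTRIBUTE_HIDDEN  # 0x2; os.stat() reports it on Windows only


def is_hidden(path: Path) -> bool:
    """Hidden either by the DOS/Windows attribute or by a leading-dot name."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & HIDDEN_FLAG)


def audit_tree(root, now=None, skew=86400):
    """Walk `root`; return {relative_path: [reasons]} for every suspicious entry.
    A modification time more than `skew` seconds ahead of `now` cannot come
    from normal use and is exactly what the date-changer batch leaves behind."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        reasons = []
        if path.stat().st_mtime > now + skew:
            reasons.append("future-mtime")
        if is_hidden(path):
            reasons.append("hidden")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def audit_autoexec(text, expected_calls):
    """Return (line number, line) for each CALL whose target is not in the
    baseline set of batch files the administrator knows about."""
    expected = {c.upper() for c in expected_calls}
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.strip().split()
        if words and words[0].lower() == "call":
            target = words[1].upper() if len(words) > 1 else ""
            if target not in expected:
                flagged.append((lineno, line.strip()))
    return flagged


# Constructed sample AUTOEXEC.BAT: line 4 is the single "imposter line".
SAMPLE_AUTOEXEC = """@echo off
path c:\\dos;c:\\wp51
call c:\\menu\\menu.bat
call c:\\wp51\\afgrab4.bat
"""
KNOWN_CALLS = {"c:\\menu\\menu.bat"}  # constructed baseline


def demo():
    """Build a throwaway directory with one clean file, one future-dated file
    and one hidden file, then run both audits. Returns (tree, autoexec) findings."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "NORMAL.TXT").write_text("report draft\n")
        stash = root / "AFGRAB4.OVL"            # camouflaged as a spreadsheet overlay
        stash.write_text("96 90 86 97\n")
        os.utime(stash, (now + FIVE_YEARS, now + FIVE_YEARS))  # the date-changer's effect
        (root / ".stash").write_text("")        # hidden by name (attribute on Windows)
        tree = audit_tree(root, now)
    autoexec = audit_autoexec(SAMPLE_AUTOEXEC, KNOWN_CALLS)
    return tree, autoexec


if __name__ == "__main__":
    for item in demo():
        print(item)
```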

Things To Watch Out For

I'm going to list a few things to be careful of when you implement a program of this kind. My remarks will be directed toward this program in particular, but they are far-ranging enough to be applicable to just about any program like this that you hide on a system.
First, make sure EDLIN is there, as well as DEBUG, TREE and other external DOS commands. They may not be available on the computer you are using, and you can end up with a mess on your hands, and discovery of your intentions. When you attempt to copy these files you may find that the DOS directory has been write protected. In that case you may have to put the necessary commands in an alternative directory. This might expose them to the ravages of the clean-up program. If the cleaner does delete these external commands you will have to figure out some solution to get them onto the disk and protect them from the cleaner. This batch only works on text files - EDLIN will mess up binary files.
Second, you will have to make sure beforehand that the DOS directory is in the PATH. What that means is, for a particular file to be executable, it must either be located in the current directory, or in a directory that has been predefined (usually by AUTOEXEC.BAT) as a place for the operating system to look for files to execute. This is no problem of course - just add a PATH or CD statement before the first EDLIN - but it is something you could easily overlook, especially if you had to add the special commands yourself to an unusual or unfamiliar directory.
Also notice before installing any programs: will there be enough space on the disk? Enough memory? Does the program try to create the temp file in a locked directory? (If so, open temp in a USERS directory, or some other writable one.) Does a file named "temp" already exist? How about "Command1," "Command2" and "Command3"?
There are alternate ways to use this program. Instead of having the date-changer execute before the clean-up program, it could be run every time the password file gets updated. It takes a few seconds to run, though, and that time might be enough to noticeably slow down the user's application program. Recall that this program is meant to be used in conjunction with some sort of Trojan horse you've installed; the horse itself will slow down the computer somewhat already, and the combination of the two programs might be too much to go unnoticed.
The clean-up program might use some other criteria which helps it decide which files to save and which to throw away. You will have to use similar programming techniques to thwart its advances accordingly.
If there is no special clean-up program, the hard drive will be cleaned by an actual
human being. That human being might not be clever enough to look outside the
designated USERS directory for files, but you have to act as if that person is as
clever as you. Anyhow, you never know who else is using a public computer, so
you will have to take measures to hide your precious password files from view.
Here are a few suggestions:
Change the hidden-file attribute so that it is not listed in the directory.
Place it in an obscure directory or in an unreachable one. Try this experiment. Put the following commands into a batch file:
:Start
mkdir dir
cd dir
goto Start

and then execute it from the root directory. After sixteen nested directories named "dir" are created you will get an error message. Press Control-C and look at what has been created. You will find that within the innermost directory it is impossible to make any more directories - there's a limit to what the computer has been programmed to handle. However, you can use a disk management utility or your own system calls to prune and graft many more directories inside the deepest one. Those grafted directories will be impossible to see or access from the DOS shell. If the clean-up program uses the DOS command TREE to scan all the directories, it will crash or freeze once it gets to those illegally nested directories you put there. You don't want that to happen: that would lead to discovery of your secret files hidden within that directory. Accordingly, this trick requires that you have the programming prowess to write prune-and-graft programs on your own. Your Trojan horse would have to be able to move the data file from its protected position, then back again afterward.


One thing you are certainly DOS-sophisticated enough to handle is to camouflage
the files you want to protect within their directories. DON'T use

87

filenames like SECRET.PSW or HACKER.HA! Use a bit of creativity when naming
them. Go into one of the applications directories and see if there are any patterns
to file namings. If you see for example, that a spreadsheet has files named
AFGRABL.OVL, AFGRAB2.OVL, AFGRAB3.OVL, then name your files AFGRAB4.OVL,
AFGRAB5.OVL, etc. Do you think anyone will bother to look at them then? You
might want to split up the files, putting each in a separate directory; don't forget to
specify the proper drive paths in the batch file that uses these files.
Trojan horses on public access computers can be an excellent way to slowly-but-surely
collect passwords for your enjoyment. However, all will be for naught if,
when you come back the next day to see what you've reaped, all of your files are
gone. Protect yourself, and your handiwork.
Keep in mind as you read about these special programming tricks, that I'm not
implying you should actually sit out in the open and edit menus or sift through files
looking for passwords. Never do that! You must always first make a preliminary
examination of the computer as I described earlier. You will have already copied
over the important and unusual files - in this initial exploration of the computer -
and you should have the entire menu program at your disposal. At home and at
your leisure, you can write the programs necessary for this kind of hacker attack.
Then, once you've finished the programming and editing required, you can go back
for a second session at the public computer, this time secretly installing your
mutated versions of their programs onto the system. This reduces the amount of
time you will have to spend in a public place doing questionable things to somebody
else's computer. It also reduces the chance of error in the things you do.
You must be especially careful with computers that are meant to be used only for
short periods of time. Guest registers, as described earlier, are used for the few
moments it takes for a person to enter his or her name and identification number.
You will look extremely suspicious fiddling around there for forty minutes, taking
notes and inserting disks.
It is not the other users you have to be wary of: they couldn't care less about you,
and if anything, will probably mistake you for someone who works in the building.
Depending on where you are, you
might not even have to worry about being caught by the office or lab managers,
computer aides, or whatever the official designation is for the people in charge. If
it's a college computer lab being monitored by one or two students, they might be
curious, but won't pry as long as you don't stay longer than you're supposed to at
the computers. It is almost never a good idea to come right out and admit you are
snooping around for the express purpose of gathering data to be used in hacking. A
comment such as, "Oh, I just wanted to see how they did this batch file," or some
other appropriate explanation, is a good enough excuse for most such people.
Some computers are public; many more are private. That is the topic of the next
chapter.


Chapter Eight:
On-Site Hacking:
The Trespasser-Hacker



In the previous section we discussed methods of exploring publicly available
computers, but there is another side to on-site hacking. It is one that you might
think would be best left to spies and thieves, but one that you can actually
participate in yourself. I'm referring to the on-site hacking of, not public
computers, but private ones. Basically, I'm referring to trespassing.
It is risky and possibly dangerous to walk into a company headquarters and simply
start using the computers you find there. But it's also thrilling! It is an electrifying
experience to first maneuver one's way into a restricted place and then, while
there, to explore both the building itself and its computer system.
Sometimes, on-site hacking is a necessity. In many situations, computers will not
be connected to outside phone lines. More secure setups might use some facet of
the hardware to validate authenticity. You might have to use a particular kind of
terminal or modem, or install a certain security chip to access the system. In these
cases you would have to hack on premises. Furthermore, reverse social
engineering often requires admission to the computing site. Hacking is about
computers; there are lots of reasons why a hacker will need to be able to touch and
see those computers in person.
You might think it would be virtually impossible to do this, but more often than not
it can be an easy thing to do. For example, security expert Robert Farr, in his book
The Electronic Criminals, explains how he penetrated the "heavily guarded company
headquarters... [of] ... a well-known office machine company" to win a bet. Farr
also tells an anecdote of his entry into a vault at the Bank of England: "There I was
standing inside a vault containing millions of dollars with a bewildered look on my
face, wondering what to do next."
Farr did it with prethought, planning, and sometimes blundering. You can do it too.
In some ways it is easier to enter large organizations like this than the local
insurance office or small business. Wherever you go, you will often have cameras,
guards and possibly biometric devices (see below) to deal with. All of these
can make it tough for a hacker to get close enough to even touch a computer on site,
let alone infiltrate it.

Closed-Circuit Television

My home computer broke a little after 5:00 p.m. one night. I called up the store
where I bought it, trying to reach the service and repair department. Nobody
answered the phone. Finally I spoke with someone in the computer department
who assured me that people would be in the store until 9:00 p.m. to deal with my
broken computer. So I drove over there, lugged my computer downstairs to the
repair department and - guess what? The place was empty.
The door was open and unlocked, the lights were on, thousands of dollars worth of
broken appliances were lying around, and there were two of the store's terminals up
and running. All I had to do was step behind the counter and I'd be able to see
what made them tick. But surely someone was there? I yelled for assistance. I
rang the bell. I walked behind the counter and into the back areas of the shop.
The place was absolutely devoid of life. And there were those two terminals
there....


The only thing that stopped me from fooling around with them were the hidden
security cameras I spotted. Now, as it turns out, I did some checking around the
store until I managed to find a room that appeared to house the viewing monitors
associated with the store's security cameras. Naturally no one was paying any
attention to them, so I went back downstairs, closed the door behind me, and had
my way with those terminals. Even though the monitors were not being watched, it
was good that I had seen those hidden security cameras. You, too, should be wary
of such things when you attempt to hack on private property.
The correct terminology for security cameras is Closed-Circuit Television, or CCTV.
Both black & white and color transmissions can be sent over privately owned
cables from distances of a few feet to hundreds of miles. Usually black & white is
used, as it is less expensive and color is generally an unneeded feature. No
licensing is required for most private CCTV installations, so given the relative
cheapness of the technology, such security measures can be found in many
settings.
The cameras employed may be either openly visible or hidden (as my department
store cameras were). Another approach is to place an empty camera frame in an
obvious location, while hiding an actual camera in an unusual spot. A trespasser
will then cringe from the dummy camera, straight into view of the well-placed real
camera. Dummy cameras may also be used to give a false sense of high-security,
when in reality only a few, or maybe no security precautions are in place. If you
see some cameras visibly panning back and forth, but one or two remaining
stationary, it is likely those motionless ones are either broken or fake.
Many cameras, especially ones used out-of-doors, will be contained in some sort of
housing. This housing may be a conventional metal box, or one more suited for
covert surveillance. For example, cameras are often placed in housings made to
resemble a light fixture, smoke detector, loudspeaker, or utility box. Cameras may
also be placed behind grillwork, pipes, or a one-way mirror, or hung from the
ceiling inside a translucent plastic dome.
If you are trespassing you must be aware that hidden cameras exist, but you
shouldn't necessarily try to seek them out. After all, you don't want to give a
camera a full-frontal shot of your face and body. You're better off, when walking
where you oughtn't, to walk tall and proud, but don't stare at the corners or ceilings
of rooms. If a shape protrudes from a wall or ceiling, pay it no mind - it won't do
you any good to stare.
Note that many surveillance systems are not all that great. Images picked up may
be fuzzy, dark, full of shadows, and generally hard to see. Others, however, give
perfect views of a point or an area within the camera's range. Concealing a camera
may hinder its usefulness. Placing a concealing grillwork in front of a camera will
result in a loss of detail in the images the camera picks up. Hidden cameras are
more likely to be stationary and focused on a single point, such as an entrance or
exit, or a particular point in a hallway.
You often see cameras outside buildings, near rooftops or over doorways. These
will be protected from the elements with suitable housings, sun-shields, fans,
wipers, and/or defoggers. Outdoor cameras are often contained in a white or
aluminum housing with vents on the sides. If they are outside, they will have
night viewing capabilities, and so you may be detected even before you enter the
building. I remember walking across the lawn
of a Johnson & Johnson building one rainy night, and as I got closer to the building,
I looked up to see two guards with their faces pressed against the glass, staring at
me.
If you absolutely must trespass a building or its property to get to its computers,
try to go at night during a thunderstorm. Visibility will be poor, you can use your
umbrella as a face-shield, and if you get chased away they will be reluctant to
chase you very far.


Biometric Systems

Controls based on personal characteristics are the ultimate in computer access
control -when they work properly. Known as biometric systems, these devices
limit access to a computer or the computer room by verifying physical attributes of
a person. A biometric system may look at any one of these individual traits to
verify user identity: fingerprints, voiceprint, handwritten signature, palm print,
hand geometry, or retinal patterns.
Biometric systems are costly to implement, but they are not always as accurate as
television would have one believe. For example, a legitimate user's voiceprint may
be rejected because of a change in voice pattern or voice speed due to illness or
stress, or because of interference from outside noises. One system I tested would
occasionally offer responses to the noise my finger made as it scratched the microphone!
Similarly, finger and palm print technology can be thrown for a loop due to cuts and
scratches on the hand, dirt on the hands, bandages and blisters, or scrapes in the
glass tray on which a user places his finger or palm for scanning. Signature and
handwriting analysis systems sometimes fail to pick up nuances in pressure, style
and velocity; people do not always write their names the same way every day. I
imagine this would be especially true for someone rushing into the computer room
to print out a report three hours past deadline. Hand injuries could also make a
person's signature look different.
Hand geometry devices - those which measure the length and translucency of
fingers - don't seem to have much going against them, although again a Band Aid
or scraped machine tray could easily cause the rejection of an otherwise legitimate
system user. Finally there are retinal pattern recognition systems, which look at
the pattern composed by blood vessels in the eyes. These too have been shown to
be reliable in their acceptance/rejection rates when user complicity is high.
I point out the flaws in these systems so you will get a feeling for what it must be
like to work in a building where you're required to get your eyeballs scanned every
time you want to walk through a door. Or imagine being in a place where you have
to speak foolishly aloud to switch on the computer. The first few times it may be
seen as a novelty, but soon these gadgets become another ho-hum part of office
life. Add to that the time delays these devices cause, the frustration when they
don't work properly, the feeling of subservience that comes from having to remove
gloves and glasses, speak distinctly into a microphone, present a clean hand, or
hold one's face immobile, and you will find a bunch of people who - even under the
strictest of security conditions - are sick of the whole damn thing!
Unless there is some incentive for workers to use these biometric devices -for
example if their time cards will be punched depending on the time they register in,
or if their actions are being monitored by guards - unless there is a motivation to
follow the rules, you know very well that everyone is going to try their hardest to
break them. People like showing how friendly they are. People like to show that
they are not a part of the stupid bureaucracy that runs the place - they like
holding doors open for others, even for strangers. They don't mind allowing others
to use their own clearance to gain access to a room. Nobody wants to look like she
is so caught up in protocol that she has ceased being a human being! And after a
while, people don't like that their humanness has been reduced to a digitized picture
of their thumbs, or the snaky red rivers in their eyes.
So, you will sometimes find these costly machines turned off and unplugged.
You'll find garbage cans placed in the doorways to prevent them from shutting
anyone out. You will find helpful, smiling personnel who will open doors for you and
hold doors open behind them to let you through -even when they've never seen you
before in their lives.

Look what has happened here, and what does happen: the most effective way of
ensuring user legitimacy is overthrown by the users themselves. Well, that's good
for you, the hacker. Don't abuse the access that has been offered you by being
malicious in your explorations of the facilities you find laid out before you.

Always A Way

Think about the enormous amount of power government possesses over us. Think
of the billions of dollars it can spend to pry into our lives, to photograph us, record
our movements and our daily activities. Think of all the expertise available to such
a powerful entity. Anything that government - or big business, or anyone in power
for that matter -wants to know about, wants to happen, or wants to change, will
become known to it, will happen, or will be changed.
When we start to think about all the covert actions going on around us, and all the
myriad ways in which we don't even know we are being manipulated or spied
upon, we begin to think of government agencies as unbreakable, unstoppable...
unhackable. And even if we think we have a chance at hacking it, we know we will
end up in prison.
But all of that is simply untrue!
Government agencies are limited in what they can do and in what they know. You
only have to look as far back as Operation Sun Devil a few years ago, when Steve
Jackson got his games taken away because they were thought to be a menace to
society. Sure, the Secret Service and the FBI may be powerful, but maybe they
are feeble-minded too.
We read about all these scary spy gadgets that have been developed that can read
our lives like a README.DOC. We hear about the "impenetrable" government
computer systems that have been set up, and we are scared away because they
sound so hermetically protected. For example, we know that any transmission of
an interesting nature has a 100% chance of being intercepted. Therefore, all those
spy guys in Washington have set up ultra-secure network links in an effort to
protect their valuable secrets. Their most safeguarded lines are fiber-optic cables
buried deep below the surface of the earth and sealed in gas-filled pipes. These are
strictly isolated systems -no connections to outside phones or computers, so no
hackers can gain access by dialing in. Even if a hacker were to discover where the
(unmarked) underground lines are, and even if that hacker were to manage to dig
down undetected, and cut open the pipe to tap the cable, the drop in gas pressure
instantly sounds an alarm.
This is heavy protection, and sounds like it would be impossible to hack, especially
when you realize that even if there were some way to get at those lines, you still
need various levels of permissions, passwords and access codes to reach the
highest and most secret classifications of data.
But think again. Never forget that behind every complicated system, is nothing
more than some human beings. And what are human beings if not fallible? In the
case of this seemingly impenetrable system, we can imagine the humans who sit
night after peaceful night, watching their TV monitors, waiting for the alarm to
sound that signals a breach. They're probably asleep more often than awake,
especially if the temperature and humidity is high in their work area. If ever the
alarm did sound, they probably would ignore it, or wouldn't know what to do. Or
they would take a quick look out the window and go back to sleep.
Even if the guards did go out and check the wires to make sure everything was
okay, do you think they would continue checking them after five or six false
alarms? "The boy who cried wolf" trick always works, especially on a dark and
stormy night. No guard is going to go out sloshing through the mud and rain to
investigate an intruder he knows won't be there. There is always a way. Don't be
fooled by first appearances.
And here are some more ways you can beat the security:

Acting For The On-Site Hack

On-site hacking requires some acting ability -the ability to act like you have a valid
reason for being where you shouldn't be and undertaking questionable activities
while there. There's nothing difficult about this -just pretend you own the place.
Strut down the center of hallways holding your head high. Smile and say hello to
the people you pass. I learned this trick in school, where we needed hall passes
while classes were in session if
we wanted to leave the classroom. All throughout junior and senior high, I never
got stopped once by a teacher or hall monitor for not being in class, simply because
I acted as if I was on some official mission for the principal. (It helped that I was a
"good kid.")
So do your best to keep your cool. Have a reasonable story prepared in case you
are stopped and questioned, and try to tell it without fumbling for words. Here's a
hint to help you do that.
After rehearsing a story in your head for the umpteenth time and finally repeating it
aloud to a security guard, the quickness with which words come to your mouth may
seem to you to be too well-prepared, too fake to your ears, and you start throwing
in "uhhmm"s and "uhhhhh"s to slow yourself down. Don't do that - it sounds really
bad and it takes away from your credibility and sincerity. Talk at a normal pace.
Say your prepared script without worrying if it sounds fake. And throw in some
company insider lingo or gibberish to give yourself an extra believability edge.

Piggybacking

There are two kinds of piggybacking. Electronic piggybacking is dialing up a
computer and finding yourself connected to the account of the last person who
logged off. Physical piggybacking is using another person's access to gain entry to
a computer or computer room.
One way of getting in at hospitals, offices and other buildings which require the
insertion of a magnetic card to gain access is to stand around and wait for someone
with access to open the door for you. Many offices stay open late at night and on
weekends, for people who need to come in to clean or work overtime. I especially
like going into big office buildings on Sundays. Just wait around outside until you
see a car pull up, then time yourself so you will be behind the employee as he or
she heads toward the door. Let the person unlock the door and hold it open for
you. If you can get in, the whole building is yours for the asking. There may not
even be a maintenance crew around to get in your way.
The thing is, though, you have to plan ahead to be successful at this and not arouse
suspicion. If you're going to try piggybacking your way into an office building,
dress like an office worker. Perhaps carry a briefcase or a lunch bag.
I know these things are possible because I have done them. I spent last week at
the regional headquarters of a large bank, doing temporary work for them. From
the moment I drove into the parking garage I was inundated with all sorts of
warnings about security measures. First there were the signs hanging up in the
parking garage about how my car would be towed if I parked there without a
hangtag. A guard was sitting in a little booth near the entrance of the place. I
went over and explained to him that I was a temp worker and I didn't have a
hangtag. He told me not to worry about it, that they don't really tow cars unless
there is some problem with them, like if they are double parked.
Then I went into the building, up to the seventeenth floor, and came out of the
elevator facing a locked door that required a magnetic card to get in. A sign
informed me that I was supposed to buzz the receptionist and have her open the
door for me, but there was no receptionist sitting at the desk. I waited a few
moments until an office worker approached the door from the other side, held it
open for me, then went on his way.
The entire week I got in and out of the office without a security card, and in fact
later on I even found a concealed door that allowed entrance to the same offices,
without a key or card of any kind.
So you see, piggybacking - the use of another's legitimate access to gain entry into
a building or computer - is an on-site hacker's best friend!

Other Successful Tricks & Antics

There have been hackers (and thieves and spies) who dress as one of the
maintenance crew to get into a place and get closer to the computers there. Grab
yourself a ladder and a can of paint, and see if there's any work you can pretend to
be doing. This sort of impersonation works best in large companies where no one
will question you, because everyone assumes you're there because someone else
wants you there. As long as you act like you belong, you will be accepted.
One hacker/spy completely re-wallpapered the employee lounge while learning
codes, names, and procedures over a five day period. You may not have the
stamina or the patience to invest in a
scheme such as this, but similar actions can be worked effectively on a smaller
scale. Besides, you may find that you're suited to being a delivery boy or sandwich
girl for a few days.
You can gain access to dozens of offices by signing up at a few temporary agencies.
Then, even if the jobs you are assigned don't take you near a computer you will be
able to later use your temping as justification for a return visit to the site. That is,
you wouldn't necessarily come out and tell people you're there on another
temporary assignment - you would let them think it, meanwhile roaming freely
around the building.
Cubicles are great -I love cubicles! Because once you're in one of those gigantic
gray ice-tray rooms, you have the entire area to explore: no locked doors and lots
of corners to hide behind. If you ever trespass into an office of cubicles, you can
roam from one cube to the next, finding passwords taped to ink blotters and stuck
to walls. You can find pictures of kids, people's names, hobbies, etc., from which to
guess more passwords. You can easily eavesdrop and find out inside dope on
people, as well as shoulder surf with ease. Yes, to a hacker, those yucky gray
cubicles can be wonderful!
Sometimes you will be trying helplessly to hack an on-site computer, but for
whatever reason the data you type refuses to be entered. Note that on some
terminals (or computers), non-standard data entry keys are used. Thus, instead of
pressing Return or Enter following a command, you type F1, or Home, or Insert. I
know, it's crazy, but I've seen it.
On-site hacking doesn't only have to imply the hacking of computers behind closed
doors. In airports one can often find unattended terminals. Step behind the
counter and you can hack until you're chased away.
Before concluding this section on the hacking of private and on-site computers, I
want to touch on an area that is connected to the subject by a tenuous thread.

Electronic Passive Computing

I don't like to use the term, but active computer hacking can be thought of as a
"sport," or a game that is to be won by the hacker. That's the way many hackers
view this activity of hacking - as an intellectual exercise in which the hacker tries to
out-think either the computer, the user, the Goliath corporation, or the computer
designer.
Passive computing, or "lounging," is like watching a sporting event on television,
rather than going out to the field and playing the game yourself. Passive
computing is the act of eavesdropping -monitoring computer usage and
surreptitiously collecting the information that is transferred.
In seventh grade I was amazed, the first day of my intro to computers class, when
the teacher told us that each of our Apple computers was connected to his. Thus,
by a flick of a switch he could send any of our screens to his computer monitor, to
make sure we did the work we were assigned and didn't goof off. He was screening
our screens! Some paranoid bosses do just that to their employees today, to make
sure they do the work they're assigned.
Actually, it's no great technological feat to connect two or more monitors to the
same computer and switch between them. If you have access to the computer your
target will be using, you can attach an RF adapter to the back and secretly run the
cable to another monitor or television set. Then sit back and watch as what occurs
on your target's screen unfurls on yours. You won't get to see your target's
password, since it will be covered by asterisks, dots or spaces as it is typed - but
you can get other information this way. This is a good technique if your target has
a lot of encrypted files for which you don't have the key. Monitoring your target
like this will let you read whatever he reads; and if he decrypts his files, you get to
read them, too.
It may not be possible to sit down close to the target at your own monitor and
watch. You may have to attach a broadcaster to the RF connector, and listen from
outside the building with a receiver, which in turn is connected to a viewing
screen.


If you hook up a VCR to your monitor, you'll get a hard copy of your target's
activities. It may even be possible to directly connect the VCR to the computer
your target will be using. If you do so, it is best to have a remote way of turning
the VCR on and off, so you don't record while the computer is idle. If the target has
a regular schedule you can simply program the VCR to tape at a certain time.
There's no law saying all screen output has to go to a screen - if for some reason
you can't use any of the above techniques. An alternative is to
have information sent to a printer buffer. Make sure that either the printer is fast
or the buffer is large. Otherwise the target's computer will slow down tremendously
and he won't know why. Also, of course, the printer has to be located far away
from the target, preferably in another room or another building entirely.
As an example of one limited way in which this can be accomplished, consider the
"print from keyboard" option found on many word processors. "Print from
keyboard" causes that several thousand dollar machine to act like any old junky
typewriter, printing characters directly as they are typed on the keyboard.
While your target slips away from his word processor for a coffee break, you can
slip over and activate the "print from keyboard" feature. From then on, anything
further he types within the program will be sent to the printer. As I said, this is of
limited use, but it shows one more way that even impromptu situations can be
exploited by the computer-knowledgeable investigator.
By pressing "Shift-PrintScreen" on any DOS computer, the "print from keyboard"
mode will be activated. However, if the printer is not ready, the system may hang
up.
As an example of passive computing which is really very active, in that hacking is
required, it might be reasonable to log on to a network and use programming to
direct the target's output to your own terminal. If you have the target's password,
the host computer would have to be tricked into allowing the same user to be
logged on twice simultaneously. Additional programming might be required if the
computer refuses to send the target's output to your screen, or if the target is
getting your output.
If you have a password other than the target's, some programming could send the
target's screen to yours, or yours to the target's (if you want to get into
simulation). On UNIX systems, you would be thinking in terms of altering already
existing programs such as TALK or WRITE to get the job done. These two
programs induce a link between two separate accounts. Any time two accounts are
joined, there is a potential for misuse of that linkage. But these programs are
written with security in mind; the hacker's job is to rewrite the programs,
eliminating the security measures.
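As an added example that is not from the book, here is the check a system administrator would run for the condition the two preceding paragraphs depend on: one account holding two simultaneous sessions on different terminals. The log format, user names and terminal names are constructed for the example; a real system would feed this from its wtmp or auth records.

```python
"""Added example (not from the book): flag one account logged on twice at once.

Parses constructed login/logout records into sessions, then reports every pair of
sessions belonging to the same user on different terminals whose time ranges
overlap, which is the precondition for one session sharing another's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data): timestamp, event, user, terminal.
SAMPLE_LOG = """\
2024-03-04 08:55 login  jsmith  tty3
2024-03-04 09:02 login  mwong   tty5
2024-03-04 09:10 login  jsmith  ttyp1
2024-03-04 09:40 logout jsmith  tty3
2024-03-04 10:15 logout jsmith  ttyp1
2024-03-04 11:00 logout mwong   tty5
2024-03-04 13:00 login  mwong   tty5
2024-03-04 14:30 logout mwong   tty5
2024-03-04 14:31 login  mwong   tty6
"""


def parse_sessions(text):
    """Turn login/logout lines into per-user lists of (tty, start, end).

    A session with no logout yet has end=None and counts as still open.
    """
    open_sessions = {}            # (user, tty) -> login time
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines rather than abort the audit
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
        event, user, tty = parts[2:5]
        if event == "login":
            open_sessions[(user, tty)] = stamp
        elif event == "logout" and (user, tty) in open_sessions:
            start = open_sessions.pop((user, tty))
            sessions[user].append((tty, start, stamp))
    for (user, tty), start in open_sessions.items():
        sessions[user].append((tty, start, None))
    return sessions


def concurrent_logins(sessions):
    """Return (user, tty_a, tty_b, overlap_start) for each overlapping pair of
    sessions of the same user on different terminals."""
    findings = []
    for user, sess in sessions.items():
        ordered = sorted(sess, key=lambda s: s[1])   # by login time
        for i, (tty_a, start_a, end_a) in enumerate(ordered):
            for tty_b, start_b, end_b in ordered[i + 1:]:
                if tty_a == tty_b:
                    continue
                # The later session overlaps if it starts before the earlier ends,
                # or if the earlier one never ended.
                if end_a is None or start_b < end_a:
                    findings.append((user, tty_a, tty_b, start_b))
    return findings


def audit(text=SAMPLE_LOG):
    """Parse the records and return the concurrent-login findings."""
    return concurrent_logins(parse_sessions(text))


if __name__ == "__main__":
    for user, a, b, when in audit():
        print(f"{user}: {a} and {b} both active from {when:%H:%M}")
```

On the sample records only jsmith is flagged (tty3 and ttyp1 overlap from 09:10); mwong's sessions are sequential and are not reported.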
Another option is to make use of monitoring software which is commercially
available - or write some yourself, to satisfy your own personal needs. Managers of
offices routinely spy on their secretaries, data entry clerks and other computer
operators through the use of software which stores key presses. Other monitoring
software keeps track of which programs are being used and how, often time-
stamping such information as well. Doing this form of research does not, as you
might at first think, necessitate going back to your target's computer to see what
keystrokes have been recorded. I hot-wired one such keystroke-capturing program
to print a weekly report to a hidden directory. When secretly installing the program
(visiting the site, posing as a confused user who had a virus-attacked disk that
needed repairs), I also altered the computer's startup file which executes upon
login. I altered it to look for that hidden report on certain days and e-mail it to me
through an unknowing third party. Now I get weekly reports on this one poor
system manager's every last keystroke!
I didn't think of it at the time, but it would've been a good idea to add a few lines to
the startup batch to look for the existence of a piece of mail from me containing a
few key words which would signal the program to remove all incriminating files and
program lines from the computer.
You might ask, "Why would you need such a thing -don't you have the guy's
password and everything from reading those weekly lists of his keystrokes? You
can delete the evidence yourself." Good question, and actually I do have his password,
but it took a long time to get it.
You see, the keystroke-capturer can only go into effect once the user has logged in
and the startup file is executed - by then there is no need to enter one's password.
(You can tell that even though I put a lot of thought into this hack, there were a lot
of things which I didn't ever consider before the actual results started coming in.
Hacking often involves making assumptions and then seeing how one's
assumptions were wrong.) It took awhile, but eventually I did get the password,
when the system manager invoked a second sub-shell within his logon.
Tapping the phone line or intercepting microwave transmissions are always open
options, or bugging the phone if the modem is coupled to it.
Then you get the added bonus of hearing the target's voice-phone conversations as
well. Printer, modem, monitor, and other computer cables can also be tapped to
good effect. One nice method is to tap the modem line, making a recording of any
modem calls that take place. You go home, call the number that the tapped
computer called, and play back the recording for the remote computer to hear.
Remember, the high-pitched squeals and cries in the recording you made will
include that lawful user's access codes. Your goal will be to synchro-nize the
playing of the recording with the remote computer's prompting. If you can get it
right, you get yourself in.
You know, once someone gets their computer all plugged in and set up, it is only on
very rare occasions that they ever look at the backside or underneath it again,
especially since they probably have a messy tangle of cords running out the back,
an office cleaning staff to keep it dusted, and the back of the computer pushed
against a wall. That RF adapter or extra wire coming out will surely go unnoticed
for a long while.

Radiation Comprehension

If you like to watch television while you use your computer, you may have noticed
something funny happening when the channel is turned to certain stations. With
the computer on, channel two on my television is complete static, while channels 3
and 4 get decreasingly snowy. This happens when electromagnetic fields radiating
from my computer and cables are picked up by the television antenna. If I'm
watching channel 2, I can even make out a very fuzzy representation of what I see
on the computer screen.
There is a simple reason for this happening. The various components of a computer
- amplifiers, cables, the coupling between cables, the power supply to power line
coupling, switching transistors, the ground loop, internal wires, and even printed
circuit boards - all act as antennae to conduct electromagnetic radiation. The
components, cables and whatnot will not only pick up the radiation, but transmit it
as well, sometimes re-emitting it at some distance from the source equipment.
Nearby electrical wiring and metal pipes can further act as antennae.
Computers operate at radio frequencies and so they are also radio transmitters.
That's why the Federal Communications Commission must approve all computers
(and many other electronic appliances) before they can be sold in the United
States. The FCC wants to make sure those radio emissions aren't strong enough to
interfere with other licensed radio receivers (such as television sets). In fact, there
have been cases of unregistered computer monitors whose screens have been
picked up on the next-door-neighbor's television set. This sort of thing is more
likely to occur when the neighbor has a black and white television and the computer
has a composite monitor, because a black and white set can more easily adapt the
synchronization signals that it picks up from a composite monitor (especially if the
TV has an antenna amplifier attached).
When my television receives computer frequencies, it is doing so accidentally.
Imagine the consequences of someone setting out to purposely receive radiated
information. Indeed, such a thing is possible, and has been going on for quite some
time. For years the Department of Defense has stashed away its most hush-hush
computers and communications devices in copper-lined rooms to prevent radiation
leakage. They have also produced guidelines for a security standard called
TEMPEST (Transient Electromagnetic Pulse Emanation Standard) which defines
how military computers are to be constructed so that the radiation leaking from
them is minimal.
Special military computers might be well protected, but your run-of-the-mill PC or
terminal is not. The FCC ensures that equipment won't interfere with other
equipment; it makes no promises that equipment is safe from prying eyes. In fact,
those eyes don't even have to be at the scene of the crime. There is an electronic
marvel called the Van Eck device which picks up your favorite leaked radiation and
projects it onto a television screen. Hook up a VCR to the television and you've got
a living document of everything that goes on in your target's computer account.

Van Eck And Britton

In 1985 a group of Swedish engineers, led by one William "Wim" Van Eck,
presented a paper called "Electromagnetic Radiation from Video Display Units: An
Eavesdropping Risk?" at the Securicom Conference in Cannes. The paper, which
was published in Computers and Security 4, described how one could easily and
inexpensively convert a normal television set into a non-trespassing, passive
device to intercept and reconstruct the information from any digital device, most
notably computers. Scientist Don Britton had already gone public with a virtually
identical device in 1979, but it was the Van Eck paper that got people to sit up and
take notice.
We were talking before about how you could set up a radio receiver to pick up the
mess of signals coming from cables, wiring and circuit boards. This is possible,
yes, but you would end up with an unintelligible mishmash of signals. It would be
difficult to separate and decode the various signals - though not entirely impossible.
Doing so would enable you to determine what a distant computer was "thinking" as
those electrical pulses shot through its system.
"Pulses" is the key term here. We all know the story about how computers are
digital beasts, processing streams of ones and zeroes to create the fabulous
tapestries of color and sound that we get to appreciate every time we boot up a
copy of the latest Sierra game.
In reality, there aren't actually tiny 1s and 0s coursing through the wiring. What's
going on is a high or low electrical current passing through. We think of these high
and low currents as being 1s and 0s because it is convenient for us to imagine them
this way. Any electrical device is going to have radiation emissions. But only a
digital device, like a computer, will have pulses of high and low. Keep all this in
mind while we take a little side trip.
Computer screens operate on the pointillist school of display painting: what you see
as continuous shapes and lines on the screen is actually composed of thousands or
millions of tiny dots, called picture elements, or pixels for short. Each dot is a little
speck of some substance that glows (fluoresces) when energized, and the inside of
the screen is covered with the stuff.
Video control circuitry, located either within the monitor or plugged into the
computer, controls the position of an electron gun, which repeatedly scans the
screen top-to-bottom, firing an electron where appropriate to energize a bit of the
fluorescent substance. Light up the appropriate pixels and keep them lit, and you
end up with glowing dots that can combine to form the lines, characters, symbols
and graphics that make up our daily experience with visual computer output.
You may ask yourself, "Well, once a pixel is lit up, how do you darken it to clear
that portion of the screen?" The answer is simple. Hitting the phosphorescent
matter with an electron only produces a very brief burst of glow before extinguishing.
That's why the electron gun must systematically scan the entire screen sixty
times a second to constantly refresh the image appearing on it. If we wish to
cancel a pixel or series of pixels, we simply discontinue firing an electron at that
section of the screen.
Every time the beam fires we get a high voltage pulse of electromagnetic emission.
Britton's and Van Eck's idea was to simply use a television receiver to listen for
those bursts of high voltage as a monitor emits them, and have the television respond
by firing a pixel in the corresponding place on its own screen - thus ending
up with a display screen that exactly matches, pixel by pixel, that of the target
computer.
A good thing for a spy to have, huh?
The problem is that while a television can receive those bursts of high voltage,
it doesn't know what to do with them. There's nothing inherent to a high pulse
that signals where on the receiving television that pixel should go. <Actually, such
signals are readily available from the mishmash, because the originating monitor's
synchronization components also generate signals as they function. However, the
pulses are too weak to pick up from a distance.>
The Van Eck or Britton devices bestow this function upon any lowly TV receptor, by
producing an artificial synchronization signal. Two adjustable oscillators are used
to create the vertical (picture) and horizontal (line) synchronization. For technical
reasons, proper reception requires a constant re-tuning of the oscillators. This
could theoretically be done by hand, but this is the computer age: the signals are
mathematically combined and fed into a logic circuit which performs the job
automatically.
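The synchronization problem described above, as an added toy model that is not from the book and not from any Van Eck or Britton design: the bitmap, line length and frame size are constructed, and the "pulse stream" is simply the screen flattened in scan order with no timing information attached. The receiver has to supply its own line period; the right period reproduces the frame, a wrong period produces garbage, and a period that is only slightly off drifts further out of step with every line, which is the reason the text gives for the constant re-tuning of the oscillators.

```python
"""Toy model of raster reconstruction from a flat pulse stream.

Constructed example for illustration only. A CRT emits a burst for each lit
pixel as the beam scans left to right, top to bottom. A receiver that hears
only that stream must impose its own horizontal (line) and vertical (frame)
timing to put each pulse back where it belongs.
"""

# Constructed 8x6 bitmap standing in for a screen ("1" = lit pixel, "0" = dark).
SCREEN = [
    "11110000",
    "10001000",
    "10001000",
    "11110000",
    "10000000",
    "10000000",
]
LINE_LEN = len(SCREEN[0])   # true horizontal period, in pixel slots
FRAME_LINES = len(SCREEN)   # true vertical period, in lines


def emit_pulses(screen):
    """Flatten the screen the way a beam scan does: one slot per pixel,
    left to right, top to bottom. A lit pixel is a high pulse (1), a dark
    pixel is low (0). No sync information is carried in the stream."""
    return [int(c) for row in screen for c in row]


def reconstruct(pulses, line_len, frame_lines):
    """Re-slice the flat stream using the receiver's guessed line period.
    This is the job the adjustable horizontal oscillator does in hardware:
    it decides where each new line begins."""
    rows = []
    for i in range(frame_lines):
        start = i * line_len
        rows.append("".join(str(p) for p in pulses[start:start + line_len]))
    return rows


def reconstruct_with_drift(pulses, line_len, frame_lines, drift_per_line):
    """Like reconstruct(), but the receiver's line period is slightly off by
    drift_per_line slots. The error accumulates down the frame, so the top
    lines come out right and the lower lines smear; this is the effect that
    forces constant re-tuning of the oscillators."""
    rows = []
    for i in range(frame_lines):
        start = int(i * (line_len + drift_per_line))
        rows.append("".join(str(p) for p in pulses[start:start + line_len]))
    return rows


def rows_matching(reconstructed, screen):
    """Count rows of the reconstruction that line up with the true screen.
    We can score against the original only because we built the bitmap; a
    real receiver has no ground truth and must lock onto the periodic
    structure of the signal instead."""
    return sum(1 for a, b in zip(reconstructed, screen) if a == b)


if __name__ == "__main__":
    stream = emit_pulses(SCREEN)
    for label, rows in (
        ("correct line period", reconstruct(stream, LINE_LEN, FRAME_LINES)),
        ("line period one slot too short", reconstruct(stream, LINE_LEN - 1, FRAME_LINES)),
        ("half a slot of drift per line", reconstruct_with_drift(stream, LINE_LEN, FRAME_LINES, 0.5)),
    ):
        print(f"{label}: {rows_matching(rows, SCREEN)}/{FRAME_LINES} rows correct")
        for r in rows:
            print("  " + r.replace("1", "#").replace("0", "."))
```

With the correct period all six rows come back; with a period one slot too short none do; with half a slot of drift per line only the first two rows survive before the accumulated offset scrambles the rest.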
The difference between Britton's and Van Eck's designs is that Britton based his
system on United States NTSC technology, while Van Eck's model is based on
European PAL receptors, using European voltages, and includes a built-in digital
frequency meter. If you have the tech knowledge you can build one of these for
$10 to $15.
Models are also commercially available through spy shops.
Besides the oscillators and the logic processing sync restorer board, you will want to
hook up a directional antenna to help focus in on exactly what you're after.
Someone using one of these devices should be able to fine-tune their receiver to
the point where multiple CRTs within the same room may be distinguished. This is
due to differences in the components making up the monitors. Pieces that come off
of different assembly lines or from different countries will have varying radiation-emitting
characteristics. Your suitably engineered Van Eck or Britton device can
discriminate between the several traits presented. Just pick one line of signals
which you wish your machine to follow, and off you go.

Ups And Downs
