PART TWO
During Hack
Chapter Seven: Public Access Computers And Terminals ... 71
Introduction to the Three Kinds * CD-ROM Databases and Information Computers * Public Access Terminals (PATs) * The Bar Code Hack * Hidden Commands * College PATs * Doing it the E-Z Way * Shoulder Surfing * Doing it BASICally * Hardware Methods * General Purpose Microcomputers * Breaking Free * Freedom Means Free Roaming * PACK * Menu Simulation and Other Sneakiness * Hiding Your Goody Basket * Things to Watch Out For
Chapter Eight: On-Site Hacking: The Trespasser Hacker ... 89
Closed-Circuit Television * Biometric Systems * Always a Way * Acting for the On-Site Hack * Piggybacking * Other Successful Tricks & Antics * Electronic Passive Computing * Radiation Comprehension * Van Eck and Britton * Ups and Downs
Chapter Nine: Hacking At Home: Dialing Up Computers With Your Modem ... 99
Reality * Who to Connect to * Paying for the Pleasure * Packet Switched Networks * Other Networks * Finding Dial-Up Numbers * Dial-Up Security Measures * Scrutinize the Login Environment
Chapter Ten: Electronic Bulletin Board Systems ... 105
Finding BBS Numbers * Finding Hacker Boards * Making Connections * BBS Features * BBS Exploitation * Getting to Know You * Bypassing BBS Security * Running a BBS * Midnight Masquerade * Hack Mail * Crashing BBSs * Trojan Horses * Covering Up Trojan Horse Activity * While it is Running * Before & After * A Few Tips for the Do-It-Yourselfer
Chapter Eleven: Borderline Hacking ... 119
Hacking for Ca$h * Filthy Tricks * Bribery * Booze and Broads * Bad Feelings
Chapter Twelve: What To Do When Inside ... 123
Hacker Motivations Revisited * Operating Systems * Looking Around * Commands to Look For and to Use * File Transfer Protocol (FTP) * Fun 'N Games * The User Network * Becoming a Superuser * Spoofing * Cryptography and DES * Bit by Bit * Program Employment * Viruses * Covert Channels * Get Out of Jail Free * Returning to the Scene * Mission Accomplished... Almost!
PART THREE
After Hack
Chapter Thirteen: This Lawful Land ... 139
State Computer Crime Laws * Traditional State Crime Laws * Criminal Mischief * Burglary * Fraud * Larceny * Theft of Trade Secrets * Receipt of Stolen Property * Theft of Services or Labor Under False Pretenses * Interference With Use Statutes * Traditional Federal Crime Laws * Conspiracy * 661, 2113, 641, 912, 1343, 1361, Etc. * Federal Computer Crime Laws, Or: It's 10:30, Do They Know Where the Hackers Are? * Conclusion
Chapter Fourteen: Hacker Security: How To Keep From Getting Caught ... 145
In Researching * In Social Engineering * Dialing In * Laptop Hints * Your On-the-Road Kit * System Tiptoeing * Lessons From the Hospital * BBS Protection * Other On-line Security Steps * Security Logs * In Public and On-Site * While Off-Line: Minimizing Losses * Maintaining Your Computer * Keeping Your Other Stuff * Conclusion: How to Get Caught
Chapter Fifteen: Conclusion ... 161
The Hacker's Ethic * My Code of Ethics * Combining Principles * My One-Person Tiger Team * Principles Combined * Concluding Thoughts * Some Thoughts to the Concerned Administrator * Some Thoughts to the Concerned Hacker
Further Reading ... 169
The Books * Other Sources
Glossary ... 173
APPENDICES
Appendix A: Explanation of Some ASCII Codes ... 185
Appendix B: Common Defaults ... 189
Appendix C: Common Commands ... 191
Appendix D: Novice Word List ... 193
Appendix E: Job-Related Word List ... 197
Appendix F: Technical Word List ... 199
Appendix G: Social Security Number Listing and ICAO Alphabet ... 201
Appendix H: Additional R/SE Role Playing Situations ... 205
Introduction:
Hackers: Heroes or Villains?
by Gareth Branwyn
Hacking in the Village
"Where am I?"
"In the Village."
"What do you want?"
"Information."
"Whose side are you on?"
"That would be telling. We want... information... information... information."
"Well you won't get it."
"By hook or by crook, we will!"
Remember the '60s TV show The Prisoner? Created by and starring Patrick McGoohan, this surrealist series was basically a platform for McGoohan to explore his own fears of modern surveillance/spy technology, behavioral engineering, and society's increasing ability to control people through pacifying pleasures.
He was convinced that all this might soon mean the obliteration of the individual
(expressed in the defiant opening shout: "I am not a number, I am a free man!").
McGoohan's #6 character became a symbol of the lone individual's right to remain
an individual rather than a numbered cog in the chugging machinery of the State.
McGoohan, a Luddite to be sure, despised even the TV technology that brought his
libertarian tale to the masses. He saw no escape from the mushrooming techno-
armed State short of out-and-out violent revolution (it was, after all, the '60s!). As
prescient as The Prisoner series proved to be in some regards, McGoohan failed to
see how individuals armed with the same tech as their warders could fight back.
The #6 character himself comes close to revealing this in a number of episodes, as
he uses his will, his ingenuity, and his own spy skills to reroute #2's attempts to
rob him of his individuality.
One doesn't have to stretch too far to see the connection between The Prisoner and
the subject at hand: hacking. With all the social engineering, spy skills, and street
tech knowledge that #6 possessed, he lacked one important thing: access to the
higher tech that enslaved him and the other hapless village residents. Today's
techno-warriors are much better equipped to hack the powers that be for whatever
personal, social or political gains.
In the last two-part episode of the series, #6 finally reveals why he quit his intelligence job: "Too many people know too much." Again, this expresses McGoohan's fear that the powers that be were holding the goods on him and everyone else who was bucking the status quo at that time. He probably didn't mean "people" as much as he meant "governments." It is this fact, that "too many [governments/megacorps/special interest groups] know too much," that has provided an important motivation to many contemporary hackers and has fueled the rampant techno-romantic myths of the hacker as a freedom of information warrior.
Let's look at a number of the mythic images of the hacker that have arisen in the
past decade and explore the reality that they both reflect and distort:
The Hacker as Independent Scientist
The first image of hackerdom to emerge in the '60s and 70s was of the benevolent
computer science student pushing the limits of computer technology and his/her
own intellect. Computer labs at MIT, Berkeley, Stanford and many other schools
hummed through the night as budding brainiacs sat mesmerized by the promise of
life on the other side of a glowing computer screen. These early hackers quickly
developed a set of ethics that centered around the pursuit of pure knowledge and
the idea that hackers should share all of their information and brilliant hacks with
each other. Steven Levy summarizes this ethic in his 1984 book Hackers: "To a
hacker a closed door is an insult, and a locked door is an outrage. Just as
information should be clearly and elegantly transported within the computer, and
just as software should be freely disseminated, hackers believed people should be
allowed access to files or tools which might promote the hacker quest to find out
and improve the way the world works. When a hacker needed something to help
him create, explore, or fix, he did not bother with such ridiculous concepts as
property rights."
While this ethic continues to inform many hackers, including the author of the book
you are holding, it has become more difficult for many to purely embrace, as the
once innocent and largely sheltered world of hackerdom has opened up onto a vast
geography of data continents with spoils beyond measure, tempting even the most
principled hackers. The Knightmare weaves his way in and out of these ethical
issues throughout Secrets of a Super Hacker.
The Hacker as Cowboy
The cowboy has always served as a potent American myth of individuality and
survivalism in the face of a harsh and lawless frontier. It is no accident that
William Gibson chose cowboy metaphors for his groundbreaking cyberpunk novel
Neuromancer (1984). Case and the other "console cowboys" in the novel ride a
cybernetic range as data rustlers for hire, ultimately sad and alone in their harsh
nomadic world. They are both loner heroes and bad assed predators of the law
abiding cyber citizenry they burn in their wake.
I don't think I need to tell readers here what impact Gibson's fictional world has had on fueling hacker fantasies or what potent similarities exist between Gibson's world and our own.
Like the cowboy tales of the wild west, the myth of the hacker as cowboy is undoubtedly more image over substance (as are most of the myths we will explore here), but there are some important kernels of truth: a) hackers are often loners, b) there are many nomadic and mercenary aspects to the burgeoning cyberspace of the 1990s, and c) it is a wide open and lawless territory where the distinctions between good and bad, following the law and forging a new one, and issues of free access and property rights are all up for grabs (remember the Indians?). Not surprisingly, Electronic Frontier Foundation co-founder John Perry Barlow (a Wyoming cattle rancher himself) chose frontier metaphors when he wrote his landmark essay "Crime and Puzzlement" (Whole Earth Review, Fall 1990). The first section of this lengthy essay, which led to the birth of the EFF, was entitled "Desperadoes of the DataSphere."
The Hacker as Techno-Terrorist
When I was a budding revolutionary in the 70s, with my Abbie Hoffman and Jimi Hendrix posters and my cache of middle class weapons (.22 caliber rifles, 12 gauge shotgun, hunting bows), I, like McGoohan, was gearing up for the Big Confrontation. With a few friends (who seemed more interested in firearms than revolutionary rhetoric), I used to do maneuvers in the woods near my house. We would fantasize how it was all gonna come down and what role we (the "Radicals for Social Improvement") would play in the grand scheme of things. It doesn't take a military genius to see the futility of armed force against the U.S. military on its own turf. The idea that bands of weekend rebels, however well trained and coordinated, could bring down "The Man" was pure romance. Part of me knew this, the same part of me that was more interested in posture than real revolution and in getting laid more than in fucking up the State. My friends and I were content to play act, to dream the impossible dream of overthrow.
One of the first "aha's" I had about computer terrorism in the late '80s was that the possibilities for insurrection and for a parity of power not based on brute force had changed radically with the advent of computer networks and our society's almost complete reliance on them. There was now at least the possibility that groups or individual hackers could seriously compromise the U.S. military and/or civilian electronic infrastructure. The reality of this hit home on November 2, 1988, when Robert Morris, Jr., the son of a well known computer security researcher, brought down over 10% of the Internet with his worm (a program that self propagates over a network, reproducing as it goes). This event led to a media feeding frenzy which brought the heretofore computer underground into the harsh lights of television cameras and sound bite journalism. "Hacker terrorists," "viruses," "worms," "computer espionage"...all of a sudden, everyone was looking over their shoulders for lurking cyberspooks and sniffing their computer disks and downloads to see if they had contracted nasty viruses. A new computer security industry popped up overnight, offering counseling, virus protection software (sometimes with antidotes to viruses that didn't even exist!), and workshops, seminars and books on computer crime.
Hysteria over hacker terrorism reached another plateau in 1990 with the execution of Operation Sundevil, a wide-net Secret Service operation intended to cripple the now notorious hacker underground. Like a cat chasing its own tail, the busts and media coverage and additional busts, followed by more sensational reportage, created a runaway loop of accelerating hysteria and misinformation. One radio report on the "stealing" (copying, actually) of a piece of information "critical to the operations of the Emergency 911 system" for Bell South opined: "It's a miracle that no one was seriously hurt." Of course, the truth turned out to be far less dramatic. The copied booty was a very boring text document on some management aspects of the Bell South system. For a thorough and lively account of this and many of the other arrests made during Operation Sundevil, check out Bruce Sterling's The Hacker Crackdown (Bantam, 1992).
Whatever the truth of these particular incidents, computer crime is here big time
and the boasts of even the most suspect hacker/cracker are usually at least
theoretically possible. Computer terrorism has yet to rear its head in any
significant fashion, but the potential is definitely there. This is very unsettling
when you think how many people can gain access to critical systems and how many
loony tunes there are out there armed with computers, modems, and less than
honorable intentions. Wireheads of every gauge would do well to study volumes
like Secrets of a Super Hacker to stay abreast of the game and to cover their
backsides should the proverbial shit hit the fan.
The Hacker as Pirate
Next to "cowboy," the most potent and popular image of the hacker is that of a pirate. Oceanographic and piracy metaphors are equally as common in cyberculture as ones about lawless frontiers and modem-totin' cowboys and cowgirls. People talk of "surfing the edge," and the "vast oceans of the Internet." Bruce Sterling's near future novel about data piracy was named Islands in the Net. In it, third world countries and anarchist enclaves operate data havens, buying and selling global information through the world's wide bandwidth computer networks.
Anarchist theorist and rantmeister Hakim Bey penned an essay called "Temporary Autonomous Zones (or T.A.Z.)" inspired by Sterling's data islands. Bey sees in the rapidly growing techno-sphere of our planet the possibilities for a new form of nomadic anarchic culture that might resemble the sea-faring pirate societies of the 18th century. Using all the resources of the global nets, individual cybernauts can come together to form temporary and virtual enclaves. These bands can wreak havoc, throw a party, exchange intelligence, or whatever else they want. Once the deed is done, the party over, the nomadic bands simply disappear back into the dense fabric of cyberspace. While decidedly romantic, the TAZ idea is attractive to many hackers and cyberspace residents who daily feel the fluidity of movement and the potential for invisibility offered on "the nets."
Of course, let's not kid ourselves, pirates were mainly concerned with stealing things. In cyberspace, piracy becomes a more ambiguous and contested can of worms. Are you really taking something if you're simply looking at it or making a copy of it? If you copy copyrighted material - let's say an image - and then alter it significantly, to the point that it is almost unrecognizable, have you violated the copyright? What if you're using it as raw materials in a piece of art, like collage? What does stealing mean when what is stolen is nothing more than a particular assemblage of electrical impulses? I regularly download recognizable audio bytes from networks, process them in a sound editor, and then use them in various audio art projects. Am I stealing? If I publish the work commercially, THEN is it plagiarism? All of these questions about sampling, copying, cutting, pasting, repurposing, and altering have become the thorny legal and ethical issues of our cybernetic age. Hackerdom is one of the domains that is rapidly fueling the fire.
The Hacker as Biblical David
When liberal and fringe media want to feel good about hacking and cracking they start invoking images of the hacker as a do-gooder David against a military/industrial Goliath. This myth of the hacker, based on the "parity of power" theme discussed above, can bring comfort to those of us who are paranoid about megacorporate and government big brothers. However over-romanticized this myth is, there is comfort to be found in the knowledge that individuals can penetrate even the most behemoth systems. If big brother gets too big for his britches, "Davidian" (?) hackers are standing by to do some necessary tailoring.
The Hacker as Security Informant
Another do-gooder myth revolves around the hacker as an either self-appointed or hired security checker. Many hackers, true to their ethos of simply wanting to push the limits of their ability and not to cause harm, will report holes in security after they've breached them. To the hacker who is interested in the gamesmanship and challenge of penetrating a system, tipping off the system's administrators means a new level of challenge should they ever return. Hackers who are hired for purposes of testing system security, called "tiger teams," also work to compromise the security of a system to find weaknesses. Oftentimes, these hired guns are convicted computer criminals who "go straight." Several members of the legendary Legion of Doom, caught in the Operation Sundevil busts, formed COMSEC, a computer security team for hire. While many hackers bristle at such turncoat maneuvers, other more politically neutral hackers point out that it doesn't really matter to them who they're working for as long as they get to hack.
The Hacker as U.S. Cavalry
Just as Hollywood movies raised the lowly dirt-lickin' cowboy to mythic status, it is now presenting hackers as a tech-mounted U.S. Cavalry, a cyberpunk version of Mighty Mouse, here to save the day - and save the movie - in the final seconds. Movies such as WarGames, Sneakers, Jurassic Park, and TV shows such as Max Headroom glamorize hackers, often portraying them as misguided geniuses who finally see the light and prevent calamities they're often responsible for initiating. At the same time that the mainstream media has demonized hackers, Hollywood has romanticized them. John Badham's 1983 film WarGames probably did more to stimulate interest in hacking and phone phreaking among young people than anything before or since. Numerous legendary hackers have credited that film as their chief inspiration and raison d'être. All these films have also played into the myth of the evil government and megacorps who deserve the harassment that the hacker protagonists dish out. As this introduction is being written, rumors are flying fast and furious that a number of near-future hacker/cyberpunk TV shows are in the works. It will be very interesting to see how Hollywood continues to re-invent the hacker.
The Hacker as Cyborg
Ultimately computer hacking and net navigating, and the images and fantasies surrounding them, represent something greater than the sum of the parts outlined here. It is this writer's opinion that hackers represent the scouts to a new territory that is just now beginning to be mapped out by others. Hackers were the first cybernauts, the first group of people to understand that we as a species are about to disappear into a cyberspace at least similar in function to that posited by William Gibson in his 80's fiction. As Manuel De Landa explains in his book War in the Age of Intelligent Machines (MIT, 1991), we are forging a new symbiotic relationship with machines via computers. The nature of this relationship and the level of individual freedom afforded by it has a lot to do with how hackers, visionary scientists, and the first wave of cyber-settlers go about their business. While De Landa is very laudatory toward the "freedom of information" ethic and developmental ingenuity of hackerdom, he cautions those who wish to make too much trouble for individuals and organizations, leading to retaliation, escalation of tensions, and increased paranoia. He writes: "...[S]ome elements of the hacker ethic which were once indispensable means to channel their energies into the quest for interactivity (system-crashing, physical and logical lock-busting) have changed character as the once innocent world of hackerism has become the multimillion-dollar business of computer crime. What used to be a healthy expression of the hacker maxim that information should flow freely is now in danger of becoming a new form of terrorism and organized crime which could create a new era of unprecedented repression." De Landa argues elsewhere in Machines that the U.S. government's, especially the military's, desire to centralize decision-making power has been seriously compromised by the personal computer revolution. He speculates that those outside the military-industrial machinery have only a few years to develop a new and truly decentralized system of networks before the military devises a new tactical doctrine that subsumes the distributed PC.
The images of hacking: coming in under the wire of mainstream society, cobbling together technology for individual and group purposes, overcoming limitations, and all the other real and imagined dimensions of hacking, have become part of a new academic trend that uses the sci-fi image of the cyborg as a model of late twentieth century humanity. These academics have embraced cyberpunk sci-fi, the politicized image of the hacker, and postmodern ideas about posthumanism (a future of human/machine hybridization). Anyone who spends most of their waking hours patched into a PC and the Internet or in hacking code has felt the margins between themselves and their machines getting very leaky. Hackers were the first to experience this; many others are now following in their digital footsteps. Hacking has become trendy and chic among people who, if pressed, couldn't even define an operating system. The "idea" of hacking has migrated far from the actual act of hacking. It has become a cultural icon about decentralized power for the turn of the millennium.
The Knightmare's Vision
Behind all these lofty notions lies the tedious and compelling act of the hack itself. Hacker-monikered "The Knightmare" presents his complex view of hacking in Secrets of a Super Hacker. In this classic hacker cookbook, the author has gone to great pains to explain the massive width and breadth of hacking, cracking, and computer security. With Sherlock Holmes-like compulsion and attention to detail, he presents the history of hacking, the how-tos of hacking, the legal and ethical issues surrounding hacking, and his own personal reasons for hacking. Numerous examples and "amazing hacker tales" take the reader inside each level of the hack. Reading Secrets will change the way you look at computers and computer security. It has already been very valuable to me. I am a smarter computer/net user now and much more attuned to computer security.
When Patrick McGoohan conceived of The Prisoner he wanted to create a show that would demand thinking. He wanted controversy, arguments, fights, discussions, people waving fists in his face. You might love the show, you might hate the show (or both), but you would HAVE to talk about it. Computer hacking and the wooly frontiers of cyberspace are similar domains of controversy. In the true spirit of freedom of information, Secrets of a Super Hacker is being made available to anyone who cares to read it. It is my hope that it will help keep the debate alive and that those who make use of its privileged information will do so responsibly and without malice.
Be Seeing You,
Gareth Branwyn, August 29, 1993, Nantucket Island, Mass.
PART ONE
BEFORE THE HACK
"Given that more and more information about individuals is now being stored on computers, often without our knowledge or consent, is it not reassuring that some citizens are able to penetrate these databases to find out what is going on? Thus it could be argued that hackers represent one way in which we can help avoid the creation of a more centralized, even totalitarian government. This is one scenario that hackers openly entertain."
Tom Forester and Perry Morrison in Computer Ethics
Chapter One:
The Basics
Reading vs. Doing
There are two ways to write a book about computer hacking.
The first is to write an encyclopedic account of every known system and its dialup numbers, passwords, loopholes, and how to increase one's access once inside. There is nothing particularly wrong with this approach except that by publication time much of the contents will likely be outdated. And surely, after word leaks to the computer sites of the world the remaining information will be rendered nonfunctional. Such a specific approach, while exciting, is best left to periodicals, which can keep readers updated on the constantly changing security frontier. Indeed, there are both print and on-line publications which attempt to do just that.
The second way to write a book about computer hacking is to write an encyclopedic account of the methods by which security is breached and systems penetrated. This is a much more agreeable solution to the problem of how to distribute changing information. The readers of such a book can then follow those methods, those algorithms, add some of their own creativity, and will never end up facing a situation drastically different from the ones the text has prepared the hacker to encounter. Naturally, way-to-write-a-book Number Two is the way this book has been written.
At some points during the course of writing this book I've found that to talk about certain information requires knowledge of another aspect of hacking entirely. I tried to keep this book flowing in a logical order, conducive to understanding, but occasionally you will find ripples in the flow.
If you come across a term or situation that the book hasn't yet prepared you for, forget about it. You'll learn soon enough. Or look in the glossary; you might find the answer you seek there. Computer hacking is a subject which contains a voluminous amount of information. Repeatedly, as I prepared the manuscript, I had to decide whether or not to go into great detail in a particular area, or allow you to discover certain inside tricks on your own. Sometimes I compromised, sometimes I didn't. Some things I left out because they were too scary. When all is said and done, the important part isn't the writing of the book, it's the reading of it, and the actions that result from the reading. Hacking is about doing something, for yourself and on your own. It's not about reading about doing something. I will gladly point you in the right direction, but I won't be your guide once you're on your way.
Speaking of books being read, it is often a wonder that they ever do get to that readable finished state at all. Thank you R.S. and J. for critiquing selections from this book; thanks to the people at Loompanics for recognizing that the Constitution does, after all, allow freedom of the press; and to the many hackers and crackers who offered suggestions: Morris, Janet, Sex Pack, Carl Fox and the happy Gang Of Demon Street.
Opening Remarks
This book will show you various methods you can use to break into computer
systems.
In some ways this is harder to do than it used to be. Nowadays people are more strict, more cautious about security. That's how it seems, anyway. But there are plenty of holes still left in any system's armor. System managers can tighten up computer security as much as they want but there will always be ways to get around their efforts. Remember the first rule of hacking: Whatever a human mind can achieve, another can also achieve. Whatever one mind can hide, another can discover. People tend to think and act alike, and it is this sameness of thought that you, the hacker, will exploit.
What is a hacker? I'm going to give a definition now, and if you don't fit the
description I give, you can just close this book and throw it away:
A hacker is a person with an intense love of something, be it computers, writing, nature or sports. A hacker is a person who, because he or she has this love, also has a deep curiosity about the subject in question. If a hacker loves computers, then he or she is curious about every aspect of computers. That curiosity extends also to the ways other people use their computers. Hackers have respect for their subject. For a computer hacker that means he respects the ability of computers to put him in contact with a universe of information and other people, and it means he respects those other people and does not intentionally use this knowledge of computers to be mischievous or destructive. That sort of thing is for social-outcast junior high school kids. The serious computer hacker simply wants to know everything there is about the world, and the world of computers. The True Computer Hacker is a computer enthusiast and more importantly, a Universe enthusiast.
You should already be enthused. Are you ready to learn?
Equipment
There is only one piece of equipment you need to be a successful computer hacker... a brain. That's right - you don't even need a computer. In fact, you might be better off not having one as you will see later on. However, to start out you will want to have a computer, a modem, and a telephone line close by so you can connect to the outside.
It's inconsequential what kind of computer it is. What's more important are the
modem and the communications software you use with it.
Modems And Speed
Remember the old puzzler, "Which weighs more: a pound of feathers or a pound of lead?" Well, here's the same puzzler with a modern twist: "Which transmits data faster: a 600 baud modem, or a 600 bits-per-second modem?" The answer, of course, is "Both transmit data at the same rate!" But the real answer gets a little more complicated. Let me explain.
"Baud" is the measure of the rate at which a modem sends and receives information. Below speeds of 600 baud, the baud rate is equal to bits-per-second. Due to the restrictions of telephone equipment, high speed modems may transmit far fewer bits-per-second than their baud rate. For example, a 2400 baud modem may only be sending 1200 bits-per-second.
For traditional reasons, modem speed is still stated in baud. While a hacker should
be aware of the difference between baud rate and bits-per-second, the important
thing to remember about modem speed is: the faster, the better. Just don't expect
a 9600 baud modem to be four times as fast as a 2400 baud modem.
Five years ago, 300 baud modems were quite popular. Today, 9600 baud modems are fairly common. Higher speed modems, such as 14,400 baud and 19,900 baud, are now available in fairly inexpensive models. Many of the services you connect to will not be able to accommodate these higher speeds; however, a high-speed modem can always "step down" and connect at a slower speed when necessary.
Hacking is a hobby that requires little equipment; when it is necessary to buy something, you should try to buy the best available. This doesn't mean you should get what the salesperson or a magazine review says is best. It means, get what is best suited to your needs. You will want your modem to be fast. When I got my first modem, I thought of 140 baud as being the slowpoke. Now I look at the 300 baud crawler I used to use and wonder how I ever managed to stay interested when the words dribble across the screen at such an agonizingly slow pace.
Realize that whatever speed modem you get, it will usually run even slower than advertised. When there is static on the line, the modem is forced to resend data over and over until it has been sent or received correctly. Modems may run at half their listed speed, or even slower if they're in a particularly bad mood. They get even more snailish when you're calling long distance, or you're calling one computer through another (to make your call harder to trace back to its source), or if the remote computers are getting heavy usage.
For all of these reasons it's crazy not to get a fast modem. It will make every bit of electronic communication much more enjoyable.
Communications Software
It's hard to find truly splendid communications software, and yet it is the software
(in conjunction with a fast, high-quality modem) which will de-termine how much
enjoyment or frustration you get from your on-line interactions.
There are lots of communications software ("terminal emulators" or "term
programs") out there.
Just because a particular package comes with your modem doesn't mean you
should feel obli-gated to use it. A good piece of telecommunications software will
have many of the following features. For the hacker, it is necessary to have all
these features. Well, maybe it's not necessary, but it will sure make your hacking
experience more pleasurable.
Handy Features
The monitor on your computer was probably specially designed for your computer. When you dial who-knows-where over the phone, you can easily be talking to some computer with a completely different screen design than your own. Consequently, certain standards (rules of behavior for terminals to follow) have been devised. If you call up a hundred different computers, there will be many differences between the characters each can display, the control codes used to perform various screen functions, and so on. Your communications program, or "comm program," should be able to adjust to a wide range of these codes and characters. This feature is known as terminal emulation. Software that can't do that will often represent data from the remote computer in peculiar ways, or as garbage characters. Your comm program must be able to emulate a good number of terminals, such as ANSI, VT52 and VT100. It is also handy for the software to have a translation table - the ability to translate incoming and outgoing characters to other characters.
The terminal program you choose should be able to send and receive files using the Xmodem, Ymodem, Zmodem, and Kermit protocols. A protocol is a set of rules. You see, if you're going to move files between two completely dissimilar computers, those machines need to know how to talk to each other. These file transfer protocols set up specific guidelines for the two computers to follow regarding how the file should be sent and received. Each protocol has its own set of advantages and applications. The Zmodem protocol transfers files fast, and with good error recovery, but it isn't as prevalent as the original Xmodem. Ymodem is another improvement on Xmodem, sending 1,024-byte blocks instead of 128-byte ones, but a single error on the line throws away a much bigger block and costs a much bigger retransmission - only use it on clean phone lines. Kermit is used on many university mainframes for speedy, efficient file transfer. Make sure your terminal software has at least these four protocols.
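To make the "set of rules" concrete, here is the Xmodem block format with the original one-byte checksum beside the CRC-16 variant. This is an added example, not code from the book: the framing (SOH, block number, its one's complement, 128 data bytes padded with SUB, then the check value) and the CRC polynomial 0x1021 are the standard Xmodem ones, and the payload is constructed. It also shows one kind of line fault the checksum cannot see but the CRC always catches.

```python
SOH, EOT, SUB = 0x01, 0x04, 0x1A   # start of header, end of transfer, pad byte
BLOCK = 128


def checksum8(data: bytes) -> int:
    """Original Xmodem check: the low byte of the sum of the data bytes."""
    return sum(data) & 0xFF


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def make_block(seq: int, payload: bytes, use_crc: bool) -> bytes:
    """Sender side: frame up to 128 payload bytes as SOH, block number, its
    one's complement, 128 data bytes padded with SUB, then checksum or CRC."""
    if len(payload) > BLOCK:
        raise ValueError("payload exceeds one block")
    data = payload.ljust(BLOCK, bytes([SUB]))
    header = bytes([SOH, seq & 0xFF, (~seq) & 0xFF])
    if use_crc:
        crc = crc16_xmodem(data)
        return header + data + bytes([crc >> 8, crc & 0xFF])
    return header + data + bytes([checksum8(data)])


def verify_block(block: bytes, use_crc: bool):
    """Receiver side: return (seq, data) if the frame is intact, else None
    (the receiver would then NAK and the sender resend the block)."""
    tail = 2 if use_crc else 1
    if len(block) != 3 + BLOCK + tail or block[0] != SOH:
        return None
    seq, comp = block[1], block[2]
    if seq ^ comp != 0xFF:          # block number and complement disagree
        return None
    data = block[3:3 + BLOCK]
    received = int.from_bytes(block[3 + BLOCK:], "big")
    expected = crc16_xmodem(data) if use_crc else checksum8(data)
    return (seq, data) if received == expected else None


def split_into_blocks(payload: bytes, use_crc: bool) -> list:
    """Number blocks from 1; the last one is padded out with SUB bytes."""
    return [make_block(i // BLOCK + 1, payload[i:i + BLOCK], use_crc)
            for i in range(0, len(payload), BLOCK)]


def swap_bytes(frame: bytes, i: int, j: int) -> bytes:
    """Simulate a line fault that transposes two bytes in flight."""
    b = bytearray(frame)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def transposition_survives(payload: bytes, use_crc: bool) -> bool:
    """Does swapping the first two data bytes get past the receiver's check?"""
    frame = swap_bytes(make_block(1, payload, use_crc), 3, 4)
    return verify_block(frame, use_crc) is not None


if __name__ == "__main__":
    # Constructed payload; a real transfer would carry a file.
    text = b"Login: guest\r\nPassword: guest\r\n"
    print("checksum fooled by a byte swap:", transposition_survives(text, False))
    print("CRC-16 fooled by a byte swap:  ", transposition_survives(text, True))
```

Swapping two adjacent bytes leaves the additive checksum unchanged because addition does not care about order. The CRC always catches it: the swapped block differs from the original by a pattern at most 16 bits wide, and a degree-16 generator with a nonzero constant term cannot divide any nonzero polynomial of lower degree, so the remainder must change. That is the whole difference between "a checksum" and "error detection that is keen".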
Choose software that allows you to enter "AT" commands. ATtention commands were developed by Hayes to allow the user to control the modem. They have been adopted by most makes of modem. AT commands allow you to program the modem to dial, go on line, go off line, and perform various other functions. You should also be able to shell to your computer's operating system while maintaining the connection - sometimes you will want to run another program while on-line. The software should allow you to store many phone numbers, names, and comments for a large number of dialups. You should be able to store more than just the ten-digit phone number: extensions and special codes should be programmable, as well as sign-on macros for faster connections. It is also helpful to have an auto-redial capacity, which repeatedly calls a busy phone number until the line is free. Overall, the program you use must be pleasant and easy to use. If one program doesn't suit all your needs, keep several on hand and use whichever you need when you need its special services. Generally I tend to stick with the PC Tools Desktop comm program. It doesn't have too many advanced features, but its ease of use more than makes up for that. ProComm Plus for the IBM and Macintosh is the Lotus 1-2-3 of communications software. It's a huge package that includes every conceivable feature you'll ever need. There are also many low price (free) alternatives in the world of shareware and public domain software. QModem is one good shareware communication program for IBM computers.
There is one final necessity for the hacker:
Data Capture
Your terminal program should have a data capture feature. This means that as information gets sent through your modem and put onto the screen, you should be able to capture it in a disk file.
It's important for you to keep the data capture feature on whenever you're using your modem. You do this for several reasons. When I'm logged in somewhere, I like to poke into all the text files I can find, but I don't like to waste my time on the system by actually reading them while on-line. Instead, I turn on my data capture, store what can be hundreds of pages of text in separate files, then sort through the data later, offline, at my leisure. (At other times it is more appropriate to simply transfer the files; what one does depends on circumstances.) Data capture is also handy to pick up control codes and text that scrolls off the screen too fast for you to read. And sometimes text is immediately erased after it's put on the screen, either for security reasons or due to faulty software. With data capture you retain a permanent record of that text. In any event, it's nice to have an official record of your hacking activities that you can use for reference and research.
One time I called up a bulletin board (BBS) that was run by a local company, mostly for the purpose of advertising its products. The modems connected, I pressed Enter a couple times, and I got the usual random characters on the screen, then the login prompt came on. It took a little longer than usual to get to the login prompt, and I was wondering about that, but nothing seemed really unusual so I went about my business.
Later, I was going over the printouts I made of the break-in and I took a second look at what at the time seemed to be just normal login garbage. In the middle of the nonsense symbols was this: "d-b". And on the next line, sandwiched between two plus signs, this: "ye!". On the surface this doesn't look too interesting, but think about it: put "d-b" and "ye!" together and you get "d-bye!". What I was looking at was the last half of the word "good-bye!".
From using the BBS I knew that "good-bye!" was the last thing one sees before logging off. In other words, I had called the system just after someone else had logged off, and I had gotten the tail end of their log-off message. This meant there was something wrong with the way the remote software handled disconnections. This meant there was a bug that could be exploited.
I logged onto the system again, and the first thing I did was go to the "User Log" to find the record of my last login to the system. The person who had been using the BBS before me was a regular user of the system and, sure enough, according to the log she had logged off just seconds before I was recorded as having logged in.
Later I was able to incorporate my knowledge of this flaw to make myself a system operator by calling up and connecting soon after the real system operator had finished a scheduled maintenance check. I wrote a letter explaining to him what I had done, and how. Over the next few days we corrected the problem.
So you see, sometimes weird things happen while you're logging on or off, but anomalies can occur at any time. The moral of this story is: be prepared to capture this weirdness, and be prepared to analyze it when you find it.
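The kind of offline pass over a capture file that the story calls for, as an added example that is not from the book: it cuts the capture where the remote system first clears the screen (or, failing that, at its login prompt), strips ANSI control sequences and unprintable line noise from everything that arrived before that point, and reports the readable fragments together with whether they could be the tail of a known message. The captured bytes, the "Acme Widgets BBS" banner and the noise are constructed, not a real session.

```python
import re

# ANSI/VT100 control sequences: ESC [ parameters, intermediates, final byte.
CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")
# Runs of at least two printable ASCII characters; a lone printable byte is
# more likely to be line noise than leftover text.
PRINTABLE = re.compile(rb"[\x20-\x7e]{2,}")
CLEAR_SCREEN = b"\x1b[2J"


def session_start(capture: bytes, prompt: bytes = b"login") -> int:
    """Offset where the remote system's own session visibly begins: its first
    clear-screen, otherwise its login prompt, otherwise the end of the capture."""
    idx = capture.find(CLEAR_SCREEN)
    if idx < 0:
        idx = capture.lower().find(prompt.lower())
    return idx if idx >= 0 else len(capture)


def readable_runs(raw: bytes) -> list:
    """Drop control sequences, then keep only runs of printable text."""
    cleaned = CSI.sub(b"", raw)
    return [m.group(0).decode("ascii") for m in PRINTABLE.finditer(cleaned)]


def pre_login_residue(capture: bytes, prompt: bytes = b"login") -> list:
    """Readable fragments that arrived before the remote reset its screen.
    Anything here was not meant for this caller: it is state the remote
    software failed to clear from the previous connection."""
    return readable_runs(capture[:session_start(capture, prompt)])


def consistent_with(fragments: list, message: str) -> bool:
    """True if every fragment, minus surrounding noise characters, occurs in
    `message` at increasing positions, as pieces of its tail would."""
    if not fragments:
        return False
    pos = 0
    for frag in fragments:
        core = frag.strip("+*#~^ ")
        found = message.find(core, pos)
        if not core or found < 0:
            return False
        pos = found + len(core)
    return True


# Constructed capture: noise and the tail of the previous caller's session,
# then the BBS clears the screen, prints its banner and prompts for a login.
CAPTURE = (
    b"\xff\x8ed-b\x9a\x00\r\n\xc3+ye!+\x0c"
    b"\x1b[2J\x1b[H"
    b"\x1b[1mWelcome to Acme Widgets BBS\x1b[0m\r\n"
    b"\r\nLogin: "
)

if __name__ == "__main__":
    residue = pre_login_residue(CAPTURE)
    print("before the remote's reset:", residue)
    print("consistent with 'good-bye!':", consistent_with(residue, "good-bye!"))
```

The cut point matters: text after the clear-screen is the remote talking to you, text before it is whatever was left in its buffers when you connected. Run this over every capture file and an empty list is the normal result; anything else is the "weirdness" worth a second look.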
You never know when something out-of-the-ordinary is going to happen, like the system operator (sysop) coming on and doing system maintenance while you watch. I've had that happen to me more than once. In fact, there was one week in which it happened twice.
When I was in high school there was one day near the end of September that I was sick, so I was staying home from school. Instead of rushing off to the bus stop, I was on my computer, dialing BBSs. The first day I was sick, I had just finished logging onto a system and was about to read my e-mail when the sysop interrupted. "I have to do something real fast," he typed, "and I'm late for school." Then he went about doing whatever it was he had to do. He went into the back screens of the bulletin board system program, then shelled out to his hard drive, and came back in again. He was doing everything so fast I couldn't keep track of what was going on, but later, after I'd logged off, I was able to go through the file I'd made of the event, and analyze it thoroughly. The information I learned from watching that sysop fix his system did not help me break in anywhere, but it taught me more about how telecommunication systems work. And that's the whole purpose of hacking.
A few mornings later, I was on another system and almost the same thing happened. Another sysop was late to an appointment, but before he went he just had to do some last minute rearranging. This time I was able to understand as I watched what was going on: one of the things the sysop did was to validate a new user's password (a dumb thing to do in front of somebody, but maybe he didn't realize I could see what he was typing). Since I was capturing the event in a text file as I watched it, there was no need for me to scramble for a pen to write down the passwords as I saw them scroll across my screen.
An alternative to data capture is to have your printer running continuously. There are people who do this, but it's always seemed to me to be a complete waste of ink, paper, time (especially if you have a slow printer) and electricity. Also, a printer won't be as efficient as your communications program at capturing strange control codes and foreign symbols. You're better off capturing data in files, then using a word processor to sort through those files, erase what you don't need, and then perhaps print out the rest.
Past and Future
As you read about the many facets of hacking, you will be introduced to more
equipment, tools, software and hardware that will be of interest to hackers who
wish to try their expertise in more specialized areas of interest. For now though, all
you need is the understanding that...
Days Of Yore Live On
When you start reading through the literature of data security, you begin to get worried.
Gone, it seems, are the days of "Joshua doors" as in the movie WarGames. Gone are the system bugs and loopholes, the naively entered "PASSWORD" used as a password. Gone, it seems, is the reverent awe people once held for the lone hacker, cracking secret government databases in the middle of the night. Gone are the lone hackers. It seems. But all of this really isn't true! As recently as just a few years ago, Robert Morris, Jr., was hacking into computers using system bugs that he himself had discovered. These weren't even new bugs - they were old ones that no one had ever noticed or bothered to correct before! Who knows how many more similar bugs are out there, waiting to be manipulated? And the trap doors will always be there as well: it is the programmer's vanity that leads him to stylize otherwise joint or corporate software by inserting covert code, either for benign, "jokey," Easter Egg purposes - or to wreak havoc later on. <An Easter Egg in the computing sense is some unexpected, secret thing you can do with a piece of software that the programmer put in but doesn't tell anyone about.> And don't forget all the stupidity: the test accounts and demo modes, the default security measures that nobody bothers to delete or change. In July 1987, a bunch of Chaos Computer Club members hacked their way through the network, from an entry in Europe, to NASA's SPAN system (Space Physics Analysis Network). These crackers exploited a flaw in the VMS operating system which Digital Equipment Corporation (DEC) had announced was remedied three months earlier. There must be hundreds of VAX computers still out there, still running the faulty parts of the operating system. Even with the patch in place, the Chaos members reportedly were laughing themselves silly over the often trivial passwords used to "protect" the system. Some of the passwords were taken straight from the manufacturer's manuals! On the one hand we have a top secret VAX 11/785 computer with the full power of NASA to protect it; but on the other hand there are approximately four thousand users of that computer. Never can you get 4,000 people together and still keep secrets hushed up.
Hacking may seem harder than ever before, but it really is not. The culture may have gotten more security-aware, but the individual user still lives in a world of benign indifference, vanity, user-friendliness and friendly-userness. Users who are in-the-know will always want to help the less fortunate ones who are not. Those who aren't will seek the advice of the gurus. And so Social Engineering and Reverse Social Engineering live on, as you shall discover within these pages. Ease of use will always rule. The "dumb" password will be a good guess for a long time to come.
After all, people just don't choose "116Fk%8l0(@vbM-34trwX51" for their passwords!
Add to this milieu the immense number of computer systems operating today, and the staggering multitudes of inept users who run them. In the past, computers were only used by the techno-literate few. Now they are bought, installed, used, managed, and even programmed by folks who have a hard time getting their bread to toast light brown. I'm not downgrading them - I applaud their willingness to step into unfamiliar waters. I just wish (sort of) that they would realize what danger they put themselves in every time they act without security in mind.
It is a simple and observable fact that most computer systems aren't secure. If this isn't clear now, it certainly will be once you've read a few chapters of this book. Ironically, many of the people who operate computer installations understand that there is a problem with system security; they just don't do anything about it. It seems incredibly naive, but it's true. There are lots of reasons why companies don't increase computer security. Publicly or privately, they say things like:
• Extra security decreases the sense of openness and trust which we've strived to develop.
• Security is too much of a nuisance.
• Extra security just invites hackers who love a challenge.
• It would be too costly or difficult to patch existing security loopholes.
• The reprogramming could open up new security problems.
• We've never had a security problem before!
• The information we have here is not important to anyone but ourselves; who would try to break in here?
• But we just had a security breach; surely they won't come back!
• Didn't all those computer hackers grow up and go on to better things?
There are different reasons why each of these statements is either wholly or partially incorrect. The last one is certainly false, as any reader of this book should be quick to point out. Computer hacking (as well as the misuse of computers) will always be a contemporary issue because of the great value computers have in our daily lives. Some of these sayings also have their validity. In any case, the people who run computer installations (call them sysops, system managers, computer operators or whatever) very often believe in these things, and so the window of opportunity is left open. With a little work we can often ride the breeze inside.
Computer Crime
I would love to honestly be able to say that computer crime does not exist in the world - but I can't, because it does. When you're talking about the bad stuff that people do with computers, hacking truly is at the bottom of the list, and it certainly is the farthest removed from traditional crimes - things like murder and burglary which we feel in our hearts are wrong. True hacking is victimless, so it is in my way of thinking only vaguely a crime. Perhaps it is immoral or wrong, but there is much worse that can be done.
Computer crimes come in seven basic categories, all of which are related to the concept of "hacking" in some way. The seven categories are financial theft, sabotage, hardware theft, software theft, information theft, and electronic espionage. The seventh "crime" is computer hacking.
Stealing Money
Financial theft occurs when computer records are altered to misappropriate money. This is often done by programming the computer to route money into a particular bank account, usually by the use of a salami technique.
A salami technique is a method used to steal small sums of money over a long period of time, with the assumption that such small sums won't be missed. The criminal reprograms the computer at a bank or some other financial institution so that fractions of pennies will be given to a dummy account.
For instance, an account might hold $713.14863, where the "863" occurs because of the multiplication involved in figuring interest. Normally the computer would say this person has $713.15 in the bank, rounding the 4 up to a 5. However, a computer programmed with salami in mind would slice off those extra digits and put them into a separate account. Now the person may only have $713.14 in the account, but who's going to notice or complain about a missing penny?
The computer is not generating new money, it's only shifting valid money to an invalid account. This can make salami thefts hard to detect. Once the criminal's account has grown big enough on those fractions of pennies, he or she can withdraw the money and most likely will get away with the crime. Many thieves have tried this form of bank robbery, and many have been caught, but dozens or hundreds of such operations could be going on today without anyone's knowledge (or so the "experts" claim).
The way investigators check to see if a salami technique is being used is to have the computer make a list of all accounts, and how many times per day over a period of days a transaction has occurred with that account. Next, any account that is accessed an exorbitant number of times per day is checked to see how much money each of these transactions represents. If it's tiny sums, someone's up to something!
While I don't condone such thievery, I feel obligated to point out where computer criminals have gone wrong in the past and how to avoid future mishaps. Instead of reprogramming the computer to immediately transfer those fractions of pennies to an account, they would have been wiser to simply subtract the amounts and keep track of how much money is collected in an area separate from the account files. Then, the portions of code which print out total bank holdings should be altered to include that hidden figure in the summation, so those minuscule amounts aren't missed. Once the figure reaches a certain point (for instance, some random value over one hundred or two hundred dollars) only then should it be transferred to the thief's account. I say some "random" value so every transaction on the thief's account won't be exactly the same and thus suspicious.
Such thievery requires access to a computer; usually these crimes are committed by employees of the institution at which the crime occurred, and so true hacking is not necessary. However, when an employee with limited computer access or a complete outsider pulls off a financial theft, computer hacking will surely be involved.
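The salami slicing from the $713.14863 example and the investigator's frequency check described above, run over a constructed interest-posting journal, as an added example that is not from the book. The bank, the account numbers, the daily rate and the balances are invented. It pairs the frequency check with a second, stronger control: an independent replay that recomputes every posting from the prior balance instead of trusting any holdings report, which is what defeats the "keep it off the books until it is large, then move it in random lumps" refinement.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
DAILY_RATE = Decimal("0.000137")   # constructed: roughly 5% a year, paid daily
DUMMY = "A-9999"                   # the thief's account in the salami run

# Constructed opening balances for five ordinary customers.
OPENING = {
    "A-1001": Decimal("713.14"),
    "A-1002": Decimal("2500.00"),
    "A-1003": Decimal("98.77"),
    "A-1004": Decimal("15020.55"),
    "A-1005": Decimal("430.09"),
}


def post_interest(opening: dict, days: int, salami: bool = False):
    """Run `days` of daily interest postings; return (journal, balances).

    Journal entries are (day, account, amount). Honest code rounds each
    account's interest half-up to the cent. Salami code truncates instead and
    credits the sliced-off fraction to DUMMY as its own tiny entry.
    """
    balances = dict(opening)
    journal = []
    for day in range(1, days + 1):
        for acct in sorted(k for k in balances if k != DUMMY):
            exact = balances[acct] * DAILY_RATE          # e.g. 0.09770018
            if salami:
                paid = exact.quantize(CENT, ROUND_DOWN)  # 0.09
                sliver = exact - paid                    # 0.00770018
                balances[DUMMY] = balances.get(DUMMY, Decimal(0)) + sliver
                journal.append((day, DUMMY, sliver))
            else:
                paid = exact.quantize(CENT, ROUND_HALF_UP)  # 0.10
            balances[acct] += paid
            journal.append((day, acct, paid))
    return journal, balances


def frequency_check(journal, max_per_day: int = 3) -> dict:
    """The investigator's method from the text: accounts touched an unusual
    number of times in one day, reported with how many of their postings
    were below one cent. Returns {account: (busiest_day, tiny, total)}."""
    per_day = defaultdict(lambda: defaultdict(int))
    amounts = defaultdict(list)
    for day, acct, amt in journal:
        per_day[acct][day] += 1
        amounts[acct].append(abs(amt))
    suspects = {}
    for acct, days in per_day.items():
        busiest = max(days.values())
        if busiest > max_per_day:
            tiny = sum(1 for a in amounts[acct] if a < CENT)
            suspects[acct] = (busiest, tiny, len(amounts[acct]))
    return suspects


def recompute_audit(journal, opening: dict) -> list:
    """Independent replay of the journal against the opening balances.

    Flags postings to accounts with no opening balance, sub-cent amounts
    (a cent-denominated ledger should never post one) and any amount that
    is not the honestly rounded interest on the running balance. Because it
    checks the victims' side, it does not matter where the skim was sent.
    """
    running = dict(opening)
    findings = []
    for day, acct, amt in journal:
        if acct not in running:
            findings.append((day, acct, "posting to an account with no opening balance"))
            continue
        if amt != amt.quantize(CENT):
            findings.append((day, acct, f"sub-cent amount {amt}"))
        expected = (running[acct] * DAILY_RATE).quantize(CENT, ROUND_HALF_UP)
        if amt != expected:
            findings.append((day, acct, f"posted {amt}, expected {expected}"))
        running[acct] += amt
    return findings


if __name__ == "__main__":
    honest, _ = post_interest(OPENING, 30)
    skimmed, balances = post_interest(OPENING, 30, salami=True)
    print("honest:", frequency_check(honest), recompute_audit(honest, OPENING))
    print("salami suspects:", frequency_check(skimmed))
    print("salami findings:", len(recompute_audit(skimmed, OPENING)))
    print("in the dummy account after 30 days:", balances[DUMMY])
```

The frequency check only fires while the slivers are being posted one at a time; the refinement in the text (park the total in a hidden figure, doctor the holdings report, move it in irregular lumps) is aimed squarely at it. The replay is indifferent to that, because the customer whose $713.14863 became $713.14 instead of $713.15 is a discrepancy on day one no matter what happened to the other $0.00863.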
Sabotage
Computer sabotage is the physical destruction of computer hardware or firmware, or the tampering with or erasure of information stored on a computer. The point of sabotage may be to force a competitor out of business, or, as is sometimes done with arson, to get the insurance money. Computer hacking has only limited involvement with sabotage, since it is the goal of most hackers to keep computers secure, not to destroy them. Still, sometimes sabotage does creep into hacking in limited ways. Reverse social engineering uses what is called sabotage, but it is actually just a bit of tomfoolery used to get a computer to temporarily misbehave. You will read about reverse social engineering later on.
Computer vandals frequently sabotage the information stored on computers after first using hackers' methods to gain entry to them. Vandals should not be confused with hackers, however.
Neither should those folks who introduce incorrect or misleading data into a computer system, or otherwise sabotage the data stored therein. An illustration of such data tampering is given by Thomas Whiteside in his book Computer Capers (Crowell, 1978). Between 1968 and 1972 the FBI planted false adverse information on radicals and other people who had wild political views into the computers of credit reporting agencies, "the idea being to harass those citizens by making it difficult, if not impossible, for them to obtain loans or other forms of credit." For all we know various agencies may be continuing this practice. Want your own file verified for accuracy? Hacker to the rescue!
Various Thieveries
Hardware theft is the stealing of the actual computer or its peripherals, but it can also include the piracy of a computer's internal design. It is related to hacking in that stolen or "borrowed" hardware may be used to procure access codes. In the case of design piracy, a hacker might clandestinely monitor the private e-mail and other computer files of a hardware designer in an effort to steal innovative ideas.
Software theft or piracy is the unauthorized copying of programs protected by copyright. Often hackers will make personal copies of software they find on a computer system, so they can learn how it was programmed and how it works. As with hardware piracy, there is also the aspect of wanting to get an edge on a competitor's new line of software, and so there is the hacking connection.
Information theft may include stolen credit card numbers, TRW reports, new product specs, lab results, patient or client data, or any other data that might be potentially valuable. Electronic espionage occurs when that information is sold to a third party, making the hacker a spy for either another country or company. In both cases hacker techniques are used to steal the information, and possibly even to make contact with the spy agency in the first place.
The Seventh Crime
Finally, there is hacking. Hackers have the ability to do any of the above, but they choose not to. Read that again carefully, and see if you can detect the paradox. The person who perpetrates the seventh of seven computer crimes - hacking - has just been described as a person who chooses not to commit any crimes at all. Of course, there is that small matter of illegally breaking into other people's computers before that choice is made. But we conveniently disregard that because we don't see any harm in the simple act of "breaking in." Where other computer crimes are concerned, motivations are obvious. It is obvious why a person would steal a computer, or engage in a financial crime, or a crime of vengeance. But with pure hacking, essentially a peaceful, harmless act, motivations might not be as apparent.
The traditional motivation for a hacker was the quest for knowledge. But nowadays that quest may be ruled by higher motives - like money. There are hackers who see their talent not as a hobby, but as a trade. In fact, there are a number of both moral and immoral reasons one would provide one's hacking services for a fee.
Before we get further into the How's of hacking, let's take a brief look at the Why's.
Hacker Motivations
The IRS has a bad reputation - and it deserves it. Sure, they pretend to play fair (I have a friend who received a refund check from the IRS for one cent; so apparently they can be honest at times), they pretend to do things in our interest, but underneath it all they do a lot of cheating, conniving things.
For instance, the IRS has a computer selection program called the Discriminate Function System. DFS is a system used by the IRS to select over 80 percent of the income tax returns which will be audited. When the DFS selects a return for audit, it is because the program believes there is a high probability the citizen made improper deductions, or hasn't reported all income, or for some other reason believes the filer has lied.
Now, as citizens of the United States, we are entitled to know all the laws and regulations of our country, right? Not so, according to the IRS. The decision-making formula (algorithm) used by the DFS to select which returns will be audited is kept secret from us (so we can never really know to what extent an action of ours breaks the IRS's return-selection laws).
It seems logical and fitting for the IRS to not reveal this secret, because doing so prevents a lot of fraud. But it also restricts our rights, and several years ago, two outraged citizens sued the IRS to reveal their selection formula. The citizens won and the IRS was ordered to reveal the formula. The IRS was not ready to reveal their secrets, and they appealed their way up to the Supreme Court and still lost in favor of the Freedom of Information Act.
But since the IRS is a crying, whining, wily baby, they refused to obey the court orders, and ran to Congress for help. Congress, of course, immediately enacted a statute which made the IRS's audit selection algorithm immune to the Freedom of Information Act.
Now, I ask you: Can you think of a better reason to hack than to get back at the IRS? I'm sure that someday some hacker will surreptitiously stroll into the IRS's computers and make off with their Discriminate Function System, and publicize it widely for all to see and file by. <This has already happened in Australia. A computer professional working for the Australian Taxation Commission wrote up a guide to the confidential computer program which the commission used to determine the legitimacy of a taxpayer's income tax form. Taxpayers could use his guide to safely overstate the amount of deductions they claimed.>
Even if that doesn't happen, and even if that's not a hacker's main goal (which I wouldn't expect it to be), there are plenty of motivations from which to choose.
Dissemination of information is always an honorable incentive to hack. According to Tom Forester and Perry Morrison in their book on computer ethics (listed in the bibliography), following the Chernobyl nuclear disaster, hackers in the Chaos Computer Club "released more information to the public about developments than did the West German government itself. All of this information was gained by illegal break-ins carried out in government computer installations." Certainly that was a noble and just act on their part, from our point of view.
Hackers also see themselves as preventers of disasters - computer disasters, that is. There have been several recent examples of computer security companies from all over the world putting their security products to the test. They did this by publicizing a phone number hackers could call to try to beat the system. Sure this is done for advertising hype, but it is also a good idea, and it gives hackers a chance to do some computer cracking in a benign setting.
Hackers who maintain a high degree of virtue will use their illegal hacking to prevent disasters. Once they have discovered (and misused) a security loophole in a system, they will warn the system operator of that fact. Hackers are thus beneficial to the world in that they act to keep the world informed and secured. But we can only be assured of these traits if the hackers themselves conform to ethical behavior. Unfortunately, due to the exciting/risky/devilish nature of hacking, the people involved are often immature and play around in juvenile activities such as vandalism and carding (mail ordering stuff on other people's credit cards). These are the sorts of activities that True Hackers should strive NOT to be associated with, as they degrade the word "hacker."
Many hackers, even some very good hackers, have done their part to give hacking a bad name by having skewed motivations. There have been plenty of destructive hackers, and those who just did not know when to quit.
There are also hackers-for-hire. Private citizens are willing to pay hackers to change computerized information for them - grades, ratings, bills, access levels. Or there are the people who want information about themselves deleted from the record, because they are in hiding. Private investigators can always use the skills of the hacker to find addresses and phone numbers, credit ratings, and other private concerns of clients and suspects which are contained on computers. Office workers have hired hackers to scope out the personal electronic mail and files of coworkers and competitors, to gain an edge when making a proposal or a bid. There is not only industrial, but governmental espionage. All of the above has been done and is being done RIGHT NOW, by hackers who hack for money.
Hackers tend to look down on other hackers who fall into this line of work. Maybe a once-in-a-while job is okay, but to do it extensively and exclusively is to sell out one's integrity.
I like to think that all people reading this book, and all hackers, will use their talents to good ends: to promote public awareness, prevent tragedy, and to learn new technologies and new innovations for one's own self-growth.
Chapter Two:
The History of Hacking
First Came Hardware
Where does one begin a history of hacking?
Do we start with the creation of the computer, by J. Presper Eckert and John Mauchly? During World War II this pair of engineer and physicist approached the US Army with a proposal for an electronic device that would speedily calculate gunnery coordinates - a job that was then tediously being done by hand. With the government backing their way, the Electronic Numerical Integrator And Computer (ENIAC) was born in 1946. It was a year after the war's end - the machine's designed function was now superfluous - but the dream behind its imagined future uses lived on.
Of course, the origin of the computer - the computer for god's sake - the most revolutionary invention since the telephone, can not be so easily summed up in a tidy paragraph of wartime patriotic stupor. The real story goes back further, to Konrad Zuse, whose patent for a general-purpose electromechanical relay computer in 1938 was turned down by the Patent Office as being not specific enough. It may have been ENIAC that spawned the next generation of computers, but ENIAC was a one-task machine. Zuse's contraption had the feel of modernity to it: a machine that would do... anything.
But is that where hacking began? Certainly not. The longing to do... anything has been in the human psyche for ages. Perhaps we should begin with the revolutionary creation of the telephone, culminating with Alexander Graham Bell's historic "accident" on March 10, 1876. The telephone was not an immediate best seller. After all, you couldn't simply buy one and place it in your house and use it. Lines had to be installed. Networks had to be created to link home to home, business to business, and finally, state to neighboring state. It took almost thirty years of growth for the phone to spread throughout the country.
YIPL and TAP
So there was the telephone, there was the computer, and there was an undaunted
inquisitiveness in the collective human subconscious. It took another war to
shake that curious imagination loose onto the world, and on May Day, 1971, the
Youth International Party Line became the newsletter of the fun-seeking,
disenfranchised riffraff of New York City's Greenwich Village. Abbie Hoffman and a
phone phreak who went by the handle Al Bell used YIPL to disburse information
about cracking the phone network. It was the first instance of subversive
information of its kind finding a wide audience. Subscriptions to the journal spread
the word of this arm of the underground far away from Bleecker Street to people of
all walks of life. Today this distribution would be done by computer, and indeed, a
great deal of hacker/phreaker/anarchist material surfs around the world on the
invisible waves of cyberspace.
A few years after YIPL's inception, it became TAP - Technological Assistance
Program - when the goals of the phreaks collided with the more politically-minded
members of YIPL. TAP was more technical than partisan, and more suited for hackers
and their kin.
Computer Crime
The first recorded computer abuse, according to Donn B. Parker, a frequent writer
on computer crime, occurred in 1958. The first federally prosecuted crime
identified specifically as a computer crime involved an alteration of bank records by
computer in Minneapolis in 1966. Computers were not so widespread then as they
are now, and the stakes weren't quite so high. It's one thing to have money
controlled and kept track of via computer; it's quite another to have power
controlled in this way. In 1970, many criminology researchers were stating that
the problem of computer crime was merely a result of a new technology and not a
topic worth a great deal of thought. Even in the mid-1970s, as crimes by computer
were becoming more frequent and more costly, the feeling was that the machines
themselves were just a part of the environment, and so they naturally would
become a component of crime in some instances. It doesn't matter if a burglar
carries his loot in a pillow case or a plastic bag - why should the props of the crime
determine the way in which criminologists think about the case?
This was an unfortunate mode of thought for those charged with preventing
computer crimes, because while research stagnated, the criminals, crackers and
hackers were actively racking their brains to come up with more ingenious methods
of doing things with computers they were not supposed to be able to do. The
criminologists could not have realized then that the computer really was an integral
part of the crime, and that the existence of these machines - and the systems built
around them - led to whole new areas of crime and thinking about crime that had
never before been explored.
Lawmakers and enforcers, however, finally did sit up and take notice. In 1976 two
important developments occurred. The FBI established a 4-week training course
for its agents in the investigation of computer crime (and followed it up with a
second course for other agencies in 1978). Also in 1976, Senator Abraham Ribicoff
and his U.S. Senate Government Affairs Committee realized that something big
was going on, and it was important for the government to get in on it. The
committee produced two research reports and Ribicoff introduced the first Federal
Systems Protection Act Bill in June, 1977. These reports eventually became the
Computer Fraud and Abuse Act of 1986. Florida, Michigan, Colorado, Rhode
Island, and Arizona were some of the first states to have computer crime legislation,
based on the Ribicoff bills that had developed into the 1986 Act.
A year before, a major breakthrough was announced at the Securicom Conference
in Cannes by a group of Swedish scientists who had invented a method of silently
eavesdropping on a computer screen from a far-off distance. But let's save this
story for later. Much later.
2600
Tom Edison and Cheshire Catalyst, two phone phreaks who had been interested in
the nether side of technology for ages, took over TAP in the late 70s. The journal
came to an end before its time in 1983 when Tom Edison's New Jersey
condominium burned to the ground, the victim of a professional burglary and an
amateurish arson. The burglars had gotten all of Tom's computer equipment, the
stuff from which TAP was born. The arson, perhaps
an attempt to cover the burglary, did not succeed. It was a sloppy fire, one which
Tom and Cheshire hypothesized had been engineered by some irate phone company
officer. A few months later, the original TAP printed its final issue. The following
year, in 1984, hacker Eric Corley (aka Emmanuel Goldstein) filled the void with a
new publication: 2600 Magazine. Ironically, Goldstein is more a rhetorician than a
hacker, and the magazine is less technical and more political (like the original
YIPL).
Networks were being formed all over, enabling hackers to not only hack more sites
but to exchange information among themselves quicker and more easily. Who needs
published magazines? The City University of New York and Yale University joined
together as the first BITNET (Because It's Time NETwork) link in May 1981. Now
there are networks of networks (such as Internet) connecting the globe, putting all
hackers and common folk in direct communication with one another.
WarGames and Phrack
A hacker named Bill Landreth was indicted for computer fraud in 1983, and
convicted in 1984 of entering such computer systems as GTE Telemail's electronic
mail network, and reading the NASA and Department of Defense correspondence
within. Naughty boy! His name will come up again. 1983 also saw the release of
WarGames, and all hell broke loose. Certainly there had been plenty of hacker activity
before the movie came out, but previous to WarGames those hackers were
few in number and less visible. The exciting story of David Lightman (played by
Matthew Broderick), a school-age whiz kid who nearly starts World War III,
became the basis for many modems for Christmas presents that year. Suddenly
there was a proliferation of people on the hacking scene who were not really
hackers in expertise or spirit. Bulletin board systems flourished, and a large
number of boards catering to hackers, phreaks, warez d00ds (software pirates),
anarchists, and all manner of restless youth sprung up.
The online publication Phrack was founded on November 17, 1985, on the Metal
Shop Private BBS in St. Louis, Missouri, operated by Taran King and Knight
Lightning. The term "online" referred to the fact that this magazine was
distributed, not at newsstands and through the mails, but on the "news racks" of
electronic bulletin board systems, where collections of files are available for the taking.
Later, when the journal's founders went off to college and received Internet
access, the publication was distributed through list servers which can automatically
e-mail hundreds of copies of the publication throughout the world. Phrack is still
distributed in this way. As the name implies, Phrack deals with PHReaking and
hACKing, but it also is pleased to present articles on any sort of mischief-making.
Annual conventions, hosted by Phrack, called SummerCons, are now held in St.
Louis.
Shadow Hawk
Bill Landreth, who had been arrested in 1983, was let out on parole and there are
reports of his mysterious disappearance following publication of his guide to
computer security called Out of the Inner Circle. He left a note stating that he
would commit suicide "sometime around my 22nd birthday..." There was much
discussion about all this. Was it a publicity stunt, or for real? Eventually Landreth
reappeared in Seattle, Washington, in July, 1987, and he was hastily carted back to
jail for breaking probation.
The month before - on the anniversary of D-Day - a cracker named Shadow Hawk
(also identified by some press reports as Shadow Hawk 1) had been discovered by
an AT&T security agent to be bragging on a Texas BBS called Phreak Class-2600
about how he had hacked AT&T's computer system. Shadow Hawk (really Herbert
Zinn of Chicago) was an 18-year-old high school drop-out when he was arrested.
He'd managed to get the FBI, the Secret Service, the Defense Criminal
Investigative Service and the Chicago U.S. attorney on his tail for not only the
above mentioned hack, but also for invading computers belonging to NATO and the
US Air Force, and stealing a bit over $1 million worth of software. Shadow Hawk's
case is important because in 1989 he became the first person to be prosecuted
under the Computer Fraud and Abuse Act of 1986.
Shadow Hawk is just one example of how this hobby has gotten people in trouble
with the law. Around this time there were a lot of hackers being brought down by
all manner of cops: security officers for the telephone companies and other
organizations, the FBI, local police and
concerned citizens. This was the time when the investigators got smart. Not that
they suddenly knew more about computers and hacking, but now they understood
that to catch a lion, one must step into its den. These police agents started logging
onto hacker BBSs and amassed huge dossiers on the people who normally used
those boards. Many warnings were issued, and many arrests were made.
In August, 1986, Cliff Stoll first set out to find out why there was a 75¢ imbalance
in the computer accounts at the Lawrence Berkeley Laboratory in California. Stoll's
efforts led to the discovery of a group of German hackers who had broken into the
computer system. In October, 1989, a book about Stoll's exploits called The
Cuckoo's Egg was published and became an instant best seller.
Organized and independent hacker activity continued for the next few years with
little public interest. There were threats in early 1988 by the West Berlin Chaos
Computer Club that they would trigger Trojan horses they had implanted into
NASA's Space Physics Analysis Network, thus causing the chaos of their name. The
threats never materialized but minor havoc was wrought anyway, as many
computers were temporarily pulled from the net until the threat could be analyzed.
The end of 1988 - November 2, to be exact - marked the beginning of a new surge
in anti-hacker sentiment. It was then that Robert Morris Jr.'s computer worm
began its race through the Internet. Exploiting an undocumented bug in the
sendmail program and utilizing its own internal arsenal of tricks, the worm would
infiltrate a system and quickly eat up most or all of the system's processing
capabilities and memory space as it squiggled around from machine to machine, net
to net.
The Electronic Frontier Foundation
The birth of the Electronic Frontier Foundation was announced July 10, 1990. EFF
is a group dedicated to protecting our constitutional rights; it was created as a
response to a series of rude and uninformed blunderings by the Secret Service in
the witch hunt known as Operation Sundevil. By May, 1989, this "hacker hunt" had
led 150 Secret Service agents to serve 28 search warrants in 14 cities. They seized
23,000 disks and 42 computers, often for inappropriate reasons. E-mail was left
undelivered. Public postings never made it to the screens of the computer
community. Many innocent bystanders (as well as criminals) were arrested.
John Perry Barlow (author, retired cattle rancher, and a lyricist for the Grateful
Dead), and computer guru Mitch Kapor, best known for writing Lotus 1-2-3, were
outraged by these events (and by their own run-ins with the FBI over stolen source
code that was being distributed by the NuPrometheus League). They teamed up
with attorney Harvey Silverglate who was known for taking on offbeat causes.
Some yellow journalism by the Washington Post provided the publicity needed to
attract Steve Wozniak (co-founder of Apple) and John Gilmore (of Sun
Microsystems) who offered monetary support for the enterprise.
It was at this point that the Steve Jackson incident made the headlines. An
Austin, Texas, publisher of role-playing games, Jackson's business was raided by
the Secret Service because one of his games, called GURPS Cyberpunk, had to do
with a kind of futuristic computer hacking. The Secret Service called Jackson's
game "a handbook for computer crime." This was ludicrous, akin to arresting Milton
Bradley because they sell Chess, which teaches kids how to wage war.
Jackson's office equipment was confiscated, he was forced to lay off half his staff,
and he very nearly went into bankruptcy. "Eventually," Jackson later wrote, "we
got most of our property back (though some of it was damaged or destroyed). The
Secret Service admitted that we'd never been a target of their investigation."
Jackson sued the U.S. government (the Secret Service, two of its agents, and a
Bellcore official were named in the suit) on charges that the Secret Service had
violated his right to free speech during the office raid. Justice prevailed and the SS
was held guilty. Jackson has since made a role-playing game about the incident.
The summer of 1990 was filled with all sorts of similar surprises. There are the
famous stories, the infamous ones, and the ones that barely made the back page.
In the middle of August, thirteen New York young adults and minors were charged
with felonies involving computer tampering, computer trespassing, and theft of
services. They had broken into the Pentagon's computers, among others, and
got a whole load of law enforcers on their tail. $50,000 worth of computing
equipment was seized, said to have been used by the hackers to do the break-ins.
Dozens of stories like this were reported then quickly faded. Other tales and other
hackers held more interest, like Acid Phreak and Phiber Optik, who became
"celebrity hackers," speaking on behalf of the hacker community for various media.
Phiber Optik was eventually arrested and sentenced to thirty-five hours of
community service in February, 1991.
And the Craig M. Neidorf story made headlines. We have already mentioned
Neidorf (Knight Lightning) as one of the co-founders of Phrack. Neidorf published
an (edited) internal BellSouth paper in Phrack and was quickly charged with
interstate transport of stolen property, with a possible sentence of 60 years in jail
and $122,000 in fines. What was particularly absurd was that the document was
easily and legally available (though BellSouth declared it to be full of company
secrets), and it talked about the BellSouth bureaucracy as it pertained to 911
lines. Sixty years in jail for copyright infringement?
The EFF helped Neidorf through these troubled times (as they'd helped Steve
Jackson, and would come to aid many hackers and crackers who'd been treated
unfairly or with ignorance by the law). The U.S. dropped its case against Neidorf at
the end of July, 1990.
There are dozens or hundreds of stories about hackers every year, and there have
been for quite some time. Some are quickly forgotten; others provoke
controversy. Such was the case on November 6, 1992, when a group of hackers,
peacefully convening in the food court of the Pentagon City Mall outside
Washington, D.C., were bullied and manhandled by mall security personnel, Secret
Service and FBI agents.
Hacking has had a long past and will continue to enjoy a prosperous and successful
future because of people like us who enjoy seeing what secrets are out in the world,
waiting to be unearthed.
Chapter Three:
Researching The Hack
Any serious hack will involve some preparatory research long before the hacker
sets foot near a computer. This is simply because to hack intelligently, one must
have knowledge of certain facts and ideas.
With computer hacking, you should obviously have some knowledge about
computers and telecommunications (ideas) but to actually carry out a hack requires
just one fact: a phone number. Or if not a phone number, at least one way of
accessing a computer. Either case requires some research. Once you've called the
computer for the first time, some on-line research is required to tell you how you
should proceed with the hack. And finally, there is the ongoing research you will do
once you've gained access to a system, to help you make full use of the facilities
you've conquered. The "after re-search" is discussed in the chapter "What To Do
When Inside." For now, let us discuss what to do to get started.
Targeting
By targeting, I'm referring to the process by which a hacker will decide which of all
possible computer installations to attempt to breach. This may seem like a trivial
topic for many reasons, but in fact it is a topic well worth discussing.
Let's suppose you are a rookie at this game. You have gotten - through research of
some kind, or just plain luck - a piece of information you feel will be helpful in
entering a specific system. For example, suppose you've discovered through the
computer crime grapevine the phone number of a large governmental espionage
database. Naturally, it seems reasonable to call the number and see if it actually is
what you've heard it to be. On the other hand, it might be better to first research
your target to see if it's worth the time and the risk, and the phone bill. Look up
the number in a criss-cross telephone directory for that region. Criss-cross directories,
which are available at many libraries, are books (usually non-licensed by
the phone company) which list the names and addresses that go with phone
numbers. Unlike regular phone books, criss-cross directories are sorted by number
rather than name. If you can't get this sort of directory, call the operator and ask
who the number belongs to. Naturally it is preferable to use a directory on
your own, eliminating extraneous interaction with phone company employees
("witnesses"). If the phone number is publicly available, it probably isn't a
computer line after all, let alone a secret one.
It may seem crazy to you to go out of your way to look up a number before dialing
it, but remember, it is important to get as much information as you can about a
system before you make the first call. If it really is a top-secret database, it's
reasonable to assume that your call will be traced, or at the very least, will arouse
suspicion. As a novice one tends to get excited with one's first big break - and tends
to do stupid, dangerous things. You may not yet have the expertise to alter phone
company data, or call from a pay phone, or in some other way make it seem like
you are not the person placing the call. The rookie who calls a number of this kind
after doing a bit of research might be taking a stupid risk, but that's a few steps
higher on the professional hacker's scale than the one who calls without any
preparation at all. That's just being stupid, period.
So, as far as targeting is concerned, you may not want to follow up that first big
lead right away. It may be preferable to wait awhile, until you have the expertise
to do it properly. If you know something about a system no one else knows, it's
very likely going to remain a secret unless you spill the beans. If you try to act on
your inside knowledge and fail, you are ruining your chances of getting in later, as
the system managers might see their mistakes and correct them.
My word of caution is this: Don't get in over your head. Get familiar with floating
on your back before trying to scuba dive for sunken treasure or else you may end
up being the one who's sunk.
Targeting also involves other research. What if you do have some exciting secret
that will let you get in somewhere? Perhaps you should think about the best way of
reaching that system in the first place. For instance, if the system you're stalking is
on the Internet, you would have to determine a way to access the Internet
disguised as someone else before you could proceed to your main goal.
If you are enrolled at a college, or live near one and have access to your own
Internet computer account, it is a trifling matter to log in as yourself and, from
there, attempt to connect to other systems. It's not only trifling - it's dumb!
Regardless of whether you have mischief in mind, it's irresponsible and lazy to do
hacking logged in as yourself. Before you can move out of the few directories
allowed by your minimal access level, you will have to figure out a way to
disassociate yourself with what you do. That is - and I can't repeat it enough - you
will have to find a way to connect as somebody else, and through that connection
go on to bigger things.
Breaking into major league computer systems is very often a matter of, first,
personal hacking, and second, institutional hacking. That is, first you hack a person
(figure out a way of masquerading as that person), and then you hack the
institution (figure out a way of disguising that person as a legitimate user of the
protected system).
Time, money and effort can be spent needlessly on attempts to access systems that
ultimately turn out to be dead ends. Maybe your target is a school's computer,
because you want to change your grade from an F to A. You may think your target
individual would be the dean or some other school head, but as it turns out, in
many instances you would be wrong. School heads often have little or no access to
the computers which hold grades, unless they themselves teach classes. In this
case you would want to target a professor or more likely, a teaching assistant
(T.A.). They're the ones who have to do the actual inputting of grades.
Consequently you would want to research the professor or T.A. to get a handle on
what their passwords might be.
Then there's the matter of the computer. Which computer should you target for
your hack? Teachers, especially in math and computer science courses, will
usually tell you their computer address so you can send them e-mail. But that
isn't necessarily where you need to go to change your grade. More likely there is
some hush-hush administrative computer which carries out those functions, and it
is that computer you would want to hack.
It seems logical to assume that the president of a university has the highest level of
computer access. But does he or she really? Does the president actually have a
computer account AT ALL? You're probably better off targeting individual
professors. One English teacher I had mentioned Kojak a couple times in class,
and on several occasions made references to things that could be interpreted as
having some relation to that television show (sometimes he would use phrases that
Kojak used in the series). Obviously, Kojak is the place to start if one is interested
in forcing one's way into this guy's account (especially since he's an English
professor, and therefore less likely to understand the value of non-real-word
passwords). And trying Kojak-related words like "Telly Savalas," "lollipop," "bald,"
for passwords is the obvious way of personally targeting that English teacher's account.
But is he REALLY the one you want to use in the first place? If I had been failing
that class and wanted to get into his account to change my grade, Kojak wouldn't
have helped me; as far as I was ever able to determine, it was the teaching
assistants who had control over the grading, not the professors! This is why it's
necessary to target in order to achieve your intended purposes. If you have goals
in mind, do the necessary research to find out if you are targeting the right PEOPLE,
as well as the right computers.
Potential targets can often be found by reading publicly available documents about
a site. Documents pertaining to "ethical use" of the system, and articles
encouraging "preventative security" are often particularly enlightening. For
instance, here's a little quote I picked up from an outdated memorandum about
security policies. This is one suggestion taken from a list of what was felt to be
necessary improvements in security. By the time I read the article the
improvements had already taken place, but thoughts of needing security were long
gone from the minds of those who had written the memorandum, and so security
was lax. Here's the one suggestion from the list that stuck out:
Net 19 must be isolated completely by gateways from PCs and from the broadband.
Terminal server logins must be strictly enforced on all machines. PCs should be
implemented which will run software that will monitor the network for signs of
misuse and/or unethical usage.
Look at the goldmine of information that is given here. We have these suggestions
for improvement, so now it should be a simple task to determine which software
was purchased to implement the suggestions. From there we can see what the
software will and will not do, find out about bugs or loopholes, and use other
means to discover ways around that software. But most interesting of all (and the
point that is related to this discussion of targeting) is the mention of "Net 19." What
is Net 19? Obviously it is something that the administration wants to go out of
their way to protect. Clearly it's something well worth hacking. If you had been
the hacker to first read these words, clearly Net 19 would be the target of your
hack.
Keep in mind that I read this document from a public terminal, without having to
log in as anybody. It was accessed from a public information system. It is
information available to anybody, and look at the wonderful clue it holds for all who
see it! Now, when I read this I didn't know what Net 19 was, but I knew
immediately to target all efforts to finding that system and penetrating its security.
This is an example of accidentally found knowledge being put to good use. But
don't forget - I was reading through every publicly available document for the SOLE
PURPOSE of breaking into the system. The specific bit of information I found was
accidental, but my finding it wasn't.
In a way, doing this kind of on-line research - exploring every inch of the system
available to you before going after the private regions - is a kind of targeting. If
your goal is a specific private computer system, target all public systems related to
it before you begin. This can only help you in the long run. It might lead to helpful
hints, such as the mention of Net 19, or it might at least familiarize you with
various aspects of the system.
Things you should be looking for when you target a public system in this way, with
the intent of going after a correlated private system, are: how it handles input and
output; if any bugs are present and how the system reacts to them; what the command
format is (three letters? control sequence?) and what kinds of commands are
available; and machine specifications and hardware. Of course, there are numerous
other things you should either be looking for, or will unconsciously be picking up
anyway as you look around, like what the visual display is like and how long it takes
the computer to process commands. These are things that will be helpful later on,
because when you actually are trespassing, you won't want to spend hours trying to
find the help command or how to log off.
Targeting may seem not just trivial, but distracting as well. After all, a scientist
can analyze a rainbow using specific technical terms that explain what a rainbow is,
how it is formed, and why it displays its colors as it does. But in a way, this
complicated description of a rainbow is completely unrelated to the rainbow being
described. The explanation ignores the beauty of it. The techno-jargon shuns the
poetic connotations that we associate with the rainbow we are so interested in
describing.
You may use similar arguments to complain that targeting and pre-thought and
planning of hacking attacks distract from the pleasure of the hack itself. If you are
a hired hacker you will need to get the job done if you expect to get paid. But
otherwise, why should we bother to discipline ourselves with such nonsense as
targeting? You're right! Certainly you're correct! There is no reason to feel
obligated to apply these suggestions that I present. There is no pressing need to
think carefully about what you do before you do it, but you should be aware of
these things as you start. At least, if you break the rules, you should understand
how following them might have helped.
Targeting specific computers that hold interest to you, and that you are sure hold
the information you seek, and targeting people who have specific access levels and
abilities - all of this is like analyzing a rainbow and ending up with nothing but
gobbledygook. But in the long run, if you really want to end up at a position further
from where you started, if you want to hack for the enjoyment of it and maintain
high pleasure levels throughout the endeavor, I suggest you do these things. They
will help lessen the amount of frivolous searching and brute-force monotony needed
to get in, and will help you stay out of trouble. So, set up a general plan of action.
Make sure the goals you've outlined are really the ones that apply to your case.
That way you'll know that what you are hacking won't turn out to be a series of blind
alleys.
I keep bringing up the point of "intentions," and "goals," but unless you're a
private investigator or some sort of muckraker, you're probably willing and happy to
break into any computer available at any and all opportunities that present
themselves. This is fine too, and many hackers are so devoted (fanatical?) in their
pursuits that even if they know a computer system will offer them nothing exciting
once they get inside, they persevere because it is the thrill of the break-in itself
that drives them.
But as you can well imagine, it is much more interesting to break into a system
that holds secrets, than one whose contents are worthless to you. Is it worth it to
spend months trying to get into a system that contains statistics on the copulation
patterns of lab rats? (Not unless you happen to have an interest in that sort of
thing.) Choose your targets carefully. Getting into the system is half the fun; once
you're inside, the other half can be more exciting.
Collecting Information
Before you begin researching you should know what kind of information you should
be trying to find out. There are three topics a hacker should be concerned with:
Telecommunications in general, computer systems in general, and specific systems.
There is a certain level of understanding you should have about computers,
modems, the telephone and human nature. Hopefully this book will prepare you
with most of the information in these categories that you will make use of. If not -
and I readily admit this is not an all inclusive Bible of the Universe - then go around
to some local or special libraries and find out what you need to know.
Maybe there isn't anything you specifically need to know. You will still want to keep
up with the latest developments in technology as well as the organizations who run
the computers you intend to hack. Even if you think you know everything there is
to know, it can be most helpful to do a bit of reading to make sure you really are an
expert in your field, especially when dealing with such rapidly changing fields as
computer hardware, software and telecommunications.
So go to your local library. Go to the shelves with the computer books, and the
shelves with the criminal justice books, and the shelves with the business
management books. That's where you'll find the "legit" books about hacking and
computer crime. Every once in a while, take out some books on
telecommunications and look through them. You want to start getting familiar with
the various situations you'll be encountering, so look through books on the different
information services, on-line databases, computer crime, operating systems, BBSs,
and anything else that pertains to what you can do with a computer and a modem.
Look up "telecommunications" in the card catalog. Also "security," "computers,"
"hacking," "telephones," "modems," and anything else you can think of that's
relevant. Also, remember to look through the
books in the reference section; you will find the most useful materials there.
Hacking is best learned by doing, but many good tricks and leads can be found in
the literature.
By the way, do you know who the biggest book publisher in the world is? The
United States government. If your library is a government depository, read through
all the relevant government publications that interest you. You'll learn a lot from
that stuff.
I'm not saying you should read every book in the library, and I'm certainly not
saying you should read all this before you begin your hacking exploits. What I am
saying is that very often people don't realize the wealth of information that is available
to them free for the asking - no need to hack. And by reading these things
you will get familiar with what different computer systems look like when you log
onto them. You will get to know the kinds of commands that are available to you,
and what formats the systems use for names and passwords. Also, you will often
find toll free numbers listed in these books - lines you can call to test out various
systems, or to get information on the systems. All this information will be helpful
to you as
you proceed.
While you're at the library go to the periodicals section and take out some computer
magazines and newspapers. Borrow some that you don't normally read, or that
you've never heard of before. It is useful to write away for information from the
magazines, and to send in the Reader Service postcards to get free information.
It's amazing what companies will send you, and it's further amazing to think about
all the great tips this information offers to the hacker. I'm now on several
perpetual mailing lists from various computer security companies. I know
everything I need to know about all their products, their upgrades, what businesses
use their software - and from that information, I can hack my way around their
products. Knowing how they go about catching hackers, I know how to avoid
getting caught.
Another, sometimes more practical way to use the library is to find out about
donated books. Many libraries get donations of books, either for an annual book
sale or for their shelves. A lot of those books are old technical and company
manuals for computers, software, and operating system procedures. The librarians
who deal with donated materials will probably look at this sort of thing and throw it
out as useless. If you make friends with them, surely they would prefer giving such
"useless" items to you, rather than discarding them. I've gotten many valuable
guidebooks, reference guides, operating systems manuals, and disks this way. I
even have a very nice and very current set of AT&T security books.
Sometimes the books you pick up have notes scribbled in the margins or on the
cover. My favorite note was the one that gave a phone number and group ID
access code. The access code had since been deleted, but the phone number still
worked and so did the sample visitor's password listed in that manual.
Some Unusual Research Methods
They aren't really all that unusual, because after all, anything that works - works!
Any time you get an idea for a new way of discovering more about an online system
or the people who run it you should do your best to act on that idea. In the long
run every bit of data is potentially useful. Anything you manage to find will either
help you get in your present target computer, or get in another one some time in
the future.
Besides, it's always a delight to find confidential data or insider secrets about a
system. Share that knowledge with other hackers and you will be rewarded with
interesting tips that will be beneficial to you.
Here are five further research methods: online computer simulators and tutorials;
sorting through trash; found disk analysis; examining screenshots; and snooping.
Remember - these research methods work. Use them to your advantage.
Online Computer Simulators And Tutorials
Computer-based simulators and tutorials are often employed in teaching the ways
of the company computer system. These programs mimic the computer screens
users would see if they were to log in to the actual network. Tutorials and simulators
differ from the actual network in that they talk the user through a typical use
of the system, perhaps
showing off special features available to the user. If the user isn't given a
guided tour, there is often a workbook that is to be used with a scaled-down version
of the actual system, often one with extensive help facilities to teach the new user
the ropes.
Tutorials and simulators give new users hands-on experience with the problems and
policies of software they will encounter. They are very often used for training
purposes instead of the actual system, or as a supplement to it. There are several
reasons for this. What if the system is still being installed, or undergoing a
renovation? Or perhaps not enough terminals are connected yet for all employees
to access the actual system. Using simulators eliminates these problems since they
can be set up on any computer.
Temporary employment agencies may use software from a specific company to
pretrain their workers, especially if the agency gets a lot of jobs from a specific
company. Or regular employees may want the convenience of being able to borrow
a tutorial disk from the company library to practice on at home. Finally, a good
tutorial program or simulation can ensure that everyone receives the same quality
instructions, without leaving out important details which a human instructor might
forget to teach.
How to get them? Simulation programs may be available from corporate, special or
even academic libraries. You may also get hold of one from the publisher. Write to
a software publisher, saying you're interested in making a large purchase and ask if
a demonstration disk is available. And you may be able to procure one from a
friendly member of the company's computer department (do some social
engineering - pretend you're a company manager or supervisor).
Simulators and tutorials are great things for a hacker to come across; the
usefulness of them should be self-evident. They will help you learn the systems,
and perhaps reveal default entry-words, and might even come with descriptions of
system bugs.
Social engineering is the act of talking to a system user, pretending that you are
also a legal user of the system, and in the course of the conversation, manipulating
the discussion so that the user reveals passwords or other good stuff.
Sometimes you have to use your imagination to find other ways in which online
simulators can help. I was waiting in an office one day to see someone. The
receptionist stepped out for a moment and I stepped behind her desk and
borrowed a computer disk I'd noticed stuck in a book. The disk held a program called
ARRSIM (ARRangement SIMulator) which was actually a copy of a program they
used on-line, only with a minuscule database of names. The program was used to
teach employees how to use the computers to arrange and schedule meetings
between customers and potential contractors.
When I got home I booted it up and started playing around. At one point I tried
changing an address and the computer responded, "Supervisor Approval Required"
and put a cursor on the screen. Apparently it wanted a password. I tried the one
that was used to log into the simulator (which was scribbled on the disk label) but
that didn't work. I scanned through the disk with a file maintenance utility, but
could find no text (i.e., hidden password) that I had not already seen.
Now, it occurred to me that address changes were probably something that
everyone had to do every once in a while. So why had it asked for a password
when I tried to change an address? Obviously the program had been designed by
your usual paranoid manager who did not trust a receptionist to change a name or
address by herself.
So I called my favorite receptionist at the company, and after some suave insider
gossip about company matters ("So Sheila's a grandma! Was it a boy or a girl?" I
had heard her discussing this with a coworker the day I was there), I popped the
question: "Gaye, do you know what to type when it says 'Supervisor App'- "
"Oh isn't that silly!" she laughed. "It's really horrible. Type 'morris.' I don't know
why they have that there. Nobody's supposed to know about it but we use it every
day!" I thanked her and - you know what? - 'morris' didn't work as a password on
the simulator (I don't think anything did). But it was the password used to get into
the actual network. Apparently only supervisors were supposed to be able to log
on the terminals scattered throughout the offices.
Sorting Through Trash
It isn't really a dirty job, and nobody has got to do it, but serious investigators will.
By "investigators" I refer to hackers who are researching a company or computer.
It really isn't all that messy going through the garbage of most places. Often you'll
find a separate bin for white paper. Some may be shredded, but mostly not. Try to
plan your trips to the trash on days following a few days of sunny weather. You
want your garbage to be in tip-top shape.
While I'm inside the dumpster I like to make stacks of the papers I find and load
them into garbage bags. Then I bring it home to examine what I've collected. You'll
find internal phone directories, names of public and private individuals, training
manuals, outdated files, letters, information about projects being worked on, and
sometimes even mention of the computer system. Much of it is helpful, and most
is interesting too.
Even the regular trash is usually a pretty clean place to be (somewhat).
Rummaging around in the garbage bins of various companies, office centers and
other institutions, I have come across: microfiche, computer cards, entire boxes of
business cards, books, a dead cat (really gross), broken electronic junk, and lots
and lots of, well, garbage. Of course most of it isn't helpful for the hack, but often
there is knowledge to be gained. You can find out a lot about how an organization
functions by its trash, and the way in which that trash is organized.
The first time I did this, I took a single green trash bag from the bin behind a bank.
Bank bags, by the way, are stapled shut with a paper receipt that tells the name of
the bank, and the time and date of disposal of the bag. The trash within is of two
types. There are smaller bags containing refuse from each individual's office in the
bank, and then there is the cytoplasm of crumpled forms and discarded paper
tapes from behind the counter. The interesting parts are the bags from individual
offices. In my first garbage heist, one banker was Japanese - he was throwing out
a Japanese newspaper and a Japanese candy wrapper in addition to his bank-related
stuff. There was also the woman on the diet, the struggling-to-make-ends-meet
single mother, and the assistant bank director. Now the bank director, her
garbage was very interesting. It contained a discarded lock from the vault, a box of
orange "key hole signals (style V)," some vault-key envelopes, a slip of paper with
the combination to a safe scrawled across it like a clue in a parlor mystery (12R32L-
14R in case you care), and a memorandum to "Branch Managers" from the
woman in charge of "Branch Automation," which apparently had accompanied a
disk. From that letter I was able to get the name, address, and room number of
the bank's Branch Automation Department and from there evolved a social
engineer through the mails (see chapter on Social Engineering) which resulted in
myself getting a copy of the disk in question as well as some other very useful
information.
If you were caught hacking a trash bin, you used to be able to say that you were
"just looking for cans to recycle." Now offices pretty much recycle everything, so that
won't do for an excuse. The old "school" or "community project" ploy is always a
good bet: Say you are rummaging around in there doing research for a report on
government or business waste.
Before you even step out of your house the first time, do a bit of phone work to find
out what the garbage situation will be like. Call up the Solid Waste Department
and ask when garbage collection is for the street you have in mind to plunder. If
pickup is Monday morning, that's good, since you'll be able to go at night over the
weekend, when no one is around. You don't want to end up going the day after
collection, so make that call before you hop in your car.
As for recycled white paper, if there aren't any outside bins devoted specifically to
it, you might want to go to the office during the day (if it has a publicly-accessible
area) and take a casual look at the level of white paper in the recycling cans inside.
Do this at different times of day for a few days, and you'll get their recycling
schedule. Again, you'll want to nab white office paper when the bins are at their
fullest.
GIRK
Of course, you can go out scavenging unarmed through the trash bins of the world,
but to facilitate and quicken results, you will most likely want to
prepare beforehand for your excursion into the trash of white collar America!
FIG 1. A memo retrieved from the garbage contains valuable information.
Here are the things you should consider including in your GIRK - Garbaged
Information Retrieval Kit:
Rubber gloves. Either surgical gloves, or the kind you use while washing dishes.
Though most garbage you'll be rummaging through is "clean" (white paper bins for
recycling) it's a good idea to wear some sort of thin gloves anyway. You'll also want
to wear gloves when you're at home sorting through the bags you lifted.
Ladder. I'm not talking about real ladders here, although you may want to use
one. Some dumpsters are very high, or are vertically-oriented, and so climbing
out of them may be difficult. Find yourself an old chair or hassock somebody's
throwing away, and take it in the trunk of your car. Then you can either put it into
the bin from outside if it looks like you'll have trouble climbing out, or you can use
it to climb into the bin in the first place. Either way, if you have to leave in a hurry
for some reason you can safely leave it behind - after all, it was garbage to begin
with, right?
Flashlight. Take a piece of rope or a strip of denim or something and fashion a
strap. Make the strap just big enough so you can easily slip the flashlight on and
off your hand. Especially if you'll be rummaging at night, you will need a powerful
flashlight to guide you through the garbage. Make sure the batteries are okay - best
thing is to use rechargeables.
Garbage bags. Not the clear kind. You must use black, brown, or similarly colored
bags for this. After all, you don't want people to see what you've got in them. If
you're just pulling manuals, memos, etc., out of the trash and are not bringing
home whole, intact bags, you should bring along at least one of your own dark-colored
garbage bags, to put everything in. You might want to take two bags,
placing one inside the other, to insure against breakage.
Appropriate clothing. Don't go rummaging through garbage bins in your Sunday
finery! Wear shoes you'll be able to climb and jump with. Wear clothes that won't
snag, old clothes, clothes that you don't care if they get destroyed.
You might want to wear a custodial type outfit, if you have it. If you know the
company maintenance staff tends to wear baseball caps, or a certain color shirt or
jacket, then by all means dress similarly. Wear dark colors, not bright pinks, reds,
or yellows that everyone's going to be staring at.
Empty soda cans. Some hackers tell security guards or other onlookers that they're
searching for aluminum cans to recycle. You might want to fill up the bottom third
of one of your garbage bags with cans, or maybe leave an open bag of cans outside
the bin so bypassers will be able to figure out for themselves that you're collecting
cans for charity.
One time I told a stodgy old guard, "The science classes at my school are
competing to see how many cans we can recycle. For every pound of cans we bring
in, our school gets three dollars. The class that brings in the most cans wins a
prize. Right now we're in second place, so I want to bring us up to first!" He walked
away and came back with a handful of empty beer cans and bottles. "Are you doing
glass too?" he asked.
Remember: don't carry unnecessary things in your pockets, or things like watches
that are going to fall off your wrist. You don't want to lose money, wallets, credit
cards, notebooks or anything else to the hungry stomach of a garbage bin, so leave
all that at home. Before you leave the house, do a pocket check. Make sure you
have nothing that could identify you and nothing you can't afford to lose. This
seems like obvious advice but I can recall at least four different messages posted by
hackers on private BBSs where they said things like, "Jeez! I just came back from
the CompuPhone dump and I forgot to put my ring back on after I climbed out of
the can! Now I'll have to go back there tomorrow!"
On the other hand, you might want to take along a cheap watch or something that
didn't cost much but looks expensive. Then if some curious person comes along
you can jump up and say, "Here's that stupid watch! I knew that idiot janitor threw
it out with the trash!" Also, another good idea: Take a shower when you get home!
Found Disk Analysis
When you hack you begin to find disks everywhere. Some have been discarded,
mangled, warped, bent; some have been carelessly lost, in the drive of a public
computer, under a keyboard, behind a desk; and others you will find in their natural
place - lying around on people's desks, in disk boxes, in library reference books,
in file cabinets. You will want to be able to read data files off these disks and rerun
any programs on them.
I am not going to suggest that you actively steal disks that you find in an office or
wherever, but if you can manage to sneak one away for a few days or overnight
without it being missed, then the best of luck to you!
Before I go into what should be done with found disks, let's get our terminology
straight. Here I will be talking about microcomputer disks, which come in two
varieties: 5 1/4" and 3 1/2" disks. A disk is composed of two parts. There is the
square plastic outside, which I will refer to as the envelope, and the circular mylar
disk inside. The square envelope is simply a means of protecting the flimsy and
fragile disk within, and can be horribly mutilated without damaging data on the disk
itself. 3 1/2" disks have a small plastic or metal door that slides open to reveal the
disk inside. 5 1/4" disks are unprotected in this way; their disks are exposed
through an oval hole.
WARNING!
Never put a disk of unknown origin, especially a physically damaged one, into a
good disk drive. Before examining found or damaged disks, you should get ahold of
a cheap, second-hand drive and use that for found disk analysis.
Examining bad disks can easily damage your disk drive. Never use bad, damaged or
found disks on a good quality drive!
Check Up
Begin a found disk analysis by removing the disk from its paper sleeve if there is
one, and eyeballing both sides for any distinct problems such as grooves, coffee
stains or wrinkles. It is amazing what disasters disks can live through. During the
early '80s when home computers first hit the marketplace, there were warnings
everywhere: "Don't put disks by magnets, by your monitor, on your printer, or near
your telephone. Don't bend disks, don't let your fingers stray from the label..." And
on and on. Certainly you should treat disks carefully, but as we've learned since
floppy drives became inexpensive enough for anyone to afford, disks just aren't as
fragile as they were once thought to be. And certainly the plastic and Teflon they
are made of are cheap enough to throw away, meaning discards are common. So
if you are rummaging through a company's trash bin and you see a mangled disk,
take it - you might be able to get something interesting off it.
If there is nothing visibly wrong with the (5 1/4") disk, but you're still wary
(because you found it in a garbage can or in a dusty place or something) you should
carefully hold the envelope with one hand while rotating the disk with the other
hand (using the hub ring). Look at the disk through the oval window as you do the
rotation. Then turn the disk over and inspect the other side the same way. For 3
1/2" disks, you will have to hold open the sliding door with a finger as you rotate
the disk using the hub ring.
If you suspect that a 5 1/4" disk is filthy, or if there is any dirt at all inside, rotating
the disk may scratch it. Instead of rotating it, do this: Push the disk to the bottom
of the envelope with your finger. Take a pair of sharp scissors or a knife and cut off
a very thin strip of plastic from the top (label) edge of the envelope. With thumb
and fingers, puff out the envelope, and ease out the disk. Don't wipe dirt off the
disk - you don't want to scratch it. Try to blow away dust and dirt, or use a hair
dryer set on low heat, or a can of compressed air.
Now look inside the plastic envelope. You will see a lining of a white gauze-like
material. If that's dirty, throw away the envelope. Take a different disk (that
contains data you don't need any more), slit the envelope open the same way,
remove the disk and replace it with the other round floppy. Make sure the
reinforced hub ring (if it has one) faces front. Now you can try using this disk on
your cheap second-hand disk drive.
For 3 1/2" disks, you can first carefully remove the door, then gently pry open the
plastic envelope case with a knife. Don't jam the knife into the envelope; rather
work around the edges and corners where the two halves are snapped together.
Remove the floppy disk. Blow away any dirt, then put the disk into a clean
envelope, using tape to keep the pieces together. Replace the sliding door if you
can, but don't worry about that aspect if you have trouble doing so - most drives
will not miss it.
5 1/4" disks sometimes get folded or bent. They are still usable but the bending can
misalign your drive head. Not only will this ruin your disk drive, but subsequent
disks inserted may be irreversibly damaged. Therefore, never use bent disks on a
good drive, or good disks in your bad drive.
If you find a bent disk in the trash, first flatten it out as best you can. Put it on a
hard, smooth, flat surface. Cover it with a few sheets of paper, then take a heavy
book and press it down. Do NOT try to straighten disks by bending them the other
way. If the outside envelope still seems in pretty bad shape, remove the inner disk
and insert it in a good, flat envelope as described earlier.
Let's look at some of the other ways a disk can be damaged but still remain
salvageable.
Damage To One Side
If the damage to a disk is limited to a single side, you will still be able to read
data from the
other side. There are two ways to do it.
The first way is to use a superzap program to selectively read tracks, piecing
together data as you find it. Superzap programs, such as DOS's DEBUG utility,
allow you to alter the data on a disk one bit at a time. If you can get your hands on
an old single-sided drive it will make your work a bit
easier: simply insert the disk bad-side-up, and read away. (In single-sided disks,
data is normally read from and written to the back of the disk - the underside, if
you hold the disk label-side up.)
Figure 2. Don't try this with your store-bought disks! After slicing open the top, apply pressure to the sides (A). Then (B) slide out the disk. Now you can repair the disk, clean it, and slide it into a fresh envelope.
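The track-by-track salvage that a superzap program lets you do by hand, written out as an added example (mine, not the book's): it reads every sector on its own in cylinder/head/sector order, keeps the good ones, zero-fills and records the ones that come back with a read error, reports the damage per side so you can tell whether one side is still intact, and then scans the result for readable text the way the book's file-utility check does. The DamagedImage class, the 360K test image and the scratch on head 1 are constructed stand-ins for a real drive.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512

@dataclass(frozen=True)
class Geometry:
    """Cylinder/head/sector layout of a floppy; sectors are numbered from 1."""
    cylinders: int
    heads: int
    sectors: int  # sectors per track

    def lba(self, cyl: int, head: int, sec: int) -> int:
        """Map a CHS address to a linear sector number."""
        return (cyl * self.heads + head) * self.sectors + (sec - 1)

    def chs(self, lba: int) -> tuple:
        """Inverse of lba()."""
        track, sec = divmod(lba, self.sectors)
        cyl, head = divmod(track, self.heads)
        return cyl, head, sec + 1

    def total_sectors(self) -> int:
        return self.cylinders * self.heads * self.sectors

# Standard PC floppy layouts.
GEOMETRIES = {
    "360K": Geometry(cylinders=40, heads=2, sectors=9),    # 5 1/4" double density
    "1.44M": Geometry(cylinders=80, heads=2, sectors=18),  # 3 1/2" high density
}

class DamagedImage:
    """Constructed stand-in for a drive: read_sector raises OSError for every
    sector in bad_lbas, the way a real device reports a read error."""

    def __init__(self, data: bytes, bad_lbas: set):
        self.data = data
        self.bad_lbas = bad_lbas

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad_lbas:
            raise OSError(f"read error at sector {lba}")
        return self.data[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]

def make_test_image(geom: Geometry) -> bytes:
    """Constructed image in which every sector starts with its own CHS address,
    so each recovered sector is self-describing."""
    out = bytearray()
    for lba in range(geom.total_sectors()):
        cyl, head, sec = geom.chs(lba)
        label = f"C{cyl:02d}H{head}S{sec:02d} ".encode()
        out += label.ljust(SECTOR_SIZE, b"\xe5")  # 0xE5 is the classic filler byte
    return bytes(out)

def salvage(dev, geom: Geometry):
    """Read every sector on its own, in CHS order. An unreadable sector is
    replaced by zeros so later offsets stay correct, and its CHS address is
    recorded; one bad sector never aborts the rest of the read."""
    out, bad = bytearray(), []
    for cyl in range(geom.cylinders):
        for head in range(geom.heads):
            for sec in range(1, geom.sectors + 1):
                try:
                    out += dev.read_sector(geom.lba(cyl, head, sec))
                except OSError:
                    out += bytes(SECTOR_SIZE)
                    bad.append((cyl, head, sec))
    return bytes(out), bad

def damage_per_side(bad, geom: Geometry) -> dict:
    """Count unreadable sectors per head. A head with a count of zero is the
    side that can still be read whole, e.g. with a single-sided drive."""
    counts = {h: 0 for h in range(geom.heads)}
    for _, head, _ in bad:
        counts[head] += 1
    return counts

def printable_runs(data: bytes, min_len: int = 6) -> list:
    """List the ASCII text runs in salvaged bytes: the same check as scanning a
    disk with a file utility to see whether any readable text survived."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # the sentinel flushes a run that ends at EOF
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

if __name__ == "__main__":
    geom = GEOMETRIES["360K"]
    # Constructed damage: a scratch across head 1 on cylinders 10 to 12.
    bad_lbas = {geom.lba(c, 1, s) for c in (10, 11, 12) for s in range(1, 10)}
    image, bad = salvage(DamagedImage(make_test_image(geom), bad_lbas), geom)
    print(f"recovered {len(image)} bytes; {len(bad)} unreadable sectors")
    print("unreadable sectors per side:", damage_per_side(bad, geom))
    print("first text runs:", printable_runs(image)[:3])
```

With a real drive, read_sector would wrap a raw device read at that sector's offset; everything else stays the same.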
A second option is to use a cosmetic disguise to hide the damaged side of the disk.
For example, suppose you have found a 5 1/4" disk with unremovable blemishes on
one side only and your drive simply refuses to read the disk. Here's what you do.
Take another 5 1/4" disk, format it, then cut it open. Remove it from its envelope,
and tape the new disk over the blemished disk. The tape should be between the
two disks (thin double-sided tape works best). Make sure you line up the two disks
precisely. Insert the taped disks back into a clean envelope, and see what you can
make happen!
Rips And Tears
You can very carefully tape a ripped disk back together with thin transparent tape.
Make sure to only put tape on one side at a time. Once you've gotten all the data
you can off one side, you can remove the tape and repair the other side. As before,
it is imperative that you don't let the tape get onto the side of the disk which
the drive will be reading, or you could throw off your drive's read/write head, and
may get sticky stuff on it, too.
Imperfections
If a disk looks okay, but will only give you "Read Errors," it is probably physically
damaged on a microscopic level. It may have little holes or dents in it,
imperfections that are too small for the naked eye to see. You can push past bad
spots on a disk by manually rotating the disk inside. If the damage is limited to a
small area of the disk, it may be that the damaged segment is the part the drive
tries to read first. If you manually rotate the disk a little to the left or right, the
new section of disk which you reveal may not have that damage and may therefore
be readable. Keep rotating the disk, a little at a time, until you've found a spot that
is readable.
If you never find a readable spot, perhaps you've been duped! Maybe the disk is
blank, or it isn't suitable for your computer. Or maybe it's single sided and you've
inserted it with the wrong side facing the drive's read/write head.
A disk that you find in the trash bin may hold corporate data, proprietary software,
maybe even a tutorial or simulation like we discussed earlier.
You never knew there was an archaeology side to computer hacking, did you? But
that's exactly what all of this is; we are looking into people's lives to see what they
think about, to find out what's important to them, and to learn from their experiences.
Hacking a damaged disk that you have unearthed from a trash bin will lead
you to details you would otherwise never have imagined existed. I highly
recommend the exercise for the thrill value, and for the intellectual workout to be
gained from this pursuit.
Examining Screenshots
The photographs of computers you see in books, magazines, system
documentation, promotional literature such as posters and pamphlets, government
publications and booklets, as well as the pictures of computers available on
television documentaries, news shows and commercials -can all contain valuable
hacking information.
Computer photos might show just the screen (or monitor), or the entire computer,
including keyboard, CPU and accessories. Or the picture might depict an actual
computer in its natural environment with perhaps an operator visible.
The first group, essentially "screenshots," can be helpful in showing you what it
looks like to be inside a particular system that you have never really accessed.
This can clue you in on what accessing style the system uses, if the password is
displayed on-screen as it is typed, username and password styles, what features
are available, and much more, depending on what the photographs are attempting
to illustrate. Similarly, in user manuals and other instructional aids, drawings of
screens are often found containing the same information, as well as default login codes,
text specifics, error messages, and other handy stuff.
Knowing error messages and knowing the layout of the screen will make you a
more believable system administrator or low-level user when you attempt some of
the social engineering tricks mentioned later in this book, especially if the
computer system in question is one that is closed to outsiders. Seeing examples of
logins will give you ideas on
how to go about a brute force attack. If a user name is shown or illustrated, it may
be a valid one. Even if lower down on the screen all you get for password
information is a row of asterisks ("password: ********"),
it will still help you in determining the length passwords are required to be. If in
separate photos taken from separate sources, both passwords are shown being
covered by eight asterisks, that is a good indication that either there is a default
eight-character password used to demonstrate the system, or that passwords are a
maximum length of eight characters.
Style of username is important too, and will usually be visible. Seeing examples of
usernames lets you know if first and last names are required, if uppercase letters
are needed, whether abbreviations or company names or group names are used for
usernames.
Photographs that include more than just the screen often show the keyboard being
used (look for misplaced or special keys), keyboard overlays, the kind of computer
setup, and possibly messages taped to the CPU or monitor. A more generalized
shot may show the computer's surroundings. Is it in a closed office, or are many
terminal operators working together in close proximity? What books are there on
the shelves? You may be able to see things of interest hanging on a wall, or lying
around on the desk. A user might be in the picture; is he or she wearing a name
tag? Are pictures of a family present, or items suggesting a hobby, such as a
mounted baseball or a fishing rod? All available data can be put to use by a
hacker.
When I refer to the computing environment, I am, of course, only referring to
pictures of computers in their natural environments, as opposed to staged photos
in advertisements, like the kind showing a Macintosh in your typical teenager's
room. Newspaper and magazine articles are often accompanied by the kind of
computer photo you will want to analyze.
Seeing these things - signs of family life, books and hobbies, a typical user and
what he or she is wearing - gives clues to passwords. The specific kind of computer
may suggest ways of breaking in using known bugs or loopholes. The computing
environment also will allow the social engineer to pretend familiarity with an
otherwise private room or office inside a building.
An additional way computer photographs can help is by looking to the bottom,
usually in the caption, to where the source of the photo is listed. The source may
give a photographer's name, in which case that photographer may be discreetly
pumped for information, or it may give clues as to a relevant city, business or
organization. This can help in determining phone numbers, means of access, and
also passwords.
These are just some of the ways in which close magnifying glass work will help you
find out more about your intended target system. You can see why it is a good idea
to videotape as many computer-related TV shows as you can; you can always fast-forward
through the boring parts. Freeze framing a specific scene may help give
insight into the hidden side of a system and the people who run it.
If you get a lot of static on your television when you freeze a frame, try cleaning
the VCR. If that doesn't clear up the problem, it may be the audio component of
the tape that is interfering with the video picture. Try taping just the video part of
the tape you want to freeze. One way to do this is to connect two VCRs together
using just the Video In/Video Out cable, ignoring the audio link. Copy the relevant
portion of the tape, and you will have a picture without accompanying sound to
muddy the screen.
You should only have an audio problem like this if there's a lot of background sound
to begin with, like loud narration or loud music going on.
Here's an example of how this kind of photographic detective work pays off:
A hacker named Bellee was watching a behind-the-scenes-at-the-police-station
show on her local cable channel. A close-up on a computer screen revealed the
last three digits of a phone number that was being dialed by modem. The rest of
the number was invisible due to glare on the screen. Bellee knew the police
databank being called was headquartered in a specific town in Maryland, because
the officer giving the tour had mentioned it. Some of the access codes being typed
to get into the databank were easily visible or inferable by all who watched the
show, but some weren't. A bit of library research got Bellee the three-digit
exchanges that were local to the township the cop had mentioned. Bellee then
dialed each of those exchanges until she found the correct phone number. (Because
she had the last three digits from the television show, she only had to call each
exchange 10 times to fill in the missing digit.)
Once she got through, she was able to use the login information she knew (a
precinct number, municipality and state were needed) and hack the part she didn't
(she knew she needed an eight-letter password from the TV show). So watching
television paid off for Bellee.
Even widely syndicated shows can mess up by inadvertently revealing important
clues to an observant audience. Anyone who happened to be watching a certain
episode of Geraldo Rivera's Now It Can Be Told news show in late 1991 would have
seen a story on a group of hackers and how they broke into a military computer.
Several times during the course of the story the camera came close to the
computer's screen, where the electronic address of the computer they had hacked
was visible. The story also reported that the hackers had added an account to the
system under the name "dquayle," with no password. As you can imagine, soon
after the segment aired the account was closed up. As of this writing there is
definitely no "dquayle" account on the system (I just called and checked), and some
of the more common ways of gaining access to the system have been noticeably
shut down. For example, it is no longer possible to call up anonymously and
retrieve files from that system.
Snooping
You can go on tours of a lot of places, either officially or unofficially. A tour might
be one that is regularly run for wide-eyed kiddies and their parents, or it may be
one specially set up for you because you say you are a journalist who wants to do
an article on the company. While taking your tour you will be gleaning valuable
information about the computer rooms, and about the person conducting the tour.
That's all good information that can be put to use in guessing passwords. If you're
suave enough, you can talk a proud computer owner into showing off the power of
his machine or the new game he's gotten. This can only help you when you go
home that night and hack the place. Just seeing the computers can be a boon, and
seeing the screen setup is helpful as I've outlined above.
Now here's a hint I like to make use of, though I get to do so only irregularly. We
are all familiar with the phenomenon of phosphorus burnout. That is, when one
image is displayed for an extended period of time, the image gets burnt into the
screen. Very often menus get burnt into the screen, and so occasionally I've been
in places where there is an old terminal that used to be for employees only, but has
been moved into a publicly accessible spot. Many of the functions available for staff
use only are visible on the screen and can be put to use or hacked. (You might have
to fiddle with the brightness controls to see what it all says.) Other times I've
snuck a peek at the computer behind the counter, and although an innocuous
screen was being displayed at the time, there was worthwhile stuff barely visible,
burnt into the screen.
Many businesses, institutes and organizations run what are called special libraries.
These generally concern themselves only with the product or service which is the
group's field of interest, but also include valuable details on the group itself. For
instance, a company library might have manuals in it to the company's unique
computer system. Often there is a helpful listing of what programs are available on
the mainframes. Such a program listing might include mention of what security
products are enabled, and you can write to the maker of those security products
for details.
Snooping around buildings undergoing reconstruction can be worthwhile, as can
snooping around buildings whose occupants are moving to a new building.
In such cases, doors are found wide open, with computers and manuals lying
around all over the place.
I remember one building I went to that was temporarily vacated due to
construction, which had tons of cartons, desks and workstations out in the corridors
(they were repainting offices). I found masses of passwords stuck to keyboards by
Post-It Notes, and passwords scribbled on desk blotters, and taped to the underside
of drawers. It was amazing that people could leave their secrets lying out in the
open like that, and yet it happens all the time.
From snooping around the lounge in a school building, I came up with handy
reference manuals, decade-old literature from a defunct computer users group,
programmers' guides, and other stuff. This wasn't all necessarily useful for hacking
purposes, but it was interesting to read. And it was interesting to rescue it from its
dusty box on the top shelf of a closet.
Figure 3
Secret information that must be used every day (such as access codes) is often
found hiding on little scraps of paper: (A) on a cork board, (B) attached to the
side or top of the monitor, (C) on nearby file cabinets or other furniture, (D) under
blotter, (E) under mouse pad, (F) in desk drawer, or (G) underneath the desk.
In that same building I found a little room whose door was closed and had four
signs attached to it. The first, formal and engraved, said, "Computer Room." The
rest were menacing, either hand lettered or printed by computer: "Keep this door
locked at all times!" "For authorized persons ONLY!" And lastly, another stern
reminder, "ALWAYS lock this door when you leave!" Needless to say, the door was
unlocked.
Inside there was a huge and informative operating system reference manual and
two PCs, each of which had modems. From surfing the hard disks on one of those
computers, I found that the terminal program was set up with script files <A "script"
is a file that you use with a terminal program. You set up the terminal program so
that when you log onto a system, the contents of the script file are sent to that
system. So if you have to go through some long and convoluted login procedures,
you can put the commands into a script and have the computer automatically log in
for you. This is handy, both for legitimate users, and for hackers who happen to gain
access to those script files.> that contained phone numbers, passwords and other
login procedures. Always look for such things when you snoop.
Snooping can bring to you those tutorial and simulation disks, as well as damaged
disks, trash and insider literature which one can only get from either being
employed by a company, or by snooping around. It adds a bit of physical excitement
to the usually passive art of hacking, and it gets you away from the eyestrain of
computer screens for a while.
It is not always necessary to research before a hack, but it is always helpful.
Research in any form doesn't have to be undertaken with a particular hack in mind.
Like my random snoopings of the torn-apart building and the university lounge,
general explorations can lead to fruitful information. In other words, all hacking
doesn't have to be done on computers. There is also such a thing as the person
who hacks -joyously -life.
Chapter Four
Passwords And Access Control
Three dominant classes of access control have developed to protect computer
installations.
They are:
• knowledge-based controls (passwords)
• possession-based controls (keys)
• controls based on personal characteristics (biometric devices)
Possession-based controls have to do with things the user owns, like a physical key
or magnetic card. Sometimes there is a metal clip of a peculiar shape that must
fit into a hole in the computer before the computer will operate. A "key" could also
be an identification badge, or a signed letter from a person of high status in the
company, granting permission to access a site.
Biometric devices are those which look at some trait of a potential user and
compare it to traits previously recorded, such as fingerprints, signature, or
geometry of the hand.
These two forms of computer security may be designed for remote access control,
although usually they are implemented at the site where the computers are
located to limit access to either the computer room or the computer itself. Thus,
descriptions of biometric and physical keys will be further developed in the on-site
hacking section of this book.
The first class of access control - also the most common - is knowledge-based.
That is, control is limited to those persons who can prove they have knowledge of
something secret, usually a password. Discovering that password constitutes a
large portion of hacking. Here, then, is everything you need to know about
passwords: how they work, how they are stored, and how they are broken.
Passwords
The cheapest and easiest way to protect any kind of computer system is with that
old standby: the password. Even computers that under normal circumstances have
no need for security features often come equipped with password protection
simply because it feels good to use and doesn't cost much in terms of time, effort or
storage space to implement. Furthermore, systems which are protected by other
means - by magnetic cards or by software alternatives such as encryption - will
double or triple the security of their assets through the use of a password system.
Thus, on practically all computer setups you are likely to encounter passwords of
one form or another.
Passwords are usually thought of as the entrance keys to a computer system, but
they are also used for other purposes: to enable write access to drives, as
encryption keys, to allow decompression of files, and in other instances where it is
important to ensure that it is the legitimate owner or user who is attempting an
action.
There are seven main classifications of passwords.
They are:
• User supplied passwords
• System generated random passwords
• System generated random passcodes
• Half and halves
• Pass phrases
• Interactive question-and-answer sequences
• Predetermined by code-indicating coordinates
If you intend to hack a computer installation you will first have to figure out which
of these seven password types are used by that system. The first type is the most
common; generally users are asked to think up a personal password for themselves.
System generated random passwords and codes may be of several kinds. The
system software may supply a completely random sequence of characters - random
to the point of cases, digits, punctuation symbols and length all being determined
on the fly - or restraints may be used in the generating procedures, such that each
passcode conforms to a prearranged constitution (like "abc-12345-efgh" where
letters and numbers are randomly generated). Or, computer-produced passwords
may be taken randomly from a list of words or nonsense syllables supplied by the
program authors, thus creating passwords like "nah.foop" or "car-back-tree".
Half and halves are partially user-supplied, while the rest is composed by some
random process. This means that even if a user supplies the easily-guessed
password "secret," the computer will tack on some abstruse gibberish at the end,
forming a more secure password such as "secret/5rhll".
Pass phrases are good in that they are long and hard to guess, but easily
remembered. Phrases may be coherent, such as "we were troubled by that," or
they may be nonsensical: "fished up our nose." Pass phrases are used when the
manager of a site is particularly security-conscious. Usually you don't see pass
phrases required by a system, although the programming required to enforce a
pass phrase rule is trivial.
Related to the pass phrase concept is the phrase acronym, which security experts
have been applauding as a short but equally safe form of password. In a phrase
acronym, the user takes an easily remembered sentence, phrase, line from a song
or poem or other such thing, and uses the first letter of each word as the password.
For example, the acronyms for the two pass phrases above would be "wwtbt" and
"fuon." You can see that innovations in password theory such as this will greatly
increase the difficulty hackers will encounter in future electronic espionage.
The sixth password type, question-and-answer sequences, requires the user to
supply answers to several (usually personal) questions: "Spouse's maiden name?",
"Favorite color?", etc. The computer will have stored the answers to many such
questions, and upon login will prompt for the answer to two or three of them.
These question/answer sessions can be delicious to the hacker who is intimately
familiar with the user whom he or she is attempting to impersonate. Systems
which use question-and-answer sequences also tend to be programmed to interrupt
users while online every X minutes, and require them to answer a question to
reaffirm their validity. This can get pretty annoying, especially if someone's in the
middle of an exciting online game when it happens. Q&A is used only rarely
nowadays. When it was first proposed it seemed like a good idea, but the
bothersome factor has resulted in this method being pretty much phased out.
Passwords which are predetermined by code-indicating coordinates usually rely on
some external device, such as the code wheels used to deter software piracy. In
any case, a set of key prompts are offered by the computer, and the user is
required to return the appropriate responses to them. You'll often see this type of
password being used on a system with once-only codes.
Once-only codes are passwords valid for only one access. Sometimes they are used
as temporary guest accounts to demonstrate a system to potential clients. Once-
only codes may also be employed by the system to allow actual users to log in for
the first time; the users will then be expected to change their password from the
one provided to a more secure, personal code. In situations where groups of
people must log in, but security must be maintained, a list of once-only codes may
be provided. Users then extract one code at a time, depending on external factors
such as time, date or day. Maybe you can find a list of codes by going through the
garbage of a place? The codes won't work anymore, but you'll get a sense of what
the system expects from you.
Passwords Supplied By The User
Most passwords are of the choose-it-yourself variety, and due to security awareness
most contemporary programs which ask for a password to be supplied will not
accept words of a certain short length which the program deems to be too easily
"hackable." Most passwords will be more than four or five characters long. Other
measures to protect users from their own lack of password creativity might be
taken as well. For example, systems may force passwords to contain a mixture of
upper and lower case, numbers, and perhaps disallow obvious passwords (such as
"computer").
Software is available for most operating systems which looks through the
computer's password files, analyzes user passwords and decides how secure they
are. Unsecure passwords will be changed, or prevented in the first place. This is
one area where your prior research should help you. Generally you will know which
of these programs your target has installed, and what passwords the software will
not allow.
Regardless of how clumsy-brained or brilliant a person is, all people tend to think
alike. It is only through learning that they begin to think in creative ways. Even
then, initial assumptions and first conclusions are similar for a given peer group.
What this means is that when a person logs onto a computer for the first time, and
is prompted for a password - especially if that person is under stress of time or
place - that password is likely going to be a variation on some common themes.
Imagine some of the situations people are in when they are asked to create a secret
password for themselves. They may be calling a remote computer over a long
distance phone line, or surrounded by a group of technicians who are there to
teach them to use the system. In any case, the prompt is there on the screen and
with it, a sense of urgency is brought to mind. People type the first thing they
think of, the first thing they see, or hear, or are hoping to do once they get past the
login procedure. The password is entered quickly, and rarely is it changed to a
better, more secure one.
Thus, many passwords relate to top-of-the-mind thoughts, such as job, family, possibly
current events, possessions, environment, hobbies or interests. If you can
either find out or guess any of these traits of a valid system user, the number of
potential passwords you will have to guess will decrease significantly.
Get catalogs from the companies that make wall posters, humorous mugs and other
novelty items one finds around offices. How many times have you seen that tired
phrase, "You don't have to be crazy to work here... But it helps!"? I guarantee the
word "crazy" gets picked off that mug every day as a password. Think about the
age and life-styles of the average user whose account you are attempting to
breach. An office in a corporate setting probably wouldn't have a nudie poster
hanging up - but a college dorm would, and so you may get passwords such as
"playmate," "Victoria," "body," or "month."
The easiest way to get a password is to enter it yourself for the user, or to supply
the password to the user who is logging on for the first time. You might be acting
the role of computer tutor to a novice, and while showing him or her the ropes,
downplay the security aspects and allow him or her to tell you the password as they
type it, either because they spell it out loud, or because you watch the person's
eyes light up as his or her gaze falls upon the wall poster with the word
"surfboard" written across the top. (Or they say, "Gee, what's a good secret
password? Oh, I know - " and proceed to spell it out to you as they hunt and peck
at the keyboard.) Most often you will be hacking away at user accounts that have
been long-established. On these you will have to use some kind of either brute force
method, observation, social or technical method of password retrieval.
Most passwords are dictionary words, like "subway," "table," "chocolate" or
"hotdog." Honestly, can you imagine any computer novice sitting
down and entering "fMm6Pe#" as a password? Of course not!
Scrabble rules do not apply here: proper names are allowed in password creation,
as are misspellings, abbreviations, non-words and foreign terms. Thus a person
who likes watching Star Trek may have the password "enterprize" instead of the
correct "Enterprise." Whether that's due to bad spelling habits or because he or
she simply likes it better that way is unimportant. What is important is that you
have to be aware that misspelled words exist in passwordland. You are going to
find the letter "k" used in place of hard "c," as in "koka kola." You will find "x" for
"ks" (thanx), and other phonetic substitutions, like "lether," "fone" and "stryker."
Some hackers will go through every word in the English language until they find
something that works as a password. If the password they seek is a real word, but
isn't spelled correctly, they are going to be wasting vast amounts of time.
Complete brute force dictionary attacks are often fruitless, useless, adolescent ways
of doing things.
Many words recur frequently as passwords, and examples are given in the
appendices. However, there are many words that you would almost never expect to
find as a password on a system. Is it reasonable to suspect a person will enter an
adverb for a password? Words of this sort would be the last ones to try. Real-word
passwords will generally be nouns ("eyeball," "drums," "kitchen"), verbs (usually
obscene ones), and perhaps adjectives ("purple," "great," "happy").
Girl friends, boy friends, and the cute pet names they give each other are popular
passwords; these you would have found out from prior research. Also semi-
popular are passwords with the word "sure" embedded inside them, as in "forsure"
or "fursure," "surething" or "asb" (short for "a sure bet"). Besides dictionary words,
you can expect to find names of relations, streets, pets, sports teams and foods;
important dates and ID numbers, such as social security numbers, anniversaries, or
birthdays; and keyboard patterns. Examples of keyboard patterns include
"kjkjk," "700u," "WXYZ," "ccccccc," "0987654321," "asdfgh" or "qazwsx." Look
at the location of these letters on a keyboard if you are confused about these last
two examples. Keyboard patterns will usually be simple repetitions of characters,
portions of columns or rows or every-other-letter designs. Keyboard patterns may
be wholly unguessable and yet fully logical when you know what's going on at the
other end of the phone line. For example, "05AF" may seem a funny thing to pick
up from a keyboard, but when you know the computer in question has a special
hexadecimal keypad attached, the whole thing starts to make sense.
Figure 4
A hexadecimal keypad, used by some computer programmers to allow fast entry of
numbers in base 16. The keypad illustrates a principle smart hackers will follow:
That what you see on your side may be different from what they see on theirs.
Some keyboard patterns I've actually seen being used on systems: "abcdef,"
"qwerty," "12345," "xxxxxx," "opopopopp." If you know the minimum password
length is six characters, don't expect patterned passwords to go much beyond that
minimum. On the other hand, you can't reasonably try out every possible pattern:
there's an infinite number. Beyond a certain point, guessing keyboard patterns is
strictly reserved for amateur hour.
Possible Password Investigation
One of the sources I used to research this book was an unofficial manual for a
popular fee-based information service. Throughout that book, the author
continuously made references to her pet cat, her love of Philadelphia soft pretzels,
her favorite football team, her husband and children, and her newly acquired
interest in computers. Not only did references to these aspects of her life abound in
the text, they also appeared in illustrations of the service's "Find" command,
sample messages and sample letters.
I knew the author's name, of course. I knew she had a membership on this
system, and I knew about her life. It was insanely simple to get her personal ID
number on the system and, yes, within two dozen password guesses, to access the
service under her account. She has since taken my advice and changed her
password.
This isn't an isolated example! Every day you and I read newspaper articles,
magazine columns, and books - in which the authors give away their computer
addresses so readers can respond. Yesterday I heard a radio talk show host give
out his CompuServe address for the large listening audience who didn't get the
chance to speak out on the air! We know enough about many of these authors and
others to be able to make educated guesses of their passwords. Even if an author
doesn't mention personal details in the book, there's usually an "About the Author"
section to turn to for facts. Many computer books are written by college professors;
naturally you'll know what college they're at, and so you have a lead to an account.
If the sample program segments they list entail baseball trivia, you've got
a good idea where to begin a brute force siege.
With all of this said, I want you to realize this is for informational purposes only. I
made the above remarks only to point out some of the lax security around anyone
in the public eye. Don't get any funny ideas about breaking my passwords!
Another trick is to look in Who's Who books. Almost all industries have a yearly
Who's Who published. Many of these are vanity affairs: people pay to get a write-
up about themselves listed. You can get good data from these, and if you can't get
enough good data, print up your own official-looking Who's Who form and mail it to
the person you have in mind at the company. Make sure the accompanying letter
states that once they fill out the form, their entry will be included free of charge in
the eventual book, and they will receive one copy of the book, free. This will help
ensure that they mail you back the form. It also ensures you get good data to help
you crack their passwords.
One more helpful subterfuge, this one involving socializing with cronies at the
company. Call up an office and talk to a receptionist or anyone who knows
everyone's gossip. Say you're from a new trade magazine specializing in that
business's field of endeavor. Ask for the names of all the major department heads,
and their secretaries, so you can send them a free trial subscription. Then call back
and talk to each of their secretaries. Have them fill out "market research" cards,
again for some prize, like a free subscription or a clock radio or something. Typical
marketing questions for trade magazine subscribers include inquiries about
schooling, degrees held, industry awards, trade association memberships, military
service, salary range, and length of service at the company. As the conversation
continues, start asking about hobbies and outside interests, favorite sports, names
of kids and spouse, and home address. These too are acceptable questions for a
market research surveyor to ask; they are also valuable possible password leads.
The short version of this is to call up, say you're one of the assistant editors for a
trade magazine, and you're trying to find interesting people in the field. "Do you
know of anyone there who has done anything at all spectacular, or has any
particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone
with special talent? Musical talent, for instance?" Keep going like this; eventually
you'll hit upon something, and you can use the above tricks to find out more about
that person than you ever thought you could.
Uncovering a subject's interests is called making up a personality profile or, for
hackers, a password profile. The technique is done whenever the hacker has a
specific individual in mind, whose computers the hacker wants to crack. If you
wanted to read the e-mail and other private files of some
head honcho at a corporation, you would go find reports of said honcho in the
media, see what he or she likes, and go from there. One popular stratagem,
mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that
often a chief person in an organization is given an account to demonstrate the
new computer system, under the assumption that setting up a new account is too
difficult or time consuming for the busy leader to do on his or her own. This
account will of course have a natural English password, something of either the
easily-guessed variety, or something from the boss's list of interests. ("Say, Mr.
Larsen likes fishing, doesn't he? Put in 'FISH' as the password!")
So let's suppose you know a person's hobbies or interests: From there, how do you
proceed?
To start, you could go to a library and get all the books you can on that subject.
Then make up word banks from the glossaries and indices. People like to use big
and (they think) obscure names/words from their coveted subject which they think
no one else would ever think of. So you get students of literature using names for
passwords, like "Euripides," "Aeschylus," and in general, a mess of lengthy technical
terms.
Make up word lists, try them out, and if all else fails you can go on to a new
password type. Just because someone's a doctor doesn't mean his password will
be "pericardiocentesis." People's lives are composed of many subjects, their
occupation being just one.
Password Studies
If you think all of this talk about easily guessed passwords is balderdash, think
again. A good number of formal and informal studies have been done to see just
how good people are at picking safe passwords.
One such experiment found that out of 3,289 passwords
• 15 were a single ASCII character,
• 72 were two characters,
• 464 were three characters,
• 477 were four characters long,
• 706 were five letters, all of the same case, and
• 605 were six letters, all lower case.
The point being this: That hackers can simply sit down and guess passwords is
FACT not FICTION. It can be done, and sometimes quite easily.
Another example of the ease with which passwords can be hacked is the Internet
worm which squirmed through the net, disabling much of it, in 1988. The worm
had two tactics it used to spread itself, one of which was attempting to crack user
passwords. It would first try inputting the typical passwords, like login name, a
user's first and/or last names, and other variations of these. If that didn't work, the
worm had an internal dictionary of 432 common passwords to try. Finally, both of
these methods failing, the worm went to the UNIX system dictionary, attempting
each word in turn, until something hopefully worked. As we know, the worm's
method worked superbly.
By the way, if you're ever on a UNIX system and need to do a brute force attack to
gain higher access, the system dictionary is very helpful. You can find it in a
subdirectory called "/usr/dict." The file is called "words." You can also download this
file or capture it to another computer, if you need a plaintext dictionary file for use
on other machines. <One problem with using the UNIX dictionary "straight from
the box" is that the words it contains do not genuinely reflect words in common
English usage. There is a high preponderance of scientific words, due to the
manner in which the dictionary was constructed.>
Password Restraints
Most operating systems weren't developed with security as top priority. Indeed,
password-based accounts should be all the security required on a time sharing
system. As we have seen, however, too frequently passwords are chosen that are
easy to guess. The UNIX operating system does restrain password selection by
suggesting that passwords contain no less than five lower case characters, or only
four characters if at least one of those is nonalphabetic or uppercase. However, if a
user insists on a shorter password, disregarding the plea that security be
maintained, that shorter password will be allowed.
Sysops know that most passwords aren't secure, so many have installed programs
which disallow obvious passwords from being generated.
Passwords are then forced to conform to certain characteristics, such as:
• Passwords must be of a certain length.
• Passwords must include a mixture of upper and lower cases.
• Passwords must include one or more numerals.
• Passwords must include a non-alphanumeric symbol.
One or more of these constraints might be enforced. The program may also test
the user's password against a list of known "bad" passwords, which are not allowed
to be used.
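The constraint list above, together with the case and digit mutations the rest of this section describes (a capitalized first letter, a one- or two-digit number slapped on the end, "1" for "l" and "0" for "o"), is what a password-filtering program has to enforce. The following checker is an added example written for this edition, not code from the book or from any particular operating system: it normalizes a candidate by stripping short prefixes and suffixes and undoing the common substitutions before comparing it to a banned-word list, and it also recognizes the keyboard patterns the chapter names. The banned list, the substitution table and the minimum length of eight are constructed assumptions; a real deployment would load a full dictionary.

```python
import re

MIN_LENGTH = 8  # assumed policy value, not from the book

# Constructed banned list standing in for a full dictionary; the entries are words
# this chapter names as common picks.
BANNED_WORDS = {
    "password", "computer", "secret", "popeye", "oliveoyl", "enterprise",
    "enterprize", "playmate", "surfboard", "forsure", "subway", "chocolate",
}

# Keyboard rows and simple runs: a candidate that is a slice of one of these, or of
# its reverse, is a keyboard pattern in the chapter's sense ("qwerty", "0987654321").
KEY_SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz", "1234567890",
]

# Digit-for-letter substitutions the chapter mentions ("1" for "l", "0" for "o"),
# plus a few more of the same kind (assumed, not from the book).
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalized_forms(candidate):
    """Return the plain lower-case words a candidate may be a cheap mutation of."""
    base = candidate.lower()
    # Users tend to slap a short number or symbol on the front or back as an
    # afterthought ("popeye1", "#password"): strip up to four from each end.
    stripped = re.sub(r"^[^a-z]{1,4}", "", base)
    stripped = re.sub(r"[^a-z]{1,4}$", "", stripped)
    forms = set()
    for s in (base, stripped):
        forms.add(s)
        forms.add(s.translate(LEET))          # "c0mputer" -> "computer"
        forms.add(re.sub(r"[^a-z]", "", s))   # "pass#word" -> "password"
    forms.discard("")
    return forms


def is_keyboard_pattern(s):
    """True for single-character runs, two-character repeats and keyboard-row slices."""
    if len(s) < 3:
        return False
    if len(set(s)) == 1:                                   # "ccccccc"
        return True
    if len(s) >= 4 and s == (s[:2] * len(s))[:len(s)]:     # "opopopop"
        return True
    return any(s in seq or s in seq[::-1] for seq in KEY_SEQUENCES)


def check_password(candidate):
    """Return the policy rules a candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("needs mixed case")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("needs a symbol")
    forms = normalized_forms(candidate)
    if forms & BANNED_WORDS:
        problems.append("banned word")
    if any(is_keyboard_pattern(f) for f in forms):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including the ones this chapter discusses.
    for pw in ["popeye", "OliveOyl1!", "C0mputer#", "Qwerty12", "Fuon!1991"]:
        print(f"{pw:12} -> {check_password(pw) or 'accepted'}")
```

The point of the normalization step is the one the chapter makes about "Popeye1" and "OliveOyl": a rule that merely demands a capital and a digit is satisfied by exactly the afterthought mutations a guesser tries first, so the banned-word comparison has to be made against the word underneath those mutations. The phrase acronym "fuon" with a year and symbol added passes because it is not in the list and is not a keyboard slice; a longer pass phrase would pass for the same reason.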
Not allowing single-case passwords or strictly alphabetical passwords does add
some difficulty to a guess-attack, but not much. One time I had someone in mind
who I felt certain had "popeye" for a password, due to his large collection of classic
comic books and the big deal he always made about Popeye. The system software
required a mixture of cases (which helpfully informs you, by the way, that upper
and lower case are distinguished by the system), so instead of just trying "popeye",
I tried:
Popeye PoPeYe popeyE
PopEye popEYE popEyE
PopeyE PopEYE PoPeye
and also tried each of these with cases reversed, such that PopeyE became pOPEYe
(in case the user thought of capital letters as normal for computer keyboards, and
lower case the exception). It was highly unlikely that this particular Popeye lover
would try anything so bizarre as capitalizing in the middle of a syllable, or without
some pattern to it. Indeed, when forced to capitalize, who in their right mind
would?
As it turned out, his password was "OliveOyl."
If not capital letters, numbers might be forced into one's password upon first login.
Again, you can hardly expect Joe User to break up syllables with a number, and the
numbers that are used you should expect to be not more than one or two digits.
After all, the user thinks of it as a password. The number will generally be slapped
on as a necessary afterthought.
Thus, what you will normally find are passwords in the following forms:
password #
pass # word
# password
Numbers will be those which are easy to remember, or easy to type, like 1 or 0.
Numbers from one through 31 should be most common, along with numbers either
repeating, ending in zero or nine, such as "888," "500" or "1999." It is reasonable
to expect typists to use the numeral "1" substituted in for the letter "l" (lowercase
"L"), in passwords which contain that letter. Cyberspace devotees might do
likewise, as well as using zero for their required number, putting it in place of the
letter "O." This means that if you ever suspect a word that contains the letters "L"
or "O," instead of finding something like "cool," "computer," "lucifer," "lemon," or
"colts," you may find "c001," "c0mputer," "1ucifer," "1em0n," and "c01ts," where the
digits 1 and 0 have replaced the appropriate letters. (Actually, "c001" is usually
spelled "k001.")
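The guessing patterns above (forced capitals at word or syllable boundaries, a digit or two tacked on at either end or between syllables, 1-for-l and 0-for-o swaps) are easy to turn into a small, targeted candidate list. The following Python is an added illustration written for this edition, not the author's own program or anything from a real cracking tool: it takes a suspected word already split at its syllables and expands it only into the forms that satisfy whichever rules the target system enforces, so no attempt is wasted on a password the system would have refused anyway. The number list and the leet table are the ones the text suggests; the filtering and ordering are assumptions about what a user picks first.

```python
from itertools import product

# Added example, not from the book.  Numbers a user slaps on as an
# afterthought, per the text: 0-31, repeats, round or year-like values.
COMMON_NUMBERS = [str(n) for n in range(32)] + ["00", "99", "123", "500", "888", "1999"]
# Look-alike swaps the keyboard-minded make.
LEET = {"l": "1", "o": "0"}


def case_variants(syllables):
    """Capitalisation patterns a real user picks for a word split where they
    think in boundaries (e.g. ["pop", "eye"]): none, first letter, all, last
    letter, first-and-last, every syllable-level mix, and the swapcase twin
    of each for the typist who treats capitals as normal.  Capitals in the
    middle of a syllable are deliberately not generated."""
    word = "".join(syllables).lower()
    out = {word, word.capitalize(), word.upper(),
           word[:-1] + word[-1].upper(),                    # popeyE
           word.capitalize()[:-1] + word[-1].upper()}       # PopeyE
    for flags in product((0, 1, 2), repeat=len(syllables)):  # 0 lower, 1 Cap, 2 UPPER
        out.add("".join((s.lower(), s.capitalize(), s.upper())[f]
                        for s, f in zip(syllables, flags)))
    return out | {w.swapcase() for w in out}


def leet_variants(word):
    """l->1 and o->0 applied to every subset of the eligible positions."""
    spots = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for flags in product((False, True), repeat=len(spots)):
        chars = list(word)
        for i, on in zip(spots, flags):
            if on:
                chars[i] = LEET[chars[i].lower()]
        out.add("".join(chars))
    return out


def number_variants(word, split_at):
    """The three shapes the text predicts: password#, #password, pass#word."""
    out = set()
    for n in COMMON_NUMBERS:
        out.add(word + n)
        out.add(n + word)
        if 0 < split_at < len(word):
            out.add(word[:split_at] + n + word[split_at:])
    return out


def candidates(syllables, need_case=False, need_digit=False):
    """Ordered guess list for one suspected word, filtered to the forms the
    target's password policy will accept.  Plainest forms first: shortest,
    fewest digits, fewest capitals."""
    word = "".join(syllables).lower()
    split_at = len(syllables[0]) if len(syllables) > 1 else 0
    words = case_variants(syllables) if need_case else {word, word.capitalize()}
    words = set().union(*(leet_variants(w) for w in words))
    if need_digit:
        words |= set().union(*(number_variants(w, split_at) for w in words))
    if need_case:
        words = {w for w in words
                 if any(c.islower() for c in w) and any(c.isupper() for c in w)}
    if need_digit:
        words = {w for w in words if any(c.isdigit() for c in w)}
    return sorted(words, key=lambda w: (len(w), sum(c.isdigit() for c in w),
                                        sum(c.isupper() for c in w), w))


if __name__ == "__main__":
    for w in candidates(["pop", "eye"], need_case=True)[:12]:
        print(w)
    print(len(candidates(["pop", "eye"], need_case=True, need_digit=True)), "mixed-case+digit forms")
```

With both rules switched on the list still runs to a few thousand entries for a single base word, which is why the text's advice to learn the target's policy first matters: every rule you know about removes whole families of forms from the list.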
Computer Generated Passwords: Fakery and Analysis of Machine-Generated Passwords
Many passwords that the computer generates on its own will have some flavor of
randomness to them. For instance, look at this bit of imaginary program segment:
90 Randomize Timer                     ' seed the generator from the system clock
95 Password$ = ""                      ' start with an empty string
100 For i = 1 To 6
110 Char = Int(Rnd * 91)               ' 0 to 90
120 If Char < 65 Then Goto 110         ' reject anything below "A" (ASCII 65)
130 Password$ = Password$ + Chr$(Char)  ' append one letter, "A" through "Z"
140 Next i
200 Print "Your new password is: "; Password$
Here, six uppercase letters are selected independently and concatenated to form
the password. The way the letters are selected is that a random number between
65 and 90 is chosen - this correlates with the ASCII codes for the letters of the
uppercase alphabet. The randomness of the numbers chosen is based upon the
randomizer function being used. In this case, pseudo-random numbers are
generated based upon the exact time of the computer's internal clock, although
randomization could also have been based on a practically infinite, hardware-
dependent range of inputs. I said "pseudo" random numbers because no matter how
random these numbers may appear to us, to the
computer they are just values plugged into a formula: once the seed is known,
every number the formula produces, and so every password built from them, is
known too.
If the password-making program could be altered in the right way, then all
randomly-generated passwords after the time of alteration may be yours for the
taking (or deducing). If you have the ability to change the program and save the
changes to disk, or the ability to reroute the password-making subroutine, then
here are some further items to consider.
The easiest thing to do would be to change the program by getting rid of the
randomization factor entirely and simply inserting a Let Password$ = "EVBIDCL8"
statement. Then every new user would be given the same seemingly random
password. The problem is this is not going to go unnoticed by the system
administrators (although you might be able to restore the original program before
your change is noticed).
A more logical choice is to have the program generate a random-looking password
based on some information about the user that you can easily determine from
publicly available sources, such as the user's birth date or Social Security number.
Then you can simply plug that piece of information into your copy of the code on
your home computer and reproduce the new user's password. One encoding
algorithm that works well is to take the sine of the ASCII value of the first six or
eight characters of the user's name, then take the second-to-last two values of the
sine, convert them to fall within a suitable range, then concatenate the
corresponding ASCII characters to form a "word." Thus you have a random-seeming
password that can be easily constructed, even by hand. If the username is less
than six characters, the remainder could be filled in by a predetermined set.
(See Figure 5.)
Figure 5: A sample username is encoded into an obscure password using the method
outlined in the text. On inspection the password seems random and secure, but
a hacker can determine a user's password using publicly available information
about that user (in this case, the user's last name).
This is just a simple example; your password would have to comply with case
mingling, length, or digit sprinkling requirements where appropriate.
Forcing a password in this way can help if you run an electronic messaging or
bulletin board system: users may get so comfortable with their new, secure
passwords (wouldn't you think "rueavz" was secure?) that they transfer them over
to other accounts elsewhere.
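Here is the derivation just described carried through in code, as an added example for this edition rather than anything from the original text or from any real BBS package. Which two digits of the sine to keep, the six-decimal rendering, the filler string FILLER and the one-digit suffix used to satisfy a digit rule are all assumptions made to pin the scheme down; the point, that anyone holding the algorithm and a roster of usernames can regenerate every password without seeing a single one, holds for any such choice.

```python
import math
import string

# Added example, not from the book.  Filler for usernames shorter than the
# password (an arbitrary example choice).
FILLER = "zqxjkv"


def derive_password(username, length=6):
    """Reproduce the scheme the text outlines: for each of the first `length`
    characters of the username, take sin(ASCII value), keep the two digits
    just before the last one of a six-decimal rendering, reduce that number
    mod 26 and emit the corresponding lower-case letter.  Short names are
    padded from FILLER.  The exact digit positions are an assumption; the
    text does not pin them down."""
    letters = []
    for ch in username.lower()[:length]:
        rendered = f"{math.sin(ord(ch)):.6f}"                 # e.g. "-0.379608"
        digits = rendered.replace("-", "").replace(".", "")   # "0379608"
        pair = int(digits[-3:-1])                             # second-to-last two digits
        letters.append(string.ascii_lowercase[pair % 26])
    letters.extend(FILLER[:length - len(letters)])
    return "".join(letters)


def policy_dress(password, need_case=False, need_digit=False):
    """The text's reminder that the derived word must still pass the target's
    rules.  Capitalise the first letter and/or append one digit computed from
    the word itself, so the attacker's copy of the code still matches."""
    out = password.capitalize() if need_case else password
    if need_digit:
        out += str(sum(map(ord, password)) % 10)
    return out


def predict_passwords(usernames, **policy):
    """Attacker side: with the algorithm in hand and a list of usernames
    (public information), every new account's password is known in advance."""
    return {u: policy_dress(derive_password(u), **policy) for u in usernames}


if __name__ == "__main__":
    for user, pw in predict_passwords(["eichner", "smith", "bob"], need_case=True).items():
        print(f"{user:10s} -> {pw}")
```

The output looks as random as "rueavz" to the user who receives it, which is exactly why the text warns that such users carry the word over to other accounts.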
Another possibility, again requiring the ability to covertly change the password
generator, is to alter the randomizer's seed to a constant value, thus causing the
program to produce the same series of random numbers each time it is run (as long
as the computer stays on and the program is not reset). This is risky though, and
unwanted side effects may result.
One method utilizing the flaws in pseudo-random number generators was actually
accomplished, and reported on by UNIX co-creator Dennis M. Ritchie in a 1986
security bulletin entitled "On the Security of UNIX." To increase security at a
computer installation, the administrators decided to provide safe, computer
generated passwords. Each password would be a string of lower case letters and
digits, eight characters long. This calculates to 36^8, or 2,821,109,907,456 passwords
which, according to Ritchie, on a PDP-11/70 would take 112 years to brute force
through all those combinations. But the hacker knew that the random number
generator could only take 32,768 seeds, and so only that many possible outcomes
needed to be looked at: the generator's output is fixed entirely by its seed, so the
36^8 figure was never the real key space. "The bad guy did, in fact, generate and test
each of these strings and found every one of the system-generated passwords using
a total of only about one minute of machine time." [Emphasis added.]
Clearly, sixty seconds plus some programming time is worth spending to have
access to every account on a system!
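The two weaknesses just described, a generator whose whole output follows from its seed and a seed that can take only a handful of values, are shown together in the following Python, an added example that is not from the book or from any real UNIX utility. The 16-bit linear congruential generator and its constants are stand-ins chosen for the example; the alphabet (26 lower-case letters plus 10 digits), the eight-character length and the 15-bit seed follow the Ritchie story. The same enumeration applies to the BASIC routine earlier in the chapter: a clock-derived seed has at most as many values as there are clock ticks in a day.

```python
import string

# Added example, not from the book or any real system.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, as in the Ritchie story
PASSWORD_LEN = 8
SEED_BITS = 15                                       # 2**15 = 32,768 seeds, as in the story


class ToyGenerator:
    """A 16-bit linear congruential generator standing in for the library
    routine of the day.  The multiplier and increment are example choices;
    what matters is that the whole output sequence follows from the seed."""

    def __init__(self, seed):
        self.state = seed & 0xFFFF

    def next(self):
        self.state = (self.state * 25173 + 13849) & 0xFFFF
        return self.state


def generate_password(seed):
    """The site's 'secure' generator: eight symbols drawn from the PRNG.
    (The % 36 step is biased toward some symbols; the BASIC routine earlier
    avoids that with reject-and-retry, but the seed weakness remains.)"""
    rng = ToyGenerator(seed)
    return "".join(ALPHABET[rng.next() % len(ALPHABET)] for _ in range(PASSWORD_LEN))


def nominal_keyspace():
    """What the administrators believed they had: 36**8."""
    return len(ALPHABET) ** PASSWORD_LEN


def effective_keyspace():
    """What they actually had: one password per possible seed."""
    return 1 << SEED_BITS


def seed_table():
    """Attacker side: precompute every password the generator can ever emit,
    mapped back to the seed that produces it.  This is the whole attack."""
    return {generate_password(s): s for s in range(1 << SEED_BITS)}


def recover_seed(password, table=None):
    """Look a captured password up in the table.  None means the generator
    never produces it from any seed in range."""
    table = seed_table() if table is None else table
    return table.get(password)


if __name__ == "__main__":
    table = seed_table()
    print(f"nominal keyspace {nominal_keyspace():,}, effective {effective_keyspace():,}")
    for seed in (1, 4242, 32767):
        pw = generate_password(seed)
        print(f"seed {seed:5d} -> {pw} -> recovered seed {recover_seed(pw, table)}")
```

Building the table takes a fraction of a second here; the ratio between the two keyspace figures (about eighty-six million to one) is the measure of how much security the "random" generator was really adding.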
If you can't insert code to generate machine-made passwords, you might be able to
analyze them after they've been produced. This requires having access to a
minimum of one password, preferably two or more, from a given system. If you
have a legitimate account, there's your first password. If it's a local BBS you're
hacking, or some other sort of system where multiple anonymous logons are
possible, try calling back a few more
times and collect new passwords under different names. Or get ahold of the BBS
software or the password-generating routine, and work that to collect various
passwords.
Once I was going through some new BBSs that had started up and I came across an
ad for a system that was a couple states over but still seemed worth a try. I called
up, logged in as a new user, and found it wasn't all that interesting after all - run by
a factory supervisor mainly to let site agents order inventory stock. I used the
made-up name and address Roger Eichner, 13 Stem Court, North Coast, WA 64203
to log on. The password that was generated was "roghner24." I was astounded!
Obviously the program had simply taken the first three letters from my first name,
the last four letters of my last name, and stuck a number at the end!
Or had it? I called back a second time, logging in as a new user with a different
name. This time there seemed to be no correlation at all with any of the personal
information I had given. Now I was not only astounded, but confused as well! Had
the first password been simply a fluke? Was the second a fluke? Was it
programmed to only sometimes use parts of the username? I called back a third
time and again logged on as a new user. Again the password was unrelated to
anything I had entered. Now I was pretty positive the first password had just been
an unbelievable coincidence. I wrote a message to the system operator, saying he
could delete these three new users of his (I supplied their personal info so he would
not think I was playing a joke) and I didn't call back until a few weeks later.
Even though my second two passwords were unrelated to both each other and my
personal data, I thought that perhaps I had missed something that first encounter,
since some of the characters were repeated from one password to the next. Could
these characters refer to my baud rate or computer type, or some other parameter
that had stayed the same from one login to the next? Or was it possible that what
was random about the passwords was which pieces of data it selected to insert into
the password? This would account for my name in the first case, and one of the
items (which I didn't recognize as relating to me) being repeated in the third call
password.
Logging on with the same name, address, terminal characteristics and everything
else as I had originally done, I received, to my disappointment,
not a computer-generated password but the following astonishing message:
Dear Member:
Sorry about having to go through this again but we've had a problem the last few
days. I will have to ask that you be patient with the low access level you will
receive until I get a chance to validate you. Please note, when asked to supply a
password do not give the one you were previously assigned. Make up a new and
totally unconnected password.
See General Posting #1 for explanation.
StRaPmAsTeR === wllLiE ===> (sysop)
Input Password ==>?
General Posting #1 said that a certain (relatively new) user of the BBS, whose
handle was Mr. Joke, had kicked into action a "feature" of the BBS software that
produced less-than-secure passwords. The previous year the system had "crashed,
apparently as a result of a rogue program that was uploaded to file section by Mr.
Joke." No further details were given on the cause or nature of the crash, because
apparently regular callers of the system already knew the story.
Anyway, you can see how it's possible to occasionally get some good information
by analyzing "random" passwords. Even if there doesn't seem to be any
discernible pattern, that doesn't mean there isn't one hidden somewhere. There
might be some subtlety to the pattern or, if not a pattern, a bug or strangeness
that you might be able to spot. For example, in the first version of one BBS
program - a program that was so godawful the board folded after about a month -
the random password generator would never produce a password with the letter A
or the digit 0 in it. Knowing this does help a little: for a seven character password
of the form WXYZ123, where WXYZ are letters of one case and 123 are numbers,
there are only 284,765,625 possible combinations (25^4 x 9^3) instead of
456,976,000 (26^4 x 10^3) - a difference of 172,210,375 passwords, nearly 38
percent of the search space! This software was riddled with bugs, many of which
have become famous as the worst blunders in the history of horrible programming.
Non-Random Machine-Generated Passwords
Finally, let's consider non-random machine-made passwords. Often users are
entered into a computer system before their first logon. Then, unless the sysops
can relay information to users off-line, the password must temporarily be something
that the user already knows, such as their Social Security number (SSN), date
of birth, or other personal data. Users are supposed to change this easy-to-guess
password to a more secure one, but unless they're specifically shown how or
required to do so, it is unlikely they will follow through.
Here's a non-computer example which demonstrates this weakness. In April of
1992, students at a New Jersey university received a memo, informing them of new
over-the-telephone class registration procedures. The memo stated that the
Personal Access Code (PAC) assigned to authenticate one's registration was the first
four digits of one's birthdate (month and day), entered in conjunction with one's
nine digit student ID number (essentially, one's social security number).
What got me was that first of all, they told students that their top secret PAC was
their birth date. This violates all the security precautions they're trying to maintain.
After all, how difficult is it to find out someone's birthday? But the PAC is only half
of the "password" - the other part is a student ID.
Again, it's a piece of cake to find out someone's ID. lDs are publicly or semi-publicly
available at the student health centers, on computer room sign-up sheets, on
identification cards, class rosters, housing lists and elsewhere! The memo does say
that those concerned with security can come into the registrar's office to change
their PAC, but who's going to go out of their way to do that?
Anyway, changing just those four numbers doesn't do much to stymie the
determined hacker. Following a change of PAC there are 9,999 possibilities to try
(ten thousand four-digit codes, less the birthday one already known not to work).
This is as opposed to the mere 366 possible PACs (one for each calendar day) before
that security-aware person changed his or her number. Sure, ten thousand is a lot
of numbers to try, but it's certainly not impossible. A touch-tone auto-dialer can
phone through all of those in about seven minutes, given unlimited PAC-entry
retries per phone call. In any case, I'm using this story to illustrate the principle of least
resistance: Users are not going to go out of their way to change access codes if
they don't have to. And even if they do, it doesn't matter much. After all, we are
hackers.
Let's move back to our discussion of non-random passwords which are generated by
computer; or rather, passwords decided upon by the programmer or administrator
and selected from data files by the computer.
Computers will select passwords any time a large number of passwords must be
assigned at once. During the first week of a college semester, thousands of new
accounts must be created for students enrolled in computer classes. For the most
part, these accounts are going to be set up with username equal to some truncation
or bastardized form of one's real name, and the password will be either one's Social
Security number (SSN) or student ID number.
So if you want to hack a college system, start early in the semester - before those
passwords get changed by the user to something more secure. Social Security
numbers may be easily hacked by brute force, especially when you know how they
are distributed.
Social Security (or other ID numbers) may also be obtained through social means
(see the chapter on Social Engineering) or by other forms of chicanery. I've sat in
on college classes where the instructor hands around a sheet of paper, on which
the students are asked to write their name and ID number. This sheet is then
handed to the teaching assistant, who enters this information as accounts into the
computer system. If you happen to find some classes that operate like this, make
sure you sit in the back of the class, where nobody will notice you copying other
people's private data. A hand-held scanner/copier makes life easier at times like
these.
You can also get names and SSNs from attendance sheets, or class rosters, which
usually list both pieces of information for every individual in the class. If the
professor doesn't make the roster available for student perusal, make up some
excuse to swipe a look at it. For instance, say the registrar had your name
incorrectly spelled on your last transcript, and you want to make sure they've
corrected the problem. Professors will love any excuse that points out slip-ups in
the bureaucracy of the school system. Use their mindset against them!
Several court battles have ruled that use of one's Social Security number in
conjunction with one's name in a public environment is unconstitutional, as it is an
invasion of personal privacy. Therefore, we may see a trend starting, with SSNs
getting used less and less for identification purposes, and an organization-defined
ID number being used in its place. If that's the case, you will have to rely more on
brute force to access the array of ID numbers assigned to a person.
Pre-usage passwords won't always be Social Security numbers or other ID numbers.
If some non-computer communication is possible between the sysadmin and the
user, other words may be assigned as temporary passwords (to be changed when
the user logs on).
There might be a generic "new user" password which is given to all accounts, which
shouldn't be very hard to crack. Or the password might be something very obscure
and security-conscious, like some long string of random characters. It may be
necessary to intercept the new user's physical mailbox for that envelope which
contains the assigned password.
Programs Are People Too
Sometimes computer systems are set up with programs that have usernames and
passwords, just like any other user of the system. Thus if you login as that
program, the program is executed. Programs might be a tutorial on how to use the
net-work, information system, database, messaging system or just about any sort
of application program. Some sites also have accounts whose user-name is that of
an elementary command, such as "time," "date" or "who" (which tells, you who is
logged on). This allows people to carry out certain quickie functions without having
to go through the hassle of logging on to the machine. Often these command
accounts don't have passwords associated with them, which is ironic since many are
given superuser access permissions.
It's possible that you may get in to one of these program users with a
name/password combination chosen from words such as these:
guest demo help
info tutorial tut
menu data base
intro anonymous database
visit welcome hello
"Visit" or "visitor" might be the username, and "tut" the password, for example.
Other possibilities are trying to get in with usernames "calendar," "cal,"
"sched," "schedule," "whois," "ftp," "who," "lpq," "archie," or other common
command names. Many installations will have a general-usage or even public
information system set up. Access may be gotten by logging in as "info," as
suggested above, but other variations are possible. The fictional Wakka Doo
University may require logging in as "wdu," "wduinfo," "hellowdu," "wdunews,"
"wdumail," "welcomewdu," or some other variation on the University's initials.
If you do manage to get in this way, first of all you are to be congratulated for a
very successful hack - but then what? If you are interested in gaining higher
access levels or in escaping out of the program entirely, you could have a lot of
difficulty ahead of you. An upcoming section will offer suggestions for getting
beyond limited access restrictions.
Brute Force Methods
Brute force means manual labor for your computer and, usually, lots of it. It isn't
too difficult to do, but it is time consuming. What brute force methods entail is the
inputting of one password after another until finally - maybe - something hopefully
works. Or just until you give up and move on to a better method.
Brute force methods are usually the first and last thing a hacker does when trying
to break into a system. The first time he does it, it's a half-hearted attempt. If he
can guess the password right away, or after the first seventy-five or hundred
attempts or so, then that's fine. After that fails it's on to trying out other angles for
a while. If none of those more sophisticated ways work, then it's back to brute
force for the big finish.
Brute force, after all, must work eventually. The "must" is what draws hackers to
it; the "eventually"
is what drives them crazy. Brute force takes a lot of time, but not much else. That
time is spent in research, trial and error, and in writing special programs to hurl one
password after another at the system.
Brute force is the least graceful way to fly, but since it eventually must be effective,
eventually all hackers will resort to using it at one time or another.
You may find yourself in a situation where you know nothing about the people who
use a particular system; where common names and passwords have failed; and
where no trick seems to work. In these cases, you will have to try the most brutal
of all brute force approaches: you will have to write a little program that will
repeatedly dial the computer system, enter a new name/password combination,
and keep repeating this until something works.
This could take forever.
Some hackers use a dictionary file they get from their word processing programs or
off a bulletin board. This is a good idea, but only if you use it properly. Edit the
dictionary file so it includes common names, each letter of the alphabet, musicians,
names of cars and presidents, numbers, celebrity nicknames and other
common password material. Get rid of the words like "perspectives" that just seem
too weird for anyone to use as pass-words.
Speaking of making things go faster for yourself, the same holds true when brute
forcing non-language passwords. If you live in New York, you should begin your
attack by brute forcing New York SSNs only. There are many ways to bring down
the number of potential codes you have to check. The military uses what is called
the Terminal Access Controller Access Control System (TACACS) to ensure legitimacy
of usership of its network computers. The access codes that TACACS looks at are
strings of alphanumeric characters - but the strings will never contain the numerals
zero and one, nor the letters Q and Z. The theory behind this decision is that a user
reading his or her access code off a code card can easily confuse 1s, 0s, Qs and Zs
with other letters or numbers. Every such exclusion shrinks the alphabet, and the
keyspace with it: if case is not distinguished, 32 usable symbols per position
instead of 36.
Once you have edited your dictionary of possible passwords to best suit your needs,
or once you have determined which codes are the ones most likely to occur, you
write yourself a little
program in whatever language you know, to dial the modem, enter one word at a
time as a password, and try, try again. And again. And again. This is a simple
program to write, but if you don't have the expertise to do so, plenty of programs
like this are available on BBSs.
There are some things to consider when writing the program. How many times will
the computer system allow you to enter bad name/password combinations before it
logs you off? Three? Eight? If it gives you three chances before saying bye-bye,
make sure your program outputs exactly three name/password combos before
redialing the number.
Often remote computers will accept characters as input even before the input
prompt is put on the screen.
If this isn't the case with the system you're trying to get into, you'll have to put a
delay loop in your program to make sure passwords are not being entered before
the cursor is on the screen.
Finally, what happens when your program does manage to ferret out a workable
username and password? Unless you're sitting there, monitoring the computer as it
does its thing, you need some way of knowing when a brute force attempt has been
successful. Otherwise your program will continue to spit out passwords, and the
system operators - who by now almost certainly have noticed what is going on - will
be absolutely furious! Have the program monitor text as it is sent from the remote
computer. When something other than the login prompts are received, have the
program flash the screen and ring the loud bell on your printer. Either that, or have
it input the logoff command, and print the usable username/password on the screen
for you to see when you wake up the next morning.
If you know Joe User works for Company X, then you can have the program run
through every combination of password with usernames Joe, User, JUser, and Joe
User - not to mention other varieties like joe, JOE, and joeuse. (But from your
research and experimenting you should have some idea what format the username
will be in, so you shouldn't have to try too many variations.) If, on the other hand,
you don't know the name of anyone who works there, you'll have to either find out
(i.e., look in company directories, call up and ask, look in annual reports,
newspaper articles, or any of a hundred other places to find names) or try every
combination of possible first names. If you must resort to trying every first name,
make sure you try female and foreign names. You might want to take a trip to the
library and find out what the most popular first and last names are. But remember,
you don't need the current popular names - you need names that were popular and
common twenty or thirty years ago, when parents were naming the people who
work in the company you're trying to break into.
Certainly, it is not absolutely essential to write a program to spit out passwords. If
you have the time and patience, you can sit down and enter passwords yourself.
But remember that this will take even longer than the already immense amount of
time it takes a computer to brute force its way in. I must emphasize that no matter
how many pre-cautions you take to eliminate excess work, brute force will almost
always take an extremely long time to bring results. Therefore, it's important to do
what you can to speed up the entry of passwords. If you have to redial the modem
after every three passwords, make sure you're running your attack off a phone line
with Touch Tone capabilities.
Also, before you begin a brute force approach, set yourself up with the highest baud
modem you can possibly acquire, even if you need to borrow one from a friend.
Moving just a few notches up the baud ladder makes a big difference in speed.
Foiling The Brute Force Assault
As a youngster I remember going out to dinner with my family one night, where
they had an all-you-can-eat special. Naturally I decided to do my part to see that I
ate my fair share but by the third reorder, we were getting increasingly frustrated
with the long waits and smaller portions. My dad explained it: "You see, that's what
they do so you won't eat as much. They keep taking longer and longer to come out
with the food, and they give you less of it." I don't know how true that was, but
after a while it certainly was not worth waiting around forty minutes just to shovel
down another plateful of food.
The techniques used to thwart brute force attacks work on the same principle as
that all-you-can-eat restaurant. As mentioned earlier, if one is
persistent enough then it is really only a matter of time before a legal
username/password is hacked by guesswork or by chance. Therefore, the way to
prevent such an attack from succeeding is to structure the system prompts to
frustrate the hacker into quitting early.
The most common defense is allowing only a few login attempts before
disconnecting. The computer may then refuse to allow a reconnection within a
certain period of time. The drawback to this is that a legitimate user might be
inconvenienced - though having to wait a few minutes is much less of an
inconvenience than logging on to find one's files have been tampered with by some
cracker.
Another method is to increasingly slow the response time to each successive login
attempt. A prospective hacker might find himself waiting thirty seconds for a
response from the remote computer... Then a minute... Then two minutes... The
long waiting periods wouldn't start until the first three or four login attempts were
tried and found unsuccessful. Then the computer would say to itself, "Gosh, no
real user would spell his name wrong that many times. Must be a hacker!"
Another trick is the dummy login prompt. After a certain number of unsuccessful
login attempts the system continues asking for login information, but returns an
error message no matter what the input is.
The moral of this story is, if you write a password-cracking program, be sure you
monitor its progress. Don't just set it to run overnight and leave it unless you've
first determined that such security measures are not in place. When you wake up
the next morning you may find it's been taking forty minutes for the computer to
respond to your inputs. Or you may find that every possible combination has been
tried to no avail, and so you know that you've been wasting time responding to
dummy login prompts.
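To make both halves concrete, the dialer program described in "Brute Force Methods" and the defenses it runs into here, the following is an added Python simulation written for this edition; it dials nothing and talks to no real host, and the RemoteHost class, the account table and the word list are all constructed for the example. The dialer sends exactly per_call guesses per connection, redials on lost carrier, treats anything that is not another login prompt as success, and quits when the host's responses slow past max_wait. The host can be given no defense or one of the three above: hang up after a limit, growing delays, or the dummy prompt. Delays are simulated numbers, not real sleeps.

```python
from itertools import product

# Added example, not from the book.  Constructed protocol strings for a
# pretend dial-up host.
LOGIN_PROMPT = "login: "
FAIL = "Login incorrect\n" + LOGIN_PROMPT
SHELL = "$ "
NO_CARRIER = "NO CARRIER"


class RemoteHost:
    """Simulated host with one of the defenses the text describes: None,
    "disconnect" (hang up after `limit` bad tries in one call), "slow"
    (doubling delay once `limit` failures have accrued), or "dummy" (after
    `limit` failures keep prompting but never accept anything).  Failure
    counts for "slow" and "dummy" persist across calls, as if the host were
    tracking the account or the calling line rather than the connection."""

    def __init__(self, accounts, defense=None, limit=3):
        self.accounts = accounts
        self.defense = defense
        self.limit = limit
        self.total_failures = 0
        self.call_failures = 0
        self.connected = False

    def connect(self):
        self.connected = True
        self.call_failures = 0
        return LOGIN_PROMPT

    def login(self, user, password):
        """Return (text the caller sees, simulated seconds it had to wait)."""
        if not self.connected:
            return NO_CARRIER, 0
        tarpit = self.total_failures >= self.limit
        if self.defense == "dummy" and tarpit:
            self.total_failures += 1
            return FAIL, 0                       # right or wrong, nothing gets in
        if self.accounts.get(user) == password:
            return SHELL, 0
        self.total_failures += 1
        self.call_failures += 1
        if self.defense == "disconnect" and self.call_failures >= self.limit:
            self.connected = False
            return NO_CARRIER, 0
        if self.defense == "slow" and tarpit:
            return FAIL, 30 * 2 ** (self.total_failures - self.limit - 1)  # 30s, 60s, 120s...
        return FAIL, 0


class Dialer:
    """The attacker's driver: exactly `per_call` pairs per connection, redial
    on carrier loss, any response that is not another login prompt counts as
    success, and give up once a single wait exceeds `max_wait` seconds."""

    def __init__(self, host, per_call=3, max_wait=60):
        self.host = host
        self.per_call = per_call
        self.max_wait = max_wait

    def run(self, users, wordlist):
        pairs = iter(product(users, wordlist))
        report = {"attempts": 0, "calls": 0, "waited": 0, "found": None, "stopped": None}
        while True:
            self.host.connect()
            report["calls"] += 1
            for _ in range(self.per_call):
                pair = next(pairs, None)
                if pair is None:
                    report["stopped"] = "exhausted"     # every pair tried: suspect a dummy prompt
                    return report
                user, pw = pair
                text, waited = self.host.login(user, pw)
                report["attempts"] += 1
                report["waited"] += waited
                if waited > self.max_wait:
                    report["stopped"] = "slowdown"
                    return report
                if text == NO_CARRIER:
                    break                               # dropped early: redial
                if not text.endswith(LOGIN_PROMPT):     # a shell, a menu, anything new
                    report["found"] = (user, pw)
                    report["stopped"] = "success"
                    return report


# Constructed sample data: one account and a short, targeted word list.
ACCOUNTS = {"joe": "popeye7"}
WORDLIST = ["password", "secret", "popeye", "Popeye", "popeye1", "olive", "oliveoyl", "popeye7"]


def simulate(defense=None, max_wait=60):
    """Run the dialer against a host with the given defense; return its report."""
    host = RemoteHost(ACCOUNTS, defense=defense)
    return Dialer(host, per_call=3, max_wait=max_wait).run(["joe"], WORDLIST)


if __name__ == "__main__":
    for d in (None, "disconnect", "slow", "dummy"):
        print(d, simulate(d))
```

Against no defense and against the plain hang-up the eighth guess gets in across three calls; the slowdown stops the run after six guesses with 210 simulated seconds of waiting; the dummy prompt lets the correct password sail past unrecognised and the run ends with the list exhausted, which is the failure mode the moral above warns about.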
Conclusion
Much of this chapter has focused on different "likely" passwords to try when
initializing an educated brute force attack. We can go on forever listing common
passwords - names of pets, historical dates, room numbers, book titles - not to
mention all of the above with vowels removed, backwards, and in various anagram
forms. There comes a time when you have to forget about trying to limit the
number of possible passwords to a select few, because your "limited" number will be
as infinite as before you put the restrictions in place. Besides, a password may be
"easily guessable" and yet be secure enough to thwart your attempts to guess it.
The password "Smith" is not secure, and "Jones" is not secure, but "Smith@#Jones"
is as obscure as anything. Outsiders see password guessing as a valiant pastime
for the hacker, but in essence it is only the beginning of the hack. Brute force is
best carried out by computers, and should really only be used when a computer is
necessary to gain access (I'm thinking about Robert Morris Jr.'s worm program as
an example). The thing is, the whole business of hacking has to do with skill and
knowledge. Brute forcing passwords requires little of either. But no one's going to
look down on a hacker who does some educated brute force work, especially if that
hacker has a good reason for doing so. But don't rely on the computer's brawn to
do your dirty work: Use the ingenious computing power of your
brain. And that is the topic of the following two chapters.
"Computer crimes deal with people to a far greater degree than they deal with
technology."
Donn B. Parker
Chapter Five:
Social Engineering
It is somehow shocking the first time one hears about "social engineering." At least
it was shocking for me. Hacking is thought of as an activity pursued solely,
nocturnally, relentlessly, for hour after midnight hour, by some dazed and nerdish
character banging away at a computer keyboard in feverish pursuit of that single
golden word which will grant access to the technological secrets of the universe.
That is how it was at some point in the past, until it became impractical. Those
brute force methods are certainly valid, and they are the bread and butter of any
well-stocked hacker's arsenal. But there are other ways to learn passwords; social
engineering is one of them.
"Social engineering" is the attempt to talk a lawful user of the system into revealing
all that is necessary to break through the security barriers. The alternate term for
this is "bullshitting the operator."
Social Engineering (SE) appears in a variety of forms and disguises. Here I will list
many of them. As you will surely discover for yourself, there is a cornucopia of
clever twists and variations to be made on each of these examples. Some twists I
will examine, others will be left for you to creatively imagine.
The Noble Form
To those hackers whose sense of ethics does not allow them to use trickery in an
attempt to ascertain passwords, one form of social engineering still might be used
without straying from one's sense of morality: the gentle art of asking, "Please ... ?"
I think I've never heard of a verifiable instance where this has worked, though
there are rumors that hackers have simply requested - and received - passwords
from system users. Usually, the story goes, the system operator is either asked
over the telephone, or e-mailed a letter which says something like: "I am a hacker.
Give me a low access account and I will use my skills to show you what your
system's weaknesses are. That way you can correct them and won't be troubled
by malicious crackers in the future."
The other way to do this is to call up someone - anyone - a secretary in an office,
for instance - and just ask, "What do you type in to start the computer in the
morning?" Will this work? Well, you would have to be lucky enough to call someone
who's fed up with his or her job, and who doesn't know any better about security
procedures.
Social engineering minus the deceit is not likely to work, and could make it harder
for you to get in, in the future. More likely you will want to bone up on your acting
skills and try some telephone shenanigans.
Hacker As Neophyte
Here you play the role of a new user. Let's say you're trying to get into a
company's computer system. The time is 8:55 in the morning. You call up the
computer department (from your home or wherever) and this is the conversation
that follows:
PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department. Maybe you could help me with a problem?"
JACK: "Maybe... What is it?"
YOU: "Well, I'm the first one here, and I can't seem to get things started up. Will you talk me through it?"
JACK: "Sure. You by your computer?"
YOU: "Yes."
JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."
JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."
JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp - they said someone would tell me!"
Part Two
During Hack
Chapter Seven:
Public Access Computers
And Terminals
Introduction To The Three Kinds
Have you been to a mall lately? I mean one of those huge, sprawling malls that not
only have clothing stores, electronics shops and food courts, but miniature golf
courses, arcades, banks, post offices, and anything else you can or can not think
of?
Instead of the large "You are here ->" maps they used to have, you now often find
computers set up with touch-sensitive screens that help you find your way around
the mall and inform you about mall happenings.
Personally, I've never hacked a mall computer - but the potential is there - and the
motivation to do so is there as well. Hackers hack because they are in love with the
idea that any accessible computer has a secret side that can be broken into. The
computers at the mall have a secret side - the general public is not supposed to be
able to change around the names of the stores on the computerized map of the
building - but there is a way of doing just that. Similarly, when you go to Ellis Island
and look up your ancestors in the computers, there is obviously some rear end
to the system that you are not being allowed to see. All public computers have a
secret side. A hacker is a person who wants to get at it.
This chapter addresses two aspects of publicly accessible computers:
• How to get into the behind-the-scenes parts, and
• using public computers to collect information you're not supposed to know about the people who use them.
The computers and dumb terminals that are publicly available are a great boon to
anyone interested in hacking. Even if a general-access computer doesn't have a
modem hanging off the back, or does not allow out-dialing, hackers can benefit by
using the computer to gather information about legitimate users of on-line
databases, school networks and other computing systems.
Computers are publicly available in lots of places - lobbies of office buildings, malls,
museums, airport club lounges, public fax machines, public and private schools,
and in stores. However, the place they are most often seen is at libraries;
consequently, the following discussion is based mostly on the computers found
there.
Computers for the use of the general public are available now at most public and
academic libraries. They fall into three groups:
• CD-ROM databases and information computers,
• public access terminals, and
• general purpose microcomputers.
Let's look at each one of these in turn, and see how these can help the hacker help
himself.
CD-ROM Databases And Information Computers
CD-ROM databases, like InfoTrac and NewsNet, are computerized listings of
periodical articles, updated monthly. Other databases are available with slants
toward business news, census data and the like. Some libraries have CD-ROM
encyclopedias, and many government depository libraries will have databases
listing government publications available.
In a similar vein, I've seen libraries with computers (usually Macintoshes) set up
with user-friendly programs designed to teach patrons how to use the library and to
dispense other helpful advice. All of these computers are useful to the hacker only
for the information they carry, due to the fact that they are set up on independent
machines, without modems, and without access to telephone lines. They usually
serve the single purpose of dispensing information on their specific topic.
Finally - this is rare and a bit odd - but occasionally you will see a computer being
used as a "register". As people walk into the computer room, office, or wherever,
they sign into the computer with a name and ID number, and perhaps answer a few
questions about themselves. The purpose of this sort of computer setup is to keep
a timed and dated record of who uses the public facilities. Of course, unless a light
pen or graphics tablet is used, signatures can not be collected and so their use for
security purposes is lost.
Unlike databases and tutorials, there is a bit more you can do hacker-wise with a
guest record computer, though not much more. One application might be to use
the computer to see who else has been using the facilities. This information could
be helpful if the facility in question is a computer room. You might be able to find
exploitable patterns in computer usage by certain individuals, or an overall
tendency for fewer people to be in the room at certain times, both of which are
helpful to know, as we will see.
If the guest register program itself doesn't let you see who was there before you,
try exiting out to the operating system and checking for relevant data files. This
will be discussed in the upcoming section on general-purpose micros.
Access to CD-ROM databases and information computers is not usually of much use
to the hacker. There are exceptions of course, and it's well worth investigating any
computer of this kind that you find.
Public Access Terminals (PATs)
These are usually dumb terminals (although sometimes you see IBM compatibles)
set up in libraries as electronic card catalogs. They have names like MS and GEAC.
These systems allow library patrons to search for materials (books, magazines,
videos) by various search restrictions; to see the current status of materials (On
the shelf? Charged out? Overdue? Missing?); place holds on items; get library
news, and other library-related functions. Often dial-in lines are available, especially
at university libraries.
The challenge to the hacker is this: He knows there is a secret side to every library
computer. How can he get into it?
Every library computer system is divided into two parts. There is the publicly-
accessible catalog, and the private stuff. The private stuff (the secret side) includes
procedures to discharge materials, get confidential patron information, add or alter
fines, block library cards, etc. These private functions, used by library staff, must
rely on the same database of information as is found on the PATs. (If the librarian
checks out a book to somebody, the fact that the book is not present in the library
must be shown on the public terminals.) Therefore, the functions that are available
to the public are a subset of the entire library program. That is, the program the
public uses to make inquiries on books is part of a larger program which includes
higher managerial functions.
The two program parts are obviously separated, otherwise anyone could walk into the library
and erase all the fines off their library card, or put $100 worth of lost items on an
enemy's card. So, how is the public side separated from the private side? Take a
guess.
Yup, a password.
Actually, it's usually a combination of two things: first, a hidden menu command,
and then the password to authorize usage. Go to the main or earliest menu on the
library system and try various commands like BYE, END, EXIT, X, XXX, SYS,
SYSTEM, LATER, and OFF. Usually this kind of system will accept either three-
character commands or single-character commands, but of course things vary
widely as you go from one system to another, so vary your tactics accordingly. If
something like BYE works, and you are exited from the public portion of the
system, you will probably be asked to supply a password. Well, you know how to
get passwords! On the other hand, it may not ask for a password at all...
Several library systems use bar code identification to determine who gets to go
backstage. If your library card has a bar code on it, then it is possible - but not
certain - that achieving system operator status relies not on uncovering a password,
but finding out some sequence of little black stripes. I have a story about this.
The Bar Code Hack
A certain academic library, close to my house, has dumb terminals and IBM
compatible micros set up throughout the building for the public to use. The IBMs
also have light pens attached. On those computers, patrons can access and change
information about themselves, using the bar codes on their library cards for
security.
One fine day I decided I wanted to hack the system. I knew from random trying
that BYE from the Main Menu brought me to a screen that asked for my bar code
number. Naturally, I was not allowed staff access, so scanning my library card did
nothing. I needed a staff card - preferably one with high access levels, like the
library card of the library director, or some supervisor or someone like that.
I was not about to become a pickpocket to get a card. There was a better, more
flexible, more hacker-like way of solving the problem. I would use computer technology to defeat
the computer.
When you look at a bar code, you will generally see little numerals printed below
the stripes. This is the number that the bar code is encoding. On a library card
(or the bar code put on library books), the number is about sixteen digits long.
There is an initial grouping which identifies the bar code as belonging to that
particular library, followed by some zeros, and then a concluding seven or eight
digits. This kind of numerical arrangement applies to your checkbook account
number, and many other numbers used to identify you.
Now, the only part of the number that really matters is the last group of eight
digits, following the zeros, since the library identification portion doesn't change
from one person to the next. This meant that if I wanted to try a brute force entry
of every bar code number until I found one with high access levels, I wouldn't have
to try trillions and trillions of numbers - only a hundred million or so.
Naturally I wouldn't be able to type in those bar code numbers from the keyboard
(and who would want to, anyway?). You see, the computers do not allow people to
walk over and type in bar code numbers. If they did, then anyone who knew anyone
else's code number could easily access the private records of anyone else.
That meant, even if I found out the bar code number of the library director, I still
wouldn't be allowed into the backstage areas of the library program. I would still
need the director's library card.
A way you might be able to get around this is to scan your bar code, and look at
what happens. Did the computer put a carriage return at the end of the number?
If not, see if you can back up and alter digits.
If a carriage return was added, try scanning your bar code again, this time sending
a break or pause signal as soon as you do. You might be able to make the
computer think it's receiving the entire bar code, although you will be able to
change and add numbers to suit your needs. If you pushed Control-S to pause the
bar code - and it worked - try pressing Control-C and see if this stops it from
reading in more digits from the scanner.
The bar code will be read in and placed on the screen rather quickly, so it may be
difficult to stop it halfway through. If there's a printer attached to
the computer, try sending output to it. This might slow down the bar code enough
to let you break it at the right time. Also, if it is a computer you're working on (not
just a terminal) there might be a "Turbo" button that you can press to take it out of
turbo mode. If there is no button (but you know it's in turbo mode because there is
a "Turbo" light lit up), there will be some way of disabling turbo mode through
either the software (break into the DOS shell and see if there's a SPEED command
or something similar), or through the keyboard (often something like Ctrl-Alt-Minus
sign will take it out of Turbo).
Another difficult thing to do is to try giving the scanner only a partial or erroneous
code. Occasionally bar code readers can be duped into thinking a bar code of a
kind it's not supposed to be able to read is the correct type. Then it may read that
code and stop halfway through, to wait for the rest of the input.
Lastly, if there is a way of accessing terminal parameter menus, by all means do so:
often there is some sort of switch which toggles automatic sending of input, or the
key code used to send input. By disabling the automatic send, you can manually
input the bar-coded information.
All of these above suggestions imply that you have managed to get ahold of the bar
code number of someone important in the library hierarchy - someone whose ID
number you can use to access the rear end of the system. If you do happen to
know the number, then you can try to print up a bar code for it, either by using bar
code generating software, or by carefully examining bar codes until you have
determined what thickness and pattern of lines are used to represent the different
digits.
But I didn't have anyone's number. The purpose of my hack was to find one. So I
had to find a way of using the light pen to scan in a hundred million bar codes that
I didn't have, until one was discovered that could access the library program's
secret side.
I could've used a bar code program to print out all of those different combinations
of digits but that would have been a huge waste of time and effort.
The light pen (also known as a "wand," "bar code reader," or "scanner") works like
this. Light is emitted from an LED inside the pen, focused through a sapphire
sphere (which acts as a lens) onto the bar code. The light is then reflected off the
page, and now focused through the sphere onto a photo-sensor, which converts the
reflected light into bursts of voltage. The electrical output of the photo-sensor is
amplified, thus generating a signal proportional to the series of black and white
lines of the bar code label.
The pen is attached to the computer either via some external box, or an internal
card. This box/card decodes the on-off firing pattern of the voltage into usable
ASCII characters. At the time of decoding, voltage corresponding to white lines is
approximately 0.11 volts, and 0 volts for the black lines. My plan was to send
voltages into the scanner, making it think it was reading a bar code, when really all
it was doing was being victimized by a clever hacker's brute force attack.
If you are programming a computer or signal generator to create fake codes for
you, some fidgeting around might be necessary before you arrive at the correct
numbers for that particular system. Also, the time it takes to generate a complete
code will have to be adjusted accordingly: usually scanners will accept bar codes at
up to 45 inches per second. Perhaps you can manage to locate appropriate
technical manuals or some source code listings, or call up the company and ask to
speak to a technician about what ideal values are for voltages and timing.
If it is a computer you are working with, rather than a dumb terminal, it is possible
the bar code decoding program is memory resident. You might be able to
circumvent that program, or trick it into reading input from a disk file you supply.
A good idea would be to copy the contents of the fixed drive, then at home see if
there's a way of making the scanner decoder think the keyboard is the correct
RS232 serial interface to look at for input data.
Finally, remember that there will be a check digit at one end of the bar code, or
both ends, although it will almost never be printed on the label itself. If the check
digit is printed on the bar code label, study some sample bar codes and try to work
out the method used to generate the check digit. You don't need to look at only bar
codes on library cards - which you would probably have difficulty finding enough of
- you can examine bar codes on books and come up with the same result.
For example, the check digit formula used by the Universal Product Code found on
supermarket food packages is the following: 210 minus three
times the sum of the alternating digits (starting with the separated digit to the left
of the bar code), minus the sum of the remaining digits. The check digit is the last
digit in your answer.
Figure 6
The UPC check digit system. The initial digit may appear in either of the spots marked with a 0. The subsequent digits are placed under the bar code, with the check digit appearing in either of the two places marked with a check mark.
The UPC check digit formula is:
210 - 3 (a + c + e + g + i + k) - (b + d + f + h + j)
For this sample bar code, the formula is:
210 - 3 (0 + 2 + 4 + 6 + 8 + 0) - (1 + 3 + 5 + 7 + 9) = 125
The last digit of the answer is 5.
Thus 5 is the check digit.
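The check digit rule above, worked through as an added example that is not from the book: a small Python validator that applies the "210 minus" rule, confirms it agrees with the modulo-10 form scanners actually use, and then measures what the digit catches (every single-digit mis-scan) and what it misses (swaps of neighbouring digits that differ by 5). The function names and sample codes are mine; the 11-digit body 01234567890 is the book's figure.

```python
"""UPC-A check digit: the book's 210 rule, the equivalent mod-10 rule, and its limits.

Added example; function names and sample codes are constructed for this demo.
"""


def upc_check_digit(first_eleven: str) -> int:
    """Book's rule on the eleven digits a..k that precede the check digit:
    210 - 3*(a+c+e+g+i+k) - (b+d+f+h+j); the check digit is the last digit."""
    if len(first_eleven) != 11 or not first_eleven.isdigit():
        raise ValueError("expected the 11 digits that precede the check digit")
    d = [int(ch) for ch in first_eleven]
    odd_sum = sum(d[0::2])    # a, c, e, g, i, k
    even_sum = sum(d[1::2])   # b, d, f, h, j
    # 210 exceeds the largest possible 3*54 + 45 = 207, so the result is never negative
    return (210 - 3 * odd_sum - even_sum) % 10   # "last digit of the answer"


def upc_check_digit_mod10(first_eleven: str) -> int:
    """Same value written the way decoders implement it: weighted sum rounded up
    to the next multiple of ten. Because 210 is itself a multiple of ten the two
    formulations always agree."""
    d = [int(ch) for ch in first_eleven]
    weighted = 3 * sum(d[0::2]) + sum(d[1::2])
    return (10 - weighted % 10) % 10


def is_valid_upc(code: str) -> bool:
    """Accept only a 12-digit string whose final digit matches the computed check digit."""
    if len(code) != 12 or not code.isdigit():
        return False
    return int(code[11]) == upc_check_digit(code[:11])


def single_substitution_detection_rate(code: str) -> float:
    """Fraction of single-digit errors (any position, any wrong digit) that
    is_valid_upc rejects. For a correct code this is always 1.0, because changing
    one digit by k shifts the weighted sum by k or 3k, never by a multiple of 10."""
    tried = caught = 0
    for pos in range(12):
        for wrong in "0123456789":
            if wrong == code[pos]:
                continue
            tried += 1
            if not is_valid_upc(code[:pos] + wrong + code[pos + 1:]):
                caught += 1
    return caught / tried


def undetected_adjacent_swaps(code: str) -> list:
    """Positions i where swapping digits i and i+1 still passes the check.
    A swap changes the weighted sum by 2*(x - y), so two neighbours that differ
    by exactly 5 slip through: the check digit guards against mis-scans, it is
    not a secret and offers no security in itself."""
    undetected = []
    for i in range(11):
        x, y = code[i], code[i + 1]
        if x == y:
            continue   # swapping identical digits is a no-op
        if is_valid_upc(code[:i] + y + x + code[i + 2:]):
            undetected.append(i)
    return undetected


if __name__ == "__main__":
    body = "01234567890"          # the book's sample: check digit 5
    print(upc_check_digit(body), upc_check_digit_mod10(body))   # 5 5
    print(is_valid_upc(body + "5"), is_valid_upc(body + "6"))   # True False
    print(single_substitution_detection_rate(body + "5"))       # 1.0
    print(undetected_adjacent_swaps(body + "5"))                # [10]
```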
Back to the target of my attack, that academic library near my home. The light pen
at one of the computers was attached with a telephone-style modular clip. It could
easily be removed. I bought a receiving jack of appropriate size and used a cable to
connect it to the modem port of one of my smaller portable computers. Then I
modified an auto-dialer program to spit out bar code numbers in the range I
needed. I was all set.
A few days later it was Saturday, and it was a gorgeous day. I had expected to pull
off this stunt on a Sunday because I'd seen the results of a user survey which
indicated that less people came into that particular library on Sunday than any
other day of the week -the last thing I needed was a bunch of onlookers. But it
was such a beautiful day I figured everyone would be at the beach. I was right;
practically no one was there.
I detached the light pen from the library's com-puter and connected the plug into
my portable's jack. I typed BYE, which brought me to a prompt which asked for my
bar code before it would allow me to go backstage. Then I started the program
running. It worked fine - the program was send-ing bar code numbers through the
modem port and into the light pen cable. The library's computer had no way of
knowing that the data it was receiving was not coming from an actual bar code.
I closed the cover of my little portable, and hid the whole thing under a newspaper.
Then I sat there and read a magazine while it went through the numbers.
After a while I did find a bar code number associated with a privileged account,
and I was able to use it to change the status of my own library card to a virtual
superuser.
That was great in and of itself, but having superuser status allowed me to go one
step further. Since I now had access to patron records, I could find out the
addresses, phone numbers, student IDs, social security numbers and birth dates
of everyone with a card at that library. This meant I had background information
on virtually every student at the school, and every professor and staff member. I
could also find out what books were checked out to people, and therefore the
subjects and hobbies that interested them. Using all this information it was a
simple task getting into many network accounts I should not have been able to get
into otherwise.
Hidden Commands
Whenever you're hacking any public terminal of this type you have to remember
that it's common to have different levels of security for potential users of the
system. With each level, the various commands may or may not appear listed in
the menu - although you may still be able to activate them via an inadequacy in the
program. If a menu is given with options ranging from one to four -try five! And
six... and zero too. Always try Z, Q, X, and other "weird" letters -anything else
that has a possibility of working. It may not be enough to try these unlisted
commands just once; sometimes you can have the program display an error
message once or twice, and then suddenly crash out of the system or enter private
territory. I grant you, usually you won't find that programs have been so badly
coded as to allow misuse, but you'd be surprised at the number of bugs that do go
unnoticed by the authors and testers. This is especially true of early program
editions.
Also, remember this: There are many functions you may not think would be on a
library computer (or whatever computer it is you're working on). There may be
mnemonics used which, on your own, you would never think of trying. So you must
therefore try everything you can. What I mean is, let's say a library's PATs allow
you to enter these three-letter commands to do different things: INQ (to make an
inquiry on a book), NEW (to get new user information), and PAT (patron
information, to find out about yourself). Naturally the system doesn't only support
those three commands. There are dozens of other commands that you simply don't
know about.
Try things like CON, ILL, CHG, DIS and other three-letter combinations (or
whatever number of characters is appropriate). On some systems, all commands
are three characters except for one called NEW USER or RECALL or something. If
that's the case, then you know the computer will support commands of more than
three characters. Consequently, you should try longer commands as well. The
commands I've chosen above are abbreviations for CONversion, InterLibrary Loan,
CHarGe and DIScharge, respectively. Before I told you what ILL stood for, you may
have been wondering how the word "ILLness" or "I Love Lucy" could have anything
to do with a library. But ILL happens to be a very commonly used abbreviation.
Figure 7
To fool the PAT into believing you are feeding it bar codes, first (a) remove the light pen from the computer.
Then (b) plug the jack into a receiver that is connected to your laptop via the
communication port.
You can then output bar codes through the comm port, straight into the PAT.
If you're trying to break into a system you know nothing about, it's more than likely
they'll use codes and abbreviations that are related to their field. Consequently,
ongoing research is a must.
One United Kingdom system uses things like LCO and LIN for Library Check Out and
Library INquiry. Also, due to certain overseas privacy laws, staff members are not
supposed to access patron accounts to see personal information like addresses and
phone numbers, and what books are checked out to patrons. This poses an obvious
problem to the librarians who MUST know how to contact people who refuse to
return borrowed items (and for countless other reasons, must know what items
people have borrowed), so the people who wrote this library program installed a
command that is invisible to EVERYBODY - even library employees. Pressing "X" at
the book inquiry screen will access a patron inquiry mode. This is something that
the library staff obviously knows about and uses, but is not supposed to have even
heard of.
Anyway, the point is this: dumb terminals often include exits to controlling
programs. You can access these secret parts by either issuing an exit command (a
"trap door") and entering a password, or by entering a hidden menu item or
command statement. Access may also be unintentional and due to an error, as
with a program that lets you in even though you are not situated at a valid terminal,
or have not entered the password.
It is also advisable to turn off the terminal, wait ten seconds, then turn it on again
to see what happens. Some terminals respond to various combinations of Ctrl,
Shift, and Alt. (Sometimes Alt is labeled "Compose Character" because if you keep
it pressed down while typing out a number 0-255 on the numeric keypad on the
right side of the keyboard, the corresponding ASCII character will be produced.)
Also look at the function keys, and combinations of Shift, Ctrl, etc., with the
function keys. Try various other control codes like Escape, Ctrl-C, Ctrl-X, Ctrl-Q,
Ctrl-G, Ctrl-Break, etc. You can never tell what's going to do something, or if anything
unusual will happen at all. But sometimes you can get pleasantly surprised.
College PATs
There is also another kind of publicly accessible terminal, one easily found in the
computer rooms of any college. These are different from the information-dispensing
ones found in libraries in that these are meant to be used solely by
authorized users - people with accounts and passwords on the system.
You should try the different function and control keys on these terminals, too. This
isn't likely to get you anywhere, but often you can use various control codes to
access parameter menus or change screen colors.
Press ? or type HELP and see what commands are available to you. Most colleges
run an information system, possibly connected with the library system, which gives
you information on such things as student activities, phone numbers, office hours,
campus news, and might also allow you to connect with other college information
systems around the country, or possibly federal or state systems. It should be a
trivial matter to find out if a public information system is present on the system
you're using, and if so, how to access it. If you don't know, call up the computing
department and ask. (Remember to ask for the dial-in phone numbers, too!)
Generally you will be able to use telnet or other networking protocols to connect
with computers all over the campus, country, and possibly, the world. However to
do so will more than likely require you to login as a registered user first. This
section deals with some techniques hackers have used to uncover passwords and
IDs through the use of public access terminals at colleges.
Here's story #1.
Doing It The E-Z Way
Barry, a computer enthusiast from Las Vegas, Nevada, used a quite easy way of
finding out info without any programming skills or special equipment.
At the university Barry attended, there was a computer lab that had Macintoshes set
up in the center of the room and terminals around the perimeter.
He had his own account on the system, but he wanted to do some serious
hacking. He knew if he tried anything logged in under his own name he might end
up in trouble. All he needed was some measly low-level account from which he
could hack without risk.
The public terminals at his school worked like this. Available commands or menus
were displayed on the screen with an underline of appropriate size placed at the
bottom, where the user would input his choice. You could move around on the
screen with arrow keys and type elsewhere, but when you pressed Send, only the
characters written in the space where the underline had been would be
acknowledged.
Barry went to the main menu of the information system. He used the arrow keys
and space bar to erase all the text on the screen, then proceeded to reproduce the
login screen that was used to access the mainframe. At the bottom, he put the
appropriate prompt...
ENTER NAME/PASS IN FORM nnnnnnnn,pppppppp
... and positioned the cursor at the beginning of the underline. He switched the
Caps Lock key on, and he shut off all the other terminals. Then Barry took a seat at
a Mac near his prepared terminal, and waited.
Everyone seemed to want to use a Mac that day. He had to wait more than an hour
until a person finally came in to use a terminal. As Barry had hoped, that person
walked straight for the one that was already powered-up. From Barry's position at
the Mac he could easily see what the person typed in.
As you can imagine, when someone uses the actual login screen, the computer
covers up passwords with asterisks. The woman who was using the terminal did
not seem to realize that anything unusual was going on as she typed her vital data.
When she pressed Send after her password, she got the usual beep of disapproval
(because she had pressed Send without entering anything in the space that was
supposed to be used for commands, which Barry had erased). The computer
redrew the information system main menu, and the woman, surprised, logged in
again and went about her business.
Another computer user, who had sat down beside her shortly after she entered the
room, commented, "They've been acting weird all day." Barry was elated; on his
first try, with almost no effort on his part, he had a name and password and could
do all the hacking he wanted to without having it traced back to him. Plus,
the bit of strangeness he had caused was being blamed on unrelated system
malfunctions.
There are many variations of this tactic that should also be considered, depending
on the nature of the command system, the terminals used, layout of the room, etc.
You will want to adjust your strategy accordingly.
Some terminals allow you to change screen color. I've worked a ploy similar to
Barry's on one such terminal. First I erased the screen and typed up a fabrication
of the login screen. But it wasn't an exact reproduction - I put my underline one
line below where it normally would be.
I then moved the cursor over to the place on the screen where commands were
supposed to be entered (above my fake underline). I used a color-change function
key to make the characters I entered next appear in the same color as the background.
I typed "log-on." It was black letters on a black background, so only I and
the computer knew it was there.
Then I repositioned the cursor at the beginning of the underline, used the function
key to change the text color back to bright white, and took a seat on a nearby
armchair.
I didn't have to wait long. About twenty minutes later a group of people came in,
and one sat down at my terminal. Unfortunately, he saw the screen, thought
someone else was using the terminal, and he got up to leave. I told him, "No, no
one's using that one." So he reset the terminal and proceeded to log onto a totally
different system!
A couple hours later I got luckier. I set up the terminal again and took my position
on the chair, pretending to study a numerical analysis book. After a long while a
guy sat down, typed in his name/password combination and pressed Enter. All this
I was easily able to see.
But the computer couldn't see what he was typing because he hadn't entered it in
the special input space. The computer only recognized my hidden (black-on-black)
"logon". The computer then connected to the ungradx machine, and asked
for the user's identity. The user, thinking he had made a typing mistake, entered
them again. I was already out of there, as I had the information I needed.
This will only work with systems that allow you to enter all login codes on a single
line, or on machines with certain appropriate capabilities and setups.
Another way is to use a text editor to simulate the login screen. If you don't have
an account on the system, and therefore do not have access to the e-mail text
editor, there is probably a "Send Comments to Sysop" section in the public
information system that you are able to access. You would probably want to use a
public editor anyway, to avoid having this evil-doing being traced back to your ID.
One way of using a text editor to simulate the login screen is to write up a
document such as this:
>login
Enter Name:
Enter Password:
Above this you may want to have the tail end of a commonly seen menu, list of
commands, or a body of text one normally sees when turning on the terminal.
You position the document so the last line visible on the screen is "Enter Name:".
You put the cursor right after the colon, and turn off the Insert key, if there is one.
A person sitting down at the terminal will think someone else before him typed in
the "login" com-mand. He will type in his name and press Enter. Pressing Enter
scrolls the document up a line, making it look as though the computer is asking him
to enter a password, which he then does to your utter bliss, because you are sitting
there watching this unfold.
There are some problems with this method (and all these E-Z methods, actually).
What if the first person to sit down doesn't want to log onto his account? Or what
if he makes a typing mistake which goes unnoticed until after he presses Enter? In
both cases your little deviltry may be found out. There's always the possibility that
some guardian of the computer room will switch off any terminals he sees left on
needlessly, and then all your work might be lost. Additionally, if you're doing this
on a university terminal that has access to lots of different computers, there might
not be a reasonable way to set up the screen.
There are plenty of things that can go wrong with this ruse, but for the small
investment of time to set it up, then who-knows-how-long of waiting, it's worth it.
If you try this, remember these tips: Do what you can to make reading the screen
from a distance easier. Switch on the Caps Lock key if it helps. Brighten up the
screen if you're able. Tilt the monitor a bit to reduce glare from your viewing
angle. And if possible, select large fonts. Before you choose your waiting spot,
make sure that when a person sits down in the chair, his or her body won't be
blocking your view. While you're waiting, keep yourself busy to avert suspicion, but
don't get so involved that you miss your quarry.
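Both ruses above depend on the same two things: text left on the screen by a previous "user" is trusted as if the computer had written it, and the login front end is willing to take a login command and the credentials that follow as one unit (the author notes that the one person who reset the terminal first walked away unharmed). The following is an added example, not code from the book: a small Python login front end that models the weak single-line behaviour next to a hardened one that resets the terminal before it prompts, refuses credentials supplied on the command line, and reads the password with echo off. The command names `login`/`logon`, the prompt strings and the VT100 escape sequences are assumptions chosen to match the terminals described in the text.

```python
"""
Defensive counterpart to the fake-login-screen ruses (added example, not from
the book). weak_parse() reproduces the single-line "logon name password"
behaviour the text relies on; hardened_parse() and interactive_login() remove
the preconditions: the screen is wiped before any prompt appears, extra tokens
on the login line are rejected unread, and the password is read with echo off.
"""
import getpass
import sys

# VT100/ANSI control sequences (assumed terminal type): RIS = full reset,
# followed by clear-screen and cursor-home. RIS also restores default
# colours and insert mode, which both ruses in the text manipulate.
TERMINAL_RESET = "\x1bc"
CLEAR_SCREEN = "\x1b[2J\x1b[H"
LOGIN_COMMANDS = ("login", "logon")   # assumed command names


def weak_parse(line):
    """The behaviour the ruse needs: 'logon alice s3cret' typed on one line is
    treated as a complete credential pair, so a hidden 'logon' plus whatever the
    victim types afterwards is swallowed as name and password."""
    tokens = line.strip().split()
    if not tokens or tokens[0].lower() not in LOGIN_COMMANDS:
        return None
    name = tokens[1] if len(tokens) > 1 else None
    password = tokens[2] if len(tokens) > 2 else None
    return {"name": name, "password": password}


def hardened_parse(line):
    """Hardened form: only a bare login command is accepted. Extra tokens are
    rejected without being interpreted, so text typed into a fabricated prompt
    can never become an authentication attempt. Returns (verdict, detail)."""
    tokens = line.strip().split()
    if not tokens:
        return ("ignore", "empty line")
    if tokens[0].lower() not in LOGIN_COMMANDS:
        return ("ignore", "not a login command")
    if len(tokens) > 1:
        # Deliberately do not include the tokens in the message: they may be a
        # real password that a confused user typed on the wrong line.
        return ("reject", "credentials must be entered at the prompt, not on the command line")
    return ("prompt", "ok")


def reset_terminal(out=sys.stdout):
    """Erase whatever the previous occupant left on the screen, including
    background-coloured 'invisible' text, before showing the real prompts."""
    sequence = TERMINAL_RESET + CLEAR_SCREEN
    out.write(sequence)
    out.flush()
    return sequence


def interactive_login(line, prompt_name=input, prompt_password=getpass.getpass):
    """Drive the hardened flow. The front end issues its own prompts only after
    the terminal has been reset; the password is read with echo disabled.
    Returns ("authenticate", name, password) for the real authenticator, or the
    (verdict, detail, None) triple explaining why no prompt was shown."""
    verdict, detail = hardened_parse(line)
    if verdict != "prompt":
        return (verdict, detail, None)
    reset_terminal()
    name = prompt_name("Enter Name: ")
    password = prompt_password("Enter Password: ")
    return ("authenticate", name, password)


if __name__ == "__main__":
    # Demonstration on a constructed input line: the weak parser accepts inline
    # credentials, the hardened front end refuses them and never prompts.
    print(weak_parse("logon alice s3cret"))
    print(interactive_login("logon alice s3cret"))
```

The reset step matters more than the parser: a fabricated screen only works because the next user assumes the computer drew it, and a login program that starts from a blank, attribute-reset terminal leaves nothing for that assumption to rest on. Rejecting tokens after the command closes the second gap, where a name and password typed against a fake prompt would otherwise be consumed as a real login attempt.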
Shoulder Surfing
The above two methods are slightly involved examples of what's called "shoulder
surfing." Shoulder surfing is when a hacker looms over the shoulder of a legitimate
user as that user logs onto a computer system. While the user types, the hacker
watches the keyboard to pick up the password as it is entered. Remember, most
login routines will not display the password on the screen, so you must look at the
keyboard to get any useful information.
Pure shoulder surfing can only be done under certain circumstances, such as if you
are legitimately helping the user with a problem and you have to stand there for
the user to show you what's wrong. Most of the time you will not be able to just
stand behind a person without drawing suspicion to yourself; you will have to rely
on more crafty inventions.
A strategically placed mirror, in the upper corner between wall and ceiling, can do
the trick. It must be small enough to stay put with duct tape, but big enough to be
read from a distance.
Binoculars are frequently used by calling-card number thieves to illegally obtain
people's code numbers, thus enabling the thieves to make free long distance phone
calls. You can do the same to read passwords off keyboards. It might be
necessary to tilt the keyboard to a specific orientation to better enable you to see what is
typed. If the keyboards have kickstands to prop them up, make sure you use
them before you take your stalking position.
You might have to do your watching outside, through a window. Before you do,
make sure you won't be visible to those inside. Even at night you will be easily
seen through the glass if the building has outside lights. Do some detective work
before hacking; go into the computer room and see how visible someone outside
the room would be. Perhaps you can partially close the blinds or drapes, to further
shield yourself from view.