💾 Archived View for gemini.spam.works › mirrors › textfiles › news › hcc.txt captured on 2020-10-31 at 16:33:01.

View Raw

More Information

-=-=-=-=-=-=-

                      HOW `CRACKERS' CRACK                                      
                       by Rory J. O'Connor                                      
                  Mercury News Computing Editor                                 
                                                                                
     Police, prosecutors and most of the press call them                        
"hackers." Computer cognoscenti prefer the term "crackers."                     
                                                                                
     Both sides are talking about the same people, typically                    
young men, whose fascination with computers leads them to gain                  
access to computers where they don't belong.                                    
                                                                                
     A few crackers make headlines, like Robert T. Morris Jr.,                  
son of a top computer security expert for the supersecret                       
National Security Agency, who let loose a "worm" program on a                   
national network of university, research and government computers               
in 1988.                                                                        
                                                                                
     There are also notorious crackers like Kevin Mitnick, who                  
was under investigation at the age of 13 for illegally obtaining                
free long-distance phone calls and was sentenced to prison in                   
1989 for computer break-ins.                                                    
                                                                                
     Then there are legions of far more ordinary crackers who                   
simply use their knowledge of computers to "explore" intriguing                 
corporate or government computers or simply to go for the                       
electronic equivalent of a joy ride and impress their friends.                  
                                                                                
     But they all share something: an air of mystery. How do they               
do it?                                                                          
                                                                                
     At a recent conference on computer freedom and privacy,                    
computer expert Russell L. Brand gave a four-hour lecture on the                
inner workings of computer cracking.                                            
                                                                                
     His basic message: Cracking is not as hard as it seems to an               
outsider, and it often goes undetected by legitimate users of                   
"cracked" computers.                                                            
                                                                                
     "Just because you don't see a problem is no reason to think                
a problem hasn't occurred," Brand said. "Generally it's a month                 
to six weeks before (operators) notice anything happened and                    
usually because the cracker accidentally broke something."                      
                                                                                
     Home computers aren't in danger from crackers because they                 
aren't accessible to outsiders--and because they aren't                         
interesting to crackers. Instead, they target mainframes and                    
minicomputers that support many users and are connected to                      
telephone lines and large networks.                                             
                                                                                
     Understanding how crackers work and what security weaknesses               
they exploit can help system managers prevent many break-ins,                   
Brand said. And the biggest problem is carelessness.                            
                                                                                
     "When I started looking at break-ins, I had the assumption                 
that technical problems were at fault," he said. "But the problem               
is human beings."                                                               
                                                                                
     The "Cracker": Most crackers are not bent on stealing either               
money or secrets but will target a particular computer for entry                
because of the bragging rights they will enjoy with fellow                      
crackers once they prove they broke in. Typically, the computer                 
belongs to a corporation or the government and is considered in                 
cracking circles to be hard to penetrate. Often, it is connected                
to the nationwide NSFNet computer network.                                      
                                                                                
     The attack: Crackers can attack the target computer from                   
home, using a modem and a telephone line. Or they can visit a                   
publicly accessible terminal room, like one on a college campus,                
using the school's computer to attack the target through a                      
network. At home, the cracker works undisturbed and unseen for                  
hours, but phone calls might be traced.                                         
                                                                                
     The resources: If the target computer is nearby, the cracker               
may look through the owner's trash for valuable information, a                  
practice called "dumpster diving." Discarded printouts, manuals                 
or other paper may contain lists of accounts, some passwords, or                
technical data more sophisticated crackers can exploit.                         
                                                                                
     The target: The easiest way to enter the target is with an                 
account name and its password. Passwords are often the weakest                  
link in a computer's security system: Many are easy to guess, and               
some accounts have no password at all. Sophisticated crackers use               
their personal computers to quickly try thousands of potential                  
passwords for a match.                                                          
                                                                                
     The cover: To make calls from home harder to trace, crackers               
might use stolen telephone credit-card numbers to place a series                
of calls through different long-distance carriers or corporate                  
switchboards before calling the target computer's modem.                        
                                                                                
     The way in: Many crackers take advantage of "holes" in the                 
operating system, the software that controls the basic operations               
of the machine. The holes are like secret doors that either let                 
crackers make their own "super" accounts or just bypass accounts                
and passwords altogether. Five holes in the Unix operating system               
account for the bulk of computer break-ins--yet many                            
installations have failed to patch them.                                        
                                                                                
     The network: Most large computers are connected to several                 
others through networks, a chief point of attack. Computers erect               
barriers to people but often completely trust other computers, so               
attacking a computer through another computer on the network can                
be easier than attacking it with a personal computer and a modem.               
                                                                                
     Ill-used passwords let many pass                                           
                                                                                
     Passwords are the security linchpin for most computer                      
systems. But these supposedly secret keys to computer access are                
easily obtained by a determined cracker.                                        
                                                                                
     The main reason: Users and system managers often are so                    
careless with passwords that they are as easy to find as a door                 
key left under the welcome mat.                                                 
                                                                                
     Part of the problem is the proliferation of computers and                  
computerlike devices such as automated teller machines, all of                  
which require passwords or personal identification numbers. Many                
people must now remember half a dozen or more such secret codes,                
encouraging them to make each one short and simple.                             
                                                                                
     Often, that means making their passwords the same as their                 
account name, which in turn is often the user's own first or last               
name. Such identical combinations are called "Joe" accounts, and                
according to computer expert Russell L. Brand, they are "the                    
single most common cause of password problems in the world."                    
                                                                                
     These `secret' keys to computer access are easily obtained                 
by a determined cracker. The main reason: Users and system                      
managers often are so careless with passwords that they are as                  
easy to find as a key left under the welcome mat.                               
                                                                                
     Knowing there are Joes, a cracker can simply try a few dozen               
common English names with a reasonable chance that one will work.               
Armed with an easily obtained company directory of employees, the               
task can be even easier.                                                        
                                                                                
     Joe accounts also crop up when the system manager creates an               
account for a new employee, expecting that the user will                        
immediately change the given password from his or her name to                   
something else. But users often fail to make the change or aren't               
told how. Sometimes, they never use the account at all, providing               
not only easy access for the cracker but an account where the                   
owner won't notice any illicit activity.                                        
                                                                                
     Even if crackers can't find a "Joe" on the computer they                   
want to enter, there are several other common ways for them to                  
find a password that will work:                                                 
                                                                                
     - Many systems have accounts with no passwords or have                     
accounts for occasional visitors to use where the ID and password               
are both GUEST.                                                                 
                                                                                
     - Outdated operator's manuals retrieved from the trash often               
list the account name and standard password provided by the                     
operating system for use by maintenance programmers. Although it                
can and should be changed, the password seldom is.                              
                                                                                
     - "Social engineering"--in effect, persuading someone,                     
usually by telephone, to divulge account names, passwords or                    
both--is a common ploy used by crackers.                                        
                                                                                
     - Crackers are sometimes able to obtain an encrypted list of               
passwords for a target computer, discarded by the owners who                    
mistakenly believe the coded words aren't useful to crackers.                   
While it's true they are difficult to decode, it is easy for a                  
cracker to use a personal computer to take a potential password                 
and encode it. Because most passwords are ordinary English words,               
crackers can simply run a personal computer program to encode the               
contents of an electronic dictionary and identify any entries                   
that match passwords on the coded list.                                         
                                                                                
     - In another form of deception, crackers set up public                     
bulletin board systems whose real purpose is to snag passwords.                 
Because many people tend to use the same password for all their                 
computer accounts, the cracker can simply wait until someone who                
has an account on the target computer also sets up an account on                
the bulletin board. The cracker then reads the password and tries               
it on the target system.                                                        
                                                                                
     While individual users can't delete dormant accounts from                  
their computers or keep an eye on the trash, they can be                        
intelligent about what passwords they use. Brand suggests users                 
choose a short phrase that's easy for them to remember and then                 
use the first two letters of each word as the password. As added                
protection, users who are able should mix uppercase and lowercase               
letters in their passwords or use a punctuation mark in the                     
middle of the word.--Rory J. O'Connor                                           
                                                                                
     The rights of bits                                                         
                                                                                
     Constitutional scholar Laurence H. Tribe, widely considered                
the first choice for any Supreme Court vacancy that might arise                 
under a Democratic administration, proposed a fairly radical idea               
recently: a constitutional amendment covering computers.                        
                                                                                
     Tribe's proposal for a 27th Amendment would specifically                   
extend First and Fourth Amendment protections to the rapidly                    
growing and increasingly pervasive universe of computing. Those                 
rights would be "construed as fully applicable without regard to                
the technological method or medium through which information                    
content is generated, stored, altered, transmitted or                           
controlled," in the words of the proposed amendment.                            
                                                                                
     I am not a constitutional scholar, but I have to believe                   
that what's needed is not a change in the Constitution, but                     
instead a change in the thinking of judges in particular and the                
public in general.                                                              
                                                                                
     Tribe acknowledges that he doesn't take amendments lightly,                
pointing to the ridiculous brouhaha over a flag-burning amendment               
as an example of what not to do to the basic law of the land. But               
like many people who are more deeply involved in the world of                   
computers, Tribe sees the issue of civil liberties in an                        
information society as a crucial one.                                           
                                                                                
     The question is not whether the civil liberties issue is                   
serious enough to be addressed by some fundamental legal change.                
The question is really how to get people to see that                            
communicating with a computer is speech, and that to search a                   
computer and seize data is the same as searching a house and                    
seizing the contents of my filing cabinet.                                      
                                                                                
     People seem to have trouble making these connections when                  
computers are involved, even though they wouldn't have trouble                  
recognizing a private telephone conversation as protected speech.               
Yet most telephone calls in this country are, at some time in                   
their transmission, nothing more than a stream of computer bits                 
traveling between sophisticated computers.                                      
                                                                                
     Admittedly, computers do make for some complications where                 
things like search and seizure are concerned.                                   
                                                                                
     Let's say the FBI gets a search warrant for a computer                     
bulletin board, looking for a specific set of messages about an                 
illegal drug business. Because a single hard disk drive on a                    
bulletin board system can contain thousands of messages from                    
different users, the normal method for police will be to take the               
whole disk, and probably the computer as well, back to the lab to               
look for the suspect messages.                                                  
                                                                                
     Of course, that exposes other, supposedly confidential                     
messages to police scrutiny. It also interrupts the legitimate                  
operation of what is, in effect, an electronic printing press.                  
                                                                                
     Certainly, in the case of a real printing press that used                  
paper, such police activity would never be allowed. But a                       
computer is involved here, which to some appears to make the                    
existing rules inapplicable.                                                    
                                                                                
     But in a case like this, we don't need a new amendment, just               
the proper application of the Bill of Rights.                                   
                                                                                
     As a more practical matter, the chances of amending the                    
Constitution are slight. It was the intent of the framers to make               
the task difficult, to prevent just such trivial things as                      
flag-burning amendments from being tacked onto the document. Even               
the far more substantial Equal Rights Amendment did not survive                 
the rocky road from proposal to adoption. I doubt Tribe's                       
amendment would fare any better.                                                
                                                                                
     Tribe says he hopes his proposal will spur serious                         
discussion of civil rights in the information age, and I suspect                
that is his real--and laudable--motive.                                         
                                                                                
     I'm not dead set against amending the Constitution if that's               
what it takes to extend the Bill of Rights to computing. I just                 
believe that Americans are capable of figuring out that we don't                
need it.