What Hackers Don't Want You To Know
The Laptop Buyer's Guide and Handbook - November 1, 1998
By Jack M. Germain

Anyone who uses a computer is a potential hacking victim. A hacker with access to a personal computer can create havoc in a single computer or a vast com­puter network. Many hackers view their pursuit as an art, relishing their talents and sharpening their skills through study and practice. Other hackers take their art a step higher, giving it a near-occult status. They band together in secret organizations that meet in obscure hangouts on the Internet. You may think they are far removed from your daily computing tasks and that all you really have to worry about are computer viruses. Think again!

“Every day, all over the world, computer networks and hosts are being broken into,” claimed a page on Cybertrix.com, one of more than 500 Web sites devoted to hacking. While most break-ins are caused by weak passwords, Cybertrix’s Webmaster wrote that many hackers use more advanced techniques to break in. “The NIC, NCSC, RSA, NASA, MIT, Uunet, Berkeley, Purdue, and Sun. You name it, we’ve seen it broken into. Anything that is on the Internet (and many that aren’t) seems to be fairly easy game.

If a hacker is skilled and interested enough, he or she can get into your computer and acquire any information you store there. Even worse, the hacker can trash your computer and crash the network. If you use a computer network — and that includes the laptop or desktop you connect to a network you are a potential target. Hackers openly boast that no network is hack proof. Sure, you can redouble basic security methods on your portable computer to make it more difficult for an unauthorized user to gain access to your files. Passwords required at boot-up go a long way to keep out amateur thieves. User passwords to start Windows and bypass screen savers add a thin layer of security. Saving critical data to external disks or a removable hard drive prevents total disaster if the notebook computer is stolen.

Just never assume that your computer, its network connection, and your e-mail are hack proof. They’re not! John Vacca, a former computer-security official for the NASA Space Station Program, warns in his book, “Internet Security Secrets,” that the amount of information stolen or damage done to an invaded system is limited only by the network’s speed and the hacker’s equipment.

Hacker Profiles

These people are real, not contrived. They are well known in Internet circles for their hacking skills. We contacted them via e-mail and their Web sites to verify that they are who they say they are. In most cases, however, these sources of information on hacking declined to provide us with their non-virtual identities. Their reason, usually not acceptable under normal journalistic standards, was that interviewing them under their pseudonyms was their only protection against discovery and possible recrimination. Under these circumstances, we agree.

Meet the Tazinator, aka the Webmaster at hfactorx.org, a site devoted to hacking. The Tazinator got involved in hacking because he liked to take apart, explore, and figure out what made things work on a computer and networks.

“Learning it comes from a strong desire and the never-give-up atti­tude,” he says in discus­sing his background. Tazinator overcame the barriers that block many would-be hackers who are eager to learn and find someone to teach them. Most of them get discouraged because all their efforts to find a mentor lead them only to torment and harassment. Instead, he learned as a youngster how to figure things out on his own. He downloaded countless texts on the ins and outs of dealing with technology, particularly computers, and purchased a number books on the same subject. Over time, he experimented with what he learned and got better with practice and by conversing with others.

The Hacker, the Cracker, and You

Tazinator sees two classes of hackers with the distinction based on their reasons for breaking into a computer system. There are hackers, and there are crackers. Crackers are the more malevolent. Almost everything a cracker does is for pleasure — rather than to achieve some larger goal. Hackers, on the other hand, do things for specific reasons. For instance, a true hacker breaks into a system to show where the flaws are and how to fix them. “The definition of a hacker has become corrupted and no longer is it the same as it once was,” he explains. While it seems that everyone now knows how to “hack,” true hackers — the ones who don’t cause trouble — are very rare and seldom identify themselves as hackers.

The Master of Magic agrees. Working with computers profes­sionally for 13 years, he, too, learned the hacking business from the Internet itself. He only breaks into systems with permission, so he can track down security weaknesses. For him, hacking is a quest for knowledge. He praises true hackers as saviors. “They are, in fact, helping major operating system vendors to increase security by informing them about vulnerabilities in their software in advance — before it becomes common knowledge.”

Hackers generally have high ideals, notes Tazinator. Each hacker has his own main goal. For most, it is the challenge of getting through that supposedly unbeatable security system. For others, it is to prove that they are better than the system operator who runs a particular server. “Things are not like they are portrayed in the movies where the only reason a hacker breaks into another system is to thieve sensitive information,” he says. “Situations do arise where certain information or software is on a particular system and hackers will use it if they think they will benefit from it.”

Breaking into a system to steal sensitive documents is more of a hacker stereotype. Tazinator acknowledges that it happens, but he also emphasizes the more benevolent aims of hacking. “Usually, we would break into a system to show the flaws in that system’s security and provide a method or explanation to the administrator on how to fix the problem,” he stresses. “You don’t always need to be a hacker to find a hole or back door into a system, so if we can find it, someone else can, too.” Hackers often let others know that their security has been violated by leaving a calling card of sorts.

One common calling card is rearranging Web sites. That is something Tazinator, and probably almost every other hacker, has done. Another is to post a message. For example, explains Tazinator, imagine a large corporation was losing sight of production quality, yet raising prices out of greed rather than to improve upon a product. That could urge a hacker to alter the Web site to relay this point to all visitors to that site.

Lianne Annstrong (not her real last name, but her nom de guerre), a 14-year-old hacker-in-training from Ontario, Canada, developed an interest in hacking mostly out of boredom and the glorified view presented in the movie Hackers. With her curiosity piqued, she read some books about basic computers and modems. Then she stumbled on a book called Secrets of a Super Hacker, by Gareth Branwyn ($19.95; Loompanics), went to a few Internet sites, and learned a ton about hacking. She’s been learning ever since and joined a hacker group known as 007. Armstrong is a hacker in the less accurate but more common and more feared usage of the word. Falling short of Tazinator’s ideal view of hackers, Armstrong admits to being more mischievous than benevolent when she cracks into a system. “I will read other people’s e­mail. I will screw up people’s Web sites, especially the sexiest porn ones. And I like “piggybacking” onto other people’s accounts, she brags, adding “I like messing around with the school and library computers — the staff goes nuts!” Her primary tool is the virus.

For Armstrong, hacking is a power trip. People don’t mess with her, she notes, because they know she can kill their computer. “I could mess up your computer, from my computer, no matter how far away I am from you,” she says. Yet she has a conscience and knows that hackers do get into trouble when caught. “It’s like going through a red light in front of a cop — it’s risky,” she admits.

The song is the same, no matter which hacker sings. Hack-proof computer systems don’t exist. Armstrong knows the lyrics, too. “Hacking is pretty widespread. Every year, they discover new things to protect computers and to make them do more things. Yet, every year, hackers find new vi ruses and new tricks, and it’s an ongoing thing. Everyone progresses. We stay on top. They are fixing cracks and doorways. but we’re getting smarter and quicker.”

Sobering words from such a young hacker who has learned most of the tricks on her own. Her closing refrain doesn't offer much hope for prevention, either. “No one is safe from a really good hacker. A virus detector or prevention for viruses can help, but with the right virus, we can mess up the detector, too!”

How Do They Do It?

If you know what hackers know, you become more aware of the attack risk you face through applications on your computer. One simple message was evident in all of our exchanges with hackers. Learn all you can about how your computer works. That, essentially, is how hackers learn their trade. In a kind of reverse engineering fashion, they learn what makes things tick. If you know what their so-called textbooks are, you can learn what hackers know. Of course, you don’t want to learn and practice the hacking skills themselves. However, you will be forearmed so you can avoid the mistakes that give hackers easier access to your equipment.

Hackers use a wide range of tools and methods to access a system — from programs known as password crackers to Trojan Horse software. Password crackers methodically feed every conceivable alphanumeric combination at dial-in prompts to eventually gain access. Password sniffers are programs that log passwords entered by others and clandestinely e-mail them to another location. Trojan Horse programs conceal a virus within an apparently safe utility available for download or installation from a floppy disk. Running the so-called program activates the virus.

Search the Internet using keywords related to hacking and you will find such programs as Satan, Brute Force, and Cracker Jack, all password-crackers. Satan, although now falling out of date, is a particularly devilish program for hackers. It takes an IP address in an active connection and provides access. You can find lots of others, too. Programs are available for every operating system, in most cases free for the taking. Some programs are better than others, and some do things the others don’t. For instance, you wouldn’t use a cracking program designed to crack Windows passwords to crack a Unix password.

Read through the documentation files for these applications. Their content will make you much more aware of how these programs work. Again, understanding the theory behind such things as password sniffing and cracking will help you change how you carry on your own computing.

Hackers also rely on oh fashioned con-artistry. They fool a regular user into giving them the password. Even worse, they dupe naive system administrators into giving them access. If your computing involves a corporate LAN, for instance, make sure that strict policies are in place for access. Insist that under no circumstances do stances do co-workers and even system administrators provide access information via phone calls. If you expect a con-artist approach, you are more likely to recognize it when the con occurs. Account takeovers have been a common means for computer “crackers” to deface a company or organization’s Web site. These takeovers often occur when the cracker is persistent enough to find a customer service representative who does not follow standard identification procedure.

More often than not, says Tazinator, hackers rely on their own programming skills, rather than hacking software. “If you need to rely on someone else’s programming skills to make you a password cracking program, then you will only be as good as that program.” That’s one reason why we haven’t seen anti-hacking software on the market. Hackers depend less on a particular program than they do on reacting to whatever blocks their access in a system they want to enter.

Tazinator notes that Hackers exploit what they know about network designs to get around security roadblocks. That’s why nothing is ever truly hackproof. Hackers can wander in through the “front door” with stolen passwords. However, if that fails, hackers know they can use the “back door” put there by programmers and system operators. Back doors are programmed into network software and security routines in case system operators get locked out and need to get back in. That is where the vulnerabilities come in.

To truly make a system more secure, you must eliminate the back doors and holes. Sometimes that isn’t possible, says Tazinator, because those holes are there for a reason — for example, to allow you to send and receive electronic mail. Using e-mail server ports to gain access to the systems used to be a major vulnerability that system operators left unsecured.

Plugging e-mail and other security breaches is what the Master of Magic likes to do with his band of merry hackers at http://www.ehap.org/ (Ethical Hackers Against Pedophilia). Recently, he was “hired” by a small BBS operator who was expanding to provide Internet services to his existing subscribers. EHAP’s job was to audit his system. The EHAP hackers completely took over the main server, e-mail server, and router. Their hacking helped that ISP secure his servers and get in touch with the BBS software vendor to make a few fixes to the software itself.

Not all hackers are that good-natured. Hackers routinely plant password sniffers, says the Master of Magic. “It provides sort of a spring board to get into other systems.” He offered an example. “Let’s say I use <shell.Own3d.com> as my primary provider. I would also have a secondary account on <shell.secure.com>. Now, any hacker who plants a password sniffer on <shell.Own3d.com> will find my account information for <shell.secure.com> if I log in to that server from <shell.Own3d.com>.”

Fred Kerber, a hacker-savvy network administrator from Toms River, New Jersey, says today’s code-cracking programs are easier and more efficient to use because hackers’ computers are much faster than the machines many of them learned on years ago. On average, these programs will get a hacker into a supposedly secure network system in about 15 minutes.

Standalone computers are even more vulnerable. “Win Nuke, for instance, takes 15 seconds to get into a dial-up connection,” Kerber adds. It uses Port 1 on a local computer or ties into Port 6668 in a chat-room connection. In all, 32,864 ports are available in an Internet connection. That gives these hacking programs plenty of opportunity to break in. In particular, Win Nuke uses port 72 or 80 to send out massive requests to a computer, says Kerber. Hitting these ports can force the user to reboot the computer, jettisoning all of the active data in the process. Such a tactic, he notes, can also wreck a server and everyone connected to it.

‘That kind of attack causes servers to go down,” says Kerber. “Software just doesn’t crash by itself. It takes intervention.”

Keeping Your System Safe and Secure

Ask the Master of Magic if you can ever have a hack-proof network or totally secure home office/small office computer, and he’ll tell you — ”No, unless you lock your computer into a safe and throw away the key, or rip out network cables, you can’t have a hack-proof system.”

Not all hacking is done remotely via the Internet, as is glorified in movies. “In fact,” says the Master, “70 percent or more of the time, system vulnerability is exploited from inside or within your own network, or via physical access to the computer.”

With that in mind, we compiled a list of suggestions from our hacker confidantes. When computer users are aware of the threat, they can reduce the likelihood of hacker attacks. However, our sources stress that you can never be absolutely safe. Here are their suggestions.

Don’t go annoying people on chat rooms and make them mad. Instead, make a friend of a hacker on the Net. Then buy at least one virus protector. Hackers won’t kill you; they’ll just mess up your computer, sometimes so badly you’ll have to get a new one, warns young Armstrong.

The Tazinator adds that chat-room braggarts often tip their hands by boasting to everyone that they are hackers. They will do stupid things like mail-bomb people at random. You want to stay away from these people as much as you can.

Also, protect any sensitive information that you don’t want exposed — don’t save it on your computer. Instead, save it to a disk and place it in a secure spot. Be sure to protect yourself from loss of information on hacker-trashed systems by backing up your files regularly to a removable storage device.

New viruses come out every day, and your antivirus software won't always be able to detect and remove it. Not keeping your antivirus software updated is almost as bad as not having antivirus software at all.

Don’t download documents from people you don’t know without making sure you know exactly what the documents are. Do the same for e-mail. If you aren’t sure about who sent you something, don’t read it. Viruses can be hidden within e-mail as well as files. Always be sure to scan everything you download before using it. Even though you may have received it from a friend, that friend may not have known it contained a virus.

Avoid online purchases from unfamiliar sites. Credit-card information is still stolen online, particularly from nonsecure sites. Be sure you know from whom you are buying. If you’re not certain of a connection’s security, find the product online and then place the order by phone. Or find out more about whom you are buying from before you commit to sending your personal information across the data stream.

Staying informed is a good defense. Only by applying required software patches and fixes can you keep applications relatively secure. Many hackers succeed because a user or system administrator misconfigured a system.

Kerber adheres to a five-point philosophy in safeguarding networks he handles. His approach offers good safety tips to anyone who uses a desktop computer, network, or notebook computer.

1. Create your own password using as many characters as the system allows. Make sure it contains a random mix of upper and lower case letters, plus numbers and punctuation marks. Hackers use sequencing algorithms that are based primarily on letter combinations.
   

2. Avoid using personal information in selecting PIN numbers for online accounts. It only takes a Yahoo search to find out all your personal information, including listed house and work numbers (unlisted numbers should be safe).
   

3. Do not use profile details anywhere you go on the Internet. The less you publish online about yourself, the fewer clues you leave for hackers to get you.
   

4. Have at least two ISP accounts, even if you subscribe to only one service. Each one should have its own properties and passwords. This gives each ISP account a different IP address, building in one more level of security. If you have an AOL account, beware. Even though AOL lets you establish up to five family member accounts, the other four are still connected to your master account. A hacker getting one of the passwords can gain access to the others very easily.
   

5. Make sure you turn off file-printing and file-sharing properties. File sharing is prevalent on networks. Many software applications use default settings that turn on file sharing and printing access, even when you aren’t connected to a network.

One more tip: Get a good firewall program to put an armor-strength security zone between your Internet connection and your computer. One such program is PCFirewall, which is bundled in Network Associates’ McAfee VirusScan Security Suite Platinum Edition. PCFirewall prevents unauthorized access to your PC while you are connected to the Internet, and access to offensive Web sites.

The hacker threat won’t go away. As computing technology improves, so do the skills of hackers and crackers who are determined to break in. However, there is some hope for security. A new cooperative effort between government and industry may help thwart computer break-ins and security breaches. A consortium of the Department of Defense, private industry, and security professionals has designed an intrusion-detection software system called The Shadow, available free to any U.S. organization. Get details about the Shadow by e-mailing the SANS Institute ( info@sans.org ), an educational group for systems administrators and network security specialists ( http://www.sans.org/ ).