272 lines
22 KiB
Plaintext
272 lines
22 KiB
Plaintext
HOW `CRACKERS' CRACK
|
|
by Rory J. O'Connor
|
|
Mercury News Computing Editor
|
|
|
|
Police, prosecutors and most of the press call them
|
|
"hackers." Computer cognoscenti prefer the term "crackers."
|
|
|
|
Both sides are talking about the same people, typically
|
|
young men, whose fascination with computers leads them to gain
|
|
access to computers where they don't belong.
|
|
|
|
A few crackers make headlines, like Robert T. Morris Jr.,
|
|
son of a top computer security expert for the supersecret
|
|
National Security Agency, who let loose a "worm" program on a
|
|
national network of university, research and government computers
|
|
in 1988.
|
|
|
|
There are also notorious crackers like Kevin Mitnick, who
|
|
was under investigation at the age of 13 for illegally obtaining
|
|
free long-distance phone calls and was sentenced to prison in
|
|
1989 for computer break-ins.
|
|
|
|
Then there are legions of far more ordinary crackers who
|
|
simply use their knowledge of computers to "explore" intriguing
|
|
corporate or government computers or simply to go for the
|
|
electronic equivalent of a joy ride and impress their friends.
|
|
|
|
But they all share something: an air of mystery. How do they
|
|
do it?
|
|
|
|
At a recent conference on computer freedom and privacy,
|
|
computer expert Russell L. Brand gave a four-hour lecture on the
|
|
inner workings of computer cracking.
|
|
|
|
His basic message: Cracking is not as hard as it seems to an
|
|
outsider, and it often goes undetected by legitimate users of
|
|
"cracked" computers.
|
|
|
|
"Just because you don't see a problem is no reason to think
|
|
a problem hasn't occurred," Brand said. "Generally it's a month
|
|
to six weeks before (operators) notice anything happened and
|
|
usually because the cracker accidentally broke something."
|
|
|
|
Home computers aren't in danger from crackers because they
|
|
aren't accessible to outsiders--and because they aren't
|
|
interesting to crackers. Instead, they target mainframes and
|
|
minicomputers that support many users and are connected to
|
|
telephone lines and large networks.
|
|
|
|
Understanding how crackers work and what security weaknesses
|
|
they exploit can help system managers prevent many break-ins,
|
|
Brand said. And the biggest problem is carelessness.
|
|
|
|
"When I started looking at break-ins, I had the assumption
|
|
that technical problems were at fault," he said. "But the problem
|
|
is human beings."
|
|
|
|
The "Cracker": Most crackers are not bent on stealing either
|
|
money or secrets but will target a particular computer for entry
|
|
because of the bragging rights they will enjoy with fellow
|
|
crackers once they prove they broke in. Typically, the computer
|
|
belongs to a corporation or the government and is considered in
|
|
cracking circles to be hard to penetrate. Often, it is connected
|
|
to the nationwide NSFNet computer network.
|
|
|
|
The attack: Crackers can attack the target computer from
|
|
home, using a modem and a telephone line. Or they can visit a
|
|
publicly accessible terminal room, like one on a college campus,
|
|
using the school's computer to attack the target through a
|
|
network. At home, the cracker works undisturbed and unseen for
|
|
hours, but phone calls might be traced.
|
|
|
|
The resources: If the target computer is nearby, the cracker
|
|
may look through the owner's trash for valuable information, a
|
|
practice called "dumpster diving." Discarded printouts, manuals
|
|
or other paper may contain lists of accounts, some passwords, or
|
|
technical data more sophisticated crackers can exploit.
|
|
|
|
The target: The easiest way to enter the target is with an
|
|
account name and its password. Passwords are often the weakest
|
|
link in a computer's security system: Many are easy to guess, and
|
|
some accounts have no password at all. Sophisticated crackers use
|
|
their personal computers to quickly try thousands of potential
|
|
passwords for a match.
|
|
|
|
The cover: To make calls from home harder to trace, crackers
|
|
might use stolen telephone credit-card numbers to place a series
|
|
of calls through different long-distance carriers or corporate
|
|
switchboards before calling the target computer's modem.
|
|
|
|
The way in: Many crackers take advantage of "holes" in the
|
|
operating system, the software that controls the basic operations
|
|
of the machine. The holes are like secret doors that either let
|
|
crackers make their own "super" accounts or just bypass accounts
|
|
and passwords altogether. Five holes in the Unix operating system
|
|
account for the bulk of computer break-ins--yet many
|
|
installations have failed to patch them.
|
|
|
|
The network: Most large computers are connected to several
|
|
others through networks, a chief point of attack. Computers erect
|
|
barriers to people but often completely trust other computers, so
|
|
attacking a computer through another computer on the network can
|
|
be easier than attacking it with a personal computer and a modem.
|
|
|
|
Ill-used passwords let many pass
|
|
|
|
Passwords are the security linchpin for most computer
|
|
systems. But these supposedly secret keys to computer access are
|
|
easily obtained by a determined cracker.
|
|
|
|
The main reason: Users and system managers often are so
|
|
careless with passwords that they are as easy to find as a door
|
|
key left under the welcome mat.
|
|
|
|
Part of the problem is the proliferation of computers and
|
|
computerlike devices such as automated teller machines, all of
|
|
which require passwords or personal identification numbers. Many
|
|
people must now remember half a dozen or more such secret codes,
|
|
encouraging them to make each one short and simple.
|
|
|
|
Often, that means making their passwords the same as their
|
|
account name, which in turn is often the user's own first or last
|
|
name. Such identical combinations are called "Joe" accounts, and
|
|
according to computer expert Russell L. Brand, they are "the
|
|
single most common cause of password problems in the world."
|
|
|
|
These `secret' keys to computer access are easily obtained
|
|
by a determined cracker. The main reason: Users and system
|
|
managers often are so careless with passwords that they are as
|
|
easy to find as a key left under the welcome mat.
|
|
|
|
Knowing there are Joes, a cracker can simply try a few dozen
|
|
common English names with a reasonable chance that one will work.
|
|
Armed with an easily obtained company directory of employees, the
|
|
task can be even easier.
|
|
|
|
Joe accounts also crop up when the system manager creates an
|
|
account for a new employee, expecting that the user will
|
|
immediately change the given password from his or her name to
|
|
something else. But users often fail to make the change or aren't
|
|
told how. Sometimes, they never use the account at all, providing
|
|
not only easy access for the cracker but an account where the
|
|
owner won't notice any illicit activity.
|
|
|
|
Even if crackers can't find a "Joe" on the computer they
|
|
want to enter, there are several other common ways for them to
|
|
find a password that will work:
|
|
|
|
- Many systems have accounts with no passwords or have
|
|
accounts for occasional visitors to use where the ID and password
|
|
are both GUEST.
|
|
|
|
- Outdated operator's manuals retrieved from the trash often
|
|
list the account name and standard password provided by the
|
|
operating system for use by maintenance programmers. Although it
|
|
can and should be changed, the password seldom is.
|
|
|
|
- "Social engineering"--in effect, persuading someone,
|
|
usually by telephone, to divulge account names, passwords or
|
|
both--is a common ploy used by crackers.
|
|
|
|
- Crackers are sometimes able to obtain an encrypted list of
|
|
passwords for a target computer, discarded by the owners who
|
|
mistakenly believe the coded words aren't useful to crackers.
|
|
While it's true they are difficult to decode, it is easy for a
|
|
cracker to use a personal computer to take a potential password
|
|
and encode it. Because most passwords are ordinary English words,
|
|
crackers can simply run a personal computer program to encode the
|
|
contents of an electronic dictionary and identify any entries
|
|
that match passwords on the coded list.
|
|
|
|
- In another form of deception, crackers set up public
|
|
bulletin board systems whose real purpose is to snag passwords.
|
|
Because many people tend to use the same password for all their
|
|
computer accounts, the cracker can simply wait until someone who
|
|
has an account on the target computer also sets up an account on
|
|
the bulletin board. The cracker then reads the password and tries
|
|
it on the target system.
|
|
|
|
While individual users can't delete dormant accounts from
|
|
their computers or keep an eye on the trash, they can be
|
|
intelligent about what passwords they use. Brand suggests users
|
|
choose a short phrase that's easy for them to remember and then
|
|
use the first two letters of each word as the password. As added
|
|
protection, users who are able should mix uppercase and lowercase
|
|
letters in their passwords or use a punctuation mark in the
|
|
middle of the word.--Rory J. O'Connor
|
|
|
|
The rights of bits
|
|
|
|
Constitutional scholar Laurence H. Tribe, widely considered
|
|
the first choice for any Supreme Court vacancy that might arise
|
|
under a Democratic administration, proposed a fairly radical idea
|
|
recently: a constitutional amendment covering computers.
|
|
|
|
Tribe's proposal for a 27th Amendment would specifically
|
|
extend First and Fourth Amendment protections to the rapidly
|
|
growing and increasingly pervasive universe of computing. Those
|
|
rights would be "construed as fully applicable without regard to
|
|
the technological method or medium through which information
|
|
content is generated, stored, altered, transmitted or
|
|
controlled," in the words of the proposed amendment.
|
|
|
|
I am not a constitutional scholar, but I have to believe
|
|
that what's needed is not a change in the Constitution, but
|
|
instead a change in the thinking of judges in particular and the
|
|
public in general.
|
|
|
|
Tribe acknowledges that he doesn't take amendments lightly,
|
|
pointing to the ridiculous brouhaha over a flag-burning amendment
|
|
as an example of what not to do to the basic law of the land. But
|
|
like many people who are more deeply involved in the world of
|
|
computers, Tribe sees the issue of civil liberties in an
|
|
information society as a crucial one.
|
|
|
|
The question is not whether the civil liberties issue is
|
|
serious enough to be addressed by some fundamental legal change.
|
|
The question is really how to get people to see that
|
|
communicating with a computer is speech, and that to search a
|
|
computer and seize data is the same as searching a house and
|
|
seizing the contents of my filing cabinet.
|
|
|
|
People seem to have trouble making these connections when
|
|
computers are involved, even though they wouldn't have trouble
|
|
recognizing a private telephone conversation as protected speech.
|
|
Yet most telephone calls in this country are, at some time in
|
|
their transmission, nothing more than a stream of computer bits
|
|
traveling between sophisticated computers.
|
|
|
|
Admittedly, computers do make for some complications where
|
|
things like search and seizure are concerned.
|
|
|
|
Let's say the FBI gets a search warrant for a computer
|
|
bulletin board, looking for a specific set of messages about an
|
|
illegal drug business. Because a single hard disk drive on a
|
|
bulletin board system can contain thousands of messages from
|
|
different users, the normal method for police will be to take the
|
|
whole disk, and probably the computer as well, back to the lab to
|
|
look for the suspect messages.
|
|
|
|
Of course, that exposes other, supposedly confidential
|
|
messages to police scrutiny. It also interrupts the legitimate
|
|
operation of what is, in effect, an electronic printing press.
|
|
|
|
Certainly, in the case of a real printing press that used
|
|
paper, such police activity would never be allowed. But a
|
|
computer is involved here, which to some appears to make the
|
|
existing rules inapplicable.
|
|
|
|
But in a case like this, we don't need a new amendment, just
|
|
the proper application of the Bill of Rights.
|
|
|
|
As a more practical matter, the chances of amending the
|
|
Constitution are slight. It was the intent of the framers to make
|
|
the task difficult, to prevent just such trivial things as
|
|
flag-burning amendments from being tacked onto the document. Even
|
|
the far more substantial Equal Rights Amendment did not survive
|
|
the rocky road from proposal to adoption. I doubt Tribe's
|
|
amendment would fare any better.
|
|
|
|
Tribe says he hopes his proposal will spur serious
|
|
discussion of civil rights in the information age, and I suspect
|
|
that is his real--and laudable--motive.
|
|
|
|
I'm not dead set against amending the Constitution if that's
|
|
what it takes to extend the Bill of Rights to computing. I just
|
|
believe that Americans are capable of figuring out that we don't
|
|
need it.
|
|
|
|
|
|
|