Protecting Against Hacker Attacks

82-03-05 Protecting Against Hacker Attacks

Ed Norris

Payoff

In order to protect their computer and communications systems, information security practitioners need to understand the motives and modes of operation of external intruders. By learning how hackers gather and share information and how they break into systems, security practitioners can ensure that system safeguards remain able to detect and thwart attempts at unauthorized access. This article presents a profile of hackers and hacker clubs, their methods of communication (including magazines, bulletin boards, newsgroups, and conventions), and specific methods of information gathering and attack. Recommended procedures and controls for countering such hacker activities are provided.

Problems Addressed

The problem of people breaking into computer and telephone systems is not new. Such activities have occurred since the first introduction of these technologies. As new technologies become available, it can be expected that new methods of obtaining unauthorized access to these technologies will be developed. To protect their systems against unauthorized intrusion, security practitioners need to understand hackers: who they are, what motivates them to break into systems, and how they operate. This article examines these issues, describes specific hacking techniques, and recommends actions that should be taken to reduce exposure to hacker attacks.

What is a Hacker?

The term hacker means different things to different people. The author of the book Prevention and Prosecution of Computer and High Technology Crime defines hackers as computer criminals and trespassers who view illegal computer access as an intellectual challenge and a demonstration of technical prowess.
The New Hacker's Dictionary offers a more benign definition: “A person who enjoys learning the details of computer systems and how to stretch their capabilities as opposed to most users of computers who prefer to learn only the minimum amount necessary.” Indeed, many people consider themselves hackers, yet would never attempt to gain unauthorized access to a computer or telephone system.

Other terms are also used to refer to hackers. For example, phreaks are hackers that target telephone systems. The terms computer intruder and cracker are also commonly used for computer hackers. This article modifies the definition from The New Hacker's Dictionary, adding that some hackers may attempt to gain unauthorized access to computer and telephone systems to achieve their goals.

A Hacker Profile

In the early 1980s, the hacker profile was of a highly intelligent, introverted teenager or young adult male who viewed hacking as a game; most were thought to be from middle and upper class families. Like most stereotypes, this profile has proved to be wrong. In reality, hackers can be very smart or of average intelligence, male or female, young or old, and rich or poor. And recent hacker arrests and convictions have taught hackers that, whatever they may have thought in the past, hacking is not a game.

To succeed, hackers need three things: motive, opportunity, and means. The motive may be increased knowledge, a joy ride, or profit. Many IS practitioners have the opportunity and means to hack systems but lack the motive.

The opportunity to hack systems has increased greatly over the years. Today, computer systems can be found everywhere. Hackers don't need state-of-the-art equipment to hack systems—used equipment is inexpensive and adequate to the task. Most companies allow some type of remote access by means of either dial-up lines or connections to external networks. For a relatively small monthly fee, anyone can have access to the Internet.
Unfortunately, many corporations provide opportunities to access their systems by failing to provide adequate security controls. And many hackers believe that the potential for success outweighs the possible penalties of being caught.

The means of attack is limited only by the imagination and determination of the hacker. A basic law of hacking can be summarized as “delete nothing, move nothing, change nothing, learn everything.”

Some hackers target such entities as corporations, security and law enforcement personnel, and other hackers. Kevin Mitnick allegedly electronically harassed a probation officer and FBI agents who got in his way. Some hackers target organizations for political reasons. For example, the Chaos Computer Club supports Germany's Green Party. And others target any machine that runs an operating system capable of executing a particular virus, worm, or Trojan horse.

The estimates of the number of people involved in hacking vary greatly. Estimates range from about one hundred serious hackers to hundreds of thousands. No one really knows the number of people involved. Suffice it to say there are enough hackers to warrant taking precautions to prevent unauthorized access.

Hackers often use aliases, such as Shadow Hawk 1, Phiber Optik, Knight Lightning, Silent Switchman, Dark Avenger, and Rock Steady. These aliases allow them to remain anonymous, while retaining a recognizable identity. And they can change that identity at any time simply by choosing another handle. For example, Shadow Hawk 1 is known to have also used the handles Feyd Rautha, Captain Beyond, and Mental Cancer. Changing handles is intended to confuse security personnel as to the identity of the hacker, which makes it more difficult to monitor hacker activity. A hacker may also want the targeted organization to think that several people are attacking the target.
Security practitioners need to be aware of these methods of operation in order to understand the identity and the true number of hackers involved in an attack.

Hacker Clubs

Some hackers and phreaks belong to such hacker clubs as Legion of Doom, Chaos Computer Club, NuKE, The Posse, and Outlaw Telecommandos. These clubs give a sense of companionship, although most members never physically meet. More importantly, they help members work as a team toward common goals. By bringing together unique technical skills of individual hackers (e.g., specialties in UNIX or TCP/IP), these teams can achieve goals that might be out of reach for an individual hacker. Some hackers may also view membership in hacker clubs as demonstrating to the hacker and security communities that they are skilled members of an elite.

Hacker clubs come and go. The more willing the members are to contribute to club activities, the longer such clubs remain active. Hack-Tic and the Chaos Computer Club have been in existence for a relatively long time, whereas such groups as MAGIK (Master Anarchists Giving Illicit Knowledge) and RRG (Rebels Riting Guild) lasted only a very short time.

Hacker Publications

Some hacker and phreak clubs produce publications. For example, the Legion of Doom produces Phrack, Phalcon/Skism produces 40Hex, and the Chaos Computer Club produces Chaos Digest. These publications provide hackers with technical information as well as providing a social function. Some hacker publications can be received by means of electronic mail over the Internet; others are sent through the postal system. Some book stores and magazine stands sell 2600 The Hacker Quarterly, which has been published for ten years. This publication periodically publishes a list of addresses of other hacker publications.
In order to keep informed of hacker interests and activities, security practitioners with access to the Internet should subscribe to the nonhacker publication Computer underground Digest. This electronic digest covers general issues related to information systems, and also covers hacker- and security-related topics. It often provides pointers to other sources of hacker information. Searching these sources can help the security administrator learn about the ways hackers obtain knowledge. Computer underground Digest can be subscribed to by sending an electronic mail message to [email protected]; the message should be sub cudigest your-name.

Hacker Conventions

Some hacker groups sponsor hacker conventions. For example, the Chaos Computer Club sponsors the Chaos Congress, Hack-Tic sponsors Hacking at the End of The Universe, and Phrack and the Cult of the Dead Cow sponsor HoHoCon. These conventions are held in the US and Europe. Hackers and phreaks, as well as security and law enforcement personnel, are featured speakers. The conventions are open to all interested parties.

Most of these conventions serve primarily as venues for hackers to brag, swap stories, and exchange information. They tend not to be highly organized; most substantive information is exchanged in hotel rooms and lobbies. There have been a few raids and arrests at some conventions.

Bulletin Boards and Newsgroups

Hackers and hacker clubs primarily communicate by means of bulletin board systems. It is estimated that there are about 1,300 underground bulletin boards in the US. The information found on bulletin board systems is usually current and state-of-the-art. Timeliness of this information is important; hacker techniques described in print publications are usually already well known by the time they appear in print, and these published methods may no longer work.

Even old information can be valuable, however. The LOD (Legion of Doom) Communications is selling old bulletin-board system archives.
Even though these message bases are from the mid-1980s, many organizations are still being successfully attacked using methods described in those files. It can be difficult
