Hackers or Crackers or What? v2.0: Notorious Cases

"A lot of us hackers who grew up within the system always thought of ourselves as kind of rebels. We'd play Led Zeppelin while we loaded our machines and we always thought we were kind of a little different. It was really funny seeing an entire subculture who thought we were 'The Man.'" So begins the tale of a modern Virgil, an anonymous cracker-hunter willing to guide others through the maze of confusion that is that "entire subculture" - a subculture of which he had been unaware until one of its denizens invaded the computer system to which he had been assigned as guardian. "I wound up having to immerse myself in the various aspects of the hacker culture and I began to realize that I'm just a little piece of it," he says. "My piece is sort of the legitimate, established people - and that there are tons of other folks who are getting into this for lots of different reasons. But we're all sort of driven internally by the same kind of need to tinker with stuff."

But as "Virgil" soon learned, for some people, that "need to tinker" sometimes meant venturing uninvited into other peoples' - and companies' - computer networks. When his organization experienced a cracker attack during the late 1980s and he learned that the local and federal authorities were disinterested in pursuing such incidents, Virgil took it upon himself to learn more about how and why crackers do what they do. What he found was that, as the Internet had grown and its character changed, so had the motivations and culture of those whose curiosity compels them to explore computers and networks that don't belong to them and in which they often have no right to snoop.

While today many people envision crackers as being young, socially alienated and marginalized malcontents (and there may be some truth in that), such has not always been the case. In 1988, Robert Morris (www.eecs.harvard.edu/~rtm) released what he believed to be a harmless worm (a program that tunnels through computers, using each in the chain as a launching pad for its next move) that quickly brought the fetal stages of what would eventually become known as the Internet to its knees, and introduced the term "hacker" into the American vernacular. Dubbed the "Accidental Attacker" for his gaffe, the Cornell University graduate student and son of the chief scientist at the National Computer Security Center managed to infect thousands of networked computers, bringing a full 6,000 of them to a complete standstill. Why? According to Virgil, the motivations were largely intellectual and possibly even benevolent. "Robert Morris discovers that, gosh, there are all these flaws in this UNIX operating system which is running on a lot of the computers on the early Internet back in the '80s and he says, 'Wouldn't it be cool if I could do a sort of proof-of-concept thing, where I could write this worm.' So, Morris wrote a worm that exploited a number of problems that people pretty much knew about."

Virgil and other experts in the field believe that Morris had no idea his worm would be so effective. As Virgil explains,

"Morris had been brought up in a time when this was a small research problem, the Internet - or the ARPANET, when it was called that. And he thought he could do this worm, spread it across all the computers out there without anyone knowing, and then he'd announce to everyone, 'See what I was able to do? Isn't this horrible?'"

Unfortunately, it didn't quite work out that way. Genius that Morris was, he was not perfect and a tiny flaw in his code caused the worm to go out of control. Within a few hours of its release, nearly every VAX on the Net was down. Unusable. Unable to load. "And so," Virgil sums up, "single-handedly, Robert Morris brought the Internet down. This was our first eye-opener to how interconnected we were and how vulnerable the systems on the Net were."

Morris stands in stark contrast to the young man Virgil calls "the poster boy for the computer underground right now." A repeat offender since his teen years, Kevin Mitnick (www.kevinmitnick.com) has been called the Lost Boy of Cyberspace and has the questionable distinction of being the first cracker to have his face emblazoned on an FBI Most Wanted poster. Accused by the U.S. Government of 25 counts of federal computer and wire fraud violations, Mitnick pled guilty to five of these counts (plus two additional counts from the Northern District of California) and was sentenced to 46 months in prison and three years' probation, as well as eight months imposed by the state of North Carolina (where he was captured) and 14 months for his probation violation. The government claims major companies cracked by Mitnick suffered more than $80 million worth of losses as a result of his actions.

Mitnick's aggressive prosecution by the U.S. Government has sent a clear message to other crackers that the feds have decided to take cracking seriously. The outcry from many within the Internet security world about Mitnick's attempts to schedule money-making speaking engagements indicates the impatience with which many hacker insiders are now viewing those who creep along the other side of the law. To round out the picture, there are angry crackers who, in Mitnick's name, perform acts of vandalism on websites, sometimes leaving protest graffiti behind, as was the case with attacks on the New York Times site (www.nytimes.com).

The advent of the '90s saw cracker activity increasingly targeting flaws on computers and computer systems attached to the Internet, and in the various protocols running the system networks. Although not particularly flattering to crackers, many in the security industry find that this results in crackers who aren't necessarily brilliant, but are merely able to make good use of the tools (software and hardware) created by other, more clever individuals. Mitnick is considered by some to be a prime example of such a person. In his book, Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw - By the Man Who Did It (Warner Books; ISBN 0786889136, www.takedown.com), Tsutomu Shimomura, along with New York Times journalist John Markoff, tells how Mitnick pinged the wrong patsy when he cracked security expert Shimomura's San Diego, California computers on Christmas of 1994 - two years after vanishing while on probation for his 1989 conviction for computer and access device fraud. According to Shimomura, Mitnick's primary skill is his ability to use the tools available to him and a willingness to take the time to learn to use them effectively.

Sometimes, particularly if a cracker has been able to attract a group of like-minded - even adoring - companions, the group teams up against systems, attacking them from various points simultaneously. Virgil believes this is a new trend. "What we have are these larger, concerted attacks," he says. "What we've seen has been the spread of these e-mail-borne viruses where just the attachment launches a virus. They're kind of a worm-virus combo." Because these new attacks spread from otherwise innocent computers and users, tracking the authors of these viruses is often difficult, if not impossible, as is evidenced by law enforcement's inability to pin down the designer of the recent "Love Bug" virus, although the origin of its launch in the Philippines was roughly determined. "Virus writers," in Virgil's experience, "tend to be kind of shadowy and more often than not, they're not found. Virus writers may launch them or they may give them to friends who wind up launching them."

The ability to track down a viral point-of-origin often depends upon the speed at which it spreads. Slow-moving viral trails, for instance, are easier to follow than rapidly spreading ones. Anti-viral software, too, is sometimes of limited use against new infections. Just as with inoculations against diseases in humans, a piece of viral scanning software can only seek out infections that it is familiar with. And popular programs, such as Microsoft Outlook and other Windows mailers, often invite trouble given that the code is frequently buggy and thus easy to exploit.

Another modern wrinkle is what Virgil refers to as, "the dreaded Denial of Service, or DoS, attack where, basically, a bunch of crackers will launch a kind of flooding attack using lots of different techniques to overwhelm the target. Mail bombing is one service-level way of attacking a site. If you send two million pieces of mail to a mail server, it will keel over under the load," he explains. "The way these folks are working now is that they are being a little more sophisticated. Instead of hitting a specific service on a machine, they're using facets about the actual Internet's networking protocols and using that knowledge to launch that attack." By way of example, February 2000's successful tribal flood attack on Yahoo! (www.yahoo.com) knocked the world's most frequently-visited website offline for several hours. Tribal (or "tribe") flood attacks are a recent development, and involve the creation and spread of a virus that infects multiple machines at once, effectively turning them into zombies: Once infected, the computers can be directed simultaneously at a target computer or collection of computers where they sniff out and exploit system weaknesses. Such attacks can be triggered by remote control or by using a timer embedded within the virus code.
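The mail-bombing scenario Virgil describes, and the distributed variant behind the tribal flood attacks, can both be spotted from the receiving side by counting messages in a sliding time window. The script below is an added example written for this article, not code from Virgil or from any product mentioned here. It runs over constructed, simplified mail-server log lines (the `timestamp from=… to=…` layout is assumed; real server logs differ) and flags two things: a single sender whose rate exceeds a per-sender threshold (the classic mail bomb), and a target address whose aggregate inbound rate exceeds a threshold even though no single sender stands out (the distributed case, where many "zombie" senders each stay under the per-sender limit). The thresholds and sample volumes are illustrative.

```python
"""Sliding-window flood detection over constructed mail log lines.

Added example for this article, not code from the original text.
Assumed log layout per line: "<ISO timestamp> from=<sender> to=<recipient>".
All sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")


def _ts(seconds_after_start):
    """Constructed timestamp helper: seconds after 2000-02-07 10:00:00."""
    base = datetime(2000, 2, 7, 10, 0, 0)
    return (base + timedelta(seconds=seconds_after_start)).isoformat()


# --- Constructed sample log -------------------------------------------------
SAMPLE_LOG = []
# Normal traffic: one sender, five messages spread over ten minutes.
for i in range(5):
    SAMPLE_LOG.append(f"{_ts(i * 120)} from=alice@example.net to=sales@example.com")
# Classic mail bomb: one sender, 500 messages in 50 seconds (10 per second).
for i in range(500):
    SAMPLE_LOG.append(f"{_ts(600 + i // 10)} from=bomber@example.org to=sales@example.com")
# Distributed flood: 50 zombie senders, 10 messages each, all within 45 seconds.
for z in range(50):
    for i in range(10):
        SAMPLE_LOG.append(f"{_ts(1200 + i * 5)} from=zombie{z}@example.org to=support@example.com")


def parse_line(line):
    """Return (epoch_seconds, sender, recipient) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.fromisoformat(m.group(1))
    return when.timestamp(), m.group(2), m.group(3)


def peak_in_window(times, window):
    """Largest number of events falling inside any interval of `window` seconds."""
    dq = deque()
    peak = 0
    for t in sorted(times):
        dq.append(t)
        # Drop events that are now older than the window relative to the newest one.
        while t - dq[0] > window:
            dq.popleft()
        peak = max(peak, len(dq))
    return peak


def detect_floods(lines, window=60, per_sender=100, per_target=300):
    """Return (flooding_senders, flooded_targets), each mapping address -> peak rate.

    per_sender catches a single mail bomber; per_target catches a distributed
    flood where every individual sender stays under the per-sender limit.
    """
    by_sender = defaultdict(list)
    by_target = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        t, sender, target = rec
        by_sender[sender].append(t)
        by_target[target].append(t)

    flooding_senders = {}
    for sender, times in by_sender.items():
        peak = peak_in_window(times, window)
        if peak > per_sender:
            flooding_senders[sender] = peak

    flooded_targets = {}
    for target, times in by_target.items():
        peak = peak_in_window(times, window)
        if peak > per_target:
            flooded_targets[target] = peak

    return flooding_senders, flooded_targets


if __name__ == "__main__":
    senders, targets = detect_floods(SAMPLE_LOG)
    print("Senders exceeding per-sender rate:", senders)
    print("Targets exceeding aggregate rate:", targets)
```

Note the asymmetry the two thresholds expose: `bomber@example.org` is caught by the per-sender check alone, but the fifty zombie senders each deliver only ten messages and are invisible to it; only the per-target aggregate reveals that `support@example.com` is under the same load. That is why the distributed form is harder to attribute, as the article observes, even though the effect on the target is identical.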

DoS attacks are definitely one of the hot new ways crackers wage war on sites that offend them or, in some cases, merely catch their attention. And while allegations of government involvement in certain DoS attacks have surfaced (as was the case in July when Iraq was accused of sponsoring attacks on hundreds of U.S. defense sites) the vast majority of such accusations have been in error. In the Iraqi case, it was ultimately determined that American and Israeli youths were responsible for cracking at least 200 unclassified defense sites operated by the Pentagon and the military. Among those sites hit were seven Air Force bases and four Navy installations, the Department of Energy National Laboratories, as well as some university and NASA sites.

Adult websites have not tended to suffer the same ferocity of attack, but have certainly not gone unscathed. Content provider PornCity (www.porncity.net) was hit with a DoS attack in March. And Virgil points out a case in which, "There was a guy who, for a while, claimed that he was after child porno sites. His handle was Seven. His claim to fame was that he said, 'I'm against child pornography and I'm going to hack into sites that have child pornography and delete the stuff.' I know that some time later, he was exposed to be a fraud."

Not everyone who breaks and enters into adult sites does so under a veil of morality, however. Early this summer, JanesGuide (www.janesguide.com) was webjacked for five days, diverting traffic from site owner Jane Duvall's content and redirecting it to The Sex Palace. It wasn't until Duvall received a call from a friend about the problem, then noticed a huge drop in her traffic and finally ran a WHOIS lookup, that she learned her site registration information had been reassigned to a company with a French address. After hours on hold with Network Solutions (www.networksolutions.com), the situation was finally - mostly - corrected.

The number of webjackings is increasing, and Network Solutions has come under criticism about the relative ease with which name thieves have been able to accomplish transfers.
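Duvall found out about the hijacking from a friend and a traffic drop before a WHOIS lookup confirmed it. A site owner can shorten that gap by keeping a known-good copy of the domain's registration record and comparing it against a fresh lookup on a schedule. The script below is an added example for this article, not code from any registrar or from the people quoted here. It parses two constructed WHOIS-style snapshots (the `Key: value` layout is an assumed simplification; real registrar output varies, and fetching a live record is left out so the example runs offline) and reports which of the fields that matter for a webjacking have changed.

```python
"""Detect registration changes between two WHOIS snapshots of one domain.

Added example for this article, not from the original text or any registrar.
The record layout is an assumed "Key: value" simplification and both
snapshots are constructed sample data (the .test domains are reserved names).
"""

# Fields whose change most often signals a transfer or hijack.
WATCHED_FIELDS = (
    "Registrar",
    "Registrant Name",
    "Registrant Organization",
    "Registrant Email",
    "Name Server",
)

# Constructed known-good snapshot saved by the site owner.
BASELINE = """\
Domain Name: example-guide.test
Registrar: Example Registrar, Inc.
Registrant Name: J. Owner
Registrant Organization: Example Guide LLC
Registrant Email: owner@example-guide.test
Name Server: ns1.example-host.test
Name Server: ns2.example-host.test
Updated Date: 2000-01-15
"""

# Constructed fresh lookup after an unauthorized transfer: same registrar,
# but registrant and name servers now point somewhere the owner never chose.
HIJACKED = """\
Domain Name: example-guide.test
Registrar: Example Registrar, Inc.
Registrant Name: Unknown Holder
Registrant Organization: Placeholder SARL
Registrant Email: contact@example-redirect.test
Name Server: ns2.example-redirect.test
Name Server: ns1.example-redirect.test
Updated Date: 2000-06-02
"""


def parse_whois(text):
    """Parse "Key: value" lines into {key: [values]}; keys may repeat (name servers)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # ignore banners, blank lines and legal boilerplate
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key or not value:
            continue
        record.setdefault(key, []).append(value)
    return record


def whois_changes(baseline_text, current_text, fields=WATCHED_FIELDS):
    """Return {field: (old_values, new_values)} for every watched field that differs.

    Values are compared as sorted lists, so a reordering of the same name
    servers is not reported, while any added, removed or replaced value is.
    """
    old = parse_whois(baseline_text)
    new = parse_whois(current_text)
    changes = {}
    for field in fields:
        before = sorted(old.get(field, []))
        after = sorted(new.get(field, []))
        if before != after:
            changes[field] = (before, after)
    return changes


def report(changes):
    """Human-readable summary, one line per changed field."""
    if not changes:
        return "No change to watched registration fields."
    lines = []
    for field, (before, after) in changes.items():
        lines.append(f"{field}: {before} -> {after}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(whois_changes(BASELINE, HIJACKED)))
```

Run against a saved baseline and a fresh lookup on a daily schedule, this turns a hijack from something a friend has to phone about into an alert on the first day the record changes. In this sample the registrar is unchanged while the registrant contact and name servers are not, which is exactly the pattern of a transfer the owner did not initiate.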

Indeed, in June activists calling themselves S-11 webjacked the Nike (www.nike.com) domain name. Traffic was redirected to an Australian site protesting the September World Economic Forum held in Melbourne, Australia.

Often the threat to adult webmasters does not come from the mainstream world, however. Perhaps this stems from some hacker/cracker appreciation for the socially outlaw nature of porn sites. But, as Robert Jenkins, aka Khan, vice president of webmaster resources for YNOTmasters (www.ynotmasters.com) has learned firsthand, there's plenty of cracker activity within the industry's own ranks. Not only was an attempt made to webjack his personal domain (www.khan.com), but the YNOT chat server was once cracked and crashed, requiring then-owner Rick Muenyong to outsource the operation. "They hacked in and changed his access to the program that ran the chat server and reconfigured the chat server," Jenkins explains. "We abandoned the live chat and it was later provided by Dokk over at Albumside (www.albumside.com)."

Although Jenkins believes his personal site may well have been attacked by anti-porn forces, his experiences have led him to conclude that personal disputes sometimes result in cyber attacks within the adult community. "I've seen evidence in chat rooms of people stealing whole password files having to do with credit cards, where someone hacked in and was using this to blackmail a webmaster. It wasn't extortion money but, rather, where they thought they were owed money and they did this in order to secure payment." Such activity, as Jenkins points out, is a splendid way to destroy customer satisfaction and trust.

Because of this, both Jenkins and Virgil encourage adult webmasters to be especially cautious with sensitive information, including that surrounding credit cards. Theft of credit card information could explain, to some extent, the high rates of chargebacks experienced by some sites.

"There are a lot of people out there now who have the ability to hack or crack," says Virgil. And, like erotic material, the desire to look where one is not allowed is very strong. "Deep at its core, we like doing stuff that's forbidden," Virgil points out. "There's a thrill to it for a lot of people."

If the adult industry understands anything, it understands the appeal of a good thrill. The goal, however, is to make sure that thrill is mutually consensual.

Next month: Hackers and crackers speak.