June 1, 1997 by Robert Richardson

Hackers: Devils or Saints?

Network professionals don't hold out much love or kindness for hackers. But maybe law-abiding system managers can gain something--such as increased network security--by understanding the mindset and modus operandi of hackers.

Jeff Moss can actually patch people in and out of conference calls, distinguish each participant from one another, and, somehow or other, achieve better-than-average sound quality on the call. That talent in itself should tip you off that he, though seemingly friendly and harmless, has a few tricks up his sleeve.

In the particular conference call he patches me into, Moss is facilitating not only the mechanics of the call, but also the conversation between me and, for lack of a better way to put it, the enemy. Everybody on the line, except me, knows how to hack his way into other people's computers. For instance, there is a guy called Nile who is passionate about breaking into Windows NT servers. To him, Windows NT is not so much an operating system with a few holes as it is a garage where convening hackers could park all their tour buses.

There are three or four hackers on the line, all folks that Moss knows and regularly talks to. Everybody on the line fires jokes back and forth, dormitory style. It seems like most of them are multitasking while they're chatting. For example, while we're talking, one of these guys is running a program to locate insecure Network News Transfer Protocol servers on the Internet, and he turns up more than 300 during our two-hour conversation.

Because they're hackers, these guys routinely use handles rather than their real names. I can't catch all the handles, and I have some trouble keeping their voices sorted out. What I do know, however, is that when Jeff Moss moves in these circles, he's known as Dark Tangent.

SAINT OR SINNER?
Dark Tangent says he doesn't hack anymore: He can't since he started running the annual Las Vegas Defcon conference, one of several national hacker gatherings. Because law enforcement types know that Dark Tangent is really Jeff Moss, and because they can watch him too easily, he stays within the law and acts as a liaison for meetings between hackers and those who could potentially crimp hacker connectivity.

Hackers like conversations with journalists (and sometimes even with law enforcement officials) because they like to talk about their "pastime," and because they sometimes learn which systems might be interesting for future hacking. For instance, they like to learn what equipment is likely to become commonplace in a typical MIS shop over the next couple of years.

In a separate phone conversation, I ask Moss whether knowing certain things about "typical" hackers could help network managers secure their networks more tightly. What are the secrets about hackers that would keep them off networks' doorsteps?

Even though he knows many hackers, Moss can't tell me much--at least in specifics. However, he does offer interesting insights into the world of hackerdom. For example, he explains that there is "an old school and a new school. The old school is the Steven Levy-style hacker." By this he means the kind of non-criminal programmer chronicled in Levy's book Hackers. "The new-school [hackers] are less interested in how things work. People call them 'script kiddies' because they use the scripts created by more experienced hackers to automate system attacks without necessarily understanding what the script is doing. They think: Just give me the tool so I can break in."

In the old school/new school model, the old-school hackers aren't out to hurt anybody, except for maybe the occasional idiot. The newbies are much less predictable and, from the way Moss tells it, potentially a lot more destructive.
Generally, older and wiser hackers avoid damaging a system at all possible costs. In fact, says Moss, these old-school hackers sometimes do you some good. "[Hacker victims] sometimes catch on to the fact that they've been rooted [that is, root or supervisor access to their system has been compromised] because their system starts working better. The hacker has gone in and replaced the kernel with a hacked one that runs more reliably. The hacker has also gotten rid of overgrown log files and is fixing jammed-up print queues because he or she doesn't want anyone going in to troubleshoot some routine problem and accidentally discovering evidence of an intruder."

In the winter 1997 issue of 2600 Magazine, a hacker quarterly that enjoys a circulation of 40,000, there is more of this "do no harm" credo. An opening editorial called "Knowledge is Strength" reads, "One . . . thing we must be careful of is the temptation of true crime. Once that world is entered, the spirit of adventure and discovery is replaced by the incentive for profit...not to mention that you turn into an utter sleaze-bag." This statement sets forth some kind of hacker ethics, which suggests that the primary motivation behind hacking should be "adventure and discovery" rather than malicious evil-doing.

However, I question how seriously the magazine takes its do-no-harm position. For example, another article in the winter issue contains a highly detailed exploration of smart cards, such as phone cards and electronic wallets. This discussion includes pinouts, circuit diagrams, and detailed instructions for removing and reusing the chip from various kinds of cards. "Criminal use of this information is on the criminal himself," the introduction chides.

A few pages later, there's a full rundown of the software used in yellow CAT (Craft Access Terminal) handsets that telephone repair workers use to test phone lines. "Next time you decide to steal a CAT," the article advises, "make sure it's on a Friday."
Stealing on a Friday gives you the weekend before the password expires. Further into the issue, there's a fairly low-intelligence article explaining how easy it is to physically tap into someone's residential phone service. From reading all of this, I imagine that readers might find the "temptation of true crime" hanging over them with some regularity.

CRIME AND PUNISHMENT

Even if 2600 is standing on a slippery moral slope, the hacker community convincingly argues that the computer industry establishment, with some help from the FBI and the CIA, has taken a simpleton's approach to dealing with hackers: Virtually every hacker exploit is viewed as a crime punishable by jail time. Many of these exploits are "benign" trespasses that the computer counterculture doesn't view as crimes.

There are at least two strands to any argument that defends hacking as harmless. First, there's the "no harm, no foul" argument. Second, there's the "do-gooder David against the military/industrial Goliath" argument, which journalist Gareth Branwyn has articulated in the preface to a published hacker manual called Secrets of a Super-Hacker.

According to the first defense of hacking, the appropriation of computer resources that weren't being used in the first place can't be considered stealing. While the FBI and purveyors of firewalls tell you that this argument is nonsense and that any unauthorized use is a felony, they haven't gone to great pains to explain exactly why this argument is nonsense or why benign trespasses are felonious.

In contrast to other law enforcement practices in the United States, enforcement of the various computer crime-related statutes seems rather unrefined, punishing offenders more for what they are capable of doing than for what they have actually done. As such, punishment results from the fact that someone merely hacked into the system, rather than from what that person actually did to it.
Whether by design or by dint of technical ignorance, federal claims about hacker-inflicted damage have been overblown. To take one media-hyped example, Kevin Mitnick was accused of causing $80 million worth of damage, but the evidence presented by the FBI didn't support these claims.

Perhaps (as when mob gangsters go to prison for tax evasion rather than for murder) Mitnick was up to a lot more than the government was prepared to try him for in court. But that's not how the hacker community sees it; they think Mitnick is more a victim than a culprit.

Mitnick's case, and others like it, seems to indicate that law enforcement's main approach to hackers is to deter them from hacking--especially since they are hard to catch. Apparently, deterrence is achieved by making a few hackers look especially notorious in the public eye and then squashing them like bugs.

The "hacker as biblical David" argument is considerably easier to debunk, at least if you're of the opinion that the ends shouldn't justify the means. Even so, there's a difference between an attack designed to publicly illustrate how easily medical information can be obtained and an attack that aims to steal product designs for resale underground.

THE NEW THREATS

Somewhere between wild claims about the dangers of hackers like Mitnick and the hacker credo of learning about the world without hurting anybody, there's the practical matter of whether you're likely to be attacked and what the increasingly prosecutorial atmosphere will mean if you do find a hacker in your midst. The news isn't necessarily good.

Hackers of the old school have curtailed their operations quite a bit, concentrating instead on their own and other hacker equipment. While this is good news, the fact is that new-school hackers playing for high stakes are still out there, and possibly going after your company.
If they're going to the trouble to break into your system, they're either out to inflict real harm or to achieve a tangible result (such as a bank transfer authorization code for their efforts). The new-school hackers--with the law's hammer poised over their heads--have more incentive to make it worthwhile if they go to the trouble to enter your system.

There is another corollary to consider as well: If one of these guys thinks you're on to him, he has more reason than ever to take whatever destructive measures are needed to cover his tracks.

Which brings me back to my conference call. I say, "I'm willing to believe that you guys [of the old-school contingent] aren't likely to come after my little network, or that if you do, I'm unlikely to log in and find everything erased and all my financials posted on the Internet. But what about these so-called new-school hackers? Are they a threat?"

"Oh yeah," one says. "They're a threat."

"So what can you tell me about them?"

"They're lamers," one says. "They just read the security newsgroups and try the various loopholes to see if some idiot has left the door open."

Knowledge is half the battle in the network security war, it seems: Hackers pay a lot of attention to security patches and network managers don't. If I learned nothing else while preparing this article, I learned that hackers do their homework--and maybe network managers should, too.

Recall the 2600 editorial. What's important, it notes, is the "spirit of adventure and discovery." Hackers are inquisitive--to a fault, you might say. The hacker manual Secrets of a Super-Hacker reinforces this point. For The Knightmare, the hacker who wrote the manual, a hacker is principally someone who "simply wants to know everything there is about the world."
In other words, although a network manager may not know much (or anything at all) about a hacker that has attacked his or her network, the hacker has almost certainly been gathering all sorts of information about the network manager, as well as about the targeted network and its computers, the company that owns them, the company's employees, and so on.

SOCIAL ENGINEERING

A good hacker gathers information zealously, then uses that information to waltz into a target system with a familiarity that is likely to appear above suspicion. This initial gathering of information generally doesn't involve electronic sniffers, specialized software, or midnight raids on your premises (although none of these tactics can be ruled out). No, it's casual conversation and careless memos that open the door for hackers.

In the parlance of the underground, social engineering refers to the classic hacker tactic of telephoning a company and posing as someone who would logically be entitled to the information being requested. The would-be attacker's job is to get lots of small pieces of information, then fit together a couple of those pieces to get information that might help gain access to a system.

A hacker that was targeting a specific company, for instance, might start by figuring out who's who in upper management. The hacker could do this by building up a library of discarded memos or by making a few calls over time.

The Knightmare claims that top executives, because they want maximum ease of use, often have lousy passwords, which, as often as not, were thought up and created by someone else. Having, on at least one occasion, personally set a CEO's password to something that was very nearly his first name (at the CEO's insistence), I can vouch for this being the case at least some of the time.

Of course, a hacker's ultimate goal is to gain network access. He or she could gain access either through a public network (the Internet being the main thoroughfare) or via direct dial-up.
Because a given business location almost always has phone lines in the same prefix, rote calling of numbers within the prefix will yield tell-tale modem tones at some point or another. In most parts of the United States, it's not illegal to dial your way through a prefix in this manner. Doing so may, of course, tip off the phone company to watch the line, but a clever hacker is likely to sufficiently mix up the calls so that there's no pattern to pick up.

Simpler still, a hacker might do nothing more than watch through the glass doors of a main lobby until the receptionist steps out, enter the lobby under some pretext (asking for directions to some other business in the building, perhaps), and find the number for a network modem in the company phone list sitting on the desk.

Now, with a modem number and information about a likely username or two, the hacker may have enough information to guess a login name and password. Failing that, the hacker can still gain additional information about the targeted system. For example, knowing the modem number, the hacker can dial up and, in most cases, learn what kind of dial-up support the system offers. How? By paying attention to how the system answers when it receives a phone call.

Armed with this information, the hacker can perform a little more social engineering. He could call up someone in tech support and pretend to be employed at another branch of the company. It's simple to claim that some vice president who really does work at the company (there's that phone list again) has asked you to dial up remotely because the branch office is having trouble getting proper access. As often as not, many of the hackers I've spoken with claim that this kind of tactic leads to a guided tour of the system.

The procedure's a little different with an Internet-connected company, of course. It's easier. Or rather, it's easier if the company allows any traffic to come in from outside a firewall--and most do in some form or another.
Failing contact with a friendly insider who hands over account access without a fuss, the hacker may still be able to guess passwords for your system. Even if you constantly nag your end users about the importance of picking good passwords, many still tend to pick passwords they can easily remember. What's particularly dangerous is that people tend to use the same passwords in lots of different situations. Hackers have been known to offer free services that are password-protected, just to see what passwords a user community would choose. Given a few usernames and passwords, the odds are high that some of those combinations will work on other systems.

Once into a system, a hacker will begin a new phase of inquiry. As The Knightmare puts it, "Breaking into a system isn't worth anything if you find yourself in an empty home directory with such a low access level that nothing fun is allowable. When you hack into a low-level account, you will want to raise your access to the highest it can go."

In this phase of the hacking process, a hacker can bring an elaborate bag of tricks to your system in order to gather more information about it. At the very least, a hacker can watch to see who else is on the system and perhaps what they are doing. At most, the hacker can discover that you have certain accounts with poor passwords (passwords left at their default values, for example) and which are set with supervisor privileges. With this top-level access, your infiltrated system is at the hacker's mercy. At this point, you can only hope that the hacker in question is with the old school.

LEARNING TO LISTEN

There are some other hacker traits that might be of interest to network managers. For example, while competent hackers usually don't brag about specific infiltrations, they like to talk about security and its shortcomings. One way to obtain this information from hackers is to exercise some social engineering yourself.
After all, social engineering works on hackers just like it works on everyone else, and some network managers who've been attacked have found their attackers by posing as hackers and asking for information about their own systems. Regardless of how you achieve contact, if you get a chance to talk with a hacker, you would do well to forestall any preaching and listen to what the hacker has to say; you might learn about some potential security holes in your system.

For example, take Nile, one of the hackers participating in the conference call. The rest of us couldn't get a word in edgewise once we got him talking about Windows NT. I asked him a couple of questions and he was off and running.

"Hackers have mostly hacked Unix and VMS in the past. Does relative unfamiliarity with NT mean that hackers will be delayed a while at compromising NT Internet servers?" I asked.

"Maybe a little while, but NT is so wide open that I doubt it," Nile answered.

"Is NT something hackers are eager to get to work on? Sort of a ground floor opportunity?"

"Well, people have already found some big opportunities in NT. For one thing, clients have no way of authenticating that they're talking to the servers they think they're talking to." He went on to explain how this was an opportunity to be the go-between to a server and a client.

There were plenty of other things about Windows NT that Nile found interesting. For one thing, he claimed there are ways to convince a client that it's dealing with a server that can't process encrypted passwords, thus causing the client to send passwords as plain text. On the server side, there is an assumption that the client might not be capable of encryption and that perhaps the passwords are being sent in the clear. This makes it much easier to mount a brute force password attack: You don't need to bother with proper encryption because the server will accept your password guesses when sent in the clear.
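The weakness Nile describes is a negotiation downgrade: the client lets the other end decide how strong the authentication will be, and the server accepts a weaker form than it needs to. The following toy model is an added illustration, not code from the article, from Nile, or from the NT/SMB protocol; the message shapes, the capability flag and the function names are all invented here to show the mechanism and the two places it has to be fixed (a client that enforces its own floor, and a server that refuses plaintext).

```python
"""Toy model of a capability-negotiation downgrade.  Constructed illustration:
the message formats and names are invented and do not reproduce the real
Windows NT / SMB exchange."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Negotiate:
    """What the server (or whoever sits between client and server) claims."""
    supports_challenge_response: bool
    challenge: bytes


def honest_server_negotiate() -> Negotiate:
    """A genuine server advertises challenge/response and sends a fresh nonce."""
    return Negotiate(True, os.urandom(8))


def downgraded_negotiate() -> Negotiate:
    """A go-between rewrites the offer: 'this server can only take plaintext'."""
    return Negotiate(False, b"")


def proof_for(password: str, challenge: bytes) -> str:
    # Keyed digest of the challenge; the password itself never crosses the wire.
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


def naive_client(password: str, neg: Negotiate) -> dict:
    """Believes whatever the negotiation says and falls back to plaintext."""
    if neg.supports_challenge_response:
        return {"kind": "challenge-response", "proof": proof_for(password, neg.challenge)}
    return {"kind": "plaintext", "proof": password}   # the secret is now on the wire


def hardened_client(password: str, neg: Negotiate) -> dict:
    """Enforces a local policy floor instead of trusting the negotiation."""
    if not neg.supports_challenge_response:
        raise ConnectionRefusedError("server offered only plaintext auth; refusing")
    return {"kind": "challenge-response", "proof": proof_for(password, neg.challenge)}


def server_verify(stored_password: str, neg: Negotiate, login: dict,
                  accept_plaintext: bool) -> bool:
    """Server side.  accept_plaintext=True is the weak setting: guesses can be
    tried in the clear, so the guesser never has to compute a proof."""
    if login["kind"] == "challenge-response":
        expected = proof_for(stored_password, neg.challenge)
        return hmac.compare_digest(login["proof"], expected)
    return accept_plaintext and login["proof"] == stored_password


def password_on_wire(login: dict, password: str) -> bool:
    """Would a sniffer on the path see the password itself?"""
    return password in login["proof"]


def scenario(client, accept_plaintext: bool, neg: Negotiate,
             password: str = "s3cret-pw") -> dict:
    """Run one client/server exchange and report whether the login succeeded
    and whether the password was exposed in transit."""
    try:
        login = client(password, neg)
    except ConnectionRefusedError as exc:
        return {"connected": False, "leaked": False, "reason": str(exc)}
    return {
        "connected": server_verify(password, neg, login, accept_plaintext),
        "leaked": password_on_wire(login, password),
        "kind": login["kind"],
    }


if __name__ == "__main__":
    print("naive client, downgraded offer, server accepts plaintext:",
          scenario(naive_client, True, downgraded_negotiate()))
    print("naive client, downgraded offer, server refuses plaintext:",
          scenario(naive_client, False, downgraded_negotiate()))
    print("hardened client, downgraded offer:",
          scenario(hardened_client, False, downgraded_negotiate()))
    print("hardened client, honest server:",
          scenario(hardened_client, False, honest_server_negotiate()))
```

The second scenario is the one worth noticing: turning off plaintext acceptance on the server alone does not help, because the naive client has already put the password on the wire before the server gets to refuse it. The client-side floor is what stops the leak; the server-side refusal is what stops cleartext guessing.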
In general, the hackers I talked with believed that Microsoft is dealing rather poorly with security issues. According to them, the company is trying to keep its security plans and any discovered weaknesses as quiet as possible. One hacker after another maintained that this sweep-it-under-the-carpet approach means that many potential security holes in typical Windows NT installations never get plugged because the average network manager isn't aware of them.

As for Novell, whose NetWare operating system still has the biggest market share, hackers simply don't take it very seriously, which made it hard for me to figure out how seriously I should take the hackers who scoffed at Novell Directory Services' security. It seemed as though many of the hackers I spoke to or corresponded with had never actually hacked a Novell system. On the other hand, it took me only one search of Yahoo to turn up several sites offering software that could help me hack a Novell system. Whether this software actually works is another question, and frankly, the "instructions" I found for hacking Novell systems evidenced relatively little understanding of NetWare.

Still, hackers are increasingly aware of security holes in NetWare and Windows NT, and with more and more of these systems being hooked up to the Internet, they are even more readily accessible. The increasing interconnectedness of different kinds of systems, both internally and on public networks, is seen as a beautiful thing by nearly every hacker I talked to.

"Is that because you can get to more systems?" I asked Nile.

"Yeah, but also because the systems are all being programmed to trust each other. Take your typical big company out there. It will likely have an old mainframe that it won't get rid of because it spent so much money getting it to do number-crunching. Then a NetWare network got hung off the mainframe so that the PCs on everybody's desktop could talk to each other.
Now, a bunch of NT servers are getting added to the system for Web serving, and administrators are getting the management software to put all these systems into one trusted domain. So you just crack the NT server and you've got the whole network. Why bother with good security on the mainframe if you're going to make it trust an NT server?"

"You guys really don't think too highly of NT security, do you?" I asked.

"Well, I could put together an NT server that I'd be relatively comfortable with, but I know what the holes are," says Nile. "My problem with Microsoft is that it doesn't want any public discussion of NT's holes. At the same time, the source code is available in the hacker community, and let's just say it doesn't look like Microsoft had a security expert working on all the parts that have to do with security. In contrast, people have been beating on Unix security for years, and [as a result] there are people who know how to make a Unix system tight. NT just hasn't been picked on yet, and Microsoft doesn't want anybody talking about it."

Jeff Moss had also talked about the availability of Windows NT source code in an earlier conversation. While he carefully didn't admit to having seen any of it himself, he said he'd heard that Microsoft has a policy of not including programmer comments in source code sections related to security. He laughed scornfully when I asked whether that kept anybody from understanding what was going on. "Maybe the guy from the Excel group that's been called over to work on the code," he joked.

KNOW THY ENEMY

Most companies are not going to achieve the level of safety from hackers that they'd like to have. For one thing, information about computer systems, NOSs, and applications is widely available. Furthermore, human nature often makes us trusting and eager to help--traits that can, unfortunately, make us vulnerable to many kinds of violations.
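Nile's mainframe/NetWare/NT story is really a statement about trust as a graph: whichever system is trusted by the others sets the security level for all of them. One way a network manager can see that for his or her own environment is to write the trust relationships down and compute, for each system, how many others fall with it. The script below is an added example, not from the article or from any vendor's tooling; the systems, the trust edges and the protection tiers are constructed to match Nile's scenario, and it treats trust as transitive, which is a simplification of how real domain trusts behave.

```python
"""Blast-radius analysis of a trust graph.  Constructed example: the systems,
trust edges and protection tiers are invented to match the scenario in the
article, and trust is treated as transitive for simplicity."""
from collections import deque

# "X trusts Y" means accounts from Y are honoured on X, so compromising Y
# yields access to X.  Modelled on Nile's description: the mainframe trusts
# the new NT web server, the NetWare network hangs off the mainframe, and the
# desktop PCs rely on NetWare.
TRUSTS = {
    "mainframe":   {"nt-web"},
    "netware":     {"mainframe"},
    "desktop-pcs": {"netware"},
    "nt-web":      set(),
}

# Assumed effort spent hardening each system (3 = most, 1 = least).
PROTECTION = {"mainframe": 3, "netware": 2, "nt-web": 1, "desktop-pcs": 1}


def trusted_by(trusts: dict) -> dict:
    """Reverse the graph: for each system, who trusts it."""
    rev = {name: set() for name in trusts}
    for truster, trustees in trusts.items():
        for trustee in trustees:
            rev.setdefault(trustee, set()).add(truster)
    return rev


def blast_radius(trusts: dict, compromised: str) -> set:
    """Every system reachable once `compromised` falls, following trust
    edges transitively (breadth-first)."""
    rev = trusted_by(trusts)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for truster in rev.get(current, ()):
            if truster not in seen:
                seen.add(truster)
                queue.append(truster)
    return seen


def rank_by_exposure(trusts: dict) -> list:
    """Systems ordered by how much of the network falls with them."""
    return sorted(((name, len(blast_radius(trusts, name))) for name in trusts),
                  key=lambda item: (-item[1], item[0]))


def weakest_links(trusts: dict, protection: dict) -> list:
    """Trust edges where a better-protected system honours a weaker one:
    exactly the 'why bother securing the mainframe' case."""
    return sorted((truster, trustee)
                  for truster, trustees in trusts.items()
                  for trustee in trustees
                  if protection[truster] > protection[trustee])


if __name__ == "__main__":
    for name, size in rank_by_exposure(TRUSTS):
        print(f"{name:12s} compromised -> {size} systems fall: "
              f"{sorted(blast_radius(TRUSTS, name))}")
    print("trust edges that undercut a better-protected system:",
          weakest_links(TRUSTS, PROTECTION))
```

Run against the constructed graph, the least-protected system (the NT web server) has the largest blast radius, and the only flagged edge is the mainframe trusting it. That pairing, rather than any single system's hardening, is what decides the effective security level of the whole network.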
If you've got a system to protect, one way to better secure it is to learn a few things from your enemies--in particular, co-opt some of their strategies. For instance, hackers put a lot of time and energy into finding security holes. Network managers might do well to do the same. After all, you can't change hackers and you can't change human nature, but you can change the level of knowledge and forethought you bring against your would-be attackers.

Robert Richardson is a freelance writer and runs the Small Office Tech website at www.smallofficetech.com.