HOW `CRACKERS' CRACK
by Rory J. O'Connor
Mercury News Computing Editor
Police, prosecutors and most of the press call them
"hackers." Computer cognoscenti prefer the term "crackers."
Both sides are talking about the same people, typically
young men, whose fascination with computers leads them to gain
access to computers where they don't belong.
A few crackers make headlines, like Robert T. Morris Jr.,
son of a top computer security expert for the supersecret
National Security Agency, who let loose a "worm" program on a
national network of university, research and government computers
in 1988.
There are also notorious crackers like Kevin Mitnick, who
was under investigation at the age of 13 for illegally obtaining
free long-distance phone calls and was sentenced to prison in
1989 for computer break-ins.
Then there are legions of far more ordinary crackers who
simply use their knowledge of computers to "explore" intriguing
corporate or government computers or simply to go for the
electronic equivalent of a joy ride and impress their friends.
But they all share something: an air of mystery. How do they
do it?
At a recent conference on computer freedom and privacy,
computer expert Russell L. Brand gave a four-hour lecture on the
inner workings of computer cracking.
His basic message: Cracking is not as hard as it seems to an
outsider, and it often goes undetected by legitimate users of
"cracked" computers.
"Just because you don't see a problem is no reason to think
a problem hasn't occurred," Brand said. "Generally it's a month
to six weeks before (operators) notice anything happened and
usually because the cracker accidentally broke something."
Home computers aren't in danger from crackers because they
aren't accessible to outsiders--and because they aren't
interesting to crackers. Instead, they target mainframes and
minicomputers that support many users and are connected to
telephone lines and large networks.
Understanding how crackers work and what security weaknesses
they exploit can help system managers prevent many break-ins,
Brand said. And the biggest problem is carelessness.
"When I started looking at break-ins, I had the assumption
that technical problems were at fault," he said. "But the problem
is human beings."
The "Cracker": Most crackers are not bent on stealing either
money or secrets but will target a particular computer for entry
because of the bragging rights they will enjoy with fellow
crackers once they prove they broke in. Typically, the computer
belongs to a corporation or the government and is considered in
cracking circles to be hard to penetrate. Often, it is connected
to the nationwide NSFNet computer network.
The attack: Crackers can attack the target computer from
home, using a modem and a telephone line. Or they can visit a
publicly accessible terminal room, like one on a college campus,
using the school's computer to attack the target through a
network. At home, the cracker works undisturbed and unseen for
hours, but phone calls might be traced.
The resources: If the target computer is nearby, the cracker
may look through the owner's trash for valuable information, a
practice called "dumpster diving." Discarded printouts, manuals
or other paper may contain lists of accounts, some passwords, or
technical data more sophisticated crackers can exploit.
The target: The easiest way to enter the target is with an
account name and its password. Passwords are often the weakest
link in a computer's security system: Many are easy to guess, and
some accounts have no password at all. Sophisticated crackers use
their personal computers to quickly try thousands of potential
passwords for a match.
The cover: To make calls from home harder to trace, crackers
might use stolen telephone credit-card numbers to place a series
of calls through different long-distance carriers or corporate
switchboards before calling the target computer's modem.
The way in: Many crackers take advantage of "holes" in the
operating system, the software that controls the basic operations
of the machine. The holes are like secret doors that either let
crackers make their own "super" accounts or just bypass accounts
and passwords altogether. Five holes in the Unix operating system
account for the bulk of computer break-ins--yet many
installations have failed to patch them.
The network: Most large computers are connected to several
others through networks, a chief point of attack. Computers erect
barriers to people but often completely trust other computers, so
attacking a computer through another computer on the network can
be easier than attacking it with a personal computer and a modem.
Ill-used passwords let many pass
Passwords are the security linchpin for most computer
systems. But these supposedly secret keys to computer access are
easily obtained by a determined cracker.
The main reason: Users and system managers often are so
careless with passwords that they are as easy to find as a door
key left under the welcome mat.
Part of the problem is the proliferation of computers and
computerlike devices such as automated teller machines, all of
which require passwords or personal identification numbers. Many
people must now remember half a dozen or more such secret codes,
encouraging them to make each one short and simple.
Often, that means making their passwords the same as their
account name, which in turn is often the user's own first or last
name. Such identical combinations are called "Joe" accounts, and
according to computer expert Russell L. Brand, they are "the
single most common cause of password problems in the world."
These `secret' keys to computer access are easily obtained
by a determined cracker. The main reason: Users and system
managers often are so careless with passwords that they are as
easy to find as a key left under the welcome mat.
Knowing there are Joes, a cracker can simply try a few dozen
common English names with a reasonable chance that one will work.
Armed with an easily obtained company directory of employees, the
task can be even easier.
Joe accounts also crop up when the system manager creates an
account for a new employee, expecting that the user will
immediately change the given password from his or her name to
something else. But users often fail to make the change or aren't
told how. Sometimes, they never use the account at all, providing
not only easy access for the cracker but an account where the
owner won't notice any illicit activity.
Even if crackers can't find a "Joe" on the computer they
want to enter, there are several other common ways for them to
find a password that will work:
- Many systems have accounts with no passwords or have
accounts for occasional visitors to use where the ID and password
are both GUEST.
- Outdated operator's manuals retrieved from the trash often
list the account name and standard password provided by the
operating system for use by maintenance programmers. Although it
can and should be changed, the password seldom is.
- "Social engineering"--in effect, persuading someone,
usually by telephone, to divulge account names, passwords or
both--is a common ploy used by crackers.
- Crackers are sometimes able to obtain an encrypted list of
passwords for a target computer, discarded by the owners who
mistakenly believe the coded words aren't useful to crackers.
While it's true they are difficult to decode, it is easy for a
cracker to use a personal computer to take a potential password
and encode it. Because most passwords are ordinary English words,
crackers can simply run a personal computer program to encode the
contents of an electronic dictionary and identify any entries
that match passwords on the coded list.
- In another form of deception, crackers set up public
bulletin board systems whose real purpose is to snag passwords.
Because many people tend to use the same password for all their
computer accounts, the cracker can simply wait until someone who
has an account on the target computer also sets up an account on
the bulletin board. The cracker then reads the password and tries
it on the target system.
While individual users can't delete dormant accounts from
their computers or keep an eye on the trash, they can be
intelligent about what passwords they use. Brand suggests users
choose a short phrase that's easy for them to remember and then
use the first two letters of each word as the password. As added
protection, users who are able should mix uppercase and lowercase
letters in their passwords or use a punctuation mark in the
middle of the word.--Rory J. O'Connor
The rights of bits
Constitutional scholar Laurence H. Tribe, widely considered
the first choice for any Supreme Court vacancy that might arise
under a Democratic administration, proposed a fairly radical idea
recently: a constitutional amendment covering computers.
Tribe's proposal for a 27th Amendment would specifically
extend First and Fourth Amendment protections to the rapidly
growing and increasingly pervasive universe of computing. Those
rights would be "construed as fully applicable without regard to
the technological method or medium through which information
content is generated, stored, altered, transmitted or
controlled," in the words of the proposed amendment.
I am not a constitutional scholar, but I have to believe
that what's needed is not a change in the Constitution, but
instead a change in the thinking of judges in particular and the
public in general.
Tribe acknowledges that he doesn't take amendments lightly,
pointing to the ridiculous brouhaha over a flag-burning amendment
as an example of what not to do to the basic law of the land. But
like many people who are more deeply involved in the world of
computers, Tribe sees the issue of civil liberties in an
information society as a crucial one.
The question is not whether the civil liberties issue is
serious enough to be addressed by some fundamental legal change.
The question is really how to get people to see that
communicating with a computer is speech, and that to search a
computer and seize data is the same as searching a house and
seizing the contents of my filing cabinet.
People seem to have trouble making these connections when
computers are involved, even though they wouldn't have trouble
recognizing a private telephone conversation as protected speech.
Yet most telephone calls in this country are, at some time in
their transmission, nothing more than a stream of computer bits
traveling between sophisticated computers.
Admittedly, computers do make for some complications where
things like search and seizure are concerned.
Let's say the FBI gets a search warrant for a computer
bulletin board, looking for a specific set of messages about an
illegal drug business. Because a single hard disk drive on a
bulletin board system can contain thousands of messages from
different users, the normal method for police will be to take the
whole disk, and probably the computer as well, back to the lab to
look for the suspect messages.
Of course, that exposes other, supposedly confidential
messages to police scrutiny. It also interrupts the legitimate
operation of what is, in effect, an electronic printing press.
Certainly, in the case of a real printing press that used
paper, such police activity would never be allowed. But a
computer is involved here, which to some appears to make the
existing rules inapplicable.
But in a case like this, we don't need a new amendment, just
the proper application of the Bill of Rights.
As a more practical matter, the chances of amending the
Constitution are slight. It was the intent of the framers to make
the task difficult, to prevent just such trivial things as
flag-burning amendments from being tacked onto the document. Even
the far more substantial Equal Rights Amendment did not survive
the rocky road from proposal to adoption. I doubt Tribe's
amendment would fare any better.
Tribe says he hopes his proposal will spur serious
discussion of civil rights in the information age, and I suspect
that is his real--and laudable--motive.
I'm not dead set against amending the Constitution if that's
what it takes to extend the Bill of Rights to computing. I just
believe that Americans are capable of figuring out that we don't
need it.