Viruses, Worms and other Infections

In the beginning the tools of hackers were ingenuity and intuition, which, when combined with a detailed knowledge of the system being hacked, resulted in systems which did special and new things in a better and more responsive manner through software enhancements. Later the Homebrew Club and their contemporaries reached the same achievements through the development of hardware devices. With the introduction of the personal computer and modems, new tools were available and new techniques of hacking were necessary. The results were different also; now hacks could be inserted into systems a thousand miles away, though it would be very disappointing not to be around when the hack was activated. Just as in the days of CTSS, the first task was to overcome the basic security system by locating an available login identification and the corresponding password. Two basic approaches to obtaining an identification are possible: (1) to understand the basic mechanism for assigning/selecting identifications, or (2) to find the system's backdoor access, which is generally provided to allow a supervisor to enter the system after a crash or when it is otherwise locked. With the advent of wide area networks and the need to send e-mail to users, login identification has become much more predictable - last name, last name and first initial, first initial and last name, initials, etc. Even when the actual identifier is different, many systems provide an alias which is equally predictable. Similarly passwords, without some special mechanism for generation, are predictable if one has a knowledge of the user - children's names, dogs' names, special interests, etc. Landreth[10] provided an appendix in his book which listed the manufacturer-installed identifications and passwords which were delivered with each machine.
He pointed out that in many cases the user did not change these "open doors", either because they were unaware of their existence or because they were frightened that if these access keys were changed they might forget them and thus be denied entrance at a later time. More direct methods involve direct contact with the user of the account to be attacked. In what Parker[11] termed "shoulder surfing", some attackers have learned techniques for reading a user's keystrokes and obtaining the password by this means even though it is not printed on the terminal screen; the identification is printed for all to see! This technique is particularly simple when observing keystrokes on a number pad such as that used with an ATM.

Quite commonly banks assign Personal Identification Numbers which have a pattern to them -- up and down a line (8255), the corners (7931), or some other pattern which is easier to remember than the number itself. This considerably eases the task of the shoulder surfer.
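The keypad shapes described above can be screened for before a PIN is issued. The following is an added example, not code from the original article; the keypad layout is the standard one (1-9 in three rows, 0 under the 8) and the pattern names are assumptions.

```python
# Added example, not from the original article: flags four-digit PINs that
# trace an easy-to-watch shape on a standard keypad, such as the "up and down
# a line" (8255) and "corners" (7931) PINs the text mentions. The pattern
# names and the set of shapes checked are assumptions.
from typing import Optional

KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}
CORNERS = {"1", "3", "7", "9"}
DIAGONALS = ({"1", "5", "9"}, {"3", "5", "7"})


def pin_pattern(pin: str) -> Optional[str]:
    """Return the name of the keypad pattern the PIN follows, or None."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    used = set(pin)
    rows = {KEYPAD[d][0] for d in pin}
    cols = {KEYPAD[d][1] for d in pin}
    if len(used) == 1:
        return "repeated digit"         # e.g. 1111
    if used == CORNERS:
        return "corners"                # e.g. 7931
    if len(cols) == 1:
        return "single column"          # e.g. 8255, 2580
    if len(rows) == 1:
        return "single row"             # e.g. 4566
    if any(used <= diag for diag in DIAGONALS):
        return "diagonal"               # e.g. 1595
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "sequence"               # e.g. 1234, 9876
    return None


def weak_pins(pins):
    """Map each PIN in a batch to its pattern, keeping only the weak ones."""
    return {p: pin_pattern(p) for p in pins if pin_pattern(p) is not None}
```

Used at issue time, `weak_pins` rejects a generated PIN before it is mailed to the customer; a PIN that returns None is not necessarily strong, only free of these specific shapes.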

In 1984 the FBI reported that the average embezzlement netted the perpetrator $15,000, but the means available to the computer-knowledgeable embezzler are simpler than those for the person who has to work in the open. Hiding behind the anonymity of a programmer, the embezzler can now alter the program to suit his needs (such as collecting the fractions of cents not assigned to an account in interest calculations) or make minor, but cumulative, modifications to the input (and corresponding output) data. This is termed "data diddling". This attack methodology would probably be rejected as not conforming to the Hacker Ethic and thus would not be used by the true hacker. It is much more common as a technique of embezzlement by an employee of (say) a bank or a financial agency who does not necessarily have a background in programming. Simply, the input data to a system is modified in order to benefit the perpetrator -- for example, the introduction of a bogus bank account through which funds are transferred long enough before assignment to the true account to accrue small amounts of interest. Very few account holders actually check their interest credits to the penny; interest, after all, is "free", and the interest rate changes quarterly, so it is difficult for the average person to verify these account entries regularly. This is an obvious place for embezzlement. In social service agencies, dead beneficiaries have been kept on the books and the checks diverted to another address where they can be collected by the data diddler. One of the most insidious forms of system attack is the result of sabotage by legitimate users, possibly disgruntled employees of the system owner, or by previous employees who were discharged under a cloud. In some cases this might well be initially perpetrated as a safeguard against later unsatisfactory actions by the owner.
For example, there have been a number of cases where a piece of code has been inserted into the payroll program so that if the identification of the employee is not in the data base then the system crashes! In one case which we examined, this piece of code was installed as a set of data in a COBOL program, which other investigators of the apparently flawed hardware system took to be taxation constants. Procedures of this form are termed logic bombs, since they are triggered by a logical condition. Similarly an alternative action, such as the otherwise branch of a select statement, might be filled with an unsavory procedure, thus forming a trap door through which the program may fall.
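The fraction-of-a-cent skim described above is invisible to an aggregate check, because the skimmed cents are still on the books, only in the wrong account. An independent per-account recomputation catches it. This is an added example, not code from the original article; the rate, the account identifiers and the ledger rows are constructed.

```python
# Added example, not from the original article: reconciles a quarter's interest
# postings against an independent recomputation, so that an altered interest
# routine which skims the sub-cent fractions into a collection account shows
# up as per-account discrepancies. Rate, account ids and ledger are constructed.
from decimal import Decimal, ROUND_HALF_UP

ANNUAL_RATE = Decimal("0.06")   # assumed: the bank's published rate
CENT = Decimal("0.01")


def expected_interest(balance: Decimal) -> Decimal:
    """Quarterly interest recomputed from the published rate, rounded half-up."""
    return (balance * ANNUAL_RATE / 4).quantize(CENT, rounding=ROUND_HALF_UP)


def reconcile(postings):
    """postings: iterable of (account, balance, interest_posted).
    Returns (discrepancies, net): discrepancies maps each account whose posting
    differs from the recomputed value to the difference; net is the sum of all
    differences. A skim leaves net at zero, so only the per-account view
    reveals it."""
    discrepancies = {}
    net = Decimal("0")
    for account, balance, posted in postings:
        delta = posted - expected_interest(balance)
        net += delta
        if delta != 0:
            discrepancies[account] = delta
    return discrepancies, net


# Constructed ledger: three customers whose fractions were truncated instead
# of rounded, plus the collection account that received the two skimmed cents.
LEDGER = [
    ("C-1001", Decimal("1234.56"), Decimal("18.51")),   # exact 18.5184 -> 18.52
    ("C-1002", Decimal("2000.00"), Decimal("30.00")),   # exact 30.0000
    ("C-1003", Decimal("3333.33"), Decimal("49.99")),   # exact 49.99995 -> 50.00
    ("X-9999", Decimal("0.00"), Decimal("0.02")),       # no balance, yet credited
]

if __name__ == "__main__":
    found, net = reconcile(LEDGER)
    for account, delta in found.items():
        print(f"{account}: posted interest differs by {delta:+}")
    print(f"net drift across the ledger: {net}")
```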

Hackers seeking to access a system can use a variety of methodologies depending on the capabilities (or weaknesses) of the system under attack. It is not unusual for multi-user systems to provide a mechanism by which legitimate users who own several accounts might move from one to another readily, thus obviating the need to completely exit the system before accessing the new account. In most systems this requires the use of a new password, but this password is not always subjected to the same revision policies as primary passwords. Alternatively, a user can access the data of another account by linking to that account. Thus a hacker can piggyback on a legitimate account, commonly a guest account, and thereby sidestep into another domain. Of course the common method of access is to impersonate the legitimate user through the use of his identification and password.

Hackers whom Landreth classified as "crashers" have numerous methods of crashing a system, not all of which necessitate actual access to the system code. Other methods use the actual characteristics of the system so as to make it useless to other users. For example, an interactive system which permits the instantiation of multi-tasking is liable to attack through the overloading of the system by nonsense, infinite, cycle (or storage) grabbing routines. Such a system will slowly grind to a standstill. In the case of the Internet virus of 1988[12], a similar situation was created which slowly overloaded the communications network until it was unable to carry legitimate messages. In late 1988 a "Christmas Tree" package almost brought BITNET[13] to its knees. In this case a victim would find a message on his screen which said "Enter Merry Christmas". When he typed in this command a Christmas Tree was displayed on the screen with appropriate seasonal greetings. However, at the same time the package sent itself in a mail message to all the names in his mail distribution file! Quickly the network filled with messages, but fortunately the package could be identified by potential victims and thwarted.
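A self-mailing package of the Christmas Tree kind leaves a distinctive trace in the mail transfer log: one sender delivering one subject to a large fan-out of recipients within seconds. The detector below is an added example, not code from the original article; the log line format, the window and the threshold are assumptions, and the sample lines are constructed.

```python
# Added example, not from the original article: scans mail-transfer log lines
# for the signature of a self-mailing package like the Christmas Tree, i.e. one
# sender delivering the same subject to many distinct recipients inside a short
# window. Log format, window and threshold are assumptions; lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+ \S+) from=(\S+) to=(\S+) subj="([^"]*)"$')


def detect_fanout(lines, window_s=60, threshold=5):
    """Return [(sender, subject, recipients)] for each sender/subject pair that
    reached at least `threshold` distinct recipients within `window_s` seconds."""
    events = defaultdict(list)           # (sender, subject) -> [(ts, recipient)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # not a delivery record; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[(m.group(2), m.group(4))].append((ts, m.group(3)))
    alerts = []
    for (sender, subject), evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):      # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({r for _, r in evs[start:end + 1]}))
        if best >= threshold:
            alerts.append((sender, subject, best))
    return alerts


SAMPLE_LOG = """\
1988-12-12 09:14:02 from=jdoe@nodeA to=abel@nodeB subj="Merry Christmas"
1988-12-12 09:14:02 from=jdoe@nodeA to=baker@nodeC subj="Merry Christmas"
1988-12-12 09:14:03 from=jdoe@nodeA to=chas@nodeD subj="Merry Christmas"
1988-12-12 09:14:05 from=jdoe@nodeA to=dora@nodeB subj="Merry Christmas"
1988-12-12 09:14:05 from=jdoe@nodeA to=eve@nodeE subj="Merry Christmas"
1988-12-12 09:14:09 from=jdoe@nodeA to=fred@nodeF subj="Merry Christmas"
1988-12-12 09:20:41 from=ops@nodeB to=abel@nodeB subj="Batch run complete"
1988-12-12 10:02:13 from=ops@nodeB to=baker@nodeC subj="Batch run complete"
""".splitlines()

if __name__ == "__main__":
    for sender, subject, n in detect_fanout(SAMPLE_LOG):
        print(f"{sender} sent {subject!r} to {n} recipients within a minute")
```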

Viruses, like the term hackers, have become the byword of recent years. Viruses and hackers seem to go together. Contrasted to logic bombs and trap doors, viruses have the basic characteristic that they replicate under certain circumstances and thus are said to "infect" other software items. Viruses themselves may have two potential purposes - to replicate themselves and to perpetrate some mischief as a bomb or a worm. On the other hand, a virus may do nothing more than replicate itself. The minuteness of simple viruses means that they can be embedded in other systems quite easily, and any differences in file size may be attributed to version differences. A common technique is to embed a virus within a commonly used system and to modify the initial load module to link to the virus before starting up the application. By attaching themselves to word processors or spreadsheets, viruses greatly increase the likelihood of their initiation. Viruses can be introduced into a system by a variety of doors. A system connected to a network is liable to entry through e-mail, through linkage to other infected systems, and through the use of bulletin boards to download software. Viruses can also be carried in on diskettes which have been used in infected systems. Attractive software, commonly obtained illicitly to circumvent copyrights or protective locks, serves as a "trojan horse" and carries the virus with it. One particularly obnoxious form of virus is the "worm", which has the characteristic of eating its way (by destroying data and programs) through the storage system of a computer. Antidotes to viruses have been constructed for many of the well known versions, and a new industry has been created to build virus detectives, immunization procedures and antidotes. Like safe sex, there are virtues associated with obtaining software and data through well known, legitimate sources!

The Internet Virus[14]

On November 2, 1988 the Internet system, which interconnects the majority of computer networks in the United States, was the victim of a virus which was later found to have originated at Cornell University in the account of Robert Morris. The virus, dubbed a worm by some since it not only replicated itself throughout the network but also multiply infected single systems, took advantage of some well known flaws in the recent version of UNIX® running on Sun 3 systems and VAX® computers. The basic vehicle for operation was the finger utility, which is provided to permit a user to locate another user on the system and possibly (depending on the amount of data captured by the system administrator) to obtain other information such as phone number and address. Fundamentally the virus used the lack of memory protection on an input buffer to modify a portion of the operating system in order to access user passwords, and therefrom delivered a complex (but relatively small) virus which collected system files from remote machines.

The effects were twofold. On the one hand there was an almost immediate and devastating decline in the operability of the network and numerous machines attached to it. On the other hand it immediately raised the visibility of the need for action on the system security, an improved legalistic approach to computer crime, and the need to make everyone aware of the consequences of and their responsibility for their actions in this non-threatening world of computers and communications.

The Prospects and Countermeasures

In discussing hackers and the melanoma alleged to be associated with their activities, we have perhaps overlooked the ultimate instantiation of their trade - the computer criminal. Clearly the computer is a tool that can be used in illegitimate ways, just as almost any other tool in our modern repertoire can be used inappropriately. While much of the alleged activity of hackers has come under scrutiny in the legislatures, there is still a line between the hacker and the criminal. This line may hinge on intent and purpose, and while it is not clear that hackers accrue a great deal of financial benefit by their actions, the impact on the owner of a (hardware or software) system is not that different. Consider the disparity between the hacker ethic that information should be free and the right to privacy of individuals whose records are stored in a data bank. Fundamentally the system owner must rely on three elements which will provide his protection:

Computer Security
- technical means by which the system is protected by layers of security through which control of communication is verified and by which data and software is checked for sanity and cleanliness

Computer Law
- the enactment of a series of punitive measures which define precisely the illegitimate activities with respect to computer systems usage, and the installation of an enforcement mechanism by which infringements of the law are detected and prosecuted

Computer Ethics
- the introduction of studies of ethical behavior into our educational system, in the same manner in which ethical (and moral) behavior is taught alongside sex and driver education

Bibliography

ACM. 1989. "The Worm Story", A collection of papers and reports, Comm. ACM, Vol. 32, No. 6, pp. 677-703.

Perry, Tekla S. & Paul Wallich. May 1984. "Can Computer Crime be Stopped?", IEEE Spectrum.

Gemignani, Michael. 1989. "Viruses and Criminal Law", Legally Speaking, Comm. ACM, Vol. 32, No. 6, pp. 669-671.

Conway, Richard, and David Gries. 1975. An Introduction to Programming: A Structured Approach Using PL/I and PL/C, 2nd ed., Winthrop Publishers, Cambridge, MA.

Irwin, Stephen T. 1990. "The Great Hacker Challenge of 1989", Technical Support,..

Landreth, Bill. 1985. Out of the Inner Circle: A Hacker's Guide to Computer Security, Microsoft Press, Bellevue, WA, 230 pp.

Lee, J.A.N., Roz Steier, Gerald Segal. 1986. "Positive Alternatives: A Report of an ACM Panel on Hacking", Comm. ACM, Vol.29, No.4, April 1986, pp.297-299.

Levy, Steven. 1984. Hackers: Heroes of the Computer Revolution, Anchor Press/Doubleday, Garden City, NY, 458 pp.

Parker, Donn B. 1976. Crime by Computer, Scribner's, New York.

Parker, Donn B. 1983. Fighting Computer Crime, Scribner's, New York.

Parker, Donn, and John F. Maxfield. 1985. "The Nature and Extent of Electronic Computer Intrusion", Workshop on Protection of Computer Systems and Software, National Science Foundation.

Samuelson, Pamela. 1989. "Can Hackers be Sued for Damages Caused by Computer Viruses?", Legally Speaking, Comm. ACM, Vol. 32, No. 6, pp. 666-669.

Shapiro, Norman Z. and Robert H. Anderson. 1985. Towards an Ethics and Etiquette for Electronic Mail, Rep. No. R-3283-NSF/RC, Rand Corp., Santa Monica CA.

Steele, Jr., Guy L. et al. 1983. The Hacker's Dictionary, Harper & Row, New York.

Footnotes

[1] Department of Computer Science, Virginia Polytechnic Institute and State University, Blacksburg VA 24061-0106.

[2] Websters New World Dictionary, 1967.

[3] Conway and Gries 1975.

[4] Irwin 1990.

[5] Shapiro 1985.

[6] Levy 1985.

[7] Draper took the pseudonym Cap'n Crunch from the cereal when he found that the plastic whistle enclosed as a premium activated the operator controls of the phone system.

[8] Parker 1984.

[9] Landreth 1985.

[10] ibid.

[11] ibid.

[12] ACM 1989.

[13] Because It's Time NETwork.

[14] ACM 1989.


Last updated 96/10/14
© J.A.N. Lee, 1993.