[ISN] New Computer Technology Makes Hacking a Snap

From: mea culpa (jerichoat_private)
Date: Wed Mar 10 1999 - 22:46:15 PST

  • Next message: mea culpa: "[ISN] FAILURE OF PENTIUM III UTILITY Exposed by Zero-Knowledge Systems"

    http://www.washingtonpost.com/wp-srv/WPcap/1999-03/10/024r-031099-idx.html
    
    New Computer Technology Makes Hacking a Snap
    By Michael E. Ruane
    Washington Post Staff Writer
    Wednesday, March 10, 1999; Page A01
    
    Used to be you had to have some know-how to crash a kernel. It would take
    all night to snoop a connection, smash a stack or crack a password. You
    could work forever trying to get to root. 
    
    Not any more. 
    
    Nowadays, any fresh-faced newbie can download a kiddie script, fire off a
    vulnerability scan and, in no time, come up with a nice, juicy target
    list. 
    
    It's enough to make veteran hackers -- the handful of computer wizards who
    speak a colorful language that once was all their own -- break down and
    cry. 
    
    But it's true. Along with the breathtaking advances in computer technology
    has come a vast proliferation of easy, ready-to-use computer hacking
    programs, freely available on the Internet, and a boon to greenhorn
    hackers. 
    
    "This is your nephew or your cousin," says Peter Tippett, president of the
    Reston-based International Computer Security Association. "It's a kid who
    says, 'This seems kind of cool. Let me just take this tool and aim it at
    Ford Motor Company.' " 
    
    They use programs -- called "exploits," "tools" or "attacks" -- with names
    like "Smurf," "Teardrop"  and "John the Ripper." 
    
    Some are so-called "denial of service" programs, which sneak or barge in
    and overwhelm a targeted system, shutting it down. Others are
    "vulnerability scanners," which search the Net for specific weaknesses to
    be exploited later. Still others are "penetration" attacks that break in
    and take control. 
    
    Some attacks use a "Trojan Horse" -- benign-looking bait with an exploit
    concealed inside. Others "spoof," using a bogus ID. Still others lie in
    wait and spring when an unsuspecting victim pauses to visit. 
    
    A few are simply sent out to "sniff the traffic" on the Internet. 
    
    There are hundreds of them. So many that some have been given the name
    kiddie scripts, because of their simplicity of use. Those who launch them
    are called, of course, script kiddies. And experts say they may account
    for 95 percent of all external computer hacking attacks. 
    
    Hacking always seems to have been the purview of the young. Just last
    year, five teenagers hacked into Defense Department computers, and last
    month, a 15-year-old from Vienna was accused of hacking into Clemson
    University's system and of trying to break into NASA's. 
    
    Experts believe there are now tens of thousands of hacking-related Web
    sites, and hundreds that approach the subject seriously. The Pentagon,
    traditionally the most assailed hacking target on Earth, announced Friday
    that it is investigating another potent attack -- one of the 80 to 100 it
    undergoes every day. 
    
    But in years past, hacking was tedious, demanding work that required
    brains and dedication, and, if successful, was an envied notch in the
    cyber gun. There was hacker esprit. There was a great "signal-to-noise"
    ratio -- intelligent talk vs. baloney. And there was the hacker code:
    Look, but don't touch. 
    
    No longer. 
    
    "It used to be a small circle," says Dr. Mudge, a veteran Boston-area
    hacker who operates a Web site with his sidekicks Kingpin, Brian Oblivion,
    SpaceRogue and others. "Now it's almost mainstream, and like anything that
    goes mainstream you get a lot of good and a lot of bad." 
    
    "Now people can hack without having to pay their dues," says Rob Clyde, a
    vice president with the Rockville-based computer security firm, Axent
    Technologies Inc. 
    
    "You no longer have to be an expert," he says. "You just have to have time
    and motive. And the motive often times now is vandalism, destruction, just
    blow away stuff, destroy it, make it look bad." 
    
    Sometimes it's even worse. 
    
    The FBI on Friday released an annual survey that it conducts with the San
    Francisco-based Computer Security Institute, reporting that criminal
    hacking caused $123 million in losses last year, and now posed "a growing
    threat to . . . the rule of law in cyberspace." 
    
    Mostly, though, many experts say, the new add-water-and-stir hacking is
    for amateurs. And most of them are still pretty young. 
    
    "We're talking 95 percent of hackers are script kiddies," Tippett says.
    "We're talking a million events a month where people run those tools to
    see what happens. Maybe one or two percent of hackers are people who know
    what the tool actually does." 
    
    Peter Mell, a computer scientist at the National Institute of Standards
    and Technology, in Gaithersburg, says, "Ten years ago if you wanted to
    break into somebody's system, you would stay up all night long." 
    
    "You would manually go to their computer, try a few things, if it didn't
    work you'd go to another computer, try a few things," he says. "Very
    tedious. You'd spend all night doing it." 
    
    "Nowadays what somebody does is . . . at 6 o'clock, they download a
    vulnerability scanner and an associated attack. They set the vulnerability
    scanner running. They go out to a party . . . come home 11 at night. And
    their computer has compiled a list for them of 2,000 hosts on the Internet
    which are vulnerable to that attack." 
    
    "All they have to do is type the name of the computer that is vulnerable
    into their attack script, and they have complete control of the enemy," he
    says. 
    
    The actual damage done by hackers is uncertain and some experts suggested
    it is overstated by a computer industry eager to sell its services. Those
    experts estimate that 80 percent of hacking comes from within a
    corporation rather than through outside attacks. 
    
    Hacking lingo seems filled with military references like "attack" and
    "target." But hacking also has -- along with its own magazines and an
    annual convention -- an idiom all its own. 
    
    "Crashing a kernel," for example, refers to breaking down the core of an
    operating system. "Smashing a stack" means taking over a vital part of a
    computer's memory. "Snooping a connection" means breaking into a
    conversation between two other computers. And the ultimate feat, "getting
    to root,"  or more simply, "getting root," means seizing fundamental
    control of target system. 
    
    Mell, 26, a surgeon's son from St. Louis who said his brother taught him
    to program in second grade, has conducted a study of published attacks
    that smash, crash, seize and snoop by monitoring what people request at
    hacker Web sites. 
    
    He has named the array of published attacks the Global Attack Toolkit. And
    he has compiled a list of the top 20 recently most popular. He points out
    that most attacks can be defended with so called "patches," but a few are
    almost indefensible. 
    
    One of the most popular -- number 2 on his list -- and one that's tough to
    counter is "Smurf." 
    
    "It's an attack where you overwhelm an enemy system with a huge number of
    (information) packets . .  . and their computer simply can't handle all of
    the packets," he says. "The computer shuts down. If it's a Web site, the
    Web site stops working. If it's the router going into the White House, the
    White House traffic stops flowing." 
    
    Number one on his list was a Trojan Horse called "Back Orifice." 
    
    In a paper he wrote last year, Mell mentioned one hacker Web site that
    lists 690 scripts, another that has 383 and another that lists 556. 
    
    "Together, the exploit script Web sites form an attack tool kit that is
    available to literally everyone in the world," he wrote. "Somewhere on the
    Internet, there exists a host vulnerable to almost every attack, and
    scanning tools are readily available to find that host." 
    
    Mell says the attack scripts are posted on hacker Web sites by other
    hackers, by disgruntled systems administrators trying to draw attention,
    and eventually patches, to holes in their systems, and by "white hat"
    hackers seeking to alert the computer security industry to
    vulnerabilities. 
    
    And he believes that posting easy scripts may not be all bad. 
    
    "When attacks are posted to the Internet, companies respond, and they fix
    their software very quickly, and they release patches, and there's news
    articles and advisories alerting people that there's this vulnerability,"
    he says. 
    
    "So by the public posting . . . in a way it makes the world safer, because
    everybody knows what's out there and they're prepared," he says. "If the
    scripts weren't published, intrusion-detection companies wouldn't know
    where to get their data, security companies wouldn't know that their
    applications had holes in them." 
    
    "At the same time that these attack scripts make it available for anyone
    in the world with very little intelligence to download and run attacks, it
    also means that security companies are quick on their feet to respond to
    them." 
    
    But computer security firms are not sitting idly by. They have their own
    intrusion detection programs -- some of which are recon missions, if you
    will, that "sniff" the traffic to ambush roving attack scripts. 
    
    Mell says there is a "Virtual Suicide" Web site where systems operators
    can request an attack to test security. Visitors can ask to be "crippled,"
    "beheaded" or "vaporized." 
    
    Perhaps the most sinister attacks, though, are passive. Apparently small
    in number, Mell says in his report, they "require a target to visit the
    hacker's Web site" before striking. 
    
    Soon, he writes, "the Internet may develop 'bad parts of town.'" 
    
    "Watch where you walk!" 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:43 PDT