http://www.washingtonpost.com/wp-srv/WPcap/1999-03/10/024r-031099-idx.html New Computer Technology Makes Hacking a Snap By Michael E. Ruane Washington Post Staff Writer Wednesday, March 10, 1999; Page A01 Used to be you had to have some know-how to crash a kernel. It would take all night to snoop a connection, smash a stack or crack a password. You could work forever trying to get to root. Not any more. Nowadays, any fresh-faced newbie can download a kiddie script, fire off a vulnerability scan and, in no time, come up with a nice, juicy target list. It's enough to make veteran hackers -- the handful of computer wizards who speak a colorful language that once was all their own -- break down and cry. But it's true. Along with the breathtaking advances in computer technology has come a vast proliferation of easy, ready-to-use computer hacking programs, freely available on the Internet, and a boon to greenhorn hackers. "This is your nephew or your cousin," says Peter Tippett, president of the Reston-based International Computer Security Association. "It's a kid who says, 'This seems kind of cool. Let me just take this tool and aim it at Ford Motor Company.' " They use programs -- called "exploits," "tools" or "attacks" -- with names like "Smurf," "Teardrop" and "John the Ripper." Some are so-called "denial of service" programs, which sneak or barge in and overwhelm a targeted system, shutting it down. Others are "vulnerability scanners," which search the Net for specific weaknesses to be exploited later. Still others are "penetration" attacks that break in and take control. Some attacks use a "Trojan Horse" -- benign-looking bait with an exploit concealed inside. Others "spoof," using a bogus ID. Still others lie in wait and spring when an unsuspecting victim pauses to visit. A few are simply sent out to "sniff the traffic" on the Internet. There are hundreds of them. So many that some have been given the name kiddie scripts, because of their simplicity of use. Those who launch them are called, of course, script kiddies. And experts say they may account for 95 percent of all external computer hacking attacks. Hacking always seems to have been the purview of the young. Just last year, five teenagers hacked into Defense Department computers, and last month, a 15-year-old from Vienna was accused of hacking into Clemson University's system and of trying to break into NASA's. Experts believe there are now tens of thousands of hacking-related Web sites, and hundreds that approach the subject seriously. The Pentagon, traditionally the most assailed hacking target on Earth, announced Friday that it is investigating another potent attack -- one of the 80 to 100 it undergoes every day. But in years past, hacking was tedious, demanding work that required brains and dedication, and, if successful, was an envied notch in the cyber gun. There was hacker esprit. There was a great "signal-to-noise" ratio -- intelligent talk vs. baloney. And there was the hacker code: Look, but don't touch. No longer. "It used to be a small circle," says Dr. Mudge, a veteran Boston-area hacker who operates a Web site with his sidekicks Kingpin, Brian Oblivion, SpaceRogue and others. "Now it's almost mainstream, and like anything that goes mainstream you get a lot of good and a lot of bad." "Now people can hack without having to pay their dues," says Rob Clyde, a vice president with the Rockville-based computer security firm, Axent Technologies Inc. "You no longer have to be an expert," he says. "You just have to have time and motive. And the motive often times now is vandalism, destruction, just blow away stuff, destroy it, make it look bad." Sometimes it's even worse. The FBI on Friday released an annual survey that it conducts with the San Francisco-based Computer Security Institute, reporting that criminal hacking caused $123 million in losses last year, and now posed "a growing threat to . . . the rule of law in cyberspace." Mostly, though, many experts say, the new add-water-and-stir hacking is for amateurs. And most of them are still pretty young. "We're talking 95 percent of hackers are script kiddies," Tippett says. "We're talking a million events a month where people run those tools to see what happens. Maybe one or two percent of hackers are people who know what the tool actually does." Peter Mell, a computer scientist at the National Institute of Standards and Technology, in Gaithersburg, says, "Ten years ago if you wanted to break into somebody's system, you would stay up all night long." "You would manually go to their computer, try a few things, if it didn't work you'd go to another computer, try a few things," he says. "Very tedious. You'd spend all night doing it." "Nowadays what somebody does is . . . at 6 o'clock, they download a vulnerability scanner and an associated attack. They set the vulnerability scanner running. They go out to a party . . . come home 11 at night. And their computer has compiled a list for them of 2,000 hosts on the Internet which are vulnerable to that attack." "All they have to do is type the name of the computer that is vulnerable into their attack script, and they have complete control of the enemy," he says. The actual damage done by hackers is uncertain and some experts suggested it is overstated by a computer industry eager to sell its services. Those experts estimate that 80 percent of hacking comes from within a corporation rather than through outside attacks. Hacking lingo seems filled with military references like "attack" and "target." But hacking also has -- along with its own magazines and an annual convention -- an idiom all its own. "Crashing a kernel," for example, refers to breaking down the core of an operating system. "Smashing a stack" means taking over a vital part of a computer's memory. "Snooping a connection" means breaking into a conversation between two other computers. And the ultimate feat, "getting to root," or more simply, "getting root," means seizing fundamental control of target system. Mell, 26, a surgeon's son from St. Louis who said his brother taught him to program in second grade, has conducted a study of published attacks that smash, crash, seize and snoop by monitoring what people request at hacker Web sites. He has named the array of published attacks the Global Attack Toolkit. And he has compiled a list of the top 20 recently most popular. He points out that most attacks can be defended with so called "patches," but a few are almost indefensible. One of the most popular -- number 2 on his list -- and one that's tough to counter is "Smurf." "It's an attack where you overwhelm an enemy system with a huge number of (information) packets . . . and their computer simply can't handle all of the packets," he says. "The computer shuts down. If it's a Web site, the Web site stops working. If it's the router going into the White House, the White House traffic stops flowing." Number one on his list was a Trojan Horse called "Back Orifice." In a paper he wrote last year, Mell mentioned one hacker Web site that lists 690 scripts, another that has 383 and another that lists 556. "Together, the exploit script Web sites form an attack tool kit that is available to literally everyone in the world," he wrote. "Somewhere on the Internet, there exists a host vulnerable to almost every attack, and scanning tools are readily available to find that host." Mell says the attack scripts are posted on hacker Web sites by other hackers, by disgruntled systems administrators trying to draw attention, and eventually patches, to holes in their systems, and by "white hat" hackers seeking to alert the computer security industry to vulnerabilities. And he believes that posting easy scripts may not be all bad. "When attacks are posted to the Internet, companies respond, and they fix their software very quickly, and they release patches, and there's news articles and advisories alerting people that there's this vulnerability," he says. "So by the public posting . . . in a way it makes the world safer, because everybody knows what's out there and they're prepared," he says. "If the scripts weren't published, intrusion-detection companies wouldn't know where to get their data, security companies wouldn't know that their applications had holes in them." "At the same time that these attack scripts make it available for anyone in the world with very little intelligence to download and run attacks, it also means that security companies are quick on their feet to respond to them." But computer security firms are not sitting idly by. They have their own intrusion detection programs -- some of which are recon missions, if you will, that "sniff" the traffic to ambush roving attack scripts. Mell says there is a "Virtual Suicide" Web site where systems operators can request an attack to test security. Visitors can ask to be "crippled," "beheaded" or "vaporized." Perhaps the most sinister attacks, though, are passive. Apparently small in number, Mell says in his report, they "require a target to visit the hacker's Web site" before striking. Soon, he writes, "the Internet may develop 'bad parts of town.'" "Watch where you walk!" -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:43 PDT