Entry No.61i
IT Writers Awards
Aldis Ozols
Hackers Exposed
November 2000
Australian PC World
Submitted for Best Investigative category
Meet the hackers
Hear the word "hacker", and you might think of evil whiz-kids who sit in the dark, plotting to deface your Web page and steal your credit card number. The reality is not so straightforward -- in fact, some hackers can even help make your system safer. Aldis Ozols reports on Australia's most prominent hacker group.
What is hacking?
The Jargon File (www.science.uva.nl/~mes/jargon/) defines a hacker as "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary ... one who programs enthusiastically ... an expert or enthusiast of any kind."
It's an old computer industry term for programmers, dating from the 60s, but in recent years the word "hacker" has come to mean, in the popular mind, people who break into computer systems. Despite the protests of the terminology purists, that's how most people use the word today.
The hackers we'll meet here are members of 2600 Australia, a loosely organised association of people who share interests in computer security -- and how to get around it. They spend much of their time prowling the net, looking for vulnerable systems, probing for cracks in their defences, and seeing just what the possibilities are for exploitation. For hacking purists, the aim of the game is to find these vulnerabilities as an exercise and display of one's skills, not necessarily to do anything malicious to a compromised system.
2600 member poppy says "Hacking is the art of manipulating systems to perform in a manner which they were not designed to do," and most other members see the development of skills and knowledge as the main point of the exercise. However, there are also some hackers with darker motives. That's why it's important to know a bit about Internet security, and groups such as 2600 Australia can be surprisingly helpful in your quest for network safety.
Who are the hackers?
There are many different types of hackers, and it's a mistake to think they all share the same values, interests and motivations. Most of the members of 2600 Australia range in age from 16 to 25, and the majority are either students or professional computer workers. Acceptance among the group depends largely on technical abilities or willingness to learn them, though personality plays a part.
Most hackers are young, and consequently they share one of the characteristics of this group: they like to push the boundaries. Some enthusiasts like to spend their afternoons working on a car to make it go faster -- in a similar way, many hackers like to spend their late evenings trying to see what they can make a computer do. The fact that it may be someone else's computer just adds spice to the game.
There are different factions: some consider hacking a pure art to be done for the knowledge it brings, while others break into systems for seemingly noble political motives or baser ones such as greed. All "true" hackers, however, share a love of the technology for its own sake. It's this devotion that enables them to spend the many tedious hours of study and practice that are needed to build the necessary skills, for an expert hacker needs a practical knowledge of operating systems and networks superior to that of the average professional system administrator.
There's yet another group -- the "script kiddies". This is how hackers refer to those who want to break into computer systems without taking the trouble to learn how they really work. Generations of hackers have written programs to automate some of the tasks involved in penetrating computer defences, and many of these are freely available on the Internet. It's possible for inexperienced people to download and use these tools, and many do, without having the knowledge to produce their own. Such unskilled hacking is regarded with contempt by the computing elite, but it's a sad fact that a great many systems are vulnerable even to the well-known attacks made possible by such software. Reducing this sort of vulnerability is one of the ways in which the more dedicated hackers can be helpful.
Why do they do it?
Behind the youthful exuberance there often lies a hacker philosophy and a set of values. It's about freedom, empowerment, and the special buzz that comes from excelling at doing something difficult and demanding.
High school student and hacker puddl says "I hack because I can, I have the knowledge to do so. It is a feeling which is indescribable ... knowing how everything works, and that you know how to take advantage of the system. Accessing information not showable to people is another reason. Uncovering secrets that are usually locked behind safes never allowed to be seen. Hacking gives a hacker a so-called adrenaline rush ... accept no restrictions or limitations, believe in no boundaries and not in the illusions designed to hide the truth."
Fellow hacker black-hand says, "hacking is exploring and learning ... [we should] hack to learn, not learn to hack," while GAW adds "learn to hack for supreme knowledge, not learn to hack to cause malicious harm." Many hackers have little regard for "hacktivism", hacking for a political cause, yet this is not a universally held view. Puddl, for instance, sympathises with the hackers who redirected the Nike Website to the protest group s11.org: "Some might say it is a crime, but I myself think it is a deed ... like Robin Hood."
There are also "crackers" -- people who see hacking as an excuse to perform electronic vandalism, crashing or defacing any system they can break into. They aren't well regarded in 2600 circles, where proof of a skilful penetration that leaves the target system unharmed is more likely to gain respect than mere acts of destruction. In fact, many hackers make a point of warning administrators that their system is vulnerable, so preventing future attacks by vandals -- their own satisfaction comes from demonstrating their abilities to their peers, not from harming others.
Black Hats, White Hats, Grey Hats
It's this aspect of hacker motivations that can make them a powerful force for good in the online world. One of the best sources of information about how to make computer systems resistant to attack is the information supplied by experienced attackers.
Among hackers there are "black hats", who break into systems to vandalise them or steal information, as well as "grey hats", who subvert security but often improve it in the long term by pointing out vulnerabilities which would otherwise be exploited by black hats. There are probably some "white hats" too, who never do anything naughty, but there's some doubt as to whether such people actually exist.
2600 Australia has organised its own grey-hat effort through Wiretapped (www.wiretapped.net), a clearing house for security information that anyone can use. Among other things, this site contains alerts about systems which have been found vulnerable by hackers in their explorations. For example, one recent alert described the ways in which a major Australian retailer's online buying system could be exploited. These vulnerabilities were privately notified to the system's administrators a month before being posted, so there was an opportunity to get them fixed. It may be annoying for administrators to be upstaged by hackers in this way, but consider how much worse it could be if the problems were not revealed, and cracks in the system had been left wide open for the black hats to exploit.
Another grey-hat effort is www.condemned.org, a Website devoted to using hackers' skills to track down child pornography and eliminate it from the Net. Established in 1999, it focuses the efforts of many hackers and "works with law enforcement agencies, officials and Web content providers from around the world to remove this content and gather information in a bid for a successful prosecution of these offenders."
Hackers are the experts on breaking into computers. Black-hand says that "you have to know how to break into systems to protect them, so you have to be black-hat to be white-hat, hence 'grey-hat'." Or, as puddl puts it, "protection against hackers == hackers." There's a strong argument that encouraging grey-hat hackers to reveal security problems, rather than prosecuting anyone who discovers a system vulnerability, is the way forward in Internet security. It's certainly better than covering up this widespread problem, which only leaves computers vulnerable to the depredations of the black hats -- who will always be there to take advantage of insecure systems.
Hack attacks
Computers and the Internet are just too complex for anyone to understand completely, so there will always be flaws and bugs in even the best system. Security is in a constant state of change, as hackers discover or create new holes they can exploit, while system administrators and programmers work to fix the weaknesses as soon as they are found. Nevertheless, there are some common types of vulnerabilities that pop up again and again, and many of these can be avoided by taking the right precautions.
Default passwords
Many systems are protected by passwords that identify legitimate users. When they are first installed, they may often come equipped with a standard password, or no password at all, so the owner can access the machine in order to set it up. It's a surprisingly common mistake to leave these passwords in place, and hackers who keep lists of these can easily use them to get in. Default passwords should always be changed to new ones which are difficult to guess, and kept safe from discovery.
Outdated software
When a weakness is found in software, the manufacturer will often issue an update that addresses the problem. Hackers, who keep track of such bugs as they are discovered, will look for systems that have not been updated, as these will have a known vulnerability. Staying current with security updates for your software is one of the most basic techniques for keeping your machine safe.
Trojans
A trojan is a hostile program that hides itself in your computer. Some trojans allow hackers to control an infected computer, while others are designed to turn hundreds of "innocent" systems into platforms for attack on a target system, as we saw earlier this year when several prominent Web sites were blocked using this method. Good antivirus software is the first line of defence against trojans, though securing the system generally from unauthorised access is also important.
Passing variables in URLs
This is the weakness that was evidently exploited in the GST Web site "hack" that was in the news a few months ago. The problem here was that information identifying subscribers was being shown on the Location bar of the Web browser, allowing users to access other people's accounts simply by typing in their identifiers. This demonstrates that common methods of Web design can be inappropriate when used in an environment where security is an issue.
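The weakness described above, shown beside its fix, as an added illustration that is not from the original article or from the site it mentions. The account data, session table, function names and the example.invalid URL are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: two subscribers and one logged-in session.
ACCOUNTS = {
    "1001": {"owner": "alice", "details": "constructed record A"},
    "1002": {"owner": "bob", "details": "constructed record B"},
}
SESSIONS = {"sess-alice": "alice"}  # session token -> authenticated user


def account_id_from_url(url):
    """Pull the subscriber identifier out of the query string.
    A missing or repeated id parameter is treated as no identifier."""
    values = parse_qs(urlparse(url).query).get("id", [])
    return values[0] if len(values) == 1 else None


def view_account_vulnerable(url):
    """Weak pattern: whatever identifier appears in the URL is served,
    so the identifier alone acts as the credential."""
    record = ACCOUNTS.get(account_id_from_url(url))
    return (200, record) if record else (404, None)


def view_account_checked(url, session_token):
    """Hardened pattern: the server-side session decides who is asking,
    and the URL identifier is honoured only if that user owns the record."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)  # not logged in
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None or record["owner"] != user:
        # Same answer for unknown and foreign ids, so the response
        # does not reveal which identifiers exist.
        return (403, None)
    return (200, record)


if __name__ == "__main__":
    other = "https://example.invalid/account?id=1002"
    print(view_account_vulnerable(other))             # record served
    print(view_account_checked(other, "sess-alice"))  # refused
```

The identifier can stay in the URL; what changes is that the server checks it against the logged-in session before returning anything.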
Domain redirection
This exploit was made famous when the Nike Web page was redirected to the site of a protest group, S11.org. When your Web browser wants to go to a site, it asks a machine called a name server for directions. By fooling Nike's name server, hackers were able to redirect requests for Web pages to the site of their choice. This is a case where the target of an attack was compromised not through a flaw in its own security, but through the vulnerability of a different computer entirely.
Social engineering
A computer is only as secure as the people who use it, and social engineering refers to exploits that take advantage of carelessness or ineffective security procedures. The best security precautions can be foiled if passwords are obvious, or are accessible to outsiders. Hackers may go through the rubbish bins outside a target, looking for useful information, or may impersonate an authorised user to get access codes. An effective approach to computer security requires consideration of factors other than computers themselves.
Security on the Web
Here are some of the Websites frequented by hackers, as well as by those who want to make their systems safe from them.
www.2600.org.au
The official Website of 2600 Australia, with links to the 2600 mailing list and IRC channel.
www.wiretapped.net
A general security resource run by members of 2600 Australia, with local security alerts.
www.security-focus.com
A wide-ranging security site which hosts the BUGTRAQ mailing list, a must-read for system administrators.
www.rootshell.com
Security news and details of exploits.
www.attrition.org/mirror/attrition/
An archive of hacked Web pages.
packetstorm.securify.com
Security news and an archive of information about hacking.
www.unixhq.org
A new site created by some 2600 members, this is a work in progress but has potential.
www.boxnetwork.net
A portal which links to a network of security-related sites.
Hacker systems
Hackers don't like to be hacked themselves, so the security of their own systems is an important concern. There's a saying that no system is secure if it's connected to anything on a network, but some are better than others. The other important consideration for hackers is that an operating system should be flexible enough to be modified to suit their needs.
For these reasons, most hackers use one of the many open-source versions of Unix, though not necessarily the most well-known ones.
OpenBSD has a better reputation for security than many standard Linux distributions, so it's quite popular. Some prefer the Slackware or Debian distributions of Linux, while others prefer specialised security-oriented distributions like Immunix and Trinux. Modified versions of popular distributions such as Red Hat are also used. Some hackers are rumoured to write their own operating systems from scratch, but this is a formidable task and such systems, if they exist, are very rare.
Technical Journalist
Australian PC World
IDG Communications
(02) 9902 2772
Content Copyright © the author/publisher listed above
Design Copyright © Consensus Pty Ltd