Kim Zetter and Andrew Brandt, PCWorld.com
With the click of a mouse on one computer, the screen of the laptop a few feet away flashes wildly as a flood of data flies silently across a private network cable connecting the two machines. Within a minute the laptop’s file sharing password is compromised.
“The computer is having a bad day,” says a reporter as he watches the effect of the attack on his machine. “Packets are coming at it so fast, the firewall doesn’t know what to do.”
Some hackers claim they can teach a monkey how to hack in a couple of hours. We asked two hackers, Syke and Optyx (at their request, we are using their hacking pseudonyms rather than their real names), to give us non-simian reporters a demonstration.
What we got was a sometimes-frightening view of how easily nearly anyone’s computer–at home or at work, protected or not–can be cracked by a determined hacker. But we also found out that computer users can make a hacker’s job much harder by avoiding a few common mistakes.
Syke, a 23-year-old white-hat hacker, and Optyx, a 19-year-old self-proclaimed black hat, both work in computer security (Syke, until recently, for a well-known security software vendor; Optyx for an application service provider).
They launch their attack on our notebook from desktop computers located in the windowless basement that is New Hack City, a sort of hacker research-and-development lab (and part-time party lounge).
The lab’s rooms are filled with over a dozen Sun SPARC servers, assorted network hubs and mountains of ethernet cable, an arcade-size Ms. Pac Man game, and a DJ tower stocked with music-mixing equipment for all-night hacker jams.
“You should understand,” says Optyx, as he enters a few commands that bring our machine to its knees, “no matter what people do, hackers will always find a way to get into systems.”
Just as he says this, Optyx uses a program to get the laptop to spew out a bit of data identifying its operating system and version.
He then runs the program that cracked the file sharing password in the blink of an eye. We watch as he uses another tool to root through files in the laptop’s shared directory.
As hacking goes, the methods our two instructors use on our laptop are not very elegant–the equivalent of using brute force to knock in a door–and through the machine’s software firewall, we are immediately aware that the machine is being hacked. But, save from disconnecting our machine from the network cable, we’re powerless to stop it.
Most hacking attacks, however, are much more invisible.
The methods hackers use to attack your machine or network are fairly simple. A hacker scans for vulnerable systems by using a demon dialer (which will redial a number repeatedly until a connection is made) or a wardialer (an application that uses a modem to dial thousands of random phone numbers to find another modem connected to a computer).
Another approach used to target computers with persistent connections, such as DSL or cable connections, employs a scanner program that sequentially “pings” IP addresses of networked systems to see if the system is up and running.
Where can a hacker find such tools? On the Internet, of course.
Sites containing dozens of free, relatively easy-to-use hacking tools available for download are easy to find on the Net. While understanding how these tools work is not always easy, many files include homegrown documentation written in hacker shoptalk.
Among the programs available are scanning utilities that reveal the vulnerabilities on a computer or network and sniffing programs that let hackers spy on data passing between machines.
Hackers also use the Net to share lists of vulnerable IP addresses–the unique location of Internet-connected computers with unpatched security holes. Addresses of computers that have already been loaded with a Trojan horse are available for anyone to exploit (in many cases without the owner of the computer knowing).
Once the hacker finds a machine, he uses a hacker tool such as Whisker to identify in less than a second what operating system the machine is using and whether any unpatched holes exist in it. Whisker, one of a handful of legitimate tools used by system administrators to test the security of their systems, also provides a list of exploits the hacker can use to take advantage of these holes.
Security Software Alone Can’t Stop Them
Syke and Optyx explain that several conditions make it easier for them to hack into a system. Lax security is one of them–such as when a company uses no passwords on its system or fails to change Windows’ default passwords.
In October 2000 hackers broke into Microsoft’s system and viewed source code for the latest versions of Windows and Office after discovering a default password that an employee never bothered to change.
Other common mistakes: When system administrators don’t update software with security patches, they leave vulnerable ports open to attack. Or when they install expensive intrusion detection systems, some fail to monitor the alarms that warn them when an intruder is breaking in.
Still another boon to hackers is a firewall or router that is misconfigured, allowing hackers to “sniff” pieces of data–passwords, e-mail, or files–that pass through the network.
Once a hacker cracks into a system, his next goal is to get root, or give himself the highest level of access on the machine. The hacker can use little-known commands to get root, or can search the documents in the system’s hard drive for a file or e-mail message that contains the system administrator’s password.
Armed with root access, he can create legitimate-looking user accounts and log in whenever he wants without attracting attention. He can also alter or delete system logs to erase any evidence (such as command lines) that he gained access to the system.
But a hacker doesn’t need root access to affect a system. He can misroute traffic intended to go to one company’s Web server to a different one. Or, exploiting a well-documented bug (for which there’s a patch that many sites haven’t applied), a hacker can replace any Web page with his own text using a simple set of UNIX commands typed into the browser’s Address bar.
A more serious threat, however, comes from skilled hackers who launch a denial-of-service attack, in which a Web server is flooded with so many requests that it stops responding altogether.
Previously one of the most common attacks, DoS attacks are now much harder to accomplish. Large Internet companies counter them by buying larger Internet pipes, which are harder to fill with the junk data hackers throw at them. The more bandwidth a company has, the more service the hacker needs to interrupt in order to produce a noticeable effect.
Hackers quickly learned that a single computer couldn’t send enough phony requests to deny service, so they came up with a clever approach that employs dozens of hacked computers, working in synch to execute a distributed denial-of-service attack.
A DDoS attack uses as many computers as the hacker can control (called “zombies”) to send bogus data requests to a targeted server. To unleash the attack, the hacker sends just one command, which propagates to all of the zombies and causes a near-instantaneous death-by-data on the Web server.
A hacker can also use an army of compromised computers to steal data–such as credit card numbers and proprietary corporate files–without leaving a clear trail. The hacker hops from machine to machine and then launches an attack that passes through all of them, creating a maze of connections for authorities to sift through.
University systems are prime targets for such activity, since administrators often leave student accounts active after students have graduated. A hacker can take over the account and use it as a base to attack another system.
In December 2000 hackers broke into a U.S. Air Force system in Virginia and downloaded code for controlling communication and spy satellites to a computer in Sweden. The Swedish company that owned the system housing the data had no idea hackers were using its computer, and cooperated with authorities.
From Sweden the activity was traced to a university machine in Germany, which authorities also believe was being used by a distant hacker.
Hackers can silently collect information from a machine for months without being detected. Using a Trojan horse, a hacker can log keystrokes on a computer (to obtain a user’s passwords) or use a “sniffing” program to collect sensitive data as it passes from one computer to another.
Sniffer software is a bit like a radio in that it simply listens for traffic to pass by it on the network wire. Sniffers are undetectable by the user and (usually) by the system administrator.
Nowhere to Hide
It might seem that, with all the ways hackers can get into your system, there’s no safe place for your data to hide. Optyx would agree–to a point.
Casually typing commands on his keyboard that sends our laptop into further frenzy, Optyx says that simply running antivirus software alone, or having a firewall or intrusion detection system, won’t prevent the theft of data or hacking of your computer.
“If people hack your machine,” continues Optyx, “they hack it through a vulnerability.”
He recommends that, in addition to using the above tools, every user install the latest security patches on their critical software, including the operating system and the applications they regularly use. “The only way to protect yourself is to patch up the holes,” he says.
Kim Zetter and Andrew Brandt are PC World senior associate editors who cover security and privacy issues. Originally published on PC World, Apr 2, 2001.