In The Company Of Hackers
By Simon Edwards
Somewhere out there, in the small hours, lies an army of
caffeine-fuelled über-nerds, itching to take control of your system.
Or are they? We investigate the truth about hacking. |
|
 |
|
The Info Security 2000 exhibition was held in April at Olympia in London. Imagine the scene: the main hall is packed with stands at which salesmen try to strike up deals and generally advertise their wares. A first-floor gallery contains more stands, a pressroom and a conference hall. This room is packed with an audience listening intently to a panel of hackers who are answering questions about the state of Internet security. Outside, snaking between more stands, is a queue of journalists, network administrators and wannabe hackers. It's busy, noisy and bright. I'm late, and the hall is already full. Further admissions are refused on fire safety grounds. However, our ever-intrepid reporter finds a way in through the pressroom and an adjoining kitchen. I 'hack' into the hall where the hackers are speaking. Later one of my new friends tells me that this shows the "right attitude", if I want to be a hacker.
The panel includes a plump, moustachioed American, a gothic-looking girl (think The Matrix and you won't be far off), and another American with a goatee beard and a ponytail. He's known as Sir Distic or 'id', the author of the Back Orifice program, used to attack and gain control of Windows PCs. The girl turns out to be his girlfriend.
How To Hack: Break into your first system by guessing user names and passwords. Password cracking tools can help here. Alternatively, phone an employee at the company you're trying to penetrate and ask for his user name and password. You'd be amazed how many people will comply. Leapfrog from one system to another, covering your tracks as you go. Shutting down systems and deleting log files is a good idea. Step 2: Locate your Target Hackers use a scanner to find potential target systems. Because you're scanning from another system over the Internet, you're unlikely to be traced. Scan from your own machine, and you risk a return attack or legal action. Step 3: Probe for Weaknesses Once you've located a server, you'll need to identify what software it's running. Many programs have security flaws, plenty of which are documented on the web - where you'll also find tools to exploit them. If you're really good, you'll have written your own programs to lever a way into the system. Step 4: Gain Access The main aim for serious hackers is to gain control of the system. This brings the opportunity for deleting or modifying files, installing programs (including 'back doors' for easier access next time) and removing traces of the break-in. Some hack for fun, others to steal information or vandalise systems. Defaced web sites are a particularly public and humiliating manifestation of an attack. Some hackers favour the social engineering approach (where users are tricked into giving up their details over the phone), while others prefer the 'purer' technical challenge of software hacking. |
It seems that the Russian mafia is actively recruiting hackers to carry out electronic attacks and steal credit card numbers. Kent (moustache), an 'ethical hacker' who targets child pornography sites, talks of a multi-levelled hacker community containing über-hackers with secret databases, 'good guys' going after the 'bad guys' and a "cyber army" just waiting to attack, should things go wrong. If bad hackers get out of hand, the community will "reverse-track 'em and take 'em off," he says.
We hear about the Great Firewall of China attack, in which China's main Internet censoring filter was deactivated. Chinese servers are, according to Kent, very easy to hack because of the lack of information (ironically due to censorship).
The hackers believe that the introduction of fast and permanent Internet connections will make their lives easier. Around seven per cent of US connections use such technology, which is apparently "crying out" to be abused. The UK will see the same broadband technology around mid-July. Kent suggests that people scan their systems using a web-based tool, available at www.grc.com, to ensure they're secure. Buyer readers with a copy of the January 2000 issue already own a port scanner in the shape of Ipswitch's WS_Ping ProPack.
After a question-and-answer session, the audience disperses to view the stands in the main hall. I slip back through the kitchen, into the pressroom and wait for the hackers to appear for lunch. Like us, they need food - but rest, it seems, is lower on their list of priorities.
Everyone I spoke to, bar Kent, had not slept in at least 36 hours. David, who spent at least five hours in my company, had been up for 49 hours when I first met him. We spent the afternoon discussing hacking techniques. I received an astounding tutorial in the art of 'smashing the stack', a technique used to gain unauthorised access to systems.
While the rest of us sleep, David and his kind are online. Surprisingly, though, most of the hackers I met have girlfriends or wives. Although he admits to a real rush when he executes a successful hack, David is adamant "it's still not as good as sex." He spends his weekends with his girlfriend, Sophie, restricting his hacking activities to weekdays. I meet no female hackers to ask.
Online addiction
Three things fuel the hackers I do meet: nicotine, caffeine and an almost supernatural desire to break into computer systems. David admits to an "obsession to bend the machines to my will." There's also a fair amount of testosterone in the air and each expert wants to make a name for himself. In the world of the hacker, the really important thing is to gain a reputation - and, therefore, recognition and respect. They hope to do this by discovering security holes. Real men, it appears, then write code to exploit the holes. Simply finding a bug is not enough to earn kudos.
How Not to Get Hacked If you're running a Windows 95/98 PC, it's unlikely you're running any kind of server software. You probably don't yet have an ADSL Internet connection, and so only go online for short periods of time. This combination of factors makes your PC virtually impregnable to hackers. But there is still a way that ingenious hackers can get at you. Computer viruses like Back Orifice can secretly install themselves and provide remote-control services to hackers.How do you catch such a virus? You can infect your machine with a Trojan-style virus by running files you find attached to e-mails sent by strangers. If the file ends in the .Exe file extension, beware. If you want to stay safe, avoid running any attached files unless you were expecting them. How does a hacker know if you're online? The virus detects when you're online and immediately sends an alert to the hacker, who will almost certainly be waiting for notification from any number of infected machines. |
Some, like Kent, are shamelessly macho about hacking, using phrases like "You can attack my system but I'll f***ing shut you down." Most will also happily stab others in the back the minute they're on their own. The Americans refer to hacking rivals as being "lame". The English hackers prefer the term "pants".
Some more English hackers turn up, unannounced, and move around the newspaper journalists hoping to be interviewed. I'm accosted by one called Mat. He and his friend, a giant tattooed man with deep-set eyes and a crew cut, agree to sit down for a chat. But Mat's too intent on criticising his fellow hackers to hold a decent conversation, and his friend prefers to pay attention to his mobile phone, which sports a sticker of the FreeBSD logo. FreeBSD is an open source UNIX-type operating system - a bit like Linux.
I corner Kent, the ethical hacker, and ask him why he believes he has the right to decide which sites are OK and which are unacceptable. He tells me that child pornography and Nazis are fair game. It's hard to disagree, but harder to listen as he starts to describe some of the sick material he has unearthed. I make my excuses and leave. Before I do, Kent makes an astounding claim. He tells me about a technique that will give me unauthorised top-level access to certain types of system. I'm not sure of his technical accuracy and a few conversations with the others convince me that he's exaggerating.
It's a mad, bad world...
Everyone is at risk from hackers, even from the self-proclaimed 'good guys' like Kent. Your system may not be the real target, but these people will still try to gain access as just one stage in their assault on another computer system. They even attack each other. David tells me of one evening when he discovered someone scanning his PC. He ran a few checks and discovered that not only was a hacker trying to gain access, but that it was his friend Greg. "I called him up straight away. We had a good laugh about it," says David. Greg claimed that he didn't know whose system he was probing.
David (24) is the director of his own security company. Cerberus Information Security Ltd will, for a fee, try to find all of the possible vulnerabilities in a business network and web site. His clients are well known, although most wouldn't want to admit that David and his team frequently find gaping holes. I'm invited to attend one such 'penetration attack', and readily agree. These usually take place at night, when business won't be affected, and go on into the small hours. We'll keep you posted on how I get on.