COVER

CRACKING THE NET

For the good citizens of the Internet, a new wave of hackers is making business risky

JOE CHIDLEY May 22 1995

His fingers trip lightly over the keyboard. With the punch of a return key, a string of characters—writ in the arcane language of computers—scrolls onto the black-and-white display in front of him. “OK,” he says, “I’m in.” Suddenly, horizontal rows of letters and numbers scroll from left to right across the screen—meaningless to the uninitiated eye. But for the hacker, the mishmash of data contains seductive, perhaps lucrative secrets. With the aid of his packet sniffer, a program that shows him every keystroke on every computer on the network, he can tell that somebody at another terminal is playing a game; someone else is typing a message. And then, the entry he’s been waiting for: somebody is logging on. “There it is,” says the hacker, pointing to the screen. “There’s the user ID—and there’s the password.”

With that knowledge, the hacker can log in as the other user, take over his computer account or retrieve confidential files. If the person whose password he has stolen were a high-level network user—say, a system administrator or a top-level executive—it could be the hacker’s key to other users, other networks, other secrets. And then, if he is smart enough, he could bring the whole system to a crashing halt.

This is only a test. The ostensible culprit is Ian Goldberg, a 22-year-old computer science/mathematics student at the University of Waterloo. And he is playing around on the network that links the dozen or so computers in the southwestern Ontario school’s computer science club. So this hack, he explains, is “perfectly legal.”

But the exercise has a serious point. The night before speaking with Maclean’s, Goldberg compiled the sniffer program to show “exactly how bad most network security is.” And although he is a programming whiz headed for the University of California at Berkeley this fall to pursue a doctorate in computer graphics, even Goldberg seems surprised at how easily he could break into the club’s system. Total elapsed time for writing the program and testing it: about 40 minutes. “It’s very much a concern,” Goldberg says. “You don’t want people watching what you’re doing, and you especially don’t want people seeing your password. Then they can become you, pretend they’re you, and do anything they want.”

It seems axiomatic: the greater the exchange of information, the more likely it is that somebody will overhear. And today, everybody from secretaries to CEOs is hooked into local area networks, or LANs. On a global scale, 35 million people are linked to the Internet. Workers store love letters on their office terminals; mega-corporations send sensitive information to branches via electronic mail. And increasingly, that material proves a lure for the hacker—the inquisitive, sometimes malicious computer user, motivated by greed or self-aggrandizement, who interrupts the data flow and turns it to his own ends.

How serious is hacking? In 1989, the Computer Emergency Response Team, a nonprofit organization that monitors security issues throughout North America from its base at the Carnegie Mellon University in Pittsburgh, reported 132 computer intrusions; last year, the team recorded 2,341. And in recent months, a few celebrated cases have shed a new light on the hacker’s netherworldly activities. One notorious hacker is American Kevin Mitnick, a 31-year-old computer junkie arrested by the FBI in February for allegedly pilfering more than $1 million worth of data and 20,000 credit-card numbers through the Internet. Still, the new wave of network hacking is presenting fresh problems for companies, universities and law-enforcement officials in every industrialized country. And Canada is no exception.

As computing services director for the University of British Columbia in Vancouver, Jack Leigh has had more experience with security breaches than any man deserves. Two years ago, someone broke into the university’s computer network, which links thousands of terminals to one another and the Internet. Vancouver RCMP have since arrested a teenager and charged him with unauthorized use of a computer system and mischief to data; his identity is protected under the Young Offenders Act.

But for Leigh, the latest hacking incident had a less satisfactory outcome. In March, technicians discovered a sniffer program on the UBC network of almost 4,000 computers. A subsequent investigation revealed that the program—and therefore the hackers who had installed it—had retrieved about 3,000 user passwords. After discovering the problem, Leigh says, there was very little the university could do about it. Investigations of security breaches are notoriously difficult. The investigator has to monitor an ongoing pattern of intrusions, painstakingly tracing them back to the intruder on the other end of the network. “Because it takes so long, and because of the extent of the information they had,” says Leigh, “we decided to take drastic action and shut the system down.”

Leigh has his theories about who broke into the system—he suspects the hackers used the Internet to attack from a computer site in the United States, with help from someone in Canada. But shutting down the 3,000 accounts, which allowed legitimate users to obtain new passwords, erased any hopes of catching the hackers. Now, Leigh says, “the only thing we can do is wait for the next incident.”

To be precise, most hackers are people who simply love playing with computers. True, they may break security measures in a network—but they do it just for fun, or because they think the flaws need to be pointed out. The malicious subset of the hacker community, who intrude on computer networks to do damage, commit fraud or steal data, are known as “crackers.”

By either name, they now have an arsenal of technologies to help them in their quest for secrets. Cracking tools are readily available, thanks largely to the Internet. In several newsgroups in the Usenet, hackers offer to exchange such devices as password crackers, file scavengers and the poetic-sounding Trojan horse.

Among the most controversial cracking tools is Satan, an acronym for Security Administrator Tool for Analyzing Networks. Developed by former employees of Mountain View, Calif.-based Silicon Graphics Inc., Satan attacks a network in much the same way a reasonably knowledgeable hacker would. The idea is that legitimate system administrators can run Satan to discover areas that need fixing. But because its creators have released the program as freeware—for anybody to download from the Internet—critics contend that the technology could just as well be used by crackers. “They’re saying that it’s not a hacker’s door to your company,” says Thomas Healey, Toronto-based general manager of the Infocosm division of Andersen Consulting, who advises corporations and government agencies on information-highway issues. “But you know, I’d rather not see that on the Internet.”

If Canada has a cyber-cop, it is Sgt. Doug Dzurko. As computer support NCO for the Vancouver detachment of the RCMP, Dzurko, 37, has investigated—and got convictions in—seven hacking cases since 1987. His latest is Mikko Woodroffe, a 22-year-old programmer who in 1993 broke into Simon Fraser University’s computer accounts. “He was using another person’s account to surf the Internet, brag about his compromises, download software—the things normally associated with hacking,” Dzurko says. In March, Woodroffe pleaded guilty to a charge of mischief to data. He was ordered to pay a $1,000 fine and put in 100 hours of community service.

But the Internet, Dzurko says, is making enforcement in cyberspace more difficult. “Rather than dealing with local jurisdictions, now we have the international connectivity,” he adds. “Say you have a company hacked in Toronto and the incident originates in Australia—is Ontario going to try to bring these people to trial here in Canada? Those issues haven’t been tried yet in this country.”

Like other computer-crime specialists, Dzurko acknowledges that many cases go unreported—particularly those that involve corporations. “In a lot of cases,” he says, “there’s a reluctance from businesses to report hacks, because of the consequences of doing so from an investor point of view.”

In fact, the real costs of network hacking to business are among the best-kept secrets in cyberspace. But there are plenty of hints. Of 1,271 North American companies surveyed by the accounting firm Ernst & Young in 1994, more than 50 per cent reported financial losses in the previous two years related to information security. And clearly, the potential for security breaches is growing. In the same survey, 45 per cent of companies said that they use the Internet or other public networks to exchange important business data.

There are ways for corporations to safeguard against hackers—and the demand for safety has led to a boom industry in data security. Security measures range from user IDs and passwords to thumbprint, voiceprint or retinal scan technologies. Another approach is public key encryption, used in software packages such as Entrust. Produced by Ottawa-based Nortel Secure Networks, Entrust encrypts, or scrambles, messages so that only the intended recipient can read them, and it can create digital signatures that help to ensure electronic documents are authentic. Says Brad Ross, director of business development for Nortel Secure Networks: “The use of encryption technologies is taking off right now.”

Systems administrators typically log network activity, looking for signs of irregularity that might indicate an unauthorized entry. Last November at the University of Western Ontario in London, administrators discovered someone knocking at the door of several campus networks. “It got noticed because somebody was trying to do stupid things,” says David Wiseman, network manager for the department of computer science. “Somebody had been trying to force a hole through a fairly well-known bug—which had already been patched.”

Pulled off his regular duties, Wiseman tracked the hacker to the University of Toronto. Using an Ethernet sniffer from the Toronto site, the hacker “had gotten accounts and passwords from all over the planet,” Wiseman says.

As hackers go, Wiseman adds, this one was neither very good nor very creative. The investigation suggested that he was following—word for word—cookbooks posted on the Internet by a British group calling itself 8LGM, “a supposed group of reformed hackers out to make everyone feel better by telling everyone how to break in,” Wiseman says. From Nov. 24, when he began the investigation, through December, Wiseman watched the hacker go through his routine. “He started at 4 o’clock in the afternoon and would go till 4 in the morning sometimes,” he recalls. “He would literally go through hundreds and hundreds of sites trying to break in.” In the process, the hacker acquired passwords and accounts to computer systems at IBM, Harvard University and almost every university in Ontario.

On Dec. 23, RCMP officers seized the suspect’s computer equipment. Adam Shiftman, 20, of Toronto is charged with nine counts of fraudulent use of a computer and 11 counts of mischief to data, which carry a maximum sentence of 10 years. He is to appear in court in Toronto on May 30. Shiftman’s lawyer, Joseph Bloomenfeld, declined to discuss the case, but he would say that “most of the people running afoul of these sections [of the Criminal Code] are computer enthusiasts who don’t have a big element of criminality in their personalities.” He added: “They are curious people with excellent minds—and using them.”

What is the motivation for hackers? The answers are probably as numerous as the ways to crack into a computer network. Some hackers contend that their pursuit is both harmless and educational—they break security barriers, they say, only to learn more about computers. Wiseman will have none of that. “I ask them to demonstrate to me how I can tell them apart from the ones who are malicious,” he says. Others—exponents of the cyberpunk movement, which sees the electronic frontier as a battlefield between the forces of liberty and the forces of repression—contend that hacking is an exercise in freedom of speech. One popular tagline on articles in the hacker Usenet groups is “No more secrets”—a line from the 1992 film Sneakers, about techno-security specialists fighting an evil consortium.

Pop culture, too, has glamorized cyberspace and its putative information intrigues. Sandra Bullock, star of Speed and While You Were Sleeping, is set to headline a new movie, The Net, as a computer expert embroiled in a web of cyberspace intrigue and stolen secrets. Suddenly, computers have become sexy. And greed plays a part: in a recent survey of hackers in New York, nearly all respondents said that they had been approached by corporations who asked that they conduct industrial espionage.

But for the bulk of hackers, their pursuit has more to do with the one-upmanship and the braggadocio ethic of the computer community. Cyberspace, for one thing, is overwhelmingly male: fully 90 per cent of World Wide Web users, studies show, are men. In that testosterone-charged realm, hackers contend for bragging rights. “And those are better than the other set of crackers, who get in to change things,” says computer whiz Goldberg. “The motivation for that is basically vandalism.”

Maybe some hackers even want to get caught. Recently, in Salt Lake City, Utah, state officials arrested a 15-year-old boy who they suspect had been operating a complex Internet fraud that garnered him more than $10,000. Charged with computer and credit-card fraud, as well as theft, the youth, who was not identified because of his age, fully co-operated with the police. Recalled investigator Jeff Robinson: “He said, ‘Here, take my computer. Every time I get on it, I get into trouble.’ ”