Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.washingtonpost.com/wp-srv/WPcap/1999-03/10/024r-031099-idx.html
New Computer Technology Makes Hacking a Snap
By Michael E. Ruane
Washington Post Staff Writer
Wednesday, March 10, 1999; Page A01
Used to be you had to have some know-how to crash a kernel. It would take
all night to snoop a connection, smash a stack or crack a password. You
could work forever trying to get to root.
Not any more.
Nowadays, any fresh-faced newbie can download a kiddie script, fire off a
vulnerability scan and, in no time, come up with a nice, juicy target
list.
It's enough to make veteran hackers -- the handful of computer wizards who
speak a colorful language that once was all their own -- break down and
cry.
But it's true. Along with the breathtaking advances in computer technology
has come a vast proliferation of easy, ready-to-use computer hacking
programs, freely available on the Internet, and a boon to greenhorn
hackers.
"This is your nephew or your cousin," says Peter Tippett, president of the
Reston-based International Computer Security Association. "It's a kid who
says, 'This seems kind of cool. Let me just take this tool and aim it at
Ford Motor Company.' "
They use programs -- called "exploits," "tools" or "attacks" -- with names
like "Smurf," "Teardrop" and "John the Ripper."
Some are so-called "denial of service" programs, which sneak or barge in
and overwhelm a targeted system, shutting it down. Others are
"vulnerability scanners," which search the Net for specific weaknesses to
be exploited later. Still others are "penetration" attacks that break in
and take control.
Some attacks use a "Trojan Horse" -- benign-looking bait with an exploit
concealed inside. Others "spoof," using a bogus ID. Still others lie in
wait and spring when an unsuspecting victim pauses to visit.
A few are simply sent out to "sniff the traffic" on the Internet.
There are hundreds of them. So many that some have been given the name
kiddie scripts, because of their simplicity of use. Those who launch them
are called, of course, script kiddies. And experts say they may account
for 95 percent of all external computer hacking attacks.
Hacking always seems to have been the purview of the young. Just last
year, five teenagers hacked into Defense Department computers, and last
month, a 15-year-old from Vienna was accused of hacking into Clemson
University's system and of trying to break into NASA's.
Experts believe there are now tens of thousands of hacking-related Web
sites, and hundreds that approach the subject seriously. The Pentagon,
traditionally the most assailed hacking target on Earth, announced Friday
that it is investigating another potent attack -- one of the 80 to 100 it
undergoes every day.
But in years past, hacking was tedious, demanding work that required
brains and dedication, and, if successful, was an envied notch in the
cyber gun. There was hacker esprit. There was a great "signal-to-noise"
ratio -- intelligent talk vs. baloney. And there was the hacker code:
Look, but don't touch.
No longer.
"It used to be a small circle," says Dr. Mudge, a veteran Boston-area
hacker who operates a Web site with his sidekicks Kingpin, Brian Oblivion,
SpaceRogue and others. "Now it's almost mainstream, and like anything that
goes mainstream you get a lot of good and a lot of bad."
"Now people can hack without having to pay their dues," says Rob Clyde, a
vice president with the Rockville-based computer security firm, Axent
Technologies Inc.
"You no longer have to be an expert," he says. "You just have to have time
and motive. And the motive often times now is vandalism, destruction, just
blow away stuff, destroy it, make it look bad."
Sometimes it's even worse.
The FBI on Friday released an annual survey that it conducts with the San
Francisco-based Computer Security Institute, reporting that criminal
hacking caused $123 million in losses last year, and now posed "a growing
threat to . . . the rule of law in cyberspace."
Mostly, though, many experts say, the new add-water-and-stir hacking is
for amateurs. And most of them are still pretty young.
"We're talking 95 percent of hackers are script kiddies," Tippett says.
"We're talking a million events a month where people run those tools to
see what happens. Maybe one or two percent of hackers are people who know
what the tool actually does."
Peter Mell, a computer scientist at the National Institute of Standards
and Technology, in Gaithersburg, says, "Ten years ago if you wanted to
break into somebody's system, you would stay up all night long."
"You would manually go to their computer, try a few things, if it didn't
work you'd go to another computer, try a few things," he says. "Very
tedious. You'd spend all night doing it."
"Nowadays what somebody does is . . . at 6 o'clock, they download a
vulnerability scanner and an associated attack. They set the vulnerability
scanner running. They go out to a party . . . come home 11 at night. And
their computer has compiled a list for them of 2,000 hosts on the Internet
which are vulnerable to that attack."
"All they have to do is type the name of the computer that is vulnerable
into their attack script, and they have complete control of the enemy," he
says.
The actual damage done by hackers is uncertain and some experts suggested
it is overstated by a computer industry eager to sell its services. Those
experts estimate that 80 percent of hacking comes from within a
corporation rather than through outside attacks.
Hacking lingo seems filled with military references like "attack" and
"target." But hacking also has -- along with its own magazines and an
annual convention -- an idiom all its own.
"Crashing a kernel," for example, refers to breaking down the core of an
operating system. "Smashing a stack" means taking over a vital part of a
computer's memory. "Snooping a connection" means breaking into a
conversation between two other computers. And the ultimate feat, "getting
to root," or more simply, "getting root," means seizing fundamental
control of target system.
Mell, 26, a surgeon's son from St. Louis who said his brother taught him
to program in second grade, has conducted a study of published attacks
that smash, crash, seize and snoop by monitoring what people request at
hacker Web sites.
He has named the array of published attacks the Global Attack Toolkit. And
he has compiled a list of the top 20 recently most popular. He points out
that most attacks can be defended with so called "patches," but a few are
almost indefensible.
One of the most popular -- number 2 on his list -- and one that's tough to
counter is "Smurf."
"It's an attack where you overwhelm an enemy system with a huge number of
(information) packets . . . and their computer simply can't handle all of
the packets," he says. "The computer shuts down. If it's a Web site, the
Web site stops working. If it's the router going into the White House, the
White House traffic stops flowing."
Number one on his list was a Trojan Horse called "Back Orifice."
In a paper he wrote last year, Mell mentioned one hacker Web site that
lists 690 scripts, another that has 383 and another that lists 556.
"Together, the exploit script Web sites form an attack tool kit that is
available to literally everyone in the world," he wrote. "Somewhere on the
Internet, there exists a host vulnerable to almost every attack, and
scanning tools are readily available to find that host."
Mell says the attack scripts are posted on hacker Web sites by other
hackers, by disgruntled systems administrators trying to draw attention,
and eventually patches, to holes in their systems, and by "white hat"
hackers seeking to alert the computer security industry to
vulnerabilities.
And he believes that posting easy scripts may not be all bad.
"When attacks are posted to the Internet, companies respond, and they fix
their software very quickly, and they release patches, and there's news
articles and advisories alerting people that there's this vulnerability,"
he says.
"So by the public posting . . . in a way it makes the world safer, because
everybody knows what's out there and they're prepared," he says. "If the
scripts weren't published, intrusion-detection companies wouldn't know
where to get their data, security companies wouldn't know that their
applications had holes in them."
"At the same time that these attack scripts make it available for anyone
in the world with very little intelligence to download and run attacks, it
also means that security companies are quick on their feet to respond to
them."
But computer security firms are not sitting idly by. They have their own
intrusion detection programs -- some of which are recon missions, if you
will, that "sniff" the traffic to ambush roving attack scripts.
Mell says there is a "Virtual Suicide" Web site where systems operators
can request an attack to test security. Visitors can ask to be "crippled,"
"beheaded" or "vaporized."
Perhaps the most sinister attacks, though, are passive. Apparently small
in number, Mell says in his report, they "require a target to visit the
hacker's Web site" before striking.
Soon, he writes, "the Internet may develop 'bad parts of town.'"
"Watch where you walk!"
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:31:53 1999