Dispatches from the hacker wars

By Ellen Messmer
Network World, 11/16/98

Most IS professionals don't want to talk about the times they've been hacked. Some fear it gives their competitors, or other hackers, insight into their network. Others don't want to give hackers the attention they so desperately seek. And some are simply embarrassed.

After dozens of requests, we found five people willing to tell us what it is like when the hackers start sneaking in.

No longer a game

As a teenage hacker, Manny Berrios loved to break into organizations' networks out of a passion for adventure. But now, in his mid-20s and vice president of IT at a growing Web-based game service called ActionWorld, hackers have become his round-the-clock headache.

Network security logs tell Berrios that hackers are constantly probing for holes in ActionWorld's Web servers, which are based on Microsoft's Internet Information Server 4.0. They also enjoy shooting down his server farm, housed in New York, with denial-of-service attacks in the middle of the night; these immediately set off Berrios' beeper. Ironically, these hackers are often ActionWorld's own online game customers - all part of the youthful crowd that lives and plays on the 'Net. And if they discover your network's vulnerabilities, they'll trash everything they can.

"I spend 50% of my time baby-sitting these machines," laments Berrios. As a former hacker, Berrios still has a few hacker friends.

"They're doing it for the sheer thrill of exploring," he notes. "Now that I'm on this side of the fence, it makes me edgy. I know the reality of it. Nothing is 100% secure. Everything is simply an obstacle, and their exploits are changing so rapidly that you have to keep putting up new obstacles."

If a hacker manages to get past one obstacle, say by breaching ActionWorld's public Web server, he's usually stopped in what's popularly called the "demilitarized zone" between firewalls. When that happens, Berrios will try to track down the would-be intruder with the help of an ISP.

"One time it was a 13-year-old kid, and we called him and talked to him just to scare him a little," Berrios says.

Far more nerve-racking are encounters with hard-core hackers out for criminal gain. A similar situation happened a year ago when someone broke in through ActionWorld's Microsoft Remote Access Server - apparently because the preconfigured "guest account" setting shipped with the server hadn't been disabled by ActionWorld's staff.

This criminally minded hacker exploited the vulnerability to gain access to ActionWorld's resources, and from there, he staged attacks on other organizations, accessed pornography sites and dealt in stolen credit cards.

This little crime wave got the New York City Police Department and the Federal Bureau of Investigation involved - and these agencies initially seized on ActionWorld as the suspect. After some explaining, the online gaming firm spent a month working with law enforcement officials to collect data on the hacker's activities so they could nab him. But in the end, the hacker eluded them. "This was a sophisticated break-in," Berrios says. "This person was very good at it."

Berrios says he knows from direct experience that hard-core criminals are on the rise in the hacker community, which traditionally has preferred to view itself as a bunch of adventurous free spirits out to have fun.

In fact, hackers are now getting paid to try to steal proprietary corporate data or military secrets, some claim. "Most hackers are kids, but there are professional hackers, the experienced ones. They're going where the money is," Berrios says.

Universities exposed

No organization, not even a school as technically savvy as the Massachusetts Institute of Technology, is immune from the hacker menace. "We're working with the FBI right now to try to catch a hacker," says Jeff Schiller, network manager at MIT, where a troublemaker has been looking at password-protected student files stored on servers at the university.

Stopping hackers is particularly hard in a university setting such as MIT, where students balk at anything that restricts user access to the Internet.

"It's impossible to establish a security policy," concedes Schiller, who says MIT doesn't use a firewall for student access to the dormitory LANs because the school's technical culture rejects these types of controls.

Schiller berates hackers as "idiots" who bring down servers as they stumble around from machine to machine.

MIT is hardly the first university to have to cope with hackers. Universities have long been exploited as hacker proving grounds. Stanford University earlier this month disclosed that stolen passwords "sniffed" by hackers - apparently based in Sweden and Canada - gave the intruders access to 4,500 e-mail accounts.

Hitting close to home

Sometimes hackers are more than just idiots; they're terrorists. That's according to Seminole, Fla., security consultant Winn Schwartau, who says hackers are now e-mailing death threats to him, his family, his staff and even his neighbors. "Extortion, murder and kidnapping threats," is how Schwartau describes the message content.

Why? Perhaps because Schwartau has been vocal against hacker exploits, speaking out at conferences, such as DefCon, where hackers anonymously intermingle with law enforcement officials.

During the past month, Schwartau has also started hosting a Microsoft-sponsored Internet radio program, airing daily at noon, on which he interviews hackers on www. thecyberstation.com.

Hackers, Schwartau says, have now managed to shut down his phone and electricity by fooling the utilities and have also pulled stunts such as ordering hundreds of WebTV boxes to be sent to his house, purchased with other people's credit cards.

But according to Schwartau, the FBI isn't paying attention to his plight.

"That's because the FBI agents are convinced that I'm a hacker," Schwartau says, perhaps because he has been hobnobbing with hackers lately.

Global reach

Other stories suggest the strange lengths to which corporations will go to to shut out hackers.

"I've had hackers bold enough to e-mail us while they were hacking the system, telling us there was nothing we could do to keep them out," recounts Hewlett-Packard information security consultant Don Pipkin, author of Halting the Hacker, published by Prentice Hall.

Pipkin tells of an incident in which a hacker broke into the intranet of a major telecommunications company, which he declined to name, through the company's public Web server. HP's security division, called in to stop the intruder, closed up some of the security holes in the server and managed to trace the attacker to Pakistan.

Because nabbing this hacker seemed somewhat futile, HP asked the telecom firm how important it was to let the nation of Pakistan view its public Web server. With the answer being "not very," the telecom firm quietly cut off that entire country's access to its Web server.

Beyond the 'Net

The Internet, though, isn't the only medium that hackers can use to grab control of your network resources. Ed Simonson, president of TeleDesign Management, a Burlingame, Calif., consultancy that conducts security audits, has witnessed some dazzling hacker exploits over the years.

Hackers are known to call corporate switchboards and demand to be transferred to "918," which gets them outside access to a long-distance line. "They'll also dial in to your voice mail and try to dial another extension," Simonson says.

Hackers also like to dial in to the maintenance ports of Rolm, Nortel Networks and Lucent PBXs that are used by service repairman. So it's important to ensure that a company using PBXs has installed third-party security software for the maintenance port. Such software is available from Microframe, Leemah and other vendors, Simonson says.

"I have been in a PBX and seen two different hacks - two thefts - going on at the same time. Neither knew the other was there," Simonson recounts. "Hackers may never make more than two calls per day on your system, so you have to have a policy in place to review phone logs," he says.

If a hacker strikes, who has to pay the price? "The law says whoever controls the access, pays the bill," Simonson says. "For the most part, with a Centrex line, you're not responsible for paying the bill."