“Hackers”: Know the adversary


Computers & Security, 10 (1991) 405-409

“Hackers”: Know the Adversary

Belden Menkus

P.O. Box 129, Hillsboro, TN 37342, U.S.A.

1. Introduction

Confusion appears to continue among many of those concerned about computer security about who hackers are, what they do and why they are doing it. Inaccurate accounts of some hacker activities in both the general and data processing trade press confuse many people about what these activities really involve. Elements of academia and the civil liberties movement add to this confusion when they perceive and portray some segments of the hacker community as a persecuted minority needing protection from State oppression¹.

It may prove helpful to clarify some of the terms, concepts, and motives involved in the hacker phenomenon. This discussion focuses on outsiders - individuals who are not employees of the organization. Penetration and compromise of an information system presents a greater challenge to outsiders than, in most instances, it offers to employees. The undertaking of such activities by employees in some instances may be harder to detect than intrusions into an organization’s data processing environment by outsiders, but, generally, inappropriate employee computer activities should be easier to detect and control than those of outsiders.

© 1991, Belden Menkus.

2. Making Distinctions

The use of the term hacker in the manner described here is older than data processing. The term hacker has been used since early in the computing era to identify someone who hacks at an obstacle - or a difficult problem - until it is cut through or resolved in some acceptable fashion. In this context, the hacker typically has been someone who is bright, inventive, a committed puzzle solver and intensely dedicated to the successful completion of whatever task might be undertaken. Such a person tends to be extremely committed to achieving some particular goal. This person’s activities normally have involved nothing more than a form of problem resolution. They have been value neutral. Rarely have a data processing hacker’s undertakings encompassed doing anything that essentially was dishonest. However, in recent years this situation has changed dramatically.

0167-4048/91/$3.50 © 1991, Elsevier Science Publishers Ltd.

The term hacker now includes individuals principally engaged in unauthorized - and often illegal - intrusions into information systems. (Too often these intrusions have resulted in some form of system manipulation or damage.) The use of the term to describe these intruders generally has distressed the conventional data processing hackers. Some suggest crackers as a more appropriate term for the new breed hackers since they crack open systems to which they do not possess legitimate access rights. However, a better term might be compulsive microcomputer junkies.


Microcomputer junkies initially appeared when the devices were introduced on a large scale outside of the hobbyist and academic environments. Encountering computing for the first time, some people became so absorbed in learning how to master this new information handling tool that - for a while at least - they failed to do any other legitimate work. The typical microcomputer junkie did not [...] true in most instances. However, problems with integrity and honesty commonly surface when this sort of behavior becomes obsessive or compulsive. Some people came to believe in a right to access all information and telecommunication resources, wherever they may be, and to use them without any consideration of the rights of the legitimate owners of these assets. Often a somewhat infantile quality pervades the activities of compulsive microcomputer junkies. They want what they want when they want it². They also believe that they are justified in using any available means to gain access to what they want.

The compulsive microcomputer junkies - who will be referred to as hackers for simplicity during the rest of this discussion - are linear descendants of the so-called phone freaks of the 1960s. These people claimed to possess an unrestricted right to telecommunications use. They maintained that by their unauthorized use of telecommunication common carrier services they were involved in a liberation movement of fighting State-sanctioned Capitalist Oppression³. This movement has been transformed by the ability to connect microcomputers to telecommunication carrier facilities. General news media coverage of the activities of these people has been consistent over the past 25 years. It has glossed over their distorted morality, and has misrepresented them as naive, heroic and young. This characterization never has been completely true. For instance, many of the older generation of hackers appear to have moved beyond vandalizing telecommunication and computing activities. These people have entered seriously into such things as active computer virus planting and exploiting the rapidly expanding field of so-called business or commercial intelligence.

3. Hacker Objectives

The hacker population is remarkably diverse. Exceptions can be found to any attempt to generalize about the motives of those who compose this group. (Some hackers, for instance, tend to personalize their dealings with the information systems that they compromise, referring to specific ones in terms that one might use in discussing a contact with an introverted human friend. Some use the type of transcendental terms in describing their activities that might be applied to undergoing a religious experience.) However, the typical hacker tends to be, as suggested earlier, extremely intelligent, ingenious, curious, analytical and able to focus intensively for an extended period on the resolution of some problem or the achievement of some difficult task or goal. It must be assumed that there is no activity so outrageous, of sufficient questionable legality, of particular complexity or difficulty, that a self-identified hacker will be reluctant to attempt to undertake it. (A surprising number of complex, ingenious and seemingly robust computer security measures have been compromised simply because the individual who developed that mechanism assumed, it was admitted later, that no one would devote the time, energy or resources required to defeat it by either a direct assault or some form of “reverse engineering”.)

For most hackers, the main objective appears to be to satisfy seemingly innocuous and almost limitless curiosity about the way in which computing and data communication is done. The hacker may begin by learning to observe the way in which a number of diverse and possibly complex information systems are organized and function. At times, however, this interest may be compounded by a desire to find new or unusual games to learn and play. It may be motivated as well by an obsession with achieving - say, by intruding into and learning about as many systems as possible or by mastering some very large number of games. All of this tends to involve the hacker in deviant, unethical and essentially illegal behavior. Some data processing academics, regulators, legislators and members of the judiciary see this activity as innocuous - even though they admit it may distress and irritate its targets. They believe that it does not merit the attention of an already overburdened criminal justice system. In some cases, those who hold this position even would deny the hacker’s target any sort of civil relief. In almost every instance these hacker advocates have convinced themselves that these efforts to satisfy one’s curiosity will never involve someone in anything with more dangerous social or economic consequences.

Computers and Security, Vol. 10, No. 5

Unfortunately, the problem is that the efforts of some hackers to exercise their curiosity eventually may lead them to vandalize an information system - either as a result of boredom, some form of personal frustrations or a lack of sufficient knowledge of the complex nature of either the system’s structure or the environment in which it functions. In some instances, further expansion of the way in which this curiosity is exercised may trigger the theft of information - involving either software or data, or funds, or even goods or physical assets. It even may put people at risk - say, by interdicting the operation of firefighting and other emergency response services.

4. The Hacker’s Methods

Almost all hackers use some combination of what they term commonly social engineering⁴, data sharing - mainly the so-called electronic bulletin boards - and brute force password extraction or decrypting of compromised systems or messages. Social engineering involves persuading or tricking someone into volunteering to the hacker such things as access codes and passwords. The practice of sharing data on such things as unlisted telephone numbers and access techniques for compromising specific systems demonstrates an apparent feeling of fraternity among those who are active as hackers. The willingness to use what only can be termed brute force to extract passwords and message content reflects the tenacity and dedication to accomplishing a task or solving a problem mentioned earlier. It is not uncommon for a hacker engaged in such a task to devote many consecutive days around-the-clock to its completion - stopping periodically only to take a relatively brief nap.

5. Response Problems

This tenacity, it appears, must be matched by those who are attempting to deal successfully with the possibility of hacker attack. To some degree all organizations that are involved in any type of significant data processing are vulnerable to a possible hacker attack. Yet, it should be recognized that the likelihood that any particular computing activity will become the object of hacker attention is relatively low. What is needed, it appears, is a mixture of consistent vigilance and realism on the part of those who must deal with the effects of such attention when it occurs.

Maintaining this posture successfully means finding a strategy for resolving these five problems:

(1) The partial success of efforts by academic computer technologists to convert the hacker from a social outcast into a social hero⁶. Continued spread of the acceptance of this idea will make it progressively difficult to counter the activities of hackers.

(2) The lack of timely notice of successful hacker activities. Hacker data sharing needs to be matched by data sharing among those who are attacked. Yet, very few organizations that have experienced problems with hacker intrusions have been willing to share the details of what has taken place with others in the computing field. Central hacker experience databases - comparable to those maintained on both computer virus planting and fraud experience - urgently need to be created.

(3) The difficulty associated with tracing questionable telecommunication activity and gathering relevant evidence. Unfortunately, in most jurisdictions, unrealistic concepts of personal privacy protection make it virtually impossible for most organizations outside of direct law enforcement or military intelligence operations to receive expeditious legal permission to monitor or trace to their source questionable activities on their telecommunication networks. (This frustration is created by the exercise of a form of circular logic on the part of the regulators and legislators concerned with this problem. It is necessary, in this instance, for the entity being attacked to demonstrate reasonably credible evidence that an unlawful act has taken place before it will be permitted to monitor or trace the relevant call activity. However, usually, the only way to gather the required evidence is to engage in the sort of surveillance for which permission is being sought to do.)

(4) Limited investigative and prosecutorial interest in acting against alleged hackers. In most jurisdictions the resources of both the law enforcement and criminal justice systems increasingly severely are limited. In most instances, the available resources are being applied to what are considered to be more significant matters - which may range from, say, civil disturbances to robberies and assaults. Also, leaders in both law enforcement and criminal justice agencies increasingly are insisting that their subordinates concentrate on those cases which will look good in the various news media. As a result of all of this, cases involving the intangible aspects of computing tend to receive a low priority in both law enforcement and criminal justice agencies - or to be ignored by them altogether! Thus, in most instances, an organization is forced to protect its own data processing activities, without any allowance for receiving significant support for its efforts from any of these agencies - or from the relevant regulatory bodies.

(5) Failure by senior management, computing executives and data processing users to accept as what might be considered a part of the cost of doing business, the unavoidable operational overhead that is implicit in systematic verification and restriction of access to specific information resources. Admittedly, it is less disruptive - and far less expensive operationally - to eliminate information security mechanisms. This policy will permit individuals almost unlimited access to computing opportunities within an organization. However, this essentially naive idea reflects only the purported realities of academic computing activities. It is a practice, however, that is difficult to reconcile with management’s obligation to take what commonly are termed prudent measures to protect an organization’s information assets.

6. Problem Resolution

A comprehensive strategy for resolving the problems associated with hacker activities should be based on a recognition of two things:

• No one possesses an inherent right to have access to an organization’s information assets. It is a privilege that is granted only to aid in the carrying out of some task that is of inherent value to that organization.

• An organization’s right to own and use information in a legitimate fashion should be protected and encouraged. Admittedly, the owner or operator of a system is responsible for making a reasonable and prudent effort to protect its assets. However, some reasonable compromise between the exercise of this right and the often well-meaning but sometimes unrealistic concerns of the protectors of so-called personal privacy needs to be found by every organization that is engaged in some form of computing.

Implementing an effective counter hacker strategy that rests on these two principles should involve, at least, an organizational commitment to these three tactics.

(1) Initiation of active lobbying by the targets of hacker activity to counter the propaganda of their partisans and to assure that both the public in general and those in Government in particular understand the real nature of hacking. In most countries in which they are active, hacker violation of both legal norms and organizational rights has not received concentrated attention from either legislators or Government bureaucrats. Unfortunately those issues which do not demand their attention in the most strident and aggressive fashion possible are not acted upon in anything approaching a timely manner by either legislators or Government bureaucrats.

(2) Improved personnel attribute identification verification on access. Significant technological progress in this area already has been made. It simply needs to be refined and to be made more cost effective for use in distributed computing environments. Accomplishing this in most organizations will require a combination of a disposition to invest in a share of underwriting relevant technological research, a willingness to be innovative in structuring computing systems, and a readiness to counter opposition among human resources specialists and some computing technologists to management’s effort to recover control of information asset use from the organization’s employees.

(3) Tracing system use activity on a real-time basis. Again, significant technological progress has been made in this area - especially in the application of various forms of advanced technology to information system performance modeling and monitoring. Here, too, a willingness to invest in research, a readiness to be innovative and a determination to recover control of information asset use will be called for.

There is no reason for an organization to assume that it must resign itself to hacker attacks upon its computing activities. Rather, an organizational commitment to fight back coupled with understanding of these adversaries and their methods can diminish the effect of their efforts.

Notes

¹ The only places where hackers or computer virus planters might be considered legitimately to be such a minority would appear to be in countries which are perceived as having repressive governments, say, in some parts of Middle Europe. See Bulgarians Linked To Computer Virus: Young Hackers Said to Infect Programs In The U.S. and Several Other Nations by Chuck Sudetic. The New York Times, December 21, 1990.

² I Want What I Want When I Want It is the title of a song in Victor Herbert’s 1904 operetta Mademoiselle Modiste. The title and lyric were by Henry Blossom.

³ Phone freak activities initially were centered in the Northeastern U.S., but eventually they spread throughout the developed world. The State-sanctioned allusion reflects State regulation or ownership of telecommunication carriers in all of the countries affected by this movement.

⁴ Hackers generally are aware that their public activities - and routine communications among them - may be monitored by both law enforcement agency representatives and security officials of some of the organizations whose information resources are their potential targets. Thus, hackers tend to go to extreme lengths to avoid suggesting either that they knowingly are engaged in any illegal undertakings or are advising anyone else to do so. Hackers should be judged, in most instances, by what they actually are doing; not by what they say in public that they are doing.

⁵ As an example of what can occur in this regard, two Staten Island, New York, teenagers repeatedly vandalized a voice mail system in the Peterborough NH offices of International Data Group (IDG) between May and September 1990. An IDG representative estimated that this activity cost it $2.4 million in lost revenue. One of the teenagers already reportedly unhappy over his parents’ divorce became incensed because he believed, erroneously, that he had been cheated out of a premium that he expected to receive for subscribing to IDG’s Game Pro publication. EDPACS, March 1991.

⁶ Representative of these efforts are the activities of Richard Stallman, a long time member of the staff of the Massachusetts Institute of Technology Artificial Intelligence Laboratory. (See Stallman’s letters to the editor of The Communications of the ACM [Association for Computing Machinery] in its January, March and July 1984 issues.) Judging from Stallman’s published statements, he opposes any sort of absolute property rights in computing. Stallman apparently considers attempts to protect information resources against intrusion to be, to use his term, totalitarian. (Stallman is, incidentally, the developer of the Unix electronic mail program that Robert Tappan Morris, Jr., used in November 1988 to propagate the so-called Internet worm.) Stallman appears by derivation to consider a hacker to be engaged in an essentially innocent activity that involves what might be termed skill-building and fighting against corporate totalitarianism.
