WE ARE HACKERS
NOT ALL FUN & GAMES
The underbelly of cyberspace
By ROBERT TRIGAUX, Times Staff Writer
omputer security expert Ray Weadock admits even he can't stop every hacker. They once seized his personal Internet account and sent obscene e-mail in his name to the White House. Another hacker trashed computer files at the Tampa school attended by Weadock's son, doing $120,000 in damage.
Cyberspace is like the new frontier, says Weadock, who heads the Tampa network security company Fortress Technologies. "There are few sheriffs out there."
With the global boom in the Internet and ever-cheaper personal computers, hacking is spreading like online kudzu. Hacking is getting more sophisticated and, in many cases, a lot nastier. And it is chipping away at the ability of the government, the military, and the business community to protect proprietary information and preserve individual privacy. Here are but a few of hundreds of recent examples:
Even the veracity of children's report cards is now suspect. One worried top administrator of a California school district told Tampa's Weadock that he could not be sure his students had the right grades. "That concern could be replicated through every school district in the United States," Weadock said.
Once an odd domain shared by computer scientists, amateur technology buffs and antisocial teenagers, the hacker world is going mainstream. Hackers can attend their own established annual conventions like New York's Beyond HOPE (Hackers On Planet Earth) or Las Vegas' DefCon to help them stay up on hacker culture and learn new hacking techniques. Next month's DefCon6 convention in Las Vegas, for example, is hosted by Seattle hacker Jeff Moss (aka "Dark Tangent"), sponsored by the likes of Jolt Cola and will draw more than 1,500 attendees.
Many hackers are benign -- just intensely curious how software or computer networks work. Some hackers seem threatening but are little more than pranksters spreading online graffiti on Web sites. But a growing number are hacking for personal profit, political cause or simply to inflict damage. Many hackers, trying to distance themselves, call these online abusers "crackers."
In Florida, hacking boasts a long and vivid history. In 1989, an Indiana hacker known as "Fry Guy" (so named for hacking a McDonald's computer) altered phone switches so that calls to a Florida county probation department rang instead at a New York phone-sex line answered by "Tina." A Web site featuring information about Florida's Supreme Court was hacked and adorned with pornographic pictures in late 1996. And in Citrus County last year, hackers calling themselves the Wrathlords operated a Web site that, as an ill-conceived prank, accused a local teacher of having a homosexual affair.
If all this sounds more like some surreal story line from The X-Files, consider this: The Department of Defense in 1995 experienced as many as 250,000 hacker attacks, says the General Accounting Office, the investigative arm of Congress. That's an average of 685 attacks a day, more than 28 attacks an hour around the clock.
The report estimates six out of 10 of the attacks successfully pewwwted at least some portion of the Defense Department's computer networks. Many attacks were never even detected by the military.
"If we aren't vigilant, cybercrime will turn the Internet into the Wild West of the 21st century," said U.S. Attorney General Janet Reno.
Attacks on the increase
So far, individuals using their home PCs are rarely the target of hackers. But that is not the case with businesses and their employees. A study released this spring by the Computer Security Institute and the FBI's International Crime Squad found that nearly two-thirds of more than 500 organizations reported a computer security breach within the past 12 months, up from 48 percent a year ago and 22 percent the year before that.
Many hacker attacks go unreported because companies want to avoid negative publicity. Other companies stung by hackers feel compelled to tell what happened. In January, Boeing Co. advised its workers that the code used to assign temporary PINs -- personal identification numbers -- for their 401(k) savings accounts had been cracked, possibly by a company employee.
On a broader scale, the federal government is starting to take the threat of online mayhem to heart. "Cyberterrorism," "information warfare" and "economic espionage" -- terms that did not exist until recently -- are cropping up often in national security debates.
Last year, the White House created the President's Commission on Critical Infrastructure Protection. Its job is to improve the nation's defenses against online assault. It is "only a matter of time" before critical U.S. computer systems that control the nation's power grid or air traffic control networks face major attack, says commission leader and retired four-star Air Force general Robert Marsh.
The latest GAO report on lax government security criticizes the State Department and the Federal Aviation Administration. At the State Department, the GAO was able to pewwwte non-classified computer systems and gain access to sensitive information. And the FAA, the GAO said, "is ineffective in all critical areas included in our computer security review."
In February, Reno unveiled the National Infrastructure Protection Center, or NIPC. Reno said the center's mission is to protect the nation's telecommunications, technology and transportation systems. Part of that effort includes managing FBI investigations into hackers.
Some Internet watchers, like Tampa Bay security consultant Winn Schwartau, say the feds seem bent on another hacker crackdown, not unlike one in the late 1980s. But individual hackers are not the real threat, Schwartau suggests. Foreign governments and organized terrorist groups are.
"The threat is from transnational gangs," he said. "How much damage could be done to the United States online with the backing of $100-million? A lot. And that's just chump change in the international markets."
The good and the bad
As millions of people opt to try the Internet and go online each year, new recruits join the hacker ranks every day.
That's not necessarily bad. Many are drawn to the traditional hacker culture: Anti-establishment, yes, but mostly harmless. One that embraces a passionate curiosity about computers and communications. A fervent belief that information should be free, uncensored -- and shared. A strong opposition to Big Brother.
Some hacker groups like L0pht, run by "Mudge" and other hackers like "SpaceRogue," "Brian Oblivion" and "Weld Pond," often find many of the "bugs" or holes in new software programs like Microsoft's xxxx
Windows NT program or Netscape's Internet browser. The group then publicizes the program's defects on the Internet. That's often how many programs get fixed.
But many in the new hacker generation, when exploring a computer network, apparently ignore or never learned the hacker ethic: Look but don't touch.
Consider Julio Cesar Ardita, a 23-year-old Argentine known to authorities as "Griton" (Spanish for "Screamer"), who returned voluntarily to the United States this spring, more than two years after he was first accused of hacking into university and military computer networks in the United States. Sentenced in May under a plea agreement to three years' probation and a $5,000 fine, Ardita still faces charges in his homeland.
Another big catch involved the federal sting of Carlos Felipe Salgado Jr. Known online as "Smak," Salgado was caught last year after stealing 10,000 credit card numbers off the files of an Internet service provider in California. Salgado tried to sell them for $260,000 to an undercover FBI agent.
A favorite target of hackers is America Online because its 12-million customers make a highly visible target. Fed up with a widely available program called AOL4FREE that gave users free access to the online service, AOL urged federal prosecutors to nail its creator.
The feds did. Yale University student Nicholas Ryan, known online as "Happy Hardcore," was convicted of computer fraud and sentenced last year to two years' probation, six months' home confinement and a $50 fine (after paying $62,000 in restitution). It was the first federal felony conviction of a hacker involving a private Internet online service.
AOL security chief Tatiana Gau hopes the Ryan case sent a strong message that her Internet company will not put up with hackers.
Easier said than done. Hacker groups with political agendas and an often juvenile style of protest are on the rise. In 1994, for example, when the Internet Liberation Front broke into computer networks at GE, NBC and other companies, the group denounced the companies for turning the Internet into a "cesspool of greed."
Such protesters often hack prominent government or military Web sites and leave behind online graffiti. At the U.S. Justice Department Web site, for example, anti-censorship messages were left and a photo of Attorney General Reno was swapped with that of Adolf Hitler.
Hackers also altered the Central Intelligence Agency site to read "Central Stupidity Agency." College basketball's NCAA site (during 1997's finals) was doctored to display a "white power" symbol. And Valujet (now called AirTran), the airline whose passenger jet crashed in the Everglades in 1996, had its Web site altered last year by hackers who inserted an image of a burning plane and the line "Fly us because crashing is fun."
In most cases, hacked sites are quickly discovered, shut down and fixed, but not before the protest messages become part of Internet lore.
Some hackers try their hand at online extortion. Hackers in early 1997 sent forged messages by e-mail to Capitol Hill threatening to delete every file on computers in the U.S. Senate and House of Representatives. The Times of London reported that several multinational banks, anxious to maintain public confidence, paid hush money to hackers to keep quiet their successful intrusions into the bank's networks. The banking industry denied any payoffs.
Germany's long-established Chaos Computer Club, best known for hacking into U.S. military sites and selling stolen U.S. software to industrial spies, recently went on television to show how to transfer funds from individual bank accounts without using passwords or PIN numbers.
Even newspapers come under electronic siege. A hacker known as "u4ea" -- upset by Boston Herald coverage that suggested he had harassed an Internet service provider -- threatened "electronic terrorism" two years ago against the newspaper and other computer networks around Boston. At the New York Times site on AOL, hackers last year inserted references to "kiddie porn" and "gay nuns" into photo captions.
For hacker wannabes, role models are plentiful. Some big-name hackers from the past include John Draper, who discovered that the tone of a whistle given away in a box of cereal could, when blown into a pay phone, trigger the country's phone system to allow free calls. That discovery earned Draper an international following and, in a salute to the cereal brand, his still famous hacker handle: "Captain Crunch."
Even Steve Jobs and Steve Wozniak, founders of Apple Computer, started out as hackers. And rival hacker gangs known as the Masters of Deception and the Legion of Doom dominated the mid-1980s with their successful invasions of the country's telephone networks.
In recent years, Kevin Mitnick has emerged as the most hyped name in hackerdom. Mitnick's hacking exploits of the late 1980s and early '90s inspired a media frenzy and multiple books. His current jail term has made him the poster boy of hacker protests against Big Brother. "Free Kevin" protest messages still litter hacked Web sites and the hotel hallways of hacker conventions.
If such prominent hackers are not inspiring, dozens of others are making a name for themselves. How to hack isn't a well-hidden secret. Hacking guides, tips, tools and manifestoes can be found online at an estimated 2,000 Web sites and 440 bulletin boards.
And if real hackers don't inspire the up-and-comers, pop culture will.
Hackers as nerdy geniuses battling Big Brother is a popular movie theme. The 1983 movie War Games featured actor Matthew Broderick hacking innocently into the U.S. military NORAD network to play Global Thermonuclear War (for real). The movie fired the imagination of teenagers to the thrill of computer literacy. In 1986, Broderick surfaced again in Ferris Bueller's Day Off, this time using his home PC to change student grades at school.
In the 1992 movie Sneakers, hackers led by actor Robert Redford broke into a highly secure corporation. Tapping an especially sensitive topic, hackers in 1995's The Net stole the identity of Sandra Bullock's character by altering her personal computer records. Now computer hacking is a common subplot in dozens of popular flicks, from Jurassic Park to Mission: Impossible.
Hacking became so hip that the 1995 movie Hackers tried to capture the culture of the underground computer scene. The movie's weak plot so incensed real hackers that they seized the movie's promotional Web site, defaced the online photos of the film's characters and left behind a scathing review: "no plot or creative thought."
Hollywood's MGM/UA studio, ever vigilant to any kind of free publicity, kept the hacked Web site available, graffiti intact, for online viewers.
A law enforcement backlash
The hyper-growth of malevolent hacking is not going unchecked. In addition to Attorney General Reno's recent edicts, the FBI and the Secret Service are building a national network of computer-literate agents that can help monitor, track and pursue online hackers.
Even the Florida Department of Law Enforcement has trained several of its agents to specialize in computer-related crimes. Still, in contrast to the explosive growth of the Internet, the number of law enforcement officers with such training remains small.
The antics of Cornell University graduate student Robert Tappan Morris Jr. helped spur the creation of an Internet computer SWAT team. In an experiment gone haywire, Morris in 1988 let loose a computer virus known as a "worm" that replicated itself across the Internet and crashed a tenth of the network. Morris, the son of a National Security Agency computer expert, was later convicted and fined $10,000.
In the aftermath, the Computer Emergency Response Team, or CERT, was formed at Carnegie Mellon University in Pittsburgh to investigate attacks on computer networks and, when possible, offer remedies.
CERT is very busy these days. As many as 200 new viruses with such onerous names as Antichrist, Bad Taste, Damage and HIV are identified each month.
Any high-profile body, it seems, is fair game to hackers. Just ask the police in New York City.
On April 15, 1996, callers to the NYPD heard this message: "You have reached the New York City Police Department. For any real emergencies, dial 119. Anyone else -- we're a little busy right now eating some doughnuts and having coffee."
Or ask Time magazine writer Joshua Quittner, who co-wrote Masters of Deception, a 1995 book about the New York-based hacker gang. After the book was published, Quittner's e-mail service was trashed by hackers. His phone was re-routed several times, first to an out-of-state answering machine, then to a phone-sex number and once to 1-800-EAT-S---.
It took half a dozen unlisted numbers and a year of phone taps by the phone company's security folks to stop the problem.
The experience influenced Quittner's writing plans, as he explained in a Time article. "Write another hacker book? I'd rather take on the Scientologists."
©Copyright 2000 St. Petersburg Times. All rights reserved.