It's Hip to Hack

With the growth of the Internet as a major form of communication, millions of people across the world can now exchange ideas and transmit information via computer in a matter of seconds. However, the recent spate of hacker-related incidents at Harvard, and throughout the world, have students and administrators worried about the security of the Internet.

"Hackers like to attack prominent targets like Harvard," Franklin "Frank" M. Steen, director of Harvard Arts and Sciences Computer Services, writes in an e-mail message. "We understand this, and security is a high priority."

Nearly two months ago, a hacker used the computer of an Eliot House resident to gain access to the user names and passwords of other Eliot House residents.

"Network security for those residents in Eliot was immediately re-established after we learned about the compromise," says Rick Osterberg '96, coordinator of residential computing support. "Since we now have the tools in place, we were able to immediately require all of the affected Eliot House residents to re-authenticate to the FAS central systems and change their passwords."

A week later, a Rhode Island man pleaded guilty to hacking into a Dunster House computer in October of 1996. Although the incident was not initially reported to FAS Computer Services, Osterberg says students have nothing to be worried about. "[I am] under the impression that the compromised system was sanitized and does not represent a threat currently," he says. "Any accounts on FAS central systems that may have been compromised as a result of that incident have long since been secured, due to the periodic enforced password changes that now take place."

Steen adds, "We act on every security incident that we discover or are informed of. We then take steps to eliminate the problem and protect other systems at Harvard."

Yet, as these incidents have shown, most hacking threats at Harvard come not from within the University, but rather from the outside world.

Therefore, the University continuously explores ways to increase network security. However, administrators say that implementing every available option is not always feasible because of the high cost of equipment and human labor. Furthermore, administrators say they must be careful to balance security with usability.

"There are some extreme measures that could technically be taken to provide an extremely high level of network security," Osterberg says. "However, those measures would significantly impact the usability of the network."

Harvard students were subjected to heightened security this fall when they tried to access their e-mail accounts. Students had to change their passwords and pass a quiz about proper computer use before they could check their e-mail messages.

"Changing your password is one of the most important things you can do to maintain the security of your own FAS e-mail account," Osterberg says. "Each insecure individual account is a weak link in the chain, which may allow a malicious outside user to gain access to our system. By doing what we can to maintain the security of the individual accounts, we increase the overall security of the system as a whole."

To this end, administrators have been busy educating students about network security. Besides the quiz, a newsgroup called harvard.comp.security has been created so students can discuss computer security issues.

"We're becoming more active in making security bulletining available to the user community through that newsgroup," Osterberg says. "I believe we've seen a large increase in overall awareness of computer security issues, which to me means that our outreach is starting to work. There is more to be done, of course, but we're starting to make progress."

What is Hacking?

So what exactly is hacking? Although this term is widely used, there is no precise definition that is understood by all. Osterberg uses the term hacking simply to mean "breaking in."

A common misconception about hackers is that their sole intent is to defraud other people. However, there are those who hack purely for the challenge and the enjoyment of it. They generally do not have any malicious intent further than pranking the server they break into and perhaps turning some heads.

One prime example is the recent hack of the Harvard Lampoon's Web site by a Columbia University Marching Band member. No real permanent damage was done to the server on which the Lampoon's Web page resides, and the student's main goal was simply to play a joke on the Lampoon.

However, the vast majority of hackers are out there for the taking of private information, as in the cases of the Dunster and Eliot House system break-ins. Some follow a profoundly anti-bureaucratic ethic that was defined by Steven Levy in his 1984 book, Hackers: Heroes of the Computer Revolution. His tenets are as follows: Access to computers should be unlimited and total, all information should be free, authority should be mistrusted and decentralization should be promoted.

It is also important to note that not all malicious computer use is considered hacking. For example, there is a "denial of service attack." "This is an attack where the attacker doesn't actually break into a remote system but does something to render the remote system unusable by flooding it with information in some way," Osterberg says.

How to Hack

The actual hacking of a Web site is, in actuality, not an extremely complicated process. For the hacker, the only obstacle is getting the password for the root user to the server.

By logging in as root, a person gains universal access to do whatever they want to the files on that server. For hackers, this generally entails first changing passwords, so that only they can gain access to the server, and then altering the site, while taking care to delete all the logs that might be used later on to identify them.

There are two commonly used methods of gaining root access to a server. The first is through anonymous FTP access into the Web page's server.

Once connected, all the hacker has to do is take the password file and unencrypt it using a cracker program and a dictionary maker. With these programs in hand, the hacker can simply run them on the password file to get an unencrypted version of the password file.

Basically, what this cracker/dictionary combination does is generate alphabets and then use some version of a "brute force" (where every possible combination for the encryption key is tried) in order to break the encryption code.

Hence, the more heavily encrypted a password file is, the more difficult it will be for a hacker to be able to compromise it.

Another method of hacking Web pages is

through the use of exploits, which are more closely related to what most people think hacking on the Internet is.

Exploits are tiny programs that a hacker runs on a server to expose errors or bugs in a system. While this is a much more complicated way of hacking a Web site than through FTP, it is also much more powerful because it allows a person to hack servers that don't allow anonymous FTP access.

Generally, what a person would do is to set up an account with the target if that is possible and then view any weak spots in the system from the inside out. Each system, however, is bound to be different, so this is where a certain level of skill and experience come into play.

By writing the right programs and running them correctly, the most experienced hackers can usually hack into just about any server. This is a scary notion, because no matter how heavily protected one is against break-ins to the server, one can never be completely sure whether a hacker will run some program on the system that will expose a flaw in security.

Therefore, the people whose job it is to manage Web servers are very protective about the security of their systems. When questioned about the specifics of how Harvard has responded to the recent hacking incidents, Steen is hesitant to provide too much detail.

"We also do not discuss the specifics of the steps taken for security reasons," he says. "Information about our actions could be used to compromise security."

Just Another Teen Trend?

As the number of hacking incidents continues to rise, many people have proposed the view that hacking is just a trend.

"Breaking into systems is something of an adrenaline rush for many people," Osterberg says. "It gives some people a sense of accomplishment, that they've accomplished something that others couldn't."

Hackers are very competitive about trying to break into the most difficult systems. A hacker who is able to break into a very secure and protected system is respected and considered to be a better hacker.

Not only does hacking appear to be a trend, but it is one that seems to be dominated by teenagers and young adults.

Recently, two California teenagers were convicted of hacking into U.S. military computers. Before they were identified, many thought their hacking was the work of terrorists rather than that of 15 and 16-year-olds

Furthermore, an organization of young hackers known as HFG hacked into The New York Times Web site this past September. When loyal readers tried to access the Times site that day, they were shocked to discover that the site had been altered.

The purpose of the hack was to protest the role Times reporter John. Markoff played in the imprisonment of hacker Kevin Mitnick.

Young people have always been known to commit mischievous and malicious acts for fun. Since today's youth have grown up with computers and technology, it is not surprising that they now use this technology to pull pranks and wreak havoc in the Internet, administrators say.

"I think it goes back to the sense of power," Osterberg says. "It fits in quite well with [the] teen and young adult mentality of being invincible and young adult mentality of being invincible and not really considering the consequences of actions. A more mature person may be more likely to be on the victim side of such an attack, and thus, have a better appreciation for why such things can be so damaging."

Osterberg says that as more and more people use the Internet, they must become increasingly aware of the danger that hacking poses.

"Security, confidentiality and authentication of communication, I believe, will continue to become more and more important," he says. "Here at Harvard, we can be sure that the University is doing its best to protect us from further attacks by hackers, even if we can't be privy to all the details. Or as Steen says, "Security is a topic that it is best to keep secure.

through the use of exploits, which are more closely related to what most people think hacking on the Internet is.

Exploits are tiny programs that a hacker runs on a server to expose errors or bugs in a system. While this is a much more complicated way of hacking a Web site than through FTP, it is also much more powerful because it allows a person to hack servers that don't allow anonymous FTP access.

Generally, what a person would do is to set up an account with the target if that is possible and then view any weak spots in the system from the inside out. Each system, however, is bound to be different, so this is where a certain level of skill and experience come into play.

By writing the right programs and running them correctly, the most experienced hackers can usually hack into just about any server. This is a scary notion, because no matter how heavily protected one is against break-ins to the server, one can never be completely sure whether a hacker will run some program on the system that will expose a flaw in security.

Therefore, the people whose job it is to manage Web servers are very protective about the security of their systems. When questioned about the specifics of how Harvard has responded to the recent hacking incidents, Steen is hesitant to provide too much detail.

"We also do not discuss the specifics of the steps taken for security reasons," he says. "Information about our actions could be used to compromise security."

Just Another Teen Trend?

As the number of hacking incidents continues to rise, many people have proposed the view that hacking is just a trend.

"Breaking into systems is something of an adrenaline rush for many people," Osterberg says. "It gives some people a sense of accomplishment, that they've accomplished something that others couldn't."

Hackers are very competitive about trying to break into the most difficult systems. A hacker who is able to break into a very secure and protected system is respected and considered to be a better hacker.

Not only does hacking appear to be a trend, but it is one that seems to be dominated by teenagers and young adults.

Recently, two California teenagers were convicted of hacking into U.S. military computers. Before they were identified, many thought their hacking was the work of terrorists rather than that of 15 and 16-year-olds

Furthermore, an organization of young hackers known as HFG hacked into The New York Times Web site this past September. When loyal readers tried to access the Times site that day, they were shocked to discover that the site had been altered.

The purpose of the hack was to protest the role Times reporter John. Markoff played in the imprisonment of hacker Kevin Mitnick.

Young people have always been known to commit mischievous and malicious acts for fun. Since today's youth have grown up with computers and technology, it is not surprising that they now use this technology to pull pranks and wreak havoc in the Internet, administrators say.

"I think it goes back to the sense of power," Osterberg says. "It fits in quite well with [the] teen and young adult mentality of being invincible and young adult mentality of being invincible and not really considering the consequences of actions. A more mature person may be more likely to be on the victim side of such an attack, and thus, have a better appreciation for why such things can be so damaging."

Osterberg says that as more and more people use the Internet, they must become increasingly aware of the danger that hacking poses.

"Security, confidentiality and authentication of communication, I believe, will continue to become more and more important," he says. "Here at Harvard, we can be sure that the University is doing its best to protect us from further attacks by hackers, even if we can't be privy to all the details. Or as Steen says, "Security is a topic that it is best to keep secure.