|
|
by M. E. Kabay, PhD, CISSP
Director of Education
ICSA, Inc.
At some time in your career
as users of computers, someone is going to tell you how much fun it is
to hack into computer systems and networks. I'm here to tell you it's a
bad idea. I'd like you to understand what happens on the other side of
that modem -- on the other side of that Internet connection -- when someone
uses a computer system without permission.
Let me tell you a little
about myself first. Strange as it may seem, I was once a kid. Admittedly,
I was a pretty strange kid, but then so are many criminal hackers. I began
programming computers when I was 15. That's probably around the time some
of your parents were born--it was 1965. At that time, computers were pretty
much as big as a house, needed enormous power cables to supply all the
electricity, needed enormous air-conditioning units to carry all the heat
away, and could serve one user at a time. We used to program these monstrous
computers--computers that had not much more power than a hand-held programmable
calculator today--using punch cards.
It was pretty hard to gain
unauthorized access to computers back them because he they were locked
up. The only way you got to program the computer was to hand in your cards
through a window into this big room. If the technicians knew you or if
you could show them your identification, they would feed your cards into
the computer. Whenever you finished running your program, it would disappear
from the inside of the computer--the memory--and someone else's program
would be loaded.
Giving your name to the
technician was a form of identification. Identification means telling who
you are. The next step was authentication. Authentication means proving
that you are who you say you are. Showing your ID card from your school
or from your employer is a form of authentication because it represents
something that only you are supposed to own. When your parents enter their
bank-card into the automatic teller machine, that card is their identification.
When your parents punch
in their personal identification number (PIN), they are authenticating
themselves.
Identification and authentication
are very important in today's computer systems, but we do it differently
now. Instead of speaking to a technician, now we usually type in a user-ID
and give a password that no one else is supposed to know. Sometimes modern
computers use other forms of identification and authentication; for instance,
some computers look at your fingerprints, the shape of your hand, your
eyes (retinas and irises), or your face and identify and authenticate you
that way. Some computer systems recognize your voice or your handwriting
and they identify and authenticate you that way. Other computer systems
read a special card that has a little computer -- a microchip -- in it
and that belongs only to you.
Well anyway, back in the
1960s and 1970s, computers and communications continued to evolve.
Computers began to allow
several people--sometimes hundreds of people--to use them all at the same
time. It also became possible to communicate with computers from much further
away than in the old days. The development of modems meant that you could
communicate with a computer from many miles away by using the phone system.
Well, that kind of access
meant that it was possible to get into computer systems without permission.
For example, people could find out your user-ID and password and pretend
to be you--after all, there was no technician to check to see if it really
was you. Many computers back then had tight limits on how many hours of
use you had on the computer every month, so someone who used your user-ID
was in a way stealing computer time. If the person did not know your password,
sometimes they would guess over and over; if you had a password that was
easy to guess -- if it were really short, or was maybe your own name, or
your dog's name, or your favorite sports team -- it could be pretty easy
to guess. These people who used the computer in your name were among the
earliest criminal hackers.
What do we mean by criminal
hacking? Basically it means using a computer without the permission of
the owners.
To understand why a using
a computer system without permission causes problems, you have to understand
the basic goals of information security. There are six different aspects
of information that needs protection. Let's look at these one by one. The
six principals are as follows:
confidentiality, control,
integrity, authenticity, availability, and finally usability. Let's look
at these one by one.
Security experts talk about
confidentiality. Confidentiality refers to limits on who can get what kind
of information. For example, you might want to keep it secret that you
have a crush on the child who sits in front of you! If someone were to
find that out and tell other people, that would be a breach of confidentiality.
If somebody were to find out your parents' bank account number and their
secret number (the PIN, or Personal Identification Number) that they use
at the banking machine, that would be a breach of confidentiality.
Another kind of protection
for information is the preservation of control. As an example, imagine
what would happen if somebody told your parents that they had taken a video
film showing exactly what buttons your parents pushed when entering their
bank-card PINs -- but that everything was OK because no one had looked
at the video yet. Your parents would be frantic.
They would be worried because
they would no longer have control over their own secret number and over
their own bank accounts. Something very similar--a loss of control--is
what would occur if a stranger broke into your house when everyone was
away. Even if they didn't do anything, you would still feel comfortable.
You wouldn't know if maybe the strangers did something bad to your food.
You might want a throw food away just in case. You might feel uncomfortable
because maybe the strangers looked in your diary. These would all be indications
of a breach of control.
Security people next consider
the issue of integrity. Integrity refers to being correct. For example
imagine how bad you would be if somebody took one of your exam papers and
change it so that your answers were now wrong. This would be a breach of
integrity. If someone were to take a check that your parents wrote and
then changed the amount payable, that would be a breach of integrity. Changing
information without permission is a breach of integrity.
There have been cases where
criminals have altered medical data. Changing medical records can lead
to very dangerous situations for the patients. Some criminal hackers have
played around in school records. They changed grades that were recorded
by teachers. Now of course, this may sound funny, but it stops being funny
when you think about what would happen if somebody changed your grades
and made them worse. Unauthorized modification of data is a breach of integrity.
Another principle of security
is authenticity. Authenticity means that information should be labeled
correctly. For example sometimes a criminal hacker sends electronic mail
in somebody else's name. In one case, a professor in a Texas university
found that someone had broken into his e-mail account. The hacker sent
out two thousand e-mail messages in the professor's name.
These e-mail messages were
full of hateful, racist Language and therefore some of the people who got
the messages became very angry with the professor. This was not fair, because
the professor didn't write the messages. However, he and his family received
death threats and had to be put under police protection because people
threatened to burn their house down. This was an example of a breach of
authenticity. You might want to think about how embarrassing it would be
if someone were to send e-mail messages in your name that said things you
didn't agree with.
Suppose someone were to
insult your teachers by sending them messages signed with your name. You
might get into a lot of trouble even though you had not done anything wrong.
Protecting authenticity
is one of the reasons that you must never reveal your password to anyone
else. You have to protect the authenticity of your communications.
This fifth principle of
information security is preservation of availability. Availability means
having timely access to information. Timely access refers to getting hold
of the information you need when you need it. For example, suppose you
have to write an essay on the novel, The Wind in the Willows. You want
to read the novel before you write the essay. If someone hides all the
copies of the novel at the library and at the bookstores, you can't read
the novel in time for your essay. That would be a breach of availability
of that novel.
One of the most serious
and widespread problems in today's computers is called denial of service.
Denial of service can occur when someone overloads a computer system or
network with bogus requests. One bad case of denial of service occurred
when some nut who called himself Johnny [x]Chaotic subscribed dozens of
people to huundreds of e-mail lists. These poor people began receiving
e-mail on basket weaving, engineering, plumbing -- you name it. One writer
received 20,000 e-mail messages in a single day. Imagine trying to find
your own e-mail messages if someone sent you twenty thousand messages you
did not want. It would take hours just to read through the subject lines
to find the e-mail you wanted. That would be a denial of service. Denial
of service is a breach of availability.
Finally, the last principle
of information security is utility. Utility means usefulness. For example,
if you went to the local store and all of the prices were in Norwegian
Kroner but nobody knew how many Kroner there were in the dollar, that would
not be very useful to you.
Now that you have some idea
of what information security people worry about, it's pretty easy to understand
why breaking into somebody's computer system is really bad.
Of course the obvious problems
concern confidentiality, integrity and authenticity.
Anyone can see that going
into a computer system and reading other people's documents, other people's
e-mail--or even information relating to national security in military computers--all
of these breaches of confidentiality are a real problem.
Changing accounting records,
stealing money by making false bank transfers, altering prescriptions so
the people can become sick, sending out bad the email other people's names--
these breaches of integrity and authenticity or all so obviously bad.
One of the most popular
forms of criminal hacking is Web vandalism: damaging Web sites by substituting
often obscene pictures and offensive text for the original materials. The
CIA was renamed the Central Stupidity Agency; the Florida Supreme Court's
Web page was turned into an illustrated sex-manual--you get the idea. The
people are usually children or young teenagers.
These cybervandals are just
like the punks who throw rocks through people's windows or who spray-paint
curses and foul words on buildings to express their rage and rebellion.
They're bored, childish nuisances.
The really tricky problem
is that criminal hackers always claim that if they don't alter information,
they haven't done anything wrong--or at least, they haven't done anything
really wrong, as they say. This point of view is simply, flatly wrong.
The fundamental problem
caused by unauthorized access to information systems is loss of control.
Let me explain what really happens when some punk breaks into a computer
system.
First you have to understand
that many people depend on computer systems to get their work done. The
computer systems they depend on are known as production systems. For example
the local banks need to have computers process their checks so that people
can get paid and so that the right amounts can be taken out of the employer
bank accounts and deposited in the employee bank accounts. What do you
think happens in the bank if someone breaks into their computer system?
I'll tell you: it's a real mess.
The poor bank employees
don't know whether the intruders have damaged some of their bank records
or programs. Even if the criminal hackers leave a note (you know, "W3 D1DN'7
DO 4NY7H1NG WR0NG C4USE W3R3 313373" using that code of theirs), how do
the employees really know if everything's still OK or whether the hackers
have damaged something?
The only thing to do is
to check. Security experts say that such a system is no longer trusted.
The employees have to reestablish trust in the data and also in the programs.
Criminal hackers have been known to insert their own changes to certain
computer programs. Criminal hackers often leave what are called back doors
into the systems they've already broken into. Back doors allow the hackers
to re-enter the compromised computer systems anytime they want. This kind
of change to system software is a real threat to the people that have been
victimized. It can take days to check all of the information on a computer
system that has been broken into. Sometimes the checking costs hundreds
of thousands of dollars in wasted salary or consulting fees.
I remember that when I was
in charge of a big computer center in the 1980, my staff and I would spend
from midnight to 6 in the morning every day for five days testing the new
version of the computer operating system that the computer maker had sent
to us. If we were willing to spend five nights testing the manufacturer's
software, doesn't that tell you how important trust was for us? Now think
about why on earth we would trust a production system that might have been
damaged by a criminal hacker. It wouldn't make sense. We have to check
the system after every intrusion. So that's why it's not true that breaking
into computer systems is harmless fun.
I hope you will think about
this the next time someone suggests that you play with them by breaking
into somebody's computer system. Try to tell them this isn't a videogame.
Hacking computers hurts real people. The victims of hacking spend sleepless
nights away from their families working hard to see if their computer systems
have been damaged by intruders. They worry about it. If there has been
damage, it can cost lot of money to fix the data and the programs. This
money lowers profits for companies or increases costs for nonprofit organizations.
If the criminal hackers
laugh at the costs and tell you that "it's only a company -- it's not real
people" then you will know that they are either stupid or they are deliberately
lying to you.
Organizations are made of
real people. Real people lose because of criminal hacking.
On another level, some people
get caught when they hack, and their reputation for dishonesty can follow
them for many years. I have met young people who didn't think they were
doing anything wrong but who discovered how hard it is to be accepted at
universities were to get good jobs when they have shown themselves to be
sneaky criminals who obviously did not care about the people that they
hurt. If these people continue hacking past their eighteenth birthday,
they can go to jail for unauthorized access to some kinds of computers.
There are many ways to learn
about computing. It is not necessary to become a criminal in order to learn.
Enjoy computers and respect your fellow human beings while you enjoy this
wonderful new world of cyberspace.
You are welcome to write
to me. Send e-mail to mkabay@compuserve.com
with your comments and questions.
|
