
Title: Hacking
Description: It's complete notes on Secrets of a super hackers



SECRETS OF A
SUPER HACKER
By The Knightmare

TOC
Appendix

Text ripped verbatim
Note: Edited for clarity and spacing (Win 98 WordPad in Times New Roman)
185 pages
6 yrs old
Kind of outdated and a lot of it is garbage, but it's OK
Constant Sorrow

SECRETS
of a
SUPER
HACKER
By The KNIGHTMARE
Introduction by Gareth Branwyn
Sound Bytes from Reviews of Secrets of a Super Hacker

"Secrets of a Super Hacker is a fascinating hacker cookbook that reveals the ease of penetrating even the most stalwart computer system ... Secrets of a Super Hacker, by The Knightmare, is billed as 'every security manager's worst nightmare ...'"
- Info Security News

"..."
- Booklist

"Excellent ..."
- The Reader's Review

"... Recommended ... It is well-written, sprinkled with wit and the Knightmare's own personal experiences ..."
- BBS Magazine

"It's readable, interesting, informative, balanced, and accurate, with a nice spirit of fun and swashbuckling!"
- on alt ... reviews

"Secrets of a Super Hacker ..."
- ComputerWorld

Secrets of a

Super Hacker
By The Knightmare

Loompanics Unlimited
Port Townsend, Washington

This book is sold for information purposes only
...

Secrets of a Super Hacker
(c) 1994 by Dennis Fiery
Introduction (c) 1994 by Gareth Branwyn
Cover by Bart Nagel
Illustrations by Dan Wend/MEDIA Graphics
All rights reserved
...
Reviews may quote
brief passages without the written consent of the publisher as long as proper credit
is given
...
...

ISBN 1-55950-106-5
Library of Congress Catalog Card Number 93-86568

Contents
Introduction: Hackers: Heroes or Villains?, by Gareth Branwyn ...
...
... Doing * Opening Remarks * Equipment * Modems and Speed * Communications Software * Handy Features * Data Capture * Past and Future * Days of Yore Live On * Computer Crime * Stealing Money * Sabotage * Various Thieveries * The Seventh Crime * Hacker Motivations

Chapter Two: The History Of Hacking ...
...
... 35
Passwords * Passwords Supplied by the User * Possible Password Investigation * Password Studies * Password Restraints * Computer Generated Passwords: Fakery and Analysis of Machine Generated Passwords * Non-Random Machine-Generated Passwords * Programs are People Too * Brute Force Methods * Foiling the Brute Force Assault * Conclusion

Chapter Five: Social Engineering ... 49
The Noble Form * Hacker as Neophyte * Hacker in Power * Hacker as Helper * Peak Hours * Other Hints * Sample Social Engineering Situations * Miscellaneous Social Engineering Tips * Other Roles * In-Person Engineering * Written Engineering * Request for Information * Message From God * Trouble in Paradise?

Chapter Six: Reverse Social Engineering ... 63
Overcoming Social Engineering Drawbacks * Reverse Social Engineering Sabotage Methods * RSE Case Study: The Translation Table * Solving the Sabotage * RSE Advertising Methods * Trouble for Nothing?

PART TWO
During Hack

Chapter Seven: Public Access Computers And Terminals ... 71
Introduction to the Three Kinds * CD-ROM Databases and Information Computers * Public Access Terminals (PATs) * The Bar Code Hack * Hidden Commands * College PATs * Doing it the E-Z Way * Shoulder Surfing * Doing it BASICally * Hardware Methods * General Purpose Microcomputers * Breaking Free * Freedom Means Free Roaming * PACK * Menu Simulation and Other Sneakiness * Hiding Your Goody Basket * Things to Watch Out For

Chapter Eight: On-Site Hacking: The Trespasser-Hacker ...
... 99
Reality * Who to Connect to * Paying for the Pleasure * Packet Switched Networks * Other Networks * Finding Dial-Up Numbers * Dial-Up Security Measures * Scrutinize the Login Environment

Chapter Ten: Electronic Bulletin Board Systems ...
...
... 123
Hacker Motivations Revisited * Operating Systems * Looking Around * Commands to Look For and to Use * File Transfer Protocol (FTP) * Fun 'N Games * The User Network * Becoming a Superuser * Spoofing * Cryptography and DES * Bit by Bit Program Employment * Viruses * Covert Channels * Get Out of Jail Free * Returning to the Scene * Mission Accomplished Almost!

PART THREE
After Hack

Chapter Thirteen: This Lawful Land ...
... * Federal Computer Crime Laws, Or: It's 10:30, Do They Know Where the Hackers Are? * Conclusion

Chapter Fourteen: Hacker Security: How To Keep From Getting Caught ...
... 161
The Hacker's Ethic * My Code of Ethics * Combining Principles * My One-Person Tiger Team * Principles Combined * Concluding Thoughts * Some Thoughts to the Concerned Administrator * Some Thoughts to the Concerned Hacker

Further Reading ... 169
The Books * Other Sources

Glossary ... 173

APPENDICES
Appendix A: Explanation of Some ASCII Codes ... 185
Appendix B: Common Defaults ... 189
Appendix C: Common Commands ... 191
Appendix D: Novice Word List ... 193
Appendix E: Job-Related Word List ... 197
Appendix F: Technical Word List ... 199
Appendix G: Social Security Number Listing and ICAO Alphabet ... 201
Appendix H: Additional R/SE Role Playing Situations ... 205

Introduction:
Hackers: Heroes or Villains?
by Gareth Branwyn
Hacking in the Village
"Where am I?"
"In the Village ..."
"Whose side are you on?"
"That would be telling ... information ... information ..."
"By hook or by crook, we will!"
Remember the '60s TV show The Prisoner? Created by and starring Patrick
McGoohan, this surrealist series was basically a platform for McGoohan to explore
his own fears of modern surveillance/spy technology, behavioral engineering, and
society's increasing ability to control people through pacifying pleasures
...

McGoohan's #6 character became a symbol of the lone individual's right to remain
an individual rather than a numbered cog in the chugging machinery of the State
...
He saw no escape from the mushrooming technoarmed State short of out-and-out violent revolution (it was, after all, the '60s!)
...

The #6 character himself comes close to revealing this in a number of episodes, as
he uses his will, his ingenuity, and his own spy skills to reroute #2's attempts to
rob him of his individuality
...
With all the social engineering, spy skills, and street
tech knowledge that #6 possessed, he lacked one important thing: access to the
higher tech that enslaved him and the other hapless village residents
...

In the last two-part episode of the series, #6 finally reveals why he quit his
intelligence job: "Too many people know too much
...
He probably didn't mean "people" as much as he
meant "governments
...

Let's look at a number of the mythic images of the hacker that have arisen in the
past decade and explore the reality that they both reflect and distort:

The Hacker as Independent Scientist
The first image of hackerdom to emerge in the '60s and 70s was of the benevolent
computer science student pushing the limits of computer technology and his/her
own intellect
...
These early hackers quickly
developed a set of ethics that centered around the pursuit of pure knowledge and
the idea that hackers should share all of their information and brilliant hacks with
each other
...
Just as
information should be clearly and elegantly transported within the computer, and
just as software should be freely disseminated, hackers believed people should be
allowed access to files or tools which might promote the hacker quest to find out
and improve the way the world works
...
"
While this ethic continues to inform many hackers, including the author of the book
you are holding, it has become more difficult for many to purely embrace, as the
once innocent and largely sheltered world of hackerdom has opened up onto a vast
geography of data continents with spoils beyond measure, tempting even the most
principled hackers
...


The Hacker as Cowboy
The cowboy has always served as a potent American myth of individuality and
survivalism in the face of a harsh and lawless frontier
...
Case and the other "console cowboys" in the novel ride a

cybernetic range as data rustlers for hire, ultimately sad and alone in their harsh
nomadic world
...

I don't think I need to tell readers here what impact Gibson's fictional world has had
on fueling hacker fantasies or what potent similarities exist between Gibson's world
and our own
...
Not
surprisingly, Electronic Frontier Foundation co-founder John Perry Barlow (a
Wyoming cattle rancher himself) chose frontier metaphors when he wrote his
landmark essay "Crime and Puzzlement" (Whole Earth Review, Fall 1990)
...
"

The Hacker as Techno-Terrorist
When I was a budding revolutionary in the 70s, with my Abbie Hoffman and Jimi
Hendrix
posters and my cache of middle class weapons (
...
12 gauge
shotgun, hunting bows), I, like McGoohan, was gearing up for the Big
Confrontation
...
We
would fantasize how it was all gonna come down and what role we (the "Radicals for
Social Improvement") would play in the grand scheme of things
...
The idea that bands of weekend rebels, however well trained and coordinated,
could bring down "The Man" was pure romance
...
My friends and I were content to play act, to
dream the impossible dream of overthrow
...
There was now at least the possibility that groups or
individual hackers could seriously compromise the U.S. military and/or civilian
electronic infrastructure
...
, the son of a well known computer security researcher, brought
down over 10% of the Internet with his worm
(a program that self propagates over a network, reproducing as it goes)
...
"Hacker
terrorists," "viruses," "worms," "computer espionage"
...
A new computer
security industry popped up overnight, offering counseling, virus protection
software (sometimes with antidotes to viruses that didn't even exist!), and work
shops, seminars and books on computer crime
...
Like a cat chasing its own tail, the busts and
media coverage and additional busts, followed by more sensational reportage,
created a runaway loop of accelerating hysteria and misinformation
...
" Of course, the truth turned out to be far less dramatic
...
For a thorough and lively account of this and many of the
other arrests made during Operation Sundevil, check out Bruce Sterling's The
Hacker Crackdown (Bantam, 1992)
...
Computer terrorism has yet to rear its head in any
significant fashion, but the potential is definitely there
...
Wireheads of every gauge would do well to study volumes
like Secrets of a Super Hacker to stay abreast of the game and to cover their
backsides should the proverbial shit hit the fan
...
Oceanographic and piracy metaphors are equally as common in cyberculture
as ones about lawless frontiers and modem-totin' cowboys and cowgirls
...
" Bruce Sterling's
near future novel about data piracy was named Islands in the Net
...

Anarchist theorist and rantmeister Hakim Bey penned an essay called "Temporary
Autonomous Zones" (or T.A.Z.)
...
Bey sees in the rapidly growing techno-sphere of our planet the possibilities for a new form of nomadic anarchic culture
that might resemble the sea-faring pirate societies of the 18th century
...
These bands can wreak havoc, throw a party,
exchange intelligence, or whatever else they want
...
While decidedly romantic, the TAZ idea is attractive to many hackers
and cyberspace residents who daily feel the fluidity of movement and the potential
for invisibility offered on "the nets
...
In cyberspace, piracy becomes a more ambiguous and contested can of
worms
...
Am I stealing? If I publish the work commercially, THEN is it
plagiarism? All of these questions about sampling, copying, cutting, pasting, repurposing, and altering have become the thorny legal and ethical issues of our
cybernetic age
...


The Hacker as Biblical David
When liberal and fringe media want to feel good about hacking and cracking they
start invoking images of the hacker as a do-gooder David against a
military/industrial Goliath
...
However over-romanticized this
myth is, there is comfort to be found in the knowledge that individuals can
penetrate even the most behemoth systems
...


The Hacker as Security Informant
Another do-gooder myth revolves around the hacker as an either self-appointed or
hired security checker
...
To the hacker who is interested in the gamesmanship and
challenge of penetrating a system, tipping off the system's administrators means
a new level of challenge should they ever return
...
Often times, these hired guns are
convicted computer criminals who "go straight
...
While many hackers bristle at such turncoat
maneuvers, other more politically neutral hackers point out that it doesn't really
matter to them who they're working for as long as they get to hack
...

Movies such as WarGames, Sneakers, Jurassic Park, and TV shows such as Max
Headroom glamorize hackers, often portraying them as misguided geniuses who
finally see the light and prevent calamities they're often responsible for initiating
...
John Badham's 1983 film WarGames probably did more to
stimulate interest in hacking and phone phreaking among young people than
anything before or since
...
All these films have also played into the myth of the evil government and
megacorps who deserve the harassment that the hacker protagonists dish out
...
It will be very
interesting to see how Hollywood continues to re-invent the hacker
...
It is this writer's opinion that hackers represent the scouts to a new territory
that is just now beginning to be mapped out by others
...
As Manuel De Landa explains in his book War in the Age
of Intelligent Machines (MIT, 1991), we are forging a new symbiotic relationship
with machines via computers
...
While De
Landa is very laudatory toward the "freedom of information" ethic and
developmental ingenuity of hackerdom, he cautions those who wish to make too
much trouble for individuals and organizations, leading to retaliation, escalation of
tensions, and increased paranoia
...
[S]ome elements of the hacker
ethic which were once indispensable means to channel their energies into the quest
for interactivity (system-crashing, physical and logical lock-busting) have changed
character as the once innocent world of hackerism has become the multimillion-dollar business of computer crime
...
"De Landa
...
He
speculates that those outside the military-industrial machinery have only a few
years to develop a new and truly decentralized system of networks before the
military devises a new tactical doctrine that subsumes the distributed PC
...
These academics have embraced cyberpunk sci-fi,
the politicized image of the hacker, and postmodern ideas about posthumanism (a
future of human/machine hybridization)
...
Hackers were the first
to experience this ... many others are now following in their digital footsteps
...
The "idea" of hacking has migrated far from the actual
act of hacking
...


The Knightmare's Vision

Behind all these lofty notions lies the tedious and compelling act of the hack itself
...
In this classic hacker cookbook, the author has gone to
great pains to explain the massive width and breadth of hacking, cracking, and
computer security
...
Numerous
examples and "amazing hacker tales" take the reader inside
each level of the hack
...
It has already been very valuable to me
...
much more attuned to computer security
...
He wanted controversy, arguments, fights, discussions,
people waving fists in his face
...
Computer hacking and the woolly
frontiers of cyberspace are similar domains of controversy
...
It is my hope that it will help keep the debate alive
and that those who make use of its privileged information will do so responsibly and
without malice
...


PART ONE
BEFORE THE HACK
"Given that more and more information about individuals is now being stored on
computers, often without our knowledge or consent, is it not reassuring that some
citizens are able to penetrate these databases to find out what is going on? Thus it
could be argued that hackers represent one way in which we can help avoid the
creation of a more centralized, even totalitarian government
...

Tom Forester and Perry Morrison in Computer Ethics

Chapter One:
The Basics
Reading vs. Doing
...

The first is to write an encyclopedic account of every known system and its dialup
numbers, passwords, loopholes, and how to increase one's access once inside
...
And surely, after word leaks to
the computer sites of the world the remaining information will be rendered nonfunctional
...

Indeed, there are both print and on-line publications which attempt to do just that
...

This is a much more agreeable solution to the problem of how to distribute
changing information
...
Naturally, way-to-write-a-book Number Two is the way this book has been
written
...
I
tried to keep this book flowing in a logical order, conducive to understanding, but
occasionally you will find ripples in the flow
...
You'll learn soon enough
...
Computer hacking is a subject which contains a voluminous amount of information
...
Sometimes I compromised, sometimes I
didn't
...
When all is said and
done, the important part isn't the writing of the book, it's the reading of it, and the
actions that result from the reading
...
It's not about reading about doing something
...

Speaking of books being read, it is often a wonder that they ever do get to that
readable finished state at all
...


Opening Remarks
This book will show you various methods you can use to break into computer
systems
...
Nowadays people are more
strict, more cautious about security
...
But there are
plenty of holes still left in any system's armor
...
Remember the first rule of hacking: Whatever a
...
Whatever one mind can hide, another
can discover
...


What is a hacker? I'm going to give a definition now, and if you don't fit the
description I give, you can just close this book and throw it away:
A hacker is a person with an intense love of something, be it computers, writing,
nature or sports
...
If a hacker loves computers,
then he or she is curious about every aspect of computers
...
Hackers have respect for their
subject
...
That sort of thing is for social-outcast
junior high school kids
...
The True Computer Hacker is a computer
enthusiast and more importantly, a Universe enthusiast
...
Are you ready to learn?

Equipment
There is only one piece of equipment you need to be a successful computer
hacker
...
That's right - you don't even need a computer
...
However, to start out you will
want to have a computer, a modem, and a telephone line close by so you can
connect to the outside
...
What's more important are the
modem and the communications software you use with it
...
Let me explain
...
Below speeds of 600 baud, the baud rate is equal to bits-per-second
...
For example, a 2400 baud modem
may only be sending 1200 bits-per-second
...
While a hacker should
be aware of the difference between baud rate and bits-per-second, the important
thing to remember about modem speed is: the faster, the better
...

Five years ago, 300 baud modems were quite popular
...
Higher speed modems, such as 14,400
baud and 19,900 baud, are now available in fairly inexpensive models
...

Hacking is a hobby that requires little equipment; when it is necessary to buy
something, you should try to buy the best available
...
It means, get what is
best suited to your needs
...
When I got my
first modem, I thought of 140 baud as being the slowpoke
...

Realize that whatever speed modem you get, it will usually run even slower than
advertised
...
Modems may run at half
their listed speed, or even slower if they're in a particularly bad mood
...

For all of these reasons it's crazy not to get a fast modem
...

Communications Software
It's hard to find truly splendid communications software, and yet it is the software
(in conjunction with a fast, high-quality modem) which will determine how much
enjoyment or frustration you get from your on-line interactions
...

Just because a particular package comes with your modem doesn't mean you
should feel obligated to use it
...
For the hacker, it is necessary to have all
these features
...

Handy Features
The monitor on your computer was probably specially designed for your computer
...
Consequently,
certain standards (rules of behavior for monitors to follow) have been devised
...
Your communications program, or "comm program," should
be able to adjust to a wide range of these codes and characters
...
Software that can't do that will often represent data
from the remote computer in peculiar ways, or as garbage characters
...
It is also handy for the software to have a translation table - the ability
to translate incoming and outgoing characters to other characters
...
A protocol is a set of rules
...
These file transfer
protocols set up specific guidelines for the two computers to follow regarding how
the file should be sent and received
...
The Zmodem protocol transfers files fast, and with good error
recovery, but it isn't as prevalent as the original Xmodem
...
Kermit is used on many university mainframes for speedy, efficient
file transfer
...

Choose software that allows you to enter "AT" commands
...
They have been
adopted for most makes of modem
...
You should also be
able to shell to your computer's operating system while maintaining the connection
- sometimes you will want to run another program while on-line
...
You should be able to store more than just the ten-digit
phone number; extensions and special codes should be programmable, as well
as sign-on macros for faster connections
...
Overall,
the program you use must be pleasant and easy to use
...
Generally I tend to stick with the PC Tools Desktop comm
program
...
ProComm Plus for the IBM and Macintosh is the Lotus 1-2-3 of communications software
...
There are also many low price (free) alternatives in the
world of shareware and public domain software
...

There is one final necessity for the hacker:
Data Capture
Your terminal program should have a data capture feature
...

It's important for you to keep the data capture feature on whenever you're using
your modem
...
When I'm logged in somewhere, I
like to poke into all the text files I can find, but I don't like to waste my time on the
system by actually reading them while on-line
...
(At other times it is more appropriate
to simply transfer the files; what one does depends on circumstances
...
And sometimes text is immediately erased after it's put on
the screen, either for security reasons or due to faulty software
...
In any event, it's nice to have an
official record of your hacking activities that you can use for reference and research
...
The modems connected, I pressed
Enter a couple times, and I got the usual random characters on the screen, then
the login prompt came on
...

Later, I was going over the print outs I made of the break-in and I took a second
look at what at the time seemed to be just normal login garbage
...
And on the next line, sandwiched between
two plus signs, this: "ye!"
...
What I was
looking at was the last half of the word "good-bye!"
...
In other words, I had called the system just after someone else had
logged off, and I had gotten the tail end of their log-off message
...

This meant there was a bug that could be exploited
...
The person who had been using the
BBS before me was a regular User of the system and, sure enough, according to the
log she had logged off just seconds before I was recorded as having logged in
...
I wrote a letter explaining to him what
I had done, and how
...

So you see, sometimes weird things happen while you're logging on or off, but
anomalies can occur at any time
...

You never know when something out-of-the-ordinary is going to happen, like the
system operator (sysop) coming on and doing system maintenance while you
watch
...
In fact, there was one week
in which it happened twice
...
Instead of rushing off to the bus stop, I
was on my computer, dialing BBSs
...
"I have to do something real fast," he typed, "and I'm late for
school
...
He went into the
back screens of the bulletin board system program, then shelled out to his hard
drive, and came back in again
...
The information I
learned from watching that sysop fix his system did not help me break in anywhere,
but it taught me more about how telecommunication systems work
...

A few mornings later, I was on another system and almost the same thing
happened
...
This time I was able to understand as I
watched what was going on: one of the things the sysop did was to validate a new
user's password (a dumb thing to do in front of somebody, but maybe he didn't
realize I could see what he was typing)
...


An alternative to data capture is to have your printer running continuously
...
Also, a printer
won't be as efficient as your communications program at capturing strange control
codes and foreign symbols
...

Past and Future
As you read about the many facets of hacking, you will be introduced to more
equipment, tools, software and hardware that will be of interest to hackers who
wish to try their expertise in more specialized areas of interest
...

Days Of Yore Live On
When you start reading through the literature of data security, you begin to get
worried
...
Gone
are the system bugs and loopholes, the naively entered "PASSWORD" used as a
password
...
Gone are
the lone hackers
...
But all of this really isn't true! As recently as just a few
years ago, Robert Morris, Jr
...
These weren't even new bugs - they were old ones that
no one had ever noticed or bothered to correct before! Who knows how many more
similar bugs like it are out there, waiting to be manipulated? And the trap doors
will always be there as well: it is the programmer's vanity that leads him to stylize
otherwise joint or corporate software by inserting covert code, either for benign,
"jokey," Easter Egg purposes - or to wreak havoc later on
...
And don't
forget all the stupidity: the test accounts and demo modes, the default security
measures that nobody bothers to delete or change
...
These crackers
exploited a flaw in the VMS infrastructure which DEC Corporation had announced
was remedied three months earlier
...
Even with the
patch in place, the Chaos members reportedly were laughing themselves silly over
the often trivial passwords used to "protect" the system
...

Never can you get 4,000 people together and still keep secrets hushed up
...
The culture may
have gotten more security-aware, but the individual user still lives in a world of
benign indifference, vanity, user-friendliness and friendly-userness
...
Those
who aren't will seek the advice of the gurus
...
Ease
of use will always rule
...

After all, people just don't choose "116Fk%8l0(@vbM-34trwX51" for their passwords!
Add to this milieu the immense number of computer systems operating today, and
the staggering multitudes of inept users who run them
...
Now they are bought, installed, used,
managed, and even programmed by folks who have a hard time getting their bread
to toast light brown
...
I just wish (sort of) that they would realize what
danger they put themselves in every time they act without security in mind
...
If this
isn't clear now, it certainly will be once you've read a few chapters of this book
...
It
seems incredibly naive, but it's true
...
Publicly or privately, they say things like:
• Extra security decreases the sense of openness and trust which we've strived to
develop
...

• Extra security just invites hackers who love a challenge
...

• The reprogramming could open up new security problems
...
The last one is certainly false as any reader of this book should
be quick to point out
...
Some of these sayings also have their validity
...
With a little work we can often ride the breeze inside
...
When you're talking about the bad stuff that
people do with computers, hacking truly is at the bottom of the list, and it certainly
is the farthest removed from traditional crimes - things like murder and burglary
which we feel in our hearts are wrong
...
Perhaps it is immoral or wrong,
but there is much worse that can be done
...
The seven categories are financial theft,
sabotage, hardware theft, software theft, information theft, and electronic
espionage
...

Stealing Money
Financial theft occurs when computer records are altered to misappropriate money
...

A salami technique is a method used to steal small sums of money over a long
period of time, with the assumption that such small sums won't be missed
...

For instance an account might hold $713
...
Normally the computers would
say this person has $713
...
However, a
computer programmed with salami in mind would slice off those extra digits and put
them into a separate account
...
$713.14 in the
account, but who's going to notice or complain about a missing penny?
The computer is not generating new money, it's only shifting valid money to an
invalid account
...
Once the criminal's
account has grown big enough on those fractions of pennies, he or she can
withdraw the money and most likely will get away with the crime
...

The way investigators check to see if a salami technique is being used is to have
the computer make a list of all accounts, and how many times per day over a period
of days a transaction has occurred with that account
...
If it's tiny sums, someone's up to something!
While I don't condone such thievery, I feel obligated to point out where computer
criminals have gone wrong in the past and how to avoid future mishaps
...
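The investigator's check just described, as an added example that is not from the book: a constructed ledger (every account name, date and amount below is invented) is tallied per account and per day, and any account that receives many fractional-cent credits day after day is flagged for an auditor to look at.

```python
"""Salami-skimming check over a constructed transaction ledger.

Implements the investigator's heuristic from the text: list every account,
count how many transactions it receives per day over a period of days, and
single out accounts that collect tiny sums day after day. Added example
code, not from the book; the ledger and its accounts are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# A credit at or below this amount counts as "tiny" (a cent or a fraction of one).
TINY = Decimal("0.01")


def build_ledger(days=5):
    """Constructed ledger of (day, account, amount) tuples.

    Three ordinary accounts see everyday activity; "acct-9" (the hidden
    account in this scenario) receives eight fractional-cent credits every
    day, the leftovers sliced off other customers' balances.
    """
    ledger = []
    start = date(1994, 3, 1)
    for n in range(days):
        day = start + timedelta(days=n)
        for acct, amounts in (
            ("acct-1", ("42.50", "-12.00")),
            ("acct-2", ("713.14",)),
            ("acct-3", ("0.01", "5.00", "-3.25")),  # one legitimate 1-cent credit
        ):
            for a in amounts:
                ledger.append((day, acct, Decimal(a)))
        for _ in range(8):
            ledger.append((day, "acct-9", Decimal("0.004")))
    return ledger


def daily_counts(ledger):
    """Per account and per day: [number of tiny credits, number of all transactions]."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for day, acct, amount in ledger:
        rec = counts[acct][day]
        rec[1] += 1
        if Decimal("0") < amount <= TINY:
            rec[0] += 1
    return counts


def flag_salami(ledger, min_days=3, min_tiny_per_day=5):
    """Accounts that received min_tiny_per_day or more tiny credits on at
    least min_days distinct days. Returns {account: sorted list of days}."""
    suspects = {}
    for acct, days in daily_counts(ledger).items():
        hits = sorted(d for d, (tiny, _) in days.items() if tiny >= min_tiny_per_day)
        if len(hits) >= min_days:
            suspects[acct] = hits
    return suspects


def tiny_credit_total(ledger, acct):
    """What the tiny credits add up to for one account: the figure an auditor
    compares against the shortfall spread across everyone else's balances."""
    return sum((amt for _, a, amt in ledger if a == acct and Decimal("0") < amt <= TINY),
               Decimal("0"))


if __name__ == "__main__":
    ledger = build_ledger()
    for acct, days in flag_salami(ledger).items():
        print(f"{acct}: tiny credits on {len(days)} days, "
              f"total {tiny_credit_total(ledger, acct)}")
```

The thresholds are deliberately loose; on a real ledger an auditor would tune them against normal per-account activity so that a genuine one-cent interest posting (acct-3 here) does not trip the check.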

Then, the portions of code which print out total bank holdings should be altered to
include that hidden figure in its summation, so those minuscule amounts aren't
missed
...
I say some "random" value so every transaction on the thief's
account won't be exactly the same and thus suspicious
...
However, when an employee with limited computer access or a
complete outsider pulls off a financial theft, computer hacking will surely be
involved
...
The point of
sabotage may be to force a competitor out of business, or, as is sometimes done
with arson, to get the insurance money
...
Still, sometimes sabotage does creep into hacking in
limited ways
...

You will read about reverse social engineering later on
...
Vandals should not be confused
with hackers, however
...
An illustration
of such data tampering is given by Thomas Whiteside in his book Computer Capers
(Crowell, 1978)
...
" For all
we know various agencies may be continuing this practice
...
It is related to
hacking in that stolen or "borrowed" hardware may be used to procure access
codes
...

Software theft or piracy is the unauthorized copying of programs protected by
copyright
...
As
with hardware piracy, there is also the aspect of wanting to get an edge on a
competitor's new line of software, and so there is the hacking connection
...
Electronic espionage occurs when that information is sold to a
third party, making the hacker a spy for either another country or company
...

The Seventh Crime
Finally, there is hacking
...
Read that again carefully, and see if you can detect the paradox
...
Of course,

there is that small matter of illegally breaking into other people's computers before
that choice is made
...
" Where other computer crimes are
concerned, motivations are obvious
...
But with pure
hacking, essentially a peaceful, harmless act, motivations might not be as apparent
...
But nowadays
that quest may be ruled by higher motives - like money
...
In fact, there are a number of both
moral and immoral reasons one would provide one's hacking services for a fee
...

Hacker Motivations
The IRS has a bad reputation - and it deserves it
...

For instance, the IRS has a computer selection program called the Discriminate
Function System
...
When the DFS selects a return for audit,
it is because the program believes there is a high probability the citizen made
improper deductions, or hasn't reported all income, or for some other reason
believes the filer has lied
...
The decision-making formula (algorithm) used by the
DFS to select which returns will be audited is kept secret from us (so we can never
really know to what extent an action of ours breaks the IRS's return-selection
laws)
...
But it also restricts our rights, and several years ago, two
outraged citizens sued the IRS to reveal their selection formula
...
The IRS was not ready to reveal
their secrets, and they appealed their way up to the Supreme Court and still lost in
favor of the Freedom of Information Act
...
Congress, of course, immediately enacted a
statute which made the IRS's audit selection algorithm immune to the Freedom of
Information Act
...
...
Taxpayers could use his
guide to safely overstate the amount of deductions they claimed
...

Dissemination of information is always an honorable incentive to hack
...
All of this information was gained by illegal
break-ins carried out in government computer installations
...

Hackers also see themselves as preventers of disasters - computer disasters that is
...
They did this by publicizing a phone number hackers could call to try to beat the system
...

Hackers who maintain a high degree of virtue will use their illegal hacking to
prevent disasters
...
Hackers are thus
beneficial to the world in that they act to keep the world informed and secured
...
Unfortunately, due to the exciting/risky/devilish nature of
hacking, the people involved are often immature and play around in juvenile
activities such as vandalism and carding (mail ordering stuff on other people's
credit cards)
...
"
Many hackers, even some very good hackers, have done their part to give hacking a
bad name by having skewed motivations
...

There are also hackers-for-hire
...
Or
there are the people who want information about themselves deleted from the
record, because they are in hiding
...
Office
workers have hired hackers to scope out the personal electronic mail and files of
coworkers and competitors, to gain an edge when making a proposal or a bid
...
All of the above has been
done and is being done RIGHT NOW, by hackers who hack for money
...
Maybe a
once-in-a-while job is okay, but to do it extensively and exclusively is to sell out
one's integrity
...


Chapter Two:
The History of Hacking

First Came Hardware
Where does one begin a history of hacking?
Do we start with the creation of the computer, by J
...
With the
government backing their way, the Electronic Numerical Integrator And Calculator
(ENIAC) was born in 1946
...

Of course, the origin of the computer - the computer for god's sake - the most
revolutionary invention since the telephone, can not be so easily summed up in a
tidy paragraph of wartime patriotic stupor
...
It may have been ENIAC that spawned the next generation of
computers, but ENIAC was a one-task machine
...
anything
...
The longing to do
...
Perhaps we should begin with the
revolutionary creation of the telephone, culminating with Alexander Graham Bell's
historic "accident" on March 10, 1876
...
After all, you couldn't simply buy one and place it in your house and use it
...
Networks had to be created to link home to home,
business to business, and finally, state to neighboring state
...

YIPL and TAP
So there was the telephone, there was the computer, and there was an undaunted
inquisitiveness in the collective human subconscious
...
Abbie Hoffman and a
phone phreak who went by the handle Al Bell used YIPL to disburse information
about cracking the phone network
...
Subscriptions to the journal spread
the word of this arm of the underground far away from Bleecker Street to people of
all walks of life
...

A few years after YIPL's inception, it became TAP - Technological Assistance
Program - when the goals of the phreaks collided with the more politically-minded
members of YIPL
...

Computer Crime

The first recorded computer abuse, according to Donn B
...
The first federally prosecuted crime
identified specifically as a computer crime involved an alteration of bank records by
computer in Minneapolis in 1966
...
It's one thing to have money
controlled and kept track of via computer; it's quite another to have power
controlled in this way
...
Even in the mid-1970s, as crimes by computer
were becoming more frequent and more costly, the feeling was that the machines
themselves were just a part of the environment, and so they naturally would
become a component of crime in some instances
...
The
criminologists could not have realized then that the computer really was an integral
part of the crime, and that the existence of these machines - and the systems built
around them - led to whole new areas of crime and thinking about crime that had
never before been explored
...
In 1976 two
important developments occurred
...
Also in 1976, Senator Abraham Ribicoff
and his U.S. Senate Government Affairs Committee realized that something big
was going on, and it was important for the government to get in on it
...
These reports eventually became the
Computer Fraud and Abuse Act of 1986
...

A year before, a major breakthrough was announced at the Securicom Conference
in Cannes by a group of Swedish scientists who had invented a method of silently
eavesdropping on a computer screen from a far-off distance
...
Much later
...
The journal
came to an end before its time in 1983 when Tom Edison's New Jersey
condominium burned to the ground, the victim of a professional burglary and an
amateurish arson
...
The arson, perhaps
an attempt to cover the burglary, did not succeed
...
A few months later, the original TAP printed its final issue
...
Ironically, Goldstein is more a rhetorician than a
hacker, and the magazine is less technical and more political (like the original
YIPL)
...
Who needs
published magazines? The City University of New York and Yale University joined
together as the first BITNET (Because It's Time NETwork) link in May 1981
...

WarGames and Phrack
A hacker named Bill Landreth was indicted for computer fraud in 1983, and
convicted in 1984 of entering such computer systems as GTE Telemail's electronic
mail network, and reading the NASA and Department of Defense correspondence
within
...
1983 also saw the release of
WarGames, and all hell broke loose
...
The exciting story of David Lightman (played by
Matthew Broderick), a school-age whiz kid who nearly starts World War III,
became the basis for many modems for Christmas presents that year
...
Bulletin board systems flourished, and a large
number of boards catering to hackers, phreaks, warez d00ds (software pirates),
anarchists, and all manner of restless youth sprung up
...
Louis, Missouri, operated by Taran King and Knight
Lightning
...
Later, when the journal's founders went off to college and received Internet
access, the publication was distributed through list servers which can automatically
e-mail hundreds of copies of the publication throughout the world
...
As the name implies, Phrack deals with PHReaking and
hACKing, but it also is pleased to present articles on any sort of mischief-making
...

Louis
...
He left a note stating that he
would commit suicide "sometime around my 22nd birthday
...
Was it a publicity stunt, or for real? Eventually Landreth
reappeared in Seattle, Washington, in July, 1987, and he was hastily carted back to
jail for breaking probation
...
Shadow Hawk (really Herbert
Zinn of Chicago) was an 18-year-old high school drop-out when he was arrested
...
S
...
Shadow Hawk's
case is important because in 1989 he became the first person to be prosecuted
under the Computer Fraud and Abuse Act of 1986
...
Around this time there were a lot of hackers being brought down by
all manner of cops: security
officers for the telephone companies and other organizations, the FBI, local police and
concerned citizens
...
Not that
they suddenly knew more about computers and hacking, but now they understood
that to catch a lion, one must step into its den
...
Many warnings were issued, and many arrests were made
...
Stoll's
efforts led to the discovery of a group of German hackers who had broken into the
computer system
...

Organized and independent hacker activity continued for the next few years with
little public interest
...
The
threats never materialized but minor havoc was wrought anyway, as many
computers were temporarily pulled from the net until the threat could be analyzed
...
It was then that Robert Morris Jr
...
Exploiting an undocumented bug in the
sendmail program and utilizing its own internal arsenal of tricks, the worm would
infiltrate a system and quickly eat up most or all of the system's processing
capabilities and memory space as it squiggled around from machine to machine, net
to net
...
EFF
is a group dedicated to protecting our constitutional rights; it was created as a
response to a series of rude and uninformed blunderings by the Secret Service in
the witch hunt known as Operation Sundevil
...
They seized
23,000 disks and 42 computers, often for inappropriate reasons
...
Public postings never made it to the screens of the computer
community
...

John Perry Barlow (author, retired cattle rancher, and a lyricist for the Grateful
Dead), and computer guru Mitch Kapor, best known for writing Lotus 1-2-3, were
outraged by these events (and by their own run-ins with the FBI over stolen source
code that was being distributed by the NuPrometheus League)
...

Some yellow journalism by the Washington Post provided the publicity needed to
attract Steve Wozniak (co-founder of Apple) and John Gilmore (of Sun
Microsystems) who offered monetary support for the enterprise
...
An
Austin, Texas, publisher of role-playing games, Jackson's business was raided by
the Secret Service because one of his games, called GURPS Cyberpunk, had to do
with a kind of futuristic computer hacking
...
" This was ludicrous, akin to arrest-ing Milton
Bradley because they sell Chess, which teaches kids how to wage war
...
"Eventually," Jackson later wrote, "we
got most of our property back (though some of it was damaged or destroyed)
...
"
Jackson sued the U.S. government (the Secret Service, two of its agents, and a
Bellcore official were named in the suit) on charges that the Secret Service had
violated his right to free speech during the office raid
...
Jackson has since made a role-playing game about the incident
...
There are the
famous stories, the infamous ones, and the ones that barely made the back page
...
They had broken into the Pentagon's computers, among others, and
got a whole load of law enforcers on their tail
...

Dozens of stories like this were reported then quickly faded
...

Phiber Optik was eventually arrested and sentenced to thirty-five hours of
community service in February, 1991
...
Neidorf story made headlines
...
Neidorf published
an (edited) internal BellSouth paper in Phrack and was quickly charged with
interstate transport of stolen property, with a possible sentence of 60 years in jail
and $122,000 in fines
...
Sixty years in jail for copyright infringement?
The EFF helped Neidorf through these troubled times (as they'd helped Steve
Jackson, and would come to aid many hackers and crackers who'd been treated
unfairly or with ignorance by the law)
...
S
...

There are dozens or hundreds of stories about hackers every year, and there have
been for quite some time
...
Such was the case on November 6, 1992, when a group of hackers,
peacefully convening in the food court of the Pentagon City Mall outside
Washington, D.C., were bullied and manhandled by mall security personnel, Secret
Service and FBI agents
...


Chapter Three:
Researching The Hack
Any serious hack will involve some preparatory research long before the hacker
sets foot near a computer
...

With computer hacking, you should obviously have some knowledge about
computers and telecommunications (ideas) but to actually carry out a hack requires
just one fact: a phone number
...
Either case requires some research
...
And finally, there is the ongoing research you will do
once you've gained access to a system, to help you make full use of the facilities
you've conquered
...
" For now, let us discuss what to do to get started
...
This may seem like a trivial
topic for many reasons, but in fact it is a topic well worth discussing
...
You have gotten - through research of
some kind, or just plain luck - a piece of information you feel will be helpful in
entering a specific system
...
Naturally, it seems reasonable to call the number and see if it actually is
what you've heard it to be
...
Look up
the number in a criss-cross telephone directory for that region
...
, which are available at many libraries, are books (usually non-licensed by
the phone company) which list the names and addresses that go with phone
numbers
...
If you can't get this sort of directory, call the operator and ask
who the number belongs to
...
If the phone number is publicly available, it probably isn't a
computer line after all, let alone a secret one
...
If it really is a top-secret database, it's
reasonable to assume that your call will be traced, or at the very least, will arouse
suspicion
...
You may not yet have the expertise to alter phone
company data, or call from a pay phone, or in some other way make it seem like
you are not the person placing the call
...
That's just being stupid, period
...
It may be preferable to wait awhile, until you have the expertise
to do it properly
...
If you try to act on
your inside knowledge and fail, you are ruining your chances of getting in later, as
the system managers might see their mistakes and correct them
...
Get familiar with floating
on your back before trying to scuba dive for sunken treasure or else you may end
up being the one who's sunk
...
What if you do have some exciting secret
that will let you get in somewhere? Perhaps you should think about the best way of
reaching that system in the first place
...

If you are enrolled at a college, or live near one and have access to your own
Internet computer account, it is a trifling matter to log in as yourself and, from
there, attempt to connect to other systems
...
Before you can move out of the few directories
allowed by your minimal access level, you will have to figure out a way to
disassociate yourself with what you do
...

Breaking into major league computer systems is very often a matter of, first,
personal hacking, and second, institutional hacking
...

Time, money and effort can be spent needlessly on attempts to access systems that
ultimately turn out to be dead ends
...
You may think your target
individual would be the dean or some other school head, but as it turns out, in
many instances you would be wrong
...
In this
case you would want to target a professor or more likely, a teaching assistant
(T.A.)
They're the ones who have to do the actual inputting of grades
...
A
...

Then there's the matter of the computer
...
But that
isn't necessarily where you need to go to change your grade
...

It seems logical to assume that the president of a university has the highest level of
computer access
...
One English teacher I had mentioned Kojak a couple times in class,
and on several occasions made references to things that could be interpreted as
having some relation to that television show (sometimes he would use phrases that
Kojak used
in the series)
...
And
trying Kojak-related words like "Telly Savalas," "lollipop," "bald," for passwords is
the obvious way of personally targeting that English teacher's account
...
If you have goals
in mind, do the necessary research to find out if you are targeting the right PEOPLE,
as well as the right computers
...
Documents pertaining to "ethical use" of the system, and articles
encouraging "preventative security" are often particularly enlightening
...
This is one suggestion taken from a list of what was felt to be
necessary improvements in security
...
Here's the one suggestion from the list that stuck out:
Net 19 must be isolated completely by gateways from PCs and from the
broadband
...
PCs should be implemented which will run software that will monitor the network for
signs of misuse and/or unethical usage
...
We have these suggestions
for improvement, so now it should be a simple task to determine which software
was purchased to implement the suggestions
...
But most interesting of all (and the
point that is related to this discussion of targeting) is the mention of "Net 19
...
Clearly it's something well worth hacking
...


Keep in mind that I read this document from a public terminal, without having to
log in as anybody
...
It is
information available to anybody, and look at the wonderful clue it holds for all who
see it! Now, when I read this I didn't know what Net 19 was, but I knew
immediately to target all efforts to finding that system and penetrating its security
...
But
don't forget - I was reading through every publicly available document for the SOLE
PURPOSE of breaking into the system
...

In a way, doing this kind of on-line research - exploring every inch of the system
available to you before going after the private regions - is a kind of targeting
...
This can only help you in the long run
...

Things you should be looking for when you target a public system in this way, with
the intent of going after a correlated private system, are: how it handles input and
output; if any bugs are present and how the system reacts to them; what the command
format is (three letters? control sequence?) and what kinds of commands are
available; and machine specifications and hardware
...
These are things that will be helpful later on,
because when you actually are trespassing, you won't want to spend hours trying to
find the help command or how to log off
...
After all, a scientist
can analyze a rainbow using specific technical terms that explain what a rainbow is,
how it is formed, and why it displays its colors as it does
...
The explanation ignores the beauty of it
...

You may use similar arguments to complain that targeting and pre-thought and
planning of hacking attacks distract from the pleasure of the hack itself
...
But
otherwise, why should we bother to discipline ourselves with such nonsense as
targeting? You're right! Certainly you're correct! There is no reason to feel
obligated to apply these suggestions that I present
...
At least, if you break the rules, you should understand
how following them might have helped
...
But in the long run, if you really want to end up at a position further
from where you started, if you want to hack for the enjoyment of it and maintain
high pleasure levels throughout the endeavor
...
They
will help lessen the amount of frivolous searching and brute-force monotony needed
to get in, and will help you stay out of trouble
...


Make sure the goals you've outlined are really the ones that apply to your case
...

I keep bringing up the point of "intentions" and "goals," but unless you're a
private investigator or some sort of muckraker, you're probably willing and happy to
break into any computer available, at any and all opportunities that present
themselves
...

But as you can well imagine, it is much more interesting to break into a system
that holds secrets, than one whose contents are worthless to you
...
) Choose your targets carefully
...

Collecting Information
Before you begin researching you should know what kind of information you should
be trying to find out
...

There is a certain level of understanding you should have about computers,
modems, the telephone and human nature
...
If not - and I readily admit this is not an all-inclusive Bible of the Universe - then go around
to some local or special libraries and find out what you need to know
...
You will still want to keep
up with the latest developments in technology as well as the organizations who run
the computers you intend to hack
...
Go to the shelves with the computer books, and the
shelves with the criminal justice books, and the shelves with the business
management books
...
Every once in a while, take out some books on
telecommunications and look through them
...

Look up "telecommunications" in the card catalog
...
Also, remember to look through the
books in the reference section; you will find the most useful materials there
...

By the way, do you know who the biggest book publisher in the world is? The
United States government
...
You'll learn a lot from
that stuff
...
What I am
saying is that very often people don't realize the wealth of information that is available to them free for the asking - no need to hack
...
You will get to know the kinds of commands that are available to you,
and what formats the systems use for names and passwords
...
All this information will be helpful
to you as
you proceed
...
Borrow some that you don't normally read, or that
you've never heard of before
...

It's amazing what companies will send you, and it's further amazing to think about
all the great tips this information offers to the hacker
...
I know
everything I need to know about all their products, their upgrades, what businesses
use their software - and from that information, I can hack my way around their
products
...

Another, sometimes more practical way to use the library is to find out about
donated books
...
A lot of those books are old technical and company
manuals for computers, software, and operating system procedures
...
If you make friends with them, surely they would prefer giving such
11useless" items to you, rather than discarding them
...
I
even have a very nice and very current set of AT&T security books
...
My favorite note was the one that gave a phone number and group ID
access code
...

Some Unusual Research Methods
They aren't really all that unusual, because after all, anything that works - works!
Any time you get an idea for a new way of discovering more about an online system
or the people who run it you should do your best to act on that idea
...
Anything you manage to find will either
help you get in your present target computer, or get in an-other one some time in
the future
...
Share that knowledge with other hackers and you will be re-warded with
interesting tips that will be beneficial to you
...

Remember - these research methods work
...


Online Computer Simulators And Tutorials
Computer-based simulators and tutorials are often employed in teaching the ways
of the company computer system
...
Tutorials and simulators differ from the actual network in that they talk the user
through a typical use of the system, perhaps showing off special features available
to the user
...

Tutorials and simulators give new users hands-on experience with the problems and
policies of software they will encounter
...
There are several reasons for this
...
Using simulators eliminates these problems since they
can be set up on any computer
...
Or regular employees may want the convenience of being able to borrow
a tutorial disk from the company library to practice on at home
...

How to get them? Simulation programs may be available from corporate, special or
even academic libraries
...
Write to
a software publisher, saying you're interested in making a large purchase and ask if
a demonstration disk is available
...

Simulators and tutorials are great things for a hacker to come across; the
usefulness of them should be self-evident
...

Social engineering is the act of talking to a system user, pretending that you are
also a legal user of the system, and in the course of the conversation, manipulating
the discussion so that the user reveals passwords or other good stuff
...
I was waiting in an office one day to see someone
...
The disk held a program called
ARRSIM (ARRangement SIMulator) which was actually a copy of a program they
used on-line, only with a minuscule database of names
...

When I got home I booted it up and started playing around
...
Apparently it wanted a password
...
I scanned through the disk with a file maintenance utility, but
could find no text (i.e., hidden password) that I had not already seen
...
So why had it asked for a password
when I tried to change an address? Obviously the program had been designed by
your usual paranoid manager who did not trust a receptionist to change a name or
address by herself
...
"It's really horrible
...
' I don't know
why they have that there
...
But it was the password used to get into
the actual network
...

Sorting Through Trash
It isn't really a dirty job, and nobody has got to do it, but serious investigators will
...

It really isn't all that messy going through the garbage of most places
...
Some may be shredded, but mostly not
...
You
want your garbage to be in tip-top shape
...
Then I bring it home to examine what I've collected
...
Much of it is helpful, and most
is interesting too
...

Rummaging around in the garbage bins of various companies, office centers and
other institutions, I have come across: microfiche, computer cards, entire boxes of
business cards, books, a dead cat (really gross), broken electronic junk, and lots
and lots of, well, garbage
...
You can find out a lot about how an organization
functions by its trash, and the way in which that trash is organized
...

Bank bags, by the way, are stapled shut with a paper receipt that tells the name of
the bank, and the time and date of disposal of the bag
...
There are smaller bags containing refuse from each individual's office in the
bank, and then there is the cytoplasm of crumpled forms and discarded paper
tapes from behind the counter
...
In my first garbage heist, one banker was Japanese - he was throwing out
a Japanese newspaper and a Japanese candy wrapper in addition to his bank-related stuff
...
Now the bank director - her
garbage was very interesting
...
From that letter I was able to get the name, address, and room number of
the bank's Branch Automation Department and from there evolved a social
engineer through the mails (see chapter on Social Engineering) which resulted in
myself getting a copy of the disk in question as well as some other very useful
information
...
" Now offices pre" much recy-cle everything, so that
won't do for an excuse
...

Before you even step out of your house the first time, do a bit of phone work to find
out what the garbage situation will be like
...
If
pickup is Monday morning, that's good, since you'll be able to go at night over the
weekend, when no one is around
...

As for recycled white paper, if there aren't any outside bins devoted specifically to
it, you might want to go to the office during the day (if it has a publicly-accessible
area) and take a casual look at the level of white paper in the recycling cans inside
...
Again, you'll want to nab white office paper when the bins are at their
fullest
...
Either surgical gloves, or the kind you use while washing dishes
...
You'll also want
to wear gloves when you're at home sorting through the bags you lifted
...
I'm not talking about real ladders here, although you may want to use
one
...
Find yourself an old chair or hassock somebody's
throwing away, and take it in the trunk of your car
...
Either way, if you have to leave in a hurry
for some reason you can safely leave it behind - after all, it was garbage to begin
with, right?
Flashlight
...
Make the strap just big enough so you can easily slip the flashlight on and
off your hand
...
Make sure the batteries are okay - best
thing is to use rechargeables
...
Not the clear kind
...
After all, you don't want people to see what you've got in them
...
, out of the trash and are not bringing
home whole, intact bags, you should bring along at least one of your own dark-colored garbage bags, to put everything in
...

Appropriate clothing
...
Wear clothes that won't
snag, old clothes, clothes that you don't care if they get destroyed
...
If you know the
company maintenance staff tends to wear baseball caps, or a certain color shirt or
jacket, then by all means dress similarly
...

Empty soda cans
...
You might want to fill up the bottom third
of one of your garbage bags with cans, or maybe leave an open bag of cans outside
the bin so bypassers will be able to figure out for themselves that you're collecting
cans for charity
...
For every pound of cans we bring
in, our school gets three dollars
...
Right now we're in second place, so I want to bring us up to first!" He walked
away and came back with a handful of empty beer cans and bottles
...

Remember: don't carry unnecessary things in your pockets, or things like watches
that are going to fall off your wrist
...
Before you leave the house, do a pocket check
...
This
seems like obvious advice but I can recall at least four different messages posted by
hackers on private BBSs where they said things like, "Jeez! I just came back from
the CompuPhone dump and I forgot to put my ring back on after I climbed out of
the can! Now I'll have to go back there tomorrow!"
On the other hand, you might want to take along a cheap watch or something that
didn't cost much but looks expensive
...
Some have been discarded,
mangled, warped, bent; some have been carelessly lost, in the drive of a public
computer, under a keyboard, behind a desk; and others you will find in their natural
place - lying around on people's desks, in disk boxes, in library reference books,
in file cabinets
...

I am not going to suggest that you actively steal disks that you find in an office or
wherever, but if you can manage to sneak one away for a few days or overnight
without it being missed, then the best of luck to you!
Before I go into what should be done with found disks, let's get our terminology
straight
...
A disk is composed of two parts
...
The square envelope is simply a means of protecting the flimsy and
fragile disk within, and can be horribly mutilated without damaging data on the disk
itself
...
51/4" disks are unprotected in this way; their disks are exposed
through an oval hole
...
Before examining found or damaged disks, you should get ahold of
a cheap, second-hand drive and use that for found disk analysis
...
Never use bad, damaged or
found disks on a good quality drive!
Check Up
Begin a found disk analysis by removing the disk from its paper sleeve if there is
one, and eye-balling both sides for any distinct problems such as grooves, coffee
stains or wrinkles
...
During the
early '80s when home computers first hit the marketplace, there were warnings
everywhere: "Don't put disks by magnets, by your monitor, on your printer, or near
your telephone
...
" And
on and on
...
And certainly the plastic and Teflon they
are made of are cheap enough to throw away, meaning discards are common
...

If there is nothing visibly wrong with the (5 1/4") disk, but you're still wary
(because you found it in a garbage can or in a dusty place or something) you should
carefully hold the envelope with one hand while rotating the disk with the other
hand (using the hub ring)
...
Then turn the disk over and inspect the other side the same way
...

If you suspect that a 5 1/4" disk is filthy, or if there is any dirt at all inside, rotating
the disk may scratch it
...
Take a pair of sharp scissors or a knife and cut off
a very thin strip of plastic from the top (label) edge of the envelope
...
Don't wipe dirt off the
disk - you don't want to scratch it
...

Now look inside the plastic envelope
...
If that's dirty, throw away the envelope
...
Make sure the
reinforced hub ring (if it has one) faces front
...

For 3 1/2" disks, you can first carefully remove the door, then gently pry open the
plastic envelope case with a knife
...

Remove the floppy disk
...
Replace the sliding door if you
can, but don't worry about that aspect if you have trouble doing so - most drives
will not miss it
...
They are still usable but the bending can
misalign your drive head
...
Therefore, never use bent disks on a
good drive, or good disks in your bad drive
...
Put it on a
hard, smooth, flat surface
...
Do NOT try to straighten disks by bending them the other
way
...

Let's look at some other ways a disk can be damaged but still remain
salvageable
...
There are two ways to do it
...
Superzap programs, such as DOS's DEBUG utility,
allow you to alter the data on a disk one bit at a time
...
Then (B) slide out the disk
...
(In single-sided disks,
data is normally read from and written to the back of the disk - the underside, if
you hold the disk label-side up
...

For example, suppose you have found a 5 1/4" disk with unremovable blemishes on
one side only and your drive simply refuses to read the disk
...

Take another 5 1/4" disk, format it, then cut it open
...
The tape should be between the
two disks (thin double-sided tape works best)
...
Insert the taped disks back into a clean envelope, and see what you can
make happen!
Rips And Tears

You can very carefully tape a ripped disk back together with thin transparent tape
...
Once you've gotten all the data
you can off one side, you can remove the tape and repair the other side
...

Imperfections
If a disk looks okay, but will only give you "Read Errors," it is probably physically
damaged on a microscopic level
...
You can push past bad
spots on a disk by manually rotating the disk inside
...
If you manually rotate the disk a little to the left or right, the
new section of disk which you reveal may not have that damage and may therefore
be readable
...

If you never find a readable spot, perhaps you've been duped! Maybe the disk is
blank, or it isn't suitable for your computer
...

A disk that you find in the trash bin may hold corporate data, proprietary software,
maybe even a tutorial or simulation like we discussed earlier
...
Hacking a damaged disk that you have unearthed from a trash bin will lead
you to details you would otherwise never have imagined existed
...

Examining Screenshots
The photographs of computers you see in books, magazines, system
documentation, promotional literature such as posters and pamphlets, government
publications and booklets, as well as the pictures of computers available on
television documentaries, news shows and commercials can all contain valuable
hacking information
...
Or the picture might depict an actual
computer in its natural environment with perhaps an operator visible
...

This can clue you in on what accessing style the system uses, if the password is
displayed on-screen as it is typed, username and password styles, what features
are available, and much more, depending on what the photographs are attempting
to illustrate
...

Knowing error messages and knowing the layout of the screen will make you a
more believable system administrator or low-level user when you attempt some of
the social engineering tricks mentioned later in this book, especially if the
computer system in question is one that is closed to outsiders
...
If a user name is shown or illustrated, it may
be a valid one
...
If in
separate photos taken from separate sources, both passwords are shown being
covered by eight asterisks, that is a good indication that either there is a default
eight-character password used to demonstrate the system, or that passwords are a
maximum length of eight characters
...
Seeing examples of
usernames lets you know if first and last names are required, if uppercase letters
are needed, whether abbreviations or company names or group names are used for
usernames
...
A more generalized
shot may show the computer's surroundings
...
A user might be in the picture; is he or she wearing a name
tag? Are pictures of a family present, or items suggesting a hobby, such as a
mounted baseball or a fishing rod? All available data can be put to use by a
hacker
...
Newspaper and magazine articles are often accompanied by the kind of
computer photo you will want to analyze
...
The specific kind of computer
may suggest ways of breaking in using known bugs or loopholes
...

An additional way computer photographs can help is by looking to the bottom,
usually in the caption, to where the source of the photo is listed
...
This can help in determining phone numbers, means of access, and
also passwords
...
You can see why it is a good idea
to videotape as many computer-related TV shows as you can; you can always fast-forward through the boring parts
...

If you get a lot of static on your television when you freeze a frame, try cleaning
the VCR
...
Try taping just the video part of
the tape you want to freeze
...
Copy the relevant
portion of the tape, and you will have a picture without accompanying sound to
muddy the screen
...

Here's an example of how this kind of photographic detective work pays off:
A hacker named Bellee was watching a behind-the-scenes-at-the-police-station
show on her local cable channel
...
The rest of
the number was invisible due to glare on the screen
...
Some of the access codes being typed
to get into the databank were easily visible or inferable by all who watched the
show, but some weren't
...
Bellee then
dialed each of those exchanges until she found the correct phone number
...
)
Once she got through, she was able to use the login information she knew (a
precinct number, municipality and state were needed) and hack the part she didn't
(she knew she needed an eight-letter password from the TV show)
...

Even widely syndicated shows can mess up by inadvertently revealing important
clues to an observant audience
...

Several times during the course of the story the camera came close to the
computer's screen, where the electronic address of the computer they had hacked
was visible
...
As you can imagine, soon
after the segment aired the account was closed up
...
For example, it is no longer possible to call up anonymously and
retrieve files from that system
...
A tour might
be one that is regularly run for wide-eyed kiddies and their parents, or it may be
one specially set up for you because you say you are a journalist who wants to do
an article on the company
...

That's all good information that can be put to use in guessing passwords
...
This can only help you when you go
home that night and hack the place
...

Now here's a hint I like to make use of, though I get to do so only irregularly
...
That is, when one
image is displayed for an extended period of time, the image gets burnt into the
screen
...
Many of the functions available for staff
use only are visible on the screen and can be put to use or hacked
...
) Other times I've
snuck a peek at the computer behind the counter, and although an innocuous
screen was being displayed at the time, there was worthwhile stuff barely visible,
burnt into the screen
...

These generally concern themselves only with the product or service which is the
group's field of interest, but also include valuable details on the group itself
...
Often there is a helpful listing of what programs are available on
the mainframes
...

Snooping around buildings undergoing reconstruction can be worthwhile, as can
snooping around buildings whose occupants are moving to a new building
...

I remember one building I went to that was temporarily vacated due to
construction, which had tons of cartons, desks and workstations out in the corridors
(they were repainting offices)
...
It was amazing that people could leave their secrets laying out in the
open like that, and yet it happens all the time
...

decade-old literature from a defunct computer users group, programmers' guides,
and other stuff
...
And it was interesting to rescue it from its dusty box on the
top shelf of a closet
...
The first, formal and engraved said, "Computer Room
...

Inside there was a huge and informative operating system reference manual and
two PCs, each of
which had modems
...
You set up the terminal program so that
when you log onto a system, the contents of the script file are sent to that system
...

This is handy, both for legitimate users, and for hackers who happen to gain access
to those script files
...
Always look for such things when you snoop
...
It adds a bit of physical excitement to the
usually passive art of hacking, and it gets you away from the eyestrain of computer
screens for a while
...

Research in any form doesn't have to be undertaken with a particular hack in mind
...
In other words, all hacking
doesn't have to be done on computers
...


Chapter Four
Passwords And Access Control
Three dominant classes of access control have developed to protect computer
installations
...
Sometimes there is a metal clip of a peculiar shape that must
fit into a hole in the computer before the computer will operate
...

Biometric devices are those which look at some trait of a potential user and
compare it to traits previously recorded, such as fingerprints, signature, or
geometry of the hand
...
Thus,
descriptions of biometric and physical keys will be further developed in the on-site
hacking section of this book
...

That is, control is limited to those persons who can prove they have knowledge of
something secret, usually a password
...
Here, then, is everything you need to know about
passwords: how they work, how they are stored, and how they are broken
...
Even computers that under normal circumstances have
no need for security features o
...
Furthermore, systems which are protected by other
means - by magnetic cards or by software alternatives such as encryption - will
double or triple the security of their assets through the use of a password system
...

Passwords are usually thought of as the en-trance keys to a computer system, but
they are also used for other purposes: to enable write access to drives, as
encryption keys, to allow decompression
of files, and in other instances where it is important to either ensure that it is the
legitimate owner or user who is attempting an action
...

They are:
• User supplied passwords
• System generated random passwords
• System generated random passcodes
• Half and halves
• Pass phrases
• Interactive question-and-answer sequences
• Predetermined by code-indicating coordinates
If you intend to hack a computer installation you will first have to figure out which
of these seven password
types are used by that system
...

System generated random passwords and codes may be of several kinds
...
Or, computer-produced passwords
may be taken randomly from a list of words or nonsense syllables supplied by the
program authors, thus creating passwords like nah
...

Half and halves are partially user-supplied, while the rest is composed by some
random process
...

Pass phrases are good in that they are long and hard to guess, but easily
remembered
...
" Pass phrases are used when the
manager of a site is particularly security-conscious
...

Related to the pass phrase concept is the phrase acronym, which security experts
have been applauding as a short but equally safe form of password
...

For example, the acronyms for the two pass phrases above would be "wwtbV" and
"fuon"
...

The sixth password type, question-and-answer sequences, requires the user to
supply answers to several (usually personal) questions: "Spouse's maiden name?",
"Favorite color?", etc
...

These question/answer sessions can be delicious to the hacker who is intimately
familiar with the user whom he or she is attempting to impersonate
...
This can get pretty annoying, especially if someone's in the
middle of an exciting online game when it happens
...
When it was first proposed it seemed like a good idea, but the
bothersome factor has resulted in this method being pretty much phased out
...
In
any case, a set of key prompts are offered by the computer, and the user is
required to return the appropriate responses to them
...

Once-only codes are passwords valid for only one access
...
Once-only codes may also be employed by the system to allow actual users to log in for
the first time; the users will then be expected to change
their password from the one provided to a more secure, personal code
...
Users then extract one code at a time,
depending on external factors such as time, date or day
...

Passwords Supplied By The User
Most passwords are of the choose-it-yourself variety, and due to security awareness
most contemporary programs which ask for a password to be supplied will not
accept words of a certain short length which the program deems to be too easily
"hackable
...
Other
measures to protect users from their own lack of password creativity might be
taken as well
...

Software is available for most operating systems which looks through the
computer's password files, analyzes user passwords and decides how secure they
are
...
This is
one area where your prior research should help you
...


Regardless of how clumsy-brained or brilliant a person is, all people tend to think
alike
...
Even
then, initial assumptions and first conclusions are similar for a given peer group
...

Imagine some of the situations people are in when they are asked to create a secret
password for themselves
...
In any case, the prompt is there on the screen and
with it, a sense of urgency is brought to mind
...
The password is entered quickly, and rarely is it changed to a
better, more secure one
...
If you can
either find out or guess any of these traits of a valid system user, the number of
potential passwords you will have to guess will decrease significantly
...
How many times have you seen that tired
phrase, "You don't have to be crazy to work here
...
Think about the
age and life-styles of the average user whose account you are attempting to
breach
...
"
The easiest way to get a password is to enter it yourself for the user, or to supply
the password to the user who is logging on for the first time
...
(Or they say, "Gee, what's a good secret
password? Oh, I know - " and proceed to spell it out to you as they hunt and peck
at the keyboard
...
On these you will have to use some kind of either brute force
method, observation, social or technical method of password retrieval
...
" Honestly, can you imagine any computer novice sitting
down and entering "fMm6Pe#" as a password? Of course not!
Scrabble rules do not apply here: proper names are allowed in password creation,
as are misspellings, abbreviations, non-words and foreign terms
...
" Whether that's due to bad spelling habits or because he or
she simply likes it better that way is unimportant
...
You are going to
find the letter "k" used in place of hard "c," as in "koka kola
...
"

Some hackers will go through every word in the English language until they find
something that works as a password
...

Complete brute force dictionary attacks are often fruitless, useless, adolescent ways
of doing things
...
However, there are many words that you would almost never expect to
find as a password on a system
...
Real-word
passwords will generally be nouns, ("eyeball," "drums," "kitchen"), verbs, (usually
obscene ones), and perhaps adjectives ("purple," "great," "happy")
...
Also semipopular are passwords with the word "sure" embedded inside them, as in "forsure"
or "fursure," "surething" or "asb" (short for "a sure bet")
...
Examples of keyboard patterns include
"kjkjk," "700u," "WXYZ," "ccccccc," "0987654321," "asdfgh" or "qazwsx"
...
Keyboard patterns will usually be simple repetitions of characters,
portions of columns or rows or every-other-letter designs
...
For example, "05AP" may seem a funny thing to pick
up from a keyboard, but when you know the computer in question has a special
hexadecimal keypad attached, the whole thing starts to make sense
...
The keypad illustrates a principle
smart hackers will follow: That what you
see on your side may be different from
what they see on theirs
...
" If you know the minimum password
length is six characters, don't expect patterned passwords to go much beyond that
minimum
...
Beyond a certain point, guessing keyboard patterns is strictly reserved for
amateur hour
...
Throughout that book, the author
continuously made references to her pet cat, her love of Philadelphia soft pretzels,
her favorite football team, her husband and children, and her newly acquired
interest in computers
...

I knew the author's name, of course
...
It was insanely simple to get her personal ID
number on the system and, yes, within two dozen password guesses, to access the
service under her account
...

This isn't an isolated example! Every day you and I read newspaper articles,
magazine columns, and books - in which the authors give away their computer
addresses so readers can respond
...
Even if an author
doesn't mention personal details in the book, there's usually an "About the Author"
section to turn to for facts
...
If the sample program segments they list entail baseball trivia, you've got
a good idea where to begin a brute force siege
...
I
made the above remarks only to point out some of the lax security around anyone
in the public eye
...
Almost all industries have a yearly
Who's Who published
...
You can get good data from these, and if you can't get
enough good data, print up your own official-looking Who's Who form and mail it to
the person you have in mind at the company
...
This will help
ensure that they mail you back the form
...


One more helpful subterfuge, this one involving socializing with cronies at the
company
...
Say you're from a new trade magazine specializing in that
business's field of endeavor
...
Then call back
and talk to each of their secretaries
...
Typical
marketing questions for trade magazine subscribers include inquiries about
schooling, degrees held, industry awards, trade association memberships, military
service, salary range, and length of service at the company
...
These too are acceptable questions for a
market research surveyor to ask; they are also valuable possible password leads
...
"Do you
know of anyone there who has done anything at all spectacular, or has any
particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone
with special talent? Musical talent, for instance?" Keep going like this; eventually
you'll hit upon something, and you can use the above tricks to find out more about
that person than you ever thought you could
...
The technique is done whenever the hacker has a
specific individual in mind, whose computers the hacker wants to crack
...
One popular stratagem,
mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that
often a chief person in an organization is given an account to demonstrate the
new computer system, under the assumption that setting up a new account is too
difficult or time consuming for the busy leader to do on his or her own
...
("Say, Mr
...

Then make up word banks from the glossaries and indices
...
So you get students of literature using names for
passwords, like "Euripides," "Aeschylus," and in general, a mess of lengthy technical
terms
...
Just because someone's a doctor doesn't mean his password will
be "pericardiocentesis
...

Password Studies

If you think all of this talk about easily guessed passwords is balderdash, think
again
...

One such experiment found that out of 3,289 passwords
• 15 were a single ASCII character,
• 72 were two characters,
• 464 were three characters,
• 477 were four characters long,
• 706 were five letters, all of the same case, and
• 605 were six letters, all lower case
...
It can be done, and sometimes quite easily
...
The worm
had two tactics it used to spread itself, one of which was attempting to crack user
passwords
...
If that didn't work, the
worm had an internal dictionary of 432 common passwords to try
...
As we know, the worm's
method worked superbly
...
You can find it in a
subdirectory called /usr/dict
...
" You can also download this
file or capture it to another computer, if you need a plaintext dictionary file for use
on other machines
...
There is a high preponderance of scientific words, due to the
manner in which the dictionary was constructed
Password Restraints
Most operating systems weren't developed with security as top priority
...
As we have seen, however, too frequently passwords are chosen that are
easy to guess
...
However, if a
user insists on a shorter password, disregarding the plea that security be
maintained, that shorter password will be allowed
...

Passwords are then forced to conform to certain characteristics, such as:
• Passwords must be of a certain length
...

• Passwords must include one or more numerals
...


One or more of these constraints might be enforced
...

Not allowing single-case passwords or strictly alphabetical passwords does add
some difficulty to a guess-attack, but not much
...
The system software
required a mixture of cases (which helpfully informs you, by the way, that upper
and lower case are distinguished by the system), so instead of just trying "popeye",
I tried:
Popeye
PopEye
PopeyE

PoPeYe
popEYE
PopEYE

popeyE
popEyE
PoPeye

and also tried each of these with cases reversed, such that PopeyE became pOPEYe
(in case the user thought of capital letters as normal for computer keyboards, and
lower case the exception)
...
Indeed, when forced to capitalize, who in their right mind
would?
As it turned out, his password was "OliveOyl
...

Again, you can hardly expect Joe User to break up syllables with a number, and the
numbers that are used you should expect to be not more than one or two digits
...
The number will generally be slapped
on as a necessary afterthought
...

Numbers from one through 31 should be most common, along with numbers either
repeating, ending in zero or nine, such as "888," "500" or "1999
...
Cyberspace devotees might do
likewise, as well as using zero for their required number, putting it in place of the
letter "O
...
(Actually, "c001" is usually
spelled 'k001
...
For instance, look at this bit of imaginary program segment:

5   Randomize Timer
100 For i = 1 to 6
110   Char = Int (Rnd * 91)
120   If Char < 65 Then Goto 110
130   Password = Password + Chr$ (Char)
140 Next i
200 Print "Your new password is: "; Password

Here, six uppercase letters are selected independently and concatenated to form
the password
...
The randomness of the numbers chosen is based upon the
randomizer function being used
...
I said "pseudo" random numbers because no matter how
random these numbers may appear to us, to the
computer they are just values plugged into a formula
...
If you have the ability to change the program and save the
changes to disk, or the ability to reroute the password-making subroutine, then
here are some further items to consider
...

statement
...
The problem is this is not going to go unnoticed by the system
administrators (although you might be able to restore the original program before
your change is noticed)
...

Then you can simply plug that piece of information into your copy of the code on
your home computer and reproduce the new user's password
...
" Thus you have a random-seeming
password that can be easily constructed, even by hand
...

(See Figure 5
...
On inspection the password seems random and secure, but
a hacker can determine a user's password using publicly available information
about that user (in this case, the user's last name)
...

Forcing a password in this way can help if you run an electronic messaging or
bulletin board system: users may get so comfortable with their new, secure
passwords (wouldn't you think "rueavz" was secure?) that they transfer them over
to other accounts elsewhere
...
This is risky though, and
unwanted side effects may result
...
Ritchie in a 1986
security bulletin entitled "On the Security of UNIX
...
Each password would be a string of lower case letters and
digits, eight characters long
...
But the hacker knew that the random number
generator could only take 32,768 seeds, and so only that many possible outcomes
needed to be looked at
...
" [Emphasis added
...
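The Randomize Timer line in the BASIC fragment above and the 32,768-seed UNIX generator Morris and Ritchie describe share one defect: the password is a pure function of the seed, so the number of passwords the program can ever produce is the number of seeds, not the number of strings the format allows. The following is an added example, not the book's code and not the UNIX program analyzed in that bulletin. It assumes the scheme the text describes (eight lower-case letters and digits, a 15-bit seed) and uses Python's random.Random as a stand-in generator so the gap can be measured, then shows the CSPRNG replacement a defender would use.

```python
"""Seed-space audit for a password generator.

Added example, not the book's code. ALPHABET, LENGTH and SEED_BITS are
assumptions matching the text's description of the UNIX scheme: eight
characters from 36 symbols, seeded from a 15-bit value (32,768 seeds).
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
LENGTH = 8
SEED_BITS = 15                                      # 2 ** 15 == 32,768 seeds


def weak_password(seed: int) -> str:
    """Same seed, same password: the output depends on nothing but the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def weak_space_size() -> int:
    """Distinct passwords reachable from every possible seed.
    It can never exceed 2 ** SEED_BITS, whatever the format allows."""
    return len({weak_password(seed) for seed in range(1 << SEED_BITS)})


def format_space_size() -> int:
    """Strings the format permits: 36 ** 8."""
    return len(ALPHABET) ** LENGTH


def entropy_bits(space: int) -> float:
    """Work factor of an exhaustive search, in bits."""
    return math.log2(space)


def strong_password() -> str:
    """Replacement that draws each character from the OS entropy source, so
    every one of the 36 ** 8 strings is reachable and none follows from the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def audit() -> dict:
    """Summarize the gap between what the format promises and what the seed delivers."""
    weak = weak_space_size()
    full = format_space_size()
    return {
        "weak_space": weak,
        "full_space": full,
        "weak_bits": round(entropy_bits(weak), 1),   # at most 15.0
        "full_bits": round(entropy_bits(full), 1),   # 41.4
    }


if __name__ == "__main__":
    print(audit())
    print("CSPRNG sample:", strong_password())
```

The audit enumerates all seeds once, which is cheap precisely because the seed space is small; that the enumeration finishes in under a second is the whole finding. The fix is not a longer password format but a seed that is not guessable, which is what the secrets module provides.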
This requires having access to a
minimum of one password, preferably two or more, from a given system
...
If it's a local BBS you're
hacking, or some other sort of system where multiple anonymous logons are
possible, try calling back a few more
times and collect new passwords under different names
...

Once I was going through some new BBSs that had started up and I came across an
ad for a system that was a couple states over but still seemed worth a try
...
I used the
made-up name and address Roger Eichner, 13 Stem Court, North Coast, WA 64203
to log on
...
" I was astounded!
Obviously the program had simply taken the first three letters from my first name,
the last four letters of my last name, and stuck a number at the end!
Or had it? I called back a second time, logging in as a new user with a different
name
...
Now I was not only astounded, but confused as well! Had
the first password been simply a fluke? Was the second a fluke? Was it
programmed to only sometimes use parts of the username? I called back a third
time and again logged on as a new user
...
Now I was pretty positive the first password had just been
an unbelievable coincidence
...

Even though my second two passwords were unrelated to both each other and my
personal data, I thought that perhaps I had missed something that first encounter,
since some of the characters were repeated from one password to the next
...

Logging on with the same name, address, terminal characteristics and everything
else as I had originally done, I received, to my disappointment,
not a computer-generated password but the following astonishing message:
Dear Member:
Sorry about having to go through this again but we've had a problem the last few
days
...
Please note, when asked to supply a
password do not give the one you were previously assigned
...

See General Posting #1 for explanation
...
Joke, had kicked into action a "feature" of the BBS software that
produced less-than-secure passwords
...

Joke
...

Anyway, you can see how it's possible to occa-sionally get some good information
by analyzing "random" passwords
...
There
might be some subtlety to the pattern or, if not a pattern, a bug or strangeness
that you might be able to spot
...
Knowing this does help a little: for a seven character password
of the form WXYZ123, where WXYZ are letters of one case and 123 are numbers,
there are only 284,765,630 possible combinations of letters and numbers, instead
of 456,976,000 - a difference of 172,210,370 passwords! This software was riddled
with bugs, many of which have become famous as the worst blunders in the history
of horrible programming
...
Often users are
entered into a computer system before their first logon
...
Users are supposed to change this easy-to-guess
password to a more secure one, but unless they're specifically shown how or
required to do so, it is unlikely they will follow through
...
In April of
1992, students at a New Jersey university received a memo, informing them of new
over-the-telephone class registration procedures
...

What got me was that first of all, they told students that their top secret PAC was
their birth date
...

After all, how difficult is it to find out someone's birthday? But the PAC is only half
of the "password" - the other part is a student ID
...
IDs are publicly or semi-publicly
available at the student health centers, on computer room sign-up sheets, on
identification cards, class rosters, housing lists and elsewhere! The memo does say
that those concerned with security can come into the registrar's office to change
their PAC, but who's going to go out of their way to do that?
Anyway, changing just those four numbers doesn't do much to stymie the
determined hacker
...
This is as opposed to the mere 366 possible PACs before that
security-aware person changed his or her number
...
A touch-tone auto-dialer can phone
through all of those in about seven minutes, given unlimited PAC-entry retries per
phone call
...
And even if they do, it doesn't matter much
...

Let's move back to our discussion of non-random passwords which are generated by
computer; or rather, passwords decided upon by the programmer or administrator
and selected from data files by the computer
...
During the first week of a college semester, thousands of new
accounts must be created for students enrolled in computer classes
...

So if you want to hack a college system, start early in the semester - before those
passwords get changed by the user to something more secure
...

Social Security (or other ID numbers) may also be obtained through social means
(see the chapter on Social Engineering) or by other forms of chicanery
...
This sheet is then
handed to the teaching assistant, who enters this information as accounts into the
computer system
...
A hand-held scanner/copier makes life easier at times like
these
...
If the
professor doesn't make the roster available for student perusal, make up some
excuse to swipe a look at it
...
Professors will love any excuse that points out slip-ups in
the bureaucracy of the school system
...
Therefore, we may see a trend starting, with SSNs
getting used less and less for identification purposes, and an organization-defined
ID number being used in its place
...

Pre-usage passwords won't always be Social Security numbers or other ID numbers
...

There might be a generic "new user" password which is given to all accounts, which
shouldn't be very hard to crack
...
It may be
necessary to intercept the new user's physical mailbox for that envelope which
contains the assigned password
...
Thus if you login as that
program, the program is executed
...
Some sites also have accounts whose user-name is that of
an elementary command, such as "time," "date" or "who" (which tells you who is
logged on)
...
Often these command
accounts don't have passwords associated with them, which is ironic since many are
given superuser access permissions
...

Other possibilities are trying to get in with usernames "calendar," "cal,"
"sched," "schedule," "whois," "ftp," "who," "lpq," "archie," or other common
command names
...
Access may be gotten by logging in as "info," as
suggested above, but other variations are possible
...

If you do manage to get in this way, first of all you are to be congratulated for a
very successful hack - but then what? If you are interested in gaining higher
access levels or in escaping out of the program entirely, you could have a lot of
difficulty ahead of you
...

Brute Force Methods
Brute force means manual labor for your computer and, usually, lots of it
...
What brute force methods entail is the
inputting of one password after another until finally - maybe - something hopefully
works
...

Brute force methods are usually the first and last thing a hacker does when trying
to break into a system
...
If he
can guess the password right away, or after the first seventy-five or hundred
attempts or so, then that's fine
...
If none of those more sophisticated ways work, then it's back to brute
force for the big finish
...
The "must" is what draws hackers to
it; the "eventually"
is what drives them crazy
...
That
time is spent in research, trial and error, and in writing special programs to hurl one
password after another at the system
...

You may find yourself in a situation where you know nothing about the people who
use a particular system; where common names and passwords have failed; and
where no trick seems to work
...

This could take forever
...
This is a good idea, but only if you use it properly
...
Get rid of the words like "perspectives" that just seem
too weird for anyone to use as passwords
...
If you live in New York, you should begin your
attack by brute forcing New York SSNs only
...
The military uses what is called
the TAC Access Control System (TACACS) to ensure legitimacy of usership of its
network computers
...
The theory behind this decision is that a user reading
his or her access code off a code card can easily confuse I's, O's, Q's and Z's with
other letters or numbers
...
And again
...
This is a simple
program to write, but if you don't have the expertise to do so, plenty of programs
like this are available on BBSs
...
How many times will
the computer system allow you to enter bad name/password combinations before it
logs you off? Three? Eight? If it gives you three chances before saying bye-bye,
make sure your program outputs exactly three name/password combos before
redialing the number
...

If this isn't the case with the system you're trying to get into, you'll have to put a
delay loop in your program to make sure passwords are not being entered before
the cursor is on the screen
...
Otherwise your program will continue to spit out passwords, and the
system operators - who by now almost certainly have noticed what is going on - will
be absolutely furious! Have the program monitor text as it is sent from the remote
computer
...
Either that, or have
it input the logoff command, and print the usable username/password on the screen
for you to see when you wake up the next morning
...
(But from your
research and experimenting you should have some idea what format the username
will be in, so you shouldn't have to try too many variations
...
If you must resort to trying every first name,
make sure you try female and foreign names
...
But remember,
you don't need the current popular names - you need names that were popular and
common twenty or thirty years ago, when parents were naming the people who
work in the company you're trying to break into
...
If
you have the time and patience, you can sit down and enter passwords yourself
...
I must emphasize that no matter
how many precautions you take to eliminate excess work, brute force will almost
always take an extremely long time to bring results
...
If you have to redial the modem
after every three passwords, make sure you're running your attack off a phone line
with Touch Tone capabilities
...

Moving just a few notches up the baud ladder makes a big difference in speed
...
Naturally I decided to do my part to see that I
ate my fair share but by the third reorder, we were getting increasingly frustrated
with the long waits and smaller portions
...
They keep taking longer and longer to come out
with the food, and they give you less of it
...

The techniques used to thwart brute force attacks work on the same principle as
that all-you-can-eat restaurant
...
Therefore, the way to
prevent such an attack from succeeding is to structure the system prompts to
frustrate the hacker into quitting early
...
The computer may then refuse to allow a reconnection within a
certain period of time
...

Another method is to increasingly slow the response time to each successive login
attempt
...
Then a minute
...
The
long waiting periods wouldn't start until the first three or four login attempts were
tried and found unsuccessful
...
Must be a hacker!"
Another trick is the dummy login prompt
...
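The two countermeasures just described, as an added example written from the defender's side (this is not code from the book): a login prompt that disconnects after a fixed number of bad name/password pairs and refuses reconnection for a while, and that answers every further failure more slowly, doubling the wait each time up to a cap. The account, the thresholds and the attempt log replayed at the bottom are constructed for the illustration; the clock is passed in as a number so the logic can be exercised without actually sleeping.

```python
"""Progressive delay and lockout for a login prompt (defender's countermeasure).

Added example, not code from the book. It models disconnecting after a fixed
number of bad name/password pairs and refusing reconnection for a while, plus
a response delay that grows with every further failure. The credential store,
thresholds and attempt log are constructed.
"""
import hashlib
import hmac

# Constructed credential store: username -> SHA-256 of the password.
# (Assumption for brevity: a real system would use a salted, slow hash.)
_USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users fail without a timing tell."""
    stored = _USERS.get(username, "0" * 64)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate) and username in _USERS


class LoginThrottle:
    """Tracks consecutive failures per connection source (dial-in line, IP, ...).

    Keying on the source rather than the account keeps an attacker from locking
    out legitimate users simply by hammering their names.
    """

    def __init__(self, verify, max_failures=3, lockout_seconds=300.0,
                 free_failures=3, base_delay=1.0, max_delay=2400.0):
        self.verify = verify
        self.max_failures = max_failures        # bad pairs before "bye-bye"
        self.lockout_seconds = lockout_seconds  # reconnection refused this long
        self.free_failures = free_failures      # delays start only after these
        self.base_delay = base_delay            # seconds, doubled per failure
        self.max_delay = max_delay              # cap (40 minutes here)
        self.failures = {}                      # source -> consecutive failures
        self.locked_until = {}                  # source -> clock time

    def response_delay(self, source: str) -> float:
        """Seconds the prompt waits before answering this source's next attempt."""
        n = self.failures.get(source, 0)
        if n < self.free_failures:
            return 0.0
        return min(self.base_delay * 2 ** (n - self.free_failures), self.max_delay)

    def attempt(self, source: str, username: str, password: str, now: float) -> dict:
        """Process one login attempt at clock time `now` (seconds).

        Returns {'status': 'ok'|'denied'|'disconnected'|'locked', 'delay': s, ...}
        where 'delay' is the pause the server imposes before replying.
        """
        until = self.locked_until.get(source, 0.0)
        if now < until:
            return {"status": "locked", "delay": 0.0, "retry_after": until - now}
        delay = self.response_delay(source)
        if self.verify(username, password):
            self.failures.pop(source, None)     # success resets the counter
            return {"status": "ok", "delay": delay}
        n = self.failures.get(source, 0) + 1
        self.failures[source] = n
        if n % self.max_failures == 0:
            # Third bad pair in a row: hang up and refuse reconnection for a while.
            self.locked_until[source] = now + self.lockout_seconds
            return {"status": "disconnected", "delay": delay,
                    "retry_after": self.lockout_seconds}
        return {"status": "denied", "delay": delay}


# Constructed attempt log: (clock seconds, source, username, password)
SAMPLE_ATTEMPTS = [
    (0.0, "line-1", "alice", "alice"),
    (1.0, "line-1", "alice", "password"),
    (2.0, "line-1", "alice", "smith"),        # 3rd failure -> disconnected
    (10.0, "line-1", "alice", "jones"),       # still locked out
    (302.0, "line-1", "alice", "puppy"),      # lockout over, delay now 1 s
    (303.0, "line-1", "alice", "temp"),       # delay 2 s
    (304.0, "line-1", "alice", "correct horse battery staple"),  # delay 4 s, ok
    (305.0, "line-1", "alice", "correct horse battery staple"),  # counter reset
]


def run_demo(attempts=SAMPLE_ATTEMPTS):
    """Replay an attempt log through a fresh throttle; returns (status, delay) pairs."""
    throttle = LoginThrottle(check_password)
    out = []
    for now, source, user, pw in attempts:
        r = throttle.attempt(source, user, pw, now)
        out.append((r["status"], r["delay"]))
    return out


if __name__ == "__main__":
    for step, (status, delay) in zip(SAMPLE_ATTEMPTS, run_demo()):
        print(f"t={step[0]:>6.1f}s  {status:<12} delay={delay:.0f}s")
```

Because the delay is computed from the failure count before the password is checked, even a correct guess that follows a run of failures is answered slowly, which is what makes the "wake up to forty-minute responses" effect the chapter describes; resetting the counter on success keeps a legitimate user who mistyped once from being penalised for long.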

The moral of this story is, if you write a password-cracking program, be sure you
monitor its progress
...
When you wake up
the next morning you may find it's been taking forty minutes for the computer to
respond to your inputs
...

Conclusion
Much of this chapter has focused on different "likely" passwords to try when
initializing an educated brute force attack
...
There comes a time when you have to forget about trying to limit the
number of possible passwords to a select few, because your "limited" number will be
as infinite as before you put the restrictions in place
...

The password "Smith" is not secure, and "Jones" is not secure, but "Smith@#Jones"
is as obscure as anything
...
Brute force is
best carried out by computers, and should really only be used when a computer is
necessary to gain access (I'm thinking about Robert Morris Jr
...
The thing is, the whole business of hacking has to do with skill and
knowledge
...
But no one's going to
look down on a hacker who does some educated brute force work, especially if that
hacker has a good reason for doing so
...
And that is the topic of the following two chapters
...

Donn B
...
" At least
it was shocking for me
...

That is how it was at some point in the past, until it became impractical
...
But there are other ways to learn passwords; social
engineering is one of them
...
The alternate term for
this is "bullshitting the operator
...
Here I will list
many of them
...
Some twists I
will examine, others will be left for you to creatively imagine
...
?"
I think I've never heard of a verifiable instance where this has worked, though
there are rumors that hackers have simply requested -and received - passwords
from system users
...

Give me a low access account and I will use my skills to show you what your
system's weaknesses are
...
"
The other way to do this is to call up someone - anyone - a secretary in an office
for instance - and just ask, "What do you type in to start the computer in the
morning?" Will this work? Well, you would have to be lucky enough to call someone
who's fed up with his or her job, and who doesn't know any better about security
procedures
...
More likely you will want to bone up on your acting
skills and try some telephone shenanigans
...
Let's say you're trying to get into a
company's computer system
...
You call up the
computer department (from your home or wherever) and this is the conversation
that follows:
PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department
...
Maybe
you could help me
with a problem?'
JACK: 'Maybe
...
Will you talk me through it?"
JACK: 'Sure
...
"
JACK: 'Okay
...

You see it there?'
YOU: 'Yes, okay
...
Okay
...
'
YOU: "To what?"
JACK: 'Uh, boot up
...

YOU: "Okay, it stopped
...
It worked up to
here fine before, but after this, it didn't work
...
This is my first day here
...

YOU: "Enter
...

JACK: "Now type 'TEMP' spacebar 'PUPPY'
...
Oh!"
JACK: "See?"

YOU: "Thank you, Jack - I don't know what went wrong before!"
Now I want to run through this conversation again, this time pointing out some of
the essential components of all successful social engineers
...
"
YOU: "Hello, Jack, this is Gary Harris from the Researching Department
...
This is done to make the person on the other end feel more comfortable
talking to you, and to show that you're not afraid to reveal who you are or what
business you do for the company
...
Unless you have a company directory as reference, you
won't know the exact names insiders use for each of the various segments of the
corporation
...
Even if you say "department" when you should have said "committee"
or "room," the fact that the technician used that term will make you sound, in his
ears, like an employee
...
Also piques his
curiosity as to what could be wrong with his system, or your use of his system
...
He will then go overboard
to show you how smart he is
...

Also, notice the mention of the word problem
...
Mention in a vague way that there's a problem with his system, and he'll go
crazy: just open your ears and let the passwords roll right in!
YOU: "Well, I'm the first one here
...
It won't always be possible to call before the
workday begins, but it sure does help if you can
...
But technicians won't always be available before anyone else at the
office, so this won't always work
...

Then you'll be able to say that the other people in the office shut off the computers
and went home before you had a chance to finish your work
...
and I can't seem to get things started up
...
After all, dialing into the company's computer system from
your house could look very different from actually being there, using it in person
...
The "Will you talk me through it?"
request begs him to do something he does by rote every day
...
For example, if you had simply
said, "Can you help me?" he might want to walk over to your office to help you out
...

JACK: "Okay
...
You see it there?"
YOU: "Yes, okay
...
Okay
...
It's good to have an actual computer next to you, so he or she can
hear the power being turned on and you clicking away at the keyboard
...

YOU: 'To what?"
JACK: "Uh, boot up
...
"
YOU: "Okay, it stopped
...
You
don't want to pretend you've been living in a cave the last three decades, however
...

Don't forget that the conversation has a plan to it - you're trying to steer the
conversation to your benefit, so make sure you stay in control of where it's heading
...
But
above all, it keeps you on track so the conversation can continue toward its
ultimate reward
...
It worked up to
here fine before, but after this, it didn't work
...
This is my first day here
...
"), but what if
you guess wrong? What if at this point an office worker is placed at the DOS
prompt or Macintosh Desktop? You see, it could be that dial-in lines are password
protected while in-house computers are not
...

In this instance, you've used the "new person" ploy
...
Saying you're from a temporary
agency may or may not be a good idea
...
The technician might not
know that, however, and in any case you can always say that your supervisor is in a
meeting and told you to call the computer department for advice
...
'
YOU: 'Enter
...
'
JACK: "Now type 'TEMP' spacebar 'PUPPY'
...
Oh!"
JACK: "See?"
YOU: "Thank you, Jack - I don't know what went wrong before!"
The "Okay
...
Thank the technician profusely for his help, and reassure him that you are
a genuinely naive but responsible member of the company (in this case, by saying
you don't understand what went wrong before)
...
I can recall dozens of
times when I personally have been asked how to do something that the user has
already done before, without getting it to work
...
My experience has been that these calls usually end
with the person who has been helped grouchily saying, "But I tried that before! It
didn't work before!" So make sure that you are nice to your technician - you may
be needing help from him or her again and it will certainly boost his or her ego to
know you appreciate the help you have received
...
When a new computer
system has been installed in an office, there will often be business cards or phone
numbers taped near the terminals which are used to contact someone from the
technical department of the company which supplied the computers, to deal with
bugs that haven't yet been worked out
...

Crane your neck if you must to get the name and number off the card (or simply
ask the person, we don't al-ways have to do everything on the sly!)
...
Call the number
and say, "Hi, this is Lauren from Booboo, Insurance
...
And
let them lead the way
...

I copied off the information, then called up, saying, "This is Jack [a guy named Jack
really worked at the library] from Whoopie Library
...
The computer's behind the
counter, so I don't know what it was doing in PA mode to begin with, but
...
In a military setting, pretending to be a high
ranking officer can put fear into the hearts of any lowly receptionist
...

In either case, both of you are pissed off that your computer isn't starting up the
way it should
...

Don't whine or complain just make angry demands
...

In a corporate milieu, pretend to be the CEO or the president, or secretary of a CEO
or president, especially in organizations where it is well known that the leader is a
hothead
...
The anger routine is useful
because the person who picks up will want to be rid of you as fast as possible, and
will do anything to get you off his or her back
...
Just the mention that you are whoever you say you are will work wonders
for your credibility (who else would possibly dare to proclaim themselves General
So-And-So?)
...

This is a sample encounter:
PERSON ON OTHER END: "Good afternoo-"
YOU: "THIS IS GENERAL FROBBS
...
I HAD MANY IMPORTANT
DOCUMENTS SAVED THERE!"

PERSON ON OTHER END: "Did you try typing 'GROUP
...
'
YOU: "THAT'S THE DAMNED GROUP CODES! I NEED MY OWN PERSONAL
ACCOUNT BACK! I
AM APPALLED!
PERSON ON OTHER END: 'I'm sorry, I can't help you with your own codes
...
Even if the person on the other end never does manage to find the
general's password, at least you've ended up with not just one, but several accesses
to the system
...
Here you pretend that something has gone wrong with a place's
computers, and you are the technician who is calling to fix it
...
You call up
his secretary, and you say something like this:
"Hello, this is Jake McConnel from Computers
...
'
You say, "Yes! That's exactly it! That wasn't your fault - there's something wrong
with the computers, and we're having trouble fixing it
...
"
The secretary will not be suspicious; after all, you've identified yourself
...
The secretary
doesn't understand computers and doesn't want to
...
This is a very effective ploy
...
It'll be harder to work effectively
...

If the system you're breaking into is a place you have access to, such as a library,
dentist's office, bank or school, you should do a little research and figure out when
the best time is to make your call
...
" At around 3 o'clock every afternoon, the computers suddenly slow down to
half their usual speed
...
I don't know why the computers slow
down; maybe the system gets the most use at 3 o'clock, or maybe at that time
information is forced to travel through an alternate route to get from the library's
terminals to the mainframe located at a college on the other side of town
...

I've noticed another thing: The library patrons who don't realize that there's
nothing wrong with computers (who don't know that they always slow down around
that time) call up the "computer room" at the college and ask why their computers
are down
...
Especially in university settings, this is true
...
On the other
hand, some systems will actually get faster as the day proceeds, so research is
always a must
...
This is because data is stored on a dual-tier basis
...
Users connect to the semi-local
minicomputers, called Local Site Controllers, and as they use the system, data is
copied from the far away mainframes, to the local minis
...

It's good to be aware of pace trends in the places you intend to social engineer
...
Good times don't have to just
be when the computer changes pace; if the workload, noise-level, number of
customers, or some other aggravating condition worsens during a particular time,
that is generally a nice time to social engineer
...
Find out when the office is
busiest
...
Ask a question about something, and if they seem to be
having trouble when they look it up in the computer, call back as the guy from the
computer department
...
Just make sure
they're not so busy that they don't have time to schmooze on the phone with you
...
Social engineering has been
successfully used to gain access to corporate networks, schools, government
offices, and other systems
...


Other Hints
If it's possible to research the place, do so beforehand
...
If it's a public place like a library, for example, then try to figure out
which people working there know nothing about computers
...
Also, make sure you identify yourself as so-and-so from the
computer department (or computer division, or section; if the person answers the
phone, "Hello, registration office," then use the same terminology - computer
office)
...
If you can't get the login information the first time, try again at a
different time, on a different day
...

A friend of mine, Bill, told me this story
...
As the woman was taking his order, she casually
mentioned that she was doing everything by hand because the computers were
down
...
She said she didn't know, but
she was pissed about it because computers in other parts of the building were
working fine
...
May I help you?"

BILL: "Yes but actually I called to help you
...
Are
you still having problems with the computers?'
OPERATOR: "We sure are!"

BILL: 'Oh, okay
...
"

BILL: "Oh I see
...

OPERATOR: "Yeah
...
Now would be a good time to try
...
Nothing came on the screen
...
No
...
Try typing in all the stuff you usually type in when you first turn
on the computer
...

The operator went on to give Bill all the information he needed to know
...
I'll go back and tinker around some more
...
" Of
course, he still didn't have a phone number to call
...
But now
he knew how to go about logging in to Shark Radio Supplies's computer system,
and he had made a friend on the inside
...

Having an inside friend was important because now Bill could use her as a further
information source, if the need ever arose
...
You will speak to receptionists and other company
insiders who know the lingo, know policies and screen setups, and know how to
spot a fake
...
Here are
some samples and possible solutions
...
Green in our
computing department
...
"
YOUR RESPONSE: 'Yes, I know
...
Maybe
later today
...

YOUR RESPONSE: "Oh yeah, Jack -right!"
RECEPTIONIST: "I won't be able to help you until I have your staff ID
...
I'm just a temp
...
'
RECEPTIONIST: "Just read the number off your ID badge
...

My supervisor said
she would give it to me tomorrow, maybe
...
"
RECEPTIONIST: "Who's your boss/supervisor/manager?
YOUR RESPONSE: "M______. Do you know anything about him/her?"
(You should've done your research, so you should know the answer to this sort of
question
...

Something with an 'S' - Schindler? Schindling? Schiffer? Schifrin?")
Here's a different situation:
RECEPTIONIST: "But I don't have a computer!"
YOUR RESPONSE: 'I'm sorry
...
Is M_______ available?"
(M_______ is the name of the receptionist's boss
...
This is just another way of
gaining credibility points
...
It's really loud here with that
construction they're
doing next door
...

Miscellaneous Social Engineering Tips
To improve your chances of getting in with social engineering, here are some tips
...
If you speak to a
receptionist or other worker on the bottom of the pay ladder, he or she may not
want to chit chat or fool around with computers if he or she's being monitored, or if
calls are being screened by the boss
...
Write down the four digits that
appear on the box (these are the last four digits of the phone line that the terminal
is hooked to)
...
Call a couple times at different times of day to
make sure the line is always busy
...
This is especially true of sysops who suspect you're a hacker and want to see
if you're brave enough to give them personal identification information about
yourself
...

Just giving them a number will usually relax them enough so they feel you are one
to be trusted
...
Say, "Are
you sure that's really the one you use?" Secretaries may have two passwords
...
The other is
their boss's password, a higher level one that they know about because, frankly,
secretaries know everything about an organization
...
Second guessing them shows that you already knew the
correct password, and that you caught them in a lie
...
Then
quickly change the subject
...
Before using this tape, try to take a tour of the company and
listen to the real sounds made during the work day
...
Remember that if
you're the "first one in the office" as with our naive user example, you don't want
the tape to include background chatter or typing!
When you're talking to people, even if it's just over the telephone, keep a smile on
your face and act in a jovial, friendly manner
...
If the person picks up the phone with a, "Hello, General Widgit Corporation,
Lulu speaking," you respond with, "Hi Lulu! This is
...

Now Lulu doesn't know if you two have met before, and as you continue with your
friendly attitude, she will begin to treat you more like a friend
...
, to get more ideas
...
Often
a company telephone will make a different sort of ring, depending on whether the
caller is on an inside or outside line
...
To fix that, call a wrong
office or department in the company, and have them transfer you to the number
you're after
...
May I help you?"

YOU:"I'm sorry, I guess I dialed wrong
...

Another way to get that desirable inside caller ring/light is to dial, not the listed
number, but one next to it
...
So if the listed number to call is 1234567, try calling 123-4568, or something a few digits higher or lower
...

Another thing to consider is if you're trying to reach a higher-up in the corporation,
you may only end up contacting secretaries, receptionists and/or other underlings
...
For example, suppose I want to try social
engineering Mr
...
But I can't
get through to speak with him personally
...
Colt, who is
either a same-level, or higher-level manager, and I ask her secretary to connect me
with Colt personally
...
Colt handles only the rubber band
accounts, not shoes
...
Palooka about that one; would you like me to connect you?" She will
then trans-fer your call to Mr
...
Palooka's secretary comes on
the line, and you say to her, "Hello
...
Mrs
...
Palooka about shoes
...

Palooka
...
But the goal of social
engineering doesn't just have to be passwords
...
Conversations may take place in
person or through the mail
...
The second is more suited to those who find it difficult to ad lib telephone
SE conversations
...
The impersonation
may be of an individual person (the president of a company who demands to know
why his password isn't working) or of a generic person (Gill Technician, calling to
ask if any computer problems have come up)
...
If
the conversation starts to go sour, a telephone can be hung up; if a face-to-face
talk gets out of hand, it could be difficult to get out of the building
...
Make yourself look like you just stepped
out of a fashion magazine
...
Females, wear
suitable business attire
Many kinds of SE that work over the phone won't work in person
...
Because of this
the information you get from bullshitting in person may be minimal or only
peripheral
...

Pretending to be interested in wanting a job at the firm, or going on a tour of the
place, or simply squeezing in and wandering around on your own, provide lots of
good data on how employees interact among themselves
...
Being a security guard is also a nice ruse
...
You make up a
survey, and stand in the lobby of the building with a pen and clipboard, and get
people passing by to fill one out for you
...
Then you go home and try all that
stuff as passwords
...
For
example, that completely filled out forms will be entered in a raffle; winners get
tickets to a local show, or a free meal at a nearby restaurant
...
)
Written Engineering
Social engineering may be done through the mail or through other forms of written
contact with users of a system
...
If you don't want to wait around in a
lobby all day, just leave out stacks of the forms with either a drop-box or an
address to mail them to
...

Other written ruses take the form of advertisements
...

"Become a System Manager! Great Experience!" Have interested folks mail you a
post card with their name, address, desired password, and possibly the machines
they currently have access to on the net
...

Have them address the postcards to something like "X University, Computer
Science Department, Roger Hamm's Office" followed by your address
...

Two Manhattan hackers tried this stunt
...
They went to local area libraries and borrowed all
magazines they could find that had this ad in it
...
" Then they returned the
magazines to the library
...
!" When that was done, one of the
hackers would come on and ask the caller a few questions: "Where did you hear
about this program?" "Have you ever subscribed to X-Net in the past?" "What other
fee-based bulletin boards, or other computer networks do you belong to?" "When
you call up X-Net, what would you like your sign-in name to be?" "And your secret
password?" "Are you sure you're going to remember that password? Perhaps you'd
like to choose something else?"
In this way, they ended up with a dozen names, computers they visited, and one or
two passwords to try out
...
Advertising can also be done by slipping a printed card
into the magazine, or by advertising on BBSs
...
When users log on
they will see what appears to be the usual opening screen, but is in reality a
simulation which you programmed
...
(Otherwise, respond with a message like, "Line is busy" or "Connection
can not be established
...
)
After "connecting" to a computer or network, the program continues its simulation,
collects the user's name and password, then aborts due to erratic line noise or some
other ghastly problem
...

Request For Information
And now, back to some pure social engineering through the mails
...
Journalistic morality
generally prevents dangerous secrets from making their way to the mass media,
so the exact details of system security failings won't make it to print
...
" Or you'll see things like,
"Company Y has released a warning about its Component Z, which is supposed to
keep unauthorized users from penetrating a system
...
You
can try the annoyed approach:
Dear Mr
...

My business operates under the assumption that our data is secure because of
Component Z
...

I expect a quick reply
...
Abel Jones:
I was dismayed to read in Friday's edition of Computer Magazine that your
Component Z is defective
...

Please send an explanation of the problem in the enclosed envelope, so that my
technicians may remedy the problem as soon as possible
...

Sincerely,

I'm divided as to whether or not you should mention specific threats in your letter
to the company or organization
...
But on the other hand, they're going to be receiving many letters
similar to yours, most of which are legitimate
...
For added effect, type the address on the envelope, and instead
of stamping it, run it through a postage meter
...

If the company refuses to help you without proof of purchase, well then, you're on
your own
...
There are also plenty of computer security
associations, organizations and other groups which will have the particulars of the
loophole
...
Try to speak to the person who reported
the story
...

As the director of PinkyLink, America's largest on-line information service, I was
shocked to discover that a theft of several backup tapes took place over the July
6th weekend
...


While your name was, luckily, not on that stolen tape, there is still some threat to
you
...
Therefore, we request you fill
out this application and mail it back immediately in the postage paid envelope
provided
...
Once received, we will
update you to this new, secure ID
...

Name
Address
Zip
Day Phone(_)
Night Phone(_)
...

Please keep a copy of this for your records
...
It looks authentic, having the logo
and letterhead of the service, and arriving in a metered, typed envelope
...
It's simply the
cheapest and easiest way to update hundreds or thousands of pieces of user
information
...

And what about that 75% deal at the bottom? That makes Joe twice as likely to
respond to the letter
...
And the return envelope is postage paid!
Of course, PinkyLink probably has an on-line way for users to change their
password, but you don't have to mention that when you write a letter like this
...
Before you
send out something like this, be sure to look at real examples of PinkyLink's
correspondence, to get an idea of the kind of paper and printing used, sizes of
fonts, coloring, etc
...
Later we'll talk more about how monitoring BBS
activity can pay off
...
The Post Office considers such
activity postal fraud, even if you're just doing it for laughs
...
Before you go and do something stupid, you might want to read Chapter
Fourteen
...
Consider, when you social engineer someone,
that person
• may have been warned about security leaks
• may be knowledgeable about social engineering tactics
• can not verify your claimed identity
• might know you are not who you claim to be
• has no reason to assist you, and can give you wrong or misleading information
• can report your call to a security manager
...

Considering the above list, would you divulge confidential information to someone
asking you for it over the telephone?
That's the problem
...
However, results from RSE are so strong - and often so humorous - that it provides a flashy alternative to other methods of breaching system security
...
No system is perfect, and
clearly the list of flaws from the previous chapter shows that there are deficiencies
in the usefulness of social engineering
...
However, reverse SE can only be used in
specific situations and after much preparation and research
...

Don't expect this technique to be your bread and butter as you are first introduced
to the world of computer-criminal culture
...
Here is a comparison
chart that shows some of the pros and cons of each form
...

REVERSE: They place call, are dependent upon you
...

REVERSE: They appreciate your help and concern, will oblige you in the future if
ever you need
assistance
...

REVERSE: They need help from you
...

REVERSE: All problems are corrected; no suspicious loose ends
...

REVERSE: You retain complete control of the direction and subject of conversation
...

REVERSE: Lots of pre-planning required; previous access to the site is needed
...

REVERSE: Only can be used under certain circumstances
...

The reverse to this is that a legitimate system user has difficulties, and he or she
asks you, the hacker, for assistance
...

An RSE attack consists of three parts:
• Sabotage
• Advertising
• Assisting
Sabotage is an initial brief contact with an on-site computer, during which the
hacker causes a malfunction of some kind that will need correcting
...

Assisting is the conversation in which you solve the user's problem, and the user
unknowingly solves yours
...
Let's
step through that list of bad stuff about social engineering that was given
previously, this time demonstrating how reverse social engineering overcomes all
of those problems
...
Even if the other
party doesn't know about "SEing" per se, he or she may take "Don't
reveal the password" warnings seriously enough to see through your bull
...
You can't
always guarantee that will happen
...
Consequently he or she
believes you are trustworthy, a member of the company or approved by the
company, and one who already knows passwords and protocols anyway
...
In fact, it won't even be thought
of as "divulging" since the person you speak with will just matter-of-factly spill his
or her guts to you without hesitation
...
It
takes a backwards approach to the problem of getting users to talk, and so it won't
be recognized by a person familiar with conventional hacker tricks
...
He or she needs your help to correct the problem; he or she
realizes that if he or she doesn't cooperate, you won't be able to assist
...
Besides, you never know if the person on
the other end of the line has been tipped off that you are lying about your identity,
using cues such as Caller ID, a distinctive in-house telephone ring, or a knowledge
of employees and protocol
...

BUT in reverse SE, those who know the words of passage have no reason to suspect
you of deceit: you are the one they call for advice
...
In fact, when they call you, you can legitimately
request that they identify who they are
...

Has No Reason To Assist You, Or Can Give You
Wrong/Misleading Information
What does the social engineered person care whether you are helped or not? I
know if I were a busy back-stabbing office worker or receptionist in the midst of a
hectic day, I would be furious if some idiot on the phone asked me to give up a few
moments of my time to tell him things he probably shouldn't know in the first place
...

On the other hand, reverse social engineers know that the people they are speaking
with require their assistance
...
That power user knows he will get the
solution when you reveal it to him so he can solve it himself the next time it occurs
...
She
can then go off and tell others about your attempted pilfering of passwords
...
None of this will help you get in later on,
even if it doesn't immediately get you caught or hurt your chances of penetration
...

On the other hand, reverse SEing is sure to make you a friend on the inside
...

The preceding explanations were motivated by three goals
...
Yet my main concern is this: Social engineering can not remain as a
mainstay of the modern hacker's bag of tricks without word getting out to ordinary
computer users
...
Ordinary users are reading more in the mainstream press about how we
hackers break into systems
...
The systems themselves contain warnings not to reveal anything to
anyone; their employers tell them that, their conscience tells them that
...

I doubt strongly there will ever come a time when all computer users know enough
not to blab
...
Then, if a
naughty word is spoken, it can be detected and eradicated before the electrons that
compose it leave the confines of the building's wiring
...

Reverse Social Engineering
Sabotage Methods
The first step of RSEing is to disable the target computer or the user's ability to use
that computer
...
You want to do something that is hard to detect yet easy to correct
...
Examples: default
printer port, screen colors, macros, obscure printer codes, technical peripheral
settings
...

Example: if
• WP
...
$A$
...
Examples: switch a color monitor to monochrome mode;
reverse disk drives;
disconnect or loosen the keyboard, or unplug the computer or surge protector
...
User won't know why program fails to
run
...

WARNING!
••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
Sabotage should not be permanently harmful to the user or the computer! Do NOT
delete files or directories: they may become unrecoverable
...
Do NOT sabotage in a way such that the operating
system refuses to boot: they may not have a bootable DOS disk handy when they
call you later!
••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
RSE Case Study:
The Translation Table
A hacker and phone phreak nicknamed Phlash - because of the speed with which
he'd managed a number of great hacks - was once almost resigned to the fact that
he couldn't get any information about the computers at a particular embassy
...
"I tried bullshitting them, but they
wouldn't have any of it
...
And once on,
they only gave you two chances before disconnecting you
...
"
From scavenging around in the trash bins he found evidence that at least one
computer there used a particular cheapo-brand modem
...


Sometimes people want to be able to press a certain key on their keyboard, but
have it come out as a different key on the computer they're connected to
...
To really send a Backspace to the
remote computer, you might have to type Control-Backspace
...
A translation table is a file that contains each key you
can type, and the character that is to be sent through the phone lines when you
type that key
...

Translation tables also work the other way
...
If you want
to get rid of annoying linefeeds in a file, for instance, you can set up the table so
anytime it sees a Control-J, it translates it to a null, or to a tap of the spacebar
...
He took a
copy of the terminal program and composed both an incoming and outgoing
translation table, both of which were made to jumble characters
...
Any data they received would be
totally garbled gibberish
...
His INSTALL
program looked in the directory for the already-installed terminal program, moved
any existing translation tables to the floppy disk, and copied his newfangled tables
over
...
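To make the translation-table mechanism concrete, here is an added Python example; it is not from the book and not Phlash's terminal program. A table is simply a 256-entry list indexed by the byte typed (outgoing) or received (incoming). The particular key mappings (Backspace sent as DEL, an incoming linefeed shown as a null), the seeded random permutation used as the "jumbling" table, and the sample text are all assumptions chosen to match the description above.

```python
"""Added example: terminal-program translation tables as described above.

A table is a list of 256 ints: index = byte typed (outgoing) or received
(incoming), value = byte actually sent or displayed.  The concrete key
mappings and sample text are assumptions, not taken from the book.
"""
import random
from typing import List


def identity_table() -> List[int]:
    """Table that changes nothing: every byte maps to itself."""
    return list(range(256))


def outgoing_table() -> List[int]:
    """Outgoing table: the local Backspace key (0x08) goes out as DEL (0x7F),
    the byte many remote hosts actually treat as 'erase'.  Assumed mapping."""
    table = identity_table()
    table[0x08] = 0x7F
    return table


def incoming_table() -> List[int]:
    """Incoming table: a received linefeed (Ctrl-J, 0x0A) becomes NUL so that
    CR/LF line endings show as a single line break.  Assumed mapping."""
    table = identity_table()
    table[0x0A] = 0x00
    return table


def translate(data: bytes, table: List[int]) -> bytes:
    """Apply a table byte-for-byte; this is all a terminal program does with it."""
    return bytes(table[b] for b in data)


def scrambled_table(seed: int) -> List[int]:
    """A 'jumbling' table in the spirit of the Phlash story: the printable bytes
    0x20-0x7E are permuted at random; control bytes are left alone so the session
    still looks alive (prompts arrive, Enter still works, the text is gibberish)."""
    table = identity_table()
    printable = list(range(0x20, 0x7F))
    shuffled = printable[:]
    random.Random(seed).shuffle(shuffled)
    for src, dst in zip(printable, shuffled):
        table[src] = dst
    return table


def is_permutation(table: List[int]) -> bool:
    """True if the table is reversible (every output byte has exactly one input)."""
    return sorted(table) == list(range(256))


def inverse_table(table: List[int]) -> List[int]:
    """Undo a permutation table.  Only valid when is_permutation(table) holds."""
    if not is_permutation(table):
        raise ValueError("table is lossy; it cannot be inverted")
    inverse = [0] * 256
    for src, dst in enumerate(table):
        inverse[dst] = src
    return inverse


if __name__ == "__main__":
    prompt = b"Login: "                                  # constructed sample traffic
    jumbled = translate(prompt, scrambled_table(seed=7))
    print(jumbled)                                       # gibberish on the victim's screen
    print(translate(jumbled, inverse_table(scrambled_table(seed=7))))  # back to b'Login: '
```

The point of Phlash's INSTALL step shows up in inverse_table: a scrambled table is harmless to anyone who still has the original table, which is why his installer moved the existing tables to floppy before copying his own over. Note also that outgoing_table is not a permutation (0x08 and 0x7F both come out as 0x7F), so the far end cannot tell which key was pressed; a table that collapses bytes loses information, while one that merely permutes them only hides it.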

He gave explicit instructions for the installation, then concluded with, "Any
questions or comments should be directed toward Sr
...
" And he mailed it to a top person at the
embassy
...
"Actually, they had tried calling before but I had
been away," Phlash told me later
...
Of course it didn't work
...
So we tried that
...

Finally I decided it was in her best interest to try going through the reinstallation
again
...
Of course now I also had all I needed to get into two important government
accounts!"
Phlash said that he was getting so caught up in his pretend role that he almost
forgot to get the passwords and phone numbers
...

Unlike typical reverse social engineering, this particular case involved no physical
entry of the computer site
...

How to gain access is touched on elsewhere in this book
...

This can be done by giving explicit instructions such as: "Type 'rename WP
...
EXE
...

So how to get around this obstacle? You have to give instructions which will soothe
the wary user
...

For example, "Go into the word processor directory and type 'SETUP' and press
Return
...
" In this case, SETUP was a file that
you put on the disk, which contained the renaming instruction, and also a command
to delete itself at the end of its run
...

RSE Advertising Methods
Here are five general advertising techniques that can be used to get them to call
you:
Switch notes
...
Elite hackers will simply dial into their local telco computers and
change the number of a local pay phone to the listed computer help desk number
...

Post a public message
...
Put
these signs up all over, or drop them as flyers on people's desks, especially in view
of the computers you sabotaged
...
Call up the day before - or even a few hours before - the
sabotage and tell the person who answers about the computing department's new
phone number helpline (your number)
...

Ask if he or she is the only one who uses that terminal; if the answer is "no," tell
the person to make sure others know about the new number too
...
Get a company's internal phone directory and add your number
to the list, either by crossing out the existing technical support line and writing in
your own, or by inserting a visible printed addendum to the book
...
When doing the initial sabotage, see if you can post a note on
the bulletin board (electronic this time!) concerning your computer helpline
...
For
example, rename WP.EXE, then create a simulated word processor which crashes to
the operating system after the first few keystrokes, leaving behind garbled
characters and colors, and this message:

XERROR 3 --- Consult fdox 900
...
That is,
do that unless you have managed to appropriate an inside office or phone (by
sneaking into an office while someone's away on vacation, for example)
...
But is it worth the effort? Why not just stick with the easier
social engineering and not worry about the remote possibility that the guy on the
other end will be wise to you?
Well, first of all, that's foolish
...
You must, in many
circumstances, assume that they know what you're up to when you're bullshitting
them
...

Another factor, one related to both this and a remark I made earlier: when you
reverse engineer a situation, you create a friend on the inside
...

If you've proven yourself to some user by solving their
computing problem, you can then call back a short time after breaking in and ask
questions like, "Hi, remember me? I helped you with that problem
...
You might want to tell them to call
you if they ever hear about "hackers" or whatever
...

The continuing loyalty and assistance you will receive from the inside is well worth
the beginning trouble you may have in setting up the sabotage
...

Personally, I've never hacked a mall computer - but the potential is there - and the
motivation to do so is there as well
...
The
computers at the mall have a secret side - the general public is not supposed to be
able to change around the names of the stores on the computerized map of the
building - but there is a way of doing just that
...
All public computers have a
secret side
...

This chapter addresses two aspects of publicly accessible computers:
• How to get into the behind-the-scenes parts, and
• using public computers to collect information you're not supposed to know about
the people who use them
...
Even if a general-access computer doesn't have a
modem hanging off the back, or does not allow out-dialing, hackers can benefit by
using the computer to gather information about legitimate users of on-line
databases, school networks and other computing systems
...
However, the place they are most often seen is at libraries;
consequently, the following discussion is based mostly on the computers found
there
...
They fall into three groups:
• CD-ROM databases and information computers,
• public access terminals, and
• general purpose microcomputers
...

CD-ROM Databases And Information Computers
CD-ROM databases, like InfoTrac and News-Net, are computerized listings of
periodical articles, updated monthly
...
Some libraries have CD-ROM
encyclopedias, and many government depository libraries will have databases
listing government publications available
...
All of these computers are useful to the hacker only
for the information they carry, due to the fact that they are set up on independent
machines, without modems, and without access to telephone lines
...

Finally - this is rare and a bit odd - but occasionally you will see a computer being
used as a "guest register"
...
The purpose of this sort of computer setup is to keep
a timed and dated record of who uses the public facilities
...

Unlike databases and tutorials, there is a bit more you can do hacker-wise with a
guest record computer, though not much more
...
This information could
be helpful if the facility in question is a computer room
...

If the guest register program itself doesn't let you see who was there before you,
try exiting out to the operating system and checking for relevant data files
...

Access to CD-ROM databases and information computers is not usually of much use
to the hacker
...

Public Access Terminals (PATs)

These are usually dumb terminals (although sometimes you see IBM compatibles)
set up in libraries as electronic card catalogs
...

These systems allow library patrons to search for materials (books, magazines,
videos) by various search restrictions; to see the current status of materials (On
the shelf? Charged out? Overdue? Missing?); place holds on items; get library
news, and other library-related functions
...

The challenge to the hacker is this: He knows there is a secret side to every library
computer
...
There is the publiclyaccessible catalog, and the private stuff
...
These private functions, used by library staff, must
rely on the same database of information as is found on the PATs
...
) Therefore, the functions that are available
to the public are a sub-set of the entire library program
...

The two program parts are obviously separated, otherwise anyone could walk into
the library and erase all the fines off their library card, or put $100 worth of lost
items on an enemy's card
...

Yup, a password
...
Go to the main or earliest menu on the
library system and try various commands like BYE, END, EXIT, X, XXX, SYS,
SYSTEM, LATER, and OFF
...
If
something like BYE works, and you are exited from the public portion of the
system, you will probably be asked to supply a password
...

Several library systems use bar code identification to determine who gets to go
backstage
...
I have a story about this
...
The IBMs
also have light pens attached
...

One fine day I decided I wanted to hack the system
...
Naturally, I was not allowed staff access, so scanning my library card did
nothing
...

I was not about to become a pickpocket to get a card
...
I would use computer technology to defeat
the computer
...
This is the number that the bar code is encoding
...

There is an initial grouping which identifies the bar code as belonging to that
particular library, followed by some zeros, and then a concluding seven or eight
digits
...

Now, the only part of the number that really matters is the last group of eight
digits, following the zeros, since the library identification portion doesn't change
from one person to the next
...

Naturally I wouldn't be able to type in those bar code numbers from the keyboard
(and who would want to, anyway?)
...
If they did, then anyone who knew anyone else's code number could easily access the pri-vate records of anyone else
...
I would still
need the director's library card
...
Did the computer put a carriage return at the end of the number?
If not, see if you can back up and alter digits
...
You might be able to make the
computer think it's receiving the entire bar code, although you will be able to
change and add numbers to suit your needs
...

The bar code will be read in and placed on the screen rather quickly, so it may be
difficult to stop it halfway through
...
This might slow down the bar code enough
to let you break it at the right time
...
If there is no button (but you know it's in turbo mode because there is
a "Turbo" light lit up), there will be some way of disabling turbo mode through
either the software (break into the DOS shell and see if there's a SPEED command
or something similar), or through the keyboard (often something like Ctrl-Alt-Minus
sign will take it out of Turbo)
...
Occasionally bar code readers can be duped into thinking a bar code of a
kind they're not supposed to be able to read is the correct type
...


Lastly, if there is a way of accessing terminal parameter menus, by all means do so:
often there is some sort of switch which toggles automatic sending of input, or the
key code used to send input
...

All of these above suggestions imply that you have managed to get ahold of the bar
code number of someone important in the library hierarchy - someone whose ID
number you can use to access the rear end of the system
...

But I didn't have anyone's number
...
So I
had to find a way of using the light pen to scan in a hundred million bar codes that
I didn't have, until one was discovered that could access the library program's
secret side
...

The light pen (also known as a "wand," "bar code reader," or "scanner") works like
this
...
The light is then reflected off the
page, and now focused through the sphere onto a photo-sensor, which converts the
reflected light into bursts of voltage
...

The pen is attached to the computer either via some external box, or an internal
card
...
At the time of decoding, voltage corresponding to white lines is
approximately 0
...
My plan was to send
voltages into the scanner, making it think it was reading a bar code, when really all
it was doing was being victimized by a clever hacker's brute force attack
...
Also, the time it takes to generate a complete
code will have to be adjusted accordingly: usually scanners will accept bar codes at
up to 45 inches per second
...

If it is a computer you are working with, rather than a dumb terminal, it is possible
the bar code decoding program is memory resident
...

A good idea would be to copy the contents of the fixed drive, then at home see if
there's a way of making the scanner decoder think the keyboard is the correct
RS232 serial interface to look at for input data
...
If the check
digit is printed on the bar code label, study some sample bar codes and try to work
out the method used to generate the check digit
...

For example, the check digit formula used by the Universal Product Code found on
supermarket food packages is the following: 210 minus three times the sum of the
alternating digits (starting with the separated digit to the left of the bar code),
minus the sum of the remaining digits; the last digit of that result is the check digit
...


Figure 6: The UPC check digit system
...
The subsequent digits are placed under the bar code, with the
check digit appearing in either of the two
places marked with a check mark
...

Thus 5 is the check digit
...
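The UPC rule above, worked as code. This is an added example, not from the book; the sample codes are constructed, and it implements the UPC scheme the page describes, not necessarily whatever check-digit scheme the library's own cards used. The candidates function is the practical consequence for the brute-force idea in the story: once the check rule is known, only one in ten candidate numbers needs to be tried.

```python
"""Added example: the UPC check digit rule described above, plus how a known
check-digit rule shrinks a brute-force search.  Sample codes are constructed."""
from typing import List


def upc_check_digit(first_eleven: str) -> int:
    """The book's formula: 210 minus three times the sum of the alternating
    digits (1st, 3rd, ..., 11th; the 1st is the separated digit left of the
    bars), minus the sum of the remaining digits; the check digit is the last
    decimal digit of the result.  210 is the smallest multiple of 10 that keeps
    the result non-negative: the weighted sum is at most 3*54 + 45 = 207."""
    if len(first_eleven) != 11 or not first_eleven.isdigit():
        raise ValueError("expected the 11 data digits of a UPC-A code")
    digits = [int(c) for c in first_eleven]
    odd_sum = sum(digits[0::2])     # positions 1,3,5,7,9,11
    even_sum = sum(digits[1::2])    # positions 2,4,6,8,10
    return (210 - 3 * odd_sum - even_sum) % 10


def upc_check_digit_mod10(first_eleven: str) -> int:
    """The same rule in its usual textbook form, to show the two agree."""
    digits = [int(c) for c in first_eleven]
    weighted = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - weighted % 10) % 10


def is_valid_upc(code: str) -> bool:
    """A 12-digit code is valid when its last digit is the check of the first 11."""
    return (len(code) == 12 and code.isdigit()
            and upc_check_digit(code[:11]) == int(code[11]))


def candidates(prefix: str, free_digits: int) -> List[str]:
    """Enumerate every 12-digit code with the given fixed prefix and a valid
    check digit.  Knowing the check rule cuts the search by a factor of 10:
    for each combination of free digits only one check digit is accepted,
    so 10**free_digits codes are produced instead of 10**(free_digits + 1)."""
    if free_digits < 1 or len(prefix) + free_digits != 11:
        raise ValueError("prefix plus free digits must cover the 11 data digits")
    out = []
    for n in range(10 ** free_digits):
        data = prefix + str(n).zfill(free_digits)
        out.append(data + str(upc_check_digit(data)))
    return out


if __name__ == "__main__":
    sample = "03600029145"                     # constructed; check digit is 2
    print(sample, "->", upc_check_digit(sample))
    print(len(candidates("0360002914", 1)), "valid codes for that prefix")
```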
The light pen
at one of the computers was attached with a telephone-style modular clip
...
I bought a receiving jack of appropriate size and used a cable to
connect it to the modem port of one of my smaller portable computers
...
I was all set
...
I had expected to pull
off this stunt on a Sunday because I'd seen the results of a user survey which
indicated that less people came into that particular library on Sunday than any
other day of the week - the last thing I needed was a bunch of onlookers
...
I was right;
practically no one was there
...
I typed BYE, which brought me to a prompt which asked for my
bar code before it would allow me to go backstage
...
It worked fine - the program was sending bar code numbers through the
modem port and into the light pen cable
...

I closed the cover of my little portable, and hid the whole thing under a newspaper
...

After a while I did find a bar code number as-sociated with a privileged account,
and I was able to use it to change the status of my own library card to a virtual
superuser
...
Since I now had access to patron records, I could find out the
addresses, phone numbers, student IDs, social security numbers and birth dates
of everyone with a card at that library
...
I
could also find out what books were checked out to people, and therefore the
subjects and hobbies that interested them
...

Hidden Commands
Whenever you're hacking any public terminal of this type you have to remember
that it's common to have different levels of security for potential users of the
system
...
If a menu is given with options ranging from one to four -try five! And
six
...
Always try Z, Q, X, and other "weird" letters - anything else
that has a possibility of working
...
I grant you, usually you won't find that programs have been so badly
coded as to allow misuse, but you'd be surprised at the number of bugs that do go
unnoticed by the authors and testers
...

Also, remember this: There are many functions you may not think would be on a
library computer (or whatever computer it is you're working on)
...
So you must
therefore try everything you can
...
Naturally the system doesn't only support
those three commands
...

Try things like CON, ILL, CHG, DIS and other three-letter combinations (or
whatever number of characters is appropriate)
...
If
that's the case, then you know the computer will support commands of more than
three characters
...
The commands I've chosen above are abbreviations for CONversion, InterLibrary Loan,
CHarGe and DIScharge, respectively
...
But ILL happens to be a very commonly used abbreviation
...

Then (b) plug the jack into a receiver that is connected to your laptop via the
communication port
...

If you're trying to break into a system you know nothing about, it's more than likely
they'll use codes and abbreviations that are related to their field
...

One United Kingdom system uses things like LCO and LIN for Library Check Out and
Library INquiry
...
This poses an obvious
problem to the librarians who MUST know how to contact people who refuse to
return borrowed items (and for countless other reasons, must know what items
people have borrowed), so the people who wrote this library program installed a
command that is invisible to EVERYBODY - even library employees
...
This is something that
the library staff obviously knows about and uses, but is not supposed to have even
heard of
...
You can access these secret parts by either issuing an exit command (a
"trap door") and entering a password, or by entering a hidden menu item or
command statement
...

It is also advisable to turn off the terminal, wait ten seconds, then turn it on again
to see what happens
...
(Sometimes Alt is labeled "Compose Character" because if you keep
it pressed down while typing out a number 0-255 on the numeric keypad on the
right side of the keyboard, the corresponding ASCII character will be produced
...
, with the
function keys
...
You can never tell what's going to do something, or if anything unusual will happen at all
...

College PATs
There is also another kind of publicly accessible terminal, one easily found in the
computer rooms of any college
...

You should try the different function and control keys on these terminals, too
...

Press ? or type HELP and see what commands are available to you
...
It should be a
trivial matter to find out if a public information system is present on the system
you're using, and if so, how to access it
...
(Remember to ask for the dial-in phone numbers, too!)
Generally you will be able to use telnet or other networking protocols to connect
with computers all over the campus, country, and possibly, the world
...
This
section deals with some techniques hackers have used to uncover passwords and
IDs through the use of public access terminals at colleges
...

Doing It The E-Z Way
Barry, a computer enthusiast from Las Vegas, Nevada, used a quite easy way of
finding out info without any programming skills or special equipment
...
He had his own account on the system, but he wanted to do some serious
hacking
...
All he needed was some measly low-level account from which he
could hack without risk
...
Available commands or menus
were displayed on the screen with an underline of appropriate size placed at the
bottom, where the user would input his choice
...

Barry went to the main menu of the information system
...
At the bottom, he put the
appropriate prompt
...
and positioned the cursor at the beginning of the underline
...
Then Barry took a seat at
a Mac near his prepared terminal, and waited
...
He had to wait more than an hour
until a person finally came in to use a terminal
...
From Barry's position at
the Mac he could easily see what the person typed in
...
The woman who was using the terminal did
not seem to realize that anything unusual was going on as she typed her vital data
...
The computer
redrew the information system main menu, and the woman, surprised, logged in
again and went about her business
...
" Barry was elated; on his
first try, with almost no effort on his part, he had a name and password and could
do all the hacking he wanted to without having it traced back to him
...

There are many variations of this tactic that should also be considered, depending
on the nature of the command system, the terminals used, layout of the room, etc
...

Some terminals allow you to change screen color
...
First I erased the screen and typed up a fabrication
of the login screen
...

I then moved the cursor over to the place on the screen where commands were
supposed to be entered (above my fake underline)
...
I typed "log-on
...

Then I repositioned the cursor at the beginning of the underline, used the function
key to change the text color back to bright white, and took a seat on a nearby
armchair
...
About twenty minutes later a group of people came in,
and one sat down at my terminal
...
I told him, "No, no
one's using that one
...
I set up the terminal again and took my position
on the chair, pretending to study a numerical analysis book
...
All this
I was easily able to see
...
The computer only recognized my hidden (black-on-black)
"logon"
...
The user, thinking he had made a typing mistake, entered
them again
...

This will only work with systems that allow you to enter all login codes on a single
line, or on machines with certain appropriate capabilities and setups
...
If you don't have
an account on the system, and therefore do not have access to the e-mail text
editor, there is probably a "Send Comments to Sysop" section in the public
information system that you are able to access
...

One way of using a text editor to simulate the login screen is to write up a
document such as this:
>login
Enter Name:
Enter Password:
Above this you may want to have the tail end of a commonly seen menu, list of
commands, or a body of text one normally sees when turning on the terminal
...

You put the cursor right after the colon, and turn off the Insert key, if there is one
...
He will type in his name and press Enter
...

There are some problems with this method (and all these E-Z methods, actually)
...
There's always the possibility that
some guardian of the computer room will switch off any terminals he sees left on
needlessly, and then all your work might be lost
...

There are plenty of things that can go wrong with this ruse, but for the small
investment of time to set it up, then who-knows-how-long of waiting, it's worth it
...
Switch on the Caps Lock key if it helps
...
Tilt the monitor a bit to reduce glare from your viewing
angle
...
Before you choose your waiting spot,
make sure that when a person sits down in the chair, his or her body won't be
blocking your view
...

Shoulder Surfing
The above two methods are slightly involved examples of what's called "shoulder
surfing
...
While the user types, the hacker
watches the keyboard to pick up the password as it is entered
...

Pure shoulder surfing can only be done under certain circumstances, such as if you
are legitimately helping the user with a problem and you have to stand there for
the user to show you what's wrong
...

A strategically placed mirror, in the upper corner between wall and ceiling, can do
the trick
...

Binoculars are frequently used by calling-card number thieves to illegally obtain
people's code numbers, thus enabling the thieves to make free long distance phone
calls
...
It might be necessary to tilt the keyboard to a specific orientation to better enable
you to see what is typed
...

You might have to do your watching outside, through a window
...
Even at night you will be easily
seen through the glass if the building has outside lights
...
Perhaps you can partially close the blinds or drapes, to further
shield yourself from view
...
Tricks can be used to break free from the menu, then either alter the menu or the
application programs to collect private user data
...
Perhaps you don't need any of this advice at all
...

Apparently the account owners didn't know that
shutting off the terminal does not log them out of their account
...
It was a hacker's
paradise!

Doing It BASICally
If you have an account - or if you go into the computer lab and find someone else's
account logged in and abandoned - you can write a simple BASIC program to
simulate the login procedures, then leave it running
...
Or, use the inputted data to have the program log in to the system
...

Remember to program in necessary time delays, if it usually takes a few seconds
for commands to register
...

Sometimes commands are available to users before logging on, like allowing them
to see who else is currently logged on
...
The program doesn't have to be extremely
elaborate, however, as most users will probably just sit down and log in right away
...

After the user is done typing his name and password, the program should store the
information, and exit out of your account
...
After all, once you log out of that account, you won't be
able to get back in again
...

Hacker security is very important - you never know what superuser is spying on
your activities
...

I use a simple code, such as storing 13 + ASCII code of each character, with every
other number stored being random
...
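What the BASIC program described above would do, written as an added Python simulation. This is not the book's program, and nothing here touches a real system: the prompts, the one canned pre-login command ("who") and the lines the victim "types" are all constructed. It captures a single name/password pair the way the text describes, then stores it with exactly the scheme the author mentions: 13 added to each character's ASCII code, with a random filler value after every real one.

```python
"""Added example: a login-screen simulator and the '13 + ASCII, every other
value random' storage scheme described above.  All prompts and inputs are
constructed; nothing here talks to a real system."""
import random
from typing import List, Optional, Tuple

PROMPT_USER = "Username: "
PROMPT_PASS = "Password: "
FAIL_MESSAGE = "Login incorrect"                       # what the real system shows on a bad try
PRELOGIN = {"who": "No users currently logged on."}   # a canned pre-login command (assumed)


def fake_login(typed: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Run the fake prompts against lines the victim 'types'.

    Returns ((name, password), screen) where screen is what the victim saw.
    A pre-login command the real system offers (here only 'who') gets a canned
    answer so the screen keeps behaving; the first other line is taken as the
    name, the next as the password, and the program then 'fails' the login just
    as the real system would, so the victim simply tries again.
    """
    screen: List[str] = []
    name: Optional[str] = None
    password: Optional[str] = None
    for line in typed:
        if name is None:
            key = line.strip().lower()
            if key in PRELOGIN:
                screen.append(PROMPT_USER + line)
                screen.append(PRELOGIN[key])
                continue
            name = line
            screen.append(PROMPT_USER + name)
        elif password is None:
            password = line
            screen.append(PROMPT_PASS)                 # the password is not echoed
            screen.append(FAIL_MESSAGE)
            break
    return (name or "", password or ""), screen


def obscure(text: str, rng: random.Random) -> bytes:
    """The book's scheme: each character is stored as 13 + its ASCII code,
    followed by one random filler byte.  Length doubles; odd positions are noise."""
    out = bytearray()
    for ch in text:
        if ord(ch) > 242:
            raise ValueError("only ASCII text fits the 13 + code scheme in a byte")
        out.append(13 + ord(ch))
        out.append(rng.randrange(256))
    return bytes(out)


def reveal(blob: bytes) -> str:
    """Undo obscure(): keep every other byte and subtract 13."""
    return "".join(chr(b - 13) for b in blob[0::2])


def capture_record(name: str, password: str, seed: int) -> bytes:
    """What the program would append to its hidden file for one victim."""
    return obscure(f"{name}:{password}\n", random.Random(seed))


if __name__ == "__main__":
    creds, shown = fake_login(["who", "jsmith", "hunter2"])   # constructed input
    print("\n".join(shown))
    rec = capture_record(*creds, seed=1)
    print(rec.hex(), "->", reveal(rec).strip())
```

reveal is the reading side the author keeps for himself. Anyone who finds the program's source learns the scheme in one glance, so this hides the file's contents from a casual TYPE, not from a superuser who bothers to read the program; it is concealment, not encryption. On the defensive side, this whole class of trick is why later systems added a secure attention key (Ctrl-Alt-Del on Windows NT) that only the genuine login process can answer.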

An expansion of these ideas is found in an up-coming chapter
...
At about four in the
morning I smuggled the thing into the computer lab, and replaced a terminal that
was already there with my own, connecting the cable to the portable
...
It was a wooden table with an overhang
...
I had the
portable programmed to save on disk the first ten characters that appeared after
"Username:" and "Password:"
...
It worked well
...
The guy thought I was trying to steal it
...
Make sure the computer you put in and any wiring
associated with it stays separated from the internal goings-on of the dumb
terminal
...


General Purpose Microcomputers
Now we come to the third type of Public Access Computer from that list I gave
several pages back: the General Purpose Micro
...
Of course, all techniques I discuss can be translated
to any computing environment
...
Ordinarily these are non-network machines, although if there's more than one they
may be connected to the same printer, or to some other peripheral
...
There are also businesses set up now where people can go to rent
time on a computer to type up their résumés or reports, and have them printed
out on a good quality printer
...


Breaking Free
The first thing you'll notice is there's some kind of menu system on these micros
...
It is generally a trivial
matter to get out of the menu program, even though its very existence - at least
partially - is to keep you from doing just that
...
" Try it - does it work? You might
exit the menu, only to get a message like this: "Error! Press any key to return to
Menu
...
BAT file
...
BAT shell, and are experiencing
the next line of that BAT file
...

Even if it doesn't say on the screen how to leave the menu, you will want to try
various function keys, the Ctrl-Break key, the Escape key, and different
combinations of Alt and Ctrl with C, X, and Q
...
If this is the case with the one you're hacking, by all means
try various passwords -starting with blank lines, the name of the building or
company, and other obvious work-related and business-like words
...

Actually, for best results you should repeatedly tap Ctrl-C and the Ctrl-Break key
simultaneously
...
BAT startup procedures
...
If both of these
tactics fail, use the menu system to run the various programs listed and see if any
of them have an escape to the operating system
...
WordStar allows shelling or single
commands to be entered with Ctrl-K, F
...

If there are lots of computer-wise people around, or people looking over your
shoulder, or people in charge running all over the place, then you'll want to get
back to authorized sections of the computer ASAP so you're not discovered in the
private parts and thrown out of the building
...
This is akin to the burglar who
steals the entire unopenable safe so he can work on it in his basement with noisy
power tools and blow torches
...
BAT file and the menu system first of all, and any directories
you find containing files with BAT, DOC or TXT extensions; miscellaneous disk
utilities (especially public domain-type programs); security, maintenance, or
updating programs; anything having to do with telecommunications; memory
resident programs; other explanatory text files
...

Check for hidden files and directories
...
Also see if
any files have been deleted, and try to recover them if they appear applicable to
your needs
...
Often it's worth
hacking a public computer like this just for the thrill of getting by security
measures
...

Many times I've found public domain and shareware utilities that I'd never seen
before, so it's worth doing this just to see if you can pick up anything new along
these lines
...

Another thing that's common is to find in-house programs on the system - things
like employee schedulers, databases, or other programs that are not available for
public use, and are reserved for use by the managers of the business or library
...

If you have encountered prompts for passwords in your exploration of the
computer, try to find out where the master list of passwords is stored on the disk
...
I typed it to the screen and was surprised to
find a list of about six user names, along with passwords, addresses and other
personal information for each name
...
I tried those names on all the systems in
the area without success
...
The people listed in the file seemed to not exist anywhere I
looked for them! Perhaps someone was just using the file as a test or demo, or on
some private computer system
...
It's all part of the nature of being what you are
...
Once you have decided on a question ("Will this password
list work on the Raamses 3?" "Does the President of Moroll Corporation have a
secretary with system access?"), then you can do higher level research and try to
answer it
...
This kit should
include:
Plenty of blank, formatted disks, in both 3½" and 5¼" sizes, so you can quickly
copy the menu's security programs
...

Auxiliary programs, such as superzappers and other utilities
...
Public domain programs are available to shut off
the internal speaker
...

Other tools: A Swiss Army knife is good, or at least bring a little screwdriver
...
A large, unbent paper clip is handy for hacking
Macs
...
That's often the fastest way
to eject a disk
...
There are three fruitful programming ideas the hacker can employ with these:
• altering the menu,
• altering the menu program, or
• creating your own simulation of the menuing system.

... This allows the people who maintain the computers to create menu categories such as "Business Programs," "Word Processing," and the like, and to add and edit the programs available for public use. ... However, what the menu will really do is take that user to a program that you wrote, that simulates an environment the user is familiar with. ... Later, you can go to where the computer hid the passwords and IDs, and retrieve them for your personal use.
...
...EXE or SETUP... You may also be able to do editing directly from the menu program itself, by pushing a function key or control code. The menu-editing feature may have been eliminated once the menu was set up, or a password might be required to do anything.

Alternately, you might be able to use a text editor or superzap program to change the file where menu information is stored. ... Just type "attrib filename -r" to unlock it (on MS-DOS systems). ... He then must choose a file to be executed when that phrase is selected, possibly providing a drive path, and other information.
...
Your initial target is a public computer with word processing, spreadsheet and telecommunications abilities. ... Then the connection is made. ... What actually happened was that when the user pressed "T" for "Telecommunications," the menu ran a program that you snuck onto the system, instead of actually connecting to the network. ... For example, it might prompt for which computer the user wants to connect with, and then pretend to connect to that computer.

You'll be better off having your little simulation program called from a batch file. ... It might be possible to have the batch file feed in the name and password the user entered, thus eliminating any trace of weirdness.

In other situations, the "Telecommunications" option will bring the user to a commercial terminal package such as ProComm Plus or SmartCom. ... But there is a catch. ... He will be awfully suspicious and confused if the speaker is on and yet no dialing sounds come out of it! (Remember, you somehow have to make the program appear to dial out, so you can then simulate the network that is called.) The most reasonable way to solve this dilemma is to have the program give an exotic error message like:
Operating Error 2130: Line Noise Interference

Of course, this message should closely conform to the other error messages that the terminal program actually puts out. ... The name and password is taken and quietly stored to disk, and then an error message is given and the user is logged off. ... Make it look realistic - like the kind of line noise that we've all gotten at one time or another - but make it excessive. ... If he doesn't, or if he tries doing anything, just have the computer display the standard "Logged off..." ... It may be possible at that point to have the computer load the real terminal program, so it will look like nothing very unusual has occurred. ... But offices and businesses might have them, so consider these ideas when you think about hacking on-site.

The menu program might not be a commercially available one. ... The program might be just a batch file.

The final variation on the menu ploy is to compose a simulation of the menu. ... It can take a while to replicate the menu program. ... You will have to carefully take note of screen colors and special characters displayed, how the actual program handles invalid data, and other peculiarities of the menu.

Hiding Your Goody Basket
All of the above menu methods, as well as many of the techniques explained earlier regarding simulating network login sequences and capturing keystrokes, result in a file being saved to disk. ... Let's look at how we can prevent both of these from occurring. ... This includes the people who run the computer labs, those who fix the computers, other hackers, and the oh-so-curious general public.

Most public computers you encounter will have a self-cleaning routine installed. ... Most public word processing computers have notes attached that beg people to bring their own disks on which to save their work, but there usually is a special USERS directory, or some other area where anyone can save files. ... The program will often scan the rest of the drive, clearing away files that users have stored in other directories. ... These are private directories that people made for themselves in the hopes that other users wouldn't read or delete their files - never realizing that their files would be deleted by the computer.

Before you put your altered menu program or whatever onto a public computer, you must do some experimenting to see what kind of cleaning system it has, if any.

If a cleaning program does exist on the computer, you should have it copied over, along with everything else, from your initial investigation of the computer. ... The cleaner probably has a data file that holds information on which directories it should examine, what should be done with the outdated files it detects, what calendar date constitutes "oldness," and other pertinent variables.

If the computer activates the cleaning program automatically, your explorations might lead you to find the trigger that sets it off and causes it to delete certain files and not others. ... The cleaner could also be activated as part of a start-up routine, or a regularly performed maintenance check. ... Once you find the program that sets the cleaner off, you will be able to make alterations to your own file so that it is ignored, rather than deleted. ... However, there are considerate versions that only delete old files.
Here is an example of an MS-DOS batch file that changes the date of your hidden goody basket in the example (a text file called "filename") to one far in the future. ...BAT, or to the point in the system's maintenance routines directly before the cleaner is activated.

@echo off
ctty nul
date < command1 > temp
edlin temp < command2
date 12-31-1999
edlin filename < command3
edlin command1 < command3
edlin command
...
bak
del temp
Here we are calling them "command1," "command..." ... "Command1" contains a single carriage return (Control-M). ... "Command2" is a bit longer:
2d
1rCurrent date is
1rSun
1rMon
1rTue
1rWed
1rThu
1rFri
1rSat
e
The batch file works by using the "date" command to change the date to December 31, 1999. ... the date is returned to normal. ... You might have to alter the batch file and "Command2" if your target computer is set up in an irregular way. ... You would do best to use something exotic in your own program. ...BAT files get changed often, and a batch file like this sample is bound to be noticed by the maintenance staff. ...BAT ... BAT" will execute your Trojan and, once it's done, return to the AUTOEXEC batch file.)

Also remember that under certain operating systems, such as MS-DOS, the "ATTRIB" command can be used to make filenames invisible in the directory listing ("attrib FILENAME +h" turns on the hide factor). ... But eliminating the name from the directory certainly does much to halt casual discovery of your Trojan files.
...
My remarks will be directed toward this program in particular, but they are far-ranging enough to be applicable to just about any program like this that you hide on a system. ... They may not be available on the computer you are using, and you can end up with a mess on your hands, and discovery of your intentions. ... In that case you may have to put the necessary commands in an alternative directory. ... If the cleaner does delete these external commands you will have to figure out some solution to get them onto the disk and protect them from the cleaner.

Second, you will have to make sure beforehand that the DOS directory is in the PATH. ...BAT) as a place for the operating system to look for files to execute.

Also notice before installing any programs: will there be enough space on the disk? Enough memory? Does the program try to create the temp file in a locked directory? (If so, open temp in a USERS directory, or some other writable one.) ... Instead of having the date-changer execute before the clean-up program, it could be run every time the password file gets updated. ... Recall that this program is meant to be used in conjunction with some sort of Trojan horse you've installed; the horse itself will slow down the computer somewhat already, and the combination of the two programs might be too much to go unnoticed. ... You will have to use similar programming techniques to thwart its advances accordingly. ... That human being might not be clever enough to look outside the designated USERS directory for files, but you have to act as if that person is as clever as you.

Here are a few suggestions:
Change the hidden-file attribute so that it is not listed in the directory. ... Try this experiment. ... After sixteen nested directories named "dir" are created you will get an error message. ... You will find that within the innermost directory it is impossible to make any more directories - there's a limit to what the computer has been programmed to handle.

Those grafted directories will be impossible to see or access from the DOS shell.

You don't want that to happen: that would lead to discovery of your secret files hidden within that directory. ... Your Trojan horse would have to be able to move the data file from its protected position, then back again afterward.
...
... DON'T use filenames like SECRET... HA! Use a bit of creativity when naming them. ... If you see, for example, that a spreadsheet has files named AFGRAB1.OVL, AFGRAB3.OVL, AFGRAB5... Do you think anyone will bother to look at them then? You might want to split up the files, putting each in a separate directory; don't forget to specify the proper drive paths in the batch file that uses these files. ... However, all will be for naught if, when you come back the next day to see what you've reaped, all of your files are gone.

Keep in mind as you read about these special programming tricks that I'm not implying you should actually sit out in the open and edit menus or sift through files looking for passwords. ... You will have already copied over the important and unusual files in this initial exploration of the computer, and you should have the entire menu program at your disposal.

Then, once you've finished the programming and editing required, you can go back for a second session at the public computer, this time secretly installing your mutated versions of their programs onto the system. ... It also reduces the chance of error in the things you do.
Guest registers, as described earlier, are used for the few moments it takes for a person to enter his or her name and identification number.

It is not the other users you have to be wary of: they couldn't care less about you, and if anything, will probably mistake you for someone who works in the building. ... If it's a college computer lab being monitored by one or two students, they might be curious, but won't pry as long as you don't stay longer than you're supposed to at the computers. ... A comment such as, "Oh, I just wanted to see how they did this batch file," or some other appropriate explanation, is a good enough excuse for most such people. ... That is the topic of the next chapter. ... side to on-site hacking.

I'm referring to the on-site hacking of, not public computers, but private ones.

It is risky and possibly dangerous to walk into a company headquarters and simply start using the computers you find there.

Sometimes, on-site hacking is a necessity. ... More secure setups might use some facet of the hardware to validate authenticity. ... In these cases you would have to hack on premises. ... Hacking is about computers; there are lots of reasons why a hacker will need to be able to touch and see those computers in person. ... For example, security expert Robert Farr, in his book The Electronic Criminals, explains how he penetrated the "heavily guarded company headquarters ... a well-known office machine company" to win a bet. ... Farr did it with prethought, planning, and sometimes blundering.

In some ways it is easier to enter large organizations like this than the local insurance office or small business. ... All of these can make it tough for a hacker to get close enough to even touch a computer on site, let alone infiltrate it.
... I called up the store where I bought it, trying to reach the service and repair department. ... Finally I spoke with someone in the computer department who assured me that people would be in the store until 9:00 p.m. to deal with my broken computer.

The door was open and unlocked, the lights were on, thousands of dollars worth of broken appliances were lying around, and there were two of the store's terminals up and running. ... But surely someone was there? I yelled for assistance. ... I walked behind the counter and into the back areas of the shop. ... And there were those two terminals there. ... Now, as it turns out, I did some checking around the store until I managed to find a room that appeared to house the viewing monitors associated with the store's security cameras. ... Even though the monitors were not being watched, it was good that I had seen those hidden security cameras.

The correct terminology for security cameras is Closed-Circuit Television, or CCTV. ... Usually black & white is used, as it is less expensive and color is generally an unneeded feature.

The cameras employed may be either openly visible or hidden (as my department store cameras were). ... A trespasser will then cringe from the dummy camera, straight into view of the well-placed real camera. ... If you see some cameras visibly panning back and forth, but one or two remaining stationary, it is likely those motionless ones are either broken or fake. ... This housing may be a conventional metal box, or one more suited for covert surveillance. ... Cameras may also be placed behind grillwork, pipes, or a one-way mirror, or hung from the ceiling inside a translucent plastic dome. ... After all, you don't want to give a camera a full-frontal shot of your face and body. ... If a shape protrudes from a wall or ceiling, pay it no mind - it won't do you any good to stare. ... Images picked up may be fuzzy, dark, full of shadows, and generally hard to see. ... Concealing a camera may hinder its usefulness. ... Hidden cameras are more likely to be stationary and focused on a single point, such as an entrance or exit, or a particular point in a hallway. ... These will be protected from the elements with suitable housings, sun-shields, fans, wipers, and/or defoggers. ... If they are outside, they will have night viewing capabilities, and so you may be detected even before you enter the building.

If you absolutely must trespass a building or its property to get to its computers, try to go at night during a thunderstorm.

Biometric Systems
Controls based on personal characteristics are the ultimate in computer access control - when they work properly. ... A biometric system may look at any one of these individual traits to verify user identity: fingerprints, voiceprint, handwritten signature, palm print, hand geometry, or retinal patterns. ... For example, a legitimate user's voiceprint may be rejected because of a change in voice pattern or voice speed due to illness or stress, or because of interference from outside noises. ... Signature and handwriting analysis systems sometimes fail to pick up nuances in pressure, style and velocity; people do not always write their names the same way every day. ... Hand injuries could also make a person's signature look different. ... Finally there are retinal pattern recognition systems, which look at the pattern composed by blood vessels in the eyes.

I point out the flaws in these systems so you will get a feeling for what it must be like to work in a building where you're required to get your eyeballs scanned every time you want to walk through a door. ... The first few times it may be seen as a novelty, but soon these gadgets become another ho-hum part of office life. ... People like showing how friendly they are. ... They don't mind allowing others to use their own clearance to gain access to a room.

So, you will sometimes find these costly machines turned off and unplugged. ... You will find helpful, smiling personnel who will open doors for you and hold doors open behind them to let you through - even when they've never seen you before in their lives. ... Well, that's good for you, the hacker.

Always A Way
Think about the enormous amount of power government possesses over us. ... Think of all the expertise available to such a powerful entity.

When we start to think about all the covert actions going on around us, and all the myriad ways in which we don't even know we are being manipulated or spied upon, we begin to think of government agencies as unbreakable, unstoppable. ... And even if we think we have a chance at hacking it, we know we will end up in prison. ... You only have to look as far back as Operation Sun Devil a few years ago, when Steve Jackson got his games taken away because they were thought to be a menace to society.

We read about all these scary spy gadgets that have been developed that can read our lives like a README. ... We hear about the "impenetrable" government computer systems that have been set up, and we are scared away because they sound so hermetically protected. ... Therefore, all those spy guys in Washington have set up ultra-secure network links in an effort to protect their valuable secrets. ... These are strictly isolated systems - no connections to outside phones or computers, so no hackers can gain access by dialing in.

This is heavy protection, and sounds like it would be impossible to hack, especially when you realize that even if there were some way to get at those lines, you still need various levels of permissions, passwords and access codes to reach the highest and most secret classifications of data. ... Never forget that behind every complicated system is nothing more than some human beings. ... They're probably asleep more often than awake, especially if the temperature and humidity is high in their work area. ... Or they would take a quick look out the window and go back to sleep. ... No guard is going to go out sloshing through the mud and rain to investigate an intruder he knows won't be there. ... Don't be fooled by first appearances. ... There's nothing difficult about this - just pretend you own the place. ... Smile and say hello to the people you pass. ... All throughout junior and senior high, I never got stopped once by a teacher or hall monitor for not being in class, simply because I acted as if I was on some official mission for the principal. ... So do your best to keep your cool. ... Here's a hint to help you do that. ... Don't do that - it sounds really bad and it takes away from your credibility and sincerity.

Say your prepared script without worrying if it sounds fake.

Piggybacking
There are two kinds of piggybacking. ... Physical piggybacking is using another person's access to gain entry to a computer or computer room. ... Many offices stay open late at night and on weekends, for people who need to come in to clean or work overtime. ... Just wait around outside until you see a car pull up, then time yourself so you will be behind the employee as he or she heads toward the door. ... If you can get in, the whole building is yours for the asking.

The thing is, though, you have to plan ahead to be successful at this and not arouse suspicion. ... Perhaps carry a briefcase or a lunch bag. ... I spent last week at the regional headquarters of a large bank, doing temporary work for them. ... First there were the signs hanging up in the parking garage about how my car would be towed if I parked there without a hangtag. ... I went over and explained to him that I was a temp worker and I didn't have a hangtag.

Then I went into the building, up to the seventeenth floor, and came out of the elevator facing a locked door that required a magnetic card to get in. ... I waited a few moments until an office worker approached the door from the other side, held it open for me, then went on his way.

So you see, piggybacking - the use of another's legitimate access to gain entry into a building or computer - is an on-site hacker's best friend!
Other Successful Tricks & Antics
There have been hackers (and thieves and spies) who dress as one of the maintenance crew to get into a place and get closer to the computers there. ... This sort of impersonation works best in large companies where no one will question you, because everyone assumes you're there because someone else wants you there.

One hacker/spy completely re-wallpapered the employee lounge while learning codes, names, and procedures over a five day period. ... Besides, you may find that you're suited to being a delivery boy or sandwich girl for a few days.

Then, even if the jobs you are assigned don't take you near a computer, you will be able to later use your temping as justification for a return visit to the site.

Cubicles are great - I love cubicles! Because once you're in one of those gigantic gray ice-tray rooms, you have the entire area to explore: no locked doors and lots of corners to hide behind. ... You can find pictures of kids, people's names, hobbies, etc. ... You can easily eavesdrop and find out inside dope on people, as well as shoulder surf with ease. ... Note that on some terminals (or computers), non-standard data entry keys are used. ... I know, it's crazy, but I've seen it. ... In airports one can often find unattended terminals.

Before concluding this section on the hacking of private and on-site computers, I want to touch on an area that is connected to the subject by a tenuous thread. ... That's the way many hackers view this activity of hacking - as an intellectual exercise in which the hacker tries to out-think either the computer, the user, the Goliath corporation, or the computer designer. ... Passive computing is the act of eavesdropping - monitoring computer usage and surreptitiously collecting the information that is transferred. ... Thus, by a flick of a switch he could send any of our screens to his computer monitor, to make sure we did the work we were assigned and didn't goof off.

Actually, it's no great technological feat to connect two or more monitors to the same computer and switch between them. ... Then sit back and watch as what occurs on your target's screen unfurls on yours. ... This is a good technique if your target has a lot of encrypted files for which you don't have the key.

It may not be possible to sit down close to the target at your own monitor and watch.

If you hook up a VCR to your monitor, you'll get a hard copy of your target's activities. ... If you do so, it is best to have a remote way of turning the VCR on and off, so you don't record while the computer is idle.

There's no law saying all screen output has to go to a screen - if for some reason you can't use any of the above techniques. ... Make sure that either the printer is fast or the buffer is large. ... Also, of course, the printer has to be located far away from the target, preferably in another room or another building entirely.

"Print from keyboard" causes that several thousand dollar machine to act like any old junky typewriter, printing characters directly as they are typed on the keyboard. ... From then on, anything further he types within the program will be sent to the printer.

By pressing "Shift-PrintScreen" on any DOS computer, the "print from keyboard" mode will be activated.

As an example of passive computing which is really very active, in that hacking is required, it might be reasonable to log on to a network and use programming to direct the target's output to your own terminal. ... Additional programming might be required if the computer refuses to send the target's output to your screen, or if the target is getting your output. ... On UNIX systems, you would be thinking in terms of altering already existing programs such as TALK or WRITE to get the job done. ... Any time two accounts are joined, there is a potential for misuse of that linkage.

Another option is to make use of monitoring software which is commercially available - or write some yourself, to satisfy your own personal needs. ... Other monitoring software keeps track of which programs are being used and how, often timestamping such information as well. ... I hot-wired one such keystroke-capturing program to print a weekly report to a hidden directory. ... I altered it to look for that hidden report on certain days and e-mail it to me through an unknowing third party.

You might ask, "Why would you need such a thing - don't you have the guy's password and everything from reading those weekly lists of his keystrokes? You can delete the evidence yourself..."

You see, the keystroke-capturer can only go into effect once the user has logged in and the startup file is executed - by then there is no need to enter one's password.

Hacking often involves making assumptions and then seeing how one's assumptions were wrong.

Tapping the phone line or intercepting microwave transmissions are always open options, or bugging the phone if the modem is coupled to it. ... Printer, modem, monitor, and other computer cables can also be tapped to good effect. ... You go home, call the number that the tapped computer called, and play back the recording for the remote computer to hear. ... Your goal will be to synchronize the playing of the recording with the remote computer's prompting.

You know, once someone gets their computer all plugged in and set up, it is only on very rare occasions that they ever look at the backside or underneath it again, especially since they probably have a messy tangle of cords running out the back, an office cleaning staff to keep it dusted, and the back of the computer pushed against a wall.

Radiation Comprehension
If you like to watch television while you use your computer, you may have noticed something funny happening when the channel is turned to certain stations. ... This happens when electromagnetic fields radiating from my computer and cables are picked up by the television antenna.

There is a simple reason for this happening. ... The components, cables and whatnot will not only pick up the radiation, but transmit it as well, sometimes re-emitting it at some distance from the source equipment.

Computers operate at radio frequencies and so they are also radio transmitters. ... The FCC wants to make sure those radio emissions aren't strong enough to interfere with other licensed radio receivers (such as television sets). ... This sort of thing is more likely to occur when the neighbor has a black and white television and the computer has a composite monitor, because a black and white set can more easily adapt the synchronization signals that it picks up from a composite monitor (especially if the TV has an antenna amplifier attached).

Imagine the consequences of someone setting out to purposely receive radiated information. ... For years the Department of Defense has stashed away its most hush-hush computers and communications devices in copper-lined rooms to prevent radiation leakage. ... which defines how military computers are to be constructed so that the radiation leaking from them is minimal. ... The FCC ensures that equipment won't interfere with other equipment; it makes no promises that equipment is safe from prying eyes. ... There is an electronic marvel called the Van Eck device which picks up your favorite leaked radiation and projects it onto a television screen.

Van Eck And Britton
In 1985 a group of Swedish engineers, led by one William "Wim" Van Eck, presented a paper called "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" at the Securicom Conference in Cannes. ... Scientist Don Britton had already gone public with a virtually identical device in 1979, but it was the Van Eck paper that got people to sit up and take notice. ... This is possible, yes, but you would end up with an unintelligible mishmash of signals.

Doing so would enable you to determine what a distant computer was "thinking" as those electrical pulses shot through its system. ... We all know the story about how computers are digital beasts, processing streams of ones and zeroes to create the fabulous tapestries of color and sound that we get to appreciate every time we boot up a copy of the latest Sierra game. ... What's going on is a high or low electrical current passing through. ... Any electrical device is going to have radiation emissions. ... Keep all this in mind while we take a little side trip. ... Each dot is a little speck of some substance that glows (fluoresces) when energized, and the inside of the screen is covered with the stuff. ... Light up the appropriate pixels and keep them lit, and you end up with glowing dots that can combine to form the lines, characters, symbols and graphics that make up our daily experience with visual computer output. ... Hitting the phosphorescent matter with an electron only produces a very brief burst of glow before extinguishing. ... If we wish to cancel a pixel or series of pixels, we simply discontinue firing an electron at that section of the screen.

Britton's and Van Eck's idea was to simply use a television receiver to listen for those bursts of high voltage as a monitor emits them, and have the television respond by firing a pixel in the corresponding place on its own screen - thus ending up with a display screen that exactly matches, pixel by pixel, that of the target computer. ... There's nothing inherent to a high pulse that signals where on the receiving television that pixel should go. ... However, the pulses are too weak to pick up from a distance. ... Two adjustable oscillators are used to create the vertical (picture) and horizontal (line) synchronization. ... This could theoretically be done by hand, but this is the computer age: the signals are mathematically combined and fed into a logic circuit which performs the job automatically. ... If you have the tech knowledge you can build one of these for $10 to $15.

Besides the oscillators and the logic processing sync restorer board, you will want to hook up a directional antenna to help focus in on exactly what you're after. ... This is due to differences in the components making up the monitors. ... Your suitably engineered Van Eck or Britton device can discriminate between the several traits presented.
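To see why the sync restorer is the whole trick, here is an added simulation that is not from the book or from Van Eck's paper: a constructed 5-by-7 "H" raster is emitted as a bare stream of beam-on/beam-off samples with retrace gaps but no sync information, the receiver starts listening at an arbitrary sample, and the restorer recovers the line and frame periods by self-similarity (the job the two adjustable oscillators do), finds the frame start from the long vertical-blanking gap, and folds the stream back into a picture. Setting the line oscillator one sample off produces the "unintelligible mishmash" the text mentions.

```python
# Constructed target raster (not a real capture): the letter "H", 5 lines x 7 pixels.
TARGET = [
    "1000001",
    "1000001",
    "1111111",
    "1000001",
    "1000001",
]
H_BLANK = 3   # dark samples after each line (horizontal retrace)
V_BLANK = 5   # dark samples after each frame (vertical retrace)


def emit(raster, frames):
    """Model the monitor: one sample per pixel, 1 = beam on, 0 = off, plus blanking.
    No sync pulses are included, which is exactly the receiver's problem."""
    stream = []
    for _ in range(frames):
        for row in raster:
            stream.extend(int(c) for c in row)
            stream.extend([0] * H_BLANK)
        stream.extend([0] * V_BLANK)
    return stream


def autocorr(x, lag):
    """How strongly the stream resembles itself shifted by `lag` samples."""
    return sum(a * b for a, b in zip(x, x[lag:]))


def estimate_period(x, lo, hi):
    """The 'adjustable oscillator': the operator sets a coarse range [lo, hi);
    the lag with the strongest self-similarity inside it is the period."""
    return max(range(lo, hi), key=lambda lag: autocorr(x, lag))


def frame_phase(x, frame):
    """Vertical sync: the longest dark gap (last line's retrace plus vertical
    blanking) ends where a new frame begins; return that offset modulo `frame`."""
    best_start, best_len, start = 0, 0, None
    for i, v in enumerate(x + [1]):          # sentinel closes a trailing dark run
        if v == 0 and start is None:
            start = i
        elif v != 0 and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    return (best_start + best_len) % frame


def fold(x, phase, line, rows):
    """The receiving set: paint the stream line by line from `phase` using the
    chosen line period. Trailing columns that are dark on every line are trimmed."""
    grid = [x[phase + r * line: phase + (r + 1) * line] for r in range(rows)]
    width = max((c + 1 for row in grid for c, v in enumerate(row) if v), default=0)
    return ["".join(str(v) for v in row[:width]) for row in grid]


def restore(captured):
    """Sync restorer: recover line period, frame period and phase, then fold."""
    line = estimate_period(captured, 4, 30)
    frame = estimate_period(captured, 2 * line, len(captured) // 2)
    return fold(captured, frame_phase(captured, frame), line, frame // line)


def demo():
    """Receiver that starts listening mid-frame (sample 17 of a 3-frame emission).
    Returns the properly restored picture and a mis-synchronised one."""
    captured = emit(TARGET, 3)[17:]
    good = restore(captured)
    # Line oscillator set to 11 samples instead of 10: every line shears sideways.
    bad = fold(captured, frame_phase(captured, 55), 11, 5)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("\n".join(good), "\n")
    print("\n".join(bad))
```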

Ups And Downs
This method of on-site computer cracking is safer than most because it involves no trespassing at all to get at your target computer. ... His working group housed the device in a van which they parked on the street, usually right in front of a target's home, without incident. ... But Van Eck and Britton machines also deprive us of freedom of direction, of choice. ... Very rarely do passwords appear on a computer screen, so we most likely won't even be allowed the opportunity to use a bit of learned knowledge to coax what other exciting information we can from the system unless the user chooses to allow us entry into those secret realms. ... But traditional hacking methods - through the telephone - allow us to delve into the forbidden from much further away than a kilometer.

98

Chapter Nine:
Hacking At Home:
Dialing Up ComputersWith Your Modem
Now we get to the stuff of which dreams are made
...

You press a few keys, type in a phone number and after some beeps you hear the
wonderful shriek of connection
...

You press Enter a few times
...
You respond - not with your own name of course with someone else's
...


Menus! Options! Choices to be made! Files to read and to learn from, software to
run, games to play
...
So much to do, and then you see connections to
other sites, and more sites, and more secret files to read! You smile as you realize
something: every hack, no matter its size, leads to new hacks, new computers, new
horizons of exploration and gain
...
Most computer hackers
nowadays won't hack from their houses for fear of Caller ID, line tracers, tricks,
traps and federal agents
...
Ways in which, if you are so inclined, without
even leaving your house, you can connect yourself with the world
...
There are
other home computers,
mainframes, minicomputers, companies, government offices, clubs - you will be
able to call any organization or individual who owns a computer, and has need to
communicate via computer with other entities
...

Paying For The Pleasure
A hacker named Rebel was recently telling me how enthralled he was with
CompuServe, except for one aspect - the stiff price one pays for using the service
...
CompuServe is not the only vendor charging the public a
fortune to pay back their huge advertising budget
...

Databases are available to look up any sort of data: census data, news, stock
market information, results of government research, science and technology
reports, books, personal information, history, and popular culture
...
Anybody can access one of
these databases and find what he or she needs any time of the day or night
...
There is usually a charge to
subscribe to the service, then there may be any number of the following charges:
A display charge for each piece of data presented on the screen, or a search charge
for each query made to the database
...

High-speed surcharge for using a faster modem (thus gaining the ability to grab
more info per minute)
...

Many hackers refuse to pay the inflated bills
these services can run up, though they also refuse to give up the service,
particularly when so many special and useful features can be gained by dialing in
...
and a plethora of other goodies make the services attractive to
the hacker
...

You will find many ideas throughout this book
...
One brand of personal computer was
being sold in a special package that included several pieces of software, along with
a trial membership to one of the on-line services
...
Many of those customers were individual people or families, but a good
number of the computers had been bought by stores and businesses
...
Sure
enough, pushed aside on bookshelves, unopened and untouched, lay the envelope
that included the "Getting Started With StarBase On-line" manual and trial access
codes that had been included with the computer
...

Packet Switched Networks
There are corporations and government agencies all across the country that have
computers you will want to get your hands into
...
The solution?
Public Data Networks (PDNs)
...
You call up one
local to you, then type the address of the computer system you want to connect
with
...
When you enter a
valid address, the login display for the desired system will appear
...

There may be hundreds of other sessions going on simultaneously from points
throughout the network, as thousands of users interact with the many computers
on the net
...
The
intermediate computers that do all the work are called PADs, or Packet
Assembler/Disassemblers, because they
take incoming packets of data, strip away the encoded insulation which tells that
PAD where the packet is headed, then reassemble the data with new directional
information, sending it further along the route
...
Once there, a hacker can try out
various addresses at random
...

The most well-known PDNs are Telenet and Tymnet, and there are also
international packet networks, and networks in other countries as well
...


Other Networks
The only other network that counts is the Internet
...
There are academic networks,
government networks, businesses and organizations throughout the world, all
connected together (by PDNs) to exchange ideas, software, technologies, gossip
and guacamole recipes
...
Altogether, these make up DDN,
the Defense Data Network
...

Others include the National Science Foundation NETwork (NSFNET), which includes
supercomputer centers and other research sites funded by the NSF
...
JANET is the United Kingdom network, one of many
national networks around the world that is bridged with the Internet
...

Some of the pay-for-play services offer access to the Internet
...
Basically, having an "in" with the Internet
allows one to travel around the world and back without leaving your armchair
...
An Internet
address is a series of code words punctuated with periods, and refers to one
particular computer in the millions that make up the Internet
...
zowie4.edu
...
The "edu" is a standard thing stuck at the end of
educational computer addresses
...

An Internet address may also end in a two-character country abbreviation
...

Finding Dial-Up Numbers
To "direct connect" with computers, you will need their phone numbers
...
If that doesn't work, try calling individual offices at the firm and ask if they know how to access the company computer from
their home computers
...

Phone books are a big help
...
Internal directories might also be of the kind that list numbers for the
different departments; some go so far as to list home phone numbers and
addresses of the people who work there
...
But you won't even have to
call and ask for dial-up lines if those numbers are listed in the directory
...

When a person speaks on the telephone, it doesn't matter if every once in a while
the voice on the other end gets a bit fuzzy, or if the tone gets momentarily higher
or lower
...
So the telephone company has special lines which offices can
install (for a price) to ease the flow of data between telecommunications devices
such as modems
...
Many hackers get theirs by scavenging
...
Large companies will own
big blocks of telephone numbers, with each office or extension being one digit
different from the preceding one
...
The 390 stays the same for every department, but the
last four digits change for each phone line
...
Then sort the list and try calling everything in that
exchange that is not on your list
...
Criss-cross directories
are sorted by number, not name, so if you know that Company J's numbers fall into
the 390- range, using such a directory you will have an even bigger list of numbers
to avoid
...

Software is available to repeatedly dial up a series of phone numbers, reporting on
whether a modem is connected
...
" If you can't find such a program, write one for yourself; it's simple
to do and will cost you only a few hours of time
...
The phone
company security patrol
knows what you're doing when you make that many calls that quickly, and with
such precision
...
That way everything
looks legit: if a person picks up, they get a short recorded message; if a modem
picks up, they get a callback later
...
They recognize the important
value of having direct dial-up lines for easy access, but they also understand that
anytime a person is able to call a computer directly, a security breach is not only
possible - it's unstoppable
...
They will only allow access to an intermediary device or computer
which firewalls important data from potential hackers
...
When access is confirmed, the caller is transferred to a line
connected to the actual computer
...
As long as the password to the initial
computer is kept secure and changed frequently, the important data on the actual
computer is free from harm
...
The system administrator keeps a
list of the home phone numbers and office numbers of legitimate users, and if the
computer sees that the incoming call is not from one of those, there is an
immediate disconnect
...

Where Caller-ID is unavailable or unknown, a ring-back feature may be put to use
...
This is the normal way ring-back
works, but in some instances (such as the RBBS-PC electronic bulletin board
system) the ring-back option means that a caller lets the phone ring X times, then
hangs up and calls back again
...
If the
caller had originally let the phone ring more than X times, the computer would
have ignored the call completely, thus providing a layer of security
...

A host computer may also not connect a caller until a certain code is played on a
Touch Tone phone
...
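The ring-back rule described above is easy to get subtly wrong (a caller who simply waits for an answer must never be connected, and a stale first call must not be honoured later). The following Python model is an added example, not code from the book or from RBBS-PC: it implements the "ring at most X times, hang up, call back within a window" rule together with the Caller-ID allowlist mentioned earlier in the chapter. The ring counts, window and phone numbers are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class RingBackGate:
    """Dial-in gate modelling two checks from the chapter.

    1. An optional Caller-ID allowlist: if `allowed_numbers` is non-empty, any
       caller not on it is ignored outright.
    2. The RBBS-PC style ring-back rule: a first call that rings at most
       `max_rings` times is remembered; the caller must hang up and call again
       within `window` seconds, and only that second call is answered. A call
       that rings past `max_rings` is ignored and clears any pending first call,
       so a caller who just waits for an answer never gets one.
    All parameters are constructed for this example.
    """
    max_rings: int
    window: float
    allowed_numbers: FrozenSet[str] = frozenset()
    pending: Dict[str, float] = field(default_factory=dict)

    def on_call(self, caller: str, rings: int, now: float) -> str:
        """Decide one incoming call: 'ignore', 'wait' (hang up and call back) or 'answer'."""
        if self.allowed_numbers and caller not in self.allowed_numbers:
            return "ignore"                      # Caller-ID not on the administrator's list
        first = self.pending.pop(caller, None)   # any earlier qualifying call is consumed now
        if rings > self.max_rings:
            return "ignore"                      # rang too long: treated as a stray call
        if first is not None and 0 <= now - first <= self.window:
            return "answer"                      # correct second call inside the window
        self.pending[caller] = now               # remember this as a qualifying first call
        return "wait"


def simulate(gate: RingBackGate, calls: List[Tuple[str, int, float]]) -> List[str]:
    """Run a sequence of (caller, rings, time_in_seconds) events through the gate."""
    return [gate.on_call(caller, rings, t) for caller, rings, t in calls]


if __name__ == "__main__":
    gate = RingBackGate(max_rings=3, window=60.0, allowed_numbers=frozenset({"555-0100"}))
    print(simulate(gate, [("555-0100", 2, 0.0), ("555-0100", 1, 20.0)]))   # ['wait', 'answer']
```

The pending entry is popped before any other decision so that an over-long call or an expired window always resets the caller's state; the only path to "answer" is a qualifying first call followed by a second call inside the window.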

As you can see, all of these dial-up security measures make life difficult for the
hacker
...

You may be randomly dialing through a range of phone numbers because you have
reason to suspect that a computer line exists within that range
...
If you call one number and
hear a computer at the other end but aren't connected, suspect that the computer
is looking at your phone number and seeing if it's valid
...
However, it is still necessary to
know that phone number
...
) Caller-ID type systems, and those which call back a phone number, will be especially
common on computer systems whose users are situated within a close regional
area
...
Though it is a dial-in line, special equipment may be needed to
connect with it
...
When a user calls up to use the
computer, a special device answers the phone
...
You can see how this would easily foil any
WarGames dialer
...
Luckily, the majority of computers do
not employ such tactics, and are easier to crack than a hard boiled egg
...

The login environment of most computers is limited to a username and password
prompt
...
Those instructions
won't necessarily be carried out (you probably have to log in first) but they can be
helpful
...
Try typing "help" or "?" first, and
see if that does anything
...
The advantage of having certain other commands may not
be as apparent, nor will there necessarily be any advantage at all to the hacker
...
Thus if three incorrect user-name/passwords are
entered, instead of disconnecting you, the computer will bring you back to the
command prompt for another go-round
...
Try
entering commands in all upper or all lower case, then mixed cases
...

See which characters are
recognized
...

It helps you more easily figure out what you should be doing to get things moving
...
That is useful information
...
If, on
the other hand, your entire entry is examined, advanced help may be available
...
Such help
systems are common
...
Some terminals tell
you you're wrong when you enter a bad name, others wait until you've given both
name and password to inform you
...
The IBM VM/370
was insecure in this regard; it immediately informed you that the username was
no good with a "userid not in cp directory" error message
...
First it helpfully prompts for your "Nine digit ID
code" (hint, hint, what could that be? A social security number perhaps?) and when
the correct one is entered, it will say, "Good morning Samantha
...
" This particular computer al-lows you to easily break into one of several
com-mand languages and reprogram the menu inter-face
...
Dynix is a joy to hack
...
This can help you decide if a username
you're entering is valid or not
...
Every time you
type "Jim," it takes that long
...
" This is obviously a
made-up name that the computer won't be able to find in its files
...
should continue guessing
passwords for him
...
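The two tells described above (a login that says outright that the userid does not exist, and one whose response takes a different time for a real name than for a made-up one) are the same oracle seen from two sides, and the fix for both is the same. The Python below is an added example, not code from the book or from any system it names: a deliberately leaky login check in the VM/370 style next to a hardened one that returns a single generic message, does the same password-hashing work whether or not the user exists, and compares digests in constant time. The user table and the dummy salt are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

ITERATIONS = 20_000  # PBKDF2 work factor; kept low only so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(creds: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a username -> (salt, hash) table. The credentials are constructed."""
    table = {}
    for user, password in creds:
        salt = os.urandom(16)
        table[user] = (salt, _hash(password, salt))
    return table


USERS = make_user_table([("samantha", "correct horse"), ("jim", "lacrosse")])

# Fixed dummy salt/hash: when the username does not exist we hash against these,
# so the unknown-user path costs exactly as much as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def leaky_login(table: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> str:
    """The kind of check the text criticises: a distinct message for an unknown
    user, and no hashing at all on that path, so it also answers faster."""
    if username not in table:
        return "userid not in cp directory"
    salt, stored = table[username]
    if _hash(password, salt) == stored:
        return "ok"
    return "bad password"


def hardened_login(table: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> str:
    """One generic message for every failure, the same hash work on every path,
    and a constant-time digest comparison."""
    salt, stored = table.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)
    matches = hmac.compare_digest(computed, stored)  # always evaluated, never short-circuited
    if matches and username in table:                # order matters: the digest check runs first
        return "ok"
    return "login incorrect"


if __name__ == "__main__":
    print(leaky_login(USERS, "nobody", "x"))      # userid not in cp directory
    print(hardened_login(USERS, "nobody", "x"))   # login incorrect
    print(hardened_login(USERS, "jim", "lacrosse"))  # ok
```

Note the `username in table` test is placed after the digest comparison rather than before it: if a caller happens to type the dummy password for a non-existent user, the digest matches the dummy hash and the membership check is what still rejects the login, without changing the amount of work done.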

In any case, source codes are often available, especially for UNIX files, and so you
can look them up to see how the inner workings of the login prompts function
...

A completely different way you might like to research the login prompt is by control
codes
...
For
example, you can send an ASCII code to command the remote computer to stop
reading a password file
...
Sometimes pressing
Control-Z (the end-of-file command) at the right time will bring strange results too
...

Any decent library will have an encyclopedia of acronyms
...
) Very often you will call up a packet switching network, find a valid
address, then get something like "Welcome to VHMSD! Password?" on the screen
...
Remember, when you are hacking a computer, you are really
hacking the people that run the computer
...
Otherwise you're just taking random stabs at a
computer identified only by some strange abbreviation
...
A BBS
is a computer program that anyone can set up on his or her computer
...
When
it does, the BBS program answers the phone
...
The person who is calling is then able to use the
computer on the other end of the line as if he or she was sitting directly at that
computer's keyboard
...
In
essence, the caller actually controls the computer through the phone lines
...
The BBS
program separates the caller from the computer itself
...

BBSs are generally run by computer hobbyists on their home computers, and are
used as a way to share information in the spirit of the original hackers
...
Schools, libraries,
stores, user groups, churches, and organizations often run BBSs to spread the word
about activities and to keep members in touch with one another
...

The US Congress has even set up a bulletin board system
...

Other BBSs are private ones, the phone numbers to which are not made widely
available
...
Franchise businesses such as fast food places often
use BBSs to upload inventory or financial data to their company headquarters on a daily basis
...

Access to most BBSs is controlled by a name/password combination
...

If you are a new user, you will be asked if you wish to register for the system and,
if so, you will be asked some questions, welcomed to the system, perhaps given a
short tour, and shown the rules of the house ("Please keep messages clean
...

After that, you might be given guest access to the BBS until the sysop can validate
your request for admission, or you might be logged off and asked to call back the
next day
...
They want to make sure the people they will be allowing to use
their computer can be trusted
...
They enable us to communicate (possibly anonymously
or semi-anonymously) with other computer users
...

And of course, there are the immoral and illegal ways of using BBSs, ways to exploit
them and the people on them for your benefit, ways to make contact with the
underground and deviant computer users of the world, including hackers
...
The sysops of BBSs are not competitive
...
Thus, you will almost always find a BBS list on any BBS you call
...
BBSs also usually have a BBS message center, or
a place where other sysops can advertise their BBSs. So once you call up that first BBS, you will have the phone numbers for many more
...

To start with, if you know anyone who has a computer and a modem, ask them if
they have any BBS numbers
...
The companies that manufacture modems and other telecommunications
equipment, as well as the software companies, often have BBSs
...

Hayes, for instance, has a nation-wide 1-800 BBS you can call to get product
information and lists of BBSs from all over the country
...

Computer magazines often list BBS numbers
...
There are also several computer phone books that give listings
...

Finding Hacker Boards
The most adept hacker BBSs will not advertise themselves, but don't worry: Once
you establish yourself as a knowledgeable hacker, you will learn of their existence
and they will welcome you with open arms
...
Perhaps they have
worthwhile information
...
You can ask on overtly
hacker/criminal boards if the members know of any other hacker boards (or look in
the BBS listings there), but you probably shouldn't stick around on overtly criminal
boards, as they are more likely to be busted
...


Occasionally you will find an electronic conversation with some intellectual value to
it
...
If you find such a BBS, one whose members proclaim themselves to
be hackers, and yet the conversation is smart and con-servative, you can bet that
there are secret sub-boards lurking behind trap doors, where all the real-hacking
news gets discussed
...
To be accepted as a hacker you must be willing to exchange information
...

If you log on to a respectable BBS which you suspect contains a secret hacker
subsection, accidentally try a different unlisted command each time you log on
...
) If you find a
command that works, and you're asked for a password, then you'll know you're on
the right track
...
Modestly tell of your hacking
achievements
...
law enforcement officers make about hackers is that they say we live by a double
standard: That we think it is no crime to violate other people's privacy, but we can't
stand the thought of being probed ourselves
...
As far as hacking a hacker BBS is
concerned, since the users of that BBS do not know you, they don't know that your
intentions are honorable
...
In your
talking to the sysop you might want to mention that you refrained from hacking the
hole that you found, in order to reassure them that you are a fellow hacker and not
a cop
...
Talk to the sysop and assistant sysops privately about your
find, via e-mail or on-line chats
...
There will be no
talk of hacking, no trading of break-in secrets, and certainly no sensitive
information of any kind being distributed to newcomers
...

Be polite, try to be helpful
...
Having an
experienced hacker as a friend will do more to boost your skill in that area than
anything else - except perhaps some persistence, research and luck
...
"
There is no single, organized underground per se, but there are groups of hackers
and others interested in technology scattered here and there
...
The
message boards they use to communicate will often remain hidden to the
uninitiated, and the BBSs on which the most interesting tales are traded will not
have their phone numbers publicized at all
...
If you start to get the feeling that someone on one of the bulletin boards may be
inclined to deviant computing, you may want to send him or her a private message
(tactfully) asking if he or she is interested in that sort of thing and if so, would that
person want to trade information? But remember: any message you send on a BBS
can be read by the sysop, co-sysops, and possibly other system managers lower
down the hierarchy, so be discreet if the people who run the show are antihacker
...
If you look in the right places you are
sure to find computer hackers
...
Hackers like to show off, but they don't usually like
to explain how they do their tricks
...

As you wander through the bulletin board forest, keep track of where you've been
...
Particular features to keep
track of are file transfer capability, extent of BBS list, user lists, and doors
...

BBSs with file transfer sections will allow you to upload (send) computer programs
and files to the BBS, and download (receive) files from the BBS computer
...

There are various kinds of user lists and logs on BBSs
...
Often
usage logs are available; these will let you see who logged onto the BBS before you
arrived there
...

"Doors" are used to go outside of the BBS pro-gram
...
Usually doors are used to play games on-line, but any kind of program
can be accessed through doors
...

Other BBS features include:
• Graffiti walls
...

• E-mail (electronic mail)
...

• Chat (also called "page operator")
...

• Text file libraries
...


Once you get started BBSing, you'll get a handle on the kinds of things you tend to
find on BBSs
...
Nowadays, things are a bit tougher
...

Oh, they're still there if you know what you're doing - but unfortunately, for the
most part you'll be stuck if you rely on those methods
...

Unless you have some phobia, you are not afraid of being struck by lightning every
time you leave your house
...
But what if someday you
were struck by lightning? That would change your perspective on things, wouldn't
it?
My point is this: the weakest link in any security system is the people involved in
making sure everything stays secure
...
He's never had files erased by a virus, never had his credit
card numbers stolen, or his DIALOG account breached
...

How is Joe Blow - the weak link - to be exploited? Joe is a typical computer user and a typical human being
...
He's human, so he has trouble remembering fifty different passwords
...
Joe uses easily guessed passwords, or maybe none at all
...

And guess who's going to be exploiting Joe Blow? Yes, you
...
Well, in some ways it does, but there are a lot of things I
say in this book that are like that
...

Sometimes you have to break your own rules to have some fun
...
Why did I say to do this?
Because the people you will meet on these systems are people who are into BBSing
...

If you call up Fred's BBS, and you go to the "Computers" Discussion area, and Joe
Blow is there talking about CompuServe, you have just found out a very significant
clue! All you have to do now is find out what password Joe uses on Fred's BBS
...
This is easier said than done, of course
...
Many BBSs have a listing of which users have signed
on to that BBS, where they live, what their interests are and what they do for a
living
...
Use your program's data
capture facility to record the most useful lists you find, then edit them down and
print out the essentials
...
Under interests, Joe put down "bowling, SCUBA diving, Star
Trek & lacrosse
...
It's more than likely that Joe Blow's
password is a word taken from one of these areas of interest
...
It is vastly easier to figure out the
password of someone you know than the password of a complete stranger
...
Obviously, it's
better to try to focus on someone who is not an expert BBSer - although some
expert users are so smug they become complacent and lazy, and so perhaps
become better targets
...
A newcomer will be more likely to
choose a bad password
...

To sum up: If you find out what things a user (especially a new user) is interested
in, it's "easy" to guess his or her password
...
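The observation above, that a password is very often a word lifted from the user's own profile, is something a BBS operator can check at registration time rather than leave for someone else to exploit. The following Python policy check is an added example, not code from the book or from any BBS package: it tokenises what a user volunteered about themselves, strips the cheap disguises (case, digit-for-letter substitutions, trailing numbers and punctuation) from a candidate password, and rejects any password that is built on a profile word. The profile uses the interests quoted in the text and is otherwise constructed; the normalisation goes a little beyond the text by also catching "leet" spellings.

```python
import re
from typing import Dict, List, Tuple

# Reverse map for common digit/symbol-for-letter substitutions, so "b0wl1ng" -> "bowling".
_UNLEET = str.maketrans("431057$@", "aeiostsa")


def profile_terms(profile: Dict[str, str], min_len: int = 4) -> List[str]:
    """Tokenise everything a user volunteered about themselves (handle, interests,
    occupation...) into lowercase words of at least `min_len` letters."""
    terms = set()
    for value in profile.values():
        for tok in re.findall(r"[A-Za-z]+", value):
            if len(tok) >= min_len:
                terms.add(tok.lower())
    return sorted(terms)


def normalise(password: str) -> str:
    """Undo the disguises people apply to a favourite word: case, leet digits,
    punctuation and appended numbers. Only letters survive."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_UNLEET))


def check_password(password: str, profile: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason). A password that is, contains, or is a large part of
    any word from the user's own profile is rejected before the length rule applies."""
    core = normalise(password)
    for term in profile_terms(profile):
        if term in core or (len(core) >= 4 and core in term):
            return False, f"derived from profile word '{term}'"
    if len(password) < 8:
        return False, "shorter than 8 characters"
    return True, "ok"


# Constructed registration record; the interests are the ones quoted in the text.
JOE = {
    "handle": "Joe Blow",
    "interests": "bowling, SCUBA diving, Star Trek & lacrosse",
}

if __name__ == "__main__":
    for candidate in ("lacrosse1", "StarTrek!", "B0wl1ng2024", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, JOE))
```

Because the check runs on the normalised form, "B0wl1ng2024" and "StarTrek!" are rejected for the same reason as a plain "bowling" or "star trek"; a password unrelated to the profile, such as "Tr0ub4dor&3", passes to the ordinary length rule.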

I'm not trying to suggest that guessing a pass-word is simple
...
But there are faster, smarter - and consequently more technical - ways of getting into Joe Blow's BBS account
than a brute force attack
...

Bypassing BBS Security
Even though BBSs employ security features, there are at least eight factors which
serve to make them vulnerable to any resourceful hacker
...

• BBS run on home computer
...

• Hacker is familiar with the people involved
...

• File transfer section
...

• Hacker knows usage patterns
...
Taken as a whole, it should be pretty much
impossible for a hacker to NOT be successful at a BBS breach
...
BBSs often have a menu option that gives you the
rundown on what equipment is being used to operate the system
...
Knowing all these facts gives you a
great advantage in the writing and uploading of Trojan horse programs, in the
seeking out of bugs to profit by and, yes, in the guessing of passwords
...

Naturally there is no guarantee that the sysop is not present when the notice says
he's not present, but the "Sysop is IN" sign can at least warn you of when you
should definitely be most cautious
...
For example, RBBS-PC bulletin board software allows the
sysop to keep a continuous printout on each caller's name, files exchanged, and
error messages that oc-cur
...

Running A BBS
The least difficult way to collect passwords is to have people give them to you
...

But being a sysop takes a lot of work, and it also involves the use of your computer,
modem, telephone line(s) and possibly even your printer
...
When you set up your own BBS, the first two of these reasons are suddenly gone
...
However
...
For example, the
hacker can set up a BBS specifically as a place for other hackers to pose questions
and exchange information
...
So as not to get too off the topic, I will come back to the security
subject later, at the end of this chapter
...
It's always beneficial to a hacker, and soothing to the true hacker's mindset,
to be fully conscious of how a computer system works
...
This
will show you what can and cannot be done on the particular BBS software you're
running, and might teach you something about hacking as well
...
And you can alert
other sysops to the security risks inherent in their systems
...
But I have been an assistant
sysop with full operating abilities on several BBSs, and in so doing I've seen a lot of
tricks that people have tried in an effort to break into those systems
...
...
The hacker tried logging in a few times using my handle, The Knightmare
...
The following is a transcript of the ensuing
conversation, copied exactly as it appeared in the sysop's printout, but with
unnecessary carriage returns removed
...
]
SysOp wants to Chat!
This is DR dendryte, Who RU?
this is Knightmair i Forgot my password
...

[At this point, DR dendryte knew for certain he was dealing with an impostor
...
DR dendryte, however, decided to play along
...
i guess! I can't just give out passwords like
that you don't have to you can just log me in
...

[Here DR dendryte was referring to the hacker's bad spelling and grammar; DR
dendryte knew that I am meticulous in my on-line chat writing
...
DR dendryte lets the cracker speak:]
That does igt! I don't want to be your friend anymore! just delete me off the BBS
...
]
i Don't believv you don't trust me
GO VOICE
Theres no phone in the room
...
]
The next day, when DR dendryte told me this story I said, "You should have told
him, 'I AM The Knightmare!' That would've really embarrassed him!"
Impersonations of this kind might work, but only if you are already intimately
familiar with the person you are attempting to impersonate
...
Perhaps the hacker also supposed that DR dendryte would be
asleep
...

Hackmail
The Treacherous Den BBS was a particularly sweet target for hackers to try and
infiltrate
...

The system was run off a pirated copy of a popular BBS software package, but DR
dendryte had altered it so that it appeared to have been officially registered in his
name
...
DR dendryte told him to hold on
a minute, he would look up the answer in the manual
...

"Yeah," DR dendryte replied, referring to the in-struction manual, which he had
found ait a used book store for a quarter
...

He didn't think any more of the conversation until the following month, when a
cardboard envelope arrived in the mail
...
DR dendryte opened the envelope
...
The letter read:
Dear Mr
...
All customers who have
purchased non-entertainment packages from before July 1986 are entitled to a
yearly free upgrade
...

upgrade, simply insert the enclosed diskette and type START
...
We hope to have you again as
our customer in the future
...
B__

Not only did DR dendryte know immediately that this was a total crock, but he knew
who had had the gall to send it to him
...
Then he
wrote a nasty note and e-mailed it to him
...
But of course, I already
knew that DR dendryte had not bought the software, but had obtained the manual
through alternate means
...

Upon examination of the disk that had been mailed to him, we found that the disk
contained eight files:
There was a text file which explained all the "wonderful and exciting features you
will enjoy having on your new version of L BBS Software
...
START would then
"update" the old version of the software with its "new" version
...
) Finally, there was a blank file called T on the disk,
which served no purpose at all
...
As it turned out there were two things different
...


You won't be able to pull a stunt like this unless you can gain access to the source
code for the software, as he must have been able to do (unless you want to
recreate from scratch an entire bulletin board system)
...
It had simply frozen up and would have to be
rebooted
...
A "\x" typed at the password prompt caused
everything to halt
...
To remedy the problem I simply added a line after
the prompt that would disconnect anyone who tried typing in the dreaded "\x"
...

I've always wondered about that "\x
...
Maybe it was some trap door that
had gone awry
...

Maybe - this is a credible possibility - that bug had been placed there by the person
who had given the copy of the software to the sysop, or by the pirate who had first
bootlegged it, or by anyone at all along the line
...
Hey - are you starting to get an idea there? I know I am!
You could either write your own BBS program or alter a currently existing one, with
some secret features such as an exit to DOS, or whatever trap doors tickle your
fancy
...

A twist to this tactic is to write or change a terminal program, which you give to the
user
...
For example, a user would be running your special
terminal program while calling your BBS
...
To
cover up the fact that you're roaming around in there, entry would have to take
place during a long file transfer or, if it is a slow modem, during those time lags
between modem action
...

PRODIGY, a graphic-oriented interactive, on-line service, was accused of engaging
in a variation on this theme in the summer of 1991
...
After complaints
and outrage, PRODIGY's senior vice president mailed out a utility to those
concerned, which would erase non-essential data from the service's terminal
software
...
We want to assure you that we will continue to work to safeguard the privacy of all of our members
...
The program gave users the
convenient option of allowing them to store passwords and other login procedures
on disk so that one would never have to worry about forgetting them
...
The program was developed to "go bad" after several phone numbers and passwords were
stored, the hope being that users would send back the disks, and the hackers would
end up with a bunch of precious login information
...
Unless you work something like that into your term
program, who's going to want to bother installing and learning your software when
they are already familiar with one or several commercial
packages? In fact, this is what happened to that group of hackers
...
The problem was, the hackers
gave the program out to experienced users who had already developed an intimacy
with one or more commercial programs
...

As for the first idea - changing a BBS to include trap doors - now that is a viable
possibility
...

Distribution is less of a problem than the programming, especially considering that
you will not only have to interject code for the trap door but, for best results,
determine a way to hide that code from interested eyes
...
The hacker writes a program which performs some interesting
function, such as playing a game or putting pretty pictures on the screen
...
The hacker then uploads the program to a BBS and -here's the
important part - hopes the sysop runs the program
...

Otherwise, how will you know what files to look in or where to go on the disk for
information?
What kinds of things can you program a Trojan horse to do? Here are some
suggestions:
Have it secretly reprogram the BBS itself to include a trap door
...
This
actually has been done on a popular Commodore 64 bulletin board system that
was written in BASIC
...
Many BBSs have a text file section
...
Then you simply log on, view the files, obtain
the encrypted passwords and decode them
...

Another way to get password information back to yourself is to use the BBS's e-mail
function
...

A Trojan horse may contain a rough version of some key portion of the BBS
program itself
...

Covering Up
Trojan Horse Activity
There are two things you have to worry about when you upload a program
containing a Trojan horse to a system:
1 That your Trojan horse will be discovered while it is running
...

I will talk about each of these problems in turn
...
You see, if junior Joe writes a program to covertly format hard drives,
something has to be happening on-screen to divert the user's attention while the
hard disk drive light flashes on and on and on
...
junior Joe has to cleverly devise some non-interactive time-killer that
will hold interest for the length of the format or file deletions
...
!") or a digitized musical score, or perhaps the
program could send graphics to the printer
...

Never have your program access the hard drive (or any unauthorized peripheral) for
what the sysop will think is no reason
...
For example, if the Trojan horse is hidden in a game,
you could have it display the message, "Saving your new high score
...

Don't forget, the program actually should be saving the user's high score as well,
and the entire drive access time should be very short
...
If possible, have the note be
erased midway through the Trojan horse's activities, to deliver the illusion of very
quick drive access
...
3 (c)opyright 1992 Paul Bradley Ascs
...
1 for viruses
Scanning file FILENAME
...
1, FILENAME
...
in the above, substitute names of the program
and data files that were uploaded with the application
...
Instead, have the periods
appear one at a time between disk accesses, to make it appear that the program is
really scanning through the different files
...

Trojan horses that perform BBS functions (such as changing passwords) should do
so via direct disk access if possible, and not by utilizing the BBS program
...

Before & After
Sysops, system administrators, and even regular users are now wise to the
hazards of bulletin board file transfers
...

This means they will use a virus scanner to check your uploads for viruses
...
What you do
have to be careful of is that the sysop or system manager will manually examine
your uploads for filthy words or erratic programming
...
They have text they have to hide within their programs
...
Even if the sysop doesn't have one of those programs, if he or she
is cautious enough, that crasher's "GOTCHA!" will certainly be discovered before the
program is ever run
...
All the text in your programs will
be text that gets written sensibly to the screen anyway, text that is either part of
the application program, or text that looks like it comes from the program, but is
actually used to blanket your Trojan horse
...
Thus, your job is easier than
the crasher's, though it's far from being a snap
...
These
commands, and more importantly, the filenames, must not be discovered by the
sysop
...
If you just push everything up one letter higher (i.e., "PASS" becomes "QBTT"), those
programs will still locate this encoded text - and the
sysop might be smart enough to discover what it means
...

A program you upload may be an uncompiled source listing or a batch file
...

NEVER simply upload a batch file in its raw form
...
TXT
read USERINFO
...
It's meant to illustrate the kind of brazen attempt at upgrading
access that would catch a sysop's attention
...
The batch commands start out as encoded
gibberish in the application program
...

The creation and use of the file should probably be done on separate occasions, to
keep illegal drive access time low
...
Put it deep within the program
...
Remember, if your cover
program is particularly clever, the sysop may want to analyze it, to see how you
achieved such a wonderful thing! This means your cover program could be under
some heavy scrutiny; and your Trojan horse could be discovered by accident
...

That is, have the last few steps the Trojan horse takes be to erase itself from the
program
...
This can be tricky: how can you get the sysop to delete all those files you
uploaded, without letting on that something shady is going on below the surface?
Ways this can come to pass are by having the application program be something
that you know the sysop already owns, or something similar yet inferior to the
sysop's version
...
" This can only be done when the application you sent is a compiled
program, elsewise the sysop would be able to correct the problem himself - wouldn't
he!
A particularly paranoid sysop might transfer any uploaded files to a different
computer before he tries them out
...
Take these things into consideration when you program, and have your
Trojan horse only work when the computer is set up as it is supposed to be
...
It's also necessary to do this because, if
the application that hides your Trojan horse is good enough, the sysop will make it
available for other users to download
...
What if you make a dedicated effort at
finding a suitable BBS on which you can learn and share, but none turns up in your
search? You may want to start a BBS of your own to suit your needs
...
This would be no
problem if all you did on your computer was hack, since your hacking can be
taken on the road through the use of laptops, publicly available computers and the
like
...
Consider this before you get all
excited about setting up a BBS
...

Whatever home you give to your system, you should install it with a false front to
make it look legit, and a back side that encompasses the private area for accepted
hackers only
...

I have seen some fantastic BBSs go up, only to fail miserably
...
As a hacker BBS,
you won't experience this to such a great extent since you aren't going to advertise
as much as a generalized BBS would - after all, you're trying to keep out all the riffraff
...


The strategy for getting users to come in and stay awhile is to set up your BBS,
turn it on, then leave it on
...
Don't do that! If someone calls and finds no computer is there to
pick up, they aren't going to call back a second time
...

Have members of your BBS run scouting missions to the above-ground hacker
BBSs
...

Before you allow an unknown hacker into the secluded realm of your hacker subboards, you should make doubly and triply sure that he or she is not a cop
...
Don't be fooled! Verify that this self-proclaimed hacker is not an FBI
agent by checking out credit ratings, telephone company data, and positions on
other computer systems
...
This isn't paranoia - it is common sense
...
The safest thing is to not accept new
members into your BBS; but that may not be the smartest thing because it
eliminates a possible world full of information that will never expose itself to you
...
It can sharpen your
skills and teach you much about a lot of things
...

Considering the dangers of hacking, that might not be such a bad fate
...
But for now let's get back to hacking - some of the best and
most useful techniques are yet to come!

Chapter Eleven:
Borderline Hacking
I want to talk about some non-hackerish ways of dealing with hacking problems
...
When that is so, the usual time-consuming methods may fail us, and
so one must resort to desperate measures
...


Hacking For Ca$h
There are hackers who have "made good," becoming security consultants for
corporations and governments
...
From the hackers: "How dare you do this to us!" (Rebuttal: "Obviously
you are not a real hacker
...
") From the law-abiding citizens: "We couldn't
trust him before, why should we trust him now?" and "Just because you know how
to break into systems doesn't mean you know how to prevent them from being
broken into
...

If you wish to enter this line of business, you are not alone
...
"Tiger teams" is the term for groups of hackers or sometimes
lone hackers who are hired by an organization to put their security to the test
...
You have to prove to them you are a competent hacker, but you
can't let them know that there is a rebellious spirit in your heart
...
There are also
viruses, improper computing environments, loose-lipped employees and other
hazards that can make even a tightly sealed ship sink
...

To touch on the second criticism of the "law-abiders," it is important to offer
solutions to any security loopholes you uncover in your investigation
...

You know their minds and their methods, and so, yes, you have the expertise to
recommend action that will prevent invasion of their system
...
Tell them
what you did to get in, the weaknesses you saw, and the potential trouble spots for
the future
...
Hackers have been hired to alter
phone numbers, find unlisted numbers and addresses, remove fines, look up
license plate data and change school grades, among other jobs
...
Therefore, you should be very careful
about who you deal with and how much you let those people find out about
yourself
...
Once you start getting paid for it you run into a problem: What
happens if you can't complete a job?
True, nothing should be too tough for the Super Hacker like you, but occasionally
you might have a deadline or unexpected difficulties and the system that looked so
fragile when you began now looms as a large and impenetrable monster that is
beyond your capabilities
...
Hopefully you won't
have to resort to anything less than hacker's methods
...


Besides, there's no sense in restricting yourself to hacker techniques when the bulk
of penetrators are going to use these uncouth methods anyway
...
Therefore, you might have to try them out on the system you are being
paid to protect
...
These
"techniques" are strictly for non-hackers
...

Often these tricks are used as a precursor to some sort of theft or espionage, topics which lie on the fringe of true hacking only because they involve
computers
...

Bribery
You might not want to bribe the system administrator, but there will probably be
some underlings who also have "God access," who may be willing to lend same to
you, for a price
...
After all, you
want him to remain uninvolved in your affairs; if you're spying by computer, the
last thing you need is a company insider knowing that you're doing so
...
If the latter, only log on when the bribee is not on duty, so
that he or she won't get curious and look to see what you're up to
...
For instance, in 1973 a computer operator
employed by the Illinois Driver Registration Bureau was given a $10,000 bribe to
steal a tape reel which contained personal information about drivers registered in
that state
...
My source of information on this case
does not mention whether or not the people who offered the bribe were
apprehended, but just the fact that we know about the bribe implies they were not
successful
...
) This is why
you should hack if you can hack, and use other methods ("filthy tricks") only as a
last resort - and then only to get into the computer, not as payment for the
information you seek
...


Booze And Broads
Yes! It sounds like science fiction but it's true! There have been reported cases of
crackers gaining access to computers by supplying alcohol, drugs and even
prostitutes to the security personnel at a company
...
Upon investigating, it was found "that the Japanese firm had recruited one of
the manufacturer's midlevel managers with a drug habit to pass along confidential
bidding information
...

Bad Feelings
This isn't exactly a dirty trick, but it feels like one
...
Play up
his or her bad feelings toward the company
...
Without being specific, say you want to help them get revenge on the
company
...
(I know, I'm cruel sometimes
...
If your goal is to penetrate a
system run under top notch security, getting a friend on the inside may be your
only hope
...
Anytime
you hear of an employee either quitting or being fired there is the opportunity to
find out that blessed data
...
Once someone has left the company, what does he
care whether you use his password or not?

Chapter Twelve:
What To Do When Inside
It seems straightforward enough
...
But then what? To answer this we will have to begin with a
re-thinking of our goals and morals
...

Others who use hacker techniques might do so because they have a desire to learn
about their competitor's secrets; to understand why they keep getting underbid
every time; or to cleverly outwit the company or individual who they feel owes
them something, and enact revenge upon them
...
There is the free-thinking, computer-enthusiast
hacker, the economic espionage hacker, the politico-espionage hacker, the out for
revenge cracker, and finally, the hacker for hire
...
This is because accounts
with low security clearance are the most prevalent, and many hacker tricks focus on
the naive user who is more prone to having a low-level account
...
They will want to go after either a particular
username/password combination, or any access big enough to allow covert entry
into their target's account
...
That is, they will be content to break in under any
password, do whatever damage is possible, send some nasty e-mail, and leave
...
If these "hackers" do have targets in mind (like the
president of the company or whomever) they will most likely settle happily into
whatever lower-level role they find themselves in
...

The true hacker may or may not want to take the hack all the way to the top
...
This isn't giving up, it's
being practical
...
Or, the hacker may not
feel secure enough in his knowledge of the computer, its users, or operating
system to feel confident in his ability to achieve higher access
...
If
something like this comes up it's probably only a matter of research to put the
hacker back on the track toward superuser status
...
I like hacking, but I also
like exploration
...

Besides increasing one's status in the system, a hacker has many options to choose
from once inside
...

• Download files
...

• Learn about the computing environment
...

• Cover his ass
...

If you have managed to work your way into some data that you feel might have
market value, you might consider selling that data and thereby fund your next big
computer purchase
...
Becoming a spy - for
anyone - becomes a serious and dangerous business
...

Although most courts and CEOs would disagree, I personally believe that there is
no harm done in reading through whatever files are on a system, so long as no one
is hurt in the process
...
You will have to construct your
own set of ethics to guide you; I sincerely hope those ethical constraints are based
firmly on the principles of the hacker ethic that both opens and closes this book
...
It is akin to B & E without the E, and I can not see how they can
morally condone the "B" (breaking in) while shunning the "E" (entering)
...

The other options I mentioned - increasing status, helping the sysops, and the
learning - all require different degrees of familiarity with the computer system you
have entered
...

To begin with, the account you have hacked yourself in with can be a single user
account, a group account, root account, or "special account
...
The root account is held by the system administrator (or one of several
"sysadmins")
...
Or you
may never even know you've gotten into the root until you find you can do stuff
only the Computer Gods high upon Mount Input/Output should be able to do
...
It might be a departmental or store
account, where everyone in a particular store or department can log in under the
same name/pass combo
...
For example, many companies
like to set up limited accounts for secretaries, typing pool or temps
...
Thus, all may be able to
search a database, but only those who log in with a certain password can enter new
data, or can change the way the database is structured
...
They may be testing accounts put in by
system programmers
...
Programs are set up this
way for tutorial purposes, to dispense information, or so access to a particular
application may be more freely available
...


In any case, before any action can be taken you must understand what kind of
access you have, what privileges you're entitled to, and how they can be exploited
to your advantage
...
Before we can proceed there's one teeny weeny concept
you must have full comprehension of
...

Operating Systems
Okay, clear your mind of any thoughts you've ever had about computers
...

Let's say you had a computer that only did one thing
...
That's a computer which plays but a single game
...
After all, there's nothing else to do with the machine except play that
game
...
Let's say, not only does the
computer play a game, it also does word processing
...

What happens when we push the on switch? Does it go right to the game? It can't
- what if we wanted to do word processing? You see, now we have to make a
choice
...
How do we let the computer know where to
go?
Well, we could have two separate switches, meaning any time I press the left
switch, the game goes on and when I press the right switch, the word processor
goes on
...
The third program is called the operating system (or OS), and
when I push the computer's switch, the computer will automatically turn on the
operating system program
...
For example, when the operating system is started it may put a
prompt on the screen such as, "Which program?" to which I would reply, "Game" or
"Word Processor
...
In the early days of computing, when computers didn't do much more
than run a few select programs, the controlling software was called "the monitor
...
The
monitor grew to become an all-encompassing program which did a lot more than
just allowing the user to choose between a few programs
...

Operating systems control the functioning of the entire computer; they control how
resources will be allocated to the tasks at hand, how memory is used, which
programs are to be run and in what order
...

Some operating systems you are most likely to run into are "UNIX," "MS-DOS" or
"PC-DOS" (on IBM compatibles), "PRIMOS," "RSTS" (on Digital Equipment
Corporation's PDP-11 minicomputers), and "VMS
...
If you don't know the commands and syntax that control the computer, you
won't be able to get the computer to do anything
...
When you understand how an operating system works, you will be better able to
look for bugs in it
...

3
...

4
...

All of this leads up to one big THEREFORE
...
If you want to control a computer, you have to know how to
tame the software which controls that computer - you have to understand very
fundamental things about its operating system
...
And I'm talking about self-taught knowledge
...

Does this sound intimidating? Then maybe you don't have what it takes to be a
hacker
...
Realistically, there is no way to make a 100% guarantee that a particular computer
system is safe from intruders
...

A good hacker should be able to break into most systems
...
And the absolute finest hacker will not only be able
to enter every computer he encounters, but will be able to do something
constructive once inside to make the trip worthwhile
...
It's another
thing entirely to figure out how to alter records in that database, and to do so
without being caught
...
At the simplest level that
means knowing the basic commands that any user of the system requires on a day-to-day basis to interact with files, to send and receive mail, and to perform any
needed action on the machine
...
He needs to know how the manuals are structured and the "jargon" of the OS
...
And he needs to
know the meanings of error messages
...
You see, all of the above is just the
tip of the iceberg
...
What a hacker
needs to know about an OS is the secret stuff that doesn't come in the manuals, or
if it is printed there it is so technical and obscure that it is information decipherable only by a select few
...
But a hacker - to effectively enter and
exploit any system he or she encounters - needs to know how the OS works, and
why it works as it does
...
They are some-times altered to
include features or functions that a particular computer manager finds desirable,
but those alterations open up security holes
...
Additionally, the
software that is used may have been designed for the plain-Jane version of the OS
and so incompatibilities (and hence glitches) develop
...

The casual user is oblivious to all of these pos-sible security breaches
...

Needless to say, this book is not going to suddenly turn into an explanation of the
technical aspects of every single operating system, and a true hacker wouldn't
want it to be
...
Learn its basic commands, but then go a step beyond that and
learn how those commands were programmed
...
What happens to
memory when the command is executed? Are there ways to change memory?
These are the kinds of things that are important to a hacker who wants to
accomplish big dreams
...
The reason is simple and unavoidable: the best things in life are often
not free
...
Sure, you may find it convenient to learn certain things only as
the need arises, such as a particular shell programming language, or the way an
application works
...

Let's get away from all this heady stuff for awhile and go back to the impetus for
this discussion of operating systems: After you get in, what the hell comes next?
Looking Around
What should you expect to find, once you've made it onto a system or network? A
whole lotta things!
There may be files to read, programs to run, or ways to move about from one
computer to another, or one network to another
...
Some text editors leave behind files like this that are readable by anyone
who happens to pass by
...
Electronic mail is
often not automatically deleted, and it accumulates in (perhaps hidden) files on
disks
...

See if you can find evidence of security logs
...
If
you can find a readable security log it will often contain records of these login
errors
...
He has typed his name before the login prompt,
and he has put his password (quite visibly) on the "Username:" line
...

Somewhere in the administrative directories, there is a log file that reads:
Unsuccessful login of user cherrytree @ Tue, Mar 24,1992,14:16:03
Now you just have to go through the various users on the system until you find the
one who uses this password
...
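Because a failed-login log that others can read may hold exactly this kind of mistyped password, an administrator will want to find such records and lock the log down. The Python script below is an added example and is not from the book; its log format, sample records and account list are constructed to match the line quoted above.

```python
"""Find failed-login records whose 'username' is not a real account.

Added example, not from the book. A user who types a password at the login
prompt by mistake leaves it in the failed-login log, so a log file that other
users can read leaks passwords. Run as the administrator, this scan lists the
records whose account name is unknown (likely a password), counts failures per
real account, and checks the log's permission bits. The log format and the
sample records are constructed to match the line quoted in the text.
"""
import re
import stat
from collections import Counter
from dataclasses import dataclass

# Constructed sample records: "cherrytree" and "ros3bud" stand for mistyped
# passwords, "hjones" and "susie" are ordinary failed attempts.
SAMPLE_LOG = """\
Unsuccessful login of user cherrytree @ Tue, Mar 24,1992,14:16:03
Unsuccessful login of user hjones @ Tue, Mar 24,1992,14:16:20
Unsuccessful login of user hjones @ Tue, Mar 24,1992,14:16:41
Unsuccessful login of user ros3bud @ Wed, Mar 25,1992,09:02:11
Unsuccessful login of user susie @ Wed, Mar 25,1992,09:05:47
"""

# Constructed account list; on a real system it comes from the password file.
KNOWN_USERS = frozenset({"hjones", "susie", "root", "operator"})

LOG_RE = re.compile(r"^Unsuccessful login of user (?P<name>\S+) @ (?P<when>.+)$")


@dataclass(frozen=True)
class FailedLogin:
    name: str
    when: str


def parse_failed_logins(text):
    """Parse log text into FailedLogin records, skipping lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(FailedLogin(m.group("name"), m.group("when")))
    return records


def likely_password_leaks(records, known_users):
    """Records whose 'username' matches no account: probably a password typed
    into the username field. Correlate the timestamp with the next successful
    login from the same terminal to find the user who should change it."""
    return [r for r in records if r.name not in known_users]


def failures_per_account(records, known_users):
    """Count failed attempts per real account, e.g. to spot password guessing."""
    return Counter(r.name for r in records if r.name in known_users)


def log_mode_is_safe(mode):
    """A failed-login log should be readable and writable by its owner only."""
    return not mode & (stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH)


def report(text=SAMPLE_LOG, known_users=KNOWN_USERS, log_mode=0o644):
    """Summarise the scan; log_mode is the st_mode of the log file (0o644 here
    is a constructed, unsafe value)."""
    records = parse_failed_logins(text)
    leaks = likely_password_leaks(records, known_users)
    return {
        "leaked_names": [r.name for r in leaks],
        "leak_times": [r.when for r in leaks],
        "failures": dict(failures_per_account(records, known_users)),
        "log_mode_is_safe": log_mode_is_safe(log_mode),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```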

Speaking of security, the first thing you should do any time you log in to an account
for the first time is try to get a sense of who this person is whose account you are
borrowing (assuming you don't already know)
...

If the message tells you that the legitimate user logged in recently then you may
have a problem
...
Try logging in two times simultaneously on two separate computers and see
what happens
...

Let's look at this first scenario
...
the actual user
tries logging in but gets a "User hjones already logged in on port 116" message
...
So if the legitimate account holder were to
log in she would find something like this waiting for her:
Message #01
From 1513 SuperUser
To ALLUSERS@calli
...
n-til
Some faulty wiring has led to problems with several of our port connection verifier
circuits in the subchart group C of the local network system
...

We are sorry about this problem and we are doing what we can to correct it, but
this will take time
...
I hope you will agree it is better to
have some bugs in the system than no system at all
...
Thanks for your
cooperation
...
There may be
history reports detailing command activity, newsgroup readership, file transfers or
files deleted
...

If your account has been used very infrequently, then you know that the actual
account owner poses very little threat to you - although it also means the system
manager is now a threat, since he will suddenly see tons of activity from an account
that had never before been active
...

Commands To Look For And To Use
Most operating systems come with extensive online help
...
Also helpful is
"apropos" which will display a list of commands that are related to a given word
...

You can then use "man commandname" to find out what each one means
...

Process commands tell you what is being done on the system and, generally, who is
doing it
...
Using such commands will give you a feel for what options are available
to you
...
If you're extremely lucky you might
even find an encryption key poised in the list of processes
...
Unfortunately, the crypt program acts to remove the key
from the listing once it is activated, but there is a brief period when the key is
public data, there for all to see
...

"Telnet" is a program that allows you to connect to other computers
...

The reason a hacker bothers with regular user accounts in the first place is to give
him or her a safe place to do real hacking
...
UNIX also has a "cu" (Call Up) command
which allows the user to call up a specified phone number
...

It also might be the most practical solution to the problem of connecting to a certain computer, since
some computers can only be accessed through other networks
...
Strictly BITNET
users will need to use e-mail instead of FTP to transfer files
...
A username and password will be asked for
...

Often an anonymous FTP site is set up like a trading post
...
Users can then upload files they want to share with others without
those others knowing the files are available
...

One common security hole with anonymous FTP is that two auxiliary directories
called "etc
...
If this is the case, and if
they are not write protected, any user could upload their own malevolent versions
of system programs and batches
...
Because the
games are multiuser, passwords are required to access them, and it should be
noted that often the password-storing mechanism on the games is not as secure as
it should be; the passwords are sometimes placed in a plaintext file
...
Think about it
...

USENET is an Internet BBS that encompasses thousands of discussion groups and
millions of postings
...
you
name it
...
There are groups engaging in talk
about music, cars, sex, SCUBA diving, crime, parachuting, television, books, bestiality, flowers - it makes one dizzy to think about it all
...
That is, some controlling organization edits the
postings or picks and chooses which messages will be given display time
...


One accesses USENET by running a news program such as "readnews," "news," or
"nn
...
Messages are
sent out to all other participating sites worldwide, which means if you have a
question about anything, USENET offers a huge international forum through which
to find an answer
...
When you hack
into a low-level account belonging to a data entry clerk or some other restricted
user, you will want to raise your access to the highest it can go
...

As far as research is concerned, you will want to look around the system you've just
penetrated and see what options are available to you
...
Most technical hacks involve bugs in established software
...

Thus mailing and "chatting" programs are susceptible, as well as text editors
...
Let's start with spoofing
...
Spoofing can also refer to any act whereby
a hacker impersonates another user
...

One prototypical scam is to spoof an e-mail letter from the system operator
...
She checks her mailbox and is surprised to find a letter has just been
mailed to her from the system administrator
...

"Your new password is D4YUL," says S
...
's e-mail
...
Remember it! Don't reveal it to anybody! Computer
security is an important issue that can not be taken lightly!"
A few moments later you notice that Susie has issued a SET-PASS command, and a
few moments later you log on in her name, thus achieving her higher security
privileges
...

Before you can spoof e-mail, you have to understand how such a thing is possible
...
Some mail
programs allow further complexities, such as the inclusion of other text files or
programs, return receipts, etc
...


When you send electronic mail to another user, the computer automatically places a
heading on top of the letter, which identifies it as having come from you
...

Usually one sends mail by running a mail program
...
But in many cases you don't
have to use a special mailing program to send mail
...
This is what the mailing program does: it sends the text
of your message into a file called MAIL
...

executes her mail program, it will display the contents of the file MAIL
...

As you can imagine, it is a simple task to open a text file, type in a header that
looks like a header from a superuser's letter, then add your own text to the bottom
of the file
...
Make sure the directory you put it in is one with higher access privileges
than your own!
Sometimes the operating system itself foils this scheme
...
To spoof on the Internet, one would connect to a host
through port 25, which is how e-mail is transferred to a site
...
This includes "mail from" and "rcpt" which establish
who the sender and recipient are
...

Earlier I mentioned that spoofing is also considered to be any form of on-line
impersonation of another
...
When you issue a TALK command, a
message appears on the recipient's screen, saying that you wish to talk
...
Then
whatever you type appears on the other one's screen and vice versa
...
The hacking possibilities are endless!
One popular trick is to TALK a message like, "SYSTEM FAILURE
...

SYSADMIN," onto another
person's screen
...

As with e-mail spoofs, you can't actually use the TALK command to put text on
another user's screen
...
This bypasses the
safety features inherent in the TALK command
...
You have to emulate the TALK header
which announces the name of the user sending text
...
)
It's a recognized fact that spoofing accounts for a good majority of system security
failings, mainly because they're so easy to do once you've gotten on-line and taken
a look at the software source codes and manuals
...
When you use a TALK
command you aren't putting words into the OS prompt's mouth - the OS is simply
putting what you type onto the remote terminal's screen
...
Some intelligent terminals have a Send or
Enter escape sequence that tells the terminal to send the current line to the
system as if the user had typed it in from the keyboard
...

Not only e-mail and TALK, but other commands are also known to be rife with ways
they can be misused to a hacker's benefit
...

Look at programs, too, to see if they can be used to communicate out of your own
directory
...
If you happened to
name that file "
...
) then whenever that user logged
on, that "
...
And if part of that "login" included mailing
the user's secret stuff to your account, so much the better
...
Even with your meager account you should
be able to copy an encrypted password file off a machine you've hacked and onto a
safer one
...

Then you compile a copy of the decryption software, altering it so it will read in a
word from a specially-prepared dictionary file, use that as a key, and print the
result
...
Even if
you can't get a decryptor of the type used by the computer to code the password
(and other) files, you can still go to the manual, see which encryption algorithm is
used, and write a program yourself that follows that algorithm
...
Soon you should have found a key that unlocks the code,
and soon you will have the superuser password!
Brute force may not always be a necessity
...
Sorry to say, I don't know exactly what this inversion method is
...
That command uses the World War II Enigma coding algorithm, which
was devious for its time but no match for modern supercomputers
...

However, the crypt command isn't used all that much because everyone knows how
vulnerable it is
...
The
encryptor that is most often used to encode passwords is a version of the federal
Data Encryption Standard (DES)
...
How does it defeat
brute force attacks?

As we all know, UNIX password files are openly available for anyone to read, copy,
or print out, but the passwords themselves are stored in an encrypted form
...
The password file actually does NOT contain any passwords
at all
...

Another reason why DES was chosen to encrypt passwords is that when the DES
algorithm is implemented in software form, it is slow
...

Staying with this topic a bit, it's unsettling to note that the Data Encryption
Standard also may not be as secure as it was once believed to be
...
Before being released as the USA's official (standard) code,
the top-secret National Security Agency had their say in the matter, reducing the
complexity of the encoding algorithm and keeping certain aspects of its design
under wraps
...

In early 1992, two Israeli scientists announced that they had found a way to beat
the system
...
Then
other coded texts which use the same key can be easily read
...

Some systems make it difficult to brute force the plaintext out of an encrypted file,
because the encryption key supplied by the user is not what encodes the text
...

Those
characters encode the text
...
But to crack
data encryption algorithms you must be clever, smart and mathematically-inclined
...

Bit By Bit
Let's say you find yourself in some rinky-dink little account one evening, with just
about zero access to anything interesting
...

You can see that your account's password has been encrypted (in the file) as
"fg(kk3j2
...
Well, naturally you can't do that
...
Or is it?
The system security may be such that it only makes validation checks at the
highest level of interaction
...
If this were true for the whole
available storage arena, every file could be completely read or rewritten bit by bit
...

On the other hand, you might find that security prevents even low level instructions
from being performed
...
If so, you may not be
able to change the passwords file, but perhaps it would be possible to move files to
another user's private directory, or to change files that are already there
...

If security seems to prevent all illegal access from taking place, perhaps it is
possible to trick a process with superuser security clearance into doing the work for you
...

Compile and save the program, making access to it available only to superusers
...
Eventually some superuser will come
along and execute it, thus enacting the portions of your program which, if you had
run them yourself, would have resulted in error messages and perhaps a few more
ticks on the security log
...
And
the classic Trojan horse example is one which uses the faults of others to achieve
its goal
...

Most modern operating systems allow you to arrange your files in an organized
fashion by the use of directories and subdirectories
...

The solution is in PATH commands
...
Then look there
...
" In other words, you specify a path which the OS can follow to find files
...

PATH commands are usually put into batch files which are run at login
...

In those cases, especially if the user is a maintenance operator and needs access
all over the place, there might be a lot of directories specified in the PATH
...
The hacker starts by rewriting a
program that gets used often and putting a Trojan horse into it
...
A privileged user or program, such as a superuser shell script, may innocently chance upon, let's
say, your "date" program instead of the "official" version stored in the OS
directory
...
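The PATH-ordering weakness described above, seen from the defender's side: an added example (not from the book) that audits a Unix-style PATH for the entries that would let a planted copy of a common command such as "date" be found before the system's own. SYSTEM_DIRS is an assumed conventional layout, and the filesystem snapshot it runs on is constructed for the example.

```python
import os
import stat
from dataclasses import dataclass

# Where the OS keeps its own copies of common commands. Assumption for this
# example: a conventional Unix layout; adjust for the system being audited.
SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")


@dataclass(frozen=True)
class Finding:
    entry: str   # the PATH element the finding is about ("" for an empty one)
    kind: str    # "relative", "world_writable" or "shadows"
    detail: str  # short explanation for the report


def audit_path(path_value, fs):
    """Audit one Unix-style (colon-separated) PATH string.

    `fs` is a snapshot of the directories involved:
        {dir: {"mode": permission bits, "files": set of names}}
    A plain dict keeps the check runnable offline; snapshot_fs() builds the
    same structure from a live system.
    """
    system_cmds = set()
    for d in SYSTEM_DIRS:
        system_cmds |= fs.get(d, {}).get("files", set())

    findings = []
    seen_system_dir = False
    for entry in path_value.split(":"):
        # 1. "" or "." or any relative name means "search the directory the
        #    user happens to be in", so a planted file there is picked up.
        if not entry.startswith("/"):
            findings.append(Finding(entry, "relative",
                                    "current/relative directory is searched"))
            continue
        info = fs.get(entry)
        if info is None:
            continue  # directory does not exist: nothing can be found there
        # 2. Anyone may create files in a world-writable directory. The sticky
        #    bit stops other users' files being replaced, but not a new "date"
        #    being dropped in where none exists, so it is flagged either way.
        if info["mode"] & stat.S_IWOTH:
            sticky = " (sticky)" if info["mode"] & stat.S_ISVTX else ""
            findings.append(Finding(entry, "world_writable",
                                    f"world-writable directory{sticky}"))
        # 3. A copy of a system command in a directory searched BEFORE the
        #    system directories wins the lookup: the trojaned "date" case.
        if entry in SYSTEM_DIRS:
            seen_system_dir = True
        elif not seen_system_dir:
            for name in sorted(info["files"] & system_cmds):
                findings.append(Finding(entry, "shadows",
                                        f"'{name}' shadows the system copy"))
    return findings


def snapshot_fs(path_value):
    """Build the `fs` snapshot for a live PATH (not used by the sample run)."""
    fs = {}
    for d in set(path_value.split(":")) | set(SYSTEM_DIRS):
        try:
            st = os.stat(d)
            names = set(os.listdir(d))
        except OSError:
            continue
        fs[d] = {"mode": stat.S_IMODE(st.st_mode), "files": names}
    return fs


# Constructed snapshot for the example (not taken from any real machine).
SAMPLE_PATH = ".:/home/bob/bin:/tmp:/var/shared/tools:/usr/bin:/bin"
SAMPLE_FS = {
    "/home/bob/bin": {"mode": 0o755, "files": {"date", "notes.sh"}},
    "/tmp": {"mode": 0o1777, "files": set()},
    "/var/shared/tools": {"mode": 0o777, "files": {"ls"}},
    "/usr/bin": {"mode": 0o755, "files": {"date", "ls", "cat"}},
    "/bin": {"mode": 0o755, "files": {"date", "ls"}},
}

if __name__ == "__main__":
    for f in audit_path(SAMPLE_PATH, SAMPLE_FS):
        print(f"{f.kind:14} {f.entry or '(empty)':20} {f.detail}")
```

Against a live account, `audit_path(os.environ["PATH"], snapshot_fs(os.environ["PATH"]))` runs the same checks; putting the system directories first is the fix for the shadowing finding.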

Trojan horses can do a lot of things
...
) remove read/write protection
from files, or fake system crashes (and when the user shuts off his terminal and
walks away, you type in the secret control code which causes the Trojan horse to
uncrash back to the user's account)
...
But there is another, different means of gaining
higher access by employing programs, and that is with the use of computer viruses
...

A logic bomb is a piece of code hidden within a larger program
...
IF such-and-such is true, THEN do
something
...

The classic example of a logic bomb being put to use is when a system programmer
is fired for inadequate job performance, or for some other humiliating reason
...
" The programmer has, you
see, implanted a logic bomb that will detonate at that certain date
...
All it does is look at its
environment, see where it can make a copy of itself, and it does so
...
Each of those reproduces, and there are four
...
Soon an entire computer or network is clogged with
hundreds or even thousands of unstoppable reproduction machines
...
A virus comes from the mating of these two other breeds
...
The whole thing hides itself within an application program, as a Trojan horse
...
Worms and viruses on
the other hand, are unpredictable
...
A true hacker may
release a virus if it can move harmlessly throughout a system, erasing itself as it
goes, making sure it never backtracks to where it's been before
...

There are lots of ways in which hackers can use viruses, but it is difficult to use
them safely
...
The virus is called the AT&Tack Virus
...
If one
exists, it silences the modem's speaker and dials a preprogrammed number
...

To me, this seems like nothing more than a rumor
...
Besides, it seems to me this sort of thing would work better as a
Trojan horse in a graphics display program, rather than as a virus
...

Consider a virus that attaches itself to the login program and thus collects
passwords
...
One method has already been
mentioned: the virus can periodically e-mail you a list of passwords
...

It would also be a good idea to encrypt the mail before it is sent
...
Anyone finding your virus or Trojan horse will
easily figure out what the key is and be able to interpret e-mail or temporary files
that the virus/Trojan horse produces
...
which
requires another key
...
another key
...
Make the best of the situation
...
Disadvantage:
You have to spoof the post, or someone may notice that this user (who is
unknowingly activating your virus or Trojan horse) is posting a lot of "garbage" to
the group
...
Make certain files can be downloaded from that
directory, because as mentioned earlier, often the ability to download from such
directories is turned off for security reasons
...
However, if
you targeted a specific individual by giving that individual sole access to your
Trojan horse, then only a password would be needed
...
You may be a hacker, but you may also be a spy, a crasher, or who-knows-what-else
...
) you may have your rogue program rename a
world-changeable file to that message
...
Your Trojan horse/virus will come into your directory under the disguise of various users from all around the network, and attempt
to rename that file to that message
...
(You can set up a process to constantly run in the
background, monitoring the state of that file
...
)
Other short messages can be sent a bit at a time
...
If
the directory is empty, the file deleted, a zero bit is being transmitted
...
When enough zeros and ones accumulate, the
program translates them into a character of the message
...
For instance,
01000001 represents the capital letter A
...
For your
virus or Trojan horse to send an eight character password, 64 deletions and
creations of file X would be needed
...
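The create/delete signalling just described leaves a distinctive trace: a single filename flipping between existing and not existing at a steady rate, far more churn than a real file sees. This added example (not from the book) scans a constructed file-audit log excerpt for that pattern from the monitoring side; the log format, the path names and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log excerpt (not from a real system): "HH:MM:SS EVENT path".
SAMPLE_LOG = """\
14:02:00 CREATE /home/alice/report.txt
14:02:01 CREATE /home/alice/drop/X
14:02:03 DELETE /home/alice/drop/X
14:02:05 CREATE /home/alice/drop/X
14:02:07 DELETE /home/alice/drop/X
14:02:09 CREATE /home/alice/drop/X
14:02:11 DELETE /home/alice/drop/X
14:02:13 CREATE /home/alice/drop/X
14:02:15 DELETE /home/alice/drop/X
14:02:16 DELETE /home/alice/report.txt
14:02:17 CREATE /home/alice/drop/X
14:02:19 DELETE /home/alice/drop/X
14:02:21 CREATE /home/alice/drop/X
14:02:30 CREATE /home/alice/notes.txt
"""


@dataclass(frozen=True)
class ChannelFinding:
    path: str
    toggles: int         # state changes (exists <-> gone) found inside the window
    span_seconds: float  # time between the file's first and last state change


def parse_log(text):
    """Yield (time, event, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[1] not in ("CREATE", "DELETE"):
            continue
        yield datetime.strptime(parts[0], "%H:%M:%S"), parts[1], parts[2]


def toggle_times(events):
    """Timestamps at which a file's state actually flipped.

    A CREATE after a CREATE (or DELETE after DELETE) carries no signal, so
    only events that differ from the previous one for that path count."""
    times, previous = [], None
    for when, event in sorted(events):
        if event != previous:
            times.append(when)
            previous = event
    return times[1:]  # the first event sets the initial state; no flip yet


def max_in_window(times, window):
    """Most timestamps that fit inside any interval of length `window`."""
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_toggle_channels(text, min_toggles=8, window=timedelta(seconds=60)):
    """Flag paths whose existence flips at least `min_toggles` times in `window`.

    The thresholds are assumptions for the example: eight flips is one
    character's worth of bits in the scheme described above; a real
    deployment would tune them to the directory's normal churn."""
    by_path = defaultdict(list)
    for when, event, path in parse_log(text):
        by_path[path].append((when, event))

    findings = []
    for path, events in sorted(by_path.items()):
        flips = toggle_times(events)
        count = max_in_window(flips, window)
        if flips and count >= min_toggles:
            span = (flips[-1] - flips[0]).total_seconds()
            findings.append(ChannelFinding(path, count, span))
    return findings


if __name__ == "__main__":
    for f in find_toggle_channels(SAMPLE_LOG):
        print(f"{f.path}: {f.toggles} flips in {f.span_seconds:.0f}s")
```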

Get Out Of Jail Free
Okay, all of that is fine if you've broken in by discovering someone's username and
password but what if the only access you've found to a machine is that of a
command account or information setup? Then you have to see what can be done to
break out of this jail of a program and get down to the level of the operating
system
...
It will be less so if you've done any
serious programming in the past
...
If you're stuck in an account that runs
an info program, let's say, you will want to try every unconventional, unexpected
thing you can think of, in the hopes that you'll find something the programmer
didn't think to guard against
...
essage and
crash out to the OS prompt
...
Or when asked to supply a
number, that will be analyzed by a function, try an incredibly small or large one
...
Try executing "Find" commands that will search out of bounds of available
resources, or that will look beyond the alphabet
...

If there is any sort of text editing facility, such as a program to send mail to sysops,
do what you can to compose a batch file, and see if it's possible to send your
message as a command that must be executed
...
If the editor has special text revision functions,
write up a huge paragraph then cut and paste a copy underneath it
...
, until the program either crashes or
doesn't allow you to continue
...

You may be in a program that is made to look like a simple operating system or
control program, essentially a menu with the list of options either unavailable, or
callable with a HELP command
...
Some application commands allow appending to them the name of a file
on which you intend to work
...
DOC with a word
processor, you might type the command "WORD PROC STORY
...
DOC already loaded in it
...
DOC FILEONE FILETWO
...
Some examples:
WORD-PROC WORD-PROC
WORD-PROC nonexistent-filename
WORD-PROC /etc/date [or other command]
WORD-PROC \directoryname
The "inappropriate data" tactic has been used successfully in the recent past
...
Command stacking
is the placing of multiple commands on one line
...
The
parser which interprets the stacked commands may break down if too many
commands are given it
...

If there is a language or compiler available, then it should be possible to POKE
some values into places that would be better left unprodded
...
Or your code might cause the program
to jump to a new location, where further instructions can be carried out
...

Bugs in software are most likely to occur if the software in question:
• Is new (i.e., version one or thereabouts, or being Beta tested)
...

• Has remained the same for years despite hardware or other changes
...

• Is not commercially available
...
These will generally list, not
just the improvements made, but sometimes the reasons for the improvements
(i.e., if there was an exploitable bug in the earlier version)
...

Returning To The Scene
The prudent hacker will build himself or herself a trap door to allow easy entry if
further penetrations are required
...
After all, there is no guarantee that the account you
used the first time will still be valid the next time you login, or that the password or
some other critical item won't have been changed, barring your entrance
...

On many operating systems, programs can be set to run even after the user has
logged off
...
Writing a suitable program and then running it under one of
these commands can make your return easier to accomplish
...
Almost!
Hey! Look at what you've done!

You've done your research, found your computer, broken in, and now, you've
dabbled around inside
...
This
is what it means to be a hacker
...

These first four parts had to be done in linear order, one following the other
...
It is something you should be doing from the very
beginning, thinking about every step of the way
...
And so you must
protect yourself
...
Then we will see how we can keep on hacking forever unscathed
...


Part Three
AFTER HACK

Chapter Thirteen:
This Lawful Land
There are lots of fraud investigators, special agents, Secret Service people, FBI
guys and all manner of local, state and federal enforcement officials roaming around
cyberspace, waiting to trip you up
...

Getting caught can make you famous, maybe even throw some money your way
...
Let's take a look at the laws
that cause this state of affairs
...
They are
all pretty much alike in that they start out by defining what a computer is, and
defining various terms relating to computers and computer crime
...

You can easily find out what the situation is for your state
...

The Wisconsin statute on computer crimes ("Chapter 293, Laws of 1981, 943
...
The first six have to do with "computer data and programs," the sixth
being the willful, knowing, and unauthorized disclosing of "restricted access codes
or other restricted access information to unauthorized person[s]
...
"
The final offenses have to do with the hardware aspect
...

There are eight different penalties listed, depending on whether the act in question
is considered a misdemeanor or a felony under the law
...
Penalties range from life imprisonment (sheesh!) to various fines in the
$500-$10,000 range
...

Prosecutors will try to convict hackers on violations of any law, even if there's a
large void between the hacker's actions and the original intent of the law
...
For other reasons - such as a rural jury - prosecutors will press the issue of guilt, but try to
sidestep the technical aspect of it
...

There are problems applying traditional laws to modern "crimes," and the focus
changes from whether Hacker X is guilty or innocent, to whether Hacker X is guilty
of that particular crime
...
On the other hand, if a hacker
steals records from a database, do the burglary statutes still apply? What if the
hacker didn't actually deprive anyone of their information, but only made a copy of
it for him or herself? Is this a different issue?
These topics have been addressed differently in different court cases
...
If the state has no computer crime statutes,
then "software" may not be defined; in that case it is up to the judge entirely to
decide what these terms mean
...
For the specifics you will have to do your own
research into your state's laws
...
I want to
stress this point of "generalizations
...
Individual states add their own personal quirks and nuances to these laws - minutiae on which both surprise
verdicts and legal loopholes are based
...
You may say to yourself, "Gosh, as long as I don't purposely go around
acting like a jerk, how can they convict me on that one?" Good question
...
That's
the traditional definition
...
Indeed, the software may not actually have been
altered to any detectable degree, and the hacker himself may not have done any
noticeable actions at all
...

The answers to such questions remain to be adequately determined
...
Again there is a problem, in that we have to decide whether or not to accept an operating
computer network as property
...
It may become slightly less futile if there is a
clear intent on the hacker's part to commit a crime
...

Of course, the physical breaking and entering of a building, with the intention of
using the computers there to hack, is a more clear-cut matter
...

Fraud
Fraud is easy to define: any sort of deception, cheating or unfair behavior that is
used to cause injury to another person
...

But to be convicted of fraud it must be shown that because of the deception, the
victim had damage done to him or her
...

That may be intent to defraud, and perhaps not fraud itself
...
Actually, fraud is universally
cited in any instance of computer crime, no matter what methods were used or
what the outcome of the "crime
...
In all of these cases, it is essential that it can be
established that no damage (or alteration) was done, and none was intended
...

Again, problems arise when applying this to computer hacking
...
Has the hacker effectively deprived the
administrators on that system of that section of code - that piece of property?
Additionally there is the problem of determining if the intent was to leave the
GOTO in permanently, and not only that, whether or not such an action constitutes
"taking" away of property
...

Larceny may be applied to the stealing of time on a computer, to stolen telephone
service or electrical power
...

Theft Of Trade Secrets
Theft of trade secrets - also called "misappropriation" of trade secrets - may be contained in the larceny laws of the state if a trade secret is defined as a kind of
property, or it may be the principal construct of its own statute
...

So if a hacker has printouts of some top secret laboratory reports, that information
has been misappropriated, copied by an individual unauthorized to do so
...
We are then back to the question of whether or not it can be shown that the hacker
intended to permanently deprive the owner of his property
...
We know that, but we can't expect judges and juries
to understand
...
If the accused hacker leaves no trace
of his or her entering a system, then it is typically the case that theft of trade
secrets can not be seriously considered as having taken place
...

Receipt Of Stolen Property
Let's describe this one by mentioning its three parts: (1) The stolen property must
have been received by (2) someone who knows or should reasonably suspect that
the property was stolen, and (3) the receiving has been done with the intent of
permanently depriving the owner of his property
...
Regardless, ROSP is a good crime to catch
hackers by
...
If you've got any of these, or anything else for that matter, you've got ROSP to deal with
...
Boy, I thought I had to abbreviate when discussing
Receipt of Stolen Property! TOSOLUFP is basically a form of larceny whereby you
trick someone into letting you have something
...

Similarly, any false representation of a fact with the intention of obtaining the
property of another is TOSOLUFP
...

Interference With Use Statutes
If someone does something so another person can't use his or her property (with a
resulting loss to the property owner) then it is said that an "interference with use"
statute has been broken
...
Sometimes these are called anti-tampering laws
...

An IWUS can apply even if there is no visible damage as a result of tampering
...

Traditional Federal Crime Laws
A crime may become a federal crime if it takes place on or involves federal
property, or if there is a vested federal interest in the crime
...
Note that these laws, as well as the laws described in following sections, are applicable only when the computers
you hack are related to the federal government in some way
...
The law goes on to state it is unlawful for these two or
more people to plan to defraud the US government, or any federal agency
...

In any case, if you are a member of any sort of group which discusses hacking, or if
you've ever discussed hacking or other illegal activities with anyone, you are a
potential victim of this law
...

Other federal laws may also apply in select cases of computer hacking
...

For example, laws 18 USC 661 & 2113 have to do with thefts committed within a
special maritime jurisdiction and burglary of a bank respectively
...
These are special laws that will apply only if you have, let's say, "burglarized"
the information in a post office database, or committed some other special-area
offense
...
USC 912 makes it unlawful to obtain "a thing of value" by
impersonating a federal officer or employee
...

Number 1343 on the books says you can't use wire communications to execute or
attempt to defraud or scheme to obtain property under false pretenses, when the
message crosses state lines
...
All of
which a computer cracker is likely to do, if on a federal computer
...
It
doesn't seem worthwhile to go through every last one of them
...
I'm not saying you should go out and memorize
every bill that's ever been passed that might have some remote connection to
computer law
...
Use your head
...
If
you're lucky, you'll be hacking without harm for as long as you want
...
The Counterfeit Access Device and Computer Fraud Act of
1984 (18 USC 1030) was the first law that explicitly talked about computer crime
...
It prohibits unauthorized access to data stored on any "federal interest
computer," and specifically mentions financial records and national secrets as info
not to mess around with
...

Two years later, two computer crime acts were passed by Congress
...
There are also provisions for the
trafficking in passwords with intent to defraud computer owners
...

One sort of strange requirement that this law makes is that it can only be applied to
crimes where the victim has lost $1,000 or more due to the crime
...

This facet of the Act is made even more interesting when you realize that the
Senate Judiciary Committee, in their report on the Act, explained that a cracker
doesn't have to actually steal data to be prosecuted under the law - he or she only
has to read the data
...
But then, I'm no lawyer
...

Conclusion
I was going to apologize to all the lawyers out there, for the way I've manhandled
these descriptions of all the above laws
...


Chapter Fourteen:
Hacker Security:
How To Keep From Getting Caught

Hacking is fun
...
But it's also illegal, sometimes immoral, and
usually punishable
...
The very least that might happen is the security holes you utilized the first time around might get patched up
...
Informal punishments include the unofficial
destruction of your equipment by law enforcement officers, and being blacklisted
from tech-related jobs
...
Number
one: don't get caught
...
This chapter
will present strategies the careful hacker will follow to ensure both situations are
true
...
Part of the
mindset must deal with keeping oneself safe, or else the rest of it has been all for
naught
...
Remember, there have
been many computer criminals who've been sent to prison
...
Some even learned to hack in prison
...
So when you're on-line, in public, in private, or just living through
your life, make sure you apply these guidelines
...
If you make the calls yourself it's better to say a simple,
"Sorry, wrong number," than just hanging up and annoying all those people
...

In Social Engineering
Some social engineering and most reverse engineering require authorized user
contact over the telephone or through the mail
...

Hackers have utilized several ingenious methods to overcome this
problem
...
By doing some hacking, some research, and
rubbing my lucky rabbit's foot I was able to come up with the code that released
messages left on their answering machine
...

I put up some phony advertising for a computer network, instructing people to call
and leave their name and vital data
...
When the store reopened, I called them up, saying I was from the phone company
...

Some hackers will simply change a pay phone to residential status and work out of
there
...
One hacker found a cheaper solution
...
Apparently it was
unassigned
...
This hacker took an unbent clothes hanger and a metal clip, fashioned them
together into a grabber that he could slide into his box and go fishing into the
mailbox below his
...
For a long while the box remained unused,
and he was able to get all the secret mail he wanted sent there
...
"
- Nelson Rockefeller
When you're new it may be okay to dial up remote computers from your house,
but once you've been around a while you'll never know if your phone is being
tapped or your computer usage being monitored
...

Even when you are new to hacking, you could be in trouble
...
Even scarier than that are semi-reliable rumors which have been circulating through
branches of the technical underground which imply that the phone companies
routinely monitor and record modem conversations which pass through their lines
...
Even if the
gossip turns out to be false, consider this: (1) We obviously have the technology to
do such a thing and, (2) it is well known that the NSA records many, many phone
calls
...
If you must associate with known computer culprits, or with established
hackers, do so as covertly as possible
...
That means you
may want to splurge for a portable laptop computer
...
All this should run you about
one or two thousand dollars - a lot less than the cost of retaining an attorney to
defend you in court
...
The external modem is needed to plug the coupler into
...

Now that you have your equipment, where should you take it? There are plenty of
places
...

146
Two summers ago, I was walking past my local municipal center a little past 9 p.m.,
and I noticed that every office had their windows open
...
Needless to say, if I'd been in the hacking mood I would've scrambled
through a window and hooked up my portable to a telephone
...

If you have money laying around, or if you have a hacking expense account, you
can always hole up in a hotel or motel to do your hacking
...
Phone bills add up
fast, which is why most serious hackers are phreaks too
...
One of the major aspects of phreaking is the
producing of code tones which signal the telephone system to perform special
functions, such as place long distance calls for free
...

Many hackers will say that any hacking other than hacking the computers which run
the telephone system is child's play
...
The telephone
computer networks are incredibly large, sprawling, wonderful masses of intricate
functions, enormous databases, technical operations and blinding wizardry which
makes hacking anything less look pitiful
...
This
center controls all phones in your neighborhood, which may mean as many as
15,000 telephone lines
...
These computers are the essential targets of the phone company
hacker; if you can access the computer, you can access every phone that it
switches
...
You
could, if you were not a hacker, wreak quite a lot of havoc
...

From there you can go to regional maintenance systems such as COSMOS (which
sends out instructions to create and HI phone numbers among other things) and
MIZAR (the local MIZAR actually does the work that COSMOS sets up)
...
For instance, you know you probably
don't want to place hacking phone calls from your house
...
You then use the pay
phones to call or hack any place in the world
...
If your call gets traced, you'll be sending the feds on a
wild goose chase
...
Communicating through a telephone or through a computer sometimes
gives you a false feeling of protection, especially when you become good at hacking
and phreaking, and turn from confident to cocky
...

Remember to always follow these safety rules
...
Always call from a different place, at different
times of day
...
Late night is good because system administrators will probably have gone
home already - but then, so too have most valid users, so you'll stand out like a
clown at a funeral
...
There really isn't any perfect time to call
...

Time how long you're on the phone with a machine
...
But it's still not wise to stay on a single line half the day
...
If your target has multiple dial-in lines, randomly choose from all
of them
...

When in unfamiliar domain, such as an office, hotel, schoolroom after hours, or
otherwise, your laptop is of infinite value - so long as you can get it to work
...
Many offices have installed their own electronic
phone systems, called PBXs, to facilitate special functions such as in-house dialing
and phone menus, or to block certain phones from making long distance calls
...
To see if the line you have in mind is
safe, try plugging in a really cheap phone first
...

PBX-networked phones may not work with your modem because of special audible
or numeric codes used in local routing procedures
...

To correct the problem you have to plug the modem into the phone jack, and
connect the room phone (not your cheap one) to the modem (you may need a
special double port for this)
...
hone, and when you hear remote computer ringing, turn your modem online and hang up
...
The device converts ordinary modem signals
so they will work on digital systems such as a PBX
...

Sometimes you can find yourself in a place with a telephone, but no plug-in jack for
your modem
...
In these cases, unscrew or pry off the mouthpiece of the
phone and use a cable with attached alligator clips to connect the red and green
wires from your modem wire to the two silver mouthpiece contacts inside the
telephone handset
...
You will then have to hold down the switchhook on the
telephone to place the call
...
Must have a modem
...

• One small, cheap, reliable telephone for testing line voltages
...

• An extra phone cord, with an RJ-11 modular clip at one end (the standard, square
telephone plug-in thingy) and with alligator clips at the other end
...

System Tiptoeing
Even the best intentioned, the most honorable and nondestructive of hackers are
thought of as evil by the managerial population
...
Even if the
hacking you were doing is completely benign you are likely to be punished in some
way
...
Other sources list figures as
high as $100 billion
...
Government and
industry people will realize that most computer crimes go unreported,
and so the true cost is likely to be much higher than the official estimate
...

Let's take a brief interlude here and examine the case of the Greenwood Family
Hospital BBS
...

One day she sent me a message on a BBS asking if I knew how to get into the
computers of a certain hospital that was in my area
...

When you logged onto the system, you were greeted with this informative message
(names and numbers are fictitious, of course)
...
I thought to myself, "Hey,
hospitals must use computers, right? I can probably get into one!" So I got the
supposedly private number for the Greenwood Family Hospital Network, and I called
up, and I got that welcoming screen
...
Unfortunately, the real Roger Cornwall had a password of some sort;
pressing Return on a blank line just got me an error message
...
Again, no go
...
A woman answered:
"Greenwood, may I help you?"
"Yes, please," I said, "Is Tom there?"
"Who?"
"Uhm
...
Your supervisor or
somebody?"
"Lee Brown
...

"Oh yeah, I guess that's it
...
Uh, is he there?"
"Nope
...
"
"All right, thanks
...
"
I went back to my computer and called back GFH-NET and tried LEE BROWN for the
name
...
However, after a few more phone calls to the
various numbers listed for the hospital, I came up with a guy (a resident) who had
not bothered with a password
...
It had nothing to do with
hospital billing, patient records, or anything else pertaining to the actual running
of the place
...
From what I could make of it, it was
medical students discussing problems with the doctors on the system
...
It was no big deal, but
it was fun to get into
...
Out of those names, three had
no password
...
I called it
up for the first time in years, and to my surprise found this nasty logon screen
awaiting me:
USE OF THIS SYSTEM IS RESTRICTED
TO AUTHORIZED PERSONNEL ONLY!
EVERYONE ELSE MUST HANG UP NOW!

All useful information was gone! All that remained was an angry note and a nonuseful arrow prompt
...
I tried some more social engineering, but everyone I
spoke to kept their mouths shut about everything
...
)
I e-mailed a letter back to Pretty Theft
...
The
next day I got her reply:
Last month a friend of mine was in the hospital, so I wanted to see if I could change
his bill
...
I knew the name of my
friend's doctor, and when I was there visiting him, I got the names of lots more
from the paging system (you know, "Calling Dr
...
") and from charts on the
walls
...
Every time I tried getting on after that he kicked me
off
...
One of the doctor's names I tried
had the name as a password too
...
after giving my
name and password, it just froze
...
It said, MOST OF THE IMPORTANT FILES
HAVE BEEN DELETED BY SOMEONE OR SOMETHING
...
A week later I tried it again, and the phone just rang
...
A few days ago I called back for no reason, and, well, you know
...
They had gotten smart, and because of it, security was
tightened
...
There is only one case,
really, when you would want to show yourself to the system operator, and that is
when you've found out everything there is to know about a system and are never
going to call back again
...
Through continued perseverance I was able to get onto GFH-NET
again
...
Maybe it was the students getting dumber?
There was also an old bulletin posted from one of the sysops
...
mostly it said that
certain files were deleted, and many of the bulletins were replaced with obscene
musings on female anatomy
...
I did a little investigating, and found that although it was not listed in the
main menu, pressing "T" brought me to a defunct file transfer system
...

The next day I typed up a long letter to the sysops at the hospital, explaining
everything, what they could do to correct the problem, and how other security
breaches could be curtailed
...
" Then I called back the BBS and uploaded it to them
...
It says: "THANX POLLY! - SIGNED R... & H..."
I couldn't have been happier
...
That's why
you have to hack in the first place
...

On GFH-NET, the sysops went crazy when they realized their computers were being
abused, and they made it a lot harder to get into
...

If you do show yourself in any way - like by a million log entries of "USER FAILED
LOGON PROCEDURE" from when you tried every word in the dictionary as a
password - the sysops are going to get concerned, at the very least
...
It may mean
changing every legitimate user's password, or cleaning up dead accounts that might
otherwise facilitate entry
...

Many times, they won't believe you
...
But if they do
believe you, and they take your advice, they will be quite grateful and, if you ask,
might give you a low-level account on the system, or some handy tips
...
Some of them can be quite good about it,
though others will think you're up to no good no matter what
...
These are actually intertwined
issues, as sysops of one BBS will generally be users of other BBSs
...

Do not post messages concerning illegal activities on any BBS where you don't feel
completely secure
...
If you are actively
involved with BBSing, by all means become good friends with non-deviant systems,
if only to maintain a balanced perspective of your computorial existence
...

Don't get me wrong
...
When you start sharing secrets on a hacker BBS, you'd better make sure the sysop takes all of the
following safety precautions: user screenings, a false front and hidden back boards,
double blind anonymity, encryption, and affidavits of intent
...
A true
hacker BBS will not advertise, because it does not need new members
...

Hacker BBSs should further protect themselves by only allowing specified users to
enter the secret parts of its domain, to prevent unauthorized hackers or pseudohackers from breaking in to your meeting place
...

Going up the scale of stupidity just a bit, I've seen plenty of "hacker" BBSs which allow access to the hidden part by entering words like "DEATH" and, yes, even "PASSWORD" as passwords.

No new users should be allowed on a hacker BBS unless one or several existing members can verify that the potential user is not a cop, will abide by the club's law of conduct, has information to share, and will not be a big blabbermouth. Remember, any new member should not even know that the BBS exists until the time when he or she is accepted into it.

Once a member has been verified as clean, his or her private information should be destroyed from the computer records.
...
Are there any which are likely to be busted in a raid? Even if you aren't doing anything wrong on the system, even if nobody on the system is doing anything illegal, you know very well how mixed-up the feds get when it comes to computers. So if you're a member of any subculture BBS, tell the sysop to replace your personal information (name, address, phone number) with falsehoods. (Verifying that such information has been altered or deleted is one legitimate reason for hacking a BBS.) It is important to do all this, because there are impostors out there who are very good at catching hackers when they least expect to be caught.
...
This led to the hacker's arrest.

In any case, make sure your real name, address and other identifying data never stray to unsafe waters. In 1986 a BBS called simply and arrogantly "The Board" came into being in Detroit.
...
On August 20, the following ominous message appeared on The Board when one logged in:

Welcome to MIKE WENDLAND'S I-TEAM
sting board!
(Computer Services Provided by BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours
...
08 hours
Greetings:
You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the WDIV-TV I-Team."
Thanks for your cooperation. And the beauty of this is we have your posts, your E-Mail and - most importantly - your REAL names and addresses. I plan a special series of reports about our experiences with THE BOARD, which saw users check in from coast-to-coast and Canada, users ranging in age from 12 to 48. John Maxfield of Boardscan served as our consultant and provided the HP2000 that this "sting" ran on.

When will our reports be ready? In a few weeks.

It should be a hell of a series. And don't bother trying any harassment.

Mike Wendland
The I-team
WDIV, Detroit, MI
...
31 hours
This is John Maxfield of Boardscan.
...
This board was his idea.
...
k
...
Cable Pair)
Is any comment required?
You can see from this that the people who come after hackers - the people who will be coming after YOU - are not all Keystone Cops. The newuser password to get into The Board was HEL-N555,Elite,3 - a quite hip password considering its origin.

They are knowledgeable of the culture and the lingo and the way we think. You won't become an elite hacker without the strength of your entire common sense working for you.

Now let's talk about exercising First Amendment rights.
...
On a hacker board, that information is likely not going to be the kind of thing you'd read to your mother.
...
Boardscan is a company headed by John Maxfield, which seeks out and destroys hackers and their ilk.
...
" That is, can it be shown that the hacker or cracker willingly caused damage to a computer?
If you are running a hacker BBS or club, you might then consider having members sign an affidavit which makes their good intentions known. Basically this should be a way to let the members feel they are actively participating in your code of ethical hacker conduct, which should be prominently displayed upon login to the BBS. It will stress the point that a member who does not follow the agreement is unworthy to be a part of your hacker BBS or club.

It has been suggested that sysops should have their members sign an agreement that, in the event of a raid by law enforcement officials, users would join a lawsuit against the officials to win back monies to pay for destroyed equipment, lost time, false arrests, the hassle, and everything else that goes along with being persecuted by Big Brother.
The ECPA ensures that electronic mail that was sent within the past 180 days is private and requires a warrant for an official to search and read it.

So, if your users have signed an agreement, and sample e-mail is stored for each user (it may be fudged e-mail whose time and date of origination gets automatically updated every 180 days), you want to make all of this known to invading officials.

Violation of this statute by law enforcement agents is very likely to result in a civil suit as provided under Section 2000aa-6. Agents in some states may NOT be protected from personal civil liability if they violate this statute.
...
Such stored electronic communications, as defined by the Electronic Communications Privacy Act (ECPA), are protected by the ECPA from unauthorized accesses - such as seizure by government officials - without warrants specific to each person's e-mail. There are civil actions which may be taken against law enforcement agents under provisions of the Act.
...
On this system you can expect up to X people to have stored e-mail.
...
Note that all users of this system have already agreed in writing that their privacy is well worth the hassles of court.

Perhaps the agency you work for might pay your legal fees and judgments against you, but why take chances? If you feel the need to go after our private and legally protected e-mail, or take actions which would deny e-mail access to our users (such as seizing our hardware), get appropriate warrants.
...
Please bring it to my attention if you discover illegal activities on this board, because as curator of this museum I will not tolerate it.
...
Maxfield is a computer security consultant well known as a hacker tracker, and the one who helped organize The Board sting described above.
...
You know how insecure computers can be, and when you post messages or send e-mail on a BBS you are in effect opening yourself up for the world to see. When you roam around cyberspace, do so discreetly. Having a regular schedule of activity may make life easier for you, but it also allows others to find you when you are trying to hide, and notice you when you are trying to remain inconspicuous.
...
The oilman would then read from the tapes posted by the system manager before starting his work.

That industrial spy, like many other hackers and crackers, was caught because he followed a pattern. But remember, any plan you conceive should have elements of randomness to it.

Once I got a list of Social Security numbers from sitting in on a computer class on the first day: the professor handed around a sign-up sheet for students to list their name and number so that accounts could be made for them on the computer system. But trying them all at one time would have been too suspicious.

The system was secure in that it asked me to change my password upon first login.

But in each user's directory I left behind a hidden program that I could use for remote file viewing and playtime later on.
...
For 123-45-6789 you might enter 123456789 or 123-45-6780 or 123-4567890, as if the typist's finger has slipped.

It is equally important that your modus operandi change as you move from one hack to the next. But make sure you always use a different name and password, and make anything you input about your fictional persona as noncommittal as possible.
...

Security Logs
It is easy to get manufacturers of security products to mail you everything you would ever want to know about the things they sell.
...
Someone at the company takes a look at the log, then says to himself, "Hey! Mr.
...
That seems unusual." Suddenly you're in an unsafe position, and you never even knew it was coming. Get the descriptive literature from the manufacturer so you'll know what silent enemy you are up against.
...
Well, you're not going to create any patterns, but you're probably going to create some problems, and those too will show up on the security log's report.

Don't destroy the auditor, simply reprogram it to ignore you when you log on. This should be a piece of cake, considering that if you're in the position to do these sorts of things, you most likely already have root access. You may also be able to use a date or time setting command to control how the security monitor judges your behavior.
Or hackers who were trying to be helpful by cleaning up a messy program or fixing a typo in a memo, and having some disaster occur. The backup rule applies every time you use a computer, especially computers which aren't yours. When you're done, make certain your changes are perfect, delete the original file and then rename the backup.
...
Again, research is needed to see how your particular target computer responds to inaccurate logon inputs.
...
In that case you would try to always make your last login attempt something innocuous.
...
Instead, press Control-C or Control-Z or whatever it is you can use to break back to the previous level of interaction.
...
If you're able, try to write these programs so that they get around the security logs.
...
Another, depending on what kinds of things the log is keeping track of, would be to rename suspicious commands, so that the log either won't know to record those commands under their new name, or if the supervisor reads through the log printouts, he or she won't notice any questionable activity going on.
...
Any hacker worth his salt can go in and fiddle with records which have been stored on a tape or disk.
...
Once a deed is done, it is trapped on that page for life.
...
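The point about the printed log is that a deed, once on paper, cannot be edited afterwards, whereas records on disk can be. Here is an added example, not from the book, of how on-disk records can be given a comparable tamper-evident property with a hash chain plus an anchor value kept off the machine, so that an edited, removed or truncated entry is detectable; the record layout and the anchor handling are assumptions.

```python
"""Hash-chained audit log: detect edited, removed or truncated records.

Added example, not from the book. The text contrasts records kept on tape or
disk, which someone with enough access can "fiddle with", against a printed
log that cannot be altered after the fact. A hash chain gives on-disk records
a comparable property: every entry commits to the one before it, and the
latest hash is copied somewhere the machine cannot reach (a printout, another
host). The record layout and the anchor handling are assumptions made here.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry

# Constructed sample records, as an auditor might capture them.
SAMPLE_RECORDS = [
    {"user": "polly", "event": "login", "line": "line1"},
    {"user": "polly", "event": "cmd", "cmd": "dir"},
    {"user": "polly", "event": "cmd", "cmd": "type accounts.dat"},
    {"user": "polly", "event": "cmd", "cmd": "rename audit.log old.log"},
    {"user": "polly", "event": "logout"},
]


def _digest(prev_hash, seq, record):
    """Hash of (previous hash, sequence number, canonical record)."""
    payload = json.dumps({"seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append_entry(chain, record):
    """Append a record to the chain and return the stored entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, seq, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, anchor_hash=None):
    """Return (ok, first_bad_seq).

    Without an anchor a chain that has merely been cut short still verifies,
    because nothing after the cut remains to contradict it; the anchor is the
    last hash as recorded off the machine, and catches that case.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _digest(prev, i, entry["record"])):
            return False, i
        prev = entry["hash"]
    if anchor_hash is not None and prev != anchor_hash:
        return False, len(chain)
    return True, None


def demo():
    """Build a chain, tamper with copies of it, and report what verifies."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append_entry(chain, rec)
    anchor = chain[-1]["hash"]           # what would be printed or sent off-box

    edited = copy.deepcopy(chain)        # the "rename" made to look harmless
    edited[3]["record"]["cmd"] = "dir"
    deleted = copy.deepcopy(chain)       # the "rename" entry removed outright
    del deleted[3]
    truncated = copy.deepcopy(chain)[:3] # everything from the rename on cut off

    return {
        "intact": verify_chain(chain, anchor),
        "edited": verify_chain(edited, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:20s} ok={ok} first_bad_seq={bad}")
```

The anchor value is what turns the chain from "consistent with itself" into "complete", which is why a truncated chain only fails when the anchor is supplied.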
Limit the number of illegal or questionable activities you perform until you can find a way to disable the printer.
...
Of course, since you're probably doing all this over the phone, you might not know what equipment is being used.
...
At times it may even be possible to trick the computer into thinking it's printing to the printer when actually it's printing back through its own modem - and so you end up receiving reports of your own activities as you go about your business.
Some companies insist that each employee enter telephone calls in a log. If you sneak into an office to make long distance calls, you can be easily trapped with such a log, since you probably won't know about it. If you use a company's computers to call other computers, that might be a toll call which would show up on the phone bill, but not in the employee log.
...
Stay on top of things because the littlest errors lead to the biggest downfalls.
...
Not only do you have all the threats that a home-based hacker has, you have the additional concerns of whether or not you will be recognized or apprehended.
...
When a burglar enters a house, the first thing he does is scope out all the exits.
...
And just as a burglar is always glad to see tall shrubbery to hide behind, you should try to sit at computers that are hidden in some way; with people or objects sitting in front of you, and hopefully a wall behind you, so no one can look over your shoulder.
...
Remember, that's what happens to regular users when shoulder surfing takes place - they forget where they are and they let people see the secret things they're doing.

Take care to have a decent story prepared if you're trespassing, or if your actions will seem fishy to a passer-by.

Regardless of your story, clean dressy clothes are always a plus.
...
Be alert to shoulder surfers, and to other tricks of the trade.

Be cautious, too, upon log out.
...
Often that buffer is not cleared, even after log out.
...
Anyone can go over to that terminal now and access, read, even print out dozens or hundreds of screenfuls of data.

Maintaining Your Computer
You should routinely look at the files stored on your computer and destroy those which you illegally acquired.
...
You can use a "Wipefile" or "Wipedisk" program to write over data.

Also keep in mind that sometimes pieces of files get lost or unattached from the files to which they belong, or parts of files get duplicated elsewhere on your disks.

Any computer file which you simply can't destroy must be encrypted and, ideally, hidden under an inconspicuous filename, such as PACMAN.

There are other matters to consider, other things about your computer that might not directly convict you, but can lead to evidence that will: terminal programs, autodialers, databases of modem numbers and account codes, lists of BBS numbers (especially pirate, phreak or hacking boards), and any other program that could even remotely be linked with a crime.
...
" I programmed all my computers to check for a particular key being pressed during the start up procedures.
...
It will then call a time-and-date subroutine.
...
I must input a certain time and date, otherwise the computer will display a "LOADING MENU" message and remove the directory in which I keep all my naughty stuff.

Luckily, I've never had my computers seized.
...
And even if he's prepared for that, he still won't know how to prevent it from happening!
Keeping Your Other Stuff
Once a law enforcement official has a warrant for your arrest, he or she can legally steal all of your computers and peripherals, blank disks and audio cassettes, commercial software and documentation, printouts and operating logs, telephones and answering machines, any piece of electronic equipment as well as any papers indicating that you are the owner or user of that equipment, wires and loose parts, model rockets, disk boxes, radios, soldering irons, surge protectors, books, journals, magazines, et cetera.

Also, if the crimes which you are suspected of committing are related to a specific place or person, they will seize any papers or evidence with which a connection may be made between that place or person and the crime.

And don't expect to get any of it back in one piece, either. It's sad but true, and so you should do your best to hide anything when you're out of your house or not using your equipment.
...
Make the marks big and visible, and innocuous, and maybe they'll overlook the folders' contents.
...
The truth is, a printout is just as valid as any other piece of written evidence, as long as it can be shown to have been made at or near the time of the criminal act, or during preparation for the act.
...
On the other hand, if there is in fact some accessible incriminating evidence stored on your computer, the prosecuting attorneys will know how they can legally present it to the court (I presume by bringing your computer into the courtroom, plugging it in and firing away).
...
Law enforcement officers are smart enough to get warrants that let them take anything even remotely connected to electricity.

Suppose underground information were routinely distributed on audio cassettes. The cops would know that, and thus would want to get their hands on every tape we own, including ones that look as harmless as rock and roll.
...
So if you have a box of disks containing all your hacker stuff, you can't simply label the disks with names like "Space War" and "Pac Man."
...
(Think of Steve Jackson.
...
So you'll have to hide the disks themselves, and hide them in a way that is unrelated to technology. For example, I keep my backup disks in a graham cracker box. I store my laptop in a big corn flakes box up in the closet - it's just as easy to keep it there as anywhere else, and doing so makes me feel more secure.
...
Anything incriminating you want to discard should be destroyed beyond recoverability first, and discarded from somewhere other than your home. If the Secret Service finds shredded paper in your trash, they WILL piece it back together.
...
Disk contents should be encrypted, then deleted.
...
enough for the US Department of Defense, which according to Lance Hoffman in his Modern Methods for Computer Security and Privacy (Prentice-Hall, Inc.
...
These items can be anonymously deposited in some public garbage can, or in the case of paper, a public recycling bin.

If you do these things, you will definitely get in trouble.
...
1. by traces or technical means,
2. by getting many agencies ganged up against you,
...
4. by being made (recognized).
...
So don't keep a routine.

You will get caught by getting ratted on.
...
Don't tell anyone who doesn't need to know about what you're up to.
...
Be nice to them, and hopefully they will be nice to you.
...
Don't steal or destroy or vandalize.
...
Hackers have a bad enough image as it is, mainly because hacking's most public practitioners are nerdish eighth grade heavy metal pseudo-anarchists with skin problems.
...
Tiptoe.
...
It is a mistake not to take all of these precautions.
...
Never reveal anything about yourself.
...
One of the things that tripped up Lt. Oliver North - according to Donn B.
...
In addition, frequent backup copies of all messages were made and stored for later retrieval in the event of a computer failure.

You need to be especially vigilant about timed backups which are made automatically, without your consent.
...
But the most careful hacker can be tripped up by the mistake of assuming a course of action is infallible when there are, in fact, gaping holes in it.

The criminal opened a bank account using the false name S.
...
Each time, after he withdrew some money, he would telephone the bank to find out the status of his account.

Later, Kobayashi used this information after carrying out a kidnapping.
...
The plan backfired because of this one assumption. Police were stationed close by to each of the bank's 348 ATMs, and when the kidnapper retrieved the money, he was caught.

Finally, you will get caught by being recognized.

The surest way to NOT get caught is to NOT start hacking.
...
Part of your life is computers and the things you can do with computers.

But WITH hacking, you have instantaneous control of the world.
...
May we all have a good many peaceful, happy hacks!

Chapter 15:
Conclusion
The Hacker's Ethic
Many hackers and non-hackers have given their versions of the "Hacker's Ethic."
...
What's different is the degree to which the ethic is followed.
...
They begin to get the feeling that because they know about the law, they have the authority to break it: "It's not like we're blindly acting without discretion."
...
What I'm about to do is give my own version of the Hacker's Ethic. It may not be what you believe, but that's all right.

However, I urge you to understand why it's important that you formulate a hacker's code of ethics and live by it.
...
Now, I'm not saying that if you're caught, a judge and jury are going to base their verdict on whether or not you behaved according to your beliefs, especially since some of your beliefs likely involve illegal activities.
...
If you remember our previous discussions of law, many offenses require that, for a criminal action to have occurred, the suspect's conduct must have been intentionally criminal.
...
In real life one can't count on others seeing things from your point of view.

More importantly, I feel there is some indescribable underlying goodness about having a code to guide you.
...
I'm done.
...
These are my beliefs about computers and hacking, as I attempt to live them.
...
The free flow of information is good, but not when it violates human rights.
...
There are rights which pertain to individual humans, and rights which pertain to humanity as a group.

There should be a free flow of information, and information and technology should be used in moral ways.
...
New ideas should be heard, and there should be the capability for ideas to be discussed, and questions answered, from multiple viewpoints. Technology should be used to this end, not for profiteering or political gain.
...
People should have the right to be notified when information about them is added to a database, when and to whom it is sold or given.

A person should have the right to examine information about him or herself in a computer file or database, and should be able to do so easily.
...
People should be guaranteed that all makers and suppliers of databases will enable these rights to be granted, in a timely fashion.
...
However, most of these rights are almost unanimously ignored.
...
Hacking is using computers (or whatever) to live according to these ideals.

• If damage has been done, do what is necessary to correct that damage, and to prevent it from occurring in the future.

• Warn computer managers about lapses in their security.

This isn't necessary, it is politeness.
...
Act discreetly.

I am not suggesting that following a code of ethical conduct of this sort makes my hacking moral or right.
...
Don't even raise any arguments along those lines with me because I simply do not care about them. Hacking is something that I am going to do regardless of how I feel about its morality.

Combining Principles
Throughout this book I've tried to offer general guidelines on the various topics that will prepare you for any computing situation you happen to find yourself in.
...
Rather, one must call upon a variety of general ideas, overlay them when appropriate, and just hack away until something comes of it.

I want to tell you one final story.
...
It shows how each is played off the other for the final triumphant result of a successful hack.
...
The library director was concerned because they had recently transferred to this new system which, unlike previous ones, allowed dial-up access from outside lines.
...
Or would it be possible to escape entirely from the library program to the operating system and perhaps do some damage?
I told him I would be happy to look into the matter. I was a hacker after all! (Actually, I was acting cocky to impress him - I already knew the phone number from watching him give me a demonstration of how the public part of the system worked.)
...
It was a command-run system. The proper way to end a session was with the END command.
...
More than you might realize, this is a very common practice on computer setups where part of the system is public and part is private.
...
So I tested a whole slew of key words: EXIT, BYE, LATER, START, LEAVE, LOGIN, QUIT, USER, PASS, LOG, LOGI, CIRC, and the like. (For example, CIRC is often used to enter the part of a library program that takes care of circulating materials.) None of these, nor any of the other words I tried, worked.
...
Indeed, when I spoke to the director, he bemoaned the fact that certain function keys on the terminals had not been set up yet, and that pressing them would exit one to an incomprehensible programmer's environment.

I thought perhaps the function keys were macros for commands which a user would otherwise have to type in by hand, but I didn't know what those commands were.
...
I painstakingly searched every last inch of the trash that night, but could only come up with half of the card. Only two of them were legible, and the rest were either torn off or smeared beyond readability, but those two turned out to be enough.
...
There were two-letter commands and dot commands, too.
...
(.) followed by an alphanumeric command.
...
For example, let's say you're using this library system, and at the prompt where it asks for an author to search for, you decide to search for books by title instead.

What's going to happen? The computer thinks that "Title" is the name of the author you want, and starts a search for someone with that name.
...
Now if you type ".
...

Programs often use a period before the command because a period is a small, undistracting character and is also very easy to type.

Anyway, the reference card told me that pressing function key F1 was akin to the QUIT command, and F2 was the HELP command.
...
QUIT because it might allow me access to the nether regions, and HELP because since this was a newly set up system, help was very likely not yet implemented - and might be one of those functions which the director was complaining would crash the system if someone used it.
...
Of course I had tried their undotted counterparts before to no avail, but maybe, just maybe, one of them with the dot would work.
...
.QUIT simply terminated my session and disconnected me.

I was temporarily licked, I thought, though it was interesting that now I knew about a \txt directory which apparently contained various text files, and a \hlp directory within it which held help files.
...
Smith Co Special Library On-Line >>>
(000)U/SYS v55.
...
"(000)" presumably signified the opening screen, where I was attempting to launch these unlisted commands.
...
Indeed, that is exactly what happened.
...
One of the things this system used to take input was a command followed by a number.
...
I wondered if the same format would apply to the help command as well.
...
.HELP99999," hoping that 99999 would be a number too big for the system to handle (certainly there was no screen that high).
...
I tried other variations, such as ".HELP < 99999" but none of them were valid either.
...
.HELP99999" one last try and this time it worked! I guess I had made a typo when I tried it the first time, perhaps inserting a space between the "P" and the "9," or whatever.

It was like a mini-editing system for the text and batch files that the database used.

I looked through various directories of software companies, trying to come up with actual words to go with the initials, and finally I found two that fit.

I asked about obtaining replacement documentation for the package.
...
I tried some bullshitting: "Well, I don't know the serial number because I don't have the instructions."
...
"I don't have the disks near me right now - I'm calling from my car phone."
...
Smith Co.
...
Smith had sent in his card.
...
I thanked the receptionist and told her I would call back the next day.
...
Besides, I wanted to do this whole thing as if I were an outside hacker, unconnected with the company, trying to get in; special favors were out of the question.
...
The only person at the library who really knew anything important about the system was the director himself, and he was out of the question since he would recognize my voice.
...
I called up the library reference desk, and made up a story about how I was a programmer from the company that had installed the new computer system and I was wondering if they had version 8 of the program? Naturally she didn't know, but I kindly explained to her that to find out she would have to look for some disks with labels stuck to the front of them.
...
I had her read it to me, and one of the twelve digits was an eight, so I told her yes, everything was fine, that I just wanted to make sure she had the newest version, and that I would send her version nine if we ever got around to releasing it.

Anyway, I paid extra for overnight delivery of the debugger documentation, and got it late the next day.

(All the important commands were abstruse things like KLOO and EE61.) Exiting the debugger got me to a login prompt.
...
(Here JSC stands for J.
...
Of course that is a fictitious name.
...
I know how to put in "your personal 9-digit ID code."
...
I wrote up a program to continuously spit out possibilities for the last six digits, and it wasn't too long before I found one that worked.
...
" Jane Thornbuckle was not the library director.
...
I went back to brute forcing for a while, looking for Thornbuckle's personal password by trying out the obvious possibilities, until I got sick of it.
...
Buried deep in the stack was the answer: Thornbuckle was a figure in the company's Management Information Services Department (i.e., a computer programmer).
...
Finally I restarted my program to try social security numbers, and eventually came up with the library director's.

I decided to look back at what I already knew.
...
I was able to use one of the debugger's find commands to locate every occurrence of the word "circ" in the system files.
...
I tried analyzing the gibberish after the second circ to see if it could be unencrypted to read "JSC." This tactic was to no avail.
...
The problem was I didn't know what the "mini" part meant.
...
I was trying passwords like TRAIN, MINI, MCIRC, MINICIRC, TUTOR, LEARN, and after a lot of trouble, finally came up with T.
...
This got me to my favorite little message: "Please enter your personal 9-digit ID code."
...
The screen cleared.
...
"Please enter your personal password."
...
Yes it was: a few moments later I was in the minicirc under the password "TRAIN."
...
I had managed to get out of the public side of the dialup system and into the behind-the-scenes area.

The minicirc was helpful, but it lacked certain features which, if I were an industrial spy, I would have liked to have had access to.
..., but the database contained only imaginary names and addresses.
...
There was a bulletin board service, which would display messages after logging in.
...
From examining these messages carefully, I came up with some important tidbits of information.
...
Part of the sender data included the word "minicirc," which implied that it was possible to send messages from the minicirc to the circ and vice versa (otherwise, why would they bother putting that in there?).

I used the editor to write a letter and send it to myself.
...
Pushing the debugger to its limits, I was able to use its file editors to find the letter I had written, and alter its contents.
...
And where originally the file had stored my own name - "New User" - I altered it to say that it came from some fictitious representative from the database company that had written the software.
...
I supplied a phone number to call.
...
We set up Morriskat's answering machine so that if the director called when he wasn't there, a convincing song-and-dance would tell about the new products this company was offering at the time.
...
The director didn't know the answers but, he said, he had a terminal right in front of him - he could log on.
...
"Just go through your usual stuff.
...
JSC.
...
Are you still using the personal password we originally set you up with?"
"Yeah, 'Firebird.'"

Knowing three out of the four security controls, projecting an air of omniscience, and having the spoofed e-mail as support, getting that final password was easy as pie.
...
It turns out we could do plenty.
...
We were able to toggle access to virtually every aspect of the software to any other user.
...
We knew what materials they had borrowed, their home and office phone numbers and addresses, and year of birth."
As the coup de grace, and to prove conclusively that I had done what I had set out to do, I used the programmer's interactive debugger editor to alter the library program's opening screen so that instead of giving an explanation of commands, it told a dirty joke.
...
This story as I've told it here is pretty much that file, although here I've expanded more on the hackerish side of things.

It's not enough to be a spontaneous and smooth-talking social engineer.
...
It's not enough to have the perseverance of a marathon runner.
...
And the ethic.

Did I display the hacker's ethic when I carried out the hack I've just described? Yeah - I had done nothing more than rename the file that contained the system's opening screen, and put the dirty joke in a new file with the old name.
...
Later the two of us, along with members of the computing staff of the company, held a meeting to discuss what actions would be taken to close up the security holes I had found.


Concluding Thoughts

Ask any enlightened sage about the purpose for the existence of our universe - or ask any burning, age-old philosophic question of the kind - and the response will invariably be something like this: "I can not say it in words..." But to simply use words to describe an indescribable sensation is impossible.

But he's also sincere. Things can be explained to you, but they can't be felt unless you yourself have felt them. You now know the ideas, the methods, the information and facts that will allow you to begin a hack in a systematic way, and you know what can be done to minimize mistakes and wasted effort, and reduce your chances of getting caught. As with any hobby/game/education/occupation it takes trial and error, practice and experience, lots of time and patience and practice and more practice, before things work out as you would like.
Some Thoughts To The Concerned Administrator

If you have read this book because of your interest in law enforcement, security, or the mindset of the computer delinquent, then you should have by now learned dozens of ways the most seemingly airtight of security systems can be broken and penetrated.

Such a list should include stressing to your system's users the importance of keeping good passwords, regularly changing them, and taking note of the login message which will display the user's last login date, time and place. Tell your users that if they are asked to reveal such things as passwords, they should simply respond, "I can not help you with that," and end all communications. All that is required is that statement. All others will be hackers.

Don't let your users become complacent about security, but don't overwhelm them with it either. If your demands are too outrageous however (changing passwords at every login, for example), none of your users will comply. Point out the loss to them if security is breached.

Finally, to really ensure that security is as close to 100% as possible, set up a regular maintenance and clean-up schedule. If you hear of hacker attacks or viruses at other sites, learn about their problems and see that they don't happen to your own site.

One investigator has estimated that a third of the security holes he has found were due to debugging options.

Notice that when you erase the ex-employee's account, you must strike a balance between fair warning and urgency. But giving a warning too far in advance allows viruses, time bombs and trap doors to creep into your system. Make use of these.

Ultimately, the little bit of extra work this all involves will prove its immense worth.

If you've tried and tried and tried, but you still haven't managed to get past finding a phone number - or perhaps you can't even get to that - you can still count yourself among one of the few true hackers so long as your intentions are good, you play it safe with hacker security, you intend to act ethically when you do come onto a system, and you intend to enjoy your life to its fullest potential.

Congratulations and good luck to you: now you know the Secrets of a Super Hacker! And you, too, are one. What that means is, if you want to continue to experience the thrill of tap dancing through the nation's computer systems, you must have thorough knowledge of what goes on within that playing field of networks, telephones, terminals and users.

I highly recommend - at least for your own enjoyment and to further your interest in the world of deviant computing - the books listed below.

... Find it Fast: how to uncover expert information on any subject. New York: 1987. Berkman lists some good phone numbers and addresses of organizations you can get in touch with to help you get information in lots of areas necessary for a hacker to know about, including: companies, special/company libraries, governmental documents, etc. ... In them Berkman gives you his tips for extracting information from people.

Cornwall, Hugo. ... E. ... Alexandria: 1986. ... It often talks in general terms rather than specifics, and is not as handy as the title seems to indicate. ... If you're the former, then this book will probably be of some assistance.)

Farr, Robert. ... McGraw-Hill Book Company. ... Not too much here about hacking per se, but there are many helpful and exciting anecdotes to aid you in your social engineering and trespassing skills.

... Computer Ethics: cautionary tales and ethical dilemmas in computing. ... Cambridge, MA: 1990. ... That's what hacking is all about.

... How to Look it Up Online. ... St. Martin's Press. ... Includes many useful phone numbers (voice and modem), explanations of the various services offered and how to use them. ... " X being whatever topic he is currently writing about.

Hafner, Katie and Markoff, John. ... outlaws and hackers on the computer frontier. New York: 1991. ... Sprinkled throughout are helpful hacker hints, interesting histories and revelations of behind-the-scenes goings-on at your favorite hack targets.

Landreth, Bill. ... Microsoft Press. ... "Reformed" hacker Bill Landreth uses his expertise to show system operators and computer managers how they can prevent their security from being breached. ... Includes some interesting anecdotes and useful information.

... Computer Crime: criminal justice resource manual. ... 1988. ... Some useful hacker tips can be found here and there, but more importantly, it is essential for you to learn how you will be investigated so you can protect against it.

... The Complete Laptop Computer Guide. ... St. Martin's Press. ... This book is a must-read for out-of-towners. ... This is done without neglecting the United States.

Sterling, Bruce. ... Bantam Books. ... There's a lot of history and homages herein. ... Also, Sterling is a good writer.

... The Cuckoo's Egg. ... Don't ask questions: just read it.

... The Federal Database Finder: a directory of free and fee-based databases and files available from the federal government. ... Chevy Chase: 1987. ... Many such directories exist, this being just one.

You will find that most of this information is totally useless and/or bogus, but every once in a while you'll get a lead or a good idea.

You can even get the magazines for free if you convince the subscription department that you are someone in the industry. The way I do it is I go to the library and borrow some computer magazines. ... I get information from a lot of different companies, as well as free disks and posters. (There are usually spaces on these cards to enter your title and company.) If your library doesn't carry a magazine you'd like to receive, you can always just type up a letter to the subscription department of that magazine, and ask about rates for 'buyers'. ... By the way, if your library does get one of these magazines, there's no sense in using these tricks to steal a subscription, is there? In any case, for the real inside dope on the hacker scene, you want to go to the underground press. Most of these can be found on-line. They are all free, and legally free. If you've bought any of it, you've been screwed. These zines are often written by cocky, spaced out adolescent weirdos who don't know much except that they hate everyone and everything. A lot of the articles ("philes") you'll find in these journals are simply rehashings of mainstream works, such as down-to-earth retellings of technical articles. In the very least, reading these journals makes you feel good, because you'll end up thinking to yourself, "Gosh, these so-called hackers don't know much more than I do..."

You can know a lot about computers; you can learn a lot about hacking, but ultimately, the greatest hackers are the ones who are most dedicated to what they set out to do. There is only trial and error, continued patience, and a loyalty to one's own ethics.

... The acoustic coupler is connected to a modem, which sends its signals directly through the mouthpiece of the phone, and receives signals through the earpiece.

amplifier - A device for increasing the amplitude of a signal without altering its quality.

anonymous FTP - The ability to transfer a file from a remote computer connected to Internet without having an account on the remote computer. ... One enters "anonymous" for username, and usually one's e-mail address for the password.

application program - Any software that is not part of the operating system. ... These are where you hide Trojan horses.

archive - Several files grouped together and generally compressed into a single file. ... Archive also refers to a computer or drive which acts as a repository for files, especially a drive which can be accessed via FTP.

asynchronous attack - ... An asynchronous attack on a system involves one program attempting to change the parameters that the other has checked as valid but has not yet used. ... But if the contents of memory that hold the "reject request for superuser status" are changed to "accept request for superuser status" by another process, then the original "su" command will execute.

incarnation of a god
...
That is, it receives and sends news and messages to other sites
...

baud - Pulses per second (pps), with the as-sumption that each pulse is identical in
amplitude
...
Thus, when all
pulses have the same amplitude, baud refers to bits transmitted per second
...
Consists of a piece of code used to govern the
elementary system-level functions of a computer
...

BITNET - A network of normally mini or main-frame computers
...
It provides e-mail and file transfer
capabilities
...

BBS - Bulletin Board System
...
Users
dial in, then have access to various features including e-mail, message exchanges,
games, and text files
...
Now we
refer to ourselves as hackers
...

bps - Short for "bits per second
...
Overflow
happens when excess data is fed to a buffer, without giving it time to digest
previous intake
...
A
person might try and hack his way out of a program by inducing buffer overflow
...
Informally, a byte is a small amount of memory, just enough to hold
a single letter, digit, or other character
...
UNIX is written in C
...
In BBS circles, chat would imply talking with
the sysop on a single-user system
...
Security cameras set up in office buildings and
else-where are monitored on CCTV
...
Some computers use compact discs
the way other computers use floppy disks
...

CIO - Chief Information Officer
...
Also, cty and ctty
...

174
covert channel - A way to secretly communicate information out of a private domain
of a sys-tem, such as an account
...

cty - Console tty
...

daemon - Short for Disk And Execution MONitor
...

Pronounced "day-min" or "dee-min
...

demodulation -The process of removing an audio signal from its high frequency
carrier
...

demon -Similar to a daemon, except this program is invoked by a user or another
program
...
A standard encryption technique for scrambling
data
...

Also a device which makes use of such a circuit
...
Term used to refer to operating systems in general,
or to the operating system of the Apple 11 series
...

dual-tone multifrequency dialing - A dialing method using a pair of tones, one high
and one low
...

dumb terminal - A device that allows input to a computer (such as through a
keyboard) and output from the computer (through a video screen) - and nothing
else
...

duplex - Simultaneous communication in two directions
...

EDP - Electronic Data Processing
...
Sometimes seen as email
...
Also refers to the message itself
...
Users must get through the safety
features of the firewall in order to access the important computer or network
beyond
...

FTP - File Transfer Protocol
...
FTP is also the name of a program that uses the file
transfer protocols to move files back and forth between computers
...
A direct-dialing phone system used by
agencies of the federal government for voice, scrambled voice, high-speed data,
fax, and teletype communications
...
For instance, all
secretaries at an office might use the same account
...

175
handle - An assumed name; an alias
...

handshaking - The process or activity by which two separate pieces of hardware
coordinate their signals so that they can work together, usually to send messages
between them
...

intelligent terminal - A smart terminal
...
Because of their personal nature, the answers should be known
only by the correct user and the system itself, thus authenticating account
ownership
...
It supports e-mail, file transfer protocol (FTP), and remote login (telnet)
...
Or one which
only seems to be so because the security code is not known
...
The trap may be a simulation of the actual system, or an
abundance of groovy text files to read, or something simple like slowing down the
system to a crawl
...
Every piece of known data about a
case is entered, which can then be cross referenced and checked in-stantly
...
Joe accounts have been
called the "single most common cause of password problems in the modern world
...
A network that is linked locally, that is, within the same
room, the same building, or perhaps between adjacent buildings
...
Contrast with WAN
...
Might also be called a nastygrarn
...
These passwords may only be used a set number
of times, or until a certain date
...
Also, loop, telephone line
...
For example, if you want to start a mailing list, the Listserv
would send the files you want mailed to the appropriate destinations
...
For example: On the Apple lie it is
possible to turn an innocuous REM statement in an Applesoft BASIC program into a
nightmare
...
Any DOS command following that
character will be executed
...
More commonly, one thinks of live
data as control instructions to the terminal
...
System
operators are
176
fond of reading through their logs to spot hacker activity
...

login - To gain access to a computer, usually by entering the required username
and password
...
A disgruntled employee might, before quitting
his job, insert a line that says, "IF Joe Smith's account is deleted from the system
THEN instruct payroll program to combine all paychecks into one and mail them to
Joe Smith
...

lounging - See passive computing
...

For example, if you were writing a book about
Hieronymous Bosch, you might set up a macro in your word processor to insert his
name whenever you typed "Alt-H
...
When a modem modulates your data as you type on your
keyboard, it is converting the computer's digital pulses into frequPinvies within the
audio range that the telephone transmits
...
A device that modulates computer data into a
format that can be sent through telephone wires, and can demodulate information
that has been sent to it from another computer
...

MULTICS - Short for MULTiplexed Information and Computing Service
...

multiplexing - The use of different modulating frequencies for the simultaneous
transmission of signals
...

NCIC is linked with TECS, - the computer system of the Treasury Department - as
well as many state computers
...
Often used as part of words that refer to a specific
network, such as the Internet
...

newsgroup - A section of USENET devoted to the discussion of a particular topic
...

OCIS - Organized Crime Information Systems, run by the FBI
...

once-only codes - A password that can only be used for one access
...
The control program of the computer which
oversees how the system interfaces with the user and peripherals
...

OS - Operating System
...

PABX - Private Automatic Branch eXchange
...

packet assembler/disassembler - One of the node computers of a public data
network
...

Each in-termittent computer is a PAD that receives chunks of data (128 bits long,
following the X
...


parser - A program that looks at some inputted text and tries to make sense of
what it means
...
" The parser inside MS-DOS figures out that what you want to do is erase
the file called "filename
...

passive computing -To monitor the contents of a computer screen through
surreptitious means, using one of several methods such as Van Eck phreaking, or
cabling the target computer to a second, secret monitor or VCR
...

pass phrase - A series of words or syllables used for access control instead of a
password
...

PAX - Short for Private Automatic eXchange
...
Used for faster and more secure com-munication
...
A net-work of telephones, each equipped
with its own switching arrangement, instead of requiring switching to be done from
a separate switchboard
...

PC-DOS - Operating system supplied by IBM for
use with its personal computers
...

phreak - One who hacks the telephone system, usually to obtain free long distance
calling and other services such as conference calling
...
- specific pieces of hardware they
had built to generate signals that would cause the phone network to do their
bidding
...
Phreaking has become more
code-oriented; stealing calling card numbers and otherwise charging phone perks to
another's bill
...

It has its own set of rules and jargon, and even a
knowledgeable hacker who stumbles upon a phreak BBS is likely to be confused by
the discussion
...
For hackers,
that language is phreak
...
In the
computing world, to login to a system by tapping into another user's communication
with the computer
...


plaintext - In encryption, the message (or file) that is encoded
...
A local network of telephones usually in separate
buildings, houses or offices, and operated by an outside phone company
...

PPN - Project-Programmer Number
...
PPN may at times be applied to other systems
...

premises wiring - The wires inside a building that are used to connect telephones to
phone company lines
...

process - A program that a computer is currently running
...
For instance, under UNIX one can type "ps -f` 'to see what
everybody else logged on is doing
...
When two
pieces of hardware must interact (such as when two modems connect), they must
follow the same protocol, else communication between them will be impossible
...
25
...

pulse frequency - Number of pulses per second
...
These can
be found at public fax machines and some automatic teller machines
...

reverse social engineering - Tactic whereby the system user contacts the hacker for
advice, and
in the process of problem-solving, divulges confidential data
...
For hacking purposes, we talk about the
superuser aspect of it
...

salami technique - A method used to steal large sums of money over a long period
of time, based on the assumption that little amounts won't be missed
...
The criminal then makes off with the
account
...
Also, trashing
...

security through obscurity - Here is a pre-login message that exemplifies the
opposite of secu-rity through obscurity: "Thanks for calling Hey There Travel
Agency Network
...
If you need help,
call Cheryl in data processing at (818)-XXX-XXXX
...
One would want to obscure it, by changing it all to
one cryptic character, such as >
...

serial - Passing information one bit at a time in sequential order
...

Basically, whenever you input a command to a computer you are using some kind
of shell
...

simplex - One-way communications
...
)
simulation - A program set up by a hacker that mimics a legitimate aspect of the
system, such as login screens
...
Also called an intelligent
terminal
...

source code - The list of instructions that a programmer types in that make up a
computer program
...

stand-alone - A computer or computer system that will operate without requiring
additional equipment
...
A Macintosh is a stand-alone device
...
The superuser can create
and delete accounts, view and change passwords and files, and is usually
responsible for machine maintenance
...
Usually to do so constitutes a security breach, or in the very least,
violates the intended usage of the software one is altering
...

In surveil-lance, the redirection of output of two or more cameras to the available
viewing monitors
...
Usually this is a plain ASCII text file containing shell commands
which are run as a batch
...
BAT
...

sysadmin - SYStem ADMINistrator
...

sysop - SYStem OPerator
...
The
people who help the sysop are "co-sysops," or simply "co's
...
" Often written as "SysOp", and sometimes as "sys-op" though this latter
version is pretty larne
...
What you type
appears not only on your screen, but on his or her screen as well, and vice versa
...
Smuggy would respond with "talk yourname," and the conversation
would begin
...

TAP - Technological Assistance Program
...
There are
two types of programs used to do this
...
The second, TN3270, establishes a full
screen connection
...


In general, it is a combination
input/output de-vice (a monitor and keyboard) connected to a remote computer
...

tiger team - A hacker or group of hackers who are engaged by an organization to
find the security flaws in that organization's computer system
...
Often seen as a portable tone dialer, these
devices are small enough that they will generally include a clip so that they can be
hooked to one's belt and easily carried
...
"
trapdoor - An undocumented way of gaining access to a computer system, usually
thought of as a method of entry put in by a system programmer who wants to
break into the computer after he is no longer employed by the company
...
A different kind of trapdoor
may be unintentional; for example, a laxness in encryption procedure that allows
one to deter-n-dne the plaintext without knowing the key
...


tracking - An investigator's use of system logs and other audit trails to look and
see where a hacker has been and what the hacker has done
...


Trojan horse - A section of code hidden inside an application program that
performs some secret action
...


TSR program - Short for Terminate and Stay Resident program
...
The TSR usually stays "hidden" in the background until a person or the
computer decides to use it
...
As the user switches from
one application to the next, the TSR continues to run silently in the background,
capturing keystrokes
...
True hackers, they wrote what would
become one of the most predominant operating systems so they could play Space
Travel without getting a jerky response from the MULTICS time-sharing system
they had been forced to use
...
Users from all over the
world read and exchange news, notes, comments, stories, files, humor and help on
all topics under - and above - the sun
...
Usually it is some variation on the person's real name
...

virus - A worm implemented as a Trojan horse that contains a logic bomb
...
Voice mail is a comput-erized phone answering setup that
stores in-coming messages in digitized form, on disk
...

WAN - Wide Area Network
...
Computers in a
WAN are generally connected
181
via phone lines (such as Internet)
...

Warez dOOd - A silly name for people who trade or sell pirated software
...

WATS - Wide Area Telecommunications Service
...

worm - A program whose purpose is to reproduce
...

182

Appendices
183
Blank Page
184

Appendix A:
Explanation of Some ASCII Codes

ASCII character code tables are very popular in computer books. ... Since ASCII tables are so prevalent, I'm not including a full one here. ... It's just about impossible to find a listing anywhere that tells you what these things do or mean. ... As you read through the list, try to think of ways you can use the information in your hacking.

0 NUL NULl - No character; used for filling time in synchronous communication, or for filling in extra spaces on disk/tape when there is no data.
... (Control-A)
2 STX Start of TeXt - Specifies the end of the heading, and the beginning of a block of text to which the heading applies.
... Often used as a break key.
... Indicates the last text has been sent. (Control-D)
5 ENQ ENQuiry - A request for a response from the other end. ... Might also be used to ask if a message has been received.
... (Says, "Yep...") Used as a positive response to an ENQ.
... (Control-G)
8 BS Back Space - Indicates the movement of the printing mechanism or display cursor one position back.
... Often the same as pressing the Tab key.
... (Control-J)
11 VT Vertical Tabulation - Print mechanism or display cursor to next series of preassigned printing lines.
... Often clears the display screen.
... Often corresponds to the Enter or Return key, or Control-M.
... (Control-N)
15 SI Shift In - Indicates the code combinations which follow should be interpreted according to standard character set. (Control-O)
16 DLE Data-Link Escape - Indicates the following character is a control code rather than data.
... DC3 (Control-S) usually pauses local reception of output until a DC1 (Control-Q) is given. ... DC4 is Control-T.
... A NAK says, "What'd ya say? I didn't quite catch it..."
... When no data is being sent, synchronous transmission system may send SYN characters continuously.
... Used for blocking data where block structure is not necessarily related to processing format.
... Sometimes used as an "abort transmission" command.
... (Control-Y)
26 SUB SUBstitute - Substituted for character found to be erroneous or invalid. (Control-Z)
27 ESC ESCape - Character intended to provide code extension by giving alternate (usually control) meaning to characters that follow.
32 SP SPacebar
127 DEL DELete
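As an added example (not from the book), a small Python tool that makes these control codes visible in untrusted text such as log lines, usernames or banner text, rendering each one by its ASCII name and its Control-key (caret) form; the defensive point is that CR, BS and ESC in a line can rewrite what an operator sees on a terminal or in a log viewer, so they should be displayed rather than passed through. The sample line and the function names are constructed for the example.

```python
"""Make ASCII control characters in untrusted text visible.

Added example, not from the book. A log line carrying CR (overwrite the line),
BS (erase what came before) or ESC (start a terminal control sequence) can
change what an operator sees; rendering each control code by name and caret
form turns it back into inspectable text.
"""

# Names for the 33 ASCII control codes (0-31 and 127), as in a standard table.
CONTROL_NAMES = {
    0: "NUL", 1: "SOH", 2: "STX", 3: "ETX", 4: "EOT", 5: "ENQ", 6: "ACK",
    7: "BEL", 8: "BS", 9: "HT", 10: "LF", 11: "VT", 12: "FF", 13: "CR",
    14: "SO", 15: "SI", 16: "DLE", 17: "DC1", 18: "DC2", 19: "DC3", 20: "DC4",
    21: "NAK", 22: "SYN", 23: "ETB", 24: "CAN", 25: "EM", 26: "SUB", 27: "ESC",
    28: "FS", 29: "GS", 30: "RS", 31: "US", 127: "DEL",
}

# Constructed sample: a login record whose CR and ESC[2K (erase line) would make
# "user=root" replace "user=alice" on screen, followed by a BEL to ring the bell.
SAMPLE_LINE = "user=alice\r\x1b[2Kuser=root\x07"


def caret(code: int) -> str:
    """Caret notation: codes 0-31 are ^@ .. ^_ (Control-@ .. Control-_), 127 is ^?.
    Control-A is ^A because chr(1 + 64) == 'A'."""
    if code == 127:
        return "^?"
    return "^" + chr(code + 64)


def find_control_chars(text: str):
    """Return (index, code, name, caret) for every control character in text."""
    hits = []
    for i, ch in enumerate(text):
        code = ord(ch)
        if code in CONTROL_NAMES:
            hits.append((i, code, CONTROL_NAMES[code], caret(code)))
    return hits


def escape_control_chars(text: str, keep_newline: bool = False) -> str:
    """Replace each control character with '<NAME ^X>' so it is shown, not obeyed.
    keep_newline=True leaves LF alone for multi-line records."""
    out = []
    for ch in text:
        code = ord(ch)
        if code in CONTROL_NAMES and not (keep_newline and ch == "\n"):
            out.append(f"<{CONTROL_NAMES[code]} {caret(code)}>")
        else:
            out.append(ch)
    return "".join(out)


def looks_like_terminal_escape(text: str) -> bool:
    """True if text contains ESC followed by '[' or ']', the usual start of a
    terminal control sequence (a cheap detection rule for log ingestion)."""
    return "\x1b[" in text or "\x1b]" in text
```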

Appendix B:
Common Defaults

These are words that are often used as default names and passwords. ... Besides these, try using variations on the company name and the type of service it offers as names and/or passwords. ... " Also try putting spaces in the words (i.e., "New user") and varying capitalization (i.e., "NewUser," "newUser," etc.), and repeated letters - if a password can be up to eight characters, try "XXXXXXXX," and other things like it.


guest
visitor
visit
intro
demo
mail
new
manager
test
field
pswrd
tty
trainer
testing

start
Su
0
email
use
enter
newuser
1
Sys
temp
9
root
tempy
mini

accoun
default
a
x
q
Z
sysop
password
system
instr
startup
go
training
hello

supruser
superuser
anonymous
user
demonstration
instructions
introduction
name
systest
passwd
id
train
info
techsupport
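A defender's use of this list, as an added example (not from the book): a checker that normalises a candidate name or password the way the appendix says a guesser varies it (case, inserted spaces, repeated characters, company-name variants, a trailing digit) and flags anything that collapses onto a default word, or a "Joe account" whose password equals its username. The default-word set is a constructed subset of the list above, and `normalize`, `why_default_like` and `audit_accounts` are my own names.

```python
"""Flag default-like credentials at account creation.

Added example, not from the book. It applies the variations Appendix B says a
guesser tries (case, inserted spaces, repeated characters, company-name
variants, a trailing digit) and refuses anything that collapses onto a default.
"""
import re

# Constructed subset of the appendix's default words (names and passwords).
DEFAULT_WORDS = {
    "guest", "visitor", "visit", "intro", "demo", "mail", "new", "manager",
    "test", "field", "pswrd", "tty", "trainer", "testing", "start", "su",
    "email", "use", "enter", "newuser", "sys", "temp", "root", "tempy", "mini",
    "default", "sysop", "password", "system", "instr", "startup", "go",
    "training", "hello", "supruser", "superuser", "anonymous", "user",
    "demonstration", "instructions", "introduction", "name", "systest",
    "passwd", "id", "train", "info", "techsupport",
}


def normalize(candidate: str) -> str:
    """Lower-case and strip spaces, dots, dashes and underscores,
    so 'New User', 'NewUser' and 'new_user' all become 'newuser'."""
    return re.sub(r"[\s._\-]", "", candidate).lower()


def company_variants(company: str) -> set:
    """Company-name variations a guesser tries: whole name, first word, initials."""
    words = re.findall(r"[A-Za-z0-9]+", company)
    if not words:
        return set()
    return {normalize(company), words[0].lower(),
            "".join(w[0] for w in words).lower()}


def why_default_like(candidate: str, company: str = "") -> str:
    """Return the reason a candidate is default-like, or '' if it passes."""
    norm = normalize(candidate)
    if not norm:
        return "empty"
    if len(norm) == 1 or (norm.isdigit() and len(norm) < 4):
        return "single character or short number"      # a, x, q, 0, 1, 9
    if len(set(norm)) == 1:
        return "single repeated character"             # XXXXXXXX
    if norm in DEFAULT_WORDS:
        return "default word"
    if norm.rstrip("0123456789") in DEFAULT_WORDS:
        return "default word plus digits"              # guest1, temp99
    if company and norm in company_variants(company):
        return "derived from company name"
    return ""


def audit_accounts(accounts, company: str = ""):
    """accounts: iterable of (username, password) pairs.
    Returns [(username, reason)] for every pair that should be refused,
    including 'Joe accounts' whose password equals the username."""
    flagged = []
    for user, password in accounts:
        reason = why_default_like(password, company)
        if reason:
            flagged.append((user, "password: " + reason))
        elif normalize(password) == normalize(user):
            flagged.append((user, "password equals username"))
    return flagged
```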

Now here is a whole slew of defaults, common passwords and account names for different operating systems and other kinds of computers.

Credit Bureaus

TRW uses a password of the form: "LLLNNNNNNNLNL" (Example - abc123456d7e) where L is a letter of the alphabet, and N is a digit.

For CBI, the passwords are: "NNNLLNNN-??" Again, the Ns are numbers and the Ls are letters. ... Note the hyphen placed between the last digit and the first wild character.

... [Account Name],[Group Name][GroupPassword]"

Accounts:

Mgr.Telesup,hponly
Mgr.Hpoffice,pub
Mgr.itf3000,pub
Field.telesup,pub (password: mail)
Mgr.hppl87
Field.hpp196
Field...

This is called "security through obscurity."

This is a list of all the commands I remember being able to use in this sort of situation.

Sometimes commands must be preceded by a control character. ... " Unless the system specifically asks for something (like a log-on ID in a particular format) it's a good idea to try these commands, because you never know when one of them will work.

... Using one of these as a password usually indicates a novice or disinterested computer user.

In addition to these words, you will want to try the letters of the alphabet, various combinations of letters, and numbers, and things easily typed on a standard keyboard, such as "poiuy" and "yhnujm". ... For parents, try things like "dad," "daddy," "mother," or "mommy." ... "Daddy" may be more appropriate.

... The first is my own. ... , was used by the worm program that blazed through the Internet in 1988. ... I have it listed here mostly for historical reasons. ... Duplications between the lists have been removed from my list.


bridget
broadway
bumbling
burgess
campanile
cantor
cardinal
edinburgh

develop
dieter
digital
discovery
disney
dog
drought
duncan
eager
easier
edges

stop

carolina
edwina

caroline

edwin

golpher
cascades

egghead

gorgeous

Morris List:
aaa
einstein
aaa
elephant
academia
gryphon
aerobics
guest
airplane
emerald
albany
engine

algebra
gouge
algebra
graham
aliases
alphabet

castle
cat
answer
answer
anthropoge
anvils

ama

eiderdown
gorges
eileen
gosling
cayuga

anything

celtics
cerulean
change

elizabeth
ellen

charles

guitar
amorphous
gumption

aria

charming

albatross
guntis
albert
enterpise
alex
hamlet
alexander
handily

analog

animals

charon

engineer

anchor
hacker
andromache

ariadne

arrow

chester

arthur

cigar

enzyme

athena

classic

ersatz

happening
target
harmony
tarragon
harold
taylor
harvey
telephone
hebrides
temptation
heinlein
scotty
hello
secret
help
sensor
herbert
tomato
hibernia
topography
honey
tortoise
horus
toyota
hutchins
trails
imbroglio
trivial
imperial
shivers
include
ingres
inna
umesh
innocuous
irishman
isis
japan
jessica
jester

lynne

Patricia

Sal

macintosh

Peoria

Saxon

penguin

scamper

mack
maggot

persona

malcolm

percolate

mark
thailand

persimmon
markus

scheme
Scott

Pete

tiger
marty
toggle
marvin

peter
phoenix

serenity

master

Philip

sharks

maurice

Pierre

Sharon

mellon

pizza

Sheffield

plover

Sheldon

merlin
mets
michael
trombone
michelle
mike

minsky
moguls
moose
morley
mozart
nancy

Plymouth

Shiva

polynomial
pondering
pork
minimum
praise
precious
prelude
prince
Princeton
Protect

shuttle
signature
poster

tubas
tuttle
Simon

simple
singer
single
smile
smiles
smooch

unhappy
unicorn
unknown
urchin
utility
vacant

jixian
smother
johnny
joseph
joshua
judith
juggle
sossina
julia
kathleen
whiting
kermit
kernel
springer
kirkland
knight
Williamsburg
ladle
Stratford
lambda
Stuttgart
lamination
larkin
larry
summer
lazarus
super
lebesgue
wormwood
lee
support
leland
leroy
surfer
lewis
Suzanne
light
lisa
zimmerman
louis

napoleon
vertigo
nepenthe
ness
network
newton
next
weenie
nic
noxious

protozoa
pumpkin
puneet
puppet
rabbit
rachmaninoff
rainbox
raindrop

nutrition
nyquist
will
oceanography
ocelot

raleigh
random
rascal
really

Olivetti
Willie
Olivia
Winston
oracle
orca
Orwell
wombat
Osiris
woodwind
outlaw

vicky
village
virginia
warren

sparrows
spit

whatnot

spring

Whitney

squires
strangle

William

rebecca
remote
rick
ripple
robotics

subway
success

Wisconsin
wizard

rochester
rolex
oxford

yaco
pacific
painless
yellowstone
Pakistan
yosemite
Pam
papers
password

snatch
snoopy
soap
Socrates

Superstage
romano

ronald
rosebud

supported
yang

rosemary
roses
ruben
rules


swearer
zap
symmetry
tangerine

APPENDIX E:
Job-Related Word List

These are passwords that might come up in a secretarial or office clerk setting. ... For office settings, also try the company name and variations (initials, abbreviations), titles of software programs they might use there, and words related to that particular job. ... These sorts of people are also often fond of ham radio, science fiction and fantasy, electronics, mathematics, chess, programming, and other related things. ... Also try words from the Glossary.

abort
abortion
absolut
absolute
access
address
ai
algorithm
alias
alpha
bboard
beam
beamup
berserk/er
biff
Bilbo
Blast
Board
Bogon
Bomb
Bones
Bridge
Broadcast
Buzz
Cable
cage
captain
central
chang
channel
chaos
chen
chess
chief
choke

ambassador
atheist
anarchism
attack
anarchy
avatar
analog
baggins
application
band
arc
bandwidth
archive
bang
ascii
barf
async
baud
atheism
bbaggins
chomp
erotics
Christmas
expert
cluster
external
connect
female
cowboy
foobar
crack/er
fractal
crunchy
freq
crusher
frequency
data
frodo
date
fronteir
dbms
frontier
demigod
function
demo
gene
devil
generation
Diana
genius
digital
go
dipole
god
director
green
dos
grep
dump
grok
dvorak
gronk
ebdic
group
enterprise
hack/er
enterprize
ham
erotica
hamradio

hobbit
oscillator
home
output
tasha
horizontal
overheat
host
overload
hotkey
picard
technician
human
piggy
test
index
power
time
input
pres
tng
iris
primos
transport
isis
procedure
transporter
j1p
prodigy
travel
kermit
protocol
trek
king
quartz
treker
kirk
quattro
trekie
klingon
query
trekker
Ian
quit
trekkie
lang
qwerty
trekky
language
radio
tribble/s
laser
random
troy
lee
ravel
tsupport
lord
register
tyar
male
riker
unix
man
robot
var
mark
romulan
variable
mask
romulon
vax
master
romulun
vector
matrix
rtty
virus
memory
ryker
VMS
mensa
scotty
Vulcan
menu
scraft
wan
modal
shuttle
Wang
mode
shuttlecraft
warf
model
skip
warp
modem
skipzone
WC
modulate
space
wheel
moon
speed
wizard
msdos
spock
worf
nc-101
star
worm
net

network
startrek
xterm
next
sting
ymodem
nil
strek
zmodem
nill
sttng
yar
nim
Su
zero
node
sundevil
zoo
null
super
object
superuser
ohm
support
OOP
SWI
operation
synch

szone
tech
technical


Appendix G:
Social Security Number Listing
And ICAO Alphabet
The Social Security number has pretty much become the Great American Serial Number... In addition to maintaining records on virtually every American, the SSA keeps track of millions of foreigners who work in this country or who once worked in this country and have since retired to live outside the US... Those military SSNs contained ten digits beginning with zero...

The first three numerals are known as "area numbers" because they indicate from which state the subject applied for a number...

Very few SSNs above 595 have been issued, so stay away from brute forcing those... New numbers in that range have not been assigned since 1963... (That is, there are currently no SSNs between 596-626...

2...

4... The chosen words are easy to understand regardless of accent...) The ICAO words should be added to any novice and technical word list...

Alpha/Alfa (Able)
Bravo (Baker)
Charlie
Delta (Dog)
Echo (Easy)
Foxtrot (Fox)
Golf (George)
Hotel (How)
India (Item)
Juliet (Jig)
Kilo (King)
Lima (Love)
Mike

November (Nan)
Oscar (Oboe)
Papa (Peter)
Quebec
Romeo (Roger)
Sierra (Sugar)
Tango (Tare)
Uniform (Uncle)
Victor
Whisky (William)
Xray
Yankee (Yoke)
Zulu (Zebra)

Numbers: Wun, Too, Thuh-ree, Fo-wer, Fi-yiv, Six, Seven, Ate, Niner, Zero
... Can you help me out?"

• Call and ask for a naive user... Say you want to test a new help system or tutorial that will help them learn... When it doesn't work, act surprised and say, "Gee, what do you normally do here?" Then tell the user you'll fix it and call back later...

• Place fliers in the college computer room: "We need system managers immediately! Looks good on resume! Name..." Or work this on, say, Psychology or Economics students: tell them there's a special project they can enroll in for credit or money... Set up your own computer with a simulator...

• Call a system manager after an incident and say you are a legitimate user who has been locked out, or who's had an account destroyed...) If software failure was involved with the incident, you will want to talk to the software company and see if you can find out what the bugs were and how they were exploited or repaired... You are in your target's office with the account holder... He thinks the account holder's car was broken into...


SECRETS OF A SUPER HACKER
by The Knightmare
With an Introduction by Gareth Branwyn

This is the most amazing book on computer hacking we have ever seen! The Knightmare is the kind of Super Hacker that keeps security managers from sleeping at night... And if your computer has any link whatsoever to the outside world it is vulnerable to his attack... Here are some of the methods covered in this extraordinary manual:

Brute Force Attacks: Hurling passwords at a system until it cracks...

Spoofing: Designing dummy screens; Delivering fake e-mail...

Data Delivery: How to hide the information you've collected; How to e-mail it to your computer...

And Much More! Including a brief history of hacking, lists of likely passwords, and a summary of computer crime laws... The how-to text is highlighted with bare-knuckle tales of The Knightmare's hacks, including on-site hacking, remote-access hacking and bulletin board busting...

And no person concerned with computer security should miss this amazing manual of mayhem... 95 per copy plus $4.00 for 4 or more...

Send your order to:
Loompanics Unlimited, PO Box 1197, Port Townsend, WA 98368... 9% sales tax...

• 61139 Methods Of Disguise, Second Edition, by John Sample... 1994, 5 1/2 x 8 1/2, 268 pp, over 130 detailed illustrations, soft cover... 95...

This is the biggest and best book on concealment of physical objects ever printed! This book tells how searchers find hidden contraband and how to hide your stuff so it can't be found... 1988, 8 1/2 x 11, 128 pp, more than 100 illustrations, soft cover... 95...

We live in an information age: information is bought, sold and stolen like any other good... Learn how to construct simple or complex codes... Learn why the most unbreakable code isn't always the best... 1990, 5 1/2 x 8 1/2, 125 pp, illustrated, soft cover... 95...

Industrial spies try to uncover legal or financial problems, violations of government regulations, marketing plans, new product information or other company secrets... It covers every aspect of information security, including physical plant, employees, guards, computers, bugs and wiretaps, and much more... $16...

• 61092 How to Use Mail Drops for Privacy and Profit, by Jack Luger... They are confidential mailing addresses that allow you to receive and send mail anonymously... 1988, 5 1/2 x 8 1/2, 112 pp, illustrated, soft cover... 95...

Nitchie... Eavesdrop to your heart's content... Learn secrets secretly... His easy-to-use, step-by-step, illustrated method enables you to become a creative spy in just a few short lessons... $10...

We offer the very finest in controversial and unusual books - a complete catalog is sent FREE with every book order...

PRINT AND CUT HERE
SPHK96
LOOMPANICS UNLIMITED
PO BOX 1197
PORT TOWNSEND, WA 98368

Please send me the books I have checked above... 95 for shipping and handling of orders up to $20... Add $1... 00 ordered. Washington residents please include 7...



We accept Visa and MasterCard...

"The godfather of all deviant catalogs... You would have doubted that books like this could even exist..." - Outposts

"... produces and distributes some of the strangest and most controversial non-fiction titles you're ever likely to come across - books that prove truth sometimes really is stranger than fiction..." - The New Millennium Whole Earth Catalog

"... (it) is sure to remind anyone who has forgotten what a subversive act reading can be... hundreds and hundreds of titles you won't find at B..." - The Rap Sheet

"Loompanics Unlimited..." - Boston Phoenix

We offer hard-to-find books on the World's most unusual subjects...

Fake ID/Alternate Identities: the most comprehensive selection of books on this little-known subject ever offered for sale! You have to see it to believe it!
Investigative/Undercover methods and techniques! Professional secrets known only to a few, now revealed to you to use! Actual police manuals on shadowing and surveillance!
And much, much more, including Locks and Locksmithing, Self-Defense, Intelligence Increase, Life Extension, Money-Making Opportunities, Human Oddities, Exotic Weapons, Sex, Drugs, Anarchism, and more!

Our large 8 1/2 x 11 book catalog is over 200 pages packed with more than 600 of the most controversial and unusual books ever printed! You can order every book listed! Periodic supplements keep you posted on the LATEST titles available!!! Our catalog is $5...

Our book catalog is truly THE BEST BOOK CATALOG IN THE WORLD! Yours today... You will be very pleased, we know...

For credit card orders only, call 1-800-380-2230 between 9am and 4pm, PST, Monday through Friday...