2. The Tech Model Railroad Club
Hack definition:
1) an article or project without
constructive end
2) work undertaken on bad
self-advice
3) an entropy booster
4) to produce, or attempt to
produce, a hack
3. The Hacker Ethic
-Steven Levy
1. Access to computers - and anything which might
teach you something about the way the world
works - should be unlimited and total. Always
yield to the Hands-On imperative!
2. All information should be free.
3. Mistrust authority - promote decentralization.
4. Hackers should be judged by their hacking, not
bogus criteria such as degrees, age, race, or
position.
5. You can create art and beauty on a computer.
6. Computers can change your life for the better.
5. History Highlights
• BBSs and hacking groups emerge
including Legion of Doom
• War Games
• Hacker magazines
• CFAA
• The Morris Worm
• Cyberespionage
• Hacker’s Manifesto
6. History Highlights
• Operation Sundevil
• Kevin Poulsen
• Def Con
• Kevin Mitnick
• AOHell
• Pentagon breakins
• Denial of Service attacks
• DNS Attacks
11. Hacking - For Good
Ethical Hacking
“The Best Defense Is A Good Offense.”
• Performed for the sake of “enhancing the performance of a
device or exposing the vulnerabilities of a security system for
the benefit of the system administrator.”
• Penetration Testing- analysis and probe of system for
purpose of targeting flaws and weaknesses that could be
hacked and exploited by a malicious hacker (Black Hat
hackers).
- Old/unpatched software. - Poor configuration of
- Disabled or faulty security Web servers.
systems.
12. Hacking - For Good
Who are they?
White Hat hackers.
Computer and network experts who “possess a variety of
knowledge and skills concerning the web, network and
operating systems, programming, and physical security.”
Abide by ethical principles which prevent them from
abusing computer systems.
Trusted individuals with strict confidentiality policies.
13. Hacking - For Good
Ethical Hackers and Certifications
Universal Certification Does Not Exist
• The EC-Council (International Council of Electronic Commerce
Consultants) has released a certification called Certified Ethical Hacker
test.
• Other certifications available:
– OSCP-Offensive Security Certified Professional
– CEPT-Certified Expert Penetration Tester
– CPTE-Certified Penetration Testing Expert
– CPTS-Certified Penetration Testing Specialist
– ECSA-EC-Council Certified Security Analyst
14. Hackers - For good
Who uses them?
“Increasingly, companies of all types and sizes are
hiring security experts to act like the enemy.”
Some companies have departments dedicated to ethical
hacking:
• IBM
• Microsoft
15. Hacking - For Good
Where did it come from?
• Ethical hacking emerged from early open source
software on the internet.
• Such software still exists such as Mozilla Firefox,
Wikipedia, and Citizendium.
“Open source is a
development method for
software that harnesses
the power of distributed
peer review and
transparency of process.”
17. Hacktivism:
• Fusion of hacking and activism.
• The act of hacking or breaking into a computer system,
for a politically or socially motivated purpose.
• The individual who performs an act of hacktivism is said
to be a hacktivist.
• Computer hacking always involves some degree of
infringement on the privacy of others or damage to
computer-based property such as files, web pages or
software.
• The impact of computer hacking varies from simply
being simply invasive and annoying to destructive.
18. What is Hacking?
• Unauthorized use of computer and network resources.
• “Hacker” originally meant a very gifted programmer.
• Hacking is a felony in the US and most other countries.
• When it is done by request and under a contract
between an ethical hacker and an organization, it is OK!
• The difference is that the ethical hacker has
authorization to probe the target.
• “The number of really gifted hackers in the world is very
small, but there are lots of wannabes…”(-Dr. Charles C.
Palmer, IBM)
19. Definitions
Hacker: Cracker:
A person who enjoys exploring One who breaks security on a
the details of programmable system. Coined ca. 1985 by
systems and how to stretch hackers in defense against
their capabilities, as opposed journalistic misuse of hacker.
to most users, who prefer to An earlier attempt to establish
learn only the minimum `worm' in this sense around
necessary. 1981--82 on Usenet was
One who programs largely a failure.
enthusiastically (even …though crackers often like to
obsessively) or who enjoys describe themselves as
programming rather than just hackers, most true hackers
theorizing about programming. consider them a separate and
A malicious meddler who tries to lower form of life.
discover sensitive information
by poking around. Hence
`password hacker', `network
hacker'. The correct term for
this sense is cracker.
20. Who hacks?
• Hackers in Eastern Europe hacked about
1 million credit card numbers from 40
financial companies in the United States in
2003 alone.
• 64% of companies suffered losses from
hackers’ activities.
• More serious offenders, able to cause
damage to a system, are known as
hackers.
21. Who cracks?
• There are 3 groups of crackers:
• Vandals: hack computer systems for
destruction (deleting files).
• Jokers: the most harmless; hacking systems
and carrying in different sounds, noises, and
visual effects.
• Breakers: professional criminals commit
hacking of computer systems with the
purpose of money theft, industrial or
commercial espionage, and thefts of
expensive software.
22. Laws, Fines, and Penalties
• Hackers, virus and worm writers could get 20
years to life in federal prison.
• Anyone who uses computers to cause death or
bodily harm, such as bringing down power grids
or airport control centers, can get the maximum
sentence.
• The sentence is increased by 25% if they steal
personal information.
• The sentence is increased by 50% if they share
the stolen information.
• If posted on the Internet, sentence is doubled!
23. Computer Fraud and Abuse Act
Summary of CFAA Compromising Confidentiality Provisions
Offense -Sentence
•Obtaining National Security Information -10 (20) years
•Compromising the Confidentiality of a Computer -1 or 5
•Trespassing in a Government Computer -1 (10)
•Accessing a Computer to Defraud & Obtain Value -5 (10)
•Knowing Transmission and Intentional Damage -10 (20 or life)
•Intentional Access and Reckless Damage -5 (20)
•Intentional Access and Damage -1 (10)
•Trafficking in Passwords -1 (10)
•Extortion Involving Threats to Damage Computer -5 (10)
25. Works Cited
• Baase, Sara. A Gift of Fire. Upper Saddle River: Pearson, 2003.
• “A Convicted Hacker Debunks Some Myths.” CNN.com. 13 Oct 2005. CNN. 3 Nov
2007. <http://www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/>.
• Draper, John. “The Story so Far…” Cap’n Crunch in Cyberspace. 2005. 3 Nov 2007.
<http://www.webcrunchers.com/crunch/story.html>.
• Eltringham, Scott (ed.). “Prosecuting Computer Crimes.” Computer Crime &
Intellectual Property Section of the United States Department of Justice. Feb 2007.
United States Department of Justice. 3 Nov 2007. <http://
www.cybercrime.gov/ccmanual/index.html>.
• InfoSec Institute, "Ethical Hacking and Countermeasures." Certified Ethical Hacking.
EC-Council. 10 Nov 2007. <http://www.infosecinstitute.com/>.
• Kreider, Aaron. “Ambiguous Definitions of Hacker: Conflicting Discourses and their
Impact Upon the Possibilities of Resistance.” Campus Activism. 13 Dec 1999.
Campus Activism. 3 Nov 2007. <http://www.campusactivism.org/html-
resource/hackers/index.html>.
• Lemos, Robert. "New laws make hacking a black-and-white choice." CNET
News.com. 23 Sep 2002. CNET News. 11 Nov 2007 <http://www.news.com/
2009-1001-958129.html?tag=fd_lede>.
• McMillan, Robert. "Hackers at Microsoft?! ." Washingtonpost.com. 6 Oct 2007. PC
World. 7 Nov 2007 <http://www.washingtonpost.com/wp-dyn/content/article/
2007/10/06/AR2007100600065.html>.
26. Works Cited
• “The National Information Infrastructure Protection Act of 1996 Legislative Analysis.”
Computer Crime & Intellectual Property Section of the United States
Department of Justice. 1996. United States Department of Justice. 3 Nov 2007.
<http://www.cybercrime.gov/1030analysis.html>.
• PCWorld.com staff. “Hacking’s History.” PCWorld.com. 2007. PC World Magazine. 3
Nov 2007. <http://www.pcworld.com/article/id,45764-page,1/article.html>.
• Peterson, Craig R. "The Laws, Fines and Penalties Facing Hackers." Mainstream
Security Services, LLC. 4 Nov 2007. <http://www.mainstream.net/summary/
hacker_laws_sentencing_penalties.shtml>.
• ProzacOD. “Business card for Mitnick Security Consulting, LLC.” Online Image.
Mitnick Security Consulting, LLC. 10 Nov 2007. <http://
www.kevinmitnick.com/>.
• Raymond, Eric S. “The New Hacker’s Dictionary.” Jargon File Resources. 25 July
1996. 3 Nov 2007. <http://www.ccil.org/jargon/jargon_toc.html>.
• Redfern, Chad. "What is Ethical Hacking?." PRWeb Press Release News Wire. 29
Dec 2004. PRWeb Press Release News Wire. 11 Nov 2007. <http://
www.prweb.com/releases/2004/12/prweb191822.htm>.
• Sabadash, Victor. "What is Hacking?" Computer Crime Research Center. 2 Nov
2007. <http://www.crime-research.org/news/>.
• Sabadash, Victor. "Who hacks? Who cracks?" Computer Crime Research Center. 2
Nov 2007. <http://www.crime-research.org/news/>.
27. Works Cited
• Samavati, Shaheen. "More companies using ethical hackers to pose as enemy in the
name of security." The Plain Dealer. 1 Oct 2007. The Plain Dealer
Newspaper. 8 Nov 2007. <http://www.cleveland.com/business/plaindealer/
index.ssf?/base/other/119122827862110.xml&>.
• Samson, Pete (derived). “Abridged Dictionary of the TMRC Language.” The Tech
Model Railroad Club of MIT. 23 Nov 2005. Tech Model Railroad Club. 3 Nov
2007. <http://tmrc.mit.edu/dictionary.html>.
• Scholes, Dan. “Kevin Mitnick: The Most Notorious Hacker.” Webster University
Worldwide. Webster University. 3 Nov 2007.<http://www.webster.edu/
philosophy/~umbaugh/courses/frosh/dairy/mitnick.htm>.
• Various. "Ethical Hacking." The Ethical Hacker Network. 2007. The Ethical Hacker
Network. 11 Nov 2007. <http://www.ethicalhacker.net/content/category/
1/31/3/>.
• “Various.” Various dates. Online images. myoldmac.net. 10 Nov 2007. <http://
myoldmac.net/FAQ/TheBlueBox-1.htm>.
• “Various.” Various dates. Online images. Amazon. 10 Nov 2007. <http://
www.amazon.com/>.
• “Various.” Various dates. Online Images. Google.com. 10 Nov 2007. <https://
www.google.com>.
• Various. "Welcome to Offensive-Security.com." Offensive-Security. Various dates.
Offensive-Security. 11 Nov 2007. <https://www.offensive-security.com/
index.php>.
• Various. “White Hat." Wikipedia. 2007. wikipedia.org. 11 Nov 2007. <http://
en.wikipedia.org/wiki/White_hat>.
Notas del editor
Source TMRC Dictionary Club at mit -Still around today in cambridge Hacked railroad things used comps at night some members in it Early 60s late 50s computer hacking
1984 book - Hackers: Heroes of the Computer Revolution. Large part based on hackers at MIT
1 st pic john draper 2 nd pic blue box used by steve wozniak 3 rd pic steve wozniak 4 th pic steve jobs and steve wozniak Phone hackers aka phreaks – early 70s John Draper learned that a toy whistle given in captain crunch cereal box generates the right signal needed to access at&ts system. he built blue box when used with whistle can make free calls. esquire published article “secrets of the little blue box” with instrucs - apple computer founders steve wozniak & steve jobs make and sell -woz (nickname) asked draper to teach him how to use the box he made from the article -one call he made free was to the pope pretending to be henry kissinger but the pope was sleeping -draper was eventually convicted of fraud by wire and served time
1980 bbs and hacking groups –legion of doom notorious hacking group****1983 war games****1984 -Hacker magazine 2600 started in 1984 and still sold today at bookstores –in fact, in one book I read the author was told by a police detective specializing in financial crime that the majority of subscribers are law-enforcement personnel****1986 -Computer fraud and abuse act****1988 Robert Morris Jr. grad student at cornell started a self-replicating worm on arpanet to see how it effected UNIX –worm was out of control –spread to 6k networked comps –he was dismissed from cornell, fined $10k, 3 yrs probation****1989 west german hackers arrested for breaking into us govt computers and selling o/s to the kgb –information was not classified so they only received fines and probation****also in 1989 hacker named the mentor was arrested and he published the hacker’s manifesto begins “My crime is that of curiosity..i am a hacker, and this is my manifesto. You may stop this individ but you cant stop us all
1990 operation sundevil –secret services raid in 14 cities. -the hacking community falls apart – to get immunity hackers inform on other hackers****1993 kevin and friends rig radio station call in giveaway and win 20k, 2 porsches, trips –serves 5 years in prison****also in 1993 first def con hacking conference in las vegas****kevin mitnick****1997 aohell –freeware app –aol users were the recipients of mail bombs and chat room spam****1998 teenagers break into unclassified pentagon comps stealing software****2000 denial of service –for instance send tons of traffic to a page to overload the servers –traced to a 15 year old boy (mafiaboy) –be4 he was found many thought it was the work of terrorists –he spent 8 mnths in a juvenile detention facility – most sentences for juveniles are very light****2001 dns attacks rerouting dns paths –microsoft targeted
started hacking as a teenager -1st success breaking into his hs system/phone phreaking -6 mths in jail in the early 80s, then a year in the late 80s - had to go to a residential treatment ctr to help break his hacking addiction -early 90s the FBI wanted to talk to him and he fled -2 yrs later broke into a security experts computer, and the expert (tsutomu shimomura) helped the FBI track him down -kept in prison for four years w/o trial -1999 pled guilty to 7 charges and got slightly more than time served. -even though he was such a notorious hacker, compared to the damage done by email viruses and attacks on the Web in the 90s, he was tame –limited effects Today he Runs Mitnick security consulting llc In a 2005 interview stated: “But, I don't have a problem at all using my credit card online. There are attacks that can be done, but it's unlikely that I'll be targeted as an individual. It's more likely the attackers will target the bank. So that way they can get many user names and passwords, and get access to many accounts, rather than just targeting me. I think it's safer to use a credit card over the Internet than it is to go to a Macy's and use it where an employee can simply skim off the card, or go into a bar, or a restaurant where they have your credit card number. “
The New Hacker’s Dictionary circa 1996 (new versions available) The malicious one is deprecated
2 nd offense in parenthesis
Attempting to commit the crimes are also crimes –lawfully authorized activities of law enforcement or intelligence agencies are explicitly excluded 2001 patriot act revised it again –explicitly provided for extraterritorial jurisdictions –basically says that anyone outside of the US is subject to the same penalties