Difficult to become a hacker? It's easier than you think
With Symantec's Web client for pcANYWHERE,
you can hack away without really trying.
February 12, 1999
Web posted at: 6:41 p.m. EST (2341 GMT)
by Mark Gibbs
(IDG) -- Ever wonder how hard it is to
become a hacker? I can tell you firsthand it's probably easier
than you may think.
As I was about to leave for a conference I
thought it would be useful if I could use pcANYWHERE to access
my machines while I was away. So I decided to test it by
dialing up an ISP and looping back to my office via my digital
subscriber line connection.
Imagine my surprise when I ran the applet
and was given a list of six pcANYWHERE clients of which only
one was mine.
Aha! Let's see if anyone forgot to set a
password on his or her copy. Lo and behold, there it was, 2
a.m. and one copy was unsecured. Suddenly I was observing the
screen of someone else's machine! Wild.
The owner was in the process of using a
speech recognition system to dictate a letter to his
girlfriend (no, nothing very steamy), and there at the bottom
of the screen was his name (we'll call him Ralph).
I think the reason I could see his name was
that it was part of the training data loaded into the speech
recognition system. I thought I should let him know he had a
security problem, so I put the cursor in the window his spoken
words were appearing in and typed "Yo, Ralph."
Nothing. He did not notice. I tried changing windows to
Notepad but the speech recognition system switched back to the
first window.
So to get his attention, I switched to my
word processor, typed a long message, copied it to my
clipboard, copied my clipboard over to his clipboard, and
pasted the message into his active window. This time he
noticed. He immediately pulled the plug on his computer, and
the connection vanished.
I felt bad. I'd freaked Ralph out, and there
was no opportunity to explain. So how to find him? Well, I
knew his IP address but that was not much use so I went
searching. Luckily he had an unusual last name, which made
life easier.
I went to several search engines, including
InfoSeek and AltaVista, and I found lots of dud leads (dead
links and near misses). But eventually I hit pay dirt. I found
a Web site and discovered what Ralph looks like (he has a
picture of himself eating lobster) and that he is a
scriptwriter. Then I went to switchboard.com and found him
there, too.
From Ralph's Web site I knew where he'd been
on holiday and some other trivia of his life. From
switchboard.com I had learned Ralph's street address,
telephone number and e-mail address. It had taken me all of 15
minutes.
So trying to be a nice guy, I sent him
e-mail explaining what had happened, that I hadn't done
anything to his PC, and noting that he should password-protect
his copy of pcANYWHERE.
Next day there was no reply, so I called
him. We had a nonconversation.
I explained who I was ("Uh-huh,"
he said), I assured him that I wasn't a hacker
("Uh-huh"), that I hadn't done anything to his PC
("Uh-huh"), and that he should secure his system
("Uh-huh"). I explained that a hacker could have had
a field day ("Uh-huh") and, well, I hardly got a
response. Ho-hum.
It was such a simple hole in his system and
one that I could have exploited without him having a clue what
was going on. On the other hand, he probably wouldn't have
been of much interest to a real hacker. But what if Ralph had
been your chief financial officer? That could lead to all
sorts of infiltrations into your corporate network.
Frightening.
I would never have guessed that being a
hacker was so easy.