Crackers: A Threat Profile

By Brad Potter


Abstract

The term "cracker" is synonymous with computer crime. Many of today's hackers are in fact crackers when you define the threat they pose. Crackers have been around since the late 1960's and continue to pose a significant threat to today's information infrastructure. As part of this research paper I will examine the definition of the term cracker, profile a typical cracker's characteristics, examine several legendary hackers, discuss recent and current hacker exploits, briefly discuss tools utilized by crackers, and summarize the threats they pose to current organizations. Profit seems to be the motivation in today's world. With the money now available, and with technical resources that were once so costly now so easily obtainable, crackers will only become more prolific; thus more research needs to be done on this threat type.


Crackers: Definition of the Term

Hackers in the middle of the 1980's coined the term "cracker". From the 1960's through the early 1980's, and even into today, hackers have followed a code of ethics referred to as the "Hacker Ethic" [1]. Most hackers believe that technical information should be freely available to all. Hackers break into various computer systems to test their technical skills, retrieve information about the system, and then freely disseminate it to other hackers. There was no malicious intent and systems were left intact to carry on normal functions. This routine was the norm among hackers. As the number of hackers increased so did the potential for criminal activity. Eventually some hackers chose to violate the hacker ethic by stealing information, causing damage to computer systems in penetrating them to retrieve information, and using the information for illegal activities. Also referred to as "malicious" or "dark" hackers, crackers have become a primary threat to today's computer systems. According to "Que's Computer and Internet Dictionary, 6th Edition" a cracker is "A computer hobbyist who gets kicks from gaining unauthorized access to computer systems. They are people who destroy, alter, or move data in such a way that could cause injury or expense." A shorter definition states "Crackers are professional thieves who steal through illegally accessing information" [2]. Much confusion still reigns today, when many of today's hackers should be classified as crackers. The fine print of the crime itself is a determining factor: was something stolen?


Crackers: Profile of the Threat

A cracker is usually described as having the following characteristics:

Further attempts have been made by various individuals to expand this cracker profile into sub categories including disgruntled employees, software developers, pranksters, professionals, terrorists, and crackers for hire [3][4]. As listed at the all.net web site [5] each of these sub categories can be considered an individual threat of its own.

In technical sophistication the cracker is considered to be inferior to a hacker. Many crackers simply look for the easiest means to steal the information. By taking the simplest, most readily apparent route to the information, a cracker utilizes only the easiest tools and methods to achieve the result. When the cracker becomes more technically involved the results can be much more devastating for the organization and more financially rewarding for the cracker.


Legendary "Crackers"

In researching historical cracker incidents a definite trend emerges. Many of the first crackers prosecuted were actually hackers who had crossed the traditional boundaries defined in the hacker ethic and were subsequently prosecuted by the federal government.

One of the very first cases involved John "Cap'n Crunch" Draper, the original phone phreak. An engineer for National Semiconductor in 1972, Draper discovered he could duplicate the phone tone necessary to stop a phone call. The discovery that phone tones could be duplicated rather easily with inexpensive equipment started a revolution in computer crime. Draper, after "sharing" technology with others and making a point to break into every phone conversation possible, including the president's [6], was sentenced to the federal penitentiary for wire fraud. While wire fraud is considered a federal offense, Draper and others maintained they really never did anything illegal and were simply scapegoats for President Nixon and the Hoover-led FBI.

A second case involved Mark Abene, a.k.a. "Phiber Optik", the first underground hero of the information age. The ultimate phone phreak in the late 1980's and early 1990's, he was a member of the legendary MOD ("Masters of Destruction") New York City gang. Involved first in phone-phreaking and then later in system intrusion, including successful penetrations of the NSA, the group and Phiber Optik boasted "We can destroy people's lives or make them look like saints" [7]. In 1992 the federal government prosecuted Abene and four other members of the MOD for computer crimes and wire fraud. Abene received the longest sentence, one year in prison. Abene was released after 10 months.

In both cases the term "cracker" applies. Draper's phone-phreaking allowed him to listen, record and then use people's private conversations. Draper was the first to avert normal charges for long distance calls, essentially stealing money from a telecommunications provider. Mark Abene's methods and successful attacks on government computers, especially the NSA, laid the groundwork for many of today's cracker incidents. Both individuals were essentially stealing information for illegal purposes.
 


Today's Cracker

The 1990's saw a dramatic increase in the number of crackers. Many of today's hackers should be considered crackers for the simple reason of motive. When the motive is profit for information stolen the perpetrator should be classified as a cracker. In researching cracker cases in the nineties several stood out:

At first many crackers originated in the United States, simply due to technology resources. As technology has grown in affordability and availability internationally, many crackers now originate from other countries. China, the United Kingdom, Russia and other former Eastern Bloc nations now have budding cracker populations of their own.


Tools of the Cracker:

Crackers are thought to be technically inferior to hackers [13] in today's world. As computer tools became more affordable and attainable to crackers, technical knowledge was no longer a necessary prerequisite for successful cracking. In 1994 a tool named SATAN appeared that dramatically changed cracking. SATAN was the first program to use a graphical interface to assist even the most novice crackers in organizing a series of attacks against a given host, with the results displayed in an easily understandable format. Because it searches for all known security holes in a matter of minutes, SATAN could help a cracker find an accessible system in a fraction of the time it would otherwise have taken. SATAN exploited known problems with NFS, NIS, rexd access, sendmail, TFTP file access, unrestricted X server access and a wu-ftp vulnerability [14].

Trojan horse programs, probably the most commonly utilized tools of today, take advantage of many well-known remote login procedures including rlogin, telnet, and FTP [15]. Recent trojan horse tools that have appeared include NetBus and the well-known Back Orifice. Each of the tools requires little programming knowledge. All are as easy to install as any software product you buy off the shelf, so the cracker no longer has to design the tools of his trade. The cracker can grab any number of pre-packaged products downloadable off the Internet, and easily gain access to profitable information. The term "casual" cracker has come into use to describe this threat [16].

The technically competent cracker employs a wide range of tools, along with extensive programming skill and in-depth technical knowledge of various operating systems. This individual is capable of penetrating a system, even with the highest level of security possible, and downloading information for personal profit. Even though Kevin Mitnick is classified as a hacker, one of his most famous penetrations involved Novell. He was able in a matter of hours to gain access to Novell's corporate network and download a copy of their latest software that was going to be released to the public. While he did not sell the software for profit (which would have changed his classification to cracker), this incident really shows just how easily crackers can obtain information with the right tools from even the most secure networks.
 


Organizations Threatened by Crackers:

Any organization having information in computer systems that could be sold for profit is a target for the cracker. Most organizations fall into one of the three groups listed below:

Even today with all the coverage, many organizations and institutions still do not have the proper security measures in place to guard against crackers. Commonly targeted information includes credit card information, scientific information, online transactions [17], and company trade secrets.

As profit is a motive for most crackers, the credit card industry is a primary target organization. In 1994 Vladimir Levin, a Russian cracker, broke into Citibank's computer systems. He was able to make the systems spit out $10 million to other accounts accessible to him [18]. Many recent cracker incidents have involved credit card number theft. Crackers have stolen the numbers, posted them on web sites for bidding and then sold them to the highest bidder. In several recent cases the crackers have extorted cash to prevent the sale of stolen numbers [19].

Government agencies also present a major target for today's cracker, with critical information being stolen and then sold to the highest bidder. A somewhat recent case documented in the book "A Cuckoo's Nest" by Clifford Stoll really shows the differentiation between a "hacker" and a "cracker" and the threat a cracker can pose to a government's infrastructure. Markus Hess romped through various government agencies' computers, downloading files on different projects, and then sold them to Eastern bidders. He was finally caught only after repeated efforts by Stoll to report that someone was stealing potentially critical information from the government. In reading the book it was amazing the amount of evidence that had to be presented to the FBI and other agencies charged with investigating computer crime before they would even take a serious look at the claims.


The Reformed Cracker: Still A Threat?

Scenario:  Accused cracker is recruited to work as security consultant for a company / agency or starts a private consulting company for profit.

Many crackers have been able to start security consulting businesses. They are in high demand from businesses to help combat the increasing number of security incidents. Predictions by Richard Brewer, a senior analyst with Data Corp, say crackers and hackers turned legitimate security consultants will amount to $7.3 billion of business in 2000 [20]. But is there a risk (threat) associated with this?

One incident researched described a government agency that contracted with a reformed "cracker" to clean up its systems. After the contracted services were completed it was discovered that the cracker had posted the system vulnerabilities for the agency on several underground web sites [21]. Reformed crackers are often featured presenters or lecturers at conferences, including Defcon and others.

While there is a growing trend to hire, many companies are also putting up the stops. Any cracker that has been criminally investigated will usually be ruled unable to work for many government agencies. Many crackers fitting the profile suggested earlier in this paper are high school dropouts and really lack necessary skills for success in a corporate environment. Potential employers asking for writing samples or even evidence of technical skill quickly find many hackers do not fit the bill. The point made earlier, that less technical expertise is needed because many prepackaged tools exist, really comes to light in these cases.


Conclusions

Crackers pose a significant threat to today's information infrastructure. The term cracker is still misunderstood in today's world. A cracker is a separate identity from the hacker, and many hackers look upon crackers with feelings that range from revulsion to condescension. With the availability of sophisticated cracking tools, already designed and easily downloadable off the Internet, the amount of technical knowledge needed to perform cracking has decreased dramatically. Now many individuals, "casual crackers" with nothing more than computer access, have the capability to steal information from computer systems for profit. Many crackers do not have advanced technical skills. From research the cracker is profiled with the following characteristics: school dropout, young white male, motivated by money, and a self-taught computer expert. The casual cracker will usually use a pre-designed off-the-shelf tool (network sniffer, trojan horse) to obtain access to the system.

Even more threatening is the technical cracker. The technical cracker has significant technical skills (including programming) and will be able to design his/her own tools to obtain profit. This type of cracker, working for hire, will have a very lucrative career ahead, with organized crime, foreign governments, and business competitors looking to retain their services. They are few and far between, but when they strike they often cannot be tracked down. If they are tracked down it is usually because they have made a mistake in obtaining the information and not covered their tracks.

Also increasing the threat is many organizations' lack of desire to upgrade their computer security systems to adequately protect themselves from cracker attacks. Government agencies, corporate businesses, and financial institutions are the organizations most often targeted by crackers. Financial data (such as credit card numbers) and classified government information are key targets at these organizations. Cracking is growing at an exponential rate.

Recently a trend has developed to employ crackers as consultants or even employees at corporate businesses in information security related matters. This has been met with mixed success, with some companies' networks being compromised. Due to limited technical knowledge and often limited social skills, the reformed cracker is turning out to be a most undesirable employee.

As technology becomes even more affordable and knowledge more available today's cracker is only going to become even more of a threat.
 


Further Work / References

Some topics for further research:

Exact definition of the term cracker - most definitions are similar but there is a lot of overlap with other threat types

Different subcategories of hackers including "casual" and "technically sophisticated"

Tools utilized to track crackers on the information superhighway

Federal statutes pertaining to prosecution of crackers - many crackers were originally prosecuted for wire-fraud.
Exactly what illegal act is required for prosecution?

Is there really a difference between a hacker and a cracker when you look at potential revenue or time lost to organizations and agencies?

References:

1. Online article obtained from URL: http://www.infowar.com/hacker/hackzf.html-ssi
    Mizrach, Steve "Is there a Hacker Ethic for 90's Hackers?" copyright 1997
2. Cohen, Fred "Protection and Security on the Information Superhighway" Copyright, Fred Cohen - 1995-7
3. Icove, David, Seger, Karl, and VonStorch, William "Computer Crime A Crimefighters Handbook" Sebastopol, CA : O'Reilly & Associates, 1995
4.  all.net website Fred Cohen author
5. Ibid
6. Daly, James "John Draper" Forbes 6/3/96 Supplement ASAP Vol 157 Issue 11 p.138 2p.
7. Quittner, Joshua "Hacker Homecoming" Time 1/23/95 Vol. 145 Issue 3 p.61
8. Online article obtained from CNN Interactive URL: http://clinton.cnn.com/TECH/computing/9805/25/hacking_sentence.ap/
    "Programmer Sentenced for Military Computer Intrusion"
9. Online article obtained from URL: http://www.thestandard.net/article/display/0,1151,3016,00.html
    Haney, Claire "Chinese Hackers Get Death Sentence" The Standard December 30, 1998
10. Online article obtained from URL: http://www.newdimensions.net/headlines/secret.htm
      "Britons Hack Into Pentagon" Daily Mail, London 2/26/1998
11. Online article obtained from URL: http://www.Isli.com/tut4.html
     "Internet Security Problems"  Copyright 1995-1999 Freemont Avenue Software, Inc.
12. Online article obtained from URL: http://antionline.com/cgi-bin/News?type=antionline&date=01-10-2000&story=cc.news
     Vranesevich, John "The Credit Card Hacker" Wednesday January 12, 2000
13. "Internet Security Problems" [11]
14. Online article obtained from URL: http://www.cs.ruu.nl/cert-uu/satan.html
     Venema, Wietse and Farmer, Dan "What SATAN is"
15. Ibid.
16. "Internet Security Problems" [11]
17. Denning, Dorothy E. "Information Warfare and Security" Addison-Wesley Pub Co; ISBN: 0201433036 copyright: December 1, 1998
18. Obtained from online website "Discovery Online, Hacker's Hall of Fame" URL: http://www.discovery.com/area/technology/hackers/levin.html
19. Obtained online URL: http://dailynews.yahoo.com/h/ao/20000111/cr/20000111010.html
      Noack, David "Extortion Hack Remains a Mystery" APBnews.com Tuesday January 11, 2000
20. Online article obtained from //www.infowar.com/hacker/99/hack_011999b_j.shtml
      Radcliff, Deborah "Hackers for Hire. Article from Upside" January 14, 1999
21. Ibid.