CSC 379: Ethics in Computing
Summer II 2006

COURSE OVERVIEW
  This course is a survey of the ethical issues involved in computing. It discusses the way that computers and software pose new ethical questions or pose new versions of standard moral problems and dilemmas. It stresses case studies that relate to ethical theory.  
     
  INSTRUCTOR  
  Edward F. Gehringer
Office: 2301 Partners I
(919) 515-2066
Office hours:
MW 2:45-3:45
efg@ncsu.edu
 
  TEACHING ASSISTANT  
  Ahmed Bakir
abakir@ncsu.edu
919-641-6642
 
Lecture 9: Hacking & Security
 
"A jungle out there." It's getting to be a jungle out there. The Internet is no longer a place where you won't be bothered if you just keep to yourself and avoid risks. Three incidents that have happened to me in the past three months will serve to illustrate.

A couple of months ago (mid-2005), I connected an old Windows 95 computer to the Internet to transfer its files to another computer. This was the first time it had been connected via broadband. My usual firewall, ZoneAlarm, wouldn't run on Win 95, so I disconnected from the net as quickly as possible after the upload. The upload was successful, but the next day, when I tried to connect, I couldn't. And my printer wouldn't work either.

Then, a few weeks later, I installed antivirus software on a new laptop, after using it for only a day. Now, a firewall had been installed from the start, and I don't read my e-mail on a Windows machine, which greatly limits the risk of picking up a virus. Nonetheless, a virus scan revealed parts of a "root kit" on the hard drive. Evidently it didn't install completely (perhaps due to the firewall), but it could not be removed without reinstalling the OS.

While on vacation in mid-July, we arrived at the home of a friend of my wife's, but no one was home. Thinking she might have missed an e-mail, my wife asked if she could log on. From my laptop across a parking lot from a row of townhouses, I probed for unsecured wireless networks. I thought I might find one, but I found three! I connected to the first one and she read her e-mail.

These stories are illustrations that intruders have better access than ever before, and that even sophisticated computer users can get bitten if they aren't diligent in their precautions. Let's first of all take a look at some of the tools available to hackers, and then at what users and system administrators should do to protect themselves.

Means of penetration. The word "hacker" originally meant a programmer who was adept at using the tricks of the trade. Largely because of confusion in the news media, it came to mean someone who breaks into computer systems. One common but low-tech means of penetration is guessing passwords, as the Internet worm did. Another is a rogue login program: a user-level program that displays a screen that looks exactly like the operating system's login screen. When an unsuspecting user logs in, the program records the user-ID and password, saves them for the hacker, and then switches to the unsuspecting user's login.

Sniffers. Then about 1993, so-called "sniffers" came into prominence on the Internet. First, the intruder breaks into a single system on a network. Then, (s)he installs a program that monitors the network, watching for certain kinds of traffic. It looks at the first part of a telnet, ftp, or rlogin session. Then it reports usernames and passwords back to the intruder. Some of the sessions may be logins on distant networks. So one weak machine anywhere can compromise the whole Internet. In February 1994, a rapid increase in sniffers led the CERT Coordination Center to issue an advisory. On NCSU Eos and Unity systems, Kerberos doesn't send passwords over the network, and everything that it sends to authorize access is encrypted. If a Kerberos key is cracked, it expires within hours, along with the user's tokens.

IP spoofing. Another ruse is IP spoofing. Robert Morris, who later became famous for the 1988 Internet worm, wrote the first paper on this as an intern at Bell Labs in 1984. To start out, the intruder sends a large number of connection requests to a fileserver, overflowing its input buffer. The intruder then sends a series of SYN messages to the computer (s)he wants to connect to, to find out how it generates sequence numbers. Next, the intruder sends requests to the target computer, making them appear to come from the fileserver. In this way, the intruder masquerades as the fileserver and could execute commands on the target computer.

Justifications for hacking. Hackers' motivation is complex. Some hackers contend that information should be free, and if it were free, there would be no need for intellectual property and security. Suppose that were true--an economist would say that by decreeing the price of information to be 0, you minimize the supply.

Others say that break-ins illustrate security problems and cause them to be fixed. For example, in 1984, Steven Gold and Robert Schifreen penetrated British Telecom's Prestel system and left a rude message in the Duke of Edinburgh's account. The incident attracted enormous publicity and led directly to improved security for the Prestel system. They were convicted under the Forgery Act and fined £2350. But they won on appeal because they had caused no damage and had not defrauded anyone. Now break-ins are a crime in Britain, thanks to the Computer Misuse Act of 1990. But what of this argument? If the hackers wanted the security problems to be fixed, then why don't they try to get the problems fixed immediately? This pro-hacker view is like saying that vigilantes who tried to break into houses would be doing a neighborhood a service. Hackers do cause security modifications to be made, but at some expense, which would not be necessary if they didn't break in. It's like car theft: if cars are being stolen frequently, locking them isn't good enough; you need burglar alarms, and they cost extra money. There are other ways to expose security flaws, "tiger teams," for example.

A third perspective is that hackers are doing no harm; they are just learning about how computer systems operate. But it is hard to be sure they're not causing trouble. Even slowing down a system slightly could be critical in some cases. For example, suppose the computer is being used to match organ donors with recipients and it fails to find a match soon enough. It could also be seen as an intrusion of privacy. Certainly the military would prosecute any unauthorized access, even if it were only to a computer keeping track of laundry. Unfortunately, in computer systems, it is easy to damage something unintentionally, but hard to establish intent. At the very least, hackers undermine the trust that is essential for a "neighborhood" to operate smoothly. There are better ways to learn about computing.

Some hackers say they break into systems to watch for abuses and hold "Big Brother" at bay. Hacking is increasingly being undertaken for political motives. When Al Qaeda attacked America in 2001, among the first to respond were "hackers." The day after the attack, the official Web site of the Presidential Palace of the Islamic State of Afghanistan was unreachable, after its address was published in several Internet newsgroups. Another example is the September 2000 attack on 168 Web sites to protest high fuel taxes in the UK. Regardless of whether the abuses these hackers target are imagined or real, there are probably better protections than free-lance vigilantes.

Companies have often employed "white hat" hackers to look for security vulnerabilities. But some experts question the wisdom of that. They say that the risk of hiring hackers is too great, given the ability of hackers to remove everything from the system--e.g., to facilitate identity theft and orchestrate major privacy violations for which a company could be held liable.

The Kevin Mitnick case. Let's take a look at one of the most celebrated hacker manhunts, which happens to have ended in Raleigh. Late at night on Valentine's Day 1995, at the Players' Club Apartments off of Duraleigh Road, the famous "hacker" Kevin Mitnick was arrested. He had moved to Raleigh the preceding January 4th. A couple of months earlier he had disappeared from Seattle when his landlord told him that the police and Secret Service were looking for him. Mitnick said, "They have made me out to be John Dillinger or a desperado, but I'm just an excellent prankster. I have never profited from it."

Mitnick was captured largely due to the efforts of Tsutomu Shimomura, a security expert from the San Diego Supercomputing Center. Shimomura said, "I knew one thing for certain about Kevin Mitnick: He was in no way the hero of a movie about some mistreated computer hacker whose only crime was curiosity. There was nothing heroic about reading other people's e-mail and stealing their software."

For Kevin Mitnick, his downfall began with a Christmas-day attack on Shimomura's computers. An intruder became root on a SparcStation in a renovated San Francisco house where Shimomura was staying. The interloper used this computer to launch an attack on computers in Shimomura's beach house in San Diego. Shimomura was a computer-security expert at the San Diego Supercomputing Center who collected information on little-known vulnerabilities in operating systems. On his computers, he had a variety of security tools. Not all were on Internet computers, but some were. The attack was discovered when one of Shimomura's assistants, ECE student Andrew Gross, noticed Shimomura's log files getting shorter. That is a sign that someone is erasing records from log files in order to cover his tracks. By looking at the file structure on his gateway computer, Shimomura discovered that a file called oki.tar.Z had momentarily existed. He thought that might have something to do with the Oki cellular phone software he had once reverse-engineered for a programmer who was developing field-diagnostic software to sell to telephone companies and law-enforcement agencies.
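The observation that tipped off Gross, log files getting shorter, can be turned into an automatic check. The following is an added example, not code from the lecture or from Shimomura's tools: it compares two snapshots of log-file sizes and inode numbers and reports files that shrank while keeping the same inode (records removed) separately from files whose inode changed (normal log rotation). The file paths and sizes in the sample snapshots are constructed for the stand-alone run; the `snapshot()` helper shows how real snapshots would be taken with `os.stat()`.

```python
"""Flag log files that got shorter between two snapshots.

Added example, not from the lecture notes or from Shimomura's tools.
A log that shrinks while keeping its inode is a sign that records were
deleted; a new inode usually means normal log rotation, so the two
cases are reported separately.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSnapshot:
    path: str
    size: int    # file size in bytes
    inode: int   # inode number, to tell truncation apart from rotation


def snapshot(paths):
    """Take a real snapshot with os.stat(); files that don't exist are skipped."""
    snaps = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        snaps.append(LogSnapshot(p, st.st_size, st.st_ino))
    return snaps


def find_shrunk_logs(before, after):
    """Compare two snapshots.

    Returns (shrunk, rotated): shrunk is a list of (path, old_size, new_size)
    for files whose size decreased with the same inode; rotated lists paths
    whose inode changed between the snapshots.
    """
    previous = {s.path: s for s in before}
    shrunk, rotated = [], []
    for cur in after:
        old = previous.get(cur.path)
        if old is None:
            continue                      # new file, nothing to compare against
        if old.inode != cur.inode:
            rotated.append(cur.path)      # replaced file: rotation, not editing
        elif cur.size < old.size:
            shrunk.append((cur.path, old.size, cur.size))
    return shrunk, rotated


# Constructed sample snapshots (not real stat() output) for a stand-alone run.
BEFORE = [
    LogSnapshot("/var/log/messages", 48210, 1001),
    LogSnapshot("/var/log/wtmp",     9216,  1002),
    LogSnapshot("/var/log/maillog",  30011, 1003),
]
AFTER = [
    LogSnapshot("/var/log/messages", 41550, 1001),   # same inode, smaller: suspicious
    LogSnapshot("/var/log/wtmp",     9344,  1002),   # grew normally
    LogSnapshot("/var/log/maillog",  120,   1077),   # new inode: rotated
]

if __name__ == "__main__":
    shrunk, rotated = find_shrunk_logs(BEFORE, AFTER)
    for path, old, new in shrunk:
        print(f"ALERT {path}: {old} -> {new} bytes (records removed?)")
    for path in rotated:
        print(f"info  {path}: rotated")
```

In practice the snapshots would be taken by a cron job and kept off the monitored machine, since an intruder with root can edit a snapshot stored locally just as easily as the log itself.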

Shimomura was born in 1964 in Nagoya, Japan. His father was a biochemist and his mother a pharmacologist working on luminescence. His parents moved to Princeton University when he was very young. Tsutomu was generally interested in experimenting, but not in his classes. He got into an antiestablishment group at Princeton High School and got expelled for it, even though he had won a local math/science contest.

One of the intruder's modes of attack was IP spoofing to steal files from Shimomura's computer at SDSC. He copied these files to the Well, a northern California timesharing service, and made them publicly readable. It was the end of January 1995 when the Well realized they had been hacked. Shimomura, who was advising them, gave them permission to delete the files, but only after sending a message saying that the intruder was over quota. The idea was to avoid tipping him off that the Well knew something was amiss. The files appeared a week later on another account--which was an indication that the hacker had access to more than one Well account.

At first, Shimomura didn't think he was dealing with Mitnick; the attacks seemed too sophisticated. Later--using sniffers and filtering software--they captured some of his sessions and found that he looked for the string "itni" in the e-mail of New York Times reporter John Markoff. (Mitnick himself had tried using sniffing to see if he would be vulnerable in that way. But he concluded it wouldn't work because there was too much traffic. He didn't anticipate the filtering software that Shimomura et al. installed.) Shimomura was concerned that Mitnick would get spooked and disappear again; this was their second sting. Or, what if he retaliated with a more sophisticated attack on the Internet?

Mitnick was using a Sprint cellular phone to connect to the Internet from Netcom's Raleigh number. (In those days, it was rare for someone to call an Internet service provider from a cellular phone, unless he was stealing the service. It was too expensive and prone to disconnection.) Shimomura traveled to Raleigh and worked with the FBI and other police agencies to capture Mitnick. They rigged a van with radio direction-finding equipment. Then they put a box over the top so Mitnick wouldn't get suspicious if he happened to glance out. They staked out the Players' Club apartment complex off of Duraleigh Rd. just south of Glenwood. It took them two days to get the necessary warrants. For example, they needed to get a special warrant to make an arrest after 10:00 at night. Meanwhile, back in California, Andrew Gross misinterpreted a communication from Shimomura to mean that Mitnick had already been captured, and therefore started deleting the files Mitnick had stolen. This gave Shimomura a scare; he was afraid it would tip off Mitnick. Finally, at 1:40 AM on February 15, 1995, they arrested him. If you are interested in learning about the pursuit in more detail, be sure to visit the Web site of Shimomura's book Takedown, where you can listen to Mitnick's voicemail and replay some of his hacking attempts.

Mitnick's harm. What harm did Mitnick do? Well, he read other people's e-mail. Especially computer-security researchers'. He stole the mail of Eric Allman, the author of sendmail--no doubt to find reports of new security problems with sendmail. He stole software indiscriminately, including a lot of free software. He pilfered cellular-phone software from Qualcomm, a San Diego technology firm. He got lots of programs from Intermetrics, an East Coast software house. From Silicon Graphics, he filched the 3-D workstation software used in creating most Hollywood movie special effects. He copped sundry software tools for breaking into computers in various ways. He stole 20,000 credit-card numbers from Netcom, an Internet access provider, but evidently never used any of them. He also got his hands on Netcom's subscriber password file (so he could "guess" poor passwords like Morris did).

He caused serious concern at Internet access providers. The Well, especially, was home to a number of privacy activists who would be paranoid about anyone reading their mail. The Well wanted to close the security holes, but Shimomura persuaded them not to for a time to avoid tipping off the intruder. "If you ... chang[e] passwords and clos[e] his accounts, he's almost certain to have hidden a Trojaned program somewhere ... that would allow him to come right back in, only this time you won't know where he is." He broke into computer systems at several academic, government, and commercial sites. He had root access at a number of them, so he could have destroyed files and accounting information. Even though he hadn't tried anything like that, who knew what he might try if on the verge of being caught. He eluded police for 3 years. He was almost captured at a Kinko's when having California driver records of law-enforcement officers faxed to him in 1992.

The penalty. Mitnick was indicted on 23 counts of computer and telecommunications fraud. These were just the charges in North Carolina, and didn't include the charges he faced in California. In July '95, he pled guilty to one charge of cellular-telephone fraud and was sentenced to eight months in prison. The other 22 counts were dropped as a result of a plea bargain. He also faced charges in a number of other states. He was released from prison in January 2000. Mitnick has since gone on to a successful career as a "white-hat" hacker.

Securing your own computer. What should you do to protect yourself against hacking and malware? First, make sure you are running an antivirus program. This is true even if you exercise great caution in opening attachments, since your computer can be infected even when you aren't running an e-mail client or Web browser, via attacks against the network stack. You're most vulnerable if you're connected via broadband, since then hackers can probe your IP address at will, checking for open ports through which to download malware. You should enable the automatic-update feature of your antivirus software, so that you will be protected against new worms and viruses without having to remember to download the new antivirus definitions. NCSU students can download antivirus software for free for computers they own from http://www.ncsu.edu/antivirus. The staff at help@ncsu.edu can give you assistance in installation.

To prevent probing, use a firewall, such as the free version of ZoneAlarm. It prevents access to any unused ports. Some firewalls have an intrusion detection system for monitoring accesses to ports that need to be left open for specific services (such as http on port 80, or ftp on port 21). IDSs keep track of the attacks sent to specific ports by intruders, and will prevent any access that "looks like" it is coming from a known intruder. A firewall will often use "stateful packet inspection" to differentiate between packets that continue an existing connection and packets that initiate a connection from the outside. This helps it decide whether the packet was requested by the user or sent unsolicited by someone on the outside.
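The following toy filter shows what "stateful packet inspection" means in code. It is an added example, not code from the lecture or from ZoneAlarm: it records every connection that a host inside the network opens, lets replies to those connections back in, allows new inbound connections only on ports that were deliberately published (port 80 for a Web server here), and drops everything else. The packet trace, the addresses, and the `192.168.1.` inside prefix are constructed for the stand-alone run.

```python
"""Toy stateful packet filter illustrating 'stateful packet inspection'.

Added example, not code from the lecture or from any real firewall. It
keeps a table of connections started from the inside and lets replies
to those through, while dropping unsolicited inbound packets unless they
go to an explicitly published service port (e.g. 80 for http).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN"})


class StatefulFilter:
    def __init__(self, inside_prefix, published_ports=()):
        self.inside_prefix = inside_prefix          # e.g. "192.168.1."
        self.published = set(published_ports)       # services left open on purpose
        self.connections = set()                    # (in_ip, in_port, out_ip, out_port)

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def decide(self, pkt):
        """Return a verdict string starting with 'ALLOW' or 'DROP'."""
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)

        if outbound:
            # A host inside is starting or continuing a conversation:
            # remember it so the answer can come back.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW outbound"

        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                return "ALLOW reply to existing connection"
            if "SYN" in pkt.flags and "ACK" not in pkt.flags and pkt.dport in self.published:
                # New connection to a service we deliberately expose.
                self.connections.add(key)
                return "ALLOW new connection to published service"
            return "DROP unsolicited inbound"

        return "DROP not crossing the perimeter"


def run_sample():
    """Constructed packet trace: a browsing session, its reply, a port probe, a web visitor."""
    fw = StatefulFilter("192.168.1.", published_ports=[80])
    SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    trace = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 80, SYN),     # inside host opens a web page
        Packet("203.0.113.5", 80, "192.168.1.10", 51000, SYNACK),  # the server's answer
        Packet("198.51.100.9", 4444, "192.168.1.10", 135, SYN),    # probe of an unused port
        Packet("198.51.100.9", 40000, "192.168.1.20", 80, SYN),    # visitor to our web server
    ]
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

A real firewall also ages entries out of the connection table and tracks the TCP state machine (so a stray ACK cannot create an entry); the example keeps only the part that decides "requested by the user" versus "unsolicited from outside".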

If you have a router at home, chances are that it comes with a built-in hardware firewall. It makes sense to use it in conjunction with a software firewall. The hardware firewall prevents outsiders from seeing the IP addresses of computers behind it, while the software firewall can prompt you to allow or disallow suspicious activity. It will tell you which program is trying to access the Internet. If it is software that you've just launched, allow it. If you don't recognize the program, and haven't invoked any network access recently, you can deny the access.

An anti-spyware program is a third prong in your defense against unwelcome intruders. Spyware can be downloaded to your computer as part of, or along with, programs that you intentionally download from the Web. The most common variant of spyware is adware, which serves to direct pop-up ads to your Web browser, based on information about your interests that it gleans by keeping track of sites that you visit. Adware is just annoying, but spyware can keep track of all information entered into your browser, such as credit-card and Social Security numbers. Removing all spyware is very difficult, even for experienced computer users. And some programs that purport to get rid of spyware actually leave logging software on your computer. A good, free, anti-spyware program is Spybot Search & Destroy. You should install an anti-spyware program on all computers under your control.

If you have a wireless access point, be careful to secure it with a (non-default!) password. Wireless raises several security problems, including easy access: a spammer who is just driving by can connect to your wireless net and e-mail thousands of other users, and the traffic will appear to come from your computer, possibly causing your ISP to revoke your connectivity. Or, since they are inside of your network, they could use IP spoofing to attack your computers. "Wardrivers" drive around with special equipment and software for logging wireless access points. Sometimes they just tell the owners that their networks are insecure. But do not depend on them being so benign!

Security for administrators. Network administrators have to perform all of the above tasks, but they also have an obligation to induce their users to maintain security. A single "weak" password can let an intruder get his foot in the door, and from that account, (s)he can try to break into others and potentially take over the system.

One important aspect of security is choosing a secure password. A secure password is one that is not in any dictionary (hacking programs use dictionary-based attacks); a combination of letters and numbers or special characters is a good choice. It should be long enough (at least 7 characters) so a brute-force attack can't crack it. It should be familiar enough so it doesn't need to be written down (users often leave passwords on pieces of paper near their computers). You shouldn't use the same password on all systems/sites to which you have access (so someone who cracks one of your passwords doesn't have access to everything). One good way to meet all these criteria is to choose passwords for each site that include a certain permutation of characters from the name of the site, together with other numbers or special characters.
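The criteria in the paragraph above can be written down as a checker. The code below is an added example, not from the lecture or from any real password-policy tool: it flags passwords that are shorter than 7 characters, that appear in a word list, that do not combine letters with numbers or special characters, or that are already in use on another system. The word list is a small constructed stand-in for the lists that dictionary-attack programs use; a real check would load a large one. It goes one step beyond the text in also rejecting a dictionary word with digits appended, since dictionary-attack programs try that variant as a matter of course.

```python
"""Check a password against the criteria from the lecture.

Added example, not from the notes or from any real password-policy tool.
The dictionary below is a constructed stand-in for the word lists that
dictionary-attack programs use; a real check would load a large list.
"""
import string

# Constructed sample dictionary (lower-case). Real lists run to hundreds of thousands of words.
SAMPLE_DICTIONARY = {
    "password", "secret", "letmein", "wolfpack", "raleigh", "summer",
    "computer", "ethics", "welcome", "qwerty",
}

MIN_LENGTH = 7   # the lecture's "at least 7 characters"


def check_password(password, dictionary=SAMPLE_DICTIONARY, used_elsewhere=()):
    """Return a list of problems; an empty list means the password passes every check."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; brute force becomes feasible")

    # Dictionary check, ignoring case and a trailing run of digits, since
    # dictionary-attack programs try those variants too.
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits)
    if lowered in dictionary or stripped in dictionary:
        problems.append("dictionary word (or a dictionary word with digits appended)")

    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_letter and (has_digit or has_special)):
        problems.append("combine letters with numbers or special characters")

    if password in used_elsewhere:
        problems.append("already used on another system; one cracked password would open all of them")

    return problems


if __name__ == "__main__":
    # Constructed candidates for a stand-alone run.
    for candidate in ["wolfpack", "wolfpack2006", "ab1", "Eos#2301x"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the checker only vets the password a user proposes; the per-site scheme the lecture suggests (a fixed permutation of characters from the site name plus other characters) is what keeps the "not reused elsewhere" check from becoming a memory burden.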

A good administrator should also establish a patching policy to ensure that all systems are updated in a timely manner. This is more of a people problem than a technical problem. An unprotected PC can be attacked in 6 to 15 seconds, so all users need to be involved. Automated patching technology should be employed whenever feasible. Use vulnerability-assessment scanners to probe for weak spots. Employ tiered defenses, and have a backup plan.

Security is no longer an issue that can be left to the experts. All computer users need to know the risks, and what to do about them.