Who's doing the hacking?
By Robin Bloor [30-07-2002]
The Princeton vs Yale spat highlights hacker dangers
The news that Princeton had hacked Yale must have come as a shock to the Ivy League colleges of the US, including most of the staff and students at the two eminent colleges concerned.
In case you were unaware, Princeton is where the computer was invented and it matters not whose version of the invention of the computer you adhere to either.
Both John von Neumann (the US 'father of the computer') and Alan Turing (the UK 'father of the computer') did their inventive work at Princeton.
One would therefore expect that Princeton might know a thing or two about computers, but sadly not, at least as far as undetected hacking is concerned.
Apparently, at the height of the college admissions season in April of this year, the director of admissions at Princeton, Stephen LeMenager, repeatedly hacked into a Yale website that had been set up to let Yale applicants know whether they had made the grade and got into the university.
As one might expect, Yale officials filed a complaint to the FBI and Princeton placed Mr LeMenager on administrative leave, pending a full investigation.
The immediate concern here has to be for the clear collapse of standards at Princeton. Anyone who knows anything about getting surreptitious access to websites knows that there are identity-cloaking sites on the web that you can use (such as IDzap.com, Anonymizer.com, etc.) in order to remain undetectable. There are also many cybercafes across the world that offer a good level of untraceability.
How is it possible that Mr LeMenager, working for such a prestigious pillar of computer education, did not know this?
Examination of what Mr LeMenager did - access a Yale website using details of students who had also applied to Princeton - also arouses deep concern about the web designers at Yale.
In order to validate the ID of students accessing the Yale website, they requested the input of name and date of birth - personal data that is not particularly difficult to acquire.
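The weakness described above, as an added example that is not part of the original article or either university's code: a lookup keyed only on name and date of birth, beside an assumed alternative that also requires a random per-applicant code and caps failed attempts per source address. The records, the `HardenedPortal` class, its method names and the threshold are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; names, dates and decisions are invented.
APPLICANTS = {
    ("Alex Example", "1984-03-14"): "admitted",
    ("Sam Sample", "1984-11-02"): "declined",
}

def weak_lookup(name, dob):
    """The check the article describes: name and date of birth only."""
    return APPLICANTS.get((name, dob))

class HardenedPortal:
    """Assumed alternative: random per-applicant code plus a failure cap."""
    MAX_FAILURES = 5  # assumed lockout threshold per source address

    def __init__(self):
        self._code_hashes = {}             # applicant key -> SHA-256 of code
        self._failures = defaultdict(int)  # source address -> failed attempts

    def issue_code(self, name, dob):
        """Create the secret that is sent to the applicant out of band."""
        code = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        # A plain hash is adequate here because the code is high-entropy.
        self._code_hashes[(name, dob)] = hashlib.sha256(code.encode()).digest()
        return code

    def lookup(self, source, name, dob, code):
        if self._failures[source] >= self.MAX_FAILURES:
            return None                    # source is locked out
        known = (name, dob) in self._code_hashes
        stored = self._code_hashes.get((name, dob), b"\x00" * 32)
        supplied = hashlib.sha256(code.encode()).digest()
        # Constant-time comparison; unknown applicants fail the same way.
        if hmac.compare_digest(stored, supplied) and known:
            return APPLICANTS.get((name, dob))
        self._failures[source] += 1
        return None
```

With the weak check, knowing an applicant's name and birthday is enough; with the second, the same details without the issued code return nothing and repeated guesses from one address are cut off.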
It was so ridiculously easy to achieve untraceable unauthorised entry at the Yale website that one could legitimately accuse Princeton and Yale of staging a stupidity contest.
This, by the way, is a contest that Princeton just wins by virtue of Mr LeMenager's excuse that he "accessed the Yale site because he was curious about its security". As regards lame excuses, this one is completely immobile.
In many organisations and among many individuals, there seems to be a naive assumption that there are no bad guys who are going to take advantage of lax computer security.
The opposite is true. There is a bewildering number of bad guys out there and some of them are very talented. They have different interests in getting into your computer.
Some may simply like to prove that they can. Some would like to steal valuable data, such as credit card data. Some would like to play a few pranks and commit a bit of vandalism (or even a lot). Some may have a specific e-heist in mind. Some may be e-terrorists. Some may indeed be competitors (as Princeton is to Yale), who are seeking some competitive gain. Some may wish to do nothing more than steal the use of your resources.
When a new computer is connected to the big wide network, there will probably be an attempt to hack it within 20 minutes, and further attempts may repeat every twenty minutes or so - that is a recently observed figure that applies if your machine is not a natural target.
If it is a popular target, like the CIA website for example - then the frequency of hacking attempts will probably be higher.
The hacking community out there runs scanning software across wide ranges of IP addresses hitting large numbers of machines in a search for known security vulnerabilities.
They may leave such scanners running for days before coming back to look at the results. It is like baiting a series of traps and then coming back some time later to see what has been caught.
If they get into your site, you may never know, because the first act of the hacker is to cover his tracks. Some hackers have assembled whole grids of machines they have compromised in this way and which they can use unnoticed when they please.
These, by the way, are not necessarily highly talented hackers. You can learn how to do this kind of thing simply by surfing the web and gathering bits of technical advice from boastful apprentice hackers. The professionals do not broadcast their knowledge.
The threat is getting more sophisticated all the time and most IT organisations are unprepared for it. The threat out there is a lot more dangerous than the comic interactions of Princeton and Yale suggest.
When a really damaging security compromise occurs it rarely makes the news, because nobody wants to admit that they were caught. But in truth, it happens.