
Telltale Signs

In the document OUT OF THE INNER CIRCLE (Page 195-200)

What with logic bombs, Trojan horses, decoy programs, telephone tricks, and all the other little techniques hackers know and use, you may, by now, think that there is no possible way to track down a good hacker. I've deliberately taken care to tell you about a lot of things that might be wrong with your computer security - things that might also seem difficult, if not impossible, to detect.

Owner, operator, or user of a large system, you may feel you are up against a new game: hacker-in-a-haystack. After all, even small or medium-sized systems contain a considerable number of files and are accessed a relatively large number of times every day by a variety of users. If you are working with a very large system, the problem can be magnified enormously. How can a system operator be expected to examine every file, every user, and every remote access? If this is close to what you are thinking, I've succeeded in expanding your awareness of computer security. Now it's time to see how you can take the initiative. Here's your advantage: Hackers leave footprints.

TURNABOUT IS FAIR PLAY

Unless a hacker expends quite a bit of effort while demonstrating a high level of skill, he can't help but leave signs of his presence. Even in those cases where he could be a hundred percent undetectable, no hacker is going to bother becoming invisible. The sysop of the system under attack is the person who concerns the hacker the most, and in the real world ... some sysops don't care about security, others are very busy, still others think hackers are a bunch of kids who overestimate their own importance, and others (especially in the academic world) sympathize with, at least, the student hacker's addiction to computers. So, whether the hacker's footprints consist of unexplained miscellaneous files, altered information, or strange communications, hackers rely on the fact that these signs will go unnoticed. They are correct about eighty-five percent of the time.

This fact can work in your favor if you use your computer's log files often and educate your users so they can help you look for the danger signs. The average hacker is going to be, at the very least, slightly careless on your system, because he isn't used to people actually caring about security. Use his trusting nature to your advantage.

HOW THE USER CAN HELP

Hackers often give uneducated users all kinds of unusual signs and signals that they never even notice. At times, the way these signs are scattered all over the place, it seems that the users must be tripping over them constantly. If users knew what to look for, how to look for it, and what to do once they found it, there would be a much better chance of keeping hackers off the system. To help users, here are some "footprints" a user should look for.

Excessive log-on times. In many companies, employees do not have to charge their computer time to a specific project or even account for it. Sometimes, they are not even told how much time is spent on their accounts, and some never seem to use their authorized accounts. Because of this, if and when the employee logs on, he or she may not notice unauthorized activity on the account, even if the system displays the last log-on date, or the length of the last session.

Hackers know they can use such accounts for days at a time without the user noticing or keeping track of how often the account is used. For example, I remember one account that was heavily used by hackers. If the system, which had built-in accounting software, had charged the computer time used to one or more tasks or projects authorized on the user's account, it would have cost under $50 a month in most cases. Of course, this wasn't most cases. Hackers started using the system and adding up computer time which, as far as they were concerned, was free. Before too long, the monthly charge would have been over $5000 if anyone or anything had kept track. But because the user did not have to account for this time or charge it to an authorized job, he never had any idea. On the other hand, how could he?
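The accounting gap described above closes as soon as somebody actually adds up the connect time. The script below is an added example, not code from the book; it assumes a constructed accounting log with one record per completed session (account, ISO login timestamp, minutes) and an assumed tariff of ten dollars per connect hour. It totals what each account would have been billed per month, lists sessions that start in the small hours, and flags sessions far longer than the account owner's own typical session, so that a $50-a-month account that suddenly looks like a $5000 one stands out even if nobody is billed.

```python
"""Turn session accounting records into the report a user never sees.

Added example (not from the book). Assumes a constructed log with one
record per completed session: account, ISO login timestamp, minutes.
"""
import csv
import statistics
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample accounting records; the night-time marathons on
# jdoe are the kind of use the account's owner never noticed.
SAMPLE_LOG = """\
account,login,minutes
jdoe,1985-03-04T09:12:00,35
jdoe,1985-03-05T10:03:00,40
jdoe,1985-03-06T02:41:00,610
jdoe,1985-03-07T03:15:00,590
jdoe,1985-03-08T09:30:00,30
rsmith,1985-03-04T08:55:00,120
rsmith,1985-03-05T08:50:00,115
"""

HOURLY_RATE = 10.0  # assumed tariff in dollars per connect hour


def parse_sessions(text):
    """Parse records into (account, login datetime, minutes) tuples."""
    sessions = []
    for rec in csv.DictReader(StringIO(text)):
        sessions.append((rec["account"],
                         datetime.fromisoformat(rec["login"]),
                         int(rec["minutes"])))
    return sessions


def monthly_charges(sessions, rate=HOURLY_RATE):
    """What each account would have been billed per calendar month."""
    totals = defaultdict(float)
    for account, login, minutes in sessions:
        totals[(account, login.strftime("%Y-%m"))] += minutes / 60.0 * rate
    return dict(totals)


def off_hours_sessions(sessions, night_start=0, night_end=6):
    """Sessions that begin inside the off-hours window [night_start, night_end)."""
    return [(a, t.isoformat(), m) for a, t, m in sessions
            if night_start <= t.hour < night_end]


def outlier_sessions(sessions, factor=3.0):
    """Sessions longer than `factor` times the account's own median session.

    Comparing each account against itself avoids one global threshold that
    would flag heavy legitimate users and miss light ones.
    """
    per_account = defaultdict(list)
    for account, _, minutes in sessions:
        per_account[account].append(minutes)
    medians = {a: statistics.median(ms) for a, ms in per_account.items()}
    return [(a, t.isoformat(), m) for a, t, m in sessions
            if m > factor * medians[a]]


def report(text):
    """Combine the three checks into one summary keyed by account."""
    sessions = parse_sessions(text)
    summary = defaultdict(lambda: {"charges": {}, "off_hours": [], "outliers": []})
    for (account, month), dollars in monthly_charges(sessions).items():
        summary[account]["charges"][month] = round(dollars, 2)
    for a, t, m in off_hours_sessions(sessions):
        summary[a]["off_hours"].append((t, m))
    for a, t, m in outlier_sessions(sessions):
        summary[a]["outliers"].append((t, m))
    return dict(summary)


if __name__ == "__main__":
    for account, details in report(SAMPLE_LOG).items():
        print(account, details)
```

The per-account median is the point of the outlier check: a user who always works two-hour sessions should not be flagged for a third one, while a user whose sessions are usually half an hour should be asked about a ten-hour one at three in the morning.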

Files that have been moved, deleted, or otherwise altered. No matter what his objectives, many of the things a hacker needs to do require modifying existing files. In almost every case, users don't notice the alteration of a file or two. These little alterations, however, can aid a hacker. They may, for instance, at some later date, result in triggering a Trojan horse that may change the user's password to something the hacker knows, and thus allow the hacker to log onto the user's account even after the user changes his password. Altered files could also be used to store information, so that the hacker would not have to create new, possibly detectable, files. At any rate, if there is a file on a user's account that has not been used in eight months, a hacker will feel fairly safe in altering it to use himself. Again, as I've said so often, user education is the key to avoiding this problem.

In addition, hackers can sometimes copy all of the important system files into the directory they are using so it is easier to learn about the files. Hackers may also copy files that interest them in other ways, again so they can look at all the interesting files without having to move around the system all the time.

The most likely type of file that a hacker will want to copy, however, will be "source files," if they are available to him. A source file is a text file that contains a computer program. The program, at this point, can be read and modified by a programmer, but to become "readable" to a computer, it must be "compiled" by a special program known, appropriately enough, as a compiler. Once a source file is compiled, it becomes a program that can then be run on that particular computer. A programmer writes programs by writing a source-code file and having this source code compiled. The source code is kept, and if any changes need to be made, they are made on the source code, which is then recompiled into a newer version of the program.

The hacker can take a source file and do one of two things: First, he can alter the file as a Trojan horse and recompile it. Second, he may simply be able to compile the program and run it himself. This may not sound valuable in itself, but it's possible that the hacker does not have the power to run the actual program. If he takes the source file and recompiles it, however, that sometimes opens the door for him.

Files that have been added. Hackers often need to create files. These files might consist of programs that store information (or passwords) or access various sections of memory, such as password buffers. Or, they might contain any of the programs that hackers use to obtain access to accounts. Unfortunately, most users are still somewhat computer timid, and will assume that they should not touch any files, even in their own accounts, that they didn't create. It's also likely that users will shrug off the existence of those files - even if they have such obvious names as PASSWD.HAK or HACKER.

On the other hand, funny things can happen when a user does get curious, too. Earlier in the book, I told you of a hacker who used a file named TOP SECRET as bait - everyone who tried this file was treated to a silly message and, unwittingly, helped the hacker find his or her password. In a similar instance, there was no bait, but I know a user who did wonder about some strange files listed under his directory. Among them, he found one called PASS1, so he decided to try it. He typed PASS1, and then assumed something must not be happening correctly, because all the file did was display WORKING ... on the screen. He didn't realize that, in typing the file name, he had started a program that was busy trying to get the system operator's password.

Directories that have been added. To hide a number of added files he wants to keep, a hacker may create a subdirectory within a user's directory. The hacker's subdirectory would be unobtrusively named, perhaps with only a single character, or "hidden" if the system allows such things to be done. Then, too, some systems allow non-printable characters as file names. These, of course, while they would be part of a directory, would not be displayed or printed as visible characters.


Older versions of a file. Some systems allow a user to keep several different versions of a file under the same file name. When a user tries to run, type, or edit the file, the system automatically chooses the newest version, unless the user specifies another. A hacker can use this feature to his advantage by giving his subdirectory or file the same name as an existing file belonging to the legitimate user. But the hacker would give his file an earlier version number. The result would be that anyone wanting to use the hacker's version would have to request it specifically. For example, there can be two different files, both called NOTES. One of them, NOTES;2, may be the user's daily notes to himself. The other, NOTES;1, could be the hacker's file. If the hacker wants to use his version of NOTES, he simply tells the system to use the version NOTES;1.
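The four file-level footprints above (altered files, added files, hidden subdirectories, older versions of a file) can all be caught by comparing a baseline snapshot of a user's directory with a later one, which is something a user or sysop can do without understanding what any added program does. The script below is an added example and not the book's own material: it hashes every regular file under a directory, diffs two snapshots into added, removed and modified paths, flags names that would hide in a listing (non-printable characters, one-character or one-character hidden names) and lower-numbered copies of a name carrying a VMS-style ;n version suffix, and, following the eight-month remark, singles out files that had sat untouched for a long time and were then changed (240 days is an assumed cut-off). The demo builds a constructed directory in a temporary folder and plants the footprints itself; none of it is real data.

```python
"""Baseline-and-diff scan of a user directory for the file footprints above.

Added example (not from the book). Snapshots record a SHA-256 digest,
size and mtime per regular file; names and version suffixes are checked
on the snapshot paths, so the scan itself is read-only.
"""
import hashlib
import os
import re
import tempfile
import time

STALE_DAYS = 240  # assumed cut-off, roughly the "eight months" in the text
VERSION_RE = re.compile(r"^(.+);(\d+)$")  # VMS-style NAME;n version suffix


def snapshot(root):
    """Map relative path -> (sha256, size, mtime) for regular files under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (digest, st.st_size, st.st_mtime)
    return snap


def diff_snapshots(before, after):
    """Paths added, removed, or whose content hash changed between snapshots."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(p for p in common if before[p][0] != after[p][0])}


def stale_files_touched(before, after, max_age_days=STALE_DAYS, now=None):
    """Modified files that had not been written for max_age_days before the baseline."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in before.keys() & after.keys()
                  if before[p][0] != after[p][0] and before[p][2] < cutoff)


def suspicious_names(paths):
    """Flag names that hide in a listing, plus older copies of a versioned name."""
    flags, versions = [], {}  # versions: (directory, base name) -> {n: path}
    for path in sorted(paths):
        for part in path.split(os.sep):
            if any(not ch.isprintable() for ch in part):
                flags.append((path, "non-printable character in name"))
            elif len(part.lstrip(".")) <= 1:
                flags.append((path, "single-character or hidden one-character name"))
        m = VERSION_RE.match(os.path.basename(path))
        if m:
            key = (os.path.dirname(path), m.group(1))
            versions.setdefault(key, {})[int(m.group(2))] = path
    for _, copies in sorted(versions.items()):
        newest = max(copies)
        for n in sorted(copies):
            if n != newest:
                flags.append((copies[n], "older version shadowed by "
                              + os.path.basename(copies[newest])))
    return flags


def _write(root, rel, data, mtime=None):
    """Write a constructed file, optionally back-dating its mtime."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    if mtime is not None:
        os.utime(full, (mtime, mtime))


def demo():
    """Build a constructed user directory, baseline it, plant footprints, scan."""
    with tempfile.TemporaryDirectory() as root:
        long_ago = time.time() - 400 * 86400
        _write(root, "NOTES;2", b"daily notes\n")
        _write(root, "report.txt", b"quarterly report\n")
        _write(root, os.path.join("old", "budget.dat"), b"1984 figures\n", mtime=long_ago)
        before = snapshot(root)
        # Constructed footprints: an altered file, a stale file altered, an older
        # version of NOTES, a one-letter directory, and a non-printable name.
        _write(root, "report.txt", b"quarterly report\nextra line\n")
        _write(root, os.path.join("old", "budget.dat"), b"1984 figures\nchanged\n")
        _write(root, "NOTES;1", b"not the user's notes\n")
        _write(root, os.path.join("x", "PASS1"), b"decoy program\n")
        _write(root, os.path.join("\x01", "log.dat"), b"collected data\n")
        after = snapshot(root)
        result = diff_snapshots(before, after)
        result["stale_touched"] = stale_files_touched(before, after)
        result["suspicious"] = suspicious_names(after)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Hashes rather than timestamps decide "modified" because a timestamp is trivial to reset, while the baseline's own mtime is still useful for the stale-file rule. Keep the baseline snapshot somewhere the account under review cannot write to, or the comparison tells you nothing.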

Strange electronic mail. Hackers may use two or more accounts to communicate among themselves. If the hackers know what they are doing, they stick to accounts that are unused. If the hackers don't know what they're doing, they sometimes communicate through accounts that are being used regularly by their rightful owners. In this case, a message meant to be read by a hacker may be sent to a user, instead. Almost always, though, a user will simply answer the strange mail with I DON'T UNDERSTAND or YOU'VE GOT THE WRONG PERSON. This warns the hacker that the account is in use.

Most systems also have a special program that allows two or more people to carry on a conversation through their terminals. Hackers like to use these programs too (and may create their own, if none exists) to communicate with each other. Sometimes a hacker inadvertently contacts an authorized user, who may be surprised by a message like JOE? IS THAT YOU? The user often assumes the message is a mistake and ignores it, although such an incident is even harder to explain if the message is MR. MIDNIGHT? IS THAT YOU?

Lost or pre-read electronic mail. Sometimes hackers read a user's electronic mail, so this is another "footprint" users can learn to watch for. Most electronic-mail systems have a feature that gives the user a list of all the mail that has not been read. If a hacker reads the mail first, the user may never see his new mail, because the system will keep saying that there is none. And even if the user goes back, checks old mail, and finds messages that look unfamiliar, the user will usually just assume that the computer messed up or that he or she has forgotten what was there. It is quite possible on most such systems to read someone else's mail and keep the system from changing the status from "new mail" to "old mail," but most hackers wouldn't bother, simply because most hackers don't say anything, anyway.

The Oversimplified System

As something of a side issue, sometimes a user who links up with a network computer doesn't notice signs of hacking for a very simple reason, despite the fact that the hacker who uses the person's account thinks the user must be blind: The user's machine does too much automatically. A user may have a personal computer set up as a smart terminal and, literally at the push of a button, he or she can simply tell the terminal, "Bring my new mail back to me and send this mail out to these people." The terminal will then call the system, enter the user's name and password, issue the commands needed to retrieve all of the user's incoming mail, and issue the commands needed to send all of the outgoing mail to other users.

Such a system is usually set up by a consulting company that advertises an electronic-mail system so simple that anyone can use it with no expensive training. To back up its claim, such a company does not teach the user anything more difficult than how to turn on a terminal and hit a few appropriate keys.

Granted, such a "smart" terminal is a boon to the busy user, but in these cases, there is not much chance of the user spotting hacker activity, because he or she never sees anything of the procedures involved in logging on and off or sending and receiving mail. Because the password is stored in the personal computer, the user may not even know it exists, much less have any idea about how to change it. The user may not even realize that the actual mail computer is hundreds or thousands of miles away. If asked, the user might guess that, somehow, the microcomputer handled it all.

This type of an overautomated system has one additional requirement beyond user awareness of the hacker "footprints" I've mentioned. To the point of redundancy, educate the user. Assume that this person is interested in the technology being used - perhaps not at the
