Hacking began in the 1960s at MIT when students attempted to learn more about mainframe computing systems and improve their skills.
The telephone systems were tempting to phreakers, and John Draper, known as Captain Crunch, used a whistle packaged in Captain Crunch cereal to generate a 2600 Hertz tone that allowed access to the AT&T long-distance network. This discovery led to Draper and others designing and building a so-called ‘blue box’ that generated the 2600 Hertz signal and other tones for use in making long-distance phone calls without paying. Steve Jobs and Steve Wozniak, who later founded Apple Technologies, were also makers of blue boxes.
In the 1980s, hackers began to share information and stolen passwords on electronic computer bulletin boards such as “Sherwood Forest”. Hacking clubs began to form with names like the German “Chaos Computer Club”. In 1982, teenagers in Wisconsin, known as the 414 Gang, launched attacks on Sloan Kettering Cancer Hospital’s medical records systems. Two years later, the hacker magazine 2600 made its debut under editor Eric Corley, aka Emmanuel Goldstein. In November 1988, the Morris Internet Worm spread through the Internet and resulted in large-scale Denial of Service (DoS) attacks. The cause of this disruption was a small program written by Robert Tappan Morris, a 23-year-old doctoral student at Cornell University. The worm infected approximately 6,000 networked computers.
In 1986, attacks were launched against U.S. classified computer systems by Germans affiliated with the Chaos Computer Club and working for the KGB. In 1990, a hacker named Kevin Poulsen, with some associates, hacked a radio station’s phone system to ensure they won a call-in contest for Porsches and other prizes. Poulsen, who was also wanted for phreaking, was apprehended and sentenced to five years in prison. He was released in 1996.
The first hacking conference, called Def Con, was held in Las Vegas in 1993 and is still held annually. If you want to know more about hacking, I suggest you watch the videos of Def Con. You may know of Kevin Mitnick. He was one of the most notorious hackers of his time. On Christmas 1995, he broke into the computers of Tsutomu Shimomura in San Diego, California. Shimomura tracked down Mitnick after a cross-country electronic pursuit, and he was arrested by the FBI in Raleigh, North Carolina, on February 15, 1995. Mitnick pleaded guilty to charges at his trial in March 1999, and his sentence was nearly equal to his time served. He is now an independent security consultant and author.
Later, in 1995, Russian hacker Vladimir Levin and associates performed electronic transfers of 10 million dollars to a number of international banks. Levin was captured, tried in the U.S., and sentenced to three years’ confinement. In 1998, “The Cult of the Dead Cow” announced and released very effective Trojan horse software called Back Orifice at Def Con. Back Orifice provided remote access to Windows 98 and Windows 95 computers. In February 2000, hackers launched Distributed Denial of Service (DDoS) attacks against Yahoo, Amazon, and ZDnet. Microsoft Corporation’s network was hacked in October 2000 by an attacker who gained access to software under development. The “Symantec Internet Security Threat Report” published in September 2006 confirmed the increase in targeted and profit-driven attacks by saying that attacks on financial targets had increased by approximately 350 percent in the first half of 2006 over the preceding six-month period. Attacks on the home user declined by approximately 7 percent in that same period. The hacker community is changing.
Over the last two to three years, hackers’ motivation has changed from just the thrill of figuring out how to exploit vulnerabilities to figuring out how to make revenue from their actions and getting paid for their skills. Hackers who were out to “have fun” without any real targeted victims in mind have been largely replaced by people who are serious about reaping financial benefits from their activities. The attacks were not only getting more specific but also increasing in sophistication. This is why many people believe that the spread of malware has declined over time: malware that sends a “shotgun blast” of software to as many systems as it can brings no financial benefit to the bad guys compared with malware that zeros in on a victim for a more strategic attack.
The year 2006 has been called the “Year of the Rootkit” because of the growing use of rootkits, which allowed hackers to attack specific targets without much risk of being identified. Much antivirus and anti-malware software cannot detect rootkits, as specific tools are used to detect them, so while the vendors say that they have malware more under control, it is rather that the hackers are changing their ways of doing business. Both Ameritrade and E-Trade Financial, two of the top five online brokerage services, confirmed that millions of dollars had been lost to (or stolen by) hacker attacks on their systems in the third quarter of 2006. Investigations by the SEC, FBI, and Secret Service have been initiated as a result. Apple computers, which had been relatively untargeted by hackers due to their smaller market share, are becoming the focus of more attacks. Identified vulnerabilities in Mac OS X increased by almost 400 percent from 2004 to 2006, but still make up only a small percentage of the total of known vulnerabilities. In another product line, Apple reported that some of its iPods shipped in late 2006 were infected with the RavMonE.exe virus. The virus was thought to have been introduced into the production line through another company that builds the iPods for Apple.
In December 2006, a 26-year-old Romanian man was indicted by U.S. courts on nine counts of computer intrusion and one count of conspiracy regarding breaking into more than 150 U.S. government computer systems at the Jet Propulsion Labs, the Goddard Space Flight Center, Sandia National Laboratories, and the U.S. Naval Observatory. The intrusion cost the U.S. government nearly $150 million in damages. The accused faces up to 54 years in prison if convicted on all counts. In Symantec’s “Internet Security Threat Report, Volume X,” released in September 2006, they reported the detection of over 150,000 new, unique phishing messages over a six-month period from January 2006 through June 2006, up 81 percent over the same reporting period from the previous year. Symantec detected an average of 6,110 denial of service (DoS) attacks per day, the United States being the most prevalent target of attacks (54 percent) and the most prolific source of attacks (37 percent) worldwide. Networks in China, and specifically Beijing, are identified as being the most bot-infected and compromised on the planet.
On September 25, 2007, hackers posted names, credit card numbers, as well as Card Verification Value (CVV) Codes and addresses of eBay customers on a forum that was specifically created for fraud prevention by the auction site. The information was available for more than an hour to anyone that visited the forum before it was taken down. A security breach at Pfizer on September 4, 2007, may have publicly exposed the names, social security numbers, addresses, dates of birth, phone numbers, credit card information, signatures, bank account numbers, and other personal information of 34,000 employees. The breach occurred in 2006 but was not noticed by the company until July 10, 2007. On August 23, 2007, the names, addresses, and phone numbers of around 1.6 million job seekers were stolen from Monster.com. On February 8, 2007, Consumeraffairs.com reported that identity theft had topped the Federal Trade Commission’s (FTC’s) complaint list for the seventh year in a row. Identity theft complaints accounted for 36 percent of the 674,354 complaints that were received by the FTC in the period between January 1, 2006, and December 31, 2006.
Privacyrights.org has reported that the total number of records containing sensitive information that have been involved in security breaches from January 10, 2005, to September 28, 2007, is 166,844,653. Clay High School in Oregon, Ohio, reported on January 25, 2007, that staff and student information had been obtained through a security breach by a former student. The data had been copied to an iPod and included names, social security numbers, birth dates, phone numbers, and addresses. The theft of a portable hard drive from an employee of the U.S. Department of Veterans Affairs, VA Medical Center in Birmingham, Alabama, resulted in the potential exposure of nearly a million VA patients’ data, as well as more than $20 million being spent in response to the data breach.
In April 2007, a woman in Nebraska was able to use TurboTax online to access not only her previous tax returns but also the returns of other TurboTax customers in different parts of the country. This information contained things like social security numbers, personal information, bank account numbers, and routing digits that would have been provided when e-filing. A security contractor for Los Alamos National Laboratory sent critical and sensitive information on nuclear materials over open, unsecured e-mail networks in January 2007, a security failing ranked among the top serious threats against national security interests or critical Department of Energy assets. Several Los Alamos National Security officials apparently used open and insecure e-mail networks to share classified information pertaining to nuclear material in nuclear weapons on January 19, 2007. Carnegie Mellon University’s Computer Emergency Response Team (CERT) shows in its cyberterrorism study that the bad guys are getting smarter, more resourceful, and seemingly unstoppable, so what will companies need to do to properly protect themselves from these types of incidents and business risks? In 2006, an increasing number of companies felt that security was the number one concern of senior management. Protection from attack was their highest priority, followed by proprietary data protection, then customer and client privacy, and finally regulatory compliance issues.
Telecommuting, mobile devices, public terminals, and thumb drives are viewed as principal sources of unauthorized data access and data theft but are not yet covered in most corporate security policies and programs. The FBI has named computer crimes as their third priority. The 203-page document that justifies its 2008 fiscal year budget request to Congress included a request for $258.5 million to fund 659 field agents. This is a 1.5 percent increase over the 2007 fiscal year. IT budgets, staffing, and salaries were expected to increase during the year 2007 according to a survey of CIOs and IT executives conducted by the Society for Information Management. In February 2007, Forrester.com reported in a teleconference that the firms they had surveyed were planning on spending between 7.5 percent and 9.0 percent of their IT budgets on security. These figures were fairly consistent among different organizations, regardless of their industry, size, and geographic location. In May 2007 they reported that more than half of the IT directors they had surveyed were planning on increasing their security budgets.
As stated earlier, an interesting shift has taken place in the hacker community: from joyriding to hacking as an occupation. Today close to a million computers are infected with bots that are controlled by specific hackers. If a hacker has infected 4,000 systems, he or she can use his or her bot network to carry out DoS attacks or lease these systems to others. Botnets are used to spread more spam, phishing attacks, and pornography. Hackers who own and run botnets are referred to as bot herders, and they lease out systems to others who do not want their activities linked to their true identities or systems. Since more network administrators have properly configured their mail relays, and blacklists are used to block mail relays that are open, spammers have had to move to different methods (using botnets), which the hacking community has been more than willing to provide for a price.
On January 23, 2006, “BotHerder” Jeanson James Ancheta, 21, of Downey, California, a member of the “botmaster underground,” pleaded guilty to fraudulently installing adware and then selling zombies to hackers and spammers. “BotHerder” was sentenced on May 8, 2006, with a record prison sentence of 57 months (nearly five years) in federal prison. At the time of sentencing, it was the first prosecution of its kind in the United States and was the longest known sentence for a defendant who had spread computer viruses. A drastic increase in spam was experienced in the later months of 2006 and early part of 2007 because spammers embedded images with their messages instead of using the traditional text. This outwitted almost all of the spam filters, and many people around the world experienced a large surge in spam.
So what does this all have to do with ethics? As many of you might know, the term “hacker” had a positive connotation in the 1980s and early 1990s. It was a name for someone who really understood systems and software, but it did not mean that they were carrying out malicious activities. As malware and attacks emerged, the press and the industry equated the term “hacker” with someone who carries out malicious technical attacks. Just as in the rest of life, where good and evil are constantly trying to outwit each other, there are good hackers (ethical) and bad hackers (unethical).