Hacking is no longer for kids, adults can do it too

Hacking used to be an activity carried out by specialists or teenagers. But thanks to new software, it is now being used as a...

Hacking used to be an activity carried out by specialists or teenagers. But thanks to new software, it is now being used as a powerful tool by anyone with a message to put across.

Hacking is playing a part in the current propaganda war between the US and China, following growing antagonism between the two countries in the aftermath of the US spy plane incident.

Pornography has appeared on several official Chinese Web sites, while hundreds of Chinese Web sites, governmental and commercial, have reportedly been hacked.

On the other side, Chinese hackers have declared a week-long May Day war on US sites. The US departments of labour and health have been invaded with messages and pictures of the Chinese pilot Wang Wei who was killed in the spy plane collision.

Activists have shown a growing awareness that the soft underbelly of capitalism lies in the corporate Internet infrastructure, ever since the first mass hacking protests on 18 June 1999.

Then, hackers from around the world launched more than 10,000 attacks on more than 20 companies, including Barclays Bank and the London Stock Exchange, over the space of five hours.

Once, hacking, viruses and denial of service attacks required skilled programmers to orchestrate them. But over the past few years simple tools have begun to appear on the Internet that make it possible for IT novices to construct their own viruses, scan corporate computer systems for security weaknesses or infect Web sites with Trojan horses. These tools are opening up cyber-mischief to protest groups, anarchists, and curious teenagers.

Unfortunately, a few minutes on a search engine is all it takes to track down sophisticated hacking programs with easy-to-use point and click interfaces. Their ready availability is placing renewed pressure on IT directors to make sure their security policies are up to scratch, said security consultant Chris Sundt.

"As we dumb down the ability to write this sort of attacking software we are going to get more people who can use it for mischief- making. That means you need better defences to filter this stuff out," said Sundt.

Although it is not difficult for IT departments to protect themselves against these tools, lax security practices will often leave companies open to attack.

Virus-writing kits were among the first automated hacking tools to appear on the Internet. The Nowhere Man virus construction kit, which appeared in the 1990s, set new standards for hackers with its graphical user interface and context-sensitive help. It wasn't until this year, however, that a kit-written virus caused serious damage to businesses.

The Anna Kournikova virus infected millions of desktop PCs and cost companies many millions of pounds to clear up. The virus did not have a sophisticated payload, but the author's decision to hide it inside a picture of the Russian tennis star and sex symbol ensured its widespread propagation.

"It is relatively trivial to write a virus construction kit. It's not that clever. The real problem with these things is that any moron can write a virus now. You simply chose a date, what you want a virus to do, what you want to call it and then press go," said Graham Cluley from anti-virus firm Sophos.

Hackers can find all the tools they need to infiltrate computer systems on the Internet. The hacker's favourite is Nmap, a tool capable of scanning the communication ports of servers on the Internet for vulnerabilities.

"It's like rattling the doors, walking down the street and seeing if any of the windows are open," said Glyn Geoghegan, principal consultant of ISS Security Assessment Services. "The program uses special techniques such as half scans, which make it harder for some machines to know they are being scanned."

Hackers can use other free tools on the Internet, such as Nessus, to identify servers with weaknesses in their operating systems that could leave them vulnerable to attack. "That gives the hacker an idea of what exploit to download from a site. It is very useful," said Geoghegan.

Organised hacking groups will use tools like this to scan huge swathes of the Internet in readiness for programming vulnerabilities to emerge. As soon as a new problem is announced they are able to cross-reference their databases to discover which machines may be vulnerable to that problem.

People with little IT expertise can use programs such as Back Orifice and Sub7, also freely available on the Internet, to develop trojans capable of stealing passwords, or monitoring a victim's screen.

One plug-in for Back Orifice, Botool, allows would-be hackers to easily navigate through the files of an infected machine and to copy anything that looks interesting. Another plug-in called Boping can turn an infected PC into a network scanner.

Although tools such as Back Orifice should be easily detectable by a virus scanner, surprisingly, companies have fallen victim to this sort of incursion.

MIS Corporate Defence Systems was called in to help a firm in the North West. "Its servers would go down intermittently. It discovered a number of its machines had been back-doored. It took two or three weeks of concerted effort to rebuild its system," said MIS' security consultant Steve Gray.

Another tool, God Will, can hide its potentially damaging payloads in Web sites.

By following a point and click interface, would-be hackers can implant code into Web sites that could steal passwords, destroy hard discs, or erase the chips in the desktop PC of anyone unfortunate enough to visit the site. The program works by hiding the payload on a Web site in Active X script.

"In the past it has only ever been programmers who understood how Active X worked and how to exploit it. God Will drops that ability into everyone's hands. Everyone that wants to do it can do it," said David Duke, technical director of Cryptic Software.

"A hacker could install it on our Web site and we would inadvertently be affecting customers that log on. Leaving aside the damage, the public relations loss would be devastating," said Roger Ellis, former IT director with law firm Clifford Chance.

Fortunately for IT directors, it is not difficult to defend IT systems from the attacks associated with these sort of tools.

"The first line of defence is to make it as difficult as possible to be infected by these things," said Gray. "That means securing the corporate network and good practice about what staff can and cannot do.

"Ultimately, make sure the individual does not do stupid things, like running attachments."

Bill Goodwin
[email protected]

Read more on Antivirus, firewall and IDS products