A Study of Hackers (Spring, 1993)
---------------------------------
By Dr. Williams

In "The Hacker's Handbook" on page 123, Hugo Cornwall discussed an idea of setting up his home computer system to look and act like a mainframe system. He would let hackers attempt to gain access to it while he monitored the results. He wanted his home system to emulate the M15, the most notorious hacking target for British hackers. The hackers would get into the system and attempt to gain privileges, when unknowingly they were really trying to get into his system. Hugo did not carry out the plan, even though he did set up a sophisticated emulation of the M15. About the time he was to carry out his plan, a disgruntled employee left the M15 crew and went to "The News," hanging out all of the dirty laundry. Hugo thought carrying out the stunt might get him into trouble, or at least give him more publicity than he wanted, so he didn't go through with it.

I just carried out this idea myself, and I thought the results were interesting. I had just completed a class in operating systems. The class used MINIX as a model to study and modify. MINIX is an operating system compatible with version 7 of UNIX, specifically made to be run on the IBM PC and its clones. It has over 12,000 lines of source code written in C. After finishing the class, I decided to use MINIX because I thought it could best mimic a big computer system under the guise of UNIX.

It took me a while to build an appropriate "pseudo-system," one that I thought was capable of fooling novice users of UNIX into thinking they were indeed on a UNIX system. It would have been beyond the capacities of my machine to do all that was necessary to fool expert users of UNIX, though, not to mention the time constraints I had. First, I had to reformat my hard drive for the MINIX operating system. Then I had to write a device driver to run the modem, which took a while to do.
I had to change physical appearances: names of files, directories, syntax of items, and emulation style. I added some characteristics: putting in games, files with interesting names, eye-catching items, and additional mail facilities. Finally, I wrote the program that did the actual mimicking, which also gathered statistics on the users' activities. Overall, I spent six months' worth of free time making a satisfactory system.

The program was made to imitate UNIX in all regards. At various times, it would "show" different users logged on, different processes being run, disk quotas, terminal statistics, free space, printer job status, and so on. It showed different disk packs, had most of the files which UNIX uses for system and administrative functions, and backup schedules. On the login screen, I was tempted to put something like "Boeing node #2, please log in," or "General Dynamics Site 3, spot 2." However, I thought this could get me more trouble or attention than I wanted, so I settled for a more generic approach:

    BN Site #2 please log in:

After login the first screen would show:

    ***************************************************************
    There was a crash on /group3 on 6/8/89 at approximately 03:00.
    Some files from that location have been deleted. Please inspect
    your account for file integrity. Call the operators at ext. 3524
    if you need to get any files from backups.

    There will be a gathering on 6/24/89 at noon in the cafeteria
    during lunch for all employees wishing to form a group of people
    interested in remote control cars and planes. Please call Jeff
    Smith at ext 2146 for further details.
    ***************************************************************

And the prompt was:

    June[1]

Every time a command was entered, the number in the square brackets was incremented by one. In the program, I left in some famous UNIX bugs, hoping somebody would try to manipulate the account into getting more privileges.
I left in mail bugs, writing commands to the 25th line, and using the same encryption scheme for the password file which UNIX uses, and a few other smaller items. To egg them on, I put in games that could only be executed with privileges, and files with tempting names like CAR.DATA, PRIVATE.DOC, and DOCUM.SECRT, which also could only be read with privileges.

Every time the account logged off, I returned most things back to the original setting, including any gains they had made. So if a person logged on more than once, they had to start from scratch every time. I didn't like doing this, but since I thought a lot of people would be using a few accounts, I thought it would look more phony if the account drastically changed every time a person logged onto it. It also helped me make more accurate observations.

At this time, I got a friend to agree to give up his dorm room phone for a few months, since he was taking off anyway. So I plugged the computer in there and let 'er rip. I wanted to aim the accounts at three different targets: hackers, hacker wannabes, and the academic community. On the bulletin boards where I had hacker privileges, I posted a message telling users to call this "neat" system I had discovered. The message went something like: "I recently discovered an account on a UNIX system at 555-5555. The account name is 'PAULS,' with password 'dog$car.' Have fun!" A day later, I posted the same sort of message on different bulletin boards, those where I had only normal status but where there were more "kiddies," and I changed the account name and password. Finally, a week later, I told some of my friends in the academic community by word of mouth, with yet another account/password combination.

Something I predicted would happen was that a lot of the sysops of the boards where I had posted the message aimed at the "kiddies" erased the message. Over half of them had erased the message in less than a few hours.
The other half had the message erased in about a day. It still served my purpose, though, because a lot of people had seen the message. I was tempted to tell the sysops whose boards I had posted the message on that it was all a hoax, an experiment, but I thought some of them wouldn't keep the lid on that information. Something I sort of expected was that a lot of the sysops wrote me mail back, furious that I had posted that message. Most of them thought I was putting them in legal jeopardy (understandably). Others said that their board was not into that type of information, threatened to call the police, warned me never to post that type of message again, and even deleted my account (no loss). None of the messages to the hacker crowd were lost. I posted the message 17 times for the kiddies, five times for the hackers, and told four friends, who I know passed it on to a few other people. I suppose if somebody had thought about it, he or she might have concluded that it's pretty hokey to post an account/password combination in a public BBS room where everybody can read it. Either I had to be really arrogant, or I had to have ulterior motives.

Within eight hours of posting the message, the system got its first call. I was really hoping that it would be somebody who knew what they were doing. I wanted to see if anyone was going to be able to jump the hoops I set up to gain further privileges. The first person didn't seem to be familiar with the UNIX operating system; they kept trying MS-DOS commands. They couldn't do a disk directory, or any other basic operations in UNIX. In fairness, if you're not used to UNIX, it is pretty user-unfriendly. The next few callers seemed to know more about what was going on. They were logged on under the hackers' account. They were able to find out the attributes of the account, get a view of what the overall system looked like, and see what the range of the system was.
A few of those were able to locate some of the targets of interest I had put in, but did not gain access. Next, the kiddies' account took a big jump in usage. The majority of them were unfamiliar with the UNIX system. Some of them had a cursory knowledge of the basic UNIX commands, but didn't really know how to manipulate the machine. Finally, a few calls started coming in on the academic account. Most of them didn't spend too long on the account. Since they knew more about what was going on, they took a look to see what was around and split. One or two of them tried using some of the more sophisticated commands that work on UNIX, but not on MINIX.

Over a two-month period, I was able to see what the overall attributes of usage were. I don't know how many unique individuals logged into the account, but I did keep track of how many times the account was used. By looking at the log of commands from the kiddie account, about half of its usage came from people unfamiliar with UNIX. Using MS-DOS commands or commands of other PCs, inability to access the help file, and no experience with the UNIX environment were characteristic of these users. Approximately a quarter of the usage came from people who had exposure to UNIX with a basic knowledge. They were able to find out the basic structure of the account and system, and wander around a bit, but did not do anything sophisticated. The last quarter were at least competent users; some were quite expert. They were able to discover items of interest, find most items of importance, gain further privileges, and attempt to hide the account that had been used.

From the 50 percent of users who were UNIX competent, only one third of them tried to gain privileges. The other two thirds must have been content where they were. Of the others, the most popular scheme used to gain privileges was to read the password file (which, like in UNIX, is publicly readable but encrypted).
This was not a bit surprising to me, since the Cornell Worm used essentially the same method. Many articles have talked about it, some showing in cookbook-recipe manner the steps that were taken. Users would try to decrypt the password file and gain the root password. The next most common method was writing commands to the 25th line of a more privileged account. This wasn't surprising either, since much ado has been made about that. The rest seemed to be evenly spread among mail bugs, finding bugs in commands that ran shells in privileged modes, or some other method.

From the third of the users left over, 32 percent of them succeeded in raising the account's privileges. Out of that 32 percent, 68 percent of the people were able to get at least operator privileges. Out of that 68 percent, 18 percent (25 people) were able to get root privileges. I didn't know, though, whether that was one person who got root privileges 25 times, or 25 different people. The program I had written really only mimicked the root privilege, and did not allow total control of the machine.

The sophistication of the user was directly related to the amount of "stupid" things the user did. Some of the kiddies did some really stupid things, like creating files saying something like, "Ha. Ha. I'm a hacker and I'm in your system," deleting files, or editing files in an obvious manner. Others romped around the system, checking out every file in every subdirectory. Other items which were not as obvious were using the help files excessively, entering many incorrect commands consecutively, and continually trying to access items for which they had insufficient privileges. The most knowledgeable users tried to hide their presence. Some of them successfully edited the user log without leaving a trace, kept a low profile of activities, and did not play the games at all or for great lengths of time.
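The statistics program the author wrote is not reproduced on the page. As an added illustration (not the original study's code), the Python below sorts constructed per-session command logs into the three tiers described above (unfamiliar, basic, competent) using the indicators the author relied on: MS-DOS commands, reads of the planted target files, attempts on the password file, and tampering with the user log. The session data, command sets, file paths and the "mostly MS-DOS" threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed per-session command logs, in the spirit of the command log the
# author kept for each account (sample data, not from the original study).
SESSIONS = {
    "s1": ["DIR", "CD \\", "TYPE README.TXT", "HELP"],
    "s2": ["ls", "pwd", "cat README", "man ls", "who"],
    "s3": ["ls -la /etc", "ls /group3", "cat PRIVATE.DOC"],
    "s4": ["who", "ps", "df", "ls /usr/games", "logout"],
    "s5": ["who", "cat /etc/passwd", "vi /usr/adm/wtmp", "logout"],
}

# Commands that exist in MS-DOS but not in UNIX/MINIX: the author's sign of
# an unfamiliar user ("cd" is left out because both systems have it).
DOS_ONLY = {"dir", "type", "copy", "del", "cls", "ren", "md", "rd", "help"}
# Planted files of interest, plus indicators of privilege-seeking and
# log-tampering activity, which the author counted as competent behaviour.
TARGETS = {"car.data", "private.doc", "docum.secrt"}
PRIVILEGE_RE = re.compile(r"/etc/passwd|(^|\s)su(\s|$)", re.IGNORECASE)
LOG_TAMPER_RE = re.compile(r"\b(wtmp|utmp)\b", re.IGNORECASE)

def classify(commands):
    """Tier one session as unfamiliar / basic / competent, with flags."""
    tokens = [c.split()[0].lower() for c in commands if c.strip()]
    dos_hits = sum(t in DOS_ONLY for t in tokens)
    privilege = any(PRIVILEGE_RE.search(c) for c in commands)
    tampering = any(LOG_TAMPER_RE.search(c) for c in commands)
    target = any(t in c.lower() for c in commands for t in TARGETS)
    if privilege or tampering or target:
        tier = "competent"          # found targets, sought privileges, or hid
    elif tokens and dos_hits * 2 >= len(tokens):
        tier = "unfamiliar"         # mostly MS-DOS commands (assumed threshold)
    else:
        tier = "basic"              # UNIX commands, nothing sophisticated
    return {"tier": tier, "privilege_attempt": privilege,
            "log_tampering": tampering, "target_hit": target}

def summarize(sessions):
    """Tier counts and the share of competent sessions that sought privileges."""
    results = {name: classify(cmds) for name, cmds in sessions.items()}
    tiers = Counter(r["tier"] for r in results.values())
    competent = [r for r in results.values() if r["tier"] == "competent"]
    sought = sum(r["privilege_attempt"] for r in competent)
    return tiers, (sought / len(competent) if competent else 0.0), results

if __name__ == "__main__":
    tiers, share, results = summarize(SESSIONS)
    print(dict(tiers), f"{share:.0%} of competent sessions sought privileges")
```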
Out of those who gained privileges, there was only one incidence of someone deleting a file on purpose without cause. Overall, the kiddie account was logged into 2,017 times. The hacker account was logged into 1,432 times, and the academic account 386 times. I have no way of knowing, though, how many unique people used the accounts. I was disappointed at the low turnout from the academic community. I talked to somebody I had given the account to, and some of the reasons seemed to be that some people just weren't into hacking, had legitimate accounts, were not curious about other systems, or just didn't want to risk getting into trouble.

Overall, the most incompetent users came from the kiddie account. The hacker account seemed to be the most familiar with all of the system weaknesses, but lacked an overall understanding of the system. The academic account was just the opposite; they knew how to work the system, but did not know of the security shortcomings of UNIX. However, the best users came from the academic account, where there was probably an elite crust of students who are also hackers.

One side effect came shortly after I posted the original message on the BBSs. Soon, other people started posting the kiddie account/password combo, claiming they got it from a friend or had "hacked" it themselves. That's why, when the sysops deleted my message, I wasn't worried: enough people had seen it to spread the word around. I half expected some law agency to raise an eyebrow and look into the matter. After all, I had done a pretty blunt thing. I did not get any questions about it, though, nor did the person who owned the phone number. But then again, maybe somebody did, and I just didn't find out about it.