July 30, 1996

Article at The Age

TECHNOLOGY | Violated by a phantom hacker

By WILSON da SILVA

BEING hacked is not a pleasant feeling. Sort of like being burgled – then being charged for breaking and entering. No matter what you do, no-one ever really believes you’re innocent.

It might not be your fault. You might, for example, have an obscure enough password: no birth dates or obvious names, like that of your cat or a favourite sports star. You might be paranoid enough to check that no-one is looking over your shoulder when you log-in. You might ensure your username and password aren’t written next to the keyboard or saved on your PC dial-up software. In short, you might practice the basics of good Netizenship.

I thought I had. My password was obscure. You would have to be a fan of director George Lucas (he of Star Wars fame) to figure it out: THX-1138 - the title of his first film (a science fiction flop starring Robert Duvall before Apocalypse Now rescued Duvall’s career).

Apparently, someone else in the big wide world of cyberspace is a fan of Lucas; or is a talented hacker. Two weeks ago person or persons unknown hacked into my Internet account.

On 11 July, using the logon of ‘wdasilva’ at Deakin University (where I do an off-campus course) they said some very unpleasant and quite unprintable things on Internet Relay Chats.

Not content with that, they sent abusive e-mail to people I’ve never met. They downloaded 18 Mb of data into my mailbox, well beyond my 5 Mb limit. For all I know, they read my mail too, and messaged friends and colleagues, or made unseemly remarks on the Internet discussion groups to which I subscribe.

Meanwhile, I was dialing in and retrieving messages, oblivious of the ruckus.

Finally, on 15 July, a broadcast e-mail message was sent to everyone at the university. To all 44,000 users. It said the kind of things you wouldn’t read in a family newspaper.

It was sent in my name. Understandably, Deakin University froze my account. It wasn’t until I tried to log-in the following day that I knew something was up.

“When was the last time you logged in?” asked a justifiably icy technician. “Have you been sending broadcast messages across the campus? . . . Why have you been so active on IRC? Why have you been downloading so much stuff?”

On hearing all of this, I must admit to feeling kind of violated. Not only that, I was also taken aback at being asked to prove that I was innocent.

You can’t blame the people at Deakin for grilling me: how do they know it wasn’t me? Nor can you complain about the security breach: even the most secure military sites get hacked.

“All universities face similar problems,” said Richard Tan, head of information technology services at Deakin.

“It’s no different from someone breaking into your office and going through your things,” he said. “We have more and more users coming on-line. With the popularity of the Internet . . . there are going to be more incidents like these.”

As if it isn’t bad enough already. Of the 44,000 Internet accounts for students and staff at Deakin, an average of two a day are compromised, or hacked. Deakin has a flat domain structure that allows infotech staff to quickly detect a security breach and shut down an account.

Other universities are hacked at similar or higher rates, said one high-level university Unix network programmer who declined to be named. He said many in his position were favorite targets of hackers, and he had been hacked many times.

“It’s a bit like being mugged and robbed,” he said. “There’s always going to be this problem when you try to balance openness with security. It comes down to how much in resources you want to allocate to security. Universities generally don’t consider it a high priority.”

An investigation by Deakin found that my account was most likely hacked via password: i.e. someone logged on masquerading as me and used the password.

How did they get it? Two methods: with “sniffers” or “crackers”.

“Sniffers” are virus-like mini-programs that, once planted inside a mainframe computer, wait for people to log-in. They collect log-in usernames and passwords, which are then passed on to the hacker.

A “cracker” is a program that sits inside the hacker’s computer and tries to breach network security by brute force.

The hacker picks a legitimate username, then, using the cracker program, repeatedly tries to log-in under every possible password.

The program literally throws the dictionary at the task, and tries combinations of words with words, and words with numbers, such as “dog24”.

In the end, no one will ever be quite sure that it wasn’t me. And that’s the worrying thing.

You realise that, on top of feeling like someone’s broken into your home and rummaged through your stuff, there’s also the issue of identity theft. In cyberspace terms, it’s as if someone borrowed your name and your face, then carried on like a British soccer hoon at a German Euro96 victory party.

Then the cops come and arrest not the hoon, but you!

Anyone meeting your Net identity for the first time, by way of abusive message or derogatory remark on IRC, is not going to warm to you next time they cross your path in cyberspace.

It will be hard to convince them that it wasn’t you.

Even worse, there is no way of knowing the extent of the damage that may have been done. Were all of my friends e-mailed and abused too? Was my log-in used to mail-bomb ASIO?

The other possibility is that I am guilty as charged. Maybe I had a momentary lack of sanity. Maybe I actually did it just so I could write this article!

“You’re damned if you (write it) and you’re damned if you don’t,” said Tan.