Index


Information Security: Computer Hacker Information Available on the
Internet (Stmnt. for the Rec., 06/05/96, GAO/T-AIMD-96-108).

GAO discussed the importance of computer security and hacker information
available on the Internet. GAO noted that: (1) hackers pose a national
security risk when they break into Department of Defense computer
systems and steal or destroy sensitive data; (2) information on hacker
tools and techniques is available on the Internet and searches for such
information are relatively easy; (3) numerous hacker groups provide
information and user-friendly tools on breaking into phone and computer
systems, obtaining sensitive files, and implanting computer viruses; and
(4) risks of disruption and damage to sensitive computer systems from
hackers will continue as more federal agencies and private companies
rely on the Internet and information on hacker techniques becomes more
readily available.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-96-108
     TITLE:  Information Security: Computer Hacker Information Available 
             on the Internet
      DATE:  06/05/96
   SUBJECT:  Computer security
             Computer viruses
             Hackers
             Information disclosure
             Computer networks
             Computer crimes
             Defense communications operations
             Telecommunications operations
             Confidential records
IDENTIFIER:  Internet
             ARPANET
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                    <info@www.gao.gov>                        **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Permanent Subcommittee on Investigations, Committee on
Governmental Affairs,
U.S.  Senate

For Hearing on
Wednesday,
June 5, 1996

INFORMATION SECURITY - COMPUTER
HACKER INFORMATION AVAILABLE ON
THE INTERNET

Statement for the Record of Jack L.  Brock, Jr.,
Director, Defense Information and Financial Management Systems
and
Keith A.  Rhodes, Technical Assistant Director,
Office of the Chief Scientist,
Accounting and Information Management Division

GAO/T-AIMD-96-108

GAO/AIMD-96-108T


(511359)


Abbreviations
=============================================================== ABBREV


============================================================ Chapter 0

Mr.  Chairman and Members of the Subcommittee: 

Thank you for the opportunity to again participate in the
Subcommittee's continuing hearings on the security of our nation's
information systems.  As you know, on May 22, 1996, the first day of
the Subcommittee's hearings, we testified and released our report\1

about the increasing risks computer hackers\2 pose to computer
systems and information at the Department of Defense.  Our purpose
today is to reiterate the importance of computer security to Defense
and other federal agencies, and to provide an introduction to hacker
techniques and information available on the Internet. 


--------------------
\1 Information Security:  Computer Attacks at Department of Defense
Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996). 

\2 The term hacker refers to unauthorized individuals who attempt to
penetrate information systems; browse, steal, or modify data; deny
access or service to others; or cause damage or harm in some other
way. 


   COMPUTER ATTACKS ARE AN
   INCREASING THREAT
---------------------------------------------------------- Chapter 0:1

The Department of Defense, like the rest of government and the
private sector, relies on technology.  The Department depends
increasingly on computers linked together in a vast collection of
networks, many of which are connected to the worldwide Internet.\3
The Internet provides tremendous benefits; it can streamline business
operations and put a vast array of information at the fingertips of
millions of users.  Over the last several years, we have seen a rush
to connect to the Internet, and today there are over 40 million users
worldwide. 

However, with these benefits come risks.  Hackers have been
exploiting security weaknesses of systems connected to the Internet
for years.  The number of people with access to the Internet, any one
of which is a potential hacker, coupled with the rapid growth and
reliance on interconnected computers, has made the cyberspace
frontier a dangerous place.  Hackers have more tools and techniques
than ever before, and the number of attacks is growing every day. 
The need for secure information systems and networks has never been
greater. 

The Department of Defense's computer systems are being attacked every
day.  Although the exact number of attacks cannot be readily
determined because only a small portion are actually detected and
reported, Defense Information Systems Agency (DISA) data suggest that
Defense may have experienced as many as 250,000 attacks last year,
and that the number of attacks is doubling each year.  DISA
information also shows that attacks are successful 65 percent of the
time. 

Not all attacks result in actual intrusions; some are attempts to
obtain information on systems in preparation for future attacks,
while others are made by the curious or those who wish to challenge
the Department's computer defenses.  Many attacks, however, have been
very serious, resulting in stolen and destroyed sensitive data and
software.  By installing backdoors, guessing passwords, or other
techniques, hackers have surreptitiously gained illegal entry into
sensitive Defense systems, many of which support critical functions,
such as weapons systems research and development, supply, personnel,
contract management, and finance.  They have caused entire systems
and networks to crash, denying computer service to authorized users
and preventing Defense personnel from performing their duties. 
Although Defense has not computed the cost of these attacks,
unofficial estimates place the cost at millions of dollars in lost
productivity and damage to systems. 

Even more critical than the cost and disruption caused by these
attacks is the potential threat to national security.  Many Defense
and computer systems experts believe that computer attackers can
disrupt communications, steal sensitive information, and threaten our
ability to execute military operations.  The National Security Agency
and other experts have acknowledged that potential adversaries are
attempting to obtain sensitive information by hacking into military
computer systems.  They believe that over 120 countries either have
or are developing information warfare capabilities.  Countries today
do not have to be military superpowers with large standing armies,
fleets of battleships, or squadrons of fighters to gain a competitive
edge.  Instead, all they need to steal sensitive data or shut down
military computers is a $2,000 computer, a modem, and a connection to
the Internet. 

The Internet was spawned from ARPANET, a network designed by the
Advanced Research Projects Agency in the 1960s to provide a means of
electronically exchanging military research information.  The main
goals of ARPANET were to provide a network that would continue to
function even if sections of the network were lost, to allow
computers of many different types to communicate with each other, and
to enable inexpensive, convenient addition or removal of nodes
(Internet hookups).  In the 1980s, ARPANET became the Internet. 
Because of this history, the Department of Defense has been using the
Internet longer and more widely than other government agencies.  As a
result, the Department, despite its problems, probably has one of the
strongest computer security programs in government.  Its experience
suggests, however, that other agencies will increasingly be at risk
of computer attacks as they expand their use of the Internet. 


--------------------
\3 The Internet is a global network interconnecting thousands of
dissimilar computer networks and millions of computers worldwide. 
Over the past 20 years, its role has evolved from relatively obscure
use by scientists and researchers to a popular, user-friendly means
of information exchange for millions of users. 


   HOW COMPUTER SYSTEMS ARE
   ATTACKED
---------------------------------------------------------- Chapter 0:2

A variety of weaknesses can leave computer systems vulnerable to
attack.  For example, they are vulnerable when (1) inexperienced or
untrained users accidentally violate good security practices by
inadvertently publicizing their passwords, (2) weak passwords are
chosen which can be easily guessed, or (3) identified system or
network security weaknesses go uncorrected.  Malicious threats can be
intentionally designed to unleash computer viruses,\4 trigger future
attacks, or install software programs that compromise or damage
information and systems. 

Attackers use a variety of methods to exploit numerous computer
system vulnerabilities.  Examples, include (1) sendmail - a common
type of attack in which the attacker installs malicious code in an
electronic mail message that adds a password into the system's
password file thereby giving the attacker total system privileges,
(2) password cracking - a technique in which attackers try to guess
or steal passwords to obtain access to computer systems, and (3)
packet sniffing - a technique in which attackers surreptitiously
insert a software program that captures the passwords and user
identifications contained in the first 128 key strokes of a
connection. 

Once they have gained access, hackers use the computer systems as
though they were legitimate users.  They use a variety of techniques
to cover their tracks and avoid detection.  Hackers can steal
information, both from the systems compromised as well as systems
connected to them. 


--------------------
\4 A virus is a code fragment that reproduces by inserting copies of
itself to other programs.  In may damage data directly, or it may
degrade system performance by taking over system resources which are
then not available to authorized users. 


   HACKER INFORMATION AVAILABLE ON
   THE INTERNET
---------------------------------------------------------- Chapter 0:3

Computer attacks have also become easier to carry out due to the
proliferation of readily available hacker information, tools, and
techniques on the Internet.  Behind this proliferation are informal
hacker groups, such as 2600, the Legion of Doom, and Phrack, Inc.,
which openly share information on things such as how to break into
computer systems and how to obtain free telephone service.  The
information posted on the electronic bulletin boards at the web
sites\5 such groups sponsor allows virtually any of the more than 40
million Internet users who wants to be a hacker to become one. 

The potential hacker can learn about these groups from any computer
with an Internet connection by using any one of a number of search
programs available to Internet users.  These programs, or search
"engines," which include lycos, alta vista, yahoo, web crawler,
excite, magellan, all can be used as a starting point to help a
potential hacker pinpoint web sites containing information for
conducting computer attacks.  For example, we tried a simple
single-word and dual-word query using the alta vista program.  Using
the word "hacking", we got more than 20,000 responses showing
Internet sites or files where information on hacking is available. 
Similarly, using the words "password cracking", we got an additional
20,000 responses.  The two examples below are typical of the
responses we came across. 

  -- alt.2600/#hack FAQ at www.(site).edu/alt2600/FAQ.html

  -- alt.2600 Survival Guide at www.(site).edu/alt2600/survive.html

These two responses are from alt.2600, the file name of a web site on
the Internet that supports the readers of 2600 Magazine, a hacker
quarterly.  The purpose of the alt.2600 survival guide is to provide
information on the hacker news group, as well as information on how
to avoid being caught by the people and organizations under attack. 
To get to the web site containing the files, one need only click on
the file name.  In this case, we were sent to a web site called the
Internet Underground.  The Internet Underground site provides a
typical disclaimer

     "This WWW (world-wide web) page is provided for informational
     sake to those like me who are interested in computer and
     telephone security.  In no way do I encourage you to do anything
     illegal (emphasis added).  Far from it.  Think of this as a
     guide of what not to do."

This disclaimer is like openly providing the recipe for baking a
cake, but telling you not to bake it.  Despite this disclaimer,
people will use the information to hack into computer systems. 

At this Internet Underground site, one can examine the frequently
asked questions, or take a look at the survival guide itself.  The
survival guide begins, "Welcome to alt.2600, the Internet news group
for readers of 2600 Magazine.  On alt.2600 we discuss telephone
(phreaking), computer (hacking), and related topics.  .  .  . 
alt.2600 readers pride themselves on being hackers.  A hacker seeks
out information by every available means (emphasis added)."

If you proceed further into this site, you can locate additional
information files.  For example, "info philes" (spelled with a "ph"
because the file mostly contains information on how to break into a
telephone system) contains information on how to build devices known
as boxes that allow you to break into cable/video boxes, pay
telephones, or telephone circuits.  For example, one home page\6 we
visited containing information on these devices was John's Boxing
Page.  Again we came across a disclaimer that read ".  .  .  my
intention is not to defraud or encourage people to defraud the phone
company.  .  ." and then proceeded to describe how to build 26
different kinds of boxes.  One of the files linked to this home page
gave the following directions for building a red box. 

1.  Buy Radio Shack part number 43-146.
2.  Unscrew all of the screws.
3.  Desolder the crystal which says 3579 on it.
4.  Replace it with a 6.5536 MHz crystal.
5.  Replace the cover.
6.  You now have a red box. 

Although this information is claimed to be outdated and no longer
valid, a red box is typically used to generate a digital or tonal
signal that emulates the sound of coins being dropped into a public
telephone, thus allowing hackers to make telephone calls for free. 

There are many other hacker publications on the Internet.  For
example, Phrack is a very popular phone cracking association.  When
you go to this web site, you find several directories; one being the
Phrack Magazine Underground Archives.  The maintainers of the
archives have collected a variety of documents from various
phreaking, cracking, and hacking sources.  These publications include
information on hacker conferences and how to break into computer and
telephone systems.  It also contains links to other web sites. 
Following is just a partial list of groups in the archives. 

  -- 40 Hex Magazine

  -- Activist Times, Inc. 

  -- The BIOC Files

  -- Chalisti

  -- Freakers Bureau Inc. 

  -- Freedom

  -- The Legion of Doom

  -- Misc.  Underground Files

  -- National Security Anarchists

  -- The New Fone Express

  -- PHUN Magazine

  -- United Phreakers Inc. 

  -- The Art of Technology Digest

  -- Anarchy 'N' Explosives

  -- The Cult of the Dead Cow

  -- Chaos Digest

  -- Digital Free Press

  -- Informatik

  -- Legions of Lucifer

  -- N.A.R.C.  Newsletter

  -- Network Information Access

  -- Phantasy Magazine

  -- Pirate Magazine

  -- Vindicator Publications

For example, some of these groups openly share information on how to
go from one's home into a public telephone switch without paying for
it, and then go from there into another telephone switch (possibly in
another country), and then from there to the desired destination. 
This use of multiple telephone switches makes it more difficult for
the authorities to trace the hacker. 

Also available on the Internet are user-friendly hacker tools.  For
example, SATAN (Security Administrator Tool for Analyzing Networks)
is one such tool that was designed to identify computer system and
network security weaknesses, but which is also being used by hackers
to break into systems.  Similarly, a tool called rootkit is available
on the Internet.  Rootkit is actually a series of "trojan horses." A
trojan horse is a software program that replaces and mimics an
existing function, but also performs unauthorized functions, often
usurping the privileges of authorized users.  For example, a hacker
can install rootkit on a targeted system in a remote location.  The
program would be invisible to the authorized system administrator,
but would enable the hacker to obtain a list of the files on that
system, monitor disk usage, and see what processes are running. 

We also found hacker tools at an Internet bulletin board called the
Computer Underground Digest.  It contains nearly 70 directories, each
containing information on how to undertake acts of destruction and
mayhem such as how to break into systems and how to create and plant
viruses.  For example, the directory called 40hex/ publishes
Spotlight on Viruses which actually includes some of the source
code\7 for viruses that one can use to disrupt somebody else's
computer system.  Some of the virus information in 40hex/ includes

  -- Virus Spotlight, The Tiny virus

  -- Sub-Zero virus

  -- Leprosy-B

  -- USA Virus News

  -- The Sunday Virus

  -- The Typo COM Virus

  -- How to modify viruses to avoid SCAN

  -- Simple encryption techniques

  -- 1992 virus

  -- The Bob Ross Virus

  -- The Terror Virus

In conclusion, these bulletin boards and sites clearly show that any
marginally computer literate individual can use the Internet itself
to quickly obtain basic information on the tools and techniques
needed to become a computer hacker.  They also demonstrate that the
Subcommittee's concerns about unauthorized access to sensitive
information in computer systems are well-founded.  The Department of
Defense has already experienced thousands of computer attacks
originating from network connections, many of which have resulted in
considerable disruption and damage.  Other government agencies and
the private sector will undoubtedly be at increasing risk of attack
as their reliance on the Internet increases, as the number of
worldwide Internet users multiplies, and as information on hacker
tools and techniques becomes even more readily available. 


--------------------
\5 The worldwide web (www), started by Tim Berners-Lee while at the
European Laboratory for Particle Physics, is a "distributed
hypermedia system." In practice, the web is a vast collection of
interconnected information, spanning the world.  A web site is any
computer on the Internet running a World-Wide Web server process.  A
particular web site is identified by the hostname part of the uniform
resource locator. 

\6 A home page is typically the top-level introduction to an
individual's or institution's Internet site.  It often includes a
uniform resource locator, a draft standard for specifying an object
on the Internet, such as a file or newsgroup, e.g. 
http://www.ncsa.uiuc.edu/.  All other pages on a server are usually
accessible by following links from the home page. 

\7 Source code is the software program written in human readable form
by the programmer, as opposed to object code which is derived from
source code and is machine executable. 


-------------------------------------------------------- Chapter 0:3.1

Mr.  Chairman, that completes our statement.  We will be happy to
answer any questions you or Members of the Subcommittee may have. 

*** End of document. ***