By: Jason Williams
Special Report On Hackers, Web Security
from this week’s special E&P Interactive print section:
Ask most newspaper publishers to picture a hacker, and they will probably
describe some pimply-faced, adolescent shut-in, pounding away at a keyboard,
glasses sliding down his nose, hacking into eBay to snatch an autographed script
for one of the ‘Star Wars’ episodes. A nuisance, a fly in the ointment, a tiny
wrench in the machine of e-business.
But as is often the case in the untamed microcosm of the Internet, the
perception rarely matches the reality, and newspapers have more to fear from
hackers than they realize.
In early February, newspaper executives dozing on the issue of Internet security
were roughly awakened by the sound of traffic screeching to a halt on five of
the biggest sites on the Web: Yahoo!, E*Trade, eBay, CNN.com, and Amazon.com.
The denial-of-service (DoS) attacks apparently also stumped servers at
Following the short-lived Web coup, both President Clinton and Attorney General
Janet Reno talked about putting the clamps on the rogue Netizens responsible,
and newspaper Web sites began to lock down their sites to prevent future
At The Seattle Times’ Web site, its security council had just finished its audit
when news of the DoS attacks hit. Seattletimes.com had hired Arca Systems, a
company owned by Santa Clara, Calif.-based Exodus Communications, to analyze its
systems, despite never having had a serious breach of its security.
‘Something that I’ve heard said here, and I think is really applicable, is that
we’re both lucky and unlucky that we’ve never actually been hacked,’ says John
Soltys, senior Internet engineer at seattletimes.com. ‘We’re lucky because
obviously we don’t want to get hacked, but unlucky because security was never
something we thought about in a proactive way.’
Coming in the hack door
Someone (most likely a hacker) once said, ‘The Internet is like a vault with a
screen door on the back. I don’t need jackhammers and an atom bomb to get in
when I can walk through the door.’
Jason Bent – a k a ‘SiliconToad,’ senior security analyst for Prohacktive, a new
Internet security company – agrees. ‘I think [DoS attacks] go on all the time,
all over the place,’ he says. ‘But kids and others are getting more creative.’
The recent DoS attacks have been a source of debate not only within mainstream
computer circles but also within the hacker community. Many old-school hackers
and ‘hacktavists’ (more on them later) see DoS attacks as the work of ‘script
kiddies,’ newbies on the hacking scene who simply download and run pre-existing
software. These programs overload the host’s server with packets of information
requests, causing it to crash and preventing users from logging onto the DoS-
targeted site or sites.
‘Our amazement came from the complexity of the [February] attack, the way they
teamed up with so many machines,’ says Tyler Bye – a k a ‘HyperViper,’ founder
of Prohacktive. ‘We had heard numbers anywhere between 10 and 16,000 machines
were used to attack Yahoo! And, luckily, most of the ‘script kiddies’ and the
teen-agers out there would not be able to pull that off, or it would have been
much worse, and you would have seen many more multiple attacks.’ (Both Bent and
Bye are former Webmasters for Hackers.com, a popular hacking-community hangout.)
But the DoS attacks are just the tip of the subsurface iceberg ready to take
down all those sites that feel like they’re ‘king of the world’ right now – and
online newspapers may be headed for a collision. ‘Newspapers and news sites in
general, they tend to be the first targets hackers go after where they know that
they’ll get some high-profile traffic on, say, a defaced page,’ Bye says.
In April 1997, a hacker severely damaged the San Antonio Express-News’ Internet
Service Provider (ISP) and Web site, an incident the Express-News announced at
the Nexpo conference two months later. ‘We have 300,000 pages on our Web site,
and as far as we can determine, every one of them was screwed up so that we’ve
had to go through it level by level,’ Jon Donley, then online managing editor
for the Express-News Web site, told Nexpo conference-goers.
In September 1998, The New York Times on the Web was hacked and replaced with
soft-core pornographic images, verbal attacks on a New York Times technology
writer, and calls for the release of jailed hacker icon Kevin Mitnick by a group
calling itself H.F.G., Hacking for Girliez.
Later, less notable to the media – but not to The Evansville (Ind.) Courier &
Press – was the February 1999 hacking of the paper’s online automotive section,
which left the site vandalized with disparaging comments about a particular car
Just recently, The Kansas City (Mo.) Star reported a hacker had placed a
pornographic photo on its home page (http://www.kcstar.com). Technicians were
forced to shut down the site for an hour. According to kcstar.com, it was the
first time the site had been hacked since it launched in 1996.
Plus, a string of other news and information sites endured hack attacks last
year, including those of The Associated Press, ABC, C-SPAN, the Drudge Report,
and Wired News.
In most of these incidents, however, entire pages were altered, so that no one
could have mistaken them for the originals. An example of a more dangerous
possibility occurred recently on the home page of Marquette University, where
false and offensive comments were attributed to Vice President Al Gore, who had
given a speech at the university the day before.
The attack occurred early in the morning of March 28 and was spotted quickly,
say university representatives, but the resemblance of the hacked page –
containing false, inflammatory rhetoric attributed to the vice president – to
the original could have caused a serious public-relations problem for the
And these are just the attacks that were publicized.
According to the Computer Emergency Response Team (CERT), there were 8,268
incidents of computer security breaches in the United States last year. And an
annual survey conducted by the FBI and the San Francisco-based Computer Security
Institute reported that the total verifiable losses in 1999 due to hacker
attacks were more than $265 million, more than doubling the average from the
past three years, with 90% of survey respondents reporting some kind of security
breach, 70% of a ‘serious’ nature.
In short, it’s a potential problem that online newspaper publishers can’t
But who are these denizens of data, these masters of e-mayhem? Before a
company’s system managers and information technology professionals can
successfully secure a network, they must first know with what and whom
The answer is not as simple as just bored, smart kids. The reality is
that the hacking community, like any other interest group, has its good
and bad, its left and right, its young and old. It’s a diverse e-
society in which the only true unifying element is a love of cracking
Appropriate to the lawless frontier of the Web, most hackers identify
the good and the bad as ‘white-hat hackers’ and ‘black-hat hackers,’
respectively. The ‘white-hat hackers,’ typically, are interested in
improving security systems, while maintaining the freedom that the Web
provides. They see the proliferation of hacking and the reverse-
engineering of software as a kind of computer Darwinism that ultimately
strengthens networks by highlighting their flaws. The ‘black-hat
hackers’ are more interested in personal or political gain. They are
outlaws, breaking into systems, replacing pages with pornography and
obscene, often incomprehensible, rants.
Of course, the labels don’t always fit, and often white-hat hackers don
black hats for political purposes or vice versa. A number of hackers
consider themselves ‘hacktavists,’ protesters in an electronic age.
Like the picket lines, sit-ins, and marches of the 1960s, ‘hacktavism’
could very well become the counterculturalism of the new millennium.
The H.F.G. attack on The New York Times on the Web, for example,
included statements of support for jailed hacker Mitnick on the defaced
site and attacks on John Markoff, The New York Times technology writer
who had a hand in Mitnick’s capture. Several other Web sites, media and
nonmedia alike, also were hacked and defaced with statements of
support, alleging a conspiracy against the infamous Mitnick.
Mitnick was released this January after serving five years in the
Lompoc Federal Corrections Institute for hacking into the computer
systems of Motorola, Fujitsu, Nokia, Sun Microsystems, Novell, and NEC.
His cause is a rallying point for many hackers who believe that the
government overstated the case against Mitnick to make an example of
‘I think, depending on the sophistication, that, yes, the low end of
the spectrum is the guy just looking for notoriety,’ Bent says. ‘He
lets his friends know and lets Hackernews.com know, that he just hacked
a site, and they take a snapshot of the Web site – and instantly he’s
famous as a hacker.’
The hacktavists, however, ‘target specific channels, such as The New
York Times, to get the word out. They’re almost guaranteed that a lot
of people will see it,’ Bent continues.
One such group is ‘United Loan Gunmen (U.L.G.).’ Among its victims are
ABC.com, the AP, the Drudge Report, and C-SPAN. The U.L.G.’s oft-
repeated message: free the Internet from the corporate control that the
group feels dominates other media. ‘Unlike the world of TV and radio
… the Internet is there not only for you to use, but for you to
control,’ read the hacked page of ABC.com. The U.L.G. and groups like
it use news and newspaper sites as bulletin boards for their anti-
corporate or anti-government diatribes.
But the hacking community isn’t limited to radical groups with catchy
names. Prohacktives commonly get invitations from a wide spectrum of
interested parties, from individuals to corporations, for revenge
‘We get solicitations all the time – from ‘My friend has hacked me,
[so] will you hack his computer?’ to actual corporations and business
proposals: ‘I’ve been swindled out of millions of dollars
internationally. Can you help me recover it? I’ll pay any price you
want,” Bye says.
Bye continues: ‘We don’t provide these services, and we have to get
pretty blunt with people right away and say, ‘You’ve got the wrong idea
about us.’ … That’s hurting our community, that’s enabling government
to pass more laws and more legislation to shut down what we feel is a
communication between a community. Those attacks are detrimental to our
To believe the hacking community is a small group of lonely,
dispossessed people is to fall victim to a dangerous stereotype that
may leave one’s system vulnerable to the kind of organized, intelligent
attacks that many hacker groups are capable of launching. ‘You have
people doing industrial espionage and spying on technologies and
snooping traffic. The sophistication [of hacking] just continues,’ Bent
Security vs. marshal law
There’s no doubt that many businesses and government agencies are
taking the hacking community seriously. Following the DoS attacks,
President Clinton held a summit with technology leaders to address the
state of Internet security. The month before, Clinton asked Congress
for $2 billion to fight computer sabotage.
Also attending the summit was Attorney General Reno, who called
cybercrime ‘one of the most critical areas we face,’ and vowed to find
those responsible for the DoS attacks. But after having difficulty in
tracking down the ‘cybercriminals,’ Reno questioned the need for
anonymity on the Web.
The end of anonymity on the Internet could be right around the corner –
or across the Atlantic. The French government recently announced that
it would require users to identify themselves to their ISPs before
being allowed to post anything on the Web.
Meanwhile, the Securities and Exchange Commission (SEC) in this country
is creating a system to monitor Internet activity – the exact thing,
some would argue, that landed online advertising company DoubleClick in
court when privacy advocates cited invasion of privacy. In fact, some
critics of the SEC’s policy have suggested the use of ‘cookies’ to
monitor Web users.
Along with copyright issues, security is one of the biggest issues
facing the online newspaper industry, says Stuart Biegel, who heads the
UCLA Online Institute for Cyberspace Law and Policy. The 1998 Digital
Millennium Copyright Act established new penalties for anybody who gets
around existing protection, says Biegel. The Computer Fraud and Abuse
Act can also be used to prosecute DoS or hacking attacks.
‘There are laws protecting against that type of activity [hacking],’
says Biegel, but much of it is untested and inadequate. Biegel is
currently writing a book for M.I.T. Press on cyberlaw issues.
Not to mention that some of the pending laws would restrict the testing
of current security technologies, says Prohacktive’s Bye. ‘[This is]
legislation to prevent and make it basically a felony to test the
security of any application or hardware so we can let the vendors know
[whether or not there’s a security risk],’ says Bye, who then offers
this example: ‘Obviously, I don’t think it’s the best thing to hack
Buy.com, get all the credit-card numbers, and put them all over the
Internet – but if somebody knows [how] and can notify that vendor that,
‘Hey, you have a loophole here,’ why wouldn’t they implement that?’
Bye suggests hackers and network administrators work together, ‘The
ethics of actually disseminating [hacked] information still need to be
adjusted, but we’re trying to build up a network and a community of
both hackers and network managers so we can facilitate better and
somewhat control how that information, once it is discovered, is
actually reported to the community to
Seattletimes.com’s Soltys doesn’t lend much credence to hacker claims
that hacking is for the greater good. ‘Some hackers get to turn it into
a career because they get hired by a security agency, but I don’t
really buy that they are trying to do it for the public good,’ Soltys
says. ‘There are probably some out there that do care, but I think if
that it were their true interest that they would do it through more
Either way, says Soltys, it’s important that newspaper Web sites keep a
constant watch on their systems to prevent break-ins. ‘Is everyone
using [current security technology]? Not yet, unfortunately,’ says Bye,
‘and a lot of people are paying the price.’
Jason Williams (firstname.lastname@example.org) is the new-media
reporter for Editor & Publisher magazine.
(c) Copyright 2000, Editor & Publisher