Subject: life in cyberspace
PUBLICATION DATE Tuesday, March 1, 1994
EDITION NASSAU AND SUFFOLK
SECTION DISCOVERY
PAGE 61
OTHER EDITIONS 67 C
HEADLINE LIFE IN CYBERSPACE
COMPUTERS IN THE '90s
The Password Is 'Loopholes'
BYLINE Joshua Quittner
LENGTH 102 Lines
YOU'D THINK that Polytechnic University, in Brooklyn, one of the finer
technical schools in the country, would know how to safeguard its
computer system against hacker intrusions. And you'd think the same of
New York University's Courant Institute, which hosts the mathematical
and computer science departments.
But a teenage Brooklyn hacker, who calls himself Iceman, and some
of his friends say they invaded the schools' Internet-connected
computers and snatched the passwords of 103 students. Iceman called me
last week to say he and his friends have been using the passwords since
Jan. 24 to joyride on the Internet, and read the students' private
e-mail and computer files. The passwords could not be used to get into
administrative accounts where academic grades could be changed.
Officials at the universities said it will take time to verify the
claims. But they say they are treating Iceman's story as if it were
true. The officials admitted that the loopholes the hacker claims to
have exploited exist, are obvious and accessible.
"Academic computers are not very well protected. And students
practice the least safe computing habits of anyone," said Richard
Mandelbaum, director of the center for Advanced Technology in
Telecommunications at Polytechnic.
Internet break-ins have been a national news story lately, with
reports that unknown intruders have purloined more than 10,000 passwords
in a burst of activity during recent months. The Federal Bureau of
Investigation is investigating, since so many "federal-interest
computers" are attached to the wide-open Internet and since it is a
crime to possess and use other people's passwords. Many large commercial
and university systems, including one run by Xerox' prestigious Palo
Alto Research Center, have temporarily disconnected from the Internet
in an attempt to secure their systems.
Experts now believe that a group of young hackers who call
themselves The Posse are responsible for the break-ins, though who they
are and what they're after is unclear. Some people believe the crew is
merely collecting passwords for bragging rights, while others suspect
more insidious motives. Their approach is more sophisticated, from a
technical standpoint, than Iceman's. But the result is the same.
Despite widespread warnings on the Net, Internet intrusions persist,
in part because the global web of interconnected networks was founded on
a philosophy of openness, and in part because people use easy-to-guess
passwords.
Now Iceman, who's 18, has nothing to do with The Posse, never heard
of it, in fact. He hangs with a group of budding New York City hackers
who call themselves MPI. I met him two years ago on a story; I don't
know his real name or address, though he calls periodically to claim one
conquest or another in cyberspace. He's not a bad kid - he's not
venal, he doesn't want to hurt anyone, he's just exploring, he says -
but he is a kid, as intoxicated by trespass as any teenager.
Iceman told me it was simple to steal 103 passwords on the
universities' systems since each password was a common word or name.
"Computer" was one password, he said. "Friends" was another. Two
people used the word "Christ" and one used the first eight letters of
the word "Antichrist." "Stooge," "Dragon" (used by two people),
"Superman," "Hatred," "Vengence," "Ripper" and "Baseball" were all
passwords. This violates the first rule of selecting passwords: Never
use a plain word or a name. Pick a password that mixes numbers and
letters.
"Take the word, 'baseball,'" Iceman said. "If the person who used
that as a password just substituted ones [the numeral] for els [the
letter], I wouldn't have guessed it in a million years."
If Polytechnic University and the computer science department of NYU
can't get their students to practice "safe computing," what chance does
America Online, Prodigy or CompuServe have with its millions of new and
presumably unsophisticated users coming onto the net for the first time?
Mandelbaum said that new students at Polytechnic are given a pamphlet
that urges them to choose a password that isn't a name or a dictionary
word. "Students often don't do that, even at a technical university," he
said.
Iceman said that cracking the passwords was child's play. Using a
legitimate account from another Polytechnic student, Iceman and a
friend, on their home computers, dialed into a Polytechnic mainframe
called Newton. Once there, they called up a file that stores the
passwords for 3,646 students. The password file, of course, is
encrypted, using a secret formula that translates each password into a
13-character code.
But for the past year, Iceman has been building a "dictionary" of
common words and names. Each word in Iceman's lexicon is also encrypted,
using the same, commercially available encryption software that
Polytechnic, NYU and most other academic computer systems use. Iceman
then instructed his IBM-clone, 486-chip computer to compare the
encrypted words in his dictionary to the encrypted passwords on the
Polytechnic system. Simple. Seven hours later, he said, the computer
yielded 93 matches.
Gene Spafford, a computer science professor and security expert at
Purdue University, in Indiana, said that encrypting passwords and
storing them in publicly readable files has been standard procedure for
years and has become a problem only with the advent of powerful desk-top
computers.
"The encryption method was so slow when it was originally designed 20
years ago it was no threat to do what this person was talking about,"
Spafford said. "It would take too long to encrypt a dictionary to do
passwords."
The universities said they would warn their users to change their
passwords, and said other plans were under way to make intrusions more
difficult.
What did Iceman and company do with the passwords?
He said mostly, they enjoy reading other people's files and e-mail.
"Every once in a while," he said, "you get something interesting."
NET TIPS
Choosing a password: The cardinal rule of selecting a password is
never use a word or name. If you pick a password based on random letters
and numbers - khe235X, for instance - you'll never remember it,
though. One trick is to pick a name and substitute numbers for letters.
David could become da51d ("v" being the Roman numeral for 5, and "1"
being a common substitution for "i"). Others prefer to mingle symbols
such as * into the password, as in dav*id. Likewise, many computer
operating systems are case sensitive, so a hacker using a
dictionary-cracker program on the word "baseball" probably wouldn't
catch bAsEbAlL.
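
Added example, not part of the Newsday article: a proactive check that an administrator could run when a user picks a password, so that dictionary-derived choices are refused before they reach the password file. It folds case, reverses the look-alike substitutions and inserted symbols the tips mention, and also catches words cut to eight characters. WORDLIST, UNSUBSTITUTE and the function names are constructed for illustration.

```python
# Added example: proactive password check run at password-change time.
# WORDLIST is a tiny constructed sample; a real deployment would load a
# full dictionary and name list.
WORDLIST = {"computer", "friends", "christ", "antichrist", "stooge", "dragon",
            "superman", "hatred", "ripper", "baseball", "david"}

# Look-alike substitutions, reversed. "1" and "5" are ambiguous, so each
# maps to every letter it commonly stands for (assumed table).
UNSUBSTITUTE = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "sv",
                "7": "t", "@": "a", "$": "s"}

# Classic DES-based crypt(3), which produces the 13-character codes the
# article describes, looks only at the first eight characters.
MAX_LEN = 8


def candidates(password):
    """Return every lowercase string the password could be a disguise of."""
    forms = {""}
    for ch in password[:MAX_LEN].lower():
        if ch.isalpha():
            options = [ch]
        else:
            # A digit or symbol may stand for a letter, or be inserted padding.
            options = list(UNSUBSTITUTE.get(ch, "")) + [""]
        forms = {f + o for f in forms for o in options}
    return forms


def weak_reason(password, wordlist=WORDLIST):
    """Return the dictionary word the password reduces to, or None."""
    truncated = {w[:MAX_LEN]: w for w in wordlist}
    for form in sorted(candidates(password)):
        if form in wordlist:
            return form
        if form in truncated:
            return truncated[form]
    return None


if __name__ == "__main__":
    for pw in ["baseball", "baseba11", "bAsEbAlL", "da51d", "dav*id",
               "Antichri", "khe235X"]:
        word = weak_reason(pw)
        print(f"{pw:10} ->", f"reject (based on '{word}')" if word else "accept")
```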