Ever wonder how hard it is to become a hacker? I can tell you firsthand it’s probably easier than you may think.
It all started when I was testing Symantec’s Web clients for pcANYWHERE on my office network. I downloaded the software from Symantec’s site and ran it. Wonder of wonders, it worked perfectly — way cool and very impressive.
As I was about to leave for a conference I thought it would be useful if I could use pcANYWHERE to access my machines while I was away. So I decided to test it by dialling up an ISP and looping back to my office via my Digital Subscriber Line connection.
Imagine my surprise when I ran the applet and was given a list of six pcANYWHERE clients of which only one was mine.
Aha! Let’s see if anyone forgot to set a password on his or her copy. Lo and behold, there it was, 2 a.m. and one copy was unsecured. Suddenly I was observing the screen of someone else’s machine! Wild.
The owner was in the process of using a speech recognition system to dictate a letter to his girlfriend (no, nothing very steamy), and there at the bottom of the screen was his name (we’ll call him Ralph).
I think the reason I could see his name was that it was part of the training data loaded into the speech recognition system. I thought I should let him know he had a security problem, so I put the cursor in the window his spoken words were appearing in and typed “Yo, Ralph.”
Nothing. He did not notice. I tried changing windows to Notepad but the speech recognition system switched back to the first window.
So to get his attention, I switched to my word processor, typed a long message, copied it to my clipboard, copied my clipboard over to his clipboard, and pasted the message into his active window. This time he noticed. He immediately pulled the plug on his computer, and the connection vanished.
I felt bad. I’d freaked Ralph out, and there was no opportunity to explain. So how to find him? Well, I knew his IP address but that was not much use, so I went searching. Luckily he had an unusual last name, which made life easier.
I went to several search engines, including InfoSeek and AltaVista, and I found lots of dud leads (dead links and near misses). But eventually I hit pay dirt. I found a Web site and discovered what Ralph looks like (he has a picture of himself eating lobster) and that he is a scriptwriter. Then I went to switchboard.com and found him there, too.
From Ralph’s Web site I knew where he’d been on holiday and some other trivia of his life. From switchboard.com I had learned Ralph’s street address, telephone number and e-mail address. It had taken me all of 15 minutes.
So trying to be a nice guy, I sent him an e-mail message explaining what had happened, that I hadn’t done anything to his PC, and noting that he should password-protect his copy of pcANYWHERE.
Next day there was no reply, so I called him. We had a nonconversation.
I explained who I was (“Uh-huh,” he said), I assured him that I wasn’t a hacker, (“Uh-huh”), that I hadn’t done anything to his PC (“Uh-huh”), and that he should secure his system (“Uh-huh”). I explained that a hacker could have had a field day (“Uh-huh”) and, well, I hardly got a response.
Ho hum.
It was such a simple hole in his system and one that I could have exploited without him having a clue what was going on. On the other hand, he probably wouldn’t have been of much interest to a real hacker. But what if Ralph had been your chief financial officer? That could lead to all sorts of infiltrations into your corporate network. Frightening.
I would never have guessed that being a hacker was so damn easy.