http://www2.thestar.com/thestar/back_issues/ED19990403/news/990403NEW04_FO-HACKER3.html

April 3, 1999
By John Howell                

Hack attack: My search for Zyklon        
He infiltrated my Web site; I tracked him to his lair
My battle with the Nazi-inspired hacker Zyklon began on an ordinary Monday
last March. 

[Nazi inspired? There is no basis for that claim.]

At the time, I was computer network supervisor for a large Toronto
company. I received a call from a fellow employee, who told me he thought
the company Web site ``looked strange.''

I called up the site on my notebook computer, and what I saw stopped me in
my tracks. Scrawled across the corporate Web page, something which is
potentially viewed by tens of thousands of people, was the declaration: 

``THIS SITE IS 0WN3D BY ZYKLON!'' My site had been ``hacked,'' vandalized
by an electronic thug. 

He was very proud of what he'd done. He had named himself for Zyklon-B,
the gas used by the Nazis to exterminate Jews in the concentration camps
of World War II.  He wrote ``OWN3D'' instead of ``OWNED'' to imitate the
lingo favoured by gangsta rappers. 

[Nothing like unfounded claims and spewing the word 'nazi'
to get the masses hating this kid too. The '0wn3d's is not gangsta rapper 
derived either, but more 'young hacker' derived.]

I contacted our site's Webmaster and together we replaced the vandalized
Web page. But the implications of what Zyklon had done were much more
serious. 

The feeling of having been violated would not go away. I decided to track
Zyklon to his lair. 

I am a computer geek. I spend my whole day working on large computer
networks. I design, optimize and troubleshoot them. I love the way
computers work and when they don't it's even more fun to psychoanalyze
them. 

And I've been following hacking techniques since I started computing in
the early 1980s. 

A hacker exploits weaknesses within computer systems to access, modify or
destroy the information of the computer.  In most cases hackers will
embarrass a company by changing its Web page into a pornography page. The
more sophisticated hacker will access a computer and never let anyone
know. He - and it's almost always a ``he'' - just sits and watches and
learns, plotting destruction. 

[In most cases? For someone that has been "following hacking 
techniques since ... the early 1980s", this claim is absurd. How can 
you forget about over 10 years of no HTTP with which to deface a web site?
Do the last few years of overhyped web defacements really define
"most cases" over the previous decade of non-visible hacks? I don't think
so. Further, less than 5 percent of defaced web pages contain pornography.
This claim is pure unfounded hype. Last, "plotting destruction"? Since
most kids deface web pages as Mr. Howell points out, it leads to the 
conclusion that these kids are annoyances, but NOT destructive.]

Let's get this straight: Hackers are criminals, and smug ones at that. To
hackers, only their immediate team of hacker friends are ``elite.'' They
hold all other users of the Internet in complete contempt, calling them
``lamers.''

[All system designers and administrators are pompous assholes that
do nothing but make life difficult for the end users. Is that fair to say?
No. Yet these 'experts' continually make sweeping statements based on
a small percentage of a group.]

On the Internet you are never completely safe. It's like being an
excellent driver.  No matter how good a driver you are, another driver can
always crash into you.  The vast majority of hackers these days are
copycats following from recipe books of hacks, known as ``exploits.''

There are literally thousands of exploits a hacker can do, making it
pitifully easy to destroy or disable a computer system. 

[More FUD. Even though hackers CAN destroy or disable, the
fact that an incredibly small percentage choose to do it is important.
Hyping up that aspect is nothing more than FUD (Fear, Uncertainty and Doubt).]

After we fixed the damage to our Web site and closed the access that
Zyklon had used to change it, I got busy finding out about him. 
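The article never says how the defacement was noticed beyond a colleague thinking the site "looked strange." The following is an added example, not code from the article or from Mr. Howell, of the kind of check a site operator can run on a schedule: hash every page from a known-good copy, re-fetch the served pages, and flag anything that changed, disappeared, appeared unexpectedly, or contains a defacement string such as the ``0wn3d'' the article quotes. The page contents and paths below are constructed for the example; in practice the current pages would be fetched from the live server.

```python
import hashlib
import re

# Constructed sample data (not from the article): a known-good snapshot of
# the site and what the server is currently returning. The index page here
# carries the kind of banner the article describes.
BASELINE_PAGES = {
    "/index.html": "<html><body><h1>Acme Corp</h1><p>Welcome.</p></body></html>",
    "/about.html": "<html><body><h1>About Acme</h1></body></html>",
}
CURRENT_PAGES = {
    "/index.html": "<html><body><h1>THIS SITE IS 0WN3D BY ZYKLON!</h1></body></html>",
    "/about.html": "<html><body><h1>About Acme</h1></body></html>",
}

# Strings that typically appear in defacement banners. "0wn3d" is the spelling
# quoted in the article; the others are assumed common variants.
DEFACEMENT_MARKERS = [r"0wn3d", r"hacked by", r"owned by"]
MARKER_RE = re.compile("|".join(DEFACEMENT_MARKERS), re.IGNORECASE)


def sha256_hex(text: str) -> str:
    """SHA-256 digest of a page body, used as its integrity fingerprint."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(pages: dict[str, str]) -> dict[str, str]:
    """Record one digest per path from a known-good copy of the site.

    Only the digests need to be kept (ideally somewhere the web server
    cannot write), not the page bodies themselves.
    """
    return {path: sha256_hex(body) for path, body in pages.items()}


def check_site(baseline: dict[str, str], current: dict[str, str]) -> list[dict]:
    """Compare the served pages against the baseline and report anomalies.

    Returns one finding per path that is missing, unexpected, modified, or
    (even when unchanged) contains a defacement marker. Each finding carries
    the lower-cased markers seen so an operator can triage at a glance.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append({"path": path, "reason": "missing"})
            continue
        body = current[path]
        markers = sorted({m.lower() for m in MARKER_RE.findall(body)})
        if path not in baseline:
            findings.append({"path": path, "reason": "unexpected", "markers": markers})
        elif sha256_hex(body) != baseline[path]:
            findings.append({"path": path, "reason": "modified", "markers": markers})
        elif markers:
            # Hash matches, so the baseline itself contained the marker:
            # the snapshot was probably taken after the defacement.
            findings.append({"path": path, "reason": "marker-in-baseline", "markers": markers})
    return findings


if __name__ == "__main__":
    for finding in check_site(build_baseline(BASELINE_PAGES), CURRENT_PAGES):
        print(finding)
```

Run against the constructed data, the only finding is `/index.html` reported as `modified` with marker `0wn3d`; `/about.html` is silent because its digest still matches. The hash comparison catches any change, including ones that use no recognisable banner, while the marker scan is a cheap second signal and a way to notice that a baseline was captured too late.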

I began by making many, many searches on my favourite Web search sites,
Yahoo! and AltaVista. I typed in search terms ``Zyklon,'' ``0wn3d,''
``hack'' and other words, scouring the Internet for other examples of
Zyklon's destruction. 

He had been a very busy vandal. My searches showed he had hacked hundreds
of Web sites in Canada, the U.S. and around the world, targeting such
major government operations as NATO, the United States Information Agency
and the 21st Century U.S. Government site, which is dedicated to
``transforming governments in the 21st Century.''

The targets varied from small interest groups to big government agencies.
In some cases home pages had been changed to porn.  In others Zyklon had
created a greeting card to his hacker associates and in still others he
had caused their Web page to be ``mirrored'' - electronically linked - to
an anarchy site in Sweden. 

[Every case listed is non-destructive. Not once can Mr. Howell
identify a site that was destroyed.. yet all previous descriptions of
Zyklon's work were done with words like "destroyed", "destruction", 
and "harmed".]

I learned that a certain U.S. state's Web site was so open, anyone who
knew this could send out press releases posing as the state governor. 

A knowledgeable and determined hacker can access a Web server completely
through a Web browser, the navigation program used to surf the Net. This
``exploit'' uses a back door (a login that bypasses security)  to give
access to the Web site's main computer server. 

[No exploit requires JUST a browser to change a victim's web
page. Mr. Howell also starts the classic blunder of many experts, mixing 
terminology. An exploit is not a backdoor. An exploit allows illegal 
access to a site the first time, while a backdoor is planted by the
intruder to allow CONTINUED access.]

Changing the company's site is as simple as typing in a single short
command such as ``This site is 0wn3d by Zyklon'' to a Web page from the
Web browser. 

[This statement makes it abundantly clear that Mr. Howell
has no knowledge of web browsers, HTTP, or hacking. At all. End of story.
Any claims otherwise can be proven by changing the ATTRITION page by
using nothing more than a browser. It simply is not possible to just
magically type in a new page from a browser.]

A common attack is to create a program that will send the hacker your
password then delete itself. It does its work by asking you to enter your
password, just as you would do everyday. 

The way this would look is that the computer would say: ``Login,'' a
prompt most computer users see on their screen at least once a day. 

You would then type in your computer access name, receiving back the
message ``Incorrect Password.'' You would then retype your password,
thinking you'd made a mistake the first time. What you would really have
done is fed your password and login name to a hacker. 

I noticed that on some of the sites Zyklon had hacked there was mention of
what looked to be a chat group, a place where computer users congregate
online to gab, via a system called Internet Relay Chat (IRC). 

The tip-off was the electronic signature ``#pascal.'' It meant the chat
group's name was ``Pascal,'' named after a computer programming language
developed in the 1970s. 

I did a search of some common IRC groups - also called channels - and not
only found Pascal, I also found Zyklon. He was the owner of the channel. 

[On EFNet IRC, channels are not 'owned' by anyone. Some channel
members have 'op' status, meaning they (among many others usually) can control
certain aspects of the channel.]

When I entered his realm I was immediately tagged as coming from a site
that he had hacked. My nickname that I had given myself for the chat was
``Roadkill'' - which I figured was appropriate, seeing as how Zyklon had
tried to run me over. 

An automatic look-up called a ``bot'' - short for robot - told Zyklon who
I was.  It was the equivalent of walking through a metal detector. 

[A 'bot' is an autonomous piece of software that is designed
to perform one of many functions. These 'bots' are not automatic look-up 
programs like suggested. Zyklon most likely executed a command all by himself
like "/whois roadkill", which would have shown him the information. This
is IRC 101.]

``Heh, heh,'' he chortled, as I entered the chat group. 

Zyklon started bragging to his Pascal cronies about the information he had
stolen from me. 

``The Webmaster's password (at my company)  is: ``getout! Ha, ha.''

I didn't rise to Zyklon's bait. I held back - ``lurking,'' as it's called
- to see if Zyklon would further implicate himself. 

``You got in?'' said another Pascal member, identified as ``Crystalin.''

``Getout!'' he said, repeating my password. ``Laugh out loud! Someone's
getting sick of me.''

``Heh, heh,'' Crystalin chortled. ``What, did they see you?''

``No, usually not,'' Zyklon replied. ``But they know when someone is there
working their magic.''

``You think Roadkill is snooping on us?'' Zyklon asked. ``Cause he found
my eggy?  (short for ``egg drop,'' another term for a hack attack). Or do
you think he's just got a (corporate) address for no reason?  Heh, heh.''

['eggy' or "egg drop" is a type of bot. It has nothing to do with
a "hack attack". Once again, this is Hacking 101 and IRC 101. Zyklon's
comments hint that he may have been running an eggdrop bot off the hacked
site. If the admin found Zyklon but not because of the bot, he has a serious
deficiency in administrative skills.]

Zyklon turned to another Pascal member, named ``Fluxx.''

``Fluxxy!'' he said. ``I think someone's trying to find me!''

I had just done my own look-up on him.  Zyklon knew it, but I got the
information I was looking for. I could see where he was logging in from. 

[When someone does a lookup on you via IRC, you are not notified
of the lookup. Short of hacking the IRC server and modifying it to 
alert you (extremely rare), this is completely false.]

This told me what his Internet service provider was and the ID he was
logged in as. This was telling exactly where he was on the Internet,
although at this point I still didn't know his real name, or what city he
was living in. 

[Or anything else, as he may have been spoofing, using a hacked
account, or a number of other things that could mislead you.]

``Hey Roadkill,'' Zyklon said, addressing me directly. ``Go to your Web
site.'' He wanted me to run a particular network utility that would look
up his Internet address. 

[Let's examine this statement closely. "Go to YOUR web
site". This seems pretty clear to me. Zyklon is asking Howell to load a 
browser and go to his own site. This has NOTHING to do with looking up 
Zyklon.]

I remained silent and waited. 

``Oh wait! I deleted it!'' Zyklon crowed, taunting me. 

He went on to admit that he had hacked my site. 

``We just hack (he named my company again)  all day, that's what we do . . .''

Zyklon was crowing, but the victory was mine. I had located him and got
him to admit his crime. 

I now had enough information to take this into a legal setting. I talked
to a lawyer. The lawyer contacted the FBI computer crimes department.
Unfortunately, after an initial interest, no one at the FBI seemed too
interested. This lack of interest frustrated me. 

I even had trouble convincing people that they'd been hacked by Zyklon.
Unless they could see the damage he'd actually done, they wouldn't believe
me. One site operator wouldn't believe me until I read him his password
file over the phone. 

I knew I had everything to nail Zyklon. I had the times and Internet
location and address for him. By October, I had his real name and age. He
was then 17 years old and living in the western United States. 

But there it lay for about three months. 

Early this year a close friend of mine contacted me and let me know that
he was talking with an associate who had told him that his company had
been hacked. Out of curiosity, he asked for the hacker's name. 

When he heard the name Zyklon bells went off. My friend remembered all the
stories I had told him about my search. 

I sent my friend's contact an e-mail file with all the data I had on
Zyklon. I did this in the hope it would finally stop him. 

Since I'd last checked on him, Zyklon had been busily hacking in Toronto,
Florida, Japan, Los Angeles and many other cities and countries. 

My friend's friend discovered that a company in Florida was being hacked
and sent them an e-mail warning them.  Unfortunately, the Florida company
was just trying to find out why their computers had crashed. He got a call
back within hours. The FBI had been called in. 

They set up a trace on the company's Internet access and monitored all the
Internet sessions. Zyklon was not quite finished with the site in Florida,
but he soon would be. 

The FBI captured the full hacking session and Zyklon's Internet address,
his electronic fingerprints. 

Last week, they moved in and arrested Zyklon. He is now being charged with
computer crime offences. U.S. federal law allows every state a hacker
passed through on the Internet to press charges. 

[It does? And how do they determine what states it passed through 
since routes can be dynamic? Even IF that is the case, it does NOT work
like that. Federal charges are not state dependent.]

His computer equipment has been taken away. And apparently, his parents
are really upset. 

Justice may be delayed, but when it comes it can be so sweet. 

=-=

John Howell is a computer systems expert.

[Expert?!]