Piggybacking and Impersonation

It’s bone cold outside, the stranger looks harmless, and you let him in as you unlock the doors of your apartment building one night. The next day all the old ladies in the lobby are talking about a burglary.

You fret. Rightly. You may have let a criminal succeed in piggybacking his way behind you into the building.

It’s happening, too, in computer rooms, which crooks use similar tricks to enter.

That’s physical piggybacking. The electronic kind, rare, can happen this way. You punch in a password or key on your terminal and hook up with the computer, unaware that the piggybacker has a hidden terminal connected to the same phone line. Perhaps you haven’t signed off properly. The computer keeps the connection going, and the piggybacker “rides” on.

Impersonation is what it sounds like, and it can be physical or electronic.

Leslie D. Ball, a Massachusetts consultant and college professor, once illustrated computers’ vulnerabilities to such tricks. “Why is it more difficult to rob a bank of $2,500 than to steal millions from its computer?” he asked, and quickly answered the question.[[52]]

“During a security consulting project at an Atlantic City hotel,” Ball said, “I spent the evening with an associate in the casino. At about eleven p.m. we headed for our rooms, but the elevator stopped where the computer center was located, and we decided to look around. The door marked ‘Computer Center—No Admittance’ was locked but had a bell beside it. A computer operator opened the door when we rang, letting us in without a word. For the next ten minutes we wandered through the center without speaking to the operators on duty.” In effect, by acting as if they belonged in the room, Ball and the associate were impersonating authorized people. “Finally,” he recalled, “we said, ‘Thank you’ and left. They were lucky we were not disgruntled heavy losers!”

A real impersonator, an ex-college professor named Stanley Mark Rifkin, passed himself off as a bank branch manager to steal $10.2 million. He bought diamonds in Switzerland. The law caught up with him only because, like many bright, cocky computer crooks, he bragged. That wasn’t all. “While awaiting trial,” Ball says, “he attempted a fifty-million-dollar transaction from another bank. When apprehended, Rifkin told a reporter that he thought he finally had all the bugs worked out.”

Rifkin was just another example of an ordinary man using legally acquired skills to commit an illegal act.

However smart, and despite his background as a computer science professor-consultant, he was hardly a genius. “Master criminal?” asked H. Michael Snell, a publisher who’d dealt with him.[[53]] “I could sooner imagine a smoking gun in the hands of Winnie the Pooh. In fact, Stan resembled Pooh Bear: short, stocky, paunchy from too much good food and wine, a deeply receding hairline above an intelligent, sloping forehead. Quiet, unassuming, not the kind of guy who’d stand out at a cocktail party.” Rifkin was good at puzzles, at problem solving, but as Snell and others agree, that’s true of all talented programmers. You could say the same, too, of first-rate accountants and engineers. Rifkin’s case made me think of Hannah Arendt’s phrase about Adolf Eichmann, applied not to the Nazis but to garden-variety crooks within the computer field: “the banality of evil.”

Rifkin’s take happened to be larger than most. But his mind-set was the same.

Snell said, “He shared the dreams of many academics who feel blocked from great success and wealth, and he loved ‘get-rich-quick’ stories, such as a friend who struck gold in California real estate or the Silicon Valley’s overnight millionaires.”

Greed, however, isn’t the only motive. “People who like computers are games people,” John Lewis, the FBI agent, told me, “and they like challenges. It’s ‘me against the machine.’ You give them a computer and say you can do anything but that, and that’s the first thing they’re going to do. You go back to the Book of Genesis in the Bible where God said, ‘You can do anything in the Garden of Eden but eat from that tree,’ and what’s the first thing people did?” We were in a windowless, fluorescent-lit room at the FBI Academy in Quantico, Virginia, where Lewis lectured on computer crime. He looked at a fellow instructor, a tall, alert man who started out in the bureau not as an agent but as a programmer. “I’ve seen Ken get ahold of material. Like this one program that said it couldn’t be copied. Now he didn’t care what the program did. The first thing he did was copy it. Because they said he couldn’t do it. And he did it.”

I thought of John and Ken three weeks later when I picked up a copy of Technology Illustrated magazine.

A stranger in Quantico, Virginia, it seemed, was dialing up the electronic bulletin boards on which computer pranksters sometimes left messages. The bulletin boards were a form of electronic mail. Callers could write out their thoughts for friends or anyone checking up on the highest-numbered entries. The mysterious computer dialer from Quantico, however, would just read, never send. Aware of the FBI Academy’s location, one of the pranksters posted a friendly suggestion on a board.

He invited the Quantico caller to subscribe to the TAP newsletter—said to be “to phone phreaks what the Wall Street Journal is to stockbrokers.”

TAP stands for a group named the Technology Assistance Program, a successor to Youth International Party Line (YIPL), whose own radical pedigree goes back to Abbie Hoffman’s Yippies. “Al Bell” and Hoffman started YIPL. It was a high-tech display of Hoffman’s Steal This Book philosophy, there being, however, a serious problem, one shared by society at large. The technocrats usurped the politicians.

They were, reportedly, “more interested in blue boxing Ma Bell than in pushing politics.” Cheshire Catalyst, who was editing the TAP newsletter when I talked to him, said, “You don’t have to be a phone phreak to read us—but it helps.”

Lindsay L. Baird, Jr., a tough, no-nonsense consultant with famous corporate clients, told me TAP was a serious threat. “They’re now using micro systems to test the 800 numbers methodically to see which ones have computers on them,” he said of some TAP people. The corporate computers whine their strange mating call no matter who dials up, saying electronically, “I am here, I am a computer, I am ready.” You might say they’re like an unlocked, unattended BMW left with the motor running in New York City. And Baird claimed, rightly or not, that TAP has some political zealots mixed in with the technocrats and that they could indulge in large-scale computer zapping over the next few years.

The TAPpers’ side was this: they illegally logged on to networks like Telenet and the feds’ because they couldn’t stand seeing expensive computer time go unused. “Nobody wants to pool it as a computer utility and make it available to everyone because it would probably not make a profit,” groused “A. Ben Dump” in the newsletter. Cheshire portrayed TAP to High Technology as basically just pranksters, at least in his case. “Good grief!” Cheshire once ghost-wired to a Telex machine; “I seem to have reached Adelaide, Australia. This is just a computer hacker in the United States out for a good time.” The TAPpers said they were against the Bell bureaucracy, not America at large, and, in fact, censored an article submitted to their newsletter telling how to build an H-bomb. “Among other things,” Cheshire worried, “anyone using that technology is going to take out the phone network.” I still wondered. Would TAP have printed the article if a way existed to H-bomb the countryside without toppling any microwave towers?

■ ■ ■

Hacking: An Addiction to Be “Squelched”?

With WarGames-style break-ins in mind, someone once called hacking an addiction to be squelched.

That’s wrong. Hacking is more an addiction to be tamed.

The term “hacking,” perhaps born at M.I.T., just means someone who hacks away at computer problems until he solves them. Many hackers for some reason or another love Chinese food. Sooner or later a computer-crime expert will link computer addiction to ODing on monosodium glutamate.

Cheshire Catalyst is a prototypical hacker in many ways. He’s a thin, bearded man in his twenties, extrapolite, who, when I saw him, was in Washington for an aeronautics and space gathering and wore a Space Shuttle tie and an Apple pin. His nickname indeed came from the grinning, vanishing cat in Alice’s Adventures in Wonderland. Proudly he told me how his clock ran counterclockwise. Cheshire said he hoped someday to meet another backward-clock buff, Grace Hopper, a distinguished military officer who helped give the world the COBOL computer language.

Cheshire might find even more of a soulmate in Steve Wozniak, the Apple cofounder, who is perhaps one of the world’s leading hackers—in addition to having been a phone phreak in his time. “Woz” and a friend snooped on computers across America. The friend was John Draper, a bearded, somewhat maniacal-looking man who earned the nickname Cap’n Crunch because he used prize whistles from cereal boxes to steal free long-distance calls by way of a tone at exactly the right frequency. Later, Crunch wrote the EasyWriter word-processing program used on the Apple and later the IBM PC.

On balance Cheshire thinks that hackers do more good than harm. “Let’s say you have money in a bank,” he says. “Wouldn’t you rather that a hacker get into its computer than a criminal did? He could warn the bank. If I had money at a bank, I’d feel safer with hackers checking out security.”

Well, it depends. Some hackers are nothing more than electronic vandals. Some are a privacy threat; they’re doing the equivalent of spying on mail and tapping phones.

Still, talented hackers may become real assets to corporations. They’ll care infinitely more about your computer system—and all its quirks—than will programmers working nine to five for the money alone. Just a little oversimplistically it’s been said that you can befriend a hacker merely by supplying a computer with enough RAM, encouragement, a long leash, and lots of chow mein.

■ ■ ■

The TAPpers, depending on your viewpoint, came across in Technology as reassuringly or distressingly middle class. Cheshire at the time of the article was teaching computer skills at a large corporation. “VAX-man”[[54]] worked as a computer programmer, “The Librarian” as a systems analyst, and another was, of all things, a middle manager for a defense contractor; indeed, every member reportedly boasted a technical background. Most, I suspect, perhaps nearly all, didn’t see themselves as criminals.

“We’re just an information service for the people,” said one.

Well, okay. Maybe it’s good that if G-men want to bone up on the latest electronic tricks, they need only log on to hackers’ bulletin boards and read the TAP newsletter. Still, how many crooks have the same idea?

TAP’s another indication that for the criminally greedy the “data cookie jar,” as it’s been called, is out there.

Lindsay Baird scoffs at computer trade associations’ efforts to play down the problem. And he fires back with statistics of his own. “I’ve worked on thirty-five or forty cases,” he says, “and only one was reported to authorities.” The loot ranged from $40,000 to $29 million. And Baird, dismayed that some computer criminals’ sentences are more shoplifterlike than adequate, jokes, “My wife tells me I ought to commit a crime.”

“The security problems with computing systems in the 1960s was like a balloon deflated,” he says, “and you could hold it in your hand. But now it’s like a huge balloon inflated. Or a big bowl of Jell-O.

“You just can’t handle it now, and the manufacturers have got to be concerned.”

Of course you should remember that most corporate data are far from sensitive, that only the most self-important executive would view everything as a national-security secret. Also, Baird is hardly hurting his bank account in sounding the computer-crime alarm. Still, he’s basically right in saying that computer buyers with sexy data of interest to thieves now may have three choices:

1. Burden programmers and others with electronic versions of heavy padlocks.

2. Keep their computer systems easy to use—and vulnerable. (“Then you’re going to get raped.”)

3. Compromise. (“You get half raped.”)

Baird doesn’t blame just the manufacturers for some computers’ sievelike leaks. “Business isn’t willing to pay the price to secure systems,” he says—a complaint echoed in effect by the Computer and Business Equipment Manufacturers Association (CBEMA). It acknowledges the present clash between security and ease of use of computer systems. “If a computer could be designed with various levels of security as options, computer security might well be a marketable commodity,” said a statement from CBEMA to a trade magazine. In recent years there has been much more research in this area, and when 32-bit micros become the norm, it will be much easier to beef up security.

When crimes do happen on existing systems, they’re often covered up by top executives panicky over going to court or jail.

How’d you like to be the chairman of a corporation faced with an ugly data-security scandal—and the possibility of a stockholders suit? You needn’t be in the scandal personally. Your stockholders could charge you with malfeasance, if not misfeasance, for letting it happen. So could the Securities and Exchange Commission and other feds. When companies hush up computer crimes, it’s not necessarily for high-minded reasons such as protecting assets by playing down vulnerability to electronic crime. Consider Baird’s experiences.

Called to a New England firm to do routine theft prevention, Baird merrily put himself on the payroll—not to steal but to demonstrate system weaknesses.

“I also,” he says, “nicked the vice-president for participating in a $400,000-a-year kickback.”

At another company, an accounting firm did the books at year’s end and had to make an adjustment of $1.2 million. “Then,” said Baird, “we went in some more and really did a number on that company. And we came up with $4.5 million in proven losses. And it all had to do with their computer system.”

But, you’re wondering, how about that crook who stole $8 million and got away with it?

The story—perhaps apocryphal but told in the sedate Smithsonian magazine—is that bank officials confronted the thief in a restaurant over breakfast.

He coolly confessed. If they tried to jail him, why he’d blow the whistle on the bank’s vulnerable computer system. And it would cost more than $8 million to fix.

So the bank officials just asked him to step down quietly.

Leaving the table, the crook smiled.

“I’ll keep the eight million,” he said, “but I’ll pick up the tab for breakfast.”

Definitely, then, Donn Parker was on target when he once called computer security “first and last a people problem.”