How hackers cover their tracks


January 25, 1999
Web posted at: 6:39 p.m. EST (2339 GMT)

by Stuart McClure and Joel Scambray


(IDG) -- Ever wonder how hackers can spend so much time online and rarely get caught? After all, everything they do on the Internet should be logged, right? Web hits, FTP sessions, Telnet connections, newsgroup postings, burps, and coughs should all be traceable, right? Then how do they pillage and plunder with such ease?

In the good old days, compromising university or government accounts and using them to bounce around the Internet was widespread. Hackers still use these techniques, but they cover their tracks. Temporary guest accounts, unrestricted proxy servers, buggy Wingate servers, and anonymous accounts can keep hackers carefree.

Hackers can become invisible on the Internet by obtaining a test account from an ISP. A hacker can call a small ISP, profess interest, and open a guest account for a couple of weeks by giving false information. Then, using Telnet from that throwaway account, the unwanted guest can hop to any other compromised account, so whatever trail the victim logs leads back only to the false registration details.


University computers are notorious for their easy accessibility to the public. Hackers can take advantage of the lack of monitoring to store the majority of their scripts and tools on the university system. And many universities give out free shell or Internet accounts to "students" supplying little more than a valid name and student registration number.

From there they can exploit old Wingate servers that allow Telnet redirection by default. Discovered in early 1998, this bug permits unfettered Telnet access to anyone on the Internet through a Wingate proxy server, and the target sees only the Wingate host's address in its logs, not the hacker's. The bug has been fixed, but many sites have not yet applied the fix. Scanning a list of Wingate servers discovered at a popular hacker Web site, we found at least five (out of 127) machines still vulnerable to this bug. If you use Wingate, be sure to download Version 3.0, which fixes this and other problems.

Anonymous surfing

Proxy servers let small organizations protect their internal systems. But an improperly configured system can be vulnerable. Be sure to scan the external interface of your proxy servers. Check for open ports, especially ports 80 (unless you are Web publishing), 3128, 8080, and 10080. An open port alone is not proof of a problem; confirm by sending a request through the proxy from an outside address and checking whether it relays. Out of 282 systems we scanned, more than one half (151) provide proxy services to the world. All Internet users have to do is change proxy settings in their Web browsers to an available proxy server, and it's clear sailing.
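The check described in the preceding two paragraphs (find the listening ports, then see whether the service on each will relay a request for an outside URL) can be scripted. The following is an added example written for this page, not code from the authors or from Wingate; it assumes a hypothetical outside URL (http://example.com/) as the relay target and, so that it runs offline, starts its own loopback stand-in for a misconfigured proxy instead of touching a real one.

```python
import socket
import threading

# Ports the article tells you to check on a proxy's external interface.
PROXY_PORTS = (80, 3128, 8080, 10080)

# Hypothetical outside URL the proxy is asked to fetch on our behalf (assumption).
PROBE_URL = "http://example.com/"


def build_probe(url=PROBE_URL):
    """Build an HTTP/1.0 GET with an absolute URI, the request form a proxy relays."""
    host = url.split("/")[2]
    return f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_response(data):
    """Turn the raw bytes a port sent back after the probe into a verdict string."""
    if not data:
        return "closed-or-silent"
    status_line = data.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/"):
        return "not-http"
    fields = status_line.split()
    if len(fields) < 2 or not fields[1].isdigit():
        return "malformed-http"
    code = int(fields[1])
    if 200 <= code < 400:
        # Something answered for the outside URL: an open relay, unless this is
        # port 80 on a real web server, which also accepts absolute URIs.
        return "open-proxy"
    if code in (403, 407):
        return "proxy-refused"  # a proxy is there but will not relay for us
    return f"http-{code}"


def probe(host, port, timeout=3.0):
    """Connect to host:port, send the probe and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_probe())
            data = b""
            while len(data) < 4096:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
            return classify_response(data)
    except OSError:
        return "closed-or-silent"


def scan(host, ports=PROXY_PORTS, timeout=3.0):
    """Probe each port once; returns {port: verdict}."""
    return {port: probe(host, port, timeout) for port in ports}


def start_mock_open_proxy():
    """Loopback stand-in for a misconfigured proxy (demo scaffolding only).
    It discards the request and answers as if it had fetched the URL.
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                             b"<html>relayed by open proxy</html>")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_open_proxy()
    print(f"mock open proxy on 127.0.0.1:{port}")
    # Port 1 is assumed closed, so the scan shows one relay and one dead port.
    for p, verdict in scan("127.0.0.1", ports=(port, 1)).items():
        print(f"  port {p}: {verdict}")
```

Run it against a real external interface with `scan("your.proxy.addr")` from a host outside your network; a verdict of "open-proxy" on 3128, 8080 or 10080 is the condition the authors found on 151 of 282 systems. On port 80 the verdict is ambiguous, because an ordinary web server answers an absolute-URI GET with its own page, so compare the body against what the probe URL really serves before calling it a relay.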

Some Web sites offer free anonymous Web surfing, which is a boon for all of us privacy paranoids out there, but a nightmare for law enforcement. Both CyberArmy and Anonymizer offer free, albeit slow, anonymous Web surfing. Connecting to a Web page through their free services will mask your identity. Connecting through Anonymizer, the Web server you visit logs the following identity:

Connect from [] (Mozilla/4.5 [en] (TuringOS; Turing Machine; 0.0))logged.

And from CyberArmy's redirector server you get this identity:

Connect from s214-50.9natmp [] (Mozilla/4.01 (compatible; NORAD National Defence Network))logged.

TuringOS and NORAD National Defence Network are spoofed User-Agent strings, not real systems. The service substitutes them for the browser and platform details of whoever is behind it, so the log entry identifies the anonymizing service rather than the originating system.
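Because the substituted User-Agent is the one constant in those entries, it is also the simplest way to find anonymizer traffic in your own logs. The following is an added example for this page, not code from the authors; it assumes the "Connect from ... logged." line format shown above, with the bracketed field holding the source address, and the sample lines it runs on are constructed (documentation addresses, not real hosts).

```python
import re

# Constructed sample log lines in the "Connect from ... logged." format shown
# above. Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Connect from [192.0.2.10] (Mozilla/4.5 [en] (TuringOS; Turing Machine; 0.0))logged.
Connect from s214-50.9natmp [198.51.100.7] (Mozilla/4.01 (compatible; NORAD National Defence Network))logged.
Connect from dialup-22.example.net [203.0.113.5] (Mozilla/4.5 [en] (Win98; I))logged.
Connect from [203.0.113.9] (Mozilla/4.5 [en] (TuringOS; Turing Machine; 0.0))logged.
this line is not a connection record
"""

# Optional hostname, bracketed address, then the User-Agent in parentheses.
LINE_RE = re.compile(
    r"^Connect from (?:(?P<host>\S+) )?\[(?P<ip>[^\]]*)\] \((?P<ua>.*)\)logged\.$"
)

# User-Agent fragments the article shows for each service. The agent string is
# spoofed on purpose, so it fingerprints the service, not a browser.
ANONYMIZER_SIGNATURES = {
    "Anonymizer": ("TuringOS", "Turing Machine"),
    "CyberArmy": ("NORAD National Defence Network",),
}


def parse_line(line):
    """Return {'host', 'ip', 'ua'} for a connection record, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def identify_service(user_agent):
    """Name the anonymizing service whose signature the User-Agent carries, if any."""
    for service, fragments in ANONYMIZER_SIGNATURES.items():
        if any(fragment in user_agent for fragment in fragments):
            return service
    return None


def audit(log_text):
    """Walk a log; return (flagged_records, per_service_counts, skipped_line_count)."""
    flagged, counts, skipped = [], {}, 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1  # not a connection record; count it so gaps are visible
            continue
        service = identify_service(rec["ua"])
        if service:
            rec["service"] = service
            flagged.append(rec)
            counts[service] = counts.get(service, 0) + 1
    return flagged, counts, skipped


if __name__ == "__main__":
    flagged, counts, skipped = audit(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ip']:15} via {rec['service']:<10} UA={rec['ua']}")
    print("counts:", counts, "skipped:", skipped)
```

The point of the signature table is the caveat the article makes: a hit tells you a request came through Anonymizer or CyberArmy, and nothing more. The address in brackets is the service's, so the record is a place to begin, not an answer, and the signatures are only as current as the strings those services choose to send.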

Lucent also has a proxy server meant to protect your privacy. Like the others, the Lucent Personalized Web Assistant can make you anonymous by tunneling all of your Web traffic through its proxy server. The only difference with Lucent is you must provide your e-mail address to sign in.

Anonymous service providers such as Anonymizer and Lucent have the right intentions -- protecting your privacy -- but like any shield they can be abused. Services such as these can be a hacker's dream. Anonymizer offers Internet security and privacy for corporate customers and individuals, and effectively makes them invisible: it does not pass cookies, it blocks Java and JavaScript, and it strips identifying strings such as the browser's User-Agent from requests.

To its credit, Anonymizer severely limits to whom it gives shell accounts. But at $7 a month, anyone with a good story should be able to obtain one. It keeps logs for 48 hours but does not record the source IP address. To guard against abuse, Anonymizer will shut down service to a particular Web site if abuse is reported. But with no source IP logging, it cannot single out the offender and must shut down service to that site for all customers.

Privacy cheerleading

Don't get us wrong, we are the first to jump on the privacy bandwagon whenever it rolls by, but at what cost? Even if all of the software bugs contributing to anonymous connections are fixed, more and more ISPs will inevitably offer anonymous connectivity. How will you defend your site against the possible onslaught of phantom hack attempts? Will logged IP addresses quickly turn into ghosts offering little more than a place to begin? Let us know at

Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.

© 2000 Cable News Network. All Rights Reserved.