How do people like Sean Parker break into computer networks?
September 9, 2010 9:34 AM

Computer security people: what did Sean Parker actually do when he was 16 to break into various computer networks?

In the recent Vanity Fair profile of Sean Parker, it describes him breaking into various computer networks worldwide when he was 16:
The teenager had been sitting in the family den, all night, drilling deeply into the bowels of a Fortune 500 company, which he refuses to name. Back then he had a hobby, he says, of hacking into different sorts of organizations, keeping a file of .com, .edu, .mil, and .gov Internet domains he had penetrated in various countries around the world. His goal was to break into one of each type in a laundry list of countries. He claims that once inside he usually alerted the system administrator—from his or her own e-mail—to vulnerabilities he had discovered.
Would someone who is familiar with this world be kind enough to explain the types of things he was doing to a non-specialist? How is it possible that a particularly bright 16-year-old was able to do this, and confound security systems on the side of the people whose networks were compromised?

I am very curious about this world which is completely dark to me.
posted by StephenF to Computers & Internet (21 answers total) 14 users marked this as a favorite
 
Best answer: It's probable that the main reason he was able to do it is that the sites were poorly maintained and insecure. This is all too often the case today, too. A recent survey of the US Computer Emergency Response Team network found 1,085 instances of 202 high-risk security holes. Thus, one of the groups responsible for maintaining and handling computer security issues is itself quite insecure. Government computer networks routinely get abysmal grades for computer security.

Anyway, there are all kinds of security vulnerabilities. One of the most common is actually social engineering, or "manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques."

Given the right tools it's really quite simple to crack an insecure machine or network. Combine a scanner like Nessus to find vulnerable machines and automated cracking software like Metasploit and it's basically point and click. The slightly harder part is covering one's tracks, but using anonymizing proxies, 'borrowing' insecure wireless networks, using unmonitored public terminals, etc, can make it easier.
posted by jedicus at 9:48 AM on September 9, 2010


Most likely he was taking advantage of people who chose stupid passwords. I once read a book called "Out of the Inner Circle" written by a reformed hacker, and he said that a simple dictionary attack was surprisingly effective, and the dictionary didn't have to be very long. Their experience was that the two most common passwords were "sex" and "secret".

If Parker really was doing what you say, then it was in the mid-1990s and back then few systems were set up to reject easily-guessed passwords.

It's long been known in security circles that the weakest link is between the keyboard and the chair.
posted by Chocolate Pickle at 9:51 AM on September 9, 2010


A few things to consider:

He's 30 now, so this was 14 years ago or 1996 and the internet was a different place back then. Security was cobbled together and best practices weren't well defined.

Also, he sounds young, but a 16-year-old hacker back then was probably much more internet-savvy than the people who were defending the systems he was attacking, who had learned their chops on the pre-internet computer systems. The 16-year-old also had much better resources: he was talking to people all over the world discussing ways to break in, while the administrators were not.

Also, breaking into .mil and .gov domains is generally not as exciting as it sounds. The military and government are bureaucracies and most of what they do is terribly boring.
posted by smackfu at 9:53 AM on September 9, 2010


Best answer: If you want some specific, easy to understand examples, here are a couple:

1. Default passwords. A lot of software used to come with a simple default password (and a depressing amount still does), and users were able to install the software without setting a new password. Inevitably, many users left the default password in place, so 'hacking' the system is as simple as knowing the default password and logging in through the front door, so to speak.

2. Weak passwords. Many users set very weak passwords, for example words found in the dictionary or short combinations of random letters and numbers. A computer can try every word in the dictionary and all possible short passwords very quickly. If the system doesn't lock out users who get a password wrong over and over, it can be easy to find the password through brute force.

3. Man in the middle. Suppose Alice wants to talk to Bob over a network. Now suppose Mallory can 'listen in' on their conversation because Mallory has access to a computer in between Alice's and Bob's on the network. If Alice and Bob don't use an appropriate encryption scheme, then Mallory can do all kinds of evil things. For example, Mallory can eavesdrop, but Mallory can also manipulate the conversation:

Alice sends: "Set the new password to your birthday (which Mallory doesn't know)"
Mallory intercepts the message and changes it to: "Set the new password to MalloryIsAwesome"
Bob sets the password to MalloryIsAwesome, and now Mallory knows the password

Other kinds of vulnerabilities require a little more understanding of the way computers work under the hood to explain.
posted by jedicus at 9:59 AM on September 9, 2010
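The dictionary attack that Chocolate Pickle describes above (short wordlist, "sex" and "secret" near the top) and jedicus's point that it only works when the system doesn't lock accounts after repeated failures, as an added example that is not code from this thread. The password store, salts, accounts and wordlist are all constructed for the example; real 1990s systems used crypt(3) rather than salted SHA-256, but the logic is the same.

```python
import hashlib
import hmac


def hash_password(password: str, salt: bytes) -> str:
    """Salted hash as a stand-in for whatever the target system stored."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample password store: name -> (salt, stored hash). Made up.
USERS = {
    "alice": (b"\x01" * 8, hash_password("secret", b"\x01" * 8)),
    "bob":   (b"\x02" * 8, hash_password("correct horse battery staple", b"\x02" * 8)),
    "carol": (b"\x03" * 8, hash_password("sex", b"\x03" * 8)),
}

# A deliberately short wordlist, in the spirit of "the dictionary didn't have to be very long".
WORDLIST = ["password", "secret", "sex", "qwerty", "12345", "123456", "letmein"]


class LoginService:
    """Simulated login endpoint. max_failures=None reproduces the mid-90s situation
    the thread describes: unlimited guesses and no lockout."""

    def __init__(self, users, max_failures=None):
        self.users = users
        self.max_failures = max_failures
        self.failures = {name: 0 for name in users}

    def login(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            return False  # locked out: even the right password is refused now
        salt, stored = self.users[user]
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


def dictionary_attack(service: LoginService, wordlist) -> dict:
    """Try every wordlist entry against every account; return what was recovered."""
    found = {}
    for user in list(service.users):
        for guess in wordlist:
            if service.login(user, guess):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print(dictionary_attack(LoginService(USERS), WORDLIST))                  # alice and carol fall
    print(dictionary_attack(LoginService(USERS, max_failures=2), WORDLIST))  # only alice falls
```

With no lockout the seven-word list recovers two of the three passwords; with a two-strike lockout only the account whose password sits in the first two guesses falls. Note the trade-off a lockout policy brings: after the second run carol can no longer log in with her correct password either, which is why modern systems prefer rate limiting and delays over hard lockouts that an attacker can trigger on purpose.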
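The Alice/Bob/Mallory exchange from jedicus's third item, worked through in code as an added example (not from the original post): first with no integrity protection, where Bob obeys whatever arrives, then with an HMAC tag under a key Alice and Bob share, where the altered message is rejected. The message text follows the post; the shared key is constructed for the example.

```python
import hashlib
import hmac

PREFIX = b"Set the new password to "
ALICE_MESSAGE = PREFIX + b"your birthday"   # the value Mallory does not know

# Key Alice and Bob agreed on out of band; constructed for this example.
SHARED_KEY = b"k3y-agreed-out-of-band"


def mallory_tamper(message: bytes) -> bytes:
    """Mallory sits on a hop between Alice and Bob and rewrites the instruction."""
    return message.replace(b"your birthday", b"MalloryIsAwesome")


def bob_apply(message: bytes) -> str:
    """Bob parses the instruction and returns the password he would set."""
    if not message.startswith(PREFIX):
        raise ValueError("unexpected message")
    return message[len(PREFIX):].decode()


def alice_send(message: bytes, key: bytes) -> tuple:
    """Alice attaches an HMAC-SHA256 tag computed under the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def bob_receive(message: bytes, tag: bytes, key: bytes):
    """Bob recomputes the tag; on mismatch the message is rejected, not applied."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return bob_apply(message)


def run_exchange(protect: bool):
    """Return the password Bob ends up setting, or None if he rejects the message."""
    if not protect:
        on_the_wire = mallory_tamper(ALICE_MESSAGE)   # no check: Bob obeys whatever arrives
        return bob_apply(on_the_wire)
    message, tag = alice_send(ALICE_MESSAGE, SHARED_KEY)
    on_the_wire = mallory_tamper(message)   # Mallory can change bytes but cannot forge the tag
    return bob_receive(on_the_wire, tag, SHARED_KEY)


if __name__ == "__main__":
    print(run_exchange(protect=False))   # MalloryIsAwesome
    print(run_exchange(protect=True))    # None: tampering detected
```

A MAC gives Bob integrity and origin authenticity, not confidentiality: Mallory can still read every message, and could replay an old, validly tagged one unless the protocol also carries a sequence number or nonce. Real protocols such as TLS combine encryption with a MAC (or an AEAD cipher) for exactly this reason.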


Best answer: It's really hard to say without more information, but some possibilities:
  • He went to a site and tried the default passwords (the most common passwords are qwerty, 12345, 123456, password)
  • He did social engineering and tricked people into giving him their passwords ("Hey, this is Bob down in accounting, we're having a problem logging into the system. Can you give me your password so I can login?")
  • Dumpster diving. You'd be amazed as to what things people throw away.
  • Actual exploits. These are fairly sophisticated and doable only if you are either really good, or if someone has created a program to do it (the latter are known as script kiddies).
You'll notice most of what I wrote are more of social exploits rather than technical ones. It turns out in practice that these social exploits are far more common, but the technical ones get the press.

These technical exploits usually try to find some flaw in a system, sometimes through trial and error, sometimes based on patches that are sent out, sometimes through insider knowledge.

For example, one of the most common exploits today is a "buffer overflow" attack. This basically means that the program was only expecting, say, 15 characters, but you sent it 25. If programs aren't protected against this attack, then very clever hackers can write things into a computer's memory. Typically, this just crashes the computer, but if you know a lot about the hardware and software being run, you can actually write new instructions that the computer will run.

There are tons of other software exploits. Again, without more details, it's hard to say what he actually did.
posted by jasonhong at 10:00 AM on September 9, 2010


Response by poster: Thanks for the answers guys, very enlightening. Follow-up question I should have posted originally: do you think it's possible for a 16-year-old to do something similar today?
posted by StephenF at 10:09 AM on September 9, 2010


There are plenty of 16 year old "script kiddies" -- individuals who download software that does the attacking for you, requiring no real skill on their part.

An intelligent 16 year old that understood computers would be able to compile a list of sites from each top-level domain that were vulnerable in every country just with Google. The fact that the Internet is bigger today than 10 years ago has made some things significantly easier.
posted by bfranklin at 10:17 AM on September 9, 2010


do you think it's possible for a 16-year-old to do something similar today?

Absolutely. No doubt many 16 year olds are doing just that. In many ways it's easier than it was. In fact, a 10 year old could easily use Nessus and Metasploit (which are free) to break into insecure systems in just a few minutes. A 5 year old could do it with a little hand-holding.
posted by jedicus at 10:18 AM on September 9, 2010 [1 favorite]


Best answer: Breaking into networks is pretty simple:
1. identify what software is running
2. identify what versions are installed
3. identify security breaches in them

There are in fact quite old tools to handle much of this.
1. Strobe, released in 1995 by Julian Assange of (now) Wikileaks fame.
2. also pretty easy, as many programs will outright tell you if you know how to ask. Over time, we've learned that this is a bad idea, to disclose specific software versions to the general public. "Lyris2" may be okay, but "lyris 2.0.13" quickly reveals the sysadmin hasn't updated. A quick crawl of the internet for something like "powered by lyris 2.0.13" will basically give you a list of old shitty software. (version number totally made up).
3. bugtraq publishes a list of vulnerable program versions, starting from 1993. They even classify the attacks so you can narrow in on remote execution in popular tools.

The kinds of attacks range from stack overflows to dumb default passwords. Watch Wargames to get an idea of what goes on. However, most military systems are segregated, so you'd only have recruiting and PR type things on the Internet as we know it.

So it's pretty easy, really. It's basically a process that's been automated by tools like nessus. As far as confounding security experts and sysadmins, well, we didn't have nessus back then, and it's one of those things that unless the hacker does something dumb, they may well get away with it unnoticed.

Sysadmins don't spend their life defending against attacks. We also have users to support in accomplishing whatever it is the organization does. The guy in the cube next to me has pretty much adopted an "if it ain't broke don't fix it" policy. Which means one of his servers is 130 patches out of date. His users don't mind because the system is never down for upgrades, and never broken in odd ways thanks to an upgrade that fixed something and broke two other things.
posted by pwnguin at 10:18 AM on September 9, 2010 [1 favorite]
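pwnguin's three steps (identify the software, identify the version, look it up in an advisory index), run over some banners as an added example that is not part of the original post. The banners, product names, version numbers and advisory entries are all made up, in the same spirit as the post's "lyris 2.0.13"; the point is the mechanics, including one detail that trips people up: versions must be compared numerically, since as strings "2.0.13" sorts before "2.0.9".

```python
import re

# Constructed sample banners, as a port scanner would collect them. Fictional.
BANNERS = [
    ("10.0.0.5", 21, "220 ftp.example.org FTP server (exampled 2.0.13) ready."),
    ("10.0.0.6", 80, "Server: ExampleHTTPd/1.4.2"),
    ("10.0.0.7", 25, "220 mail.example.org ESMTP ExampleMail 3.1.0"),
    ("10.0.0.8", 80, "Server: ExampleHTTPd"),   # version withheld
]

# Constructed advisory index in the spirit of a bugtraq listing:
# (product, first affected version, last affected version, impact). Fictional.
ADVISORIES = [
    ("exampled",     "2.0.0", "2.0.15", "remote code execution"),
    ("examplehttpd", "1.0.0", "1.4.3",  "remote code execution"),
    ("examplemail",  "3.0.0", "3.0.9",  "denial of service"),
]

# "<product><space or slash><dotted version>", the shape most banners take.
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)[ /](\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """'2.0.13' -> (2, 0, 13), so that comparisons are numeric per component."""
    return tuple(int(part) for part in text.split("."))


def identify(banner: str):
    """Return (product, version_tuple), or None if the banner withholds a version."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return m.group(1).lower(), parse_version(m.group(2))


def find_vulnerable(banners, advisories) -> list:
    """Cross-reference each identified service against the advisory index."""
    hits = []
    for host, port, banner in banners:
        ident = identify(banner)
        if ident is None:
            continue   # nothing to match on; the box may still be vulnerable
        product, version = ident
        for adv_product, first, last, impact in advisories:
            if product == adv_product and parse_version(first) <= version <= parse_version(last):
                hits.append((host, port, product, ".".join(map(str, version)), impact))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(BANNERS, ADVISORIES):
        print(hit)
```

The fourth host, which prints no version, simply drops out of the match, which is the whole argument for not advertising versions; but hiding the banner only removes the shortcut, it does not remove the bug, so it is a complement to patching, not a substitute.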


Best answer: Yeah, in 1996 I ended up hammering my ISP (about the only one in town) to turn off fingerd, which was cheerfully divulging masses of information about everyone's identity to anyone who wanted to run a finger command and aim it at my ISP. Back then, just knowing stuff about an account, or at least enough accounts, would give you a wedge to get in.

Prior to that, uh, I used to have about an inch thick stack of those green and white very wide tractor feed printouts. Nothing but usernames and passwords for system upon system. Dictionary attacks were so useful in those days. Computer systems were amazingly permeable. I think SATAN, a vulnerability scanner, was still at least a little relevant back then.

The horrible FTP server, wu-ftpd, was very common and had any number of vulnerabilities. Certain ircd IRC servers were quite crashable with just a handful of commands. Though I knew very little about Unix or VMS, I sailed from system to system easily because many of the flaws were so glaringly obvious or easily replicated that merely sitting down and poking about with intent beyond "this is what a good user would do" revealed one amusing oversight after another.

Now, I think the ecology is a bit different. At the top of the pyramid would be a small number of researchers discovering theoretical types of vulnerabilities, followed by a larger group implementing and testing these, then a thin layer of folks who transform these tested vulnerabilities into easy-to-deploy tools for the very young script kiddies. That's at the system level.

On the other hand, as new services arise and programming becomes more accessible, the same errors in services (think websites) continue to crop up, and those, I think, a teenager can find on their own with just some very simple tweaking. I say this because I see paid-for systems handed over to me for a brief security audit that ends with me saying, "... and all you have to do is add this in the URL to cause that. Run it on a virtual, isolated, if you don't want a major rewrite."

I think sixteen year olds are probably not penetrating systems now so much as they are services.
posted by adipocere at 10:20 AM on September 9, 2010 [4 favorites]


For a look at the scene 10 years earlier in internet security, check out The Cuckoo's Egg by Clifford Stoll. Fascinating book, with great descriptions of how various systems were set up, were vulnerable, and the security processes that were in place. The events took place in 1986, the book came out in 1989 -- but some of what is there is apropos today.

Here's a list of convicted computer criminals, perhaps there are better lists, with kids on them.

As for whether it's feasible today, I say don't bet against a smart, relentless teenager getting into all kinds of trouble.
posted by artlung at 10:21 AM on September 9, 2010 [1 favorite]


StephenF: "do you think it's possible for a 16-year-old to do something similar today?"

Oh jesus yes. In fact, it's way easier now, with 15 years of shitty PHP developer code on the web, and modern tools that end up helping both sides. You can craft Google queries to reveal out of date webapp targets. You can run nmap against a target, or even nessus itself. All of the forces above that I mentioned that keep sysadmins behind the curve still apply.
posted by pwnguin at 10:22 AM on September 9, 2010


Best answer: The most enlightening explanation I've heard regarding a buffer overflow was in Secrets and Lies, by Bruce Schneier. Search "buffer overflow" using the Search Inside This Book feature here, and read the result ~ page 207. Or, paraphrased here:

Schneier explains buffer overflows by comparing computer memory to a loose leaf binder containing instructions for a convenience store clerk. Each page has one instruction; for example, "Greet customer", "Ring up item", "Accept Payment", etc. Suppose the clerk at the convenience store is dimwitted and follows the instruction booklet exactly.

That opens the convenience store to a simple attack. The attacker walks up to the counter, and while the clerk pages through the instructions, the attacker slips in a page that reads, "Take all the money out of the register and give it to the customer." One would hope that as the clerk follows the instructions in the book, he would notice that something is amiss at this point, right?
Overall, the book is an excellent resource to understand the basics of computer security - not overly technical, although it does get into more complex theory.
posted by BleachBypass at 10:36 AM on September 9, 2010 [1 favorite]


Best answer: this was 14 years ago or 1996 and the internet was a different place back then

Yeah, the university network I was using around this time had just gotten round to using a firewall.

do you think it's possible for a 16-year-old to do something similar today?

They don't call them script kiddies for nothing. Though hacking is thought to be more of an organized crime thing today, using other people's exploits is well within the range of a smart sixteen-year-old. Creating an exploit is a different matter, but there are plenty of very smart sixteen-year-olds out there who are quite capable. I know, I've met them. I worked with a non-profit who ran a very large free wireless network and all our network security was run by a sixteen-year-old. It wasn't like there weren't adults who couldn't and didn't do the work, but we had things like families and beer to distract us, while he didn't have that but did have the motivation of getting respect from adult peers who actually understood what he was doing.

In many ways sixteen-year-olds are ideal candidates. Take a delinquent hyper-intelligent sixteen-year-old with the ability to pull all-nighters, an inability to discriminate and a tendency to obsessively focus, lock them unsupervised in a basement and BOOM! One difference between then and now is that there are more opportunities to work for good. Lots of open source projects are powered by smart sixteen-year-olds and we should never underestimate the motivation of being respected by older peers.

(This works just as well with, say, sixteen-year-old bike thieves as it does with potential hackers, even if they don't turn into the model citizens others might wish. Said thief became an illegal rave organizer but that was a hell of a better outcome than bike thief about to graduate to house breaker, but I digress).
posted by tallus at 10:58 AM on September 9, 2010 [1 favorite]


Best answer: Here's what typically happens these days...

A company installs software, such as Wordpress, that eventually has a security vulnerability that allows attackers to either get access to the filesystem of the server or to the database.

Through that low-level access they'll typically load a set of tools that probe for vulnerabilities in the underlying operating system. The goal is to escalate privileges to a higher administrative level.

Assuming that either they have a vulnerability that's not yet known/patched (very unlikely) or the server hasn't been maintained (tragically common) they'll gain access at an administrative level.

Once they've gained administrative access they'll often clean up the initial break-in if they're smart. They'll add an account to the system that allows them to get back in legitimately and they'll usually install both backdoor(s) (to get in without alerting the firewall) and programs to mask their activities.

Now that they "own" the box there are a couple of different routes. Sometimes they'll just leave it that way for further use later. Often they'll upload movies, music, porn, warez, etc. to share on higher speed links than they themselves have access to. They almost always install an IRC bot. Sometimes they'll work to guess other passwords on the server to then try to get deeper into the organization (i.e. they have access to a web server that's at least partially outside of the firewall, if there are users on that server that also have access to an accounting related server inside the firewall, and the webserver stupidly has access via the firewall to that machine they'll try hopping from one to another). If the attack was targeted they'll attempt to gain whatever information that they were after (typically credit cards).

Once they're done with the server they'll often go out of their way to make it obvious that they were there, defacing all of the sites on the server usually with the added bonus of some subtly hidden client side exploit code to snag the machines of the company's customers into a botnet.

I can definitely see 16 year olds doing this today. In fact whenever I'm cleaning up a machine I assume that the person who did it was some asshole 14 year old hanging out on IRC with a bunch of his other loser friends trading porn and other warez instead of living a real life outside of their Mother's basements. They're almost always sloppy in what they've done. Whenever it takes me more than an hour or so to undo the damage I start to wonder if it's one of the more sophisticated 16 year olds, or maybe even a slow 18 year old. If it takes me more than half a day I assume that they're from Eastern Europe and actually knew enough to annoy me. My assumption is that anyone who is still interested in it after 18 went off to college and starts down the lucrative path to a CISSP after four years of taunting the admins at their college of choice.
posted by togdon at 11:01 AM on September 9, 2010
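One of the artifacts togdon describes, the account an intruder adds "to get back in legitimately", is something the person cleaning up can check for mechanically. As an added example (not from the post), this compares a known-good copy of /etc/passwd against the file found on the box and flags the changes typical of a foothold: a new account, a second uid 0 account, a home directory parked in /tmp or a dot-directory, and a service account whose shell was switched from nologin to something interactive. Both passwd files are constructed for the example.

```python
# Constructed /etc/passwd contents: a baseline captured before the incident, and
# the file as found on the compromised host. All accounts here are made up.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tom:x:1000:1000:Tom:/home/tom:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
tom:x:1000:1000:Tom:/home/tom:/bin/bash
sync2:x:0:0:sync:/tmp/.x:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SUSPICIOUS_HOME_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def parse_passwd(text: str) -> dict:
    """name -> (uid, gid, home, shell); lines without the seven fields are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users


def audit_accounts(baseline_text: str, current_text: str) -> list:
    """Return (user, finding) pairs for accounts that changed in ways typical of a foothold."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    findings = []
    for name, (uid, _gid, home, shell) in current.items():
        if name not in baseline:
            findings.append((name, "account not present in baseline"))
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if home.startswith(SUSPICIOUS_HOME_PREFIXES) or "/." in home:
            findings.append((name, "home directory in a temporary or hidden location"))
        if name in baseline:
            old_shell = baseline[name][3]
            if old_shell in NOLOGIN_SHELLS and shell not in NOLOGIN_SHELLS:
                findings.append((name, f"shell changed from {old_shell} to {shell}"))
    for name in baseline:
        if name not in current:
            findings.append((name, "account removed since baseline"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"{user}: {finding}")
```

Two caveats that follow from the rest of togdon's description: the baseline has to live off the box, since an intruder with root can rewrite a local copy along with the passwd file; and once "programs to mask their activities" are installed, anything read through the running system's own tools may be lied to, so this kind of comparison belongs on a disk image or a clean boot, not on the live host. /etc/passwd is also only one place a way back in can hide; authorized_keys files, cron entries and listening sockets deserve the same before-and-after treatment.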


90's haxing out the wazoo. Ignore the interfaces.
posted by cmoj at 12:28 PM on September 9, 2010


Back in 1998 I interviewed a kid who got busted for hacking .mil computers for a computer ethics class. I don't believe that any of the computers he broke into were very sensitive but they were on a military base nonetheless. He got in by war dialing numbers on the military base and got into computers that had no passwords. It was literally that easy.

He also did lots of stuff like steal corporate teleconference codes, hack voice mail, Beige Boxing and social engineering attacks (after his parents divorced he impersonated his father on the phone and had all his utilities canceled).
posted by mmascolino at 1:02 PM on September 9, 2010


"Phishing" is extremely effective and ridiculously easy. I'm sure there are 16 year olds out there doing it.
posted by Chocolate Pickle at 2:22 PM on September 9, 2010


Suelette Dreyfus's 1997 book Underground documents many teenage hackers of the 80s/90s and looks at some of the hackers' lives, how they got into the scene, and how the scene worked locally & internationally. The opening chapter on the WANK worm is a fantastic tale. It discusses a huge array of hacking, including social engineering, phishing, credit card fraud, hacking into major corporations, government & military networks, etc. and was one of those books I couldn't put down.

Also interesting to note that the book was researched by Julian Assange of Wikileaks.

The book is now freely available for download.
posted by goshling at 5:52 PM on September 9, 2010


Worth noting that in the current scandal about Murdoch newspapers "hacking" the voicemail of celebrities, the royal family etc., the "hack" consisted mostly of them simply knowing the default voicemail passwords for UK mobile phone companies. If you know someone's number, and you know the default password for Vodafone is "1234" then you're a hacker.

I used to work for a company which set your voicemail password based on your name so you could remember it easily when looking at the keypad (ABC for 2, DEF for 3 and so on).

When Paris Hilton's Sidekick phone was "hacked" they just guessed her password, which was the name of her dog. Same kind of thing for Sarah Palin.

Other such not-really-hacking hacks I remember from the past involve systems where you log in and your personal URL looks like somewhere.com/mydetails.php?id=1234567 -- when you changed that number on the end, you could get to see someone else's details.
posted by AmbroseChapel at 6:11 PM on September 9, 2010
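The "change the number on the end of the URL" flaw AmbroseChapel closes with (the same class adipocere means above by "all you have to do is add this in the URL to cause that") is what is now called an insecure direct object reference, and it is still one of the commonest bugs in web services. As an added example that is not from the thread, here is the vulnerable handler next to two fixed versions, plus the id-walking loop an attacker would run against each. The records, session tokens and URL are constructed; the URL shape follows the post.

```python
from urllib.parse import parse_qs, urlparse

# Constructed data: two customer records and two logged-in sessions.
RECORDS = {
    1234567: {"name": "Alice", "email": "alice@example.org"},
    1234568: {"name": "Bob", "email": "bob@example.org"},
}
SESSIONS = {"sess-alice": 1234567, "sess-bob": 1234568}   # token -> record owned


def _id_from_url(url: str):
    params = parse_qs(urlparse(url).query)
    try:
        return int(params["id"][0])
    except (KeyError, ValueError, IndexError):
        return None


def lookup_vulnerable(url: str, session_token: str):
    """Authenticates the caller, then trusts whatever id the URL carries."""
    if session_token not in SESSIONS:
        return None
    return RECORDS.get(_id_from_url(url))


def lookup_fixed(url: str, session_token: str):
    """Authorizes: the requested record must belong to the session's user."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None
    record_id = _id_from_url(url)
    if record_id != owner:
        return None   # worth logging: a mismatch here is usually someone enumerating
    return RECORDS.get(record_id)


def lookup_session_only(session_token: str):
    """Simplest fix of all: never take the id from the client in the first place."""
    owner = SESSIONS.get(session_token)
    return RECORDS.get(owner) if owner is not None else None


def enumerate_records(handler, session_token: str, start: int, count: int) -> int:
    """What the attacker does: walk the id space with one valid login and count the hits."""
    base = "https://somewhere.com/mydetails.php?id="
    hits = 0
    for record_id in range(start, start + count):
        if handler(base + str(record_id), session_token) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    print(enumerate_records(lookup_vulnerable, "sess-alice", 1234560, 20))   # 2: Alice reads Bob too
    print(enumerate_records(lookup_fixed, "sess-alice", 1234560, 20))        # 1: only her own record
```

Sequential ids make the walk trivial, but switching to random ids is not the fix; the check that the object belongs to the caller is, on every handler that takes an identifier. Where ids really must appear in URLs, a per-user authorization check like lookup_fixed is the minimum, and dropping the parameter altogether as in lookup_session_only removes the bug class for the common "my details" case.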


Response by poster: Thanks all for the ridiculously high-quality answers!
posted by StephenF at 1:44 AM on September 10, 2010

