Kinder, gentler hacks: A bevy of low-stakes early computer breaches

It all seems so innocent now

When the world was new

Today, IT security is a deadly serious business. But in the early days of computing, the stakes were a bit lower. Maybe it's just that we're seeing it through a nostalgic lens, but the computer breaches in the '70s, '80s, and '90s just seemed a bit more ... fun? We spoke to some people who were there, who enjoyed reminiscing about a gentler era, whether they were the ones hacking or the ones being hacked.

The case of the Missionary Unmasker

Thomas P. Keenan, now a professor and author of Technocreep: The Surrender of Privacy and the Capitalization of Intimacy, had to deal with a security crisis at his first systems programming job at the University of Calgary -- in 1972. "Every night, under cover of darkness, someone would post printouts of the user accounts on the Control Data 6400 computer, along with the corresponding passwords, labelled 'From the Missionary Unmasker!' Reading dumps and machine language code revealed that the password was stored -- unencrypted, of course -- in a memory location 114 words after the start of the assigned memory, and wasn't cleared between users. The Unmasker was requesting blocks of core memory and having a peek. I plugged that hole, and later heard that the culprit was the bored son of a dean."

Sneaker virus

Frank Bradshaw, now president of Ho'ike Technologies, recalls a problem from the days when the Internet wasn't the main vector for malware distribution. "In 1993, I was working in a computer lab at college; another employee was file-sharing and downloading software and pictures off of newsgroups. One of them was infected with the Stoned.Monkey boot sector virus. He was assigned to install approved software by the school to several computer labs. He used the same disk that he copied the pirated software and pictures to copy the approved software to be loaded in several computer labs, infecting almost 200 machines." Consequences were dire: "Each machine needed to be rebuilt. This all went down about two to three weeks before finals when most papers were due -- and this was before everyone could afford a cheap PC."

A lot of trouble just for AOL

Dave Cox is the CEO of security firm LiquidVPN, but as a teen in the 1990s, he did some pretty dodgy stuff, including getting "free" dialup access by giving fake credit card numbers to AOL. The numbers "were generated using the same type of rules the companies used to generate them in the first place, and/or curated from lists distributed via AOL chat rooms." Bizarre as it may seem in these days of instant e-commerce, "I suspect AOL had no way to instantly check if it was a real card. If you were really lucky you could get up to two months on a card but it was rare to get more than like two or three weeks."

Spoofing MAC address breaking into lab

Cox managed to gain admin access to his school's computer system too, through means both technical (he wrote a little volleyball game that installed a keylogger into memory) and old-fashioned (his seat was at the front of the class and he could see his teacher enter her passwords). He used his powers to alter his fellow students' grades (first to help those in dire need, then for cash) and to add rude names for his teachers to the splash screens in the lab. And he used MAC address spoofing to pass the blame onto the second-most computer-savvy kid in his class (he, of course, was the best).

Revenge on Reefer Ron

These were also the days of BBSes, and Cox, who ran a BBS called The Lake of Fire, used his skills to settle a BBS beef. "One of the BBS owners was named Reefer Ron; he had a five-modem BBS that used to distribute hacking/anarchy stuff. This was back when you paid for incoming and outgoing phone calls if you went over so many minutes in a month -- you could rack up huge phone bills. Ron stole a new BBS server from another local sysadmin that everyone liked. So a few of us found a way to have his BBS dial back numbers. His five phone lines were running non-stop and he racked up $14,000 in phone charges over three months."

Dialup on someone else's shekel

Dialup shenanigans were a common theme among people I spoke to; ISPs often charged by the minute, and in many countries you had to pay the phone company to make calls as well! Amit Serper, senior security researcher at Cybereason, remembers that he and his friends in Israel in the 1990s got wind of "an exploit in private branch exchange systems that allowed you to get a dial tone and call any number on the PBX owner's dime: dial a toll-free number and while the announcement is being played, hit the '1' key on the phone quickly until you get a dial tone. My friends and I made a list of all of the toll-free numbers we knew and called these numbers and tried to exploit the system. Once we got a dial tone we dialed up to our ISP."

The breachable casino

Naivety in the early days went beyond just network security. Rick Tracy, CSO of Telos Corporation, was charged with security testing an online casino on "an obscure island in the Caribbean" in the late '90s. The casino was just "a collection of Unix servers that were housed in a store-front of a small strip mall," but Tracy and his team had them "locked down tighter than a drum." On their way out, they went into the grocery store next door to grab something cold to drink -- and realized that the drop ceiling there connected directly back to the casino. "There were no motion detectors or alarms. Just a useless lock on the front door. There were no safeguards to prevent anyone from entering the online casino office space through the ceiling and physically stealing the servers."

Honorable combat

Vickie Miller, vice president and CISO at FICO, worked for a local telephone company in Nebraska in the early '90s that decided it would take advantage of the embryonic Internet fad by setting itself up as an ISP -- to monetize people using phone lines for hours, if nothing else. Their rivals across town were an independent ISP founded by a college professor and a couple of students. Miller said they had a "healthy respect" for one another -- but one day, the rival ISP managed to telnet into their system, download their client list and ... used it to send a solicitation email urging them to switch. That was it! Miller said her ISP considered hacking back, but ultimately just wrote a stern letter (and improved their own security).

All for glory

Stephen Coty, chief security evangelist at Alert Logic, recalls his own youthful exploits in the late '80s: creating a boot sector virus that would cause an infected computer to put his name up on screen, for instance, or gaining access to mainframes and trading screenshots with friends to prove he'd done it, or war dialing to see if there were open modems he could break into. At the time, these acts weren't meant to be malicious: he says they were about exploration of what computers and networks could do, and what you came away with were trophies, so to speak. Many of the security breaches we've discussed here have that innocent quality about them.

No more Mr. Nice Guys

Steve Manzuik, director of security research at Duo Security, put it somewhat more cynically: "The bad guys had not figured out how to monetize their skills yet." Perhaps it's fairer to say that many got out before they got bad. Coty, like many of his early hacker cohorts, shifted to corporate life in the early '90s, taking a job at Wells Fargo -- where he was honestly surprised how easy the systems were to access, with the biggest threats coming from insiders, not external attackers. When Russian hackers started moving money around in 1994 or so, he says, that represented a major sea change in the world of computer security.

A long history of vulnerabilities

If you're interested in this period in computing, you probably recognize the name "Jericho," the legendary hacker and mind behind Attrition.org. Now more likely to go by Brian Martin, he's a meticulous cataloger of vulnerabilities, and if you want to go very deep into computing security history, check out his PowerPoint presentation, "112 Years of Vulnerabilities."