Hacking the Bubble
Hacking has existed in one form or another for quite some time. Just as the Internet grew by leaps and bounds in the '90s, so did the hacking community. While the dot-com bubble thrust the Internet into the general public’s conscience, it also brought hacking into the limelight. Web site defacements and denial of service attacks quickly became commonplace. Naturally, with the rapid growth of the Internet population, a rise in the number of people looking to take advantage of neophyte users also took place.
More hacking groups began forming in the '90s, such as the L0pht. In 1998 members of the L0pht testified before congress that they could shut down the Internet in 30 minutes. In 1992, five members of the Masters of Deception group were indicted in federal court and later plead guilty. The Cult of the Dead Cow was responsible for HoHoCon, the first modern hacker convention and became the first group to have its own Usenet group – alt.fan.cult-dead-cow – in 1994.
There were also two high-profile pursuits and arrests in the 90s: Kevin Poulsen and Kevin Mitnick. Poulsen, who was featured on the television show Unsolved Mysteries, also famously rigged the telephone lines of a radio station call-in contest in Los Angeles. Mitnick’s story was covered in the New York Times and two controversial books, one of which was made into a movie. Both Poulsen and Mitnick also received lengthy prison sentences for their actions.
The heightened awareness of computer security at this time also prompted the creation of the Bugtraqmailing list in 1993. The list was created as a forum for people to report and discuss computer security vulnerabilities and issues since most vendors at the time didn’t acknowledge them. Because of this, members also discussed workarounds and other ways to fix the vulnerabilities.
Of course, with all the fame and notoriety earned by skilled hackers and groups came the coattail riders. This decade saw the rise of the “script kiddies,” a term used to describe unskilled attackers who used tools and exploits created by others to embark on their own hacking escapades. Because the script kiddies usually lacked knowledge and skills, they were generally shunned by actual hackers and for the most part ended up creating their own groups and communities.
The '90s were also marked by the rise and evolution of malicious code. With the increasing connectivity, malicious code was able to propagate more rapidly than ever before to a larger group of potential victims. Trojans designed to steal America Online accounts began surfacing at a steady pace along with back door server programs such as Netbus and Back Orifice. Then, in 1999 a new type of threat appeared – the mass-mailing worm. Melissa was the first threat to have a severe impact on corporate and home users alike, causing email servers to be clogged with the sheer volume of messages it generated. It was not uncommon to hear of companies simply unplugging their email servers from the network during the initial outbreak.
The '90s also saw the introduction of online spam and phishing. The first documented instance of commercial spam occurred in 1994 when two lawyers began bulk-posting advertisements for their immigration services to Usenet groups. As we all know, spam has not been limited to Usenet postings or immigration services since then. Phishing began mainly as an attempt to steal AOL account information from users. Phishers would frequently pose as AOL customer service representatives and send instant messages to users asking them to verify their account information.
Many of the concepts, threats, and tools that were pioneered in the early days of the Internet experienced a rapid evolution in the 90s. While there were many elaborate attacks performed, there were also many unsophisticated attempts. Since then we have observed a evolution in the threat landscape. Since the end of the '90s, a shift has occurred from attack activity that was conducted by hobbyist attackers motivated by intellectual curiosity and a desire to show off their skills, towards more organized attacks motivated by financial gain. But that is a story for subsequent installments in this series.