 In reference to a system’s security, hacking is
usually defined as the act of illegally entering
a computer system, and making unauthorized
changes to the files and data contained within
(Winegarden, November 2003).
 A hacker is a programming specialist who has
the expertise to enter a computer or network
without proper authorization
(CyberAngels, November 2003).
 The history
 Hacking has been around for more than a century. In the 1870s, several teenagers
were flung off the country's brand new phone system by enraged authorities.
 Early 1960s
 University facilities with huge mainframe computers, like MIT's artificial
intelligence lab, become staging grounds for hackers. At first, "hacker" was a
positive term for a person with a mastery of computers who could push programs
beyond what they were designed to do.
 Early 1970s
 John Draper makes a long-distance call for free by blowing a whistle into a telephone, which
tells the phone system to open a line. Draper discovered the whistle as a give-away in a box
of children's cereal.
Draper, who later earns the handle "Captain Crunch," is arrested repeatedly for phone
tampering throughout the 1970s.
 Yippie social movement starts YIPL/TAP (Youth International Party Line/Technical
Assistance Program) magazine to help phone hackers (called "phreaks") make free long-
distance calls.
 Two members of California's Homebrew Computer Club begin making "blue boxes," devices
used to hack into the phone system. The members, who adopt handles "Berkeley Blue"
(Steve Jobs) and "Oak Toebark" (Steve Wozniak), later go on to found Apple Computer.

 Early 1980s
 Author William Gibson coins the term "cyberspace" in a science fiction novel called
 In one of the first arrests of hackers, the FBI busts the Milwaukee-based 414s (named after
the local area code) after members are accused of 60 computer break-ins ranging from
Memorial Sloan-Kettering Cancer Center to Los Alamos National Laboratory.
 Comprehensive Crime Control Act gives Secret Service jurisdiction over credit card and
computer fraud.
 Two hacker groups form, the Legion of Doom in the United States and the Chaos Computer
Club in Germany.
 2600: The Hacker Quarterly is founded to share tips on phone and computer hacking.
 Late 1980s
 At 25, veteran hacker Kevin Mitnick secretly monitors the e-mail of MCI and
Digital Equipment security officials. He is convicted of damaging computers and
stealing software and is sentenced to one year in prison.
 First National Bank of Chicago is the victim of a $70-million computer heist.
 An Indiana hacker known as "Fry Guy" -- so named for hacking McDonald's -- is
raided by law enforcement. A similar sweep occurs in Atlanta for Legion of Doom
hackers known by the handles "Prophet," "Leftist" and "Urvile."

 Early 1990s
 After AT&T long-distance service crashes on Martin Luther King Jr. Day, law
enforcement starts a national crackdown on hackers. The feds nab St. Louis'
"Knight Lightning" and in New York grab Masters of Deception trio "Phiber
Optik," "Acid Phreak" and "Scorpion." Fellow hacker "Eric Bloodaxe" is
picked up in Austin, Texas.
 Hackers break into Griffith Air Force Base, then penetrate computers at NASA
and the Korean Atomic Research Institute. Scotland Yard nabs "Data Stream,"
a 16-year-old British teenager who curls up in the fetal position when seized.
 A Texas A&M professor receives death threats after a hacker logs on to his
computer from off-campus and sends 20,000 racist e-mail messages using his
Internet address.
 In a highly publicized case, Kevin Mitnick is arrested (again), this time in
Raleigh, N.C., after he is tracked down via computer by Tsutomu Shimomura at
the San Diego Supercomputer Center.
 Late 1990s
 Hackers break into and deface federal Web sites, including the U.S. Department of Justice,
U.S. Air Force, CIA, NASA and others.
 Report by the General Accounting Office finds Defense Department computers sustained
250,000 attacks by hackers in 1995 alone.
 A Canadian hacker group called the Brotherhood, angry at hackers being falsely accused of
electronically stalking a Canadian family, breaks into the Canadian Broadcasting Corp. Web site
and leaves the message: "The media are liars." The family's own 15-year-old son eventually is
identified as the stalking culprit.
 Popular Internet search engine Yahoo! is hit by hackers claiming a "logic bomb" will go off in
the PCs of Yahoo!'s users on Christmas Day 1997 unless Kevin Mitnick is released from
prison. "There is no virus," Yahoo! spokeswoman Diane Hunt said.

 1998
 Anti-hacker ad runs during Super Bowl XXXII. The Network Associates ad, costing
$1.3-million for 30 seconds, shows two Russian missile silo crewmen worrying that a
computer order to launch missiles may have come from a hacker. They decide to
blow up the world anyway.
 In January, the federal Bureau of Labor Statistics is inundated for days with
hundreds of thousands of fake information requests, a hacker attack called
 Hackers break into the United Nations Children's Fund Web site, threatening a
"holocaust" if Kevin Mitnick is not freed.
 Hackers claim to have broken into a Pentagon network and stolen software for a
military satellite system. They threaten to sell the software to terrorists.
 The U.S. Justice Department unveils National Infrastructure Protection Center,
which is given a mission to protect the nation's telecommunications, technology and
transportation systems from hackers.
 Ethical hacker's discoveries made during the evaluation. Vulnerabilities that
were found to exist are explained and avoidance procedures specified. If the
ethical hacker's activities were noticed at all, the response of the client's staff is
described and suggestions for improvements are made. If social engineering
testing exposed problems, advice is offered on how to raise awareness. This is
the main point of the whole exercise: it does clients no good just to tell them that
they have problems. The report must include specific advice on how to close the
vulnerabilities and keep them closed. The actual techniques employed by the
testers are never revealed. This is because the person delivering the report can
never be sure just who will have access to that report once it is in the client's
hands. For example, an employee might want to try out some of the techniques
for himself or herself. He or she might choose to test the company's systems,
possibly annoying system administrators or even inadvertently hiding a real
attack. The employee might also choose to test the systems of another
organization, which is a felony in the United States when done without
 The actual delivery of the report is also a sensitive issue. If vulnerabilities were
found, the report could be extremely dangerous if it fell into the wrong hands. A
competitor might use it for corporate espionage, a hacker might use it to break into
the client's computers, or a prankster might just post the report's contents on the Web
as a joke. The final report is typically delivered directly to an officer of the client
organization in hard-copy form. The ethical hackers would have an ongoing
responsibility to ensure the safety of any information they retain, so in most cases all
information related to the work is destroyed at the end of the contract.
 Once the ethical hack is done and the report delivered, the client might ask “So, if I
fix these things I'll have perfect security, right?” Unfortunately, this is not the case.
People operate the client's computers and networks, and people make mistakes. The
longer it has been since the testing was performed, the less can be reliably said about
the state of a client's security. A portion of the final report includes recommendations
for steps the client should continue to follow in order to reduce the impact of these
mistakes in the future.
 Shut down Internet connection
 The most important step to consider if you suspect your system’s
security has been compromised is to shut off all connections to the
 Although this temporarily prevents you from tracing the PC
responsible for the attack, it lets you protect your information
first, which is probably your primary concern.

 Install Firewalls
 Luckily, if you followed any of the advice on this website, you
have a firewall installed on your system.
 Many firewalls, ZoneAlarm for one, can maintain a detailed
description of attempted intrusions. If your firewall does alert
you to possible invasions, it probably has the capability of providing
the IP address as well.

 Contact ISP
 Once you have obtained the name of the Internet Service Provider (ISP),
the next step is to initiate contact with them. Most ISPs have some
type of acceptable use policy, and typically illegal intrusion is not
allowed under its guidelines. After you have reported the incident to the
specific ISP, the punishment/penalty proceedings are in their hands
(Hart, November 2003).
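 The firewall-log step above can be turned into evidence for the ISP report. The following is an added example, not part of the original slides: it groups blocked inbound entries by source IP address. The comma-separated log layout, the FWIN/FWOUT type field, the sample lines and the function names are all assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Assumed layout per line:
# type,date,time + UTC offset,source ip:port,destination ip:port,protocol
SAMPLE_LOG = """\
FWIN,2003/11/02,14:22:31 -5:00 GMT,198.51.100.23:4312,192.168.1.10:135,TCP (flags:S)
FWIN,2003/11/02,14:22:34 -5:00 GMT,198.51.100.23:4313,192.168.1.10:445,TCP (flags:S)
FWOUT,2003/11/02,14:25:02 -5:00 GMT,192.168.1.10:1055,203.0.113.80:80,TCP (flags:S)
FWIN,2003/11/02,15:01:10 -5:00 GMT,203.0.113.7:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWIN,2003/11/02,15:40:55 -5:00 GMT,198.51.100.23:4400,192.168.1.10:139,TCP (flags:S)
this line is corrupt and must be skipped
"""

def summarize_blocked_inbound(log_text):
    """Group blocked inbound (FWIN) entries by source IP address."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0] != "FWIN":
            continue  # ignore outbound entries and malformed lines
        try:
            seen = datetime.strptime(f"{row[1]} {row[2].split()[0]}", "%Y/%m/%d %H:%M:%S")
            src_ip = row[3].rsplit(":", 1)[0]
            dst_port = int(row[4].rsplit(":", 1)[1])
        except (ValueError, IndexError):
            continue  # a field did not have the assumed shape
        entry = summary[src_ip]
        entry["count"] += 1
        entry["first"] = seen if entry["first"] is None else min(entry["first"], seen)
        entry["last"] = seen if entry["last"] is None else max(entry["last"], seen)
        entry["ports"].add(dst_port)
    return dict(summary)

def abuse_report_lines(summary):
    """One line per source, busiest first, for pasting into a report to the ISP."""
    ordered = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{ip}: {s['count']} blocked attempts, {s['first']:%Y-%m-%d %H:%M:%S} to "
        f"{s['last']:%H:%M:%S} local time, destination ports {sorted(s['ports'])}"
        for ip, s in ordered
    ]

if __name__ == "__main__":
    print("\n".join(abuse_report_lines(summarize_blocked_inbound(SAMPLE_LOG))))
```

 Timestamps are kept in the firewall's local time; include the UTC offset from the log when sending the summary to the ISP so their staff can match it against their own records.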
 The idea of testing the security of a system by trying to break into it is
not new. Whether an automobile company is crash-testing cars, or an
individual is testing his or her skill at martial arts by sparring with a
partner, evaluation by testing under attack from a real adversary is
widely accepted as prudent. It is, however, not sufficient by itself. As
Roger Schell observed nearly 30 years ago:
 From a practical standpoint the security problem will remain as
long as manufacturers remain committed to current system
architectures, produced without a firm requirement for security.
As long as there is support for ad hoc fixes and security packages for
these inadequate designs and as long as the illusory results of
penetration teams are accepted as demonstrations of a computer
system security, proper security will not be a reality.

 Regular auditing, vigilant intrusion detection, good system
administration practice, and computer security awareness are all
essential parts of an organization's security efforts. A single failure in
any of these areas could very well expose an organization to
cyber-vandalism, embarrassment, loss of revenue or mind share, or worse.
Any new technology has its benefits and its risks. While ethical hackers
can help clients better understand their security needs, it is up to the
clients to keep their guards in place.
