Historic Hacks of the 1990s, Part 2
Note: This is Part 2 of 2.
We're back to continue GoCertify's tour through the most notorious hack attacks of the 1990s.
If you checked your mailbox more than once or twice during the 1990s, then you doubtless know (or knew) of a company named "America Online" (AOL), the world's largest online internet provider. Even if you weren't paying attention, you were probably still aware of their promotional CDs offering 10 hours of free internet access.
More noticeable was how these disks were seemingly inserted into every nook and cranny imaginable. As PC World so appropriately wrote, "(Y)ou couldn't open a magazine or your mailbox without an AOL disk falling out of it."
The flood of these disks sparked protests from a number of environmental and other groups. One entity in particular was No More AOL CDs, which asked people to send them their AOL disks. The goal was to collect one million disks and mail them back to AOL. Eventually the group pulled the plug on the effort after having collected an impressive 410,176 CDs.
Some protestors took things a step further. A 17-year-old hacker from Pittsburgh known as "Da Chronic" created a Windows app named AOHell, touting it as, "An all-in-one nice convenient way to break federal fraud law, violate interstate trade regulations, and rack up a couple of good ol' telecommunications infractions in one fell swoop."
Da Chronic claimed he was mad at AOL for the company's refusal to shut down sites harmful to children, and the app more than lived up to its name.
AOHell included a fake-account generator enabling anyone to establish fully functional AOL accounts, a phishing tool that used automated social engineering to steal passwords and credit card information, and even an e-mail-bombing option to send hundreds of electronic mail messages to a user's inbox and fax machines.
You could even send an instant message to another user that would log them out, or pose as AOL's founder Steve Case in chat rooms.
Aftermath – AOL spent a great deal of effort and money fighting the app. The company's efforts to identify and delete accounts created using AOHell didn't work: as soon as one account was cancelled, another arose. Their best solution was to release a new version, AOL 2.5, which wasn't compatible with Da Chronic's creation.
AOHell was a gut punch to the company's reputation, and some experts argue that it never fully recovered.
Lesson Learned — Internet providers improved protections for user accounts, such as by offering protocols for double verification of new accounts. There also began to be regular policing of user activity on their sites, particularly when it might involve children. In AOL's case, the company provided a command enabling users to make certain chat rooms off limits to children.
Corporations also began paying close attention to their public images, realizing that doing something — or not doing something — had the potential to bring the wrath of a hacker upon their heads.
Solar Sunrise 1998
In January 1998 the Middle East was in turmoil. Saddam Hussein had evicted United Nations weapons inspectors from Iraq and, in response, the Pentagon was gearing up for an anticipated strike on Saddam's military.
In the midst of preparations, automated security monitors detected outside electronic intrusions into systems on a number of U.S. military installations. The intruders hacked through a .edu site and installed sniffer programs to capture passwords and establish backdoor access.
Although none of the systems were classified, military and government officials feared it was Iraqi hackers spying on the Pentagon's attack preparations. The intrusion was given the code name Solar Sunrise and it set off a massive multi-agency effort involving the Army, Navy and Air Force along with an alphabet soup of government agencies including the FBI, NASA, CIA and the NSA.
Aftermath — It would be a fat understatement to say that authorities took Solar Sunrise seriously. After three days, countless man-hours, great expense and more than a dozen court orders, the FBI, loaded for bear and wearing bullet-proof vests, burst in on the electronic evil-doers — two 16-year-old boys living in California and known online as "Mak" and "Stimpy." Their actual names were not revealed due to their ages.
Further investigation revealed communications between Mak and Stimpy and a three-member teenage hacker group in Israel named "The Enforcers." In addition to hacks of the Pentagon and NASA, the Enforcers had also hacked into the Israeli Knesset.
The group was arrested and, after investigations in Israel and the United States, authorities determined that the motive behind the hacks was simply personal amusement. When asked why they did it, one of the Enforcers declared, "It's power dude. You know, power."
While Mak and Stimpy were processed by the California Juvenile Justice System, attorneys for the Enforcers successfully argued that no laws had been broken because none of the sites were labelled "restricted."
Lessons Learned — Solar Sunrise made it clear to everyone that even non-critical systems need to be protected from attacks. The U.S. interagency effort to identify and go after hackers resulted in the development of new forensic tools and protocols for handling future hacking investigations.
It also showed that the gloves were off regarding hackers attacking government systems. Speaking of the unprecedented investigative effort, Attorney General Janet Reno said, "This should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes."
Melissa Virus 1999
Curiosity killed the cat — and spread this virus. Melissa would arrive as an email attachment with a subject line of, "Important Message from [the name of someone]," and for good measure, text in the body that read "Here is that document you asked for ... don't show anyone else ;-)."
If a user clicked on the attachment and was also running Microsoft's Outlook email program, the virus would replicate itself to the first 50 contacts in the user's address book.
Although Melissa did not destroy data or hardware, it caused an increasingly large wave of e-mail distributions that could and did overwhelm e-mail systems. To stop the intrusion, large corporations like Microsoft, Intel, and others were forced to temporarily shut down incoming emails.
Aftermath — At trial, Melissa's creator David Smith explained he named it after an exotic dancer and maintained that it was not designed to be malicious — although it did cause $80 million worth of damage. Smith's shenanigans netted him 20 months in prison.
Lesson Learned — Since that day, every IT department has stressed not blindly clicking on email attachments. "If you're not sure, don't click."