Written by
Shuchi Nagpal
Asian School of Cyber Laws

Hacking is the most common form of cyber crime today. The reason why hackers indulge in this crime vary from monetary gain, to political interest to even the sheer thrill of it all. An insight into how the mind of a hacker works…

July 2001 – The website of the Cyber Crime Cell of the Mumbai Police is hacked. The perpetrators leave offensive and abusive messages on the website. They also dare the police to nab them. Up to the challenge, the Mumbai police trace the criminals, Mahesh Mhatre and Anand Khare (alias Dr Neukar) and arrest them for hacking. The duo is also charged with credit card fraud for using 225 credit card numbers, mostly belonging to American citizens.

October 2001 – Over 200 Indian websites are hacked into and defaced. The hackers put in words like bugz, death symbol, Paki-king and allahhuakbar. In the case of 123medicinindia.com, a message is left behind which says – “Catch me if uuu can my deraz lazy adminzzz” – challenging the system administrators to trace the miscreants. The offenders are a group of hackers who go by the name of ‘Pakistani Cyber Warriors’.

Technically speaking, hacking implies unauthorized accessing of a computer. Legally speaking, it is altering any data on a computer. For simplicity’s sake we will focus more on the technical meaning of hacking.

Hacking has many avatars, chiefly web-defacement, DNS spoofing, web-spoofing, e-mail bombing, Trojan attacks, virus attacks, flooding, buffer over flows and password cracking.

Let us focus on web jacking. Just as conventional hijacking airplane by using force, similarly web jacking means forcefully taking over control of a website. The motive is usually the same as hijacking – ransom. The perpetrators have either a monetary or political purpose which they try to satiate by holding the owners of the website to ransom.

In a recent incident reported in the USA the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a school teacher, did not take the threat seriously. She felt that it was just a scare tactic and ignored the e-mail. It was three days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website.

Subsequently, they had altered a portion of the website which was entitled ‘How to have fun with goldfish’. In all the places where it had been mentioned, they had replaced the word ‘goldfish’ with the word ‘piranhas’. Piranhas are tiny but extremely dangerous flesh-eating fish. Manu children had visited the popular website and had believed what the contents of the website suggested. These unfortunate children followed the instructions, tried to play with piranhas, which they bought from pet shops, and were very seriously injured!

So, how does someone hijack a website? The administrator of any website has a password and a username that only he (or someone authorized by him) may use to upload files from his computer on the web server (simply put, a sever is a powerful computer) where his website is hosted. Ideally, this password remains secret with the administrator. If a hacker gets hold of this username and password, the he can pretend to be the administrator.

Computers don’t recognize people – only usernames and passwords. The web server will grant control of the website to whoever enters the correct password and username combination. There are many ways in which a hacker may get to know a password, the commonest being password cracking wherein a “cracking software” is used to guess a password. Password cracking attacks are most commonly of two types. The first one is known as the dictionary attack. In this type of attack the software will attempt all the words contained in a predefined dictionary of words.

For example, it may try Rahim, Rahul, Rakesh, Ram, Reema, Reena … in a predefined dictionary of Indian names. These types of dictionaries are readily available on the Internet.

The other form of password cracking is by using ‘brute force’. In this kind of attack the software tries to guess the password by trying out all possible combinations of numbers, symbols, letters till the correct password is found. For example, it may try out password combinations like abc123, acbd5679, sdj#%^, weuf*(-)*.

Some software, available for password cracking using the brute force technique, like Brutus, can check upto 2 lakh password combinations per second on a Pentium III computer! When compared to a dictionary attack, a brute force attack takes more time, but it is no wonder that it is definitely more successful.

Just a note of caution to a reader who feels like taking a shot at hacking. The information Technology Act, 2000 provides for imprisonment upto three years for hacking and fines up to Rs 1 crore for unauthorized access.