Hacks, Phreaks, and Worms: Events That Changed Internet Security

Given the headlines lately, you could be forgiven for thinking that the biggest, baddest events in the history of computer security have all happened within the last few years. After all, there have been so many hacks disclosed that Stephen Northcutt of SANS recently observed, “The way we are going, there are only going to be a couple hundred people of any significant net worth in the United States that have not had their details lost in a privacy breach–and they are going to prove to be so ultra paranoid they never borrowed money or had a credit card.”

In reality, the history of the most significant hacks, malware and other security bungles stretches back a lot further than the oft-cited chronology breaches compiled by the Privacy Rights Clearinghouse. That’s why we’ve put together this list of the worst, but most important, moments in computer security–a sort of cynics’ guide through the history of information security.

Some of the items on the list were chosen because of their legislative impact or technical sophistication. Others were picked as a result of the media attention they received, and still others because of the focus they brought to important security issues. One even happened well before computers became a personal item, back when the Internet had a mere 60,000 connections. But each event, in its own way, is one that we at CSO think is momentous.

Of course the list is arguable. That’s half the fun.

1971: Captain Crunch Whistle

Phone phreaker (a term for a subculture of people who, ahem, experiment with telecom systems) John Draper discovered that a toy whistle packaged in boxes of cereal could be modified to emit a tone at 2600 hertz. That was the same frequency used by phone companies to indicate that a trunk line was available to route a new call. Blowing the whistle into the telephone receiver would disconnect one end of the trunk, allowing the side that was still connected to enter an operator mode (a useful function for maintenance and repair personnel as well as phreakers).

“The problem was that the telcos allowed this to be sent in-band, and thus end customers could create and ‘transmit’ these signals as well. Although most of this has been moved to out-of-band signaling, this problem still exists for many older switches, some in the states and several places overseas,” says Mudge, a hacker turned computer researcher at BBN Technologies. The upshot: the phreaker gets free phone calls and various other opportunities for mischief.

Why significant: Widely cited as the seminal precursor to computer hacking. Draper went on to build blue boxes, which are capable of reproducing other tones used by the phone company and allow their users to make free long distance calls. Draper was exposed in a 1971 Esquire article, which sparked the interest of a certain duo named Steve Jobs and Steve Wozniak, who also began building blue boxes themselves. Of course, they later founded Apple.

1988: Morris Worm

Robert Tappan Morris, a 23-year-old Cornell University student, wrote some code as part of a research project aimed at determining the size of the Internet. The worm was meant to infect computers, but only to see how many connections to the Internet existed. Because of a flaw in the code, however, it ended up exploiting vulnerabilities in Unix and spread quickly, infecting multiple machines multiple times and rendering them unusable.

Why significant: Considered the first computer worm distributed on the Internet, and thus to some extent the beginning of the age of malware. Morris’ worm also was the first to gain significant attention from the mainstream media–and the judicial system. In 1990, Morris was sentenced in U.S district court to three year’s probation, 400 hours of community service and a $10,050 fine.

1994: Citibank Heist

Russian hacker Vladimir Levin broke into Citibank’s cash management system and siphoned $10 million into his own accounts. The stolen accounts were unencrypted. All but $400,000 of the stolen cash was recovered, and Levin was arrested in 1995 and extradited to the U.S. in 1997. In 1998, he pled guilty to conspiracy to commit wire, bank and computer fraud. A federal court judge sentenced Levin to three years in prison, and a fine of $240,000 to be paid to Citibank.

Why significant: Considered by many as the first major bank robbery carried out with computers, and one that also underscored the global nature of cybercrime. According to Steve Katz, who was recruited after the hack to become part of a Citibank security task force, that breach was also the catalyst that helped give rise to the modern chief security officer. “It really elevated information security within the corporation and made a case for its importance,” he says. “It helped change the direction of infosec.”

1995: The Celebrity of Kevin Mitnick

This was the year that Mitnick began a five-year prison term after a two-and-a-half-year hacking spree, during which time he broke into and stole files from corporations including Motorola and Sun Microsystems. He was arrested after breaking into the system of a computer scientist who helped the FBI track Mitnick down.

Why significant: Put a hacker into the spotlight. A slew of media coverage (but don’t blame CSO, we weren’t born yet) made Mitnick the most notorious and well-known hacker in U.S. history. His attacks also brought into the public eye the concept of social engineering–using manipulation and deception instead of technical approaches to gain access to an organization.

2004: Witty WormBruce Schneier, CTO of BT Counterpane. It also infected smaller and harder-to-infect hosts than previous worms.

This computer worm attacked the firewall and other security products from Internet Security Systems. The worm spread rapidly after the announcement of the vulnerability, infecting 12,000 machines in 45 minutes, according to

Why significant: The first major piece of malware that took advantage of vulnerabilities in a specific set of security products–ISS’s BlackICE and RealSecure. “It was one of the first worms to utilize a pre-loaded hit-list of target systems,” says Mudge. “It was also interesting as it targeted security software on systems, and there were rumors that it was released by an employee of a rival company.”

2005: Titan Rain

The U.S. government’s code name for a series of hacking incidents via Chinese websites which started in 2003. Targets included computer networks at the Department of Defense and other U.S agencies.

Why significant: The first widely-suspected incident of nation-based espionage. But the details of Titan Rain are controversial. While some believe the Chinese government was involved in cyber espionage, others think that the attacks were the work of hackers using Chinese websites to cover their tracks.

2005: ChoicePoint Debacle

ChoicePoint, one of the largest data aggregators and resellers in the country, announced that thieves establishing fake businesses were able to gain access to 145,000 consumer records. The company failed to thoroughly vet the identities of individuals and businesses who purchased information, willingly handing over personal records and Social Security numbers to people who should not have been authorized to have them.

Why significant: A major security breach that underscored risky business processes, not hacking, and led to increased regulation of consumer data. At the time, California was the only state with a data breach notification law. SB 1386, which gained widespread attention after the ChoicePoint incident, “gave rise to almost all the encryption requirements you see today,” says Katz. Today, 38 states have disclosure laws pertaining to the public, and one state has implemented a government specific law. It also prompted the Federal Trade Commission to impose its largest fine to date–ChoicePoint was required to pay $15 million to settle charges that it violated privacy rights and failed to protect customer information.

2007 Storm Worm

This Trojan horse includes an executable file as an attachment. When the e-mail recipient opens the attachment, he or she unknowingly becomes part of a botnet, (aka a collection of infected computers, which are controlled by a “bot herder” to spread viruses and spam.

Why significant: Not only one of the largest Trojan horses in the last several years, but an ongoing saga that shows no signs of letting up any time soon as variants continue to periodically flood the Internet. It also may be difficult to isolate because it has the ability to infect a computer without showing signs of infection for a long time. “Storm is really much more than just being subtle–it’s an amazing illustration of the new generation of adaptive malware,” says Christofer Hoff, chief architect of security innovation at Unisys.

The Ones That Weren’t

2006: Veterans Affairs Theft

The records of 26.5 million veterans and active duty National Guard and Reserve troops were stolen from an agency employee who took his laptop home. Unencrypted data that included Social Security numbers and dates of birth of the veterans and their spouses were compromised.

Why not-so-significant: The then-largest data security breach in U.S. history and one that highlighted the need for greater scrutiny on information security practices in the government. However, the event didn’t actually force the V.A. to improve its security. “The V.A. took the tactic of offering people identity monitoring services after the fact, rather than to focus on their internal issues that led to this in the first place,” Mudge says. So what came of the uproar surrounding the loss of information and the government’s slowness to alert those who were affected? Not much. “[The department] is not much better off, and the laws and regulations have not changed much from before this event,” Mudge says.

2007: TJX Hack

The retail giant (whose chains include TJ Maxx, Home Goods and Marshalls) initially disclosed that 46 million accounts had been compromised through hacking that involved the company’s wireless networks. Hackers were able to penetrate the network and access data being transferred between hand-held price-checking devices, the store’s computers and cash registers. (We’ve dated this hack by the disclosure, but the initial hack may have taken place as early as 2005, and on subsequent dates ranging from May 2006 to January 2007.) In the months following the initial disclosure, new developments have consistently come to light. In October of 2007, the number of compromised accounts more than doubled to 94 million. TJX has been criticized for collecting too much information, holding it for too long, and failing to upgrade its wireless security from a WEP encryption protocol (an old standard) to WPA (which is much stronger). TJX also came under fire for taking a long time to notify customers of the breach and for being non-compliant with Payment Card Industry Data Security Standard (PCI DSS).

Why not-so-significant: Again, then the largest data breach in history, and one that could have prompted major change and made companies take PCI DSS and other security standards more seriously. However, more than a year after the TJX breach first came to light, only 30 percent of retailers are PCI compliant, according to Sophos’ 2008 Internet Security Report. So much for cosmic change.

What did we miss? E-mail Staff Writer Katherine Walsh at kwalsh@cxo.com.