The History of Hacking

How did the cyber crime industry become as big as it is today? Watch to learn about the origins of hacking and cyber crime and how the industry grew.

Prefer to read? (Transcription)

TOM: First of all, let me introduce myself. My name’s Tom Kirkham. I am the founder and head honcho of IronTech Security. Those of you that have been on some of our other webinars, you know my habit. Using the word “head honcho” covers a lot of different people.

This Deeper Dive is about a brief history of hacking. I’ve spent 2 days working on this, and I should say it’s a very brief history. Very, very brief because we normally try to do these for 30 minutes, and it was hard. And I’m still not sure exactly how long this is going to take. And I left a lot of things out, so we may stop this and then revisit it again. We might do a deeper Deeper Dive, because some of these hacks are just fascinating in and of themselves. We’ll just see how it goes. If you’ve got any questions, put them in the chat box, and we’ll address them throughout. This is all a casual thing. We’re a pretty laidback bunch.

So, 1903. Marconi, the inventor of what they called at the time the wireless telegraph, but it was actually wireless radio – he’s the inventor of that, and during a demo of – I think it was England’s Royal Society whatever. It was not only a social, but a scientific venue in a big auditorium and everything like that, and they were touting the fact that it was really, really secure, this wireless radio technology or wireless telegraph technology.

Well, this guy by the name of Nevil Maskelyne – I think I’m pronouncing it correctly – actually found out that all it was was a transmitter, and all he had to do was set another transmitter up in the arena or whatever it was, in the auditorium. He actually just trolled them. One of the things he did was he wanted to pick on Marconi. He was mocking him. So one of the things he transmitted was “There was a young fellow of Italy who diddled the public quite prettily.” Then he also did other rude things and things like that, and it all got transmitted. It made them all a laughing stock. Embarrassed Marconi tremendously.

But the simple fact of the matter was, there was absolutely no security. It was merely transmitting. He thought because it was on such a narrow band, that in itself was enough to protect the messages. So 1903, very first hack that I can find.

Another one that I was really surprised to learn – and we’re going to go through these in decades, basically, the ones that I think are very, very worthwhile. They’ll have a theme to this as we go through them. The Enigma machine. A lot of people don’t realize, but the Poles, these Polish cryptologists, actually cracked the Enigma in 1932 once they were invaded by Germany. I suppose it was ’32. And then their work was used by Alan Turing and others at Bletchley in England to create the Bombe machine. If you’re familiar with the movie The Imitation Game, that was what it was about. There are some inaccuracies in the movie. It kind of led you to believe there was only one big Bombe, the one big computer that did this cracking, but they actually built over 200 of them, and none of them were built at Bletchley. Anyway, there’s a lot of curious things about that.

Alan Turing also is the – I forgot the name of it, but he theorized before this that machines could think, so the Turing test is what’s used on computers with artificial intelligence to see if they’re capable of thinking.

Then finally, in ’55, the word “hack” was first used at the Tech Model Railroad Club, and it meant fussing with a machine or fussing with a computer. It didn’t mean anything bad at the time. Even today, there’s black hat and white hat hackers. Penetration testing companies – that’s something we don’t do. We can, but we don’t do it because it’s a conflict of interest. But whenever we start doing some vulnerability assessments, we kind of do a little bit of penetration testing. Well, that’s being a white hat hacker. We’re going to talk about a movie here in a minute that talks a little bit more about that that’s a really good example and a really great movie.

Getting into the ’60s, the phreaking boxes – there was a guy by the name of Captain Crunch that was real well-known for whistling into a phone, and basically he was reproducing the switching codes, the touchtone phone switching codes. Probably some of you may remember touchtone phones. But those tones were also used inside the AT&T network, or Ma Bell network, to switch and route calls and signify whether quarters or dimes or nickels were dropped into a payphone, for those of you who remember payphones. They could be used for a lot of different things – free phone calls all over the world. And in the ’60s, it was very expensive to call internationally. We don’t even think twice about it.

But these phreaking boxes – they had different color names for them. They weren’t actually colored discs, but they had red ones and black ones and white ones, and they all had different purposes. I can’t remember exactly the colors, but one might be just for the payphone thing. There’s a scene in that movie right there where he actually does that. Another thing to remember is Steve Wozniak and Steve Jobs built and sold phreaking boxes before they founded Apple Computer. And yes, they were illegal.

1967 was the first known incident of a network penetration hack. It was a high school computer club in suburban Chicago area, and they were given access by IBM to their APL network. Then once they got in there, they learned the language and the operating system really quick, and before they knew it, they were into all sorts of systems that they weren’t authorized to be in.

Kevin Mitnick. This is a name that keeps coming up over and over and over again. I actually had a chance to see him speak about 3 or 4 years ago. He was on the run for about 20 years and served 5 years in prison for hacking into not only this hack, which was the first one, his first major one – this was into Digital Equipment Corporation, or DEC, if you remember that. They were like a mini computer company, almost a supercomputer, but a mini computer company. He hacked into them, but he hacked into a whole bunch of stuff.

He was on the run for 20 years, and he finally got arrested. He served 5 years in prison, and 8 months of that was in solitary confinement. Now, get this: law enforcement officials convinced a judge that he had the ability to start a nuclear war by whistling into a payphone. Which brings up the 1983 movie WarGames.

NARRATOR: America’s frontline of defense is this computer. It is totally secure… or is it?

GIRL: You’re really into computers, huh?

BOY: Yeah.

GIRL: What are you doing?

BOY: Dialing in to the school’s computer.

GIRL: Are those your grades?

BOY: Yep. I don’t think that I deserved an F. Do you?

GIRL: You can’t do that.

BOY: Already done.

GIRL: You could go to jail for that.

BOY: Only if you’re over 18. This computer company is coming out with these amazing new games in a couple of months. I want to play those games. Wow.

GIRL: What?

BOY: We got something.

GIRL: “‘Games’ refers to models, simulations, and games which have tactical and strategic applications.”

BOY: That must be them.

COMPUTER: Greetings. Game time is near. Shall we play a game?

BOY: Love to. Let’s play Global Thermonuclear War.

COMPUTER: Fine.

BOY: All right!

ALERT: We have a launch detection. We have a Soviet launch.

MAN: What the hell?

ALERT: Missile warning.

BOY: Oh my God.

ALERT: I repeat, confidence is high.

BOY: Is this a game or is it real?

COMPUTER: What’s the difference?

NARRATOR: WarGames. Begin playing June 3rd at a theater near you.

TOM: So that is the movie that was used as an example of why Kevin Mitnick needed to be kept in solitary confinement. There’s a lot of things to that movie. One of them was President Reagan and his wife, Nancy, watched this movie the day after it was released, and he immediately had a general look into whether or not the U.S. systems could be hacked. They found out that not only was it possible, but it was also plausible. So this focus created the first U.S. federal internet policy, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. It’s still in use today.

So this was something at the time, in 1983, that people thought and felt was really, really possible, and in fact, it was based on a real-life incident where we almost triggered World War III because of a computer simulation.

Now, other things that WarGames introduced that is all real – this was probably, even to this day, one of the most accurate technical movies. Now, if you’ve seen Swordfish and almost any other hacking movie, they’re pretty liberal. They take a lot of artistic license with it. But the things that you saw in this movie were entirely possible or at least plausible. There really isn’t a whopper supercomputer that controls all of this as far as we know, but he was doing a thing called war dialing or demon dialing, and that’s where you just dial numbers over and over – this was back in the days before everybody had full-time internet. They were doing dial-up.

So he just dials up phone numbers, consecutive numbers, looking for another computer on the other end. If a human being answered, he just hung up and dialed the next number on the list. That’s how he accidentally found this computer that was in the Cheyenne Mountain Complex. It was the first movie to use the word “firewall” in computer context. The word “firewall” has been around since the 1800s, but it was the first time to use it in computer context.

Now, get this. One of the characters in the movie is Dr. Falken, and he was loosely based on Stephen Hawking. And in fact, both Stephen Hawking and John Lennon were considered for the role of Falken. Stephen Hawking thought about it and turned it down, and then John Lennon was shot, so they ended up getting that English actor. I forgot the name of him right off the top. But if you haven’t seen that movie, it’s kind of a feel-good movie, but it can really scare you quite a bit.

Let’s move ahead. 1992 was the first use of polymorphic code. What’s polymorphic code? Polymorphic code has the ability to, in every instance that it reproduces, it changes its signature. Some of you have heard me talk about antivirus, and antivirus is signature-based. Once polymorphic code was introduced, antivirus became less and less useful. That was the first downfall of antivirus. Of course, now antivirus is practically useless. It’s just horrible. Don’t rely on antivirus. But ’92, it’s that old, when it was first introduced.

Now, this is the second movie that I’ve got in here. The writers of WarGames went on to write the screenplay for Sneakers. Sneakers is another one of those that is fairly technically accurate, and besides that it’s just a great movie. Just a well-written movie. I’m going to play a little bit of this. I’m not going to play the whole clip because it’s kind of long.

MOTHER: This LTX-71 concealable mic is part of the same system that NASA used when they faked the Apollo moon landings. Worked for them. Shouldn’t give us too many problems.

NARRATOR: They break and enter…

MAN 1: How are we doing?

MAN 2: Carl’s in position on the fire escape. Mother is in the cable vault.

MAN 1: Preparing to sever master circuit.

NARRATOR: But they’re not thieves.

MR. BISHOP: We’re getting too old for this.

NARRATOR: They know your secrets… but they’re not spies.

MR. BISHOP: Got to be there somewhere. What’s he doing?

CARL: Mr. Bishop, do you mind if I take a look?

MR. BISHOP: Carl.

WOMAN: I’ll give you something to work, baby.

WOMAN: So people hire you to break into their places to make sure no one can break into their places?

MAN: It’s a living.

WOMAN: Not a very good one.

NARRATOR: Now, they’ve got a new client.

MAN: National Security Agency.

MAN: I don’t work for the government.

MAN: Relax, Marty. It’s just everybody on your team has had some sort of problem in their past.

MAN: Now what do you say? The NSA killed Kennedy?

MOTHER: No. They shot him but they didn’t kill him. He’s still alive.

NARRATOR: They may not want the job…

MAN: Miss, I need your help.

WOMAN: I will not be dragged back into your world.

NARRATOR: But they don’t have a choice.

MAN: We don’t want to bust you, we want to hire you.

MAN: We’re the good guys, Marty.

MARTY: I can’t tell you what a relief that is, Dick.

MAN: Your job is to find that little black box.

MAN: We got it.

MAN: Holy cow. What the hell is this?

MAN: It’s a war out there, old friend. A world war.

WOMAN: Oh my God.

MAN: How is this possible?

MAN: It’s not about who’s got the most bullets. It’s about who controls the information.

MAN: Anybody want to shut down the power reserve?

MAN: Hey, don’t screw around with that thing.

MAN: It’s all about the information.

MAN: So it’s a codebreaker.

MAN: No. It’s the codebreaker.

TOM: So what that movie is about – first of all, the group of them, Robert Redford, Sidney Poitier, Dan Aykroyd and so on, they are a penetration testing organization. That’s what they get paid to do: break in, find out where the vulnerabilities are, issue a report, and walk away. That’s what penetration testers do. There’s a bunch of cool things in that movie. It’s very enjoyable. How could it not be if it’s got Robert Redford, Sidney Poitier, and Dan Aykroyd’s there for the comic relief? And Ben Kingsley. At any rate, this was back in 1992.

What they were trying to steal in the movie Sneakers was a device that could unencrypt any encryption. Well, in 1996, cryptovirology is born, which forms the basis of ransomware today. Ransomware is all about encrypting and holding the data for ransom, and pay the ransom, they’ll unencrypt your data. So in 1996 the foundation was laid for the scourge of ransomware that we’re familiar with today.

Kevin Mitnick. In 1998, Yahoo! was hacked by hacktivists that planted a logic bomb if Kevin Mitnick is not released. Remember Kevin Mitnick is in prison. I don’t know who the hacktivists were, but if you remember, we want to understand who our threat actors are. What they did is planted a logic bomb and a worm that, if you just visited the Yahoo! site, for about a month, they claimed that the logic bomb would go off if he wasn’t released from prison. This is 1998.

This was one I wasn’t aware of: in ’99, a hacker on a radio interview show, which was Coast to Coast AM hosted by Art Bell – in fact, the person was Heely Rose, whoever that may be. But he actually exposed a plot by al Qaeda to derail Amtrak trains. This is 1999. It’s a couple of years before, so it wasn’t just the World Trade Center. They had other plans as well. But at any rate, they shut the trains down over Y2K – I guess it was the trigger for it – as a safety measure. That Y2K date, the trains were shut down. They weren’t running.

All right, now, 2001, the National Cybersecurity Alliance was established. They are responsible for Cybersecurity Awareness Month, Data Privacy Day, and they have another part of their organization, Cybersecure My Business. They give you a lot of tools and awareness things. That’s what they’re about: tools to help you protect yourself and increasing awareness of all of this. Their website is staysafeonline.com. There’s a bunch of things about protecting your family and things like that.

2003, Anonymous is formed. We’ll get to that.

In 2006, a hacker did the world’s largest website defacement. He did 21,500 websites in one shot. Like 21,000 websites were hacked all at one time.

2007, there was a spear phish at the Office of the Secretary of Defense, and they stole sensitive U.S. Defense information which led to significant changes in identity and message source verification. Spear phishing is targeted phishing emails. That’s part of our training that we provide to you guys. We train you how to identify a phish. A spear phish is a very well-crafted phishing email that looks like it’s internal. So the Secretary of Defense Office was caught in one and they got some stuff leaked out.

And then I even remember the Conficker worm because that was on the national news for several days. It was millions upon millions of PCs worldwide.

Am I still okay?

KINDSEY: Yeah, you’re good.

TOM: Millions of PCs worldwide were infiltrated, including many government-level top security computer networks. Those of you that remember, that was on CNN and everything for quite a few days. In fact, that image there is a button you could buy. “I survived Conficker.”

This one I did all by itself. There’s so many things about Stuxnet. Stuxnet, for those of you that don’t know, this is a worm that was created to attack a specific Siemens 7 industrial control system, and it was designed to be distributed even through air gapped systems. What’s an air gapped system? An air gapped system is a network that in no way is connected to the internet. They designed it to be distributed via USB drive.

We’re not entirely sure of all the details on this, but I do have some very high confidence trivial stuff about this. Israel and the United States apparently got together and spent quite a bit of time and money creating the Stuxnet virus, and it was specifically designed to basically destroy the centrifuges Iran was using to refine plutonium. It was like a rifle shot; it had very, very tight conditions that had to be met before it would execute, and if the target machine didn’t meet these specifications, it terminated itself so nobody would find it. So it’s a very stealthy worm.

Basically what it did is it not only spun the centrifuges up faster than their operational limits, but it also reported back to the monitoring control panel or the monitoring center that everything was functioning normal – there was nothing wrong, they were all functioning normal, staying within their operational limits, when in reality they were going way past their operational limits and basically self-destructing.

A few things that we do know – Snowden mentioned this in 2013. Regardless of what you think about Snowden, he claimed that Stuxnet was developed by the United States and Israel. In 2011, on the PBS program “Need to Know,” Gary Samore, who at the time was White House Coordinator for Arms Control and Weapons of Mass Destruction, said “We’re glad the Iranians are having trouble with their centrifuge machine and that we, the U.S. and its allies, are doing everything we can to make sure that we complicate matters for them” – offering a wink, wink, nudge, nudge acknowledgment of U.S. involvement.

Also, Sean McGurk, who was a former cybersecurity official at the Department of Homeland Security, noted that the Stuxnet source code could now be downloaded online and modified to be directed at new target systems. He says, “The Stuxnet creators opened a box. They demonstrated the capability. It’s not something that can be put back.” So this Stuxnet virus that was successful, that did destroy centrifuges – and it’s verified by a lot of different people. There’s other people that are on record for the wink, wink, nudge, nudge thing, so it’s almost certain that United States and Israel were involved. There’s some other European country that might’ve been involved.

But what happened – and we’re going to talk about this a couple of slides later – but this tool got out into the wild, along with the source code, and now it has been modified and can still be modified to attack all sorts of different industrial control systems, and basically every nation on Earth has now been a victim of a variant of the Stuxnet virus or the worm that we created. Spent a lot of money on that, too. Millions upon millions.

2012, LinkedIn was hacked. 6.5 million users stolen. 2012 was the first big SCADA systems attack, industrial control systems. 9 countries were hacked, including United States.

’13, Tumblr was hacked and 65 million credentials were stolen.

In 2014, everyone probably remembers this – the movie The Interview, which is about these two characters here. They had a TV news magazine I think, or something like that, and they got an interview with Kim Jong Un in China, and then they were hired to assassinate him. The movie is a comedy, and it makes Kim Jong Un look like an idiot. So North Korea, who has a very good hacking team, hacked Sony servers. They ended up not releasing this movie to the theaters. I think it went direct to video and then it was available for free, if memory serves correctly.

2014, the United States Office of Personnel Management was hacked. 21.5 million people’s records were stolen, personally identifiable information that included Social Security number, dates of birth, address, fingerprints, security clearance, and other information from the United States Office of Personnel Management. The Wall Street Journal and the Washington Post report that they believe the hacker was the government of China. Cyber warfare is going on all the time.

Remember the Stuxnet virus? 2016, the NSA’s own hacking tools were released onto the Dark Web. They were for sale or for download on the Dark Web, most of them with the source code. So all of these tools, or most of these or some of these – nobody really knows, of course – the NSA itself was hacked, and their tools are now available to download on the Dark Web. That very same Stuxnet virus is being used against us.

’16 also saw 57 million records stolen from Uber. I think 600,000 driver’s licenses of Uber drivers were part of that, and then all the riders, I believe, at that time.

Then we all remember the Equifax breach. 145 million records were stolen. That was all over CNN and the headlines and everything like that.

Here we go back to Anonymous. Anonymous is a hacktivist group. That’s one of the types of groups. 3 days after the murder of George Floyd, they hacked the City of Minneapolis’s website and the Minneapolis Police Department website, and they put their creed up there, “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.” They had a video up there, and they went on to address police brutality and vowed that they will be “exposing your many crimes to the world.”

And then finally, in 2020, we saw the first known death directly attributed to a hack. A hospital got hit with ransomware in Dusseldorf, Germany, and it led to the death of a patient there. There’s probably plenty of others back in time, but this is generally acknowledged as the first known death to occur because of a security event.

Just a quick reminder – oh, if anybody wants to do this again, I liked it, and I think we can do some cool stuff with this. Maybe do a deeper Deeper Dive, like I mentioned up front. We probably will do that and maybe change it up a little bit. But there was a lot of research that went into that.

Just a reminder about the security assessment. Make sure you schedule that. Kindsey just put the link up there in the chat box. I hope everybody enjoyed this because I certainly did. Yeah, we’ll have to do this again. But anyway, easy-peasy to do the security assessment, and I think we have a code for this. What’s the code and when does that expire?

KINDSEY: The code is HACK in all caps, and it will expire tonight.

TOM: Alrighty. I’m going to type the word “HACK.” HACK is the code. Otherwise we’re charging $495 for the security assessment, but with HACK you can get it for free. Expires at midnight.

KINDSEY: Next week we are going to be talking about the scary truth about antivirus and why it leaves you vulnerable.

TOM: It’s horrible. Oh, and sometimes – I just threw this slide in here real quick. One of the myths that we cover is that good cybersecurity is expensive. This is just a sample pricing. If you don’t have a server, you’re just a small company with 3 PCs, you can get security awareness training, you can get that super turbo deluxe antivirus, which is known as MDR or EDR – I hate to even compare it to an antivirus because it’s just so, so much more.

You get the security awareness training, you get the EDR, and then you get virtual machine backup, which is about as good as it gets with disaster recovery and business continuity planning. It’s just a sample price. Once we do the security assessment, we determine what you need and give you a proposal. Actually, you could do it for less than that. If you only have 1 PC that needs a backup, it’s going to actually be less than $99. But anyway, just $33 per month per computer is pretty good to get enterprise grade security.

Thank you, Elizabeth, for the kind words. Yeah, we’ll have to do this again.

KINDSEY: Yeah.

TOM: All right, guys. Thanks a lot.

KINDSEY: Thanks, everybody.