[ISN] Hackers Read End of the Line - Security

From: mea culpa (jerichoat_private)
Date: Fri Dec 04 1998 - 00:32:53 PST

  • Next message: mea culpa: "[ISN] Crypto Setback in Vienna"

    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    [All in all not a bad article at all. The reporter shows he's researched
     the subject relatively well, and has some clue about what he's talking
     about. We need more articles like this! :) - Nicholas]
    Security Britain's computer outlaws are a spent force. Michael McCormack
    finds out why.
    British hackers are watching their shadowy community die on the vine, a
    victim of in-fighting, more effective law enforcement and - of all things
    - its own maturity. 
    Hacking in this country has declined dramatically since its high point in
    the run-up to the last parliamentary elections. Then, hackers were making
    high-profile scores against Labour and Conservative party web pages and
    security consultants were warning of a rising tide of online fraud and
    extortion attempts. 
    Two years on, the hacking scene is all but dead: most of the community's
    leading lights have retired, no new hacking conferences are planned,
    police and ISPs are collaborating ever more closely to trace offenders and
    improved security programs have left few easy targets on which new hackers
    can practise their skills. 
    Security professionals, whose job requires close attention to trends in IT
    crime, find hackers now command very little of their attention. Ed
    Wilding, associate director of computer evidence at Network International,
    said:  "There is very little outside hacking now. We see a lot of computer
    intrusion, but it's almost always done from the inside." And a spokesman
    for UUnet, the ISP and network services specialist, said: "We just don't
    see the level of hacking that was predicted one or two years ago." 
    According to the hackers themselves, the British scene has split into four
    suspicious and mutually mistrustful groups: yesterday's men - older
    hackers now in legitimate IT jobs; hardcore crims - a tiny minority
    responsible for the bulk of the economic harm blamed on hackers; vanity
    cases - hackers intent on making high-profile hacks to further their own
    celebrity; and script kiddies - masters of the point and click who perform
    the majority of "nuisance hacks". 
    Two of yesterday's men, who left hacking after being arrested in
    connection with what they term "non-economic hacks - making unsolicited
    changes to high-profile websites", told Connected how they felt the
    hacking climate in Britain had changed. Neither would allow his name to be
    "When I got started in the late Eighties, there wasn't really any public
    attention to hacking and most of the security people took you as one of
    their own doing the things they had done themselves as students," said
    "Now, the first thing a hacked company will do is call in the police. The
    risks are higher and you can find out about unfamiliar computer systems on
    the Web, instead of having to break into them to see how they work."
    And, according to his companion, time takes its own toll on a busy hacker: 
    "To hack well, you have to spend countless hours trying and failing to get
    into a system. You almost always have to do it at night, when there's less
    chance of a human noticing things. You can't really do it if you have a
    job or a life. Eventually, other opportunities look more attractive." 
    Chief among these opportunities are jobs in network administration and
    security, the two natural talents of a born hacker. According to one
    ex-hacker: "Hacking is about figuring out how systems fit together and how
    they communicate. If you're good at that, you can make a lot of money
    legitimately because good network people are rare." And security companies
    will all admit that many of their most prized employees are ex-hackers,
    now exploiting their gifts for finding security holes for the benefit of
    Aping the "been there, done that" style of their elders are the vanity
    cases, typically university students who have hacked for two or three
    years and hope to be recognised as leading figures in the hacking
    underworld.  While some hackers and hacking observers in Europe and
    America, notably Hamburg's Chaos Computer Club and Emmanuel Goldstein, the
    American editor of hacking magazine 2600, have achieved media celebrity
    for their expertise, British attempts at stardom have failed miserably. 
    Earlier this year, Connected exposed two Midlands hoaxers who had
    convinced CNN and the Sunday Times that they had hacked into the facility
    which ran India's nuclear test programme. The two hackers involved have
    since become objects of derision and their failure has convinced many
    other hackers that, in the words of one: "If you need to show off, get out
    of hacking." 
    By far the greatest nuisance to hackers and victims alike are the script
    kiddies, typically school-aged newcomers to hacking who delight in
    malicious acts of electronic sabotage. Lacking the programming skills to
    perform intrusive hacks, they specialise in emailed viruses, signing
    "victim" email addresses up to dozens of online newsletters and disrupting
    companies' communications with spam attacks and email bombs. 
    According to the National Computing Centre, such low-level harassment is
    suffered by one British company in eight, at an average cost of more than
    #7,000 in lost time and repairs. Script kiddies are despised by more
    serious hackers for their reliance on point-and-click hacking tools,
    software packages prepared by other hackers and downloaded, ready to run,
    from the Internet. 
    "Hacking is supposed to be about learning," said one of yesterday's men. 
    "What will you learn from point-and-click except that everyone hates a
    snotty kid?" 
    The most dangerous kind of British hacker is also the rarest: the hardcore
    crim who uses his knowledge of financial systems and security loopholes to
    attempt wire frauds and extortion. 
    Specialising in inside jobs, they are far removed from the popular image
    of the spotty teen hacker, alone at his computer in the dark of night. 
    According to Ed Wilding, their success is due to their ability at social
    engineering: "Typically they will contact someone in an organisation by
    email and build up a relationship. They then manipulate that person into
    supplying information like customer databases or forward plans. 
    "The person inside may well believe they are communicating with another
    employee who is perfectly entitled to have the information they're giving
    up. Then the hacker will demand a ransom for the database or try to sell
    it to a competitor." 
    Evidence from recent security surveys shows an increasing number of
    criminals are taking jobs as computer contractors to gain access to such
    information. "The inside man has all the advantages and hackers know it," 
    said Wilding. Another growing crime is arranging bogus payments from large
    financial organisations. "Hackers know that once a payment is authorised
    and hits the electronic systems, it's very difficult to trace," said
    Wilding. "They will ingratiate themselves with someone who works in the
    back office of a bank or brokerage and arrange to have a wire transfer
    made. Once the money comes out they'll try to hide it in other accounts. 
    "These crimes are very rare - there are very few people out there who
    attempt them. They don't require tremendous technological knowledge the
    way other kinds of hacking do, but they depend very much on sophisticated
    social hacking." 
    With the demise of hacking conferences in this country, the four groups
    are growing more isolated. Mutual distrust has stopped British hackers
    forming "non-harmful" collectives such as New York's Lopht Heavy
    Industries or Hamburg's CCC, which promote socially responsible hacking.
    With little light on the horizon, British hacking might gently fade away,
    much to the relief of its present and potential targets. 
    Why I gave it up
    "David", a 28-year-old former hacker, is very keen on anonymity. For much
    of the late 80s and early 90s, he led the British charge into the hacking
    scene, founding three bulletin boards devoted to hacking tools and writing
    some of the earliest antecedents of today's password crackers. But in
    1992, he gave it up. 
    "I guess I grew up," he says. "I had learned as much about systems as any
    of the people who designed them, I lost interest in the competitive side -
    trying to put one over on someone else - and I got sick of seeing 20
    emails every day from kids trying to hack into the school computer. 
    "Hacking reached a point where the media got interested and it stopped
    being about learning and started being abut high-profile hacks. I never
    saw hacking as slapping `Phear me! I am 3L33T' all over someone's website;
    it's about learning and doing things for yourself. 
    "I still drop in on the hacking channels occasionally, and compared to
    1990, the hacking population seems much larger and much less skilled. It's
    also more malicious. I'm glad I'm out." 
    Factions in the British hacker crowd
    Yesterday's men
     Older hackers now inlegitimate computer jobs.
    Hardcore crims
     A tiny minority responsible for the bulk of the economic harm blamed on
    Vanity cases
     Hackers intent on making high-profile hacks to further their own
    Script kiddies
     Masters of the point-and-click hacking tool who perform the majority of
     "nuisance hacks".
    DAILY TELEGRAPH 03/12/1998 P6 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:13:20 PDT