Forwarded From: Nicholas Charles Brawn <ncb05at_private> [All in all not a bad article at all. The reporter shows he's researched the subject relatively well, and has some clue about what he's talking about. We need more articles like this! :) - Nicholas] HACKERS READ END OF THE LINE - SECURITY Security Britain's computer outlaws are a spent force. Michael McCormack finds out why. British hackers are watching their shadowy community die on the vine, a victim of in-fighting, more effective law enforcement and - of all things - its own maturity. Hacking in this country has declined dramatically since its high point in the run-up to the last parliamentary elections. Then, hackers were making high-profile scores against Labour and Conservative party web pages and security consultants were warning of a rising tide of online fraud and extortion attempts. Two years on, the hacking scene is all but dead: most of the community's leading lights have retired, no new hacking conferences are planned, police and ISPs are collaborating ever more closely to trace offenders and improved security programs have left few easy targets on which new hackers can practise their skills. Security professionals, whose job requires close attention to trends in IT crime, find hackers now command very little of their attention. Ed Wilding, associate director of computer evidence at Network International, said: "There is very little outside hacking now. We see a lot of computer intrusion, but it's almost always done from the inside." And a spokesman for UUnet, the ISP and network services specialist, said: "We just don't see the level of hacking that was predicted one or two years ago." According to the hackers themselves, the British scene has split into four suspicious and mutually mistrustful groups: yesterday's men - older hackers now in legitimate IT jobs; hardcore crims - a tiny minority responsible for the bulk of the economic harm blamed on hackers; vanity cases - hackers intent on making high-profile hacks to further their own celebrity; and script kiddies - masters of the point and click who perform the majority of "nuisance hacks". Two of yesterday's men, who left hacking after being arrested in connection with what they term "non-economic hacks - making unsolicited changes to high-profile websites", told Connected how they felt the hacking climate in Britain had changed. Neither would allow his name to be used. "When I got started in the late Eighties, there wasn't really any public attention to hacking and most of the security people took you as one of their own doing the things they had done themselves as students," said one. "Now, the first thing a hacked company will do is call in the police. The risks are higher and you can find out about unfamiliar computer systems on the Web, instead of having to break into them to see how they work." And, according to his companion, time takes its own toll on a busy hacker: "To hack well, you have to spend countless hours trying and failing to get into a system. You almost always have to do it at night, when there's less chance of a human noticing things. You can't really do it if you have a job or a life. Eventually, other opportunities look more attractive." Chief among these opportunities are jobs in network administration and security, the two natural talents of a born hacker. According to one ex-hacker: "Hacking is about figuring out how systems fit together and how they communicate. If you're good at that, you can make a lot of money legitimately because good network people are rare." And security companies will all admit that many of their most prized employees are ex-hackers, now exploiting their gifts for finding security holes for the benefit of clients. Aping the "been there, done that" style of their elders are the vanity cases, typically university students who have hacked for two or three years and hope to be recognised as leading figures in the hacking underworld. While some hackers and hacking observers in Europe and America, notably Hamburg's Chaos Computer Club and Emmanuel Goldstein, the American editor of hacking magazine 2600, have achieved media celebrity for their expertise, British attempts at stardom have failed miserably. Earlier this year, Connected exposed two Midlands hoaxers who had convinced CNN and the Sunday Times that they had hacked into the facility which ran India's nuclear test programme. The two hackers involved have since become objects of derision and their failure has convinced many other hackers that, in the words of one: "If you need to show off, get out of hacking." By far the greatest nuisance to hackers and victims alike are the script kiddies, typically school-aged newcomers to hacking who delight in malicious acts of electronic sabotage. Lacking the programming skills to perform intrusive hacks, they specialise in emailed viruses, signing "victim" email addresses up to dozens of online newsletters and disrupting companies' communications with spam attacks and email bombs. According to the National Computing Centre, such low-level harassment is suffered by one British company in eight, at an average cost of more than #7,000 in lost time and repairs. Script kiddies are despised by more serious hackers for their reliance on point-and-click hacking tools, software packages prepared by other hackers and downloaded, ready to run, from the Internet. "Hacking is supposed to be about learning," said one of yesterday's men. "What will you learn from point-and-click except that everyone hates a snotty kid?" The most dangerous kind of British hacker is also the rarest: the hardcore crim who uses his knowledge of financial systems and security loopholes to attempt wire frauds and extortion. Specialising in inside jobs, they are far removed from the popular image of the spotty teen hacker, alone at his computer in the dark of night. According to Ed Wilding, their success is due to their ability at social engineering: "Typically they will contact someone in an organisation by email and build up a relationship. They then manipulate that person into supplying information like customer databases or forward plans. "The person inside may well believe they are communicating with another employee who is perfectly entitled to have the information they're giving up. Then the hacker will demand a ransom for the database or try to sell it to a competitor." Evidence from recent security surveys shows an increasing number of criminals are taking jobs as computer contractors to gain access to such information. "The inside man has all the advantages and hackers know it," said Wilding. Another growing crime is arranging bogus payments from large financial organisations. "Hackers know that once a payment is authorised and hits the electronic systems, it's very difficult to trace," said Wilding. "They will ingratiate themselves with someone who works in the back office of a bank or brokerage and arrange to have a wire transfer made. Once the money comes out they'll try to hide it in other accounts. "These crimes are very rare - there are very few people out there who attempt them. They don't require tremendous technological knowledge the way other kinds of hacking do, but they depend very much on sophisticated social hacking." With the demise of hacking conferences in this country, the four groups are growing more isolated. Mutual distrust has stopped British hackers forming "non-harmful" collectives such as New York's Lopht Heavy Industries or Hamburg's CCC, which promote socially responsible hacking. With little light on the horizon, British hacking might gently fade away, much to the relief of its present and potential targets. Why I gave it up "David", a 28-year-old former hacker, is very keen on anonymity. For much of the late 80s and early 90s, he led the British charge into the hacking scene, founding three bulletin boards devoted to hacking tools and writing some of the earliest antecedents of today's password crackers. But in 1992, he gave it up. "I guess I grew up," he says. "I had learned as much about systems as any of the people who designed them, I lost interest in the competitive side - trying to put one over on someone else - and I got sick of seeing 20 emails every day from kids trying to hack into the school computer. "Hacking reached a point where the media got interested and it stopped being about learning and started being abut high-profile hacks. I never saw hacking as slapping `Phear me! I am 3L33T' all over someone's website; it's about learning and doing things for yourself. "I still drop in on the hacking channels occasionally, and compared to 1990, the hacking population seems much larger and much less skilled. It's also more malicious. I'm glad I'm out." Factions in the British hacker crowd Yesterday's men Older hackers now inlegitimate computer jobs. Hardcore crims A tiny minority responsible for the bulk of the economic harm blamed on hackers. Vanity cases Hackers intent on making high-profile hacks to further their own celebrity. Script kiddies Masters of the point-and-click hacking tool who perform the majority of "nuisance hacks". DAILY TELEGRAPH 03/12/1998 P6 -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:13:20 PDT