[ISN] The secret life of hackers

From: InfoSec News (isnat_private)
Date: Mon Mar 18 2002 - 00:17:43 PST


    Tuesday 19 March, 2002 
    By Suelette Dreyfus
    Were you to work in a certain Federal Government agency, every morning 
    you walked through the front door, you'd have to use three security 
    cards and type up to 10 passwords - all before your first cup of 
    The employees have a simple solution: they leave their security cards 
    in their desk drawers and sticky notes with passwords on the wall.
    This is not an approved national security protocol.
    Let's face it: security is a pain.
    As "Gan", a highly skilled Australian hacker who used to break into 
    systems illegally, says, "Security prevents people doing things - it's 
    designed to automate authoritarian tendencies in an organisation.
    "It works like the French legal system: you're guilty until proven 
    For the average IT manager, security is a headache. No one notices 
    when you do it right, but, oh, do you hear about it when you've done 
    it wrong. Finding the balance between security and convenience means 
    understanding the threat. So what is out there?  
    Rain Forest Puppy, an American white-hat hacker speaking at Hack 2002 
    Conference and Expo opening today in Sydney, says many hackers, 
    particularly the low-skilled script kiddies who use other people's 
    automated hacking programs, "don't differentiate or target. It's easy 
    to scan the entire Internet and pick off the weak sheep".
    Script kiddies account for most attacks, according to Nesh, an 
    Australian hacker who routinely pokes around other people's systems.
    "They just spray the Internet," Nesh says.
    Keeping your security up to date should fend off many of these 
    However, if you run a network attached to the Net, your systems 
    probably have security holes that a sophisticated hacker can 
    Nesh is a hacker-for-hire. His clients have included government 
    departments and financial institutions. He doesn't want to give his 
    real name, probably because he still keeps a hand in the shadows of 
    the underground.
    While others in the security business happily "whore their names on 
    bugtraq (a security mailing list)", as he describes it, he's happy to 
    work behind the scenes on paid contracts testing organisations' 
    It's intellectually challenging work and he doesn't have to deal with 
    clients much. But there are drawbacks, like being forced to prove to 
    managers that he's broken into their systems.
    "They say, 'No, no, we are secure here.' Then you show them. You see 
    their faces.
    "It's such a negative thing, like, 'I am here to destroy you.' All you 
    are doing is proving people are lazy most of the time. I don't want to 
    do that in front of a client. If you break into a big bank, someone is 
    going to get fired, it's true.
    "I don't like busting people's balls. I don't like feeling the human 
    side of it, I don't like that," he says.
    At the elite end of illegal hacking, the activity is increasingly 
    time-consuming. Nesh has an isolated network of more than 15 systems 
    in his living room for testing code he writes to exploit security 
    holes. He often takes up to three weeks to write one exploit program.
    Gan estimates that, on average, "It is about five times as hard to 
    write an exploit as to find the security hole in the first place."
    The darker corners of the computer underground have changed 
    significantly since its birth in the early 1980s. Here's what IT 
    managers are up against today:
    * Obsession still plays an important role in motivating the illegal 
      hacker but its focus has changed. "The obsession tends to be focused 
      on the research stage - finding the security bug and then writing 
      the exploit software to take advantage of it," Nesh says. However, 
      obsessiveness is still common among top-end hackers. "Being 
      obsessive-compulsive is better than being smart," he says. 
    * At the elite end of intruders, the style of attack has moved from 
      just randomly hacking machines, though they still machine-hop to 
      hide their trails. Says Nesh, "The guys who just sit for days on 
      end and break into machines are gone. The desire to break into lots 
      of systems randomly is gone. The underground is now more geared 
      towards doing better research and selectively using that 
      information to break into machines over an extended period with a 
      specific target in mind." 
    * Military sites are no longer the popular targets they once were in 
      the late 1980s, early 1990s. "No one goes for military targets any 
      more since September 11. Everyone realises you'll have a black helicopter 
      landing on your roof if you do," Nesh says. 
    * "War driving" - looking for wireless networks to jack into 
      anonymously - continues to be the hottest area for illegal hacking. 

    Hackers tend to be motivated by three rewards, according to Ronald 
    Van Geijn, the director of vulnerability management at Symantec.
    They are: bragging rights and recognition (particularly for defacing
    websites); money (by stealing data and selling it, or by blackmailing
    a victim); and demonstration (where white-hat hackers show how
    security can be broken).
    According to Nesh, it's still largely about achievement among peers.
    "It's like climbing a ladder - you have to be respected by these 
    people," Nesh says.
    Top hackers often target organisations that develop operating 
    systems, with two aims: to back-door the source code and, if the code 
    is proprietary, to steal it to hunt for weaknesses.
    However, these hackers are increasingly moving towards targeting 
    companies that make applications, instead of just operating systems.
    Hackers - the illegal sort - tend to have day jobs. They work as 
    system administrators or in some aspect of computer security. 
    They don't get caught because they are very careful and know what 
    they're doing.
    Financial institutions tend to have the best security (because they 
    can pay for it), while universities and home users tend to have the 
    weakest security.
    Banks do get pinched by online theft but, according to Van Geijn, you 
    don't hear about it because "they are very successful at retrieving 
    the money".
    There is strong pressure from the black-hat section of the underground 
    not to release security holes. The reason? The holes are closed up 
    much sooner than they used to be.
    "Ten years ago, you could use a hole for six months. Now, if you tell 
    three people, you're lucky if a good security hole lasts three weeks," 
    Nesh says.
    Some illegal hackers deliberately release false information about 
    security holes in public arenas.
    In one case, a black-hat hacker posted a fake security hole 
    description to a security mailing list. A few days later, the vendor 
    made a sheepish announcement that it was vulnerable to the imaginary 
    attack - much to the hacker's amusement.
    The top hackers rarely publish security holes these days. 
    "There is a mystique behind being elite; the best way to do that is to 
    publish something once a year," Nesh says.
    "You don't have a reputation then as a media whore. If you publish 
    lots of stuff then you are going to show your weaknesses."
    Corporate espionage relies increasingly on illegal hacking. Van Geijn 
    says an electronic intruder broke into egghead.com, an Internet direct 
    marketer selling clearance bargains such as consumer electronics and 
    sporting goods.
    Behind the scenes, the hacker was trying to extort the company, which 
    responded with a public announcement of the break-in. "The company 
    subsequently filed for bankruptcy," he says.
    The online porn industry apparently also has its share of corporate 
    Gan says he has been approached by online porn providers wanting him 
    to steal competitors' customer lists. He refused.
    Gan says he doesn't back-door systems much but some places where he 
    has left back doors have stayed "open" more than five years, in one 
    case through at least one operating-system upgrade.
    "One reason I never bothered to back-door much stuff is because I 
    could just go in the front door," he says. "There's no better back 
    door than an OS full of bugs."

    * Script Kiddies (or Weenies): inexperienced, illegal hackers who use 
      hacking tools created by someone else. Usually don't understand how 
      the tools work or lack the skills to re-create them.
    * White Hat: publishes security holes immediately and often notifies 
      the company to warn that its product has a problem. Only engages in 
      hacking that is legal, such as penetration testing.
    * Grey Hat: sits on a security hole for a while and might use it for 
      illegal penetrations periodically. Usually has some public identity 
      in the security area but often not with real name.
    * Black Hat: never releases the security hole or exploit code publicly 
      and hates it when others do. Breaks into systems illegally.
    * Hacker: someone with technical ability to break open systems. Also 
      often used to suggest illegal intrusions.
    * Cracker: traditionally someone who breaks copy protection on games 
      but increasingly used to describe hackers involved in unauthorised access. 
    * The Underground: community of people who "think outside the box". 
      Includes illegal hacking but also a range of other activities such 
      as making "demos" (programs that show off programming skills creatively), 
      and music piracy for personal use.
    ISN is currently hosted by Attrition.org