[ISN] Cracking the hackers' code

From: InfoSec News (isnat_private)
Date: Tue Aug 20 2002 - 05:39:53 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://www.smh.com.au/articles/2002/08/20/1029114072039.html
    
    By Suelette Dreyfus
    August 20 2002
    
    If your organisation suffered a computer crime in the past few years
    and reported it to AusCERT, it was probably an attack from outside
    your walls. Nearly 90 per cent of Australian organisations that
    reported an incident were attacked externally, according to the 2002
    Australian Computer Crime and Security Survey. This is the first time
    the threat of being attacked from outside surpassed the likelihood of
    an assault from inside.
    
    It might be increasingly difficult to keep out external hackers but
    there are signs IT managers are finding it easier to win support
    within companies for improving security. Management consulting firm
    McKinsey & Co recently studied security best practices at Fortune 500
    companies. About 30 of these companies, including AOL Time Warner,
    Merrill Lynch, Microsoft and Visa International, had appointed a chief
    security officer or other senior executive to oversee information
    security. In some cases, this executive had the power to stop the
    launch of new products or systems, and answered only to the chief
    executive.
    
    The recent AusCERT study stated that 70 per cent of Australian
    organisations surveyed had increased spending on information security
    in the past year.
    
    All of this is good news for IT managers. Most attempted attacks come
    via script kiddies, according to Neal Wise, senior security consultant
    for eSec, a Melbourne-based security technology company. Keeping
    software up to date should provide a good first-line defence but he
    also recommends putting pressure on vendors to release security
    patches in a timely fashion. "You can vote with your wallet," he says.
    
    Yet Grant Bayley, organiser of Sydney's 2600 group, a gathering of
    security enthusiasts, says that while the number of hackers has
    increased, the percentage of highly skilled hackers has stayed the
    same, suggesting their total numbers are up as well. "These are the
    people who are really good at writing exploits - original and very
    obscure exploits. And people don't write exploits just to have them
    sit there and look pretty."
    
    More sophisticated hackers may be more difficult to defend against, in
    part because their motivations may be complex. A small subset of these
    hackers obsess about a problem day after day, ignoring the rest of
    their lives. If you are running a network or a system, understanding
    what drives people to break in will help you to defend your
    organisation.
    
    Meeting "Higgs", formerly one of the most skilled illegal hackers of
    the Australian computer underground, can be a high-stress experience;  
    Higgs fidgets with other people's things until they break.
    
    He doesn't mean to break them, he just pulls and prods at them
    incessantly while he bounces his knee up and down and talks. When the
    item cracks or snaps, he looks utterly surprised, as though he had no
    idea the item was in his hand. He sheepishly slips the broken pieces
    into his pocket, adding to his sins by running off with the evidence.
    
    He sometimes has one-way conversations with people, meaning he talks
    and they try to get a word in edgewise. He is always right, and he is
    only interested in "the truth", no matter how bare and brutal. This
    inflexible, seemingly arrogant attitude frequently gets him into
    trouble, in part because he is usually right. Or because when he's
    wrong, he's so wildly off the mark, it's funny. He's also anti-social,
    partly due to shyness, but also because most people bore him. He says
    they don't feed him information fast enough. "I can't do that
    chit-chat stuff," he says.
    
    Like a number of other technically elite hackers, Higgs shows
    characteristics similar to those shown by people with Asperger
    syndrome. This neurobiological disorder, which may resemble mild
    autism, has often been misdiagnosed in the past. The condition only
    made it into the Diagnostic and Statistical Manual of Mental Disorders
    in 1994.
    
    Like elite-end hackers, many "aspies" are exceptionally skilled in a
    specialised area. A 2001 University of Cambridge study into the
    syndrome showed a higher incidence of AS/High-Functioning Autism,
    which seem to be related, among scientists and mathematicians. Tests
    of 840 students showed "that mathematicians scored higher than
    engineers, physical and computer sciences, who scored higher than
    medicine and biology". The condition is also more common among males
    and may have a genetic component.
    
    There does not appear to be any in-depth research linking illegal
    hacking and Asperger syndrome. However, one of the world's leading AS
    experts, Australian clinical psychologist Tony Attwood, believes some
    hackers may share characteristics with "Aspies", as they refer to
    themselves.
    
    "The link between AS and computers is well known. Computers were
    designed by - and for - people with AS," Attwood, based in Queensland,
    says. "Those with AS seem to know the language of computers better
    than social or conventional languages. It is quite plausible that
    people with AS may pursue an interest in cracking."
    
    Historically, AS has been linked to at least one area that has become
    a key part of computer security: cryptography.
    
    "The team that cracked the Enigma code appeared to include several
    individuals who showed characteristics of Asperger's," Attwood says.  
    This included the father of modern computing, Alan Turing.
    
    "It's the sheer challenge rather than any (criminal intent). It's the
    pursuit of knowledge and truth - with different priorities and
    perceptions ... They see it as an intellectual challenge and a prize,
    (and) they look at the success of what they have done rather than the
    consequences of the lives of people they have affected."
    
    Aspies typically have an almost obsessional approach to solving
    problems and are often oblivious to their peers' view that a given
    problem is "unsolvable". Both are often prerequisites to becoming an
    elite-end hacker.
    
    What effect might hacking have on an Aspie?
    
    "Hacking is giving them an intellectual orgasm. And they are addicted
    to the intellectual orgasm," Attwood says.
    
    This doesn't mean all illegal hackers have AS, or that these hackers
    should escape criminal conviction. However, the linking of AS and
    hacking could have an impact on conviction or sentencing in future.
    
    Previously, what experts termed an extreme addiction to hacking played
    a key role in a landmark British hacking case. Based on the
    descriptions of the hacker's behaviour, the apparent addiction could
    well have been a manifestation of AS. In a jury trial, the legal
    defence team of the British hacker "Wandii" showed the hacker was
    obsessed with computers and the intellectual challenge of beating
    them. The jury acquitted him of criminal charges in just 90 minutes,
    apparently because it decided he lacked mens rea, or awareness of
    criminal wrongdoing.
    
    "You would not use AS to say a person is of unsound mind, because such
    people are very logical (if) eccentric," Attwood says.
    
    "But (a diagnosis) could alter sentencing in two ways. First, in
    (assessing) the degree of criminal intent. And, second, in deterrence.  
    They may need treatment for a compulsion, which may be irresistible,
    rather than a prison sentence or a psychiatric institution."
    
    In the US, convicted hackers have been banned from using computers for
    long periods as part of their sentences. Attwood says this approach is
    likely to be inappropriate for Aspies. Denying them use of computers
    is very different than for most people.
    
    "What we might look at instead is controlled access in a constructive
    way for convicted offenders," he says.
    
    "Res" is a skilled Australian Black Hat hacker. Extremely private,
    street smart, he holds back, watching you, taking your measure. He
    slips in a little cynical humour now and again, showing he's cool but
    not cold. But he's a contrast to the stereotypical Hollywood geek
    hacker because he has a life.
    
    "I haven't spent a Friday or Saturday night at home since I was 17,"  
    Res says.
    
    While not showing any visible signs of AS, he's clearly capable of
    obsessional behaviour. "I am obsessive: I collect things. I like
    having everything, I never delete anything. I am a radical person. I'm
    all or nothing."
    
    He says he doesn't read books but that's not quite true. He buys
    technical textbooks. Other than specialist mailing lists and the
    newspaper, the only other thing he reads is the Slashdot website.
    
    The Cambridge study suggests a "continuum" of disability, "with AS as
    the bridge between autism and normality". Res may represent a point on
    the spectrum between AS and obsessive - a place other top hackers
    might also occupy.
    
    Hacker group 2600's Grant Bayley estimates that, based on his
    experience, "You probably wouldn't find more than two AS symptoms in
    any one hacker but you would find more symptoms in 50 to 70 per cent
    of hackers in the mid to upper-skill level."
    
    Higgs recognises he has some AS traits and he believes having AS could
    definitely contribute to hackers rising in the ranks of the elite
    underground.
    
    "It is not that AS gets you to the top of the pile but it can help.  
    Because there are some things that are broken, you are forced to use
    other parts of the brain instead. The ability to blinker everything
    else and not get distracted helps."
    
    He views the AS-affected hacker mind as being like the Internet: "That
    hacker's mind sees group dynamics as damage and routes around it."
    
    However, after interacting with a number of top hackers around the
    globe over several years, he argues there are other contributing
    factors.
    
    "For these people to get where they have, Asperger's isn't enough.  
    They have something else. Clearly (convicted American hacker Kevin)  
    Mitnick's talent doesn't just come from AS; there is something else
    there. Like his social engineering talent - you just wouldn't
    associate that with AS," he says.
    
    "The 'f***-you' attitude is also a requirement. Every one (of the top
    hackers) has had the 'f***-you' ingredient ... You cannot defy authority
    and break the law thousands of times a year without the 'f***-you'
    ingredient."
    
    Suelette Dreyfus is the author of Underground and an honorary fellow
    at the University of Melbourne's department of information systems.
    
    How to deter the obsessive attacker
    
    What is the best way to defend your network against illegal hackers
    who show Asperger syndrome-like characteristics?
    
    A former highly skilled and obsessive hacker, "Higgs" suggests
    breaking the patterns of usual defensive behaviour.
    
    Trip wires in packaged software might be anticipated by a
    pattern-based hacker. "Set up trip wires that are unique," he says.
    
    Also, use your logs in different ways for tell-tale signs of a
    hacker's trespass.
    
    "Backdoor the 'ls' command (in UNIX), which gives you a list of files.  
    Record its arguments and when it is used. A (pattern-based) hacker
    might not think to look for logs of that.
    
    "Backdoor the SSH (secure shell) client to record who is using it and
    when. Keep secret log files in unusual locations."
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
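
The sidebar's advice to record the arguments and time of every 'ls' call in a log kept somewhere unusual, sketched as a shell wrapper. This is an added example, not code from the article or from "Higgs"; the AUDIT_LOG path, the REAL_LS path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Site-specific trip wire: an audited wrapper around ls.
# AUDIT_LOG and REAL_LS are hypothetical defaults; choose your own.
AUDIT_LOG="${AUDIT_LOG:-/var/lib/.cache-idx/ls.audit}"  # constructed, non-default location
REAL_LS="${REAL_LS:-/bin/ls}"  # absolute path so a wrapper named "ls" cannot call itself

# Replace control characters so a crafted argument cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | tr '[:cntrl:]' '?'
}

# Append one line: UTC time, uid, user, tty, cwd, argument count,
# then every argument in its own brackets.
audit_record() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    tty_name=$(tty 2>/dev/null) || tty_name="notty"
    line="$ts uid=$(id -u) user=$(id -un) tty=$tty_name cwd=$(sanitize "$PWD") argc=$#"
    for arg in "$@"; do
        line="$line [$(sanitize "$arg")]"
    done
    # A logging failure must stay silent and must never break the command itself.
    ( umask 077; printf '%s\n' "$line" >> "$AUDIT_LOG" ) 2>/dev/null || true
}

# Record the call, then run the real ls with the caller's arguments untouched.
audited_ls() {
    audit_record "$@"
    "$REAL_LS" "$@"
}
```

Because the record is written with the caller's own privileges, the caller can also read or alter it; forwarding each line to a remote or append-only sink keeps the trail intact once the wrapper has been noticed.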
    
    
    