Forwarded from: William Knowles <wkat_private> http://www.smh.com.au/articles/2002/08/20/1029114072039.html By Suelette Dreyfus August 20 2002 Next If your organisation suffered a computer crime in the past few years and reported it to AusCERT, it was probably an attack from outside your walls. Nearly 90 per cent of Australian organisations that reported an incident were attacked externally, according to the 2002 Australian Computer Crime and Security Survey. This is the first time the threat of being attacked from outside surpassed the likelihood of an assault from inside. It might be increasingly difficult to keep out external hackers but there are signs IT managers are finding it easier to win support within companies for improving security. Management consulting firm McKinsey & Co recently studied security best practices at Fortune 500 companies. About 30 of these companies, including AOL Time Warner, Merrill Lynch, Microsoft and Visa International, had appointed a chief security officer or other senior executive to oversee information security. In some cases, this executive had the power to stop the launch of new products or systems, and answered only to the chief executive. The recent AusCERT study stated that 70 per cent of Australian organisations surveyed had increased spending on information security in the past year. All of this is good news for IT managers. Most attempted attacks come via script kiddies, according to Neal Wise, senior security consultant for eSec, a Melbourne-based security technology company. Keeping software up to date should provide a good first-line defence but he also recommends putting pressure on vendors to release security patches in a timely fashion. "You can vote with your wallet," he says. Yet Grant Bayley, organiser of Sydney's 2600 group, a gathering of security enthusiasts, says that while the number of hackers has increased, the percentage of highly skilled hackers has stayed the same, suggesting their total numbers are up as well. "These are the people who are really good at writing exploits - original and very obscure exploits. And people don't write exploits just to have them sit there and look pretty." More sophisticated hackers may be more difficult to defend against, in part because their motivations may be complex. A small subset of these hackers obsess about a problem day after day, ignoring the rest of their lives. If you are running a network or a system, understanding what drives people to break in will help you to defend your organisation. Meeting "Higgs", formerly one of the most skilled illegal hackers of the Australian computer underground, can be a high-stress experience; Higgs fidgets with other people's things until they break. He doesn't mean to break them, he just pulls and prods at them incessantly while he bounces his knee up and down and talks. When the item cracks or snaps, he looks utterly surprised, as though he had no idea the item was in his hand. He sheepishly slips the broken pieces into his pocket, adding to his sins by running off with the evidence. He sometimes has one-way conversations with people, meaning he talks and they try to get a word in edgewise. He is always right, and he is only interested in "the truth", no matter how bare and brutal. This inflexible, seemingly arrogant attitude frequently gets him into trouble, in part because he is usually right. Or because when he's wrong, he's so wildly off the mark, it's funny. He's also anti-social, partly due to shyness, but also because most people bore him. He says they don't feed him information fast enough. "I can't do that chit-chat stuff," he says. Like a number of other technically elite hackers, Higgs shows characteristics similar to those shown by people with Asperger syndrome. This neurobiological disorder, which may resemble mild autism, has often been misdiagnosed in the past. The condition only made it into the Diagnostic and Statistical Manual of Mental Disorders in 1994. Like elite-end hackers, many "aspies" are exceptionally skilled in a specialised area. A 2001 University of Cambridge study into the syndrome showed a higher incidence of AS/High-Functioning Autism, which seem to be related, among scientists and mathematicians. Tests of 840 students showed "that mathematicians scored higher than engineers, physical and computer sciences, who scored higher than medicine and biology". The condition is also more common among males and may have a genetic component. There does not appear to be any in-depth research linking illegal hacking and Asperger syndrome. However, one of the world's leading AS experts, Australian clinical psychologist Tony Attwood, believes some hackers may share characteristics with "Aspies", as they refer to themselves. "The link between AS and computers is well known. Computers were designed by - and for - people with AS," Attwood, based in Queensland, says. "Those with AS seem to know the language of computers better than social or conventional languages. It is quite plausible that people with AS may pursue an interest in cracking." Historically, AS has been linked to at least one area that has become a key part of computer security: cryptography. "The team that cracked the Enigma code appeared to include several individuals who showed characteristics of Asperger's," Attwood says. This included the father of modern computing, Alan Turing. "It's the sheer challenge rather than any (criminal intent). It's the pursuit of knowledge and truth - with different priorities and perceptions ¤ They see it as an intellectual challenge and a prize, (and) they look at the success of what they have done rather than the consequences of the lives of people they have affected." Aspies typically have an almost obsessional approach to solving problems and are often oblivious to their peers' view that a given problem is "unsolvable". Both are often prerequisites to becoming an elite-end hacker. What effect might hacking have on an Aspie? "Hacking is giving them an intellectual orgasm. And they are addicted to the intellectual orgasm," Attwood says. This doesn't mean all illegal hackers have AS, or that these hackers should escape criminal conviction. However, the linking of AS and hacking could have an impact on conviction or sentencing in future. Previously, what experts termed an extreme addiction to hacking played a key role in a landmark British hacking case. Based on the descriptions of the hacker's behaviour, the apparent addiction could well have been a manifestation of AS. In a jury trial, the legal defence team of the British hacker "Wandii" showed the hacker was obsessed with computers and the intellectual challenge of beating them. The jury acquitted him of criminal charges in just 90 minutes, apparently because it decided he lacked mens rea, or awareness of criminal wrongdoing. "You would not use AS to say a person is of unsound mind, because such people are very logical (if) eccentric," Attwood says. "But (a diagnosis) could alter sentencing in two ways. First, in (assessing) the degree of criminal intent. And, second, in deterrence. They may need treatment for a compulsion, which may be irresistible, rather than a prison sentence or a psychiatric institution." In the US, convicted hackers have been banned from using computers for long periods as part of their sentences. Attwood says this approach is likely to be inappropriate for Aspies. Denying them use of computers is very different than for most people. "What we might look at instead is controlled access in a constructive way for convicted offenders," he says. "Res" is a skilled Australian Black Hat hacker. Extremely private, street smart, he holds back, watching you, taking your measure. He slips in a little cynical humour now and again, showing he's cool but not cold. But he's a contrast to the stereotypical Hollywood geek hacker because he has a life. "I haven't spent a Friday or Saturday night at home since I was 17," Res says. While not showing any visible signs of AS, he's clearly capable of obsessional behaviour. "I am obsessive: I collect things. I like having everything, I never delete anything. I am a radical person. I'm all or nothing." He says he doesn't read books but that's not quite true. He buys technical textbooks. Other than specialist mailing lists and the newspaper, the only other thing he reads is the Slashdot website. The Cambridge study suggests a "continuum" of disability, "with AS as the bridge between autism and normality". Res may represent a point on the spectrum between AS and obsessive - a place other top hackers might also occupy. Hacker group 2600's Grant Bayley estimates that, based on his experience, "You probably wouldn't find more than two AS symptoms in any one hacker but you would find more symptoms in 50 to 70 per cent of hackers in the mid to upper-skill level." Higgs recognises he has some AS traits and he believes having AS could definitely contribute to hackers rising in the ranks of the elite underground. "It is not that AS gets you to the top of the pile but it can help. Because there are some things that are broken, you are forced to use other parts of the brain instead. The ability to blinker everything else and not get distracted helps." He views the AS-affected hacker mind as being like the Internet: "That hacker's mind sees group dynamics as damage and routes around it." However, after interacting with a number of top hackers around the globe over several years, he argues there are other contributing factors. "For these people to get where they have, Asperger's isn't enough. They have something else. Clearly (convicted American hacker Kevin) Mitnick's talent doesn't just come from AS; there is something else there. Like his social engineering talent - you just wouldn't associate that with AS," he says. "The 'f***-you' attitude is also a requirement. Every one (of the top hackers) has had the 'f***-you' ingredient ¤ You cannot defy authority and break the law thousands of times a year without the 'f***-you' ingredient." Suelette Dreyfus is the author of Underground and an honorary fellow at the University of Melbourne's department of information systems. How to deter the obsessive attacker What is the best way to defend your network against illegal hackers who show Asperger syndrome-like characteristics? A former highly skilled and obsessive hacker, "Higgs" suggests breaking the patterns of usual defensive behaviour. Trip wires in packaged software might be anticipated by a pattern-based hacker. "Set up trip wires that are unique," he says. Also, use your logs in different ways for tell-tale signs of a hacker's trespass. "Backdoor the 'ls' command (in UNIX), which gives you a list of files. Record its arguments and when it is used. A (pattern-based) hacker might not think to look for logs of that. "Backdoor the SSH (secure shell) client to record who is using it and when. Keep secret log files in unusual locations." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 08:32:23 PDT