[ISN] Cracking the hacker underground

From: InfoSec News (isn@private)
Date: Fri Nov 14 2003 - 06:43:57 PST

    http://news.bbc.co.uk/2/hi/technology/3246375.stm
    
    By Jo Twist 
    BBC News Online technology reporter 
    14 November, 2003
    
    A simple search reveals a plethora of resources, tools, and personal 
    homepages, most claiming to "hack" for legitimate reasons, within the 
    law. 
    
    But there is also an entire underground network of hackers honing 
    their tools and skills with malicious damage in mind. 
    
    "Ten years ago, 'hackers' used to mean people who tinker with 
    computers. 
    
    "Nowadays hacking means malicious hacking. The definition has changed, 
    so get over it," Peter Tippett, founder and chief technical officer at 
    TruSecure told BBC News Online. 
    
    Being 'k3wl' 
    
    The underground network is vast, with thousands of individuals and 
    groups, ranging from lurkers who are intrigued by hacker chat to 
    "script kiddies" who try out hacker tools for a laugh. 
    
    Newsgroups, internet relay chat and increasingly, peer-to-peer chat 
    and instant messaging, are buzzing with constant hacker chatter. 
    
    Net security companies like TruSecure in the US have the job of 
    keeping an eye on these groups to work out which weak net spot they 
    are planning to attack next. 
    
    TruSecure currently tracks more than 11,000 individuals in about 900 
    different hacking groups and gangs. 
    
    "There are 5,500 net vulnerabilities that could be used theoretically 
    to launch an attack, but only 80 or 90 are being used," says Mr 
    Tippett. 
    
    "Only 16 of 4,200 vulnerabilities actually turned into attacks last 
    year." 
    
    A team of human and computer bots - artificial intelligence programs - 
    count the vulnerabilities that pop up all over the web daily and 
    measure the risk of security attacks for TruSecure's 700 or so 
    customers. 
    
    But that is not enough for 21st century net security, says Mr Tippett. 
    
    A separate team at TruSecure has a more mysterious job. It is the 
    elite group of hacker infiltrators, codename IS/Recon (Information 
    Security Reconnaissance). 
    
    Their daily job is to "see what the bad guys say to each other and 
    what they claim to have done" by gaining respect and building online 
    relationships with groups with names like Hackweiser and G-force 
    Pakistan, Mr Tippett explains. 
    
    "These are the groups of people who attack websites, write viruses, 
    attack code, steal credit cards, and generally do nasty things," he 
    says. 
    
    IS/Recon is like the net's A-Team, with the only difference being the 
    team members are not renegades gone good. 
    
    "We refuse to hire hackers, that would be crazy," says Mr Tippett. "We 
    don't do anything illegal, but we impersonate hackers." 
    
    They are all good with technology, according to Mr Tippett, but some 
    of them have a valuable background in psychology. 
    
    This helps in understanding group behaviour and how minds work, as 
    well as helping them to act like hackers. 
    
    "The team has an average of five or six people on them, each with 20 
    to 30 personalities," explains Mr Tippett. 
    
    "They usually stay on the team for a year or two then move on to 
    something else." 
    
    In that time, they use their net personae to get to know the hackers 
    so they can build up detailed profiles of them. 
    
    "They spend a year listening and watching - lurking - before they ever 
    say a word in the group." 
    
    Which, says Mr Tippett, gives IS/Recon the time to develop different 
    hacker personae around the lingo, rituals and behaviour that is 
    expected in the underground. 
    
    Using "k3wl" instead of "cool" and making sure the "a" is always 
    replaced by "4" may seem insignificant habits of any teenager living 
    in an SMS world. 
    
    But by talking the talk and virtually walking the walk, IS/Recon has 
    gained the trust of nearly 100 different groups. 
    
    The trick is to gain enough trust to get certain individuals in the 
    groups to "blab" and answer questions about who is who and what they 
    are doing. 
    
    "They tell us a lot about what's going on and what that person is 
    about in order to demonstrate how cool they are to us." 
    
    The holy grail for the team is to get hold of a copy of a tool a 
    hacker is developing. Once tested and taken apart in the lab, 
    preventative measures can be put in place before it is used. 
    
    Jigsaw puzzle 
    
    The hours spent gathering 200 gigabytes of information a day are 
    invaluable in helping to catch the small proportion of hackers who do 
    the net severe damage. 
    
    Pieces of information about groups and individuals are put together 
    like a giant jigsaw in TruSecure's mammoth database, nicknamed the 
    "brain". 
    
    It graphically shows the big players, where they live, who they know, 
    who they hate, what tools they have developed, and even whether they 
    have a cat. 
    
    This has enabled the team to help out with 54 investigations by law 
    enforcement agencies. 
    
    IS/Recon gave the FBI over 200 documents about the Melissa virus 
    author after they were asked to get closer to suspects. 
    
    Although they did not know his real name, they knew his three aliases 
    and had built a detailed profile of the author. 
    
    The team's work also helped identify the author of the high-profile 
    LoveSan virus. 
    
    "We could say what dorm and what floor the author of the LoveSan virus 
    was on," Mr Tippett says. 
    
    "Unfortunately, there are very few countries that have laws good 
    enough to follow through if someone turns out to be coming from 
    there." 
    
    ISN is currently hosted by Attrition.org