[ISN] 10 reasons why the Black Hats have us outgunned

From: InfoSec News (alerts@private)
Date: Wed Jun 13 2007 - 22:10:35 PDT


http://www.theregister.co.uk/2007/06/13/black_hat_list/

By Robin Bloor
IT-Analysis.com
13th June 2007

Here they are:
   
1. The Black Hats form a well integrated community that shares knowledge 
   effectively.
      
Should you, after months of research and effort, create an exploit that 
allows you to hack Windows or any other frequently used software 
product, you can auction the exploit on the internet in a well organised 
manner. Yes, the hackers have their own auction sites (it's true). And 
if you're looking to write a virus, say, well, there are hundreds of 
sites out there that can provide you with source code to help you 
construct something really fiendish. Different modules for setting up a 
mail server or planting a specific Trojan or whatever. Open source is 
all the rage, even among hackers.

   
2. Becoming a Black Hat is a career option even for those who are not 
   super geeks.
      
Time was when Black Hats needed to have a computer science degree or a 
similar level of exposure to computer technology in order to operate 
effectively. It's comforting to know, should you want to become a Black 
Hat, that the barriers to entering the trade are much lower now. It's 
true that you'll never become a "legendary Black Hat" if you can't cut a 
little C++ code. Nevertheless, out there on the internet there are 
websites where you can buy fully functional software for launching 
exploits that others have written for you. Yes, there are indeed 
hacker-devoted software products freely available for purchase by anyone 
capable of installing software. $200 or so should buy you something 
useful (including updates).
   

3. There are even specialist virus tools designed to circumvent specific 
   AV products.
      
You know how it is. You want revenge on some company or other who sold 
you something that turned out to be dud and refused to allow you to 
return it. So you send them a virus or two, but you just can't seem to 
infect them because the AV technology they use has the signature of 
every virus at your disposal. Have no fear. The same software vendors 
that can sell you exploit tools also have specific viruses for sale 
which are guaranteed to get around any specific AV product that you can 
name. There's one for Norton, one for McAfee, one for Kaspersky, and 
ones for AV products that you may never even have heard of. Hell, 
there's lots of specialist software out there. If you have a budget in 
the $1,000 to $5,000 region, you can even buy Trojans that are purpose 
built to steal credit card data and mail it to you.

   
4. There are SDKs for the more advanced hackers.
      
"OK, nice to know that lame-brains can become hackers, but I'm more 
ambitious than that. I want to cut code with the best of them. I want to 
be a genuine fully fledged bad-ass Black Hat". Well Cinderella, you can 
indeed go to the ball. To get started all you'll need is one of those 
comprehensive hacker SDKs (cost about $320, but hey you can't be a 
carpenter without tools can you?) Yes, there are indeed such products 
for sale out there. It helps if you can read Russian, by the way, given 
the limitations of Babel Fish.

   
5. There's a market for your data.
      
"OK, I go out onto the net and try an exploit here or there and I hit 
pay dirt - a whole file of thousands of credit card details. What do I 
do now?" My advice to you dear boy, is forget about trying to buy stuff 
on eBay or Amazon with all that stolen data. Simply sell the data and 
leave it to someone else to do all the dirty work. How much to sell for? 
Well it depends, but you should be able to get $30 per credit card as an 
absolute minimum and if you've got really lucky and managed to get the 
PIN number of the card (a difficult data item to get your hands on) then 
it should be close to $500 per card. Yes, there are markets out in 
cyberspace where you can sell data - not just credit card data, but 
Social Security Card data (for US citizens), birth certificate data, 
billing data, and driving license data (all of which can be used to set 
up bogus bank accounts).

   
6. There are botnets to rent.
      
Don't tell me, let me guess. You've got a great scheme in mind to flood 
the world with a particular kind of spam and it's bound to pay off. But 
you just don't have the computer power you need. Let me introduce you to 
an Asian friend of mind who's been established in the Black Hat trade 
for a year or two. He repeatedly floods the internet with Trojan viruses 
to continuously assemble and grow a botnet. He has to keep on doing it 
because every now and then PCs get cleaned and fall out of the net and 
anyway the bigger the botnet the more the commercial opportunity. My 
friend will rent you a portion of his botnet for 20 cents per PC per day 
(roughly current rates) and he'll throw in a whole database of email 
addresses too. He thinks of himself as an Internet Service Provider.

   
7. Some rogue websites are very subtly managed.
      
You're thinking of setting up a website with some "poisoned downloads" 
and perhaps even a script or two which runs in the browser and will 
infect visitors with a virus given half the chance, but you've heard of 
security companies that send spiders round the web examining sites and 
testing for malware, so they can put you on a blacklist. So what's the 
point in putting in the effort if it all comes to nothing? Well don't 
despair. I know a Black Hat who keeps an up-to-date list of the IP 
addresses of all those spiders. He'll rent it to you and you can build 
the site so that it presents innocuous executables to the spiders and 
infects everyone else. Would I steer you wrong?

   
8. Good hackers know how to stay safe (they stay abroad)
      
It's what may keep you up at nights. You've pulled off some real coups; 
stealing data here and there, setting up a healthy spam business, 
arranging a few rogue auctions on eBay, assembling a sizable botnet and 
so on. Then the news breaks that a hacker in Denmark has just been 
arrested and the net is awash with pictures of him. It looks like he's 
going to spend years and years in a place where champagne is never 
served. That must be the third hacker arrest this year - dammit this is 
becoming a dangerous profession. Sometimes hackers even get caught. 
Well, please bear in mind that 30 percent of all Black Hat activity is 
in the US and, well, it's not often that you hear of a US hacker getting 
banged to rights. I mean the average bank robbery with a gun in the US 
nets less than $10,000, while the average bank robbery with a PC nets 
more than 10 times that figure. Many more of the gun-toting bank robbers 
get caught than the PC-toting ones and some of them even get shot. Your 
chances of getting caught are slim to zero - especially if you initiate 
it all remotely through a server somewhere in Moldova. Well, OK, you're 
a worrier, so move to Moldova. Sensible hackers don't hack in their own 
back yard - so change back yards. And when was the last time you heard 
of a hacker from Moldova getting caught?

   
9. The banking system has its channels
      
"OK so I've moved to Moldova, but how am I going to pick up the money 
I'm earning?" Gosh, you don't know much about the international banking 
system do you? Here's my advice. Set up a convenient little off-shore 
account in the Cayman Islands and pass the money through there. Even in 
this internet era when it is oh-so-difficult to ensure the secrecy of 
data, no data ever seems to escape from those Cayman banks. And as 
regards your Black Hat activity, my advice to you, as a Moldovan, is to 
specialise in denial of service attacks (software to carry them out 
available from the usual suppliers). The DOS ransom fees are around 
$50,000, if you hit a big company, and you can usually extort $10,000 
from the smaller ones. That's good pay for a week or two's hard hacking.
  

10. Not all businessmen are entirely averse to the odd hack (on a 
    competitor)
      
As you seem determined to embark on a life of cybercrime I have one last 
piece of advice for you. Don't ignore the business world as a lucrative 
source of income. I know what you're thinking. Those guys are my prey. 
Well it's true that some of them are, but some of them could become your 
customers - if you make the right contacts and do the right kind of 
marketing. I mean, which businessman could fail to be pleased when his 
major competitor suffers a big data hack or loses a few days web 
business because of a DOS attack. Which businessman doesn't think, "hey 
what if I arranged for something like that to happen?" And which 
businessman having formulated a good competitive tactic doesn't put it 
into practice. There's good money to be made in focused hacks, theft of 
intellectual property, denial of service and large scale data theft. You 
might even get paid twice - by the customer and the victim.

-=-

Acknowledgments: Some of the information used to produce this article 
was gathered from presentations given to me by Yuval Ben-Itzhak of 
Finjan and Patricia Booth of CA, both of whom have a deep knowledge of 
the extent of the IT security malaise. It's no longer just a serious 
threatit's a well organized and expanding industry.

Copyright 2007, IT-Analysis.com


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jun 13 2007 - 22:29:34 PDT