Full Disclosure mailing list archives

Re: Motivations... (was IE now on-topic


From: Andrew Latham <lathama () lathama com>
Date: Tue, 20 Jul 2004 13:37:00 -0700 (PDT)

Thank you. 

I was fishing for info and found a gold mine. So, to put it very vaguely, we could
say greed, anger, or boredom.

So as a moralist/agnostic geek - translated - I truly do understand most all
of the sides and agree with everyone to a degree.

What are the important things to think about to secure any client?

1. Leaving employees.
2. Current employees.
3. Targeted systems (how interesting do I look to a black hat.)
4. Financial gain - how to apply this vaguely to most clients?


-- Valdis.Kletnieks () vt edu wrote:
On Tue, 20 Jul 2004 12:36:06 PDT, Andrew Latham said:

1. Boredom - more brains than hobbies
2. Needs 
- burstable bandwidth - downloads
- knowledge
- bragging rights
3. Challenges
4. Other

You're equating "black hat" with one subset thereof, more or less.  It's a lot
more complicated in the real world...

I'd posit that the goals and motivations of the black hat can be classified in
three wide ranges, with totally different threat models:

1) "type of target" - you don't care who's box it is - you want "any suitable
zombie", "any suitable Windows/IIS server", "any suitable Solaris box".

2) "identity of target" - The target has been selected because it's a server
for company X, or you want to deface the webpage for organization Y, or it's
payback time for black-hat Z.

3) "monetary/related gain" - you really don't care who the target is, it's all
about the paycheck - whether it's 500K zombies created by a virus-for-pay, or a
hacking run against a server that has credit card numbers on it...

Notice that there can be overlap - a black hat engaging in (2) or (3) may very
well want to pick up a collection of type (1) stepping-stone machines to launch
the attack from.

Also, a target can be in different categories at the same time - it can be
probed by a script kiddie looking for zombies, while at the same time it's
being targeted by a disgruntled ex-employee and a professional criminal.

Understanding the differences is important - a defense sufficient to stop the
random probing (1) won't slow down either of the other two.  However, the
professional criminal is more likely to nail you with a 0-day - but will move
along if they decide the risk/payoff ratio is bad (they see you have enough
network monitors to nail their ass in court, they're outta there ;).  The
disgruntled ex-staffer may not have a 0-day - but they may well decide it's a
personal issue and *keep* attacking when a professional would move on...






=====
*----------------------------------------------------------*
Andrew Latham AKA: LATHAMA (lay-th-ham-eh) - LATHAMA.COM
LATHAMA () LATHAMA COM - LATHAMA () YAHOO COM
If yahoo.com is down we have bigger problems than my email!
*----------------------------------------------------------*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
