Information Security News mailing list archives

The secret life of hackers


From: InfoSec News <isn () c4i org>
Date: Mon, 18 Mar 2002 02:17:43 -0600 (CST)

http://it.mycareer.com.au/news/2002/03/19/FFXL5GK5XYC.html

Tuesday 19 March, 2002 
By Suelette Dreyfus

If you worked in a certain Federal Government agency, every morning as 
you walked through the front door you'd have to use three security 
cards and type up to 10 passwords - all before your first cup of 
coffee.

The employees have a simple solution: they leave their security cards 
in their desk drawers and sticky notes with passwords on the wall.

This is not an approved national security protocol.

Let's face it: security is a pain.

As "Gan", a highly skilled Australian hacker who used to break into 
systems illegally, says, "Security prevents people doing things - it's 
designed to automate authoritarian tendencies in an organisation.

"It works like the French legal system: you're guilty until proven 
innocent."

For the average IT manager, security is a headache. No one notices 
when you do it right, but, oh, do you hear about it when you've done 
it wrong. Finding the balance between security and convenience means 
understanding the threat. So what is out there?  

Rain Forest Puppy, an American white-hat hacker speaking at Hack 2002 
Conference and Expo opening today in Sydney, says many hackers, 
particularly the low-skilled script kiddies who use other people's 
automated hacking programs, "don't differentiate or target. It's easy 
to scan the entire Internet and pick off the weak sheep".

Script kiddies account for most attacks, according to Nesh, an 
Australian hacker who routinely pokes around other people's systems.

"They just spray the Internet," Nesh says.

Keeping your security up to date should fend off many of these 
attacks.

However, if you run a network attached to the Net, your systems 
probably have security holes that a sophisticated hacker can 
penetrate.

Nesh is a hacker-for-hire. His clients have included government 
departments and financial institutions. He doesn't want to give his 
real name, probably because he still keeps a hand in the shadows of 
the underground.

While others in the security business happily "whore their names on 
bugtraq (a security mailing list)", as he describes it, he's happy to 
work behind the scenes on paid contracts testing organisations' 
security.

It's intellectually challenging work and he doesn't have to deal with 
clients much. But there are drawbacks, like being forced to prove to 
managers that he's broken into their systems.

"They say, 'No, no, we are secure here.' Then you show them. You see 
their faces.

"It's such a negative thing, like, 'I am here to destroy you.' All you 
are doing is proving people are lazy most of the time. I don't want to 
do that in front of a client. If you break into a big bank, someone is 
going to get fired, it's true.

"I don't like busting people's balls. I don't like feeling the human 
side of it, I don't like that," he says.

At the elite end of illegal hacking, the activity is increasingly 
time-consuming. Nesh has an isolated network of more than 15 systems 
in his living room for testing code he writes to exploit security 
holes. He often takes up to three weeks to write one exploit program.

Gan estimates that, on average, "It is about five times as hard to 
write an exploit as to find the security hole in the first place."

The darker corners of the computer underground have changed 
significantly since its birth in the early 1980s. Here's what IT 
managers are up against today:

* Obsession still plays an important role in motivating the illegal 
  hacker but its focus has changed. "The obsession tends to be focused 
  on the research stage - finding the security bug and then writing 
  the exploit software to take advantage of it," Nesh says. However, 
  obsessiveness is still common among top-end hackers. "Being 
  obsessive-compulsive is better than being smart," he says. 

* At the elite end of intruders, the style of attack has moved from 
  just randomly hacking machines, though they still machine-hop to 
  hide their trails. Says Nesh, "The guys who just sit for days on 
  end and break into machines are gone. The desire to break into lots 
  of systems randomly is gone. The underground is now more geared 
  towards doing better research and selectively using that 
  information to break into machines over an extended period with a 
  specific target in mind." 

* Military sites are no longer the popular targets they once were in 
  the late 1980s and early 1990s. "No one goes for military targets any 
  more since September 11. Everyone realises you'll have a black 
  helicopter landing on your roof if you do," Nesh says. 

* "War driving" - looking for wireless networks to jack into 
  anonymously - continues to be the hottest area for illegal hacking. 

Hackers tend to be motivated by three rewards, according to Ronald 
Van Geijn, the director of vulnerability management at Symantec.

They are: bragging rights and recognition (particularly for defacing 
websites); money (by stealing data and selling it, or by blackmailing 
a victim); and demonstration (where white-hat hackers show how 
security can be broken).

According to Nesh, it's still largely about achievement among peers.

"It's like climbing a ladder - you have to be respected by these 
people," Nesh says.

Top hackers often target organisations that develop operating 
systems, with two aims: to back-door the source code and, if the code 
is proprietary, to steal it and hunt for weaknesses.

However, these hackers are increasingly moving towards targeting 
companies that make applications, instead of just operating systems.

Hackers - the illegal sort - tend to have day jobs. They work as 
system administrators or in some aspect of computer security. 

They don't get caught because they are very careful and know what 
they're doing.

Financial institutions tend to have the best security (because they 
can pay for it), while universities and home users tend to have the 
weakest security.

Banks do get pinched by online theft but you don't hear about it, 
according to Van Geijn, because "they are very successful at 
retrieving the money".

There is strong pressure from the black-hat section of the underground 
not to release security holes. The reason? The holes are closed up 
much sooner than they used to be.

"Ten years ago, you could use a hole for six months. Now, if you tell 
three people, you're lucky if a good security hole lasts three weeks," 
Nesh says.

Some illegal hackers deliberately release false information about 
security holes in public arenas.

In one case, a black-hat hacker posted a fake security hole 
description to a security mailing list. A few days later, the vendor 
made a sheepish announcement that it was vulnerable to the imaginary 
attack - much to the hacker's amusement.

The top hackers rarely publish security holes these days. 

"There is a mystique behind being elite; the best way to do that is to 
publish something once a year," Nesh says.

"You don't have a reputation then as a media whore. If you publish 
lots of stuff then you are going to show your weaknesses."

Corporate espionage relies increasingly on illegal hacking. Van Geijn 
says an electronic intruder broke into egghead.com, an Internet direct 
marketer selling clearance bargains such as consumer electronics and 
sporting goods.

Behind the scenes, the hacker was trying to extort the company, which 
responded with a public announcement of the break-in. "The company 
subsequently filed for bankruptcy," he says.

The online porn industry apparently also has its share of corporate 
espionage.

Gan says he has been approached by online porn providers wanting him 
to steal competitors' customer lists. He refused.

Gan says he doesn't back-door systems much but some places where he 
has left back doors have stayed "open" more than five years, in one 
case through at least one operating-system upgrade.

"One reason I never bothered to back-door much stuff is because I 
could just go in the front door," he says. "There's no better back 
door than an OS full of bugs."

HACKING GLOSSARY

* Script Kiddies (or Weenies): inexperienced, illegal hackers who use 
  hacking tools created by someone else. Usually don't understand how 
  the tools work or lack the skills to re-create them.

* White Hat: publishes security holes immediately and often notifies 
  the company to warn that its product has a problem. Only engages in 
  hacking that is legal, such as penetration testing.

* Grey Hat: sits on a security hole for a while and might use it for 
  illegal penetrations periodically. Usually has some public identity 
  in the security area but often not with real name.

* Black Hat: never releases the security hole or exploit code publicly 
  and hates it when others do. Breaks into systems illegally.

* Hacker: someone with technical ability to break open systems. Also 
  often used to suggest illegal intrusions.

* Cracker: traditionally someone who breaks copy protection on games 
  but increasingly used to describe hackers involved in unauthorised access. 

* The Underground: community of people who "think outside the box". 
  Includes illegal hacking but also a range of other activities such 
  as making "demos" (programs that show off programming skills creatively), 
  and music piracy for personal use.
