Information Security News mailing list archives

Cracking the hacker underground


From: InfoSec News <isn () c4i org>
Date: Fri, 14 Nov 2003 08:43:57 -0600 (CST)

http://news.bbc.co.uk/2/hi/technology/3246375.stm

By Jo Twist 
BBC News Online technology reporter 
14 November, 2003

A simple search reveals a plethora of resources, tools, and personal 
homepages, most claiming to "hack" for legitimate reasons, within the 
law. 

But there is also an entire underground network of hackers honing 
their tools and skills with malicious damage in mind. 

"Ten years ago, 'hackers' used to mean people who tinker with 
computers. 

"Nowadays hacking means malicious hacking. The definition has changed, 
so get over it," Peter Tippett, founder and chief technical officer at 
TruSecure told BBC News Online. 

Being 'k3wl' 

The underground network is vast, with thousands of individuals and 
groups, ranging from lurkers who are intrigued by hacker chat to 
"script kiddies" who try out hacker tools for a laugh. 

Newsgroups, internet relay chat and, increasingly, peer-to-peer chat
and instant messaging are buzzing with constant hacker chatter.

Net security companies like TruSecure in the US have the job of
keeping an eye on these groups to work out which weak net spot they
are planning to attack next.

It currently tracks more than 11,000 individuals in about 900 
different hacking groups and gangs. 

"There are 5,500 net vulnerabilities that could be used theoretically 
to launch an attack, but only 80 or 90 are being used," says Mr 
Tippett. 

"Only 16 of 4,200 vulnerabilities actually turned into attacks last
year."

A team of human and computer bots - artificial intelligence programs - 
count the vulnerabilities that pop up all over the web daily and 
measure the risk of security attacks for TruSecure's 700 or so 
customers. 

But that is not enough for 21st century net security, says Mr Tippett. 

A separate team at TruSecure has a more mysterious job. It is the 
elite group of hacker infiltrators, codename IS/Recon (Information 
Security Reconnaissance). 

Their daily job is to "see what the bad guys say to each other and 
what they claim to have done" by gaining respect and building online 
relationships with groups with names like Hackweiser and G-force 
Pakistan, Mr Tippett explains. 

"These are the groups of people who attack websites, write viruses, 
attack code, steal credit cards, and generally do nasty things," he 
says. 

IS/Recon is like the net's A-Team, with the only difference being the 
team members are not renegades gone good. 

"We refuse to hire hackers, that would be crazy," says Mr Tippett. "We 
don't do anything illegal, but we impersonate hackers." 

They are all good with technology, according to Mr Tippett, but some 
of them have a valuable background in psychology. 

This helps in understanding group behaviour and how minds work, as 
well as helping them to act like hackers. 

"The team has an average of five or six people on them, each with 20 
to 30 personalities," explains Mr Tippett. 

"They usually stay on the team for a year or two then move on to 
something else." 

In that time, they use their net personae to get to know the hackers 
so they can build up detailed profiles of them. 

"They spend a year listening and watching - lurking - before they ever 
say a word in the group." 

Which, says Mr Tippett, gives IS/Recon the time to develop different
hacker personae around the lingo, rituals and behaviour that are
expected in the underground.

Using "k3wl" instead of "cool" and making sure the "a" is always
replaced by "4" may seem like insignificant habits that any teenager
living in an SMS world might have.

But by talking the talk and virtually walking the walk, IS/Recon has 
gained the trust of nearly 100 different groups. 

The trick is to gain enough trust to get certain individuals in the 
groups to "blab" and answer questions about who is who and what they 
are doing. 

"They tell us a lot about what's going on and what that person is 
about in order to demonstrate how cool they are to us." 

The holy grail for the team is to get hold of a copy of a tool a 
hacker is developing. Once tested and taken apart in the lab, 
preventative measures can be put in place before it is used. 

Jigsaw puzzle 

The hours spent gathering 200 gigabytes of information a day are
invaluable in helping to catch the small proportion of hackers who do
the net severe damage.

Pieces of information about groups and individuals are put together 
like a giant jigsaw in TruSecure's mammoth database, nicknamed the 
"brain". 

It graphically shows the big players, where they live, who they know, 
who they hate, what tools they have developed, and even whether they 
have a cat. 

This has enabled the team to help out with 54 investigations by law 
enforcement agencies. 

IS/Recon gave the FBI over 200 documents about the Melissa virus 
author after they were asked to get closer to suspects. 

Although they did not know his real name, they knew his three aliases 
and had built a detailed profile of the author. 

The team's work also helped identify the author of the high-profile 
LoveSan virus. 

"We could say what dorm and what floor the author of the LoveSan virus 
was on," Mr Tippett says. 

"Unfortunately, there are very few countries that have laws good 
enough to follow through if someone turns out to be coming from 
there." 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

