Information Security News mailing list archives

Scenes From the Hacker's 'Hood


From: InfoSec News <isn () C4I ORG>
Date: Tue, 27 Jun 2000 07:04:43 -0500

http://www.wired.com/news/culture/0,1284,37238,00.html

by Chris Oakes
3:00 a.m. Jun. 27, 2000 PDT

Watching hackers in the middle of a recent Internet attack drove one
point home to security experts who listened in: These guys like to
make it up as they go along.

"The impression that most people fail to get from regular attacks is
how trivial they are," said Elias Levy, chief technology officer of
SecurityFocus.com. "These people tend to choose their targets pretty
much at random -- or whoever bothers them that day, or pisses them
off."

Levy's conclusion came following the release of SecurityFocus.com's
"Motives and Psychology of the Black-hat Community" -- an installment
in an Internet security series of papers dubbed Know Your Enemy.

The latest paper is based on the work of the group's "Honeynet
Project" -- a SecurityFocus.com team that set up a network of servers
("honeypots") intentionally made weak to lure hackers. As the hackers
used the systems as launch pads for attacks on websites and servers
elsewhere on the Internet, project members tuned in, then sat back to
observe.

The team is publishing its findings in an effort to aid security
administrators trying to bolster their Internet defenses.

"It's an interesting glimpse into the minds behind some of these
people," Levy said.

The security team got to spy on so-called "blackhat" vandals --
hackers seeking to break into systems for malicious purposes -- as
they carried out an Internet attack from a location believed to be in
Pakistan.

The sequence began with the break-in of a Unix-based honeypot server
on the dummy network. After the break-in took place, the security team
captured all the participating hackers' conversations as they
discussed their work on an Internet relay chat (IRC) channel. The
group's activities and conversations were then monitored over a
two-week period. During that time, the project saw the group report
success at ISP break-ins, password stealing, and Web page hacking.

While it uncovered no major new hacking techniques, the report
revealed the randomness of the average attacker's mindset.

Those familiar with the hacker scene agree with that assessment.

Tweety Fish, a member of underground hacker group the Cult of the Dead
Cow, says ennui is an ever-present force in the world of Net attacks.
"Probably 90 percent of the attacks that happen are the result of
bored people on IRC trolling for unsecured systems," he said by email.

That boredom can sometimes be directed at their own kind.

On the fourth day of the attacks, the hackers decided they wanted to
"take out India with Denial of Service (DoS) attacks and bind
exploits," as the report says. But a little later the same hackers
"DoS" each other -- some of the IRC channel members conducted an
attack on other members, simply because the other hackers had
irritated them.

Levy concludes that the appearance of politics or clear direction in
Internet attacks is often belied by the overall inconsistency and
randomness of hackers once they make a break-in.

"It was a kind of funny," Levy said. "(The hackers in the report) were
putting together a little blurb that they were using for the Web page
that they hacked. They talk about Pakistan and political stands and
all that other stuff -- but if you read the rest of the text, it's not
politicized at all. It's just an excuse for them to do what they do."

The Internet's most dramatic attack was a denial of service attack
last February that hobbled major sites. A hacker going by the alias
Mafiaboy was fingered as a suspect.

Tweety Fish noted that the attack as documented by SecurityFocus.com
shows both the effort required in run-of-the-mill Web page hacks and
the difficulty in catching the perpetrators.

"The attackers (in the report) basically had to execute about four
commands to do everything they did," he said. "If you think about it
in that context, doing a really swell job on a defaced Web page begins
to seem like a lot of work."

Tracking and catching the "kids" who carry out such attacks is
difficult, Tweety Fish said, because hackers like these are plentiful
-- and because the type of attack itself is so easy.

"On the other hand, the (relatively mild) actions that were taken ...
are probably about as much maliciousness as most people will ever
see."

Space Rogue, editor of The Hacker News Network, said the report
accurately details what he agrees are common attacks. But conversely,
the report does not inform experts on less common -- and more
sophisticated -- attacks.

"People engaging in high-level industrial espionage and other
high-level types of Internet mayhem are likely to use less common
methods and will take greater steps to cover their tracks than the
examples in this paper," Space Rogue said by email. "It is important
to remember that most high-profile attacks have gone unsolved. The New
York Times (website), CD Universe, Stages Worm -- even the Yahoo
(denial-of-service) attack have not been solved."

He said the "mafiaboy" suspect arrested following the series of
February attacks is generally thought to be a copycat hacker.

"This report does offer a glimpse into one aspect of Internet crime,
but it would be foolish to think that this is a complete picture,"
Space Rogue said.

Tweety Fish said the overall weakness of the Net to such attacks lies
with administrators who are too busy or ill-informed to prevent them.
These administrators trust vendors to provide secure systems, but too
often the software code that ships in such products is rife with
weaknesses.

The likely Pakistani origin of the attack documented in the
SecurityFocus.com paper should not be taken as an indicator of the
common origin for denial-of-service attacks, Levy said.

"Nowadays it's pretty much a global phenomenon, really," Levy said.
"In the old days, obviously because the Internet and technology in
general tended to be concentrated in the U.S., the majority of cases
and sources were from the U.S."

As the Net has grown, the phenomenon has grown worldwide to produce
hackers from Pakistan, India, China, Taiwan, Malaysia, Indonesia, and
Japan.

"They're really all over the place," Levy said. "As long as you can
get computers connected to the Internet, you'll find hackers."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".