Information Security News mailing list archives

Cracking the hackers' code


From: InfoSec News <isn () c4i org>
Date: Tue, 20 Aug 2002 07:39:53 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.smh.com.au/articles/2002/08/20/1029114072039.html

By Suelette Dreyfus
August 20 2002

If your organisation suffered a computer crime in the past few years
and reported it to AusCERT, it was probably an attack from outside
your walls. Nearly 90 per cent of Australian organisations that
reported an incident were attacked externally, according to the 2002
Australian Computer Crime and Security Survey. This is the first time
the threat of being attacked from outside surpassed the likelihood of
an assault from inside.

It might be increasingly difficult to keep out external hackers but
there are signs IT managers are finding it easier to win support
within companies for improving security. Management consulting firm
McKinsey & Co recently studied security best practices at Fortune 500
companies. About 30 of these companies, including AOL Time Warner,
Merrill Lynch, Microsoft and Visa International, had appointed a chief
security officer or other senior executive to oversee information
security. In some cases, this executive had the power to stop the
launch of new products or systems, and answered only to the chief
executive.

The recent AusCERT study stated that 70 per cent of Australian
organisations surveyed had increased spending on information security
in the past year.

All of this is good news for IT managers. Most attempted attacks come
via script kiddies, according to Neal Wise, senior security consultant
for eSec, a Melbourne-based security technology company. Keeping
software up to date should provide a good first-line defence but he
also recommends putting pressure on vendors to release security
patches in a timely fashion. "You can vote with your wallet," he says.

Yet Grant Bayley, organiser of Sydney's 2600 group, a gathering of
security enthusiasts, says that while the number of hackers has
increased, the percentage of highly skilled hackers has stayed the
same, suggesting their total numbers are up as well. "These are the
people who are really good at writing exploits - original and very
obscure exploits. And people don't write exploits just to have them
sit there and look pretty."

More sophisticated hackers may be more difficult to defend against, in
part because their motivations may be complex. A small subset of these
hackers obsess about a problem day after day, ignoring the rest of
their lives. If you are running a network or a system, understanding
what drives people to break in will help you to defend your
organisation.

Meeting "Higgs", formerly one of the most skilled illegal hackers of
the Australian computer underground, can be a high-stress experience;  
Higgs fidgets with other people's things until they break.

He doesn't mean to break them, he just pulls and prods at them
incessantly while he bounces his knee up and down and talks. When the
item cracks or snaps, he looks utterly surprised, as though he had no
idea the item was in his hand. He sheepishly slips the broken pieces
into his pocket, adding to his sins by running off with the evidence.

He sometimes has one-way conversations with people, meaning he talks
and they try to get a word in edgewise. He is always right, and he is
only interested in "the truth", no matter how bare and brutal. This
inflexible, seemingly arrogant attitude frequently gets him into
trouble, in part because he is usually right. Or because when he's
wrong, he's so wildly off the mark, it's funny. He's also anti-social,
partly due to shyness, but also because most people bore him. He says
they don't feed him information fast enough. "I can't do that
chit-chat stuff," he says.

Like a number of other technically elite hackers, Higgs shows
characteristics similar to those shown by people with Asperger
syndrome. This neurobiological disorder, which may resemble mild
autism, has often been misdiagnosed in the past. The condition only
made it into the Diagnostic and Statistical Manual of Mental Disorders
in 1994.

Like elite-end hackers, many "aspies" are exceptionally skilled in a
specialised area. A 2001 University of Cambridge study into the
syndrome showed a higher incidence of AS/High-Functioning Autism,
which seem to be related, among scientists and mathematicians. Tests
of 840 students showed "that mathematicians scored higher than
engineers, physical and computer sciences, who scored higher than
medicine and biology". The condition is also more common among males
and may have a genetic component.

There does not appear to be any in-depth research linking illegal
hacking and Asperger syndrome. However, one of the world's leading AS
experts, Australian clinical psychologist Tony Attwood, believes some
hackers may share characteristics with "Aspies", as they refer to
themselves.

"The link between AS and computers is well known. Computers were
designed by - and for - people with AS," Attwood, based in Queensland,
says. "Those with AS seem to know the language of computers better
than social or conventional languages. It is quite plausible that
people with AS may pursue an interest in cracking."

Historically, AS has been linked to at least one area that has become
a key part of computer security: cryptography.

"The team that cracked the Enigma code appeared to include several
individuals who showed characteristics of Asperger's," Attwood says.  
This included the father of modern computing, Alan Turing.

"It's the sheer challenge rather than any (criminal intent). It's the
pursuit of knowledge and truth - with different priorities and
perceptions ... They see it as an intellectual challenge and a prize,
(and) they look at the success of what they have done rather than the
consequences of the lives of people they have affected."

Aspies typically have an almost obsessional approach to solving
problems and are often oblivious to their peers' view that a given
problem is "unsolvable". Both are often prerequisites to becoming an
elite-end hacker.

What effect might hacking have on an Aspie?

"Hacking is giving them an intellectual orgasm. And they are addicted
to the intellectual orgasm," Attwood says.

This doesn't mean all illegal hackers have AS, or that these hackers
should escape criminal conviction. However, the linking of AS and
hacking could have an impact on conviction or sentencing in future.

Previously, what experts termed an extreme addiction to hacking played
a key role in a landmark British hacking case. Based on the
descriptions of the hacker's behaviour, the apparent addiction could
well have been a manifestation of AS. In a jury trial, the legal
defence team of the British hacker "Wandii" showed the hacker was
obsessed with computers and the intellectual challenge of beating
them. The jury acquitted him of criminal charges in just 90 minutes,
apparently because it decided he lacked mens rea, or awareness of
criminal wrongdoing.

"You would not use AS to say a person is of unsound mind, because such
people are very logical (if) eccentric," Attwood says.

"But (a diagnosis) could alter sentencing in two ways. First, in
(assessing) the degree of criminal intent. And, second, in deterrence.  
They may need treatment for a compulsion, which may be irresistible,
rather than a prison sentence or a psychiatric institution."

In the US, convicted hackers have been banned from using computers for
long periods as part of their sentences. Attwood says this approach is
likely to be inappropriate for Aspies. Denying them use of computers
is very different than for most people.

"What we might look at instead is controlled access in a constructive
way for convicted offenders," he says.

"Res" is a skilled Australian Black Hat hacker. Extremely private,
street smart, he holds back, watching you, taking your measure. He
slips in a little cynical humour now and again, showing he's cool but
not cold. But he's a contrast to the stereotypical Hollywood geek
hacker because he has a life.

"I haven't spent a Friday or Saturday night at home since I was 17,"  
Res says.

While not showing any visible signs of AS, he's clearly capable of
obsessional behaviour. "I am obsessive: I collect things. I like
having everything, I never delete anything. I am a radical person. I'm
all or nothing."

He says he doesn't read books but that's not quite true. He buys
technical textbooks. Other than specialist mailing lists and the
newspaper, the only other thing he reads is the Slashdot website.

The Cambridge study suggests a "continuum" of disability, "with AS as
the bridge between autism and normality". Res may represent a point on
the spectrum between AS and obsessive - a place other top hackers
might also occupy.

Hacker group 2600's Grant Bayley estimates that, based on his
experience, "You probably wouldn't find more than two AS symptoms in
any one hacker but you would find more symptoms in 50 to 70 per cent
of hackers in the mid to upper-skill level."

Higgs recognises he has some AS traits and he believes having AS could
definitely contribute to hackers rising in the ranks of the elite
underground.

"It is not that AS gets you to the top of the pile but it can help.  
Because there are some things that are broken, you are forced to use
other parts of the brain instead. The ability to blinker everything
else and not get distracted helps."

He views the AS-affected hacker mind as being like the Internet: "That
hacker's mind sees group dynamics as damage and routes around it."

However, after interacting with a number of top hackers around the
globe over several years, he argues there are other contributing
factors.

"For these people to get where they have, Asperger's isn't enough.  
They have something else. Clearly (convicted American hacker Kevin)  
Mitnick's talent doesn't just come from AS; there is something else
there. Like his social engineering talent - you just wouldn't
associate that with AS," he says.

"The 'f***-you' attitude is also a requirement. Every one (of the top
hackers) has had the 'f***-you' ingredient ... You cannot defy authority
and break the law thousands of times a year without the 'f***-you'
ingredient."

Suelette Dreyfus is the author of Underground and an honorary fellow
at the University of Melbourne's department of information systems.

How to deter the obsessive attacker

What is the best way to defend your network against illegal hackers
who show Asperger syndrome-like characteristics?

A former highly skilled and obsessive hacker, "Higgs" suggests
breaking the patterns of usual defensive behaviour.

Trip wires in packaged software might be anticipated by a
pattern-based hacker. "Set up trip wires that are unique," he says.

Also, use your logs in different ways for tell-tale signs of a
hacker's trespass.

"Backdoor the 'ls' command (in UNIX), which gives you a list of files.  
Record its arguments and when it is used. A (pattern-based) hacker
might not think to look for logs of that.

"Backdoor the SSH (secure shell) client to record who is using it and
when. Keep secret log files in unusual locations."



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
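
The 'ls' trip wire described in the article's sidebar (record the arguments and the time of use, in a log kept somewhere unusual), written as a shell wrapper for a host you administer. This is an added example, not part of the article or the original post; the log path, the real-binary path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a logging wrapper for ls, installed under the name "ls"
# ahead of the real binary on PATH. Paths below are hypothetical.
TRIPWIRE_LOG="${TRIPWIRE_LOG:-/var/lib/.idx/cache.dat}"  # assumed "unusual" location
REAL_LS="${REAL_LS:-/bin/ls}"                            # assumed real binary

# Replace control and non-ASCII bytes with '?' so that a crafted argument
# (for example one containing a newline) cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# Append one line per invocation: UTC time, user, terminal, cwd, arguments.
record_ls() {
    _ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    _user=$(id -un 2>/dev/null || echo unknown)
    if tty -s; then _tty=$(tty); else _tty=notty; fi
    _line="$_ts user=$_user tty=$_tty cwd=$(sanitize "$PWD") argc=$#"
    for _arg in "$@"; do
        _line="$_line arg=[$(sanitize "$_arg")]"
    done
    # Logging must never change what the caller sees: errors are swallowed.
    ( umask 077; printf '%s\n' "$_line" >> "$TRIPWIRE_LOG" ) 2>/dev/null || true
}

# Record the call, then hand over to the real ls with the arguments untouched.
ls_tripwire() {
    record_ls "$@"
    "$REAL_LS" "$@"
}

# Act as the wrapper only when this file is invoked under the name "ls".
case "${0##*/}" in
    ls) ls_tripwire "$@"; exit $? ;;
esac
```

Each call adds one line to the log, so a review can sort by time and user to see which directories were listed and with which options.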

