Security News > 2002 > March > The secret life of hackers
http://it.mycareer.com.au/news/2002/03/19/FFXL5GK5XYC.html Tuesday 19 March, 2002 By Suelette Dreyfus Were you to work in a certain Federal Government agency, every morning you walked through the front door, you'd have to use three security cards and type up to 10 passwords - all before your first cup of coffee. The employees have a simple solution: they leave their security cards in their desk drawers and sticky notes with passwords on the wall. This is not an approved national security protocol. Let's face it: security is a pain. As "Gan", a highly skilled Australian hacker who used to break into systems illegally, says, "Security prevents people doing things - it's designed to automate authoritarian tendencies in an organisation. "It works like the French legal system: you're guilty until proven innocent." For the average IT manager, security is a headache. No one notices when you do it right, but, oh, do you hear about it when you've done it wrong. Finding the balance between security and convenience means understanding the threat. So what is out there? Rain Forest Puppy, an American white-hat hacker speaking at Hack 2002 Conference and Expo opening today in Sydney, says many hackers, particularly the low-skilled script kiddies who use other people's automated hacking programs, "don't differentiate or target. It's easy to scan the entire Internet and pick off the weak sheep". Script kiddies account for most attacks, according to Nesh, an Australian hacker who routinely pokes around other people's systems. "They just spray the Internet," Nesh says. Keeping your security up to date should fend off many of these attacks. However, if you run a network attached to the Net, your systems probably have security holes that a sophisticated hacker can penetrate. Nesh is a hacker-for-hire. His clients have included government departments and financial institutions. He doesn't want to give his real name, probably because he still keeps a hand in the shadows of the underground. While others in the security business happily "whore their names on bugtraq (a security mailing list)", as he describes it, he's happy to work behind the scenes on paid contracts testing organisations' security. It's intellectually challenging work and he doesn't have to deal with clients much. But there are drawbacks, like being forced to prove to managers that he's broken into their systems. "They say, 'No, no, we are secure here.' Then you show them. You see their faces. "It's such a negative thing, like, 'I am here to destroy you.' All you are doing is proving people are lazy most of the time. I don't want to do that in front of a client. If you break into a big bank, someone is going to get fired, it's true. "I don't like busting people's balls. I don't like feeling the human side of it, I don't like that," he says. At the elite end of illegal hacking, the activity is increasingly time-consuming. Nesh has an isolated network of more than 15 systems in his living room for testing code he writes to exploit security holes. He often takes up to three weeks to write one exploit program. Gan estimates that, on average, "It is about five times as hard to write an exploit as to find the security hole in the first place." The darker corners of the computer underground have changed significantly since its birth in the early 1980s. Here's what IT managers are up against today: * Obsession still plays an important role in motivating the illegal hacker but its focus has changed. "The obsession tends to be focused on the research stage - finding the security bug and then writing the exploit software to take advantage of it," Nesh says. However, obsessiveness is still common among top-end hackers. "Being obsessive-compulsive is better than being smart," he says. * At the elite end of intruders, the style of attack has moved from just randomly hacking machines, though they still machine-hop to hide their trails. Says Nesh, "The guys who just sit for days on end and break into machines are gone. The desire to break into lots of systems randomly is gone. The underground is now more geared towards doing better research and selectively using that information to break into machines over an extended period with a specific target in mind." * Military sites are no longer the popular targets they once were in the late 1980s, early 1990s. "No one goes for military targets any more since September 11. Everyone realises you'll have a black helicopter landing on your roof if you do," Nesh says. * "War driving" - looking for wireless networks to jack into anonymously, continues to be the hottest area for illegal hacking. Hackers tend to be motivated by three rewards, according to Ronald Van Geijn, the director of vulnerability management at Symantec. They are: bragging rights and recognition (particularly for defacing websites); money (by stealing data and selling it, or by blackmailing a victim); and demonstration (where white-hat hackers show how security can be broken). According to Nesh, it's still largely about achievement among peers. "It's like climbing a ladder - you have to be respected by these people," Nesh says. Top hackers often target organisations, which develop operating systems, with two aims: to back-door the source code and, if the code is proprietary, to steal it to hunt for weakness. However, these hackers are increasingly moving towards targeting companies that make applications, instead of just operating systems. Hackers - the illegal sort - tend to have day jobs. They work as system administrators or in some aspect of computer security. They don't get caught because they are very careful and know what they're doing. Financial institutions tend to have the best security (because they can pay for it), while universities and home users tend to have the weakest security. Banks do get pinched by online theft but you don't hear about it according to Van Geijn, because "they are very successful at retrieving the money". There is strong pressure from the black-hat section of the underground not to release security holes. The reason? The holes are closed up much sooner than they used to be. "Ten years ago, you could use a hole for six months. Now, if you tell three people, you're lucky if a good security hole lasts three weeks," Nesh says. Some illegal hackers deliberately release false information about security holes in public arenas. In one case, a black-hat hacker posted a fake security hole description to a security mailing list. A few days later, the vendor made a sheepish announcement that it was vulnerable to the imaginary attack - much to the hacker's amusement. The top hackers rarely publish security holes these days. "There is a mystique behind being elite; the best way to do that is to publish something once a year," Nesh says. "You don't have a reputation then as a media whore. If you publish lots of stuff then you are going to show your weaknesses." Corporate espionage relies increasingly on illegal hacking. Van Geijn says an electronic intruder broke into egghead.com, an Internet direct marketer selling clearance bargains such as consumer electronics and sporting goods. Behind the scenes, the hacker was trying to extort the company, which responded with a public announcement of the break-in. "The company subsequently filed for bankruptcy," he says. The online porn industry apparently also has its share of corporate espionage. Gan says he has been approached by online porn providers wanting him to to steal competitors' customer lists. He refused. Gan says he doesn't back-door systems much but some places where he has left back doors have stayed "open" more than five years, in one case through at least one operating-system upgrade. "One reason I never bothered to back-door much stuff is because I could just go in the front door," he says. "There's no better back door than an OS full of bugs." HACKING GLOSSARY * Script Kiddies (or Weenies): inexperienced, illegal hackers who use hacking tools created by someone else. Usually don't understand how the tools work or lack the skills to re-create them. * White Hat: publishes security holes immediately and often notifies the company to warn that its product has a problem. Only engages in hacking that is legal, such as penetration testing. * Grey Hat: sits on a security hole for a while and might use it for illegal penetrations periodically. Usually has some public identity in the security area but often not with real name. * Black Hat: never releases the security hole or exploit code publicly and hates it when others do. Breaks into systems illegally. * Hacker: someone with technical ability to break open systems. Also often used to suggest illegal intrusions. * Cracker: traditionally someone who breaks copy protection on games but increasingly used to describe hackers involved in unauthorised access. * The Underground: community of people who "think outside the box". Includes illegal hacking but also a range of other activities such as making "demos" (programs that show off programming skills creatively), and music piracy for personal use. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.