
2 Setting the Stage

THE HACKER

First of all, the term “hacker,” historically speaking, is inaccurate. In the early days of computing a hacker was someone who investigated the workings of computers for fun and a challenge. Cracker was a term used to identify people who would break computers to use them for free or use system resources. Somewhere between the Internet revolution and the movies, hacker was adopted to describe computer criminals.

It is essential that business and security consultants alike understand the nuances of the hacker society, social status, drivers, and most important, to whom they are attracted. It is important to understand the types of threats in order to truly gauge the risks of an organization. To ensure the value of the test is realized, it is a significant task to contemplate the types of threats that should be mimicked. This is no different from approving an internal attack to test the defensive capability against employees. Employees symbolize a type of threat and having an internal test is plausible to verify the exposure and impacts of such a threat. Not to apply this to the Internet side (or unknown elements) of the equation would be remiss.

In the following sections we take a look at some of the types of hackers, their techniques, and what can be expected from them in an effort to assist in appropriately planning the test.

TYPE OF HACKER

Hackers come in all shapes and sizes; race, religion, and age are all valid variables. First, we dispel some myths and establish a sound basis for outlining hacker types. A prevalent myth regarding hackers is that they are derelicts with limited education and poor professionalism with nothing but time to wreak havoc on the unwary. Many hackers have been known to be law-abiding citizens but with questionable ethics and a twisted sense of crime. Most of this is due to the anonymity the computer provides. A hacker may not run a red light or shoplift due to the obvious exposure and tangible and immediate reaction of the act, such as a car crash or getting caught walking out the door. Many hackers would be horrified if they had to confront their victims face to face, or witness the results of their actions. This is a critical differentiating factor between hackers and other forms of criminals. For example, in many cases an arsonist will start a fire to watch it destroy property with the simple intent of watching something burn. Similarly, hackers may only gain satisfaction knowing their activity is causing some form of dismay. The most basic example is people who write worms or viruses and launch them onto the Internet: the satisfaction of knowing it causes problems somewhere is pleasure enough.

Hackers rely mostly on impersonal acts and see computers as the tool. In the minds of hackers, computer systems do not physically hurt anyone. In addition, the challenge is a constant theme. There are several motives, discussed later, but all rely on a mixture of challenge and desire.

There are several types of hackers, but we can reduce this to three basic characteristics that we can use to categorize the enemy:

1. Script kiddies
2. Hackers
3. Über hacker

SCRIPT KIDDIES

“Script kiddie” refers to a hacker wannabe who leverages tools created by other, more knowledgeable hackers to perform malicious acts. There are several degrees of damage that can be caused by people who fall into this category. Simply stating that they are less informed and unenlightened by the art of hacking does not immediately insinuate they are harmless. Script kiddies can be grouped into three areas: unstructured, structured, and determined.

1. Unstructured. This group is better defined as pranksters or a nuisance that usually includes juvenile acts that are typically not long lasting. Attacks of this nature are usually port scans and minor attacks that fill logs. They have little or no capability of covering their tracks unless the program they are using does it on their behalf. Recreational hackers, individuals who want to pursue and gain a limited understanding of hacking because of the lure and excitement, also fall into this category. In many cases, the damage caused by recreational hackers is limited in scope but destructive nevertheless. Internal employees performing recreational hacking represent the greatest threat to organizations. They may download tools in an attempt to perform a practical joke on their cubicle neighbor and unknowingly have an impact on critical systems.

2. Structured. The right tool in the wrong hands can have immense potential and combined with an opportunistic behavior can have measurable results. For example, the Distributed Denial of Service attacks (DDoS) were founded on a handful of tools that were easily installed on insecure systems around the world. Trin00 (tree-no) is one of several server/client-based tools that can be used to construct a hierarchical web of systems for a synchronized attack. By installing Zombies on remote systems, a single hacker can conduct an attack from hundreds of computers simultaneously, overwhelming even the most robust sites. The success of the DDoS attack can be attributed to the explosion of cable modems and insecure PCs residing on the Internet and a comprehensive toolset freely available on the Internet. Therefore, it is no longer simple to say that script kiddies are less of a concern when armed with comprehensive tools.

3. Determination. The persistence of an attacker certainly increases the probability of success. If for nothing other than sheer luck, a determined script kiddie will get in eventually. When writing this book, I asked a close friend of mine and respected security professional, Stephen Coman, about determination. He replied,

Most of the hacking cases I have been involved with have had to do with a young script kiddy that just wouldn’t stop. This one kid in Texas used every attack he could compile until he found a vulnerable system. He nailed something like 200+ systems all over, based only on the fact that he tried everything until he found something that worked.

Admittedly, the shotgun approach is not the best tactic, but the determination of script kiddies can be more of a problem for security administrators than most of the accomplished hackers out there.

NOTE 3: SOPHISTICATED TOOLS WILL COVER FOR THE UNSOPHISTICATED

Even though a script kiddie’s knowledge is limited, the proliferation of complex tools has reached staggering proportions. It requires very little understanding of security or hacking to combine several tools to obtain the desired results. Sub-7 and BackOrifice (BO) are powerful packages that can be easily installed on systems over the Internet to allow unparalleled access and control. For example, ButtPlug is a tool that embeds BO into a common file that when executed will install BO and contact the server (hacker’s system) upon completion. Once this life cycle is complete, a completely unknown entity has total control over your computer and the information that it maintains. There are several delivery techniques that range from the complex to simply sending the attachment via e-mail—sooner or later someone will run the attachment.

There are several arguments on the subject of how to categorize hackers and the impacts of script kiddies. The tools are becoming much more complex, yet easy to install and use. It is analogous to giving a bazooka to a 13-year-old kid. Automated attacks were first postulated by Donn Parker, the foremost expert on computer crime, who believes that we’ll reach a point in time when you tell a computer program what you need and it will get it—covering its tracks—all this without a shred of skill.

HACKERS

Hackers are the next step in the evolution of an attacker and make up the majority of the people who inflict chaos. Hackers explore computers for education, the challenge, and to achieve a social status among other hackers. They work diligently to obtain resources and compete with their peers to gain recognition and power within the hacking community. There is a strong sense of power in controlling remote resources for their own use and the more systems owned, the more clout in the community.

Again, hackers of any kind are not to be underestimated. These are typically very intelligent people with exceptional skills and logic. It is the latter of the two characteristics, logic, that truly separates hackers from script kiddies. Hacker logic is processing information and forming deductions based on the refusal to accommodate traditional thinking.

The simplest and oldest trick in the book is the Fax Trick. Take two pieces of paper, tape them end to end and start the fax machine. Once the first page is through, tape the leading edge to the back of the previous page; the result is a looping effect and an endless fax. This is an incredibly simplistic example of combining out-of-the-box thinking with technology. The goal is to make a system do what is needed by exploring all the options not previously combined.

As with any classification, there are variances in the characterization that can assist in further defining, and “hacker” as a label is no exception. There are four distinguishing faculties of the hacker: malicious, solvers, hacktivist, and vigilante. Each of these has its own unique idiosyncrasy.

1. Malicious. Malicious hackers are people with the sole intent of causing damage, destruction, or disruption of information systems. Writers of malware fall directly into this category, as do people who gain access to sites and corrupt information. Hateful actions are usually based on some opinion of the target or desire to gain a reputation. In some cases, destruction of systems and data is used as a tool to cover tracks or other attacks. These types of hackers are especially worrisome because they have the skill and no conscience for the ramification of their actions.

2. Solvers. There are hackers that gain access to systems to solve a problem they or a friend may have. Many of these attacks are based on changing or removing information to rectify a situation. Examples include obtaining software or code for personal use or changing records to eliminate evidence of other misconduct. Solvers also hack to prove a point and rely on the concept that they hacked a site to prove an insecurity. A report in ComputerWorld in December 2000 disclosed that a university hospital in Seattle was hacked by “Kane” in the Netherlands, who obtained 5000 patient records and posted his findings, and a copy of the records to prove his point, on SecurityFocus.com. Through interviews with Kevin Poulsen, Kane expressed that he simply wanted to expose the weakness in the hospital’s network.

3. Hacktivist. There are several hacking communities that band together for a common cause. Anarchists, racists, animal rights, and environmental protection groups are examples. The sad reality is that the law-abiding establishments with similar goals suffer from the acts of their hacker counterparts. Advocacy hackers can be exceptionally dangerous to certain businesses that support or represent antagonism. Companies that perform testing on animals, mine for resources, or simply write software are targets of hackers of this type. This is an important factor for companies wishing to have an ethical hack performed on their networks. It will help determine the scope and provider of such services based on their methodology, capability, and tenacity. In addition, by stating what represents the greatest threat to your business, the testers can assume the mindset of the proposed attacker. Another aspect of hacktivism is the use of cyber assets for “positive change” or an activist agenda. As stated on thehacktivist.com:

The Hacktivist is dedicated to examining the theory and practice of hacktivism and electronic civil disobedience while contributing to the evolution of hacktivism by promoting constructive debate, effective direct action, and creative solutions to complex problems in order to facilitate positive change.

4. Vigilantism. One aspect of hacking that you do not see on the news and in the daily paper is the vigilante groups that surreptitiously attack the Internet’s lower lifeforms, to use their terms. Child pornography is one of the darker sides of society and as with many social characteristics the Internet has amplified its availability and intensity. There are groups of extremely computer-savvy people who will do anything within their capability to thwart, damage, or stop child pornography. Interestingly, this raises several questions of law and ethics. The FBI has regularly investigated perpetrators of computer crime only to find out their target was a ring of child pornography dealers and forced to arrest the vigilante-hacker trying to put lowlifes out of business. In most cases, vigilantes are respected individuals in their normal surroundings, but once on the Internet an alternate persona takes over and the need to wage a war against the “scum of the Earth” takes over.

After the terrorist attack against the United States on September 11, 2001, hackers launched several cyber initiatives on their own. For example, the Web site for the Iranian government’s ministry of the interior, www.moi.gov.ir, was hacked in retaliation for the terrorist assaults. The presidential palace of Afghanistan, www.afghangovernment.org, was brought down for nearly a month because of endless DoS attacks against it. The FBI’s response was a statement reminding hackers that attacking Web sites and infiltrating network systems is against the law, adding Internet disruptions will only hurt America more. Moreover, law enforcement is concerned with vigilantes attacking systems because data used for prosecution can be lost during the attack, canceling the original intent of the vigilantes.

ÜBER HACKER

In German, über can be loosely translated to “super.” The resulting definition is easy to interpret: “Super Hacker.” An über hacker is a person with exceptional skills, fortitude, and a long list of experiences to draw upon for future hacks. These are the elite and nearly unstoppable hackers. To be an über hacker you must have exceptional skills in programming, logic, systems, operating systems, applications, hardware, communications, and protocols along with a strong dose of attitude and unethical behavior. Über hackers are the most feared because of their capability. These are the people that write the tools used by other hackers and are sought by unscrupulous businesses and governments.

With this type of power in the hands of immoral people, the options are vast. Although some über hackers remain dormant and hide in the fog of legitimate professions, there are others who actively use their capabilities to benefit themselves or others. There are two types of super hackers: extortionists and spies.

Extortionists

A growing popularity among the best hackers is using information to pressure people and organizations into paying money to remain quiet or to stop attacking them. The irony is not only do they make substantial amounts of money doing this, but also the payers actually believe the hacker. The usual result is the organization becomes the target of other extortionists. The FBI is flooded with cases that entail organizations receiving demands for money, unless . . . .

Financial institutions, online retailers, and gambling sites are typical targets due to the impact the loss of reputation can have and their access to cash. There are many examples where hackers gain access to a bank’s systems and obtain a list of accounts and personal information. Once acquired, the list is sent to the bank, proving their ownership of the information and ability to gain unauthorized access, with a note explaining that if they do not submit $20,000 U.S. they will publicize their acts. In comparison to the potential loss of business and reputation, $20,000 is not a lot to pay, and many companies do so. It is interesting to realize that firms pay the ransom assuming the information will not be released, when in fact the people who perform these acts are obviously not people to trust. The result is other crime communities focusing on the target because they’ve been labeled a “sucker” and represent free money.

The discriminating factor between über hackers and other forms of hackers (beyond the skills) is they do not perform the attack for reputation or respect: they do it for money. Money is an enormous motivator and can grant hackers a constant influx of tools and the latest technology to support their appetite for knowledge. There are two types: hitmen and terrorists.

1. Hitman. Über hackers of this grade are usually associated with a crime organization to support a symbiotic relationship. Much like a hitman that performs deeds for the boss, hackers are called upon to gain information to control people and money — for money. An example is a hacker inserting evidence of an unlawful activity onto a government representative’s computer to force him to perform acts for the benefit of the organization. Yes, they are given an offer they can’t refuse.

2. Terrorist. There are numerous examples of terrorists’ activities that do not use planes or chemicals but rather the computer. To date, they have not had the same impact as 9/11 but remain a substantial threat nevertheless. It is assumed, and hoped, that government entities such as the NSA, FBI, and CIA are successful in their counterterrorism techniques.

We see computer terrorism in many forms that range from the benign to the malignant. The government is a prime example of a targeted attack by distributed groups bent on disruption. When a U.S. naval spy plane was damaged by a Chinese jet over China it was forced to land in a less-than-receptive country. In retaliation for spying, several government networks were harshly attacked by Chinese hackers in protest. Organizations that are related to government operations or technology, or public systems (e.g., water, power, transportation), or represent involvement with a community are targets of cyber terrorism. Although this book focuses on ethical hacking—a much lighter subject—it is necessary for everyone to be aware of the desire of some factions to cause damage that can lead to harming people.

Espionage

Of course, there is government espionage using people as much as technology, but