Personal tools

Hackstory Twitter Hackstory Facebook

Attrition

From Hack Story

Jump to: navigation, search
Staff Zap (Under Construction)black.jpg

http://www.darwinmag.com/read/120100/hackers.html

BY DAINTRY DUFFY

Not all hackers are bad guys. But understanding what motivates them can make you less vulnerable to an attack.

On the surface, the Web is a slick marketing and commerce tool. As you surf through sites like Yahoo and Amazon.com, the online world looks clean and orderly, the perfect place for your business to set up shop. But drill down a bit, beneath the special-interest sites and chat groups, and you'll unearth a colorful crew of subterranean Web dwellers known as hackers, crackers, phreakers and script kiddies. They travel covertly in and out of websites, looking in your shopping carts, reading your e-mails and occasionally announcing their presence by defacing a website, flooding servers (computers that host services on a network) or diverting credit card numbers for their personal use.

While these folks are generally grouped under the generic umbrella of "hackers," they have very different agendas and skill sets (see "Cast of Characters", left).

We recently spoke with three experienced hackers who cut their teeth in the underground hacking world and are now plying their trades in computer security as consultants. All three are also on the staff of Attrition.org, a website that displays defaced webpages, provides information about recent hacks and has been accused of everything from being a hacker gang to an FBI front. Jericho (a.k.a. Brian Martin, 27), Dev/Null (real name withheld, 28) and Cancer Omega (a.k.a. Jay Dyson, 38) shared with us some of their experiences within the hacker community, explaining what companies truly have to fear from hackers and what they should do to protect themselves.


DARWIN: How did you first get into hacking?

Jericho (cult hero): I've been into computers since I was 8 years old. But as far as playing around on networks or whatever, I was 18 or 19.

Dev/Null (a.k.a. Null): I've been interested in computers since my dad bought me an Apple IIE when I was 10. And I have been on the Internet since my freshman year in college in 1990. I was an English major and I hung out with a bunch of hackers. They taught me what to do on a computer, and I kind of went from there. I'm pretty much self-taught.

Cancer Omega (CO): My father was a field engineer for IBM so I was raised around computers. I was first exposed to them when I was 6, and I just thought they were magic. In 1979 I put together my first computer system, and I've been hooked ever since.

What appealed to you about it?

Null: With the Internet and computers, I could start learning and never stop. It's absolutely fascinating to ride the wave of the technology as it changes, learning things that are brand new. This was something that my father didn't know how to do.

Jericho: I guess it was my curiosity; looking to see if I could make the system do more than it advertised; seeing what else was out there; just learning how the different kinds of systems worked.

Did you ever cause any significant damage?

Null: I have not done much in the way of illegal hacking. I don't feel like I need to go barging into someone else's stuff just to learn new things, and I don't have that power-trip mentality where it's so neat to break into other people's stuff because then I'm more powerful than they are. I can't say that I've never done anything illegal, but I also speed when I get in my car.

Jericho: It never occurred to me, "Oh hey, I could mess this system up" or, "I could delete this file."


But you were going places that you weren't supposed to go, and you knew that was illegal.

Jericho: At times yes, but when I was doing it, the computer crime laws were fairly vague. There was very little prosecution, very little investigation, not that that excused it, but...what I was doing wasn't with any big criminal intent.

CO: I only did that when I was under 18 because I was very familiar with the ways the laws worked. I did go to a few places that I didn't really belong, but we all agreed on a modified Hippocratic oath. We were operating under a trust relationship, and we would not betray that trust to the point where damage was done. Our philosophy was, If you have this skill, consider it a gift and don't abuse it. And most of all, don't abuse other people. There's a difference between somebody who knows a martial art and an outright bully.


What made you decide to take a legitimate job in computer security?

Null: Well, jobs started opening up. Nobody had any idea what the Internet was going to be until the Web exploded around '94 and '95. It was then that I realized, Hey, I don't have to be a librarian for the rest of my life. I can probably get away with doing this computer stuff.

CO: The way I got into it, as a career, was that the computer industry grew up and realized that security was actually a concern.


What do your parents think? Did they always know about your hacking habit?

Jericho: Hmm...my parents had a little suspicion. They never asked me about it, and after the fact, they looked back and said, "Well, it was a risk you took, it was your decision." They're very happy with my career now.

Null: Oh yeah, [my parents] think it's great. When I was first trying to explain to them what the Internet was, they didn't understand, and they were actually very suspicious of the whole thing. They figured that if I was talking to someone who lived in Singapore, then somebody must be paying the long-distance bills. It was very difficult to explain to them that it's not like that. There was a long period of adjustment, but in the last several years as I've been publishing papers and have started to be looked on as an authority, they're very impressed. My mom thinks it's cool. She tells all of her PTA friends that her kid is a hacker.

CO: My father told me, "You ought to stop screwing around and get serious because what you're doing is never going to amount to anything." He was old school. Because he worked for IBM, his philosophy was you do it the company's way and don't even think about trying something outside the box.


Attrition.org publicizes hacking incidents on a part of its site known as the "Mirror." Doesn't that just encourage more hacking?

CO: I think the Mirror's biggest contribution to the community is to show beyond a shadow of a doubt that security through obscurity does not work. There are sites out there that nobody's heard of until they get hit. So if you think nobody's going to spank your site because you're just a mom-and-pop operation, you've got another thing coming. Ninety percent of the sites on the Mirror are just that.

Null: None of us are particularly impressed with people who deface websites. Most of what we do it for is a historical record, and we've got some very high-profile sites that have gotten hit. If these people can get hit, anyone can. In my view, our Mirror underscores the importance of having good security.


Who are most hackers these days? Are they the geeky-loner types hacking in their parents' basements? Or is that just a media clich?

Null: Oh, that is such a clich! All you have to do is look at any articles about DefConthe big hacker convention every year in Vegas. That'll dispel that myth in a heartbeat. You've got 5,000 hackers descending on Vegas for a weekend. These are not basement-dwelling types. These are fun people. Of course you're going to have the geeky loners, but there are also plenty of very clean-cut frat-guy types who are damn good at what they do.

CO: A hacker is someone who has a real love of the technology and knows it on a very intimate level. The term first got bandied about at MIT and at Berkley where people understood the technology so intimately they could literally navigate around it in the dark. Through this knowledge they started making modifications, basically hack jobs in order to accomplish objectives that were really quite legitimate. Back in those days the term hacker was really quite a compliment. Now because of popular use, people have come to mistake these script kiddies (or as some people call them script monkeys or packet monkeys) as being hackers when in fact they're not. That's like saying that someone who can start a car is a mechanic. These are just teenagers with a lot of angst and a computer; they're not hackers. They have never authored anything original. They may know how to run scripts, but anybody who can type can run a script.


Do they primarily work alone or within groups?

Jericho: A lot of what we see is that they're group-oriented. Most of them are probably scared to work alone. There's been a group called Hack Wiser; G-Force Pakistan continues to deface with its political message; recently there have been pro-Napster group hacks.

Null: A lot of people work together to a degree and then work on their own as well. For instance, I'm part of Attrition, but when I'm writing an article or doing a penetration test of a network, I'm generally on my own. But I can go to the contacts I have and ask for help if I get stuck.


What motivates most hackers? Is it largely done for sport with a few bad apples thrown in?

Null: I think it's the love of learning something brand new. It's the same thing that motivates some guys to take apart carsto find out what makes them tick. Here's a brand-new computer technology that not very many people understand. Great! Give it to me! Let me look at it, let me take it apart, let me see why it does what it does so that I can learn about it.

Jericho: And then there are a few bad apples thrown in....


Is there a hacker code of ethics?

CO: Yes there is: Do no damage. If you have to go in someplace and you're not authorized to do so, leave it in better shape than you found it. In fact, there have been systems at NASA that were breached, where the hacker actually left a nice note to the systems administrator saying, "Hi! Here's how I got in, here's how I fixed it." You don't go looking to break into machines, but every now and then there are some you just fall into.


What's the most important thing businesspeople should understand about how hackers think?

Jericho: It takes the hacker mentality to test all of the ways into a network. True hackers don't give up. They explore every possible way into a network, not just the well-known ones.

Null: The bad guys don't particularly care what damage they do. When you're spray-painting your name on an overpass, you don't care about the guy who's going to have to scrub it off. For the most part, these guys are not out to attack your company personally; they just came across your company, and it wasn't secure enough and so you got taken down.


What kind of hacking poses the biggest threat to companies?

CO: A lot of the script kiddies out there are immediately noticed because the first thing they do is deface the websiteI don't worry about those people. The people I worry about are the ones you don't know are there, the ones who are just slightly manipulating the data to suit their own ends. Those are the people to be really concerned about. If your company has data out there [on the Internet] that is strictly out there for your convenience, that same convenience makes it that much easier for an unauthorized user to access it. You need to start seriously considering just how much that convenience is worth to you because it may cost you the validity of your data. It could even cost your company's reputation.


What are the biggest red flags or invitations for a hacker to break into a site? What makes it really tempting?

Null: One unsecured machine. A couple of years ago, eBay got taken down. They had firewalls, they had really tight security, but they had one backup machine that was outside of their firewall. They had forgotten it was there. Somebody used that machine to get through their firewall because it was trusted, and they basically owned eBay's network. What makes you a target is having a glaringly weak link in an otherwise secure network. If your network is very secure, you've obviously got something to hide, and if you've got one machine out there that's wide open, somebody's going to take that out and through that machine, they're going to hit the rest of your network.

Jericho: Just having a big [corporate] name can do it, boasting that you're secure or boasting that you have security. If there's a vendor with some kind of product like a firewall or intrusion-detection system, a lot of hackers want to show them up, just to prove that there are weaknesses.


What can companies do to make their systems as unappealing and unassailable as possible?

Null: The most important thing a company can have is a security policy. If you have a good security policy and you follow it diligentlyyou make sure that all of your machines are up to patch, your passwords are good passwords, your people are following basic security practices and they're not hooking modems up on their desktopsthen you're fine. You're safe. It doesn't take a genius to have a secure network, it just takes diligence. Aside from having a really good policy and sticking to it, companies probably need a security person on their payroll. I'm not just saying that to make the demand for my position increase; security is really a constant thing. If you don't have someone who at least knows security, then in a month or two, you may be wide open and not know it because new vulnerabilities come out all the time.

CO: There's an old joke: Two guys run into a bear in the forest and the bear starts chasing them. One of the guys stops and tightens the laces on his shoes. The other guy says, "What are you doing? You can't outrun the bear!" The first guy says, "I don't have to outrun the bear, I just have to outrun you!" By the same token, your company just has to be more secure than the easy prey that's sitting out there. To do that, you have to shut off all unnecessary services, start requiring encryption for your log-on and authentication, and establish a granularity of your network. People in accounting don't need access to [information in] the engineering group.


Do you see any benefit to living in a world with hackers?

CO: Crackers do get bad-mouthed and people say they're just vandals, but they are actually showing that most sites have absolutely no security. I'll give you an example. I wouldn't call this a hack, more of a prank, but we had an [e-mail] distribution list that went to all personnel at a NASA center and there was literally no authentication on it. Someone sent e-mail to this list impersonating the director of that NASA center. From the message itself, people recognized immediately that it was a hoax. But imagine if someone with malicious intent sent out a seemingly legitimate letter with an attachment that said please download and run this. The consequences would have been devastating. And if it weren't for our little local hacker, what would prevent foreign nationals from disrupting our corporate online presence in a very large way?


How easy is it to break into the typical Fortune 500 company site?

Null: The typical Fortune 500 company usually has given some thought to security, if only because its shareholders demand it. However, I have never seen a site that I couldn't recommend some improvements on. Most companies in general could probably be gotten into within 24 hours if somebody was really dedicated.


The Liberty virus is now moving into PDAs, and people predict that cell phones will soon succumb to similar viruses. What do you see as the greatest future risks to security?

Null: I think that companies are going to find out that their biggest problems will be things that they've trusted for years. I don't know if you're aware of this, but it is possible to hack into a network through a printer. The printer has an infrared port on it, and your Palm Pilot has an infrared port on it. If I'm walking through your building with my Palm Pilot, my Palm Pilot can talk to your printer. Your printer is connected to your network. Your machines trust your printer. If I can own your printer, I can own your network. As technology grows, there's all this talk about having more and more things hooked up to the Internetlike being able to turn on your coffee machine without leaving your desk. Well, what happens if somebody owns your coffee machine? Machines, like your printers, that have always been considered harmless won't be for long. I know some people who are brilliant at finding these vulnerabilities. And that's what they're working on.

CO: The greatest future danger is the greatest past and present danger: exploitation of trust relationships. Applications, whether wireless or mail programs, operate on the trust that everyone is going to play nice. Lo and behold, not everyone is going to play nice anymore because we have these little miscreants running around doing evil things. So we have to take the world as it is. Right now, every trust relationship we have defined as an implicit rule can no longer apply. All of the viruses rely on a certain amount of trust, and it will continue to be the largest threat to security. We can't stand around and say we'll just make tougher laws. When we had a rise in burglaries we didn't make tougher laws, we made tougher locks. Likewise, we have to make tougher locks out in cyberspace. 


----
Forwarded message ----------

Date: Mon, 21 May 2001 05:42:44 -0600 (MDT) From: security curmudgeon <jericho@attrition.org> To: defaced-commentary@attrition.org Subject: [defaced-commentary] ATTRITION: Evolution


ATTRITION: Evolution

Definition

Attrition.org is a non-profit hobby site run by a handful of volunteers in their free time. Each staff member at Attrition has a day job that takes a considerable amount of time, as well as other hobbies, and a social life (despite popular rumor). Over the last two years, the site has moved from a few random specialty pages to an archive of over seven gigs of diverse material and specialized content. With no corporate backing, no income, no 'guidance', no leash and no muzzle, Attrition continued to move in a direction that values truth and bluntness over sugar coated words and fluff.

Decision

One of the most predominant sections of Attrition has been the defacement mirror. What began as a small collection of web site defacement mirrors soon turned into a near 24/7 chore of keeping it up to date. In the last month, we have experienced single days of mirroring over 100 defaced web sites, over three times the total for 1995 and 1996 combined. With the rapid increase in web defacement activity, there are times when it requires one of us to take mirrors for four or five hours straight to catch up. Add to that the scripts and utilities needed to keep the mirror updated, statistics generated, mail lists maintained, and the time required for basic functionality is immense. A "hobby" is supposed to be enjoyable. Maintaining the mirror is becoming a thankless chore.

During this time, we have struggled to keep up various other sections of Attrition that have been a core part of the site. As the mirror grew and began to consume more resources, the other sections have found themselves on the backburner and rarely updated. In essence, what was once a hobby site run in spare time for fun has turned into a beleaguring second job. A job that comes with more headache, complaints, criticisms, slander and attacks than productive output or reward. In two years we have turned away countless computer security work that could have been fulfilled by a number of us. The abuse and ignorance we deal with from defacers and defacement victims is staggering, and some of that abuse spills over into actual attacks. Attrition has been taken down more than once by massive denial of service attacks which have inconvenienced our generous upstream provider, hundreds of other colo customers, and thousands of dialup customers, making our job even more difficult.

With that, the mirror will no longer be maintained. We've served our time.

Direction

As the mirror itself is phased out, several aspects of the process will remain. One of the most useful and practical resources spawned from the mirror are the statistics generated. It is our intention to continue to perform statistical analysis of defacements by utilizing the Alldas mirror. We have already begun sharing incoming defacement notifications with them to help facilitate the accurate and consistent mirroring of sites as we learn of them. We will also continue to provide commentary and articles on high profile defacements, significant trends or other activity that warrants attention.

Resurrection and revamping of our Errata section should happen in the short term. It has been an oft overlooked resource despite the infrequent updates. With security and hackers becoming ever more popular with the press outlets, the need for vigilance is growing. It is important for members of the security community to be aware of journalists and news outlets more interested in flashy headlines and a quick buck.

The various subsections of our security page will continue to be updated including more guides to implementing security, testing security, forensics, incident response and more. No doubt various staff members will continue to add to the 'rants' page as time goes on.

Several other areas such as the image gallery, music reviews, movie reviews, poetry, contests, and the ever popular 'Going Postal' will now receive more attention.

Dedication

As more and more hours were dedicated to running the mirror, the feeling of burnout crept into a few of us. Despite this, it is our intention that we stay dedicated to Attrition and improving it on a daily basis. This doesn't mean there will be new visible content on the news page every day. It does mean that every day we will be working on one aspect of the site or another. Often times this is done by answering mail, developing small utilities to help improve the quality of administrative life, or something else not visible to the web site. We are evolving, bear with us - and we'll continue to provide the community with the quality content it's come to expect, just in a different package.



- The information and commentary is Copyright 2001, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.

Commentary Archive: http://www.attrition.org/security/commentary/ The Attrition Mirror: http://www.attrition.org/mirror/attrition/ Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html

Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html Contacting Attrition Staff: staff@attrition.org

To subscribe to Defaced Commentary, send mail to majordomo@attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.

Retrieved from "Attrition"
Hackstory.es - La historia nunca contada del underground hacker en la Península Ibérica.