
12.29.00

 

Professional hacking.

A LookOUT! column.

Until recently, you probably hadn't given that much thought to the words "professional" and "hacker" together. No wonder, all the publicity goes to the amateur hackers, particularly the occasionally successful, usually undernourished and always anti-social teenager. Front pages scream about denial of service attacks on eBay and Yahoo, "I love you" virus releases and defacement of sites such as those of the CIA and FBI.

However, it's the professionals that are harvesting the cyber-garden. You thought they have too much to lose to indulge in cybercrime? Or ethical standards keeping them honest? Come on now, do you know what a doctor makes in eastern Russia these days? Or an Indian untouchable with a degree in computer science? This is a cash-oriented business.

Le difference.

So what's the difference between amateurs and professionals?

To start with, many professionals have first-class educations. College degrees in things like computer science. They are not self-taught technicians learning their craft on the swing shift or in internet chat rooms. Even Europol's key cybercrime investigator is self-taught! Puts him at a disadvantage going one on one with a Caltech grad.

The pros, by definition, are capable of building and creating original cracking methods (* See InfoWars definition.)   They have skills in a number of machine languages and more than basic knowledge of telecommunications networks.   And professionals use first rate tools (workstations, servers, network analysis software, etc.). Hell, they probably have service contracts with HP. 

Operating from safe havens like Russia, China, Indonesia, South America, they are very difficult for law enforcement officials to get at.   Real money can buy a very private enclave.

Fruits of a good education.

These folks are incredibly publicity shy, so interviews are hard to come by. What we know is inferential, in many cases. But to give you an idea of the difference between the real thing and the amateur, compare the scientist hackers at Sandia Labs with the news stories you hear about the typical whiz kids staying up all night breaking into the Defense Department. For example, the Sandia team has never found a system they couldn't beat. They typically get through the most difficult firewalls in a matter of minutes, even if they preannounce that they are coming. Minutes! Remember my point about good education and tools?

Amateurs launch random viruses, institute DoS attacks on CIA, FBI, Microsoft, etc., data thrashing as a sport. They generally vandalize people and sites for publicity and to establish their reputation. Sometimes they talk vaguely about freedom of speech. Mostly they are just in it for recognition. Gosh, they have their own public magazines.

Show me the money!

Professionals are in it for the money. The best manipulate data only obscurely connected with money. They take the time to understand the obstacles they'll encounter. They sometimes take positions with major corporations to gain access. Most professional hacking is done by or in conjunction with insiders.

They steal data and sell it, both sides pretending this is marketing intelligence. They scam individuals or companies, again with special emphasis on victims who will stay quiet or are simply clueless. Ransom & extortion may seem a bit aggressive but apparently this approach yielded in excess of $400 million pounds recently in a UK incident.

What to lookout for.

These guys are here to stay. They will impact our businesses and our personal lives. Think about these:

Business issues

Third world style extortion or at least bribery will become a part of the cost of doing business inside the US.  If a pro can nick a bank for $13 million pounds from a continent away, they will be encouraged to continue their enterprise.  Businesses should install contingency plans to deal with these likelihoods.

Continued rise of professionally run "data acquisition" firms (i.e. they get your competitor's info for a fee...it's industrial espionage).  Replacing international espionage, it's easier and cheaper than before.  Companies need to take positions on what they allow their enthusiastic employees to do.  It is illegal, by the way.   Or soon will be.

Insurance, now available for things like kidnapping and business interruption, will become popular for extortion.  It's easier/cheaper to capitulate than fight these guys, particularly if you have insurance.  However, denial of service can harm a business's reputation as well as cause financial loss.  Better double check what the policy pays for.

First world country law enforcement has kept crime like extortion in pretty good check, domestically. However, the web is international out of the box. And international treaties are MUCH slower to evolve. There will be a window of opportunity for criminals over the next few years to operate with a certain disregard for laws. Don't count on law enforcement or other legal protections.

Personal issues

Insurance for e-losses will become essential for personal financial security.   They probably are not covered in any personal policy these days.  Get some.

Expect a rise in un-reimbursed "identity losses". Results of fraudulent use of your personal information. Not just credit cards, anywhere you have credit lines (your electronic checking account, for example). Imagine trying to prove you didn't sign up for an on-line porn service while your family and business associates watch.

More subtly, expect advertising based on so much knowledge of you that it is not recognizable as advertising...more like a letter from a close friend.

Finally

Now forget everything I said. There are pros out there that are very scary. They are called terrorists. Trained at MIT or Stanford or other prestigious schools, they live, learn and work quietly until they are called for the jihad. Then their sense of family honor or passion for a cause transforms them into something ugly. They do not want your money. They want to destroy your country.

Dan Derby

 

Copyright 2000 Dan Derby