Results 1 to 6 of 6

Thread: Hacking becomes a full-time job

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Hacking becomes a full-time job

    The chief scientist of security company Internet Security Systems believes 2004 could prove to be a watershed year for hacking.

    Robert Graham says that many hackers are graduating into the pro ranks, a development that carries worrisome implications for corporate security.

    "Before this year, we really saw just kids that are playing and pretending to be masterminds," said Graham, who did important early work in the development of intrusion-prevention systems. "But this year, we saw the rise of the professional hacker."

    For many years, hackers were content with the thrill of breaking into other systems, or with whatever elevated peer status they achieved through their exploits. But not anymore, according to Graham, who says that both the pattern of hacker attacks, and the motives behind the attacks, are changing. Hackers are now far more coordinated, and they no longer merely rely on copycat tools and random attacks. What's more, Graham detects a dangerous intent to profit financially from hacking. He recently spoke with CNETAsia about this evolving security challenge.

    Q: Are hackers getting paid now?
    A: It's not so much that they get paid to hack, but that they earn money from hacking. Take phishing attacks: It's usually the people who are running the attacks themselves that are earning money; no one is paying them to do it.

    How would you define a "pro hacker"?
    Before this year, hackers really were just kids playing and pretending to be masterminds. They could download hacking utilities from the Internet, but they were really clueless. And they were relatively unskilled...and it's only after running their tools through tens of thousands of machines that they were able to find one to break into. More importantly, they weren't really criminal masterminds. It's been largely a game for hackers up until now. This is notwithstanding the fact that law enforcement agencies have been taking this game seriously--because the hackers haven't.

    This year, things are changing, and you can see it from the FBI's activities in the U.S. this year. In one arrest by the FBI, the subject was a spammer who had thousands of machines under his control used to forward spam.

    Is that pro mind-set reflected in the exploit patterns?
    Well, what I'm seeing is more hackers are now writing their own exploits. In the past, they would just use well-known attacks. Before, whenever there was a new bug, hackers would compete among themselves to see who would be the first to write exploit programs for those bugs and then publish them to Web sites and mailing lists like BugTraq and Full-Disclosure. And then everyone else would go there, download those attack programs and run them blindly.


    Today, more people write their own exploits. Why are they able to do it? If you look at the kids graduating from school all over the world, they got interested in hacking when they were, like, 12-year-olds, in the mid-'90s. Over the years, their interests have grown into a skill set that lets them write their own attack programs.

    Speaking of new exploits, what do you make of the rising number of bug variants that we've seen this year?
    In the past, antivirus vendors would compete with each other to see which would be able to write signatures faster for each new virus that came out. But with (the) Netsky and Bagle (viruses), we saw the reverse. Now we have virus writers who compete to see how fast they can update their viruses in response to each new antivirus signature. That's why we see a Netsky a, b, c, d and so on.

    But why were hackers suddenly interested in making variants?
    Well, with previous virus writers, their goal was to create a virus and see if it could be done. After that, these virus writers were done. There seems to be a change in the psyche among virus writers now. You see this with Netsky and Bagle. There are two teams of people competing with each other. The Netsky people hated the Bagle people, and Bagle people hated the Netsky people. So it was kind of like a feud between them.

    So how worried should we be? Are viruses becoming more sophisticated in a hurry?
    No. Viruses today are really no more sophisticated than they've been over the last several years. As a matter of fact, Netsky and Bagle are pretty unsophisticated. As security professionals, we know how to create a sophisticated virus. The reality is that hackers that write viruses really aren't all that smart. They focus more on whatever defenses they see. They try to do one extra step. And so we rarely see a huge advance in hacking techniques. Rather, we see gradual growth. Most virus writers only try to stay one step ahead. And only one step, not five or 10 steps.

    The bread-and-butter defense today remains the firewall. Where does this mature technology go from here?
    Firewalls have basically been supplanted by intrusion-prevention systems. In the old days, it was enough just to lock the doors. But these days, we realize that some doors have to be unlocked. And we need to protect against cases when doors aren't locked. It's like a bank. Robbers will come in and rob the bank in the day, when doors are unlocked. The problem is not that you need to find a stronger lock for the front door, because fundamentally you can't lock the front door all the time. You need to let customers in. And that's what firewalls basically are--doors that are locked.

    IPS (intrusion-prevention systems), on the other hand, are able to look for attacks coming in the open doors. IPS and firewalls are probably going to merge soon into one product. But firewall technology, by itself, is done. It already has become a commodity.

    No room for improvement at all?
    There is really going to be nothing new for firewalls. In fact, a lot of the more-complicated firewall features can actually reduce security, rather than increase it.

    How so?
    Well, the more-complicated firewall rule-sets can trip users up. Remember, firewalls are tools that you use to stop bad traffic. And how effective they are depends on your skill in using them. And the more complicated something is, and the more feature-sets it has, the more educated you'll need to be to use it right.

    And we've seen (organizations not using their firewalls correctly). For example, we find that Slammer occasionally comes through the firewalls, even though it is supposed to be blocked by the rule-sets. The reasons are varied. Sometimes it is because people go into the firewalls to open ports they shouldn't be opening. Other times they just remove the whole configuration from the firewalls and reset them back to the default state of "open," which lets everything through. They may do this for only a few seconds before they re-apply the policy again, but that is enough for Slammer to come through. And these things happen partly because of the complexities of today's firewalls. With simpler systems, you are unlikely to make those mistakes.

    How important do you think application firewalls will become in the future?
    Not very. The application firewall space really is targeted at Web applications. These firewalls are about proxying HTML or HTTP. The thing we have to remember is that no Web applications are bug free. Some have well-known bugs that people can take advantage of. Application firewalls may be able to solve some of these things, but not all.

    Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else's user account information. And the reason that happened was due to the way they've set up their user IDs, by incrementing from a six-digit number.

    So here's the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily.

    There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.

    What's security technology's next frontier?
    Voice over IP and general packet radio service are going to be the next biggest security issues.

    How big?
    Several years ago, we were researching Microsoft remote procedure call, and we were talking to the media, saying that that's going to be the next big thing, that all the worm occurrences that we've seen in the past will be nothing compared to what we are going to see happening with RPC. And of course, that was exactly what happened when Blaster and Sasser came along. We are now at the same stage with VoIP and GPRS.

    What's the lowdown on VoIP?
    VoIP is completely insecure. At the protocol level, there is no encryption and authentication. I mean, I call you, and there's no way for you to verify who I am. I can send a caller ID from the U.S. president, or the CIA, and you won't know who I am. And people can easily hack a caller ID and claim to be whoever they want.

    GPRS?
    With GPRS, the systems that mobile operators share between each other are largely wide open. Operators have so far trusted each other not to hack each other. While the average hacker from the Internet doesn't have access to these systems, the mobile operators do. And once you get into one mobile operator, you can start attacking the rest of the mobile operators via the backbone that they share. And once hackers compromise the gateway machines, they can then have fun with the internal networks, as well as come in from the Internet or handsets.
    Source : http://news.zdnet.com/2100-1009_22-5430814.html
    -Simon \"SDK\"

  2. #2
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    That's really interesting. Off topic: I drive past ISS in downtown Atl every day. I'm always like "how awesome would it be to work there?!" and then realize how hard it would be to get a job there....especially as inexperienced as I currently am. Something to aspire to. So here's a suggestion: somebody needs to write a tut on VoIP and relevant security issues associated with it.

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    There is a blatand misuse of terms in that article, largely dealing with the media-rotten term 'hacker' to decribe (sruprise-surprise) crackers and script-kiddies. Sure, everybody does it, but anyway, it decreases the trust the article posseses.

    I also believe [true] hackers have become a bit more socio- and politically-proactive in their manifestations, although it isn't seen immediately on a large scale. Undeground groups now have a point of more than just free information... there are bigger problems that threaten access to life, and to be able to revert to the idea of free information one must ensure one's immediate freedom at different other levels.

    As for crackers, their numbers will always increase because business on the Internet always increases. Analoguous to that, the richer a man gets, the more thieves have their eyes on his assets [and would like to raid him]. There is an increasing market for phishers and con-artists out there, and they don't have any motivation to stop from trying to get a piece of everything.
    /\\

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    This is FUD, pure FUD, no doubt designed to help a company who are loosing some of their market share.

    There is no real evidence of their being more exploit writers, there are lots of people who download an existing exploit and may change it a little, but for the most part we are still seeing exploits come out of the same places.

    Also, something that continues to gain interest is the idea of deprimiterization, something which this chap makes no mention of, but which I beleive is where the much of the future of infosec lies.

    And the "next big security issue" is probably going to remain the same as what it is now, viruses, hacking... because they still don`t seem to being properly addressed, so until we can deal with that so that it no longer poses such a problem, securing VoiP and GPRS isn`t going to be such a big deal. Also, security is being considered for those areas in their early stages, not way after the fact (as in the case of viruses etc...)
    Quis custodiet ipsos custodes

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Continuing on R0n1n's point, the fact that modifying the exploit code still allows for a hole to be exploited means that security experts, in all their forevision, still sometimes release patches that are only one step ahead of the exploit.

    It's all a game to keep the people buying more and more products, and in the interest of a capitalistic business environment, it isn't going to see a significant change anytime soon.
    /\\

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    Well were do I start with that article?

    Q: Are hackers getting paid now?
    hackers have been getting paided for years, they have just put their white hats on .

    but also on that note spamers are playing a key part in funding black hat hackers, there is an increasing tread that worms are used for the porpose of spam, someone has to right them?

    Before, whenever there was a new bug, hackers would compete among themselves to see who would be the first to write exploit programs for those bugs and then publish them to Web sites and mailing lists like BugTraq and Full-Disclosure. And then everyone else would go there, download those attack programs and run them blindly.
    That is still the case just look at the JPEG exploit

    The bread-and-butter defense today remains the firewall
    I think that has to biggest single wrong statement in the whole article. A firewall on it own only provides a single level of security. Its like saying my web site uses SSL therefore it secure. Generaly you have to allow traffic through your firewall, people need access to the web and email etc, if they are not secure then you might as well not have a firewall! Now the vast majority of large companys understand this (there will be exceptions!).

    The article then talks about about IPS systems being the future. But they will only stop script kiddies. Why do you think there are so many variations in the Netsky and Bagle? An IPS system is as only good as it signature list, just like anti virus. How a good hacker (or cracker, I'm not getting in to that debate ) can rewrite his/her exploit on the fly to try to bypass the IPS, which in some instances may only require the changing of a few bytes (in a simple case).

    There is really going to be nothing new for firewalls.
    I'll give him that

    How important do you think application firewalls will become in the future?
    Not very.
    Very true

    The thing we have to remember is that no Web applications are bug free
    Completely wrong! It is perfectly possible to a write a bug free secure application as long as you know what you are doing

    So here's the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily.

    There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.
    Spot on, but the same reson why application firewalls will never work is why IPS systems will never play a big part in security. (unless you listen to the salesmen )

    Voice over IP and general packet radio service are going to be the next biggest security issues.
    Could well be right, I also predict the number security issues effecting mobile phones could also be the next "big" thing as pointed out the release of several security vulnerabilites with the java virtual machines used in modile phones.

    posted by R0n1n
    This is FUD, pure FUD, no doubt designed to help a company who are loosing some of their market share.
    could not have said it better myself


    How that is all of my chest, ill get back to my dinner

    SittingDuck
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •