The art of hacking becoming less sophisticated

[Ennis]

Michael Hardy News Contributor
The scariest thing about hackers is, they don't have to be technology experts anymore.

Nowadays, it often takes nothing but the ability to download a Windows program -- and a mean streak, according to Mark Fabro, a hacker who has sworn to use his powers only for good. He's director of assessment services for Secure Computing Corp., based in the California company's Toronto office.

"There are hundreds, literally hundreds and hundreds of ways to bring a system to a screeching halt, and it's all point-and-click," Fabro told a recent meeting of the National Capital Chapter of the Association for Information and Image Management, in Arlington, Va. To drive the point home, he scrolled through slide after slide showing user interfaces that make launching a packet flood or e-mail spoof as easy as firing up a personal accounting program.

"There's no command line here," he added, referring to the precise knowledge of commands and syntax required by DOS and UNIX systems. "Any one of you can do this right now, and all you need is your box at home and an Internet connection."

"It's becoming extremely easy," agreed Pete Hammes, vice president of Para-Protect Inc., a computer security firm in Alexandria, Va. "You don't have to have any knowledge about the technical details. You just have to be able to download a tool and enter the Internet address of your target."

The conventional wisdom is that most computer security threats come from inside companies, and that only programmers or other computer sophisticates could attack a corporate network from outside. Those notions are dangerously outdated, Fabro insisted.

Statistics from a 1999 survey by the FBI show that 43 percent of detected intrusion attempts came from outside the companies attacked. Only 37 percent were confirmed to come from inside, with the rest undetermined. "There is a problem on the inside, but the problem from outside is growing," Farbro warned.

Smart e-commerce companies take the threat seriously, said Elad Yoran, executive vice president at RIPTech Inc., an Alexandria, Va.-based security company.

"With the Internet and the rise of e-commerce, security has risen to the top priority," noted Yoran, whose company outsources security services. "It's a core enabling technology now."

RIPTech consults with companies to select the best combination of firewalls, intrusion detection and other software systems, and also provides around-the-clock monitoring from its Alexandria office.

The company's eSentry system reads data from client companies and alerts a RIPTech analyst of possible breaches, Yoran said. The analyst, in turn, checks the data and alerts the client.

A key weakness of many companies is that they simply don't recognize the threat, Fabro said. The FBI study found that 21 percent of companies surveyed didn't even know if anyone had tried to hack them. "The technology allows you to know yes or no," Fabro scolded. "If you don't know, that's bad."

Too many companies still aren't paying attention for varying reasons, agreed Mylissa Tsai, a research analyst with the Aberdeen Group in Boston.

"The Fortune 500s don't have the technical expertise. And if you're looking at middle-size companies, you're talking about two IT guys who are fresh out of college," she said. "There's a lack of resources out there."

"There are more hacking tools and the tools are more sophisticated," Yoran added. "There are also more targets, and relatively unsophisticated targets. People are in a mad rush to get to the Internet without taking the necessary steps to protect themselves."

"They're so focused on getting things operational that they don't think about the threats," Hammes agreed. However, it usually only takes a penetration test, where a security company hacks into a client's system to demonstrate how vulnerable it is, to get the customer's attention, he noted.

"We can show them that we were able to access one of their databases. That brings the point home, when you can show them you were able to do it," Hammes said.

Companies like RIPTech that outsource security services do stand to succeed, Tsai noted. Potential customers often like to turn their security over to outside providers, taking the burden off their own IT staffs.

However, companies can't neglect more traditional security either, Fabro noted, such as trained guards and desk clerks who keep unauthorized people away. A savvy hacker can gather useful information about a company's computer security with just a couple of minutes at an unattended terminal -- or by calling up a clerk and demanding information.

"You can do it by phone, you can do it in person," he affirmed. "I can't tell you how many times I've gotten into buildings in New York City dressed in my bike shorts as a courier."

[TheProphet]

This is a nice one Ennis.

And all of these people are making a good point. But what's to say about it. If you have only a minority of people who actually care about living secure or at least think about it.

I myself am confronted with it every day, but I sure hell can tell you that most of the folks I work with don't give a damn.

At least as long as there are still a few people out there that do something about it, I guess we should be lucky

Lets see what the rest has to say about this...

[larryjs]

Ohhh nooooo.......I look into my crystal ball...I see millions of script kiddies doing Ddos attacks with XP native gui proggies bawling

[Tedob1]

and who releases these proggies to the public, that script kiddies get their has on.
they mostly come from sites that sell their own security services.
dahh, wonder why they do that?

[Terr]

It's not so much that security intrusions require LESS knowledge overall, just that more and more people are taking advantage of programs, which are, in a sense, packaged expertise, packed by the programmer. I guess a better way to put it would be that more and more attacks are occuring due to the same amount of expertise, except it is disseminated more through exploits and precompiled programs (a la many Trojans).

So... it's not that it takes less knowledge to get into a certain type of system configuration in the first place, it's that more people are jumping on the bandwagon of applying that recipe again in similar circumstances.

[s0nIc]

hmm well it is expected that script kiddies will rise and out number the "elite" hackers. considering that anyone can write a script just by using pearl and VB orb even notepad...

we can probably lessen the number of script kiddies by stoping writting those scripts that they use.. or alteast not publishing scripts. I mean like.. you can write a script if you want.. but just dont publish it.. if u dont want to contribute to the rise of script kiddies..

i have a script that can be loaded to mIRC and unmask anyone's virtual mask in IRC and get their IP address.. now the reason why vw was created was to hide people's real host address.. but with my script i can unmask those vw mask and get their IP addresses..
but i never ever published the script.. coz i know a script kiddie will deffinately find this script useful.. if i publish my script this one will go in the top of a script kiddie's list..

and even though some people already know that i have such script.. i still refuse to give them copies.. not that im greedy.. its because i know that they will use it for nuking people over IRC..

its just all comes down to responsibility really..

"great powers comes with great responsibilities"

[UberC0der]

Nice article Ennis.

I would just disagree on one fine point with the article. That is that hackers require less knowledge.

My personal view of this is that `hacker' has essentially always meant elite proficiency in whatever it may be; programming, electrical engineering, computer security etc.

Today we have just about anyone who is interested in computer security calling themselves a hacker. In my own personal opinion by the current definition of the word, a person wishing to be called a hacker would have to display these talents at a minimum.

- Proficiency in at least one OS level programming language like C or assembly. Preferably the `hacker' would know assembly for sparc, alpha and maybe i386.

- Well rounded and thourough knowledge of the 5 main Unix flavors found on servers. Solaris, HP-UX, AIX, BSD, Linux. This would include knowledge of the system security, file systems command line differences and these shells: ksh, csh, sh, and bash.

- A high level of knowledge about NT/2000 based operating systems. Particularly permissions, security, and the command line.

- An advanced knowledge of logical errors and other such programming deficiencies that make exploits possible.

- Indepth knowledge of the standard networking protocols, and which Operating Systems/software do not follow or use them correctly. This would include an almost memorized list of well known ports, and which Operating Systems are likely to be running a particular service etc.

It was not that long ago that this was very taboo and spewed forth bogosity in the extreme to call yourself a hacker without having earned it by the respect of others who are also gifted. `Hacker' used to be a sort of praise that only the truly awe inspiring knowledge of a wizard can display.

Once again, great article Ennis.

Love 'em or hate 'em hackers of all hat colors deserve the respect to not call the wannabe's anything other than just that.. wanabe's.

[prez1]

good article, but i disagree with it's main point, using someonelses code is not hacking. if all u do is point and click, and run a script u are NOT hacking, and the term shouldn't be used to describe people who use scripts that they can't write. imho

[dfgt5]

maybe we should stop distributing pre-compiled binaries.

[souleman]

This article could have been written a few years ago. It just keeps getting easier to break into a system all the time. I remember when I first started into security, I found it amazing how easy it was to find "hacking scripts". They were always in souce code, and quite often had some error in it. The only way to run it, was to find the flaw in the code, fix it, and off you go. Then, the programmers stopped including errors. So all you had to do was compile and run. It was only a matter of time until these programs came in binary format. So what is next? A DoS version of Sam Spade? (Sam Spade is/was a collection of *nix programs that ran on a website, so windows users had access). I am waiting to see people go to supereasycrack.com, put in an address, click a button, and it will DoS the address. Not even have to download anything anymore.