RealTime IT News

Giving Hackers Their Due

Like the proverbial Dutch boy with his finger in the dike to prevent the flood, the guardians of Internet security are vastly unprepared to meet the challenges of defaced Web sites, network intrusions and email viruses, according to one of the country's most notorious hackers.

The best the security industry has been able to do, says Robert Lyttle, aka Pimpshiz, is play catch up after the fact. Instead, he said, experts should take the time to develop a rapport and understanding of the very community that spawns these attacks: hackers.

"Only a hacker can beat a hacker," he said. "An average special agent compares nowhere close to a hacker. There is no competition. Do these agents spend countless amounts of hours learning the unthinkable? Don't count on it. Sadly, the hackers in the government field who have the correct mindset aren't the ones that are leading agencies like the National Infrastructure Protection Center (NIPC), when they should be."

Lyttle is awaiting sentencing at the Superior Court of Contra Costa Juvenile Court for his actions back in 2000, when he defaced hundreds of sites around the world to protest the Recording Industry Association of America (RIAA)-sponsored injunction of file-swapping company Napster.

While he wouldn't talk about events related to his anti-RIAA spree, Lyttle had a lot to say about the misperceptions of hackers and the role, sometimes good and sometimes bad, they have on the future of the Internet.

"A vast amount of the public sees the hacker community in fear," he said. "They aren't aware of the philosophies of the white, black and gray hat hacker communities. The media does not stress on it enough to give the public an accurate view towards hackers."

Borrowing heavily from the Old West shows of old, the hacker community is generally divided into three camps:

  • White Hats - law-abiding individuals who look for software/network weaknesses and contact the owners to inform them of the vulnerability. Or, a hacker who hacks for the intellectual challenge only.
  • Black Hats - also called "crackers," these malicious individuals and/or groups look to exploit networks and software for financial gain or to wreck systems, like stealing credit card numbers or delivering a distributed denial of service (DDoS) attack to bring networks to a halt.
  • Gray Hats - the fence-sitters in the hacking community, they are the kinds of people who release exploits and network cracks to both the vendor and the public.

The real threat, Lyttle said, comes from the legions of "script kiddies" that populate Internet relay chat (IRC) servers around the world. Also given derogatory labels like packet monkeys, ankle-biters or just downright clueless, they inhabit the lowest rung of the hacker community.

Script kiddies, in general, don't have the experience or know-how to write exploits on their own. Instead, they download ready-made hacking programs or reverse-engineer known exploits and modify them for their own purposes.

Numbers available at the CERT Coordination Center, a computer security advisory center, show script kiddies and their like are quickly becoming adept at launching their modified programs on the Internet. The number of incidents reported to the center more than doubled in 2001, from 21,756 cases in 2000 to 52,658.

Making the transition from computer enthusiast to would-be cracker certainly isn't difficult; in fact, it's as easy as visiting your favorite search engine. A visit to Google quickly sends individuals to cracking sites.

So, when particularly nasty email viruses like Melissa and Code Red first hit the Internet, you can expect hundreds of variants to pop up like weeds in the weeks following the initial outbreak.

The end result is anti-virus companies like Norton and McAfee scrambling to update their anti-virus definitions to keep up with the variants. It also makes it extremely time- and resource-consuming for law enforcement agencies to track down and apprehend every offender.

"A script kiddie can easily get their hands on exploits to do the dirty work that they aren't inclined enough to program themselves," Lyttle said. "We could witness cataclysmic effects on the public if enough script kiddies got their hands on the exploit written for such a huge hole."

To prevent this, he said, it's incumbent on federal agencies and security firms to build relationships with the hacker community, as odd as the notion might seem. There are many stories of security firms that hire former black- and white-hat hackers, but that isn't enough, Lyttle said.

Calls to several security firms around the nation, asking about their efforts to include members of the hacker community in their organizations, went unanswered.

The Federal Bureau of Investigation is having a tough time keeping up with the growing number of Internet-related violations. Last year, to get a handle on the growing epidemic of security violations, it co-sponsored the "Computer Crime and Security Survey" with the Computer Security Institute, which authored the results.

The report concludes the threat of computer crime and security breaches "continues unabated and that the financial toll is mounting."

Some factoids:

  • Of the 538 security experts from government agencies, financial institutions, etc., that participated, 65 percent took financial losses related to computer breaches. Only 35 percent (or 186) would give numbers, a figure that came out to nearly $378 million. In 2000, the average annual total was $265.5 million.
  • The most serious losses came from theft of proprietary information and financial fraud.
  • In the past, most employers worried about inside break-ins. Not so in 2001, with 70 percent of the thefts occurring from their Internet connections.

Bruce Gebhardt, FBI commander-in-charge of the Northern California office, said in a statement the numbers keep getting larger and won't go away on their own.

"The results of this year's survey again demonstrate the seriousness and complexity of computer crime," he said. "The dynamic vulnerabilities associated with conducting business on-line remain a law enforcement challenge."

One gray-hat hacker, who goes by the handle "y t Crack" and is a senior systems analyst at one of the Big Three auto companies in the real world (he assures me there is no temptation working there), gives insight into the uphill battle that mainly 9-to-5 security agents have against script kiddies and crackers.

"I used to be a pretty active Web page defacer," y t Crack said. "I wasn't really malicious but it still landed me into some trouble. I've written some programs for the security community and been party to discovery of a few advisories, so I have tried to do a little bit of everything. There are a lot of people out there that eat, breathe and sleep this stuff and I can only begin to scrape the tip of the iceberg. At this time I couldn't devote my life as some of these individuals and groups have."

Last year marked the first real proactive steps by security experts and the government to handle the rising trend in security vulnerabilities. Two programs, the Honeypot Project and InfraGard, are designed to either lure careless crackers with the promise of an unprotected Web site or give real-time assessments of computer breaches in the industry.

It's critical these U.S. organizations take steps to break down cracking efforts. According to a recent report by Riptech, Inc., a security service outfit, security threats come from within our borders, to the tune of 30 percent. Attacks at target-rich environments like high-tech and financial services corporations have increased 79 percent from July to December 2001.

"Information security has emerged as a strategic concern for corporate decision makers," said Amit Yoran, Riptech president and chief executive officer.

Christopher Casper, a White Hat hacker who goes by the handle "RevDisk" and has been heavily involved in the hacking community for years now, doesn't expect an outpouring of commiseration from corporate or federal organizations looking for help to stem the rising tide of security break-ins.

Much of that feeling is attributable to ignorance, primarily from media outlets that sensationalize or dumb down the issues involved.

"The media acts in a very understandable manner," he said. "They wish to make money for the networks that sponsor them. The majority of (readers) do not wish to know about geek code artists. Normal people barely understand how to turn on a computer and use Word. They can't comprehend a more complex structure behind and between computers."

Asked whether script kiddies will ever grow up and future security problems go away on their own, Casper replied:

"Has forgery disappeared?"