Giving Hackers Their Due

Like the proverbial Dutch boy with his finger in the dike to prevent the
flood, the guardians of Internet security are vastly unprepared to meet the
challenges of defaced Web sites, network intrusions and email viruses,
according to one of the country’s most notorious hackers.

The best the security industry has been able to do, says Robert Lyttle, aka
Pimpshiz, is play catch up after the fact. Instead, he said, experts
should take the time to develop a rapport and understanding of the very
community that spawns these attacks: hackers.

“Only a hacker can beat a hacker,” he said. “An average special agent
compares nowhere close to a hacker. There is no competition. Do these
agents spend countless amounts of hours learning the unthinkable? Don’t
count on it. Sadly, the hackers in the government field who have the
correct mindset aren’t the ones that are leading agencies like the
(National Infrastructure Protection Center (NIPC), when they should be.”

Lyttle is awaiting sentencing at the Superior Court of Contra Costa
Juvenille Court for his actions back in 2000, when he defaced hundreds of
sites around the world to protest the Recording Industry Association of
America (RIAA)-sponsored injunction of
file-swapping company Napster
.

While he wouldn’t talk about events related to his anti-RIAA spree, Lyttle
had a lot to say about the misperceptions of hackers and the role,
sometimes good and sometimes bad, they have on the future of the Internet.

“A vast amount of the public sees the hacker community in fear,” he
said. “They aren’t aware of the philosophies of the white, black and gray
hat hacker communities. The media does not stress on it enough to give the
public an accurate view towards hackers.”

Borrowing heavily from the Old West shows of old, hackers are generally
delineated between three camps:

  • White Hats – law-abiding individuals who look for software/network
    weaknesses and contact the owners to inform them of the vulnerability. Or,
    a hacker who hacks for the intellectual challenge only.
  • Black Hats – also called “crackers,” these malicious individuals and/or
    groups look to exploit networks and software for financial gain or to wreck
    systems, like stealing credit card numbers or delivering a distributed
    denial of service (DDoS) attack to bring networks to a halt.
  • Gray Hats – the fence-sitters in the hacking community, they are the
    kinds of people who release exploits and network cracks to both the vendor
    and the public.

The real threat, Lyttle said, comes from the legions of “script kiddies”
that populate Internet relay chat (IRC) servers around the world. Also
dubbed derogatory terms like packet monkeys, ankle-biters or just downright
clueless, they inhabit the lowest rung of the hacker community.

Script kiddies, in general, don’t have the experience or know-how to
exploits on their own. Instead, they download ready-made hacking programs
or reverse-engineer know exploits and modify for their own purposes.

Numbers available at the CERT Coordination Center, a computer security
advisory center, show script kiddies and their like are quickly becoming
adept at launching their modified programs on the Internet. The number of
incidents reported to the center more than doubled in 2001, from 21,756
cases in 2000 to 52,658.

Making the transition from computer enthusiast to would-be cracker
certainly isn’t difficult, in fact it’s as easy as visiting your favorite
search engine. A visit to Google quickly sends individuals to cracking
sites like those found here, here,
here and here.

So, when particularly nasty email viruses like Melissa and Code Red first
hit the Internet, you can expect hundreds of variants to pop up like weeds
in the weeks following the initial outbreak.

The end result is anti-virus companies like Norton and McAffee scrambling
to update their anti-virus definitions to keep up with the variants. It
also makes it extremely time- and resource-consuming for law enforcement
agencies to track down and apprehend every offender.

“A script kiddie can easily get their hands on exploits to do the dirty
work that they aren’t inclined enough to program themselves,” Lyttle
said. “We could witness cataclysmic effects on the public if enough script
kiddies got their hands on the exploit written for such a huge hole.”

To prevent this, he said, its incumbent on federal agencies and security
firms to build relationships with the hacker community, as odd as the
notion might seem. There are many stories of security firms who hire
former black- and white-hat hackers, but that isn’t enough, Lyttle said.

Calls to several security firms around the nation, asking about their
efforts to include members of the hacker community in their organizations,
went unanswered.

The Federal Bureau of Investigations is having a tough time keeping up with
the growing number of Internet-related violations. Last year, to get a
handle on the growing epidemic of security violations, it co-sponsored the
“Computer Crime and Security Survey” with the Computer Security Institute,
who authored the results.

The report concludes the threat of computer crime and security breaches
“continues unabated and that the financial toll is mounting.”

Some factoids:

  • Of the 538 security experts from government agencies, financial
    institutions, etc., that participated, 65 percent took financial losses
    related to computer breaches. Only 35 percent (or 186) would give numbers,
    a figure that came out to nearly $378 million. In 2000, the average annual
    total was $265.5 million.
  • The most serious losses came from theft of proprietary information and
    financial fraud.
  • In the past, most employers worried about inside break-ins. Not so in
    2001, with 70 percent of the thefts occurring from their Internet
    connections.

Bruce Gebhardt, FBI commander-in-charge of the Northern California office,
said in a statement the numbers keep getting larger and won’t go away on
its own.

“The results of this year’s survey again demonstrate the seriousness and
complexity of computer crime,” he said. “The dynamic vulnerabilities
associated with conducting business on-line remain a law enforcement
challenge.”

One gray-hat hacker, who goes by the handle “y t Crack” and is a senior
systems analyst at one of the Big Three auto companies in the real world
(he assures me there is no temptation working there), gives insight to the
uphill battle mainly 9-to-5 security agents have against script kiddies and
crackers.

“I used to be a pretty active Web page defacer,” y t Crack said. “I wasn’t
really malicious but it still landed me into some trouble. I’ve written
some programs for the security community and been party to discovery of a
few advisories, so I have tried to do a little bit of everything. There
are a lot of people out there that eat, breathe and sleep this stuff and I
can only begin to scrape the tip of the iceberg. “At this time I couldn’t
devote my life as some of these individuals and groups have.”

Last year marked the first real proactive steps by security experts and the
government to handle the rising trend in security vulnerabilities. Two
programs, the Honeypot Project and InfraGard, are designed to either lure
careless crackers with the promise of an unprotected Web site or give
real-time assessments of computer breaches in the industry.

It’s critical these U.S. organizations take steps to break down cracking
efforts. According to a recent report by the Riptech, Inc., a security
service outfit, security threats come from within our borders, to the tune
of 30 percent. Attacks at target-rich environments like high-tech and
financial services corporations have increased 79 percent from
July December 2001.

“Information security has emerged as a strategic concern for corporate
decision makers,” said Amit Yoran, Riptech president and chief executive
officer.

According to Christopher Casper, a White Hat hacker who goes by the handle
“RevDisk” and has been heavily involved in the hacking community for years
now, doesn’t expect an outpouring of commiseration from corporate or
federal organizations looking for help to stem the rising tide of security
break ins.

Much of that feeling is attributable to ignorance, primarily from media
outlets that sensationalize or dumb down the issues involved.

“The media acts in a very understandable manner,” he said. “They wish to
make money for the networks that sponsor them. The majority of (readers)
do not wish to know about geek code artists. Normal people barely
understand how to turn on a computer and use Word. They can’t comprehend a
more complex structure behind and between computers.”

Asked whether script kiddies will ever grow up and future security problems
go away on their own, Casper replied:

“Has forgery disappeared?”

News Around the Web