"Knowing what makes your antagonist tick is the key to getting the result you want," says a hacker who's being pursued by journalists and the FBI. Computer Weekly interviewed him and he came out with some answers worth pondering.
Wednesday 6 October 2004
Know your enemy
A young Asian hacker who easily penetrated the databases of several large US corporations, and whose exploits made him a top target for the FBI, offers advice for dealing with foreign cybercriminals.
"Knowing what makes your antagonist tick is the key to getting the result you want," he says.
Do you think it is more difficult to hack into US corporate networks today than it was four years ago?
If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult, especially if during those years a given target had experienced trespasses by hackers.
If it is a recently developed network, then chances to get access are probably better.
In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks.
In third-world countries the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have.
Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.)
Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work.
If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking.
I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally.
Is there a certain type of network that is particularly easy to hack?
There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software.
The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information.
For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud.
Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks?
Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering".
The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it.
Posted by iang at October 9, 2004 06:55 AM | TrackBackThe Alliance of Regulatory blind eye treatment to criminal enterprises in order to obtain on the fly intelligence has been well known for years. The two horns of this problem are how does a nations state or those that see themselves as one gather intelligence without increased cost and accountablity. The Criminal Enterprise is the solution, it is self funding only requiring a blind eye not really spending any hard currency. So acceptable levels of crime are good for entities that require intel and cannot be seen as paying for it. Terrorist use drugs to fund their efforts and trade with organized crime entities for retail distribution. The organized crime entities use hackers to obtain the information for their fraud networks. While the organized crime groups never endorse the political objectives of the terrorist they have information on them via the relationship of drugs to retail distribution and they make that availible when pressed to do so to the regulatory entity. The organized crime entity has another point of access to profit from the telemarketing and electronic fraud game including stock scams. The only issue here is that the acceptable level of crime by the organized crime entities enforces a non working intel groups sponsored by the regulatory entity. So at some point left unchecked the terrorist and the cirminals cross the line. The hacker fits into this scenario as a free agent that can decide who and when he wants to play with. This issue is not determining what makes them tick but rather finding them and using them for your own purposes. The same efforts used for ones personal efforts could prove profitable since the blind eye cannot decide if the criminal act is friend or foe they look the other way regardless. The only risk is the discovery by the terrorist or the criminal entity since the only time regulatory efforts seem to work is when they are informed by either a Terrorist or Criminal Entity. The key to any effort legal or illegal is keep it small cover your tracks and find information gatherers like hackers and earners to carry out your plan. By not getting greedy and not confronting competition you avoid the sting set ups and informants found to be the undoing of any entity. Imagine if you will the trade secrets of Google spliing out all over the net for Yahoo to see. That would be criminal and violating Googles property, why isn't Google attacked? The profile would be too high and cost to much in bad press and render the regulatory eye alive not dead. Never compete, innovate it is better to fish alone rather than with a fleet. At some point the other entities profiting from these efforts will look to control you. Never share information unless you are an equity owner in all the aspects including all the risk and never sell to strangers. These are all the same rules for drug dealing another form of acceptable criminal activity. The same scenario regulators use on drugs fits for fraud and hacking if you are small or seen to be they will avoid you since they all want the big trophy for the mantel. Never pay for the blind eye just go where they cannot see its easier than having to pay information in future. Avoid situations where leverage might be applied to you detach your vices from your activity. David Levine was picked up on coke charges first then turned the rest of the Milliken crew over to avoid a life term. Avoid people that have vices seek those that have low profiles, good skill sets, and never talk much beyond what they know. Never work with people that have gone to jail for any reason they have already turned or can be expected to quickly. Find the place that is safe then find another and another. Schedule your fraud for amounts under $10,000 and limit exposure to under 200 people, never run a fraud using the same bank account you used before and never use the same name twice. Moving at least the location of your server is critical. Never show up any where so that those that might id you know what you look like. In essence go underground, avoid everyone, trust no one, and plan your escapes at multiple levels.
Posted by: 111 at October 9, 2004 07:51 AM