A hacker's mind
1 April 2005
‘If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.’ – Sun Tzu, Art of War.
The Irish Honeynet Project has been actively researching and deploying the technologies that allow us to monitor and profile the blackhat community here in Ireland for nearly two years.
Considerable time and effort have been spent understanding and analysing their tools, their tactics and their behaviour. Much of our reporting to date has focused purely on the ‘what’ and ‘how’ of the blackhat community, specifically the technical tools, their use and implementation. This month’s article explores the ‘why’ – the motivation and psychology of the blackhat community.
The image of the malicious hacker that has been prevalent in popular media for some time is that of a gifted but socially inept teenager. Generally they are visualised as male loners with poor self-esteem and a greater ability to interact with computers and technology than with other people. Typical of this stereotype is the image that Hollywood has propagated in movies such as Sneakers, Hackers and, more recently, the Matrix trilogy.
Flavours of hacker
Those who insist on clinging to this view of hackers tend to split the hacker taxonomy into four distinct groups. Firstly, there is the ‘Script-Kiddie’, consisting mainly of young males who download pre-written, pre-compiled scripts or ‘hacks’ and seem intent on vandalising or disrupting systems. The diagram below features a conversation (or argument) captured from a Honeynet between two script kiddies who are involved in stealing credit card information and is a clear demonstration of the kind of mentality these hackers tend to portray.
Secondly, there are the professional criminals or ‘Crackers’, organised groups who make a living from breaking into computer systems and selling the information.
Third come the ‘Virus Writers’ and ‘Coders’, who perceive themselves as the elite of the blackhat community. Although they may write the code, they tend not to use it themselves, leaving this to the script-kids.
Finally, there is the old school hacker. These tend to see themselves as hackers in the original sense of the word – through a clever trick (the hack), getting a piece of technology to perform a task it was never designed to do or overcome its design limits. Interestingly, many of the Honeynet volunteers worldwide would consider themselves hackers in this sense of the word.
Shy of reality
As with all stereotypes, this one does not truly reflect reality. There is a proliferation of hacking conferences, from Defcon (Defence Conference), Hope (Hackers On Planet Earth) and Blackhat (Blackhats Conference), to Infowarcon (Information Warfare Conference). This simple observation dispels the loner myth.
Like any other subculture, they are self-organising, gathering together to pursue their common interests – hacking and overcoming computer security systems. Max Kilger, resident psychologist on the Honeynet’s team, points to groups such as the Cult of the Dead Cow and other blackhat organisations that pool resources and maintain exclusive memberships, as examples of hacker organisation. ‘It’s pretty scary stuff to the uninitiated,’ Kilger argues. ‘But in fact, they are pretty predictable because social structure to a great degree shapes their behaviour. Because there’s a meritocracy, there’s a lot of status struggle. Your role or status in the community depends on how good you are.’
Despite the lack of empirical data, the industry hasn’t stopped making what behavioural psychologist Marc Rogers calls ‘sweeping generalisations’ about computer criminals. Fear, uncertainty and doubt – better known as FUD – help sell security, which is the name of the game. However, those with a handle on the hacker culture say such labels are premature and, perhaps, inaccurate.
A quick look through the ranks of the world’s most famous hackers also belies many of the other myths. Perhaps the most popular myth of all is that hackers are social misfits incapable of developing or maintaining normal relationships. Studies of computer criminals found no significant difference between the number of convicts who were married or single. As Marc Rogers says, ‘Their marital status indicates they may not be as socially dysfunctional as we thought.’ Similarly, observing whitehats readily shows that they are as likely to be married and have kids as the rest of us.
Does knowing the enemy help? ‘Absolutely. That’s a critical component and one that hasn’t been emphasised enough in information security. Knowing who you are up against is critically important,’ Kilger says. ‘To a degree, you can anticipate their behaviours, shape their behaviours, which are important things to do.’
Kilger is currently writing a book on the computer underground, with chapters devoted to different components, such as social control, status, magic and religion. ‘They really have a very strong, resilient social structure, which surprises a lot of people,’ he says. ‘They see hackers and they look disorganised and dishevelled, and a bit on the fringe of society and anarchistic. But the actual social structure of the hacker community itself is strong, interesting and resilient.’
Call to whitehats
The Irish Honeynet project is growing rapidly. We are seeking new members who would like to be actively involved in the research and analysis of compromised systems. If you find this article interesting and have a passion for computers and computer security in particular, we want to hear from you. Please e-mail email@example.com and request an application form. Active members of the Irish Honeynet project will participate in regular meetings, will contribute to on-going Honeynet configuration and maintenance, and assist with data analysis and reporting on findings and developments. For more information please visit www.honeynet.ie.
The Irish Honeynet, set up by Espion, Deloitte and Data Electronics, operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.