Chapter 2. Defining the Hacker

In this chapter, we categorize hackers into three groups that reflect different levels of experience and capabilities. Our objective is not to propagate any stereotypes but merely to create a framework so that we can talk about the “other side” and their skill levels. This information is provided to facilitate an understanding of the different types of people who are commonly called hackers. Security professionals have started using the term cracker to refer to malicious computer hackers. Unfortunately, the media and general population have given the term hacker a negative connotation, so we use it to describe any person who attempts to access a system through unauthorized channels. This chapter also presents a profile of information security professionals and discusses popular hacker and information security myths.

Categorizing hackers by the technology they deal with can be complicated. Because networking and computing technology is so vast, hackers often specialize in one or a few specific areas. For example, some focus on a particular operating system (e.g., Unix, Mac OS, Windows), some master the workings of individual applications (e.g., e-mail servers, firewalls, Web servers), and some focus on a particular type of attack (e.g., denial of service, dial-in penetration, Web hacks). Still others use social engineering as a way to gain unauthorized access. There are a few hackers who have mastered more than one of the above areas, but only a select few have a great deal of experience in all topics.

To avoid the intricacies identified above, our characterization of hackers is based only on their overall technical competence and ability to compromise computer technology, networks, protocols, and systems. For our purposes, we divide hackers into three groups: first, second, and third tiers. These tiers form a pyramid in which there are a small number of genius-level hackers (first tier), many more second-tier hackers, and a large population in the third tier. Within our categorization, we discuss their capabilities and motivations.

Hacker Skill Levels

First-Tier Hackers

First-tier hackers are programmers who have the ability to find unique vulnerabilities in existing software and to create working exploit code. These hackers, as a whole, are not seeking publicity and are rarely part of front-page news stories. As a result, they are known only to the security community for the programs they write and the exploits they have uncovered.

First-tier hackers are individuals with a deep understanding of the OSI model and the TCP stack. Coding is more than just a hobby, and they dedicate a great deal of time and energy to it. They are committed to keeping their technical knowledge and skills current. Not all tier-one hackers are malicious. In fact, some are actively involved in developing technologies that can be used to improve overall network security, such as hackers from the ISS X-force, the Bindview Razor Team, and the AXENT SWAT team (AXENT has been purchased by Symantec).

Tier-one hackers can work independently or through a network of hacking teams that run exploits from a variety of locations, making it difficult to trace the activities back to their source. These teams can be developed in Internet Relay Chat (IRC) channels, in conferences such as DefCon, or in small groups of computer-savvy friends. Often one first-tier hacker creates the programs and other members of the team run them against target networks. This creates a reputation for the group rather than a single individual.

Second-Tier Hackers

Hackers in this tier have a technical skill level equivalent to that of system administrators. Tier-two hackers are far more common than tier-one hackers and may have experience with several operating systems, understand TCP/IP, and know how to exploit several vulnerabilities. They generally have less depth of knowledge but possibly greater breadth than the first tier. This level of hacker would be part of a security team in a large organization. Some level of programming or scripting ability is required. For example, they should be able to port a tool from one flavor of Unix to another.

A majority of security consultants fall into this tier. Tier-two hackers have worked with computers for most of their careers and understand how they work. They have an extensive collection of tools, a reliable methodology, and solid ability, but they generally rely on other people to identify and code most exploits because they lack the time to specialize in a particular technology.

Tier-two hackers like to play with new tools as soon as they come out and are often beta-testers and part-time developers for freeware and open source security tools. They can also be found as regular contributors to security mailing lists.

Third-Tier Hackers

The lowest and most populated part of the pyramid is the third tier, whose members are commonly referred to as script kiddies. This terminology comes from the fact that members of this tier generally rely on previously coded scripts and prepackaged hacking tools downloaded from the Internet to do their hacking. Script kiddies are usually individuals who are intrigued by the notion of gaining unauthorized access and are open to using untested pieces of code, especially when it is others (target networks and users) who bear the risk.

For this reason, tier-three hackers get the least respect but are often the most annoying and dangerous. Tier-three hackers can cause big problems for large organizations since they are not afraid to run untested scripts against networks without truly understanding what the scripts do and what the consequences may be. This combination of irresponsible experimentation and incomplete knowledge often leads to disaster, such as the unintended loss of information.

A script or hacking tool can show the effect of a vulnerability on someone's network but should be handled with great care. Once a tool is aimed and fired, it will have its effect on the target regardless of the assailant's intention or understanding of how the tool works.

Of course, hackers in this tier are fairly easy to identify and/or catch (as compared with first-tier hackers). In our lab, we have seen hackers attacking our NT honeypot systems by using Unix-specific scripts (trying to NFS mount an NT share). They generally do not attempt to cover their tracks; in fact, they may perform activities that attract attention, such as running port scans against all possible ports, 1–65535. With minimal intrusion detection and monitoring capabilities these attempts can be stopped.
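The full-range port scan described above is exactly the kind of noise that minimal monitoring catches. As an added example (not code from the book), the Python below counts distinct destination ports per source/destination pair inside a sliding time window over constructed firewall-style log lines and raises an alert when one pair probes more ports than a threshold; the log format, addresses, window and threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed, constructed firewall log format: "<epoch> <src> -> <dst>:<port> <ACTION>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ACCEPT|DROP)$")

def parse_line(line):
    """Parse one log line into (ts, src, dst, port, action); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return int(ts), src, dst, int(port), action

def detect_port_sweeps(lines, window=60, threshold=1000):
    """Return {(src, dst): peak_distinct_ports} for each pair that probed more than
    `threshold` distinct ports inside any `window`-second span. DROP counts too."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, port, _ = rec
        events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        seen = Counter()  # port -> hits currently inside the window
        left = peak = 0
        for ts, port in evs:
            seen[port] += 1
            while evs[left][0] < ts - window:  # drop events older than the window
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak > threshold:
            alerts[pair] = peak
    return alerts

def constructed_log():
    """Constructed sample: one host walks ports 1-65535 in about 30 seconds while
    a few clients only ever reach 80 and 443 (documentation address ranges)."""
    lines = [f"{1000 + port // 2200} 203.0.113.5 -> 192.0.2.10:{port} DROP"
             for port in range(1, 65536)]
    for i in range(50):
        lines.append(f"{1000 + i} 198.51.100.{i % 5 + 1} -> 192.0.2.10:{443 if i % 2 else 80} ACCEPT")
    return lines
```

Running `detect_port_sweeps(constructed_log())` flags only the scanning host; the web clients never exceed two distinct ports.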

Tier-three hackers generally hack as a hobby and are usually in search of notoriety. They feel, perhaps from watching movies, that by successfully “hacking” a system, they will become “elite.” This is the attraction in working with a programmer: it holds the promise of valuable experience and the fame/infamy script kiddies seek. Publicity seeking is one of the main reasons why these hackers get caught. They are so interested in becoming known that they tell everyone about their latest conquest on hacker IRC channels.

Script kiddies do not necessarily have computer-related professions. In fact, given that they are often the younger people on the Internet, they may still be in high school. They run the code they find on the Internet on their office, home, or school network. Most large organizations have at least one individual with enough computer knowledge to obtain hacking tools but no authorization to run them. Curiosity about how the tools work and what information might be obtained leads to an unauthorized security breach. Tier-three hackers spend their time surfing the Internet in search of the latest and greatest automated hacker tools. Their tool set is generally downloaded from the Internet in its entirety and used as is. Often they scan the Internet looking for a site susceptible to the latest exploit they have just learned about, to see if it really works. Tier-three hackers are generally recipients of security mailing lists, though they may not be regular contributors, and are often vocal in hacker IRC channels.

Information Security Consultants

An information security consultant typically tries to help organizations become safer and more secure from hackers. They are usually individuals with a technology-related degree or equivalent technical experience gained either professionally or as a hobby. They likely have a large collection of licensed security tools (commercial, freeware, or shareware), are familiar with all of them, have a user-level understanding of a majority of them, and are extensively experienced with the workings of one or two favorite tools in each tool category. For example, they may have a favorite port scanner, a favorite war dialer, and a favorite vulnerability scanner that they use in their penetration-testing engagements.

An information security consultant does not need to have a programmer's understanding of a network in order to be effective at performing a comprehensive analysis of a network's security posture. A consultant is most likely a member of the middle tier of hackers in terms of experience and skill. Many of the better consultants started with system administration positions.

A consultant must have a sufficient tool set and a reliable methodology for performing penetration testing. Also, the consultant's area of specialization must be relevant to the client's network environment. For example, while a Unix expert can contribute to or even perform the testing of an NT network, and someone with intimate knowledge of Check Point Firewall-1 can attack a Gauntlet firewall, the optimal case would be for the consultant's area of specialization to match with the OS type and the applications run by the client. When selecting a consultant for a security engagement, inquire as to the consultant's area of specialization before assuming they are qualified to do the job.

The most important quality an information security consultant must possess is integrity. Consultants have access to critical systems and data. In addition, the tools and techniques they use have the potential for seriously affecting production systems. An organization must be able to trust that consultants will use good judgment and discretion in the work they perform. A security consultant who leaks information from a penetration test could damage a company's stock price, image, or both. Organizations should make sure the consultants they hire possess a track record of honesty and integrity.

Hacker Myths

All the perceptions of hackers and their portrayal in movies and entertainment have led to the development of “hacker myths.” These myths involve common misconceptions about hackers and can lead to misconceptions about how to defend against them. Here we have attempted to identify some of these myths and dispel common misconceptions.

  1. Hackers are a well-organized, malicious group.

    There is indeed a community within the hacker underground. There are hacking-related groups such as Alt-2600 and Cult of the Dead Cow, IRC “hacking” channels, and related newsgroups. However, these groups do not form a well-organized body that targets specific networks for hacking. They share a common interest in methods for avoiding security defenses and accessing restricted information.

  2. If you build it, they will come; and

  3. It is safe if you hide in the tall grass.

    Both of these myths represent opposing views on the probability of being hacked. Myth 2 is indicative of the view that once an Internet presence is established, malicious hackers will begin to attempt a compromise. Myth 3 expresses the opinion that there are so many Web sites around that if you just do not make a lot of noise and do not have one of the truly big sites, publicity-seeking hackers will not bother to go after you.

    The truth lies somewhere in the middle. You will probably be scanned by users with malicious intent, but it may not happen the moment your systems go online. Some scans will be by groups trying to get an idea of how many Web sites are using a particular piece of software. Others are unethical (but legal) system reconnaissance.

    A good plan is to develop a security posture that balances the risk of system compromise with the costs of implementing and maintaining security measures. This will allow you to sleep at night. While you may not stamp out the chance of compromise entirely, you will have done what you can to prevent and limit the compromise without killing your budget.

  4. Security through obscurity.

    Myth 4 implies that because you are small and unknown or you hide a vulnerability, you are not at risk. For example, according to this myth, if you create a Web site but give the URL only to your friends, you don't have to worry about it being attacked. Another example we have seen is the creation of a backdoor around a firewall by putting a second network card in a DMZ system and directly connecting it to the internal network. People using such a strategy think that because they have hidden the weakness, no one will find it and the organization is safe. However, security through obscurity does not work. Someone will find the weakness or stumble upon it and the systems will be compromised.

  5. All hackers are the same.

    This myth is born of a lack of knowledge among the general public about the hacker community. All hackers are not the same. As mentioned above, different hackers focus on different technologies and have different purposes and skill levels. Some hackers have malicious intent; some don't. They are not all teenagers who spend far too much time in front of a computer. Not all hackers are part of a group that defaces Web sites and creates and distributes hacking tools. The range among hackers is great, and you need to defend against them all.

Information Security Myths

The spread of technology has brought computers more and more into our daily lives. It has brought along with it a collection of myths repeated so many times they seem to be true. These myths can breed either a false sense of security or a sense of paranoia. Neither of these conditions is desirable. Therefore, we seek to dispel these myths to help you further understand the computer security threat.

  1. Virus scanning software provides total virus protection.

    Virus scanning software can detect and defend against viruses with known signatures. New viruses, whose signatures have likely not been determined, may not be detected and can still pose a threat to systems. Virus scanning software needs to be upgraded regularly (at least monthly) and is generally sold on a subscription basis to automatically provide customers this level of protection.

  2. Computer connections are untraceable.

    Many people assume they cannot be traced when they are online. They erroneously believe that if they give a fake name and address when signing up for free e-mail or with an ISP for an Internet connection, they have hidden themselves among the millions of users speeding around the World Wide Web. If they steal a user name and password from someone in another state, they feel they have gained complete anonymity on the information superhighway. In reality, the use of anonymizing systems, remote networks (sometimes in different countries), and spoofing software is required to achieve even a small degree of anonymity. Even then, your ISP is probably logging your initial point of entry onto the Internet.

    It is easy to go to one of the countless free e-mail services on the Internet, supply bogus information, and get an account. However, your privacy is not protected. That e-mail service knows from which Web site (if any) you came to its site and the IP address of the machine you used. It can find the owner of the IP address from a “whois” query. If you signed up from home, your ISP has likely dynamically assigned you an IP address from the collection it owns. It records the time and day that it gave you this address and can share this information with federal, state, and local authorities as well as interested corporations (though a legal warrant may be required). Additionally, the use of cookies on the Web makes information about what sites you visit and what software you own easier to track.

    Even if you are able to access the Web from a private ISP, the use of Caller ID software and system callback are making it increasingly difficult to remain anonymous. As authentication mechanisms improve and the cost of disk space for logs drops, it will become even harder to obtain anonymity.

  3. Once you delete a file, it's gone!

    When you delete a file, it is not removed from the disk. Under the Windows OS, the space on the disk that is being occupied by this file is simply marked as “available space.” This allows for programs, like the Windows Recycle Bin, to undelete a file after you have erased it. Additionally, it has been proven by some forensics experts that a file can be retrieved even after it has been overwritten nine times. At that level, an electron microscope is required. However, files overwritten up to two times can be retrieved using currently available software. To effectively remove a file permanently, a program such as Wipe Disk, which overwrites a file or drive with 0s, 1s, and then 0s again, should be used. (There are some individuals who believe they can still successfully retrieve at least portions of the data from the actual physical memory.)
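The three-pass overwrite the text attributes to Wipe Disk (0s, then 1s, then 0s) is simple enough to show in full. The Python below is an added example, not the book's or Wipe Disk's code: it rewrites a file in place with each pattern, forces every pass to the device, verifies the result and then unlinks the file; the sample file contents are constructed.

```python
import os
import tempfile

# The pass sequence the text attributes to Wipe Disk: all 0s, then all 1s, then 0s.
PASSES = (b"\x00", b"\xff", b"\x00")

def overwrite_passes(path, passes=PASSES, chunk=64 * 1024):
    """Overwrite the file in place with each pattern in turn, pushing every pass
    through the OS cache to the device. Returns the total number of bytes written.
    Caveat: on journaling or copy-on-write filesystems and on SSDs the rewritten
    blocks need not be the ones that held the original data, so this shows the
    method the text names rather than a guarantee of unrecoverability."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(pattern * n)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # otherwise the pattern may still sit only in RAM
    return written

def wipe_demo(secret):
    """Write a constructed secret to a temp file, run the passes, and report
    (bytes_written, all_zero_after_passes, file_exists_after_unlink)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    written = overwrite_passes(path)
    with open(path, "rb") as f:
        residue = f.read()
    os.remove(path)  # only now release the directory entry
    return written, residue == b"\x00" * len(secret), os.path.exists(path)
```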
