Who are these hackers anyway? Why not put their skill to productive use?

5 08 2012

Earlier this year, at my job, at the facility I work at, it was discovered that the site had become infected with a virus.  Later, during the incident response, other viruses were found.  In total, it took about 40 IT professionals and technicians to work for a week, around the clock,  to “clean” the site, during which time, the facility operated at significantly reduced efficiency.

This was not the first time I was involved in a virus infection remediation effort, I participated in one about a dozen years before.  I suspect I’ll be involved in another sometime.

Shortly after that incident, I began a graduate level course entitled “Information Security Management”.  During the virus incident, and in the course, I heard references to hackers being the folks creating all this havoc.   I pondered, “Who are these hackers and why are they doing this stuff?  It’s seems so senseless and a waste of time.  Can’t they find a better use of their time?  Can’t they make a career from their skill?”

What exactly is a hacker?

This was the first question I wanted answer.

According to Merriam-Webster Online dictionary, two definitions are:

  • “an expert at programming and solving problems with a computer” or
  • “A person who illegally gains access to and sometimes tampers with information in a computer system”[i].

However, in reading articles about hacking and interviews with hackers, and from responses I received to my own inquiries, I’ve come to the conclusion that the Merriam-Webster dictionary definitions are poor.

During my quest to answer this question (and others that also came to mind), I found, via web searches, some very interesting interviews that were recorded with infamous and not-so-infamous hackers.  I also conducted my own “interviews” by contacting a few high level security professionals I knew of for the purpose of this article and a term paper I am writing, and asked the following questions:

  1. Do you hack?
  2. Is IT security a top priority for your organization?
  3. Do you conduct vulnerability assessments that include attempting to hack your own systems?
  4. Do you have any employees/associates in your organization that were hired for their hacking skills, knowledge, and experience?
  5. Do you (or your organization) consider hacking experience when hiring?
  6. How do you verify hacking experience?
  7. Do you see growth in the next several decades in this field?

I won’t go into each of those questions here.  But the answers to these questions did provide some insight.  One of the responses I received (name withheld) included, what I believe is, a pretty good description of a hacker and what hacking is:

“Hacking is a mindset. Maybe one is born with it, maybe one can develop it; definitely I was born with it and have then continued to further develop it throughout my life. Hacking is not just accepting that something is, but questioning how and why it is. How does it work? Why does it work that way? How can I change it? How can I make it do something different? A hacker thinks outside the box, questions what others assume to be true, and then tries to either prove, or disprove, depending on your viewpoint. Computer hacking is questioning the “security” of a device, application, or enterprise, and then trying to prove, or disprove, the “assumption of security.”

This description was consistent with other descriptions I found on the web.  However, I also discovered that many hackers despise the idea of being associated with those that cause harm to systems and others.

As it turns out, there are good hackers and there are bad hackers, and others that are on/off the fence.

My interpretation from what I’ve read is that the good guys, folks typically working for a respected organization, are called “White Hat” hackers, and use their skill to access systems or code they are authorized to hack for the purpose of identifying vulnerabilities.  They then report their findings so that those vulnerabilities can be addressed.

The bad guys are the ones not working for a respected organization, and use their skills to gain access to systems that they do not have permission to enter.  They do not necessarily report their findings to the folks that can remedy the situation, and may use the vulnerability to perform covert actions that may cause harm of some type.  These are the “black hats”.

But are they the ones writing the viruses, worms, and such?  According to D.D. Shelby in his blog “The Viral Mind: Understanding the Motives of Malicious Coders”[ii], people writing viruses are either:

  • hobbyists
  • just having fun
  • experienced coders pushing the envelope
  • seeking fame and fortune
  • A lone madman trying to cause harm.

The hackers in the first, three categories above are generally not seeking to cause harm, but unfortunately, indirectly still do because their code still manages to get out and be put in use.  The last two categories include the truly bad hackers because they truly intend to put their code to use.

Why do they do this stuff?

According to one of my interviewees:

“The current computer hacker is motivated by

  • Financial gain,
  • Geopolitics/Righteous cause (activism), or
  • State sponsorship

Cyber-criminal organizations are run like big business and in some cases are state-sponsored or at least protected by the state. For instance the Russian mob is heavy into cyber-crime with office buildings staffed with security experts, programmers, project managers, and operations managers all functioning to create, propagate, and operate malware to steal personal information, credit information, and any type of financial information that can be used to steal money from the individual, the business, or directly from the financial institution itself.  The security resources working for these organizations are recruited, paid well, and provided with insurance, vacation, and other benefits. These organizations also troll the hacker and security conferences looking for recruits. The skilled hacker without a conscience would be well-compensated by these organizations.

Hactivism, hacking for a geopolitical or righteous cause, can be a single actor or team-based function.

Team-based operations such as those performed by Anonymous and LulzSec are gaining the most attention.  These operations are performed by actors who volunteer to participate and they tend to be loosely tied together rather than a tight, cohesive team. There is very little money involved and some of the purported leaders are supposedly security consultants working their day job for large corporations and firms. These may in some cases be examples of black-hat hackers working both sides.”

The FBI confirms the above assertions about the Russian mob.  In an article published by eWeek regarding Russian organized crime hacking, they quoted John Collingwood, FBI assistant director for public affairs saying, “For the foreseeable future, we are going to see an explosion in this area.”[iii]

Can’t they make a legal career from their skill?

Of course they can!  In fact, many do.  A perfect example is the professional that I referenced earlier in the section entitled “what is a hacker?”, and quoted above.   That professional, in fact, works for a large fortune 500 company and his credentials include:

  • Certified Information Systems Security Professional (CISSP),
  • Certified Ethical Hacker (CEH),
  • Sun Certified System Administrator (SCSA),
  •  Information Technology Infrastructure Library – Foundation (ITIL-F),
  • The Open Group Master Certified IT Architect,
  • and Enterprise Security Architect.

Another respondent to the questions I posed is the CISO for a large building material supply company.  This CISO hacks professionally and stated (in response to the question “do you hack?”), “I do this on a regular basis to understand, for example, a product or service we invest in and baseline the overall effectiveness.”

Finding a better use of their time

It will be impossible, in my opinion to stop hacking altogether, since it is founded on human curiosity.  In researching this topic, I’ve come to respect the free spirit mindset, the curiosity, ingenuity, creativity, the sense of adventure that is so much a part of what makes a true hacker what they are.  In fact, after learning about their traits, I found myself relating very well to their way of thinking.  I personally don’t take the time to hack with computers, I find myself being more focused on being a good parent and husband.  If I did not have that to do, I think I might have found hacking to be a very enjoyable past time.

Regarding the truly harmful hacking such as that generated by organized crime, and hacktivist groups, I think governmental authorities and the hacking community need to work together.  In fact, that may already be occurring.  I’ve discovered that there are large conventions held on both the black hat and white hat sides of hacking.  Interestingly enough, the Black Hat convention is for the white hats.  The DefCon convention is for all hackers and is an event that protects the attendant’s anonymity[iv].  I hope that in these conventions cross-socialization is occurring and that the white hats are getting positive help from those attending DefCon. These conventions would be a great forum for that to occur.

Going further, I hope the great minds at Defcon will use their abilities to coerce their peers to use their skills in a more productive and organized fashion.

I had a thought that it would be great if some people at DefCon would establish a non-profit that would apply their efforts to help society and technology providers make the networked world less vulnerable.  For example, at the convention, they could advertise and promote their cause and seek the participants at the convention to apply their craft toward their effort.

After having these thoughts, I spent more time on DefCon’s webpages.  In doing so, I came to realize that in fact this is happening; an organization called “Hackers for Charity” promotes their cause at DefCon.[v]

Summary

When I started this assignment, my general opinion was that what hackers do is bad.  After looking into the hacker culture, I’ve changed my mind.  They are not all bad.  As is true in all cultures, there are people behaving well, and others that are not behaving properly.  The question is: are there just a few bad apples, or are there a whole lot of them in the bushel?  Can bad apples become good apples?

Advertisements

Actions

Information

One response

9 08 2012
Subhash DV

Good topic and well written, Just I have one question.
Is any person/programmer converted into hacker, to take revenge ?
As per your interview.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: