Impressing Your Friends with Network Security

"Observations about Hackers and the Network Security Industry"

Ron Gula
rgula@securitywizards.com
July 1999
Copyright 1999 Network Security Wizards

Introduction

This editorial paper is a comment and review of the current state of the network security industry including "hackers" and network consultants. It is largely unfocused, yet covers a wide range of topics. No doubt this paper will cause some controversy, so please feel free to express your true feelings in emails, IRC chat sessions and in postings to the PacketStorm Forum (when it comes back). Any hacking attempts to NSW servers will be automatically counteracted with a blitzkrieg of tiny electric pulses that will disable your computer.

TOPIC #1: Network Security Consulting

Cybercop And ISS Scanner

Almost every "hack n' cash" consultant for hire uses one or both of these tools to evaluate customer networks for vulnerabilities. ISS Scanner and Cybercop are the two leading vulnerability scanners on the market today. Unfortunately, a lot of large (and small) consulting firms are running these tools and charging clients tens, if not hundreds, of thousands of dollars to analyze the results of these products. I'm not concerned about the price and don't think that there is any price gouging, but I've noticed two trends in the industry that are worth mentioning.

First, many times, running a tool and making recommendations is all that some consultants are doing. These tools are great, but they do miss a lot of important things that a simple manual analysis will catch. They also have a lot of false positives. For instance, Cybercop used to report that any HP-UX Telnet daemon was vulnerable to the LD_PRELOAD attack. I've observed several consultants recommend turning off Telnet and patching systems even though there were no vulnerabilities. This is a dangerous state of being because it creates unnecessary work for over-worked security administrators.

Second, I've also seen a trend to over-rely on the tool. My favorite example to illustrate this point was while teaching a younger security analyst. John (as in Doe) was happy to discover that ISS Scanner found all sorts of RPC services on a target government network. ISS found no vulnerabilities, but John didn't realize that there was a misconfigured firewall allowing the RPC service connectivity. Reliance on the tool didn't identify basic vulnerabilities. Another example of tool over-reliance occurs when consulting companies teach their employees how to run the tool, without a thorough understanding of network security theory or even "hacker" techniques.

I was originally going to title this section "CyberCop, ISS Scanner and Nmap for Hire". I am finding that many security consultants run all three of these tools and then call it quits without doing the actual manual penetration testing. Without exploiting the discovered vulnerabilities, there is no way to know about trust relationships, false positives from the tool or how well the network users will respond to the simulated hack attempts.

Hiring ex-hackers?

Another trend in security consulting is to employ "reformed" hackers or people claiming to be hackers. This is largely a marketing technique to entice customers into the notion that you need a hacker to catch a hacker. The reality is that experienced network engineers schooled in the art of network security will run circles around your average twenty-two year old hacker. To be fair, most experienced network engineers are in their late twenties with six to twelve years of experience. Anyone receiving advanced degrees or additional trade schooling will also tend to be older and have more experience.

These are not absolute terms, but general observations I've seen over and over again. I'm saying that in general, your average hacker that is busted by the authorities is not that sophisticated. There are exceptions, but in general your typical "white hat" security expert is smarter than your average hacker. One of these reasons is that a hacker only has to concentrate in one or two areas to discover an exploit or cracking technique. On the other hand, the "white hat" must be more than conversational in many areas of networking such as DNS, routing, firewalls, intrusion detection, system security, NT, Unix, secure web design and cryptography to name a few. They must be more than conversational or else risk becoming irrelevant and not taken seriously by nonsecurity network administrators.

Hiring an ex-hacker or anyone else for that matter to conduct a security analysis is also a matter of trust. Customers should not hire someone because they are a hacker, they should hire them because they trust them and think they will do a good job. The same goes for experienced people. Having credentials doesn't guarantee trustworthiness. Considering that there are all sorts of statistics citing internal computer crime as the most common type, this should be considered very carefully.

What happens after?

Usually, the client is responsible for fixing any security problems discovered by the security consultant. Unfortunately the same financial, management and resource forces that enabled the security vulnerabilities to occur in the first place prevent fixing the discovered problems. If the security problems are fixed without changing the organization's network policy and procedures, new vulnerabilities will arise. This situation may even provide the client with a false sense of security. If the consultant is invited back with the latest copy of ISS Scanner or Ballista (Whoops!), they will likely discover a multitude of new vulnerabilities.

Another trend I have observed is for the client to purchase its own copy of ISS RealSecure or Cybercop and do their vulnerability scans themselves. It's possible that, after paying for a high priced consultant to basically demonstrate how easy it is to run one of these tools, many corporations and organizations figure they can do the job themselves. This is usually a good thing because it shows that management is somewhat committed to finding security problems.

TOPIC #2: Security Products

Who has the best IDS and/or Firewall?

There are many different types of IDS and Firewall products with many different available features. There have been many religious wars and ruined friendships over which security technology is the best one. After hearing much of the hype and seeing what people actually do with these products, I feel that the best security product is the one most likely to be used by the customer. This doesn't mean the most popular one purchased by a customer, but the product most likely to be used every day. This sort of cries out against the marketing hype, but I've seen it in action. One high profile government agency had their web server defaced, but their Morning Star firewall was on the job about five layers inside their network acting as a log server. I also recently had the opportunity to do some forensics work at a company, which had ISS Real Secure, but never really used it or even upgraded it in the last few years.

The point is, if someone doesn't champion a particular product and wield it like a double bladed light saber, the product won't get used. Most security products are bristling with features that the average customer isn't concerned about. Most successful security products have one or more features that make it relevant to a large number of customers. Unfortunately, this usually means having the best GUI (Consider the Real Secure IDS or the Checkpoint Firewall). It's the human or organization that uses a product that makes it effective. There are some organizations that do extremely well with only the use of TCPDUMP and router access control lists.

Direct comparisons between security products are also misleading. For any particular firewall or IDS, it is possible to develop a focused technical test that will cause one product to test drastically different than another. Depending on the purpose of the test, one product can be determined "better" than another. This is easily accomplished because many products have several different features. Emphasizing a small subset does not represent the full story. Ultimately, the customer must decide which product fits their needs the best.

Keeping up with the Joneses

Another deceiving trend in the security product industry is the amount of "copy-cat" features that exist in new products. A pessimist would say that many of these features exist primarily to make marketing claims. On the other hand, an optimist would say that the more features a network security engineer has available, the better. Whichever the case, they confuse the market with features that are emphasized disproportionately.

An example that comes to mind is Back Orifice (BO) detection. For the most part, BO users do not change the default port or password. Such a configuration can easily be detected with raw signature analysis. Many experts would agree that this is the most commonly used BO configuration. Even so, many IDS products devote a large amount of resources to detect uncommon BO activity. Such detection involves keeping state and spending CPU time such that BO traffic encrypted with different keys and communicating on non-elite ports will be detected. The extra detection, which is clearly superior to raw signature analysis, actually takes away from the overall performance of the IDS. The extra complexity could have been used to search for different types of attacks, and the CPU resources will be spent watching a lot of traffic that is not BO related. Unfortunately, since many IDS products have touted that they detect all forms of BO activity, IDS products that don't have this detection suffer from a "Back Orifice Gap" (no pun intended). Because BO is a popular vulnerability and some products have featured their advanced BO detection techniques, many customers believe that there is a large threat from BO.

The "Zero Security" guarantee

I am not aware of any software or security product that comes with a 100% money back guarantee that it won't be hacked next week when it is put onto the Internet. This is true even for Windows NT, which is "C2" rated by the NSA. Microsoft (and many other vendors) do not provide any software licenses that guarantee security. This is interesting, because many vendors do include a Y2K statement.

This situation is interesting because I've run into several different groups of people that completely believe that Windows NT is a secure networking solution. The myth that NT is "C2" compliant (which originally was for a non-networked configuration) has been perpetuated through the armies of recent MCSE graduates. For example, I've had several NT engineers tell me that PPTP is still secure and that all those Microsoft ports are OK to let through the firewall. By the way, "C2" is actually one of the lowest system security ratings that the Orange Book has to offer.

Why do security companies hire hackers?

Security companies hire hackers for three reasons, maybe even more. First, there is a short supply of "skilled" network security people. Anyone that can spell CERT or UNIX usually has what it takes to qualify for an entry level security position. Anyone with more experience than that is also worth hiring. Most "hackers" tend to have a skill set that seems very appealing to a prospective client, which results in offer letters and new jobs.

Second, many companies like to perpetuate the myth that the best way to catch a hacker is with a hacker. There is a lot of marketing along these lines. Many companies identify and emphasize their own "elite group" of hackers. No other industry does this and I am not a big fan of this trend. When was the last time you heard about Boeing's crack team of aeronautical engineers? When I worked for the DOD, I was part of a group of network security engineers called "The Pit". We experienced a lot of headaches from management, co-workers and even different security organizations, simply because we were singled out. I can only imagine that there is similar resentment and misunderstanding in other organizations and at different security companies. In many ways, I also feel that these hacker sub-organizations within organizations are often exploited as "hacker poster children".

And third, some security companies hire hackers for their knowledge and personal media exposure. This is a risky trend. A few years ago, one of the leading computer security companies (let's call them HRR) had an employee well regarded in the hacking community who released several denial-of-service tools and exploits. HRR was quick to release a version of their product that detected the new attacks. Some people accused HRR of using this exposure as a media ploy. These accusations were unfair though, because HRR had demonstrated (and continues to do so) a great deal of responsibility in keeping vulnerabilities private until the vendor can produce a fix. Similarly, many security companies have also hired the actual hackers who have worked on famous tools and backdoors such as Loki and Back Orifice (BO). Strangely enough, many people have accused those companies of now having "insider" information. I think this is a bunch of nonsense because in many cases, the detection algorithms were developed before these key individuals were hired. In general, if a hacker writes a tool that gains wide acceptance in the hacker community, who better to help write detection algorithms for it? I think that the computer security companies are smart to hire the proper expertise. They will always run the risk of being perceived as conspiring with the hackers. It's also curious to see which IDS vendors produce the quickest signatures for different tools and exploits as they are published.

If you are hacked, ask for more money AND ask for more money so you don't get hacked

When hacking incidents occur, it is common for network organizations to use the opportunity to elicit more resources from upper management. It is also common to ask for resources based on the threat of hacking incidents. Resources may include money, hardware, software and most importantly, more human resources. Chances are, a hacking incident is only pointing out one of many security problems.

In many cases, it takes a security incident to get the attention of upper management. Before I started Security Wizards, I worked for a company that took security very seriously. But it wasn't always that way. Initially, the company didn't even have a security group. But as customers were added, the number of average daily security incidents grew to be so common that it was tracked as a monthly management statistic. These statistics were reported all the way up to the board of directors. And in order to track those security statistics and do something about them, a security group was formed. Purchasing firewalls, intrusion detection systems and vulnerability scanning software was approved once management understood that there was a real threat.

Sometimes, a network administrator will go to great lengths to prove that their network is insecure to their boss or upper management. Usually, showing how a Vice President's email can be read or their web page biography altered is enough to demonstrate vulnerabilities. I've seen many network administrators make the mistake of "proving" that a network was insecure and then not having any recommendations or security strategies ready. Stereotypically, upper management will over-react and dictate security policies that are unrealistic. Having a plan is just as important as showing the problems.

The misuse of security products

Many network organizations have security products but do not use them correctly. This section will cover a variety of misuse examples that I have run into over the years.

During a high profile hacking incident, the government web server was broken into and had its content modified with offensive material. They were using a firewall, but as a log server deep inside their network. It wasn't doing any good in there.

As I said before, I once ran into a company that was using a very old version of ISS Real Secure. The NT platform itself was very old and vulnerable to several NT attacks such as NULL users. But the bigger problem was that an out of date IDS does not detect new attacks. Another common misuse of ID products is to not check them. Real time systems like network monitors must be checked all of the time.

When I was in the Air Force, I had a friend that had two enlisted network analysts get in trouble for downloading porn from the Internet. After a short investigation, the reality was that they were browsing for drivers and configuration information and inadvertently visited a site containing pornographic key words. Most Air Force bases have some sort of network content monitors that are loaded with all sorts of hacking, information security and network abuse keywords. Originally, these systems were designed to watch network sessions for evidence of hackers. However, many installations also include a few keywords to cover other kinds of misuse, such as pornographic words and phrases like "TOP SECRET". Intrusion detection systems have high false positives and require experienced security analysts to weed out the real events from false ones. The same is true for network abuse detection systems.

I've run across at least one government organization that only allows Netscape as the "official" network browser. All outbound web traffic must go through a proxy firewall that checks each connection to make sure it is from a Netscape browser. There are administration advantages to this. Namely, supporting only one browser instead of multiple is clearly an advantage. But when this technique was first described to me, it was touted as a more "secure" technique. They were trying to prevent ActiveX content from entering their network. However, Netscape has many more active content technologies such as Java, JavaScript and Shockwave. Netscape browsers also seem to have as many local security problems as Internet Explorer. My thought was that this site should have implemented a program that would limit users to only access the Internet with the latest copy of Netscape and not just Netscape in general.

And I've also been in several situations as a consultant where a client would need to send me encrypted email. More than once I received the private key of an individual instead of their public PGP key. Typically the email would go, "Try this key instead. I sent you the wrong key". Sure enough, the email I encrypted with the second key could be decrypted with the first. I've also received emails from people using products that encrypt files into self-extracting programs. No big deal, except all too often I got the pass phrase to unlock the program in the same email or in one right after it.

TOPIC #3: Media Attention

Why do hackers have cool hacker handles?

I think that hackers choose their handles for a number of reasons. Not all of these reasons are necessarily good ones. Some hackers choose their names to hide their identity. This works to a certain extent, but recently, law enforcement has seemed to have no problem identifying the real individuals behind many Internet break-ins. Other hackers choose their names to sound more interesting. Nobody wants to get the latest IRIX root exploit from Melvin Schnetzlebaum or Ron Gula for that matter. Getting it from a hacker named after some cool algorithm, an electrical component or an obscure English literature character is much more fulfilling. Also, when talking to the media, a cool hacker handle is much more effective at generating publicity than hiding their identity. For example, busting into a web page and then plastering your hacker name, your hacking group's name and giving a hearty "what's up" to your innermost circle of hacker friends is not the best way to keep your identity secret.

Very few hackers get their names from other people. Fighter pilots, rugby players and Greek organizations all name their new members in formal ceremonies. I'm not suggesting that new hackers stand upon their midtower computers and slam a beer while their friends shout out names like "Bitdumper", "Data-Trespasser" and "Electron" until one sticks. I am merely suggesting that hackers earn their names from their associates. Besides, all the good names have been taken by now and new hackers need all the help they can get choosing new ones.

When in doubt turn to hackers for wisdom

About three times a year, a major newspaper or magazine attempts to elicit members of the "computer underground" to lend credence to a story about computer insecurities. Many of these stories include excerpts of live hacking and quotes from the hackers which claim how easy it is to break into any network. Most technical security experts quickly discount these stories, but they have the wrong effect on the general public.

First of all, they perpetuate the myth of the "uberhacker" which threatens all networks. Compared to the population at large, the number of hackers is actually a very small percentage of the population. The real threats come from inside the workplace from everyday people. The chance of a network organization actually having to defend itself from the types of expertise that reside at the NSA, the L0pht or at ISS's X-Force is unlikely. I'm sorry ladies and gentlemen, but I don't buy into the notion that there are thousands of ex-KGB hackers working for the Russian mob now, just waiting to break into your ISP and read your private email. Most articles mention this (the insider threat, not the KGB hackers), but it's not the message that general people take away. They are worried about hackers.

Second, they make hacking look very easy. Hacking can be easy if a computer vulnerable to a certain exploit is found. The reality is that hacking a well defended network is rather difficult. Anyone who has done a three day no-holds-barred penetration test will tell you this. If their security is OK, it becomes mentally exhausting. Even when using easy exploits, it can still be rather difficult. As an ethical hacker test, I once hacked a Cray computer by finding some Suns that were vulnerable to the "slammer" attack and Rlogin trust. Even so, there were hundreds of networks involved and finding the right combination of computers that would let me onto the network with the Cray was two days of trial and error.

And third, the media also perpetuates the myth that all hackers are long-haired men with tattoos and pierced body parts. Again, the reality is that any man or woman of any age can be a threat to the security of any network. I give IBM high marks for their ad with the female and male hackers who discover the company salary list. The funny thing about that ad was that I wasn't sure if they were ethical hackers or not.

Discover a new vulnerability and then blame Microsoft

Another way to garner media attention is to release security information in a public announcement. Usually, this coincides with the release of a new commercial tool or security service. Such practices are a slippery slope that must be navigated carefully. When security companies brazenly release security exploit information without releasing fix information, this is usually frowned upon and ethically questionable. The right way to handle these vulnerabilities is to contact the "owner" and give them a chance to fix them. Many times, if the response from an "owner" is slow, or the fix is not encompassing enough, the vulnerability discoverers preempt the "owner" and publicly release the information.

Just because a company discovers a vulnerability, it does not mean that hordes of computer crackers have already discovered it and are actively exploiting it. Consider the recent Windows NT IIS buffer overflow discovered by eEye. In many ways, this is the first widely exploitable remote NT buffer overflow. Before the release of the advisory, there were very few reports of widespread NT IIS attacks with this method. Within several days of the release though, CERT had so many reports of incidents that they released an advisory. Prior to this, there were several buffer overflow advisories for Microsoft products, but none of them resulted in a CERT advisory or much reaction from the security industry. But since this advisory included an exploit, Microsoft was "blackmailed" into quickly providing a solution. I know many people at various ISPs and hosting companies that were wishing eEye had never released the vulnerability. They are not turning a deaf ear to the problem, they just want the solution fixed without drawing a lot of attention to it.

While Microsoft continually gets pummeled with new security flaws in their products, they do tend to fix them fairly quickly. Microsoft also tends to fix their own vulnerabilities and release advisory information (without exploits) on a continuous basis. I don't feel that finding a vulnerability and then blaming Microsoft for it is that effective. Microsoft sells GUI desktop products, not secure operating systems. The public doesn't want secure operating systems, or to phrase it more accurately, they don't want to be bothered. The only people that seem to be publicly worried about flaws in Microsoft products are hackers and security experts. For thousands of ISPs, the DOD and many people, Microsoft is still the operating system of choice and they are often singled out because of this. I feel that the public is as much to blame as Microsoft is. I think that if the public had a huge outcry for "real" network security, Microsoft would build a product that was "secure". Notice that IBM, Sun and HP haven't done a much better job at producing a "secure" operating system. And for that matter, most of the open source operating systems and the applications that run on them continue to have new vulnerabilities.

Hackers vs. The World

There have been other trends in the hacker community in which groups of hackers use their skills to fight evil throughout the world. We've seen examples of this with the Indian and Pakistani nuclear tests, the recent FBI crack down on hackers and even some efforts to stop child pornography rings. Let me start by saying that modifying, obtaining or destroying data that is not yours is wrong. And doing it to people on an active basis can draw a lot of attention to yourself that you may not want.

If you feel you must hack into a target country's nuclear missile systems, don't tell anyone about it! These countries take their nuclear missiles very seriously and any threat to them will be met harshly. The last thing they want is to have any doubt in their adversary's mind that their nuclear weapons are ineffective. Crossing paths with other nuclear world powers can result in incidents straight out of James Bond and Tom Clancy. Don't think that countries besides the United States won't spend the resources to track down a high profile hacker. Defacing web pages with lists of hacker associates only provides a list for interested organizations to start checking up on. I do acknowledge that hacking of this sort does raise public awareness, but I still think it is a dangerous media stunt.

Hacking the US government is best accomplished with hit and run tactics. Coming back over and over again to different US government web sites is only inviting an investigation from the FBI or Secret Service. The FBI has agents in every major US city and can easily tap other local law enforcement organizations. The last thing that a hacker should do when knocking over US web sites is to A) keep doing it or B) tell their friends. Fortunately or unfortunately, most of these hackers do not realize that most computer criminals are caught with traditional criminal investigation methods. Almost all law enforcement agencies have informants and the resources to pursue every lead. Hacking US government web pages as a form of protest is also not effective at gaining attention. Only hacker news groups seem to carry this information unless the site is a major government site. And chances are that the media will report the break-in and not the message carried by the break-in.

And finally, chasing after Internet hate groups, child pornography rings and other forms of Internet vigilantism have the same sort of risks as taking the law into your own hands in the real world. Most of the publicized reports of these incidents do not include the cooperation of law enforcement for a number of reasons. Some of these reasons include that the groups are overseas and that the activity is itself illegal. As for Internet hate groups, although a majority of the world may disagree with their view points, I think that they have the same rights to have their $9.99 a month web site work as the next person. Also, don't assume that the target group will not have the resources (even legal resources) to find you and stop your hacking activities.

TOPIC #4: Overhyped Vulnerabilities

Satan

Satan was the first real tool kit that a hacker or network security analyst could publicly download and run against any network. It checked for about twelve different security vulnerabilities and was smart enough to scan networks "connected" to target networks.

Much of Satan's press and hype was because the state of networks was so bad during the early 1990's. It was common for ISPs to have NFS exports, old versions of Sendmail, and vulnerable anonymous FTP servers attached to the Internet. Nowadays, one would think that times have changed, but they haven't. Dan Farmer, one of Satan's authors, conducted an independent study of Internet vulnerabilities using an updated version of Satan. He found that many commercial, government and other types of sites still had major vulnerabilities. I think that most of this was due to the expansion of the Internet, with many new people not taking the time to secure their Internet systems.

Back Orifice

Back Orifice is an application that provides illicit remote control of a target Windows 95 machine. All a hacker needs to do is get the BO server onto the target computer. This can be accomplished with physical access or hiding the server in a Trojan program. Trojan programs can be sent via email or even served up on FTP and Web sites.

The purpose behind BO was to show how insecure Windows computers really were, but the problem really affects all machines. Trojan software has been around almost as long as software has. UNIX computers have been vulnerable to these attacks for a very long time. There are many types of UNIX software that has been "back doored" to provide remote access to unauthorized users.

When I worked for the DOD, one of the most common network attacks we used was to embed macros in FrameMaker documents. Anyone that opened a FrameMaker document automatically executed a UNIX shell script. With this shell script, we were able to compromise target networks very effectively during ethical hacking exercises.

BO is also not the only Windows backdoor Trojan. At last count, there were 35+ different Trojan programs. Some of these even existed before BO was released in a media event.

The Ping of Death

The "ping of death" is another example of a security vulnerability that stands out in a sea of many other similar vulnerabilities. This is mostly due to the catchy name. Names such as "TearDrop" and "Nestea" do not convey exactly what they are, while the "Ping of Death" appeals to almost everyone. Even non-network-literate people recognize ping as a normally benign probe or scan.

Information Warfare

This term has been so over-hyped that many government agencies involved in this activity don't even say "information warfare" anymore. New terms now include "information dominance" and "information operations". Whatever the name, the notion of using computers to effect military and strategic victories has been around for about 5-10 years now in the public's eye.

IW has several perception problems. The first problem is that most of the experts who know anything about our real capabilities have government clearances and won't (and shouldn't) talk about them. As a result, policy makers who don't have clearances make uninformed decisions. For example, the Rome Labs incident involved a lot of Air Force resources only to find a 16 year old British hacker. The Navy and the Army have similar stories. But does finding juvenile hackers justify standing up large information and network security organizations? I tend to think so, just because sooner or later we will experience organized probes into our infrastructure that will be sponsored by US adversaries. The second problem is that many computer people don't understand weapons and vice versa. I once had an Air Force major tell me that he considered his "NetRanger" IDS and "Ballista" security scanner weapons. I could see his point, but I didn't really agree with that approach. The third problem is one of coordination. At a tactical level, conducting a ping sweep of a target's IP infrastructure could provide some very good topology information. At a strategic level, such probes could be considered offensive in nature. Consider the Indian and Pakistani nuclear weapons hackers. Any probes or hacking events could have been interpreted as hostile actions of their adversaries and have heightened the situation further. There are many other problems that IW has had in becoming a real theater of war.

While in the Air Force, I got to participate in several IW and military exercises. Most of these I can't talk directly about because they were very sensitive and involved flying around in UFOs looking for mating Loch Ness Monsters. But what I can say is that there were a lot of different opinions in our nation's leadership as to how much of a threat IW was to our adversaries and to ourselves. Many people feel that the US is more vulnerable to IW attacks than other nations are. This may be true, but most modern governments do have computers and telecommunications of some sort. And most security analysts will also tell you that older data processing systems tend to have more known security problems. Of course, this was five years ago, and nowadays we hear rumors of the President tasking the CIA to find and seize Yugoslavian financial resources through "hacking" techniques.

Fragmenting Traffic to avoid packet based IDS products and go through firewalls

I hear this attack over and over again. Hackers have been espousing the uses for IP fragments almost as often as researchers find new uses for vitamin C. The reality is that a long time ago, some firewalls could be bypassed by simply fragmenting network traffic. The number of vulnerable firewalls was very small and mostly affected firewalls that were based on packet filtering routers. With the advent of packet based intrusion detection systems, many people also claim that these fragments will allow attacks to occur undetected. Many IDS products do not correctly reassemble IP fragments, but some of them do. What hackers don't realize is that the fragments used to bypass firewalls and IDS systems almost never occur naturally. It is trivial to look for fragments that have very small offsets of one or two. Dragon, Shadow, TCPDUMP and other programs can be configured to do this. Network monitoring programs such as Vital Analysis will also pick up on fragmentation. Many ISPs view fragmentation as a bad thing. On a well-designed network, fragmentation shouldn't occur. Between all of the denial of service attacks and security mechanism bypassing techniques that are possible, I am aware of some ISPs that record all IP fragments for manual inspection.
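The check described above, looking for fragments with an offset of one or two, as an added example that is not part of the original paper: it decodes IPv4 headers from constructed sample datagrams and labels the suspicious ones. It goes slightly beyond the text by also flagging a first fragment shorter than 8 bytes, the "tiny fragment" case from RFC 1858; the packet builder, the sample traffic and the label names are this example's own.

```python
import struct
from typing import Dict, List, Tuple
# Added example (not from the paper): flag IPv4 fragments with offsets of 1 or 2
# eight-byte units, which the text notes almost never occur in legitimate traffic.
SMALL_OFFSET_MAX = 2   # offsets of 1 or 2 (8 or 16 bytes) are suspicious
MIN_FIRST_PAYLOAD = 8  # first fragment shorter than this is an RFC 1858 "tiny fragment"

def parse_ipv4_header(pkt: bytes) -> Dict[str, int]:
    """Decode the IPv4 header fields needed for fragment analysis."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    return {"ihl": ihl, "total_len": total_len, "ident": ident, "proto": proto,
            "mf": (flags_frag >> 13) & 1, "offset": flags_frag & 0x1FFF}  # offset in 8-byte units

def classify_fragment(pkt: bytes) -> str:
    """Return 'not-fragment', 'fragment', or a 'suspicious-*' label for one datagram."""
    h = parse_ipv4_header(pkt)
    if h["mf"] == 0 and h["offset"] == 0:
        return "not-fragment"
    if 1 <= h["offset"] <= SMALL_OFFSET_MAX:        # lands inside the first fragment's headers
        return "suspicious-small-offset"
    if h["offset"] == 0 and h["total_len"] - h["ihl"] < MIN_FIRST_PAYLOAD:
        return "suspicious-tiny-first-fragment"
    return "fragment"

def scan_packets(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Run the classifier over a capture; returns (IP ID, label) for each suspicious fragment."""
    alerts = []
    for pkt in packets:
        label = classify_fragment(pkt)
        if label.startswith("suspicious"):
            alerts.append((parse_ipv4_header(pkt)["ident"], label))
    return alerts

def make_ipv4(ident: int, mf: int, offset: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram (UDP protocol number, checksum left zero) for the samples."""
    flags_frag = (mf << 13) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

# Constructed samples: a whole datagram, a legitimate two-piece train (second piece at
# offset 185 = 1480/8), and a crafted tiny first fragment overwritten by an offset-1 piece.
SAMPLE_PACKETS = [
    make_ipv4(1, 0, 0, b"A" * 40),
    make_ipv4(2, 1, 0, b"B" * 1480), make_ipv4(2, 0, 185, b"C" * 100),
    make_ipv4(3, 1, 0, b"D" * 4), make_ipv4(3, 0, 1, b"E" * 20),
]
```

Calling `scan_packets(SAMPLE_PACKETS)` reports only the two crafted pieces of train 3; the legitimate 1480-byte train passes unflagged.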

TOPIC #5: Black Hats and Script Kiddies

Who are the script kiddies?

Everyone makes reference to them, but who are they? And what qualifies someone from the human race to become one? Stereotypically, the term "Script Kiddy" or "Tool Bunny" makes reference to a hacker that simply uses tools without an underlying understanding of network security or possibly the specific exploit. The term became very common in the mid 1990's when "get-root" exploits were widely circulated. Running the right script was all that was required to become root.

Several examples of "script kiddy" activity are in order. My favorite story is about a hacker who was trying to bust root on a SunOS system using a bunch of SGI exploits. No matter what the hacker tried, none of the scripts worked. In a different situation, I loaded up a Linux box with almost every known remote exploit. The honey pot was routinely compromised. I observed many hackers struggle with basic UNIX commands while they were trying to install rootkits and backdoors. I got the impression that several of the hackers were busting root for the first time. On an unrelated note, I also rewrote BASH to print out random profanities to the hackers and to try and buffer overflow their Telnet clients.

But being a script kiddy also means being irresponsible and unaware of law enforcement techniques used to track hackers down. By irresponsible, I mean that many script kiddies hack sites successfully without really understanding the ramifications of what they are doing. Many of them do not know what they are risking, which could include permanent law enforcement records, fines, expulsion from school and the loss of a job, to name a few. The authorities catch many script kiddies because they are unaware that anyone is even interested in their activities. Most convicted hackers are surprised that the authorities would spend time to track them down.

So who are these people? Most of my experience has been that these are males in their mid to late twenties. Most of them have access to computer networks through either college or their personal computer. I've heard of several incidents involving younger kids that install Linux on their parents' cable-modem-equipped PC and hack from there. Internationally, there seems to be strong hacking activity from France, Russia and Germany.

We are all script kiddies!

There are several arguments about "degrees" or "levels" of hackers. I used to describe myself as a "Level 12 Hacker" which meant that I had passed all twelve levels of hacking as I saw them. These twelve levels can be accomplished during most forms of ethical hacking and vulnerability research. They can also be accomplished illegally of course. For those interested, they were:

  1. Modify an exploit or security program to work on a different target platform
  2. Compromise a system and then successfully install a backdoor and sniffer without detection
  3. Reverse engineer a CERT advisory to produce a security exploit
  4. Find a vulnerability in an operating system that no one else has found and write an exploit for it
  5. Successfully social engineer access into an unauthorized facility
  6. Write a custom Trojan horse and deliver it to a target successfully
  7. Successfully compromise a target using a modem connection
  8. Write some sort of security program and have it successfully detect network abuse
  9. Design a network honey pot and use it to identify hackers
  10. Successfully track a hacker to discover their identity and hacking point of origin
  11. Successfully explain a vulnerability to upper management in order to produce change in a network
  12. Train another person in the first six steps

Of course these twelve steps closely mirror the sort of career I've had. These days, the common joke is that we need PowerPoint presentations to describe what we do. In the security field, there are so many different areas of expertise that we tend to feel that what we know is the most relevant. Consider the types of areas I've left out of my list of "12 levels": defeating cryptography, reconfiguring complex network devices, hacking "hard to compromise" sites, getting a foreign country seriously ticked off at you, hacking a US intelligence or military network, etc.

We are guilty of many of the same characteristics that we make fun of script kiddies for. Script kiddies are accused of using other people's work in the form of new tools and exploits. The reality is though, that there are so many new vulnerabilities out there, that it is impossible to duplicate all of the work. Consider port scanners. Even if one understands all of the different types of scanning, there are many, many different port scanners to choose from without writing one from scratch. The same is true for vulnerabilities in general. Using vulnerabilities found by someone else is something that we are all guilty of.

Possibly the only thing that separates us from the spirit of those described by the term "script kiddy" is the maturity level or social awareness that limits us from hacking into other people's sites, using malicious denial of service attacks and destroying other people's data.

Who are the black hats?

Many hackers classify themselves as a "White", "Gray" or "Black" hat. The color of the hat is supposed to reflect the particular alignment of the hacker. This is very similar to alignments in Dungeons and Dragons or the hats worn by good cowboys and outlaws.

Unfortunately, there are many different interpretations of what the color of the hat really means. If hackers use their talents for good or evil then they may respectively call themselves white or black hats. There is no notion of capability or skill, only intention. Other people view the hat color as a set of network security techniques. White hat techniques include physical inspections, interviews, running vulnerability scanners on internal networks and conducting up close inspections of security equipment. On the other hand, black hat techniques include physical penetration testing, dumpster diving, social engineering, and running whichever exploit it takes to get access. The thought is that white hat testing leverages cooperation from a target network while black hat testing does not.

And then there is the "James Bond" description of a black hat. This person is personified as a paid network mercenary in their early thirties. They have knowledge of network vulnerabilities six months before anyone else does and they are not above getting jobs on the "inside" to achieve access. Persons of this category are highly professional. They never hack the same site twice. They always hack from untraceable or throw away accounts. They are usually paid to find or destroy certain types of information. The problem with this type of black hat is that they may not exist. It's a description that the security community as a whole has developed as the ultimate hacker. Unfortunately, when comparing this description to the types of hackers that are caught, they almost always fall short of our expectations.

And finally, there are black hats that carry guns and are involved with drugs and violent crime. Increasingly, many computer-crime-related busts also coincide with drug trafficking and production. Many computer crimes also include telephone fraud such as cell phone cloning and long distance hacking. I have several friends that provide assistance to authorities during live hacker busts and they say that flak jackets are very common. These black hats may be at the same level of sophistication as a script kiddy, but they are violent.

What makes a black hat?

Even though I feel that there are no armies of ultimate hacker black hats out there, I do think that there may be a few of them. Almost every type of trade has its best of the best elite few that transcend the genre and achieve fame and notoriety. Why can't the hacking world have its Red Barons and Michael Jordans? These hackers would not have tomorrow's new exploits, they would have exploits that the public hacking community wouldn't even come up with.

Arms dealers could be another type of black hat hacker. This type may be the ultimate script kiddy and social engineer. Imagine a hacker that identifies a site and figures out that they are using XYZ firewall, ABC server and the Alpha application. If they are well funded, there are many computer security companies out there that can tear apart any system and find a variety of vulnerabilities for a price. How easy would it be for a fairly accomplished hacker to represent himself as a reputable organization and hire a team of crack security researchers to have them unwittingly find vulnerabilities in the ultimate target? This technique essentially pays for tomorrow's vulnerabilities today.

A black hat hacker may also coerce a white hat hacker to perform some sort of task. Stereotypically, blackmail, violence and other techniques would easily convince most people who have been making a living from behind the keyboard. Similarly, it may also be reasonable to expect black hats to attack white hat machines looking for new vulnerabilities and exploits.

The final type of black hat hacker is simply someone who "hacks" for a living with others into systems where getting caught is not an option. These hackers theoretically work for drug families, intelligence agencies, organized crime and the military of many different countries. One could imagine these well funded organizations meticulously duplicating a target network to perfect their attacks and then executing them with extreme proficiency.

Final Thoughts

I hope you have enjoyed this little 'rant' of random thoughts and insights about the world of network security. If I have offended anyone, that was not my intention, and you should feel free to contact me to express your opinions. I encourage all feedback and will be writing similar, but more focused editorials about other topics in network security.


Last modified: Sat Oct 30 23:12:56 PDT 2004