The Players - Hackers, Crackers, Phreaks, and Other Dudes
Over the years, we have been able to glean ideas about the characteristics of this tribe (Players - Hackers, Crackers, Phreaks, and the other dudes). For this information, we are all indebted to researchers such as Sarah Gordon, Dorothy Denning, Ray Kaplan, and, more recently, the members of the Honeynet Project.
A Couple of Provisos: Whenever you deal with people, there will always be exceptions. Some seem to pursue security breaking from motives that are, if not exactly admirable, at least untainted by thoughts of commerce or attention. Indeed, we can't really say that all endeavors related to the creation of viral software or intrusion utilities are even illegal. While most of the activity involved in security breaking is highly repetitive, there are also those few who do come up with one or two original ideas and experiment with them.
As another example of a deviation from a stereotype, most studies of those involved in security breaking activities have been done in Western societies: Europe, North America, and Australia. Recently, groups have been quite visible in China.
There are two major populations:
- Red Guests
- Black or terrible Guests
The black guests are apparently quite akin to Western groups, with a lack of cooperation, anti-establishment positions, and random activities.
The red guests, on the other hand, seem to form very stable groups, are executives in technology companies, have links with the Chinese government, and run coordinated exercises. In this case, we have a very large group running completely contrary to the expected norms for the community, and this may be derived from the differing foundations of Eastern and Western social thought. Therefore, we can't make blanket statements about all of those within such a community.
However, as with almost any stereotypes, there are reasons for the characterizations presented here. Particularly in doing forensic analysis, we need to beware of falling into mental traps occasioned by our own "profiles" of the adversary. If we get too caught up in any one idea, we are going to blind ourselves to important evidence, whether it be proof of innocence or guilt. While it is beneficial to have an idea of the attributes of the majority of the people we are studying, it is absolutely vital always to accept the possibility of exceptions.
Types of Blackhats
The blackhat community is extremely fragmented. Not only are there different groups, often at odds with each other, but the types of activities also differ.
Crackers
Despite the evil genii portrayed in fiction about "hackers," there is a great deal of specialization in the real blackhat groups, and those from one clique seldom do much exploration in the other fields. Some are trying to break into or intrude on computer systems or networks. These are the ones who most frequently are given the hacker sobriquet, and are usually referred to as "crackers" (or system crackers, to distinguish them from the software piracy-type crackers) by the security community. Despite the general public reputation, few of these people do any programming or create any sort of software, malicious or otherwise. There are a limited number of system crackers who do analyze software, and particularly system software, for weaknesses, and who then write exploit tools to automate the process of breaking in. However, these tools are, generally speaking, not a major problem. They are specific to a given system and version, and, even if distributed and utilized, have very limit-lar vulnerability is widely exploited, then it tends to become known and patched quickly.
Other blackhats specialize in gaining unauthorized use of telephone switches and systems, usually for their own aims and amusement but possibly to obtain or even resell phone service. Those interested in breaking into or otherwise manipulating the telephone system are referred to (and refer to themselves) as "phone phreaks," using the punning variant spelling. This is generally shortened to "phreaks" in common usage. (Variant spelling, and even the use of nonalphabetic characters, is a characteristic of most blackhat communities. The effect is to define the population of the group, separating those who know the jargon, and therefore belong, from those who do not. Thus, those within can see themselves as members of an elite club but probably represent it as "leet" or "3!33t." Hence also the reference to "dudes" in the title of this article.) The act of manipulating the phone system is known as "phreaking." Some are primarily interested in damaging or corrupting files, particularly in public ways, such as defacing Web sites. This runs
HACKTIVISM
Hacktivism is a convenient label, but a poorly defined term. Hacktivism can be anything that the user, generally a journalist, defines.
- It can be writing a new utility and releasing it with attached political or social advertising.
- It can be developing a new Web site to promote civil rights or social change.
- It can also be developing online direct actions against corporations or governments, through mechanisms using the Internet.
Blackhat Products
Most of the end result of blackhat activity consists of compromised systems, defaced Web pages, and pointlessly consumed bandwidth. Overall, this might be of interest to those investigating network forensics but isn't of much use for us in software forensics. However, attack tools, distributed denial of service (DDoS) kits, trojans, viruses, worms, remote access trojans (RATs), and other forms of malware are.
We will, of course, want to find out as much as possible about what the specific piece of malware does. We also want to know about the author, if we can. Becoming familiar with the broad classes of malicious software can help point out, in general outline, the functions to look for. Knowing the class of malware may also help us to identify the author because blackhats tend to be just as specialized as any other type of programmer. It is sometimes difficult to make a hard and fast distinction between malware and bugs.
What is a Trojan horse program?
A trojan is a program that pretends to do one thing while performing another, unwanted action. The extent of the "pretense" may vary greatly. Many of the early PC trojans relied merely on the filename and a description on a bulletin board. "Login" trojans, popular among university student mainframe users, mimicked the screen display and the prompts of the normal login program and could, in fact, pass the username and password along to the valid login program at the same time that they stole the user data. Some trojans may contain actual code that does what it is supposed to be doing while performing additional nasty acts that it does not tell you about.

A major component of the trojan design is social engineering. Trojan programs are advertised (in some sense) as having some positive utility. The term positive can be in some dispute because a great many trojans promise pornography or access to pornography, and this still seems to be depressingly effective. However, other promises can be made as well. A recent email virus, in generating its messages, carried a list of a huge variety of subject lines, promising pornography, humor, virus information, an antivirus program, and information about the abuse of the recipient's account. Sometimes the message is simply vague and relies on curiosity.

A logic bomb is generally implanted in or coded as part of an application under development or maintenance. Unlike a RAT or trojan, it is difficult to implant a logic bomb after the fact, unless it is during program maintenance. A trojan or a virus may contain a logic bomb as part of the payload. A logic bomb involves no reproduction and no particular social engineering. A persistent legend regarding logic bombs involves what is known as the salami scam. According to the story, this involves siphoning off small amounts of money (in some versions, fractions of a cent) credited to the account of the programmer over a very large number of transactions.
Although these stories appear in several computer security texts, the author has a standing challenge to anyone to come up with a documented case of such a scam.