According to security experts, hacking is becoming easier to both do and learn.
“Four or five years ago if you wanted to hack you had to have three things: you had to have knowledge and be somewhat of an expert; you had to have time; and you had to have a motive,” said Rob Clyde, vice-president and general manager of AXENT’s security management business unit in American Fork, Utah.
But these days a simple Internet search can provide anyone with sophisticated hacking tools such as password crackers, network assessment tools or sometimes even specific information to break into certain sites without even having to run the tools first.
“If you can run a word processor or a Web browser, you can probably do this. There’s a certain amount of computer skill needed, but it’s not programming skill. It’s user skill,” said Clyde, who co-founded AXENT’s InfoSecurity SWAT team.
For those newbie hackers who want to learn more than point-and-click hacking, Chris Rouland, director of the ISS X-Force in Atlanta, said there is an emerging social structure of hacker education.
“You can’t apply too much infrastructure to it. There’s no ‘hacker bonus program.’ But typically in the computer underground, you see people who are looking to learn something from someone else.
“You see more senior and skilful hackers employing these less technically skilled attackers, or script kiddies, to enable them to have multiple hackers working on the same system,” Rouland said.
Rouland said there has been a proliferation in the last year of low-impact attacks on large companies. An experienced hacker will hire several less experienced hackers to “rattle all the doorknobs and window panes” of a large company’s network.
“It’s too much work for one person, so they effectively outsource this with some kind of transfer or incentive of knowledge to these other attackers. That way you’ve got a lot of attackers attacking one site using different techniques and checking for vulnerabilities and reporting that back, and you’ve got almost one organization attacking another organization,” Rouland said.
He said the individual hackers themselves are like free agents moving around from team to team, making them difficult to track. AXENT’s Clyde said hackers are also largely anarchists, which makes it difficult to get together in organized groups for very long.
“The ones who really know what they’re doing and are very sophisticated don’t get caught very often. But those people who are just downloading tools and running them often don’t even realize that someone’s tracking them and can catch them. As you get less sophisticated people trying this, I think you’re going to see more prosecutions,” Clyde said.
But it’s really the sophisticated ones doing the damage by releasing the latest round of viruses and trojan horses.
“Caligula was a trojan that, once installed, would take a user’s PGP keys and upload the private key to a site on the Internet so [the creators] could build a repository of these private keys,” Rouland said.
“Picture.exe was a Chinese virus that once run would look for all the e-mail addresses you’ve ever sent to and then send them encrypted to a couple of mail addresses in China,” Rouland added.
Carey Nachenberg, chief researcher of the Symantec Anti-virus Research Center in Santa Monica, Calif., said the most prevalent thing he is seeing right now is not a virus, but a worm called Happy99.exe.
“The difference between a virus and worm is a virus spreads from one file to another on a single computer and may be spread to other computers as well by sharing files. Worms spread from one computer to another over the Internet, so they’re said to infect an entire computer instead of a particular file,” Nachenberg said.
“In the case of Happy99, it installs itself on your computer in your operating system and it monitors any time you send e-mail out over your Internet connection. Then it modifies the e-mail and attaches an attachment containing the worm itself.”
When a user opens Happy99.exe, it looks simply like an animated fireworks graphic. Nachenberg said people run the attachment because it’s often coming from a friend so they assume they can trust it. He said Happy99.exe doesn’t do any damage other than clogging inboxes.
Much more spooky is NetBus 2.0 Pro, which Rouland said has positioned itself as a “remote administration and spy tool.” Released in February, NetBus 2.0 enables an attacker to remotely monitor audio and video in the victim’s site if there is a video camera or microphone attached to the computer, including built-in microphones common to laptops, Rouland said.
“The hacker could turn them on and see what’s going on,” he said.
Rouland said chat systems are great entry points for attackers into a corporate network.
“Because these are basically client/server, TCP/IP systems where they enable people to have connectivity together, they have inherent vulnerabilities and can be used to distribute files. Corporations should be careful about enabling employees to get on chat systems,” Rouland advised.
“If you’re using a technology like ICQ or IRC, even if you’re in a private room, your computer is registered on the network and you have potential vulnerability.”
Clyde said many organizations know what they have to do to protect their networks, but lack the time to get the security deployed. Both AXENT and ISS market intrusion-detection products and services, so both Clyde and Rouland recommend intrusion detection as a strong means of protection against hackers.
But Clyde said no system is unbreakable, and he stressed that even sophisticated intrusion-detection systems need to be regularly maintained and updated.
“If you know how an intrusion-detection system works and you study it long enough, you might be able to find a way not to trigger it. It’s kind of like breaking into a bank without tripping over the little electric eyes. If you knew exactly where every one was, it might not be easy, but you could do it,” Clyde said.
