Monday 27 October 2008

BBC reports rise in script kiddie activity

As you may have noticed, I like to keep an eye on the mainstream media as well as the technical press. When you see a technology story appear on national news, it is either an important news story or a slow news day – but what is news to one person might be olds to another. So, the BBC report that young people are getting more involved in hacking. So, what triggered this comment? Why, that would be this BBC video

What they have there is known in the trade as a Script Kiddie. They blur the screen but it is clear that one of the forums is talking about the world’s easiest and commonest attacks, the SQL injection attack. It may be easy to do but that doesn’t make it less effective. Quite the reverse. Some very big names have been hit by that one. So, it seems that kids are being more active in low level cyber crime. Let us look at the various types of hacker that might be testing your web based solutions or sending files to choke your app through email.
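The attack the post refers to is easy precisely because the vulnerable code is so ordinary: a login query built by gluing user input into a SQL string. The following is an added example, not code from the original post or from Digital Looking Glass; it uses an in-memory SQLite table with constructed sample users and shows the concatenated query beside the parameterised one that defends against it. Function names and the sample data are assumptions for the illustration.

```python
import sqlite3


def build_db():
    """Create an in-memory SQLite database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_concatenated(conn, username, password):
    """VULNERABLE: user input is pasted straight into the SQL text.

    Quotes in the input become part of the query syntax, so the WHERE
    clause can be rewritten by whoever controls the input.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    """HARDENED: the query text is fixed and the values travel separately.

    The database driver binds the values as data, never as SQL, so a quote
    in the input is just a character in a string being compared.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run the same credentials through both versions and return the verdicts."""
    conn = build_db()
    try:
        return {
            "concatenated": login_concatenated(conn, username, password),
            "parameterised": login_parameterised(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A wrong password is rejected by both versions.
    print(compare("alice", "wrong"))
    # The classic tautology input: the concatenated query now reads
    # ... AND password = '' OR '1'='1'  and lets anyone in; the
    # parameterised query still compares the literal string and refuses.
    print(compare("alice", "' OR '1'='1"))
```

The point to take from the two functions is that the fix is not "filtering quotes" but changing how the query is assembled: once the statement text is constant and values are bound by the driver, the shape of the input no longer matters. The same pattern applies to every database API that offers placeholders, which is all of the mainstream ones.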

The Script Kiddie. The script kiddie gets very little respect. Even the journalist was not much impressed by that one. They tend to be scavengers, picking crumbs from a rich man’s table. They will use techniques that they have learned from more experienced hackers. You might think that people with useful hacking skills would keep these things as trade secrets. Well, some do and some don’t. Those that don’t feed the script kiddies. One thing that is new is that they seem to be doing this increasingly for profit. They used to “tag” websites with their screen names or just cause damage but it seems that they are now dabbling in a little credit card fraud. Well, times are hard and pocket money is not as easy to come by. They are sometimes minors and rarely over the age of 20. 18 is often a critical age because at that point, it stops being a problem for the parents and becomes an offence against the 1990 Computer Misuse Act punishable by 6 months to 2 years in the UK. You can get longer in the US, of course. British law is rather lenient in this regard.

“Hacker” is a bit of a problematic term because you can be a hacker and never once compromise someone’s security. A hacker can just be someone who codes down near the metal which always struck me as damn good fun. Rather than hacker, let us talk about hats.

White hats are hacking for non-malicious and generally legal reasons. You can hire white hats if you want. Just look for “Penetration testers” which is what they prefer to be called. Oh, while I am on the topic, Digital Looking Glass will be launching a PenTesting service next year. Some companies combine testing and penetration testing and that gets a lot of the glitches out of the software before it is released. It makes testing very slow and expensive but you pay your money and take your choices. There are also universities that study the techniques and responsibly report flaws to the software authors.

Grey hats have the same skills and they use them for… well, other reasons. They are not normally criminals or at worst will only break civil law rather than criminal law. As with so many things, there are shades of grey. Some will work with software vendors to get vulnerabilities fixed. Others will write exploit code and publish it to “encourage” the vendor to fix the bugs. You better bet that the script kiddies love sample code, especially when it is in a high level language that they can understand. A lot of the rootkit developers were nominal grey hats. The rootkits that we find in commercial malware (yes, there is such a thing) are normally pretty much unchanged from the sample code provided by the grey hats. The code is readily available. No really. Don’t believe me but see for yourself. Just go to www.rootkit.com. You will find a lot of script kiddies begging in the forums.

There are lots of other sites for the aspiring and practicing hacker. Here are a few that I have been to in the last week:

www.hackthissite.org An excellent site with graded exercises to enable anyone to learn how to crack systems. The forums are also very useful.

www.port7alliance.com/txt/hackbg.html is a bit less up to the minute but has some nice exercises for helping the scripters make progress towards the big time.

http://www.cultdeadcow.com/ The cult of the dead cow is a well known group that have produced some remarkable tools such as Goolag which uses Google to search for vulnerable parts of sites.

http://www.governmentsecurity.org has a whole collection for a range of platforms – the formatting is not excellent but the material is generally very good.

There is plenty of material out there. If a grey hat wants to go black hat or a script kiddie decides to play in the big time then the techniques are no further away than your browser search bar. So, what sort of black hats are there?

There are some who work solo – not all computer users play well with others. They will typically be looking for anything that they can get. If they find a home system, they will gather credit card details if they can and pay for their web use for a while. Small amounts are likely to go unnoticed for a while. If they get into a company network and can steal a few then they will sell them. A good solo worker with the right connections can clear $250,000 which is not too bad when you don’t file a tax return.

The black hat gang. There are some small independent groups but generally they are run by another group. The hacker gangs are generally small although there have been reports of larger ones in China. Some have suggested that corrupt government officials are running them. Well, I don’t know because they don’t publish their accounts. All that can be said for sure is that the security guards who were standing outside were wearing Chinese military uniforms and armed with the AK47, just like Chinese military usually are. As for the non-military ones, a lot of them are eastern European. The Solntsevskaya and Dolgopruadnanskaya organisations run multiple cybercrime gangs. They have a number of approaches. There are botnets which are used for extortion (denial of service against websites, typically online casinos), SPAM, data gathering (passwords and credit cards) and rental. They have phishing operations too – typically against western banks but also against PayPal and similar organisations. Sometimes these are combined. I have seen spam bots churning out spam advertising the stolen credit card numbers for sale. I had to get the message translated. Of course, that could well have come from the next type of black hat. Some of them will be looking for whatever they can get, working much like solo black hats. You can hire them by the hour if you know the right people.

Finally, there are state run black hats – or maybe white hats. It depends where you are standing. After all, we sponsor freedom fighters and they sponsor terrorists. A number of states definitely have some very smart people hacking for them. Is this good or bad? Well, it depends on the target. The computer that you are using depends on principles developed in Bletchley Park, Station X. That was a project to break German codes and it gave us the finite state machine. There are ethical questions there which I can’t answer.

So, the BBC may well be right in saying that younger kids are getting involved in cybercrime – but let us be honest here. It is not as if there was a shortage of cybercriminals without waiting for junior to grow up.

Interesting times indeed

Signing off,

Mark Long, Digital Looking Glass Ltd

3 comments:

Anonymous said...

Interesting read, and I only have one minor comment:

The Chinese army does not use AK-47's. In fact, almost no one does today, they have been replaced by AKM or AK-74 in most places, and most rifles commonly called AK-47 are actually AKM's. China used a rifle called Type 56, which is a modified version of the AK-47, but even that one has been replaced with the Type 81, a much more advanced rifle, still inspired by the AK-family, but with several important improvements. In other words, if the guards had AK-47's, they were most likely not army.

That concludes my nitpicking for today.

A request for an article: It would be very interesting to hear your views as a security expert on the upcoming wave of massive eavesdropping systems and databases of private information such as Echelon, Onyx or the ones put in place here in Sweden by the FRA. Will they be effective? How invasive will they be? What types of information will they handle? Will they catch crooks, or just ordinary citizens? Will they be worth it?

Mark Long said...

Hi Troberg

Thanks for the comment :-)

Ah yes, the AK74, first revealed by the ever wonderful Jane's guide to Infantry weapons (www.janesguide.com). It is an example of how espionage need not be high tech. To be honest, I couldn't tell the difference between an AK47 and an AKM without a guide and it wasn't me that went to see the workshop. It was a gentleman who worked for the US Federal Government who I do not plan to name :-)

As for the whole issue on government monitoring, I already discussed it here:

http://digitallookingglass.blogspot.com/2008/10/1984-project-delivered-late-big-brother.html

Hope that this helps

Mark

Anonymous said...

They are hard to tell apart. The easiest way is that the AKM has a black plastic grip, but not even that is sure, as several parts are interchangeable, among them the grip, and this is frequently done. It's not even uncommon to see AK-74's with an AK-47 stock. Modular design at its best! :)

I'll read the other article now.