Cracking the hackers' code

Matthew X profrv at nex.net.au
Sun May 9 03:28:28 PDT 1999


http://theage.com.au/articles/2002/08/20/1029114072039.html
By Suelette Dreyfus
August 20 2002
If your organisation suffered a computer crime in the past few years and 
reported it to AusCERT, it was probably an attack from outside your walls. 
Nearly 90 per cent of Australian organisations that reported an incident 
were attacked externally, according to the 2002 Australian Computer Crime 
and Security Survey. This is the first time the threat of being attacked 
from outside surpassed the likelihood of an assault from inside.
It might be increasingly difficult to keep out external hackers but there 
are signs IT managers are finding it easier to win support within companies 
for improving security. Management consulting firm McKinsey & Co recently 
studied security best practices at Fortune 500 companies. About 30 of these 
companies, including AOL Time Warner, Merrill Lynch, Microsoft and Visa 
International, had appointed a chief security officer or other senior 
executive to oversee information security. In some cases, this executive 
had the power to stop the launch of new products or systems, and answered 
only to the chief executive.
The recent AusCERT study stated that 70 per cent of Australian 
organisations surveyed had increased spending on information security in 
the past year.
All of this is good news for IT managers. Most attempted attacks come via 
script kiddies, according to Neal Wise, senior security consultant for 
eSec, a Melbourne-based security technology company. Keeping software up to 
date should provide a good first-line defence but he also recommends 
putting pressure on vendors to release security patches in a timely 
fashion. "You can vote with your wallet," he says.
Yet Grant Bayley, organiser of Sydney's 2600 group, a gathering of security 
enthusiasts, says that while the number of hackers has increased, the 
percentage of highly skilled hackers has stayed the same, suggesting their 
total numbers are up as well. "These are the people who are really good at 
writing exploits - original and very obscure exploits. And people don't 
write exploits just to have them sit there and look pretty."
More sophisticated hackers may be more difficult to defend against, in part 
because their motivations may be complex. A small subset of these hackers 
obsess about a problem day after day, ignoring the rest of their lives. If 
you are running a network or a system, understanding what drives people to 
break in will help you to defend your organisation.
Meeting "Higgs", formerly one of the most skilled illegal hackers of the 
Australian computer underground, can be a high-stress experience; Higgs 
fidgets with other people's things until they break.
He doesn't mean to break them, he just pulls and prods at them incessantly 
while he bounces his knee up and down and talks. When the item cracks or 
snaps, he looks utterly surprised, as though he had no idea the item was in 
his hand. He sheepishly slips the broken pieces into his pocket, adding to 
his sins by running off with the evidence.
He sometimes has one-way conversations with people, meaning he talks and 
they try to get a word in edgewise. He is always right, and he is only 
interested in "the truth", no matter how bare and brutal. This inflexible, 
seemingly arrogant attitude frequently gets him into trouble, in part 
because he is usually right. Or because when he's wrong, he's so wildly off 
the mark, it's funny. He's also anti-social, partly due to shyness, but 
also because most people bore him. He says they don't feed him information 
fast enough. "I can't do that chit-chat stuff," he says.
Like a number of other technically elite hackers, Higgs shows 
characteristics similar to those shown by people with Asperger syndrome. 
This neurobiological disorder, which may resemble mild autism, has often 
been misdiagnosed in the past. The condition only made it into the 
Diagnostic and Statistical Manual of Mental Disorders in 1994.
Like elite-end hackers, many "aspies" are exceptionally skilled in a 
specialised area. A 2001 University of Cambridge study into the syndrome 
showed a higher incidence of AS/High-Functioning Autism, which seem to be 
related, among scientists and mathematicians. Tests of 840 students showed 
"that mathematicians scored higher than engineers, physical and computer 
sciences, who scored higher than medicine and biology". The condition is 
also more common among males and may have a genetic component.
There does not appear to be any in-depth research linking illegal hacking 
and Asperger syndrome. However, one of the world's leading AS experts, 
Australian clinical psychologist Tony Attwood, believes some hackers may 
share characteristics with "Aspies", as they refer to themselves.
"The link between AS and computers is well known. Computers were designed 
by - and for - people with AS," Attwood, based in Queensland, says. "Those 
with AS seem to know the language of computers better than social or 
conventional languages. It is quite plausible that people with AS may 
pursue an interest in cracking."
Historically, AS has been linked to at least one area that has become a key 
part of computer security: cryptography.
"The team that cracked the Enigma code appeared to include several 
individuals who showed characteristics of Asperger's," Attwood says. This 
included the father of modern computing, Alan Turing.
"It's the sheer challenge rather than any (criminal intent). It's the 
pursuit of knowledge and truth - with different priorities and perceptions 
... They see it as an intellectual challenge and a prize, (and) they look at 
the success of what they have done rather than the consequences of the 
lives of people they have affected."
Aspies typically have an almost obsessional approach to solving problems 
and are often oblivious to their peers' view that a given problem is 
"unsolvable". Both are often prerequisites to becoming an elite-end hacker.
What effect might hacking have on an Aspie?
"Hacking is giving them an intellectual orgasm. And they are addicted to 
the intellectual orgasm," Attwood says.
This doesn't mean all illegal hackers have AS, or that these hackers should 
escape criminal conviction. However, the linking of AS and hacking could 
have an impact on conviction or sentencing in future.
Previously, what experts termed an extreme addiction to hacking played a 
key role in a landmark British hacking case. Based on the descriptions of 
the hacker's behaviour, the apparent addiction could well have been a 
manifestation of AS. In a jury trial, the legal defence team of the British 
hacker "Wandii" showed the hacker was obsessed with computers and the 
intellectual challenge of beating them. The jury acquitted him of criminal 
charges in just 90 minutes, apparently because it decided he lacked mens 
rea, or awareness of criminal wrongdoing.
"You would not use AS to say a person is of unsound mind, because such 
people are very logical (if) eccentric," Attwood says.
"But (a diagnosis) could alter sentencing in two ways. First, in 
(assessing) the degree of criminal intent. And, second, in deterrence. They 
may need treatment for a compulsion, which may be irresistible, rather than 
a prison sentence or a psychiatric institution."
In the US, convicted hackers have been banned from using computers for long 
periods as part of their sentences. Attwood says this approach is likely to 
be inappropriate for Aspies. Denying them use of computers is very 
different than for most people.
"What we might look at instead is controlled access in a constructive way 
for convicted offenders," he says.
"Res" is a skilled Australian Black Hat hacker. Extremely private, street 
smart, he holds back, watching you, taking your measure. He slips in a 
little cynical humour now and again, showing he's cool but not cold. But 
he's a contrast to the stereotypical Hollywood geek hacker because he has a 
life.
"I haven't spent a Friday or Saturday night at home since I was 17," Res says.
While not showing any visible signs of AS, he's clearly capable of 
obsessional behaviour. "I am obsessive: I collect things. I like having 
everything, I never delete anything. I am a radical person. I'm all or 
nothing."
He says he doesn't read books but that's not quite true. He buys technical 
textbooks. Other than specialist mailing lists and the newspaper, the only 
other thing he reads is the Slashdot website.
The Cambridge study suggests a "continuum" of disability, "with AS as the 
bridge between autism and normality". Res may represent a point on the 
spectrum between AS and obsessive - a place other top hackers might also 
occupy.
Hacker group 2600's Grant Bayley estimates that, based on his experience, 
"You probably wouldn't find more than two AS symptoms in any one hacker but 
you would find more symptoms in 50 to 70 per cent of hackers in the mid to 
upper-skill level."
Higgs recognises he has some AS traits and he believes having AS could 
definitely contribute to hackers rising in the ranks of the elite underground.
"It is not that AS gets you to the top of the pile but it can help. Because 
there are some things that are broken, you are forced to use other parts of 
the brain instead. The ability to blinker everything else and not get 
distracted helps."
He views the AS-affected hacker mind as being like the Internet: "That 
hacker's mind sees group dynamics as damage and routes around it."
However, after interacting with a number of top hackers around the globe 
over several years, he argues there are other contributing factors.
"For these people to get where they have, Asperger's isn't enough. They 
have something else. Clearly (convicted American hacker Kevin) Mitnick's 
talent doesn't just come from AS; there is something else there. Like his 
social engineering talent - you just wouldn't associate that with AS," he says.
"The 'f***-you' attitude is also a requirement. Every one (of the top 
hackers) has had the 'f***-you' ingredient ... You cannot defy authority and 
break the law thousands of times a year without the 'f***-you' ingredient."
Suelette Dreyfus is the author of Underground and an honorary fellow at the 
University of Melbourne's department of information systems.
How to deter the obsessive attacker
What is the best way to defend your network against illegal hackers who 
show Asperger syndrome-like characteristics?
A former highly skilled and obsessive hacker, "Higgs" suggests breaking the 
patterns of usual defensive behaviour.
Trip wires in packaged software might be anticipated by a pattern-based 
hacker. "Set up trip wires that are unique," he says.
Also, use your logs in different ways for tell-tale signs of a hacker's 
trespass.
"Backdoor the 'ls' command (in UNIX), which gives you a list of files. 
Record its arguments and when it is used. A (pattern-based) hacker might 
not think to look for logs of that.
"Backdoor the SSH (secure shell) client to record who is using it and when. 
Keep secret log files in unusual locations."
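
A minimal sketch of the `ls` trip wire described above, written as an added example (it is not code from the article or from "Higgs"). The log path, the function names `tripwire_record`, `ls_logged` and `tripwire_hits`, and the record layout are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: logging wrapper for ls. All names and paths are hypothetical.
TRIPWIRE_LOG="${TRIPWIRE_LOG:-/var/tmp/.example-tripwire.log}"  # assumed "unusual" location
REAL_LS="${REAL_LS:-$(command -v ls)}"                          # the genuine binary

# Append one tab-separated record:
#   UTC time, user, tty, working directory, command, bracketed arguments
tripwire_record() {
    cmd=$1; shift
    tty_name=$(tty 2>/dev/null) || tty_name="notty"
    args=""
    for a in "$@"; do
        # Flatten tabs/newlines so a crafted argument cannot forge extra records
        clean=$(printf '%s' "$a" | tr '\t\n' '  ')
        args="$args [$clean]"
    done
    # Fail open and stay silent: an unwritable log must not change ls behaviour
    { printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$tty_name" \
        "$PWD" "$cmd" "$args" >>"$TRIPWIRE_LOG"; } 2>/dev/null || true
}

# Record the invocation, then hand over to the real ls with identical arguments
ls_logged() {
    tripwire_record ls "$@"
    "$REAL_LS" "$@"
}

# Review helper: print records whose working directory or arguments
# mention a watched path (plain substring match, no regex surprises)
tripwire_hits() {
    awk -F '\t' -v pat="$1" 'index($4, pat) || index($6, pat)' "$TRIPWIRE_LOG"
}
```

The same `tripwire_record` call can front the SSH client mentioned in the quote. A shell-function wrapper is visible to anyone who runs `type ls`, so it only catches an intruder who does not look.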






More information about the cypherpunks-legacy mailing list