Cracking the hackers' code
Matthew X
profrv at nex.net.au
Sun May 9 03:28:28 PDT 1999
http://theage.com.au/articles/2002/08/20/1029114072039.html
By Suelette Dreyfus
August 20 2002
If your organisation suffered a computer crime in the past few years and
reported it to AusCERT, it was probably an attack from outside your walls.
Nearly 90 per cent of Australian organisations that reported an incident
were attacked externally, according to the 2002 Australian Computer Crime
and Security Survey. This is the first time the threat of being attacked
from outside surpassed the likelihood of an assault from inside.
It might be increasingly difficult to keep out external hackers but there
are signs IT managers are finding it easier to win support within companies
for improving security. Management consulting firm McKinsey & Co recently
studied security best practices at Fortune 500 companies. About 30 of these
companies, including AOL Time Warner, Merrill Lynch, Microsoft and Visa
International, had appointed a chief security officer or other senior
executive to oversee information security. In some cases, this executive
had the power to stop the launch of new products or systems, and answered
only to the chief executive.
The recent AusCERT study stated that 70 per cent of Australian
organisations surveyed had increased spending on information security in
the past year.
All of this is good news for IT managers. Most attempted attacks come via
script kiddies, according to Neal Wise, senior security consultant for
eSec, a Melbourne-based security technology company. Keeping software up to
date should provide a good first-line defence but he also recommends
putting pressure on vendors to release security patches in a timely
fashion. "You can vote with your wallet," he says.
Yet Grant Bayley, organiser of Sydney's 2600 group, a gathering of security
enthusiasts, says that while the number of hackers has increased, the
percentage of highly skilled hackers has stayed the same, suggesting their
total numbers are up as well. "These are the people who are really good at
writing exploits - original and very obscure exploits. And people don't
write exploits just to have them sit there and look pretty."
More sophisticated hackers may be more difficult to defend against, in part
because their motivations may be complex. A small subset of these hackers
obsess about a problem day after day, ignoring the rest of their lives. If
you are running a network or a system, understanding what drives people to
break in will help you to defend your organisation.
Meeting "Higgs", formerly one of the most skilled illegal hackers of the
Australian computer underground, can be a high-stress experience; Higgs
fidgets with other people's things until they break.
He doesn't mean to break them, he just pulls and prods at them incessantly
while he bounces his knee up and down and talks. When the item cracks or
snaps, he looks utterly surprised, as though he had no idea the item was in
his hand. He sheepishly slips the broken pieces into his pocket, adding to
his sins by running off with the evidence.
He sometimes has one-way conversations with people, meaning he talks and
they try to get a word in edgewise. He is always right, and he is only
interested in "the truth", no matter how bare and brutal. This inflexible,
seemingly arrogant attitude frequently gets him into trouble, in part
because he is usually right. Or because when he's wrong, he's so wildly off
the mark, it's funny. He's also anti-social, partly due to shyness, but
also because most people bore him. He says they don't feed him information
fast enough. "I can't do that chit-chat stuff," he says.
Like a number of other technically elite hackers, Higgs shows
characteristics similar to those shown by people with Asperger syndrome.
This neurobiological disorder, which may resemble mild autism, has often
been misdiagnosed in the past. The condition only made it into the
Diagnostic and Statistical Manual of Mental Disorders in 1994.
Like elite-end hackers, many "aspies" are exceptionally skilled in a
specialised area. A 2001 University of Cambridge study into the syndrome
showed a higher incidence of AS/High-Functioning Autism, which seem to be
related, among scientists and mathematicians. Tests of 840 students showed
"that mathematicians scored higher than engineers, physical and computer
sciences, who scored higher than medicine and biology". The condition is
also more common among males and may have a genetic component.
There does not appear to be any in-depth research linking illegal hacking
and Asperger syndrome. However, one of the world's leading AS experts,
Australian clinical psychologist Tony Attwood, believes some hackers may
share characteristics with "Aspies", as they refer to themselves.
"The link between AS and computers is well known. Computers were designed
by - and for - people with AS," Attwood, based in Queensland, says. "Those
with AS seem to know the language of computers better than social or
conventional languages. It is quite plausible that people with AS may
pursue an interest in cracking."
Historically, AS has been linked to at least one area that has become a key
part of computer security: cryptography.
"The team that cracked the Enigma code appeared to include several
individuals who showed characteristics of Asperger's," Attwood says. This
included the father of modern computing, Alan Turing.
"It's the sheer challenge rather than any (criminal intent). It's the
pursuit of knowledge and truth - with different priorities and perceptions
... They see it as an intellectual challenge and a prize, (and) they look at
the success of what they have done rather than the consequences of the
lives of people they have affected."
Aspies typically have an almost obsessional approach to solving problems
and are often oblivious to their peers' view that a given problem is
"unsolvable". Both are often prerequisites to becoming an elite-end hacker.
What effect might hacking have on an Aspie?
"Hacking is giving them an intellectual orgasm. And they are addicted to
the intellectual orgasm," Attwood says.
This doesn't mean all illegal hackers have AS, or that these hackers should
escape criminal conviction. However, the linking of AS and hacking could
have an impact on conviction or sentencing in future.
Previously, what experts termed an extreme addiction to hacking played a
key role in a landmark British hacking case. Based on the descriptions of
the hacker's behaviour, the apparent addiction could well have been a
manifestation of AS. In a jury trial, the legal defence team of the British
hacker "Wandii" showed the hacker was obsessed with computers and the
intellectual challenge of beating them. The jury acquitted him of criminal
charges in just 90 minutes, apparently because it decided he lacked mens
rea, or awareness of criminal wrongdoing.
"You would not use AS to say a person is of unsound mind, because such
people are very logical (if) eccentric," Attwood says.
"But (a diagnosis) could alter sentencing in two ways. First, in
(assessing) the degree of criminal intent. And, second, in deterrence. They
may need treatment for a compulsion, which may be irresistible, rather than
a prison sentence or a psychiatric institution."
In the US, convicted hackers have been banned from using computers for long
periods as part of their sentences. Attwood says this approach is likely to
be inappropriate for Aspies. Denying them use of computers is very
different than for most people.
"What we might look at instead is controlled access in a constructive way
for convicted offenders," he says.
"Res" is a skilled Australian Black Hat hacker. Extremely private, street
smart, he holds back, watching you, taking your measure. He slips in a
little cynical humour now and again, showing he's cool but not cold. But
he's a contrast to the stereotypical Hollywood geek hacker because he has a
life.
"I haven't spent a Friday or Saturday night at home since I was 17," Res says.
While not showing any visible signs of AS, he's clearly capable of
obsessional behaviour. "I am obsessive: I collect things. I like having
everything, I never delete anything. I am a radical person. I'm all or
nothing."
He says he doesn't read books but that's not quite true. He buys technical
textbooks. Other than specialist mailing lists and the newspaper, the only
other thing he reads is the Slashdot website.
The Cambridge study suggests a "continuum" of disability, "with AS as the
bridge between autism and normality". Res may represent a point on the
spectrum between AS and obsessive - a place other top hackers might also
occupy.
Hacker group 2600's Grant Bayley estimates that, based on his experience,
"You probably wouldn't find more than two AS symptoms in any one hacker but
you would find more symptoms in 50 to 70 per cent of hackers in the mid to
upper-skill level."
Higgs recognises he has some AS traits and he believes having AS could
definitely contribute to hackers rising in the ranks of the elite underground.
"It is not that AS gets you to the top of the pile but it can help. Because
there are some things that are broken, you are forced to use other parts of
the brain instead. The ability to blinker everything else and not get
distracted helps."
He views the AS-affected hacker mind as being like the Internet: "That
hacker's mind sees group dynamics as damage and routes around it."
However, after interacting with a number of top hackers around the globe
over several years, he argues there are other contributing factors.
"For these people to get where they have, Asperger's isn't enough. They
have something else. Clearly (convicted American hacker Kevin) Mitnick's
talent doesn't just come from AS; there is something else there. Like his
social engineering talent - you just wouldn't associate that with AS," he says.
"The 'f***-you' attitude is also a requirement. Every one (of the top
hackers) has had the 'f***-you' ingredient ... You cannot defy authority and
break the law thousands of times a year without the 'f***-you' ingredient."
Suelette Dreyfus is the author of Underground and an honorary fellow at the
University of Melbourne's department of information systems.
How to deter the obsessive attacker
What is the best way to defend your network against illegal hackers who
show Asperger syndrome-like characteristics?
A former highly skilled and obsessive hacker, "Higgs" suggests breaking the
patterns of usual defensive behaviour.
Trip wires in packaged software might be anticipated by a pattern-based
hacker. "Set up trip wires that are unique," he says.
Also, use your logs in different ways for tell-tale signs of a hacker's
trespass.
"Backdoor the 'ls' command (in UNIX), which gives you a list of files.
Record its arguments and when it is used. A (pattern-based) hacker might
not think to look for logs of that.
"Backdoor the SSH (secure shell) client to record who is using it and when.
Keep secret log files in unusual locations."
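
The wrapper idea Higgs describes, as an added example (not part of the article or the original post): shell functions that record who ran `ls` or `ssh`, when, and with which arguments, then hand off to the real binary. The log path and the names tw_quote, tw_record and tw_run are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: audit wrappers for ls and ssh, meant to be sourced
# from a system-wide shell profile on a host you administer.

# Placeholder path; the article's advice is to pick an unusual location.
TRIPWIRE_LOG="${TRIPWIRE_LOG:-/var/lib/example-tripwire/cmd.log}"

# Resolve the real binaries before the wrapper functions shadow them.
REAL_LS=$(command -v ls || echo /bin/ls)
REAL_SSH=$(command -v ssh || echo /usr/bin/ssh)

# Replace every non-printable byte (newlines included) with '?', so an
# argument cannot inject a forged line or field into the log.
tw_quote() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# Append one record: UTC time, user, parent PID, cwd, command, arguments.
tw_record() {
    cmd=$1; shift
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) user=$(id -un) uid=$(id -u)"
    line="$line ppid=$PPID cwd=[$(tw_quote "$PWD")] cmd=$cmd argc=$#"
    for a in "$@"; do
        line="$line arg=[$(tw_quote "$a")]"
    done
    # Owner-only file; a logging failure must never change what the
    # user sees, so errors are swallowed.
    ( umask 077; printf '%s\n' "$line" >> "$TRIPWIRE_LOG" ) 2>/dev/null || true
}

# Record the call, then run the real command with its arguments untouched
# and return its exit status.
tw_run() {
    real=$1; shift
    tw_record "$real" "$@"
    "$real" "$@"
}

ls()  { tw_run "$REAL_LS" "$@"; }
ssh() { tw_run "$REAL_SSH" "$@"; }
```

Functions are only seen by shells that source this file; running a binary by its full path bypasses them, so review the log as one signal among several.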