Information Security News: Eight Faces of a Hacker

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/document.asp?doc_id=120800

By Tim Wilson
Site Editor
Dark Reading
MARCH 29, 2007 

"If you know the enemy and you know yourself, you need not fear the 
result of a hundred battles." -- Sun Tzu, The Art of War

"Who are those guys?" -- Paul Newman, Butch Cassidy and the Sundance Kid

You fight against them every day: hackers, attackers, insiders. You know 
what they do, but not who they are. They are often nameless, usually 
faceless. You'd like to be able to guess their next move, but that can 
be pretty difficult when you don't even know what motivates them or why 
they're attacking you.

Is there a way to "profile" a hacker, the way the police might profile 
an arsonist or a serial killer? Not exactly. But quietly, a collection 
of university researchers and law enforcement agencies has been 
developing a taxonomy of the hacker community, much as an entomologist 
studies and classifies insects. And police and security experts hope 
that taxonomy will eventually help them identify and root out the 
vermin.

"To address the problems created by hackers, it is apparent that we need 
more than just technical controls," says Marc Rogers, a professor at 
Purdue University and author of the industry's most widely-used taxonomy 
of the hacker community. "We also need to start understanding the 
individuals behind the attacks."

The effort to understand the psychology of hackers and attackers is 
nothing new. Psychological studies of "phone phreaks" can be found as 
far back as the early 1980s, and MessageLabs is publishing a study on 
internal "company devils" today. The idea behind most of the studies is 
the same: to break the stereotype of the hacker as a socially-inept male 
teenager sitting behind a PC in his parents' basement.

There is no single profile of a hacker, inside or outside the company, 
Rogers says in the most recent update of his taxonomy paper. In fact, 
the idea of lumping all hackers into a single group is "analagous to 
attempting to understand criminal activity by lumping the entire 
spectrum of traditional criminals (i.e., shoplifters to homicidal 
psychopaths) into one generic group," he says. "The idea seems 
ludicrous, yet this is what we are currently doing with the criminal 
domain of computer crimes."

There has been a "huge shift" in hacker profiles in the last few years, 
as motives shift from curiosity to financial gain, says Rogers, who has 
worked with law enforcement agencies on hacker profiling and computer 
forensics. But security managers should also be wary of oversimplifying 
the new threats as well, he advised.

"For years, vendors treated the 'cyber-punk' as the boogeyman, and they 
built at least some of their business on the fear that some brilliant 
teen would launch a virus," Rogers says. "Now some of them are painting 
organized crime as the boogeyman, spreading this notion that the Russian 
mafia is out to get every business."

In reality, there are lots of different types of attackers, Rogers 
states. His taxonomy breaks them up into eight different categories, 
each with different characteristics and motivations. The taxonomy is 
frequently used by law enforcement agencies and other researchers as a 
starting point for profiling computing attackers. "It's a long way from 
perfect, but I wanted to give people something to shoot at."

1. The Novice
Sometimes called "script kiddies," this group is typically young, with 
limited skills, whose primary motivation is thrill seeking and ego 
stroking. In order to prove their worth, they attempt to "rack up" 
trophies, often using pre-written software.

2. The Cyber Punk
This group comes closest to fitting the traditional view of the hacker 
-- young males with some skills and programming capabilities with a 
desire for attention and, sometimes, monetary gain. They typically 
choose high-profile targets, and they often choose vandalism over 
outright data theft.

3. The Internal
These are the insiders -- those who use their internal system privileges 
to gain access to unauthorized data. They generally fall into two 
subcategories: disgruntled employees seeking revenge and those who are 
looking to use the data for financial gain.

4. The Petty Thief
Traditional criminals who learn how to hack in order to expand their 
field of targets. They usually are not skilled at first, but they 
sometimes become skilled over time. Their sole motivation is money.

5. The Old Guard
Motivated by curiosity and the need for an intellectual challenge, these 
highly skilled individuals are capable of writing code and scripts. 
Espousing the ideology of the first-generation hackers, they usually 
have no criminal intent but will readily post the scripts and code they 
develop.

6. The Virus Writer
This group is still being defined, Rogers says. It is made up mostly of 
young males, who tend to age out of the group once they hit their mid to 
late twenties. This group differs from the Cyber Punks in that its 
motivation is more along the lines of revenge or curiosity than 
notoriety.

7. The Professional Criminal
Highly-trained IT experts who use their skills for financial gain. They 
tend never to be caught or even come to the attention of the 
authorities, Rogers says. These are the "hired guns" employed by 
organized criminal groups.

8. The Information Warrior
Motivated by patriotism, these individuals use their skills to disrupt 
the command and control of a rival nation. They are typically highly 
trained and highly skilled.

These categories have remained fairly stable since Rogers developed the 
taxonomy in 1999, but many subcategories are evolving all the time, 
Rogers says. "I expect this to develop like an ornithology, where people 
take the basic structure and develop taxonomies for the subgroups."

One category that has gotten a good deal of attention from researchers 
is the Internal group, which has been difficult to study because of 
companies' reluctance to share information about insider threats and 
break-ins. Several researchers have published studies on the topic in 
the last two years.

The Secret Service and Carnegie Mellon University in 2005 released a 
paper that says there are no common demographics among insiders who 
damage or steal customer data, but there are indicators of risk.

Thirty-three percent of subjects were perceived by management as 
'difficult,' and 19 percent were viewed as disgruntled by other 
employees. Twenty-seven percent had come to the attention of a 
supervisor or a co-worker for behavior concerns, and another 27 percent 
had prior arrests, the study says. While 42 percent of those motivated 
by greed were female, only 4 percent of those motivated by 
disgruntlement were female.

In a study published last year, Eric Shaw, a professor at George 
Washington University, reported that most of the insiders they studied 
displayed four basic traits: a history of negative social and personal 
experience; a lack of social skills; a sense of entitlement; and ethical 
flexibility. These traits, combined with a right stress factors and 
opportunities, can lead to a higher incidence of insider attacks, he 
said.

But such studies may overlook the more frequent instance of accidental 
security exposure from inside the company. In a study being published 
today, MessageLabs found that the "devils" in most companies are not 
those that intentionally steal or damage company data, but who expose it 
to outsiders by breaking company security protocols.

According to MessageLabs, the danger comes from young, tech-savvy 
junior-level sales types who are under pressure to meet their quotas.

"The problem is that the more you lock down your systems, the less 
usable they become," notes Paul Wood, senior analyst at MessageLabs. 
"These people are under pressure to meet their objectives -- they are 
moving quickly and they don't have time for systems that aren't usable. 
So they'll use their technical skills to find a way around the policy."

These company "devils" are natural multi-taskers who will use any means 
necessary to get their jobs done -- including IM, wireless, VOIP, and 
email -- from any access point, and without regard for security policy, 
Wood explained. Their intent is not malicious, but they may create 
avenues for security breach without knowing it, he says.


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org