SecurityProNews Directory: A Directory For All Things Security

Evolution of the Hacker Threat

Internet attacks are increasing in number and complexity. The simplicity of attacks such as Slammer has given way to more sophisticated attacks.

Those behind Internet attacks have also changed. The cyber-criminal of today is much less likely to be the neighborhood geek recklessly unleashing malware. Instead, modern cyber-criminals are often motivated by politics or greed.

Since 2003 there has been a rapid increase in spyware and corporate data theft. Spyware is frequently used in identity theft and may allow access to an individual’s financial accounts. Corporate data theft attempts have focused on stored credit card information. Since the enactment of California’s SB1386, successful thefts frequently result in public disclosure. This has a double effect: consumers are warned that their information has been stolen and may attempt to limit the damage to their credit, while companies suffer public embarrassment. Companies may see their stock valuation drop following such incidents, or even go out of business.

Two types of Hacking attacks:

There are many ways to divide the different hacking attacks. For the purposes of this paper we will divide them into (i) Opportunistic and (ii) Targeted.

(i) Opportunistic

Opportunistic attacks do not focus on a particular target; rather, they are aimed at millions of PCs. Their percentage success rate is low, but in absolute terms they are very effective. Opportunistic attacks frequently exploit human weaknesses:

a) The Nigerian/419 scams focus on greed and typically involve a scenario where the consumer receives an email promising them millions of dollars if they help the scammer transfer money. They usually have the net effect of draining the consumer’s bank account and stealing their identity.

b) The ‘romantic scams’ often target single girls in foreign countries, who are usually contacted through an online personal ad. After winning their trust, the new boyfriend asks them to use their bank accounts to cash cheques and send the proceeds overseas. A plausible reason is given and this usually continues for a few months. Then the police arrive and inform the girl that she has been cashing altered or stolen cheques. By this point the proceeds have disappeared, and so has the boyfriend.

c) Jokes and screensavers have historically had great success in forwarding viruses globally.

d) Opportunistic viruses and worms. These target millions of PCs which are susceptible to direct attack due to suboptimal network design and host protection. SQL Slammer, Code Red and Nimda fit into this category.

Only amateurs and those in ‘safe’ countries (where law enforcement is generally uncooperative in cyber crime investigations) launch attacks from their own PCs. With almost 50% of consumer wireless networks in the US unencrypted, hackers can easily piggyback onto another’s network. In Europe the numbers are lower, at approximately 25%. Nonetheless, over 50% of those using encryption are using WEP encryption, which can be broken by experienced hackers in less than two minutes. Until WPA2 with strong passwords becomes commonplace, hackers will often find that the easiest route to the internet is by piggybacking on a home user’s wireless network. The access points they use will have very limited auditing, so if the police ever show up at the owner’s door, there will likely be no audit trail to track back to the hacker.

With the growth in botnets, zombie armies are available for rent on the internet. These allow hackers to control millions of PCs to launch spam and zero-day remote exploits. This gives hackers a tremendous time advantage, in that they can potentially compromise machines before they get patched.

If botnets are used to launch attacks, many millions of PCs may be successfully exploited. Once compromised, hackers may exploit them by:

· Enlisting the machines into their own zombie army for future zero-day or Distributed Denial of Service (DDoS) attacks

· Installing keyloggers to steal usernames/passwords and financial information (these are frequently followed up by targeted hacking)

· Stealing cached browser information: usernames, passwords, social security numbers, website accounts

· Automatically testing these stolen usernames/passwords on eBay, PayPal, Hotmail, and financial sites for further access

Brute force

Hackers may also attempt brute force attacks. They point their brute force tool at websites with millions of users. These tools automatically generate usernames and try to sequentially break into user accounts. These techniques still work because end users typically re-use passwords. Most end users have three or four passwords which they constantly recycle on the internet. Even more worrying is how many people share the same passwords. Many users use ‘password’, ‘qwerty’, or ‘letmein’. Lists of the top 50 passwords abound on the net. Using these we have in the past cracked between 10-15% of user accounts. If you are on a site with millions of accounts, that is a large number. These can then be tried on more secure sites, which typically lock you out after a few attempts.

Brute-force username attacks, when combined with the most common passwords, are still effective. The accounts exposed may be mined for social engineering, financial and sensitive material. At the least, these accounts may be abused to send spam or malware.
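To make the pattern above concrete from the defender’s side, here is an added example (not code from the article or from McAfee) that flags a single source failing against several distinct usernames inside a short window, the signature of a tool generating usernames and trying common passwords, and then lists which accounts that source went on to log into. The log format, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log; format, names and addresses are invented for this example.
SAMPLE_LOG = """\
2006-03-01T10:00:01 auth fail user=alice src=203.0.113.7
2006-03-01T10:00:02 auth fail user=bob src=203.0.113.7
2006-03-01T10:00:03 auth fail user=carol src=203.0.113.7
2006-03-01T10:00:05 auth ok user=erin src=203.0.113.7
2006-03-01T10:00:09 auth fail user=alice src=198.51.100.4
2006-03-01T10:00:31 auth ok user=alice src=198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$")

def parse_log(text):
    # Non-matching lines are skipped rather than aborting the whole run.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def find_spraying_sources(events, min_users=3, window=timedelta(minutes=5)):
    # src -> sorted usernames for sources failing against >= min_users distinct accounts in any `window`.
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "fail":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged

def successes_after_spraying(events, flagged):
    # Accounts a flagged source then logged into: probably cracked, so lock and reset them.
    hits = defaultdict(list)
    for _, result, user, src in events:
        if result == "ok" and src in flagged:
            hits[src].append(user)
    return dict(hits)
```

A single user failing a few times from one address (the second source above) is not flagged; the thresholds are parameters so they can be tuned to the site’s normal failure rate.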

Dumpster Diving

Dumpster diving occasionally yields a plethora of information. Rather than searching for unshredded paper documents, dumpster divers now target discarded hard drives. FTK, EnCase and other forensic programs can be used to recover old deleted documents and passwords. Recently, old computers donated to charities in Africa have been mined for information, resulting in many bank accounts being exposed (http://news.bbc.co.uk/2/hi/business/4790293.stm). Those selling hard drives on eBay should also be wary. The credentials and accounts gleaned are usually used to initiate targeted hacking.

(ii) Targeted

Targeted attacks generally focus on individual people or companies. Hackers frequently have a grudge against the companies or perceive there is something of value to be obtained by compromising their target. Quite often they conclude this after examining data exposed from opportunistic hacking methods.

Experienced hackers plan their attacks carefully and cover their tracks, deleting audit logs and using proxies. They also generally follow the hacking methodology (see below). Inexperienced hackers, however, frequently launch attacks from their own machines and are much easier to track down.

Targeting Individuals

In addition to hackers, both disgruntled employees and suspicious spouses frequently initiate such attacks. Those with physical access to their target’s machine may use physical keyloggers. However, these do not work on laptops and have negative repercussions if discovered. Software keyloggers are now more commonly used, and are widely advertised on the internet. Many spyware programs and malware incorporate keyloggers; the more sophisticated ones also take screenshots. Personal emails, instant messages, financial accounts and passwords are frequently harvested from keyloggers. Up-to-date anti-spyware, anti-virus and a desktop firewall are the best defence.

In recent years the phenomenon of ‘Spring Boarding’ has evolved and it is being used when targeting individuals. Spring Boarding usually involves the following steps:

● Target1 has already been compromised by either opportunistic or targeted hacking. Passwords have been harvested and assimilated by the hacker.

● The hacker uses this information to learn the nature and extent of the relationships between Target1 and prospective targets.

● The hacker uses social engineering to gain information that will compromise Target2.

● Target2 is successfully harvested and used as a springboard to another lucrative target.

Data availability:

Recent years have seen an explosion of personal data on the internet. This makes social engineering and identity theft much easier:

· Google. Most hackers use Google to gather information on their target, be they individual or corporate. A number of books have been written showing advanced uses of Google for ‘security testing purposes’.

· Blogging: Blogs are a goldmine for social engineers. They can provide insight into a target’s day to day concerns, opinions, psyche, and friends. Sites such as MySpace, Bebo and Yahoo360 carry this further and provide photographs, personal details, hobbies, and even vacation plans.

· LinkedIn and OpenBC: Here a social engineer can view a target’s Curriculum Vitae, including where they work, who their colleagues are and what titles they hold.

These sites, amongst others, are excellent sources of information for hackers, who can misuse the data. Hackers are empowered to pass themselves off as close friends, colleagues or relatives to gain sensitive information.

Hackers may even obtain credit reports on their targets. In the past they have used the stolen information to fraudulently obtain loans, mortgages (http://attorneygeneral.utah.gov/PrRel/prmay192004.htm) and credit cards. Personal blackmail is also frequent. While trolling through e-mail and the target’s hard drive, past indiscretions may come to light. Many targets are willing to pay to keep this information confidential and are unlikely to go to the authorities.

Targeting companies:

If the attack is to be carried out remotely, the step-wise hacking methodology is likely to be followed. If the hacker is nearby, and the risk of discovery is low, then opportunistic hacking may be attempted. Examples include:

· Dumpster diving

· Visiting the business under the pretence of legitimate business. If left unsupervised, they attempt to find an empty cubicle and plant a wireless access point or password sniffer.

· Leaving malware onsite or in the parking lot (e.g. USB keys with auto-loading spyware and keyloggers)

· Contacting ex-employees pretending to be a recruiter for a competitor. Asking ex-employees to describe in detail their security projects.

· May leverage information gained from blogs etc to socially engineer access to the building.

Financial Incentives:

The catalyst for the change in hacking motivations in recent years has been the availability of financial incentives. Although hackers have stolen sensitive information in the past, the rise of readily available markets to sell it has led to a demand for such information. The rise of new industries that ‘fence’ stolen information has been key.

Since mid-2005, the ability to sell and trade live bank accounts, credit card information and personal IDs on IRC channels has become widespread. The profitability of the channel ensures its success. Take the following example: An attendant in a gas/petrol station copies credit card numbers. These are sold online at 25 cents per number. They are purchased and the credit cards are validated against e-commerce sites. Now that the cards are ‘validated’, they carry a premium and are sold to a third recipient for $1 each. The final recipient prints and distributes physical reproductions of the original card, and sells these for $20 each.

‘Scholarships’ have been awarded by crime syndicates. Finders of zero-day vulnerabilities and exploits may be offered financial incentives to pass this information on to a crime syndicate rather than going through the much maligned disclosure process. These exploits are kept for targeted attacks and are amongst the most powerful tools in these organizations’ arsenals.

Blackmail is a formidable online tool. Personal blackmail may result from keylogging, remotely reading email, stealing embarrassing photographs and uncovering indiscretions. Companies have been targeted for extortion especially if they are high volume, high margin financial transaction sites (e.g. online casinos). These sites are commonly threatened by zero day exploits and DDoS attacks. Other companies are afraid of the costs and brand damage which result from a public exploit. Those compromised may be tempted to pay a hacker ‘hush money’ to keep their success quiet.

Stolen credit card information and cash transferred from compromised accounts are frequently used for purchasing goods. eBay vendors and e-Commerce sites are commonly victims. The goods are generally shipped to an unsuspecting home user who re-ships the goods to a foreign address for a nominal fee. These home users have often responded to jobs which advertised ‘work from home, earn money reshipping packages’ and unwittingly launder goods for an international crime syndicate. Most of the goods when received abroad are sold and converted to cash.

Cash may be transferred directly from compromised bank accounts and PayPal. These transfers are usually sent to unsuspecting local bank accounts owned by those duped by either a ‘Nigerian’ or a ‘romantic’ scam. They may not raise red flags, as the money is not transferred overseas directly.

With the increase in Identity theft and the creation of markets to buy and sell identities, defrauders currently have the upper hand. As long as trusted agencies and companies lose unencrypted laptops with thousands of identities, and consumers fail to protect their identity, the situation will continue. Fraudsters will continue to obtain loans, credit cards and mortgages in victims’ names.

The Hacker methodology:

The hacker methodology is a step-by-step approach taken by many hackers. It has been made famous by George Kurtz and Stuart McClure in their book ‘Hacking Exposed’. Each step requires investigation and planning, and frequently a large repertoire of tools and skills.

System security:

One point has become obvious: antivirus is no longer enough. Email links can send users to phishing sites where they may be exploited. Pharming can manipulate DNS to similar effect. Spyware will slow down machines and steal user data. Keyloggers can surreptitiously send logs of every keystroke via email to a hacker. Unpatched machines may become DDoS zombies. For better protection from zero-day attacks, Host Intrusion Prevention Systems (HIPS) offer the best defence.

Reliance on just a network firewall is negligent. Wireless Access points must be secured and endpoints need layered protection.

However, no one layer of security protection will solve all problems. A multi-layered security approach must be followed. While corporate deployments should consider all of the layers below, consumer machines should have as a minimum:

· Antivirus

· Anti-Spyware

· Desktop Firewall or HIPS

· Anti-Spam filters

· Anti-Phishing technology (such as available for free from www.siteadvisor.com)


Ken Baylor
About Ken Baylor
Dr. Ken Baylor is Director of Risk Management Solutions with McAfee. He has 15 years experience leading IT organizations, and is recognized as an expert in Risk Management. Ken holds both CISSP and CISM certifications.
