In 1986, Congress passed the “Computer Fraud and Abuse Act,” which made unauthorized access to computer systems illegal. The history of hacking, however, dates back to the early 60s, when MIT students experimented on the mainframe computer systems on campus. The first phone hackers in the 70s used toy whistles, which generated the same frequency signal as AT&T’s switching program, to make free phone calls. By the 80s, hacking moved to personal computers, and bulletin boards were used as hubs for hackers. During this time, it also became a social phenomenon, a subject of movies and a topic of interest in magazines. The reality is that hacking has evolved with computer information technology. Regardless of the various milestones in computer security, beginning with the mainstream software security movement in 1999 following the release of Windows 98, hacking has always been the response to computer security. Currently, hacking continues to be in an asymmetric war with increasingly complex security layers, algorithms, and parameters.
Prior to the 1990s, hackers often had a loose “code of conduct” (5) which they would abide by. This included common ethics, such as “leave no trace” and “information wants to be free.” Post-90s hackers are far less bound by restraints, and have very few ethical restrictions. Most younger-generation hackers are ruthless, decentralized, and use their hacking skills to break into systems as a form of entertainment – or as the internet meme currently defines it, doing it “for the lulz.” (6) The most common network security exploits, including denial of service (DoS) attacks, Trojan horses, viruses/worms, and sniffing, happen on a daily basis to all major service providers around the world. In 2000, the CIO of the Pentagon pleaded with the attendees at Defcon to stop targeting government systems (2), and offered jobs to “talented individuals” who wanted to help prevent these attacks. The Assistant Secretary of the DoD echoed the same thing. In 1999, there were 22,000 confirmed attacks against DoD’s systems. In 2009, there were 71,000 incidents (3). These numbers indicate that cyber attacks have been steadily increasing, despite laws, regulations, and improved technology. In addition to Defcon, events such as the U.S. Cyber Challenge seek to draw hackers to show their skills, ultimately identifying the most talented so they can be hired to work as security specialists. These hosted events, and the actions undertaken by the government and other corporations, present us with an unanswered question that also happens to be one of the topics covered in the old hackers’ code of conduct: does hacking help improve security?
The answer is complex and depends on the effects of the hack and the intentions of the hackers. Government and corporate entities have “Tiger Teams,” groups of hackers who try to infiltrate their systems so they can improve their security. The hackers infiltrate a system using various exploits and attacks, and then provide details on how it was done so that the vulnerability can be fixed. A combination of hacking techniques, such as vulnerability scanners, crackers, spoofing, rootkits, and impersonation of legitimate users, is used to access the system. This is extremely valuable to organizations seeking to protect their data. External Tiger Teams can be attracted through websites such as FreeHackers.org and ethicalhacker.net. Security teams from corporations anonymously set up test scenarios, then attract these hackers to see if they can break into their system. If the system is compromised, their hope is that the hackers will expose how the exploit was accomplished. It is unclear how these external tiger teams, or “white hat” hackers, are compensated for their efforts. The demand for white hat hackers, “penetration testers,” or “ethical hackers” has been increasing steadily in the past decade. With millions lost due to security breaches and billions of dollars of data on the line, organizations are not only looking for security analysts, but also for talented hackers, often young computer users without formal education, who want to use their hacking skills to build a career. White hat hackers note that while they are inside a corporation, there is an 80-90% probability of accessing internal systems. This success rate drops to 20-30% when attempting to access company systems externally (9). Other instances of white hat hacking occur when a professional reports a security vulnerability to an organization without exploiting it for gain, such as the recent Skype Zero Day vulnerability that only existed on Mac clients (10).
On the other side of the spectrum, malicious “black hat” hackers, such as members of Anonymous, present to us “the epitome of all that the public fears in a computer criminal.” (7) The same techniques are used, but the hacker is generally ruthless in methodology. In addition to using technology, a black hat hacker often employs psychological methods to acquire access information that would otherwise be very difficult to obtain by technological means. With phishing, a hacker can impersonate a supervisor via fake emails – a legal service that is widely available online (https://www.anonymousspeech.com/). With impersonation, a hacker can intimidate a user into giving up access information. Additionally, a hacker can take advantage of someone’s helpful nature, drop names of important leaders in an organization, and feign involvement with law enforcement (8). Information such as company managers, domain owners, and email addresses can be easily found online. The exploitation of people, in some cases, is easier than the exploitation of technological vulnerabilities. Organizations spend millions every year on training their employees on cybersecurity for this very reason, and update their security policies on a yearly basis. Through access to an individual’s email account, and by having access to one portion of a system, the entire network can be compromised. While malicious hackers always break a law of some form, communities for these hackers, such as the one found on www.hackanonymous.com (do not visit this link), operate legally under “educational” purposes, even though all of their general intentions and tools exist to cause general mayhem. Successful black hat hackers, such as Kevin Mitnick and Gary McKinnon, have cost millions of dollars in damage and crippled thousands of computers (11). Many black hat hackers remain anonymous after their illegal activity, leaving organizations struggling to patch up their system security.
Ultimately, hacking and exploiting systems improve the complexity of security measures either directly, as a result of a white hat hacker testing security vulnerabilities in a system, or indirectly, as a result of attempted hacks by malicious black hat hackers. In 1998, a hacker group called L0pht (www.l0pht.com) described their behavior where members “grapples with questions of ethics and law in the line of their work.” Full disclosures are conditional and vulnerabilities are found with the intention to “secure, rather than exploit.” Like many hacker groups that were present in the 90s, present hackers not associated with organizations doing “white hat” hacking often fall into a category of “grey hat.” The reason for this is two-fold: even though a hacker does not maliciously attempt to hack a system, they cannot reveal an exploit because they fear that there would be consequences to their actions. For example, in 2010, a group known as Goatse Security discovered and reported a network flaw that revealed iPad users’ emails (12). Upon making this vulnerability available to the public, members of the hacker group have been investigated by the FBI and prosecuted. This is a grey area, since originally the hackers did not intend to profit or to harm AT&T, but still revealed the exploit publicly instead of reporting it to AT&T. In the end, this was still done for entertainment, and “for the lulz” in this case ultimately resulted in a breach of security for all iPad users. This vulnerability, had it been found first by a black hat hacker, would have been worth a lot of money to people who operate spam bots.
As an IT consumer and professional, I believe hacking is necessary for computer security to exist and remain a market. The U.S. federal cybersecurity market is currently valued at $55 billion for the next six years (13). The protection of information and the reconnaissance of information will always be in focus. Current military programs, such as the Navy’s Information Dominance program, provide us with an IT landscape that is always in preparation for the next contingency. Hacking has evolved from simple alterations in mainframes to an equalizer that drives an entire market through its measures and countermeasures. Hacking is necessary because humanity has not changed since the inception of hacking. Most hackers, regardless of their alignment, are true technology experts. There will always be malicious hackers and the security against them will continue to become more complicated, even though the advantage will always be theirs – and the answer to the question “how do I know I am being hacked?” continues to be as elusive as “how do I successfully hack a computer.” The scale of hacking is now international, as well as national and personal to an IT consumer. The natural progression of hackers vs. secure systems will continue into the future, as it has throughout the last three decades.
7) Moore, Robert (2006). Cybercrime: Investigating High-Technology Computer Crime (1st ed.). Cincinnati, Ohio: Anderson Publishing.
10) http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking
13) http://www.marketresearchmedia.com/2009/05/25/us-federal-cybersecurity-market-forecast-2010-2015/