If you are following the security news, you will not be surprised by what I cover in this post. It’s old news already for most people working in security. But it’s worth discussing this more, to raise awareness. In a nutshell, the idea is that breaking computers is ceasing to be mainly an entertainment form for people whose computers skills are underemployed and instead it is becoming a criminal act.
The difference between hackers and crackers is one that can generate long discussions. I’ll provide some simple definitions, to set the background for this thread. My definitions may not be perfect, but I’m trying to keep them short. A hacker is basically a person looking for in-depth knowledge of a system; a cracker on the other hand is looking for ways to break systems for fun or benefit – for a cracker, knowledge is just a tool for getting acknowledged and causing disruption; for a hacker, knowledge is the main goal. Sometimes, the term hacker is applied indiscriminately to both categories, which naturally is found offensive by those in the first category. From the perspective of the law, hackers can be seen as staying (mostly) on the good side of the law, while crackers are always on the bad side (I used “mostly” earlier because legislation being what it is, what is legal in one country may not be in another one and, in particular, because hacking most obviously can come in conflict with rules restricting reverse engineering of software). With this behind, let’s resume the discussion…
There will always be hackers as long as there are people that are passionate about computer systems. No problem here. The problem is what happens with the crackers. Launching a worm was providing a way for a cracker to prove his skills and to gain notoriety, but there was no material gain from such activity – the activity could cause material loss for others, but the cracker didn’t benefit directly. Worms that replicate as fast as SQL Slammer did, for example, are of no benefit to the cracker – the worm will take machines out, making its activity obvious and eventually leading to its identification and elimination; plus, whatever exploit was used, will now be fixed and for the next worm, the cracker will have to find a new exploit. This was not a big issue when security flaws were found everywhere, but in the past few years, computer security has understandably received a lot of attention, leading to an improvement of security in all major products, so the security landscape is now considerably changed from what it was 5 years ago. It’s no longer that easy to find a new exploit, and this has important repercussions. As usual, it’s a matter of simple economics – if a necessary resource becomes scarce, its value will climb. Going forward, we’re going to see fewer worms than in the past, but this doesn’t mean we’re safe. What this means is that crackers have realized that exploits are valuable, so instead of being wasted on useless worms, they’ll now be put to use for more complex operations, such as stealing sensitive data. Unlike writing a worm, these operations will rarely be a one-man stint – they’ll involve several people, with the cracker being only one guy getting paid to provide code that exploits a vulnerability (see links at the end of this post for a more complete picture). Because exploits are sold for money, they’ll no longer be available for script kiddies, so these will most likely disappear. Look at the following two recent high profile data thefts:
This is no longer the work of people getting bored or looking to make a name for themselves in the cracker community. It’s not the work of hackers either. This is as much of a crime as a bank heist. It’s scary, but it’s what we’ll see more and more often in security news.
If there is a point to be made, I think it is that the threats to security should be taken very seriously. Do not think of attackers as teenagers killing time, think instead of them as being sophisticated criminals whose skills equal or surpass yours and who may be targetting you or your company specifically. Don’t build defenses assuming attackers have limited capabilities, build them assuming they have access to the same technology that you do, and assume that they may even understand the technology better than you do. Basically, don’t underestimate the enemy.
Here are more links about the underground economy and cybercrime. They go in much more depth into how things are working on the other side of the fence:
And one from the news: