Know your enemy: a profile of a hacker

Hackers - who are they, and why do they do what they do? Alice Kok is given a glimpse into the murky underworld of cyber crime by one of the world’s most prolific hackers

Michael Valentine Smith (or Valsmith, as is his web nickname) is the founder and CEO of Attack Research, a firm he set up last year that offers intelligence on why and how computer attacks happen. He is an active member of the world’s most influential info-security communities like Defcon, Metasploit and Black Hat and, as such, he knows as much as there is to know about cyber crime and cyber criminals. Val ‘talked’ to me using AIM, the instant messaging service. What follows is a transcript of our conversation.

Q: What’s your definition of a hacker?

Hackers are really just explorers. They understand how computers work, and enjoy finding their way around computer systems to make things happen that aren’t supposed to. The original hackers started at MIT (Massachusetts Institute of Technology), but hacker culture began in the cryptography world; people who build codes and other people who try to break them. ‘Cryptos’ were one of the first groups on the internet.

Q: So it isn’t a culture driven by malicious intent, rather a case of tools falling into the wrong hands?

Sometimes the things hackers figure out are used by people with dubious motives. But then the same applies to phones and telemarketing, stamps and mail fraud.

Q: What do hackers do when they convene at events like Black Hat and Defcon?

Jeff Moss [a prominent ‘white hat’ hacker] runs both of these big security conferences. He makes sure hackers can get exposure and get their research published. This research can be beneficial for a number of reasons. Consumers get to know if the products they are buying are unsafe. Vendors get free quality assurance testing, even if a lot of them don’t appreciate the bad publicity. And researchers learn about new techniques and ways to improve their work. The conferences have a culture of trust and transparency, although people all use aliases and don’t like having their picture taken.

Q: How often do companies contact hackers for help?

It’s getting more and more common. You often see articles these days about so-and-so fixing a problem. But it’s usually kept confidential.

Q: How about the public sector? Do governments get hackers to test their systems, or do they rely fully on vendors?

That I don’t know. It is something no one talks about. But I’d presume so, yes.

Q: What’s hot in the hacker community right now?

In the past, people would ‘run exploits’ directly at a port on an operating system (OS), but now with firewalls and intrusion prevention systems that has become much harder. So now hackers attack the client rather than the OS and get users to click on web sites or open files that give them access through the firewall. You go after the web browser, the email client or the document reader: Firefox, Internet Explorer, Safari, Adobe Acrobat, Microsoft Word and Excel… The next big thing will be attacking the Apple OS X because it is so easy. And attacking Microsoft Vista, because it is so hard. The bad guys are going after money and most people run Windows. So most attacks are against Windows because that’s where the money is. The bad guys aren‘t attacking Apple yet, simply because there are not enough people using Apple operating systems. If Apple was on as many computers as Windows, hackers would have a field day. Apple’s underlying operating system security is very, very poor. It is about ten years behind everyone else’s.

Q: Which operating systems do you rate highly?

I don’t have an OS preference. I really like Apple, but it is not secure. Linux has a lot of good technology to prevent hacks, but fewer people use it compared to Microsoft—much like Apple. Windows Vista is pretty tough to break into, but all OS have problems.

Q: How about when biometric access control comes about? I read that at Black Hat this year, Vietnamese hackers proved that facial recognition systems can be bypassed.

Pretty much anything can be bypassed. It is a matter of time and money. If a hacker spends 30 days on an exploit instead of doing his usual research for US$150 an hour, he loses a lot of money.

Q: How do you guys usually look for exploits?

Researchers usually look at Microsoft patches, and reverse engineer them to find bugs. You either do it for kicks, or you tell Microsoft and earn money out of it.

Q: Are there cases of security people crossing over to the dark side and using their knowledge to do harm?

Yes, and I know one such guy personally. But it’s not common.

Q: What are your proudest achievements so far, hacking-wise…

I’ve done a lot of things. I founded Offensive Computing, a computer security community, which has the largest publicly available malware collection on the internet. And also Attack Research, which is tracking and analysing the infrastructures of Russian and Chinese hackers. For Black Hat and Defcon, I’m going to release a tool to help penetration testers phish, and some PDF reverse-engineering tools too. At Black Hat, our talk was about hacking without exploits. Most people focus on exploits like buffer overflows. But you can get information from the internet that lets you break in without exploits, or you can use configuration settings. These cannot be patched or detected as easily as exploits, which means you can slip in and out of the system without being detected. For example, if we can get on one computer in a network, and the company uses a certain piece of software for authenticating users, we can hijack other users’ access codes and impersonate them.

Q: What’s the motivation for bad hackers to get into ordinary people’s computers?

Bad guys get money for every piece of spyware they install and every computer they add to their botnet [a group of hacked computers]. And there are those who steal information or identities and get money through credit card details and social security numbers. The bad guys also steal account information and sell it on. Another way of earning money is to direct web traffic to certain web sites that need an audience for their advertisers.

Q: Tell me about hacking and the underground economy

It’s a complicated ecosystem. There are the guys who write the tools. Then there are the guys who use the tools to hack. Then there are the guys who buy information from the hackers. The information is re-sold or used to buy merchandise for sale on eBay. Then there are the mules: unsuspecting people who move money between banks for a small cut. Turns out the banks make the most money because of the transaction fees! Security companies make a bundle, too, because they sell products to everyone to stop information theft, without actually stopping it. The really smart guys who write the hacking tools make the least money out of anyone.

Q: Is there a vendor capable of stopping these thefts?

No. The smart guy does it for fun, money, a little bit of fame or to learn stuff. But vendors don’t really have an interest in stopping it. They need it to go on so they can keep on selling their wares. But I don’t think vendors could win even if they wanted to. Anything can be broken into. Vendors could try to make it harder though, like Linux and Microsoft are trying to. But a lot of them are not trying hard enough. Symantec, for example. But then the banks don’t really want to stop it either, because they just push the costs to the merchants, who push it on to their consumers.

Q: Would a normal end-user be better off without any vendor security products, then?

You’d probably need firewalls and anti-virus programmes. Running a Macintosh is OK for now, but not for long. What I usually tell people is to do important, sensitive stuff only from a Linux boot CD.

Q: What about governments—what are they doing to stop it?

Governments don’t seem interested. They focus more on surveillance, intelligence and cyber warfare. Small-scale crimes are not a major priority.

Q: Tell me more about credit card information—what is it good for?

Most credit cards are not much use. They are either deactivated quickly, or have low credit limits. Credit cards only pay in bulk for organised crime syndicates which use them to make lots of small purchases, then sell them on eBay. There are small timers and big timers, but I don’t know who the key players are. It is very hard to attribute things on the internet.

Q: So isn’t hacking more trouble than it is worth?

That’s the funny thing. There’s always value in hacking. There is always data people do not want you to have that you can make use of somehow. But you can make so much more money being a researcher if you are good enough. Or at least, make money through legal means, whether through penetration testing or research. Most hackers who present at conferences do that kind of work full-time, for Cisco, TippingPoint, Symantec, Microsoft or IOActive. The average salary is US$140,000 a year, basic. Then there are bonuses, money for speaking and training. On one of the jobs, I was making a dollar every four seconds! I could be breaking into governments’ or people’s computers to steal money, but I make more money with no risk being legitimate. If you sell your exploits to TippingPoint or iDefense (companies that deal in exploit intelligence), you can get lots of money: up to US$100,000 for a single exploit!

APRIL 2009 ISSUE

Subscribe to the printed version of Asian Security Review