There is a common perception that hacking originated as a fun activity, turned into a criminal business, and is now evolving into cyber warfare – and that during this process hacking techniques have become increasingly sophisticated. While this is true on one level, the view is based on a fundamental misconception: that the nature of hacking has changed. It has not. Any evolution in hacking techniques has been driven more by opportunity than by any change in the nature of the hacker. This article will argue the following:
- Hackers have changed very little since the 1980s (there have always been moral and immoral hackers)
- Hacking technologies have changed very little (they have always been the minimum necessary)
- Motivations have changed very little (it has always been for fun or profit)
- Opportunities have changed dramatically. It is the response to opportunities that has molded and will continue to mold hacking techniques. As opportunities emerge, hackers will evolve.
In the Beginning…
The early days of hacking are described by Paul Field in his book A British Hacker in America: The Story of PMF & ‘Operation Cybersnare’. The story starts with the arrival of the first microcomputers in schools, at a time when the kids knew as much as their teachers and frequently outperformed them.
As a schoolboy, Field was driven by a desire to get the computer to do more than the supplier allowed. “Most early games used [a] type of protection, a system called ‘locking’ the file, so you could only run the program. You couldn’t load it and modify it. Just run it”, he writes. So Field hacked it – a process and motivation conceptually no different from jailbreaking an iPhone some 25 years later to enable more than Apple intended.
In the early days there were few opportunities to make money from hacking. Mostly it was just pirating games and other programs for personal use and trade. Again, this continues today. By the time Field left school, the internet was growing; but the web hadn’t begun. Communication was by voice telephony or by dialing in to remote private bulletin boards. This was expensive – especially if, like Field, you lived in the UK and the BBS [bulletin board system] was in America. He and many others used their computing skills to phreak – hacking the telephone system to get free connections.
Even then, phreaking wasn’t always just for personal consumption. Field’s book describes his involvement in Operation Cybersnare, the US Secret Service’s first sting operation against ‘hackers’ in 1995. Field had moved to the US, and his reputation among hackers was high. Nevertheless, he was busted. Field worked with the Secret Service – on the proviso that he wouldn’t give up any of his friends.
Together they set up the snare, a BBS called Celco 51, with a Secret Service ‘trap and trace’ on all of the telephone lines. When the time came, writes Field, “There was a lot of commotion as each of the arrests went down, and I was glad to see only the people who were committing the crimes for financial gain were being arrested.”
Evidently, as early as 1995, hackers were hacking for profit, and law enforcement was setting up elaborate stings to catch them. Nothing much has changed beyond the scale of opportunity and the complexity of the challenge. That scale changed with the emergence of the World Wide Web and ecommerce around the turn of the century, and the complexity increased with the improving security of the software industry around 2005.
“Early on”, explains HD Moore, CTO of vulnerability management specialist Rapid7 and founder of Metasploit, “attacks were driven by silly things like curiosity, ego, and vengeance. As the internet became a critical component of our lives, the criminal element has found ways to extract money.”
Phi Beta Hacker
Independent security researcher and expert Graham Cluley divides the hacking fraternity into three basic categories: hobbyists, criminals and spooks. They each appear to have their own ‘era’ in the evolution of hacking, but the reality is that each category has always existed, and each category still exists today. It is the environment rather than the hacker that has changed.
Hobbyists, like the young Field, were the first on the scene. Some evolved into the early virus writers: a few were destructive, but most were in it for the kudos. “There was a badge of honor in honing code over many, many months that would prove difficult for anti-virus vendors to detect”, explains Cluley. “The ‘coolness’ of malware would be measured by the millions of mutations its polymorphic engine could produce, rather than the millions of dollars it might bring to its maker.”
Then came the criminals, who quickly realized that viruses and stealthier trojans could be used to make money via fraud. “Fake anti-virus attacks, ransomware, keyloggers and spyware were produced en masse”, Cluley recalls. “In addition, organized criminals oversaw the rise of the botnet – a way of monetizing millions of PCs, by ordering them to launch a DDoS [distributed denial-of-service] attack or spread spam campaigns.”
Now we have the spooks engaged in state-sponsored cyber espionage and warfare. We think cyber spies are new, but it is naive to think so; we think cyber war is new, but all governments have been exploring it for many years. In both cases it is cheaper, safer, and potentially more effective than traditional real-world methods.
In all three categories, the techniques are basically the same – and they are only as sophisticated as they need be. We still have the hobbyists, but now they are jailbreaking iPhones, doxing real or perceived enemies and engaging in hacktivism. Criminals are as old as society, and will never go away. Only the spooks seem to be new; but it is probably just our recognition of them that has changed.
Duck and Cover
Flame is a good example of spook-driven malware. Widely considered to be a state-produced cyber weapon, it needed to be both stealthier and more sophisticated than the average password-stealer in order to breach national defenses and stay hidden. It probably doesn’t augur a new era of malware: its ability to remain hidden for so long has as much to do with its targeted nature as with the quality of its code. Many of the targets don’t have access to the robust information security defenses found in other parts of the world – if they had such security, Flame would almost certainly have been discovered much earlier.
Advanced persistent threats (APTs) are another example. David Harley, senior research fellow at ESET, is dubious about the term. “I’ve always disliked it”, he says. “‘Advanced’ seems to suggest something clever, but actually a sophisticated attack is just as sophisticated as it needs to be.” In reality, nobody has come up with a definition for APT that satisfies everyone – it usually comes down to an instinctive view: ‘this is more than a common or garden-variety trojan, so it must be an APT.’
HD Moore agrees. “The criminal element has done a great job at using minimum skill to meet their goals”, he suggests. “If you look at some of the APT analyses performed by AV firms, there is often little skill involved in gaining a foothold. The same tricks that worked 10 years ago still work today.”
If there is any single characteristic of APTs, it’s that they are focused on a specific target. The evolution of such targeted attacks probably has more to do with the emergence of individual targets than with some inherent evolution in the art of hacking.
A second element of APTs – and a major feature of the more successful contemporary malware – is stealth, or evasion. This was in response to the increasing efficiency of anti-malware software. Around 2005, Moore says, “the major software vendors started to actually improve the security of their products”. Evasion has a simple principle: avoid detection and you avoid removal.
Some of the evasion techniques used were recognized and named by security firm Stonesoft as ‘advanced evasion techniques’ (AETs). They demonstrate the action and reaction nature of hacking: a methodology is developed (delivery of trojans), blocked (by anti-malware), and refined (by the addition of AETs). The latest response from the security industry is anti-AET products and network analytics. The former seek to recognize the behavior of known evasion methods, while the latter seek to recognize the network tracks of malware, whether that malware is known or unknown.
Counterbalancing this ‘evolution of necessity’ and supporting Harley’s view that malware is only as sophisticated as it needs to be, a new espionage campaign emanating from India was discovered in May 2013 by both ESET and fellow security firm Norman. There are three features worth noting: it was successful, it used unsophisticated malware, and it relied on sophisticated social engineering. That was all that was needed, and all that was employed.
The Bare Minimum
Although it is tempting to believe that there have been different eras of hackers and hacking, such an assessment is misleading. Throughout the history of hacking there have been just two major motivations: pranks and profit. Pranks can be for innocent fun, less innocent lulz or simple revenge. Profit can be for enhanced capabilities, direct monetary gain, intellectual property or political advantage. Once the target is selected, the sophistication of the attack will be the minimum that is necessary to succeed. If no existing techniques can succeed, then new techniques will be developed – but as a reaction to current conditions, never as an end in itself.
Today, the security industry tends to react to perceived advances in hacking techniques. It is one step behind the hacker. But it will always be so, because the evolution of attack technologies is conditioned by the quality of defenses; and the evolution of motivation is controlled by the opportunity for prank or profit.