"Tell me your network address man and you’re dead man."
It started just like that. An IRC participant with the handle ‘bitchchecker’ had been abusing others on German satirical site stophiphop.de. In the exchange, posted by moderator elch (German for ‘moose’) several years ago, the irate user is said to have accused the moderators of kicking him off the IRC channel associated with the site.
Ignoring their protests that he’d simply suffered from a ping timeout, he decided to flex his l33t muscles. What would the moderators do? Simple: They gave him the address 127.0.0.1, and he proceeded to use it.
Dumb and Not-so-Dumb
The internet is full of shady, smart hackers, who search for zero-days and work quietly behind the scenes building sophisticated attacks. These are the people behind advanced persistent threats. They are the authors of Stuxnet, and the perpetrators of Operation Aurora. They are driven by commercial or political gain, and they have earned their spurs through diligence, patience, and secrecy.
For every one of these, though, there are a thousand wannabes. These are computer enthusiasts, often as anti-social as ‘our friend’ bitchchecker, lured by the cachet of hacking culture. They use off-the-shelf tools to make up for their lack of knowledge. They generally don’t know what they’re doing, while the former usually do.
Kellman Meghu, security engineering manager at Check Point Canada, categorizes these hackers as either script kiddies, or business-driven hackers. “Because the scripts that script kiddies run are generic, we already know about the attacks as they come in”, he says.
For those of us with a dark sense of humor, there’s nothing more enjoyable than documenting the less subtle of those attacks. Honeypots – systems specially set up to be found and attacked online – are perfect places to watch hackers at work. Sites such as iwatchedyourhack.org (down for maintenance at the time of writing) post recorded documentation of hackers trying out their skills.
The iwatchedyourhack website wasn’t around when bitchchecker launched his attack but, thankfully, moose was:
I’ll be awaiting your groovy hack attack
in 5 minutes your harddrive will be erased
In truth, things are more complex than Meghu makes out. Bitchchecker is the worst kind of hacker – both dumb, and emotionally stunted. But in many cases, educated and intellectually adept hackers can display other weaknesses. These weaknesses can be loosely mapped onto the seven deadly sins.
Greed
“The greed angle seems to catch smart people as well as the dumb ones”, says Jack Daniel, director of the National Information Security Group and co-founder of grassroots security conference network Security BSides. It is a good example of what can emerge when a smart person lacks emotional intelligence.
Albert Gonzalez, who masterminded the TJX hack in which 40 million credit cards were stolen, and who harvested 130 million credit cards from Heartland Payment Systems, is far from stupid. He was already rich when he got caught using cloned debit cards in 2003, but he just couldn’t bring himself to stop.
Gonzalez was given a deal by the US Secret Service: work with them undercover to build up a network of contacts that would then be nailed by the Feds. He agreed, but in the meantime spent his time working with a secret network of shadow contacts to infiltrate several companies, including Hannaford Bros and Dave & Buster’s. This was before Gonzalez was busted through a Ukrainian contact in 2008.
Gonzalez, who won’t get out of jail until at least 2025, bought himself a BMW, mounds of designer drugs, and stayed in lavish hotels. He hid $1.2 million (£750,000) in cash in a barrel in his parents’ house.
Pride
The first thing to bring down many hackers is their tendency to brag. For many, the prize lies not in the intellectual satisfaction of cracking a system, but in vanity, which propels them to tell of their successes.
Such was the case with Jesse William McGraw, aka ‘GhostExodus’, the leader of the hacking group Electronik Tribulation Army. McGraw worked as a security guard for United Protection Services in Dallas.
Assigned to the night shift at the Carrell Clinic, he compromised several computers, including those controlling the HVAC systems, in preparation for a DDoS attack that he dubbed 'Devil's Day'.
McGraw planned the attack for July 4 – the day after he was scheduled to leave the firm. Unfortunately, McGraw posted pictures and videos of himself online compromising the systems.
Wrath
Forget all that Old Testament, eye-for-an-eye stuff. We prefer the new, ‘happy clappy’ testament, in which the other cheek is turned, and where revenge is a dish best not served at all. Getting angry can land you in big trouble, as Terry Childs found out.
Childs, a sysadmin for the City of San Francisco, had single-handedly coordinated the fusion of the city’s various networks into a single entity, called the FiberWAN. He was the sole contact for changes to the network, and controlled the keys to the kingdom.
According to the city, Childs got angry when city security manager Jeana Pieralde tried to audit his network, allegedly confronting her and taking pictures of her with his cell phone (a claim that he disputed). When she involved the CIO, Childs left, and refused to give up the passwords for the system. After being suspended for insubordination, he eventually handed over the passwords from jail after being directly visited by the mayor. Last year, Childs was sentenced to four years in prison for violating state hacking laws.
Sloth
Sometimes hackers can catch themselves out simply by failing to cover their tracks. Joe Stewart, director of malware research at SecureWorks, also points out that malware authors often fail to understand what is retrievable from decompiled code. Researchers can find clues, such as system paths containing user names, that give them leads for further research. “When in history were they not as careful? If they just got into the business of doing malware recently, they may have been in forums talking about where they live”, he says.
Even when using a very reliable proxy, hacking from home is a good example of slovenly practice. Jeffrey Lee Parsons, then, ranks among the dumbest of all hackers, for hosting an entire botnet command-and-control infrastructure using his dad’s broadband account. The boy, who wrote a derivative of the Blaster worm, had infected machines connecting to tl.t33kid. When FBI agents looked it up on the ARIN database, he had also used his own name to register it.
Gluttony
Gluttony: over-consumption, often at the expense of others. Cornell scholar Robert Morris Jr wasn’t an overeater, but the worm that he created in 1988 was. Dubbed the first computer worm, Morris wrote it to find out how big the internet really is.
He tried to make the worm ‘polite’, by having it ask a computer whether it had already been infected or not, so that it could avoid running itself more than once on a computer and using up its resources. However, Morris was afraid that sysadmins would simply program computers to falsely answer ‘yes’ to the question, preventing infection altogether. He therefore used a randomization algorithm to infect a computer anyway in one of every seven cases when a machine said that it was already compromised.
It was the randomization element – combined with the unanticipated spread of the worm – that effectively took the internet down. “Ultimately, many machines at locations around the country either crashed or became ‘catatonic’”, said Morris’ court appeal.
Morris is now a tenured professor at MIT.
Samy Kamkar’s Samy worm also ate up most of MySpace in 2006. The worm, which exploited browsers’ JavaScript parsing, spread to over a million users, adding the phrase ‘Samy is my hero’ to their pages.
Kamkar admitted that he didn’t realize it would spread so quickly. “Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito”, he said.
“It was funny how they tracked him”, says Jeff Williams, volunteer chair of the Open Web Application Security Project (OWASP). “It wasn’t via the blog post he made immediately disclosing all the details. They found a photo of him with a license plate in the background.”
Lust
Forget online Viagra sales and porn. We prefer Aristotle’s definition of lust, as the excessive love of others. Some hackers have big hearts and don’t know when to quit when trying to save others from themselves.
Adrian Lamo, ‘the homeless hacker’, springs to mind. Lamo’s MO involved hacking companies and then telling them about their weaknesses without requesting payment. Worldcom and Excite@Home were among those that thanked him for his services.
The New York Times was not so grateful after Lamo hacked into its list of expert sources, discovering their phone numbers and personal addresses, while also creating an account for himself on the firm’s LexisNexis system. After he reported the incident to Wired, the New York Times pressed charges. Maybe Lamo is guilty of pride, too?
Envy
Envy: a feeling of discontented or resentful longing. Our friend bitchchecker had this in spades. It is often linked to low self-esteem, and the wish to deprive others. Of what? Of money, love, community, or, in the case of bitchchecker and elch, of a hard drive. Having vowed to delete elch’s system, bitchchecker proceeded to aim his tools at 127.0.0.1, which is the standard loopback IP address: he was deleting his own system.
elch you son of a bitch your f: is gone and e: too
Those who succumb to envy and work to the detriment of others end up belittling only themselves.
I’m already at 30 percent of your c: drive
And eventually they disappear, not with a bang or a whimper but, in this case, with a ping timeout as their own hard drive bites the dust.
* bitchchecker (~java@euirc-9ff3c180.dip.t-dialin.net ) Quit (Ping timeout#)
And so endeth the lesson.