Hackers are all B'stards now

Crime? What crime?

Corporate security folks are lonely people

Inside a company of 1,000 employees, it's not uncommon to find just one or two security staff. Let's face it, these are lonely people. They're over-worked, understaffed, underpaid and they have no one to talk to. They fight the occasional virus outbreak, and they despise Microsoft's patch Tuesday, but otherwise there's only so much that can be done. They take smoke breaks.

The company itself might have annual revenues of several hundred million dollars, millions of dollars in revolving credit lines at various banks, and an IT budget that's in the millions as well. Let me say it again. That's just two security staff protecting a few hundred million dollars, and hmm... no recent security compromises to speak of. Yet the old lady down the street keeps getting hacked.

No recent security events except for Zotob, that is. That virus outbreak a few weeks ago hit many Fortune 100 companies hard, and should be a big eye-opener to many CIOs. Odds are good the company is still standardized on Windows 2000, after all. It doesn't have the security features of XP, and it's big bucks to upgrade. What about Linux? Mac OS X? Or status quo?

What about the 2,500 employee company with a security staff of just three? It's frightening how common this has become. We're all expected to do more with less, and carry Blackberrys and such, but how does this translate for real security? With the soft underbelly of Windows 2000 (or even Windows 95/98) still on many corporate desktops, a fat Oracle database, juicy VPNs and perhaps even IT services outsourced to a third party, well...

There's no budget for security. There's no money for security. There's no need to hire more staff. There's no money for insurance. There's no risk. There's not even any proof that a real threat exists for company XYZ at all. Millions of dollars. Understaffed, underfunded, no focus on security, hard to keep on top of what they've got. Windows 98. Wait a second. They're sitting ducks.

The guy siphoning off small chunks of tens of thousands of dollars a month from the company payroll is laughing all the way to the Bahamas, because he's not on their payroll. His approach doesn't make him any less of a criminal, but it begs the question: is this any better than stealing money from a little old lady, and taking her life's savings right out of her bank account? Is the corporate hacker any less detached from his crime than the 2-bit Internet thug?

A changing culture

In the 1980s when I discovered the Internet, things were very different. There were smart people, mostly academics, doing smart things and having intelligent debate. I couldn't believe the size of the Internet already, even back then it absolutely blew me away what could be done. Instantly.

It was much easier to attack systems back then, too, but few people bothered -- everyone was more interested in making it all work and in building new and amazing things. I remember telnetting into NetHack sites that didn't even use authentication. And I remember one of the most exuberant feelings I've ever had was back then, with the Usenet and email and telnet, and ftp, and... well, it told me that our future with technology and communications through the Internet was very bright.

In the 1990s the Internet grew and changed dramatically. It almost went supernova near the end. And then in the last five years, it's become all about penetration-exploit-and-profit, and actually quite nasty. Now people are far more interested in stealing money and identities like a stack of playing cards... as they hide behind their keyboard, remaining detached and shy and anonymous, and meek, and trying to make it all come crumbling down. How times have changed.

I enjoyed reading Marcus Ranum's recent article, The Six Dumbest Ideas in Computer Security, because it shows various dumb decisions made over time by smart people amid a changing security culture, and it also seems to be bang on. It made me reflect on how much things have changed even in just the past ten years, and how back in 1995, OS/2 and Macs were still common on many desktops. Security, at the time, was nothing but a bad dream. Now we have Linux instead of OS/2, and Mac OS X has quickly outpaced the old Mac (both in market share and in its rate of growth). Only one dominant player has actually multiplied in size, though, and many rocks are coming in through those office windows.

More smart people are focusing on patching our current approach to security than ever before. This is very true.

And yet there are far too many smart people doing very stupid things, like hacking their neighbors and friends, little old ladies and good organizations like the Red Cross. For profit? These are sad people. Hackers have to stop detaching themselves from their crimes, and take some responsibility. They need to take a step back, see the kind of damage they have already caused, and what the community has now become.

Copyright © 2005, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
