Hackers are all B'stards now

Crime? What crime?

Top three mobile application threats

Corporate security folks are lonely people

Inside a company of 1,000 employees, it's not uncommon to find just one or two security staff. Let's face it, these are lonely people. They're over-worked, understaffed, underpaid and they have no one to talk to. They fight the occasional virus outbreak, and they despise Microsoft's patch Tuesday, but otherwise there's only so much that can be done. They take smoke breaks.

The company itself might have annual revenues of several hundred million dollars, millions of dollars in revolving credit lines at various banks, and an IT budget that's in the millions as well. Let me say it again. That's just two security staff protecting a few hundred million dollars, and hmm... no recent security compromises to speak of. Yet the old lady down the street keeps getting hacked.

No recent security events except for Zotob, that is. That virus outbreak a few weeks ago hit many Fortune 100 companies hard, and should be a big eye-opener to many CIOs. Odds are good the company is still standardized on Windows 2000, after all. It doesn't have the security features of XP, and it's big bucks to upgrade. What about Linux? Mac OS X? Or status quo?

What about the 2,500 employee company with a security staff of just three? It's frightening how common this has become. We're all expected to do more with less, and carry Blackberrys and such, but how does this translate for real security? With the soft underbelly of Windows 2000 (or even Windows 95/98) still on many corporate desktops, a fat Oracle database, juicy VPNs and perhaps even IT services outsourced to a third party, well...

There's no budget for security. There's no money for security. There's no need to hire more staff. There's no money for insurance. There no risk. There's not even any proof that a real threat exists for company XYZ at all. Millions of dollars. Understaffed, under funded, no focus on security, hard to keep on top of what they've got. Windows 98. Wait a second. They're sitting ducks.

The guy siphoning off small chunks of tens of thousands dollars a month from the company payroll is laughing all the way to the Bahamas, because he's not on their payroll. His approach doesn't make him any less than a criminal, but it begs the question: is this any better than stealing money from a little old lady, and taking her life's savings right out of her bank account? Is the corporate hacker any less detached from his crime than the 2-bit Internet thug?

A changing culture

In the 1980s when I discovered the Internet, things were very different. There were smart people, mostly academics, doing smart things and having intelligent debate. I couldn't believe the size of the Internet already, even back then it absolutely blew me away what could be done. Instantly.

It was much easier to attack systems back then, too, but few people bothered -- everyone was more interested in making it all work and in building new and amazing things. I remember telneting into NetHack sites that didn't even use authentication. And I remember one of the most exuberant feelings I've ever had was back then, with the Usenet and email and telnet, and ftp, and... well, it told me that our future with technology and communications through the Internet was very bright.

In the 1990s the Internet grew and changed dramatically. It almost went supernova near the end. And then in the last five years, it's become all about penetration-exploit-and-profit, and actually quite nasty. Now people are far more interested in stealing money and identities like a stack of playing cards... as they hide behind their keyboard, remaining detached and shy and anonymous, and meek, and trying to make it all come crumbling down. How times have changed.

I enjoyed reading Markus Ranum's recent article, The Six Dumbest Ideas in Computer Security, because it shows various dumb decisions made over time by smart people amid a changing security culture, and it also seems to be bang on. It made me reflect on how much things have changed even in just the past ten years, and how back in 1995, OS/2 and Macs were still common on many desktops. Security, at the time, was nothing but a bad dream. Now we have Linux instead of OS/2, and Mac OS X has quickly outpaced the old Mac (both in marketshare and in its rate of growth). Only one dominant player has actually multiplied in size, though, and many rocks are coming in through those office windows.

More smart people are focusing on patching our current approach to security than ever before. This is very true.

And yet there are far too many smart people doing very stupid things, like hacking their neighbors and friends, little old ladies and good organizations like the Red Cross. For profit? These are sad people. Hackers have to stop detaching themselves from their crimes, and take some responsibility. They need to take a step back, see the kind of damage they have already caused, and what the community has now become.

Copyright © 2005, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.