Hackers are all B'stards now
Crime? What crime?
Corporate security folks are lonely people
Inside a company of 1,000 employees, it's not uncommon to find just one or two security staff. Let's face it, these are lonely people. They're over-worked, understaffed, underpaid and they have no one to talk to. They fight the occasional virus outbreak, and they despise Microsoft's patch Tuesday, but otherwise there's only so much that can be done. They take smoke breaks.
The company itself might have annual revenues of several hundred million dollars, millions of dollars in revolving credit lines at various banks, and an IT budget that's in the millions as well. Let me say it again. That's just two security staff protecting a few hundred million dollars, and hmm... no recent security compromises to speak of. Yet the old lady down the street keeps getting hacked.
No recent security events except for Zotob, that is. That virus outbreak a few weeks ago hit many Fortune 100 companies hard, and should be a big eye-opener to many CIOs. Odds are good the company is still standardized on Windows 2000, after all. It doesn't have the security features of XP, and it's big bucks to upgrade. What about Linux? Mac OS X? Or status quo?
What about the 2,500 employee company with a security staff of just three? It's frightening how common this has become. We're all expected to do more with less, and carry Blackberrys and such, but how does this translate for real security? With the soft underbelly of Windows 2000 (or even Windows 95/98) still on many corporate desktops, a fat Oracle database, juicy VPNs and perhaps even IT services outsourced to a third party, well...
There's no budget for security. There's no money for security. There's no need to hire more staff. There's no money for insurance. There no risk. There's not even any proof that a real threat exists for company XYZ at all. Millions of dollars. Understaffed, under funded, no focus on security, hard to keep on top of what they've got. Windows 98. Wait a second. They're sitting ducks.
The guy siphoning off small chunks of tens of thousands dollars a month from the company payroll is laughing all the way to the Bahamas, because he's not on their payroll. His approach doesn't make him any less than a criminal, but it begs the question: is this any better than stealing money from a little old lady, and taking her life's savings right out of her bank account? Is the corporate hacker any less detached from his crime than the 2-bit Internet thug?
A changing culture
In the 1980s when I discovered the Internet, things were very different. There were smart people, mostly academics, doing smart things and having intelligent debate. I couldn't believe the size of the Internet already, even back then it absolutely blew me away what could be done. Instantly.
It was much easier to attack systems back then, too, but few people bothered -- everyone was more interested in making it all work and in building new and amazing things. I remember telneting into NetHack sites that didn't even use authentication. And I remember one of the most exuberant feelings I've ever had was back then, with the Usenet and email and telnet, and ftp, and... well, it told me that our future with technology and communications through the Internet was very bright.
In the 1990s the Internet grew and changed dramatically. It almost went supernova near the end. And then in the last five years, it's become all about penetration-exploit-and-profit, and actually quite nasty. Now people are far more interested in stealing money and identities like a stack of playing cards... as they hide behind their keyboard, remaining detached and shy and anonymous, and meek, and trying to make it all come crumbling down. How times have changed.
I enjoyed reading Markus Ranum's recent article, The Six Dumbest Ideas in Computer Security, because it shows various dumb decisions made over time by smart people amid a changing security culture, and it also seems to be bang on. It made me reflect on how much things have changed even in just the past ten years, and how back in 1995, OS/2 and Macs were still common on many desktops. Security, at the time, was nothing but a bad dream. Now we have Linux instead of OS/2, and Mac OS X has quickly outpaced the old Mac (both in marketshare and in its rate of growth). Only one dominant player has actually multiplied in size, though, and many rocks are coming in through those office windows.
More smart people are focusing on patching our current approach to security than ever before. This is very true.
And yet there are far too many smart people doing very stupid things, like hacking their neighbors and friends, little old ladies and good organizations like the Red Cross. For profit? These are sad people. Hackers have to stop detaching themselves from their crimes, and take some responsibility. They need to take a step back, see the kind of damage they have already caused, and what the community has now become.
Copyright © 2005, SecurityFocus
Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.