Hackers are all B'stards now

Crime? What crime?


Corporate security folks are lonely people

Inside a company of 1,000 employees, it's not uncommon to find just one or two security staff. Let's face it, these are lonely people. They're over-worked, understaffed, underpaid and they have no one to talk to. They fight the occasional virus outbreak, and they despise Microsoft's patch Tuesday, but otherwise there's only so much that can be done. They take smoke breaks.

The company itself might have annual revenues of several hundred million dollars, millions of dollars in revolving credit lines at various banks, and an IT budget that's in the millions as well. Let me say it again. That's just two security staff protecting a few hundred million dollars, and hmm... no recent security compromises to speak of. Yet the old lady down the street keeps getting hacked.

No recent security events except for Zotob, that is. That virus outbreak a few weeks ago hit many Fortune 100 companies hard, and should be a big eye-opener to many CIOs. Odds are good the company is still standardized on Windows 2000, after all. It doesn't have the security features of XP, and it's big bucks to upgrade. What about Linux? Mac OS X? Or status quo?

What about the 2,500 employee company with a security staff of just three? It's frightening how common this has become. We're all expected to do more with less, and carry Blackberrys and such, but how does this translate for real security? With the soft underbelly of Windows 2000 (or even Windows 95/98) still on many corporate desktops, a fat Oracle database, juicy VPNs and perhaps even IT services outsourced to a third party, well...

There's no budget for security. There's no money for security. There's no need to hire more staff. There's no money for insurance. There's no risk. There's not even any proof that a real threat exists for company XYZ at all. Millions of dollars. Understaffed, underfunded, no focus on security, hard to keep on top of what they've got. Windows 98. Wait a second. They're sitting ducks.

The guy siphoning off small chunks of tens of thousands of dollars a month from the company payroll is laughing all the way to the Bahamas, because he's not on their payroll. His approach doesn't make him any less of a criminal, but it begs the question: is this any better than stealing money from a little old lady, and taking her life's savings right out of her bank account? Is the corporate hacker any less detached from his crime than the 2-bit Internet thug?

A changing culture

In the 1980s, when I discovered the Internet, things were very different. There were smart people, mostly academics, doing smart things and having intelligent debate. I couldn't believe the size of the Internet already; even back then, it absolutely blew me away what could be done. Instantly.

It was much easier to attack systems back then, too, but few people bothered -- everyone was more interested in making it all work and in building new and amazing things. I remember telnetting into NetHack sites that didn't even use authentication. And I remember one of the most exuberant feelings I've ever had was back then, with Usenet and email and telnet, and ftp, and... well, it told me that our future with technology and communications through the Internet was very bright.

In the 1990s the Internet grew and changed dramatically. It almost went supernova near the end. And then in the last five years, it's become all about penetration-exploit-and-profit, and actually quite nasty. Now people are far more interested in stealing money and identities like a stack of playing cards... as they hide behind their keyboard, remaining detached and shy and anonymous, and meek, and trying to make it all come crumbling down. How times have changed.

I enjoyed reading Markus Ranum's recent article, The Six Dumbest Ideas in Computer Security, because it shows various dumb decisions made over time by smart people amid a changing security culture, and it also seems to be bang on. It made me reflect on how much things have changed even in just the past ten years, and how back in 1995, OS/2 and Macs were still common on many desktops. Security, at the time, was nothing but a bad dream. Now we have Linux instead of OS/2, and Mac OS X has quickly outpaced the old Mac (both in market share and in its rate of growth). Only one dominant player has actually multiplied in size, though, and many rocks are coming in through those office windows.

More smart people are focusing on patching our current approach to security than ever before. This is very true.

And yet there are far too many smart people doing very stupid things, like hacking their neighbors and friends, little old ladies and good organizations like the Red Cross. For profit? These are sad people. Hackers have to stop detaching themselves from their crimes, and take some responsibility. They need to take a step back, see the kind of damage they have already caused, and what the community has now become.

Copyright © 2005, SecurityFocus

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
