10 reasons why the Black Hats have us outgunned
So, you want to be a hacker? It's as easy as...
Here they are:
- The Black Hats form a well integrated community that shares knowledge effectively.
Should you, after months of research and effort, create an exploit that allows you to hack Windows or any other frequently used software product, you can auction the exploit on the internet in a well organised manner. Yes, the hackers have their own auction sites (it's true). And if you're looking to write a virus, say, well, there are hundreds of sites out there that can provide you with source code to help you construct something really fiendish. Different modules for setting up a mail server or planting a specific Trojan or whatever. Open source is all the rage, even among hackers.
- Becoming a Black Hat is a career option even for those who are not super geeks.
Time was when Black Hats needed to have a computer science degree or a similar level of exposure to computer technology in order to operate effectively. It's comforting to know, should you want to become a Black Hat, that the barriers to entering the trade are much lower now. It's true that you'll never become a "legendary Black Hat" if you can't cut a little C++ code. Nevertheless, out there on the internet there are websites where you can buy fully functional software for launching exploits that others have written for you. Yes, there are indeed hacker-devoted software products freely available for purchase by anyone capable of installing software. $200 or so should buy you something useful (including updates).
- There are even specialist virus tools designed to circumvent specific AV products.
You know how it is. You want revenge on some company or other who sold you something that turned out to be dud and refused to allow you to return it. So you send them a virus or two, but you just can't seem to infect them because the AV technology they use has the signature of every virus at your disposal. Have no fear. The same software vendors that can sell you exploit tools also have specific viruses for sale which are guaranteed to get around any specific AV product that you can name. There's one for Norton, one for McAfee, one for Kaspersky, and ones for AV products that you may never even have heard of. Hell, there's lots of specialist software out there. If you have a budget in the $1,000 to $5,000 region, you can even buy Trojans that are purpose built to steal credit card data and mail it to you.
- There are SDKs for the more advanced hackers.
"OK, nice to know that lame-brains can become hackers, but I'm more ambitious than that. I want to cut code with the best of them. I want to be a genuine fully fledged bad-ass Black Hat". Well Cinderella, you can indeed go to the ball. To get started all you'll need is one of those comprehensive hacker SDKs (cost about $320, but hey you can't be a carpenter without tools can you?) Yes, there are indeed such products for sale out there. It helps if you can read Russian, by the way, given the limitations of Babel Fish.
- There's a market for your data.
"OK, I go out onto the net and try an exploit here or there and I hit pay dirt - a whole file of thousands of credit card details. What do I do now?" My advice to you dear boy, is forget about trying to buy stuff on eBay or Amazon with all that stolen data. Simply sell the data and leave it to someone else to do all the dirty work. How much to sell for? Well it depends, but you should be able to get $30 per credit card as an absolute minimum and if you've got really lucky and managed to get the PIN number of the card (a difficult data item to get your hands on) then it should be close to $500 per card. Yes, there are markets out in cyberspace where you can sell data - not just credit card data, but Social Security Card data (for US citizens), birth certificate data, billing data, and driving license data (all of which can be used to set up bogus bank accounts).
- There are botnets to rent.
Don't tell me, let me guess. You've got a great scheme in mind to flood the world with a particular kind of spam and it's bound to pay off. But you just don't have the computer power you need. Let me introduce you to an Asian friend of mind who's been established in the Black Hat trade for a year or two. He repeatedly floods the internet with Trojan viruses to continuously assemble and grow a botnet. He has to keep on doing it because every now and then PCs get cleaned and fall out of the net and anyway the bigger the botnet the more the commercial opportunity. My friend will rent you a portion of his botnet for 20 cents per PC per day (roughly current rates) and he'll throw in a whole database of email addresses too. He thinks of himself as an Internet Service Provider.
- Some rogue websites are very subtly managed.
You're thinking of setting up a website with some "poisoned downloads" and perhaps even a script or two which runs in the browser and will infect visitors with a virus given half the chance, but you've heard of security companies that send spiders round the web examining sites and testing for malware, so they can put you on a blacklist. So what's the point in putting in the effort if it all comes to nothing? Well don't despair. I know a Black Hat who keeps an up-to-date list of the IP addresses of all those spiders. He'll rent it to you and you can build the site so that it presents innocuous executables to the spiders and infects everyone else. Would I steer you wrong?
- Good hackers know how to stay safe (they stay abroad)
It's what may keep you up at nights. You've pulled off some real coups; stealing data here and there, setting up a healthy spam business, arranging a few rogue auctions on eBay, assembling a sizable botnet and so on. Then the news breaks that a hacker in Denmark has just been arrested and the net is awash with pictures of him. It looks like he's going to spend years and years in a place where champagne is never served. That must be the third hacker arrest this year - dammit this is becoming a dangerous profession. Sometimes hackers even get caught. Well, please bear in mind that 30 percent of all Black Hat activity is in the US and, well, it's not often that you hear of a US hacker getting banged to rights. I mean the average bank robbery with a gun in the US nets less than $10,000, while the average bank robbery with a PC nets more than 10 times that figure. Many more of the gun-toting bank robbers get caught than the PC-toting ones and some of them even get shot. Your chances of getting caught are slim to zero - especially if you initiate it all remotely through a server somewhere in Moldova. Well, OK, you're a worrier, so move to Moldova. Sensible hackers don't hack in their own back yard - so change back yards. And when was the last time you heard of a hacker from Moldova getting caught?
- The banking system has its channels
"OK so I've moved to Moldova, but how am I going to pick up the money I'm earning?" Gosh, you don't know much about the international banking system do you? Here's my advice. Set up a convenient little off-shore account in the Cayman Islands and pass the money through there. Even in this internet era when it is oh-so-difficult to ensure the secrecy of data, no data ever seems to escape from those Cayman banks. And as regards your Black Hat activity, my advice to you, as a Moldovan, is to specialise in denial of service attacks (software to carry them out available from the usual suppliers). The DOS ransom fees are around $50,000, if you hit a big company, and you can usually extort $10,000 from the smaller ones. That's good pay for a week or two's hard hacking.
- Not all businessmen are entirely averse to the odd hack (on a competitor)
As you seem determined to embark on a life of cybercrime I have one last piece of advice for you. Don't ignore the business world as a lucrative source of income. I know what you're thinking. Those guys are my prey. Well it's true that some of them are, but some of them could become your customers - if you make the right contacts and do the right kind of marketing. I mean, which businessman could fail to be pleased when his major competitor suffers a big data hack or loses a few days web business because of a DOS attack. Which businessman doesn't think, "hey what if I arranged for something like that to happen?" And which businessman having formulated a good competitive tactic doesn't put it into practice. There's good money to be made in focused hacks, theft of intellectual property, denial of service and large scale data theft. You might even get paid twice - by the customer and the victim.
Acknowledgments: Some of the information used to produce this article was gathered from presentations given to me by Yuval Ben-Itzhak of Finjan and Patricia Booth of CA, both of whom have a deep knowledge of the extent of the IT security malaise. It's no longer just a serious threat—it's a well organized and expanding industry.
Copyright © 2007, IT-Analysis.com