10 reasons why the Black Hats have us outgunned

A nicely pointed take.

10 reasons why the Black Hats have us outgunned

By Robin Bloor
13th June 2007

Here they are:

1. The Black Hats form a well integrated community that shares knowledge

Should you, after months of research and effort, create an exploit that
allows you to hack Windows or any other frequently used software
product, you can auction the exploit on the internet in a well organised
manner. Yes, the hackers have their own auction sites (it's true). And
if you're looking to write a virus, say, well, there are hundreds of
sites out there that can provide you with source code to help you
construct something really fiendish. Different modules for setting up a
mail server or planting a specific Trojan or whatever. Open source is
all the rage, even among hackers.

2. Becoming a Black Hat is a career option even for those who are not
   super geeks.

Time was when Black Hats needed to have a computer science degree or a
similar level of exposure to computer technology in order to operate
effectively. It's comforting to know, should you want to become a Black
Hat, that the barriers to entering the trade are much lower now. It's
true that you'll never become a "legendary Black Hat" if you can't cut a
little C++ code. Nevertheless, out there on the internet there are
websites where you can buy fully functional software for launching
exploits that others have written for you. Yes, there are indeed
hacker-devoted software products freely available for purchase by anyone
capable of installing software. $200 or so should buy you something
useful (including updates).

3. There are even specialist virus tools designed to circumvent specific
   AV products.

You know how it is. You want revenge on some company or other who sold
you something that turned out to be dud and refused to allow you to
return it. So you send them a virus or two, but you just can't seem to
infect them because the AV technology they use has the signature of
every virus at your disposal. Have no fear. The same software vendors
that can sell you exploit tools also have specific viruses for sale
which are guaranteed to get around any specific AV product that you can
name. There's one for Norton, one for McAfee, one for Kaspersky, and
ones for AV products that you may never even have heard of. Hell,
there's lots of specialist software out there. If you have a budget in
the $1,000 to $5,000 region, you can even buy Trojans that are purpose
built to steal credit card data and mail it to you.

4. There are SDKs for the more advanced hackers.

"OK, nice to know that lame-brains can become hackers, but I'm more
ambitious than that. I want to cut code with the best of them. I want to
be a genuine fully fledged bad-ass Black Hat". Well Cinderella, you can
indeed go to the ball. To get started all you'll need is one of those
comprehensive hacker SDKs (cost about $320, but hey you can't be a
carpenter without tools can you?) Yes, there are indeed such products
for sale out there. It helps if you can read Russian, by the way, given
the limitations of Babel Fish.

5. There's a market for your data.

"OK, I go out onto the net and try an exploit here or there and I hit
pay dirt - a whole file of thousands of credit card details. What do I
do now?" My advice to you dear boy, is forget about trying to buy stuff
on eBay or Amazon with all that stolen data. Simply sell the data and
leave it to someone else to do all the dirty work. How much to sell for?
Well it depends, but you should be able to get $30 per credit card as an
absolute minimum and if you've got really lucky and managed to get the
PIN number of the card (a difficult data item to get your hands on) then
it should be close to $500 per card. Yes, there are markets out in
cyberspace where you can sell data - not just credit card data, but
Social Security Card data (for US citizens), birth certificate data,
billing data, and driving license data (all of which can be used to set
up bogus bank accounts).

6. There are botnets to rent.

Don't tell me, let me guess. You've got a great scheme in mind to flood
the world with a particular kind of spam and it's bound to pay off. But
you just don't have the computer power you need. Let me introduce you to
an Asian friend of mine who's been established in the Black Hat trade
for a year or two. He repeatedly floods the internet with Trojan viruses
to continuously assemble and grow a botnet. He has to keep on doing it
because every now and then PCs get cleaned and fall out of the net and
anyway the bigger the botnet the more the commercial opportunity. My
friend will rent you a portion of his botnet for 20 cents per PC per day
(roughly current rates) and he'll throw in a whole database of email
addresses too. He thinks of himself as an Internet Service Provider.

7. Some rogue websites are very subtly managed.

You're thinking of setting up a website with some "poisoned downloads"
and perhaps even a script or two which runs in the browser and will
infect visitors with a virus given half the chance, but you've heard of
security companies that send spiders round the web examining sites and
testing for malware, so they can put you on a blacklist. So what's the
point in putting in the effort if it all comes to nothing? Well don't
despair. I know a Black Hat who keeps an up-to-date list of the IP
addresses of all those spiders. He'll rent it to you and you can build
the site so that it presents innocuous executables to the spiders and
infects everyone else. Would I steer you wrong?

8. Good hackers know how to stay safe (they stay abroad)

It's what may keep you up at nights. You've pulled off some real coups;
stealing data here and there, setting up a healthy spam business,
arranging a few rogue auctions on eBay, assembling a sizable botnet and
so on. Then the news breaks that a hacker in Denmark has just been
arrested and the net is awash with pictures of him. It looks like he's
going to spend years and years in a place where champagne is never
served. That must be the third hacker arrest this year - dammit this is
becoming a dangerous profession. Sometimes hackers even get caught.
Well, please bear in mind that 30 percent of all Black Hat activity is
in the US and, well, it's not often that you hear of a US hacker getting
banged to rights. I mean the average bank robbery with a gun in the US
nets less than $10,000, while the average bank robbery with a PC nets
more than 10 times that figure. Many more of the gun-toting bank robbers
get caught than the PC-toting ones and some of them even get shot. Your
chances of getting caught are slim to zero - especially if you initiate
it all remotely through a server somewhere in Moldova. Well, OK, you're
a worrier, so move to Moldova. Sensible hackers don't hack in their own
back yard - so change back yards. And when was the last time you heard
of a hacker from Moldova getting caught?

9. The banking system has its channels

"OK so I've moved to Moldova, but how am I going to pick up the money
I'm earning?" Gosh, you don't know much about the international banking
system do you? Here's my advice. Set up a convenient little off-shore
account in the Cayman Islands and pass the money through there. Even in
this internet era when it is oh-so-difficult to ensure the secrecy of
data, no data ever seems to escape from those Cayman banks. And as
regards your Black Hat activity, my advice to you, as a Moldovan, is to
specialise in denial of service attacks (software to carry them out
available from the usual suppliers). The DOS ransom fees are around
$50,000, if you hit a big company, and you can usually extort $10,000
from the smaller ones. That's good pay for a week or two's hard hacking.

10. Not all businessmen are entirely averse to the odd hack (on a

As you seem determined to embark on a life of cybercrime I have one last
piece of advice for you. Don't ignore the business world as a lucrative
source of income. I know what you're thinking. Those guys are my prey.
Well it's true that some of them are, but some of them could become your
customers - if you make the right contacts and do the right kind of
marketing. I mean, which businessman could fail to be pleased when his
major competitor suffers a big data hack or loses a few days' web
business because of a DOS attack. Which businessman doesn't think, "hey
what if I arranged for something like that to happen?" And which
businessman having formulated a good competitive tactic doesn't put it
into practice. There's good money to be made in focused hacks, theft of
intellectual property, denial of service and large scale data theft. You
might even get paid twice - by the customer and the victim.


Acknowledgments: Some of the information used to produce this article
was gathered from presentations given to me by Yuval Ben-Itzhak of
Finjan and Patricia Booth of CA, both of whom have a deep knowledge of
the extent of the IT security malaise. It's no longer just a serious
threat - it's a well organized and expanding industry.

Copyright 2007,
