Classified by Skill Level


Among hackers, skill level is the key differentiator. There are those skilled hackers who can write code in their sleep and know UNIX software inside and out. Then there are those "wannabes" who know how to run tools which crack passwords or sniff networks, but are unable to create a new or unique attack.

A skilled hacker must have the knowledge of a good system manager, a good network manager, and a good security manager, and must understand the various aspects of computer technology, including networking and operating systems. The hacker must understand what a system manager and a security manager look for when checking whether someone has been prowling. He must be able to tell immediately whether a system is well-maintained or not, in order to judge whether it is a good candidate to attack. He must also be able to manage his own system so that, when he is discovered, the system manager's task of tracking him down will be as difficult and time-consuming as possible.

The hacker must also be a good networker; that is, he must be able to seek out other hackers and interact with them, feeding their egos and absorbing their knowledge. He will want to learn from their experiences and make profitable trades of information with them. Most hackers also desire the company of others with whom to share their exploits.

The hacker will need a good set of hacker tools. He will either need to create these tools or have access to already existing tools. To be a good hacker, he will need to understand and modify these tools to meet his specific needs.

Several categories of hacker skill level are useful for discussion and classification.

Script Kiddy

A script kiddy is someone with very little technical skill who uses scripts or programs written by someone else to exploit known vulnerabilities. This hacker will often blindly follow an attack script, entering commands that may be inappropriate for the specific system under attack. These hackers usually compromise systems for bragging rights among their peers: how many systems they have compromised and which well-known sites they have hacked. They may deface websites or otherwise mark their conquests, and their inexperience can also lead to inadvertent damage.

Four Israeli secondary-school students have admitted to creating the "Goner" e-mail worm as part of a competition with a rival group of hackers. The virus arrives as an e-mail attachment disguised as a screen saver. Researchers have said the economic damage was minimal; the students' intent was to launch a denial-of-service attack against a rival gang of script kiddies over Internet Relay Chat. [12]

[12] Perera, Rick, "Israeli Teens Arrested for 'Goner' Worm," PC World, 10 December 2001, reprinted with permission of the IDG News Service.

Script kiddies will usually select their target by their ability to compromise it. They will sweep IP address ranges looking for a system that has the known vulnerability their tool of the day attacks. Once one is found, the tool is launched against the system to gain privileged access. Often the entire process is automated, so the script kiddy will start the program and come back in a day or two to see what he has succeeded in compromising.

Dedicated Hacker

A dedicated hacker will do research. He will know the ins and outs of the operating system, know what auditing and security tools exist, and know how to use them to help him get in and out of systems. He will be able to write C code and shell scripts to modify tools for his needs and automate attack procedures. He reads the latest security bulletins from the Computer Emergency Response Team (CERT), the National Institute of Standards and Technology (NIST), and the vendors, as well as the information from the underground about security holes. He will also read the security newsgroups and mailing lists. Sometimes a dedicated hacker will stay in a system for months or even years, until he achieves his goal.

Over a period of two years, a band of Russian hackers siphoned off an enormous amount of research and development secrets from U.S. corporate and government entities in an operation codenamed Moonlight Maze by American intelligence. The value of this stolen information is in the tens of millions, perhaps hundreds of millions, of dollars; there's really no way to tell. The information was shipped over the Internet to Moscow for sale to the highest bidder.

Fortunately, this threat was detected by a U.S. government agency. Unfortunately, that information was not passed on to the private institutions that it might have helped. [13]

[13] "Testimony of James Adams Chief Executive Officer, Infrastructure Defense, Inc.," Committee on Governmental Affairs, United States Senate, 2 March 2000.

Skilled Hacker

The skilled hacker realizes that to really understand the system he's going to be attacking, he has to know it inside and out and understand concepts and details. This means being able to read the operating system code. For UNIX systems, this is C. So he will get Linux or the UNIX source code and see what makes it tick. He will pay attention to the interaction between systems, such as all the networking tools. It is also very helpful for him to understand the network protocols.

It is almost a given that a successful hacker will know more about the internals of the operating system than you do. However, you will know more about what your system does and how it behaves: when your peak times are, what kind of users you have, and what they do on the system. This is your advantage. This is why you must be vigilant in monitoring logs and system utilization, looking out for activity that departs from that normal pattern. You will also need to know how to configure your system so that when something unusual occurs it notifies you, rather than waiting for you to find it.
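The advantage described above is a baseline: you know who normally logs in, when, and from where, and the intruder does not. The script below is an added example, not code from the book, that turns that knowledge into a check. It builds a per-user profile of login hours and source addresses from a constructed sshd history (syslog-format lines invented for this example) and then flags new logins that come from an unknown account, outside that user's usual hours, or from a source address the user has never used.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in syslog format (invented for this example).
# BASELINE_LOG is "known good" history; NEW_LOG is what arrived today.
BASELINE_LOG = """\
Dec  3 09:01:12 www sshd[1201]: Accepted password for alice from 10.0.0.5 port 50101 ssh2
Dec  3 17:45:03 www sshd[1288]: Accepted password for alice from 10.0.0.5 port 50230 ssh2
Dec  4 08:55:40 www sshd[1302]: Accepted publickey for bob from 10.0.0.9 port 51002 ssh2
Dec  4 10:12:09 www sshd[1310]: Accepted password for alice from 10.0.0.5 port 50388 ssh2
Dec  5 09:30:21 www sshd[1405]: Accepted publickey for bob from 10.0.0.9 port 51110 ssh2
"""

NEW_LOG = """\
Dec 10 09:05:55 www sshd[2001]: Accepted password for alice from 10.0.0.5 port 52001 ssh2
Dec 10 03:14:07 www sshd[2002]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Dec 10 11:02:30 www sshd[2003]: Accepted publickey for root from 10.0.0.9 port 51300 ssh2
Dec 10 11:05:00 www sshd[2004]: Failed password for bob from 10.0.0.9 port 51301 ssh2
"""

# Only successful logins matter for the baseline; failures are a separate signal.
LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def logins(text):
    """Yield (user, hour_of_day, source_address) for each successful login."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["user"], int(m["hh"]), m["src"]


def build_baseline(text):
    """Per user: the set of hours of day and source addresses seen in normal use."""
    hours, sources = defaultdict(set), defaultdict(set)
    for user, hour, src in logins(text):
        hours[user].add(hour)
        sources[user].add(src)
    return {u: {"hours": hours[u], "sources": sources[u]} for u in hours}


def _hour_distance(a, b):
    """Distance between two hours of day on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def unusual_logins(baseline, text, slack=1):
    """Return (user, hour, src, reason) for each login that deviates from baseline.

    slack widens each user's normal hours by that many hours on either side,
    so a slightly early or late day does not raise an alert on its own.
    """
    alerts = []
    for user, hour, src in logins(text):
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, hour, src, "never seen this user log in"))
            continue
        reasons = []
        if not any(_hour_distance(hour, h) <= slack for h in profile["hours"]):
            reasons.append("outside normal hours")
        if src not in profile["sources"]:
            reasons.append("new source address")
        if reasons:
            alerts.append((user, hour, src, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for user, hour, src, why in unusual_logins(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"ALERT {user} at {hour:02d}:00 from {src}: {why}")
```

Run from cron against the lines logged since the last run and mail the output, and you have the notification the paragraph calls for. The baseline must be rebuilt from a period you trust, otherwise an intruder who got in before you started measuring becomes part of "normal".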

We often see that the hacker has an exceptional ability to write code and manipulate systems, as in this example:

Korean officers apprehended a super hacker who turned out to be a fifteen-year-old high school boy named Kim. To date, 152 people have filed complaints about the 15 super viruses Kim created and e-mailed, but police expect the final figure to be over 2,000.

Kim told police that he mailed the viruses to demonstrate his talents and to find out if anyone could develop a "vaccine" for them. The viruses were so complex that they were virtually impossible to kill. The spokesman said that Kim was known as a computer genius from the 7th grade, when he learned to handle the machine code language "assembly 3," making him one of just forty to fifty people in Korea with such a talent.

Yang Keun-won, head of the National Police Office's computer crime team, commented that a virus creator and hacker like Kim could become a "national treasure" in the information society of the future. He added that he will guide Kim along the legal path of computer work. [14]

[14] "Super Hacker Apprehended," The Digital Chosun , 27 March 1999.

Superhacker

The superhacker is a hacker who does not brag and does not post information on the bulletin boards; rather, he watches what others are doing and absorbs the information about new and different ways to compromise a system. He moves freely through computer systems, taking what he wants without leaving a trace. If he decides that he wants to get on your system, he will eventually get there, and if he decides to crash your system, it will crash without explanation. Many consider the superhacker a myth because there is no evidence of his existence. This is the goal of many hackers. The number of hackers who actually fall into this category is a microscopic percentage, far fewer than those who claim to be superhackers.

Max Butler, who is known to the computer underground as the incredibly skilled hacker "Max Vision," boasted that he'd never met a computer system he couldn't crack. He was also known as "The Equalizer," a security expert. It was with this identity that he was an FBI informant, reporting on the activities of other hackers. As Max Butler, he was a family man in Santa Clara, California, who ran a Silicon Valley security firm. He specialized in running "penetration tests," attempting to break into corporate networks to prove that their security wasn't as good as it could be.

Max was charged with 15 counts of hacking-related crimes, including computer intrusion, possession of stolen passwords, and interception of communications.

For five years, Max passed on information about several major cracks to the FBI, including the identities of phone hackers who penetrated 3Com's PBX system in 1996 and made free long-distance calls. According to court documents, Max tracked the hackers, engaged in IRC chats with them, and gave the transcripts of those chats to the FBI. He also attended hacker convention DefCon 6 in July 1998 with specific instructions from the FBI to "collect PGP encryption keys from conference attendees and try to match people's real names to their keys." [15]

[15] Greene, Thomas, C., "FBI Computer Security Consultant Busted," The Register , 27 March 2000.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
