From Matthew Broderick's teenage phone phreak in the 1983 movie "WarGames" to today's Russian mafia don, the image of the computer hacker has undergone some radical changes over the years. Really, though -- just who are these people, and why do they do what they do?
Over the last several weeks, we here at Dark Reading have been asking that very question. But instead of asking security "experts," we went straight to the horse's mouth -- the black hats themselves. In a survey of 116 individuals who spend at least part of every day trying to break into systems they're not authorized to access, we received a lot of feedback from people who don't fit either the image of the pimply-faced script kiddie or the hardened criminal. And, for the most part, they're anxious to break both stereotypes.
"Black hats are not as scary as they get portrayed in movies and at the Defcon convention," says Caseo, an IT security officer for a regional investment firm. "And most of them aren't teens or twenty-year-olds living in their parents' basement."
At the same time, however, many self-described "black hats" also offer a very different perspective than today's security experts and IT staffers. In our survey, we had several respondents who said that information should be available to anyone with the skills to access it. Several others suggested that corporations and governments are much greater threats to security than individual black hats. And we even heard from a few individuals who admit to stealing and selling data from their victims.
With such a diversity of views and opinions expressed in the survey and in subsequent interviews with respondents, it was difficult to find a simple, comprehensive way to relay all of the data we collected. With this in mind, we offer the following five "myths" about black hats, and some statistics and interviews that help debunk them. We hope this will help give our readers a truer picture of who the black hats are -- and how they differ from popular notions and images.
A word about the methodology of our highly-unscientific survey. The bulk of the respondents came from an emailing to the attendees of last summer's Black Hat convention in Las Vegas. We also received some responses from the Dark Reading readership, as well as a posting on ha.ckers.org.
Not surprisingly, we heard from a lot more "ethical hackers" than from admitted data thieves, so we know our data is skewed. Unfortunately, lists of hardened criminals are hard to come by (and even harder to get responses from), so it wasn't possible to get a true scientific sample. However, all of the respondents did say that they regularly try to break into computer systems they aren't authorized to access, either as a hobby or as a full-time job.
So grab a Red Bull and a grain of salt, and read on for some insights on what black hats believe to be true -- and not so true -- about today's conventional wisdom on security.
Myth 1. Most black hats are young, geeky kids.
Of the 116 people we surveyed, only one was younger than 18, and only six were younger than 24. We know this result is partially attributable to the lists that we used -- not too many teenagers can get Mom's permission to attend Black Hat in Vegas -- but many respondents also emphasized that the black hat population is becoming more mature.
Like many black hats, Tom Brennan, an ethical hacker, got started doing exploits for fun with friends in school. "When you're younger, it's for fun," he says. "But when you get bills, a house, and kids, it's always about money."
Jason Minto, owner and president of Lomin LLC -- a company that does penetration testing and security software development -- agrees. "I think the best hackers start in their youth," he says. "Growing old means they need to pay their rent or mortgage."
As they grow older, black hats become more serious about turning their hobby into a paying gig, either by finding a job on the white hat side or by selling data and exploits, survey respondents say. Fifty-four percent of those surveyed say they either hold full-time jobs with security companies or are hired as consultants to seek out clients' system vulnerabilities.
This is not to say there aren't hobbyists out there -- more than 45 percent of respondents say they spend less than two hours a day on penetration efforts -- but IT security staffers need to know that they are dealing more frequently with mature, professional attackers, respondents say.
"There's a perception that it's the young guys that are dangerous, [but] the old guys are the masters," Brennan says. "Who would be law enforcement's worst nightmare: a young guy with a gun, or a seasoned 'Rambo'?"
Myth 2. All of today's black hats are motivated by money.
While the market for security expertise is growing, it is an overstatement to say that today's black hats are uniformly focused on profit. Nearly 29 percent of the respondents said their primary reason for attempting system penetrations is that they "enjoy the challenge." About 45 percent said they only research system vulnerabilities and do not collect or view any data.
"Most of the black hats I have had contact with are interested in the challenge, rather than financial gain," says Andy Swenson of Tribridge Inc., a penetration testing company.
And many white hats mix some black hat activity into their practices, respondents say. "I correspond fairly often with individuals who would be considered black hats by mainstream society," says TsuDohNimh, a self-described "packet junkie." "Most of them are legitimate and highly ethical professionals who hone their skills and knowledge by having a 'gray hat' side. You have to poke around -- if you don't, then you are probably in the wrong business."
Interestingly, only one respondent admitted to doing penetrations for his own financial gain, and only one respondent said he wanted "respect and notoriety among his peers" -- the two most commonly-cited motivations behind hacking.
Myth 3. There is a widespread movement toward targeted attacks on specific organizations or Websites.
While most security companies and industry experts agree that there is a trend toward targeted attacks, many rank-and-file black hats say they haven't reached that point yet.
"People think that black hats target a specific company, but they don't," says Scott Swenka, a security engineer at a large healthcare company in the Phoenix area. "They see everyone, everywhere, and everything as a resource, IP address, or number, and they will use you to their best advantage. A lot of people think their companies are too small to be targets -- but they are, and so are their neighbors."
Swenka's comments run contrary to some of the popular wisdom about attack trends, but the data in our survey suggests he may be on to something. About a tenth of respondents said they are looking for the easiest systems to penetrate; another tenth said they are looking for a challenge -- the hardest systems to penetrate.
Many black hats also indicated that they aren't targeting a specific technology. Fifty-three percent of those surveyed said they aren't choosy about which hardware or OS they attack, and 41 percent said they will go after any application environment. These results suggest that moving to a specific hardware or software platform doesn't necessarily reduce the risk of an attack.
Myth 4. Viruses and worms are a black hat's most frequent modes of attack.
If you're still living in the '90s, when worms and viruses were the most feared attack vectors, it's time to move on, according to our poll respondents. Only 12 percent of those surveyed cited worms as a favorite attack method; only 10 percent cited viruses.
By contrast, the black hats in our survey cited a number of vectors that are seldom discussed by security vendors. Sniffers, for example, were mentioned as a favorite by 67 percent of respondents, second only to buffer overflow (68 percent). SQL injection was mentioned by 64 percent of those surveyed, followed by social engineering (63 percent) and cross-site scripting (53 percent). Only 4 percent mentioned botnets.
The emphasis on SQL injection, XSS, and social engineering may indicate that black hats are targeting a specific type of data, such as personal information and sensitive company data. Virtually all of the black hats we interviewed agreed that the most valuable information is the material that can be re-sold for a profit.
"To be honest with you, I would target a hospital or healthcare facility," says Swenka. "Why? Because it's a one-stop shop. Your health records contain Social Security numbers, payment information, credit card data, insurance info, past histories, address records, and so forth. There is a lot of information that can be used for unscrupulous activity."
Myth 5. Black hats are worried about corporate defenses and law enforcement agencies.
One respondent summed it up nicely: "I cannot be caught."
In our survey, fewer than 3 percent of respondents said they worry about being caught and ending up in jail. Four percent said they worry a little bit, but they doubt they could be convicted.
"I do not believe that many of the smart ones get caught," says a senior associate at a "Big Four" security practice. "It's fairly easy to cover your tracks, especially with offshore proxies, Tor, and unprotected wireless access points. Malicious hackers who don't care about profit -- for example, those with a grudge against a company -- can leak documents with little risk of discovery."
Of the deterrents out there, respondents said the most effective products companies use are firewalls (44 percent) and multi-factor authentication (40 percent). Antivirus and anti-spam software were considered the least effective. Of the law enforcement agencies that track computer crime, the FBI was considered by far to be the most effective in the U.S. (52 percent).
Despite such deterrents, however, most black hats aren't particularly concerned about getting caught. "Do you speed on the highway, or do you drive 55 mph?" Brennan asks. "Do you ever drive home after having a few too many? That about sums it up."
Tim Wilson, Site Editor, Dark Reading