Who is really responsible for hacker attacks?
Good con artists are rarely spontaneous. They take time to observe their victims' behaviour, then find subtle ways to exploit the predictable foibles of human nature. And, while the resulting scams may seem elaborate, once they're explained, you see how simple they really are.
The same is true with criminal hackers online. The best hacks have been accomplished without special tools or technology. What hackers need is time -- to map target networks and then locate convenient ways in.
More often than not, hackers gain entrance to networks not through gaping software or hardware security holes, but through some sort of human error. Sometimes it's something as simple as forgetting to change the default password on a router. Famed hacker Kevin Mitnick made a career out of breaking into corporate systems not with technically complex exploits but with basic "social engineering".
A new book from Syngress Press, "Stealing the Network: How to Own the Box", supports the theory that most hacks are the result of human, not computer, weakness. The authors relate a number of fictional scenarios in which corporate networks are broken into because humans left them vulnerable.
The book doesn't delve deeply into what motivates hackers. I think today their primary objective is making money, not becoming famous. In the early days of the Net hackers committed exploits to boost their ego. Now, I think, the threat of arrest has left only a few serious criminals attempting break-ins again and again. For their specialised skills, some people are willing to pay -- especially if the hacker is able to turn over 20 million credit card numbers or the latest software release from a major developer.
There are more subtle reasons for online crime, as well, such as revenge. The book tells the (fictional) story of an out-of-work IT tech who decides, after a year of unemployment, to get back at his former company. He stalks one of the company's HR employees, and eventually discovers a Post-It note containing a remote dial-in access number and password that the staffer carelessly leaves behind in a cybercafe. When the dial-in number fails to provide the sort of access he wants, the unemployed man forges a security ID out of discarded company letterhead, clear plastic coating, and electrical tape (to suggest a magnetic strip along the backside) and gains physical access to the company headquarters and ultimately the server room itself.
While the book depicts extreme behaviour, the scenarios are realistic. For instance, in one story a hacker is able to steal software code because a system administrator names the servers after their functions -- FTP server, mail server, staging server, and so on. This is something that occurs in real life, and makes the life of a criminal hacker that much easier. A reoccurring mantra in the book seems to be, "I'm not hacking the system. I'm hacking the people who designed it."
"Stealing the Network" is not for computer novices, as many technical terms are not fully explained. Still, for anyone with a modest understanding of computer security jargon and network architecture, it's a good read.
There are other books that seek to dispel the mystery behind criminal activity on the Internet, too, such as Osborne/McGraw-Hill's "Hacker's Challenge Two". The latter describes fictional attacks, then asks the reader to figure out what happened before flipping to the back of the book for the "real" explanation.
Some complain that these books are bad for security -- that they both glamourise hackers and empower those considering online crime to be more effective. I disagree. These books do not pass on any new information; they stick to material that's already been reported on by the government or the media, or is readily available on Haxor sites.
On the contrary, I believe these books can help improve the state of computer security by making more individuals and companies aware of how online crimes are actually committed -- and thus enabling them to better protect themselves in the future.