Identifying criminal hackers is no easy task even for the most gifted white hats. And, while we can't readily match a name or names to specific criminal compromises, there are things we can know about those behind the masks. It's often easy enough to identify the hacker's country of origin, the tools he used, the hacker's style and his skill level. But, what about finding the actual person or persons behind the masks? That's becoming easier too because of our observations of the personality types involved in these activities.
Over the past several weeks, I've spoken with several security professionals, hackers and a psychiatrist about the criminal hacker, his goals and his personality. My research has led me down an interesting and enlightening path into the minds of the world's cybercriminals.
Before we trudge too deep into this discussion, let's establish a terminology baseline. Criminal hackers hit cyberspace with different backgrounds and intentions, so let's separate them into three basic types. Before anyone misunderstands, I'm only talking about criminal hackers, not security consultants or other white hat security professionals. Nor am I discussing those who hack code or programs in order to help with security. I'm focused only on criminal hackers and their personalities.
First, there's the paid criminal hacker, who is hired by organized crime groups to go after particular targets in for-profit schemes. These people may have no legitimate means by which to provide for themselves or their families. What they do is illegal but it's perhaps a matter of survival for them. Organized crime groups are abundant in certain countries because they have access to skilled computer professionals, they offer lucrative jobs to people in economically depressed areas and they can be persuasive in other ways as well to get what they want. These are not the criminal hackers that we're discussing here.
Second, there are the hacktivists who have something to say to the companies or individuals to whom they direct their attacks. Their attacks and compromises are illegal but they are not after monetary gain. Their purpose in engaging in these activities is to expose, to change behavior, to boast or to cause monetary loss or damage to their targets. This type has something to prove or a personal vendetta to air. Hacktivists certainly fall under the definition of criminal hacker and are one of the types we're interested in for this discussion.
The third and final type is the hobby hacker. Hobby hackers usually begin their exploits as a matter of curiosity, pranksterism or fun. Their activities are still illegal and often malicious. A few use hobby hacking as a gateway activity to criminal, for-profit hacking. This is the type of criminal hacker we all think of when discussing serious system compromises, social engineering attacks and corporate break-ins.
The Hacker Personality
Those who begin hacking, for whatever reason, generally fall into three personality types and often the lines are grayed and overlap. In other words, sometimes hackers will exhibit a complex variety of symptoms and behaviors that lead them deeper into the criminal aspects of hacking. Hackers are generally more intelligent than average but are also characterized by isolation, introversion, paranoia and antisocial behaviors.
Let's begin with the Antisocial personality disorder type. The National Institutes of Health (NIH) defines this personality type as:
Antisocial personality disorder is a mental health condition in which a person has a long-term pattern of manipulating, exploiting, or violating the rights of others. This behavior is often criminal.
These people are perfectly suited to criminal hacking because they are able to be witty and charming, and are prone to flattery and to manipulating others. They also disregard the safety of themselves and others, lie, steal, fight and break the law. They often exhibit arrogance or anger and they show no guilt or remorse for their actions. People with this personality type may be substance abusers.
There is no single known cause for antisocial personality disorder, although research suggests that having an antisocial or alcoholic parent increases the risk. Child abuse and neglect are also indicated. Treatment for this affliction is among the most difficult of all personality disorders and those with antisocial personality rarely seek treatment on their own.
Most interesting is that symptoms tend to peak during late teens and early twenties. Many patients improve by their 40s, with or without treatment.
I asked psychiatrist Dr. Soroya Bacchus, MD, if there were any tests that could be given to children to predict this personality type and sadly the answer was, "No." She went on to say that, "There are indicators but nothing predictive can be done until age 15 or older." By then, it seems, the damage is done.
I did find one interesting common thread in speaking with Kevin Mitnick, Christopher Hadnagy, Dr. Bacchus and others: Parental involvement is a keystone. Neglectful, disconnected, disinterested or non-interactive parents produce the bulk of children with this personality type. Researchers have not discounted the genetic aspect of the disorder but the accepted opinion is that this personality type is a combination of learned behaviors, parental influence and social isolation.
A good example is Kevin Mitnick's story (from Ghost in the Wires) of how his mother (a single parent) worked two jobs to support them. He was left isolated and turned to something from which he could extract his own rewards. Plus, his exploits, such as writing a password-capturing program, made him popular with teachers and other students.
The obsessive-compulsive personality disorder type is popularly known as OCD; those with the disorder exhibit such symptoms as excessive devotion to work, inability to discard items, lack of flexibility, lack of generosity, overt control, lack of affection and a preoccupation with details.
The NIH defines this disorder as:
Obsessive-compulsive personality disorder (OCPD) is a condition in which a person is preoccupied with rules, orderliness, and control.
People with this disorder tend to be high achievers and feel a sense of urgency about their actions. Symptoms of this disorder usually begin in early adulthood. Social isolation often accompanies those afflicted with OCPD.
Fortunately, effective treatments are available for OCPD and OCD and involve a combination of medication and therapy.
The third personality type that's associated with hacking is Asperger Syndrome. This form of autism is also known as pervasive developmental disorder and autistic spectrum disorder. It is considered to be a high functioning form of autism. People with this disorder have difficulty interacting socially, repeat behaviors and are often physically clumsy. The disorder is generally believed to be genetic in nature but studies are inconclusive.
Their habits and personal interactions often lead to isolation. Asperger types have unusual eye contact, have an inability to detect sarcasm and humor, have difficulty interacting in social situations and exhibit odd body language. This type also may show delays in motor behavior resulting in clumsiness.
Other aspects may include repetitive behavior, inflexibility, an inability to sense others' feelings and an obsession with a particular topic or object. Children with Asperger Syndrome may be diagnosed with ADHD and may develop physical or verbal tics.
A combined treatment (medication, therapy, social skills, speech) approach seems to be most effective.
The Masculine Pronoun
It's interesting to note that while many readers criticize me for using the masculine pronouns he and him, when referring to hackers, these disorders (Antisocial, OCPD, Asperger) occur at a much higher frequency in males than in females -- just as most (93%) of all prison inmates are male. The masculine pronoun is appropriate here. I apologize to any awesome female criminals in advance. I'm not snubbing you but the statistics are against you.
Unmasking the Hacker
Often hackers want to be caught. I know it sounds crazy but it's true. Without some exposure, they never get credit for what they've done. The problem is that they don't see anything wrong with what they're doing. If you don't believe me, read back through the symptoms of the disorders. There is a loss of sense of self--a self-imposed anonymity to the hacker. He is isolated by his personality and further isolated by his actions. It's a destructive downward spiral.
And, I don't care how clever the hacker or group of hackers is, they will be caught and exposed. Most will be further isolated in prison. A large number of inmates suffer from the same afflictions as do their hacker counterparts. Read some prison statistics--many have antisocial personality disorder.
Being somewhat socially inept makes the hacker his own worst enemy. He often exposes himself through language idiosyncrasies or outright bragging. For example, Ryan Cleary (Anonymous) exposed himself through language and things he said to the point where security professionals knew immediately that he was from the UK and between 17 and 20 years of age. Ryan Cleary was arrested and charged with five offenses under the Computer Misuse Act on June 21, 2011, by London Police.
Our stereotype of an isolated, socially awkward, gaunt hacker type isn't exaggerated; it is unfortunate and accurate. We know what a hacker looks like. We know where he is. We only need his name.
The Answer to the Ultimate Question
How can we identify and stop hackers? The answer and question may never exactly match up, as was seen in The Hitchhiker's Guide to the Galaxy series, but there are things we can do to help identify the disorders and help those afflicted.
Criticism and harsh treatment are not the answer. In fact, those things contribute to the behaviors associated with the disorders. If you know someone with any of these personality types, get them some help in the form of a counselor or medical professional. Chances are very good that the person won't go willingly or voluntarily. It may take time to draw the person out and into therapy. Be vigilant. Be patient.
Unmasking the hacker is one issue. Fixing him is quite another.