Information Security News mailing list archives
Motivation to Hack
From: William Knowles <wk () C4I ORG>
Date: Sun, 5 Nov 2000 03:29:02 -0600
Published by ITworld.com, the IT problem-solving network http://www.itworld.com/newsletters --------------------------------------------------------------------- Motivation to Hack By Carole Fennelly Every system connected to the Internet is exploitable by someone with sufficient motivation. The most common motivation is ego-gratification and it drives all the script-kidiots to deface Web sites -- digitally spray-painting their name on the Internet and brag to their friends. Usually, the sites they hit are pretty easy targets and the defacement is a yawn to the rest of us. A more compelling motivation is retaliation. JP Vranesevich, founder of AntiOnline and a pariah in the hacker community, inevitably had his security compromised by a determined hacker. Word of the AntiOnline intrusion spread very quickly; the intention clearly was to embarrass Vranesevich, not steal or subvert information. I recently received an advance copy of Adam Penenberg's new book "Spooked: Espionage in Corporate America" (http://www2.bestbookbuys.com/cgi-bin/bbb.cgi?ISBN=0738202711). It addresses a chilling motivation for penetrating systems: espionage. Adam writes, "The U.S. Chamber of Commerce believes espionage has led to losses to corporate shareholders of about $25 billion a year in intellectual property." As the character Deep Throat said in "All the President's Men", follow the money. Money is probably the most persuasive motivator. Yes, there are those people who can't be bought but sadly, the majority of people have their price. Corporate espionage is a multi-billion dollar industry. Many companies maintain an entire division devoted to gathering Competitive Intelligence (CI) and in some countries, governments sponsor corporate espionage. Much of "Spooked" details the conventional methods of intelligence gathering and cites specific corporate espionage cases. With this much effort and expense put into conventional intelligence gathering techniques, it's obvious that the spy community will take advantage of the intelligence gathering opportunities the Internet provides. Microsoft: The company that everyone loves to hate For years, Microsoft has been a favorite target of hackers. Talk about bragging rights! Despite their reputation for poor software security, Microsoft takes their network security pretty seriously. Thus, Microsoft haters were delighted by the recent news of Microsoft's own network being penetrated. So, why didn't someone take credit, even under a pseudonym? Microsoft, not a hacker bulletin board, reported the intrusion. Whoever did this kept it very quiet. Why? http://www.hackernews.com/arch.html?102700 Microsoft has reverted to their usual PR spin -- down playing the situation by saying they knew about the hackers all along and were monitoring them. A news article on the Microsoft site states: "The hacker may have viewed the source code for a single future product under development. Our investigation has confirmed that it has not been modified or corrupted in any way. We have no evidence to suggest that the hacker gained any other access to any other source code." http://www.microsoft.com/technet/security/001027.asp The fact that they have "no evidence" does not prove the source code used to produce Microsoft software wasn't copied. Even if Microsoft audited every machine of every internal and remote user (assuming each machine had auditing capabilities turned on), there is no way to ascertain the source code wasn't copied. I once worked at a research facility of a foreign company that was penetrated by a group out of the Netherlands. After we learned of the penetration and went through the logs on the backup tapes, we realized the intruders had been in the system for at least 6 months. Why were they so quiet? Because the best thefts are the ones you never know about and information theft is big business. Inevitably, Competitive Intelligence groups will recruit hackers to work for them. The only question is: Can they be trusted to keep their mouths shut? About the author(s) ---------------- Carole Fennelly: Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for SunWorld (http://www.sunworld.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () sunworld com. -------------------------------------------------------------------- RESOURCES Security Information Website Hacked http://www.vnunet.com/News/1113199 Statement from AntiOnline http://www.antionline.com/cgi-bin/News?type=antionline&date=10-30-2000&story=hackz.news Attrition Mirror http://www.attrition.org/mirror/attrition/2000/10/28/www.antionline.com/ Microsoft says it knew of hacker all along http://www.cnn.com/2000/TECH/computing/10/30/microsoft.hackers.ap/index.html If Hackers Were Smart by Brian Martin http://www.hackernews.com/bufferoverflow/99/stateofnet.html Hacker attacks Microsoft's network FBI is investigating the theft http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_3212.html Was hack attack Microsoft's own fault? Observers criticize software giant?s attitude towards security http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_3226,00.html Microsoft says it had eye on hacker all along http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_3287.html -------------------------------------------------------------- ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Motivation to Hack William Knowles (Nov 06)