Hacking for Dummies: New Breed Learns Skills From Web
The youthfulness of hackers made the news again last month with the arrest of a 19-year-old Englishman, possibly associated with the Lulz Security "hacktivist" group, who was accused of breaking into British government servers.
Ryan Cleary fit the old stereotype of hackers as "geeks hanging out in their parents' basements." Newspaper reports labeled him a socially introverted kid with superior, self-taught computer skills that allowed him to break into closely guarded websites.
But there is new breed of hacker out there. Like Cleary, these hackers are young, said Alan Wlasuk, managing partner of Indianapolis-based 403 Web Security.
Yet this group's computer skills are more limited. Instead of spending weeks in dark rooms staring at screens, they simply take advantage of the explosion of Internet-based technologies.
"The explosion of the Internet has provided even moderately skilled kids (still early 20s max) to use downloaded tools, YouTube video instructions and easily taught basic hacking tools to pick off easy Internet targets," Wlasuk said. "One [type of hacker] is an artist. One is just lurking."
According to Wlasuk, most hackers break into computers for three reasons: greed, social activism or social acceptance. For this new breed, social acceptance is important.
"These are not kids who will empty your bank account after you inadvertently give your credentials away," Wlasuk said. "But they will let their friends know what they can do and maybe even post a brag about it.My guess is catching the old guy in the corner [of the coffeeshop] surfing lingerie websites would be a high point of [their] day."
To Amol Wagh, who describes himself as an ethical "white hat" hacker, the new hackers are a throwback to the "phone phreaks" of the 1970s — they are looking for freebies, such as free Wi-Fi or free phone calls.
Hacking for the masses
Thanks to how-to video clips and inexpensive "off-the-shelf" cybercrime software that comes with instructions and technical support, anyone can now become a hacker.
That's a far cry from the past, when hackers had to develop their own tools to identify vulnerabilities and exploit them, said Gunter Ollmann, vice president of research at the Atlanta-based information security firm Damballa.
"By 1999, access to exploit material and rudimentary tools that automated exploitation began to appear," Ollman said. "Then, by 2002, the first commercial exploit tools began to appear and, by 2005, public tools like Metasploit further lowered the barriers for would-be hackers to commence a life of crime."
"Today's tools automate 99 percent of traditional hacking techniques and the tools are readily accessible," Ollman added. "There are portals, forums and even YouTube channels that provide step-by-step instructions in their appropriate use."
Most hackers, professional and amateur, now depend on automated hacking tools.
"There are hundreds of hackeresque websites with information on how to hack a computer, how to create a keylogger, how to scan wireless traffic, and more," explained Harry Sverdlove of the Waltham, Mass.-based security firm Bit9.
"There are even commercial products available for performing many of these tasks — both legitimate products and illegal ones," Sverdlove said. "For example, there are toolkits, like Zeus, that can be purchased to create custom malware programs that target a specific computer, user or even banking site. These toolkits can be programmed to transmit stolen data back to specific locations."
How easy is it to find these tools?
"A few choice keywords on Google," Sverdlove said.
Any kind of hacker will take advantage of any hole that is open to him, and public Wi-Fi leads the list as one of the easiest avenues to get into someone else's computer.
"Using [public] Wi-Fi is like walking around the mall with your credit-card number on a sign around your neck," Wlasuk said. "Unless it is encrypted, all information sent out over a Wi-Fi network can be easily reconstructed into its original form."
"Think of it as having someone peek over your shoulder at Starbucks while you work on your notebook, iPad or smartphone," he added.
Incidentally, Wlasuk doesn't believe the LulzSec hackers, whom Ryan Cleary was associated with, are part of this new breed.
"While the LulzSec hackers seem to be young and immature — what place do silly taunts have during a CIA website attack? — their hacking skills appear to be very established and far above [that of] the bored Xbox user," Wlasuk said.