Comment If there's one thing I've learned in the past few years as editor of SecurityFocus, it's that there is absolutely no saving grace in the security world. Everyone is a target, everyone is vulnerable and exposed, and no one is safe from, well... anything.
I had a revelation the other day. I'm sorry it took me this long to figure it out. I took off my technology-is-utopian hat for a moment and was rather shocked at what I saw.
The morals and ethics that govern our real world just do not exist online.
Nowhere is this more evident than in the rapidly growing trend where hackers attack, compromise and steal money (and identities) from individuals. Whether it's the little old lady who lost $50,000 of her life's savings, or the Trojan that finds every parent's online banking account, what's the difference to a hacker?
Sitting behind a computer, any shy or docile human being can become the world's nastiest bastard of a hacker without even the slightest tinge of regret.
Attack, compromise, transfer funds, and then walk away. You might have just stolen the life savings of someone you don't know (and will never meet), so who cares? Or you've stolen the identity of someone who will feel the effects almost daily and for at least ten years down the road. But how does that affect you?
Hackers couldn't be any further detached from the damage, devastation and emotional destruction they cause. Just close the lid to your laptop computer, and move on.
Petty thieves or 2-bit thugs?
There are no morals among hackers anymore, no sense of right-or-wrong, and no appreciation of a greater good. Take the devastation caused by the tsunami last year and the destruction the Americans have faced with Katrina: dozens of phishing sites, phony donation efforts, fraud and rampant online identity theft, millions of pieces of spam and custom viruses purporting to be trojan relief efforts that were all trying to exploit the very individuals who, ironically, were offering up their funds in an effort to do some good. This is the community we work in.There are probably a dozen people trying to hack the Red Cross right now.
Would these same people break into their neighbor's home and rob an old lady at gunpoint? Or smash her head in with a sledgehammer? I'm guessing, probably not. Why? Because there's a clearer link between the crime and the consequences when you're not hiding behind your computer. The meek-human-but-vicious-hacker closes the lid of his laptop again, leaves the anonymous WiFi connection he was borrowing, and he's done.
This disturbing trend to attack individuals (and often for relatively petty amounts, at that), or emergency relief agencies, or even just the lowest hanging fruit around, is nothing short of evil and it must be stopped, exposed or redirected if it's ever going to come to an end.
Corporate security folks are lonely people
Inside a company of 1,000 employees, it's not uncommon to find just one or two security staff. Let's face it, these are lonely people. They're over-worked, understaffed, underpaid and they have no one to talk to. They fight the occasional virus outbreak, and they despise Microsoft's patch Tuesday, but otherwise there's only so much that can be done. They take smoke breaks.
The company itself might have annual revenues of several hundred million dollars, millions of dollars in revolving credit lines at various banks, and an IT budget that's in the millions as well. Let me say it again. That's just two security staff protecting a few hundred million dollars, and hmm... no recent security compromises to speak of. Yet the old lady down the street keeps getting hacked.
No recent security events except for Zotob, that is. That virus outbreak a few weeks ago hit many Fortune 100 companies hard, and should be a big eye-opener to many CIOs. Odds are good the company is still standardized on Windows 2000, after all. It doesn't have the security features of XP, and it's big bucks to upgrade. What about Linux? Mac OS X? Or status quo?
What about the 2,500 employee company with a security staff of just three? It's frightening how common this has become. We're all expected to do more with less, and carry Blackberrys and such, but how does this translate for real security? With the soft underbelly of Windows 2000 (or even Windows 95/98) still on many corporate desktops, a fat Oracle database, juicy VPNs and perhaps even IT services outsourced to a third party, well...
There's no budget for security. There's no money for security. There's no need to hire more staff. There's no money for insurance. There no risk. There's not even any proof that a real threat exists for company XYZ at all. Millions of dollars. Understaffed, under funded, no focus on security, hard to keep on top of what they've got. Windows 98. Wait a second. They're sitting ducks.
The guy siphoning off small chunks of tens of thousands dollars a month from the company payroll is laughing all the way to the Bahamas, because he's not on their payroll. His approach doesn't make him any less than a criminal, but it begs the question: is this any better than stealing money from a little old lady, and taking her life's savings right out of her bank account? Is the corporate hacker any less detached from his crime than the 2-bit Internet thug?
A changing culture
In the 1980s when I discovered the Internet, things were very different. There were smart people, mostly academics, doing smart things and having intelligent debate. I couldn't believe the size of the Internet already, even back then it absolutely blew me away what could be done. Instantly.
It was much easier to attack systems back then, too, but few people bothered -- everyone was more interested in making it all work and in building new and amazing things. I remember telneting into NetHack sites that didn't even use authentication. And I remember one of the most exuberant feelings I've ever had was back then, with the Usenet and email and telnet, and ftp, and... well, it told me that our future with technology and communications through the Internet was very bright.
In the 1990s the Internet grew and changed dramatically. It almost went supernova near the end. And then in the last five years, it's become all about penetration-exploit-and-profit, and actually quite nasty. Now people are far more interested in stealing money and identities like a stack of playing cards... as they hide behind their keyboard, remaining detached and shy and anonymous, and meek, and trying to make it all come crumbling down. How times have changed.
I enjoyed reading Markus Ranum's recent article, The Six Dumbest Ideas in Computer Security, because it shows various dumb decisions made over time by smart people amid a changing security culture, and it also seems to be bang on. It made me reflect on how much things have changed even in just the past ten years, and how back in 1995, OS/2 and Macs were still common on many desktops. Security, at the time, was nothing but a bad dream. Now we have Linux instead of OS/2, and Mac OS X has quickly outpaced the old Mac (both in marketshare and in its rate of growth). Only one dominant player has actually multiplied in size, though, and many rocks are coming in through those office windows.
More smart people are focusing on patching our current approach to security than ever before. This is very true.
And yet there are far too many smart people doing very stupid things, like hacking their neighbors and friends, little old ladies and good organizations like the Red Cross. For profit? These are sad people. Hackers have to stop detaching themselves from their crimes, and take some responsibility. They need to take a step back, see the kind of damage they have already caused, and what the community has now become.
Copyright © 2005, SecurityFocus
Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.