Part one the Black Hats
The dilemma of the black hat hacker is not easily understood. Because this type of hacker lurks in the underground and performs criminal activities access to them and information about them is difficult to gather. There are various types of this type of hacker. Some of them deface WebPages just for amusement or to prove themselves as able to. Some are some are teenagers others are young or older adults. There is the prankster that does it for amusement. Most of these type of black hat hackers are script kiddies who don’t actually know how to write code. Although the general public may perceive that hacking is a male dominated pursuit many are women who use their sexuality as a tool in effective social engineering. This misconception by the public leaves them to be wide-open targets for this type of social engineer because they don’t suspect woman as being hackers.
Kevin Mitnick address this issue in his book The Art Of Deception. I quote Kevin saying*” You may notice I refer to social engineers, phone phreaks, and con-game operators as “he” through most of these stories. This is not chauvinism; it simply reflects the truth that most practitioners in these fields are male. But though there aren’t many women social engineers, the number is growing. There are enough female social engineers out there that you shouldn’t let your guard down just because you hear a women’s voice. In fact, female social engineers have a distinct advantage because they can use their sexuality to obtain cooperation.” Perhaps one reason some female hackers hack is to prove themselves equal to their male counterparts. The battle of the sexes has been going on a long time and will more than likely not cease in the near future.
The black hat hackers also fall into a category of highly technical ones that work for underground syndicates that are tightly knit organizations that attack major corporations. These high tech thieves are the ones that we will probably never talk to about hacking openly in a chat room, via email or on the streets. This type of black hat is in it for the money. This is the type of hacker who will write a worm to that will make your computer a Spam mail server without your knowledge. This is also the type of hacker that will control your computer remotely without you having a clue. This may be the most difficult hacker to understand because they lurk in the shadows. They do not walk around with a t-shirt that says, “I am a hacker” on their backs. To gain knowledge and data on this type of hacker is a difficult task at best. The FBI and CIA spend a huge amount of time and resources tracking this type of individual, and even they have troubles at times obtaining data they need because of the elusiveness of this type of hacker. Some of the most qualitative data that we can obtain about this type of hacker is when one of them goes straight and helps authorities in tracking others. This is why people like Kevin Mitnick, Adrian Lamos, and Frank Abagnale Jr are important in understanding these types of hackers.
With the advent of the collapse of the twin towers on 911 the world gained a wide eye at a new type of hacker the terrorists. This terrorist used both technical and social engineering skills to launch an attack on
There is also the black hat hacker who is one for the simple reason that the individual breaks the law. This type hacker does well by the spirit of the law but is considered by many to be a black hat because he breaks the letter of it. A hacker of this type is Adrian Lamos also known as the homeless hacker. This young hacker spent his days breaking into corporations to find the security loopholes and then reported them to the corporations. Many of these corporations were very thankful to him knowing that he had broken the law but did so for their benefit. Sadly he broke into the New York Times and when he offered his help to them they took offence and brought charges against him.
So we could surmise that this type of black hat is somewhat motivated by goodwill but maybe has deficient ethics.
Part two the End User
The dilemma of the end users part in security is just as essential as all other parts.
In the early days of computers the end user was the programmer and that was all there was to it, today millions and millions of end users exist. End users include the housewife with a home PC shopping on Ebay. The teenager playing online games upstairs in his bedroom. The husband watching the details of the game on ESPN’s website. The secretary sitting in a cubical on the floor of some corporate organization, and the CEO watching how the stocks of his company are doing. Categorizing the types of end users would be an enormous task and intensely time consuming. What all these end users have in common whether they realize it or not is a need to implement security protocols on their computers.
With the advent of today’s worms that are programmed to attack an organization and cripple it or promote SPAM the need for the end user to secure his or her machine is vitally important. Every end user connected to the Internet should have a firewall and an antivirus. Microsoft Corporation has defiantly realized this and has incorporated another firewall in its upcoming release of the final service pack for Windows XP. Although there are better ones available for free I applaud Microsoft for adding this to that service pack simply because from my research I have found that most end users either do not know what a firewall is or how to use one. This final service pack due to be released on AUG 24th of 2004 will also have better utilities to make Norton’s antivirus work better.
Even though I have had my prejudices and bias in the past about Microsoft’s software I am extremely happy to see that they understand the dilemma of the end users and taking measures to deal with that dilemma.
Why don’t end users secure themselves? There are many factors that go into this. Some know that they need to secure their computers but are just lazy and don’t care, some have even told me that. At least they are honest in their answers, it takes some sort of effort on their part and they don’t want to apply themselves. It doesn’t matter to them that their lack of securing their computers may hurt others so they say. I find this difficult to believe that these people are that cold hearted. I really do not think they understand the overall scope and how in the end this will not only hurt others but will also affect them in the end. One solution to this could be educating the end users about the consequences of not securing their workstations.
Another reason some end users do not secure them selves that I have found from my research is that the software needed to do it is complex and difficult for them to understand. In a day and age when most people run to and fro all day and are extremely busy most do not have the capacity to keep abreast of the knowledge as it increases beyond their scope of comprehension. This especially applies in the field of computers and the internet information changes so rapidly that no one individual is capable of knowing even half of what is the current scope of information in today’s society. The working mother with three children may feel exhausted and incapable of understanding security or how to implement it. At the same time this occurs more and more computers are manufactured and the population of end users connected to the Internet increases.
Alvin Toffler penned the book Future Shock years ago. In his book we were told to ride that wave of change how could he foresee that the wav has in this day and age become a tidal wave that could be detrimental instead of constructive to our society. Many security analysts today feel they are at Custer’s last stand unable to deal with all the new issues that every new release of software and technology poses. People at help desks are almost driven to insanity while talking to the end user. Yet the end user is a necessity without them there would be no jobs. For this reason the end-user needs to be understood rather than blamed.
Consider the working mother, the overworked secretary, the help desk technician, and a variety of others who simply feel they do not have the time to secure themselves. Combine this with other threats such as outsourcing and lay offs and we can see why today people work long hours just to keep their jobs. So somehow economics my play a part in the reasons the end users do not practice effective security measures.
Now here is the catch 22 once and end user suffers the consequences of not practicing security measures he will be more apt to learn and apply them. The end user who just got his or her identity stolen and has thousands of dollars now put on his or her credit card will now practice security measures so they don’t again have to experience that pain.
Consequences for a lack of action will motivate and end-user. Perhaps some more detailed study could be done comparing a small fine for not securing a computer to the consequences of being hacked. A study such as that may show a pattern that could be established and promote some sort of legislation in the future.
Self-esteem may also play a part in the end-user dilemma. Tapes that play in some end users heads may tell them that they are not capable of understanding and implementing security because they are too dumb or stupid. These tapes may have been embedded since early childhood. A technician who tries to teach the end user with an air of superiority may contribute to this dilemma by re-enforcing those voices in the end-users head. In today’s society a little observation will quickly reveal that older people tend to be actually scared of computers. Perhaps this is because they grew up in a time when only geniuses used them. Getting the older generation to believe they are capable of understanding and comprehending security measures will be a task that requires an understanding of there outlook and a degree of patience.
A lack of qualified personnel to train the end users in security measures is also an issue. Major corporations do indeed have seminars and lectures on this issue yet home users of computers are also subject to invasion by today’s worms and they represent a major part of the population. To arrive at any valid solution to overcoming security issues we have today the problem of qualified people to train the home user must indeed be addressed.
Should the funding of this be left to Corporations the Government or should it be equally distributed? No matter how the funding occurs to devise a program to train the home users it is quickly becoming evident that unless measures are taken soon this sector of end users will pose even more of a problem in the future.
Many end users fail to understand how their greed attributes to today’s security issues. This moral and ethical dilemma opens wide doors for hacker to exploit the end-users. (Maybe this is why many hackers refer to the end-users in there terminology as”lusers”.
And yes that is how they spell it. Hackers are not generally known to spell well. They have their own form of it sometimes referred to as Haxor.) Attempting to get something for nothing the end –user downloads video, music, and key generators from peer- to-peer programs not realizing that what they are downloading has been joined to another type of file a Trojan. When the open the file the Trojan executes in the background and now their machine is compromised and the hacker is in control. They will also open email attachments claiming that they are eligible for something free. Their lust works on this principal as well and pornographic site have become a popular way of deceiving end –users to download malicious software. This type of end user reminds me off a mouse getting caught in a trap trying to get the cheese like the mouse they act on their basic primal emotions instead of thinking things through. As long as this type of end user exists hackers will always have easy targets. There is no honor among thieves. A moral or ethical revival may be the only solution to this type of end user.
What many end –users also fail to realize is that every time they steal software it puts a developer out of a job and when the developers are not numerous enough to write secure software the end-user will suffer with a higher cost of software and less efficient software.
Part three the Developers
For the most part the developers are motivated by money. They develop technology and software to make money that’s the bottom line. The mount of money they make comes from the revenues generated by selling their products to the end-users. For various reasons the pursuit of financial gain can easily override the purposeful development of secure software and technology. The development of secure software and technology in a timely fashion is a difficult task to accomplish. For this reason many software patches are released before it is possible to test them for all the unknown security loopholes. These developers have known about the threat of hackers for a long time. The new threat is the hackers increased knowledge of exploiting the end-users. Developers are now realizing that the insecure end-user is as much of a threat to security as the hackers themselves. We now can see that major corporations such as Microsoft are paying more attention to the end-user than they have in the past as they are realizing this concept. If the concept of training the end-user had more importance in earlier days we would more than likely not have the snowball effect of that has lead to the development of highly sophisticated stealth type malware that we are plagued with today.
With recent worms programmed to launch distributed denial of service attacks against companies such as Microsoft these companies have woke up and smelled the coffee about the importance of the end user. Why? Because the attacks came from the end-users computers even though they were not aware of it. Now companies like Microsoft are eager to train these end users about firewalls and anti-virus software because every time they suffer an attack it cost them money.
These attacks have managed to make developers spend more time in developing more secure software. This concept also applies to the government. Institutions. In July of 2001 the code red worm was released into the wild. This worms purpose was to launch a distributed denial of service attack on the White House. This made our Government come to alert of the dilemma of the end user. Once again it was the end –users machines that were used to flood the White House. Since then the government has invested time and money in educating the end users. Microsoft could have learned from that but it didn’t cost them the money so they waited to learn it on their own from worms that directly attacked their corporation.
Today a lot of the development of software and technology is being outsourced to countries who do not have the same laws that we do. This will defiantly impact the security of whatever is developed and corporations doing this outsourcing to save money need to evaluate the cost of security. Our laws do not apply in foreign counties and therefore it is likely that trade secrets will be brought and sold on the black market as a result of this outsourcing.