[ISN] Know thy hacker

InfoSec News isn at c4i.org
Tue Feb 1 04:04:24 EST 2005 

http://www.infoworld.com//article/05/01/28/05OPsecadvise_1.html

By Bob Francis 
January 28, 2005 

As I said last week [1], I recently attended a local meeting of the
Information Systems Audit and Control Association (ISACA) to hear a
presentation by Mark Loveless, who heads up the Razor research team at
BindView.

As well as talking about the many daunting threats that face security 
administrators, Loveless also spoke about the changing nature of the 
hackers and groups that are causing security threats. 

Many hackers are known as "black-hat" hackers, those who generally 
hack systems for personal gain or malicious reasons. The black-hat 
hacker either exploits these hacks for themselves or trades or sells 
that information. 

A "gray-hat" hacker hacks systems and software without the 
administrator's or developer's permission in order to uncover network 
or software problems. Many of these hackers used to operate alone but 
now work for organized crime, foreign governments, or spammers. 

According to Loveless, the black-market price for exploit code for a 
known flaw -- such as some of the recently announced Internet Explorer 
flaws -- is between $100 and $500. That's the price if no exploit code 
is currently available; after the exploit code is made available on 
public forums, the price drops to zero, under the "carrying coals to 
Newcastle" principle of economics. 

Exploit code for an unknown flaw is -- not surprisingly -- 
considerably more valuable: Prices for unknown exploits range between 
$1,000 and $5,000. Among the buyers of those codes are various foreign 
governments, foreign and domestic organized crime groups, and 
iDefense, a company that buys the exploits then informs its clients of 
the flaw. 

Want to know who has your e-mail address? Get in line. A list of 5,000 
IP addresses of computers infected with spyware and ready and able to 
go into "bot" mode goes for $150 to $500. 

If you're in the black market for a list of 1,000 working credit card 
numbers, expect to fork over between $500 and $5,000. Some sites even 
will send you a couple of free numbers to test drive prior to 
purchase, Loveless says, while others have rating services of the 
different credit card number sellers, much like eBay. 

Prices were even cheaper for those numbers, although the price has 
increased since the U.S. Secret Service began Operation Firewall, an 
investigation that targets underground hacker organizations known as 
Shadowcrew, Carderplanet, and Darkprofits. 

What do these black-hat hackers working for spammers make for their 
trouble? According to Loveless, the annual salary of a top-end, 
skilled black-hat hacker working for spammers is between $100,000 and 
$200,000. Not bad -- although if you are caught, legal costs will eat 
that up in a matter of weeks. 

Apparently not all black-hat hackers are making the big bucks, 
however. I spoke recently with Dr. Bill Hancock, Savvis 
Communications. chief security officer and chairman of the FCC's 
National Reliability & Interoperability Council (NRIC) Homeland 
Security focus group on cyber-security, who says some black-hat 
hackers are wearing their hats under protest. 

Hancock had dinner with a hacker from Eastern Europe last year who 
said the Russian Mafia threatened his family if he did not perform 
work for them. "I think it shows how serious and how difficult a 
problem this can be," he says. 

Indeed, but it still pays to know your foe.

[1] http://www.infoworld.com/infoworld/article/05/01/21/04secadvise_1.html

More information about the ISN mailing list