FBI Agent George Wigan: He does fit the profile perfectly. He’s intelligent but an underachiever, alienated from his parents, has few friends—classic case for recruitment by the Soviets.
Lyle Watson: Now what does this say about the state of our country, hmm? I mean have you gotten any insight as to why a, a bright boy like this would jeopardize the lives of millions?
FBI Agent George Wigan: No sir. He says he does this sort of thing for fun.
(McKittrick and Wigan, speaking about hacker David Lightman, WarGames, 1983)
Before the era of cybercrime, hacking for social, political, or religious causes (so-called hacktivism), and terrorist threats to our infrastructure and monetary systems, the hacker started as an explorer and traveler on the data superhighway.
In his 60 Minutes interview with Ed Bradley, notorious hacker Kevin Mitnick made the staunch claims that he did no harm in break-ins of various computer networks and systems. When confronted with the theft of operating systems’ source code, Mitnick prevaricated, despite Bradley’s statement, “Kevin, you stole it.”
Today, we can still categorize some hackers as explorers. In fact, the title “hacker” carried the pejorative meaning only recently. Today, taxicabs are still called “hacks” in homage to the hack-kneed drivers who could navigate the complexities of their cities in their carriages-for-hire. Newspapers would hire “hack writers” for their ability to churn out articles at a high rate, often with little to no understanding of the topic. A programmer’s ability to optimize code to save space or speed execution in new and novel ways might be considered a “cool hack.”
Looking at the intent of the hacker, we can view hacking from the point of view of the attacker or the defender. Harking back to the black-and-white Westerns of the 1950s, audiences could tell the “good guys” from the “bad guys” by the color of their hats. The good guys wore white. Today, we make the distinction between black-hat and white-hat hacking. Security professionals are said to wear the white hats and the attackers black.
More recently, in an interview on 60 Minutes, Jim Lewis of the Center for Strategic and International Studies talked about international and transnational hacking by intelligence agencies, the United States included. He pointed out that we are “at the top of the pack,” but also most concerned because “we have the most to lose.” As the Edward Snowden revelations show, the US data and intelligence gathering activity net covers a broad territory. On the other hand, sources identify China as the source of the cyberbreaches of both Google in Operation Aurora and more recently against the New York Times. Cyber spies, then, capture much of the press and imagination of the public.
Starting as a data breach at Target and extending to several other companies including Neiman Marcus and Michaels Stores, cyber criminals and their attacks have also become topics for discussion. Estimates of the impact of the Target data breach are a cost of up to $1 billion with as many as 110 million individuals affected. Typically, cyber criminals try to collect information that can be monetized in the form of Personally Identifiable Information (PII), credit and debit card numbers and PINs, and other financial information.
In addition to theft of PII, criminals use malware to help further their schemes. Remote-control programs called Trojans, based on the legends of the Peloponnesian wars, can be used to hijack innocent people’s systems, stealing information directly from their computers. Using armies of hijacked systems, the so-called botnets can be used to send mass emails to entice the victims to perform unwanted actions. Very often, this spam email is used to carry the botnet programs as attachments as a means of infecting the computers that will soon be turned into zombies. Once recruited, these bots can be used to launch Denial of Service (DoS) attacks or for social engineering to lure unsuspecting victims to fake websites to steal login or financial information.
Hacktivism, hacker activity for geopolitical or social causes, often leads to either website defacement or DoS attacks. The group “Anonymous” is most famous for its political statements, whether they are in support of the website Wikileaks or simply because the group feels infringed upon when a company sells products based on the “Guy Fawkes” mask that has become its symbol. We can possibly group cyber terrorists along with hacktivists, but the instances of the former are very rare.
Related to the explorer, finally, is the script kiddie. A pejorative term in the security community, a script kiddie is someone who downloads hacking tools and launches them indiscriminately without an understanding of their use or operation. Periodically, these hackers will be newsworthy for their arrests, often in conjunction with the actions and subsequent crackdown on hacking organizations such as Anonymous.
As distinct as the categories may be, malicious hackers can cross multiple boundaries. For example, hacktivists may use botnets to launch DoS attacks and claim credit. Script kiddies may participate in the hacktivism of Anonymous, or cyber spies may steal a business’s trade secrets to benefit a competing company in a foreign country.
In the case of the cyber criminal, the analogy of black and white hats holds true. Depending on the side of the cause, however, the perspective may change when related to good vs. bad hacking. One person’s hero is another’s terrorist. Further, despite the popular negative connotations, talented programmers and systems designers can also still call themselves hackers, in the most noble and traditional sense.
In his 1986 missive, The Hacker Manifesto, “The Mentor” described the inquisitive mind of the hacker. The theme of the manifesto is one of boredom, followed by excitement at learning about computers, followed by exhilaration at the opportunity for exploration:
We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.
Today, however, the naïveté of that view of the hacker is overshadowed by the thief, the scammer and schemer, the spy, and the terrorist… all seeking to enrich themselves, to steal, or to usurp our systems or destroy our infrastructure.
Related Courses
Certified Ethical Hacker v8
The Hacker Academy Training Bundle (6-month subscription)
The Hacker Academy Training Bundle (12-month subscription)
Foundstone Ultimate Hacking: Expert