Forget the outdated hacker image of a spotty anarchic teenager holed up in his bedroom defacing the websites of global organizations; today’s hackers are not only older but more determined than ever to claim your cash and identity.
Many early depictions of hackers on the silver screen portrayed relatively benign individuals, such as Matthew Broderick’s teenage boy in the 1984 film, War Games or Val Kilmer’s young prodigy in Real Genius. But over the years the hacker’s screen persona has become more complex and multi-faceted in line with the public’s ambivalence towards them and their criminal activities. As a result, we have seen in recent years the hacker depicted as a terrorist threat in the James Bond film Goldeneye, a cog caught up in a malicious plot in Hackers and a pawn in a battle against artificial intelligence software in The Matrix.
Real life hackers have also evolved with the times. Prior to the Millennium, hackers could largely be divided into two groups: a minority of intelligent, computer-literate individuals that hacked into some of the most secure websites in the world for kudos within the hacking community or to show their defiance of global establishments; and a second group that worked with serious organized crime gangs to garner funds for their illegal activities, such as prostitution, drug trafficking and pornography.
Since then, organized crime units have continued to provide a fruitful income for a group of hackers that are effectively on their payroll. Their willingness to pay for hacking expertise has also given rise to a new subset of hackers. These are not hardcore criminals in pursuit of defrauding a bank or duping thousands of consumers. In one sense, they are the next generation of hackers that carry out their activities in pursuit of credibility from their peers and the ‘buzz’ of hacking systems considered to be unbreakable.
Where they come into contact with serious criminals is through underworld forums and chatrooms, where their findings are published and they are paid effectively for their intellectual property. This form of hacking – essentially ‘hacking for hire’ – is becoming more common with hackers trading zero-day exploit information, malcode, bandwidth, identities and toolkits underground for cash. So a hacker might package together a Trojan that defeats the latest version of an antivirus client and sell that to a hacking community sponsored by criminals.
These packages are often put together using some of the tools available in the marketplace today. Anyone can take advantage of these products, which are often sold legally as applications to protect children from harm on the internet, for example, by tracking their discussions in chatrooms. But in the wrong hands these tools can be used to malicious intent and, indeed, have already spawned a new form of hacker.
The recent incident of the cyber extortion attack is a perfect example of this new form of hacking. The attack attempted to extort money from users by encrypting files on the user’s hard drive by holding files to ransom and then requesting payment for a decoder tool.
Collectively, these hackers pose a growing threat to businesses and individuals. In the U.K. for example 40 percent of all financial crime businesses suffered in 2003 were attributed to phishing and other hi-tech crime, such as spyware, viruses and Trojan horses. These crimes cost businesses in the country in excess of $4.7 billion during 2004.
So how can organizations defend themselves against these new threats and hacker profiles? A recent white paper from research firm IDC revealed that 90 percent of breaches in security originate from within the company. Obviously, telling employees not to use the internet will never work – some employees will continue to disobey orders even if their intention is benign. Therefore, organizations need to put in place an employee internet management strategy that provides an automatic means of controlling internet usage while educating users on the dangers posed by their activities.
In addition, employers need to carry out a review of their organization’s internal processes and policies to find out what strategies are in place to track data and internet use, respond to an IT security breach and ensure compliance with standards such as ISO17799 or regulations such as the Sarbanes-Oxley Act.
For organizations with a mobile workforce, there are further IT security challenges in protecting mobile devices, such as PDAs and laptops, from offering hackers another backdoor into the organization. Employers must broaden their IT security policy to take into account changing working practices and make sure that they have safeguards in place – such as an acceptable internet usage policy – to protect every corner of the company from the new generation of hackers.
Above all, organizations need to realize that hackers are not the sole preserve of the big screen but pose a real threat to every business and consumer. Therefore, the more secure an organization can make its IT infrastructure, the more chance it has of creating its own happy ending.
The author is technical director for EMEA at Websense