Bruce Schneier

 

Home

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

Computer Security Articles

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography and Computer Security Resources

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« Sony's DRM Rootkit: The Real Story | Main | U.S. Compromises Canadian Privacy »

November 17, 2005

Hackers and Criminals

More evidence that hackers are migrating into crime:

Since then, organised crime units have continued to provide a fruitful income for a group of hackers that are effectively on their payroll. Their willingness to pay for hacking expertise has also given rise to a new subset of hackers. These are not hardcore criminals in pursuit of defrauding a bank or duping thousands of consumers. In one sense, they are the next generation of hackers that carry out their activities in pursuit of credibility from their peers and the 'buzz' of hacking systems considered to be unbreakable.

Where they come into contact with serious criminals is through underworld forums and chatrooms, where their findings are published and they are paid effectively for their intellectual property. This form of hacking - essentially 'hacking for hire' - is becoming more common with hackers trading zero-day exploit information, malcode, bandwidth, identities and toolkits underground for cash. So a hacker might package together a Trojan that defeats the latest version of an anti-virus client and sell that to a hacking community sponsored by criminals.

Posted on November 17, 2005 at 12:25 PM15 CommentsView Blog Reactions

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

s/hackers/crackers/g

Thanks.

Posted by: Tobias Weisserth at November 17, 2005 01:46 PM

" So a hacker might package together a Trojan that defeats the latest version of an anti-virus client and sell that to a hacking community sponsored by criminals."

Or the anti-virus company pays the hacker to produce a few vruis and provide the "fix" for them.

I have always thought that these companies would want virus to be produced, so you just had to pay for the software.

Posted by: Greg at November 17, 2005 01:51 PM

Come on don’t you want to be l33t?

Seriously, if I had real cash in the bank I would hire an Internet Security Expert to protect my interest BEFORE I would hire a physical security expert.
I would be more worried about someone stealing my account information than the cash in my wallet.

Posted by: Adam at November 17, 2005 01:52 PM

@Greg

Actually, I don’t think the antivirus companies have much of an interest in more viruses being produced. They like the threat, but they really don’t need more viruses, as quick responses and updates are very costly.

Today many of the security companies are spending a large part of their budget at writing signatures for the latest and greatest worm as well as staying competitive by constantly developing their software. And they have to, as somebody creating a virus that is not detectable is pretty much unacceptable.

The antivirus companies would probably prefer to have to compete on less strictly technical grounds, such as advertisement and support services. Some companies are actually moving in the support direction.

So, no, I don’t believe in that particular conspiracy, just like I don’t believe that hospitals want to keep us sick. They have too much to lose on something like that and really nothing to gain.

Posted by: Student at November 17, 2005 02:00 PM

I have thought for a long time that organized crime should be supporting open source. That is a way for them to get an OS that they can trust.
Also they have some interesting data security data requirements where it can be better to lose data than to have it fall into the wrong hands. So that they have incentive to hire people to set up systems with encrypted hard drives with the keys saved in volatile memory so that if the feds sieze the machines, powering them down will effectively destroy all of the data.

Posted by: Anonymous at November 17, 2005 03:23 PM

This is a supprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?

Posted by: Brett at November 17, 2005 03:30 PM

"This is a supprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?"

It's not a surprise to me.

Posted by: Bruce Schneier at November 17, 2005 05:38 PM

There's always money (often called "opportunity" in polite circles) but the bigger question is what's the risk?

Crime gets organized to increase their margins, essentially in the same way that businesses grow and get organized. Lack of resistance (preventive or detective controls) means the likelihood of hackers turning to profit is highly predictable.

In other words, where assets are found to be vulnerable concentrated threats are bound to follow if an attack (investment) can turn a profit for relatively low risk.

Posted by: Davi Ottenheimer at November 17, 2005 08:24 PM

@Student:
'Actually, I don’t think the antivirus companies have much of an interest in more viruses being produced. They like the threat, but they really don’t need more viruses, as quick responses and updates are very costly.'

If you write the virus, you know exactly how to solve it, and you're that much ahead of your competitors.

I'm not suggesting that there are many corporations that do so, but I expect that a few people (besides myself) have considered it at one point.

Posted by: Anonymous at November 17, 2005 11:51 PM

@Bruce Schneier
--
"This is a supprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?"

It's not a surprise to me.
--
do you not get sarcasm or something?

Posted by: dan at November 18, 2005 06:41 AM

Oh no, please!

REAL HACKERS are not criminals. Hackers are those guys that code OpenBSD, for example. Or Linux. Hackers are those who _think_ and do some great _hacks_, they do not not hack servers for money. those guys are not _hackers_!!

Posted by: lukas at November 18, 2005 09:47 AM

Hacking is not a crime.
Making allegations otherwise should be.

Israel Torres

Posted by: Israel Torres at November 18, 2005 10:10 AM

What hackers? If sony can install malicious software on your computers without your consent why can't those so called hackers? Everyone's a potential hacker, just like everyone's a potential terrorist.

Posted by: Ari Heikkinen at November 19, 2005 09:58 PM

@lukas, Israel Torres

We lost the "hacker != cracker" nomenclature war a long time ago. I'm just waiting for someone to propose a new term for hacker.

I thought about proposing

hacker -> hakir
hacking/hackery -> hakiri

due to its similarity to fakir but a search on the net seems to indicate that that's too close to the Spanish spelling of hacker. It's also just too close phonetically to be an effective disambiguator.

Anyone have any suggestions?

Posted by: RonK at November 20, 2005 12:23 AM

Fair suggestion,
Personally, I dropped the name hacker a while ago, terming myself instead an unlocker...it didn't last, still.

Posted by: Corae Illis'dae at November 27, 2005 07:25 PM

Post a comment



Real names aren't required, but please give us something to call you. Conversations among several people called "Anonymous" get too confusing.



E-mail is optional and will not be displayed on the site.


Remember Me?


Powered by Movable Type 3.2. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.

 
Bruce Schneier
Blog Menu

Search


blog only
whole site

Recent Entries

Comments

Archives

Support Blogger's Rights!
Syndication
RSS 1.0 (full text)
RSS 2.0 (excerpts)
Crypto-Gram Newsletter
If you prefer to receive Bruce Schneier's comments on security as a monthly e-mail digest, subscribe to Schneier on Security's sister publication, Crypto-Gram.
read more