Schneier on Security
A blog covering security and security technology.
« Societal Security |
| Romanian Hackers »
February 15, 2011
The Seven Types of Hackers
Roger Grimes has an article describing "the seven types of malicious hackers." I generally like taxonomies, and this one is pretty good.
He says the seven types are:
- Cyber criminals
- Spammers and adware spreaders
- Advanced persistent threat (APT) agents
- Corporate spies
- Cyber warriors
- Rogue hackers
Posted on February 15, 2011 at 1:11 PM
• 64 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Where do Script Kiddies fit into this model? Rogue hackers?
There are 10 types of hackers: Those who understand binary, and those who don't. (Script kiddies tend to fall into the latter group...)
I would contend that "cyber criminals" is an overly broad term. Every other group on this list could fall under the generic cyber criminal category. How about "online (or cyber, if you must) fraudsters"? It seems that sums up group #1, which is essentially people who use technology for ill-gotten short term financial gain.
Doesn't even Bruce Schneier distinguish between hackers and crackers (anymore)?
Nevertheless what aspects do qualify a corporate spie, a spammer or a cyber warrior as a hacker in your view?
Well, If you use the mainstream definition then anyone who can do more then playing games and surfing on the web is a hacker thus your list might be correct.
its listing criminal activities but not hacker types.
PLH: Crackers are under the label "rogue hackers", but that actually should be the label instead of "rogue hackers" - that is the definition.
The title shouldn't be "7 Types of Hackers", it should be "7 Types of Computer Coercers", or just "7 Types of (Human) Computer Threats".
The "cyber-criminal" can't be used for that because that's strictly for those who use computers for crimes of profit.
"APT agent" is a dumb title for what would normally be called "intelligence agents." It's taking a TACTIC and applying it to a motivation which makes no sense at all.
"Cyber warriors" basically are "counterintelligence agents" and/or "military hackers."
Spammers, corporate spies and hacktivists are about the only reasonable labels listed. The others are poorly chosen.
As an aside, people need to give up trying to distinguish "hackers" from "crackers". That ship has sailed in ordinary discourse and never will it be put back into port. The designations of "White Hat", "Gray Hat" and "Black Hat" make more sense.
Notably, foreign intelligence agencies are missing from the list - but either directly or indirectly funded FIS agents are a pretty key group - capability-wise.
I wrote this, errr, 17 years ago (!!!), but sadly, it still relevant:
I think motivation is key to understanding any activity, and 'cyber-things' are no different.
Mostly, the 'bad' activities fall into two groups: Sabotage and/or Espionage.
Sad really that things change so little over so many years :-(
@Richard Steven Hack
Back in the day, hackers were called hackers because they where very clever and involved with
a) computer security (white-, grey- and black hats)
Some day, the media adopted the term and started to dilute it. They used it for every person who committed a crime related to computers, no matter how easy it was. Script kiddies are called hackers now.
Today, if someone calls you a hacker, you cannot know whether it's meant as a compliment, as a reference to your (alleged) criminal activity or even as an affront.
It's sad, but there is nothing we can do about it. As you have suggested, we should move on and use other terms to describe hackers. Until the media catches up again.
You can light a candle and spit into the wind if you want to, but to 99.9% of the English-speaking world, a hacker == bad person, and a cracker is something you eat or a disparaging racial slur.
Words have always changed over time, and this one already has.
Meh, Jolie made 'hacker' a trend just like The Crow did with trench coats - both revived of course by The Matrix. What can you do? At least 'phreakers' has seemingly gone by the wayside, haha! And I agree that script kiddies are not properly flogged on this list. 'Rogue Hackers' gives them waaaaay too much credit.
What about artificial scarcity enforcers, cyber warriors, government authoritarians, and other zealots?
The list left off spelunkers, usually old farts that just follow the wire to see where it goes. Used to close open gates until 1996. Don't steal, don't reel, won't even fish in the ponds.
Well, the initial quote does say 'seven types of MALICIOUS hackers'...
..not on bruce's headline. its like an insult;)
You all may be ready to give up on the word hacker. I hacked together my first HAM radio at age seven. I paid my dues, destroyed my share of devices trying to figure them out, and wear my hacker cred proudly.
I will never tire of correcting people when using the term hacker instead of cracker/ criiminal hacker/malicious hacker.
It may be futile, but so was the war my ancestors fought to create this country we call the USA. A bunch of ragtag hicks, farmers, business men taking on the most powerful country in the world. I would be ashamed to put up a lesser fight. But then, I'm just a radical hacker, wearing a dingy white hat.
I think you mean the "414s", named after the area code in Milwaukee where they lived.
Shouldn't the list be
Seriously...did anyone except Bruce read Roger's paper? The title is "Your guide to the seven types of malicious hackers..." For those of you that want to rehash the Cracker vs Hacker discussion please stop. I think Roger's question he was trying to answer was quite simple, what motivates someone to hack. As for the script kiddies comment, I the following excerpt does it justice (again from Roger's paper): "Malicious hacker No. 7: Rogue hackers
...hackers who simply want to prove their skills...[crimeware]... isn't their only objective and motivation...These are the petty criminals of the cyber world. They're a nuisance..."
Hee George. You are retired, so you can stop worry about terrorists.
If you like taxonomies, perhaps you will like my taxonomy of network security threats from my recently published PhD thesis, "Network Protocol Design with Machiavellian Robustness". The taxonomy is in chapter two.
script kiddie = Snotnose missing the physical skills to be good at sports, the technical skills to play an instrument and the social skills to get a girlfriend. Aspires to fall into one of these seven categories once he starts understanding computers.
I'm going with Richard Steven Hack for the rest, especially on the APT part. Too contaminated by HBGary these days.
The trick is to "Expropriate the expropriators"
Journalists expropriated the name "Hacker" and turned it into a bad word. Real journalists don't create stories, they report them, using information other people generated as long as they are nicely presented in a form the journo can access and at least comprehend the surface meaning of.
Script kiddies aren't hackers, they are users of other people's hacks & cracks ... as long as they are accessible and nicely packaged in an .msi file for them to install with a couple of clicks.
We should start saying, "They're just script kiddies or some other type of journo not hackers"
Time for one of your famous contests! We need a new term for the misappropriated "hacker" . Maybe you could offer a signed copy of one of your books as a prize.
Looks like people need a history on APT as well.
I think it's more interesting to taxonomize the various types of threats.
For example, threats against the security of a computer system include viruses, worms, client-software exploits, social engineering (e.g., trojans), password discovery, and physical access as ways to get in initially. Of course, multi-vector malware (or a human attacker with multiple tools) can attempt more than one of these methods.
Then there are secondary threats (threats that must be piggybacked on some other primary entry mechanism) such as privilege escalation, rootkitting, surreptitious data gathering, advertisement delivery, ransomware, practical jokes, and theft of computer or network resources (e.g., using the botnet to send spam). Again, the same attacker can do or attempt multiple things.
Denial of service is really its own category, since it doesn't necessarily require the security of the system to be compromised as such but can be a problem nonetheless in its own way.
I'll have you know that phreaking is still alive and well ;)
On another note, Bruce provides a good definition of the term hacker here: http://www.schneier.com/blog/archives/2006/09/...
Also, maybe it's time we thought up a new term for the type of hacker described in ESR's 'How To Become A Hacker' article. You know, hackers like Linus Torvalds or Larry Wall?
Using Honeypots as a useful way to detect Advanced Persistent Threat (APT) agents, sounds like the cyber equivalent of an oxymoron.
Certainly if I were contemplating a corporate network takeover, I'd create more than one level of control and give up the lowest level every so often. If nothing else this will give corporate management faith in the network administration guys, and create a backdoor that is built-into the network backup databases.
Did Roger consider that attacks on specific honeypot's were possibly intentional? Welcome to the modern "wilderness of mirrors"
@ out west
Oops. Thanks for the catch. Was living in MI at the time; was from the area, a bit "up nort."
While taxonomy can be fun, even useful, seems to me we're getting down to
what do they do
how do they do it
why do they do it
who are they
which starts getting a tad complicated.
In the "Hacktivists" category we're told to "think Wikileaks." Wikileaks itself isn't known for hacking or any of the other listed improper activities, so I wonder what Grimes meant by that. The only related cases of so-called "hacktivism" that I can think of are the recent hacking attacks on various enemies of Wikileaks by its supporters, which are not necessarily the fault of Wikileaks itself.
The "Hacker Dojo" (http://wiki.hackerdojo.com) in Mountain View, CA has this to say:
Q: What does the name "Hacker Dojo" mean? What is a hacker?
A: A hacker is anyone that is skilled at what he or she does; an artisan. A dojo is a place where one learns or trains.
Q: Can you help me break into a website?
A: No, you are confusing the word "hacker" with "cracker". Hackers build things; crackers break them. Hacker Dojo does not condone/encourage nor in any way provide tools that might be used to compromise/hack into other websites.
The "Think Wikileaks" comment was definitely a false note in the article. "Think Anonymous" would have made a lot more sense, since they're a hacktivist core with a lot of rogue hackers fooling around that increase their effective numbers.
@hacker: We need a new term for the misappropriated "hacker" .
I thought that "computer geek" took on that role.
Whether hacker ever had a negative connotation before is debatable. On the one hand, the original "hackers" at MIT were interested in model trains - not exactly a negative connotation. But those same hackers were also skilled in lockpicking and breaking into physical locations on campus. That definitely has a negative connotation, particularly to campus administrators.
So I'd say hacking used to involve both making things AND breaking them. This duality is part of the culture since some times you have to break something to make something and some times you have to make something to break something.
So I don't view the distinction between hackers and crackers as all that useful, at least not with reference to actual behavior.
Motivation would seem to be a more useful distinction. If what a hacker does is coercive in intent, then the term cracker really is an unnecessary extension of the language. "Computer criminal" is the best description.
So you have hackers who are computer criminals and those who aren't (and some who blur the lines such as hacktivists who may do illegal things but whose motivation is not necessarily coercive.)
Besides, the term "cracker" is already taken, referring to rural rednecks (and sometimes most whites) in the black community. Not to mention various foods! :-)
@ Robert T,
"Using Honeypots as a useful way to detect Advanced Persistent Threat (APT) agents, sounds like the cyber equivalent of an oxymoron."
I've said it before but it bears repeating again,
"Honeypots and Honeynets can be enumerated"
It's primarily a question of "resources", used to establish an illusion by the defenders and to detect the illusion by the attackers. And it is very very asymetric in favour of the attackers who basicaly use a third parties resources at near zero cost to themselves.
The secondary but all important issue for honey*s is differentiating between a "naive attack" and a "sophisticated enumeration".
If you think about it the researcher who is the keeper of the Honey* is by and large not interested in what appear to be "script kiddy" attacks and may not even bother to log them.
The "for gain" attacker however will usually use whatever method they can to avoid being caught (otherwise they are not going to profit). One asspect of "not going to profit" is having their hard won "zero day" being detected and nullified. Thus they will try and avoid the likes of Honey*s where they can.
Further another aspect of "not going to profit" is you don't break in every window on the off chance there might be an "old master" hanging on the wall. That level of attack will get you noticed long before you see a painting let alone an old master. Thus as a sophisiticated attacker you do research and planning and target your attack.
In general the more sophisticated an attacker the more cautious they are. Those going down the APT route are likley to be very sophisticated in their aproach as their intentions are very far from the "smash and grab" "quick profit" of the petty criminal. They will do considerable research or "enumeration" and planning before launching the covert attack.
Unfortunatly for them even on the Internet an attacker still has to come to your building and rattle the doors and windows.
They could use their sophisticated attack to sneak in and look around but this will leave traces and this is the principle a Honey*s uses to find sophisticated attacks.
Now if you consider real world "nuisance attacks" such as kidds knocking on doors and running away, the authorities will not bother with investigating unless the problem rises above a certain threashold.
The same principle applies on the Internet, some types of attack (script kiddy attacks) are of "nuisance value only" from the defenders perspective and thus do not warrant anything more than simple deterant. However what a defender may not realise is that the deterant provides the attacker with some information they can use against the defender.
Without going into details (of timestamp enumeration) an attacker can using simple but useless (from the attack perspective) attacks to gain information on how the target machine or network is being used.
From this information an attacker can make a probabilistic determination of if the target system has real users or is a Honey*s system.
If the latter then from the APT attackers perspective it is fairly pointless carrying on either enumerating or attacking the system.
Thus they avoid the Honey* systems and the researchers who run them and prolong the profitable life of their attack.
@Rookie ...not familiar with cracker as either of those two uses (food and slur). Here in Blighty, a cracker is either something you pull at Xmas getting cheap toys and jokes out of, or it's a rather stunning person (e.g., "she's a bit of a cracker").
Back to the list though ... of the groups provided, I can't work out which group "disgruntled employee" or "insider" falls into as these seem to be different threats again.
Not even a mention of the white-hats that invented most of the technology we use today. I am disappoint.
I prefer the old "white hats, grey hats, black hats and asshats" taxonomy myself.
I agree with you, Honeypots present the user with a classic "dis-information" problem. Especially when they appear to be working.
If the APT agents are not actually falling for the honeytraps then what are they doing with them? Maybe APT agents are intentionally feeding at specific honeypots, just to keep everyone busy and away from the real activity. Anytime you know your activities will be tracked, it is always better to bury the real activity in a mountain of useless but "verifiable" information.
You can cheaply rent a nice little Chinese botnet to provide cover for an attack on a local competitors database. This gives the network administrator mountains of data to act upon and a good story to tell about defeating those stupid foreigners with good old US know-how.
And so the game continues...
Article on HBGary Federal 'tracking down' anonymous members, I enjoyed the read...
The core meaning of hacker is someone who forces a program to do something that it wasn't designed to do.
When applied to source code it used to imply a hack - ie. a bad fix from a CS point of view. The original UNIX was enhanced by hackers(1) which is why it was the best target for hackers(2). After Berkeley hackers(3)(see guru(2)) fixed it in a good way, hackers(2) moved on to Windows, where they developed techniques that enabled script kiddies(see hackers(4), h4x0rz) to take over the world. Then after watching Hackers(5) some guy tried logging into his sister's Twit account using the name of her BFF as password, thus becoming a hacker(6).
I have no idea about the slur one either, but for food - do you not think of Jacobs?
(OK, so it's a low content food, but perfect with a nice cheese)
Wow. No one in England has ever heard of Ritz? Keebler? Nabisco?
Just Googled the word "crackers" and aside from some comedy club (weird) coming to the top are "cracker (pejorative)" and "cracker (food)" from Wikipedia, followed by shopping results for said food companies.
The pejorative version says "Cracker, sometimes white cracker, is a pejorative term for poor white people. It is especially used for the white inhabitants of the U.S. states of Georgia and Florida (Georgia crackers and Florida crackers), but it is also used throughout the Southern United States and more widely in North America. One theory holds that the term comes from the common diet of poor whites. According to the 1911 edition of the Encyclopedia Britannica, it is a term of contempt for the "poor" or "mean whites," particularly of the U.S. states of Georgia and Florida (see Georgia cracker and Florida cracker). Britannica notes that the term dates back to the American Revolution, and is derived from the cracked corn which formed their staple food."
The term as related to computer security only comes up further down the page from Searchsecurity at the Techtarget Web site.
Hm. Am I the only one who thought this taxonomy was rather arbitrary? E.g. the difference between 3 and 4 seems to be mainly their location, and I don't see that their behaviour differs much from several other categories.
Could somebody maybe explain why it is "pretty good"?
A page from my notebook:
You forgot to mention Joe Black. I am in a category all on my own. I am a Jedi of Cyberspace, I am a Cyberninja, I am the Information Security industry's ROCKSTAR. I am the Smokey the Bear and Michael Jordan of Cybersecurity. Get used to me I am not going anywhere, I am finally getting comfortable here in Cyberspace.
Joe Black CISSP CISM NSA-4011 Security+
Certified Ethical Hacker
Christian In Action
A US citizen with the ability to obtain a Security Clearance
Senior Cybersecurity Advisor / CEO
Black & Berg Cybersecurity Consulting, LLC
W: (402) 608-1783
Stop | Think | Connect
DoD CAGE Code 5ZUU4
Roger advocates the US national ID system to erase anonymity online and thinks the TSA is "doing a good job post-9/11".
Probably thinks that we shouldn't be afraid to give up anonymity if we have Nothing To Hide.
Of course Joe Black there seems to be voluntarily giving it up.
And where do the real hackers fit in?
You know those who made the computer world like it is today.
Those who sit days at their screens programming the next best thing to come to your computer.
Those who reassign old hardware to new destinies using a soldering iron and their imagination.
So there are 8 categories.
You bloody missed out to mention the full original article title: Your guide to the seven types of malicious hackers
Why did you leave out that magic word "malicious"?
Do you think Roger just put it there in a quest to have the longest article title? Or because he likes the word? Or maybe his cat jumped on the keyboard and mistakenly typed it in?
Now that word is missing on slashdot too.
And AGAIN the word hacker persists in it's negative assumption.
Even though Bruce dropped the word malicious from the title, he uses it in the opening line.
The title grabs your attention and then you see that he is talking about a list of malicious...it's quite clear.
Aside from the obvious I also always find it ironic when I hear whining about procedures/rules/definitions from people who say they are defending the honor of hacking. If you just sit on existing concepts and demand that everyone let them stay unchanged, then what kind of hacker are you?
@ Joe Black
Laughable. So, you passed exams that just take a few weeks of cramming (days for CEH), got some good academia in your head, and went through years of red tape? With all of Wikileaks' success against DOD, I'd say their people are the last on my list of people to call to keep my data safe from my enemies. I have few credentials and my track record is much, much better.
I think a malicious hacker stuck me in a terror database.
Off-topic, but I just ran into this hilarious post:
Hackers Infiltrate Pentagon's $300 billion fighter jet project
We often talk about high assurance. Protecting "high value assets from sophisticated attackers." So, the government has a program worth $300 billion and it got hacked to the point that they transferred "several terabytes of data?" And this is the same government saying they must be put in charge of protecting infrastructure?
If I ran a project whose secrets were worth $300 billion and very damaging upon release, I'd spend enough to ensure the secrets stayed secret. I don't know how they screwed the pooch this badly without utter incompetence. I mean, DOD definitely has the tools needed to protect data from sophisticated attackers. All those guards, tempest-protected systems, data diodes, and Type 1 crypto devices... and they lost terabytes of sensitive data on their biggest fighter jet project?
@ Nick P,
"Hackers Infiltrate Pentagon's $300 billion fighter jet project."
I just love the way they point the finger in China's direction and then say but it could have come from anywhere... 8)
However do you remember the recent "accidental" unveiling of the new Chinese stelth aircraft?
I hate to say it but the two aircraft do look a lot alike same original draft drawings perhaps ;)
But then I'm old enough to remember the "Cold War" with the Russian's "knocking off" various designs such as the UK Hawker Siddely Aviation "Jump jet" the UK/France Concord (which the US has apparently tried to knock off via the Russian knock off in more recent times...)
I don't know why the Chinese and the US just don't contract the airframe design out to the UK in the same way as they do for other engineering systems rather than buy up the companies as both ot them have been doing in more recent times.
As has been remarked before "If you want the job done propperly see the bloke in his garden shed at the bottom of a British garden" 8)
The "Think Wikileaks" comment makes me sad and a little bit angry. It's like my dad talking about cyber security and the only thing he knows how to do on his computer is play Solitaire. Wikileaks doesn't hack anything. Wikileaks is given stuff that other people hacked out. My dad was all upset that Wikileaks stole those government documents. I had to explain to him that some dude who had legitimate access to the documents abused his privileged access and then sent the results to Wikileaks.
The list lacks the "Just Because I Can" type of hackers. Just because they want to see if they can hack, or hack just because they can. That definitely does not fit to the Hacktivist, or any other category listed in the classifications above.
My hacks, unless for personal revenge, or for personal request, would usually (have) be(en) of the category Just Because I Can, and usually to do no harm, or to see if something (usually just get in and glance) can be done.
@ alice pretending to be bob
Prime example of someone commenting without reading the [whole] article. The very first line of No 7 Rogue Hackers states:
"There are hundreds of thousands of hackers who simply want to prove their skills, brag to friends, and are thrilled to engage in unauthorized activities."
Didn't make it to page two?
So Government backed Cyber Armies are not dangerous just Hacktivists.
Seems like we need a code of ethics for people like you and HBGary.
In general it seems anyone with a military background has ethics issues.
You have the doctors at Guantanamo and now rouge "security experts" that think using a virus is ok.
What HBGary was doing is illegal and was about to cause collateral damage to many young people.
What Anonymous was doing is no different than a sit in.
I am fairly disappointed with the mainstream societies, "Fox News" ,lens-view of programmers, developers and network specialists.
All in all, there is no good and there is no bad. An action that is committed, cyber or not, is neutral until a beholder views the action and begins to label it. Over time, said labels become standardized pre-dispositions that society agrees with, mainly due to their naivety and lack of understanding of the real/evolving world around them.
Business men wanted a better blackberry; we gave it to them. Social cliques wanted more control of their social lives; we created myspace, facebook and twitter. Little do these whiny consumers know, is that for each technological advancement that they agree to depend on and connect their lives with, the more power and control they give to the so-called "Hackers".
Without wasting any of my time here I would just like to state that hacking started in the earlier days before our time and probably even before the dated term. It all started with train hoppers that were striving to make changes via the information they obtained from meetings, townspeople and high ranked citizens/organizations.
If you are unaware of this fact, then you should probably do your research before you go around using the word "Hacker".
Hacking is the art of transporting unknown/sensitive information to a source in which the information would otherwise not be known/unattainable or alter and effect the integrity of what a society or mass of people already believed to be true.
Every time you see a commercial advertise colors and shapes, every song you hear, every book you read, everything that you are permitted to even do, are all forms of being hacked. In fairness, I can only state this much, assuming/respecting that most people who read this, who already know this, would rather not have me spoil the truth here.
Go read for yourselves and determine what "Hacking" really is.
Four hints(in order): Social Engineering & Networking. Espionage and Technology.
P.S. TS is a low baller for posting "terrorist"....really shows how the world-view has hacked your mind.
"Hacking is the art of transporting unknown/sensitive information to a source in which the information would otherwise not be known/unattainable or alter and effect the integrity of what a society or mass of people already believed to be true. "
Even this excerpt is too generalized and focuses on defining the term "hacker" in terms of society and peoples.
If I wanted to define Hacking in terms of technology it would probably look something like this:
"Hacking is the art of altering,delivering,integrating and maintaining external sources of information with pre-existing information systems that create a functioning source or outcome for an identified purpose, without compromising and effecting the original integrity of what already synthesizes the assimilated system."
In case you were wondering, this most likely means a "Modder" is considered a "Hacker".
Another question may come up about script kitties, but it seems that their purpose of existing is to prove that there are indeed a hierarchy of "Levels" of difficulty in whatever is being "hacked". These levels determine the so called hackers skill and type-cast. Technically a script kitty could be argued as a hacker..:( Probably not a good one.
In the end, it all depends on the situation at hand and what is needed to get the job done and not necessarily the difficulty of the task.
However it does count for kudos. :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.