Hackers and Criminals

More evidence that hackers are migrating into crime:

Since then, organised crime units have continued to provide a fruitful income for a group of hackers that are effectively on their payroll. Their willingness to pay for hacking expertise has also given rise to a new subset of hackers. These are not hardcore criminals in pursuit of defrauding a bank or duping thousands of consumers. In one sense, they are the next generation of hackers that carry out their activities in pursuit of credibility from their peers and the 'buzz' of hacking systems considered to be unbreakable.

Where they come into contact with serious criminals is through underworld forums and chatrooms, where their findings are published and they are paid effectively for their intellectual property. This form of hacking - essentially 'hacking for hire' - is becoming more common with hackers trading zero-day exploit information, malcode, bandwidth, identities and toolkits underground for cash. So a hacker might package together a Trojan that defeats the latest version of an anti-virus client and sell that to a hacking community sponsored by criminals.

Posted on November 17, 2005 at 12:25 PM • 16 Comments

Comments

Greg • November 17, 2005 1:51 PM

"So a hacker might package together a Trojan that defeats the latest version of an anti-virus client and sell that to a hacking community sponsored by criminals."

Or the anti-virus company pays the hacker to produce a few viruses and provide the "fix" for them.

I have always thought that these companies would want viruses to be produced, so you just had to pay for the software.

Adam • November 17, 2005 1:52 PM

Come on don’t you want to be l33t?

Seriously, if I had real cash in the bank I would hire an Internet Security Expert to protect my interest BEFORE I would hire a physical security expert.
I would be more worried about someone stealing my account information than the cash in my wallet.

Student • November 17, 2005 2:00 PM

@Greg

Actually, I don’t think the antivirus companies have much of an interest in more viruses being produced. They like the threat, but they really don’t need more viruses, as quick responses and updates are very costly.

Today many of the security companies are spending a large part of their budget on writing signatures for the latest and greatest worm as well as staying competitive by constantly developing their software. And they have to, as somebody creating a virus that is not detectable is pretty much unacceptable.

The antivirus companies would probably prefer to have to compete on less strictly technical grounds, such as advertisement and support services. Some companies are actually moving in the support direction.

So, no, I don’t believe in that particular conspiracy, just like I don’t believe that hospitals want to keep us sick. They have too much to lose on something like that and really nothing to gain.

Anonymous • November 17, 2005 3:23 PM

I have thought for a long time that organized crime should be supporting open source. That is a way for them to get an OS that they can trust.
Also they have some interesting data security data requirements where it can be better to lose data than to have it fall into the wrong hands. So that they have incentive to hire people to set up systems with encrypted hard drives with the keys saved in volatile memory so that if the feds seize the machines, powering them down will effectively destroy all of the data.

Brett • November 17, 2005 3:30 PM

This is a surprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?

Bruce Schneier • November 17, 2005 5:38 PM

"This is a surprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?"

It's not a surprise to me.

Davi Ottenheimer • November 17, 2005 8:24 PM

There's always money (often called "opportunity" in polite circles) but the bigger question is what's the risk?

Crime gets organized to increase their margins, essentially in the same way that businesses grow and get organized. Lack of resistance (preventive or detective controls) means the likelihood of hackers turning to profit is highly predictable.

In other words, where assets are found to be vulnerable concentrated threats are bound to follow if an attack (investment) can turn a profit for relatively low risk.

Anonymous • November 17, 2005 11:51 PM

@Student:
'Actually, I don’t think the antivirus companies have much of an interest in more viruses being produced. They like the threat, but they really don’t need more viruses, as quick responses and updates are very costly.'

If you write the virus, you know exactly how to solve it, and you're that much ahead of your competitors.

I'm not suggesting that there are many corporations that do so, but I expect that a few people (besides myself) have considered it at one point.

dan • November 18, 2005 6:41 AM

@Bruce Schneier
--
"This is a surprise? Given the choice of hacking for fun while gaining profit or just hacking for fun, what would the majority choose?"

It's not a surprise to me.
--
Do you not get sarcasm or something?

lukas • November 18, 2005 9:47 AM

Oh no, please!

REAL HACKERS are not criminals. Hackers are those guys that code OpenBSD, for example. Or Linux. Hackers are those who _think_ and do some great _hacks_, they do not hack servers for money. Those guys are not _hackers_!!

Ari Heikkinen • November 19, 2005 9:58 PM

What hackers? If Sony can install malicious software on your computers without your consent why can't those so called hackers? Everyone's a potential hacker, just like everyone's a potential terrorist.

RonK • November 20, 2005 12:23 AM

@lukas, Israel Torres

We lost the "hacker != cracker" nomenclature war a long time ago. I'm just waiting for someone to propose a new term for hacker.

I thought about proposing

hacker -> hakir
hacking/hackery -> hakiri

due to its similarity to fakir but a search on the net seems to indicate that that's too close to the Spanish spelling of hacker. It's also just too close phonetically to be an effective disambiguator.

Anyone have any suggestions?

Corae Illis'dae • November 27, 2005 7:25 PM

Fair suggestion,
Personally, I dropped the name hacker a while ago, terming myself instead an unlocker...it didn't last, still.

max world • July 18, 2008 12:41 PM

I want to come in contact with any hacker because my C card was hacked, and when I laid a complaint, all the webmasters told me that the only way to avoid hacking is to have an idea of hacking,
so I need a hacker to brief me.
