How many times have we heard stereotypes about hackers? How many times have we heard sentences such as “he’s a teenager, myopic, fat and dirty: he’s probably a hacker”?
And for how long have we been told that hackers are criminals who steal credit cards and ruin the whole cyberworld?
On the other hand, every time I consult for big firms and ask them “Who are you afraid of: script kiddies running known exploits, or industrial espionage attackers?”, the answer is basically “We don’t know”, whether I am speaking to huge banks, industry or anyone else.
Well, these are just a few of the facts that led me, back in 2005, to start HPP, the Hackers Profiling Project. Our goal was to fight those clichés and wrong stereotypes about hackers, trying to identify the real hacker categories, working on profiles and behaviours, and taking a real snapshot of today’s hacker underground.
In order to accomplish this, we tried to learn whether it was possible to apply the science of Criminal Profiling to the world of hacking. What I mean is adapting profiling to a new and innovative project, in order to trace the psychological, behavioural and motivational profile of those who practise hacking in its various forms, working through the following topics:
- Evolution of the Science of Criminal Profiling
- Criminal Profiling and Hacking
- Hacking and Cybercrime
- Hacking: roots, evolution, the typologies of attack, the players
Criminal Profiling vs Hacking: a first comparison
While dealing with these really interesting issues and aspects, I found a few links between Criminal Profiling and Hacking, as well as many differences.
Seriality: both IT attacks and serial crimes are “serial”.
It is difficult to find a hacker’s modus operandi, because behaviours are standardized, used by different individuals and thus do not reflect the subject’s personality: hackers’ attack techniques must be tailored to the characteristics of the system they want to explore and exploit.
The attack strategies and methodologies differ, and they mirror the offenders’ differing motivations.
The crime scene is completely different from that of a homicide: it is not a physical place but an electronic abstraction, where fingerprint analysis and the offender’s DNA traces are replaced by the analysis of the log files of the violated computer system. Likewise, the physical distance between the attacking PC and the attacked PC (the victim) is relative in cyberspace.
Hacking is a broad term: it does not refer exclusively to a crime; on the contrary, it refers to a whole world.
We should also add that “cybercrime” is not a brand new approach to crime: hacking and so-called “white-collar crime” have in fact been studied and analysed for a long time.
White-collar crime: Sutherland, American criminologist (1939) → a crime committed by a respectable person of high social status in the course of their profession, which therefore implies an abuse of trust.
(see also: http://en.wikipedia.org/wiki/White-collar_crime)
► Crimes committed in the realm of productive activities and business;
► Crimes committed by abusing the kind of trust that springs from social status and from the activity carried out;
► Complex and clever crimes that are very difficult to discover without specific competencies;
► Overlap between the business world and crime, in which companies are no longer the victims but the perpetrators themselves, involved in market manipulation, fiscal fraud, etc., because they are driven by the need for competitiveness.
Talking about hacking and cybercrime today, we can state that cybercrime is a crime committed through the use or with the assistance of computer systems and telecommunication networks → whoever commits it is a cyber criminal.
We can find some differences, though:
Crime weapon → the PC
Crime scene → inside the PC and in cyberspace (national and international data networks, which makes it a transnational crime)
Discovery by the victim (the owner of the property) → complex, because the “subtracted virtual property” (e.g. a file) is not “physical property”: since it is copied, it remains in the attacked computer system.
Analysing the history of hacking at a high level, we may categorize the different developments and behaviours into three eras:
1980s: while computer viruses had only destructive purposes, since there was no interest in stealing the information in a computer system (only in making it useless), hacking experienced its explorative phase, in which the primary objective was to satisfy curiosity and the hunger to learn about IT systems and networks.
1990s: digital crimes started taking advantage of the spread of intelligent and self-replicating viruses; the attacker’s purpose was fame and visibility (e.g. viruses like “I Love You” or “Veronika”). X.25 data networks, toll-free numbers, calling cards and PBX systems were the preferred targets.
2000 to present: digital crimes have evolved, and we can currently find links between the world of hacking and organized crime (small, medium and large). Cybercrime’s goal is to use tools that exploit the vulnerabilities of operating systems and software applications in order to steal information.
Victims → individuals: viruses, worms, phishing, spam, spyware, bots, etc.
Victims → companies: theft of sensitive information, attacks on critical national infrastructures, undermining the continuity and reliability of software applications, theft of banking credentials in economic and financial services, identity theft, blackmail and extortion, attacks by competitors in the business environment, cyber-terrorism.
Hacking: what is it?
Hacking has to do with “a technical attitude and pleasure in solving problems and exceeding limits. Hacking involves planning, organization, wit and intelligence.”
The “hacker culture” is a subculture, based on voluntary participation, that developed in the Sixties in the United States in computer and academic environments (the Artificial Intelligence Laboratory of the Massachusetts Institute of Technology, MIT; the University of Berkeley in California; Carnegie Mellon University), working on minicomputers and on the early experiments with ARPAnet. In the Seventies this culture merged with the technical culture of the Internet pioneers, and in the Eighties with the Unix culture.
From the mid-Nineties it basically started to coincide with the Open Source movement.
The above leads us to the following “assumptions”:
- Great value attributed to freedom of information
- Information sharing
- Defending the right to use a project’s code to develop another, independent and parallel one (project fork)
- A tendency to take serious things humorously and to take their humour seriously
| Period | Development |
| --- | --- |
| MIT: Fifties | Hacking is experienced as something fun, creative and harmless. |
| MIT: Mid-Fifties | A more rebellious connotation: in a competitive climate, hacking is a reaction to it (tunnel hacking = unauthorized raids into the underground tunnels, from which phone hacking was later born = the same raids, but in the campus telephone system). |
| MIT: End of the Fifties | Computer hacking = students keen on railway modelling, working on the system of electronic circuits that managed the miniature railways. Their affinity with sophisticated electronic systems and their aversion to “no entry” prohibitions led them to put their hands on the TX-0 (one of the first computers) in the same spirit of creative play. |
| Between the Fifties and the Sixties | Hacking = putting together various programs regardless of the procedures used in writing the “official” software, with the objective of increasing their efficiency and speed. The term also indicates writing programs for the sole purpose of having a good time and being entertained. |
| Early Sixties | The MIT hackers give birth to Spacewar, the first free interactive video game. |
| The Sixties | Concepts like innovation, collectivity and shared ownership of software become the watershed between computer hacking on one side and tunnel and phone hacking on the other. Computer hackers based their activity on collaboration and open recognition of innovation; tunnel and phone hacking were characterized by the secrecy of their activities, conducted alone or in small groups. |
| Mid-Sixties | The term “hacker” describes an elite of programmers, and also comes to be used as an adjective for an esteemed colleague. |
| Late Sixties | To be called a hacker, writing good software was no longer enough: you had to belong and contribute to a hacking culture. The hackers in elite institutions (MIT and Stanford) began talking about ethics. |
| Early Eighties | Wide diffusion of computers: “common” programmers keep in touch with high-level hackers through ARPAnet. This proximity allows these programmers to take over some of the hackers’ “anarchist” philosophies, and the cultural taboo originating at MIT against intentionally harmful behaviour is partially lost. |
| From the Eighties to the present day | Younger programmers begin testing their abilities with malevolent ends, and the term “hacker” takes on a negative connotation. To differentiate themselves from this other type of programmer, hackers coin the term “cracker”. |
Hacker categorization: a very first list of actors
It is assumed that the very first hacker categorization ever worked on the following actors:
Black-hat: those who violate information systems, with or without personal advantage. They have rallied to the “bad” side, crossing the clear line between “love for hacking” and the deliberate execution of criminal actions. For these actors it is normal to violate an information system and penetrate its most secret corners, stealing information and, given their hacker profile, reselling it to foreign countries.
Grey-hat: those who do not want to be labelled “black or white” and may consider themselves “ethical hackers”. They may well have performed intrusions into information systems in the past, but they have decided not to use this approach.
White-hat: also called “hunters”, they have the skills needed to be a black-hat, but have decided to side with “the good guys”. They collaborate with the authorities and the police, they are in the front row of anti computer-crime operations, they are advisors to governments and companies; they do not usually violate computer systems, and if they do, it is never for criminal purposes or for economic gain.
HPP – The Hackers Profiling Project
HPP started back in September 2004, when I decided to work on hacker profiling together with Dr. Stefania Ducci, Mr. Alessio L.R. “mayhem” Pennasilico and Dr. Elisa Bortolani.
Among our key goals, we identified the following objectives:
- Analysing the technological, social and economic phenomenon of hacking in its multiple facets, through a psychological, sociological and criminological approach
- Understanding hackers’ different motivations and discovering the actors involved
- Observing “in the field” (real) criminal actions
- Applying the profiling methodology to the data collected
- Learning from the acquired knowledge and sharing it (awareness)
- Going straight to the “source”
As for resources, everything since then has been voluntary work carried out by HPP’s Core Team. These are the project phases:
1. Theoretical Data Collection: plan and distribute different questionnaires to different targets
2. Observation: participate in “IT underground security” events (EU, Asia, USA, Australia)
3. Archiving: create a database to classify and process the data collected during Phase 1
4. “Live” Data Collection: design and start producing new-generation, highly customized honey-net systems
5. G&C Analysis – Gap Analysis: correlation between the data collected through the questionnaires, the data coming from the honey-nets and the profiles from the relevant literature
6. HPP “Live” Assessment (24/7): constant assessment of profiles and correlation of modus operandi, using the data coming from Phase 4
7. Final Profiling: revision, redefinition and fine-tuning of the different hacker profiles, to be used as a de-facto standard
8. Dissemination of the model: final elaboration of the results, drafting and publication of the methodology, followed by awareness raising and training
More info on HPP may be found at: http://www.unicri.it/wwd/cyber_crime/hpp.php
Hackers: the 9 profiles that emerged
After years of research, the Core Team identified the following hacker categories, summarized in the following graph and then detailed in the text below.
- Wannabe Lamer: subjects with a low-competence profile who solicit anyone, even in public spaces, for various types of help: “Yo! Whatz da best way 2 hack www.nasa.gov? C’mon, tell me man!!!!!”
- Script kiddie: they aim at weak systems with specific vulnerabilities (known or presumed). They are not endowed with great experience or technical skills, so their specialty is to use tools made by others to carry out violations, which they tend to boast about immediately.
  - Sub-category, the “37337 K-rAd iRC #hack o-day exploitz” guy: subjects who would do anything to become famous, including using “brutal means” to get where they want. They do not explore; they use what they find already available. They can be dangerous because they have tools to exploit 0-day vulnerabilities (unknown weaknesses). Many Internet attacks bear their signature.
- Cracker: “hackers” create, “crackers” destroy. Subjects with the know-how who commit really harmful actions. They remain in the system as long as they can and, when they think they are losing control, they “annul” it (erasing files, logs, etc.).
- Ethical Hacker: subjects with a 360-degree knowledge of operating systems, endowed with great curiosity; they explore other people’s computers, discovering their vulnerabilities and informing the owner. They do not act for profit or for fame, but for passion.
- Quiet, paranoid and skilled hacker: a hacker who is taciturn, paranoid and specialized, and who is therefore difficult to detect or find. He explores operating systems over a long period, without leaving traces or a signature. What motivates him is the desire to increase his own know-how.
- Cyber-warrior: a mercenary who sells himself to the highest bidder, whose abilities have evolved over time. Both he and his targets keep a low profile: he prefers to attack an Internet Service Provider rather than a multinational company. He is not interested in whom he hits or why: he acts for money or for an ideal. He does not usually leave traces. He is smart, but not convinced of what he is doing, so he “feels dirty”.
- Industrial Spy: he acts for money, is highly skilled, has a lot of experience, and can be dangerous if he is looking for confidential material. Many insiders fall into this category.
- Government Agent: subjects with a solid hacking background who act for “political and economic objectives”. They are secret agents who operate in the underground world.
- Military hacker: hackers serving the Armed Forces (from the literature and from direct knowledge of cases gathered by the Core Team during its meetings).
These two final tables supply, along with a description of each profile, their preferences while hacking, their targets and their motivations.
| Profile | Description | Lonely or Group Member | Target | Motivations |
| --- | --- | --- | --- | --- |
| Cyber-Warrior | 18-50 years old, the mercenary | Lonely | Symbolic corporations and organizations, final users | For profit |
| Industrial Spy | 22-45 years old, the industrial spy | Lonely | Business companies, multinational corporations | For profit |
| Government Agent | 25-45 years old, the government agent (CIA, Mossad, FBI, etc.) | Lonely or in a group | Governments, terrorist suspects, strategic companies, individuals | As a job (espionage / counter-espionage / activity monitoring) |
| Military Hacker | 25-45 years old, enlisted to fight “with a computer” | Lonely or group member | Governments, strategic companies | As a job or for a cause (actions to control / damage systems) |

| Profile | Description | Lonely or Group Member | Target | Motivations |
| --- | --- | --- | --- | --- |
| Wannabe Lamer | 9-18 years old, “wannabe a hacker but not able to” | Group | Final users | For fashion |
| Script Kiddie | 10-18 years old, the script kid | Group | SMEs (PMI) with unknown vulnerabilities | To discharge anger and attract attention |
| Cracker | 17-30 years old, the destroyer | Lonely | Private corporations | To show power and attract attention |
| Ethical Hacker | 15-50 years old, the hacker par excellence | Lonely (in a group for fun/research) | Big firms, complex systems, wherever there is a challenge | For curiosity, to learn and to improve the world |
| Quiet, Paranoid, Skilled Hacker | 16-40 years old, taciturn, paranoid and specialized hacker | Lonely | According to necessity | For curiosity, to learn, for egoism or for specific motivations |
Raoul “Nobody” Chiesa is 36 years old and lives in Turin, Italy. At UNICRI (United Nations Interregional Crime & Justice Research Institute) he is a Senior Advisor on Cybercrime and manager for Strategic Alliances. Raoul is also a member of the ENISA (European Network and Information Security Agency) Permanent Stakeholders Group (PSG) and a recognized international security expert. He can be contacted at chiesa [at] UNICRI [dot] IT