DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

1. Peering in the Soul of Hackers: HPP V2.0 reloaded (The Hacker’s Profiling Project) Raoul “Nobody” Chiesa Founder, President, Security Brokers SCpA Principal, Cyberdefcon Ltd. Member of ENISA PSG (Permanent Stakeholders Group) Special Advisor on the HPP project at UNICRI Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

2. Agenda        # whois From Crime to Cybercrime Hacker’s generations HPP V1.0 (2004-2011) HPP V2.0 (2011-2015) Conclusions Contacts, Q&A 2 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

3. Disclaimer ● The views expressed are those of the author(s) and speaker(s) and do not necessary reflect the views of UNICRI, ENISA and its PSG, nor the companies and security communities I’m working at and/or supporting. Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013 3

4. # whois raoul  President, Founder, The Security Brokers  Principal, CyberDefcon UK  HPP Special Advisor @ UNICRI (United Nations Interregional Crime & Justice Research Institute)  PSG Member, ENISA (Permanent Stakeholders Group, European Network & Information Security Agency)  Founder, Board of Directors and Technical Commitee Member @ CLUSIT (Italian Information Security Association)  Steering Committee, AIP/OPSI, Privacy & Security Observatory  Member, Manager of the WG «Cyber World» at Italian MoD  Board of Directors, ISECOM  Board of Directors, OWASP Italian Chapter Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013 4

5. # whois UNICRI  UNICRI is the United Nations Crime & Justice Research Institute  It’s based in Turin (WHQ), Italy: nice town, give us a visit!  We mainly work on: • Trainings (Legal aspects, Cybercrime, SCADA, HPP, …) • Facilitator: allowing cool (and trusted!) entities to meet and work each others • Paperworks (somebody gotta do it…) 5 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

6. 6 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

7. Crime->Yesterday “Every new technology, opens the door to new criminal approaches”.  The relationship between technologies and criminality has always been – since the very beginning – characterized by a kind of “competition” between the good and the bad guys, just like cats and mice.  As an example, at the beginning of 1900, when cars appeared, the “bad guys” started stealing them (!)  ….the police, in order to contrast the phenomenon, defined the mandatory use of car plates…  ….and the thieves began stealing the car plates from the cars (and/or falsifying them). Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

8. Crime->Today:Cybercrime  Cars have been substituted by information You got the information, you got the power.. (at least, in politics, in the business world, in our personal relationships…) • Simply put, this happens because the “information” can be transformed at once into “something else”: 1. Competitive advantage 2. Sensible/critical information 3. Money  … that’s why all of us we want to “be secure”.  It’s not by chance that it’s named “IS”: Information Security  Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

9. What happened over the past decades? Hacking eras & Hackers’ generations Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

10. Things changed…  First generation (70’s) was inspired by the need for knowledge  Second generation (1980-1984) was driven by curiosity plus the knowledge starving: the only way to learn OSs was to hack them; later (1985-1990) hacking becomes a trend.  The Third one (90’s) was simply pushed by the anger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts coming, such as hacker’s e-zines (Phrack, 2600 Magazine) along with BBS  Fourth generation (2000-today) is driven by angerness and money: often we can see subjects with a very low knowhow, thinking that it’s “cool & bragging” being hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics (cyber-hacktivism) or with the criminal world (cybercrime). €, $ Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

11. Cybercrime: why?  QUESTION: • May we state that cybercrime – along with its many, many aspects and views – can be ranked as #1 in rising trend and global diffusion ?  ANSWER(S):  Given that all of you are attendees and speakers here today, I would say that we already are on the right track in order to analyze the problem   Nevertheless, some factors exist for which the spreading of “e-crime-based” attacks relays.  Let’s take a look at them. Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

12. Reasons/1  1. There are new users, more and more every day: this means the total amount of potential victims and/or attack vectors is increasing.  2. Making money, “somehow and straight away”. Thanks to broadband... WW Economical crisis…  3. Technical know-how public availability & ready-to-go, even when talking about average-high skills: that’s what I name “hacking pret-à-porter” 0-days, Internet distribution system / Black Markets Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

13. Reasons/2  4. It’s extremely easy to recruit “idiots” and set up groups, molding those adepts upon the bad guy’s needs (think about e-mules) Newbies, Script Kids  5. “They will never bust me”  6. Lack of violent actions Psychology, Criminology Psychology and Sociology Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

14. What the heck is changed then??  What’s really changed is the attacker’s typology  From “bored teens”, doing it for “hobby and curiosity” (obviously: during night, pizza-hut’s box on the floor and cans of Red Bull)….  ...to teenagers and adults not mandatory “ICT” or “hackers”: they just do it for the money.  What’s changed is the attacker’s profile, along with its justifications, motivations and reasons.  Let’s have a quick test! Key Note @ DefCamp 2013 14 Bucharest, Romania – November 29th , 2013

15. Hackers in their environment Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

16. “Professionals” Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

17. LOL-test 17 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

18. There’s a difference: why?  Why were the guys in the first slide hackers, and the others professionals ?  Because of the PCs ?  Because of their “look” ?  Due to the environments surrounding them ?  Because of the “expression on their faces” ? Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

19. Surprise! Everything has changed…  Erroneus media information pushed “normal people” minds to run this approach  Today, sometimes the professionals are the real criminals, and hackers “the good guys”…Think about a few incidents: • Telecom Italia scandal, Vodafone Greece Affair, NSA, GCHQ, etc…) Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

20. Welcome to HPP! Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

21. HPP V1.0  Back in 2004 we launched the Hacker’s Profiling Project - HPP: http://www.unicri.it/emerging_crimes/cybercrime/ cyber_crimes/hpp.php)  Since that year: • +1.200 questionnaires collected & analyzed • 9 Hackers profiles emerged • Two books (one in English) • Profilo Hacker, Apogeo, 2007 • Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor&Francis Group, CRC Press (2009) 21 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

22. HPP V1.0: purposes & goals Analyse the hacking phenomenon in its several aspects (technological, social, legal, economical) through technical and criminological approaches. Understand the different motivations and identify the actors involved (who, not “how”). Observe those true criminal actions “on the field” . Apply the profiling methodology to collected data (4W: who, where, when, why). Acquire and disseminate knowledge. 22 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

23. HPP Questionnaires: the modules Module A Personal data (gender, age, social status, family context, study/work) Module B Relational data (relationship with: the Authorities, teachers/employers, friends/colleagues, other hackers) All questions allow anonymous answers Module C Technical and criminological data (targets, techniques/tools, motivations, ethics, perception of the illegality of their own activity, crimes committed, deterrence) 23 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

24. Some numbers Total received questionnaires: # +1200 Full questionnaires filled out - # +600* Compact questionnaires filled out - #573* *since September 2006 Mainly from: USA Italy UK Canada Lithuania Australia Malaysia Germany Brazil 24 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

25. Evaluation & Correlation standards Modus Operandi (MO) Hacking career Lone hacker or as a member of a group Principles of the hacker's ethics Motivations Crashed or damaged systems Selected targets Perception of the illegality of their own activity Relationship between motivations and targets Effect of laws, convictions and technical difficulties as a deterrent 25 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

26. Zoom: correlation standards Gender and age group Background and place of residence How hackers view themselves Family background Socio-economic background Social relationships Leisure activities Education Professional environment Psychological traits To be or to appear: the level of self-esteem Presence of multiple personalities Psychophysical conditions Alcohol & drug abuse and dependencies Definition or self-definition: what is a real hacker? Relationship data Handle and nickname Starting age Learning and training modalities The mentor's role Technical capacities (know-how) Hacking, phreaking or carding: the reasons behind the choice Networks, technologies and operating systems Techniques used to penetrate a system Individual and group attacks The art of war: examples of attack techniques Operating inside a target system The hacker’s signature Relationships with the System Administrators Motivations The power trip Lone hackers Hacker groups Favourite targets and reasons Specializations Principles of the Hacker Ethics Acceptance or refusal of the Hacker Ethics Crashed systems Hacking/phreaking addiction Perception of the illegality of their actions Offences perpetrated with the aid of IT devices Offences perpetrated without the use of IT devices Fear of discovery, arrest and conviction The law as deterrent Effect of convictions Leaving the hacker scene Beyond hacking 26 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

27. HPP V1.0: the emerged profiles… 27 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

28. Profile OFFENDER ID LONE / GROUP HACKER TARGET MOTIVATIONS / PURPOSES Wanna Be Lamer 9-16 years “I would like to be a hacker, but I can’t” GROUP End-User For fashion, It’s “cool” => to boast and brag Script Kiddie 10-18 years The script boy GROUP: but they may act alone SME / Specific security flaws To give vent of their anger / attract mass-media attention Cracker 17-30 years The destructor, burned ground LONE Business company To demonstrate their power / attract massmedia attention Ethical Hacker 15-50 years The “ethical” hacker’s world LONE / GROUP (only for fun) Vendor / Technology For curiosity (to learn) and altruistic purposes Quiet, Paranoid, Skilled Hacker 16-40 years The very specialized and paranoid attacker LONE On necessity For curiosity (to learn) => egoistic purposes Cyber-Warrior 18-50 years The soldier, hacking for money LONE “Symbol” business company / End-User For profit Industrial Spy 22-45 years Industrial espionage LONE Business company / Corporation For profit Government Agent 25-45 years CIA, Mossad, FBI, etc. LONE / GROUP Government / Suspected Terrorist/ Strategic company/ Individual Espionage/ Counter-espionage Vulnerability test Activity-monitoring Military Hacker 25-45 years LONE / GROUP Government / Strategic company Monitoring / controlling / crashing systems 28 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

29. Some comments  Since 1999 I’ve attended most of the socalled «hacking conferences».  Over the last 5 years, I’ve travelled as a speaker, evangelist, security bitch and whatever in: • • • • • .mil environments (EU, Eastern Europe) India China GCC Area 29 Malaysia Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

30. OBEDIENCE TO THE “HACKER ETHICS” CRASHED / DAMAGED SYSTEMS PERCEPTION OF THE ILLEGALITY OF THEIR OWN ACTIVITY Wanna Be Lamer NO: they don’t know “Hacker Ethics” principles YES: voluntarily or not (inexperience, lack of technical skills) YES: but they think they will never be caught Script Kiddie NO: they create their own ethics NO: but they delete / modify data YES: but they justify their actions Cracker NO: for them the “Hacker Ethics” doesn’t exist YES: always voluntarily YES but: MORAL DISCHARGE Ethical Hacker YES: they defend it NEVER: it could happen only incidentally YES: but they consider their activity morally acceptable Quiet, Paranoid, Skilled Hacker NO: they have their own personal ethics, often similar to the “Hacker Ethics” NO YES: they feel guilty for the upset caused to SysAdmins and victims Cyber-Warrior NO YES: they also delete/modify/steal and sell data YES: but they are without scruple Industrial Spy NO: but they follow some unwritten “professional” rules NO: they only steal and sell data YES: but they are without scruple Government Agent NO: they betray the “Hacker Ethics” YES (including deleting/modifying/stealing data) / NO (in stealth attacks) Military Hacker NO: they betray the “Hacker Ethics” YES (including deleting/modifying/stealing data) / NO (in stealth 30 attacks) Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

31. PROFILE MAY BE LINKED TO Wanna Be Lamer WILL CHANGE ITS BEHAVIOR? TARGET (NEW) MOTIVATIONS & PURPOSES No Script Kiddie Urban hacks No Wireless Networks, Internet Café, neighborhood, etc.. Cracker Phishing Spam Black ops Yes Companies, associations, whatever Money, Fame, Politics, Religion, etc… Ethical Hacker Black ops Probably Competitors (Telecom Italia Affair), end-users Big money Quiet, Paranoid, Skilled Hacker Black ops Yes High-level targets Hesoteric request (i.e., hack “Thuraya” for us) Cyber-Warrior CNIs attacks Gov. attacks Yes “Symbols”: from Dali Lama to UN, passing through CNIs and business companies Intelligence ? Industrial Spy Yes Business company / Corporation For profit Government Agent Probably Government / Suspected Terrorist/ Strategic company/ Individual Espionage/ Counter-espionage Vulnerability test Activity-monitoring Military Hacker Probably Government / Strategic company Monitoring / controlling / crashing systems 31 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

32. DETERRENCE EFFECT OF: LAWS CONVICTIONS SUFFERED BY OTHER HACKERS Wanna Be Lamer NULL NULL ALMOST NULL HIGH HIGH CONVICTIONS SUFFERED BY THEM TECHNICAL DIFFICULTIES Script Kiddie NULL NULL HIGH: they stop after the 1st conviction Cracker NULL NULL NULL MEDIUM NULL Ethical Hacker NULL NULL HIGH: they stop after the 1st conviction Quiet, Paranoid, Skilled Hacker NULL NULL NULL NULL Cyber-Warrior NULL NULL NULL NULL: they do it as a job Industrial Spy NULL NULL NULL NULL: they do it as a job 32 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

33. HPP V2.0: what happened?  VERY simple:  Lack of funding: for phases 3&4 we need money! • HW, SW, Analysts, Translators  We started back in 2004: «romantic hackers», + we foreseen those «new» actors tough: .GOV, .MIL, Intelligence.  We missed out: • • • • Hacktivism (!); Cybercriminals out of the «hobbystic» approach; OC; The financial aspects (Follow the Money!!). 33 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

34. HPP V2.0: next enhancements 1. Wannabe Lamer 2. Script kiddie: under development (Web Defacers, DDoS, links with distributed teams i.e. Anonymous….) 3. Cracker: under development (Hacking on-demand, “outsourced”; links with Organized Crime) 4. Ethical hacker: under development (security researchers, ethical hacking groups) 5. Quiet, paranoid, skilled hacker (elite, unexplained hacks? Vodafone GR? NYSE? Lybia TLC systems?) 6. Cyber-warrior: to be developed 7. Industrial spy: to be developed (links with Organized Crimes & Governments i.e. Comodo, DigiNotar and RSA hacks?) 8. Government agent: to be developed (“N” countries..) 9. Military hacker: to be developed (India, China, N./S. Korea, etc.) 34 X. Money Mules? Ignorant “DDoSsers”? (i.e. LOIC by Anonymous) Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

35. 35 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

36. HPP V2.0: upcoming goals Going after Cybercriminals:  Kingpins & Master minds (the “Man at the Top”) o Organized Crime o MO, Business Model, Kingpins – “How To”  Techies hired by the Organized Crime (i.e. Romania & skimming at the very beginning; Nigerian cons; Ukraine Rogue AV; Pharma ADV Campaigns; ESTDomains in Estonia; etc..)  Structure, Infrastructures (possible links with Govs & Mils?)  Money Laundering: Follow the money (Not just “e-mules”: new frameworks to “cash-out”)  Outsourcing: malware factories36 (Stuxnet? DuQu? Flame? ….) Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

37. Conclusions The whole Project is self-funded and based on independent research methodologies.  Despite many problems, we have been carrying out the Project for years.  The final methodology will be released under GNU/FDL and distributed through ISECOM.  It is welcome the research centres, public and private institutions, and governmental agencies' interest in the Project.    We think that we are elaborating something beautiful... …something that did not exist… …and it seems – really – to have a sense ! :)  It is not a simple challenge. However, we think to be on the right path. 37 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

38. Useful Community Sources Kingpin, 2012 ● Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, CRC Press/Taylor & Francis Group, 2009 ● H.P.P. Questionnaires 2005-2010 ● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010 ● ● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007 ● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003 Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997 ● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000) ● ● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Stalalla & Joshua Quinttner, Harpercollins, 1995 ● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997 ● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfler, (Hyperion Books), 1996 ● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997 ● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002 ● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004 ● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998 Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

39. Useful Community Sources The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper) ● Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper) ● Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008 ● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002 ● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995 ● Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004 ● Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004 ● Hacker Cracker, Ejovu Nuwere with David Chanoff, Harper Collins, 2002 ● Compendio di criminologia, Ponti G., Raffaello Cortina, 1991 ● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol.X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988 ● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44 ● Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001 ● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January, 1998 ● Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology ● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro ● Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

40. And...a gift for you all here!  Get your own, FREE copy of “F3” (Freedom from ● Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes! ● DOWNLOAD: ● www.FreedomFromFearMagazine.org ● Or, email me and I will send you the full PDF (10MB) ● Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

41. Contacts • Contact presenter at rc@security-brokers.com if you are interested in: • Asking questions, getting material (links, books..) Contact presenter at chiesa@UNICRI.it if you are interested in: • Helping with the project, supporting us, donations Public Key: http://raoul.EU.org/RaoulChiesa.asc Key Note @ DefCamp 2013 Bucharest, Romania – November 29th , 2013

DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Recommended

More Related Content

Viewers also liked

Viewers also liked(18)

Similar to DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Similar to DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded(20)

More from DefCamp

More from DefCamp(20)

Recently uploaded

Recently uploaded(20)

DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded