kim gilmour/freelance writer

 

Excerpt from: HACK ATTACKS! Computing Which?, July 2005

A group of teenagers create a computer worm called Randex that travels across the internet, installing remote access software on thousands of innocent PCs.


In 2003, they use the resulting army of 30,000 compromised PCs, called a botnet, for the innocuous purpose of gaining points in an online game. Although the creators have been arrested, the worm, and others like it, live on and can be used for more insidious purposes including sending spam, bringing down websites and ID theft. Today, a typical hacker isn’t so much a geeky teenager in his bedroom unleashing a virus for fun, curiosity or status, but is more likely to be linked to criminal gangs which use cash raised from botnets and other exploits to fund drug smuggling and even terrorist activities.




WHY DO THEY DO IT?

In the past, hackers craved the notoriety and fame that came with deciphering the ins and outs of a computer system, or tapping into a large corporate network. Much of the time, they hacked out of curiosity or to cause mischief. Today, most of them work silently and are in it for the money.


Criminal gangs recruit hackers to do their dirty work, paying them for ready-made botnet armies or to write or modify malicious code to be used for ID theft or extortion.

‘Over the past year, we’ve seen a sustained increase in the professionalism of cybercriminals,’ says National Hi-Tech Crime Unit Detective Superintendent, Mick Deats.


Some hackers aren’t hackers in the ‘true’ sense of the word. They’re ‘script kiddies’, who copy malicious code they find online and deploy it without fully understanding how it works.

‘People are manipulating kids who hack for financial gain, not notoriety,’ says Lee Fisher, European security strategist for anti-virus company McAfee.


HOW DO PEOPLE HACK?

If it wasn’t for hackers, we’d probably still be in the computer security dark ages. Some hackers purposely penetrate systems in order to expose their flaws, for instance. But hacking isn’t always so noble or reliant on high-tech knowledge.


Most hackers use persuasion and deception to get the crucial information they need to do their work – all it takes is a phone call to an IT helpdesk, where a hacker might pretend to be a senior manager requiring a new login password or network configuration details, for example. This technique, known as social engineering, was perfected by Kevin Mitnick, a hacker famous for breaking into the Pentagon’s computer system in the 1980s.


GOOGLE HACKING

Increasingly, hackers are using web indexes like Google’s to find hidden information about security holes on corporate networks or personal details that have been inadvertently exposed online.


Google is a search engine that constantly trawls the web adding billions of websites to its extensive index, so it inevitably indexes things that hackers would like to get their hands on such as login pages, spreadsheets containing contact or financial information, insecure websites, passwords hidden in databases and much more. These types of pages end up on Google often without their owners’ knowledge.


‘Hackers know we monitor them, so they use different, silent techniques such as Google searches,’ says Graeme Pinkney, Head of Threat Intelligence at Symantec’s European offices. It’s easy for hackers to cover their tracks by making it appear as if they’re coming from somewhere else by using a ‘proxy server’, a computer that sits between them and Google.


PREVENTION BETTER THAN CURE

All this talk of hacking is probably enough to make you squirm and shut down your computer forever, but it’s important to put things into perspective. After all, when information is so accessible, it’s little wonder a few no-gooders will want their hands on it. Patching your computer by downloading the latest updates for your operating system and web browser, as well as installing firewall and anti-virus programs (see CW? Jan 05, p18) is a good start. However, social engineering is just as much to blame as not securing your PC, so exercising common sense is equally important.


By Kim Gilmour