[BreachExchange] A history of hacking and hackers

[Destry Winant]

http://www.computerweekly.com/opinion/A-history-of-hacking-and-hackers

A security professional’s view on criminal hacking has shifted away
from the traditional stereotype of the hacker, towards a much more
diverse cross-section of wider society

During the early 90s, the US government decided to crack down on
criminal computer crimes in a series of raids dubbed Operation
Sundevil. The raids were carried out by the US Secret Service working
alongside local police and telecoms engineers and targeted “bulletin
boards” (now more often called forums) that were engaged in blatant
and open credit card fraud and telephone code abuse.

The people involved in such illicit activity mostly fitted a very
narrow subset of society: teenagers and young adults from middle-class
suburban homes. They had the disposable income to acquire what was at
the time cutting-edge general purpose computing technology and had
access to modems (extremely slow in the age of today’s broadband, but
life-changing technology at the time).

The modems allowed them to connect to the internet and the fledging
World Wide Web and form cliques on those bulletin boards to engage in
a range of activities – not all of them legal.

Although Sundevil was far from the only anti-hacking law enforcement
activity of the time, it is interesting because it went on to create
much of the image of the hacker in popular culture. The 1995 film
Hackersfeatures a teenage character targeted in an investigation by
doughnut-munching federal agents. His suburban bedroom, where one of
his floppy disks was hidden, was raided.

That film also captured many other aspects of hacker culture, such as
the hacking of old analogue telephone networks, known as “phreaking”,
to gain free calls, and the habit of hackers to study, and share,
treasure troves of technical information from large companies, such as
the so-called “Crayola Books” shown off by the characters.

Now, many of the hackers of yesteryear are today’s information
security (or cyber security) professionals, who work to protect
information. The dated cultural view of the elite criminal hacker has
fallen in to stereotype and myth over the decades and been overtaken
by leaps of technological progress, where general purpose computing is
in every home, and smartphones bring connectivity to people of every
background, culture, and age.

In this new landscape, newer generations of hackers are often cutting
their teeth against hardened computer systems, now armed with
antivirus, firewalls, and more sophisticated protections, rather than
the hapless, insecure, networks of the 80s.

On the other end of the spectrum, the wider prevalence of coding
skills has also resulted in “project-managed crime” – criminal
enterprises that shadow conventional IT business practices, but
develop software for criminal use by others. Ransomware, that holds a
user’s sensitive data on that computer to ransom by withholding an
encryption code, are often designed by teams of professional
criminals, including developers, testers, and project management
staff.

The now infamous ransomware WannaCry, which hit the NHS in May 2017,
is an example of this sort of software, with variants often sold
alongside commercial licenses. WannaCry was developed from the tools
of an intelligence agency, the US National Security Agency, that were
intended to protect national security, but repurposed for other uses,
rather than the tools of the hacking community.

Less so than a hacker mindset, the drivers for computer criminality
now come more from the personal motivations of all people with access
to technology (that is, almost everybody in our digital society). In
higher education in the UK, we have observed that the primary
motivator is not necessarily a drive for technical excellence, but
more typical motivators of crimes such as revenge.

Two typical cases illustrate this: in one, a student committed an
attack against an institution because he did not like the way they
responded to his reports of a mugging on campus, while in another, a
member of staff attacked their institution based on their previous
dismissal. IT crime is now an outlet for criminal intent of all
stripes; no longer the preserve of a technical elite.

There has been a transition from the black hat hackers, technical
wizards, and studious technophiles, of older decades, to anyone who
simply has the inclination to abuse the digital ecosystem. A security
professional’s view on criminal hacking has shifted away from the
traditional stereotype of the hacker, towards a much more diverse
cross-section of wider society.

As with all forecasting, outdated or prejudiced thinking will
ultimately lead to poor outcomes. Understanding criminal activities
(the business of threat intelligence) is a mandatory practice in
effective information security services.

By pooling the combined knowledge of our members (universities,
colleges and research centres), we can develop intelligence that is
both unique to academia’s problems and comprehensive in scope,
evolving and adapting to the ever-changing landscape of criminal
activities to not only better understand how it has changed, but also
to proactively meet future threats as efficiently and effectively as
possible.

One of the many challenges we have at Jisc, a not-for-profit that
provides UK universities and colleges with shared digital
infrastructure and services, is developing intelligence from our data
to understand the motivations of those who bring harm upon the UK’s
educational institutions.

With every new attempted attack, we gain a better understanding of
tools used, can observe trends in malicious behaviour, and can better
identify areas in the community where we work that are most
vulnerable. This, in turn, helps us develop and enhance cutting-edge
security services that better serve our members.