The chief scientist of security company Internet Security Systems believes 2004 could prove to be a watershed year for hacking.
Robert Graham says many hackers are graduating into the pro ranks, a development that carries worrying implications for corporate security.
"Before this year, we really saw just kids that are playing and pretending to be masterminds," said Graham, who did important early work in the development of intrusion-prevention systems. "But this year, we saw the rise of the professional hacker."
For many years, hackers were content with the thrill of breaking into other systems, or with whatever elevated peer status they achieved through their exploits. But not anymore, according to Graham, who says that both the patterns of hacker attacks, and the motives behind the attacks, are changing. Hackers are now far more coordinated, and they no longer merely rely on copycat tools and random attacks. What's more, Graham detects a dangerous intent to profit financially from hacking. He recently spoke with ZDNet UK sister site CNETAsia about this evolving security challenge.
Q: Are hackers getting paid now?
A: It's not so much that they get paid to hack, but that they earn money from hacking. Take phishing attacks: It's usually the people who are running the attacks themselves that are earning money; no one is paying them to do it.
How would you define a "pro hacker"?
Before this year, hackers really were just kids playing and pretending to be masterminds. They could download hacking utilities from the Internet, but they were really clueless. And they were relatively unskilled...and it's only after running their tools through tens of thousands of machines that they were able to find one to break into. More importantly, they weren't really criminal masterminds. It's been largely a game for hackers up until now. This is notwithstanding the fact that law enforcement agencies have been taking this game seriously -- because the hackers haven't.
This year, things are changing, and you can see it from the FBI's activities in the US this year. In one arrest by the FBI, the subject was a spammer who had thousands of machines under his control used to forward spam.

Talkback
I found the article with Robert Graham being interviewed on internet security to be interesting, but also a little annoying. To call these hackers stupid and only thinking of one step beyond the limits set by any type of security is very shallow-minded to say the least. Children these days (not children from the 90's revolution) are fed computer literature and manuals until they cannot see anything but code of all languages. Who is to say that these "Kids" cannot, at a tender age, write something that could bring down most of the internet with ease and go the extra 5 - 10 steps beyond that Robert Graham says is not possible? If Robert is as narrow-minded as this, how many other internet security chief scientists think like this? And it begs the question: should they be in the job they are? To under-estimate anyone is silly; to under-estimate the youth of today is VERY stupid indeed!