First things first: This wasn’t planned. We contacted The Grugq (pronounced "grug") as research for a forthcoming feature story. But the chat, as chats sometimes do, went in its own direction. Before long, we had hit on broader trends in the hacking and cracking community, the economics of the trade, and anecdotes that show how hacking is changing in some ways, and in others, staying the same as it has for a decade or more.
So much myth and conventional wisdom grows around hacking that it’s useful for security professionals to periodically take stock of what’s real and what isn’t from those who are in touch with that world.
Quickly, we should set out The Grugq’s credentials. He is a noted forensic and anti-forensic researcher. He has created anti-forensic tools to demonstrate the weakness of forensics. He has worked in information security at a large financial institution in Europe and has worked for an information security consultancy. Currently, he’s "freelancing" and doing forensics training. Despite his knowledge of what’s going on with hackers and bad guys, he claims he’s completely legit. "I don’t hack," he says flatly. But his research does keep him in touch with the community of hackers, which he says is far more nuanced and stratified than most people think.
What follows is an excerpt from an instant-message chat with Senior Editor Scott Berinato. We’ve edited for grammar and, for clarity, rearranged answers when the chat was bifurcated and two conversations were going on at once. We invite your feedback.
The Grugq: Good anti-forensics would prevent any stories, since no one would ever get called in to do the investigation. :)
CSO: That’s the problem I’m running into researching this story.
The Grugq: "Aspire to subtlety."
CSO: Good line.
The Grugq: That was the advice I got from my mentor. It’s what got me started on anti-forensics.
CSO: Who was your mentor?
The Grugq: I can’t tell you.
CSO: Can I ask why?
The Grugq: It was at a regular job. He was my boss. Very Old-school hacker.
CSO: Oh, so he was mentoring you on the side?
The Grugq: Well, I was hired to learn how to hack so I could be an in-house red team, which was novel back then.
CSO: Before everyone had a "research lab"?
The Grugq: Oh yeah, way before then.
CSO: Any other pearls of wisdom from him?
The Grugq: That was it really. Everything else was more practical. He didn’t like theory. He always wanted to see the code.
CSO: The other line you said that I like is, "If you know how to do anti-forensics, you probably don’t need anti-forensics."
The Grugq: Yeah, that was my finding when I was talking to people who did a lot of hacking. They didn’t see the need for it. Basically, it would never be an issue for them since they were too skilled to ever get caught.
CSO: But with more "regular criminals" and easier to use tools, less skilled people are glomming on to anti-forensics because without them they would get caught.
The Grugq: Yeah. The guys that need them are now starting to get their hands on them.
CSO: It seems to me, at this point, if you’re touching the hard disk when you’re hacking, you’re a little behind the times.
The Grugq: Basically, you will always need to use the disk at some point, since you need to store your tools and data somewhere.
CSO: Can you put a rootkit in the memory on a graphics card?
The Grugq: Sure.
CSO: Some have said that places like that, and servers that never reboot, can be exploited for their RAM so you don’t have to touch the disk?
The Grugq: But that will not usually be an untrusted compromised box in someone’s corporate network. That’s usually a trusted first or second bounce point. The box you trust, like your home box.
CSO: Nothing’s one to one, then, from you to the target? You move around?
The Grugq: Yeah. You basically hit a bunch of bounces first. Usually 10 or so.
CSO: Why so many bounces?
The Grugq: Well, the idea is that you want to make your point of origin untraceable. The old idea was to have a lot of boxes in different countries so that it was legally very difficult to get all the records together. These days, things are more sophisticated than those old style bounces, though. Before you used to have do log-ins to loads of boxes to do your bouncing. Now there’s packet routing software, so that rather than running a session from box A to box B to box C, you install software on a load of boxes, and then you have some packets which get routed from box A to C to target, and the other packets go from box B to box D to box A to target, and so on.
CSO: Kind of like in a play, between scenes, when the stage directions say to just scramble, go wherever so long as you end up at your spot.
The Grugq: So long as the packets get to your target, you don’t care what route they took. That is what people use these days. At least the top tier. Have a look at "the onion router" project. Basically, the trendy thing these days is to have a version of that which is private.
CSO: So some hackers have private networks like that?
The Grugq: Oh yeah.
CSO: They compromise the machines and only their traffic uses those hops? Is that a status thing?
The Grugq: It is practical. You need tools of the trade. Some of those tools are skills and software. And some are just having a lot of boxes that you can use. You need to have exploits.
CSO: Do they share their networks?
The Grugq: Not usually. If they are in a team, then they’ll share within the team.
CSO: In the bot world there seems to be many, many transactions and lots of sharing of code? You can have this exploit if I can have that one.
The Grugq: Yeah, trades used to happen a lot. But these days they are too expensive. It’s hard to arrange.
CSO: Huh. Why?
The Grugq: Well, in 2000 there were loads of good exploits which would take maybe a week to find and develop. These days it might take six months to find and develop one. That is a huge change in value.
CSO: Why so long now?
The Grugq: It is harder to find good bugs and develop good exploits for them.
CSO: It’s like overfishing?
The Grugq: It is exactly like overfishing. That is actually the analogy which Halvar uses to describe it. He takes it a bit further. Basically, there’s closed-source fishing and open-source fishing. Or ice fishing vs. fishing in a clear coral sea. :)
CSO: It makes sense. As finding exploits became automated, bugs were found and exploited rapidly. It’s like dropping those huge trawling nets.
The Grugq: The thing is, the juicy targets are still few and far between.
CSO: And this must also put a premium on socially engineering your way in.
The Grugq: Well, that is harder to do. But these days non-exploit hacking is making a comeback. The whole buffer overflow thing will die off, and what is left is the people who know how to get in without exploit. Those guys are the really old-school guys.
CSO: Right. If you can get well-meaning people to hold the door open for you, you don’t necessarily need exploit code.
The Grugq: Sure. But that social engineering is harder to pull off. It requires a different skill set.
CSO: Perhaps a different person?
The Grugq: And usually you have to physically be there.
CSO: One technique I’ve heard of is dropping USB tokens outside the doors of offices so employees will pick them up, and when they plug them in, the key installs exploits and rootkits and whatever.
The Grugq: Yeah. That is not exactly a myth, but it is also not exactly the best way to do things.
CSO: Low efficiency.
The Grugq: You will still get really good response rates sending e-mails to everyone saying "download this file and run it." Seriously.
CSO: Right. Just watch the news and then play off it. Say, "Here’s a pic of Anna Nicole’s Body" and for whatever reason, people can’t resist this. It gets into the reptilian part of their brain.
The Grugq: I’m not joking. You don’t even need to do that. You just send an e-mail which says, you can literally just say, "Run this code." Some of the anti-phishing guys I’ve worked with are just shocked at what happens. I had some friends who worked in corporate security who had to do a cleanup after they got hit with e-mails which said literally, "click on this" and they had 10 or 20 people who did. It was less than 1 percent, but it was enough. People will do it and even on a locked-down corporate PC, it doesn’t matter. If you can get an HTTP connection back out to the Web, you can then tunnel in over that.
CSO: Do you think you are good at social engineering?
The Grugq: Me? No. I’m not. I get too nervous. The key is being confident that you know what is going on. I can’t even lie to my girlfriend.
CSO: Corporate security guys hate those USB keys, by the way.
The Grugq: They are starting to get technological responses to that.
CSO: You mean besides filling the port with hot glue?
The Grugq: :) There is software to disable USB ports on Windows. I don’t think it has taken off. But it’ll be folded into McAfee or Symantec soon enough, I’m sure. We had a case once where an iPod was used to store data.
CSO: If you were motivated enough, you could just get hired by a company to exploit it, right?
The Grugq: Most hacking isn’t that targeted, though. Most of it is to build up a network of boxes. That’s still the goal. And from there you just play around. There is targeted stuff, but what has worked since the dawn of hacking is still to own the home box of the sysadmin, and then get his log-in credentials and use his access. That’s very, very common.
CSO: How big a network of boxes are hackers looking to build?
The Grugq: Depends on the motive. If you just want to have a reliable base for further hacking, you can have a few thousand or less. If you want to make proper money with spam and whatever, you want hundreds of thousands ++.
CSO: Are online payment services as porous as they are rumored to be? They seem like they’re exploited all the time. Of course that’s where the money is.
The Grugq: Yeah. They are terrible, but most of the guys who want small money like that are idiots. You’ll get guys who have 10 accounts and pass the money from account to account and then withdraw it from their private account. They get busted the next day. That’s pretty easy to trace.
CSO: That’s low level stuff?
The Grugq: Well, anything < 10K is trivial money. It isn’t worth it.
CSO: I’ve heard one of the best things to do is to play online poker with the money you make and purposely lose it to yourself, to launder it.
The Grugq: Yeah, that is one technique, but I don’t know if you can pass huge amounts like that. You’d take a lot of time to do it.
CSO: It gets suspect if two people play and one guy keeps losing, too, I suppose?
The Grugq: Well, the poker people don’t care. They get a cut. And they are all criminals anyway. Mobsters. Dodgy geezers.
CSO: So much myth and conventional wisdom builds up around this world. What would be the one thing about the state of hacking today that would surprise people the most?
The Grugq: There are still a lot of the old-school hackers who just explore. Despite the rise of commercial hacking, and the view of most hackers as stupid young kids.
CSO: So they do it just because they’re interested in how things work? Not for malfeasance or profit?
The Grugq: There are a lot of the old crew who’ve been in the scene for over a decade and they are still playing. I’ve been with guys who have access to a large percentage of the Fortune 100, but they don’t do anything with it.
CSO: Do they inform the companies? Are they Robin Hoods? Vigilantes?
The Grugq: Of course not. They break in and then sit there. Maybe they go in deeper, maybe not.
CSO: This is you?
The Grugq: No. I don’t do that sort of thing. :) I’m actually quite legit. I don’t hack.
CSO: OK, only if someone asks you to, as a pen test, say?
The Grugq: Yeah, I do pen tests, but the interesting thing for me isn’t the breaking in. It’s what you do after you break in.
CSO: How do you mean?
The Grugq: Well, this was the other thing that my mentor said to me: "What you do after you get root is what is interesting."
CSO: It’s almost as if you can tell what kind of hacker a person is by what they do after root?
The Grugq: That is exactly the case. It’s all about the motivation, and that’s displayed by how they behave once they have total control. If they make a mess and then go looking for the next place, they are kiddies. If they set up shop to run a scam, they are gangsters. And if they just poke around and then leave, they are old school. And you’ll always have those classes of people.
CSO: It’s the mix that might change, then, as the tools and defenses and so forth change?
The Grugq: Yeah, and the total number of people as well.
CSO: Right, the size and shape of the pie change.
The Grugq: The old-school guys tend to stay at a pretty constant level, with some drop-off. The kiddies either get busted, grow out of it or migrate to another section. Commercial guys, not much clue about what happens with them...