Podcast: Why Do Hackers Hack? It’s Not Why You Think

Podcast: Why Do Hackers Hack? It’s Not Why You Think

Why do hackers want to break in? It’s a question that has been asked in lots of different ways. From why would they want to? Why would they care? And this is a really good question to ask yourself and to try and understand because often times people tend to look at what they’re protecting and say “what’s the value of this thing to me”. But is that the right question to ask?

Atomicorp provides unified workload security for cloud, data center or hybrid platforms. Built on OSSEC, the World’s Leading Open Source Server Protection Platform. See our products.

 

Podcast Transcript: Why Do Hackers Hack? Its Not Why You Think

Bret Kinsella: [00:00:00]  This is the Linux Security Podcast, Episode 12. Today we answer the question: Why bad guys hack? The answer isn’t what you expect.

Bret Kinsella: [00:00:18]  Welcome back to the Linux Security Podcast. I’m Bret Kinsella. I’m here again with Mike Shinn and we are talking about Linux and security and where the two technologies cross. And today we’re going to talk about something a little bit different. And it’s an important topic because it’s changed over time.

Bret Kinsella: [00:00:35]  And the question for you today Mike — Why do people break in anyway?

Mike Shinn: [00:00:39]  This is a great question and I’ve had people ask me this my entire career. Why do they want to break in? And in that question has been asked in lots of different ways. But you know everything from why would they want to? Why would they care? And this is a really good one to ask yourself and to try and understand because often times people tend to look at what they’re protecting and say what’s the value of this thing to me. And that’s what I need to focus on as far as protecting this thing without asking the question: What is this thing worth to the bad guys? You really miss out on whether or not this thing should even be protected or whether or not it’s adequately protected and the reasons that people break into things really bear kind of spelling out. And it goes everywhere from the common… the first reason that people broke into computers was largely to vandalize them. It was to parade in front of the world and say I’m better than you. And that’s pretty much all that it really was for the vast majority of other events that occurred a couple of decades ago. And it created a culture of people that in some regards still exists to this day that if I don’t see any overt adverse effect then I haven’t been compromised. In other words they didn’t put a banner up on the Web site. The computer’s not acting strangely. You know the hinges aren’t pulled off of my door or whatever overt thing that would occur in the past. The building hasn’t been vandalized. We haven’t been hacked into and then bad guys started to evolve. Right. Breaking into computers became profitable. There were things that you could steal from computers. Probably the one that most consumers think of as their credit cards or their personal information and that definitely happens…

Bret Kinsella: [00:02:49]  …to big business.

Mike Shinn: [00:02:51]  …people break in. It is. It is. It is a multi-billion dollar business, stealing people’s information. But sometimes people aren’t actually breaking into things for any reason other than to use your asset. In other words they don’t care what your computer does or what’s on it.

Mike Shinn: [00:03:11]  They don’t care about your information. It doesn’t matter. And we saw that start to happen with security cameras. Consumers reactions to this were understandable which was that have the if the web cam in my house or maybe the security camera mascots hacked into hackers are gonna be able to spy on me and see me walking around in my underwear. There may be some hackers out there that do that but that was not really the reason that they broke into these things. It was that those cameras or computers and they could use those computers to do stuff. And the first thing that they did was they used those computers to attack other people non attribution attacks right. The idea that if I’m using some little old lady’s computer to hack into somebody else’s computer whose computer are they going to see the attack is coming from a little old lady. So the FBI is going to go to the little old lady’s house. She doesn’t know anything about it. So I’ve covered my tracks that evolve to what if I can break into a million computers at the same time and I can have them all attack a website at the same time. I can take the website down a denial of service attack. Can’t accomplish that without lots and lots of computers. Now we’re seeing a more legitimate economic use of the asset. In other words I now have a powerful computer or many powerful computers as a bad guy.

Mike Shinn: [00:04:32]  And computers are useful to do work. So I’m going to have this computer do work for me. And we’ve started to see bad guys use these stolen computing assets to generate cryptocurrency. Right?

Bret Kinsella: [00:04:45]  …which it’s expensive.

Mike Shinn: [00:04:48]  And that generates actual revenue. So you hack into a bunch of computers and you have them do work for you and it makes you money.

Bret Kinsella: [00:04:57]  Okay. So let’s… let’s reset here. So we had this period of time when people were breaking in to do damage. So vandalism I think as you say.

Mike Shinn: [00:05:05]  That’s right.

Bret Kinsella: [00:05:05]  And then we went through a phase where it was mostly stealing something that people found a value.

Mike Shinn: [00:05:10]  That’s right.

Bret Kinsella: [00:05:11]  Credit cards, PII and then that’s even changed too because people are using it for health care.

Mike Shinn: [00:05:16]  That’s right.

Bret Kinsella: [00:05:17]  And for fraud and all these other things that aren’t right that are not really just about going to Target and buying a bunch of insurance for forty dollars.

Mike Shinn: [00:05:23]  That’s right.

Bret Kinsella: [00:05:23]  And we’ve seen people steal assets. Right? So that’s one of the big state sponsored aspects but it’s also corporate espionage and other people just looking and so they’ll go in and they’ll just take your design plans or information and they’ll sell it on the open market.

Mike Shinn: [00:05:40]  That’s right.

Bret Kinsella: [00:05:40]  Or they’ll they’ll give it to somebody else who’s competing against you.

Mike Shinn: [00:05:43]  That’s right.

Mike Shinn: [00:05:43]  So those are all you know. So we moved from the vandalism to the economic crime. And I don’t even know what to call this new thing because this is like you know where we had this old idea of like obscuring Providence. Right?

Mike Shinn: [00:05:57]  Right.

Bret Kinsella: [00:05:58]  So so you can’t do attribution.

Mike Shinn: [00:06:01]  That’s right.

Bret Kinsella: [00:06:01]  And then we had this whole idea about DDoS. So that I could. And usually the DDoS was for something else so it could distract them so I can get in.

Mike Shinn: [00:06:08]  That’s right. Or I just don’t like them.

Bret Kinsella: [00:06:12]  Yeah. That’s right. It’s very very often. And so now we have this whole thing it’s like people are looking for compute power. Because the computing power is expensive the energy is really expensive. You can just offload that to someone that doesn’t even know they’re paying for it.

Mike Shinn: [00:06:26]  That’s right. And it’s even gotten grayer. So this this well we’ll call it a realization that when you taken over a whole bunch of computers you can have them do work and potentially have them make money for you has evolved from I need to hack into them to… What if I can just get the user to do this somewhat unwittingly and we tend to think of that as oh well we got them to click on something or they installed some malware or whatever. It’s gotten even more subtle than that. It’s gotten down to the point where there are organizations that overtly have decided that their business model is going to be to put your computer to work to make them money. And we saw that with some websites that put some javascript in them to generate cryptocurrencies. So if you visited their websites and this was malicious code that a malicious person had added to this website they certainly had done that. But now this has evolved to. Wait a minute. I can build. We’ll call it in quotes a “legitimate business” where maybe I give away a bunch of stuff on my website but I’m paying the bills by getting your computer to generate cryptocurrency.

Bret Kinsella: [00:07:40]  Well how does it how does that actually work. So I hit a Web site.

Mike Shinn: [00:07:43]  Yeah yeah.

Bret Kinsella: [00:07:44]  And some script starts running?

Mike Shinn: [00:07:45]  That’s right. Yeah. So are our browsers aren’t really these passive things that that if you’ve been in this industry as long as you as you and I have you may remember way back in the days of pre HTML 1.0. Right? This was truly static content right. It was just text basically in your browser rendered some colors and you could put some images in there. We now have beyond full blown programming languages you can effectively create an entire operating system if you want to inside a browser you can do almost anything within the browser and you’re only limited by what the browser constrains you to do. So doing something as simple as doing a mathematical calculation is not something that a browser would want to prevent. Right it’s the most basic computer science concept. So these sites utilize the fact that your browser can can do this work for them. And so you go to the website and then in the background the browser is running this javascript and you’re just surfing away on the website and it’s just cranking away on your CPU just generating cryptocurrency and sending it into their account.

Bret Kinsella: [00:09:02]  And who would know because chrome uses so much memory anyway.

Mike Shinn: [00:09:07]  And these computers are so powerful nowadays that how many people would unless this thing was really crushing your computer you probably wouldn’t notice. And it begs a more fundamental question is that actually a crime? You know are you… are they actually doing anything criminal right? Is it unethical? Maybe. Is it immoral? Maybe. Right. Or is it a fair and rational trade? Right. You come to the website and maybe there I don’t know they just make something up. Maybe maybe they have a podcast right and this is how they pay for their podcast on their website is by having you generate cryptocurrency for them. And if you don’t notice it and your computer is otherwise behaving normally would you care? And to me this is this is really fascinating from a malicious point of view because this is something I would wholly expect to see happen in other ways like you download an app for your phone and instead of it having ads it’s just generating cryptocurrency. And again it is that… is that bad? Right. I mean they were monetizing it one way or they’re monetizing it another.

Bret Kinsella: [00:10:12]  It might be less intrusive.

Mike Shinn: [00:10:12]  Is it? Is it fair to everyone? You know it’s… it’s fascinating times. And this all really came about from the bad guys. Right. They innovated this. It was “Hey we’re gonna go use other people’s stuff to make us money” and then some entrepreneurs said wait a minute hold on. I could do this too.

Bret Kinsella: [00:10:32]  Well the more the more traditional way though what you’re talking about is is there actually breaking in.

Mike Shinn: [00:10:36]  Yes.

Bret Kinsella: [00:10:37]  They’re taking some sort of control over your device and making it do things that you have not authorized it to do.

Mike Shinn: [00:10:44]  That’s right. And in those cases there’s really no question that what they were doing was illegal unethical immoral all of the above because they broke into a system there was no you weren’t part of the discussion and there wasn’t sort of the implied tit for tat or whatever they just stole your stuff. And in the purely criminal sense where we see that occurring very often is on assets that are not as visible. That is to say people they’re not interactive. You know it isn’t to say these things don’t happen to laptops. It’s just to say that you might notice if your laptop is CPU is being killed by this other application. But if it’s running on all of your IP web cameras …but they’re still working… right you’re still getting the video feeds from them. Would you ever know? Unlikely that you would ever know unless you had some way of seeing the data leaving your network and you were like hey that’s not that’s not normal. That shouldn’t be there. But most people don’t have the ability to log into their cameras for example and see that the CPU is right.

Bret Kinsella: [00:11:50]  They may have excess CPU capacity.

Mike Shinn: [00:11:52]  They do. You know some of them more than others but they absolutely and it could be something else. You know the industrial control systems is another great target of this. You know and there have been some incidents where this type of malware has gotten onto systems that are largely never interacted with. They’re just collecting dust in a corner doing something. Meanwhile they’re just cranking away doing other work at the same time.

Bret Kinsella: [00:12:19]  So people used to take over webcams in order to run DDoS attacks and now they’re doing it to generate bitcoin.

Mike Shinn: [00:12:27]  …to make money.

Bret Kinsella: [00:12:28]  My how things have changed.

Mike Shinn: [00:12:30]  That’s… that’s exactly right. And this really all came about because of the bad guys there. They innovated this. They said you know is there some other way. Because it’s a business for them. Right. It’s. That’s what it is now. It’s no longer the kid breaking into something just to run up the flag and say look how clever I am. It’s it’s now organized crime people are doing this to make money.

Bret Kinsella: [00:12:55]  So we go back to the beginning here and I think you had a really important point that we started out with which was when trying to answer the question why do people break in. It’s often not for the reasons you think because they value what you have differently than you value.

Mike Shinn: [00:13:11]  That’s right. You you have to try to put yourself in the shoes of the bad guy and say why would this be valuable to them. How would they use this. And be very careful to not allow your own prejudices to steer you towards the answer that you want. Oh this isn’t that important. Why would they care? This computer doesn’t have any important information on it that if in fact that’s true that may not be the reason that they break in certainly these days there are lots of other reasons why people break into things.

Bret Kinsella: [00:13:44]  Right. Right. But one of the biggest is they like to make money.

Mike Shinn: [00:13:47]  That is definitely one of the biggest.

Bret Kinsella: [00:13:50]  Thanks a lot Mike.

Mike Shinn: [00:13:51]  Thank you.

 

Atomicorp provides unified workload security for cloud, data center or hybrid platforms. Built on OSSEC, the World’s Leading Open Source Server Protection Platform. See our products.