DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Key Note @ DefCamp 2013

Bucharest, Romania – November 29th , 2013

Raoul “Nobody” Chiesa

Founder, President, Security Brokers SCpA

Principal, Cyberdefcon Ltd. Member of ENISA PSG (Permanent Stakeholders Group)

Special Advisor on the HPP project at UNICRI

Peering in the Soul of Hackers:

HPP V2.0 reloaded

(The Hacker’s Profiling Project)



Agenda

# whois

From Crime to Cybercrime

Hacker’s generations

HPP V1.0 (2004-2011)

HPP V2.0 (2011-2015)

Conclusions

Contacts, Q&A

2



Disclaimer

● The views expressed are those of the author(s) and speaker(s) and do not necessary reflect the views of UNICRI, ENISA and its PSG, nor the companies and security communities I’m working at and/or supporting.

3



# whois raoul President, Founder, The Security Brokers

Principal, CyberDefcon UK

HPP Special Advisor @ UNICRI (United Nations Interregional

Crime & Justice Research Institute)

PSG Member, ENISA (Permanent Stakeholders Group,

European Network & Information Security Agency)

Founder, Board of Directors and Technical Commitee

Member @ CLUSIT (Italian Information Security Association)

Steering Committee, AIP/OPSI, Privacy & Security

Observatory

Member, Manager of the WG «Cyber World» at Italian MoD

Board of Directors, ISECOM

Board of Directors, OWASP Italian Chapter

4

http://www.owasp.org/



# whois UNICRI UNICRI is the United Nations Crime & Justice Research

Institute

It’s based in Turin (WHQ), Italy: nice town, give us a

visit!

We mainly work on:

• Trainings (Legal aspects, Cybercrime, SCADA,

HPP, …)

• Facilitator: allowing cool (and trusted!) entities

to meet and work each others

• Paperworks (somebody gotta do it…) 5



6



“Every new technology,

opens the door to new criminal approaches”.

The relationship between technologies and criminality has always been – since the very beginning – characterized by a kind of “competition” between the good and the bad guys, just like cats and mice.

As an example, at the beginning of 1900, when cars appeared, the “bad guys” started stealing them (!)

….the police, in order to contrast the phenomenon, defined the mandatory use of car plates…

….and the thieves began stealing the car plates from the cars (and/or falsifying them).

Crime->Yesterday



Cars have been substituted by information

You got the information, you got the power..

(at least, in politics, in the business world, in our personal relationships…)

• Simply put, this happens because the “information” can be transformed at once into “something else”:

1. Competitive advantage

2. Sensible/critical information 3. Money

… that’s why all of us we want to “be secure”.

It’s not by chance that it’s named “IS”: Information Security

Crime->Today:Cybercrime



What happened over the past decades?

Hacking eras & Hackers’ generations



First generation (70’s) was inspired by the need for

knowledge

Second generation (1980-1984) was driven by curiosity plus

the knowledge starving: the only way to learn OSs was to

hack them; later (1985-1990) hacking becomes a trend.

The Third one (90’s) was simply pushed by the anger for

hacking, meaning a mix of addiction, curiosity, learning

new stuff, hacking IT systems and networks, exchanging

info with the underground community. Here we saw new

concepts coming, such as hacker’s e-zines (Phrack, 2600

Magazine) along with BBS

Fourth generation (2000-today) is driven by angerness and

money: often we can see subjects with a very low know-how, thinking that it’s “cool & bragging” being hackers,

while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics

(cyber-hacktivism) or with the criminal world (cybercrime).

Things changed…

€, $

http://www.imdb.com/title/tt0086567/posters

http://www.imdb.com/title/tt0244244/photogallery



QUESTION: • May we state that cybercrime – along with its many, many

aspects and views – can be ranked as #1 in rising trend and global diffusion ?

ANSWER(S): Given that all of you are attendees and speakers here today, I

would say that we already are on the right track in order to analyze the problem

Nevertheless, some factors exist for which the spreading of “e-crime-based” attacks relays.

Let’s take a look at them.

Cybercrime: why?



1. There are new users, more and more

every day: this means the total amount

of potential victims and/or attack

vectors is increasing.

2. Making money, “somehow and

straight away”.

3. Technical know-how public

availability & ready-to-go, even when

talking about average-high skills: that’s what I name “hacking pret-à-porter”

Reasons/1

Thanks to

broadband...

WW Economical

crisis…

0-days, Internet

distribution

system / Black

Markets



4. It’s extremely easy to recruit “idiots” and set up groups, molding those

adepts upon the bad guy’s needs (think about e-mules)

5. “They will never bust me”

6. Lack of violent actions

Reasons/2

Newbies,

Script Kids

Psychology, Criminology

Psychology and

Sociology


Bucharest, Romania – November 29th , 2013 14

What’s really changed is the attacker’s typology

From “bored teens”, doing it for “hobby and curiosity” (obviously: during night, pizza-hut’s box on the floor and cans of Red Bull)….

...to teenagers and adults not mandatory “ICT” or “hackers”: they just do it for the money.

What’s changed is the attacker’s profile, along with its justifications, motivations and reasons.

Let’s have a quick test!

What the heck is changed then??



Hackers in their environment



“Professionals”



LOL-test

17



Why were the guys in the first slide hackers, and the others professionals ?

Because of the PCs ?

Because of their “look” ?

Due to the environments surrounding them ?

Because of the “expression on their faces” ?

There’s a difference: why?



Erroneus media information pushed

“normal people” minds to run this

approach

Today, sometimes the professionals

are the real criminals, and hackers

“the good guys”…Think about a few

incidents:

• Telecom Italia scandal, Vodafone

Greece Affair, NSA, GCHQ, etc…)

Surprise! Everything has changed…



Welcome to HPP!



HPP V1.0 Back in 2004 we launched the Hacker’s

Profiling Project - HPP: http://www.unicri.it/emerging_crimes/cybercrime/

cyber_crimes/hpp.php)

Since that year:

• +1.200 questionnaires collected & analyzed

• 9 Hackers profiles emerged

• Two books (one in English)

• Profilo Hacker, Apogeo, 2007

• Profiling Hackers: the Science of Criminal

Profiling as Applied to the World of Hacking, Taylor&Francis Group, CRC Press (2009)

21

http://www.unicri.it/emerging_crimes/cybercrime/cyber_crimes/hpp.php









HPP V1.0: purposes & goals

22

Analyse the hacking phenomenon in its several aspects

(technological, social, legal, economical) through

technical and criminological approaches.

Observe those true criminal actions “on the field” .

Understand the different motivations and identify the

actors involved (who, not “how”).

Apply the profiling methodology to collected data (4W: who, where, when, why).

Acquire and disseminate knowledge.



HPP Questionnaires: the modules

23

Module B Relational data (relationship with: the Authorities, teachers/employers, friends/colleagues, other hackers)

Module C Technical and criminological data (targets, techniques/tools, motivations, ethics, perception of the illegality of their own activity, crimes committed, deterrence)

Module A

Personal data (gender, age, social status,

family context, study/work)

All questions allow

anonymous answers



Some numbers

24

Total received questionnaires: # +1200

Full questionnaires filled out - # +600*

Compact questionnaires filled out - #573*

*since September 2006

Mainly from: USA Italy UK Canada Lithuania Australia Malaysia Germany Brazil



Evaluation & Correlation standards

25

Modus Operandi (MO)

Lone hacker or as a member of a group

Motivations

Selected targets

Relationship between motivations and targets

Hacking career

Principles of the hacker's ethics

Crashed or damaged systems

Perception of the illegality of their own activity

Effect of laws, convictions and technical difficulties as a deterrent



Zoom: correlation standards

26

Gender and age group

Background and place of residence

How hackers view themselves

Family background

Socio-economic background

Social relationships

Leisure activities

Education

Professional environment

Psychological traits

To be or to appear: the level of self-esteem

Presence of multiple personalities

Psychophysical conditions

Alcohol & drug abuse and dependencies

Definition or self-definition: what is a real hacker?

Relationship data

Handle and nickname

Starting age

Learning and training modalities

The mentor's role

Technical capacities (know-how)

Hacking, phreaking or carding: the reasons behind the choice

Networks, technologies and operating systems

Techniques used to penetrate a system

Individual and group attacks

The art of war: examples of attack techniques

Operating inside a target system

The hacker’s signature

Relationships with the System Administrators

Motivations

The power trip

Lone hackers

Hacker groups

Favourite targets and reasons

Specializations

Principles of the Hacker Ethics

Acceptance or refusal of the Hacker Ethics

Crashed systems

Hacking/phreaking addiction

Perception of the illegality of their actions

Offences perpetrated with the aid of IT devices

Offences perpetrated without the use of IT devices

Fear of discovery, arrest and conviction

The law as deterrent

Effect of convictions

Leaving the hacker scene

Beyond hacking



HPP V1.0: the emerged profiles…

27



28

Profile OFFENDER ID LONE / GROUP HACKER

TARGET MOTIVATIONS / PURPOSES

Wanna Be Lamer 9-16 years “I would like to be a hacker, but I can’t”

GROUP End-User For fashion, It’s “cool” => to boast and brag

Script Kiddie 10-18 years The script boy

GROUP: but they may act alone

SME / Specific security flaws

To give vent of their anger / attract mass-media attention

Cracker 17-30 years The destructor, burned ground

LONE Business company To demonstrate their power / attract mass-media attention

Ethical Hacker 15-50 years The “ethical” hacker’s world

LONE / GROUP (only for fun)

Vendor / Technology For curiosity (to learn) and altruistic purposes

Quiet, Paranoid, Skilled Hacker

16-40 years The very specialized and paranoid attacker

LONE On necessity For curiosity (to learn) => egoistic purposes

Cyber-Warrior 18-50 years The soldier, hacking for money

LONE “Symbol” business company / End-User

For profit

Industrial Spy 22-45 years Industrial espionage

LONE Business company / Corporation

For profit

Government Agent 25-45 years CIA, Mossad, FBI, etc.

LONE / GROUP Government / Suspected Terrorist/ Strategic company/ Individual

Espionage/ Counter-espionage Vulnerability test Activity-monitoring

Military Hacker 25-45 years LONE / GROUP Government / Strategic company

Monitoring / controlling / crashing systems



Some comments

Since 1999 I’ve attended most of the so-

called «hacking conferences».

Over the last 5 years, I’ve travelled as a

speaker, evangelist, security bitch and

whatever in: • .mil environments (EU, Eastern Europe)

• India

• China

• GCC Area

• Malaysia

29



30

OBEDIENCE TO

THE

“HACKER

ETHICS”

CRASHED / DAMAGED

SYSTEMS

PERCEPTION OF THE

ILLEGALITY OF THEIR

OWN ACTIVITY

Wanna Be Lamer

NO: they don’t

know “Hacker

Ethics” principles

YES: voluntarily or not

(inexperience, lack of

technical skills)

YES: but they think they

will never be caught

Script Kiddie NO: they create

their own ethics

NO: but they delete /

modify data

YES: but they justify their

actions

Cracker

NO: for them the

“Hacker Ethics”

doesn’t exist

YES: always voluntarily YES but: MORAL

DISCHARGE

Ethical Hacker YES: they defend it NEVER: it could happen

only incidentally

YES: but they consider

their activity morally

acceptable

Quiet, Paranoid, Skilled

Hacker

NO: they have their

own personal ethics,

often similar to the

“Hacker Ethics”

NO

YES: they feel guilty for

the upset caused to

SysAdmins and victims

Cyber-Warrior NO

YES: they also

delete/modify/steal and sell

data

YES: but they are without

scruple

Industrial Spy

NO: but they follow

some unwritten

“professional” rules

NO: they only steal and

sell data

YES: but they are without

scruple

Government Agent NO: they betray the

“Hacker Ethics”

YES (including

deleting/modifying/stealing

data) / NO (in stealth

attacks)

Military Hacker NO: they betray the

“Hacker Ethics”

YES (including

deleting/modifying/stealing

data) / NO (in stealth

attacks)



31

PROFILE MAY BE LINKED TO WILL CHANGE ITS BEHAVIOR?

TARGET (NEW) MOTIVATIONS & PURPOSES

Wanna Be Lamer No

Script Kiddie Urban hacks No Wireless Networks, Internet Café, neighborhood, etc..

Cracker Phishing Spam Black ops

Yes Companies, associations, whatever

Money, Fame, Politics, Religion, etc…

Ethical Hacker Black ops Probably Competitors (Telecom Italia Affair), end-users

Big money

Quiet, Paranoid, Skilled Hacker

Black ops Yes High-level targets Hesoteric request (i.e., hack “Thuraya” for us)

Cyber-Warrior CNIs attacks Gov. attacks

Yes “Symbols”: from Dali Lama to UN, passing through CNIs and business companies

Intelligence ?

Industrial Spy Yes Business company / Corporation

For profit

Government Agent Probably Government / Suspected Terrorist/ Strategic company/ Individual

Espionage/ Counter-espionage Vulnerability test Activity-monitoring

Military Hacker Probably Government / Strategic company

Monitoring / controlling / crashing systems



32

DETERRENCE

EFFECT OF: LAWS

CONVICTIONS

SUFFERED BY

OTHER

HACKERS

CONVICTIONS

SUFFERED BY

THEM

TECHNICAL

DIFFICULTIES

Wanna Be Lamer NULL NULL ALMOST NULL HIGH

Script Kiddie NULL NULL

HIGH: they stop

after the 1st

conviction

HIGH

Cracker NULL NULL NULL MEDIUM

Ethical Hacker NULL NULL

HIGH: they stop

after the 1st

conviction

NULL

Quiet, Paranoid,

Skilled Hacker NULL NULL NULL NULL

Cyber-Warrior NULL NULL NULL NULL: they do it

as a job

Industrial Spy NULL NULL NULL NULL: they do it

as a job



HPP V2.0: what happened? VERY simple:

Lack of funding: for phases 3&4 we need money!

• HW, SW, Analysts, Translators

We started back in 2004: «romantic hackers», + we foreseen those «new» actors tough: .GOV,

.MIL, Intelligence.

We missed out:

• Hacktivism (!);

• Cybercriminals out of the «hobbystic» approach;

• OC;

• The financial aspects (Follow the Money!!). 33



HPP V2.0: next enhancements

34

1. Wannabe Lamer

2. Script kiddie: under development (Web Defacers, DDoS, links with

distributed teams i.e. Anonymous….)

3. Cracker: under development (Hacking on-demand, “outsourced”;

links with Organized Crime)

4. Ethical hacker: under development (security researchers, ethical

hacking groups)

5. Quiet, paranoid, skilled hacker (elite, unexplained hacks? Vodafone

GR? NYSE? Lybia TLC systems?)

6. Cyber-warrior: to be developed

7. Industrial spy: to be developed (links with Organized Crimes &

Governments i.e. Comodo, DigiNotar and RSA hacks?)

8. Government agent: to be developed (“N” countries..)

9. Military hacker: to be developed (India, China, N./S. Korea, etc.)

X. Money Mules? Ignorant “DDoSsers”? (i.e. LOIC by Anonymous)



35



HPP V2.0: upcoming goals

36

Going after Cybercriminals:

Kingpins & Master minds (the “Man at the Top”)

o Organized Crime

o MO, Business Model, Kingpins – “How To”

Techies hired by the Organized Crime (i.e. Romania & skimming at the very beginning; Nigerian cons; Ukraine Rogue

AV; Pharma ADV Campaigns; ESTDomains in Estonia; etc..)

Structure, Infrastructures (possible links with Govs & Mils?)

Money Laundering: Follow the money (Not just “e-mules”: new frameworks to “cash-out”)

Outsourcing: malware factories (Stuxnet? DuQu? Flame? ….)



Conclusions

37

The whole Project is self-funded and based on independent research methodologies.

Despite many problems, we have been carrying out the Project for years.

The final methodology will be released under GNU/FDL and distributed through ISECOM.

It is welcome the research centres, public and private institutions, and governmental agencies' interest in the Project.

We think that we are elaborating something beautiful...

…something that did not exist…

…and it seems – really – to have a sense ! :)

It is not a simple challenge. However, we think to be on the right path.



Useful Community Sources ●Kingpin, 2012

●Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, CRC Press/Taylor & Francis Group, 2009

●H.P.P. Questionnaires 2005-2010

● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010

● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007

● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003

● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997

● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)

● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Stalalla & Joshua Quinttner, Harpercollins, 1995

● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997

● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfler, (Hyperion Books), 1996

● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997

● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002

● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004

● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998



Useful Community Sources ●The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)

●Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)

●Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008

●The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002

●Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995

●Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004

●Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004

●Hacker Cracker, Ejovu Nuwere with David Chanoff, Harper Collins, 2002

●Compendio di criminologia, Ponti G., Raffaello Cortina, 1991

● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol.X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988

● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44

● Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001

● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January, 1998

●Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology

● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro



And...a gift for you all here!

●Get your own, FREE copy of “F3” (Freedom from

●Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes!

●DOWNLOAD:

●www.FreedomFromFearMagazine.org

●Or, email me and I will send you the full PDF (10MB)



Contacts

• Contact presenter at [email protected] if you

are interested in:

• Asking questions, getting material (links, books..)

Contact presenter at [email protected] if you are

interested in:

• Helping with the project, supporting us, donations

Public Key: http://raoul.EU.org/RaoulChiesa.asc

mailto:[email protected]




http://raoul.eu.org/RaoulChiesa.asc