[ISN] Know thy hacker
isn at c4i.org
Tue Feb 1 04:04:24 EST 2005
By Bob Francis
January 28, 2005
As I said last week , I recently attended a local meeting of the
Information Systems Audit and Control Association (ISACA) to hear a
presentation by Mark Loveless, who heads up the Razor research team at
As well as talking about the many daunting threats that face security
administrators, Loveless also spoke about the changing nature of the
hackers and groups that are causing security threats.
Many hackers are known as "black-hat" hackers, those who generally
hack systems for personal gain or malicious reasons. The black-hat
hacker either exploits these hacks for themselves or trades or sells
A "gray-hat" hacker hacks systems and software without the
administrator's or developer's permission in order to uncover network
or software problems. Many of these hackers used to operate alone but
now work for organized crime, foreign governments, or spammers.
According to Loveless, the black-market price for exploit code for a
known flaw -- such as some of the recently announced Internet Explorer
flaws -- is between $100 and $500. That's the price if no exploit code
is currently available; after the exploit code is made available on
public forums, the price drops to zero, under the "carrying coals to
Newcastle" principle of economics.
Exploit code for an unknown flaw is -- not surprisingly --
considerably more valuable: Prices for unknown exploits range between
$1,000 and $5,000. Among the buyers of those codes are various foreign
governments, foreign and domestic organized crime groups, and
iDefense, a company that buys the exploits then informs its clients of
Want to know who has your e-mail address? Get in line. A list of 5,000
IP addresses of computers infected with spyware and ready and able to
go into "bot" mode goes for $150 to $500.
If you're in the black market for a list of 1,000 working credit card
numbers, expect to fork over between $500 and $5,000. Some sites even
will send you a couple of free numbers to test drive prior to
purchase, Loveless says, while others have rating services of the
different credit card number sellers, much like eBay.
Prices were even cheaper for those numbers, although the price has
increased since the U.S. Secret Service began Operation Firewall, an
investigation that targets underground hacker organizations known as
Shadowcrew, Carderplanet, and Darkprofits.
What do these black-hat hackers working for spammers make for their
trouble? According to Loveless, the annual salary of a top-end,
skilled black-hat hacker working for spammers is between $100,000 and
$200,000. Not bad -- although if you are caught, legal costs will eat
that up in a matter of weeks.
Apparently not all black-hat hackers are making the big bucks,
however. I spoke recently with Dr. Bill Hancock, Savvis
Communications. chief security officer and chairman of the FCC's
National Reliability & Interoperability Council (NRIC) Homeland
Security focus group on cyber-security, who says some black-hat
hackers are wearing their hats under protest.
Hancock had dinner with a hacker from Eastern Europe last year who
said the Russian Mafia threatened his family if he did not perform
work for them. "I think it shows how serious and how difficult a
problem this can be," he says.
Indeed, but it still pays to know your foe.
More information about the ISN