DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Peering in the Soul of Hackers:
HPP V2.0 reloaded

(The Hacker’s Profiling Project)
Raoul “Nobody” Chiesa
Founder, President, Security Brokers SCpA
Principal, Cyberdefcon Ltd.
Member of ENISA PSG (Permanent Stakeholders Group)
Special Advisor on the HPP project at UNICRI
Key Note @ DefCamp 2013
Bucharest, Romania – November 29th , 2013

Agenda








# whois
From Crime to Cybercrime
Hacker’s generations
HPP V1.0 (2004-2011)
HPP V2.0 (2011-2015)
Conclusions
Contacts, Q&A
2


Disclaimer
●

The views expressed are those of the
author(s) and speaker(s) and do not
necessary reflect the views of UNICRI,
ENISA and its PSG, nor the companies
and security communities I’m working at
and/or supporting.

3

# whois raoul
 President, Founder, The Security Brokers
 Principal, CyberDefcon UK
 HPP Special Advisor @ UNICRI (United Nations Interregional
Crime & Justice Research Institute)
 PSG Member, ENISA (Permanent Stakeholders Group,
European Network & Information Security Agency)
 Founder, Board of Directors and Technical Commitee
Member @ CLUSIT (Italian Information Security Association)
 Steering Committee, AIP/OPSI, Privacy & Security
Observatory
 Member, Manager of the WG «Cyber World» at Italian MoD
 Board of Directors, ISECOM
 Board of Directors, OWASP Italian Chapter

4

# whois UNICRI
 UNICRI is the United Nations Crime & Justice Research
Institute
 It’s based in Turin (WHQ), Italy: nice town, give us a
visit!
 We mainly work on:

• Trainings (Legal aspects, Cybercrime, SCADA,
HPP, …)
• Facilitator: allowing cool (and trusted!) entities
to meet and work each others
• Paperworks (somebody gotta do it…)
5


6


Crime->Yesterday
“Every new technology,
opens the door to new criminal approaches”.
 The relationship between technologies and criminality has
always been – since the very beginning – characterized by a
kind of “competition” between the good and the bad guys, just
like cats and mice.

 As an example, at the beginning of 1900, when cars appeared,
the “bad guys” started stealing them (!)
 ….the police, in order to contrast the phenomenon, defined the
mandatory use of car plates…
 ….and the thieves began stealing the car plates from the cars
(and/or falsifying them).

Crime->Today:Cybercrime
 Cars have been substituted by information
You got the information, you got the power..
(at least, in politics, in the business world, in our personal
relationships…)
• Simply put, this happens because the “information” can be
transformed at once into “something else”:
1. Competitive advantage
2. Sensible/critical information
3. Money
 … that’s why all of us we want to “be secure”.
 It’s not by chance that it’s named “IS”: Information Security 

What happened over
the past decades?
Hacking eras &
Hackers’ generations

Things changed…
 First generation (70’s) was inspired by the need for
knowledge
 Second generation (1980-1984) was driven by curiosity plus
the knowledge starving: the only way to learn OSs was to
hack them; later (1985-1990) hacking becomes a trend.
 The Third one (90’s) was simply pushed by the anger for
hacking, meaning a mix of addiction, curiosity, learning
new stuff, hacking IT systems and networks, exchanging
info with the underground community. Here we saw new
concepts coming, such as hacker’s e-zines (Phrack, 2600
Magazine) along with BBS
 Fourth generation (2000-today) is driven by angerness and
money: often we can see subjects with a very low knowhow, thinking that it’s “cool & bragging” being hackers,
while they are not interested in hacking & phreaking
history, culture and ethics. Here hacking meets with politics
(cyber-hacktivism) or with the criminal world (cybercrime).

€, $


Cybercrime: why?
 QUESTION:
• May we state that cybercrime – along with its many, many
aspects and views – can be ranked as #1 in rising trend and
global diffusion ?
 ANSWER(S):
 Given that all of you are attendees and speakers here today, I
would say that we already are on the right track in order to
analyze the problem 

 Nevertheless, some factors exist for which the spreading of
“e-crime-based” attacks relays.
 Let’s take a look at them.


Reasons/1
 1. There are new users, more and more
every day: this means the total amount
of potential victims and/or attack
vectors is increasing.
 2. Making money, “somehow and
straight away”.

Thanks to
broadband...
WW Economical
crisis…

 3. Technical know-how public
availability & ready-to-go, even when
talking about average-high skills: that’s
what I name “hacking pret-à-porter”

0-days, Internet
distribution
system / Black
Markets


Reasons/2


4. It’s extremely easy to recruit “idiots” and set up groups, molding those
adepts upon the bad guy’s needs (think about e-mules)

Newbies,
Script Kids


5. “They will never bust me”



6. Lack of violent actions

Psychology, Criminology
Psychology and
Sociology


What the heck is changed then??
 What’s really changed is the
attacker’s typology
 From “bored teens”, doing it for
“hobby and curiosity” (obviously:
during night, pizza-hut’s box on the
floor and cans of Red Bull)….
 ...to teenagers and adults not
mandatory “ICT” or “hackers”: they
just do it for the money.
 What’s changed is the attacker’s
profile, along with its justifications,
motivations and reasons.

 Let’s have a quick test!
14

Hackers in their environment


“Professionals”


LOL-test

17


There’s a difference: why?

 Why were the guys in the first slide hackers,
and the others professionals ?
 Because of the PCs ?
 Because of their “look” ?
 Due to the environments surrounding them ?
 Because of the “expression on their faces” ?

Surprise! Everything has changed…

 Erroneus media information pushed
“normal people” minds to run this
approach
 Today, sometimes the professionals
are the real criminals, and hackers
“the good guys”…Think about a few
incidents:
• Telecom Italia scandal, Vodafone
Greece Affair, NSA, GCHQ, etc…)

Welcome to HPP!


HPP V1.0
 Back in 2004 we launched the Hacker’s
Profiling Project - HPP:
http://www.unicri.it/emerging_crimes/cybercrime/
cyber_crimes/hpp.php)

 Since that year:
• +1.200 questionnaires collected &
analyzed
• 9 Hackers profiles emerged
• Two books (one in English)
• Profilo Hacker, Apogeo, 2007
• Profiling Hackers: the Science of Criminal
Profiling as Applied to the World of Hacking,
Taylor&Francis Group, CRC Press (2009)
21

HPP V1.0: purposes & goals
Analyse the hacking phenomenon in its several aspects
(technological, social, legal, economical) through
technical and criminological approaches.
Understand the different motivations and identify the
actors involved (who, not “how”).

Observe those true criminal actions “on the field” .

Apply the profiling methodology to collected data
(4W: who, where, when, why).

Acquire and disseminate knowledge.

22


HPP Questionnaires: the modules
Module A
Personal data (gender, age, social status,
family context, study/work)
Module B
Relational data (relationship with:
the Authorities, teachers/employers,
friends/colleagues, other hackers)

All questions allow
anonymous
answers

Module C
Technical and criminological data (targets,
techniques/tools, motivations, ethics,
perception of the illegality of their own
activity, crimes committed, deterrence)
23


Some numbers
Total received questionnaires: # +1200
Full questionnaires filled out - # +600*

Compact questionnaires filled out - #573*
*since September 2006
Mainly from:
USA
Italy
UK
Canada
Lithuania
Australia
Malaysia
Germany
Brazil
24


Evaluation & Correlation standards
Modus Operandi (MO)

Hacking career

Lone hacker or as a
member of a group

Principles of the hacker's ethics

Motivations

Crashed or damaged systems

Selected targets

Perception of the illegality of
their own activity

Relationship between
motivations and targets

Effect of laws, convictions and
technical difficulties as a deterrent

25


Zoom: correlation standards
Gender and age group
Background and place of residence
How hackers view themselves
Family background
Socio-economic background
Social relationships
Leisure activities
Education
Professional environment
Psychological traits
To be or to appear: the level of self-esteem
Presence of multiple personalities
Psychophysical conditions
Alcohol & drug abuse and dependencies
Definition or self-definition: what is a real hacker?
Relationship data
Handle and nickname
Starting age
Learning and training modalities
The mentor's role
Technical capacities (know-how)
Hacking, phreaking or carding: the reasons behind the choice
Networks, technologies and operating systems
Techniques used to penetrate a system

Individual and group attacks
The art of war: examples of attack techniques
Operating inside a target system
The hacker’s signature
Relationships with the System Administrators
Motivations
The power trip
Lone hackers
Hacker groups
Favourite targets and reasons
Specializations
Principles of the Hacker Ethics
Acceptance or refusal of the Hacker Ethics
Crashed systems
Hacking/phreaking addiction
Perception of the illegality of their actions
Offences perpetrated with the aid of IT devices
Offences perpetrated without the use of IT devices
Fear of discovery, arrest and conviction
The law as deterrent
Effect of convictions
Leaving the hacker scene
Beyond hacking

26


HPP V1.0: the emerged profiles…

27


Profile

OFFENDER ID

LONE / GROUP
HACKER

TARGET

MOTIVATIONS /
PURPOSES

Wanna Be Lamer

9-16 years
“I would like to be a
hacker, but I can’t”

GROUP

End-User

For fashion, It’s “cool” =>
to boast and brag

Script Kiddie

10-18 years
The script boy

GROUP: but they may act
alone

SME / Specific security
flaws

To give vent of their anger
/ attract mass-media
attention

Cracker

17-30 years
The destructor, burned
ground

LONE

Business company

To demonstrate their
power / attract massmedia attention

Ethical Hacker

15-50 years
The “ethical” hacker’s
world

LONE /
GROUP (only for fun)

Vendor / Technology

For curiosity (to learn) and
altruistic purposes

Quiet, Paranoid, Skilled
Hacker

16-40 years
The very specialized and
paranoid attacker

LONE

On necessity

For curiosity (to learn) =>
egoistic purposes

Cyber-Warrior

18-50 years
The soldier, hacking for
money

LONE

“Symbol” business
company / End-User

For profit

Industrial Spy

22-45 years
Industrial espionage

LONE

Business company /
Corporation

For profit

Government Agent

25-45 years
CIA, Mossad, FBI, etc.

LONE / GROUP

Government / Suspected
Terrorist/
Strategic company/
Individual

Espionage/
Counter-espionage
Vulnerability test
Activity-monitoring

Military Hacker

25-45 years

LONE / GROUP

Government / Strategic
company

Monitoring /
controlling /
crashing systems

28


Some comments
 Since 1999 I’ve attended most of the socalled «hacking conferences».
 Over the last 5 years, I’ve travelled as a
speaker, evangelist, security bitch and
whatever in:
•
•
•
•
•

.mil environments (EU, Eastern Europe)
India
China
GCC Area
29
Malaysia


OBEDIENCE TO
THE
“HACKER
ETHICS”

CRASHED / DAMAGED
SYSTEMS

PERCEPTION OF THE
ILLEGALITY OF THEIR
OWN ACTIVITY

Wanna Be Lamer

NO: they don’t
know “Hacker
Ethics” principles

YES: voluntarily or not
(inexperience, lack of
technical skills)

YES: but they think they
will never be caught

Script Kiddie

NO: they create
their own ethics

NO: but they delete /
modify data

YES: but they justify their
actions

Cracker

NO: for them the
“Hacker Ethics”
doesn’t exist

YES: always voluntarily

YES but: MORAL
DISCHARGE

Ethical Hacker

YES: they defend it

NEVER: it could happen
only incidentally

YES: but they consider
their activity morally
acceptable

Hacker

NO: they have their
own personal ethics,
often similar to the
“Hacker Ethics”

NO

YES: they feel guilty for
the upset caused to
SysAdmins and victims

Cyber-Warrior

NO

YES: they also
delete/modify/steal and sell
data

YES: but they are without
scruple

Industrial Spy

NO: but they follow
some unwritten
“professional” rules

NO: they only steal and
sell data

YES: but they are without
scruple

Government Agent

NO: they betray the
“Hacker Ethics”

YES (including
deleting/modifying/stealing
data) / NO (in stealth
attacks)

Military Hacker

NO: they betray the
“Hacker Ethics”

YES (including
deleting/modifying/stealing
data) / NO (in stealth
30 attacks)


PROFILE

MAY BE LINKED TO

Wanna Be Lamer

WILL CHANGE ITS
BEHAVIOR?

TARGET

(NEW) MOTIVATIONS
& PURPOSES

No

Script Kiddie

Urban hacks

No

Wireless Networks, Internet
Café, neighborhood, etc..

Cracker

Phishing
Spam
Black ops

Yes

Companies, associations,
whatever

Money, Fame, Politics,
Religion, etc…

Ethical Hacker

Black ops

Probably

Competitors (Telecom
Italia Affair), end-users

Big money

Hacker

Black ops

Yes

High-level targets

Hesoteric request (i.e.,
hack “Thuraya” for us)

Cyber-Warrior

CNIs attacks
Gov. attacks

Yes

“Symbols”: from Dali Lama
to UN, passing through
CNIs and business
companies

Intelligence ?

Industrial Spy

Yes

Business company /
Corporation

For profit

Government Agent

Probably

Government / Suspected
Terrorist/
Strategic company/
Individual

Espionage/
Counter-espionage
Vulnerability test
Activity-monitoring

Military Hacker

Probably

Government / Strategic
company

Monitoring /
controlling /
crashing systems

31


DETERRENCE
EFFECT OF:

LAWS

CONVICTIONS
SUFFERED BY
OTHER
HACKERS

Wanna Be Lamer

NULL

NULL

ALMOST NULL

HIGH
HIGH

CONVICTIONS
SUFFERED BY
THEM

TECHNICAL
DIFFICULTIES

Script Kiddie

NULL

NULL

HIGH: they stop
after the 1st
conviction

Cracker

NULL

NULL

NULL

MEDIUM
NULL

Ethical Hacker

NULL

NULL

HIGH: they stop
after the 1st
conviction

Quiet, Paranoid,
Skilled Hacker

NULL

NULL

NULL

NULL

Cyber-Warrior

NULL

NULL

NULL

NULL: they do it
as a job

Industrial Spy

NULL

NULL

NULL

NULL: they do it
as a job

32


HPP V2.0: what happened?
 VERY simple:
 Lack of funding: for phases 3&4 we need money!
• HW, SW, Analysts, Translators

 We started back in 2004: «romantic hackers», +
we foreseen those «new» actors tough: .GOV,
.MIL, Intelligence.
 We missed out:
•
•
•
•

Hacktivism (!);
Cybercriminals out of the «hobbystic» approach;
OC;
The financial aspects (Follow the Money!!).
33


HPP V2.0: next enhancements
1. Wannabe Lamer
2. Script kiddie: under development (Web Defacers, DDoS, links with
distributed teams i.e. Anonymous….)
3. Cracker: under development (Hacking on-demand, “outsourced”;
links with Organized Crime)
4. Ethical hacker: under development (security researchers, ethical
hacking groups)
5. Quiet, paranoid, skilled hacker (elite, unexplained hacks? Vodafone
GR? NYSE? Lybia TLC systems?)
6. Cyber-warrior: to be developed
7. Industrial spy: to be developed (links with Organized Crimes &
Governments i.e. Comodo, DigiNotar and RSA hacks?)
8. Government agent: to be developed (“N” countries..)
9. Military hacker: to be developed (India, China, N./S. Korea, etc.)
34
X. Money Mules? Ignorant “DDoSsers”? (i.e. LOIC by Anonymous)


35


HPP V2.0: upcoming goals
Going after Cybercriminals:
 Kingpins & Master minds (the “Man at the Top”)
o

Organized Crime

o

MO, Business Model, Kingpins – “How To”

 Techies hired by the Organized Crime (i.e. Romania &
skimming at the very beginning; Nigerian cons; Ukraine Rogue
AV; Pharma ADV Campaigns; ESTDomains in Estonia; etc..)
 Structure, Infrastructures (possible links with Govs & Mils?)
 Money Laundering: Follow the money (Not just “e-mules”: new
frameworks to “cash-out”)
 Outsourcing: malware factories36
(Stuxnet? DuQu? Flame? ….)

Conclusions
The whole Project is self-funded and based on independent research
methodologies.


Despite many problems, we have been carrying out the Project for
years.


The final methodology will be released under GNU/FDL and distributed
through ISECOM.


It is welcome the research centres, public and private institutions, and
governmental agencies' interest in the Project.






We think that we are elaborating something beautiful...
…something that did not exist…

…and it seems – really – to have a sense ! :)


It is not a simple challenge. However, we think to be on the right path.
37


Useful Community Sources
Kingpin, 2012

●

Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, CRC Press/Taylor & Francis Group,
2009
●

H.P.P. Questionnaires 2005-2010

●

Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs,
2010
●

●

Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007

●

Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003

Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House
Australia, 1997
●

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket
(2000)
●

●

Masters of Deception: the Gang that Ruled Cyberspace, Michelle Stalalla & Joshua Quinttner, Harpercollins, 1995

●

Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997

●

Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfler, (Hyperion Books), 1996

●

The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997

●

The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002

●

The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004

●

@ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998


Useful Community Sources
The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)

●

Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)

●

Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008

●

The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002

●

Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995

●

Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004

●

Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004

●

Hacker Cracker, Ejovu Nuwere with David Chanoff, Harper Collins, 2002

●

Compendio di criminologia, Ponti G., Raffaello Cortina, 1991

●

Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol.X, Il
cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988
●

United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal
Policy – Nos. 43 and 44
●

Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo
Zappalà, McGraw Hill, 2001
●

Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling
Techniques, Turvey B., Knowledge Solutions Library, January, 1998
●

Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of
Technology
●

Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology,
Täterpro
●


And...a gift for you all
here! 
Get your own, FREE copy of “F3” (Freedom from

●

Fear, the United Nations magazine) issue #7,
totally focused on Cybercrimes!
●

DOWNLOAD:

●

www.FreedomFromFearMagazine.org

●

Or, email me and I will send you the full PDF (10MB)

●


Contacts
• Contact presenter at rc@security-brokers.com if you
are interested in:

• Asking questions, getting material (links, books..)
Contact presenter at chiesa@UNICRI.it if you are
interested in:

• Helping with the project, supporting us, donations

Public Key:

http://raoul.EU.org/RaoulChiesa.asc


DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (18)

Similar a DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded

Similar a DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded (20)

Más de DefCamp

Más de DefCamp (20)

Último

Último (20)

DefCamp 2013 - Peering in the Soul of Hackers: HPP V2.0 reloaded