Black Hat Highlights Real Danger of Script Kiddies

Reckless probing by amateurs could actually be helping cybercriminals

Las Vegas

This year's Black Hat and Def Con Internet security conferences appeared more professional than in previous years, with more security professionals and government officials in attendance. But one thing the conferences didn't offer, say observers, is a picture of an organized, mature hacker underground.

That lack of maturity and organization may, in fact, make the less capable hackers more dangerous, according to many of the security experts who attended this year's 5,000-strong Black Hat Briefings and Def Con conferences this month.

Experts say script kiddies—mostly teen Web page defacers—often unwittingly aid and abet serious criminals through their reckless probing and compromising of systems. In addition, they often are the targets of coercion by criminals, who egg them on in chat rooms and other online forums. The more sophisticated criminals are then able to exploit the work of the script kiddies while remaining anonymous.

"The fact that script kiddies will blindly launch scripts against large IP blocks without any thought as to who they are attacking makes them dangerous, especially for those administrators who do not take security seriously," said Mandy Andress, president of ArcSec Technologies Inc., a consultancy in Dublin, Calif. "While I did not see any new, earth-shattering information released at Black Hat, there was enough information for the script kiddies to make them just a bit more dangerous," Andress added.

"Kids are unwittingly doing the bidding for organized crime syndicates," said Frank Cilluffo, an analyst at the Center for Strategic and International Studies in Washington.

Although the hackers who attended Black Hat and Def Con represent a cross-section of the hacking community, intelligence experts said they're more concerned about those who weren't there.

"There are others who shun the spotlight yet firmly believe in their agenda to undermine and disrupt e-commerce and commercial use of the Internet," said Gerald Freese, director of intelligence at Vigilinx Inc., a security firm in Parsippany, N.J., that specializes in threat intelligence. "These are the veterans. These are the ones that we fear the most."

Increasingly, those veterans are overseas, said Chris Klaus, founder and chief technology officer at Internet Security Systems Inc. (ISS), an Atlanta-based managed security services firm. The middle-class kids who comprise the Web page defacement community in the U.S. lack the economic motivation to commit real crimes, he said. But in Russia and other countries where economic conditions are much worse, such motivation is higher, and ISS's intrusion statistics bear that out, said Klaus.

In a recent interview, Cilluffo called the situation in Russia a "toxic blend of crime, business and politics," where senior intelligence and security officials are using their positions to commit crimes in cyberspace.

In many cases, "the chuckleheads really are providing a public service," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

"Before the vandal hackers became so prevalent, [vendors] would take months before releasing a security patch—if they were even aware of the security bugs in their products," said Pescatore. "While most of today's hacker dudes will just be tomorrow's pinball burnouts, some of them will turn out to be the next [Steve] Wozniak—who started out building black boxes to rip off long-distance telephone service." Wozniak, of course, went on to help co-found Apple Computer Inc.


The Hacker Hierarchy

Exploits by those on the lower end of the hacker spectrum may actually be doing more to help cybercriminals than to improve Internet security.

Experimentation Vandalism Hactivism Cybercrime Information Warfare
Least Serious Most Serious
Source: Gartner Inc.

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon