.

The Future of Hacking

<<

Kev

Post Sat Jul 29, 2006 10:41 am

The Future of Hacking

  I am always tempted to predict the future when it comes to computer security.  Of course its impossible to know for sure but I think its possible to make an educated guess.  They say we are in the “the golden age of hacking” and I could not agree more.  Never have I seen more tools available for free on the net. Tools for both windows and linux and now you can actually be a decent hacker using nothing but windows. Without question this is the best of times and the worst of times to quote Dickens.  The best of times for those curious about security and how it can be breached and the worst of times if you are sitting on the net with a vulnerable computer!  I was asked to do a test at a university of their network a while back.  We connected a laptop into the network with a default install of XP sp1 and in less than 10 minutes it was hacked!  Sign of the times I would say.  It was a good demo for the "powers that be" at the school. If you are a University Admin and are having budget problems, try arranging a demo for the heads just like this if you can. In this instance it was very much an eye opener for them.

If we were to split hacking into 3 levels, say low, middle and high. Low is requiring the least amount of technical skill and relies more on social engineering and a few simple things like hardware key loggers. Middle level comprises a good skill with tools available and precompiled buffer overflows, etc.. High is someone who can think way outside the box and deepest aspects of TCP/IP and can code accordingly.
 
My strong feeling is that the middle level as I define it will be the one that will disappear in the future.  Buffer overflows will become a thing of the past. Technology is growing strongly towards that direction. Microsofts SP2 was an attempt to stop it with their DEP. It will only get better in time. Exploiting code will slowly become more and more difficult and tools that focus on that will lose more and more of their effectiveness.

  So that leaves the low and high and this is were I am willing to bet the future holds.  Hackers will either focus on things like social engineering or gaining physical access. Join a cleaning crew and place a hardware key logger. Come back the next night and retrieve it and while not very sophisticated it can be very devastating none the less. 
 
The high end will be those that understand the very core of IP6 and will understand how to manipulate packet flows in ways no one has ever thought about. 
 
Obviously if this scenario is correct, most hackers will focus on the low level and that perhaps is even scarier. Using a combination of hardware and social skills could prove the most difficult to defend against.  A security professional I know that was trained by the government was mentioning to me that there exist hardware most people are not aware of.  One device he mentioned was a piece of hardware that would strap on your leg and was hidden under your pants. You could then go to an office building and sit in the lobby reading a newspaper. As you sat there, it would sniff out traffic flowing through all the Ethernet cables running through the building.  Then you would go back to the lab and download everything. Unless that building was running everything through lead pipes, they were very vulnerable.  All I thought was " I want one!"

  If we remember, Kevin Mitnick did most of his hacks with social skills and still teaches that.  By the way, that doesn’t mean that he doesn’t have a lot of high level skills these days.  I met the instructor who gave Mitnick his CEH test. Many seemed to be surprised when they discover he actually attended a CEH boot camp. He said Mitnick had sat in on his class and asked a lot of intelligent questions and said he passed the test in the high 80’s (89?) which was the highest score he had ever seen. He also mentioned Kevin is very proud of that and if anyone has done better than that on their first attempt they should email Mitnick and let him know, lol.  Any way our job will focus more and more on educating the building personnel concerning security policies.
 
That’s the future as I see it happening. Lets wait and see!
Last edited by Kev on Sat Jul 29, 2006 5:34 pm, edited 1 time in total.
<<

LSOChris

Post Sat Jul 29, 2006 11:28 am

Re: The Future of Hacking

interesting post and you are probably right... we will see a loss of middle of the road hacking.  it will either be poorly written apps that sould have never been released to the public or real detailed reversed engineered code and exploits from prodcuts. 

i would also add that while "hacking" will move away from PC's i think it is far from gone.  now that you can basically carry a computer in your pocket in the way of your cell phone or blackberry that have lately only been safe because of their closed source OS, it will only be a matter of time before we just start hacking cell phones or even the appliances that will soon be wired into our homes.  wont be long before the thing to do will be to hack someone's fridge for hacktivism instead of their web site.
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Sat Jul 29, 2006 11:35 am

Re: The Future of Hacking

A security professional I know that was trained by the government was mentioning to me that there exist hardware most people are not aware of.  One device he mentioned was a piece of hardware that would strap on your leg and was hidden under your pants. You could then go to an office building and sit in the lobby reading a newspaper. As you sat there, it would sniff out traffic flowing through all the Ethernet cables running through the building.  Then you would go back to the lab and download everything. Unless that building was running everything through lead pipes, they were very vulnerable.  All I thought was " I want one!"

What fairy tale you are talking about ?

All in all I agree partially with what you say, but that one is really nonsense. Although tempest can be a security problem if someone is saying that it is possible to capture everything that is going over all the wires in a building with a small piece of hardware he wears under his pants that clearly shows that this guy knows nothing about that.

In theory it is possible to capture radiations from ethernet cables, electric cables, monitors etc., but you need some equipement that you certainly cannot wear under your pants. Each time that someone told me such a story I tried to get a demonstration - as far without any success. (Yes I saw someone capturing what was on a monitor using an antenna just 2 Meters away from that monitor - but does not scare me a lot. I would like to see a demonstration from the other side of the street, capturing some content of a certain Monitor in a building with 50 or 100 PCs, that would be problem. Perhaps NSA can do it - but I think that even if they can do it there are really little cases they will invest that much...)
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

Kev

Post Sat Jul 29, 2006 12:12 pm

Re: The Future of Hacking

Fairy Tale?  I hope so!  But unless you are working with the CIA and are privy to all their technology, I wouldn’t be too quick to dismiss and they have resources that go beyond what most of us have access.  We like to think that we are somehow more in the know than the big old stupid government but unfortunately that’s not always true.  Their surveillance abilities are beyond what most people are aware. There was an interesting show on the discovery channel that showed some amazing things like their ability to actually pick up subtle sound vibrations from office windows from a distance and actually hear private conversations.  I didn’t see the device this fellow was talking about, but he was very adamant that  he had been trained with it, but who really knows? Any way, thanks for the comments because this makes the forum alive.
Last edited by Kev on Sat Jul 29, 2006 12:28 pm, edited 1 time in total.
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Sat Jul 29, 2006 12:32 pm

Re: The Future of Hacking

The CIA has a lot of ressources, be it money or human power, that's true. But there are physical facts that even the CIA can't bypass. Unfortunately there are a lot of myths about what the CIA (or NSA or other governmental agency) can do (actually a lot less than most people think).

There was an interesting show on the discovery channel that showed some amazing things like their ability to actually pick up subtle sound vibrations from office windows from a distance and actually hear private conversations

That's nothing mysterious, it's just a directed microphone with high sensitivity. Depending on the quality (the distance over which it is useable) you can order different types on the internet.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

tmartin

Recruiters
Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Sat Jul 29, 2006 4:27 pm

Re: The Future of Hacking

Kev,
Interesting stuff. Could you please put a return between your paragraphs to help with readability? Thx.
<<

Kev

Post Sat Jul 29, 2006 5:36 pm

Re: The Future of Hacking

Yes, thanks and sorry about that.
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Sun Jul 30, 2006 9:50 am

Re: The Future of Hacking

Interesting discussion.

I don't see much changing in the near future except for the targets. Slowly drifting away from the OS to the applications. With so much focus on core security principles rarely does anyone pay attention to all those misc. applications floating around the network.

As far as low to high level hackers, I don't see much change there. I have a problem with labeling criminals in a way that implies any kind of respect but the fact of the matter is physical theft is always going to be a huge threat. So low level hackers (theives) and human error is and always will be a problem.

http://www.privacyrights.org/ar/ChronDataBreaches.htm

Middle level hackers already seem to be focusing more on building bot nets and similar activities where they can make money without much exposure. Like installing spyware on their victims for profit. There will always be millions of pigeons around the world begging to be an easy target. I still run into people running Windows 95 or completely unpatched systems plugged directly into their cable modem. They aren't going anywhere soon.

High levels will continue to find vulnerabilities and develop exploits no matter what the landscape. It's what they do and systems are getting more complicated, leaving more room for possibilities.

I've never been one for conspiracy theories. Though I've never directly worked for the CIA or NSA, I have worked for government agencies in the law enforcement realm most of my career. Everytime I take a step up I always think, "I bet these guys know what they are doing and have the tools to do it.". Only to be disappointed by the fact they are just scrambling to keep their heads above water, let alone have all this neat stuff that the general public isn't privy to the existence. Just look at the FISMA report cards.
CISSP
<<

Kev

Post Sun Jul 30, 2006 11:31 am

Re: The Future of Hacking

Hey Hug_it,
  Good post and thanks for the comment. I agree and I don’t like putting labels on criminals and I certainly don’t like to romanticize them.  That’s why I don’t really like the term Black Hats.  You are probably right about the government. I will say in my dealings they are a strange mix and almost schizophrenic in nature.  What I mean is they
are a mix of really high level things along with some amazingly poor and disorganized structure that gets you wondering how they even hold it all together.

    I've never been one for conspiracy theories either, but I feel a good Admin that is security conscious should err on the side of being a little paranoid.  Perhaps one can call it an occupational hazard?  Of course you can go too far with paranoia to the point you cant function nor your network!  The key I think is to try and stay balanced with just a little dose of paranoia, LOL ! 
<<

LSOChris

Post Mon Jul 31, 2006 8:47 am

Re: The Future of Hacking

security in govt is coming around... its ALOT of computers and ALOT of different sysadmins to get on the same page at the same time, not an easy tasks. 

some businesses with a few thousand computers in multiple locations have a rough time keeping patches current and network and firewall settings where they need to be.  try multiplying that by 1000 and imagine the headache.  you may or may not be privy to the IA documentation for the govt but its coming around, enforcement and compliance are now becoming the issue rather than someone saying "they didnt know what they should be doing"
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Mon Jul 31, 2006 9:04 am

Re: The Future of Hacking

No doubt on the troubles to secure governemnt networks. Not to mention, no where do you deal with the political issues a security pro has to overcome than in government offices.
CISSP
<<

Kev

Post Mon Jul 31, 2006 10:49 am

Re: The Future of Hacking

  As far as the government goes you do make a good point.  I remember a while back when I was doing a CEH boot camp in San Diego. The guy sitting next to me was from the DOD. He was stationed in Germany and he and his team were in charge of pen testing the computers in military installations through out Europe.  He was taking the CEH because he said his department was always pushing them to get new certs.  He also mentioned that by the time you include the airfare, time away and other expenses, it was costing the DOD almost $10,000 per person to take this class. 
 
  He was a very friendly fellow and very approachable, so I asked him what’s the typical OS that you encounter on base.  I was expecting and almost hoping he was going to tell me that they use some custom form of Unix or something really cool. He answered “Well actually you would be surprised how much we run into DOS.”  DOS!  I know the military is on a tight budget but come on, lol!  I joked with him saying “Isn’t this the same organization that was accused of buying $500 hammers a while back?”  He laughed.  A very interesting guy and I enjoyed talking to him.  I was surprised but he was trying to recruit new workers right out of the CEH class!  He mentioned that once people get trained and have been there a while, they leave and go on to other things.  He had no idea why because the pay was not bad. Not great, but not bad.  Starting at $80,000 and then after a few years it would be up to $120,000. The kicker was that it was tax free.  I don’t get it, but he maintained that this was the way you were paid while working for the DOD in a US military installation in Germany.

  On a side note, he said if they do find vulnerability, they don’t attempt a patch. They just wipe the drive three times and do a clean install.  Makes sense because if someone has already gained access and placed a root kit, patching at the point doesn’t do a lot of good and they can’t take a chance.
<<

tmartin

Recruiters
Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Mon Jul 31, 2006 7:11 pm

Re: The Future of Hacking

Buffer overflows will become a thing of the past.


I think this is going to take a while. In 1999, one of the 10 largest banks was still settling federal reserve bank funds (overnight funds) with DOS 3.0. I know as I replaced that system.

Look how many Win95 boxes are still around, along with win98. I know many business still running NT 4.0 in their DMZ (we don't need no stinkin' patches!)

And on the list goes.

Also, as long as there are users, I think there will be middle ground, as there will be middle users. Buffer overflows and other things like that will only stop when they are impossible to create...

Bruce Schenier says that security needs to be easier to use and built in before it really catches on (a very loose paraphrase); he doesn't think there's much of a future in security awareness training. I just don't think that we will be able to make security easy enough for the average user, at least not in my lifetime...technology changes too fast for us to bring it down to the naive user level....

How many people do you know that still don't use computers? Too many!
<<

LSOChris

Post Mon Jul 31, 2006 9:56 pm

Re: The Future of Hacking

Kev,
that guy lied to you on so many levels i dont know where to start...

but i'll start with san diego is not even close to the closest place from germany to take a CEH class or exam...
<<

Kev

Post Tue Aug 01, 2006 12:47 am

Re: The Future of Hacking

Oh no, he was really from the DOD for sure. The instructor knew him and introduced him to the class. The instructor had trained others from his department in the past.  He was taking the class in San Diego because he had family there and had purposely scheduled it that way so that he could see them.  It was hard for him to get to the US much and it was a good opportunity for him.
Next

Return to Opinions

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software