A frequent question people ask me, as a security professional, is why do hackers hack? The answer used to vary, but today they typically hack for the same reason I do. To make money. The difference is who pays them. Well, and that little detail called permission, of course.
How hackers make money
The main difference between an ethical hacker and an unethical one is who pays them and what they do with the information they find. I scan networks, find their weaknesses, then give a list of weaknesses to the client along with recommendations about how to fix it.
Usually I spend more of my time figuring out how to fix things, then talking to people about the fixes and testing and retesting fixes than I spend scanning. I don’t do anything else with what I find.
Most good guys specialize. There’s a big team of people I work with closely who wander around networks looking for indications that the bad guys have been there. We use some of the same tools, but not different methods. We try to stay aware of each other and frequently one team has information the other team finds useful.
I get paid the same way anyone else does. I work a similar schedule to any normal IT worker. That means sometimes I work harder on Saturday than I do on Wednesday.
Bad-guy hackers use a different business model, but it’s still a business model. Their job is to get information of value, then find a place to sell it, or if they’re doing espionage, give it to the people paying them. Defense contractor Lockheed Martin developed the Cyber Kill Chain to describe how they hack, at a high level.
Why hackers hack systems of low value
So why, then, do hackers hack home systems that might not have anything of value on them other than video game scores? Or worse yet, devices like home routers and smoke detectors?
Home networks and other low value networks are a means to an end. The hackers who breached the big-box retailer Target got in through Target’s HVAC subcontractor. It was easier to get in through the HVAC contractor than it was to go straight through Target’s own network. The HVAC vendor almost assuredly isn’t regulated nearly as hard as Target itself, so it was easier to get into the HVAC contractor, then jump over to Target’s network.
A hacker might hack a home network to conceal his or her origins. If I hack into NASA from my home network, it’s rather easy to tell that the traffic is coming from a residential Internet connection. NASA just has to go to my provider, tell them they see suspicious activity, and my provider will give them information about me. Then they can send a couple of guys in dark suits with badges to knock on my door, ask me questions, and take my computer away.
If I were going to hack into NASA (I won’t), I’d use someone else’s computer to do it. Ideally it would be someone in a different country. Better still, it would be someone who obviously isn’t a computer hacker.
It helps to have lots of jumps like this, to make my trail harder to follow. If I hack into NASA via some guy’s computer in Belgium, but I always use the same computer, it’s not too difficult to trace the traffic from NASA to Belgium and back to me. Using several different people’s computers as intermediaries is kind of like using a stolen car with someone else’s license plates to commit a crime. It slows down the investigators.
I once caught someone trying to hack into my web site so they could turn it into a fake e-commerce web page. They did a reasonable job of disguising who they were, as well. I still don’t know exactly who they were, but I know it wasn’t the government of India. The people attacking me just made it look like it was.
Why me? The attackers knew of a vulnerability in a WordPress plugin and they happened to find my site. They used that plugin to write some files to my server. The attack didn’t completely work how it was supposed to, so they ended up serving up random blog posts instead of the images they intended to serve up. They weren’t picking on me specifically. Imagine someone who knows how to break into a particular model of car. So they break into that car when they see one in a parking lot. It wasn’t anything personal.
What hackers do with the information they find
What hackers do with the information they get varies. Some sell credit card information or stolen identities in underground marketplaces. In extreme cases, they can be working for foreign governments, stealing top-secret information like defense data from one country on behalf of another. Sometimes it’s just information they’re unwilling to ask for, like health care tips.
Or, in the case of the people who hacked me, they weren’t stealing information at all. They were building a fake e-commerce web site. Whether they intended to sell counterfeit goods or steal credit card information, I don’t know. Either one would work.
What I do know is they didn’t do it for the thrill or the challenge. The days of people hacking so they can take a digital joyride are over.