Hacker Profiling Project
Dave G. | November 7th, 2006 | Filed Under: Industry Punditry, Slashdot Rounddown
This just in off of NewsForge:
What's the goal?
The final goal is a real and complete methodology for hacker profiling, released under GNU/FDL. This means that, at the end of our research project, if a company will send us its (as detailed as possible) logs related to an intrusion, we — exactly like in the TV show C.S.I. when evidence is found on the crime scene — will be able to provide a profile of the attacker. By “profile” we mean, for example, his technical skills, his probable geographic location, an analysis of his modus operandi, and of a lot of other, small and big, traces left on the crime scene.
Interesting. Tell me more… how do you perform profiling?
The data useful for outlining attackers’ profiles will be collected through different threefold project stages, partly overlapped: an analysis of the existing literature on the topic, the distribution of a questionnaire, and honeynets.
This is looking less promising. It sounds like someone is going to read back issues of Phrack, and send out questionnaires to hackers and ask them to fill out a form. How are they going to do that?
The complete version of the questionnaire will be distributed exclusively to the persons who we are sure belong to the hacker underground. This group will act as a control group toward those who have filled out the compact version. In order to avoid false answers, we will also compare the data from the questionnaires with the ones obtained through a honeynet of new generation, with the aim to verify if the single hacker typologies identified through the questionnaires have the technical features, modus operandi, skills, targets, and motivations proper to the category.
How would they know they are actually talking to people in ‘the underground’? How would they know the answers are honest? What kind of person who is putting their freedom at risk would confirm that they are committing crimes and want to help someone get better at catching them?
Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge.
Of course! The brilliant kind. That's not a profile, that's a stereotype.
But what about the professional types?
Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.
So the ones doing it for money have narrowed down their target selection to:
- public sector
- private sector
- enterprises
- small businesses
- education
- end users
Every NPO just breathed a sigh of relief.
But what about skillsets?
The bulk of hackers (with low technical skills) are discouraged from systems difficult to violate: they prefer “easy” OSes such as Linux or Windows. By contrast, high-level hackers are stimulated only by systems considered “invulnerable” (*BSD, Solaris, HP/UX, VMS, IOS, Symbian) and by protocols.
Someone considers Solaris, HP/UX and NetBSD “invulnerable”?
sigh… the questionnaire is available online.
ps: Am I wrong about this? Because this seems absurd.


Alex
November 7th, 2006 6:45 pm
“Am I wrong about this? Because this seems absurd.”
No. You’re correct. This is absurd.
Daniel Clemens
November 7th, 2006 6:49 pm
Hrm. Systems considered ‘invulnerable’(…HP/UX)…
Hey profilers, tell me when did HP-UX start installing shadowed passwords on their OS by default?
Yeah, that's what I thought…. Invulnerable…,
-Daniel
dm
November 7th, 2006 7:30 pm
“exactly like in the TV show C.S.I. when evidence is found on the crime scene — will be able to provide a profile of the attacker”
Wow, a television-inspired solution to a real world problem. Now all we need is to cast someone as the former-stripper-turned-hacker-profiler… or err, maybe not.
Thomas Ptacek
November 7th, 2006 10:33 pm
You always knew that the for-profit hackers took dead aim at the “telecommunications societies”. F’ing ITU.
Tommib
November 7th, 2006 11:16 pm
Haha, we’re back to stupidity again. This idiotic nonsense of Hacker Profiling by Internet Keeners was being promoted by JP of AntiOnline back in the day..
Sailor Moon
November 8th, 2006 7:51 am
“Profiling” may not be such a bad idea, although I wouldn’t trust their approach to gathering information.
Psychological profiling of other kinds of criminal is often effective. The FBI has developed its methods by intensive study of real criminals that have been caught, not surveys of people who want to be mass murderers.
As for “exotic” platforms, I would say that the first weapon of the serious cracker is the simulation principle. It really helps to have a replica of the system you want so you can practice attacks. Not a lot of kids know you can buy an Ultra 10 on Ebay for $300.
Daniel Clemens
November 8th, 2006 10:26 am
Another interesting note:
–snip from slashdot–
…this project falls under the auspices of the United Nations Interregional Crime and Justice Research Institute (UNICRI)
—-snip—–
All this Hacker Profiling project after the UN website got hacked….hrm….
http://www.zone-h.org/content/view/14039/30/
Mirror:
http://www.zone-h.org/index2.php?option=com_mirrorwrp&Itemid=45&id=4584990
Dave G.
November 8th, 2006 11:09 am
Sailor Moon:
Hackers have been compromising systems that they couldn’t have had on their own since the 80s. While times have definitely changed, my guess is even people new to hacking will find their way into Solaris systems and learn how to use and attack them. MOD broke into switches (DMS-100s, 5ESS) that they simply couldn’t have had in their homes.
As far as the serious attacker goes, yah, it's pretty cheap to set up a lab with all of these ‘invulnerable’ OSes.
Nate
November 8th, 2006 11:16 am
Hey Dave G
Dave G.
November 8th, 2006 11:30 am
my comeuppance!
Jon Bowie
November 8th, 2006 11:34 am
I’m pretty sure that you can end up with root on a SunOS 5.x box by accident, and completely in spite of whether or not you were actually trying.
LonerVamp
November 8th, 2006 11:34 am
Profiling makes sense, at least it’s something. And has been in some form of use for some time, as mentioned earlier. However, I am pretty sure if we get some real profilers commenting on this story, I think they will point out that profiling works great for outliers; people with very distinct psychological/mental problems that manifest themselves in certain, predictable ways. I doubt the same can be said for “hackers,” in the sense of the term used in the article.
The rest of it can be simple deduction. If a “hacker’s” tools appear original and self-written in a particular language, then perhaps that will point to knowledgeable about code and they speak Swahili.
Things like this are only natural extensions of our societal compulsion for information. Information will solve all of our problems, right? If you get enough of it and massage it, you can poop out anything and sell it.
I personally think the best profiling on “hackers” was already done (I swear it was pre-2001) with the piece on how if your kid asks for a faster computer or plays Quake, they are a hacker. http://www.adequacy.org/stories/2001.12.2.42056.2147.html
wrc
November 8th, 2006 11:35 am
Huh. Someone must have gotten a grant. What’s the point?
Emmanuel Leroux Sanders
November 8th, 2006 1:13 pm
Agreed, this is pure nonsense.
That’s like getting a profile for pedophiles by handing them out a questionnaire, I’m sure you’ll get good responses.
PaulM
November 8th, 2006 5:15 pm
So I took it. It reminded me of those ‘Which Jonny Lee Miller Are You?’ quizzes that are so popular with the kids on MySpace these days.
Anyway, this is priceless:
* 2a) Do/did you have (or do/did you think to have) some enemies in the underground world?
* 2b) If yes, who are (or were) they and why are (or were) they your enemies?
Alex
November 8th, 2006 5:19 pm
“Profiling makes sense, at least it’s something.”
Hey L-V! I agree that profiling makes sense - in fact, it’s a must in my book.
However, the approach here is really bad, and the generalizations made seem to be inspired by Hollywood. I’m betting we could go to any number of InfraGard meetings nation-wide and in an hour and a half of brainstorming have a better method.
Scott
November 13th, 2006 10:27 am
You know, I thought this election season showed us every example of bad statistical analysis being used to draw conclusions.
I was wrong…
This is wrong on so many levels. Someone at this project needs to read a sociology 101 text book and get a clue.