The cost of hiring a hacker is so affordable and effective, it is no wonder the craft is expanding, reveals Eric Doyle
It’s amazing how cheap the hacking business is becoming. The whole “business” is becoming commoditised: services and hacking kits can be bought at bargain prices.
There’s no sign of a January sale (it’s not that commoditised), but prices have been falling. For somewhere around $500,000 (£312,000) you can buy the services of a team that will hack its way into almost any system you point them at.
DIY or tailored options
That figure comes from Daniel Cuthbert, assessment manager with penetration-testing and security consultancy firm SensePost. In a recent talk he gave to attendees at a SecureData conference at Wembley Stadium, he said that such a team would have a 90 percent success rate. If the target is in the highly secure 10 percent, the task is not impossible but would cost up to $10 million.
At the lower end of the budget, there are teams and individuals that can discover and use old, unpatched vulnerabilities for a mere $100,000. There are also plenty of DIY weaponised exploits that can be bought for $150,000, complete with a support contract, and they work straight out of the box, just like any commercial software package.
Cuthbert is a swaggering former hacker who runs a team of 20 staff who, he claims, could hack their way into “almost anything”. He is one of the best speakers on the security circuit because he does not pull his punches or try to hide anything from the audience. This often embarrasses the security industry but, at the moment, most people agree that it is no bad thing.
Browsing for a fall
The weak point of the current security armour-plating is the browser. Cuthbert claimed that browsers were never built with security in mind and that basic flaws that have been around for years still work effectively.
“Hackers are interested in you and your browser because the browser is inherently insecure,” he said. “Exploits that were discovered 10 years ago still work, so attackers are not interested in the OS but in the browser being used.”
This has allowed an Achilles’ heel to develop as companies have moved to centralised systems with the browser as the primary environment.
To demonstrate this, Cuthbert pointed out that the XSSed website, a site that records reported cross-site scripting (XSS) vulnerabilities, shows that, of almost 40,000 XSS vulnerabilities across the Internet, only 2,500 had been fixed.
“Browsers weren’t meant to do what they’re doing today and they are inherently insecure – Microsoft has admitted this, Google has admitted this – that’s the nature of the browser today.”
With simple hacks having been around for so long, they are well documented and it doesn’t take a genius to implement them. Cuthbert reckons that the LulzSec team were not particularly gifted as hackers but had learned how to use simple hacks against their target sites. The group only gained notoriety because of the headline-grabbing exploits it managed to push to the popular press sites.
External threats proliferate
It is the external hackers who pose the greatest problem. At the same conference, Etienne Greeff, professional services director for SecureData, said that 92 percent of hacks now come from outside the organisation. Insiders may wittingly or unwittingly be used to facilitate access but not many are the actual perpetrators.
Money is the root of the attacks, Cuthbert maintained. “If crime doesn’t pay, you’re not good at doing crime,” he said.
And it is the big-money aspect that attracts organised criminal gangs into the fray. Bribing insiders for information, hiring expert hackers to grab specific information, and either selling or using the information gathered for financial gain is the main activity these days in high-profile company hacks.
RSA, EMC’s security division, claims that only a couple of the company’s customers suffered a breach after the sensational theft from its SecurID site. Cuthbert begged to differ. He said that the closed US congress in which RSA brought together many top organisations, such as banks, law enforcement, the military and big-business security staff, showed that 761 corporations were breached following the attack.
Of course, neither RSA nor Cuthbert can substantiate their claims, but the dispute shows that whoever targeted the SecurID system had a ready market for their swag.