Hacking as a Service HaaS – Security & Future

He wakesup from a dream, which he thought was a dream. In the dream world he is a hacker, and to enter the Real world, he takes the Red pill, He wakes up to the real world and fights back into the Virtual world, because He is the One – Neo.

The concept of Matrix was once rejected by analysts. But today we feel with the kind of Technology advancements, it’s not far from I-M-Possible.

I started from the “Hacker” word to bring-out another advancement of an underworld. Normally, the Hacker word is used for both good and bad guys. I`ll refer mostly to bad guys.

Let’s start from this –

Late last year, the software engineers developing a new Windows-based networking client confronted an all-too-common problem in today’s hostile internet environment:

How would they make their software resistant to the legions of enemies waiting to attack it? Particularly worrisome was a key feature of their code, a mechanism to accept updates online. If it were subverted, an attacker could slip his own program into an installed base of millions of machines.
The coders decided to fortify their software with MIT’s brand-new, high-security cryptographic hashing algorithm called MD-6. It was an ambitious choice: MD-6 had been released just two months before, and hadn’t yet faced the rigors of real-life deployment. But things turned into nightmare and  the move seemed to backfire when a security hole was found in MD-6’s reference implementation – not long after the launch. But the coders rallied, and pushed out a corrected version in a new release of their software just weeks later.
It would be a model for secure software development, except for one detail: The “Windows-based networking client” in the example above is the B-variant of the spam-spewing Conficker worm; the corrected version is Conficker C, and the hard-working security-minded coders and software engineers? A criminal gang of anonymous malware writers, likely based in Ukraine. The very first real-world use of MD-6, an important new security algorithm, was by the bad guys.

The Future of hacking: Professional, Intellectual, Innovative, smart, and above-all Highly-funded. In the old days, hackers were mostly kids and college-age enthusiasts sowing their wild seeds before fertilizing the land.

Today, the best hackers have the skill and discipline of the best legitimate programmers and security gurus. They’re using mind-bending obfuscation techniques to deliver malicious code from hacked websites undetected. They’re writing malware for mobile phones and PDAs and even embedded devices from your STB to satellite mobile/GPS systems. The underground has even embraced the next-generation internet protocol IPv6 — setting up IPv6 chat rooms, file stores and websites hidden IPv6 tunnels unkonw to the world, even as legitimate adoption lags. Compare the contrast to rest of the commercial Service Providers/Enterprises, who still find it Challenging to deploy IPv6 due to potential Security leaks.

Ten years ago, an oft-repeated aphorism held that hackers were unskilled vandals: Just because they can break a window, doesn’t mean they could build one. Today’s bad guys could handcraft the broken glass it a living Monumental legend.

Money as a Catalyst: Computer criminals are scooping in millions through various scams and attacks. It is said that he best hackers are growing up in Russia and former Soviet satellite states, where there are fewer legitimate opportunities for smart coders.

“If you’re a sophisticated team of software developers, but you happen to be in Eastern Europe, what’s your way of raising a lot of money?” says Phillip Porras, the cyber threat expert at SRI International who dissected Conficker. “Maybe we’re dealing with business models that work for countries where it’s more difficult for them to sell mainstream software.”

Result — Hacking-As-A-Service – HaaS.

The Good

Want your new piece of product to be scanned for potential vulnerabilities, before launching commercially?

Pay them a fraction of chunk-of-money and they will hack and tear-apart your app within days. The Result- You get a stable and secure App, which will probably be less vulnerable to loopholes.

You may not be aware of this, but our Top secret and most secure systems like CIA and Military operations, either hire and/or contract industry’s smartest hackers to murder their security before the bad guys do it. That’s what makes them more secure than rest of the world.

“We need those guys who could make us feel unsafe today, so that we can foresee a safer future.” says a high Official Commissioner.

Ofcourse, there are other things that make them better than others, but this point is crucial.

The Bad

Want your custom code installed in a botnet of hacked machines? No Problemo!

It’ll cost you less than $25 for a 1,000 computers, $150 if you want them exclusively, says Uri Rivner, head of new technologies at security company RSA.

Today, an amateur can get a complete malware toolkit for $200 that has capability of making damages worth Millions. Story doesn’t en here, just like SaaS – Software as a service, you can rent Big Botnets for less than a grand that could take a Complete network of computers down and/or infect them to leave it in paralysis for several days. The damage is un-countable.

Or you can pay for a custom Trojan horse that will sneak past anti-virus software, or a toolkit that will let you craft your own.

“They actually have a testing lab where they test their malicious code against the latest anti-virus companies,” says Rivner, whose group closely monitors the underground. “While most computer criminals are thugs, the programmers and software entrepreneurs supplying them are scary-smart”.

Particularly disturbing to security experts is the speed with which the bad guys are jumping on newly disclosed vulnerabilities.

“Even one year ago, a lot of these web exploit toolkits were using vulnerabilities that had been discovered one or two years prior,” says Holly Stewart, Threat Response Manager at IBM’s X-Force. “They were really, really old…. That has really changed, especially this year. We’re seeing more and more current exploits go into these toolkits. And we’re seeing exploits come out that are even just a couple days after the vulnerability announcement.”

Whats even worse is, hackers are finding or purchasing their own vulnerabilities, called “zero day” exploits, for which no security patch exists. With real money to be had, there’s evidence that legitimate security workers are being tempted themselves. In April, federal prosecutors filed a misdemeanor conspiracy charge against security consultant Jeremy Jethro for allegedly selling a “zero day” Internet Explorer exploit to accused TJ Maxx hacker Albert Gonzales. The price tag: $60,000. It could take a lot of consulting gigs to make that kind of money performing penetration tests.
The change is being felt at every level of the cyber security world. When SRI’s Porras dug into the Conficker worm — which still controls an estimated 5 million machines, mostly in China and Brazil — the update mechanism initially baffled him and his team. “I know a lot of people stared at that segment of code and couldn’t figure out what it was,” he says. It wasn’t until crypto experts analyzed it that they realized it was MD-6, which at the time was available only from the websites of MIT and the U.S. National Institute of Standards and Technologies. Other portions of Conficker were equally impressive: the way it doggedly hunts for anti-virus software on a victim’s machine, and disables it; or the peer-to-peer mechanism. “There were points where it was pretty clear that certain major threads inside Conficker C seemed to be written by different people,” he says. “It left us feeling that we had a more organized team that brought different skills to bear… They aren’t people who have day jobs.”

Looking back, the first 20 years in the war between hackers and security defenders was pretty laid back for both sides. The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple counter-measure of checking computer files for signatures of known attacks.

Everyday more and more rootkits and shocking vulnerabilities, thanks to good guys at BlackHat conferences, who make us aware of the Industry’ most dangerous stuff.

Hackers and security researchers mixed amiably at DefCon (World’s biggest Hacker’s conference) every year, seamlessly switching sides without anyone really caring. From now on, it’s serious. In the future, there won’t be many amateurs. It’s all professional and Official.