BBC News
Last Updated: Friday, 14 November, 2003, 08:50 GMT
Cracking the hacker underground
By Jo Twist
BBC News Online technology reporter

Computer hacking communities and their tools are not hard to find on the net.

A simple search reveals a plethora of resources, tools, and personal homepages, most claiming to "hack" for legitimate reasons, within the law.

But there is also an entire underground network of hackers honing their tools and skills with malicious damage in mind.

"Ten years ago, 'hackers' used to mean people who tinker with computers.

"Nowadays hacking means malicious hacking. The definition has changed, so get over it," Peter Tippett, founder and chief technical officer at TruSecure told BBC News Online.

Being 'k3wl'

The underground network is vast, with thousands of individuals and groups, ranging from lurkers who are intrigued by hacker chat to "script kiddies" who try out hacker tools for a laugh.

Newsgroups, internet relay chat and, increasingly, peer-to-peer chat and instant messaging are buzzing with constant hacker chatter.

Net security companies like TruSecure in the US have the job of keeping an eye on these groups to work out which weak net spot they are planning to attack next.

TruSecure currently tracks more than 11,000 individuals in about 900 different hacking groups and gangs.

"There are 5,500 net vulnerabilities that could be used theoretically to launch an attack, but only 80 or 90 are being used," says Mr Tippett.

"Only 16 of 4,200 of vulnerabilities actually turned into attacks last year."

A team of humans and computer bots - artificial intelligence programs - counts the vulnerabilities that pop up all over the web daily and measures the risk of security attacks for TruSecure's 700 or so customers.

But that is not enough for 21st century net security, says Mr Tippett.

A separate team at TruSecure has a more mysterious job. It is the elite group of hacker infiltrators, codename IS/Recon (Information Security Reconnaissance).

Their daily job is to "see what the bad guys say to each other and what they claim to have done" by gaining respect and building online relationships with groups with names like Hackweiser and G-force Pakistan, Mr Tippett explains.

"These are the groups of people who attack websites, write viruses, attack code, steal credit cards, and generally do nasty things," he says.

IS/Recon is like the net's A-Team, with the only difference being the team members are not renegades gone good.

"We refuse to hire hackers, that would be crazy," says Mr Tippett. "We don't do anything illegal, but we impersonate hackers."

They are all good with technology, according to Mr Tippett, but some of them have a valuable background in psychology.

This helps in understanding group behaviour and how minds work, as well as helping them to act like hackers.

"The team has an average of five or six people on them, each with 20 to 30 personalities," explains Mr Tippett.

"They usually stay on the team for a year or two then move on to something else."

In that time, they use their net personae to get to know the hackers so they can build up detailed profiles of them.

"They spend a year listening and watching - lurking - before they ever say a word in the group."

This, says Mr Tippett, gives IS/Recon the time to develop different hacker personae around the lingo, rituals and behaviour expected in the underground.

Using "k3wl" instead of "cool" and making sure the "a" is always replaced by "4" may seem like insignificant habits that any teenager living in an SMS world might have.

But by talking the talk and virtually walking the walk, IS/Recon has gained the trust of nearly 100 different groups.

The trick is to gain enough trust to get certain individuals in the groups to "blab" and answer questions about who is who and what they are doing.

"They tell us a lot about what's going on and what that person is about in order to demonstrate how cool they are to us."

The holy grail for the team is to get hold of a copy of a tool a hacker is developing. Once it has been tested and taken apart in the lab, preventative measures can be put in place before it is used.

Jigsaw puzzle

The hours spent gathering 200 gigabytes of information a day are invaluable in helping to catch the small proportion of hackers who do the net severe damage.

Pieces of information about groups and individuals are put together like a giant jigsaw in TruSecure's mammoth database, nicknamed the "brain".

It graphically shows the big players, where they live, who they know, who they hate, what tools they have developed, and even whether they have a cat.

This has enabled the team to help out with 54 investigations by law enforcement agencies.

IS/Recon gave the FBI over 200 documents about the Melissa virus author after they were asked to get closer to suspects.

Although they did not know his real name, they knew his three aliases and had built a detailed profile of the author.

The team's work also helped identify the author of the high-profile LoveSan virus.

"We could say what dorm and what floor the author of the LoveSan virus was on," Mr Tippett says.

"Unfortunately, there are very few countries that have laws good enough to follow through if someone turns out to be coming from there."
