Know thy hacker

As I said last week, I recently attended a local meeting of the Information Systems Audit and Control Association (ISACA) to hear a presentation by Mark Loveless, who heads up the Razor research team at BindView.

As well as talking about the many daunting threats that face security administrators, Loveless also spoke about the changing nature of the hackers and groups that are causing security threats.

Many hackers are known as "black-hat" hackers, those who generally hack systems for personal gain or malicious reasons. The black-hat hacker either exploits these hacks for themselves or trades or sells that information.

A "gray-hat" hacker hacks systems and software without the administrator's or developer's permission in order to uncover network or software problems. Many of these hackers used to operate alone but now work for organized crime, foreign governments, or spammers.

According to Loveless, the black-market price for exploit code for a known flaw -- such as some of the recently announced Internet Explorer flaws -- is between $100 and $500. That's the price if no exploit code is currently available; after the exploit code is made available on public forums, the price drops to zero, under the "carrying coals to Newcastle" principle of economics.

Exploit code for an unknown flaw is -- not surprisingly -- considerably more valuable: Prices for unknown exploits range between $1,000 and $5,000. Among the buyers of those codes are various foreign governments, foreign and domestic organized crime groups, and iDefense, a company that buys the exploits then informs its clients of the flaw.

Want to know who has your e-mail address? Get in line. A list of 5,000 IP addresses of computers infected with spyware and ready and able to go into "bot" mode goes for $150 to $500.

If you're in the black market for a list of 1,000 working credit card numbers, expect to fork over between $500 and $5,000. Some sites even will send you a couple of free numbers to test drive prior to purchase, Loveless says, while others have rating services of the different credit card number sellers, much like eBay.

Prices were even cheaper for those numbers, although the price has increased since the U.S. Secret Service began Operation Firewall, an investigation that targets underground hacker organizations known as Shadowcrew, Carderplanet, and Darkprofits.

What do these black-hat hackers working for spammers make for their trouble? According to Loveless, the annual salary of a top-end, skilled black-hat hacker working for spammers is between $100,000 and $200,000. Not bad -- although if you are caught, legal costs will eat that up in a matter of weeks.

Apparently not all black-hat hackers are making the big bucks, however. I spoke recently with Dr. Bill Hancock, Savvis Communications’ chief security officer and chairman of the FCC's National Reliability & Interoperability Council (NRIC) Homeland Security focus group on cyber-security, who says some black-hat hackers are wearing their hats under protest.

Hancock had dinner with a hacker from Eastern Europe last year who said the Russian Mafia threatened his family if he did not perform work for them. "I think it shows how serious and how difficult a problem this can be," he says.

Indeed, but it still pays to know your foe.