By Robert Siciliano, IDTheftSecurity.com
In my quest to learn more about what makes a criminal hacker tick, I came across Mr. Raoul Chiesa when he commented on a blog post I wrote, "How I Wasted 4 Hours with a Criminal Hacker."
He warned me I was treading on dangerous ground due to the fact that when communicating with the blackhat, I used my real name and provided my Web address. His concern was a revenge hack that would clear the hacker's name amongst his hacker peers. I've danced with the devil a few times in my life and don't mind the occasional walk on the ledge.
And I'll heed his advice in the future. After a closer look, I learned he is from the United Nations, based in Italy. (Road trip, anyone?) That's a cat I want to talk to, who is fighting the battle 24/7/365 against the bad guy.
What do you do?
Since 2005 I've worked with the United Nations Interregional Crime & Justice Research Institute (UNICRI), where I am a Senior Advisor on Cybercrime Issues & Strategic Alliances. We develop new strategies, techniques and methodologies in order to support the Member States fighting cybercrime-related issues, supporting policy-makers, end-users and States.
I'm also an entrepreneur in the Information Security arena. I run 2 vendor-neutral consulting firms: one specialized in Penetration Testing, Audit & Compliance, while the second firm supplies Digital Forensics services.
I've been in IS since 1997, while my interest in it - and in the hacking underground - began back in 1986.
Why do you do it?
Mainly it's because of the passion. I love my job, I love what I do every day … and this is not so common so … I'm feeling really lucky.
Talking about my role at UNICRI, I decided to join them in order to support a neutral organization that is really trying to achieve important goals.
What's your process?
Mainly building an international network of contacts; attending a huge amount of IT events all around the world, often as a speaker; trying to build an "informal communication and alert network" among LEAs, in order to simplify and speed up the process of information exchange.
We're working on various R&D projects that help and benefit the IT and ICT community all around the world. Our main research is HPP -- Hackers Profiling Project -- where we've been able to interview more than 1,200 hackers from five different continents. It's a really huge research program that will last five more years. It's something never done before.
What are the "politics" with it, worldwide?
Politics -- especially USA and EU -- are driving towards issues related to privacy, Lawful Interception, copyright, etc. I'm a technical guy, with a technical background: I don't like politics, though it's clear to me that it's something we need, somehow.
In my humble opinion, the common mistake when politics meets IT is that politicians are obviously not IT people, they do not have an IT background, and often they misunderstand the logistics of IT... In this scenario, (big or small) mistakes may always happen.
What is next? What does the future look like?
We are observing an incredible rise in cybercrime. New profiles of attackers arrived in the so-called "hacking underground," and the hacking world -- sometimes -- is meeting with organized crime and state-sponsored attacks. The world is changing and, basically, the keyword is "the information." In today's world, "Information is the Power," that's the sole reason why all of this is happening.
Sum up a profile of the criminal hacker today vs. 10 years ago.
There are huge differences between hackers in the past and hackers nowadays. Hackers from the past were not "mandatory" criminals. While their actions were illegal (note: during the 80s and the 90s, "hacking" was not a crime in many countries of the world. I.e. in Italy it became a crime only in 1993/1994), the global approach was much more on the "challenge," the "curiosity," as well as "teens' actions."
21st century hacking has moved towards criminality. This leads us to Cybercrime, which is de facto composed of many different "subsections," to which hacking is often related.
I am talking about spam, carding, zero-day attacks (and all the black market connected to them), obviously identity theft, scams & economic fraud, which leads us to the so-called "Underground Economy."
The ongoing global economic crisis, too, has something to do with this: each time there's a global crisis, criminality rises. This is exactly what's happening now, since 2009, and that will continue in 2010: people that basically are NOT criminals may be forced/pushed to "accept" a crime deal, linked to cybercrime actions.
This happens because cybercrime does not involve "straight" criminal actions such as killing somebody with a knife or a gun, stealing a mobile phone from somebody's hands, etc. It's a non-physical crime, leading the actors to think that they are not doing anything "bad." Also, cybercriminals ALWAYS think that they will "never be busted," since they rate themselves "much better, more skilled" than LE agents.
Last issue (of a really huge, huge picture!) is related to state-sponsored attacks. Recent attacks from China, Estonia and Georgia are showing us how much hacking techniques are involved in all of this. Governments are starting to hire hackers (USA, UK, China, Korea, Iran...) and set up information warfare: this will be one of the hottest keywords in the near future.
More info on our book on Hackers Profiling: http://www.amazon.com/Profiling-Hackers-Science-Criminal-Applied/dp/1420086936
Raoul Chiesa, OPSA, OPST, ISECOM International Trainer, CLUSIT, ISECOM, TSTF, OWASP Italian Chapter: Board of Directors Member Osservatorio Privacy & Sicurezza - OPSI-AIP, Comitato Esecutivo
Copyright © 2008 To Present - Information-Security-Resources.com.
Robert Siciliano is an expert on personal security and identity theft as the CEO of IDTheftSecurity.com, and is a security consultant to Intelius.com.