Support 416-591-6711 option 1 or Email Us

Inside the Mind of a Hacker

Mon, 10 Jun 2019

Law enforcement agencies use profiling to identify potential suspects in a crime and analyze behaviour patterns to predict future incidents. Creating hacker profiles has the same endgame, catching criminals and stopping crime. Hacker profiles are created using behaviours from real hackers and analyzing actual attacks. By building personas and thinking like a hacker, organizations can create the best defence against certain types of cyber attacks and predict where and when they may next occur.

Inside the Mind of a HackerLike magicians, hustlers and crooks, hackers use our brains to trick us. They target our cognitive and psychological  weaknesses to gain entry into our systems. Ninety percent of cyber attacks occur because a human either intentionally or accidentally allowed a hacker access. To be cyber secure, you need to understand the mentality of the hacker – their motivations and thought processes. Just googling "hacker" won't get you far. And the media mainly presents images of   hoodie-wearing or ski-mask clad figures sitting in darkness lit only with the glow of their computer screens with blaring   techno music playing.

As Chris Nickerson, a hacker turned security advocate, said, “Fact. No hacker ever wears ski masks when they’re hacking.”[i] Nickerson also went on to confirm that they do sometimes wear hoodies, but rarely keep the hoods up, and he also says that blaring techno music while hacking is not mandatory.

If the media’s portrayal of hackers is so inaccurate, then who are these mysterious people and what makes them tick?

The Making of a Hacker

Hackers come from diverse backgrounds. From kids seeking notoriety to angry employees (or former employees) attempting  to exact revenge to experts employed by global cybercrime organizations. Their levels of skill also vary greatly, from   computer whizzes to the less capable hackers who use pre-written exploits widely available on the internet.  

Many started their hacking exploits innocently enough, drawn to computers in their youth for gaming, then discovering databases, Word-type software and basic programming (like QBasic). Some began hacking into friend's computers to pull pranks. The hacks escalated as their skills grew.

Former black hat hacker, Matthew Beddoes, who went by the online alias “Black Dragon,” was arrested in 2013 and sent to jail. He’d attempted to steal £6.5million worth of carbon credits from the United Nations’ computer systems. Since being released from prison, Beddoes has formed his own IT security firm, Red Dragon Security. He explains how he got into hacking:

I got into hacking because of how I spent my teenage years. First on dial-up and then on broadband, I would call up 800 numbers, look for fax machines and other systems, and try out various passwords. More often than not, I would type in “root,” and I’d be in. See, back then you didn’t need to know programming. You just needed to know where to look and understand what resources you could use to view companies’ files.

For a while, after finding these security holes, I would contact the affected company and let them know of their vulnerabilities, but they didn’t care. They essentially told me to jump off of a high building, which led me to think about how I could exploit their vulnerabilities.

Did I act out of retaliation? Possibly.

It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.

Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.[ii]

The Hacker Profile

Professional hackers tend towards being part of one of three categories:

  • Hacktivists who are motivated by a political agenda or as retaliation against perceived wrongdoing
  • Cybercriminals who are usually driven by financial gain
  • State-sponsored networks of hackers who carry out cyber warfare against other states or government opponents

Within these broad categories are some dominant characteristics.

 

Passion Project

Some hack for the love of the sport. Beddoes says, “I loved hacking. I love how it works and operates.”[iii]

Curious-Minded

Hacking often begins with curiosity. As youth sitting in front of a computer it starts with the question - what else can this thing do? That curiosity leads to experimentation with operating systems and code. That sense of playful discovery leads to hacking. As Nickerson says, “I push buttons for a living just to see what it does.”[iv] He goes on to say though that it really isn’t about what it does, it’s more about what it can do.[v]

Can I get past the security measures? Can I control the computer? What can I make it do? What can I do with what I obtain? These are the questions that often drive hackers.

Pack Mentality

Hackers are often portrayed as loners. However, that is no longer an accurate assumption. More and more, they are a sort of community of misfits who sometimes compete against each other and sometimes band together to help each other, working together to produce increasingly more complex threats. The WannaCry ransomware attacks of 2017 are an example of the potential danger that a group of hackers can pose when they collaborate. WannaCry is estimated to have affected approximately 300,000 computers in 150 countries.

The Good, the Bad and the In-Between

Many hackers don't see themselves as clear-cut criminals. Their conscience may not reflect the clear division of black and white, often residing somewhere in a grey space.

One unnamed hacker interviewed by CNN stated that when he reads about lousy business practices or customer mistreatment online, he responds in his own way. “I try and take it in my own hands,” the anonymous hacker said. [vi]  He goes on, “We’re trying to get in and find information we can use against them. And then turn that around.”[vii] 

To him, the only truly "bad guy" was the government. He has his justification for selling exploits or stolen financial data. “The only thing I don’t ever want to do is sell to the government. While one person can use an exploit to steal credit cards, another could use it to infiltrate a political group and completely take them down. And arrest them. And completely take down an idea.”[viii]

Beddoes hacks for the underdog. He says, “I know of corporations who pay hackers to infiltrate smaller companies in order to destroy their economic competition. It’s disgusting. I hate when people are exploited. I, therefore, came up with the idea of protecting smaller businesses from these types of security incidents in order to level the economic playing field.”[ix]

Adrenaline Junkies

Accessing something you shouldn’t be able to access fills many hackers with adrenaline, which motivates them to keep pushing. One hacker said that controlling other people’s computers felt kind of God-like. An anonymous hacker said it was thrilling when you get into servers and big networks because you have access to something now that could be dangerous to both you and the company. Once you’re in that’s where the work truly starts. “Getting in and getting through the perimeter is really just half the battle. Being able to plant malware that won’t get caught, that will go under the radar of any kind of security product that they have, that’s where, kinda, the real game starts.”[x] 

The Paycheque

Hackers are people and as such, have all the mundane necessities that all people do, rent, food and clothing. Hackers make money primarily by selling exploits and different types of code. When they sell exploits, they often don't know how the information is being used – whether for good or evil purposes – and they usually don't care. The hack is the thing, and of course, the paycheque. One unidentified hacker claimed to be currently sitting in “tens of thousands” of companies’ networks, waiting.[xi]  That's a lot of potential paydays. 

Look at your environment like a hacker would. Whether it's a bank, an airport, a hospital, a retail store or a power plant, look at where it is weak. The places where humans, data and networks meet are always the weakest points – hackers know it, and you need to know that too.

 



‹ Back