Hanging out with the script kiddies
- Published
It takes time to win the trust of hackers who hang out online.
For the last six weeks I have kept strange company. I have mixed with ewhores, quizzed hardened hackers, asked account hijackers how their day is going, tried to get malware makers to talk about their trade and debated ethics with people who steal cash using remote access viruses.
All these people are on web discussion forums I joined as part of a special project taking a closer look at cyber crime. I registered on a few sites known for their interest in hacking but spent most of my time on Hack Forums. Its three million registered members make it one of the biggest places in the world for chatter about hacking - in all its forms.
It is an exhilarating place to visit. It has separate boards dedicated to all kinds of hacking activity, many of which I had heard of and some that I had not. It is also a surprisingly complex community. For every message asking "How do I hack Facebook?" there are as many debating esoteric ways to interrogate a website and find chinks in its armour to get at what lies within.
"The site at first glance seems like a bunch of monkeys trying to figure out algebra," wrote Armada, one of the site's regular members whom I spoke to.
Who are you?
The big problem I faced joining the site is that I am a nobody. Sites such as Hack Forums and many others operate on a reputation economy. Long-standing members who have proved their worth to the community and who have lots of "vouches" from others have the best reputation and highest access.
By contrast newbies, like me, get almost none. I'd have to contribute 25 good quality posts before I could send any personal messages. This would make it hard to contact people directly - my preferred method.
I could, and did, post directly to discussion groups but the risk is that as a journalist I'm a tempting target for anyone keen to make their name by catching me out. Especially as some HF residents specialise in social engineering attacks that help them take control of other people's social media accounts.
So, I went around these blocks and dropped messages to the off-board accounts that long-standing members advertised. Many use HF as a place to offer their own guides and services that are available elsewhere. I got in touch via Skype names, Jabber instant message accounts, email addresses and through website contact forms.
Most often I got no response. Or no further reply after one exchange during which I told them I worked for the BBC. A few people thought I was a cop posing as a journalist looking to trick people into opening up. One asked me to prove who I said I was by taking a picture with some photo ID.
I took the snap but just as I was about to send it some of the folks I contacted, including Armada, had checked me out and reassured themselves that I was who I said I was.
"We have members on an almost universal scale with skill sets ranging from being able to turn a computer on, to critical vulnerability exploitation," wrote Armada.
"Certainly, not all members are great hackers, and not all are completely inept either, but it varies from person to person," wrote True Demon in response to my questions. "The one great thing about HF is that it is a safe place to discuss the fine art of hacking, or whatever else catches your interest."
True Demon added that he was only giving his own opinion rather than speaking for the wider hacker community.
Smart script
The other main reason for wanting to spend time there is to get to grips with the sub-culture of teenagers who are dabbling with cyber crime.
It is not just me who is curious about members of this rapidly growing group who are often given the name "script kiddies" - this is not a term of endearment.
The UK's National Crime Agency (NCA) is also interested in them because of the growing numbers of young men it is dealing with who have been caught because they used the types of tools found on HF or employ the techniques that can be learned there.
"I can think of 10-15 arrests in the last 6 months in which all the people have been under the age of 18," said Richard Jones, head of the NCA's Prevent programme that tries to stop young people tumbling into a life of cyber crime.
Last week, the UK's South East Regional Organised Crime Unit arrested a 16-year-old from the East Midlands who is believed to be part of the Crackas With Attitude hacking group that targeted CIA director John Brennan, among others.
Earlier operations have netted fledgling hackers as young as 12.
"We are seeing more people getting into cyber crime in the UK," said Mr Jones "It is getting more accessible as well - the internet makes it very easy for young people to learn about it."
Many of the low level hacks they use are gateways to ever more nefarious activity, he told the BBC.
The "script kiddy" state of mind is one that is regularly debated on HF. On one lengthy message thread, a member called Disparity kicked off the discussion about morals by calling people who use remote access tools "worthless, ethic-lacking scum". As their name implies, remote access programs give their creators access to a victims' PC. Some use this access to spy, steal or profit.
Instead, said Disparity, such people would be better off learning more and practising more "acceptable morals".
In response, ClawzTech wrote of his victims: "If they're dumb enough to get infected, then they need to be punished."
True Demon said he was also concerned about the decisions some younger members take.
"I still worry about the ethical decisions that some HF users choose," he said. "The majority of HF users, myself included, actively discourage others from performing illegal activity with the knowledge they gain there."
He added that the "scare tactics" of the NCA and others can be counter-productive.
"They should be encouraging kids to learn this stuff, but to do so in an ethical and structured format." he said "They would have a lot more people working with their cyber-division, if they did.
"Government and law enforcement have a tendency to paint hackers as a whole in a bad light, ostracising the subculture as malicious, dangerous, and evil," he said.
"Don't you think it would be better to foster and instruct those kinds of kids to use their skills for good, rather than treating them like they are some kind of criminal?"
- Published11 February 2016
- Published1 February 2016
- Published22 January 2016
- Published8 February 2016