Hack attack

6:29am EDT December 22, 2004
The profile of your typical hacker has changed dramatically in the last year or so. What started out as mostly kids seeing what kind of trouble they could cause has given way to organized criminals from around the globe. And no matter what your business does, you might be the next target.

"Hackers started out as just people who were curious," says Tom Patterson, a security expert and author of "Mapping Security," a book aimed at helping corporate America defend itself from hackers. "They weren't out to hurt anyone, they were just curious to see if they could hack into a computer. They wanted to see if they could do something that would give them some personal pride in their peer group."

Patterson says that most of the early hackers were under the age of 25 and didn't necessarily have a lot of skill.

"There are kits available for download where 99 percent of a virus is already written," says Patterson. "It's pretty easy to become a troublemaker. There are thousands of people out there writing viruses; some of it works, some of it doesn't, but it's all open source and free information.

"There are lots of troublemakers out there today, and there will be a lot more tomorrow. There are lots of viruses coming out, but if you look at all the viruses, a handful are significantly different than what's been done in the past. The rest are just copycats. They're skript kiddies -- they take an existing script and add their own name."

About a year ago, the profile suddenly changed. The same software used by troublemaking kids started being used by people with a more criminal intent.

"We got to just about the 10-year mark where we had been using the Internet and started to rely on it," says Patterson. "Suddenly there were credit card numbers by the thousands, credit reports and other valuable data accessible via the Internet. It didn't take long for the same technology to be used by organized crime."

These criminals are located around the world, but the hotbeds of activity are in Brazil, Russia and Eastern Europe.

"The first attacks they did were very profitable," says Patterson. "They were denial-of-service attacks, and they didn't have to write complex software or be a brain surgeon to pull it off."

Using simple code, these crime groups could commandeer computers from around the world to flood a target with requests, forcing it to shut down. For some sites, a constant flow of consumer interaction is vital.

Some of the first targets were online gambling sites. The crime groups would contact them and demand large amounts of money; if they didn't get it, they would shut down the site during peak gambling times.

The tactic quickly spread, and now companies of all types that rely on the Internet are targeted. Patterson notes that the cost of these attacks isn't limited to soft-money estimates of revenue lost to downtime; real money is changing hands.

"Credit card numbers and identities are being traded on the black market," says Patterson. "The threat level is absolutely raised. These are more determined attacks, and they are armed with the same tools that were once scoffed at. It didn't matter before when someone would deface your Web site with a fuzzy bunny, but these same types of attacks are now being used to steal millions. Everyone is taking it much more seriously now."

How to reach: Tom Patterson, www.mappingsecurity.com