Linux Today: Linux News On Internet Time.

RootPrompt.org: Know Your Enemy: Motives; The Motives and Psychology of the Black-hat Community

Jul 05, 2000, 16:50 (1 Talkback[s])

[ Thanks to Noel for this link. ]

"This paper is a continuation of the Know Your Enemy series. This series is dedicated to learning the tools and tactics of the black-hat community. Unlike the previous papers which focused purely on the "what" and "how" of the black-hat community, specifically the technical tools, their use and implementation, this paper explores the motivation and psychology of the black-hat community, in their very own words. Part I starts with the compromise of a Solaris 2.6 system. Part II provides information rarely published, a record of conversations and actions which took place over a fourteen-day period following the compromise of a honeypot system. Learn how and why black-hats attack systems. Once the Solaris 2.6 system was compromised, the black-hat put an IRC bot on our system. This bot, configured and implemented by the black-hat, captured all their conversations on an IRC channel. We monitored these conversations over a two week period, all of which are contained here. This paper is not meant to be a generalization of the black-hat community. Instead, we present a specific incident involving several individuals. However, this should give you an idea of how certain members can think and behave. This is a common threat that we all face in the security community, and we sincerely hope other security professionals benefit from this work."

"This information was obtained through the use of a honeynet. A honeynet is a network of various honeypots, designed to be compromised by the black-hat community. While some honeypots are used to divert the attention of attackers from legitimate systems, the purpose of a honeynet is to learn the tools and tactics of the black-hat community. Most of the information provided in this document has been sanitized. Specifically, user identities and passwords, credit card numbers, and most of the system names involved have all been changed. However, the actual technical tools and the chat sessions themselves have not been sanitized. All this information was forwarded to both CERT and the FBI before being released. Also, over 370 notifications were sent out to administrators of systems we believed were compromised."
