"Hacking" these days - purpose?
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched. I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.) Peter E. Fry
Questionable cloud / VPS / hosting companies are great for spammers and botnet C&C, but not so great for DDoS "ion cannons". You still need a large volume of geographically diverse endpoints for those to be effective. On Mon, Dec 14, 2020 at 9:52 AM Peter E. Fry <pfry@tailbone.net> wrote:
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
On Mon, Dec 14, 2020 at 09:58:01AM -0500, Tom Beecher wrote:
Questionable cloud / VPS / hosting companies are great for spammers and botnet C&C, but not so great for DDoS "ion cannons". You still need a large volume of geographically diverse endpoints for those to be effective.
To piggyback on this: when launching a DDoS, diversity along multiple axes is helpful: geography, topology, connectivity, operating system, etc. Each additional form of diversity slightly raises the bar for defenders. Also, every compromised device may be a source of useful/saleable data, or the gateway to more of the same or to more valuable targets or to the compromise of people. The IoT is particularly fertile ground for this because to a very good first approximation, "IoT security" is an oxymoron. --rsk
I think you’re coming at it the wrong way. It’s not going to be one, or a couple of dudes behind a screen like in the movies. It’s run autonomously for as long as possible. Gathering information on easily accessible devices and the like. Any information gathered is information that can be sold, or used otherwise depending on what they’re grabbing.
-- Ryland
From: Peter E. Fry <pfry@tailbone.net>
Sent: Monday, December 14, 2020 8:55 AM
To: nanog@nanog.org
Subject: "Hacking" these days - purpose?
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
The probable "purpose of obtaining illicit access to random devices on the Internet these days" is to create botnets to attack more lucrative targets or to employ them as gateway devices to provide access to local networks which may contain targets of interest.
James R. Cutler
James.cutler@consultant.com
GPG keys: hkps://hkps.pool.sks-keyservers.net
On Dec 12, 2020, at 5:26 PM, Peter E. Fry <pfry@tailbone.net> wrote:
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
Bitcoin. There wasn't much purpose to 'hacking' for a long time. Even when talking about DDoS stuff, it's still just temporary vandalism, it's only an inconvenience, and it can be undone pretty quickly. The whole idea of providing security has been turned into a wink-wink scam where people pretend to do busy work for money but everyone knows you'll still get breached and it doesn't really matter, so long as you can blame it on someone else and it's in the fine print. Look at what a business DDoS has become, both on the provider and the protection side. Stealing data is also a thing but even that is not inherently valuable unless you can blackmail the victim or sell it to a buyer. That kind of business requires more skills than just computer hacking to pull off, and carries a lot of risk in dealing with other humans who already know you're a data thief. This all changed with bitcoin, because now simply gaining access and finding the data is the pay dirt and it can be claimed anonymously without dealing with any other humans. -Laszlo On 2020-12-12 22:26, Peter E. Fry wrote:
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
I would have to disagree. Considering the amount of people who have bitcoin, and even less the amount of people who farm it, or have farmed it before it became so difficult. It seems much more likely that the wide-spread infiltrations of every-day systems is for information and DDoS over bitcoins.
I seriously doubt it’s that hard to sell information to companies, as they most likely don’t care how you got that information.
If information wasn’t key, whether it be for selling to another party, or scraping that data for easy to social engineer targets; then I also don’t think that fraudulent calls would be so prevalent these days. Where the main target is older people who will fall for their basic tricks and end up losing potentially thousands per person.
-- Ryland
From: Laszlo Hanyecz <laszlo@heliacal.net>
Sent: Monday, December 14, 2020 10:17 AM
To: nanog@nanog.org
Subject: Re: "Hacking" these days - purpose?
Bitcoin. There wasn't much purpose to 'hacking' for a long time. Even when talking about DDoS stuff, it's still just temporary vandalism, it's only an inconvenience, and it can be undone pretty quickly. The whole idea of providing security has been turned into a wink-wink scam where people pretend to do busy work for money but everyone knows you'll still get breached and it doesn't really matter, so long as you can blame it on someone else and it's in the fine print. Look at what a business DDoS has become, both on the provider and the protection side. Stealing data is also a thing but even that is not inherently valuable unless you can blackmail the victim or sell it to a buyer. That kind of business requires more skills than just computer hacking to pull off, and carries a lot of risk in dealing with other humans who already know you're a data thief. This all changed with bitcoin, because now simply gaining access and finding the data is the pay dirt and it can be claimed anonymously without dealing with any other humans.
-Laszlo On 2020-12-12 22:26, Peter E. Fry wrote:
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
On 12/14/20 18:23, Ryland Kremeier wrote:
I would have to disagree. Considering the amount of people who have bitcoin, and even less the amount of people who farm it, or have farmed it before it became so difficult. It seems much more likely that the wide-spread infiltrations of every-day systems is for information and DDoS over bitcoins.
I seriously doubt it’s that hard to sell information to companies, as they most likely don’t care how you got that information.
If information wasn’t key, whether it be for selling to another party, or scraping that data for easy to social engineer targets; then I also don’t think that fraudulent calls would be so prevalent these days. Where the main target is older people who will fall for their basic tricks and end up losing potentially thousands per person.
Tend to agree. Despite all the advice and mindless videos out there to help people protect their data and/or not fall for basic scams, a lot of people still do. Humans' capacity to want to believe in and trust others is a strong avenue that the scammers exploit to get paid. More so the older folk, yes, but even the young, tech-savvy; particularly those who have been too busy flipping between apps to realize that the Internet can be a dangerous place. You'd be surprised how innovative and simple these scams are, and actually becoming less and less sophisticated, which makes them even more dangerous. Mark.
It becomes more clear when you think about the options out there, and get a little creative. Nowadays it’s definitely chess that’s being played. This Solarwinds thing is going to be extremely interesting.
On Mon, Dec 14, 2020 at 11:35 AM Mark Tinka <mark.tinka@seacom.com> wrote:
On 12/14/20 18:23, Ryland Kremeier wrote:
I would have to disagree. Considering the amount of people who have bitcoin, and even less the amount of people who farm it, or have farmed it before it became so difficult. It seems much more likely that the wide-spread infiltrations of every-day systems is for information and DDoS over bitcoins.
I seriously doubt it’s that hard to sell information to companies, as they most likely don’t care how you got that information.
If information wasn’t key, whether it be for selling to another party, or scraping that data for easy to social engineer targets; then I also don’t think that fraudulent calls would be so prevalent these days. Where the main target is older people who will fall for their basic tricks and end up losing potentially thousands per person.
Tend to agree.
Despite all the advice and mindless videos out there to help people protect their data and/or not fall for basic scams, a lot of people still do.
Humans' capacity to want to believe in and trust others is a strong avenue that the scammers exploit to get paid. More so the older folk, yes, but even the young, tech-savvy; particularly those who have been too busy flipping between apps to realize that the Internet can be a dangerous place.
You'd be surprised how innovative and simple these scams are, and actually becoming less and less sophisticated, which makes them even more dangerous.
Mark.
On 12/14/20 18:38, David Bass wrote:
It becomes more clear when you think about the options out there, and get a little creative. Nowadays it’s definitely chess that’s being played.
You're right, it really doesn't take much. Preying on humanity can yield great results.
One that has started springing up in my neck of the woods - to simplify car-jacking - is to obtain a list of customers that subscribe to a vehicle tracking service. The thugs will then call a customer, claiming their tracking device is faulty and needs to be checked physically. The thugs will come to your home or office, tell you that in order to finalize the fix, they need to test drive your car. And boom, that's your car gone!
The hacking, now, IMHO, is to obtain user information to profile who is exploitable, and how. After that, low-tech rules.
Mark.
On 2020-12-14 16:48, Mark Tinka wrote:
On 12/14/20 18:38, David Bass wrote:
It becomes more clear when you think about the options out there, and get a little creative. Nowadays it’s definitely chess that’s being played.
You're right, it really doesn't take much. Preying on humanity can yield great results.
One that has started springing up in my neck of the woods - to simplify car-jacking - is to obtain a list of customers that subscribe to a vehicle tracking service. The thugs will then call a customer, claiming their tracking device is faulty and needs to be checked physically. The thugs will come to your home or office, tell you that in order to finalize the fix, they need to test drive your car. And boom, that's your car gone!
The hacking, now, IMHO, is to obtain user information to profile who is exploitable, and how. After that, low-tech rules.
Mark.
This stuff is definitely the most visible type of scamming but this is not any different from swindling people at a flea market. It isn't so much hacking as just using internet to communicate with people and then tricking them. I think this is a different skill set than gaining access to personal data though. Gaining access to someone else's computer's files has historically not been a big deal, so I'm guessing it didn't become a huge problem because there was little to gain from doing it. It might be inconvenient for people, it might be used as part of a larger con against a victim, but it still requires a lot more steps to profit from it. We all know that we can't stop that from happening, but even going back to the early 90s we've had malware protection vendors making money off this fear, and the problem has now reached a point where the placebo security won't cut it and we'll have to start figuring this problem out. The impact of these kinds of breaches has always been minor, but in the past 10 years we've placed more and more things into primary storage on a computer, including cryptographic secrets which only function if they're kept secret. Losing a wallet full of credit cards isn't as bad as losing a wallet full of cash. There wasn't any way to put money into computer files before, but now there is. Even if only a few people carry money, if it's easy to steal millions of wallets and costs nothing, it's worth doing it for the hope of eventually hitting a money holder. -Laszlo
On 12/14/20 19:44, Laszlo Hanyecz wrote:
This stuff is definitely the most visible type of scamming but this is not any different from swindling people at a flea market. It isn't so much hacking as just using internet to communicate with people and then tricking them. I think this is a different skill set than gaining access to personal data though.
Gaining access to someone else's computer's files has historically not been a big deal, so I'm guessing it didn't become a huge problem because there was little to gain from doing it. It might be inconvenient for people, it might be used as part of a larger con against a victim, but it still requires a lot more steps to profit from it. We all know that we can't stop that from happening, but even going back to the early 90s we've had malware protection vendors making money off this fear, and the problem has now reached a point where the placebo security won't cut it and we'll have to start figuring this problem out.
The impact of these kinds of breaches has always been minor, but in the past 10 years we've placed more and more things into primary storage on a computer, including cryptographic secrets which only function if they're kept secret. Losing a wallet full of credit cards isn't as bad as losing a wallet full of cash. There wasn't any way to put money into computer files before, but now there is. Even if only a few people carry money, if it's easy to steal millions of wallets and costs nothing, it's worth doing it for the hope of eventually hitting a money holder.
There is value in hacking services in the cloud to gain user information. Right now, hacking credit rating clearing houses is big business, as an example, because almost every piece of single information of any economically-active member of society is on there. And there has been some success in obtaining that information, the effects of which we are not yet able to really quantify. Mark.
David Bass wrote:
It becomes more clear when you think about the options out there, and get a little creative. Nowadays it’s definitely chess that’s being played.
And here I thought the purpose of hacking is (still) having fun - you know... hacking.
As to chess... I've begun to think that the game to master is now Go... capturing territory, not pieces, and instantaneous global state changes. Miles Fidelman -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
On Mon, 14 Dec 2020 at 19:12, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
As to chess... I've begun to think that the game to master is now Go... capturing territory, not pieces, and instantaneous global state changes.
Now implies change, when, in your mind, this changed from Chess to Go? -- ++ytti
Saku Ytti wrote:
On Mon, 14 Dec 2020 at 19:12, Miles Fidelman <mfidelman@meetinghouse.net> wrote:
As to chess... I've begun to think that the game to master is now Go... capturing territory, not pieces, and instantaneous global state changes.
Now implies change, when, in your mind, this changed from Chess to Go?
Not sure it's marked by a discrete moment in time. More that the Chinese have been playing Go, while the West mostly still plays chess - and that seems like a problem. I remember learning, decades ago, that there's a form of Chinese poetry, written with ideographs, that has to make sense both horizontally & vertically. Essentially painting with ideographs. A mind that can handle that, and a culture that nurtures that kind of thinking - that scares the shit out of me. (And definitely makes me want to do some more acid, to keep up.) Miles -- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
Some days I wonder if it's some vast, well-funded, Spectre-like organization whose backers just want to see trust in the internet undermined in the public's eyes on behalf of their own non-internet or anti-internet (think: phone companies who'd love to charge you per email and web page access for example by forcing you onto some private network) enterprises, large bricks+mortars interests etc.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 12/16/20 02:38, bzs@theworld.com wrote:
Some days I wonder if it's some vast, well-funded, Spectre-like organization whose backers just want to see trust in the internet undermined in the public's eyes on behalf of their own non-internet or anti-internet (think: phone companies who'd love to charge you per email and web page access for example by forcing you onto some private network) enterprises, large bricks+mortars interests etc.
If it were, they'd be fighting a losing battle. The Internet has acquired exponential scale. It would never operate in such a pay-to-click model. Mark.
I'm not so sure. If someone got the banks, credit card (fintech), big online shopping, etc (tho not a lot of etc needed) on board, the "head count" for that wouldn't be very large, and others would join (particularly retail) just to not be left out... One can build a quite different network on top of the existing infrastructure at least to get started, NEWSTUFF/IP. That would only then require buy-in by end-users but if that's what's on their phone etc and the only way they can access banks, shopping, etc. People here would deliver all those packets since it'd just look like IP and go from there. Reminds me of the old expression "when it's time to hang the capitalists they will sell us the rope" (when it comes time to replace this internet they will deliver our packets.) The obvious (to me) change would be positive id of anyone accessing that new network. The voice system seems to have achieved this to about a 99% level which is more than good enough. And it would be a boon to them also, no more annoyingly free voice/video stuff. By which I mean if they thought it was credible they might pony up a billion or two to get it going. Then if they hit some critical mass they can consider replacing IP and routing regimens etc also (the goal being largely to secure it), on top of the existing "wire" infrastructure. On December 16, 2020 at 07:48 mark.tinka@seacom.com (Mark Tinka) wrote:
On 12/16/20 02:38, bzs@theworld.com wrote:
Some days I wonder if it's some vast, well-funded, Spectre-like organization whose backers just want to see trust in the internet undermined in the public's eyes on behalf of their own non-internet or anti-internet (think: phone companies who'd love to charge you per email and web page access for example by forcing you onto some private network) enterprises, large bricks+mortars interests etc.
If it were, they'd be fighting a losing battle.
The Internet has acquired exponential scale. It would never operate in such a pay-to-click model.
Mark.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 12/16/20 22:31, bzs@TheWorld.com wrote:
I'm not so sure. If someone got the banks, credit card (fintech), big online shopping, etc (tho not a lot of etc needed) on board, the "head count" for that wouldn't be very large, and others would join (particularly retail) just to not be left out...
One can build a quite different network on top of the existing infrastructure at least to get started, NEWSTUFF/IP.
That would only then require buy-in by end-users but if that's what's on their phone etc and the only way they can access banks, shopping, etc.
People here would deliver all those packets since it'd just look like IP and go from there. Reminds me of the old expression "when it's time to hang the capitalists they will sell us the rope" (when it comes time to replace this internet they will deliver our packets.)
The obvious (to me) change would be positive id of anyone accessing that new network.
The voice system seems to have achieved this to about a 99% level which is more than good enough. And it would be a boon to them also, no more annoyingly free voice/video stuff. By which I mean if they thought it was credible they might pony up a billion or two to get it going.
Then if they hit some critical mass they can consider replacing IP and routing regimens etc also (the goal being largely to secure it), on top of the existing "wire" infrastructure.
All this would achieve is break-away networks, either atop or adjacent to the current Internet. Considering that there are quite a few countries that have folk transacting more on their phones than via conventional banking means, with major content providers looking to get into that game, I don't see this working beyond a private experiment, that likely wouldn't get far. But hey, it's 2020. Crystal balls aren't what they used to be. Mark.
On Mon, Dec 14, 2020 at 12:10 PM Miles Fidelman <mfidelman@meetinghouse.net> wrote:
David Bass wrote:
It becomes more clear when you think about the options out there, and get a little creative. Nowadays it’s definitely chess that’s being played.
And here I thought the purpose of hacking is (still) having fun - you know... hacking.
As to chess... I've begun to think that the game to master is now Go... capturing territory, not pieces, and instantaneous global state changes.
https://fortune.com/2016/03/12/googles-go-computer-vs-human
Donald d3e3e3@gmail.com
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
----- On Dec 12, 2020, at 2:26 PM, Peter E. Fry pfry@tailbone.net wrote: Hi,
Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days
Don't underestimate the curiosity of pimply faced youth these days. Wargames is still relevant. Thanks, Sabri
For fun and/or profit. Like the purpose always has been. Note that the definition of fun will vary. But overcoming a challenge of some sort is almost universally considered "fun". Bjørn
participants (14)
- Bjørn Mork
- bzs@theworld.com
- David Bass
- Donald Eastlake
- James R Cutler
- Laszlo Hanyecz
- Mark Tinka
- Miles Fidelman
- Peter E. Fry
- Rich Kulawiec
- Ryland Kremeier
- Sabri Berisha
- Saku Ytti
- Tom Beecher