Message-ID: <200407202005.i6KK5FYY005884@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Motivations... (was Re: IE now on-topic 

On Tue, 20 Jul 2004 12:36:06 PDT, Andrew Latham said:

> 1. Boredom - more brains than hobbies
> 2. Needs 
> - burstable bandwidth - downloads
> - knowledge
> - bragging rights
> 3. Challenges
> 4. Other

You're equating "black hat" with one subset thereof, more or less.  It's a lot
more complicated in the real world...

I'd posit that the goals and motivations of the black hat can be classified in
three wide ranges, with totally different threat models:

1) "type of target" - you don't care whose box it is - you want "any suitable
zombie", "any suitable Windows/IIS server", "any suitable Solaris box".

2) "identity of target" - The target has been selected because it's a server
for company X, or you want to deface the webpage for organization Y, or it's
payback time for black-hat Z.

3) "monetary/related gain" - you really don't care who the target is, it's all
about the paycheck - whether it's 500K zombies created by a virus-for-pay, or a
hacking run against a server that has credit card numbers on it...

Notice that there can be overlap - a black hat engaging in (2) or (3) may very
well want to pick up a collection of type (1) stepping-stone machines to launch
the attack from.

Also, a target can be in different categories at the same time - it can be
probed by a script kiddie looking for zombies, while at the same time it's
being targeted by a disgruntled ex-employee and a professional criminal.

Understanding the differences is important - a defense sufficient to stop the
random probing (1) won't slow down either of the other two.  However, the
professional criminal is more likely to nail you with a 0-day - but will move
along if they decide the risk/payoff ratio is bad (they see you have enough
network monitors to nail their ass in court, they're outta there ;).  The
disgruntled ex-staffer may not have a 0-day - but they may well decide it's a
personal issue and *keep* attacking when a professional would move on...
