Simple question: What's the purpose of obtaining illicit access to random devices on the Internet these days, considering that a large majority of attacks are now launched from cheap, readily available and poorly managed/overseen "cloud" services? Finding anything worthwhile to steal on random machines on the Internet seems unlikely, as does obtaining access superior (in e.g. location, bandwidth, anonymity, etc.) to the service from which the attack was launched.
I was thinking about this the other day as I was poking at my firewall, and hopped onto the archives (here and elsewhere) to see if I could find any discussion. I found a few mentions (e.g. "Microsoft is hacking my Asterisk???"), but I didn't catch any mention of purpose. Am I missing something obvious (either a purpose or a discussion of such)? Have I lost my mind entirely? (Can't hurt to check, as I'd likely be the last to know.)
Peter E. Fry
Questionable cloud / VPS / hosting companies are great for spammers and botnet C&C, but not so great for DDoS “ion cannons”. You still need a large volume of geographically diverse endpoints for those to be effective.
I think you’re coming at it the wrong way. It’s not going to be one, or a couple of dudes behind a screen like in the movies. It’s ran autonomously for as long as possible. Gathering information on easily accessible devices and the like. Any information gathered is information that can be sold, or used otherwise depending on what they’re grabbing.
– Ryland
The probable "purpose of obtaining illicit access to random devices on the Internet these days” is to create botnets to attack more lucrative targets or to employ them as gateway devices to provide access to local networks which may contain targets of interest.
To piggyback on this: when launching a DDoS, diversity along multiple
axes is helpful: geography, topology, connectivity, operating system, etc.
Each additional form of diversity slightly raises the bar for defenders.
Also, every compromised device may be a source of useful/saleable data,
or the gateway to more of the same or to more valuable targets or to the
compromise of people. The IoT is particularly fertile ground for this
because to a very good first approximation, "IoT security" is an oxymoron.
--rsk
Bitcoin.
There wasn't much purpose to 'hacking' for a long time. Even when talking about DDoS stuff, it's still just temporary vandalism, it's only an inconvenience, and it can be undone pretty quickly. The whole idea of providing security has been turned into a wink-wink scam where people pretend to do busy work for money but everyone knows you'll still get breached and it doesn't really matter, so long as you can blame it on someone else and it's in the fine print. Look at what a business DDoS has become, both on the provider and the protection side.
Stealing data is also a thing but even that is not inherently valuable unless you can blackmail the victim or sell it to a buyer. That kind of business requires more skills than just computer hacking to pull off, and carries a lot of risk in dealing with other humans who already know you're a data thief.
This all changed with bitcoin, because now simply gaining access and finding the data is the pay dirt and it can be claimed anonymously without dealing with any other humans.
-Laszlo
I would have to disagree. Considering the amount of people who have bitcoin, and even less the amount of people who farm it, or have farmed it before it became so difficult. It seems much more likely that the wide-spread infiltrations of every-day systems is for information and DDoS over bitcoins.
I seriously doubt it’s that hard to sell information to companies, as they most likely don’t care how you got that information.
If information wasn’t key, whether it be for selling to another party, or scraping that data for easy to social engineer targets; then I also don’t think that fraudulent calls would be so prevalent these days. Where the main target is older people who will fall for their basic tricks and end up losing potentially thousands per person.
– Ryland
Tend to agree. Despite all the advice and mindless videos out there to help people protect their data and/or not fall for basic scams, a lot of people still do. Humans’ capacity to want to believe in and trust others is a strong avenue that the scammers exploit to get paid. More so the older folk, yes, but even the young, tech-savvy; particularly those who have been too busy flipping between apps to realize that the Internet can be a dangerous place. You’d be surprised how innovative and simple these scams are, and actually becoming less and less sophisticated, which makes them even more dangerous. Mark.
It becomes more clear when you think about the options out there, and get a little creative. Now a days it’s definitely chess that’s being played.
This Solarwinds thing is going to be extremely interesting.
You're right, it really doesn't take much. Preying on humanity can yield great results.
One that has started springing up in my neck of the woods - to simplify car-jacking) - is to obtain a list of customers that subscribe to a vehicle tracking service. The thugs will then call a customer, claiming their tracking device is faulty and needs to be checked physically. The thugs will come to your home or office, tell you that in order to finalize the fix, they need to test drive your car. And boom, that's your car gone!
The hacking, now, IMHO, is to obtain user information to profile who is exploitable, and how. After that, low-tech rules.
Mark.
David Bass wrote:
It becomes more clear when you think about the options out there, and get a little creative. Now a days it’s definitely chess that’s being played.
And here I thought the purpose of hacking is (still) having fun - you know... hacking.
As to chess... I've begun to think that the game to master is now Go... capturing territory, not pieces, and instantaneous global state changes.
Miles Fidelman
Now implies change, when, in your mind, this changed from Chess to Go?
This stuff is definitely the most visible type of scamming but this is not any different from swindling people at a flea market. It isn't so much hacking as just using internet to communicate with people and then tricking them. I think this is a different skill set than gaining access to personal data though.
Gaining access to someone else's computer's files has historically not been a big deal, so I'm guessing it didn't become a huge problem because there was little to gain from doing it. It might be inconvenient for people, it might be used as part of a larger con against a victim, but it still requires a lot more steps to profit from it. We all know that we can't stop that from happening, but even going back to the early 90s we've had malware protection vendors making money off this fear, and the problem has now reached a point where the placebo security won't cut it and we'll have to start figuring this problem out.
The impact of these kinds of breaches has always been minor, but in the past 10 years we've placed more and more things into primary storage on a computer, including cryptographic secrets which only function if they're kept secret. Losing a wallet full of credit cards isn't as bad as losing a wallet full of cash. There wasn't any way to put money into computer files before, but now there is. Even if only a few people carry money, if it's easy to steal millions of wallets and costs nothing, it's worth doing it for the hope of eventually hitting a money holder.
-Laszlo
Hi,
Simple question: What's the purpose of obtaining illicit access to
random devices on the Internet these days
Don't underestimate the curiosity if pimply faced youth these days.
Wargames is still relevant.
Thanks,
Sabri
There is value in hacking services in the cloud to gain user information.
Right now, hacking credit rating clearing houses is big business, as an example, because almost every piece of single information of any economically-active member of society is on there. And there has been some success in obtaining that information, the effects of which we are not yet able to really quantify.
Mark.
Not sure it’s marked by a discrete moment in time. More that the Chinese have been playing Go, while the West mostly still plays chess - and that seems like a problem. I remember learning, decades ago, that there’s a form of Chinese poetry, written with ideographs, that has to make sense both horizontally & vertically. Essentially painting with ideographs. A mind that can handle that, and a culture that nurtures that kind of thinking - that scares the shit out of me. (And definitely makes me want to do some more acid, to keep up.) Miles
Somedays I wonder if it's some vast, well-funded, Spectre-like
organization whose backers just want to see trust in the internet
undermined in the public's eyes on behalf of their own non-internet or
anti-internet (think: phone companies who'd love to charge you per
email and web page access for example by forcing you onto some private
network) enterprises, large bricks+mortars interests etc.
David Bass wrote:
It becomes more clear when you think about the options out there, and
get a little creative. Now a days it’s definitely chess that’s being
played.
And here I thought the purpose of hacking is (still) having fun - you
know… hacking.
As to chess… I’ve begun to think that the game to master is now Go…
capturing territory, not pieces, and instantaneous global state changes.
https://fortune.com/2016/03/12/googles-go-computer-vs-human
If it were, they'd be fighting a losing battle.
The Internet has acquired exponential scale. It would never operate in such a pay-to-click model.
Mark.