Earlier this year I listened to Sabu talk. Sabu the hacker. The same guy who was the brains behind Anonymous, who knocked down email servers in Iran, who attacked DNS servers in China, who participated in the cyber fight during the Arab Spring. The same Sabu who turned on his fellow hackers, putting them behind bars in order to reduce his own prison sentence.
This is a guy who has been on the dark side and come out to tell us about it. Can we trust him? Maybe not. But when he tells his stories about the dark side of the web he has credibility.
I was at a SecureCISO conference when I met him. This is a conference that is only open to security executives. The conversations had been about budgeting, reporting structures, and dealing with bureaucracy. All the things that security leaders have to deal with and hackers don’t. Everyone in the room was a big fish. Sabu was a shark. When he stood on stage, the room went quiet, people leaned forward, and no one wanted to miss a word. Here was the enemy. The enemy turned into something better perhaps, but still the enemy. No longer a threat hiding behind a digital veil, here he was in the flesh. I could see the wheels turning, memories of midnight calls, intrusion alerts, closing the holes, trying to reverse the damage before it was too late. Behind each of these attacks was someone like Sabu.
Then he began to talk. He told it like it was. He was just a kid, rebellious and out to make his mark. Trying to change the world. He was a dumb kid, like all kids are dumb, in that they don’t think about the consequences of their actions. But he was smart in the way that few kids are. He was one of a half dozen hackers who had the technical knowledge necessary to make the Anonymous digital mob into a real threat. And he didn’t have any moral compunction about using what he knew to mess up the digital world around him. He didn’t do it for money. He didn’t even do it (that much) to make a difference. Like young men everywhere, he did it to prove what he could do, to show the world that he mattered. What surprised him the most was how easy it all was. If you have skills, and an Internet connection, and you don’t think you have anything to lose, the attack surface is huge. You can impact thousands of people, hundreds of thousands of people, you can throw your weight around on the international stage.
Then when he had gone too far and the law came down on him, he worked for the Feds just long enough to put his former friends in jail. No honor among thieves.
Out of the many things that he had to say, what caught my attention?
He told us that once he had compromised a server, he took immaculate care of it. It became an asset in his arsenal. Once he was inside, he owned that hardware, not you. That meant he did all the sysadmin work necessary to keep the server up and running and reliable. He would maintain the server and correct mistakes made by the ‘other’ sysadmin. He would patch it, modify code if necessary, keep it up to date. The sloppier the other sysadmin was, the more leeway he had to manage the hardware as his own. He knew they wouldn’t notice. Why would they? It was a server that now had great uptime, it didn’t cause problems, there were squeakier wheels for the ‘real’ sysadmin to deal with. He’d taken care of a headache for them, and all he asked in return was the ability to use that server as a toehold into their organization, as a portal for stealing their secrets, and as an asset that could be used in future attacks. He thought it was a fair trade.
Once he took a server into his keeping, he would make damn sure that it had incredible uptime.
How do you know a hacker has control of your system? You know because the server runs flawlessly. Sometimes you have to look for the quiet corners, not the squeaky wheels. Sometimes the hackers are smarter than you, better coders, and better admins.
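One practical way to look for those quiet corners is to reconcile what each host actually has installed against what your change records say should be there. A host that is more up to date than any approved change explains, and that never generates tickets, is exactly the profile described above. The script below is an added example, not from the original post or from Sabu's talk: the hostnames, ticket ids, package versions, baseline image and ticket counts are all constructed, and the version comparison is a crude stand-in for `dpkg --compare-versions` that is good enough for the sample data but not for production use.

```python
"""Reconcile observed package versions against change records.

Added example (constructed data, not from the original post). Drift in
the "behind" direction is ordinary patch lag; drift in the "ahead"
direction on a host nobody complains about is the quiet corner worth a
closer look: somebody is maintaining that box, and it may not be you.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    host: str
    package: str
    version: str  # version the approved change installed
    ticket: str


# Gold-image versions every host was built from (constructed).
BASELINE = {"openssh-server": "1:9.2p1-2+deb12u1", "nginx": "1.22.1-9"}

# Approved changes exported from the change-management system (constructed).
APPROVED = [
    Change("web-01", "openssh-server", "1:9.2p1-2+deb12u2", "CHG-1041"),
    Change("web-02", "openssh-server", "1:9.2p1-2+deb12u2", "CHG-1041"),
    Change("db-01", "openssh-server", "1:9.2p1-2+deb12u2", "CHG-1041"),
]

# What the hosts actually report, e.g. from dpkg-query (constructed).
OBSERVED = {
    "web-01": {"openssh-server": "1:9.2p1-2+deb12u2", "nginx": "1.22.1-9"},
    "web-02": {"openssh-server": "1:9.2p1-2+deb12u3", "nginx": "1.22.1-9"},
    "db-01": {"openssh-server": "1:9.2p1-2+deb12u1", "nginx": "1.22.1-9"},
}

# Helpdesk tickets per host over the review window (constructed).
TICKETS = {"web-01": 4, "web-02": 0, "db-01": 11}


def version_key(version):
    """Crude stand-in for dpkg --compare-versions: numeric runs compare as ints,
    everything else as text. Adequate for the sample data, not for real policy."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|\D+", version)
    )


def expected_version(host, package, approved=APPROVED, baseline=BASELINE):
    """Newest version the records (baseline plus approved changes) account for."""
    candidates = [c.version for c in approved if c.host == host and c.package == package]
    if package in baseline:
        candidates.append(baseline[package])
    return max(candidates, key=version_key) if candidates else None


def find_drift(observed=OBSERVED, approved=APPROVED, baseline=BASELINE):
    """Return (host, package, observed_version, direction) for every package whose
    installed version is not the one the records say it should be."""
    findings = []
    for host, packages in observed.items():
        for package, seen in packages.items():
            expected = expected_version(host, package, approved, baseline)
            if expected is None:
                findings.append((host, package, seen, "unknown"))  # no record says it should exist
            elif seen != expected:
                ahead = version_key(seen) > version_key(expected)
                findings.append((host, package, seen, "ahead" if ahead else "behind"))
    return findings


def quiet_corners(findings, tickets=TICKETS):
    """Hosts patched beyond what any record explains, fewest tickets first."""
    ahead = {host for host, _, _, direction in findings if direction == "ahead"}
    return sorted(ahead, key=lambda host: tickets.get(host, 0))


if __name__ == "__main__":
    drift = find_drift()
    for finding in drift:
        print("%-7s %-15s %-20s %s" % finding)
    print("investigate first:", quiet_corners(drift))
```

Run stand-alone, this reports `db-01` as behind (the change was approved but never landed, the squeaky wheel everyone already knows about) and `web-02` as ahead with zero tickets, which is the host to pull forensic images from before anyone "fixes" it. The point is not that unexplained patching proves compromise; it is that an asset which is quieter and better maintained than your own processes can account for deserves the same scrutiny as the one that pages you at midnight.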