Hacker Case Studies: Personality Analysis and Ethical Hacking

In studying various persons who have spoken or written about their exploits as hackers or cybersecurity criminals, it seems that we can gain some knowledge about their technical achievements by analyzing their personalities.

One person who has been well known in the hacker community for many years is Kevin Mitnick. Mitnick enjoyed great success in compromising telephone networks (phone phreaking), until he went to federal prison in the 1980s. Subsequently, he has become an influential writer and speaker about cybersecurity. One of his best known books is The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, written with William Simon (Mitnick & Simon, 2005).

This book details the exploits of numerous hackers, alleged to be true stories, and in many of the cases describes enough about the interests and motivations of the subjects to give us some insight into their personalities.

We select just a few examples from The Art of Intrusion to identify some of the personalities and what drove them to the exploits described in the book.

Comrade

The hacker known as Comrade began his exploits as a teenager living in Miami. About some of his early works, Comrade said, “we were breaking into government sites for fun.” Comrade developed a friendship with another hacker with an Internet name of neoh, another young man who was only a year older than Comrade, but who lived 3000 miles away. About his interests, neoh said, “I don’t know why I kept doing it. Compulsive nature? Money hungry? Thirst for power? I can name a number of possibilities.” Also, neoh, in corresponding with author Mitnick, wrote: “You inspired me ... I read every possible thing about what you did. I wanted to be a celebrity just like you.”

Another person, named Khalid Ibrahim, who claimed to be from Pakistan, began to recruit Comrade and neoh. Khalid’s interest was in working with other hackers who might be willing to hack into specific targets—first in China and then in the United States. Khalid indicated that he would pay cash for the successful penetration into the targets he indicated.

Comrade’s interest, as he indicated, was that he knew that Khalid “was paying people but I never wanted to give up my information in order to receive money. I figured that what I was doing was just looking around, but if I started receiving money, it would make me a real criminal.”

Adrian Lamo

Adrian Lamo, as a teenager, lived in New England and developed his hacking skills at an early age.

Mr. Lamo, according to his parents, was involved in hacking because of a number of specific well-known hackers who were his inspiration. His strategy in hacking was to understand the thought processes of the person who designed the subject of his attacks, a specific program or network. In one case, he discovered a customer who asked for assistance with stolen credit card numbers, and the technicians who are supposed to assist did not bother responding. Then Adrian called the victim at home and asked if he had ever gotten a response. When the man said no, Adrian forwarded the correct answer and all the relevant documentation regarding the problem. As Lamo said, “I got a sense of satisfaction out of that because I want to believe in a universe where something so improbable as having your database stolen by somebody... can be explained a year later by an intruder who has compromised the company you first trusted.”

Adrian’s description of his philosophy can be summarized as: “I believe there are commonalities to any complex system, be it a computer or the universe ... Hacking has always been for me less about technology and more about religion.”

Gabriel

Gabriel lives in a small town in Canada, and his native language is French. Although he sees himself as a white hat hacker, he occasionally commits a malicious act when he finds a site “where security is so shoddy someone needed to be taught a lesson.” As a young man, he found details about the IP addresses of a small bank in the US south that nevertheless had extensive national and international ties. He discovered that one of the bank’s servers ran software that allows a user to remotely access a workstation. Eventually he found ways to remotely access terminal service, so he could essentially own the potential system. He also found the password for the bank’s firewall, and so hacking into that one machine gave access to other computer systems on the same network. As a consequence, Gabriel had access to a great deal of internal information, but he did not have any interest in stealing funds.

In addition to relating individual hacker personalities, a number of authors have attempted to describe generic personality traits of hackers.

Hacker Personality Descriptions

Lee Munson is a security researcher for Comparitech and a contributor to Sophos’ Naked Security blog. Munson has written (Munson 2016):

It’s hard to pin down just a few personality traits that define a hacker. A typical hacker profile is a male, age 14-40, with above-average intelligence, obsessively inquisitive with regards to technology, non-conformist, introverted, and with broad intellectual interests. A hacker is driven to learn everything he can about any subject that interests him.

In fact, most hackers that excel with technology also have proficiency in nontechnological hobbies or interests. Hackers tend to devour information, hoarding it away for some future time. Credit card and bank fraud present opportunities to use cracking to increase personal wealth.

Eric Stephen Raymond is the cofounder of the Open Source Initiative, an organization that builds bridges between the hacker community and business. Raymond has written (Raymond 2015):

Although high general intelligence is common among hackers, it is not the sine qua non one might expect. Another trait is probably even more important: the ability to mentally absorb, retain, and reference large amounts of ‘meaningless’ detail, trusting to later experience to give it context and meaning. A person of merely average analytical intelligence who has this trait can become an effective hacker. In terms of Myers-Briggs and equivalent psychometric systems, hackerdom appears to concentrate the relatively rare INTJ and INTP types; that is, introverted, intuitive, and thinker types.

Rick Nauert has over 25 years’ experience in clinical, administrative, and academic healthcare. He is currently an associate professor for Rocky Mountain University of Health Professionals doctoral program in health promotion and wellness. Nauert likens the personality traits of hackers to the symptoms of autism (Nauert 2016).

Online hacking costs the private and corporate sectors more than $575 billion annually. While security agencies seek out “ethical” hackers to help combat such attacks, little is known about the personality traits that lead people to pursue and excel at hacking.

New research shows that a characteristic called systemizing provides insight into what makes and motivates a hacker. Intriguingly, the personality traits are similar to many autistic behaviors and characteristics ... Systemizing is the preference to apply systematic reasoning and abstract thought to things or experiences. The preference for systemizing is frequently associated with autism or Asperger’s, a milder form of autism.

Ethical Hacking

A hacker is a person with the technical skill and knowledge to break into computer systems, to access files and other information, to modify information that may be in the computer system, to utilize skills involving network technology to move from one system to another, and to implant software that may have deleterious effects on the host system.

An ethical hacker is a person with the technical skill and knowledge to carry out the same functions as aforementioned, but to resist doing so for ethical reasons.

Given the fact that there is essentially no difference in the technical skill set of a hacker or an ethical hacker, one might wonder what difference in fact can there be. It is also the case that another terminology has become widespread: The hackers are often called “black hats” and the ethical hackers “white hats.” However, to further confuse the issue, there are competitions wherein the participants are assigned to the white hat team or the black hat team, but in midcompetition, they may change hats and change roles.

This terminology is somewhat unusual. In other areas of human activity where we consider behavior as being either legal or illegal, ethical or unethical, it stretches the imagination to consider: bank robbery or ethical bank robbery; murder or ethical murder. If Robin Hood were real, he would probably like to have been considered an ethical thief.

A distinguished computer scientist named Ymir Vigfusson, originally from Iceland and more recently a professor at Emory University in Atlanta, offers courses in Ethical Hacking and has described his philosophy extremely well in a recent Ted Talk “Why I Teach People How To Hack” (https://youtu.be/KwJyKmCbOws) (Vigfusson 2015).

Prof. Vigfusson uses the term “moral compass” to describe what guides him as a professor in teaching ethical hacking to his students and also how he operates in his own practice.

Thus, it seems that the challenge in the cybersecurity profession is to find a way of identifying how an individual who can develop the requisite technical skills can rely on his or her own moral compass. Developing measures to try to predict these behaviors is a clear challenge for those persons who are not only knowledgeable about cybersecurity but also about psychology and the behavioral sciences.

Programs to Encourage the Development of Ethical Hackers

Very recently, greater attention has been drawn to initiatives that attempt to encourage the development of ethical hackers.

Donna Lu wrote in The Atlantic (Lu, 2015):

The cybersecurity expert Chris Rock is an Australian information-security researcher who has demonstrated how to manipulate online death-certification systems in order to declare a living person legally dead.

Rock began researching these hacks last year, after a Melbourne hospital mistakenly issued 200 death certificates instead of discharge notices for living patients. He also uncovered similar vulnerabilities in online birth registration systems. The ability to create both birth and death certificates meant that hackers could fabricate new legal identities.

Subsequently, on August 2, 2017, Kevin Roose in the New York Times wrote (Roose 2017):

If there is a single lesson Americans have learned from the events of the past year, it might be this: hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos.

But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyber-attacks, but are being held back by outdated rules and overly protective institutions?

In other words: What if the problem we face is not too many bad hackers, but too few good ones?

And most recently, on November 24, 2017, Anna Wiener wrote in the New Yorker (Wiener, 2017):

“Whenever I teach a security class, it happens that there is something going on in the news cycle that ties into it,” Doug Tygar, a computer-science professor at the University of California, Berkeley, told me recently. Pedagogically speaking, this has been an especially fruitful year. So far in 2017, the Identity Theft Resource Center, an American nonprofit, has tallied more than eleven hundred data breaches, the highest number since 2005. The organization’s running list of victims includes health-care providers, fast-food franchises, multinational banks, public high schools and private colleges, a family-run chocolatier, an e-cigarette distributor, and the U.S. Air Force. In all, at least a hundred and seventy-one million records have been compromised. Nearly eighty-five per cent of those can be traced to a single catastrophic breach at the credit-reporting agency Equifax.

Problems

  1. Read The Art of Intrusion. Identify any of the characters portrayed as female, or any of the characters described (or that you would estimate) as being over 50 years in age.
  2. Critique the description Lee Munson has provided in this chapter of the personality traits of a hacker.
  3. Research the Myers-Briggs personality types indicator system (see Chapter 3 on personality tests, also https://upload.wikimedia.org/wikipedia/commons/1/1f/MyersBriggsTypes.png). Identify categories unlikely to be attributed to a hacker.
  4. Discover if there are any professions that seem to have an overabundance of persons with Asperger’s syndrome.
  5. Watch the YouTube and Ted Talk by Ymir Vigfusson. What caused him joy to discover his hack and then respond to his “moral compass”?
  6. Find the origin of the terms “white hat” and “black hat.”

References

Lu, D. 2015. “When Ethical Hacking Can’t Compete,” The Atlantic, December 8, 2015.

Mitnick, K. & Simon, W. 2005. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Wiley Publishing, Indianapolis, IN.

Munson, L. 2016. Security-FAQs. http://www.security-faqs.com/what-makes-a-hacker-hack-and-a-cracker-crack.html.

Nauert, R. 2016. PsychCentral.com. https://psychcentral.com/news/2016/06/02/some-personality-traits-of-hackers-resemble-autism/104138.html.

Raymond, E. S. 2015. Catb.org. http://www.catb.org/jargon/html/appendixb.html.

Roose, K. 2017. “A Solution to Hackers? More Hackers,” New York Times, August 2, 2017.

Vigfusson, Y. 2015. “Why I Teach People How to Hack,” Ted Talk, March 24, 2015.

Wiener, A. 2017. “At Berkeley, A New Generation of ‘Ethical Hackers’ Learns to Wage Cyberwar,” New Yorker, November 24, 2017.

 