Gallery

Hack the hackers

Posted on 27 Jan 2005 at 14:43

Not content with stopping hackers, many people want to get their own back. Jon Thompson unmasks the Internet's vigilantes

They are computing's biggest pests, the invisible foes of every PC user, and their impact is growing by the month. Hackers and virus-writers have become so ingrained into computing culture that most of us accept them as a part of life.

But a new body of online groups is encouraging us to fight back. These self-proclaimed vigilantes say those harassed by hackers, Denial-of-Service (DoS) attacks and viruses should get their revenge by taking the law into their own hands, and they are attempting to make it easy for frustrated end users to join the fun.

So should you risk entering the shady world of hacking? Some say two wrongs do not make a right, but this is an intriguing legal grey area, so read on and form your own opinion.

Spectacular, highly disruptive attacks are relatively easy to set up because of the large number of poorly maintained and even completely unpatched machines on the Internet. The proof of this is that viruses and worms released years ago still circulate now. To organised crime, cyberspace is virgin turf and, armed with a little knowledge, international extortion and protection rackets can flourish.

The most effective way of disrupting someone's Internet presence is to prevent access to their website, and the DoS attack is the weapon of choice for many devious minds. Hackers can disguise the source of the attack by finding their way into a poorly protected system somewhere on the Internet and launching the DoS from there. This has the advantage of making it look as if the owner of the hacked machine launched the attack, and lax security might mean he's probably unaware of any suspicious activity.

There is, however, a more effective threat, capable of overwhelming a target with ease: the distributed DoS (DDoS) attack. To execute a DDoS attack, a hacker must first find and recruit an unwitting army of zombies - machines left open to known vulnerabilities. A good way of finding vast numbers of such machines is to use a virus or worm that spreads quickly and uploads DDoS software to each one.

During a DDoS attack, Internet-facing servers at the target's site have millions of requests for connections fired at them continually from all over the world. The effect is predictable: the targeted machines try to honour the requests, but soon run out of resources, they slow to a crawl and then crash. As a result, the target's Internet presence effectively vanishes.

E-commerce firms and governments have found themselves at the mercy of prolonged DDoS attacks and increasingly these come from criminal gangs, which then present the target with a ransom note. Over the past few years, online gambling businesses have come in for particular attention. US bookies traditionally become targets ahead of each year's Super Bowl. In the UK, the favourite times are the days before the Grand National and the FA Cup Final.

In 2003, the National Hi-Tech Crime Unit (NHTCU) said that it was aware of vague threats to disrupt online bookmaking, but that nothing serious had occurred. Times are changing, however, as shown by the recent attack on interactive betting site Blue Square. After a five-hour DDoS attack in October 2004, a demand arrived, apparently from Serbia, for 7,000 Euros (just under £5,000). In a sinister twist, the demand threatened to send fake emails in Blue Square's name containing child pornography.

Obviously such demands are illegal, but current UK law does not specifically criminalise DoS attacks. And even with proposed amendments in place, will there be the resources and cross-border co-operation to enforce them?