My Analysis of Internet Crime, and How We Can Combat It

Well, with Anonymous on the headlines again, I might as well try to present my analysis on the issue.

My analysis is this: internet criminals do not usually get caught when they fail. Consider a bank robbery: if I try to pick, say, the lock on a bank vault and fail, the alarm triggers and the police arrest me within minutes. Hackers who try to break into websites, however, are not arrested when they mess up. Most IDS (intrusion detection system) setups simply ban the attacker’s IP for 24 hours. So if the attacker hides his or her IP address, an unlimited number of attempts can be made.

Compare that with traditional physical crime, say robbing a bank. If a bank robber fails, trips the security system, or gets into a shootout with security, he would most likely be arrested and "taken out of action". In comparison, if hackers fail, nothing happens to them. I run a Windows 2008 server and a CentOS server as a hobby; both are internet facing and used as web servers. My logs tell me that I get "attacked" almost 20 times a day on each server, even though these are just personal sites with almost no traffic. Mostly they are brute force attacks, SQL injection attempts, port scans, etc.: attacks that have no chance of succeeding. However, these attackers are not "taken out of action" by their failure; they simply move on to the next possible victim. (The majority of the attacks are done by automated scripts, but as someone who likes to read logs, you quickly learn to recognize which ones are done by newbies.)

Over an infinite time scale, even the most secure servers would succumb to attacks. After all, the attackers always have the initiative: they can try an unlimited number of times. If I fail today, I can come back tomorrow and try again.

Now we have to discuss the concept of "vulnerable time". Just as downtime describes the amount of time a server is "down", I use the term vulnerable time for the time during which a server is vulnerable to attack. Consider an internet facing application like IIS or Apache. Let’s say a huge 0-day has just been created and is currently spreading through the internet (a 0-day is an attack technique that has not been patched). If I apply patches manually, my vulnerable time runs from when the attack first appeared to when I finally get around to patching my server. If I use an automatic patching system, my vulnerable time is reduced to the period from when the attack first appeared to when the vendor rolls out a patch.

If I also have an IDS, the vulnerable time would be drastically reduced: I would only be exposed when both my application and my IDS are vulnerable to the attack. With each layer I pile on, my vulnerable time is reduced further. However, on an infinite time scale, when the attacker has unlimited tries, the attacker would always succeed. Consider this: if I had unlimited tries to rob a bank, I would eventually get it right. But if I try to rob a bank and fail, I get a long jail term and maybe a few new bullet holes. If I try to hack a server and fail, I can just try again tomorrow.

This leads me to believe that the only effective permanent solution against internet crime is effective policing, since on an infinite time frame the attacker would always succeed. Unlike murder and assault, internet crime is not a spur of the moment thing. Cracking down on internet crime will deter its perpetrators.

Most of the "pro hackers" started off as script kiddies; I would say the absolute majority started off that way. Using scripts you can easily find on the internet, you can do quite a bit of damage. It is in fact not too hard to hack a large number of websites using commonly found scripts. Often, the big website hackers we read about in the news started off by defacing small sites. It’s not as if the police will even bother to prosecute a tiny website hacker. Yet, give him enough time, and he will move on to bigger things. If I see in my logs a kid trying his best to clumsily exploit a SQL injection vulnerability (it’s easy to recognize this kind of thing; you usually see misspelled SQL commands and whatnot), I check whether the IP is a residential IP address and not a known proxy or VPN. I usually just pop off an abuse complaint to the ISP. I don’t really think they would do anything, but if some script kiddie gets a warning from his ISP, it would hopefully deter him from going down that path.
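The log-reading routine described above (spotting clumsy SQL injection probes, including misspelled SQL keywords, and repeated login failures, then summarizing per source IP for an abuse complaint) can be automated. The script below is an added example written for this post, not the author's own tooling. It parses constructed Apache combined-format log lines (the addresses are from documentation ranges and the requests are made up), flags probes only when SQL metacharacters appear together with a word close to a SQL keyword, so an ordinary search for "select a product" is not flagged, and counts POST requests answered with 401/403 as login failures. The residential-versus-proxy check the post mentions needs an external IP database and is left out; the login path and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict
from difflib import get_close_matches
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation ranges (RFC 5737) and the requests are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2011:14:02:11 +0000] "GET /product.php?id=1'%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2011:14:02:15 +0000] "GET /product.php?id=1'%20UNOIN%20SELCT%201,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2011:14:02:40 +0000] "GET /product.php?id=1'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Aug/2011:14:05:01 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
198.51.100.22 - - [10/Aug/2011:14:05:02 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
198.51.100.22 - - [10/Aug/2011:14:05:03 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
198.51.100.22 - - [10/Aug/2011:14:05:04 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
198.51.100.22 - - [10/Aug/2011:14:05:05 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
198.51.100.22 - - [10/Aug/2011:14:05:06 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.0"
192.0.2.9 - - [10/Aug/2011:14:07:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2011:14:07:31 +0000] "GET /search.php?q=select%20a%20product HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Keywords a probe is likely to contain; short words like "or" are handled by
# the tautology pattern instead, because fuzzy-matching them causes false hits.
SQL_KEYWORDS = ["select", "union", "insert", "update", "delete", "drop",
                "sleep", "benchmark", "information_schema"]
TAUTOLOGY_RE = re.compile(r"\bor\b\s*['\"]?\s*\d+\s*=\s*\d+", re.IGNORECASE)
METACHARS = ("'", '"', "--", "/*", ";")


def looks_like_sqli(path: str) -> bool:
    """Heuristic: SQL metacharacters in the query string plus either an
    'or 1=1' style tautology or a token close to a SQL keyword (so misspellings
    such as UNOIN SELCT are still caught). A keyword alone is not enough."""
    query = unquote_plus(path).lower().partition("?")[2]
    if not query or not any(m in query for m in METACHARS):
        return False
    if TAUTOLOGY_RE.search(query):
        return True
    tokens = re.findall(r"[a-z_]+", query)
    # cutoff 0.75 accepts one-character typos in keywords of four or more letters
    return any(get_close_matches(t, SQL_KEYWORDS, n=1, cutoff=0.75)
               for t in tokens if len(t) >= 4)


def triage(log_text: str, brute_threshold: int = 5) -> dict:
    """Group requests by source IP and tag IPs that show SQL injection probes
    or at least `brute_threshold` failed POST logins (401/403 responses)."""
    per_ip = defaultdict(lambda: {"requests": 0, "sqli": 0, "auth_failures": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        if looks_like_sqli(m["path"]):
            rec["sqli"] += 1
        if m["method"] == "POST" and m["status"] in ("401", "403"):
            rec["auth_failures"] += 1

    report = {}
    for ip, rec in per_ip.items():
        tags = []
        if rec["sqli"]:
            tags.append("sql-injection-probe")
        if rec["auth_failures"] >= brute_threshold:
            tags.append("login-brute-force")
        if tags:
            report[ip] = {**rec, "tags": tags}
    return report


def abuse_report(ip: str, rec: dict) -> str:
    """One-paragraph summary suitable for the body of an ISP abuse complaint."""
    return (f"Abuse report for {ip}: {rec['requests']} requests between "
            f"{rec['first']} and {rec['last']}; {rec['sqli']} SQL injection probes, "
            f"{rec['auth_failures']} failed logins ({', '.join(rec['tags'])}). "
            f"Relevant log lines attached.")


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(abuse_report(ip, rec))
```

Running it against the constructed log tags 203.0.113.7 as a SQL injection probe (three hits, including the misspelled one) and 198.51.100.22 as a login brute force (six failures), while 192.0.2.9 is left alone because its "select" appears in a plain search with no metacharacters. In practice the thresholds and the login path should match your own sites, and the summary should be checked by hand before anything is sent to an ISP.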