Even the bad guys have vulnerabilities. It is perhaps poetic that many of the “successful” cyber criminals can be and are being hacked in the same ways they attack their legitimate targets. We tend to attribute near god-like cyber powers to these miscreants, when in reality, they write into their software the same kind of weaknesses that they are so good at exploiting.
At the SyScan 2010 Security Conference in Singapore, Laurent Oudot of Tehtri Security made exactly this point. His brief demonstrated the numerous exploitable flaws in the hacker kits available on the Web. He showed 13 unpatched vulnerabilities in some of the most widely purchased and used kits.
Additionally, Billy Rios of Google gave a similar presentation at the New York State Cyber Conference. Rios, a former U.S. Marine Corps officer and security expert, walked the audience through breaking the security of a botnet software kit that would allow the user to either create bots or go after them. The bad guys need to read their own products.
On the other side, one wonders why law enforcement is not doing more “reverse hacking.” Hackers turned white hats should be recruited to attack botnet controllers and malware distribution systems through their own vulnerabilities. In the same way cops “sting” drug dealers, unscrupulous government officials, and other criminals, they should be attacking cyber criminals.
As long as we let cyber crime grow and prosper, cyber criminals will become increasingly bold. My concern is the increasing likelihood that the most capable cyber criminal networks will connect with terrorist organizations. The lure of hard cash will not be turned down by the Cyber Organized Crime Underworld when offered, regardless of the source. They have large chinks in their armor, and they should be exploited now. If we continue to give the criminals a pass, and do not begin to retaliate, they will become a national security threat. Then it might be too late.