Hacker News
Ask HN: Is black-hat hacking harder now than it was 20 years ago?
7 points by andreim 6029 days ago
As a kid I was fascinated with stories of people hacking into high security places like the Pentagon. But I recently realized that, while this was surely no walk in the park even 20 years ago, it must have been easier then than it is now. Things like ssh or vpn weren't around back then, and even though I'm sure they had equivalents, they were probably proprietary and thus not as secure as today's time-tested open source solutions. What do you think?
4 comments

Interesting question. I'll add one more to it if you don't mind. Even if getting into the pentagon might be harder, do you think there is more data that is a) easy to get via hacking and b) useful? If so, this is an important way in which hacking is easier than it was before.

I might think there is more data like this since more people put more data on computers with less knowledge about how to protect it.

I'd say no, it isn't in the aggregate harder. There are a few forces at play that I think lead to this.

First of all you can now buy pretty good hacking tools in a can (CANVAS, Core Impact) that come complete with non public exploits. If you don't have the money, metasploit is pretty good as well. This drastically reduces the need to know the details of a particular exploit, and reduces the amount of toolsmithing required to pull off a penetration. Also, the reality is that exploits are now a business - they're for sale, for better or for worse, on the open market. If there's one thing our PWN2OWN competition at cansecwest proved, it's that for a sufficient amount of money someone will find you a hole in anything. If you have money, even if you're not that knowledgeable, being a blackhat isn't that hard.

Second, there is more stuff to exploit now than there has ever been before, both on and off the net (I'm looking at you, SCADA). At least some of that stuff will be low hanging fruit built by programmers who either did not understand how to build secure systems, or didn't expect that those systems would be reachable in the way they are now. As the internet expands, and stuff keeps getting more smarts added to it, I think there is probably a trend in which new insecure stuff is being built faster than the old stuff is being secured (not that I can prove that). Things that previously weren't considered to be security critical now are (XSS is still barely considered a "real" exploit).

Third, information about exploits, how to write exploits, and how to find vulnerabilities is now massively more available, both because of the change in philosophy around full disclosure, and because we now have more than a decade (two maybe?) of open research into the field. Bugtraq can be argued to have revolutionized security research because it opened up what was previously secret to the eyes of interested amateurs and academics. Today there is a community of security researchers who openly publish information that previously was only the domain of governments and the occasional large defence contractor. I think probably the public community is better at it too.

Balanced against this is all the research and technology on the defensive side (also helped by full disclosure), the forced public shaming to fix-their-broken-shit of various vendors (full disclosure again), and generally better knowledge of security best practices (anyone want to guess what I attribute this to?). All of which is to say that the things that worked 20 years ago are harder today than they were 20 years ago (social engineering sadly seems to be just as easy, and if anything more prevalent now) but it hardly seems to matter since lots more is easy now.

I have been fascinated with stories of really clever hacks into systems. I've also been told to set up a scheduled database backup and, when I opened the first backup to check it was going to work, found unencrypted credit card and billing details (only a year or two ago). Only a few weeks ago I found a small company system which ships with a default admin password (a dictionary word, no less) which the end user cannot change. Weird.

Putting two and two together, I suspect that some extremely clever hacks happened (and still happen, I guess), but many, many more were probably fortuitous stumbling on horrible or utterly absent security in some overlooked corner; as per dnsworks' comment, except - is logging into a password-less account really 'hacking'?
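The backup story above (cleartext card and billing data sitting in a scheduled dump) is the kind of thing that is trivial to check for before the dump leaves the box. The following is an added example, not code posted in the thread: it scans a plain-text database dump for digit runs that look like a card number and keeps only those that pass the Luhn check digit, reporting them masked so the scanner's own output does not become another copy of the data. The dump text is constructed for the example, and the two card numbers in it are the well-known Visa and Mastercard test numbers, not real accounts.

```python
"""Scan a plain-text database dump for unencrypted card numbers (PANs).

Added example for the thread above, not the poster's code. SAMPLE_DUMP is
constructed; the card numbers in it are public test numbers.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side (so a 20-digit ID is ignored).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only candidates in `text` that pass Luhn.

    Luhn is only a checksum, so this filters out most timestamps, IDs and
    phone numbers but can still produce the occasional false positive.
    """
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(dump: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid PAN in the dump."""
    hits = []
    for line_no, line in enumerate(dump.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((line_no, mask(pan)))
    return hits


# Constructed sample dump: two cleartext card numbers, a token that happens to
# contain 16 digits but fails Luhn, and a 14-digit timestamp.
SAMPLE_DUMP = """\
INSERT INTO orders VALUES (1, 'alice', '4111 1111 1111 1111', '12/09', 'paid');
INSERT INTO orders VALUES (2, 'bob', '5555-5555-5555-4444', '03/10', 'paid');
INSERT INTO orders VALUES (3, 'carol', 'tok_1234567890123456', NULL, 'pending');
INSERT INTO audit VALUES (4, 20080101123456, 'login ok');
"""

if __name__ == "__main__":
    for line_no, masked in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no}: possible cleartext PAN {masked}")
```

Run against a real dump, a single hit is enough to show the backup job needs either column-level encryption or the card data removed before the dump is written; the masked output can go straight into a ticket without reproducing the problem.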

Absolutely. 20 years ago telcos didn't bother adding password protection to digital "switches" because they didn't even consider war dialers or the proliferation of internal documentation through bulletin boards. Unix vendors like Microsoft (Xenix), SCO, and Sun left password-less accounts (like Root, Operator, Sync) on workstations which were then immediately plugged into a shared-bus network. Not to mention the wide-open nature of the various X.25 networks like Sprintnet which were used for inter-bank communications.

OTOH, learning about that stuff was much harder in those days; it was much more underground and word-of-mouth.

I don't know about that. Within a month or two of buying my first modem in 1992 I was on bulletin boards that had FIDOnet subscriptions, which quickly gave me enough information to be dangerous.
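The password-less root, operator and sync accounts described a few comments up are still worth auditing for, because an empty password field in a shadow-style file is a different condition from a locked one. The following is an added example and not code from the thread: it parses shadow-format entries, classifies each account's password field as empty (no password needed, subject to the PAM configuration), locked (`*` or `!`-prefixed) or hashed, and returns the accounts that would accept a login with no password. The entries are constructed for the example; the hash strings are placeholders, not real hashes.

```python
"""Audit shadow-style password entries for accounts with no password at all.

Added example, not code from the thread. SAMPLE_SHADOW is constructed and the
hash values in it are placeholders.
"""


def classify(password_field: str) -> str:
    """Classify the second field of a shadow entry.

    ''            -> 'empty'  : no password; login succeeds with a blank one
                               if PAM allows it (nullok), which it often does
                               on the kind of boxes the thread talks about
    '*', '!', '!!'-> 'locked' : no valid hash, account cannot log in by password
    anything else -> 'hashed' : a real hash (possibly weak, but not blank)
    """
    if password_field == "":
        return "empty"
    if password_field.startswith(("*", "!")):
        return "locked"
    return "hashed"


def parse_shadow(text: str) -> dict[str, str]:
    """Map account name to raw password field for each well-formed line."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow entry; skip rather than guess
        accounts[fields[0]] = fields[1]
    return accounts


def passwordless_accounts(text: str) -> list[str]:
    """Return the accounts whose password field is empty, in file order."""
    return [name for name, pw in parse_shadow(text).items()
            if classify(pw) == "empty"]


def summary(text: str) -> dict[str, int]:
    """Count accounts per classification, so 'locked' is not mistaken for 'empty'."""
    counts = {"empty": 0, "locked": 0, "hashed": 0}
    for pw in parse_shadow(text).values():
        counts[classify(pw)] += 1
    return counts


# Constructed sample: three accounts with no password, two locked, one hashed.
SAMPLE_SHADOW = """\
root::14000:0:99999:7:::
operator::14000:0:99999:7:::
sync::14000:0:99999:7:::
alice:$6$placeholderSalt$placeholderHashValue:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
bin:!!:14000:0:99999:7:::
"""

if __name__ == "__main__":
    print("accounts with no password:", passwordless_accounts(SAMPLE_SHADOW))
    print("by class:", summary(SAMPLE_SHADOW))
```

On a live system the same functions can be fed the contents of `/etc/shadow` (root only); the empty-versus-locked distinction matters because `passwd -l` and a fresh install both leave non-empty markers, and only a genuinely empty field is the password-less login the comment describes.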