Open Source: Democratizing Cyberattacks
For years now, open source has been an important part of software development—and thanks to it, we’ve all benefited from more and more powerful software and services. Programmers have the ability to tap into a huge repository of information, examples and code that make it infinitely easier for them to build on innovations past to develop new ones. In a sense, open source has democratized programming, making it easier for more people to collaborate and develop more and better products.
It was the hacker culture of the 1990s and 2000s that led to the rise of open source. One of the principles of the original hackers—the kids and adults who hacked systems out of curiosity or for the fun of it—was that “information should be free.” They applied this to the world of software, developing free alternatives to the Big Box software that cost hundreds of dollars per license in the old days.
The open source concept has been so successful, that it’s been exported to the darker side of digital, including cyberattacks. In essence, attackers do the same thing as legitimate programmers, but their programs are designed not to help but to damage. It makes sense, then, that they would also build repositories that other attackers could draw on to develop ever more destructive malware. Here, the open source concept has democratized cyberattacks—making it easier for even script kiddies to do serious damage with relatively sophisticated malware.
As one expert put it, “Hacking is big business and very well organized today. Organized crime syndicates and terrorist organizations are all trying to scam and steal bank account or credit card information, and other personal data while foreign governments are mainly interested in stealing intellectual property or industrial secrets for profit or technical gain.”
Attackers are warping the principles of “information must be free” to help themselves to credit card data, Social Security numbers, electronic deposits, etc. And they are using the open source concept to share malware; you can download “live malwares” using the same open source GNU General Public License that “legitimate” open software uses. It’s as if a Frankenstein monster, created to serve its master, rose up and began wreaking destruction on everything in its path.
This easy access to all sorts of hacking tools may be responsible for the significant spike in cyberattacks of all kinds in recent years. To hack a system, you don’t need the professional programming skills you once did; it’s enough to download an appropriate tool from the malware repository and follow the instructions on one of the myriad “how to hack” websites. The threat pool just grew by thousands of percent.
A good example of this in action is the Social Engineering Toolkit—a preprogrammed Linux application that automatically runs routines that makes stealing user credentials a breeze. The application has various modules designed to fool users into sharing their credentials and/or get them to click on links that will install credential-stealing malware on their systems.
For example, a hacker can choose to use the Web-Jacking Attack module, which provides a legitimate-looking URL (i.e., not connected to a malware site) that, when clicked, opens a pop-up window that contains a different URL, one that leads to a malware site where a keylogger or other malware can be installed. All the hacker has to do is choose the malware, choose the site they want to forge and create a web link. It’s all free, and, as the site notes, “for educational purposes only.”
There’s an open source hacking program for practically every need: AirCrack-NG for stealing WiFi passwords; Hydra, for brute-force password cracking; Metasploit, “the world’s most used penetration tool”; and many, many more. Most are automated, requiring just filling in the details of the victims (email address, URL, etc.). Many of them, by the way, are built into the Kali Linux distribution (also open source), so would-be hackers don’t even have to download and install or configure their tools.
With attacks so easy to carry out, organizations need to work double-time to avoid getting hit. One way they can do that is to download these same tools and investigate their vulnerabilities. Kali Linux, and most of the tools used for cyberattacks, were actually developed to prevent hacking—to enable organizations to do penetration testing and harden their weak spots. By hacking themselves, organizations can uncover the vulnerabilities in their systems before the hackers do, and take the appropriate steps to defend themselves.
Along with that, organizations should be hardening their cyberdefenses. It is important to audit all of the major channels where attackers can penetrate an organization and ensure security systems are equipped with advanced threat protection, particularly as more and more attackers are capable of utilizing advanced techniques. In addition, these systems must be able to adapt quickly as new attack techniques emerge.
“Democracy is the worst form of Government except for all other forms,” it’s been said—and having free access to information, data, software and services is generally a lot better than having to pay for those things. But, if you and I have access to those things, so do people with not so great intentions. Our objective must be to take advantage of the benefits that open source has brought us—and avoid the threats that openness poses.
