Hacker secret war: the secret world behind black hat, white hat and gray hat

QQ numbers, credit card passwords, corporate core databases, in the underground black industry chain, all information on the Internet may become a tool for black hat hackers to make money. In the battle between white hat hackers and black hat hackers, winning once is not a win, and losing once is a loss forever.

“There are three kinds of people in the world: those who have been hacked, those who don’t know they have been hacked, and those who don’t admit they have been hacked.”

A young man in a grey shirt and black trousers was giving a speech. He was of medium height, thin, and had one hand in his pocket, looking a little nervous. There were more than 300 people sitting in the audience, most of them were hackers from all over the world. The audience only knew that the young man's online name was "Pig Man", and that he was the top white hat hacker in the Wuyun community.

In the hacker world, the names of black hats and white hats represent two opposing roles: villains who profit from network information and heroes who protect network security. This saying comes from early American Westerns that used white hats and black hats to distinguish between good and evil.

This was at the first Wuyun Security Summit on September 12, 2014. The organizer of the summit was Wuyun.com, a well-known third-party security vulnerability platform in China. Wuyun.com was founded by Fang Xiaodun, a former Baidu security expert, in 2010 and has gradually become a gathering place for white hat hackers. They are like the "woodpeckers" of the Internet, monitoring the vulnerabilities of various websites at any time and issuing warnings.

"Then I thought of the fourth possibility, which is being hacked," continued "Pig Man" in his southern accent. He was not exaggerating. On the other side of the podium, an attack on the audience's mobile phones was underway - at least three people's bank card balances and one person's stock trading information appeared on the conference projection screen.

In the online world composed of information flows, such attacks happen almost every moment. The more people rely on the Internet, the more dangerous they are.

When hackers were born, the world was actually different. The word "hacker" originally referred to workers who chopped wood with axes. This word was introduced into the computer circle in the 1960s. According to the book "Hackers: Heroes of the Computer Age", this group originated from the Massachusetts Institute of Technology in the 1950s. A group of students believed that information should be open and accessible to everyone. So they broke into a computer system that was restricted by the authorities.

Chinese hackers did not appear until the 1990s. They initially started by cracking software and copying small software using floppy disks. Their first collective action was quite characteristic of the times: after the anti-Chinese incident in Indonesia, they sent spam to the mailboxes of Indonesian government websites.

The initial idealism was gradually replaced by the temptation of money. In the underground world where black hats hide, an industry chain of buying and selling information has been formed, which has brought huge profits to black hats. Fang Xiaodun, the founder of Wuyun, once said in an interview that it is possible that an inconspicuous hacker will one day find that he lives in a good house and drives a good car. "The current income gap between the strongest black hats and white hats is about the difference between a daily salary of 10,000 and a monthly salary of 10,000."

The threat of black hats has led to a surge in market demand for network security. According to a report by the professional magazine "Information Security and Communication Confidentiality", in 2012, the scale of China's network security industry reached 21.64 billion yuan, a year-on-year increase of 20.9%. Among A-share listed companies, at least 12 are involved in network security concepts, not including Qihoo 360 (NYSE: QIHU), which is listed in the United States and has a maximum market value of 10 billion US dollars. This company claims to have "the most powerful white hat army in the Eastern Hemisphere."

On the secret battlefield, the battle between white hats and black hats has already begun. They cannot see each other, and can only feel each other's presence when they fight each other again and again.

"Black and White" Offensive and Defensive Battle

Every "letter" is like a cow. After being skinned, boned, and meat cut, by 7 o'clock in the morning, only a pool of blood is left.

Meng Zhuo, co-founder of Wuyun, his ID on Wuyun is "Mad Dog".

Unlike the magical duels people imagine, the confrontation between black hats and white hats usually does not happen in real time. Lin Wei, deputy director of the attack and defense laboratory of Qihoo 360, told the Southern Weekend reporter that they usually deal either with vulnerability mining beforehand or with the crime scene the black hats leave behind afterwards.

Their most common task is to follow the traces to fix the vulnerability and even find the attacker. White hats may also use attack methods - implanting Trojans in the intruder's web page and locating the intruder when he tries to operate.

"Vulnerabilities" are the focus of both sides' attack and defense. A vulnerability is a defect in a network system that can be exploited. Once a black hat finds a vulnerability, they can quickly launch an attack.

Take the "envelope number" (i.e. stolen QQ number) industry as an example. 31 analysts who have worked at Microsoft, Baidu, and McKinsey formed a research team called TOMsInsight. In a report, they described the entire process of selling stolen goods: a group of QQ user names and passwords obtained by discovering vulnerabilities, implanting Trojans, or other attack methods is called a "letter", and an envelope is a collection of 10,000 (or 1,000) letters. Getting this information is called "taking the letter".

Then comes the "washing of letters", where the Q coins and game equipment in the accounts are transferred and sold, and the more valuable "pretty accounts" are picked out. Once washed, these "second-hand letters" become an excellent platform for pushing all kinds of messages: mass advertising, fraudulent information, and embedded advertising in QQ space. Finally, the QQ accounts that have been drained clean are sold to hackers who use them to compile password dictionaries.

By dawn the next day, the owners of the stolen QQ accounts usually notice the theft and change their passwords or take other security measures, which invalidates most of the accounts in the envelope. The entire process of selling the stolen goods is therefore concentrated between 12 o'clock at night and 7 o'clock in the morning. Each "letter" is like a cow: after skinning, boning, and cutting the meat, by 7 o'clock in the morning only a pool of blood is left.

Hackers often attack by invading websites, implanting Trojans, promoting and attracting traffic for advertisers, stealing valuable account information such as QQ numbers, using negative SEO information in "black links" to blackmail, or more directly, by cracking the manufacturer's core database and extorting or selling it online. The core code, financial information and accumulated massive user data of enterprises, which are of great commercial value, are also the focus of black hat attacks.

Everyone knows that no system is perfect and unbreakable. The idea behind most security systems is to raise the time and technical cost an attacker must pay to break in, so as to force attackers to give up.

In the battle between white hat hackers and black hat hackers, winning once is not a win, and losing once is a loss forever. "Pig Man" said, "As long as you are hacked once, as long as the hacker takes away enough information, he can still use the information he obtained in the past to hack again next time."

In the Wuyun community, white hats are searching for vulnerabilities almost all the time. "Pig Man" made his own scanner to search for all vulnerabilities. Instead of searching for vulnerabilities one by one, he has realized automatic attacks, and ranks first in the Wuyun community Rank value (the total score of the submitted vulnerabilities). "You only need to enter a domain name and scan it with a scanner, which does not require physical effort. The scope is now the whole world." He told the Southern Weekend reporter.

As the black hats' financial resources have been cut off, security companies like Wuyun and Qihoo 360 have also become the targets of crazy attacks by black hats.

"It happens several times every month, which is very abnormal for a website of Wuyun's size," said Meng Zhuo, co-founder of Wuyun. His ID on Wuyun is "Mad Dog", although the name hardly matches his mild appearance.

Qihoo 360 chairman Zhou Hongyi was also nearly compromised. Once, Qihoo 360's internal information security department noticed an anomaly from an internal IP address: a visitor had connected to the wireless network and was trying to brute force Zhou Hongyi's password in order to get into 360's intranet. Since Zhou Hongyi's account name, his email address, is public, cracking the password would have given the attacker access to the intranet; such an intruder is hard to detect even while lurking for a long time, and the information within reach is hard to imagine.

"We sent people to track the signal and almost caught it, but lost it at an elevator entrance," an internal security expert of Qihoo 360 told a reporter from Southern Weekend. This incident even prompted 360 to start developing wireless security products to make up for its shortcomings in wireless.
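The incident above turned on an anomaly the security team spotted: many failed logins against one public account from a single internal address. An added example of the detection logic a defender would run over authentication logs follows; it is not code from the article or from Qihoo 360, and the log format, the account names and the IP addresses are constructed for illustration. It flags a source that produces a burst of failures against one account inside a sliding window, and escalates the alert if a successful login from the same source follows the burst, the case where the password may actually have been guessed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format; not Qihoo 360's real logs).
# Fields: timestamp, result, account, source IP.
SAMPLE_LOG = """\
2014-09-01 01:00:00 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:01 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:03 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:05 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:07 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:09 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:10 FAIL user=lin src=10.8.4.50
2014-09-01 02:13:11 FAIL user=zhou src=10.8.4.23
2014-09-01 02:13:14 OK user=lin src=10.8.4.50
2014-09-01 02:13:15 OK user=zhou src=10.8.4.23
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """Flag (src, user) pairs with >= threshold failed logins inside a sliding
    window, and escalate when a successful login from the same source follows
    while the burst is still inside the window."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in parse_log(text):
        key = (src, user)
        q = recent[key]
        # Expire failures older than the window before evaluating this event,
        # so an isolated failure an hour earlier does not count toward the burst.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"first": q[0], "severity": "burst"})
                a["count"] = len(q)
                a["last"] = ts
        elif key in alerts and q:
            # A success right after a failure burst: treat the account as possibly compromised.
            alerts[key]["severity"] = "success_after_burst"
            alerts[key]["last"] = ts
    return alerts


if __name__ == "__main__":
    for (src, user), a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{a['severity']}: {a['count']} failures for {user} from {src} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed log, the single failure at 01:00 falls outside the two-minute window and is ignored, the user "lin" with one failure never reaches the threshold, and the address 10.8.4.23 is reported with six failures against "zhou" followed by a success, which is the alert an analyst would want to chase first. Thresholds and window are parameters because sensible values depend on the lockout policy of the system being watched.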

The rise of white hats

On Zhihu, after the question "How to hack Zhihu" was raised, he posted the connection password of the password library and the information structure of user data.

An internal PPT from 360 company shows that before 2008, security companies generally had low net profits, and in large companies such as BAT (Baidu, Alibaba, and Tencent), the security department was not a value-generating department and was not taken seriously.

In recent years, the prosperity of the black hat underground industry chain has invisibly raised the value of white hats, which has also become a motivation for many hackers to join the white hat group. A group of IDs with legendary stories have been converted to real names, left to start their own businesses, or have been printed on employee cards of major Internet companies.

Qihoo 360 Chairman Zhou Hongyi even went to other places to look for "Internet prodigies". Previously, he had built a luxurious team in the industry by attracting high salaries. MJ0011 (real name Zheng Wenbin), who was once called the "driver prodigy", is currently the chief engineer of Qihoo 360. In an interview with a Southern Weekend reporter, he mentioned twice that "Mr. Zhou is very loyal." Zhou Hongyi once specifically asked Zheng Wenbin to stay when he made a departmental change.

"After the speech, 'Pig Man's' net worth may exceed one million," said a core team member of Wuyun.

After the "Pig Man" speech, a Southern Weekend reporter asked him for an interview via QQ. Soon, he sent a screenshot of the Southern Weekend address book in 2013 via QQ, "You should have been employed for less than a year, right? You were not in last year's address book."

Such "showmanship" has become a habit for "Pig Man". He tried to roam Tencent's internal network four times in 2013 and finally succeeded. The serial posts of the four intrusions were regarded as "masterpieces" by many white hats. His predecessor, Tencent Security's senior hacker lake2, also wrote an article about his experience of fighting with him as a review of his own defense system.

He has another ID "Wang Yin" on the famous Q&A community "Zhihu". After the question "How to hack Zhihu" was raised, he posted the connection password of the password library and the information structure of user data in the follow-up post.

The true identity of "Pig Man" remains a mystery. At least three senior hackers, including lake2 from Tencent Security, believe that "Pig Man" is the legendary hacker "V", who is famous but never shows up.

Wu Hanqing, a hacker who was once a senior security expert at Alibaba, wrote in a blog post in 2013 about a legendary hacker named "V" who had accumulated a database of 1.3 billion pieces of data after deduplication. "Each record contained user names, passwords, ID numbers (social security IDs), mobile phone numbers, email addresses, login IP addresses and other information, covering half of the Internet."

"V" never deletes data or causes damage after the intrusion, nor does he use the results of the intrusion to make a profit. "He still adheres to the ancient hacker code, just like the knights in the Middle Ages were obsessed with chivalry."

The hacker career of "Pig Man" began with the theft of a game prop. When he was in the first grade of junior high school, his level 35 magician account in Shanda Legend Zone 44 was stolen. "I had just obtained a magic shield and it was stolen. I was very disappointed." More than ten years later, he still regards this experience as a shame.

The magic shield is a necessary item for the magician character in the game to learn key skills. When he went to search for relevant information on the search engine, the word "Trojan" appeared. Feeling lost and bored because his account was stolen, "Pig Man" walked out of the online game "Legend" and entered a larger game field.

Rebellion, challenge, and the desire to "break the rules" are almost all the reasons why hackers start their careers. If it weren't for bypassing the Internet cafe's charging system, cracking the password set by parents on the computer to play games secretly, or getting a small amount of Q coins, many white hats who submit vulnerabilities on the Internet may not know where they are now.

Fang Xiaodun said, "Cybersecurity issues themselves exist in the violation of norms, and the core of dealing with cybersecurity issues lies in breaking the rules." This knowledge is not taught in traditional classrooms, and related majors have only appeared in recent years.

In the world of white hats, there are few "cyber doctors" with formal education, but more "dog butchers" who come from the grassroots. After making their way in the cyber world and obtaining their own "magic wands", they choose to wear their own white hats. Wu Hanqing told the Southern Weekend reporter, "In Alibaba, half of the most core people (in security) did not have a bachelor's degree."

There are 6,214 white hats like "Pig Man" registered on the Wuyun platform, and more than 1,000 of them are active, enough to staff several Internet companies focused on security. The technical strength of the 20 core white hats among them cannot be underestimated by any professional manufacturer. In the recruitment requirements of many Internet companies, having submitted vulnerabilities on Wuyun has even become a prerequisite.

After having many hacker experts, Wuyun has gradually reaped rich rewards. During the entire Wuyun Summit, Yang Wei, a member of the Wuyun management team, kept answering calls and messages, including many business calls from "crowd testing". "Crowd testing" is a crowdsourcing production model in which manufacturers provide products and Wuyun organizes white hats to find security vulnerabilities for them.

Yang Wei didn’t bring his business card. “If I had brought 100 business cards, they would have been very popular. The public testing queue has been extended to October. There may be more than a dozen projects a month, and the total amount is 500,000 to 600,000 yuan.” He spoke very quickly.

Discovering vulnerabilities has its own price. Many Internet companies and security companies will offer rewards, and those who submit vulnerabilities may receive a considerable cash reward. At the end of some vulnerability posts, there will be a golden dollar sign. In the monthly "tycoon list" of major manufacturers, it is not uncommon to see people earning tens of thousands of dollars by submitting vulnerabilities.

Gray hats roaming on the dangerous border

Most testing is done without authorization.

13-year-old hacker "Wang Ge" attended the first Wuyun Security Summit. (Photo by Liu Zhiyi)

On the evening after the first Wuyun Summit, more than 100 white hats gathered in a bar called "WOOYUN CLUB" in Beijing's 798 Art District. This is a hacker bar founded by Wuyun.com in August 2014. It is only in trial operation now, and the drink menu has not yet been printed.

The code strings on the glass wall and the graffiti on the exterior wall of the bar are from the hacker world, and almost every term corresponds to a form of cyber attack. People who come in and out of this bar mostly use their network IDs to identify themselves, and the wine list also has names of drinks that only hackers can understand, such as the "DDoS" cocktail. "DDoS" is a common traffic attack method that aims to occupy a large amount of network resources for a period of time and paralyze the server.

The white hats sitting in the bar are in the light, and the black hats are in the dark. In fact, there is a gray area that is neither black nor white.

In many vulnerability descriptions submitted by "Pig Man" to Wuyun, there is a statement that "no in-depth research has been done", which means that the vulnerability was discovered but no data was illegally stolen. This is also the boundary that most white hats face when looking for vulnerabilities. When responding, manufacturers often add a sentence, "Please pay attention to comply with relevant national laws during security testing."

Many white hats covet the killer weapon that "Pig Man" has used so many times, his vulnerability scanner, and hope he will make it public. But Pig Man does not seem to have any such plan. Obviously, it is hard enough to vouch for himself; it would be far harder to guarantee that everyone who got hold of the "weapon" would refrain from "in-depth research".

Wu Hanqing told the Southern Weekend reporter that according to the new amendment to the Criminal Law, any unauthorized intrusion into another person's computer is illegal. Wuyun also wrote in its "Information Security Protection and Statement" that "white hats need to ensure the legality of the methods, means and tools used to research vulnerabilities, and Wuyun does not bear any legal responsibility for this."

The fact is that most tests are conducted without authorization, and many white hats are walking on the dangerous border that is not guarded by anyone.

When talking about the boundary between black hats and white hats, a Wuyun white hat said that there is almost no difference in the process of early analysis and obtaining vulnerabilities. "White hats will say they are white hats, and black hats will never say they are black hats. Everyone just has different ways of using them in the end."

An administrator who was responsible for managing a company's email system repaired the system after the vulnerability was reported and thanked the white hat hackers. However, he was reluctant to have too much contact with hackers, whether black hat or white hat, because he was afraid that his privacy would be exposed.

"After all, it is an industry with a strong offensive nature, and (hackers) will make people distrust them," said a security expert from Qihoo 360.

In the early days of its development, Wuyun was seen by enterprises as a concentration camp for hackers. Such distrust was like ice. In the eyes of enterprises, those who came to them with their own vulnerabilities were often either malicious competitors or hackers who wanted to extort money. A large state-owned enterprise once asked Wuyun to delete its vulnerability information. After being rejected, it blocked Wuyun's traffic and reopened it after repeated coordination.

In fact, the boundary between white hat and black hat is blurred. According to many insiders, the value of many database vulnerabilities has been almost squeezed out before they are released. Some black hats first make black money, then disguise themselves and enter enterprises, white hat teams or join the Wuyun platform, which are all ways to "launder white".

One of the principles of most Internet companies is that they will never hire people with black hat experience. "There was a case where a well-known social networking site hired a former 'black hat', and he figured out the system within a month and eventually dragged the company's database," the security expert from Qihoo 360 told the Southern Weekend reporter.

It is almost impossible for someone who has done black hat work to become a white hat again, unless you can successfully conceal your past: change your "vest" (adopt a fresh online identity) and start all over again in the online world.

"We can only see what he did on the Wuyun platform. We have neither the ability nor the obligation to find out all his past experiences." Fang Xiaodun's idea is not complicated. "Let good people be good people, and let bad people want to be good people."

With long hair and a short beard, he looks more like an artist. His idea is to let white hats live a clean and free WOOHO (Wooyun Home Office) life - no matter where you are, as long as you turn on your computer, rely on your own technical strength to find vulnerabilities and submit vulnerabilities, you can make a living from this and be free and happy.

It looks tempting. But the complexity of the matter is that the entire online world is gray. If there is any difference, it is only a difference in grayness. Fang Xiaodun and his partners admit that this is no exception in the arena of "hats".

Link to this article: http://www.oschina.net/news/56023/hackers
