Thursday, May 10, 2007


While reading the well-written "Intro to hackernomics" by Herbert Thompson on Network World, I noticed something quite interesting about threat motivation.

Thompson's first law states that "most attackers aren't evil or insane; they just want something." Money is the natural choice for that something.

However, we can list several incidents that generated no profit at all for the attacker. Is the first law of hackernomics wrong?

No. The mistake is assuming that the "something" wanted is always money. There is something that has been pursued by mankind since before the invention of currency: power.

"Information is power," said Robin Morgan. Nothing could be more precise than this concept today. The ubiquitous presence of information systems in today's world turns information such as passwords and encryption keys into huge repositories of power. Can you imagine the power held by those who have the keys to military communication systems?

Sometimes (almost always) power can be converted into money. Because of that, some attack motivations can be mistakenly interpreted as monetary. This possibility, however, can't be assumed as a rule. Many people are not directly interested in money but eagerly pursue power. Terrorists and politicians are good examples.

From this point of view we can understand why some apparently pointless things happen, such as virus creation, denial-of-service attacks and website defacements. Script kiddies and teenage hackers are usually trying to show their friends how powerful they are.

Acknowledging power as a valid motivation for attackers makes several threats more plausible and understandable. It allows better threat modelling and improves risk assessments. Different countermeasures can also be applied, focusing on reducing the power tied to the target information rather than only reducing the likelihood of vulnerability exploitation.
