The dangerous evolution of the Script Kiddie

Script Kiddie: A (usually amateur) hacker who compromises files on others’ computers or launches attacks on computer systems, using widely distributed computer programs or scripts, rather than using their own unique programs or scripts – en.wiktionary.org/wiki/script_kiddie

It might be unfair to pick on Microsoft and Apple here. It’s not all their fault, but they aren’t helping situations for our beloved script kiddies.
Back in the good old days, you could grab any GUI port scanner tool (NMap only got a GUI in the last few years), and punch in a giant chunk of IP space, hit scan, go fix your self a hot chocolate, come back and get cracking. Almost all systems which you scanned were Windows. This was back in the day before Windows came with a built in firewall (XP) as well. You would look at what services were running, and no doubt you would find the majority of them were exploitable through again, a nice GUI tool you found on the internet.

If you wanted to target a particular user, say… you were just having a flame war with someone on Diablo, you could trick them into revealing their IP address from a bucket load of different ways. These were the days when people’s privacy and security were rarely thought about to the companies making software (you could argue that not much has changed, but it has to this degree)

These days it’s not that simple. Almost every home user is running some type of broadband router/modem which no doubt is running NAT and a basic firewall. Also, the majority of machines behind these will have an inbuilt firewall (XP and up + Macs) and if you are lucky, some anti virus with updated signatures. (Remember we are talking about script kiddies here before you flame me on the insecurities of the above)

Wireless networking started to take off, script kiddies jumped on board and started breaking into home networks through insecure WEP implementations. So the dilemma of being stopped by a NAT firewall was eliminated. But once on this network, using their nice GUI tools to scan the network to look for vulnerable PCs gets met with unresponsive hosts due to either a Windows firewall, or the dreaded Mac OS. (Keep in mind, if you know how to use a packet sniffer properly, you don’t fall into this category)

So as you can see… it’s getting harder for script kiddies to have their fun. This is why we are seeing so many client side attacks in the form of phishing, social engineering and praying on unsuspecting social network user’s trust. People have always been the weakest link in the security chain. This doesn’t ring more true than today when it is no longer easier to port scan a computer over the internet. (It is easier to break into company servers than it a regular home user, I don’t know what that shows us… but it is an interesting thought)

The script kiddie sees this and has to adapt to the climate. It’s evolution at its finest. And it is dangerous. There will always be masses of young computer enthusiasts (read teenagers) who push the boundaries and want to see what sort of mischievous (albeit illegal) deeds they can pull off with their new interest and knowledge in technology. It’s human nature to be curious. What is dangerous about this is, in today’s modern web2.0 society, the only avenue for the curious script kiddies is to pray on people’s trust, break into people’s social networks and to dabble within a stockpile of user’s personal and private information. We are bordering on dangerous times and breeding a bad mindset for these individuals.

I think it’s fair to say that most security professionals were once kids who dabbled with script kiddie-esque tools. It’s how we all learn. The difference being, when we were young, it was the systems in which we were trying to break, not the users behind the system.

We learnt how to hack with tools made readily available to us. We played with networks and code. We developed our skills and more often than not, found a career in it. What might be the mindset of the modern script kiddie where you can’t just ‘hack’ into your friend’s computer with ease, yet you can hack his Facebook, Myspace and Twitter etc. It’s no longer computers being attacked as a form of learning and playing, it’s actually people. I think this will bring fourth a generation of new criminals, which prey on people’s trust either for fun or profit. Not all script kiddies turn into criminals, far from it. But script kiddies from our generation weren’t having fun by infiltrating people’s personal lives, we were having fun by pushing the boundaries of technology.

I know I am sounding like an old man. It is just an interesting observation and curious on people’s thoughts.

2 thoughts on “The dangerous evolution of the Script Kiddie

  1. I don’t think the skiddie has changed much from the old days. These days you can use tools like Metasploit (or even autopwn) to easily break into machines without working knowledge of exploits. However I think you are correct in stating that home user’s personal computers do not get targeted as much. And this is probably due to the things you mentioned about port scanning over the Internet, all they find are really webservers/companys.

    You do raise a good point regarding the prevalence of social networks. And it is indeed a worry when for fun, kids are breaking into other people’s personal accounts as something easier to do than any real technical hacking (and it is still called hacking!?)

    There was an article posted the other day about a kid in the United States breaking into females Facebook accounts and sending naked pictures of them to everyone of their friends. Why? Just to be mischievous as you mentioned, but this has a detrimental impact on all involved, even the offender. Interesting times indeed.

    DJ

Comments are closed.