When people think of hackers, Hollywood-esque tropes usually come to mind. They probably imagine people in hoodies who type fast and know everything anyone could possibly know about computers and programming. The truth, though, is that as technology has improved, hacking has become democratized and accessible to the masses. Today, tons of tools automate hacking to the point where even children can learn how to infiltrate systems fairly quickly. In this post, we’re talking about how novice hackers (known as script kiddies in tech lingo), automated tools and poorly secured devices and services all come together to form the current state of cybersecurity.
What are script kiddies?
Script kiddies, sometimes referred to as skiddies or skids by hackers, are individuals who do not develop their own hacks or exploits. These individuals might have some programming knowledge or even the ability to identify vulnerabilities, but they rely on scripts and code provided by more experienced hackers when carrying out their attacks. Script kiddies aren’t kids per se, although teens and young gamers can be found participating in hacking culture. The term is generally used as derogatory slang that highlights the juvenile and unseasoned nature of script kiddies compared to other hackers. Script kiddies need documentation, support and user interfaces – all seen as forms of hand-holding within the hacking community – whereas experienced hackers build and deploy their own tools. Because of this, script kiddies are viewed as the posers of the hacking world, and they are the bane of both security experts as well as more skilled hackers. Still, their lack of experience makes them no less dangerous to the average Internet user, given that some very notable hacks were the work of script kiddies, some of which we detail later.
How hacking has changed
Aside from a handful of major hacks, such as the time a Canadian teenager known as Mafiaboy took down the websites of Amazon, CNN, Dell, E*Trade, eBay, and Yahoo in 2000 with a DDoS attack, it used to be the case that most script kiddies’ hacks were fairly basic; “tagging” or defacing websites by making simple appearance changes to sites, making small changes to vulnerable files or other prank-like behavior. With today’s tools, though, script kiddies can and have done much worse.
AutoSploit, a tool created earlier this year, is an excellent illustration of this change in hacking. Likely forgotten among many of this year’s numerous big tech headlines, AutoSploit is a tool designed by a Twitter user and released to the general public on GitHub, a code repository. By many measures, AutoSploit isn’t a sophisticated tool, as it leveraged existing tools, namely Shodan, the Internet of Things IoT search engine (something we’ve talked about before), and Metasploit, a penetration testing tool that helps researchers find vulnerabilities in order to patch them. Both tools are mostly used by so-called “white hat” hackers – academics, security experts and law enforcement – but have never been packaged together in an easy to use way. By patching these two tools together, an unknown, self-proclaimed security enthusiast created a program that could automatically search the Internet for a multitude of poorly secured devices on Shodan and test all known vulnerabilities against them with Metasploit. This clunky way of deploying attacks, known as a Hail Mary in the security world, might seem haphazard, but unfortunately, so many systems use security settings vulnerable to these basic attacks.
While the AutoSploit story might seem alarming, it’s just a large drop in an even larger bucket when it comes to the availability and proliferation of hacking tools. Hacking has become so lucrative that entire industries exist to serve the demands of amateur cybercriminals. On-demand hacking, malware-as-a-service (mirroring enterprise-level business models) and hacker tech support services are all common ways that novices can begin careers as cybercriminals.
What does this mean for me?
As a consumer or small business owner this trend should highlight just how vital cybersecurity is. Hacking isn’t a skill that only some elite tier of individuals can learn — anyone can be a hacker, and thus, anyone can be a threat to your privacy or business. This trend also highlights the failures of developers and manufacturers to secure technology. Systems, especially IoT devices and poorly configured cloud servers provide plenty of opportunity for simplistic tools to throw out exploits at random until one works. In other cases, systems are so insecure that they simply leak data on their own. That’s why it’s essential for you to take an active role in vetting the types of devices and services you use. We talk more about this as well as the dangers misconfigured technology can pose in many of our Internet of Things posts.
Keep reading our technology blog to learn about and prepare for the cybersecurity threats that small businesses and consumers face today.