I’m writing this post during the UK Corona virus lockdown in May 2020. All around the world, scientists and researchers are studying the COVID-19 virus to find out exactly how it works. And this is just the latest in a rich history of those in the medical profession studying disease to discover how it works. Once we understand how something works, we can fight against it. And that’s why we’re going to find out how hacking works today.
The first thing to understand about hackers is that, while some make lots of money from their abilities, most just enjoy the kudos and admiration of their peers. So one of the first things a black-hat hacker will do when they find a new security weakness is post it to the hacker community. Once the information it out there, the collective hacking community can start to refine attacks on that weakness.
I said “black-hat hackers” just now, which might be a term you’re not familiar with. Let me fill you in.
A black-hat hacker is someone who hacks and breaches systems without the permission of the information systems’ owner, and usually has malicious intent.
A white-hat hacker is someone who might be working for the company they’re hacking. They will have the intention of responsibly disclosing their findings to the relevant party so that these vulnerabilities can be patched and fixed before a black-hat hacker notices the same bug.
And Roger Red-Hat was the dude in the letter land books from when I was little. He’s probably not a hacker.
We talked about the Have I Been Pawned project before in this post. It’s a big database full of email addresses and other related data collected from hundreds of high profile data breaches. To be clear, the Have I Been Pawned project is a cyber security tool, and it used by folks like me to help secure systems. Its maker, Troy Hunt, spends a lot of time and effort to maintain this resource for the good of the information security community.
But there are lots more databases of usernames and passwords, and even credit card information, on the dark web, just waiting to be bought by whoever wants that information. And it’s not even expensive, even free sometimes!
This highlights what I said about hackers taking the easiest route to be able to breach your system. And this is why you must never re-use your username and password on different systems.
The idea for this blog post came to me as I was writing another security piece, and talking about how it is often good enough to cover the easy things first. and this describes how hackers operate too. They’re going to go for the soft targets before they spend too much time and energy on anything more difficult. And honestly, we’re all the same aren’t we? I find cloud technology much easier as a day-job than building houses, stacking shelves or any other real job!
With this in mind, it probably won’t surprise you to learn that there are tones of hacking tools available which someone with hardly any knowledge can use. Metasploit is a hugely popular hacking tool, and if you head to their website, you can download your very own copy for free. And if you’re stuck, just wander over to YouTube and search for Metasploit. You’ll be falling over guides on how it all works.
The Weakest Security Link
It’s us. Humans are so rubbish at information security. We are so willing to believe the person on the telephone who says they’re from the bank. Or we don’t quite read that email carefully enough to notice the dodgy link it tries to direct us to.
Attackers know this, and so we’re often the very first thing they try to hack. There have been countless books written on the subject of social engineering – a subject I find absolutely fascinating.
And this is why we have to be on our guard – there’s no antivirus for us humans! Ask yourself why someone from the organisation they say they’re from would want to know that information from you. How do they usually communicate with you? And what’s in it for you? If there’s a problem with one of your accounts and someone calls you up about it, could it wait until you look up their organisation’s number and call them back to confirm?
A social engineer doesn’t want to give you the space to think of these things. They’re too busy trying to misdirect you like a magician on stage. They want you to think about this while actually saying that. The information in your head is what they want. Hacking starts before even touching a computer, but now you know this, you can activate your firewall!
It’s Not Like Hollywood
Apart for Mr Robot – that was actually really close to how life is as an offensive security professional. But aside from that, it isn’t like in the movies. Attackers get into systems because people make silly mistakes and leave systems open to attack. Don’t let it happen to you!