Hacking has become a part of daily life in our connected world.
For both individuals and corporations it has become a major part of our computing life, from our laptops to smart phones and tablets. We are now a society that is constantly connected and online, which can translate to higher threat levels, and with every countermeasure we take we become susceptible to new threats and to being a victim of hacking!
Have you ever really thought about computer hacking and the people who do it? Throughout my 35-year career in the technology business I have known many hackers: ones that play on the good side, some who make a very good living on the bad side, and of course some who play both sides. Have you ever asked what they get out of it? They are obviously smart people; they can write solid programs with a purpose and a specific result, but why? What are they looking for? What do they get out of it? What happens to the data they steal, and if you are like me and my customers, how do you protect yourself? These are all questions we will discuss and try to answer throughout this article.
When you think about how it's done, to most people's surprise it really isn't that hard. We always picture some big bad dude sitting in a dark room at a computer with neon lights and glowing posters on the wall. Although in some cases that may be true, in most cases hacking is done through simple social engineering and human interaction: simply asking for information in a polite and interactive manner, and people will generally provide the answers they need. From a corporate perspective that thought is very scary, but it is true. The plain and simple proof is this: how often do you really change passwords, or better yet, how often does the CEO change his or her password? That becomes an issue when the CEO has problems and someone needs to work on their computer; his or her assistant has the password and gives it to someone else, and then to someone else, and before long that password really isn't a secret any longer. Or someone from IT calls and asks for your password, you provide it, and now your password is no longer a secret. IT should never need to ask you for your password because they can change it; however, even if you give it to them, insist that you are forced to change it when they are done.
Going back to how it is done: step one is social engineering and established user trust. Then you have more traditional methods such as Trojan horse programs. Trojan horses are just as the name implies: a picture, document, PDF or other creatively disguised program that, once opened or in some cases just moused over, executes a program or a virus which will then install other programs that could open a backdoor into your system. In a predominantly Windows world there are some common programs used to access computers; programs such as Back Orifice, NetBus and SubSeven allow remote connections to computers that can be used to download or upload data to and from a computer. Denial of service attacks, although in today's world they are more of a nuisance than anything else, are still out there and can cause disruptions to normal business activity, either by taking down web based services or applications or simply slowing networks down to the point that they create a completely unproductive environment.
A big weakness in most networks, and one that is often overlooked, is unprotected network shares. First off, what is a network share? A network share is primarily a network drive that is accessible to multiple users across a local area network or wide area network. However, other network resources have become smarter, and connected copiers, VoIP voice mail systems or the phone system itself that sit on the network and are accessed across it can also utilize network shares. Network shares can be exploited by intruders in an automated way; this is a very common manner by which Ransomware and CryptoLocker viruses are spread across internal and external networks. This becomes a security issue because network to network or site to site security, especially on the Internet, is interdependent from one computer to another. A compromised computer can cause problems across the entire web of interdependent computers on the Internet or a network, and this interdependency is what makes Ransomware and Crypto viruses so devastating, but more on these later.
Another common data mining process that hackers use to watch your network and probe for vulnerabilities on the Internet is called packet sniffing or scanning. Now that mobile devices have become so popular and are increasing exponentially, wireless packet sniffing and scanning is becoming more commonplace. Packet sniffing can actually capture the individual packets in which data is transmitted across networks or through wireless activity.
Contained within those packets could be data such as usernames, passwords, and any proprietary data that travels in plain text. Given the ease of setting up and utilizing a packet sniffer on the Internet, this could potentially put thousands of usernames and passwords at risk simply due to human error. Human error? Yes. Have you ever accidentally entered your password in the username field? A simple mistake like that can expose it to being captured by a packet sniffer.
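The human-error case above, a password typed into the username field, also lands in the authentication log in clear, and that is where a defender can catch it and force a rotation. The following example is added here and is not from the article: it scans a constructed gateway log for unknown-user failures whose "username" looks like a password and attributes each to the next successful login from the same source; the log format and the organisation's username convention are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample authentication-gateway log (not from the article).
SAMPLE_LOG = """\
2024-03-01T08:12:01Z auth-gw LOGIN_FAILED user="jsmith" src=10.0.4.21 reason=bad_password
2024-03-01T08:12:09Z auth-gw LOGIN_FAILED user="Tr0ub4dor&3" src=10.0.4.21 reason=unknown_user
2024-03-01T08:12:15Z auth-gw LOGIN_OK user="jsmith" src=10.0.4.21
2024-03-01T09:41:02Z auth-gw LOGIN_FAILED user="Fluffy2015!" src=10.0.7.3 reason=unknown_user
2024-03-01T09:41:10Z auth-gw LOGIN_OK user="mgarcia" src=10.0.7.3
2024-03-01T10:02:44Z auth-gw LOGIN_FAILED user="bob.lee" src=10.0.9.8 reason=unknown_user
2024-03-01T11:15:00Z auth-gw LOGIN_FAILED user="Winter2024$" src=10.0.2.2 reason=unknown_user
"""

# Assumed log line layout: timestamp host EVENT user="..." src=... [reason=...]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<event>LOGIN_\w+) user="(?P<user>[^"]*)" '
    r'src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$'
)
# Assumed username convention for the organisation: lowercase letters, digits,
# dots, underscores and hyphens only. Anything else in the username field is suspect.
USERNAME_RE = re.compile(r'^[a-z][a-z0-9._-]{1,31}$')
CHAR_CLASSES = (r'[a-z]', r'[A-Z]', r'\d', r'[^A-Za-z0-9]')


def looks_like_password(value):
    """True if a submitted 'username' breaks the naming convention and mixes
    three or more character classes, i.e. reads like a complex password."""
    if USERNAME_RE.match(value):
        return False
    return sum(bool(re.search(p, value)) for p in CHAR_CLASSES) >= 3


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_exposed_credentials(text, window=timedelta(minutes=5)):
    """One alert per unknown-user failure whose 'username' looks like a password,
    attributed to the next successful login from the same source inside the
    window so the right account can be told to rotate its password."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "LOGIN_FAILED" or ev["reason"] != "unknown_user":
            continue
        if not looks_like_password(ev["user"]):
            continue
        owner = None
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later["src"] == ev["src"] and later["event"] == "LOGIN_OK":
                owner = later["user"]
                break
        alerts.append({
            "when": ev["ts"].isoformat(),
            "src": ev["src"],
            "probable_account": owner,
            # Never copy the leaked secret into the alert; a hash prefix is
            # enough to correlate back to the raw log entry if needed.
            "value_sha256": hashlib.sha256(ev["user"].encode()).hexdigest()[:12],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exposed_credentials(SAMPLE_LOG):
        print(alert)
```

An alert with no probable account still matters: the value was sent in clear from that source and should be treated as burned once its owner is identified.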
There are many other methods that hackers can utilize to gain access to your network or computer. The methods we have talked about are just the tip of the iceberg. However, most depend on a couple of factors, which could include human error, human trust, programming errors that expose weaknesses in SQL databases, stolen credentials, DNS hijacking, misconfiguration of network devices or computers, or unintentional information disclosure. There is not a single weakness that creates hacking opportunities, which also means there is no silver bullet for stopping it. Hacking typically requires a combination of a lot of things that have to come together in order to provide an opportunity, which is why network, workstation and Internet security is an ongoing, never ending process to manage the threat, mitigate the threat, and react to a threat once it is discovered.
What are hackers looking for when they try to access your system? Most people think that if your system is hacked, bells and alarms will go off, lights will flash or your system will start doing crazy things. In the case of viruses some of those things may happen, like poor system performance or pop ups when you are browsing the Internet. However, in most cases good hackers will be very difficult to track and detect, because they don't want you to know they were on your system. From a hacker's perspective the perfect scenario is that the longer you go without realizing your data has been stolen, the more it is worth to potential buyers on the data black market.
Let's just assume a hacker gets into your system; what are they after? In some cases the data seems harmless on the surface, but you have to put the entire puzzle together in order to fully understand how stolen data moves across the Internet, and then how that stolen data is used to facilitate identity theft, bank fraud, credit card fraud, or simple online purchases of goods and services. In some cases hackers are simply looking for email addresses. Have you ever gotten an email from yourself, or wondered how you got on so many SPAM email lists? Online marketers pay for lists of validated emails; they not only pay to have them created for their own use, they will then put the lists up for sale to other email marketing companies.
Email addresses are just part of the story; there is more, and yes, as you put these individual pieces together you will see how the value of the data continues to grow. If you are an online gamer, hackers could be interested in you because online games typically require a username and password, or the bigger prize may be the license key of the game you are playing. With some games you have to pay to play, so now you are exchanging currency, which could be in the form of a credit card, and that is always a major prize. Let's back up a little bit: what is the value of the username and password to a gaming system? Habit! Most people use either the same password or username for multiple things, or some variation of the same password and username, so if I can capture your username and password then chances are it will work on more than just your gaming system. Why the licensing key? Gaming has become so popular that it is a multibillion dollar a year industry, and that makes licensing keys very valuable on the black market. Of course the value of credit card information speaks for itself, but let's take that one off the table for just a second. If I were a hacker and targeted you for some reason, and I have your email address, your username and password, then with just those things I am a couple of steps closer to becoming…you!
Then there is what we call reputation hacking, which again is one of those nuisance things, or could it be more than that? Reputation hacking is when someone hacks your Facebook page, LinkedIn page or some other social media site. OK, it's a pain, but other than sending out a few harmless messages what harm could there really be in that? I'll change my password and things will be fine. It is a wonderful connected world, and who do you connect with? Your mother? Who has a brother? His last name is your mother's maiden name? Ever use your mother's maiden name as your security passcode? Then there are your kids' names, your dog's name, where you went to high school, your first car, where you work, your birth date, your kids' birth dates, your anniversary. Social media sites are a volume of data about you, and how many of us have used parts or all of these little tidbits of information to create or manage passwords and usernames?
Now that we have some good data on you, what are we really going after? First, access, of course, to your computer or your local area network. The goals may differ depending on whether you personally have been targeted or the company you work for has been targeted. Corporate networks tend to be a little harder to get into; however, the process of information gathering may be similar. As an example, maybe your username on your network is some variation of the naming convention in your email address? So let's start there and see how far I get with that as a username. Then your password, statistically, is going to be some combination of personal information that you can remember, such as the information I gathered off your Facebook page. Now, the golden prize that I really want to get to is credit card information, banking information, website logins, mutual funds and 401K accounts, and there are many other prizes out there that feed into identity theft and other activities, all done with your name.
So, in the big scheme of things, what in the world are hackers really going after? Right now the biggest thing is identity theft. In a recent study by the FBI, 54% of incidents are based around identity theft. Financial access makes up 17%, account access is about 11%, and the surprise is that corporate data is only 8%. In the corporate world the biggest threat to your company data is your employees; however, 55% of identity theft is done by an external threat. This is one study that covers a small percentage of incidents; there are larger studies, but the trends seem to follow suit.
Not all hackers are after your data, and you and your business may not be the actual target. The one thing that companies have that most hackers are not going to have is very high computing power. Again, good hackers do not want you to know that your system has been hacked. Why? Because they may want to come back and use your servers to launch attacks on other businesses, which may have been the original target, but they needed your help to execute their plan. If their hacking efforts create issues on your servers or network, or if the footprint is too big from a business disruption perspective, such as slowness, then the likelihood that you are going to notice and take countermeasures is much higher. Once a hacker has access to your system there is a lot that can be done without your knowledge, and it is amazing how much can happen without your IT department even knowing it. Hackers have been known to set up web servers and use them to distribute various illegal SPAM or black market information. This activity could and does include phishing websites, malware download sites (including Ransomware and Crypto viruses), a pirate server to distribute illegal copies of software, an explicit material server, a webcam feeder site, and a traditional SPAM distribution site.
The data black market: what is it and how does it work? This is something I have written entire articles about, but basically the data black market is one of the very last truly free marketplaces, where the value of something is based on the perception in the buyer to seller relationship. I think it is easy to imagine how the black market works from the perspective of "I have stolen credit card numbers, who wants to buy them?" One of the most common questions, though, is why we can't simply follow the money and arrest these people. In most cases the actual interaction between buyer and seller is done through chat rooms or simple email once a connection is made, and then the financial transaction is completed through the use of Bitcoin.
Bitcoin is basically untraceable digital currency. Once a dollar has been changed into Bitcoin, tracking that Bitcoin transaction is virtually impossible. Setting up a Bitcoin account is relatively easy; there are clearing houses or online banks such as Dwolla. Once you have an account set up at Dwolla you have to set up an account at a Bitcoin exchanger, and there are many to choose from. Then you simply transfer funds into your Dwolla account and move those dollars through the exchanger, which converts the dollars to Bitcoin. Now you can send digital funds to any other Bitcoin account. The transferring of these funds can be completely anonymous and untraceable, which is why authorities simply can't follow the money.
Is the world coming to an end? Nope, there are steps you can take to protect yourself. Some of these steps are going to vary depending on whether you are protecting personal systems or corporate systems. Security audits on corporate networks are critical; security is not one of those do it once and forget it things. Security is an ongoing, never ending process that has to be paid attention to, managed and invested in on an ongoing basis. Security is not something to save money on; it should be a layered approach, basically creating a maze of obstacles that have to be navigated in order to gain access to your network. Performing security audits is the first step to understanding where you are in the many areas of security: what is good, what is bad, what the weaknesses are, and how you put a strategy in place to correct them and harden your network. Don't forget what the biggest threat to your company's actual data is: your employees. As you harden your system from external threats, you have to harden it from internal threats as well.
Part of having a solid security initiative is employee training on their roles in managing and maintaining a solid security methodology. Corporations need to have strong policies and procedures in place to help protect the overall business; however, employees will do what employees do, which at times will put the business at risk. When one of these situations arises, how do you react, and how do you handle a security violation from a human resources perspective? Without solid training and policies in place, your ability to take corrective action could be limited. Employee training should include instruction on password policies, the importance of changing passwords on a regular basis, utilizing complex passwords, how to identify a potential risk, and what to do if they think they have identified a risk factor. Employees do play a critical role in security, and their understanding of why certain things happen and why the company has to take the steps it does in order to protect itself is critical to the overall security initiative.
Corporations have a much higher burden and a lot more to think about in order to have a security methodology that effectively protects the business, but is not so tight that it prevents employees from doing their jobs and being productive. It is interesting to watch companies go through the evolution of developing a security protocol. On one hand they want to kill the IT department if the company gets a virus, thinks it has an intrusion, faces some kind of data loss, or finds it is not practicing industry standard security protocols. On the other hand, they won't enforce the policies they develop, or they come up with other practices that circumvent the security protocols designed to protect them, such as allowing outside email addresses to be used for business purposes, or online file sharing systems. I have seen larger companies where the protocols and procedures are so tight that they have a really hard time getting tools, software and other legitimate technology resources past the IT approval process. However, employees and corporate executives have to understand that once you open that door it can be a very slippery slope, and repairing the system is much more complicated and costly than properly protecting it in the first place.
A solid security plan always starts with having a good backup; an electronic offsite backup is now considered the industry standard. Other key components are solid, complex passwords that are not similar to each other and that change on a regular basis. With the high adoption rate of mobile devices, using encryption software and locking these devices is increasingly becoming a necessity in the business world. Take a layered approach to protecting your system and your data, with hardware based web filters, SPAM and malware filters, and a good corporate anti-virus running on all devices such as laptops, desktops, mobile devices and servers. Have good corporate level firewalls with intrusion detection and web filtering protection, along with a good corporate level router. It is just as important to have good management of your network: eliminating old users from your domain and email systems, limiting attachments through your email systems (and certainly no executable files), eliminating network shares, limiting employees' access to network resources, and having proper data retention and archiving practices. I would also recommend that you limit or eliminate the practice of BYOD, or Bring Your Own Device, plans. There are legal questions about the amount of security a company can push onto a device it doesn't own, along with some questions around the ownership of intellectual property once it is downloaded to a personal device.
What do the future of security and the next generation of viruses, spyware and malware mean to corporations? Typically the viruses utilized by hackers fall into two categories: polymorphic and metamorphic. Polymorphic viruses have a consistent virus body, which makes them easier to detect and decrypt. This also makes the design of countermeasures possible. Metamorphic viruses do not decrypt to a consistent virus body; a metamorphic virus will change its shape but typically not its behavior. This makes them very difficult to detect until the virus has already been activated, which leaves you dealing with the behavior aspect of the virus. What we have seen over the last few years is that viruses have become more metamorphic and have reached a point where they are learning on their own. This allows them to change based on the countermeasures you have in place on your network, like anti-virus. Because of this intelligence, viruses now will probe for weaknesses and then change either their body or their behavior in order to execute and infect your network, which can provide hacking opportunities.
Now that we have discussed how hacking works, what hackers are looking for and what the next evolution of viruses may look like, there are some factors to consider. “Always on” connectivity: we all have it now, with smart phones, tablets and other mobile devices. You have to keep in mind that these are actually computers that will connect to networks that may or may not be protected. Due to their overall lack of security, these mobile devices have become prime targets. When you think about always being connected, one question you may ask is, do I always need to be connected? Keep in mind what you are connecting to. Don't use public Wi-Fi, implement two factor authentication, and utilize HTTPS as often as you can. Along with mobile devices come the apps we love so much. They track everything from weight loss programs to passwords. Are you encrypting that data, or just running the app? There are over 600,000 apps, and the number is growing daily. Apps have also become a favorite target for hackers because they know that sooner or later you will connect to a network for data, email or something else, and all they need is that connection using your username and password. Combine all these factors with the overall lack of security in place in corporations around the world and you can see that the future for computer hacking is very opportunistic and will become more sophisticated.
I have always preached: don't overlook security, because your data is worth something to someone. It is simply not as hard as people think to get information about you and to become you. We as a society have become more and more connected, and we see people sharing more and more information about themselves. We have seen a rise in hacking and identity theft, and the black market for stolen corporate data is in the billions of dollars. The real underlying problem is not that the security countermeasures we implement fail us; it is that the humans who use the technology fail us, because as much as we want to be secure we don't want the inconvenience of security. I have been in the technology business for over 35 years, and there is no such thing as 100% secure, because of the human factor involved in security and the lack of overall leadership within the corporate ladder to implement and stick with approved policies and procedures and to enforce a strong security culture within their organizations.