Mattia Campagnano

Wednesday, December 17, 2014

How to think like a hacker

I'm a hacker sitting in a dark cyberpunk room looking for suckers like you.

You hear about a security breach and you blame it on hackers.

Whose fault is it if your password is 123456? Whose fault is it if you are so lazy when it comes to protecting your money and your information?

The truth is you deserve to get screwed. I worked hard to learn all I needed to know, sacrificed hours, days and years of my life to learn how to use my full power.

Yes, I'm a criminal mind, but you may be an unknowing accomplice when you're careless and think breaches can never happen to you. Well, I've got news for you.

The fact you've never been attacked doesn't necessarily imply you'll never be in the future.

Well, today's your lucky day because I'm an ethical hacker. What? You thought all hackers were bad, didn't you?

You probably don't know that most of the software you use, and the Internet itself, were created by ethical hackers.

We're weird guys who try to understand which way a bad guy could screw your system. We patch all the holes we find before they can be used against you.

You may well need to hire someone like me one of these days. Do you think this is a waste of money? Do you know how much money Sony lost as a consequence of the latest security breach?

Billions of dollars. The harm caused to the company image and the customers' trust goes beyond any possible economic assessment, though, because it's going to last for years.

Do I have your attention now?

If you want to secure your network and your system, you need to think like a bad guy and know how (black hat) hackers work.

Analyze your network

The first stage of an attack is called reconnaissance. The hacker tries to gather information about your company and your network which could facilitate getting access to the system.

Try to hack yourself and see what kind of response and which services you can access from outside your network. You could be surprised by what you find.

Google yourself to make sure no confidential information is available to the general public and, if you find something out there that shouldn't be for all to see, take it down immediately for good.

Some hacks available for Google may allow an attacker to access reserved databases and information, if the system administrator doesn't correctly protect them and doesn't change the default security settings.

For more information about it, you can visit Google Dorks. If you find anything confidential after this search, take the necessary actions immediately.

Another dangerous type of attack is social engineering. In this case, attackers rely on psychological manipulation techniques rather than on technical skills. They try to trick authorized users into revealing their access credentials in several ways (by pretending to be a customer who has forgotten or lost the username and password needed to access their account, or a help desk technician who is updating or verifying the company's systems and asks the user for their credentials to install software, etc.). These are only a few examples, but these guys are pretty ingenious.

How can you prevent this risk? I know, the standard response is to train your employees on company policies and tell them they must not reveal this type of information to anyone, unless A, B or C happens and blah blah blah.

13 pages of a Word document, surely important, which your employees will forget as soon as they leave the room.

The best way to understand where you stand from a security standpoint is to attack your call center yourself by using these techniques. You'll probably be shocked by the results.

I know, you thought a 13-page Word document and a training session would give you peace of mind, but companies are made up of people, and they are the weakest link in information security.

A document is a waste of time if the people in your company don't fully understand why you're doing this, why it's important and what consequences can directly impact them. It only works if they buy into it because it means defending their own jobs in the first place.

The main point here isn't to learn a document by heart but to make sure the company can stay in business, as the most harmful breaches have led some organizations to close for good.

A good way to avoid giving away too much information about the network is to restrict commands like ping or traceroute run from outside the network. This solution is commonly implemented by several major corporations.

Intelligence on the network can also be gathered by using public registries and whois or lookup services.

An alternative for UNIX/Linux systems is to run the nslookup command from Terminal (in Windows, from Command Prompt).

Close the holes

Don't leave any unused ports or services open. It would be like protecting your front door with armed guards while leaving the back door(s) open.

Any unused service or port can be used to gain access to the system, so you want to disable them right away.
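One way to audit this on a Linux host, as an added example that is not part of the original post: the script parses `ss -tlnH` output and reports TCP listeners that are reachable beyond loopback and are not on an approved list. The sample output and the approved port list are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (TCP listeners, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      80                 *:3306             *:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096           [::1]:631           [::]:*
"""

# Hypothetical policy: the only ports this host is meant to expose.
APPROVED_PORTS = {22, 443}


def is_loopback(addr):
    """True when the bind address is reachable only from the host itself."""
    host = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface suffix
    if host == "*":  # ss prints * for "all addresses"
        return False
    return ipaddress.ip_address(host).is_loopback


def parse_listeners(ss_output):
    """Yield (bind_address, port) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)


def unexpected_listeners(ss_output, approved_ports):
    """Return sorted (port, address) pairs exposed beyond loopback and not approved."""
    return sorted(
        {(port, addr) for addr, port in parse_listeners(ss_output)
         if not is_loopback(addr) and port not in approved_ports}
    )


if __name__ == "__main__":
    for port, addr in unexpected_listeners(SAMPLE_SS_OUTPUT, APPROVED_PORTS):
        print(f"unapproved listener: {addr}:{port}")
```

On a real host, feed the function the text captured from `ss -tlnH` and replace the approved set with the services the machine is actually meant to offer.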

Implement strong passwords but don't overdo it. The best option is to implement single sign-on solutions or, for more critical systems, one-time password implementations or a combination of biometric samples and password authentication. Forcing users to remember 30 different passwords will cause them to write them down on a sticky note left on their desktops, for everyone to see (yeah, I've seen this, too).

Passwords should be changed often for them to be effective, but you should be clear about what methods to use in order to create a new password. Otherwise, you could have a bunch of users locked out and several help desk tickets created, which could facilitate social engineering attacks.

SQL injection is an often overlooked attack that, despite being quite old, still succeeds because of sloppy security settings.

To minimize the risk of breaches, your company must stay on top of state-of-the-art technology and security implementations as much as possible. For each dollar spent on IT security, bad guys spend one dollar trying to develop exploits.

Don't rely too much on automated solutions because the most dangerous attacks come from zero-day vulnerabilities. In other words, attackers analyze the software and its related documentation, looking for potential vulnerabilities and weaknesses overlooked by the developers.

Once they find one, they develop a proof of concept, which could be successfully used to exploit the vulnerabilities and gain access to, or harm, a system.

Information security professionals must reason like an attacker would and analyze the software for potential vulnerabilities. The fact you have an IDS or IPS installed is important, but it becomes much less helpful if an attacker finds a way to hide or obfuscate their activity.

The biggest problem with security software is the possibility of false positives. A skilled hacker could find a way to disguise their attack as normal network activity or something different from what it really is.

The best security system relies on email, web firewalls and endpoint protection.

However, these solutions must be supported by critical thinking and wide professional experience, which are vital in order to distinguish what seems to be going on from what is actually going on.

Don't overlook disgruntled employees because, being inside the security perimeter, they're the most dangerous attackers.

Of course, there's much more to say about this topic, but I think or, at least, I hope you got the picture.

So, from now on, when you hear about a security breach, just start wondering: what did they do wrong? What could have been done to prevent this? What do I learn from this?

Hopefully you won't be the next victim.

If you haven't learned anything from all this, you may well need someone like me in the next year or so, so drop me a line.

