How I Would Hack You: Confessions of an Ethical Hacker

“How I would hack you…” is a compelling opening statement to say the least. The global business community has experienced an economy left supported by our web technologies in the midst of a global pandemic, social concerns, and conflict in recent months. Prior to that, even, it would be a challenge to identify a single competitive organization that does not rely on web technologies, networks, and applications to support their finances, data, services, and more. 

“How I would hack you” is a chilling statement for any supervisor, manager, or executive to hear, and one that should pique the interest of any business owner.

What do you imagine a hacker really is? Does it invoke images of a dark, wet basement isolated in an old warehouse filled with green glowing computer screens and empty bottles of Mountain Dew? Do you think of a hooded figure tapping frantically at his laptop battle-station, actively gathering your passwords, usernames, and credit-card numbers? The reality might surprise you, and you may find it is a bit different than the action-movie persona you have seen.

In a recent webinar titled “How I Would Hack You: Confessions of an Ethical Hacker,” James Carroll, information security engineer at Secure Network Technologies, Inc., gives us a look under the hood at how it’s done by the pros. Carroll has served in his role at Secure Network Technologies for more than 10 years, protecting the data of clients ranging from NFL teams to small credit unions. He starts with an introduction on how he got into hacking: knocking other players’ networks offline in video games to take the win and level up his account at breakneck speed (a practice he now discourages, since “denial-of-service” attacks are now considered a felony). Carroll then lays out his presentation format, which covers: “Current Events; 2 Types of Hacks; How These Hacks Happen; The Anatomy of a Hack – 4 Phases of pwnage; Open-Source Intelligence Gathering; Gaining Network Access; Gaining Admin Access; and Where Does This Data Go?”

Cybersecurity concerns have become magnified during the coronavirus pandemic. COVID-19 themed phishing and spam are “absolutely skyrocketing,” according to Carroll. Hackers are opportunistic and are taking full advantage of the sudden shift to remote work, and of the security weaknesses that come with it. He demonstrates current hacking trends that use “phishing” emails to trick unaware users into handing over passwords or clicking malicious links.

Breaking this down further, Carroll describes that there are two typical types of hacks — “social engineering” and “people hacking.” Social engineering leverages what he calls “the obvious”:

• Phishing — Fake emails made to look like real ones in order to get users to click a link, share info, or download something they otherwise wouldn’t.

• Pretexting — Impersonating someone at your organization.

• Baiting — Leaving something like a thumb drive loaded with malware in a parking lot or other busy area outside a workplace, where someone might pick it up and plug it into their computer, infecting the whole network.

• Vishing — “Voice phishing,” where someone pretends to be an official source such as a government organization, a bank, or even your own company.

• Physically Breaking Into Buildings — The good old-fashioned “smash and grab”.
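The phishing and pretexting bullets above describe mail crafted to look like it comes from someone you trust. As an added example (not from the webinar or from Secure Network Technologies), the following Python checks two of the giveaways a defender can look for: a sender domain that is one character away from, or a visual confusable of, a trusted domain, and a Reply-To header that routes answers somewhere other than the apparent sender. The sample messages, the trusted-domain set and the confusable table are constructed for illustration.

```python
"""Flag e-mails whose sender looks like a trusted domain but is not (illustrative example)."""
import email
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed sample messages: one genuine internal mail and two phishing lookalikes.
GENUINE = """From: "Pat Jones" <pat.jones@example.com>
Reply-To: pat.jones@example.com
Subject: Q2 budget

Attached.
"""

LOOKALIKE = """From: "Pat Jones" <pat.jones@examp1e.com>
Reply-To: pat.jones@examp1e.com
Subject: Urgent: wire transfer

Please send the wire today.
"""

REPLY_TO_HIJACK = """From: "Pat Jones" <pat.jones@example.com>
Reply-To: pat.jones@mail-example.net
Subject: Updated invoice

See the new bank details.
"""

# Characters commonly swapped in lookalike domains, folded to the letter they imitate.
# This table is an assumption for the example, not an exhaustive confusable list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    folded = domain.lower().translate(CONFUSABLES)
    for src, dst in MULTI_CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means a single character was added, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if fold(domain) == fold(t) or edit_distance(domain, t) <= 1:
            return t
    return None


def analyze(raw: str, trusted: Set[str]) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message; empty list means clean."""
    msg = email.message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append(f"lookalike sender domain: {from_domain} imitates {target}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain differs from sender: {reply_domain}")

    return findings


if __name__ == "__main__":
    trusted_domains = {"example.com"}
    for name, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO_HIJACK)):
        print(name, analyze(sample, trusted_domains) or ["no findings"])
```

The Reply-To check matters because a spoofed From address alone gets the attacker nothing unless the victim's answer comes back to a mailbox they control; the domain-fold check catches the digit-for-letter swaps that survive a quick glance at a phone screen. Neither replaces SPF/DKIM/DMARC enforcement at the mail gateway, but both are cheap to run on what gets through.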

He goes on to describe people hacking as the tendency of hackers to look for the weakest link in your organization’s teams and routines in order to find a way in. As an example, Carroll shows a video of a physical intrusion test performed by Secure Network Technologies in which he gained access to a corporate building simply by “tailgating.” Carroll, in a forged corporate uniform and wearing a duplicated “official” ID badge, got in just by following an actual employee who scanned their ID to open the door first. The employee took one glance at Carroll, saw the ID badge, and felt comfortable enough to hold the door open for him. He walked in without a hitch, carrying a box of USB flash drives loaded with test malware to leave on the break-room table. This is one example of how a real hacker with malicious intent would gain access.

James recommends that employees should not be afraid to ask, “Who are you? Who are you with? Who are you here to see? What are you here for?” to unfamiliar entrants at the door of your organization. Additionally, he says it is a good practice to make everyone entering the building scan their own ID — describing instances where recently-terminated employees have come back in to steal data and compromise something within the business.

So how would James Carroll hack you? The same way an unethical hacker would. He calls this “The Anatomy of a Hack,” and it consists of the following four phases:

1) Open Source Intelligence Gathering (OSINT for short). Successful criminals do their homework first. In the criminal sense, open-source intelligence is used to ascertain relationships, contact information, work details and ultimately when and how you’re most vulnerable. It’s gathered from everything you publish about your life via social media and elsewhere.

2) Gain Network Access. Gaining access to a network will allow a malicious actor to identify devices, servers, and users within your organization, further developing the identification of targets.

3) Gain User Access. Once hackers have identified a user and a system, they work to gain user access on a host system through using their open-source intelligence or other hacking techniques such as phishing, vishing, and pretexting.

4) Gain Admin Access. Ultimately, gaining user access is the precursor to gaining administrator access, since administrator rights are frequently granted to, or reachable from, an ordinary user’s account. Admin access allows the hacker to install malicious software that can infect the entire network, in addition to reaching admin-restricted data and systems.

Throughout all of this, the goal is to remain undetected. Just as malicious actors want to stay hidden while stealing your valuable data, this remains an anchor for Secure Network Technologies’ own testing goals: to hack your organization in much the same fashion as a criminal might (without the damage and fallout that come with actually getting hacked), and then provide detailed results so your organization and its information-technology personnel know how to fix it (this is the part the bad guys hate). Some immediate recommendations Carroll makes for your organization are to exceed “best practices” for passwords, enable two-factor authentication for every app possible, and stop putting your entire life on social media, which is where hackers look first for sensitive personal information.

For any fellow nerds and aspiring ethical hackers out there, James shares some technical tools of the trade, software with fittingly cryptic names such as Metasploit, Empire, Burp, Responder and SilentTrinity, among others. You can check out Secure Network Technologies at www.securenetworkinc.com/cnybj.

Rob Dracker is CEO and creative director of WMC (Weapons of Mass Creation). Contact him at rob@wmcstudios.com or (315) 935-7982. This article is based on a GoToWebinar hosted by Ted Hulsy, CEO of Iron Path, on June 4, 2020, featuring James Carroll of Secure Network Technologies.