There is no lock that cannot be opened!
Starting from this statement, in this note I will "try" to explain the hacker's perspective on IT security. I will also share some interesting case studies from my past (black-hat and white-hat life), along with the most effective countermeasures.
To start with, hackers are broadly divided into two types: black hat (the dark side of hacking) and white hat (ethical hacking). A simple formula says that to be a good cop, you must have the mind and thought process of a criminal. So no hacker (as far as I know) can claim to have turned straight into a white hat without having done at least some of the following:
- Memorised the key-in sequence while your friend typed it.
- Glanced at and remembered the credit card details of the next person at the counter.
- Knew the root credential of the school's LAN.
- Impressed your friends by logging in to Windows 95 with their user ID (by deleting the .pwl password file over a share).
- Browsed the open/hidden shares on your office LAN and simply tried the default local admin user/pass.
- Sniffed the office network for user IDs and passwords flying by in clear text, from all those who "LOVED" you.
- Often used Yahoo Chat bots, voice booters, ID creators, AOL chat hacks and MSN chat hacks.
- Many others...
Today, in the era of the internet's grand evolution, we are all exposed to hacking, phishing, malware, ransomware, viruses and every other threat. If a person with bad intentions wishes to break into our computer or mobile, it is rather easy.
However, intelligent hackers try not to leave traces, and that is where forensic experts come to the rescue. The following security roles have become key to securing critical information:
- Security Expert / InfoSec Expert
Creates policies and processes, and selects the tools and strategies used to secure critical information. The SE is also responsible for validating the security measures by running penetration tests against enterprise resources.
- Forensic Expert
Runs forensic tools, gathers evidence, recovers information from various sources and assists in security breach incidents.
With the passage of time, hackers have become more sophisticated, with ample resources to earn money and to buy compute and network capacity for running distributed attacks. Yet the key methodology, and the most effective way to hack, is still to adopt COVERT procedures. Following are two basic scenarios; observe the similarity:
- Case - Yahoo Mail Password Hack
Back in 2001, a group of IT engineers emerged who used to create interesting chat IDs and join Yahoo chat rooms. They would become friends with random people, and within a week or so they would gather some basic information about the person. Next, the victim's MSN or Yahoo mail was compromised using basic details like the dog's name, first car etc. To your surprise, almost 40% of the people I used to interact with had their password set to "India123". I worked with the State Police to help victims of IT adolescence and conducted several workshops for different organizations on IT security awareness.
- Case - Fetch the email
Once a senior person called me in and asked me to crack the email of a prominent businessman who was accused of money laundering and smuggling. I worked on the details for a week and then created a plan. I figured out the local computer services vendor who was providing AMC services to this businessman. We sent a mailer with a cross-scripting link, and on clicking it we executed some code on his laptop. The service company was called in to clean the virus and save the data. I went in as a newly appointed engineer, along with another familiar engineer. My aim was to copy the Outlook Express file onto my CD-R, which I did very swiftly, without even letting my "SENIOR" know. We bid goodbye to the businessman and submitted the CD-R to the department, which had enough evidence to build a case against him.
These two cases used covert techniques to fetch information, which is generally what spies do. There are other techniques I have used in the past to capture useful information:
- Reading papers from trash bins (dumpster diving)
- User IDs and employee IDs are often posted at the main entrance of most data centers, on the list of "authorized" persons
- Listening to discussions in the cafeteria or restrooms
- Reading visitor entry registers ("To meet XXXXXX")
Now, a bit on the technical side: hackers never operate in the open. They use different paths, private VPN servers, several proxies (private and public) and other networks to reach the target. They usually scan for a target service that is known to be vulnerable. Stuffing the communication pipe with traffic generally results in a slow response from the service or no response at all (denial of service). Below is a list of the most common tactics used by hackers:
- Using private VPNs
- Hiding their identity further behind proxy servers
- Targeting the most vulnerable service
- Connecting to any service port with telnet, which reveals whether the port is listening (and often a banner identifying the software)
- Running port scans in intervals, spread out so they stay under detection thresholds (patience is a virtue)
- ARP spoofing (to pose as the legitimate source or gateway on the LAN)
- Scanning the local network for open/hidden shares
- Gathering user IDs and passwords from public networks
- Leaving keyloggers or other programs behind via USB or any other means
- Running hidden FTP/web servers on victims' computers
- Compromising operating system files by injecting code that leaks information from the computer
- Running bots and leaving persistent threats/zombies on the system
- Owning a botnet and continually changing the bot server it reports to
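The "port scans in intervals" tactic above only works because most detection rules look at bursts. The following added example, which is not from the original post, shows why: it feeds constructed firewall-style log lines for a fast scan and a slow scan through a naive per-minute burst rule, then through a longer-window rule that counts distinct ports per source and target, which catches both. The log format, hosts and thresholds are assumptions for illustration.

```python
"""Added example (not part of the original post): burst-based versus
distinct-port scan detection over constructed firewall log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed format: "<ISO time> <src> -> <dst>:<port>"
# Fast scan: 20 ports in 40 seconds from 203.0.113.5.
FAST_SCAN = [
    f"2024-05-01T10:00:{s:02d} 203.0.113.5 -> 192.0.2.10:{p}"
    for s, p in zip(range(0, 40, 2), range(20, 40))
]
# Slow scan: the same 20 ports from 198.51.100.7, one probe every 3 minutes.
_T0 = datetime(2024, 5, 1, 10, 0, 0)
SLOW_SCAN = [
    (_T0 + timedelta(minutes=3 * i)).isoformat() + f" 198.51.100.7 -> 192.0.2.10:{p}"
    for i, p in enumerate(range(20, 40))
]


def parse(line):
    """Split one log line into (timestamp, src, dst_host, dst_port)."""
    ts, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)


def burst_detector(lines, window=timedelta(seconds=60), threshold=10):
    """Naive rule: alert on a source that makes >= threshold connections
    inside any sliding window. A scan spaced wider than the window is invisible."""
    recent = defaultdict(deque)  # src -> timestamps inside the window
    alerts = set()
    for ts, src, _host, _port in sorted(map(parse, lines)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return alerts


def slow_scan_detector(lines, window=timedelta(hours=24), threshold=15):
    """Long-window rule: alert when one source touches >= threshold distinct
    ports on one target within the window, regardless of pace. The cost is
    state per (src, dst) pair, and legitimate monitoring hosts must be allowlisted."""
    recent = defaultdict(deque)  # (src, dst) -> (timestamp, port) inside the window
    alerts = set()
    for ts, src, host, port in sorted(map(parse, lines)):
        q = recent[(src, host)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    print("burst rule, fast scan:", burst_detector(FAST_SCAN))          # {'203.0.113.5'}
    print("burst rule, slow scan:", burst_detector(SLOW_SCAN))          # set()
    print("distinct-port rule:", slow_scan_detector(FAST_SCAN + SLOW_SCAN))
```

The burst rule flags the fast scanner and misses the patient one entirely; the distinct-port rule flags both. In practice the two are layered: the burst rule is cheap and fast, the long-window rule costs memory but is what actually answers "patience is a virtue".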
There are several other ways to compromise a system and breach its security. These threats call for greater awareness among end users and improved security at the enterprise level. To enhance security, the following measures can be taken:
- Run penetration tests in-house with every code change for any enterprise app/resource
- Keep a high vigil on the latest security breach incidents across the industry
- Enable identity-based network access, so that access is tied to who the user is rather than where the packet comes from
- Implement a network behaviour monitoring system and grant access to resources based on a risk weighting
- Instead of maintaining a blacklist of programs, focus on whitelisting the programs and files that are allowed to run
- Make sure that the added security does not end up blocking legitimate, secured access to enterprise resources (controls that people cannot live with get bypassed)
- Make sure that access to all servers, network devices etc. is managed through a privileged access management (PAM) tool
- Faster reconciliation between LDAP and HRMS, so that accounts of people who have left are disabled promptly and accounts with no HR record are spotted
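The last measure is the one most often left to a quarterly audit, which is exactly the window a leaver's still-enabled account is useful to an attacker. The following added example, which is not from the original post, reconciles a constructed HR export against a constructed directory dump and reports enabled accounts of terminated staff (with how many days overdue they are), enabled accounts with no HR record, and disabled accounts of active staff. The record shapes, names and the "employee ID on the account" link are assumptions; a real run would read the HR export and the result of an LDAP search.

```python
"""Added example (not part of the original post): LDAP-vs-HRMS reconciliation
over constructed records."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                    # assumed values: "active" or "terminated"
    end_date: Optional[date] = None  # last working day for terminated staff


@dataclass(frozen=True)
class DirAccount:
    uid: str
    employee_id: Optional[str]     # None = service account or account provisioned without a link
    enabled: bool


# Constructed HR export: two active employees and one who left on 30 April.
HRMS = [
    HrRecord("E100", "active"),
    HrRecord("E101", "terminated", date(2024, 4, 30)),
    HrRecord("E102", "active"),
]

# Constructed directory dump: bob (E101) is still enabled after leaving,
# carol (E102) is disabled although active, svc-backup has no HR link,
# dave claims an employee ID that HR has never heard of.
DIRECTORY = [
    DirAccount("alice", "E100", True),
    DirAccount("bob", "E101", True),
    DirAccount("carol", "E102", False),
    DirAccount("svc-backup", None, True),
    DirAccount("dave", "E999", True),
]


def reconcile(hr_records, accounts, today):
    """Return the three classes of mismatch between HR and the directory.

    orphaned:        enabled accounts whose owner HR lists as terminated,
                     as (uid, days_overdue) measured from the end date
    unknown:         enabled accounts with no matching HR record at all
    disabled_active: disabled accounts whose owner HR lists as active
    """
    hr = {r.employee_id: r for r in hr_records}
    findings = {"orphaned": [], "unknown": [], "disabled_active": []}
    for acct in accounts:
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # No HR owner: service accounts belong here too, and each one needs
            # a named human owner recorded elsewhere, or it is a finding.
            if acct.enabled:
                findings["unknown"].append(acct.uid)
        elif rec.status == "terminated" and acct.enabled:
            overdue = (today - rec.end_date).days if rec.end_date else 0
            findings["orphaned"].append((acct.uid, overdue))
        elif rec.status == "active" and not acct.enabled:
            findings["disabled_active"].append(acct.uid)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HRMS, DIRECTORY, date(2024, 5, 3)).items():
        print(f"{kind}: {items}")
```

Run daily (or on every HR change event) rather than quarterly, the "orphaned" list is the one to act on first; the "unknown" list is where stale service accounts and badly provisioned users accumulate, and it is the list the PAM tool from the previous bullet should be fed.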
Following the above measures, and keeping the hacker's perspective in mind, one can lay the foundation of information security for any enterprise. The purpose of this post was to highlight the need for security and to introduce the key concepts of hacking.
I am sure this post was helpful in some way and served its purpose. I would appreciate comments, likes, and suggestions.