How You Will Be Hacked
In recent weeks we’ve seen an outbreak of hacker incursions. From government agencies like the US Dept. of Defense and the Federal Reserve Bank, to media companies like Facebook, Twitter and The New York Times, to the Bush family and now even Apple, the intrusions have been sophisticated and widespread.
If major institutions, with a wealth of resources and expertise at their disposal, are still vulnerable, what chance do the rest of us have?
In fact, the data do paint a grim picture. A recent study found that 90% of companies were breached at least once in the past 12 months. However, while the situation is difficult, it is not hopeless. Like any other form of attack, the first step towards protection and prevention begins with understanding the threat. Here’s an overview:
The Biggest Weakness of Any System
A computer network is more than a collection of hardware and software protocols. It also includes the people who access it, and they are every system’s greatest vulnerability. Often, rather than having to perform heroic feats of coding, intruders simply convince someone to unlock the door for them and walk right in.
In the hacker community, the technique is known as social engineering. A typical ruse is for the intruder to impersonate someone from technical support or someone else in an official capacity (even using their real name, which is fairly simple to look up online) and then, under the pretext of running an audit or some diagnostics, convince someone to give up their password.
A related approach is phishing, in which an e-mail is sent to a particular person with an attachment or a link that releases malicious code. Sometimes social engineering is involved as well, as when a report is sent from an e-mail associated with a colleague or a contrived technical service call directs an employee to the hacker’s web site.
Sometimes, hackers will go so far as to print out business cards with the company logo, show up after hours and, under the pretext of forgetting a key card, get janitorial staff to let them in. From there, a basic password cracking program loaded onto a USB drive can give them full access to the system.
Exposed Software Vulnerabilities
Every system these days incorporates a combination of technologies from a variety of sources. At any given time, there are vulnerabilities in some or all of them. Once they are exposed, they will most likely be posted to one of many hacker forums and from there they will be disseminated quickly.
A recent example is the security hole in Java that was reportedly responsible for many of the recent breaches (to patch this, see here). Most web sites use Java, so even a small vulnerability that is patched quickly is likely to lead to a number of successful incursions.
Often, software vulnerabilities are exploited by way of a code injection, in which a string of code is input into an entry field (e.g. a search box or subscription field), which unlocks the door. Once intruders are in, they can often gain entry to the rest of the system and, in some cases, are even able to gain root access, which gives them administrator privileges.
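The injection described above, shown for one common form (SQL injection through a search box) as an added example that is not part of the original post: the same search is built once by string concatenation and once with a bound parameter. The `articles` table, its rows, the inputs and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (title TEXT, public INTEGER)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [("Patch notes", 1), ("Press release", 1), ("Internal audit draft", 0)],
    )
    return db

def search_vulnerable(db, term):
    # The search-box text is pasted into the SQL statement, so a quote
    # character in the input ends the string and the rest runs as SQL.
    sql = ("SELECT title FROM articles WHERE public = 1 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_hardened(db, term):
    # The input is bound as a parameter: the database only ever treats it
    # as data to match against, never as part of the statement.
    sql = ("SELECT title FROM articles WHERE public = 1 "
           "AND title LIKE '%' || ? || '%'")
    return [row[0] for row in db.execute(sql, (term,))]

# Constructed inputs: an ordinary search term and one carrying SQL syntax.
BENIGN = "Patch"
INJECTED = "' OR public = 0 --"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable),
                      ("hardened", search_hardened)):
        print(label, "benign  ->", fn(db, BENIGN))
        print(label, "injected ->", fn(db, INJECTED))
```

With the concatenated query the second input returns the non-public row as well; with the bound parameter it is just a search string that matches nothing.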
Denial of Service
In truth, a hacker doesn’t even need to get into your system to do some real damage. One popular approach is the distributed denial of service (DDoS) attack, which sends such a massive number of queries that it overloads the server.
There are a few ways that this can be executed. One is to organize a mass action by encouraging enough people to download software such as the Low Orbit Ion Cannon, which continually sends query packets to a particular server. Another is to use a botnet, which can incorporate hundreds of thousands of computers to attack the target.
In either case, the result is a crashed web server for days or even weeks, which can result in either simple embarrassment or, in the worst cases, millions of dollars in lost revenues. Sometimes, the targets worsen matters by making challenging statements to the attackers, encouraging them to step up their recruiting efforts.
What To Do?
We live in a digital age and the simple reality is, sooner or later, you will be hacked. The best you can do is try to limit your vulnerability and when you finally do get hit, be prepared to respond quickly and effectively.
So the first step is to make sure your software and security protocols are up to date. Software companies often release security patches to close holes in their products. Make sure that you implement them as soon as they are released.
It’s also important that employees are aware of the possibility of phishing and other forms of social engineering and that they use secure passwords. However, also be aware that the stricter the security protocols are, the less likely they are to be followed, so do your best to ensure that procedures are user friendly.
Finally, it is crucial to hire a competent security firm that continues to test your systems, monitors for vulnerabilities and incursions and has the ability to react quickly when they occur. Notably, in most of the attacks mentioned at the beginning of this post, the attacks were noticed immediately and contained before they could do significant damage.
– Greg
Interesting take.
Deloitte | P@$$1234: the end of strong password-only security | TMT | Technology, Media & Telecommunications | Industries
http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm?id:gx:sm:tw:Pred13:theme:150213&goback=.gde_1969704_member_214446065
Thanks Kuldip. Good info there.
– Greg