As Sun Tzu wrote in The Art of War:
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.
In business, an owner or manager needs to understand how to protect the company from threats, internal and external. Understanding the basic types of attack is the foundation of, metaphorically, "knowing your enemies."
Why People Hack
Traditionally, hackers were split into two categories: white hat hackers and black hat hackers. The idea was that black hat hackers broke the law for personal gain, and white hat hackers ran around with angel wings helping companies test for potential security risks. In practice the line is blurrier: the same tools and techniques serve both.
There is also a third kind, generally called a "script kiddie": somebody who does not really know what they are doing but has picked up a few tricks (perhaps a couple of hours spent Googling how to hack). This is the profile of the disgruntled employee who wants revenge, or the ex-business-partner after something that isn't theirs. Be aware of who these people could be and what their level of skill is.
The tools of the hacker
A hacker these days generally needs a relatively modern computer, an internet connection and a few "tools": software for capturing network traffic, trying thousands of passwords, or performing other basic attacks. Many of the more advanced attacks require a Linux machine, but the basic ones described in this article can be done from Windows or macOS.
Tool 1: Sniffing
You'd be surprised how many companies don't encrypt their web pages and login systems. On a network the attacker can also see (an open, unencrypted Wi-Fi hotspot is the classic case), it is trivial to "sniff" all of the traffic passing over it, and anyone who knows what to look for can pick out everything a person is doing, passwords included. If the traffic is encrypted, it all looks like gibberish to the sniffer. SSL/TLS (Secure Sockets Layer, today superseded by Transport Layer Security) is the most common way connections on the internet are encrypted. Want to know whether your connections are secure? Below is a list of common internet protocols alongside their unencrypted counterparts. Make sure you are using the encrypted version whenever you do not want people to see your passwords. Note that encryption on the wire does not help if the attacker is on the computer itself (see keyloggers below). To try sniffing yourself, download a copy of Wireshark and watch this video on how to use it: http://www.youtube.com/watch?v=0bazkLeY6b4
Unsecure protocol | Secure protocol | Purpose
http | https | Web pages. Look for https:// in the address bar of any page where you have to type in a password.
ftp | ftps or sftp | Transferring files to web servers. Use ftps:// or sftp:// instead of ftp://. In FileZilla or another FTP client, choose the FTP-over-TLS (SSL) option so that encryption is required rather than optional.
pop3, imap, smtp | pop3s, imaps, smtps (or STARTTLS on the plain port) | Email. The encrypted variants run on different ports, but most mail programs just show a checkbox: enable the SSL/TLS option for both the incoming and the outgoing server to FORCE encryption. Alternatively, use a web-based mail client such as Gmail over https.
Tool 2: Cracking With Brute Force
Okay, what if you could just try a million passwords until you hit the right one? Enter brute force. There are many variations, but they all consist of trying thousands or millions of candidate passwords until one works. Online, this fails against most well-run systems (a bank, for example, will lock your account after a handful of failed login attempts), but against files you already have in hand, such as password-protected Microsoft Word documents, zip archives or PDFs, nothing stops you from guessing as fast as your computer can go. There are many tools that already do this; go to sourceforge.net and search for "brute force ____" when you need to crack a file. Some old web servers or online systems with no lockout can be cracked the same way, but don't count on it. The arithmetic is what matters: even at 10,000 guesses per minute, exhausting the 26^6 (about 309 million) possible six-character lowercase passwords takes about three weeks, and every extra character or character class multiplies that. An eight-character mixed-case alphanumeric password (62^8 possibilities) would take tens of thousands of years at that rate. You can narrow the search with a "dictionary list" of the 1,000 most-used passwords (just Google for that, too), but when that fails you're pretty much out of luck. Brute force cracks can take a long time and should be avoided where possible. Sometimes, however, they take only 3 or 4 minutes against something highly vulnerable, such as the weakly hashed (LM) passwords that older Windows versions store in the SAM file.
Tool 3: Cracking With SQL Injection
Many small businesses and local governments run web applications and databases built by developers who do not fully understand the underlying technology. When you access a website (let's say my website), it often queries a database for its contents. That query may contain some of what you typed in (for example, a username or search term). So, let's say the SQL is:
SELECT * FROM users WHERE username='jacobbeasley';
I type in jacobbeasley, the site generates the above query, the database returns my record and the web page displays my information. Voilà, right? Foolproof? Absolutely not. What if you typed a single quote into the field? Say you type: jacobbeasley'; delete from users where 1; select '
Then the SQL becomes:
SELECT * FROM users WHERE username='jacobbeasley'; delete from users where 1; select '';
Even someone who has never written SQL can see roughly what is happening. I have caused three DIFFERENT SQL statements to run:
1) SELECT * FROM users WHERE username='jacobbeasley';
2) delete from users where 1;
3) select '';
Number 2 would delete every user. Obviously, very problematic. Whether the database actually runs the second and third statements depends on the database and driver; many refuse such "stacked" statements. That only limits the damage, though: a payload like ' OR '1'='1 turns the WHERE clause into one that is always true and returns every row from a single statement. If the site was built by a GOOD programmer, none of this works. The old fix is "escaping": anything the user entered is escaped so that the database does not interpret it as SQL syntax. The better fix is a parameterized query (prepared statement), where the SQL and the user's value are sent to the database separately, so the value can never be parsed as code. Escaping alone can fail when unusual character sets are in play: in some multibyte encodings a byte sequence in the input can swallow the escaping backslash, so the quote survives and the attacker is back in control. That is why an attacker who is blocked by one quote character will try several encodings of it, and why parameterized queries are the standard recommendation.
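The query above built both ways, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module with a constructed three-row users table. The function run_vulnerable_stacked uses executescript() only to stand in for a database driver that accepts stacked statements (an assumption for the demo; whether a real deployment runs the second and third statements depends on the database and driver). The tautology payload shows that a single statement is enough to leak data, and lookup_safe shows the parameterized form that neutralizes both.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original page).
SAMPLE_USERS = [
    ("jacobbeasley", "jacob@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# The payloads discussed in the text. The first is the article's own stacked
# payload; the second is the classic tautology, which works even where the
# driver refuses to run more than one statement at a time.
STACKED_PAYLOAD = "jacobbeasley'; delete from users where 1; select '"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def build_query(username):
    """The query exactly as the article describes it: the user's text is pasted
    straight into the SQL string, so quotes in the input become SQL syntax."""
    return "SELECT * FROM users WHERE username='%s';" % username


def lookup_vulnerable(conn, username):
    """Run the concatenated query as a single statement. A tautology such as
    ' OR '1'='1 makes the WHERE clause always true, so every row comes back."""
    return conn.execute(build_query(username)).fetchall()


def run_vulnerable_stacked(conn, username):
    """Hand the concatenated string to a driver that executes every statement
    in it. executescript() stands in for such a driver here (demo assumption);
    with the article's payload the DELETE runs and empties the table."""
    conn.executescript(build_query(username))
    return count_users(conn)


def lookup_safe(conn, username):
    """Parameterized query: SQL and value travel separately, so the input is
    only ever compared against the column and never parsed as SQL. No escaping
    is involved, so the multibyte-charset trick in the text does not apply."""
    return conn.execute(
        "SELECT * FROM users WHERE username=?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query(STACKED_PAYLOAD))
    print("vulnerable, tautology ->", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("safe, tautology       ->", lookup_safe(db, TAUTOLOGY_PAYLOAD))
    print("safe, stacked         ->", lookup_safe(db, STACKED_PAYLOAD),
          "users left:", count_users(db))
    print("vulnerable, stacked   -> users left:",
          run_vulnerable_stacked(db, STACKED_PAYLOAD))
```

Run as a script it prints the three-statement string from the text, then shows the vulnerable lookup returning all three users for the tautology, the safe lookup returning nothing for either payload, and the users table being emptied once the stacked payload reaches a driver that executes it.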
Tool 4: Keyloggers and Phishing
This is one of the oldest and SIMPLEST methods of compromising a computer. A keylogger is a piece of hardware or software that records everything someone types. Software keyloggers for Windows are easy to write in C++ using the GetAsyncKeyState function, and combined with a little con like "you need this software to open ____ file" you can generally get people to install one. The program then emails the attacker a week's worth of keystrokes and deletes itself. Phishing involves making a website that looks just like another website; when the user logs in, their username and password are captured. An attacker with access to the victim's computer could also alter its network settings (the hosts file or DNS server, for example) so that yahoo.com or gmail.com resolves to THE ATTACKER'S COPY OF GMAIL/YAHOO. When the victim logs in, the password is stored and the page shows some "you need ____ update" message; the "update" removes the phishing scam and the user never knows a password was stolen. Decent antivirus software should catch the common cases by locking down network settings and flagging programs that call GetAsyncKeyState or other typical keylogging functions (at least, it "should"). Do not rely on it alone: the browser's padlock and certificate warnings are the user-visible sign that a look-alike site is not the real one, which is one more reason to insist on https for every login page.
Tool 5: Easy Con
The weakest link in many companies is the people themselves. For example, if you call a person pretending to be "tech support" from their own company, you may be able to con them into giving up their password. Alternatively, call the company's IT person pretending to be the target and ask to have the "password reset" and emailed to your "new email" address. Be sure to follow the "not getting caught" tips below to avoid getting caught.
Not Getting Caught
These days, everything is trackable. Here are some quick tips to avoid getting caught.
When doing things online, don't do them under your own name or from your own internet connection. Whenever you connect to the internet you are given an "IP address." These addresses are assigned by your internet service provider, and it is fairly easy to work out who you are by:
1) capturing the IP address (it is sent with every web page you request; see http://www.whatismyip.com/)
2) looking up which internet service provider that address belongs to
3) getting a court order forcing the internet service provider to say which physical location (your home address) the address was assigned to on that date. In effect, that is your home or wherever you were accessing the internet from. From there, they can check security cameras or look up who registered the internet connection to identify you.
To avoid this, you "funnel" everything you do through a "proxy server" in another country. Keep in mind that many proxy servers keep logs (and an anonymous free proxy can be run by anyone, investigators included), so consider chaining several proxies or picking one in a country that does not share information with yours, such as China or North Korea. Lists of proxies are easy to find on Google.
Also, if you ever make phone calls, follow the tips above AND place the calls through an online service like Skype. Never pay for such a service with your own credit card; use an unverified PayPal account registered to a Gmail/Yahoo/Hotmail address that was created and accessed only through a proxy, so there is nothing tying it directly to you. To do this, however, you need to get money into that PayPal account. How?
1) Open an account with an offshore IT outsourcing service like scriptlance.com under a false identity or alias.
2) Do some work and earn some money.
3) Have that money deposited in the PayPal account.
4) Buy anything you want online; the money is very hard to trace back to you.
5) DO EVERYTHING BEHIND A PROXY. Done consistently, that leaves an investigator very little to follow, though a single slip, such as one login from home, undoes all of it.
To make the proxy trick harder to use against you, configure the firewalls on your servers to block requests from countries you do not do business with. Additionally, log users' IP addresses, and if a logged-in user appears to "switch" to a different address in the middle of a session, force them to log in again.
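The two defenses just described, as an added example that is not part of the original post. The GEO_PREFIXES table is a constructed stand-in for a GeoIP database (the address ranges are the documentation ranges and the country mapping is invented), and ALLOWED_COUNTRIES is an assumed list of where the business operates. The session store binds each token to the address it was issued to; a token presented from a different address is dropped and the caller is told to re-authenticate. Legitimate users behind NAT pools or on mobile connections do change addresses, which is why the address_changed result is reported separately: an application can treat it as "log in again" or as the gentler "verify by email" option mentioned later in the article.

```python
import secrets

# Constructed stand-in for a GeoIP lookup: address prefix -> country code.
# A real deployment would query a GeoIP database; these are documentation
# ranges and the mapping is invented for the demo.
GEO_PREFIXES = {"203.0.113.": "US", "198.51.100.": "DE"}
ALLOWED_COUNTRIES = {"US", "CA"}   # where this business operates (assumed)


def country_of(ip):
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return None


def allowed_source(ip):
    """Deny by default: an address we cannot place is treated like a foreign one."""
    return country_of(ip) in ALLOWED_COUNTRIES


class SessionStore:
    """Binds each session token to the client address it was issued to. A token
    that later arrives from a different address is invalidated, and the caller
    is told to make the user log in again."""

    def __init__(self):
        self._sessions = {}   # token -> {"user": ..., "ip": ...}

    def issue(self, user, ip):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self._sessions[token] = {"user": user, "ip": ip}
        return token

    def resolve(self, token, ip):
        """Return ("ok", user), ("address_changed", user) or ("unknown", None).
        On an address change the session is dropped so the old token is dead."""
        sess = self._sessions.get(token)
        if sess is None:
            return ("unknown", None)
        if sess["ip"] != ip:
            del self._sessions[token]
            return ("address_changed", sess["user"])
        return ("ok", sess["user"])


def handle_request(store, token, ip):
    """The two checks combined: drop foreign sources first, then require a
    session that was issued to this very address."""
    if not allowed_source(ip):
        return "blocked"
    status, user = store.resolve(token, ip)
    return "ok:" + user if status == "ok" else "login_required"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("jacob", "203.0.113.5")
    print(handle_request(store, tok, "203.0.113.5"))     # same address: served
    print(handle_request(store, tok, "198.51.100.9"))    # foreign address: blocked
    print(handle_request(store, tok, "203.0.113.77"))    # address switched: login again
    print(handle_request(store, tok, "203.0.113.5"))     # old token now dead
```

Binding sessions to the source address is a blunt tool; if it generates too many forced logins, keep the country filter and fall back to the email-verification step for address changes instead.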
The Weakest Link
If you really want to be a good hacker, keep in mind that people are people. There's no magic here. The best hackers are also the best con men. The weakest link is the person. It does not matter how good the security of a building or website is if the people running it are not trained in basic IT security policies:
1) Never give out your password to anyone, ever.
2) If an IT person calls asking for your password, tell them to reset it themselves. There is no reason they should ever need to ask you for it.
3) Have a process for resetting passwords that requires full identification in a manner that cannot easily be bypassed (never "send it to the new email address the caller gave us"). The details will vary from organization to organization.
4) Require antivirus software that can catch the most common phishing and keylogger attacks.
5) Take regular backups of the database to multiple locations so that, in the event of an attack such as the SQL injection above, recovery can happen fast.
6) Whitelist your office IP addresses as the only ones allowed to log in to the system(s), which blocks anyone coming in through a proxy. Where this is impractical, force users logging in from a new IP address to complete some sort of email verification, which makes operating from behind a proxy harder.
7) Secure the premises and all wireless networks to keep out the on-site attacker. Use encryption that has not been broken: WEP was cracked years ago and falls in minutes, so use WPA2 or later (and Google any scheme before trusting it).
8) Have your applications tested for SQL injection and brute-force attacks. Preventing these is easy; it is just a matter of following best practices: parameterized queries for the former, and for the latter logging failed login attempts and refusing more than, say, 20 per hour, counted per account and per source address. At 20 guesses per hour, exhausting even the 26^6 (about 309 million) possible six-character lowercase passwords takes roughly 1,800 years, so the attacker is left with a short dictionary of common passwords, which is exactly what a password policy should rule out.
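The lockout rule from point 8, together with the brute-force arithmetic from Tool 2, as an added example that is not part of the original post. The user store, the names and the timestamps are constructed for the demo; passwords are kept as salted PBKDF2 hashes (an added choice, so that a stolen copy of the table is itself slow to crack offline). The throttle is a sliding one-hour window keyed both per account and per source address: a per-account lock alone lets an attacker lock a victim out on purpose, and a per-address lock alone is defeated by the proxy hopping described above. The current time is passed in explicitly so the hour-long window can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour, as the article suggests
MAX_FAILURES = 20       # "no more than, say, 20 per hour"
HOURS_PER_YEAR = 24 * 365.25
PBKDF2_ITERATIONS = 100_000   # kept modest so the demo runs quickly


def years_to_exhaust(keyspace, guesses_per_hour):
    """Worst-case time to try every password in a keyspace at a given rate."""
    return keyspace / guesses_per_hour / HOURS_PER_YEAR


def make_store(plaintext_users):
    """Constructed user store: salted PBKDF2 hashes rather than plaintext."""
    store = {}
    for user, password in plaintext_users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        store[user] = (salt, digest)
    return store


def check_password(store, user, password):
    """Constant-time comparison; unknown users are hashed against a dummy record
    so that a wrong name costs the same time as a wrong password."""
    salt, digest = store.get(user, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return user in store and hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Sliding-window count of failed logins per key (account or source address)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window, self.limit = window, limit
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # age out failures older than the window
            q.popleft()
        return q

    def allowed(self, key, now):
        return len(self._recent(key, now)) < self.limit

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def clear(self, key):
        self._failures.pop(key, None)


def attempt_login(store, throttle, user, password, source_ip, now):
    """Returns "locked", "bad" or "ok". Both the account and the source address
    must be under the limit before the password is even checked."""
    keys = (("user", user), ("ip", source_ip))
    if not all(throttle.allowed(k, now) for k in keys):
        return "locked"
    if check_password(store, user, password):
        throttle.clear(("user", user))   # a real login wipes the account's slate
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "bad"


if __name__ == "__main__":
    store = make_store({"jacob": "s3cret-pass"})   # constructed account
    throttle = LoginThrottle()
    for i in range(MAX_FAILURES):
        attempt_login(store, throttle, "jacob", "wrong%d" % i, "10.0.0.1", i)
    print("right password after 20 failures:",
          attempt_login(store, throttle, "jacob", "s3cret-pass", "10.0.0.1", 30))
    print("an hour later:",
          attempt_login(store, throttle, "jacob", "s3cret-pass", "10.0.0.1", WINDOW_SECONDS + 30))
    print("years to exhaust 26^6 at 20/hour: %.0f" % years_to_exhaust(26 ** 6, 20))
    print("years to exhaust 26^6 at 10,000/minute: %.3f" % years_to_exhaust(26 ** 6, 10000 * 60))
```

The two printed estimates are the ones used in the text: about 1,762 years at 20 guesses per hour, and about 0.06 years (three weeks) at 10,000 guesses per minute, which is the difference a lockout makes. The throttle state lives in memory here; a real deployment keeps it somewhere shared by all web servers.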