How hacking works
Note: This is not meant to be a definitive guide to hacking but rather a simplified view on how hackers operate and, knowing how the bad guys operate, keeping them off your computers.
Hacking method 1: Drive-by attack
Drive-by 1:
- Hacker inserts an image/sound file/animation in a legitimate webpage
- That image/sound file/animation contains a malicious script (mini program) which is run when the webpage is loaded into a user’s unpatched/unsecure web browser
- The script installs some type of virus on the user’s machine, potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user’s computer
Drive-by 2:
- Hacker designs a webpage that looks identical to some other legitimate page but contains a malicious script (mini-program)
- Hacker places a link on a 3rd, also legitimate, website such as a forum or social-networking website and entices users to click the seemingly legitimate link
- User clicks on the link; the seemingly legitimate page opens, the script runs and installs some type of virus on the user’s machine, potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user’s computer
Drive-by 3:
- Hacker sends out hundreds/thousands of emails spoofing the sender’s name so that the email seems to come from a legitimate source
- The recipient of the email is requested to click on a seemingly legitimate webpage link in the email
- The target webpage contains a malicious script which, when loaded into the user’s unpatched/insecure web browser, installs some type of virus on the user’s machine, potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user’s computer
Drive-by 4:
- Hacker sends out hundreds/thousands of emails spoofing the sender’s name so that the email seems to come from a legitimate source
- The email contains an attachment in the form of a Word document/PDF file/image/sound file/animation which has been altered to contain some form of virus or script
- When the recipient opens the attachment the virus is installed on the user’s computer potentially uploading confidential information to the hacker’s computer or allowing the hacker backdoor access to the user’s computer
Hacking method 2: Opportunistic attack
These types of attack are semi-malicious crimes of opportunity rather than a deliberate attempt to “break-and-enter”. The usual procedure is:
- The hacker will scan a range of internet addresses to see which ones respond.
- Those he/she gets a response from will go on a list which will in turn be read by a piece of software called a “port scanner”. The port scanner will probe each of the internet addresses to see if the device behind the address will let network traffic through, and may be set to probe for the type of operating system that the device is running.
- Those devices which report that they are open to receive traffic will then be put on a second list
- That second list may then be read by another piece of software called a “vulnerability scanner” to test each of the devices to see if they are susceptible to known attack methods using known weaknesses in the operating system or running programs.
- Those devices which react positively to the second scan will then be exploited by the hacker either using dedicated software or by manually entering commands on their computer. Once exploited the target machine is effectively owned by the hacker.
Hacking method 3: Targeted or “Sniper” attack
These attacks are deliberate but usually not malicious in that the attacker does not intend to harm the network infrastructure. These are calculated attempts to extract data from an organisation, sometimes for financial reward, sometimes for bragging rights and sometimes for a cause. Examples of this type of hack would be to steal credit/debit card numbers, personal details such as Social Security numbers, passport or ID details or even social networking website logins. These details will probably be sold on for short-term financial return or used by the hackers themselves in the course of some fraudulent activity.
Further examples of this type of hack in the corporate environment would be the theft of client lists for resale to a competitor or for publication, theft of intellectual data such as source code, patent-pending designs, merger and acquisition plans or theft of the company’s financial data. Any of these could be extremely damaging to a company’s reputation or ability to continue trading, especially where penalties for a data breach are levied by a regulatory organization.
The methods used by the hacker/s in this type of attack usually consist of the following:
Reconnaissance – Profile the target
- What information can be gathered from public sources such as Google searches, Companies House, McRae’s Blue Book, Applegate etc.?
- Has the company advertised details of their IT infrastructure, for example, on job boards or technical help forums?
- What is the organisation’s email address naming convention?
- Have any email addresses been made public and are they usable for phishing?
- As most email addresses are the same as the user names, could the user name be used to log in to Outlook Web Access or a company VPN? (Once a login username is found, various tools can be used to guess the password.)
- Is the target’s private IP address accessible from its public IP address?
- Does the company’s server report its platform? If so, are there any known weaknesses for this operating system?
- Test the company’s publicly accessible infrastructure e.g. an email server, database server, web server or router to see whether any of the services will accept anonymous network traffic. This is called a port scan.
- As part of the port scan, establish what the device is e.g. firewall, router or server and try and enumerate it to see which vendor manufactured the device/software running on the device
- Establish whether the device has any known weaknesses or design flaws which may allow the intruder to gain access to it
- Some hackers may even contact the company directly (via email or telephone) in an effort to find out who the senior IT person is in an effort to “socially engineer” them or one of the junior IT engineers into giving away confidential IT related information.
- Having “mapped” the target’s weaknesses the hacker will now attempt to gain access to the target’s network
- This may include sending virus-infected email attachments or emails with links to compromised websites to the target’s employees to try and get one of them to infect their PC with a backdoor Trojan
- It is more likely that a skilled professional will attempt direct penetration of the target’s network by exploiting one of the weaknesses found during the probing phase (which is why active patching of operating systems and running programs is vital)
- Should the hacker not be able to use existing weaknesses they would then try more sophisticated attacks using such measures as automated password guessing, sniffing the network for traffic containing passwords, spoofing network traffic to make the target’s network traffic go through their servers, buffer overflows or stack smashing
- This step may be excluded if the attack is a quick “smash-and-grab” data theft as in the case of a contracted hack where a company hires a hacker to steal a competitor’s data
- Having invaded the target’s network the hacker will now set up a backdoor so that he/she can access the target’s assets at will
- With the backdoor set up the hacker will browse the target’s files and folders at their leisure looking for valuable data and extracting it as found
Once this is done, the hacker is going to do as much as possible to remove the evidence of their visit. This generally involves deleting all log entries that may reveal their unauthorised access, deleting or hiding any files they may have created on the servers or workstations, or renaming the user account they created to gain/maintain access.
Evading/Mitigating Hacks
Based on the above, we can eliminate or mitigate the risks of being “hacked” by employing some fairly easy-to-implement measures:
Evading drive-by hacks
As illustrated above, drive-by hacks tend to come from email or website sources. The simple ways to reduce the probability of getting hacked via email or the web are:
- Treat all email with skepticism, even those purporting to be from friends or colleagues
- Never click on webpage links provided in an email – type them into your browser’s address bar manually (sometimes easier said than done)
- Never open attachments directly from an email – save them to your hard drive first and scan the saved file with your antivirus software. If it is a compressed file, such as a zip file, scan the zip file first, then extract the file onto your hard drive, then scan the extracted file again (some anti-virus products aren’t very good at reading compressed/encrypted files)
- Keep your web browser and all its add-ons up to date. Without an automated patching tool this can prove cumbersome, but 1 hour’s worth of patching is better than 24 hours’ worth of system rebuilding.
- Keep an eye on your address bar and be aware of the actual website address that you are being redirected to. The website "www.google.com" is not the same as "www.google.willhackforfun.com"
- Look for the little padlock or the letters "https" in the browser’s address bar when performing any kind of login. This means that the connection to the website you are talking to is encrypted (most of the time); it does not by itself mean the site is trustworthy
Evading opportunistic hacks
- Block ICMP (Ping packets) on the router or firewall. If the hacker does a ping scan on a range of IP addresses, yours won’t reply to their scan, thereby making his/her life more difficult
- Close any unneeded “listening” ports on your router/firewall – services that run on your server or computer will open “ports” to send traffic out on to the internet or to receive traffic from the internet. Many of these services don’t need access to the internet so explicitly deny them at the firewall or disable the services from the operating system’s management console
- Use a stateful firewall so that incoming traffic is only allowed if it is replying to outgoing traffic
- Keep the firmware on the routers and firewalls up to date; this often eliminates bugs or weaknesses that are found, and ALWAYS change default usernames and passwords.
- Keep the operating system and 3rd party programs patched and up-to-date
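The address-bar and https checks above can be spelled out as a small link checker. This is an added example, not code from the original page: it assumes you know which site you expected (here "google.com") and reports whether the link’s hostname really belongs to that site (the domain itself or a subdomain of it) and whether the scheme is https. Because the trailing labels of a hostname decide who owns it, the page’s own example "www.google.willhackforfun.com" is correctly rejected.

```python
from urllib.parse import urlsplit

# Hypothetical helper (not from the original page): does this hostname belong
# to the site we expected? Ownership is decided by the trailing labels, so
# only an exact match or a subdomain of expected_domain counts.
def hostname_belongs_to(hostname: str, expected_domain: str) -> bool:
    host = hostname.lower().rstrip(".")
    domain = expected_domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_link(url: str, expected_domain: str) -> dict:
    """Report what a careful user would read off the address bar."""
    parts = urlsplit(url)
    hostname = parts.hostname or ""          # strips port and any user@ part
    return {
        "hostname": hostname,
        "https": parts.scheme.lower() == "https",
        "expected_site": hostname_belongs_to(hostname, expected_domain),
    }


if __name__ == "__main__":
    # Constructed sample links: the first two are fine, the last two are not.
    for link in [
        "https://www.google.com/",
        "https://accounts.google.com/login",
        "https://www.google.willhackforfun.com/",   # the page's own example
        "http://www.google.com/",                    # right site, but no https
    ]:
        print(link, check_link(link, "google.com"))
```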
Evading targeted hacks
These are the most complicated and challenging attacks to evade. All things being equal, a well-resourced, determined, patient hacker will eventually get through even the most sophisticated defenses.
The key to making their lives as difficult as possible and keeping them guessing is to use multi-layered defense. For most small and medium businesses much of what follows may not be necessary, but it is up to the reader to pick and choose what would work best for them based on a thorough risk analysis.
Level 1
should be a good spam-management system which filters out as much spam as possible before it hits the network
Level 2
should be a firewall or, ideally, a stateful Intrusion Detection System with anti-virus awareness and IP address spoofing awareness. This would filter out illegitimate traffic but allow legitimate traffic through
Level 3
should be a DMZ (De-militarized Zone) where public facing servers are located. These would be the webservers, email servers & middleware servers, i.e. any server that needs to be able to receive anonymous traffic from the internet
Level 4
another stateful Intrusion Detection System or Network Intrusion Detection System further refining the traffic and combing it for invalid/harmful, albeit legitimate, traffic. This level would also filter outgoing traffic so that confidential files could not be leaked out of the organisation and communication with forbidden servers could not take place
Level 5
a sound, tested, well explained and understood IT Security Policy which applies at all levels of the organization, especially senior management. If everyone knows what is allowed and the reasons that some things are not allowed, they are more likely to follow the guidelines that help secure the organisation’s IT infrastructure and, by extension, its valuable data.
Such a policy will also help with the “who-needs-to-do-what” in the event a breach should occur. See HERE (coming soon) for more information on IT Security policies
Level 6
servers and workstations must have an anti-virus package which is kept up-to-date at all times and which scans files on access. Workstations should also have an ancillary spyware detection package as many of the modern viruses can evade common anti-virus packages. Workstations should also have a firewall installed or the built-in one turned on and configured properly to further filter out any hazardous network traffic
Level 7
the organisation's last line of defense & possibly the most important but most neglected level. User education. An educated user who is aware of “secure computing” makes far fewer mistakes in judgment
Level 8
a pair of eyes. Having all the best technologies in the world is useless if their alarm bells start ringing and there is no-one to hear them. Having a good systems administrator combing the logs for illegitimate activity and reacting to it promptly will defeat a hacker (nearly) every time
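What "combing the logs" looks like in practice, as an added example that is not part of the original page: two small detectors run over constructed syslog-style lines, one flagging a source whose dropped packets touched many distinct ports (the port scan of the opportunistic attack), the other flagging repeated failed logins for one user from one source (the automated password guessing mentioned under targeted attacks) and noting whether a success followed them. The log format and thresholds are assumptions; adapt the regular expressions to your firewall’s and server’s actual log lines.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original page): firewall drops and
# login failures, mixed as a small syslog-style file might have them.
SAMPLE_LOG = """\
fw: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
fw: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
fw: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
fw: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
fw: DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
auth: Failed password for jsmith from 198.51.100.77
auth: Failed password for jsmith from 198.51.100.77
auth: Failed password for jsmith from 198.51.100.77
auth: Accepted password for jsmith from 198.51.100.77
auth: Failed password for admin from 192.0.2.55
"""

DROP_RE = re.compile(r"DROP SRC=(\S+) .*DPT=(\d+)")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted password for (\S+) from (\S+)")

def port_scanners(lines, min_ports=4):
    """Sources whose dropped packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def password_guessing(lines, min_failures=3):
    """(user, source) pairs with repeated failures; notes a success after them."""
    failures = defaultdict(int)
    succeeded = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = OK_RE.search(line)
        if m and failures.get((m.group(1), m.group(2)), 0) >= min_failures:
            succeeded.add((m.group(1), m.group(2)))   # guessing paid off: urgent
    return {key: {"failures": n, "then_succeeded": key in succeeded}
            for key, n in failures.items() if n >= min_failures}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(port_scanners(lines))
    print(password_guessing(lines))
```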