Hacker scenario: passwords the weakest link

SUMMARY: Ed Wilson talks about the weakness of passwords.

We have all seen it in movies: the hacker thinks for a minute, types in G-O-D and voila, he is into the system. In real life this probably wouldn't fly anymore, because most systems have what is called a complexity filter. The password usually must combine capital letters, lower case letters, and at least a number or a symbol, and there is usually a minimum length as well. So in real life the password might be G0d12!. That satisfies the character-class rules and squeaks past a short minimum length (it would fail an eight-character minimum). But is it a good password? Probably not.

Password complexity rules.

For one thing, hackers know more about password complexity requirements than you do. They also know that many systems require passwords to be changed every 30 to 45 days, and that everyone has lots of passwords to remember, so to make things easy people use the same password for their email, their bank, their brokerage, Facebook, Twitter, LinkedIn, their network access at work and at school, and anything else I happened to forget. So the G0d12! password would probably be used in December, and in January it would become G0d01!. The user may get away with this, depending on how many old passwords the system remembers: every January it could be G0d01! and every December G0d12!, as long as the system's password history holds fewer than twelve entries.

Common character substitutions (the so-called "leet" alphabet) include the following:

  • @ for A
  • 0 for o
  • 1 for l
  • 2 for z
  • 3 for E
  • 5 for S
  • 7 for T
  • 9 for P
  • Z for S
  • Ph for F

Common sources of passwords include:

  • Significant other's first or middle name
  • Children's first or middle names
  • Street names
  • Mythical heroes (Ninja Turtles, superheroes, and true mythical heroes such as Z3us or Apo11o, things like this)
  • Literary characters (such as Tiny7im, TomSawy3r)

PINs for bank machines are often taken from social security numbers, street addresses, or birthdays.

How did the hacker find the user name?

User names are pretty easy. Usually they are some combination of first name and last name. Here are some common patterns:

  • First and last name: such as AnnJones
  • First initial and last name: such as AJones
  • First name and first three letters of last name: such as AnnJon

In many companies the user name is also the email address, so all a hacker needs is an email address and he has half of the login equation. If the password is a weak one of the kind described above, the hacker is in. If the account has administrator rights, it is game over.
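To make the point concrete, here is an added example (not code from the original article) that puts the three user-name patterns, the substitution table and the monthly-rotation habit into a small candidate generator, runs the candidates through a typical "three of four character classes" filter, and then through the kind of check that actually catches them: peel off the trailing digits and symbol, undo the substitutions, and compare against a banned-word list. "Ann Jones" and the seed words are constructed sample input; the minimum length of six is chosen so that the article's G0d12! passes, as it would not under an eight-character minimum.

```python
"""Candidate credentials vs. a complexity filter vs. a dictionary check.
Added example, not code from the original article.  The user-name
patterns, substitution table and seasonal rotation follow the text;
'Ann Jones' and the seed words are constructed sample input."""
import re

# Letter -> leet character, from the article's substitution list (with the
# usual reading of 5 as S; the article also lists Z for S and Ph for F).
LEET = {
    "a": "@", "o": "0", "l": "1", "z": "2", "e": "3",
    "s": "5", "t": "7", "p": "9", "f": "ph",
}
# Reverse map for the defender-side check (single characters only; "ph"
# and "z" are handled separately in dictionary_hit).
UNLEET = {sub: letter for letter, sub in LEET.items() if len(sub) == 1}


def usernames(first, last):
    """The three patterns from the article: AnnJones, AJones, AnnJon."""
    return {first + last, first[0] + last, first + last[:3]}


def leet_variants(word):
    """A small rule set: the word as typed, capitalised, each substitution
    class applied on its own, and all substitutions at once."""
    w = word.lower()
    out = {w, w.capitalize()}
    everything = w
    for letter, sub in LEET.items():
        if letter in w:
            out.add(w.replace(letter, sub).capitalize())
            everything = everything.replace(letter, sub)
    out.add(everything.capitalize())
    return out


def candidates(seed_words, suffix="!"):
    """The seasonal rotation the article describes: variant + MM + symbol."""
    for word in seed_words:
        for variant in sorted(leet_variants(word)):
            for month in range(1, 13):
                yield f"{variant}{month:02d}{suffix}"


def complexity_ok(pw, min_len=6):
    """A typical 'three of four character classes' filter.  min_len is 6
    so that the article's G0d12! passes; real policies usually want 8+."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and hits >= 3


def dictionary_hit(pw, banned):
    """Defender-side check: peel off up to three trailing digits/symbols,
    undo the leet substitutions and compare with a banned-word list (names
    from the company directory, pets, seasons ...).  Returns the matched
    word, or None."""
    stems, s = [], pw
    for _ in range(4):
        stems.append(s)
        if s and not s[-1].isalpha():
            s = s[:-1]
        else:
            break
    for stem in stems:
        plain = "".join(UNLEET.get(ch, ch) for ch in stem.lower())
        plain = plain.replace("ph", "f")          # article: Ph for F
        if plain in banned:
            return plain
        if plain.replace("z", "s") in banned:     # article: Z for S
            return plain.replace("z", "s")
    return None


def audit(seed_words):
    """Counts: candidates generated, how many the complexity filter
    accepts, and how many of those the dictionary check still rejects."""
    cands = list(candidates(seed_words))
    accepted = [c for c in cands if complexity_ok(c)]
    rejected = [c for c in accepted if dictionary_hit(c, set(seed_words))]
    return len(cands), len(accepted), len(rejected)


if __name__ == "__main__":
    print(sorted(usernames("Ann", "Jones")))
    for word in ("god", "zeus", "apollo"):
        print(word, audit([word]))
```

Every one of the 36 candidates built from the single word "god" passes the complexity filter, and every one of them is rejected by the dictionary check, which is why current guidance (NIST SP 800-63B) favours screening new passwords against known-bad and personal-information lists over forced rotation and character-class rules.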

Hacker scenario: how does he get in (pt. 2)

SUMMARY: Ed Wilson talks about additional ways a hacker gains access to a network.

In yesterday’s article I talked about a common way the hacker gets in … someone forgot to deny access. Today I will list other ways.

How does the hacker get in – a list.

The most important thing to remember about hackers is that they are not magic. Nearly all of the time, a hacker uses, or misuses, something that is already set up. For example, a computer that is unplugged from everything, buried in a six-foot-deep hole in the backyard, and packed in concrete is more or less secure from hackers.

The second thing to remember about hackers is that nothing is certain. Given enough time and resources, probably any system in the world is vulnerable.

The third thing to remember about hackers is that given unrestricted physical access to a computer, it is pretty much game over.

The cardinal rule is this: if a hacker gains administrator rights, it is game over, at least as most things exist today. Some companies are working on ways to mitigate or reduce the risk posed by administrator accounts.

So, here is a list of ways a hacker may get into a network:

  • An unsecured modem – yes, don't laugh. Some companies still have modems in use. They may be used by a remote office that only needs to upload sales information at night, but they are there. Typically a modem used in such a scenario would not accept incoming calls, but what if the salesperson configured it to accept incoming calls so he could access his computer at night or on the weekend, or enter sales without having to come to the office?
  • A website designed for corporate users to share information.
  • A website designed for corporate users to access internal email systems.
  • A system set up for network administrators to do remote administration.
  • An old, forgotten server that used to provide remote network access, now neglected but not decommissioned because it was used by one important person who refused to upgrade to the current system.
  • A website designed to share inventory and sales with business partners.
  • A corporate presence website.
  • An e-commerce web site that offers sales to the general public.
  • A file sharing site used by corporate users that is exposed to the internet.
  • A file sharing site set up to give customers the ability to share files with the company.

Most of the above require a combination of a user name and a password. Some systems require a user name, a password, and a token. Two common tokens are a smart card (with a chip on it) and a fob displaying numbers that change every so often and stay in sync with an authentication server back on the network. These are obviously harder to hack, but as they become more common they also come under more scrutiny by hackers.
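The fob described above works like this (added example, not code from the original article): the fob and the authentication server share a secret, and both compute an HMAC over the number of 30-second steps since the epoch, so their numbers agree as long as their clocks roughly do. This is the TOTP scheme of RFC 6238 built on RFC 4226 HOTP; the secret below is the RFC's published test secret, not a real credential, and the replay guard in TokenServer is the part most often left out.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): how a 'fob with changing numbers'
and the server it syncs with derive the same code.  Added example, not
from the original article.  SECRET is the RFC 6238 test secret."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 6238 test vector secret (SHA-1)
STEP = 30                          # seconds per code


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the big-endian counter, then RFC 4226 dynamic
    truncation: 31 bits taken at an offset chosen by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, step=STEP):
    """The fob side: the counter is the number of steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, code, unix_time, window=1, digits=6, step=STEP):
    """Stateless server check: accept the current step and `window` steps
    either side to absorb clock drift; compare in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, digits, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


class TokenServer:
    """Server-side verifier that also refuses any code at or before the
    last step it already accepted, so a captured code cannot be replayed
    inside the drift window."""

    def __init__(self, secret, window=1, digits=6, step=STEP):
        self.secret, self.window = secret, window
        self.digits, self.step = digits, step
        self.last_step = -1

    def verify(self, code, unix_time=None):
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue                      # already used (or older)
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("fob shows:", totp(SECRET, now))
    srv = TokenServer(SECRET)
    print("first use accepted:", srv.verify(totp(SECRET, now), now))
    print("replay accepted:", srv.verify(totp(SECRET, now), now))
```

verify accepts one step either side, so a code is good for up to ninety seconds; TokenServer therefore records the last step it accepted and rejects anything at or before it, which is what makes the password genuinely one-time. None of this helps against an attacker who phishes the code and relays it within the window, which is the scrutiny the paragraph above alludes to.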

The weakest point of access is one guarded with only a user name and a password. Tomorrow I will talk about how hackers get around those.

A Hacker scenario: how does he get in

SUMMARY: Ed Wilson discusses a hypothetical hacker scenario, and talks about how he gains access to the network.

How does a hacker get into his or her old network?

Getting in – the easy way

One of the easiest ways for a disgruntled person to get back into their old network is simply to log back in, using whatever remote access they were granted, with their old user name and old password. But wait, you may say, wouldn't their old access be turned off? Wouldn't their old user account be deleted? One would hope so. But here are some considerations:

  • Most companies have some sort of procedure for terminating employees. It usually involves multiple departments, including IT, HR, Payroll, Security, and maybe Legal or others. Depending on how effectively these departments work together and what sort of routing system is in place, it can take a day or more for everyone to get their piece of the puzzle done.
  • Most companies with procedures for terminating employees rely on some sort of manual process. Because people are involved, someone can always make a mistake. It might not even be a mistake: perhaps one of the people in the chain is on vacation or on maternity leave, and someone is "covering" the job. When people cover a job, they often do the bare minimum because they have a job of their own to do, and they may not have been fully trained to perform the other job.
  • Most companies do not really delete ex-employee user accounts, because ex-employees often end up as current employees again, so the account is usually disabled instead. The ex-employee's data is often required by the person who replaces them, so access to that data is transferred to the replacement, or at least made available on request. Things like e-mail are often kept for a period of time in case they are needed (for example, as evidence in a legal matter).

Whenever there is a procedure in place, there is also a chance that the procedure is not updated or not completely followed. This is why companies review procedures from time to time. But just because a procedure is reviewed does not mean that all of its flaws are caught. This is why companies have audits. But just because a company hires auditors does not mean the auditors catch everything. This is why we have regulators. But just because there are regulations does not mean the regulations are fully understood, or even implemented. This is why we have consultants, lawyers, and courts. You get the idea. At any point in the chain there can be a breakdown, and that breakdown becomes easy access for an enterprising hacker.
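The breakdowns listed above are easy to check for mechanically. Here is an added example (not code from the original article) that reconciles an HR termination feed against a directory export and reports, for each terminated user, whether the account is still enabled, whether it still sits in a remote-access group, and whether it was used after the last day of employment. All records are constructed sample data, and the group names are assumptions.

```python
"""Reconcile an HR termination list against a directory export and report
leftover access.  Added example, not code from the original article; all
records are constructed sample data and the group names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Groups that grant a way in from outside (assumed names).
REMOTE_ACCESS_GROUPS = frozenset({"VPN-Users", "Remote-Admins", "OWA-Users"})


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]


# Constructed HR feed: user -> last day of employment.
HR_TERMINATED: Dict[str, date] = {
    "ajones": date(2016, 1, 4),
    "bsmith": date(2015, 12, 15),
    "cdoe":   date(2016, 1, 8),
}

# Constructed directory export: what IT actually did, or did not, do.
DIRECTORY: List[Account] = [
    Account("ajones", True,  frozenset({"Staff", "VPN-Users"}), date(2016, 1, 6)),
    Account("bsmith", False, frozenset({"VPN-Users"}),          date(2015, 12, 14)),
    Account("cdoe",   False, frozenset(),                       date(2016, 1, 7)),
    Account("dlee",   True,  frozenset({"Staff", "VPN-Users"}), date(2016, 1, 9)),
]


def offboarding_gaps(hr, directory, remote_groups=REMOTE_ACCESS_GROUPS):
    """Return (user, finding) pairs for every terminated user whose access
    was not fully removed.  Users not in the HR feed are current staff
    and are ignored; users with no directory record were deleted."""
    by_user = {a.user: a for a in directory}
    findings: List[Tuple[str, str]] = []
    for user, last_day in sorted(hr.items()):
        acct = by_user.get(user)
        if acct is None:
            continue
        if acct.enabled:
            findings.append((user, "account still enabled"))
        leftover = sorted(acct.groups & remote_groups)
        if leftover:
            findings.append((user, "still in remote-access group(s): " + ", ".join(leftover)))
        if acct.last_logon and acct.last_logon > last_day:
            findings.append((user, f"logon on {acct.last_logon} after last day {last_day}"))
    return findings


if __name__ == "__main__":
    for user, finding in offboarding_gaps(HR_TERMINATED, DIRECTORY):
        print(f"{user}: {finding}")
```

A disabled account that is still in a VPN group is reported on purpose: since accounts are disabled rather than deleted, that membership is one accidental re-enable (or one rehire) away from working remote access again, so the group cleanup belongs in the termination procedure alongside the disable.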

Anyway, you get the idea. Hope you have a great week. Join me tomorrow when I will talk about some more difficult ways the hacker may gain access to the old network.

A Hacker Scenario: a short discussion

SUMMARY: Ed Wilson talks about a hacker scenario.

A hacker scenario.

A hacker decides to target MegaCorp. Why? Remember my article about hacker motivation? It may be for revenge, to make a political statement, for fun (and as a learning experiment), or for profit (to gain access to trade secrets, or even to embarrass the company). Really, at this point the motivation is not the key thing, because it does not affect either the methodology or the outcome of the attack.

It will, however, be very important to your readers. Readers want to know WHY this hacker is doing this. Give the hacker a compelling and legitimate reason. Revenge may not ring true with the majority of your readers unless you do two things: show in advance that the hacker has the necessary skills to pull off the hack, and show something in the hacker's personality that points to the hacker actually going and doing this. Thousands of people lose their jobs every day, and yet very few of them go off on a quest to exact revenge on the company that fired them. Usually they lick their wounds, polish up their resume, and move on with their lives.

Maybe the hacker cannot simply polish up the resume and move on. Maybe the CIO (Chief Information Officer) fired the hacker for alleged incompetence and then blackballed him or her by ruining their reputation in the IT community. Now they can't even get an entry-level job on a help desk. They can't get unemployment benefits because they were fired for cause; the poor hacker is becoming desperate. To make matters worse, maybe the hacker can't get health insurance and has a handicapped son. Government insurance says he has too much money, but the money is tied up in a 401K. They say he has to sell it, but if he sells it, the government will take so much in taxes and penalties that there will be little left to pay for his son's operation. He is caught between the cracks in the system, and no one seems to listen or care.

How will the hacker make any money?

How will he make any money by hacking his former company? He will hold them for ransom. There are many ways of doing this; it all depends on what kind of company MegaCorp really is.

  • One way is to access their customer database and steal all of their customer data. Now what does he do with it? He can blackmail the company: give me $1,000,000 or I release all this customer information on the Internet. So? Well, this will make the news, and MegaCorp may lose business. Their stock may decline in value. At a minimum it will cost them money as they notify customers and get involved with the feds who come to investigate. If MegaCorp is found negligent, the company and company officials can be fined, or even sent to jail.
  • Another way is to access their computer systems, sabotage their data backups, and then change the security permissions so that they are locked out of their own systems. Now the hacker once again issues the demand, but this time threatens to destroy all of their data, and with it the company. Because the backup systems are also taken out, the company could be in real trouble. But don't most companies have off-site data backup? Well yeah, but suppose they didn't. Or suppose the hacker disabled the backup system prior to leaving, and the company never discovered that the backups were not working. Maybe it really is the CIO who is incompetent, and more interested in reducing cost (and therefore getting a larger bonus at the end of the year) than in ensuring that the IT staff has the tools to do the job. Maybe our hacker threatened to blow the whistle, and that is why the hacker was fired and blackballed. Remember my article about people being the weakest link in the security chain? Budget cuts, increasing demands on IT pros' time, and reduced training can all come into play here.
  • Maybe the hacker just steals the company secrets and offers to sell them to a competitor or to a foreign government.

Evaluation of the scenarios.

The trick to making either scenario one or two work is to keep the ransom demand low. Most CIOs have a certain discretionary budget they can spend without seeking approval. If this amount is large enough to be worthwhile, our hacker friend can get the money with little hassle. In addition, if the CIO really is culpable, there is an implicit desire for a cover-up.

If more money is required, go up a level in the food chain. Maybe the COO (chief operating officer) will want to keep things quiet. It might even be that the board will pay the blackmail, but getting board approval requires more time, and time is on neither the company's nor the hacker's side.

If the hacker gets too greedy, the government will be called in. This can involve lots of different agencies depending on the company, what they do, and who the board members play golf with.

Scenario number three is much riskier. If the sale is offered to a rival company, it is quite possible that the other company is ethical and would never have anything to do with stolen secrets. Most companies have mandatory ethics training for their staff and would not touch misappropriated trade secrets. In fact, this would be a nice twist from the run-of-the-mill stuff we see on the big screen nowadays. They might very well call in the FBI and report the attempted sale.

If an attempt is made to sell the secrets to a foreign government, the hacker could run afoul of the NSA, the CIA, the DOD, and any number of other three-letter agencies. Even the US Marshals are flying around hacking cell phones these days. This particular scenario is pretty much a fool's errand unless the hacker somehow has knowledge of international espionage. The hacker can't just have been a US Naval intelligence officer ten years ago; this world changes dramatically every few months. So unless the hacker has current experience they will not be successful, unless you (as the writer) want your hacker to get caught.

Hacker points of attack

SUMMARY: Ed Wilson talks about some of the tools and techniques hackers use.

This morning, I am sitting in the living room with my Surface 4 and sipping a nice cup of Assam black tea. I put a cinnamon stick in it, and just a little bit of rock sugar I brought back from Germany. It is cold outside. Well, actually cold is all relative. For Florida it is cold. For the South Pole, it would be a nice summer day I imagine.

It is this idea of relativity that must be borne in mind when talking about hackers, their tools, and their techniques. But before I get to that, I want to talk about the weakest link in the security chain: people.

People are the weakest link in the security chain

It really does not matter whether we are talking about information related to national security (remember the US Secretary of Defense who brought his secure laptop home a few years ago) or about a mom-and-pop grocery store's email account. There are several ways that people come into play when talking about the security of information systems. Here are a few of them.

  • Setting up systems – If the person deploying the software does not understand the software's inherent security mechanisms, they may make the wrong choices during installation. Many software companies have tried to mitigate this risk with a "secure by default" type of installation. One problem with this approach is that at times the software ends up installed but not doing everything that is expected. This leads to the second problem.
  • Configuring systems – IT professionals (and others) often have heavy demands on their time. They are expected to perform more and more duties with fewer and fewer resources.
    • One resource that gets cut is the budget for expert consultants who used to come in and perform the installation and configuration of complex systems.
    • Another is training. In the past, companies would send their staff to several weeks of continuing-education classes and conferences to ensure they were up to speed with the latest technologies. Now many companies have cut back on that training and expect their staff to come up to speed by reading blogs and books and learning on their own.
    • This becomes increasingly difficult as staffs are cut and duties expanded. As a result, when a new system is deployed and things do not work out of the box, staff "go online," find an article that says "flip this switch, make this change in the registry, and it will work," and the article says nothing about the impact on security.
  • Patching systems – No software is perfect. No hardware is perfect. Therefore both software and hardware require updates to perform properly, and to remain secure.
    • Even software updates are not perfect, and at times they cause additional problems.
    • As a result, large corporate and governmental organizations employ entire groups of IT Pros who evaluate software updates against a test environment. Ideally, the test environment replicates the actual production environment. All this takes time.
    • During the time between when a security update is released, and it is evaluated and deployed the systems are vulnerable to the particular attack that the update is supposed to guard against.
    • Obviously, the same holds true for all other computers (including personal laptops, cell phones, and tablets).
  • Passwords – Most systems rely on passwords of some sort. A weak password exposes the system to attack. If the weak password belongs to someone with Admin rights, then the entire system is subject to compromise.

Hackers probe for vulnerabilities

The task for the hacker, generally, is to find the low hanging fruit. Here are some of the trees that may provide easily accessible fruit for the hacker.

  • One way to do this is to search for systems that have been set up using only defaults. If a hacker discovers a server that is broadcasting default information (default service banners, for example), it is a good bet that the person who installed it did not perform any additional configuration. Armed with knowledge of the defaults, the hacker can then begin to probe the system for points of entry.
  • A hacker will also search for specific services that may be available on a server. If they find the service offered, and not locked down, the hacker may be able to gain entry.
  • When a particular vulnerability is discovered, often exploit code is also developed and released to the internet. Many times, all a hacker needs to do is to download the exploit code, and search for unpatched systems to attack. At other times, when a hacker is targeting a specific system, they merely try all of the known exploits until they find the one that works (i.e. the patch that the Admin of the system failed to install).

Default and weak passwords

  • Often programs, and especially hardware devices, come with a preconfigured password, and at times these passwords are never changed. A rather embarrassing case happened a few years ago when the department of transportation in Maine did not change the password on its road notification signs, and someone came along and added their own message to the signs.
  • User passwords – Often users configure really weak passwords – such as their name, their significant other’s name, their pets name, their children’s names.

I was at a company once on a consulting engagement, trying to get my point across to one of the Admins, and I noticed a company social directory lying on his desk. It listed everyone at the site, along with the names of their children and significant others. I picked it up and said, "This contains the passwords for half of the accounts on your system." He said, "Not mine." To which I replied, "Then it is your pet's name." He said, "I guess I need to change my password."

These are all things a writer can use to introduce an element of realism when hackers and computer systems come into play. Start easy, with the low-hanging fruit, and then add an element of tension and excitement to the mixture. It does not take much technical knowledge to explain to the reader that the hacker gained access to the router because the person setting it up did not change the default password. It will be much more believable, and you may actually be performing a great service to your reader when they say, "Hmmm, maybe I should change the password after all."

What does a hacker really do?

SUMMARY: Ed Wilson talks about what hackers really do.

What do hackers really do?

  1. Well, for one thing it kind of depends on what kind of hacker one is talking about. As a writer, it is important to get this type of detail correct. If one is writing about a Script Kiddie don’t have them writing custom code to break into the NSA’s central database. It simply will not happen.
  2. For a second thing, it really depends on the target of the hack. If the object is to score free wireless access while hanging out in the hotel lobby (instead of paying the legalized-robbery rate of $25.00 for a calendar day, and not even a 24-hour day), the technique will be quite different than if the object is a pharmaceutical company's web site.
  3. For a third thing, it depends on the purpose of the hack. If the purpose is to embarrass, or otherwise call attention to something, then stealth may not be an issue. If on the other hand, the purpose is to steal trade secrets, or military secrets, the goal may be to prolong discovery.
  4. For a fourth thing, it depends on intent. Is the purpose of the hack to get in, or to shut the system down and so prevent others from getting in? Shutdowns of this kind are called Denial of Service (DoS) attacks. In the past these were pretty easy to do, but most commercial, military, and government systems are now designed with lots of built-in redundancy, so they are harder to pull off. They are still attempted, as anyone who has ever read a router or firewall log can attest.

Well, I need to go for now. Join me tomorrow when I will talk about specific techniques that hackers employ.  Until then I hope you have a wonderful day.

How does a hacker work? (pt. 3)

SUMMARY: Ed Wilson talks about the motivation of various types of hackers.

In contrast to Script Kiddies, or hackers who are primarily seeking to explore, professional hackers engage in their activities because it is a job. There are at least four different types of professional hackers.

  1. White hats – White hat hackers (also called ethical hackers) are often employed by security firms to hack into a client's system. This is called pen testing (short for penetration testing, because they seek to penetrate the client's network). The idea is that if the security firm is able to breach the network, the network is vulnerable to attack. The security firm documents everything that is done and provides guidance for remediating the specific deficiencies discovered. Often the client specifies in the agreement that the test will take place during a set period of time, and may also restrict the information provided to the security team. Most of the time, taking down the network is not a goal.
  2. Government hackers – Various countries routinely engage in hacking as a way to gather information. They may target military secrets, government officials, corporations, or even private citizens; the targets range from email accounts and databases to phone systems. Because of the nearly inexhaustible resources of government funds, these hacks are very hard to stop and often go undetected. Quite often they also involve compromising physical security. When one has physical access to a device, it is game over.
  3. Criminal enterprises – With resources that rival government funding, criminal enterprises have in recent years become major players in hacking. Interestingly enough, many of the computer crimes follow the same traditional crimes the various enterprises previously engaged in: blackmail, extortion, theft, gambling, and fraud have all found new homes in the virtual world. The motivation for criminal enterprises is simple: money. Anything that can net serious money becomes fair game.
  4. Independent hackers – These are either Script Kiddies or experimenters who got sucked over to the dark side (primarily so they can pay for their hardware). They do things like infect thousands (or hundreds of thousands) of computers with malware that siphons off CPU time, memory, and Internet bandwidth. These infected computers are often referred to as zombies. The independent hackers then auction off zombie networks to the highest bidder, or simply sell computer time on them. Often they are selling the ability to send out massive amounts of spam, or to run parallel computing to crack passwords, mine bitcoins, or perform other CPU-intensive tasks.

Join me tomorrow where I will begin a discussion of the different types of hacker activities. Until then, I hope you have a tremendous day.