SUMMARY: Ed Wilson talks about some of the tools and techniques hackers use.
This morning, I am sitting in the living room with my Surface 4 and sipping a nice cup of Assam black tea. I put a cinnamon stick in it, and just a little bit of rock sugar I brought back from Germany. It is cold outside. Well, actually cold is all relative. For Florida it is cold. For the South Pole, it would be a nice summer day I imagine.
It is this idea of relativity that must be borne in mind when talking about hackers, their tools, and their techniques. But before I get to that, I want to talk about the weakest link in the security chain – people.
People are the weakest link in the security chain
It really does not matter whether we are talking about information related to national security (remember the US Secretary of Defense who brought his secure laptop home a few years ago) or about a mom-and-pop grocery store's email account. There are several ways that people come into play when talking about the security of information systems. Here are a few of them.
- Setting up systems – If the person deploying the software does not understand the inherent security mechanisms of the software, it is possible they will make the wrong choices when performing the installation. Many software companies have tried to mitigate this risk by initiating a “secure by default” type of installation. One problem with this approach is that at times the software ends up installed, but not doing everything that is expected. This leads to the second problem.
- Configuring systems – Many times IT professionals (and others) have heavy demands on their time. They are expected to perform greater and greater duties with fewer and fewer resources.
  - Some of these resources include hiring expert consultants to come and perform installation and configuration of complex systems.
  - Another shrinking resource is training. In the past, companies would send their staff to several weeks of continuing education training classes and conferences to ensure they were up to speed with the latest technologies. Now, many companies cut back on that training and expect their staff to come up to speed by reading blogs and books, and by learning on their own.
  - This becomes increasingly difficult when staffs are cut and duties are expanded. As a result, when new systems are deployed and things do not work out of the box, staff “go online” and find an article that says “flip this switch, make this change in the registry and it will work,” but the article does not say anything about the impact on security.
- Patching systems – No software is perfect. No hardware is perfect. Therefore, both software and hardware require updates to perform properly and to remain secure.
  - Even software updates are not perfect, and at times they cause additional problems.
  - As a result, large corporate and governmental organizations employ entire groups of IT Pros who evaluate software updates against a test environment. Ideally, the test environment replicates the actual production environment. All this takes time.
  - During the time between when a security update is released and when it is evaluated and deployed, the systems are vulnerable to the particular attack that the update is supposed to guard against.
  - Obviously, the same holds true for all other computers (including personal laptops, cell phones, slate and surface types of devices).
- Passwords – Most systems rely on passwords of some sort. A weak password exposes the system to attack. If the weak password belongs to someone with Admin rights, then the entire system is subject to compromise.
Hackers probe for vulnerabilities
The task for the hacker, generally, is to find the low hanging fruit. Here are some of the trees that may provide easily accessible fruit for the hacker.
- One way to do this is to search for systems that are set up using only defaults. If a hacker discovers a server that is broadcasting default information, it is a good bet that the person who installed the system did not perform any additional configuration. Armed with knowledge of defaults, a hacker can then begin to probe the system to find points of entry.
- A hacker will also search for specific services that may be available on a server. If they find the service offered, and not locked down, the hacker may be able to gain entry.
- When a particular vulnerability is discovered, often exploit code is also developed and released to the internet. Many times, all a hacker needs to do is to download the exploit code, and search for unpatched systems to attack. At other times, when a hacker is targeting a specific system, they merely try all of the known exploits until they find the one that works (i.e. the patch that the Admin of the system failed to install).
- Often programs, and especially hardware devices, come with a preconfigured password. At times, these passwords are not changed. A rather embarrassing case happened a few years ago when the department of transportation in Maine did not change the password on the road notification signs. Someone came along and added their own message to the signs.
- User passwords – Often users configure really weak passwords – such as their name, their significant other’s name, their pet’s name, their children’s names.
I was at a company once on a consulting engagement, and I was trying to get my point across to one of the Admins, and I noticed there was a company social directory lying on his desk. It listed everyone at the site, the names of their children and significant others. I picked it up and said, “This contains the passwords for half of the accounts on your system.” He said, “Not mine.” To which I replied, “Then it is your pet’s name.” He said, “I guess I need to change my password.”
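The social-directory problem described above can be turned into a check that runs when a password is chosen. The following is an added example, not code from the original post: the directory contents, account names and function names are constructed for illustration, and it goes a little beyond the text by also catching common character substitutions such as `4` for `a`.

```python
# Constructed sample data standing in for a company social directory:
# each account maps to the names of the user, partner, children and pets.
DIRECTORY = {
    "jsmith": ["John", "Mary", "Ethan", "Biscuit"],
    "akhan": ["Aisha", "Omar", "Whiskers"],
}

# Common character substitutions, undone before comparing against names.
# "1" and "!" are ambiguous (l or i), so two tables are tried.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
_AS_L = str.maketrans({**_BASE, "1": "l", "!": "l"})
_AS_I = str.maketrans({**_BASE, "1": "i", "!": "i"})

MIN_NAME_LEN = 3  # assumption: very short names would flag too many passwords


def derived_from(password, names):
    """Return the name the password is built on, or None if no name matches."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(_AS_L), lowered.translate(_AS_I)}
    for name in names:
        needle = name.lower()
        if len(needle) >= MIN_NAME_LEN and any(needle in c for c in candidates):
            return name
    return None


def audit(proposed):
    """Map each account to the directory name its proposed password uses."""
    return {
        user: derived_from(password, DIRECTORY.get(user, []))
        for user, password in proposed.items()
    }


if __name__ == "__main__":
    # Constructed passwords, checked at the moment they are being set.
    for user, hit in audit({"jsmith": "3th4n!!", "akhan": "T9#vq-Lr2m"}).items():
        print(user, "rejected: based on " + hit if hit else "accepted")
```

A check like this belongs at password-change time, where the proposed password is available in clear text, and it complements rather than replaces length requirements and breached-password lists.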
These are all things a writer can use to help to introduce an element of realism when hackers and computer systems come into play. Start easy, start with the low hanging fruit, and then add an element of tension and excitement into the mixture. It does not take much technical knowledge to explain to the reader that the hacker gained access to the router because the person setting it up did not change the default password. It will be much more believable, and maybe you will actually be performing a great service to your reader when they say, “hmmm maybe I should change the password after all.”