Crack the hackers

Most companies are unaware a world of crime and espionage exists just outside the corporate firewall.

By Imthishan Giado. Published April 12, 2008

Most companies are only dimly aware that a shadowy world of organised crime, miscreants and state-sponsored espionage exists just outside the corporate firewall. Imthishan Giado talks to the individuals on the front lines of the war between hackers and the guardians of enterprise security.

When asked to describe what a typical ‘hacker’ looks like, most people resort to film clichés such as Keanu Reeves in The Matrix. The stereotypical hacker is a dank, unkempt loner who lives in a basement lit by the harsh glow of an LCD and gleefully punches away at a keyboard, defacing websites and leaving rude messages on desktops.


That's the old reality, says Jeremiah Grossman, CTO and founder of web security specialists WhiteHat Security, former information security officer for Yahoo! and the keynote speaker at this month's HackInTheBox security conference in Dubai.

"It used to be about ideology, the art of the hack and getting a reputation. We're now seeing a trend towards financially motivated hacks, where a lot of smart people all over the world make their living out of doing illicit hacks online. You have rogue marketing types that hack websites to improve their global ranking. State-sponsored hacking happens all the time. You also have things like the Russian Business Network hiring hackers to carry out e-commerce-type fraud and identity theft. So you'll see a wide spectrum of bad guys monetising in different types of ways," he explains.

While these attacks are a daily reality for most net citizens and corporations, Petko Petkov, founder of the ethical hacker think tank GNUCitizen, says the trend has not yet reached its peak, and suggests which organisations make the most vulnerable targets.

"Banks and corporations that hold personal details will probably be the first types of targets. A lot of these new-age Web 2.0 companies and websites are also at risk. There is not one specific target - whatever is easy to compromise is a good enough target for attackers.

"The hacking business is not as mature as it will get in the future. Right now it mostly involves compromising PCs and hooking them to botnets and such, but in the future - I'm not talking about the distant future but probably a year or two ahead - organised crime will start using hacker tricks for all sorts of things - modifying public records or black public relations, which is where companies hire a group of hackers to break into their competition and steal data, make it public through some channel and as such defame the company. This stuff is not uncommon - we've seen it happen and it's already been on the news," he warns.

WhiteHat's Grossman says that even though application developers are responsible for the vulnerabilities that give hackers easy access to corporate systems, they should not be expected to resolve the problem quickly.

"It's way outpacing quality assurance personnel's ability to effectively pentest [penetration test] all these vulnerabilities. Beyond that, even if we're able to know their exact location, remediation is almost impossible at this point due to the volume of work being generated," he claims.

The problem, suggests Petkov, is that enterprises have expanded too quickly, with infrastructure growth outpacing the ability of IT teams to secure it.

"I've tested numerous corporate networks where inside it's fairly relaxed because the user is trusted. With no proper segmentation between different networks and no security restrictions, it's complete chaos. Once an attacker gets into the corporate network it's a matter of time to get to the real interesting data. Many corporations try to resolve the problem on the upper level by installing firewalls, intrusion detection and sometimes prevention systems," he says.

He lists a number of possible means by which attackers can gain access to a network - and surprisingly few require sophisticated IT knowledge. One of the key problems is, as he mentioned earlier, the low levels of security within corporate networks.

While most corporations erect expensive firewalls to keep hackers out, a far easier strategy is to target senior users who travel with laptops and have corporate VPN access. Once these users connect to their home networks or public Wi-Fi hotspots, they are easy prey for hackers, who can inject their machines with malicious code and later steal their credentials when they reconnect to the corporate VPN.

Another method, only slightly more involved, is to erect a complete fake network. This fools laptops - which typically keep a list of preferred wireless networks and rejoin them automatically - into thinking they are back in their regular office environment. If the attacker controls the network, says Petkov, anything is possible.

"If that user starts using their e-mail client which probably runs in the background and starts performing checks, the credentials sometimes travel in the clear. When the attacker controls the network silently, they will be able to steal this information. This hack can be performed in about five minutes," he states.
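What the attacker controlling that fake network actually harvests from a background mail client is easy to show. The following Python scanner is an added example, not code from the article, from GNUCitizen or from WhiteHat: it walks a constructed capture of client-to-server lines from unencrypted POP3, IMAP and SMTP sessions and pulls out every username and password sent in the clear. The same logic, run on a passive sensor inside the corporate network, is the check a defender would use to find mail clients that still have TLS switched off.

```python
"""Scan a captured mail session for credentials sent in the clear.

Added example; not code from the article, WhiteHat, GNUCitizen or any
product they describe. It stands in for what someone who controls the
network (the attacker in the scenario above, or a defender running a
passive sensor) sees when a background mail client logs in over plain
POP3, IMAP or SMTP without TLS.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: client-to-server lines from three unencrypted sessions,
# tagged with the protocol the sensor inferred from the destination port.
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("pop3", "USER alice@example.test"),
    ("pop3", "PASS Winter2008!"),
    ("imap", 'a001 LOGIN "bob@example.test" "hunter2"'),
    ("imap", "a002 STARTTLS"),                      # upgrade attempt, no secret
    ("smtp", "AUTH PLAIN " + base64.b64encode(b"\x00carol@example.test\x00s3cret").decode()),
    ("smtp", "AUTH LOGIN"),                         # two base64 lines follow
    ("smtp", base64.b64encode(b"dave@example.test").decode()),
    ("smtp", base64.b64encode(b"p@ssw0rd").decode()),
]

POP3_USER = re.compile(r"^USER\s+(\S+)$", re.I)
POP3_PASS = re.compile(r"^PASS\s+(\S+)$", re.I)
# IMAP: <tag> LOGIN <user> <password>, each optionally quoted.
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', re.I)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)$", re.I)
SMTP_AUTH_LOGIN = re.compile(r"^AUTH\s+LOGIN$", re.I)


def _b64(text: str) -> Optional[str]:
    """Decode strict base64 to text, or None if the line is not base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_cleartext_credentials(capture: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one {proto, user, password} record per credential seen in the clear."""
    findings: List[Dict[str, str]] = []
    pop3_user: Optional[str] = None    # USER seen, PASS not yet
    smtp_login: Optional[str] = None   # None, "user" or "pass": position in AUTH LOGIN
    smtp_user: Optional[str] = None
    for proto, raw in capture:
        line = raw.strip()
        if proto == "pop3":
            m = POP3_USER.match(line)
            if m:
                pop3_user = m.group(1)
                continue
            m = POP3_PASS.match(line)
            if m and pop3_user is not None:
                findings.append({"proto": "pop3", "user": pop3_user, "password": m.group(1)})
                pop3_user = None
        elif proto == "imap":
            m = IMAP_LOGIN.match(line)
            if m:
                findings.append({"proto": "imap", "user": m.group(1), "password": m.group(2)})
        elif proto == "smtp":
            m = SMTP_AUTH_PLAIN.match(line)
            if m:
                decoded = _b64(m.group(1))
                # RFC 4616 PLAIN: [authzid] NUL authcid NUL password
                if decoded is not None and decoded.count("\x00") == 2:
                    _, user, password = decoded.split("\x00")
                    findings.append({"proto": "smtp", "user": user, "password": password})
                continue
            if SMTP_AUTH_LOGIN.match(line):
                smtp_login = "user"
                continue
            if smtp_login == "user":
                smtp_user = _b64(line)
                smtp_login = "pass" if smtp_user is not None else None
            elif smtp_login == "pass":
                password = _b64(line)
                if password is not None and smtp_user is not None:
                    findings.append({"proto": "smtp", "user": smtp_user, "password": password})
                smtp_login = None
                smtp_user = None
    return findings


def redacted(findings: List[Dict[str, str]]) -> List[str]:
    """Report each hit without writing the secret itself to a log."""
    return [f"{f['proto']}: {f['user']} password={'*' * len(f['password'])}" for f in findings]


if __name__ == "__main__":
    for report_line in redacted(find_cleartext_credentials(SAMPLE_CAPTURE)):
        print(report_line)
```

The constructed capture yields four credentials: the POP3 pair, the IMAP LOGIN and both SMTP forms (PLAIN is a single base64 blob with NUL separators; LOGIN sends username and password as two separate base64 lines, so the scanner keeps a little state between lines). A defender's version would report the redacted form only; the plaintext is what the attacker walks away with.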

Some entry methods are shockingly basic and reflect the scant attention which enterprises pay to fundamental physical security.

"One of the most basic ways of compromising a corporate network is to walk into one of the offices. The entrances sometimes have access to Ethernet sockets so the attackers install a small device and hide it away from casual observation and use it to access the corporate network. This is very basic stuff," reveals Petkov.
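A small device plugged into a lobby jack still has to show up somewhere, and the cheapest place to look is the access switch's MAC address table. The following Python check is an added example, not code from the article or from GNUCitizen: it parses a constructed Cisco-style `show mac address-table` dump, compares the MACs seen on ports that serve publicly reachable jacks against a constructed asset inventory, and flags both unknown addresses and jacks carrying more than one device. Port names, the inventory and the list of public-area ports are all assumptions for the example.

```python
"""Flag unexpected devices on switch ports whose jacks a visitor can reach.

Added example; not code from the article or from GNUCitizen. The switch
output, the asset inventory and the list of public-area ports are all
constructed for the example.
"""
import re
from typing import Dict, List

# Constructed switch output in Cisco IOS `show mac address-table` layout.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4457    STATIC      Gi1/0/3
  10    b827.eb12.3456    DYNAMIC     Gi1/0/24
  10    0011.2233.4460    DYNAMIC     Gi1/0/24
  20    0011.2233.4461    DYNAMIC     Gi1/0/48
"""

# Constructed asset inventory: normalised MAC -> asset tag.
KNOWN_ASSETS: Dict[str, str] = {
    "00:11:22:33:44:55": "WS-0101 (desk 1)",
    "00:11:22:33:44:56": "WS-0102 (desk 2)",
    "00:11:22:33:44:57": "PRN-02 (printer)",
    "00:11:22:33:44:60": "PHONE-LOBBY-1",
}

# Assumed: ports whose jacks sit where a visitor can reach them without a badge.
PUBLIC_AREA_PORTS: Dict[str, str] = {
    "Gi1/0/24": "reception desk jack",
    "Gi1/0/48": "meeting room A",
}

# One table row: vlan, dotted-hex MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)


def normalise_mac(cisco_mac: str) -> str:
    """Turn 0011.2233.4455 into 00:11:22:33:44:55 so it matches the inventory."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> List[Dict[str, object]]:
    """Parse the dump into one record per learned address; headers are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append({
                "vlan": int(m.group(1)),
                "mac": normalise_mac(m.group(2)),
                "type": m.group(3).upper(),
                "port": m.group(4),
            })
    return entries


def audit_public_ports(entries: List[Dict[str, object]],
                       known: Dict[str, str],
                       public_ports: Dict[str, str]) -> List[str]:
    """Report unknown MACs, and more than one MAC, on each public-area port."""
    by_port: Dict[str, List[Dict[str, object]]] = {}
    for e in entries:
        by_port.setdefault(str(e["port"]), []).append(e)

    alerts: List[str] = []
    for port, location in public_ports.items():
        seen = by_port.get(port, [])
        for e in seen:
            if e["mac"] not in known:
                alerts.append(f"{port} ({location}): unknown MAC {e['mac']} on VLAN {e['vlan']}")
        if len(seen) > 1:
            # A jack that should carry one phone or PC now carries several devices.
            alerts.append(f"{port} ({location}): {len(seen)} MACs on one access port")
    return alerts


if __name__ == "__main__":
    for alert in audit_public_ports(parse_mac_table(SAMPLE_MAC_TABLE),
                                    KNOWN_ASSETS, PUBLIC_AREA_PORTS):
        print(alert)
```

On the constructed data this raises three alerts: an unknown address on the reception jack, a second device sharing that jack with the known lobby phone, and an unknown address in meeting room A. It is a point-in-time check against whatever the switch has learned, so it belongs in a scheduled job; it does not replace port security or 802.1X on those ports, it tells you where they are missing.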

The tools used for these attacks are often not what one expects, says Thomas Blackard, MST team chief and senior technical threat analyst, MST II, for the US Army.

"I've seen people do strange things with Asus Eee PCs and a modified Sega Dreamcast with a network adapter and a modem setup in a wiring closet with access. If you have quantifiably important equipment then you need to take equitable measures to secure that from the outside world; don't use a glass door, use a metal door. You don't want to impede the users but you want to impede processes into areas where humans don't necessarily need to be," he says.
