Hacking For Dummies. Kevin Beaver
Bypassing web access controls by elevating their privileges via a vulnerable web page, the application’s login mechanism, or a vulnerable password reset process.
Using unauthorized software that would otherwise be blocked at the firewall by changing the default TCP port on which it runs.
Setting up a wireless “evil twin” near a local Wi-Fi hotspot to entice unsuspecting Internet surfers onto a rogue network, where their information can be captured and easily manipulated.
Using an overly trusting colleague’s user ID and password to gain access to sensitive information that they’d otherwise be highly unlikely to obtain and that could then be used for ill-gotten gains.
Unplugging the power cord or Ethernet connection to a networked security camera that monitors access to the computer room or other sensitive areas and subsequently gaining unmonitored system access.
Performing SQL injection or password cracking against a website via a neighbor’s unprotected wireless network to hide the malicious user’s own identity.
Malicious hackers operate in countless ways, and this list presents only a small number of the techniques hackers may use. IT and security professionals need to think and work this way to find security vulnerabilities that may not otherwise be uncovered.
Who Breaks into Computer Systems
Computer hackers have been around for decades. Since the Internet became widely used in the 1990s, the mainstream public has started to hear more about hacking. Certain hackers, such as John Draper (also known as Captain Crunch) and Kevin Mitnick, are well known. Many more unknown hackers are looking to make names for themselves, and they’re the ones you have to look out for.
In a world of black and white, describing the typical hacker is easy. The historical stereotype of a hacker is an antisocial, pimply teenage boy. But the world has many shades of gray, and many types of people do the hacking. Hackers are unique people, so a profile is hard to outline. The best broad description of hackers is that all hackers aren’t equal. Each hacker has unique motives, methods, and skills.
Hacker skill levels
Hacker skill levels fall into three general categories:
Script kiddies: These hackers are computer novices who take advantage of the exploit tools, vulnerability scanners, and documentation available free on the Internet but who don’t have any real knowledge of what’s going on behind the scenes. They know just enough to cause you headaches but typically are very sloppy in their actions, leaving all sorts of digital fingerprints behind. Even though these guys are often the stereotypical hackers that you hear about in the news media, they need only minimal skills to carry out their attacks.
Criminal hackers: Sometimes referred to as crackers, these hackers are skilled criminal experts who write some of the hacking tools, including the scripts and other programs that the script kiddies and security professionals use. These folks also write malware to carry out their exploits from the other side of the world. They can break into networks and computers and cover their tracks. They can even make it look as though someone else hacked their victims’ systems. Sometimes, people with ill intent may not be doing what’s considered to be hacking; nevertheless, they’re abusing their privileges or somehow gaining unauthorized access. Advanced hackers are often members of collectives that prefer to remain nameless. These hackers are very secretive, sharing information with their subordinates (lower-ranked hackers in the collectives) only when they deem those subordinates to be worthy. Typically, for lower-ranked hackers to be considered worthy, they must possess unique information or take the ganglike approach by proving themselves through a high-profile hack. These hackers are some of your worst enemies in IT. (Okay, maybe they’re not as bad as untrained and careless users, but they’re close. They do go hand in hand, after all!) By understanding criminal hacker behavior, you’re simply being proactive, finding problems before they become problems.
Security researchers: These people are highly technical, publicly (or somewhat publicly) known security experts who not only monitor and track computer, network, and application vulnerabilities but also write tools and other code to exploit them. If these guys didn’t exist, security professionals wouldn’t have much in the way of open-source and even certain commercial security testing tools. I follow many of these security researchers on a weekly basis via their personal or company blogs, Twitter feeds, and articles, and you should too. You can review my blog (www.principlelogic.com) and the appendix of this book, which lists other sources from which you can benefit. Following the progress of these security researchers helps you stay up to date on vulnerabilities, as well as the latest, greatest security tools. I list tools and related resources from various security researchers in the appendix and throughout the book.
Hackers can be good (white hat) or bad (black hat). Gray-hat hackers are a little bit of both. There are also blue-hat hackers, outsiders who are hired to find security flaws in client systems. Blue-hat hackers are more recently referred to as purple-hat hackers.
A study from the Black Hat security conference found that everyday IT professionals even engage in malicious and criminal activity against others. And people wonder why IT doesn’t get the respect it deserves!
Regardless of age and complexion, hackers possess curiosity, bravado, and often very sharp minds.
Hacker motivations
Perhaps more important than a hacker’s skill level is their motivation. The following groups of hackers have different motivations:
Hacktivists: These hackers try to disseminate political or social messages through their work. A hacktivist wants to raise public awareness of an issue but wants to remain anonymous. In many situations, these hackers try to take you down if you express a view that’s contrary to theirs. Examples of hacktivism are the websites that were defaced by the “Free Kevin” messages that promoted freeing Kevin Mitnick, who was in prison for his famous hacking escapades. Other cases of hacktivism include messages about legalized drugs, antiwar protests, wealth envy, big corporations, and just about any other social and political issue you can think of.
Terrorists: Terrorists (both organized and unorganized and often backed by government agencies) attack corporate or government computers and public utility infrastructures such as power grids and air-traffic control towers. They crash critical systems, steal classified data, and/or expose the personal information of government employees. Countries take the threats that these terrorists pose so seriously that many mandate information security controls in crucial industries, such as the power industry, to protect essential systems from these attacks.
Hackers for hire: These hackers are often (but not always) part of organized crime on the Internet. Many of these hackers hire out themselves or their ransomware and DoS-creating botnets for money — lots of it!