What hacking incidents have I heard of? Plenty, you’ll be surprised. But I’m not going to talk about them today. Instead, I will take you through the mind of a hacker. See what they look out for and more importantly, how you can prevent yourself from falling victim to a hacker. (Photos taken from my own collection).
Movies often portray hackers as geeks or nerds who spend most of their time in front of their Unix systems, looking through lines of green code in the middle of the night. The reality is far from that. Most people don’t realize that hackers are often just ordinary people like you and me. They go to school or college, or have regular jobs. But their curiosity about how a system works often takes them further than most people would go.
Poking through sensitive information, looking for holes in security systems, and devising methods to exploit potential flaws are just some of the things that they do. Most hackers are known for their ability to think outside of the box and to come up with unique solutions for problems, including ways to get into a secured system. Some do it for the knowledge, some do it for the thrill and some do it for the money. Some just do it because they can. Here are just some of the things hackers do, and how you can protect yourself against them.
Trust is not always good.
Trusting strangers in cyberspace is a big mistake. Users who are unfamiliar with computers and the Internet often fall victim to these hackers. One of the easiest things for a hacker to do is to send a Trojan. Trojans can be hidden inside legitimate programs. When that program is run, the Trojan silently installs itself on the victim’s computer and lets the hacker take control of it. The victim will not suspect a thing. The hacker can then easily steal the victim’s sensitive information like passwords and credit card information. Trojans can often cause more damage than viruses.
Just some of the harmless things the Sub7 trojan can do. It can also steal passwords, credit card numbers and wipe out your entire hard disk.
Prevention: Do not accept suspicious programs from strangers, especially over instant messengers. Do not download anything from an untrusted source. Treat executable files (.exe) with a certain level of suspicion. Be paranoid, and change your passwords often.
Websites are usually secure, making them hard for hackers to exploit. A website can be vulnerable to attacks if the server contains outdated software that has security holes, or is improperly configured. Badly written scripts can open up a server to malicious attacks.
One interesting hack involved a local website. Due to a configuration error when setting up the website, the administrator password was readable to anyone who knew where to look. I was able to log in as the administrator and the power to screw up the entire website was in my hands. But instead, I fired off an email to the administrator telling him how to fix it. The website is still up and running till today.
Prevention: Keep server software updated and all security holes patched. Never install scripts that may have security vulnerabilities. Monitor server logs frequently to detect suspicious activity. Subscribe to a mailing list like SecurityFocus.com’s Bugtraq to keep up to date with the latest vulnerabilities.
When wireless started to gain popularity, a new form of hacking called wardriving started. You just take your Wi-Fi-enabled laptop and drive around to look for unsecured wireless networks. In fact, you can try it now by downloading NetStumbler. Then you connect to them to either surf the web for free or gain access to sensitive information. A lot of people have unsecured wireless access points. At least one bank I know has unsecured wireless networks.
What wireless users do not realize is that when they are connected to an unsecured wireless network, they are sending information through the air unencrypted. Anyone within range of the wireless network can see what they are doing. I can sit at Starbucks and read everyone’s MSN conversations with just my laptop. There is no privacy at all.
Prevention: Try not to use unsecured wireless networks for sensitive work. Normal web browsing is alright, as long as you are not concerned about others knowing about the sites that you are visiting. To be safe, tunnel through an encrypted virtual private network (VPN). This way, information sent over the air will be encrypted and not readable by anyone.
Hacking is not limited to websites. Anything can be hacked and exploited, even network devices. A serious flaw was discovered in a local ISP’s modem some years back. The flaw enabled malicious hackers to gain access to subscribers’ sensitive information. That information could later be used to purchase access to wireless hotspots and make VoIP calls to land lines and mobile phones at the expense of the victims. The hack is untraceable until the damage is reflected on next month’s bill.
Prevention: Change your network devices’ default login passwords. Lists of default passwords are publicly available. Knowing the model of your router, a hacker will have no difficulty logging in if you still have the default password set. Always be observant of any unusual changes or symptoms on your network. A slow connection might mean someone else is leeching your internet bandwidth.
As mentioned, trusting strangers in cyberspace is a bad mistake. But having passwords that can be easily guessed is even worse. People often think that no one would bother to guess their passwords. It is not a myth that most people have “password” as their password. Hackers gaining access to email accounts can lead to serious disclosure of sensitive information. When government departments have email accounts with easy-to-guess passwords, you know that a more serious approach to cybersecurity is needed.
Prevention: Simple. Do not use easy-to-guess passwords. Change passwords frequently. If you’re afraid of forgetting your own password, use a password that makes sense, like “i12have4kids” or “ilove2blog4fun”. You can try phonetic passwords too. They’re easy to remember, but hard to guess. Companies and organizations should have security awareness campaigns to promote good security practices.
Port scanning is carried out to find an open port on a server to exploit. Open ports can lead to very serious security issues. I have come across websites with their FTP servers (port 21) wide open to the public. This means anyone and everyone can change the server files and run malicious scripts. The website can easily be defaced and probably destroyed if desired. There are a lot of free port scanners available online, which makes it easy for anyone to do a port scan.
Before TMNET decided to block port 25, some badly configured SMTP (Simple Mail Transfer Protocol) servers allowed anonymous users to send email to any address. These servers became proxies for spammers to send large amounts of junk email. A hacker can also use these servers to spoof emails. They can spoof an email to make it appear to come from a trusted source and trick their victims into revealing sensitive information like credit card numbers or account passwords.
Other open ports may allow unauthorized access to different services on a server. If a telnet service that allows anonymous login is running and port 23 is open to the public, anyone can log in and use the telnet server. With the proper tools, a hacker may be able to execute malicious scripts (example: shellcode) to gain administrator privileges and take over the server.
Prevention: Do not keep any unnecessary ports open to the public. If open ports are required, limit access to a pool of IP addresses only. An authentication system should also be built into the publicly accessible service. Not doing so is equivalent to leaving the front door open to a busy street. Installing a firewall is sufficient to restrict access to most ports. For home users, Sygate Personal Firewall is an excellent choice.
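The advice above starts with knowing which ports your own machine actually has open. The following is an added example, not code from the original post: it parses listener output in the format printed by `ss -tln` on Linux and reports every listener that is reachable beyond the loopback interface and is not on an allowlist. The sample output, the allowlist and all function names are constructed for illustration.

```python
"""Added example: flag listeners that are publicly bound but not allowlisted."""

# Constructed sample in the format printed by `ss -tln` on Linux.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     [::]:23             [::]:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     192.168.1.10:3306   0.0.0.0:*
"""

ALLOWED_PUBLIC_PORTS = {22, 80}  # hypothetical policy for this host
NAMED_IN_ARTICLE = {21: "FTP", 23: "telnet", 25: "SMTP"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row; skip headers and junk."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Return sorted (port, scope, service) for listeners that need review."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr) or port in allowed:
            continue  # local-only or explicitly approved
        scope = "all interfaces" if addr in WILDCARD_ADDRS else addr
        findings.append((port, scope, NAMED_IN_ARTICLE.get(port, "unknown")))
    return sorted(findings)


if __name__ == "__main__":
    for port, scope, service in audit(SAMPLE_SS_OUTPUT):
        print(f"review: port {port} ({service}) listening on {scope}")
```

On a real host, pass the text captured from `ss -tln` to `audit()` and adjust the allowlist to the services you intend to expose.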
The above is by no means a complete guide to prevent hacker attacks. Hackers will always come up with new ways of getting into a system. We can only make it harder for them, hoping that they will target an easier victim.
You can also get yourself updated and familiar with how hackers operate, what tools they use and how to prevent hacker attacks by attending a Complimentary Workshop on Cybersecurity organized by EC-Council Academy. It’s free, so sign up now. You might be surprised at what you may learn about hackers. Trust me, what you knew previously about hackers may be irrelevant after this workshop.
If you want to try some harmless hacking, head over to Hack This Site! and try out their hacking challenges. Some are really challenging but solutions are provided if you get stuck.
Till next time, happy hacking!