How Do Hackers Hack?

Crimes of opportunity lead the average hacker to valuable data.

By: Steve Snelgrove

You might think hackers selectively pick each business they hack. While this may be true in high profile or hacktivism cases, I estimate 90% of hacking is done based on a system’s general lack of security. Hackers don’t think, “Today I’m going to hack Acme Hardware across the street.” They scan for the most vulnerable system and start digging.

SEE ALSO: A Hacking Scenario: How Hackers Choose Their Victims

To defend against attacks, it is important to understand that hackers have different motivations and capabilities.

SEE ALSO: Takeaways from PCI DSS 2016 Data Breach Trends

The Opportunist Hacker

A crime of opportunity

These hackers stay up-to-date on security news. Once a vulnerability is made public, it’s fairly easy to conduct a large-scale network scan for systems which exhibit symptoms of the vulnerability. After the hacker gets the list of vulnerable machines, he will do additional research on the vulnerability and attempt to enter the system. Once inside, it is often easy to pivot and reach other, less hardened machines.

A great example of opportunist hackers in action arose when news of the Heartbleed vulnerability was released in April 2014. The vulnerability was publically exposed on many news publications. Very shortly thereafter, hackers scanned the Internet for looking machines using OpenSSL, and then attempted to exploit that vulnerability and enter the system. Piece of cake.

SEE ALSO: PCI 3.1, Stop Using SSL and Early TLS Immediately

But hackers don’t necessarily require huge newsworthy vulnerabilities in order to hack. There are thousands of other publicly-known vulnerabilities they could take advantage of. For example, website forms often have validation flaws. An attacker may submit potentially malicious data on a form, which then might be echoed back to the user's browser and rendered to the screen. The screen displays a mix of server content and the attacker's malicious data. This could result in unsuspecting users being redirected to another site where credentials or session information might be captured.

Does the hacker know which business or person he’s hacking? No. And he doesn’t care. He’s attacking a system because it’s vulnerable. Once the vulnerability is identified, the hacker will then attempt to profit from the exposure.

How do I defend against this attack?

The obvious defense against the public vulnerability attack is to scan your systems in an attempt to discover vulnerabilities beforehand. Keep up-to-date on security news. Partner with a company that keeps abreast of publicly disclosed vulnerabilities. Regularly maintain and update your systems.

If a vulnerability similar to Heartbleed is released, do everything in your power to close the vulnerability ASAP. Do your best to maintain updates on all other operating systems, browsers, and servers to avoid the possibility of being a victim of a zero-day attack.

The Layabout Hacker

Brute forcing

Somewhat less effective, but still pervasive, are brute force attacks. In these attacks, attackers control an army of computers infected with malware (known as botnets or zombie computers). The attacker is able to control this network of computers, and these do the attacker’s dirty work for them.

The attacker uses botnets to access systems by guessing usernames and passwords in millions of combinations until the right combination is guessed. It’s not very effective. But, as my dad always said, “even a blind squirrel will find a nut every once and a while.”

Hackers use botnets so each hack attempt is nearly impossible to trace back to the actual hacker.

How do I defend against this attack?

The two best ways to avoid this attack is by monitoring your logs and regularly creating new passwords.

If a botnet tries to access your system through a brute force attack, your logs should record these actions. If your logs record 1,000’s of failed login attempts on your system, you’re probably being attacked.

The reason brute force attacks work so well is because millions of user credentials (usernames and passwords) have been dumped online in publicly available lists. Password lists are effective because the majority of people do not change their passwords, and use the same passwords on multiple sites/systems. To avoid this attack, change your personal and business passwords every 90 days, and never reuse passwords.

SEE ALSO: Vendor-Supplied Defaults Are A Serious Threat

Hackers have different motivations and capabilities. But these are their main methods.

Tweet

What do hackers do after they get into a system?

Now the hacker starts prospecting. Remember, before this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now, he looks for evidence that the system is doing commerce, which means credit cards, healthcare information, or other valuable data might be present. To find this data, he starts running keyword searches on the file systems and memory of the system.

For example, if his keyword searches discover that the system he’s hacked is a Micros system, he knows he has gained access to a business that accepts credit cards. (Micros is a point of sale software used by many restaurants and hotels.) He will probably try Micros default passwords to try to get into their server and thus expand the range of the attack.

Install malware

If the hacker is successful in breaching the point of sale system, he can possibly install malware. The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, early on in the data processing stream, and attempt to divert this sensitive information so cybercriminals can reproduce cards or sell the stolen data on the black market.

Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

SEE ALSO: How to Confront Hospital Ransomware

Pivot

By now, the hacker in this scenario has probably filtered through enough company data to realize who he’s hacked.

Perhaps the hacker has managed to attack and gain access to a national business with a chain of stores. If he finds remnant data on the system that includes the IP addresses of other chain locations, that chain will be in some serious trouble as these chain locations may have less security measures in place, and access to these associated networks could provide valuable information to the attacker.

Remnant data left on systems does occur in real world examples. In a forensic investigation my colleague David Ellis conducted, a point-of-sale equipment installer left a partial client list on each and every point-of-sale system he had installed during that year. Some 28 businesses were hacked because of the poor security awareness of that careless installer.

Leave no trace

At this point, it’s time for the hacker to get out of the hacked system. Most hackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and run malware from RAM instead of the hard drive, which often goes undetected by most anti-virus software.

SEE ALSO: Hacking Trends of 2014

Hackers don’t care who you are. They just care how rich you can make them.

Read about 5 commonly overlooked security errors for tips to avoid being attacked.

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.