3. The Fog of Law
If you are hacking for malicious, nefarious, evil reasons, you probably already know you are on the wrong side of the law so can turn out this section; for those out there who are white or grey hat hackers you do need to listen to what I am about to talk about. You have to understand that especially in today’s climate, privacy and information security is a huge issue. On top of such a huge issue, unfortunately, people passing laws do not really understand the way technology works in the real world, and beyond that the bosses, the people that are supposed to tell you what to do really do not understand how computer and technology work. Besides, they do not understand how the law works, so that can turn into horrendous messes, so you have to be really careful as it comes to legally hacking.
The first thing you need to understand, let us underline it and make it bold, is that you have to remember that the person who owns the system is not necessarily the same person who owns the data on the system.
This is a huge, very important note. If you have a server, your client has a server, your boss has a server, just because they own a server does not entail their legal right to all the data on that server.
This is important, things like HIPA Law, the HIPA is Health, Information, Privacy Act, something like that. Basically, that is the Law that requires doctors to keep all of the patients records private; so, if the doctor allows their patients records to get out into the public, that can cause a lot of problems. Also, you can have issues where you have a corporate computer or corporate system of some sort that you give to an employee to take home etc., or to off-site sales person or to field technician, – well the computer is owned by the company, but you have to be very careful about things like email and suchlike stored on that computer.
There is a big case where a SWAT team member, I think it was out in California, not such a long time ago was issued a cell phone by the police department. So he was doing private text messaging on that cell, it was bad stuff, he was like having an affair, doing something that he was not supposed to do. Therefore he got fired from the police department.
That police officer, a SWAT team person, took the Police Department to Court, because he said it was his private information that was sitting on the phone provided to him by the Police Department, so that the Police Department violated his privacy.
That is not a joke, despite I do not understand how it gets to the Court. So he won that lawsuit – now you have to remember that, like I have said, the system might be owned by the company, but the data on the system may not be owned by it.
Please be very careful, so, as in the example above, if you have a boss, and some employee got fired, and your boss comes to you and says “I want you to hack into this (his or her) PC and get some info,” you need to be careful about what info you are getting. If you are getting there to derive info that might be private, that may be a problem for you – I am not a lawyer, not a legal expert, so I will tell you: use your gut instinct on this, so if you believe you are hacking an employee’s personal information, even if that is on corporate system – do not do it, just stay away from that. I would hardly argue if you are dealing with corporate world, organizational world, you should put for your boss, your organization leader to make every employee sign a contract that states:
“Any information that is on, or is transmitted through, the electronic devices the enterprise owns, is for public display”
So basically, like in call centers, as persons are hired they are told they will be monitored from time to time. So, if boss picks up the phone and listens to conversations that employees are having, that is the type of thing that you should have, because, as the hack is understood, you are actually the one perpetrating the hack, therefore you may get sued at the end of the day. Not only that, bosses and employees do not always think about this kind of things, and you as a professional should be thinking about this.
So, we remember the person who owns the computer is not the same person who owns the data.
What about private information, you need to understand that as you handle it there is very good chance for you to break privacy laws again; even if the data is on the corporate laptop, be careful with this.
4. Methods of Attacks
Let us talk about the ways to attack systems, a company.
The first thing you need to realize in attacks is that, as I know from the movie world, all that anybody needs to do to launch an attack against a company or whatever is that they sit down on a single computer and start typing this code really quick, and five minutes later nuclear missiles are set off in Montana or something. Well, that is not how hacking happens in the real world. Hacking is generally a multi-stage process to get to the end result: this is not something you can do sitting down at your PC generally and in half of an hour or in one hour you are going to do it. No, it is going to be multi-days, multi-weeks, possibly multi-months process. You are going to be acquiring information in numerous ways, you are going to be creating vulnerabilities in the systems you are trying to attack in numerous ways etc.
So, as regards the ways you are going to do attacks and set up the attacks for your target: you are going to be looking at physical ways, digital ways, social ways – something called social engineering.
1. Physical attack
So, the first way is to physically attack the system, open up vulnerabilities at that system. This means, if you are going to attack a company, that company is within a building, so you are going to try to get access to that building in order to
(a) either steal information directly from the equipment in the building or
(b) open up the bridge in their electronic defenses so that you can send to the outside world what has been hacked there.
So, when talking of stealing the information (a), this may be literally walking in, picking up a server, a computer, and walking out the door – physically. This may be using Linux Live CD, plugging it into the computer with your little flash drive and copy all the information to the flash drive and leave.
When talking about opening a bridge (b), this means you go in to the company, so you either go in and fake, like you say “Hey, I’m a computer technician, can I look at your systems”, and you go to server room; or you get hired so you are a temporary employee with access to the computers.
So you somehow are in and get access to their computers, and then from there you can try opening up a bridge for an attack. If you are a temporary employee, you may try to get into the router. If the router has default username and password, you may be able to open that up, as well as be able to open up ports so that you can access the system later, or can go in there and read the information to see what ports are forwarded to where, so that you have an idea what system you can attack from the outside world. Otherwise, nowadays there are these new notebooks or nettop computers, these are fully functional computers, only that they are very small in size.
So, if you have one computer set up with all tools that you need, you can literally walk into one of these offices as a temporary employee, find some little hidden corner – there are a lot of hidden corners in the offices, you know where their live jack is, so you go over, plug your little nettop into the live jack, plug into power outlet, so now we have a computer sitting inside their network that connects, accesses all their servers and computers.
If you have a way for that small computer to phone home, you then will be able to access that PC from the outside world.
Besides, you may put a little sticker on your laptop that says: “Security System! Do not Unplug!”, so that it will probably set there forever, because probably no one is going to unplug it, because it is a security device. That is a big thing, if you are going to be plugging into these kind of systems in the target building, then putting stupid little stickers like “Security! Do not unplug!” will basically help you, because secretary or the boss will come over and say: “What is this thing, I will pick it up”, but it says “Security! Do not open!” So – “Ok, we won’t touch that”.
These are the ways you can physically attack the network, so like I said, this is where you go to the physical office space, physical building, you are going to try to get entry however you can. Like I have said, you may go in, you may say you are their computer technician, say “Hi, I was called by Eli, I work for Eli the computer guy who said you were having a problem, I need to get to your server room ASAP!”, and the receptionist goes – “Ok, I will get you there”, so you walk through the door to the server room; you can do whatever you want.
Otherwise you can go in as a temporary employee trying to get access in that way. There are a lot of these buildings having waiting rooms inside. So you can get into such a waiting room, which often has active network ports on the wall, and you can just plug into those an active network port and be able to access the network that way.
The final way you can attack physically is, of course, wardriving. I do not know why it is called “wardriving” – it is when you go around and you try to find open wireless access points. So, wireless access points that have no security on them. This may enable you to walk outside the building and find there a wireless access point with no security on it so you can hack that way.
So these are the ways to physically attack the building.
2. Digital attack
Digital ways to attack the building are the standard ways you think of with hacking. If you try to do destructions, to take a network offline, you may do what is called denial-of-service attacks, or ping of death – I do not know if ping of death still works.
So, basically what you try to do is from outside world you try to flood the target with so much data that it brings all the computers on the inside of the network to a standstill, because they cannot get out to the Internet.
With digital stuff, basically this is your standard hacking, so that in the outside world you try to find open ports, try to hack into email server, try to hack into internal server, to hack into file server, etc.
The way you do this is either through normal vulnerabilities, these problems with Windows OS code, open firewalls etc; you may also use something called backdoors.
These are real problems in the technology world: as a manufacturer creates software, in many cases there are different places, points to access software so that they can do testing. So basically if you are about to test how a piece of software works, you do not want to always log in, click through different screens, you just want to get to the place you want to get to.
In many cases those backdoors are still open as the manufacturer sends software out to the public. If you understand where the backdoors are, you can go through and enter the software on the computer that way.
The final thing in the digital way is things called Easter Eggs. These are not the eggs prevalent, as they used to be. These Easter Eggs are “features” added by computer programmers to pieces of software, which only work if you know how to make them work properly.
You probably remember Easter Eggs from old Nintendo video game consoles – you know, if you press right button 5 times and left button 3 times, and use up-down feature, you may get a million lives so you may be never able to die. So computer programs such as Excel, Windows etc., have Easter Eggs in many cases; if you know they exist and how they work, that can benefit you.
3. Social engineering powered attacks
The final way to attack the system is through something called social engineering. Social engineering is not about computers. It is not about breaking into the building, hacking the system the way explained above.
The task is to acquire data from normal human beings by telling them we are people that we are not. So, basically if you call to the target of your attack and you get onto receptionist, you may say (being on the phone), “Hey, I am a technician called by your company and listen, I need remote access to the server, but got no password, so can you give me that username and password data so that I can remotely access your server?”
And they say “Oh, you are the computer company, so yes, of course, username is Administrator and password is this, and here is all the information.”
So basically social engineer is going in and saying that you are somebody you are not, to try to acquire data from people.
This may happen also like this as people call up and say: “Hi, I am with Verizon, there is a problem with your bill, you are two months late on your bill. We need to fix this – if you can give me the password to your account so that I can get into your account and figure out what is going on.”
And a lot of people think: “Oh my God, my bill is late. My password is ‘foxtrot nine four’.”
And the calling person says: “Thank you. Yes, I see your account, it is two months overdue. Would you like to pay that by credit card?”
“It should not be overdue, I remember to pay this in time”.
“Well, sir, if you do not give me this information now, you will be disconnected in 3 days.”
“Well, Ok, I will give you this credit card information so I can figure out what is going on. My credit card is Visa 9199 6664 44… etc, CSV number whatever is, say 930.”
“Thank you, Sir. Yes, we will make sure your telephone stays on.”
So the person was able to call, impersonate somebody, able to get passcode to your account, and able to get your credit card information, simply by stating they were from Verizon. This is what happens in real world, something called social engineering. That is, social engineering is when people play act to try to get info or data out of you.
So these are the main ways you attack systems:
– physical way – you go inside a building, a premise, you either install a system or physically take something;
– digital way – the normal way you think of hacking, so this is where you are from outside world trying to send viruses, malware, etc.
There is social engineering; you need to be very careful; this includes schemes like phishing scams – this is where you get fake emails, that say like “Your PayPal account has been compromised, click this link here to make sure your security settings are alright.” Ok, you click the link and go to a website that says it is PayPal; you put in your username and password, then it says “Sorry, the system is down for the moment,” but the hacker has grabbed your username and password when you plugged into that little fake website.
Well, it is a matter of later discussion.
These are the ways to attack systems.