6. Final Thoughts
So that was the Introduction to Hacking class. As I have said, this is the beginning of this hacking track, just trying to get you into the mindset of hacking.
And again I am coming at this from the malicious hackers’ standpoint. The reason is that if you understand how hackers really think, it is easier to defend against them. In most of the security classes that I have been part of, the problem is that you have these clean-cut namby-pamby college kids who have not done a bad thing in their entire life, who have at no time in their life ever had to run from the cops, ever done anything bad, and they are learning security against hackers…
But the thing is they do not understand how hackers think, the way a criminal thinks, and therefore how can they really ever protect against them? So, what I am trying to give you in this hacking track is the idea how do hackers think, how do you plan attacks, how do you go in, how do you destroy systems just for shit and giggles.
You know, if you look at the companies and say “I do not like that company,” could you get the system or the company out tomorrow, next week, etc.? That is what I want you to think about. That does not mean I actually want you to do that, so, you know, legal warning, whatever, anything you use personally that I teach you on this hacking track is all on you. That is a technical skillset, that is it.
So we have talked about what hacking is and who hackers are. Hacking is simply non-conventional ways of interacting with systems and acquiring data.
That is it. So, if you are getting to data or if you are working with systems in ways that are not in usual manner, that is hacking.
We have discussed black hats, white hats, grey hats.
Black hat hackers are evil hackers. They try to destroy stuff, steal credit card information, etc.
White hat hackers are flying angels with the wings of the hacking world. They only hack for good. They hack so they can find vulnerabilities and patch the vulnerabilities. So these are the little goody two-shoes of the hacking world.
And there is a greater part of hacking where most of us fall in. That is basically depending on who you are talking to they may think you are a sinner or a saint. That’s what makes grey hats out of grey hats. Basically, if some people think you are great, some think you are evil, then you are a grey hat. You are in the middle.
Then talking again about ethical hacking, I argue this is simply a marketing term to make people feel better about themselves. “I am an ethical hacker!” – you know, in my book, hackers are hackers. That is just how it goes. We talked about why you hack, so that is to acquire information, whether it is to recover data off a dead hard drive, be this for stealing credit card information, etc.; it is to acquire information or for impersonation, so you are going to impersonate a person or to impersonate a system.
We have talked about destruction; maybe you are just trying to take out the system, so you are trying to do denial-of-service attacks on websites, maybe you are just trying to delete all the information on somebody’s server – you know, if you are trying to take out a competitor. And then finally – it is fun, a lot of people play Sudoku, some do hacking.
As for the levels of hackers, what you need to think about when you are thinking of hacking or protecting from hackers is the computer science types. These are very, very smart programming types, so basically either they could have created the next version of QuickBooks or they could have created this virus. And they have decided to create this virus, just like a lot of criminals: they either could have been a police officer or a criminal.
That is, these are very smart people; do not look down at those people whatever the reason they have decided to hack systems, create viruses, etc.
Then there is a technician class like me: you use your professional technologies, simply use tools and software that have already been created. So I am not programming new viruses or antiviruses, simply using somebody else’s stuff.
Then finally there are these script kiddies. They are anywhere from thirteen-year-olds to mothers, to fathers. Basically, these people only know what they are trying to do, they do not really understand systems, they do not really understand how the software they use should work, etc.; they just go on terms “I need this to happen,” so you know there might be a kid trying to destroy a teacher’s computer or might be a parent trying to see what their daughter is saying on the instant messaging. Again, they just get this little software, just like they would get Word. We have talked about how to attack.
So, we have talked about physical attacks when you actually enter the building, maybe you steal the server, maybe you get access to the computers so that you may steal data out of the server or you can create vulnerabilities on the system, or leave the system on the network so that the network is now bridged, so, like I say, you leave this one little laptop computer, you plug it into a jack somebody forgot about, and now you have access to the entire network, you can get into the network. You can go to the networks as, let us say, a temporary employee, you can go to one of those temporary job firms, they will send you out to forty-five hundred companies and you get in the door that way.
Or you can go ahead and pretend, you know “I am the exterminator I know this, do lots of things.” So, when you do this make sure you have all the equipment so that people would be sure you are who you are. And just go in, so if you say that you are an exterminator, you say you have an appointment to spray some stuff, and the person would say “Ah, ok,” so as long as you have your spray can, you walk around. If anybody confronts you about it, you say “I have got an appointment here, somebody left a message, so I have an appointment here at 3 o’clock, this is what I was told.” If they confront you further: “Oh, I am sorry, this might be a wrong address.” So this is the way it may happen.
Then you have a digital way of attacking a system. Again, this is what you normally think of as hacking. As you sit in the outside world you actually try to hack into the server from the outside world etc., and then you have social engineering, so social engineering is, again, you actually talk to people and try to get information out of them that way, so you go in and say: “Hey, I am with TNT, can I get your password?” etc. Or you come in and say you are a computer person and ask if you can get remote access to their servers. You will be surprised as in many cases you will get it.
Then you need to think about planning an attack; the first thing is to think about what you are actually trying to accomplish with the attack.
Hacking attacks – you know, everything in computers is about planning, so computers and technologies are all about projects, all about planning whatever you do; so with hacking it is the same way: what are you trying to accomplish? What data are you trying to get? Why is it valued? To whom are you going to sell it, etc.?
You can get any information in the world, but unless you are about to use it or somebody is going to buy it out of you, it is not valuable, so you need to understand what you are trying to do.
Then you have to look if you are doing a mass attack by just going out, this is common hacking, or you are doing targeted or semi-targeted attacks, so that you say that that is your competitor and you want that competitor down; then, once you know what you are trying to get or to do, then you understand how you are targeting your attacks, you sit down and come up with a plan again.
The plan may be for a day or two, and for good hackers this might be a year or two years processing, like I say going in, finding out who are the people that run the company, then getting information on those people; then doing this and that to come up with a whole dossier on the company that you can go and attack.
Finally, we talk about protecting yourself. Again, remember, that is very important both for the security and for the hacking people. As long as you are on the web you are almost always being tracked. The main reason that most people do not get caught is that it is not worth the security person’s time or energy to track you down.
So, the security vulnerabilities attacks are not considered as long as you do not hit their threshold by making your attack so painful that they decide to respond either calling the FBI or the police, and at that point, remember you can be tracked, that is why it is important: if you do hacking, do not use your home Internet connection, or that in the cafe you always go to; go to the cafe at the other side of your town. Like I said, take a map, put your hand over your eyes and throw a dart on the board.
If you are going to hack doing wardriving or using somebody’s Internet connections, do it from a random space so that it would not come back to you. Again, like I have said with login and everything, your system also logs this information. So that is a big problem, like I said, with the hackers: the FBI knocks on the door, they come in and take it out. And that is the point that they do not just sit at your PC. They take your servers, computers, everything.
And after they analyze it for a certain period of time they may or may not give it back to you. So, that is very important that you do not leave any traces of what you are doing on your system. Using Windows 7, normal OS, you create lots of log files, temporary files that could be derived by hacking people. So, if you leave this and police finds this – that is a smoking gun. Even if you delete these log files, there are ways to recreate them, so that is a smoking gun, that is why I advise you something called Live CD, where you do not actually store any data onto the hard drive of your computer, or use disposable, random, somebody else’s computer.
Again, if you hack, to make any payments use prepaid credit cards, prepaid phones, if you have to do any communication, always pay cash – there is no trail past cash.
If you are on the target premises – run and deny everything. If you think things are going bad – just run, most people are not going to follow you. If you are a little bit disguised, you should be fine. Even if you get talked about everything tonight, deny everything, because, unless you actually have a server in your hand, remember: we are dealing with America. God bless the USA, you know, criminals love it.
We are dealing with the American criminal justice system, they have to have something to charge you with. That is worth their time and energy. Simply saying you have been on the premises in a workman uniform – they may not like it, that may be technically against the law, but is that really going to go to the Court?
That is, as long as you have a 5-thousand-dollar server in your hand and try to walk out the door, you are probably going to jail, but if you are just on the premises doing suspicious things – there is nothing really to charge you with, just deny everything. For, as stated above, according to the criminal justice funnel, out of 100% of people caught only 2% actually get punishments levied against them.
So this was the introduction to hacking class, hope you enjoyed it. Now you have an idea what is going on there, you have got a dive into things like hacking DNS, phishing attacks, get-it-all attacks, all that fun stuff, so you really do have a kind of understanding of what is going on.
As you know, this was Eli the Computer Guy here for EverymanIT, this was Introduction to Hacking, and there will be another class released soon.