Month: April 2015

You Need to Learn How to Think Like a Hacker to Secure Your Network

If you watch Scorpion on CBS, you will be familiar with Walter. Walter knows how to think like a hacker. He is one.

In fact, Walter was a malicious hacker as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence as a child, but now he works for the government and his hacking prowess is used for good. There is nothing evil or wrong about the ability to hack; it is only how those skills are used that determines whether they are right or wrong.

You should learn how to think like a hacker!

Walter is good at his new job because he is a hacker. He therefore knows exactly how to think like one. Penetration testers and reformed black hat hackers make good white hat hackers, but a hacking mindset can be developed by anyone. A sysadmin can learn how to think like a hacker!

If you want to determine how secure your network really is, you need to learn how to think like a hacker. You need to look at your network as an outsider would: as a whole, and as an attack surface. Gain an external perspective and see it the way a would-be attacker sees it.

A hacker intending to attack your organization would start with a little research. That person would check the public face of your network, pick up information here and there, build a picture of your network as a whole, and then use that information when attacking your company.

Take a look at your network with a fresh pair of eyes

If you wanted a new job and had secured an interview, you would do a little research on the company before you attended. You would need to find out some basic information, because you would likely be asked about the company in the interview.

You would take a look at the company website, run a few searches through Google, and look at the company’s Twitter and Facebook accounts. You would gather web-based information.

If you really wanted the job you would also gather some information from people. You would email anyone you knew who worked at the company and ask what it is like to work there. You would ask others their opinion of the company.

This is how a hacker would start investigating your company. With that in mind, it is important to:

  • Perform a whois search on your domains and address ranges. What registrant names, contact addresses, and name servers does it expose?
  • Check what is being said about your company on social media sites
  • Check what employees of the company are saying and sharing online
  • Work out what data your company voluntarily gives away. Do you advertise any aspect of your network structure, such as how many state-of-the-art servers you have, or what software you use? It is much easier to find an exploit if you know what software, and which version of it, a company uses!
  • Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
  • Use Google hacking (advanced search operator) queries and see what documents, PDFs, and spreadsheets are publicly available. You may be surprised at what has been indexed!
  • Check out the social media profiles of your company’s employees. Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information needed to guess that individual’s password? Over-sharers are often the targets of phishing campaigns, because so much can be learned about them online!
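The "what does your company voluntarily give away" item is the one you can check in minutes. The following is an added example, not code from the original article: it takes the headers and HTML of a single page fetch and pulls out the product and version strings, generator tags, and comments that tell an outsider what the site is running. The headers and HTML below are constructed samples, not from any real site, and the header names and keyword list are my own assumptions about where such disclosures usually appear.

```python
import re

# Constructed sample of a public-facing HTTP response and page (not a real site).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.9.1">
<!-- Built by the internal tools team; deployed from srv-web-03 -->
</head><body><h1>Example Corp</h1></body></html>"""

# Headers that commonly carry a product name and version string (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# A product name followed by a version number, e.g. "Apache/2.2.15" or "PHP/5.3.3".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/?\s*\d+(?:\.\d+)+")
# Words in HTML comments that tend to describe internal infrastructure (assumed list).
INTERNAL_RE = re.compile(r"\b(?:internal|intranet|staging|dev|srv|host)[\w-]*", re.I)


def header_disclosures(headers):
    """Return (header, value) pairs whose value names both a product and a version."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in DISCLOSING_HEADERS:
        value = lower.get(name, "").strip()
        if value and VERSION_RE.search(value):
            found.append((name, value))
    return found


def html_disclosures(html):
    """Return generator meta tags and comments that leak software or host details."""
    found = []
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.I)
    if m:
        found.append(("meta generator", m.group(1)))
    for comment in re.findall(r"<!--(.*?)-->", html, re.S):
        text = " ".join(comment.split())
        if INTERNAL_RE.search(text):
            found.append(("html comment", text))
    return found


def find_disclosures(headers, html):
    """Everything an outsider learns about the stack from one page fetch."""
    return header_disclosures(headers) + html_disclosures(html)


if __name__ == "__main__":
    for source, value in find_disclosures(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{source}: {value}")
```

Run against the sample it reports the web server and PHP versions, the CMS version, and a comment naming an internal host. A bare product name with no version (for example a Server header of just "Apache") is deliberately not reported, because that is the form the header should take once version disclosure is switched off.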

Hackers love phishing – it’s so easy to be handed access to data!

If you could find an easy way to hack a company, would you choose it? Of course you would! You wouldn’t want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn’t start with “hj&*HUI23YEW(.” You would try “QWERTY,” “password,” “bigguy,” or “123456” first.

Hackers similarly start with the easiest route, and that means taking advantage of some people’s naivety when it comes to IT security. Phishing is one of the easiest ways to obtain login credentials. It is also one of the easier weaknesses to reduce. How would your employees deal with a phishing attack?

That is something best not left to chance!

  • Send out a regular newsletter explaining the common social engineering and phishing techniques used by hackers
  • Show employees how to identify a phishing email
  • Conduct regular phishing email tests. The more practice staff members have at identifying phishing emails, the better they become at spotting a scam, and when a real phishing email arrives they are more likely to identify it before any damage is done.
  • If new IT security policies are introduced, explain them to employees in person. This helps to make sure they are read and understood and that their importance is clear.
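The "show employees how to identify a phishing email" item is easier to teach when the tell-tale signs are written down as checks. The block below is an added example, not code from the original article: it parses a raw email and reports the structural indicators that training usually covers (a display name borrowing the company’s name on a foreign address, a Reply-To pointing at a third domain, link text that shows one host while the href goes to another, and a lookalike host that embeds the real domain). Both sample messages are constructed, not real mail, and the organisation domain "example.com" is an assumed parameter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first is a lure, the second a
# genuine notice from the organisation's own mail system.
SAMPLE_PHISH = """\
From: "Example Corp IT Helpdesk" <alerts@example-mail-security.net>
Reply-To: recover@mailbox-verify.biz
To: staff@example.com
Subject: Urgent: your mailbox will be suspended today
Content-Type: text/html

<html><body>
<p>Your password expires today. Sign in now to keep access:</p>
<a href="http://example.com.login-portal.biz/auth">https://webmail.example.com/login</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Corp IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled webmail maintenance on Saturday
Content-Type: text/html

<html><body>
<p>Webmail will be unavailable for two hours on Saturday morning.</p>
<a href="https://webmail.example.com/login">https://webmail.example.com/login</a>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HREF_HOST_RE = re.compile(r'href="https?://([^/"]+)', re.I)


def domain_of(address):
    """'user@Mail.Example.com' -> 'mail.example.com' ('' if there is no @)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def belongs_to(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def html_body(msg):
    """Concatenate the text/html parts (the samples use no transfer encoding)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")


def phishing_indicators(raw_message, org_domain):
    """Return human-readable reasons the message looks like phishing (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    org_name = org_domain.split(".")[0]
    # 1. Display name borrows the organisation's name, but the address does not.
    if org_name in display.lower() and not belongs_to(sender_domain, org_domain):
        reasons.append(f"display name '{display}' impersonates {org_domain} but sender is {sender_domain}")

    # 2. Replies are silently redirected to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {sender_domain}")

    body = html_body(msg)
    # 3. The visible link text names one host while the href goes somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        text = text.strip()
        if re.match(r"https?://", text, re.I):
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and real and shown.lower() != real.lower():
                reasons.append(f"link text shows {shown} but points to {real}")

    # 4. A link host embeds the organisation's domain without being part of it.
    for host in HREF_HOST_RE.findall(body):
        host = host.lower()
        if org_domain in host and not belongs_to(host, org_domain):
            reasons.append(f"lookalike host {host} embeds {org_domain}")
    return reasons


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_PHISH, "example.com"):
        print("-", reason)
```

The lure trips all four checks and the genuine notice trips none. None of the checks depends on spelling mistakes or urgency wording, which is the point worth making in training: the reliable signs are where the message really comes from and where its links really go.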

What happens when an attack does occur and a system is compromised?

You will no doubt spend a great deal of time putting defenses in place to repel an attack, but what happens if an attack succeeds? Have you put defenses in place that limit the damage, or will an attacker be able to move from one device to another once the security perimeter is breached?

Switch and router manufacturers publish hardening guides and lockdown configuration templates. Unneeded interfaces and services can be disabled, and management access can be restricted to specific public and private addresses. Have you done this? A hacker who gets inside would check!
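Checking this is a matter of reading the running configuration the way an intruder would. The following is an added example, not code from the original article or from any vendor: it audits an IOS-style running-config for the items the paragraph names (listening services that are not needed, interfaces left enabled with no address, and vty lines that accept telnet or have no access-class). Both configs are constructed samples, not from any real device; the list of risky global commands is my own assumption, and the audit looks only at the text as given, so it does not model which services a platform enables by default when they are absent from the config.

```python
import re

# Constructed IOS-style running-configs (not from any real device). The first is
# deliberately weak; the second is the same device after lockdown.
WEAK_CONFIG = """\
hostname core-sw1
service tcp-small-servers
service finger
ip http server
cdp run
!
interface GigabitEthernet0/1
 description uplink to core-rtr1
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
!
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname core-sw1
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
ip http secure-server
no cdp run
!
interface GigabitEthernet0/1
 description uplink to core-rtr1
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

# Global commands that expose an extra listener or leak topology (assumed list);
# each should be absent, or present only in its "no ..." form, after lockdown.
RISKY_GLOBALS = {
    "service tcp-small-servers": "TCP echo/chargen/discard listeners enabled",
    "service udp-small-servers": "UDP echo/chargen/discard listeners enabled",
    "service finger": "finger service enabled",
    "ip http server": "plaintext HTTP management enabled",
    "cdp run": "CDP advertises device details to neighbours",
    "ip source-route": "source-routed packets accepted",
}


def parse_sections(config):
    """Split a config into (command, [indented sub-commands]) pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and sections:  # continuation of the current section
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_config(config):
    """Return the findings an intruder would look for once inside the perimeter."""
    findings = []
    for command, body in parse_sections(config):
        if command in RISKY_GLOBALS:
            findings.append(f"{command}: {RISKY_GLOBALS[command]}")
        elif command.startswith("interface "):
            has_address = any(l.startswith("ip address") for l in body)
            if not has_address and "shutdown" not in body:
                findings.append(f"{command}: unused interface left enabled")
        elif command.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input")), "")
            if not transport or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{command}: telnet (cleartext) management allowed")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{command}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} findings")
        for finding in results:
            print("  -", finding)
```

The weak config produces seven findings (four unneeded services, one enabled but unused port, and two problems on the vty lines); the hardened config produces none. Feeding it a real device’s running-config is a quick way to answer the "have you done this?" question before someone else does.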

Learn how to think like a hacker and you will be able to make your network more secure

There is a very good reason why organizations spend big bucks on white hat hackers, getting them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker, you will be helping your organization enormously.

Start thinking like a hacker and view every node and every end user as a potential entry point into your network; it will make it easier to design network defenses and keep your equipment and data well secured.

Beebone Botnet Shut Down by Europol

The infamous and particularly dangerous Beebone botnet has finally been taken out of action following a joint operation between Europol and the FBI. The Beebone botnet was believed to be controlling well over 100,000 computers late last year, and while many of those infections have since been cleaned, around 12,000 computers are still believed to be infected with the malware.

Beebone botnet used to infect computers with malware

The botnet may have been relatively small, involving only around 12,000 computers, but it was particularly nasty. It was used to download other malware onto the computers, including password stealers, rootkits, fake security software and a host of other malicious programs. Any computer that fell victim to Beebone is therefore likely to be infected with a range of other malware as well.

The Beebone botnet proved difficult to locate

Europol’s Joint Cybercrime Action Taskforce struggled to locate the servers used by the Beebone botnet. Part of the reason was that the software was particularly effective at avoiding detection. The polymorphic downloader reconfigured itself frequently, making it incredibly difficult to track down. Traditional signature-based detection was ineffective because the software could change its signature up to 19 times a day.

Beebone could also tell when it was under attack. When it detected that it was being isolated or studied, it changed its unique identifier. The Beebone botnet was one of the most sophisticated ever seen.

Operation Beebone sinkholes almost 100 domains

The key to shutting down the botnet was to interfere with its ability to communicate with its command and control servers, so that the operators’ instructions could no longer reach the infected machines. To achieve this, the Joint Cybercrime Action Taskforce and the FBI enlisted the help of Intel Security, Shadowserver, and Kaspersky Lab, and the joint operation was finally successful.

Once the malware had been isolated, the Joint Cybercrime Action Taskforce was able to identify and sinkhole around 100 domains used to communicate with the malware.

Unfortunately, while the botnet is believed to have been effectively shut down, sinkholing its domains is only a short-term fix. Every infected computer must now be cleaned. That means some 12,000 or so machines must have the infection removed, and that process is not straightforward.

The malware removal process can now start in earnest

Removing the malware itself is straightforward; tools have been developed to do it. For an infection to be cleaned, however, the owner of the infected computer has to run one of those tools, and for that to happen the owner must be aware that their computer is infected. Most are not. That means Internet Service Providers will need to notify the individuals known to be infected. That process may take some time, but it can now start.

It is essential that all affected users clean the infection. Malware already installed on their computers could be reactivated if it is not removed.