What does a hacker do and what is hacking actually? There are no fixed definitions, but Wikipedia defines “hacking” as a measure to manipulate or completely break security mechanisms of a system. With this approach unforeseen ways of manipulating or attacking a system can be found.
Good and bad hackers
The hacker is a person who tries to manipulate software or hardware, usually to his advantage. In the media, hacking is often portrayed in a rather negative light. The person with the black hooded sweatshirt sitting alone in a basement and hacking is a popular image. However, this medial representation is a fallacy, as it is formulated in a value-neutral way.
Similar to a hammer – it can be used to drive a nail into the wall or to scare other people. This is also the case with hacking. Attackers often search for weak points in systems in a targeted manner in order to close these weak points and improve the system as a whole.
There is also no black and white definition of a good/bad hacker. Hackers are usually divided into three groups and placed in one of these categories within a cultural and political context:
- White Hat: A white hat hacker abides by applicable laws. Their knowledge is used to increase the security of computer systems and they report any security vulnerabilities found to manufacturers, operators or owners. White Hat Hacking is also known as Ethical Hacking.
- Grey Hat: Grey Hats do not necessarily abide by laws but often have a “higher purpose” in mind, such as improving society or raising awareness of responsible technology development. Often a classification of whether an action was punishable or not is dependent on one’s own social or political standpoint.
- Black Hat: Are clearly criminals, for example developers of malicious software that encrypts networks or attackers who carry out industrial espionage. In the following we describe different Black Hat attackers.
In the business environment, the credo “I have nothing to hide”, which is gladly lived in private, no longer exists. There are different types of attackers who target the data in your company, mostly the so-called blackhats.
- Collateral Damage: Large-scale hacking campaigns such as Emotet are not targeted attacks. The attackers attack blindly and want to earn as much money as possible with little effort. These attacks can drive especially small businesses to the edge of existence, as they often have no IT security strategy or backups. These attacks are not personal or targeted attacks.
- Industrial Espionage: The probability that attackers will target your company secrets has increased significantly in recent years. Often, tightly organized, professional groups are behind them. Some countries have specifically stated in their election manifestos that industrial espionage is an integral part of their strategy, so this aspect is becoming increasingly relevant for German companies as well.
Hacking has to be learned
Hacking used to be frowned upon and even today it is still often negatively affected by the media. So how do I learn hacking today? Reading IT security blogs and books will unfortunately not be enough to learn professional hacking. Fortunately, there are enough interactive formats available today that hackers of all ages can learn with.
Capture the flag” contests are especially popular among young hackers. They have to find certain “points” within a system as quickly as possible and these give points. The Cyber Security Challenge is a well-known competition and wargames are a common entry point.
Penetrationtests and Hacker
A penetration test is a comprehensive security test that is performed in an orderly manner. The pentesters (usually we work in a team) attack a system and cover up as many security holes as possible. We use the same techniques and programs that a professional attacker would use. The most obvious difference is that pentesters have a defined mission and resources.
Theoretically, an attacker has to try to attack a system for an infinite amount of time, while a pentest often only takes days or weeks. Furthermore, he must not act destructively or manipulatively, and often the main “human” gateway must not be used to attack a company.
One advantage we have as pentesters is the fact that we do not necessarily have to act in secret. A hacker will usually not start with an extensive network scan, because the probability of being discovered is then high. We can use these tools for pentesting without restrictions, because the client gives his consent.
Types of attacks, investigations and analyses
There are different forms of hacking and always several ways to Rome when it comes to manipulating data and systems. We would like to introduce a few selected ways in the following:
- Mobile Hacking: Due to the fact that we carry more and more mobile devices around with us, these systems are increasingly under attack. There are different ways to attack a mobile device, an attacker can, for example, try to get a fake application onto the smartphone or manipulate the operating system.
- Network Hacking: Hacking networks is as old as the networks themselves. Often a network is scanned first to find out which endpoints are reachable, where there are insufficient configurations and where a firewall does not work as it should. The aim is either to assess the security of the network or to specifically access a device, for example by intercepting or guessing passwords. If services are running on end devices for which there are active exploits – i.e. weak points – these can also be exploited.
- IoT Hacking: IoT Hacking is a new discipline that involves compromising devices from the Internet of Things to gain access to critical data or systems. Often IoT devices can be found unmanaged in networks and have standard passwords, making them a good target for attackers.
Goals of a hacker
As a hacker, there are many lucrative targets on the Internet as networking continues to increase and become more ubiquitous. From classic computers to networked fridges to intelligent sex toys, there is everything with an Internet connection. The cloud is a new target through which many documents that should be under lock and key have already found their way to the public, for example through misconfigured Amazon systems. All these systems are potential targets for a hacker.
In order to achieve his goals, the hacker relies on tools that have been developed or he has developed himself. There are countless programs on the Internet that are of interest to a hacker. The offer ranges up to the selection of the appropriate operating system for hackers. A browser is often sufficient for initial investigations. Numerous hacking tools for the Firefox browser are available free of charge and do a good job. From a simple network scan to complex attacks at CPU level, almost everything is available as free software (open source).
These tools are published so that the broad masses can protect themselves and the privilege of attacking systems is not granted to a few who have the necessary know-how and resources. In addition to open source applications, there are also a large number of programs that are reserved for elitist, governmental target groups.
In addition to software programs, there is also special hardware that is built only for hacking. There are, for example, freely available “USB sticks” which are actually a keyboard or merely cause very high material damage. But also manipulated charging cables for smartphones have found their way into the free trade. The manipulated devices contain malicious code which, in the worst case, is executed fully automatically.
How research contributes to IT security
So far, the article reads like a hymn of praise for the attack and for the fact that all our systems are doomed and contribute less to security. It is important for you to know how modern systems can be attacked and what means attackers have at their disposal to defend themselves accordingly. “Who brings knives to a gunfight” is the slogan here, to put it casually. You need to know where your weak points are in order to prepare and defend yourself accordingly. If you can’t do this yourself, you need to hire pentesters that can do just that and give you a meaningful report at the end.
However, there is no one hundred percent certainty. There can’t be one hundred percent security, because IT is developing rapidly and even today, general truths like
“Never patch, otherwise the system will crash”
turn into the exact opposite namely “patch now, don’t wait”. Cybercriminals specifically select the weakest ones so that they have little work to do to enrich themselves. Your goal should not be to swim faster than the shark, but only faster than the other fish. Cybercrime is also a lucrative market today, which makes more turnover than the international drug trade, so it’s about every Euro.
As already mentioned, security cannot be guaranteed one hundred percent. This can be quite frustrating on all sides, whether for providers, customers or hackers. Modern software consists of countless lines of code that can come from a wide variety of teams. Errors are also preprogrammed there. Even a supposedly harmless error can lead to serious errors in a complex software.
A further challenge, especially for the end user, is the fact that the hardware or software does not show how secure or insecure it is and that there are no seals or the like that provide security and trust. This is mainly due to the volatility of modern software. Software is no longer finished, but constantly in development and progress. A secure product tested today may have a completely different code base tomorrow. Even the most sophisticated technology, for example the development of new types of cryptography, is not free of errors and is always open to attack despite years of work by internationally recognized experts and teams.
Hacking does not equal Hacking
There are multiple attack vectors for an attacker to use when trying to penetrate infrastructure. We have already described three examples of attack vectors in the chapter Types of Hacking. In addition, there are of course other attack vectors that we will now describe.
- Malware:Devices can be infected with malware (malicious software). Malware finds its way onto devices in many different ways, for example as an attachment to an e-mail, via a website or via USB stick. Often malware leads to unwanted code on the device, which can lead to keystrokes being written down and sent to third parties or the computer being encrypted. This is then referred to as “ransomware”.
- Phishing: The attacker tries to get his victim to enter his login data on a wrong login page. Phishing is often carried out via e-mail, but can also be carried out via social networks or websites.
- Physikalischer Angriff: The attack on hardware is a simple but effective attack. Especially in small and medium-sized companies the danger of a stolen device is often underestimated. Often there are no reporting processes and follow-up actions for lost devices, which often still contain critical data or applications. Even office rooms can be a gateway if there are no sufficient access restrictions or if visitors are not accompanied and logged.
- Social Engineering: Social engineering exploits human weaknesses. Especially in combination with phishing and the physical attack, this often results in a devastating attack potential. If the hacker knows the preferences of his victims, he can write targeted phishing mails around these interests and can expect clicks on his phishing websites.
Doing nothing does not protect against punishment
The benevolent use of hacking tools is usually tolerated, but does not give you the freedom to be a fool. Outside of test systems or specially released systems, written permission and exemption from this paragraph is required.
As an operator of systems, however, negligent handling of IT security is also punishable. The basic data protection regulation formulates protection requirements “according to the state of the art”. The definition of what exactly “state of the art” is, is disputable but usually includes the encrypted connection to a website and encrypted storage of personal data. In addition, banks and KRITIS operators are subject to different requirements and standards, which are applied in different areas.
If you want to know where you currently stand with your IT security and what the next sensible steps are, then you should test RISKREX. With our technology, we offer you a resource-efficient overview of your exposure to multiple attack vectors such as social engineering, phishing and technical security vulnerabilities.
This post is also available in: Deutsch (German)