IFSEC Insider | Security and Fire News and Resources

Recital of the Script Kiddie

As the European director of a leading security software company, I’m often asked: “What’s the most common type of hacker and attack?” Over time, I’ve gradually discovered that members of the general public hold a somewhat romantic image of hackers. One mental picture involves an emaciated young man in a poverty-stricken corner of the world. Greasy-haired and red-eyed, he types late into the night on an old TRS-80 workstation, trying desperately to access your American Express or Visa account number for nefarious purposes…

Another favoured image is of a cherub-faced pre-teen with extreme computer skills and little or no knowledge of law and order. Thanks to too much hardware and all-too-little parental supervision, the young girl creates a new virus that brings down every business in London and across America’s Eastern seaboard.

In fact, both of these images couldn’t be further from reality.

According to the Federal Bureau of Investigation (FBI), the most common hacker is probably sitting at a desk near you right now! This is someone who arrives at work early in the morning, takes his or her turn to clean out the office fridge, tells side-splittingly funny stories at lunch and, at some point, makes a very dumb move. It often starts when this ‘hacker-next-door’ sees a file directory or workstation that’s simply too juicy to pass by. One named ‘Salary Comparison’, for example. It’s simply too tempting not to peek inside.

Motivated by curiosity and revenge

In other words, curiosity is one scenario motivating the most common hacker. Another is revenge. These situations take place when a web-savvy employee is ticked off. Maybe their Christmas salary increase or yearly bonus didn’t make them too merry. Perhaps their boss just handed them a personal Work Improvement Plan, and a reason to cause mischief. This same ‘hacker-next-door’ spends some time on the network and wonders… What if I could find a way in to the e-mail server files? What if I could open a few financial statements?

A further, common reason for hacking is industrial espionage. What organisation has the time to conduct professional, in-depth background checks on every temporary IT consultant? Often, this part-time help is called upon when matters are desperate, and corners are most easily cut.

The result is that individuals you don’t really know from Adam are afforded access to the most sensitive and impenetrable of your company’s systems (more of which anon).

However, no matter what the reason, the FBI’s research suggests that internal hacker attacks make up 70% of all security breaches.

The next question that needs to be answered is: “How do these attackers gain access to critical systems?” The answer is: “All-too-easily!” Once that ‘hacker-next-door’ decides to break into a target system, their next stop is a search engine. A few key words later, and anyone can discover that the most common – and effective – type of hack into a target system is to become what’s known as a Script Kiddie. Script Kiddies use default lists of privileged passwords, or the super user/administrative codes built into every piece of hardware and software.

Have you ever noticed the Administrator ID next to your name when you log in? That’s a privileged user and password, a backdoor into your system built by the manufacturer. It cannot be disabled. It can’t be destroyed.

Default Administrator passwords

Let’s turn back to our ‘hacker-next-door’ who wants access to the ‘Salary Comparison’ workstation. They don’t know who owns this workstation, but they can conduct a search to find out what the default Administrator passwords are for a Dell Latitude D600.

According to the Cyber-Ark Enterprise Privileged Password Survey carried out late last year, 20% of all workstations have an Administrator ID that’s still set to the default password. If the built-in default doesn’t work, the would-be hacker may try some simple passwords like CompanyName123. You’d be stunned how often these basic password scenarios – also available as mini computer programs on the Internet – are the fastest way into any organisation’s data.

Once the hacker enters a target system with a privileged password, the evil-doer now has more access to data than the system’s legitimate users. I know of one company, for example, where a disgruntled IT professional changed EVERY password on the network. All of the software had to be reloaded. In essence, the company in question was forced to close down for days. Meanwhile, the angry ex-employee denied all knowledge of the incident.

Who could prosecute him? The deed was done under an anonymous identity… that of the Administrator.

Another recent example of a Script Kiddie in action took place at the FBI HQ! In this case, the ‘hacker-next-door’ was a paid consultant. The suspect used “computer programs easily found on the Internet” to go snooping into passwords and files throughout the organisation (including data relating to the Witness Protection Programme). In no time at all, the suspect gained access to the passwords of 38,000 employees (including that of FBI director Robert Mueller).

So there you have it. The most common hacker is actually someone working in your organisation today. A non-professional trouble-maker who, when tempted, can easily find his or her way into your company’s most sensitive data banks.

Who’s looking at you?

This leads me on to another question that I’m commonly asked: “Why do most enterprises leave their privileged passwords, the keys to their kingdom, open and unmanaged?” The reason is simple. Manually changing these codes is extremely time-consuming, and so this type of back door generally remains open. Visit professional hacker sites and you’ll discover their biggest complaint about Script Kiddies is not that they exist… but that once these amateurs do something flagrant and dumb with privileged passwords, these wonderful secret passages into a company’s data become closed to the ‘professionals’.

Of course there are automated means of securely changing privileged passwords, and of tying an individual ID to a shared one. This very software is now being used by many security-savvy enterprises worldwide.
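To make the idea concrete, here is an added sketch (not from the original article or any vendor's product) of a toy in-memory vault: each host gets a unique random Administrator password, every checkout is recorded against a named individual, and the password is rotated on check-in. The class, its method names and the sample host are hypothetical.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

class PrivilegedVault:
    """Toy in-memory vault for shared privileged accounts (hypothetical design)."""

    def __init__(self):
        self._passwords = {}  # (host, account) -> current password
        self._holder = {}     # (host, account) -> individual holding it now
        self.audit_log = []   # append-only: (time, user, action, host, account)

    def _record(self, user, action, key):
        self.audit_log.append((datetime.now(timezone.utc), user, action, *key))

    def rotate(self, host, account, actor="vault"):
        # Unique random value per host: no vendor default, no CompanyName123.
        key = (host, account)
        self._passwords[key] = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._record(actor, "rotate", key)  # a real system also pushes it to the host

    def checkout(self, user, host, account):
        key = (host, account)
        if key not in self._passwords:
            raise KeyError(f"{account}@{host} is not managed")
        if key in self._holder:
            raise PermissionError(f"already checked out by {self._holder[key]}")
        self._holder[key] = user
        self._record(user, "checkout", key)
        return self._passwords[key]

    def checkin(self, user, host, account):
        key = (host, account)
        if self._holder.get(key) != user:
            raise PermissionError(f"{user} does not hold {account}@{host}")
        del self._holder[key]
        self._record(user, "checkin", key)
        self.rotate(host, account)  # the password the user saw is now useless

    def who_held(self, host, account, when):
        # Answers "which person was Administrator at this time?" from the log.
        holder = None
        for ts, user, action, h, a in self.audit_log:
            if (h, a) != (host, account) or ts > when:
                continue
            if action == "checkout":
                holder = user
            elif action == "checkin":
                holder = None
        return holder
```

With a log like this, an action taken as Administrator on a given host at a given time maps back to one named person, which is the attribution missing from the password-change incident described earlier.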

However, until these solutions become standard tools in most corporate enterprises, I’d keep a close eye on those around you. You never know who is privileged to access YOUR information!
