Every morning, Aidan O’ Carroll goes to work just like millions of others all over the world on their daily commutes. Wearing a custom made Italian three-piece suit, and a trademark cheeky (almost superior) smile, one could be forgiven for thinking he was the kind of slick talking, fast growing executive that he had lofty ambitions of being, almost a lifetime ago.
The skinny cry-baby that has somehow found himself immersed in this hacking world he has a love/hate relationship with for over 10 years. This is his version of the immortal, Harvey Specter. Arrogant and willing to do whatever it takes to win.
He glides through security and into the building, sits down and logs on at a computer terminal almost Anonymously, as if it is his, because his hubris leads him to believe that all computers are his if he decides so. But often, it's not his office building, or his desk or even his computer. In fact, he shouldn't really be there at all.
You see, in between running one of the most progressive web development companies in the world (as CEO 😉), Aidan is a professional white hat hacker, paid to test security systems all over the world for multinational corporations, and honey... you should see how he makes a keyboard sing. Now seen as a virtuous asset by the companies he helps to protect in his corporate world, this was not always the case..
This is a synopsis of the world that I now live in and I am going to show you that privacy is a luxury of days gone by. If you are reading this, you are more than likely doing so on your smartphone and you should know, there is always someone listening, and, in some cases, watching so if you aren’t aware of this, you should be. In an ever-growing world of technology, literally anything is possible. Technology is used day-to-day, by all industries. But what happens when it fails? People like to think it’s a glitch, that it is no big deal and that their tech will be back to normal again in a little bit. But what if there is something or someone more sinister behind it?
What hackers do is understand technology and experiment with it in ways many people never imagined. They also have a strong desire to share this information with others and to explain it to people which is why we are all so pleased with ourselves all the time. You can be taught to a degree but in the vast majority of cases hacking is a talent. You won't learn it at school. It's like being Mozart or Messi. You just realised one day you could play, you can’t explain it to people any other way.
To me, it is an art, but it is also important to recognise the dangers involved. My goal here is not to make people paranoid but to impress upon people just how easy it is for people with the appropriate skillset to ruin your business and your life, if they are so motivated. It is this motivation that I find the most interesting aspect and it falls into three categories when it comes to hacking.
1. Purely financial: Doing some shady shit because you need/want the money, so you take out a contract on the Dark Web. i.e. Husband cheats on wife. Wife pays you to steal every cent he has for her while also placing some "undesirable" content on his devices and informing the right authorities. Husband loses his job, divorce proceedings, starts drinking heavily, etc and you can pretty much guess where this is spiralling. This financial motivation can also be applied to "white hat" hacking. This is perfectly legal and usually involves testing security for a company. I will be going through an example of this below.
2. Robin Hood: The clue is in the name here. The world is a horrible place and every now and again it is good to do something which evens out the scales. It is the hacker equivalent of charity work. i.e. WhatsApp messages that were erased and not readily available are made known to open courts for judicial purposes. This kind of stuff.
3. Why not: Security firms love to slap the term "unbreakable" on their systems. I have no idea what the marketing idea is behind this, but it is the equivalent of waving a red flag at a bull. If it runs on electricity, we will get in. We don’t even need a reason. We do it just because you said we couldn’t. Idiots. Other times, it will be to test governments/banks etc, just for the craic.
I am going to walk you through a typical White Hat case for me, this is where a company hires me to purposefully infiltrate them and point out the weaknesses. Before we begin, let’s create an imaginary target for us to exploit. Let’s call this person John.
John is an executive at a Fortune 500 company and is concerned about their cybersecurity, as well as his own privacy. His company appears to have reasonable defences: a decent firewall, password policies, user access restrictions and a few other things we normally see any company run as a typical defence.
So, John hires me to test his defences. Little does he know that our testing will eventually shake him to the core. For the purposes of this article, we’re going to focus on John’s company and just how simple it would be to ruin his life. This will take approximately 1 week.
The day of the hack starts in the coffee shop whilst waiting for a drink. But it’s not my drink I’m waiting for. Following some reconnaissance work on the company over a few days, I know every morning ‘Lucy’ (a receptionist) comes into this exact coffee place with her laptop to carpe diem her day thanks to some motivational quote she saw on Instagram, I wonder how I knew that?
A spiced skinny latte to start her day. Lucy goes to sit down and places her laptop on the table with her overpriced coffee. Now Lucy is a very motivated young woman who is keen to progress in a large company so that is why she comes to the local coffee place to get a jump on the day. I introduce myself as an overseas designer who has business with her company having glanced her ID badge. I am also new to the area and need showing around.
Lucy sees my expensive suit, blue eyes and warm smile so she offers a seat upon a hello from me. She can easily Google me to find my corroborating articles online when I excuse myself to pay for her drink and I purposefully take my time doing so. What she does not see is someone who has done his research. I know what she is interested in by infiltrating her social media accounts and can steer the conversation as needed.
As a single woman she has no reason to question her young would be suitor who is laying on the charm as according to her social media, she has recently come out of a relationship that was going nowhere. Now, her Prince Charming has arrived. This is often the easiest route into a system. Pretty receptionists are my bread & butter, sorry Lucy.
Her laptop instantly starts giving away signs that it is not predominantly secure. For example, her company name, ‘7th Heaven’, flashes up on the screen upon loading. Following some quick research by linking my phone anonymously to her devices, I learn they are running laptops with old operating systems and un-restricted Administrator accounts.
A senseless move if you ask me but not uncommon. With this material, I can easily run a PSExec exploit on that laptop and gather all the information that she has. The fact she has the Windows admin rights, allows me to install and run any software that I desire.
If only Lucy had a Host Intrusion Prevention System on her laptop that would detect access coming in from different networks, but she does not, and more is the pity for her. Now, I have the access code to the company door, and I have her managers full credentials.
This allows me full reign of the company as I can print whatever ID’s etc I need. I could simply walk in, in the dead of the night and go through everything but that is too obvious & frankly too clandestine for my tastes. I decide to setup a meeting with one of their accountants just to get some simple information from the company. It’s not actually this information that I want. I want to walk through the company offices to see the lay of the land and to find out where the key information is stored.
Luckily for me, the besotted receptionist went to get me a coffee as she daydreams about hitching her star to my wagon. This conveniently allows me to install my malware onto the printer that is unguarded in the middle of the room while I explain I have the same model at my company to the unsuspecting accountant.
Now the printer may not be an obvious target for most people, but it is the most commonly used workplace device by EVERYONE in the office. It would just take one employee to print their expenses report and I would have full knowledge and control. Now, if they had a logging and prevention system like a SIEM, that would alert the administrator that a device was being accessed remotely. The printer could be removed instantly, and an investigation started. Unfortunately, for "7th Heaven", this wasn’t the case.
This place is behind with their security making everything almost too easy. Whilst showing me different areas of the office, I am clocking where the important information will be kept. Strangely, they keep this on a NAS drive placed next to a router. That shouldn’t be hard to hack and has been mentally noted.
Once I’m sitting down in a meeting room with the accountant, he receives a pressing call from Michael, followed by a message "important call back ASAP". What could that mean? I don’t know. But what I do know is that finding the phone address for all the people in this office was easily completed with a little dox I did earlier in the coffee shop. Being the excellent employee that the accountant is, he went out to return the important fake call, supposedly from Michael. Whilst doing this, he left his laptop unattended.
Lucky for me whilst the accountant & Michael were discussing the confusion caused by the call, I was able to use my USB with a Mimikatz script to extract all authorisations and saved web passwords that this nice guy has. I now have access to that NAS drive followed by any other systems that he might have access too. This wouldn’t happen if the USB devices that the company use were secured and anything new would result in a temporary power loss to that port. Then again, if that was the case people like me would not be needed.
Using the malware installed in the printer, the usernames, the passwords and data of who has access to what, I can create a modest SSH underpass remotely to the printer. Through a proxy chained TOR network and simply logging into the NAS drive with the authorisations I got from the accountant I can now help myself to all the corporate and customer data. I can anonymously download it all. Cover my tracks and encrypt the data with my own key. The company data has now disappeared leaving all their work gone forever. Not only this, I can access any employee’s personal data whenever I wish.
The lack of security on the company printer, means the hack has been made all too easy. The company will now face millions in damages and I have a meeting with John the next day. A lot has happened since I bought Lucy that spiced skinny latte hasn’t it?
I now own literally everything in John’s technological life. His home computers, his office computers and the entire company network. It will be a rather memorable meeting with him as I detail how I was able to exploit the trust he and his staff have in their technology and friends. I can tell him his personal passwords directly & give him copies of pictures or documents that are personal to him. I can log into his own corporate firewalls in front of him and stop access to anyone in the company or even change their passwords and lock them out on the spot.
Now, imagine if I was malevolent. Imagine if I wasn’t there to simply test defences and show my client their weaknesses. This happens to people all the time and some right now are even under attack as I type this. Hackers don’t have rules. They don’t have boundaries. There are no limits when it comes to families or relatives. They will exploit the weakness for their own gain. If they are hired to attack you, they will do everything and anything for money including inserting illegal documents into your computer and then alerting law enforcement.
We know that major leaders, celebrities and corporate giants are often under siege but so are average people. It’s much easier to exploit a thousand gullible people for smaller payoffs than it is to take down larger more public targets for a single pay-out.
Nothing is fool proof and the problem with defending against an attack like this is that many technological defences can be side-stepped because the hacker has gained you or a colleague’s trust. This situation is the equal of opening your door to a thief because you believed their story. Once that person is in, shielding yourself becomes harder. If you thought that this was all a fairy tale story and will never happen to you, don’t be so sure, it can happen to anyone. Just ask Lucy, who is unaware that she could have unwittingly cost her company millions.
Mark Zuckerberg is one of the most influential people to ever walk this earth and has gotten in quite a lot of trouble lately regarding stealing & selling peoples data. Do not think that your privacy is not easily stolen, it can be, and you should be vigilant regarding it and your cybersecurity.
It's 2018 and monsters no longer hide under your bed, they hide in your phone and if you aren't scared, you should be.
*Disclaimer. This article is hearsay and any resemblance to any cases in real life is purely coincidental. I was forced to add this by my solicitors. 😉