The truth about hacking

We've all seen hackers on TV and in the movies. Often misanthropic loners or members of teenage gangs, they use their elite skills to break into the systems of banks, governments or sinister organisations, using cool, visual tools to crack security systems and passwords. They might face some tough opposition, but they'll tackle every obstacle thrown in their way by, well, typing really fast. At the end of the mission, they'll retire to their secretive lairs in crumbling tenement blocks, munching pizza and drinking energy drinks from behind a bank of monitors, waiting for their next attack.

Needless to say, this isn't representative of who hackers are or what they do. A hacker can be anyone from a teenage kid hacking from a bedroom to a sixty-something coder who's been hacking since the mainframe days. Some hackers are loners or misanthropes, but others may be married or have a family and hold down steady jobs. They're not using slick 3D tools or clicking buttons with skulls on them, either, but working with the tools and environments that look very similar to those used by system administrators and developers every day. So, who are the hackers, and how do they actually work?

First of all, there are many different types of hackers. For one thing, a huge number of people who would call themselves hackers don't actually do anything negative. They like to analyse systems, devices and applications, trying to work out what makes them tick and whether they could be made to work better. They sometimes come up with great ideas. Others simply want to match their wits against a system or network's security and probe for vulnerabilities, often passing on what they find to the company responsible, either for free or for financial reward. Some companies even employ these 'white hat' hackers full-time, and a number have turned their skills into a successful penetration testing business.

The more malicious hackers - the ones most of us think of when we think of hackers - are more correctly known as 'crackers', and even here there's plenty of variety. At the lowest level you have the script kiddies, using accessible tools and ready-made scripts to attack their targets, often just to vandalise a website or steal and disseminate information for fun. Beyond them you have the more skilled hackers, who may spend months or years penetrating a government or corporate network to steal sensitive or valuable data, or put their time into developing exploits, kits and malware that other hackers can use.

Some create or spread malware to attack as many computers or devices as possible, as noisily as possible, to cause an attention-grabbing stink. The more dangerous ones take their time to infiltrate specific targets, looking to steal data over a period of years or to disrupt an organisation's business at the worst possible time. Hackers might be motivated by financial interests, anti-corporate rage or political activism, while some just do it 'for the lulz', for laughs and bragging rights. Overall, though, there's a definite move to hacking as a way to earn cash. As the white hat hacker Billy Rios told CNBC in July 2016, "The means have always been there, but the motivations have changed. There's so much more data that people can take advantage of and monetise."

What tends to bind them together is the way they communicate and organise. Hackers can and do congregate in public, at information security or hacking conventions such as the annual Black Hat conference, but they tend to get together through Internet groups and forums like the infamous 4chan, with the more subversive or criminal element using IRC channels and forums on the Dark Web: the private, anonymous, underground Internet you won't find through a regular Google search.

Here hackers buy and sell tools and services, or associate in loose-knit collectives, ranging from small criminal gangs to anarchist collectives with thousands of members. The most famous of these collectives, like the politically-motivated Anonymous, will have some members who know little more than how to use a simple Distributed Denial of Service (DDoS) tool, and others capable of complex systems analysis and coding tools from scratch. Some collectives will have a defined leadership, while others will have little structure, though in practice the more expert and experienced hackers will define targets and approaches for the less expert and experienced to prioritise.

What, then, do all these hackers do? Well, the most basic hackers use terminal clients and pre-written scripts and tools, and tend to do the most damage when spreading malware or working en masse. The serious hackers, however, tend to work in a more deliberate, highly focused way. They'll have expertise in network, systems and application architecture and design. They'll know Bash scripting for Unix and Linux and PowerShell scripting for Windows machines. They may have skills in major application programming languages like C and Python, not to mention the languages used on the Web, such as Perl, PHP, Ruby and JavaScript. They may also have in-depth knowledge of database management and database architecture, specifically SQL and MySQL.

Their tools (terminal clients, network scanners, development environments) won't look much different from those used by software developers or system administrators, and you can forget about all that frenzied typing: a lot of the tools used are 'fire and forget', bringing back reports on open ports and potential vulnerabilities, sometimes while the hacker pops out for lunch.

It's more how a hacker uses these tools that matters. Sometimes they'll start with a newly discovered vulnerability, scanning the Internet or trying to mass-penetrate corporate networks to find out if anyone's susceptible, and if they're worth attacking. In an increasing number of cases, though, they have a specific target in mind. Here the hacker might spend weeks or months analysing their target and its systems, probing for a weakness: sloppy code, an unpatched server-side application or an open port that might give them a way in.

As part of this process, they may search for, or use software to sniff out, possible user credentials. While they can use brute-force techniques to crack a password, they're more likely to use social engineering techniques, and specifically email phishing, to get what they need to get in. Last year's embarrassing, election-influencing hacks on the Democratic Party machinery in the US involved exactly this kind of thing.

Sending malware through email or spreading it via an app or an infected USB stick can also be an option, enabling the hacker to log keypresses or capture screengrabs, or even audio and video from a webcam. Malware can also compromise core applications or infect devices at the firmware level, turning a PC, a server or a printer into a gateway onto the network. Last year's attack on the Bangladesh Bank and the crucial SWIFT transaction system involved a custom attack toolkit designed to hit the databases and applications used by SWIFT.

Once in, the hacker might just vandalise your systems or steal whatever data they can find, but the ones you really need to worry about are those that create a backdoor into your system that they can exploit over the long term, eavesdropping on communications and sneakily transferring all your files. Compromised applications may be adding fraudulent transactions to real ones, or otherwise transferring money to a hacker-owned account. And these serious hackers aren't dumb; they cover their tracks. These are the hackers who cause the security breaches their targets only find out about when a third party, often a customer, points to some irregularity or concern. By that point, it's already much too late.

Can organisations do anything to foil these hackers? In the past, the best approach focused on perimeter control, restricting access and effectively building walls high enough and moats wide enough to keep the hackers at bay. This approach no longer works, and in an era of cloud computing and agile working practices it might not even be desirable. Instead, we need to focus more on protecting our endpoints, including all devices from printers to smartphones to PCs, and on making our systems as resilient as possible, so that if they are attacked, they detect the attack quickly and shrug it off. It's this thinking that's behind HP's crucial advances in security, from SureStart firmware protection to solutions that secure authentication through tokens, biometric measures and smartphone apps.

The cold, hard truth? If a serious hacker wants into your network and has the required resources, it's very hard to keep them out, but you can control how much damage they can do and how quickly you can recover. And the more you make yourself a tougher target, the more likely it is that they'll go off in search of easier prey.


ITPro
