Everything is Hackable, and Cyber Criminals Can't Be Tracked

Rarely a day goes by without news emerging about a giant company losing large amounts of sensitive data to a massive hacker attack. It might be Google one day, Sony the next, and a country's government agency the day after. Just replace the names, rinse, and repeat.

Reporters from across the country have approached me of late, asking for my views on the acceleration of hacker attacks and the current state of security. When I get through with my rant, they're pretty shaken. They didn't know things were as bad as they are, while I ask myself, "Where have these media types been hiding?"


The fact is, cyber crime isn't going away anytime soon for two key reasons: First, everything is hackable. Second and more significant: Cyber criminals rarely get caught or punished for their acts. As long as committing cyber crimes remains easy and lucrative, and there's no accountability, it's not going away.

Point-and-hack simplicity
Breaking into almost any company is nearly as simple as closing your eyes, pointing your finger, and saying, "Go!" In the nine years I was hired to break into organizations' IT systems (always with the permission of the owner), I gained entry to every company, every hospital, every bank, every financial website, and every three-letter government agency in an hour or less -- with one exception. One company, which I had previously compromised in an hour or less, had followed my previous report's guidance. The second time around, it took me three hours to break (via a blank SQL sa password, no less).

I'm not even that good a hacker. On a scale of one to ten, I'm maybe a five, yet I can break into every company I try. I can't imagine how easy it is for the good hackers.

Once you know what you're doing, hacking into company websites and computers is a cinch. Point your finger at a company. Find out which computers are under its control. Port-scan them to find listening services. Fingerprint the services to determine vendor products and versions. Find the relevant exploits. I love Secunia's Vulnerability Research Advisory database for this sort of thing. It tells me what's patched and unpatched, whether it requires local or remote access, and what type of control I can get after the exploit.

From there, search for an exploit program or exploit code (sometimes compiling is needed); alternately, write your own based on the Secunia records. There are dozens of post-MilW0rm exploit sites that can easily be found, although one of my first stops is always Metasploit.org (why work hard if you can work easy?). Once you know the basics, it's like taking candy from a baby.

Suppose you find a company with no unpatched software or vulnerabilities. No problem: Send fake emails to the end-users with exploit software attached. Socially engineered emails are easy to create and always work. My favorite is to send out messages under the guise of a company's CEO or CFO with "Pending 2011 Layoffs" in the subject line. Employees open those emails and run my exploits in under 10 seconds. Picking on workers is so simple that I refuse to use that tactic.

Another favorite is to research whatever the target company is running for external-facing hardware or appliances -- perimeter firewalls, antispam devices, email gateways, and so on. They may be fully patched when you first look, but write down the version numbers and tell one of the many vulnerability services to alert you when a new patch comes out. The fastest any company patches its stuff is usually measured in days to weeks. Again, it's easy pickings. And remember, I'm not that good.

Low risk, high payoff
I'm bored by stories of how this or that company was successfully hacked and came away with a laundry list of lessons that are entirely wrong. "Company X had weak passwords, unpatched software, clueless employees" -- or fill in any other problem. "The company vows to do thus-and-thus to prevent it from happening again."

Truth is, Company X can't stop it from happening again. After spending all the money it has on fixing the problem, the real, underlying issue remains: Bad guys rarely get caught. Solve that problem and you solve all the others.

There are lots of bad people in this world, people who want to hurt others, take their belongings, and enrich themselves illegally. What stops most of them is the question of how not to get caught. In the real world, if you commit a significant crime, it is likely that you'll be nabbed and face real consequences. Sure, plenty of people get away, but the vast majority of criminals conducting significant crimes are found out -- not so on the Internet.

While we're pointing fingers at problems such as inaccurate antivirus products, permeable firewalls, unpatched products, and gullible employees, we're missing what really enables Internet crime to flourish. Rob a real bank, get away with a few thousand dollars, and you'll likely be arrested and go to jail. Steal tens of millions of dollars off the Internet, and almost always walk away a rich person without any likelihood of discovery.

Fix the Internet, already
The No. 1 reason why the Internet is such a dangerous place is the lack of accountability. Solve that problem and you significantly diminish Internet crime. What blows me away, year after year, is that we can create workable solutions today. We have the protocols. We have the knowledge. We have the ability to integrate every bit of today's wild Internet into tomorrow's significantly safer Internet without missing a beat or charging more money. All we need to do is put a few bright decision makers into a room for a few weeks and tell them not to come out until the new standards are created.

I'm not lying or exaggerating when I say it's truly that easy. Anyone who tells you different is overly complicating the problem and being blinded by decades of battling the odds.

It slays me that we're losing hundreds of millions of dollars to Internet crime every year. My parents' computer is not safe. My kids' computers are not safe. The companies that have my credit card information and medical information are not safe. And we could change it in a day instead of pointing fingers at each other and acting like there's nothing we can do.

I've been writing this exact same column topic for nearly five years, and I write this same message at least two or three times a year. My fear is that in another ten years, I'll still be doing it.

This story, "Everything is hackable -- and cyber criminals can't be tracked," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.
