Interview With A Hacker
We’ve all heard stories of people being hacked, spoofed, or spammed, and consequently learning a hard and painful lesson. Many people have adopted a don’t-care attitude under the assumption that it will never happen to them - to their neighbor/friend, sure - but never them. Until it’s too late.
We’ve heard of those stories before, many times over.
But now I managed to get hold of a sometimes-hacker who is willing to share his thoughts on everything. Hear it from the horse’s mouth. Take a look at his point of view. We are so busy protecting ourselves, we never stop and consider how hackers think and operate. Thank you to my generous interviewee - it was a blast sitting down with you and talking. :)
How do you feel about the stigma associated with hackers?
I think it’s not right. Not all hackers have malicious intentions. Some just hack for fun. Some hack to find loopholes… vulnerability checks. I mean, they’re not actually bad people. But in fact hacking is wrong. You’re actually breaching into people’s privacy so it’s a very fine line between what’s right and what’s wrong. Like people say, with more knowledge comes greater responsibility. When you have a lot of knowledge, it’s easy to become corrupted.
Knowing how to hack doesn’t make you a bad person… using the knowledge you have can be advantageous to prevent yourself from being hacked. Consider this phrase: to catch a crook, you have to think like one.
Then there’s another group called ethical hackers. They are your typical network administrators who have undergone EC-Council’s Ethical Hacker program. They deliberately find loopholes within their own networks to strengthen their security. It’s better you breach it yourself, than someone else.
Why do hackers hack?
There are those that hack for fun. And those with malicious intentions. Those are crackers. There are also those who do it for the challenge, to show off. How do they do it? Basically, to hack, you have several basic steps. One, you determine your target. After that, you’ve got to do reconnaissance - gather info about your target. Only with enough information, then you can proceed with your attack. Once attack is done, you want to create a backdoor, so you can return at any time.
The most important part of the hacking process is reconnaissance. There are many different ways - dumpster diving, social engineering, employing software to probe and discover weak points.
OK, tell me about yourself. You claim to be a hacker, so what have you done to earn that title?
Well, I have not hacked into the Pentagon, if that’s what you’re looking for. :) Just mild stuff, really. Well, I’d breached into routers and managed to retrieve passwords (TMNet passwords) and logged into other people’s content management backends, for example, Joomla, WordPress and also customized content management. I’ve also done war driving.
War driving? What’s that?
I drive around town with a WIFI enabled laptop scanning for open, unsecured WIFI networks. Trust me, I even came across a bank with an open WIFI network. Well, that is one bank I will never do business with! :D
What kind of damage can you do if you can hack into content management software?
Basically, I can change the content. For example if it’s a blog, I can… well, write my own posts, write controversial things, I can plant trojans on the system. The most common thing people will do is website defacement. I can also obtain customer’s information, if it’s a commerce store; their names, addresses, credit card numbers - basically it’s a full control of the site.
Is hacking easy? Can anybody do it?
Yes, it’s easy. There are lots of tools out there, all you need is a little bit of knowledge. Those tools are not uncommon tools or hard to get tools. They are in fact legit tools. For example, you forgot your own Windows password. You can use password recovery software to recover your own password. Likewise, a hacker can easily take that software and use it for their own purposes, to recover the password from the victim’s computer.
And it’s also easy because a lot of people out there never change their default passwords. These can be obtained by googling the type of content management they use, or take their best guess at common passwords like, username admin, password admin. Or your typical admin123456. Same goes for routers - google the maker and model and you got it.
What do you think about online security in Malaysia? In general. Are they lax? Tight? Or downright abysmal?
I would say lax. For now. Previously it was abysmal.
As previously mentioned, a lot of WIFI hotspots out there were unprotected and open. As compared to now, most of them apply at least a minimum level of security, which will deter hackers - hackers look for easy targets, easy prey. They won’t be bothered unless you are Pentagon or CIA. *LOL* But of course, there are exceptions to the rule.
Another thing is… anti-virus software is more easily available now and some of it is even free. A lot of people are educated about the importance now. But that’s not enough. The user must also know about keeping anti-virus up-to-date. I’ve encountered many times before users who said they have anti-virus, but they never update it! Surprise! Their systems were full of viruses! An anti-virus software that is not updated equals no anti-virus. Simple as that.
What kind of advice can you give for general Internet security?
At the most basic level - install good anti-virus and firewall. There is a lot of free anti-virus software out there. And make sure your anti-virus, firewall and operating system are updated. New viruses come out every day, so it’s better to be safe than sorry.
Avoid obvious passwords as mentioned before. Use complex passwords. A good strong password consists of alphanumerics, special characters and capital and small letters. And of course, don’t write it down and stick it somewhere! OK… about those passwords… an example of a strong but easy to remember password that you can try is Il2enl$5 which means ‘I like to eat nasi lemak $5’ - but don’t copy this! Create your own. :)
Let’s talk about file sharing.
OK, via what?
Anything. Kazaa. Emule. http. torrent. ANYTHING. Are they safe?
Somewhat safe. If you know what you’re dealing with, yes it is safe. I mean, it’s more like a ‘download at your own risk’ and ‘share at your own risk’ thing. I’ve no doubt there are viruses and trojans there, just be careful about what you share and take.
How can I do that? How do I become careful?
Avoid those executable files, and make sure it’s from a reputable or clean source where people have downloaded from it before, and they certify it as free from viruses. Don’t forget to scan all the files that you’ve taken from people, and one more thing, limit your share. Don’t share your entire hard drive to the world and some of your ‘interesting’ things. You can limit to one folder, and everything in that folder is shareable. Those are the few pointers that I can give.
(we veered off topic into email security - since people can send files via emails)
As for email security, do not open or download file attachments from unknown people. Everybody receives spam nowadays. Even if it’s from your friend that you know, be wary. Especially .exe files. All online emails have anti-virus ready to scan your files before you download them. Another thing to be wary about is spoofing. Those are emails that do not originate from legit sources and their one and only aim is to obtain your personal information. For example, they can pretend to be PayPal. Maybank. Anything.
How do I know if it’s a spoof?
Check the sender. In Yahoo! Mail or Gmail, there’s a button that says “details” - click that to obtain the sender’s email. If it’s from PayPal, it should end with @paypal.com. Another way is that when you read the content, use common sense… if you feel any doubt, contact the local branch. When it’s a spoof email, the main thing they’ll ask for is your password, your PIN, your personal identification, things like that. As a general rule, NEVER SHARE PERSONAL INFO OVER EMAIL. Oh, and also don’t click on links inside the emails either. They can easily set up a fake website, and farm account numbers and passwords.
OK, let’s move on. How safe are cybercafes? What are the do’s and don’t’s?
Ah… cybercafes. *proceeds to chuckle* They’re not safe. Very not. :) But then, I’m in paranoid mode. It’s a public place - anybody can go to a computer and install some kind of hardware or software. For example, a keylogger - to record whatever you type on that system. Your password to your Maybank account. Your private email to your Aunt Dorothy. Even that site you go to that nobody else knows. :D They can also dive into browser cache. Cache is a temporary storage of all the sites you visit. It can also contain open sessions - sites you have not logged out from. So, very very dangerous there.
Here are the do’s:
Do clear your cache after you’re done.
Check to see if they have anti-virus and firewall.
Check the USB ports on your computer if it’s visible. Look for any unfamiliar devices.
Make sure you’re logged out of all your sessions - including MSN messenger, emails… etc etc.
Don’ts:
Don’t leave the station unattended.
Don’t download any personal files. Because it’s recoverable, even after deletion.
Try not to log into financial accounts. If you MUST log in, type your username halfway, then your password halfway, then complete them. What this does, is to break your username and password so that it is harder for those crooks to log into your account.
Here’s a tip. For those of you who would like to try this: you can download some portable applications - portable browsers, portable instant messengers which can be loaded onto a USB drive and execute easily in a cybercafe with no traces left behind. Try portableapps.com.
What are the most common and stupidest things people do, out of blind faith or carelessness that you’ve encountered?
One friend of mine didn’t log out of his MSN on my office computer. I ran a software and managed to recover his password and now I have access to all his ‘interesting’ emails and Friendster account!
Another one is the people who NEVER change their default username and password. You have no idea how common it is. I tried going to one website one day, and it’s running Joomla. I just logged in using the default admin username and password and voilà! I was in. And I created a backdoor for myself. :) And… the last time I checked, the backdoor is still there.
And let’s not forget Edison Chen. *smiles all around* Poor bloke just sent his computer in for repair without deleting his… *ahem* files, and next thing he knows, they were all over the Internet. So the lesson here is… there is lots of porn out there, don’t create your own! Haha… just kidding.
Do you think a campaign like EC-Council’s Complimentary Workshop can help people better protect themselves?
Most definitely. It’s basic but basic knowledge is better than no knowledge. With campaigns like these, people will become more aware of such threats. Then, when they’re ready, they can further improve themselves by doing their own research, or even take Ethical Hacking classes, also provided by EC-Council.
Credit to Ann (http://ann.twoflavours.com/?p=574)