
Hacker for Hire

Tips from one of the good guys

When it comes to computer security, your biggest vulnerability may be a bit of a surprise. "I'm sorry, but no-one vets the cleaner," says Peter Wood, First Base Technologies' hacker-for-hire.

Unlike criminal hackers, Wood operates on a strictly ethical basis. He is Chief of Operations at a security consultancy and firms hire him to test their defences. But he uses the same sneaky tricks as the bad guys, including trying to infiltrate an office using bogus cleaners.

It takes a couple of minutes to attach a tiny keystroke logger onto someone's keyboard. These little bugs record every key press the user makes for up to eight months. Not only can this reveal network passwords but it might contain credit card numbers, home addresses, bank account details - anything that the user typed into the computer. It's not just cleaners. "Real criminals have an incredible amount of front. Most organisations have no idea how vulnerable they are to casual walk-ins."

While malicious outsiders are a genuine risk, Wood believes that the biggest threat comes from inside. So his first task is to simulate a disgruntled employee or an unsupervised visitor by plugging his laptop into the company network. An insecure wireless network means he doesn't even need to get inside the building to log on.

"We only need one valid user name and password to access a network," he says. "In the trade we call that 'Game Over'." It's depressingly easy to get them.

Access to almost everything comes down to passwords. Obvious choices like 'password,' 'football,' or the user's own name are so common that Wood can guess a quarter of all passwords in a couple of minutes. Using freely available hacker software, he can crack at least half of them within 24 hours.

Social engineering is another risk: "just ringing people up and asking them for their passwords works quite well, providing you have a semi-plausible story."

A surprising weakness is everyday software. Many automated back-up and anti-virus programs have their own network accounts. Any hacker worth their salt knows the default user names and passwords and, sadly, many customers never change them.

Why does all this matter? "People make assumptions about the security of data on their servers," he believes, "and they don't really think about who might be reading secret information, such as business plans, mergers and acquisitions, payroll information or staff reviews." In reality, anyone with an administrator password can read anything. Putting a file on the server is not the same as locking it up in a filing cabinet. "My bottom line here is that they have to take extra steps to protect this information and the only choice is encryption using something like Pretty Good Privacy (PGP)."

If Peter Wood had a magic wand, it would be user education. His top tips are:

1. "In the words of Fox Mulder, 'trust no-one.' We're talking at a very personal level here. Stealing someone's logon is a portion of identity theft. It won't just impact their employer but their life as well. It could cost them their job."

2. "People need to understand how to choose a password that is both memorable and secure. It's actually quite easy: try the initial letters of the first line of a well-known song ('Lucy in the Sky with Diamonds') or memorable phrase ('I hate my boss because he's a stinker')."
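As an added illustration (not from the article or from First Base Technologies), the following Python puts Wood's two password points into a small check: it derives a password from the initials of a phrase and rejects the obvious choices he describes (common words, the user's own name, and trailing-digit variants of them). COMMON_PASSWORDS is a constructed sample list and the function names are assumptions.

```python
import re

# Constructed sample of the "obvious choices" the article mentions; a real
# deployment would load a large common-password list instead of these five.
COMMON_PASSWORDS = {"password", "football", "letmein", "qwerty", "123456"}


def mnemonic_password(phrase: str) -> str:
    """Wood's tip: take the first letter of each word of a memorable phrase,
    keeping the original capitalisation, e.g.
    'Lucy in the Sky with Diamonds' -> 'LitSwD'."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z0-9']+", phrase))


def is_obvious(password: str, username: str) -> bool:
    """Flag the guessable choices from the article: a common word, the user's
    own name (any case, or embedded in the password), or either one with
    digits tacked on the end ('Football1')."""
    p = password.lower()
    stem = re.sub(r"\d+$", "", p)          # 'football1' -> 'football'
    if stem in COMMON_PASSWORDS:
        return True
    # Split 'Peter Wood' / 'p.wood' / 'peter_wood' into name parts and reject
    # any password containing a part of three or more letters.
    for part in re.split(r"[\s._-]+", username.lower()):
        if len(part) >= 3 and part in p:
            return True
    return False


def check(password: str, username: str) -> str:
    """Return 'reject' for an obvious choice, otherwise 'accept'."""
    return "reject" if is_obvious(password, username) else "accept"


if __name__ == "__main__":
    for user, pw in [("j.smith", "Football1"),
                     ("Peter Wood", "peter.wood"),
                     ("j.smith", mnemonic_password("Lucy in the Sky with Diamonds"))]:
        print(f"{user:12} {pw:12} {check(pw, user)}")
```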

In case you think you're not at risk, Wood has one last word of caution. "What my clients always say is 'well, we're not the Bank of England. Who wants to attack us?' They've only got to piss off one employee (and SMEs are good at that) to have a motivated would-be hacker reading the payroll, sticking porn on the CEO's hard drive, deleting work, stealing secrets. Hackers are not just a weird underground class of misfits, they're you and me."
