Two examples of real information warfare hacking
It's important to remember what we mean when we talk about hacking these days. Hacking has many positive connotations and is often used hand-in-hand with the term 'mashup'. Coders using APIs relating to popular web services to provide new incremental layers of user functionality is, of course, hacking -- and this is usually a good thing.
This is as opposed to hacking in the sense of malware creation. There are indeed many hackers whose core aim is destructive code creation and application destruction.
The reason that we use the same term for both is that it is largely the same skill set required to perform both.
Some of the most topical information security topics relating to developers (and users) were discussed this week at a technical discussion day hosted by SecureData at Wembley Stadium.
Some deep tech was discussed here this week. But there were some frightening IT security revelations from ground level too. Two real cyber criminal hacks were disclosed as detailed by Daniel Cuthbert at SensePost below.
<strong>Scenario 1:</strong> Do you want to know how hackers get inside big offices and start to infiltrate company systems? Hang out with the smokers and walk in through the back door.
<strong>Scenario 2:</strong> A group of hackers wanted to target the CEO of a big petrochemical company. The CEO was pretty IT savvy and quite well protected, but his PA had most of the access to sensitive data that was needed so the attack focused on her. A dummy Facebook profile was set up to look like the CEO and a simple message was sent with a link to a site harbouring intrusive and invasive malware. The PA took the bait and the hack was successful.
<img alt="Häcker_Küchen_Logo.svg.png" src="http://www.computerweekly.com/blogs/cwdn/2011/11/04/Ha%CC%88cker_Ku%CC%88chen_Logo.svg.png" width="448" height="108" class="mt-image-none" style="" />
A lot of the "how to" information needed to complete these hacks is freely available on the web. So what does it teach us?
Etienne Greeff is professional services director for SecureData and his core message when it comes to access control, passwords and information security in general is that it is... "Key is to achieve essential and then worry about excellent," as he puts it.
"The case of the PA is interesting. But to clarify, our research shows that 92% of hacks come from outside of the organisation. This whole 'greatest IT security threat comes from inside' is a fallacy. Inside staff may be 'used' by hackers as a means to facilitate an attack, but in general these employees do not themselves perpetrate the attacks themselves," said Greeff.
Greeff also highlighted a new reality of information security saying that the focus is changing from "infrastructure" protection, to "information" protection. Given that devices including smartphones and tablets are in everyone's hands now, the "perimeter" of a company's information security boundary has changed.
Interesting stuff for developers, users and (god forbid) hackers alike perhaps?
SecureData specialises in providing managed services for security and networking technologies. The company's latest news sees it providing financial support packages for customers buying its services.