"I Had Six Backdoors Into Their Network In Less Than An Hour."
Hired hackers share real-world stories of breaking into computer systems (legally) through phishing scams and other high-tech mischief
It was a moment that would likely make any bank robber’s or computer hacker’s head spin: Joshua Crumbaugh talked his way behind the teller windows of a small bank in Maryland by posing as an IT technician working on the bank’s email system. As he installed malware designed to give him even more illegal access to the bank’s systems, he noticed the door to the vault was open. When no one was looking, he walked in. Piles of cash filled shelves, all within easy reach.
He turned around, held out his phone, and took a selfie. Later, he sent the picture to the bank’s CEO.
Fortunately, no crime had been committed. The CEO had hired Crumbaugh, a penetration tester (also known as a “pen tester”), to test the bank’s security. In his 10 years as a pen tester and CEO of PeopleSec, Crumbaugh has hacked everything from an NBA stadium to an oil rig. For the bank test, he identified the bank’s Internet Service Provider, called the bank pretending to be from the ISP’s customer service department, and set up a service appointment. “They were overly trusting,” says Crumbaugh, noting the bank’s own IT guy had also given him remote access to its systems without checking his credentials.
According to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report from the Ponemon Institute, a research center for global privacy, data and IT security issues, more than half of the 598 businesses surveyed had experienced a cyber attack in the prior year. A full half of respondents experienced data breaches involving customer and employee information. The companies surveyed spent an average of £900,000 cleaning up the mess, and many spent an additional £1 million to pay for disrupted workflow as a consequence of the security issues.
Crumbaugh and other pen testers offer their most helpful tips based on actual client experiences. In a nutshell: “Don’t be the low hanging fruit,” says Crumbaugh. “The harder you make it for hackers, the more likely they’ll move on to somebody else.”
Phishing: (noun)The attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Beware of thumb drives
Who doesn’t love thumb drives? They’re cute, convenient and come in all shapes and colors. And if you find one lying around the office, all you have to do to find out who it belongs to is … plug it in.
Which is exactly why hackers love them, too. Crumbaugh once hacked a major New York City hospital simply by dropping four thumb drives near the administrative offices. Each drive contained a .pdf file with a name no employee could resist: “2016 Layoffs Schedule.” Fretful administrators clicked on the file, unaware they were launching a malware program designed to infiltrate their system.
“By the time I got back to my computer, I had six backdoors into the network,” says Crumbaugh.
Even the most innocuous devices can contain malware to initiate what hackers call a HID (Human Interface Device) attack. Christopher O’Rourke, a former cyber counterintelligence expert with the Department of Defense and current founder/CEO of a security consulting firm in South Carolina, once found malware in digital picture frames that were sent as gifts to a friend’s office.
The “rule” of thumb drives: Do not plug in any unknown devices. O’Rourke also advises disabling auto-run on your computers, which prevents malware from launching automatically.
500 YearsThat's how long it could take to crack a simple 14-character password.
Pick up the phone and speak to a human
O’Rourke recalls a small defense contractor who hired him to figure out why a company had over-billed several clients to the tune of £10 million. “Somebody had stolen access to one of the contractor’s accounts, gained administrative rights, created a new person within their company with an email address, and was sending out additional bills to their legitimate clients,” says O’Rourke, who notes millions in losses could have been avoided if somebody had simply picked up the phone to confirm the transactions. (“Trust but verify,” is the phrase Crumbaugh uses to caution his own clients).
Nearly half of the cyberattacks in the Ponemon Institute study involved “phishing.” The attacker poses as a legitimate entity, often using email, to gain access to a company’s network. A typical attack: asking users to click a link that takes them to a URL resembling a real client (“l”s and “1”s may be switched out, for example). Once the user attempts to login, password information can be obtained or malware designed to collect more information can be downloaded.
Another easy way to deter phishing: enable the “auditing and logging” feature on some of the most popular email systems. “This triggers alerts and notifications when security events (like new users on your account) are happening,” says O’Rourke.
Activate your email’s “Sender Policy Framework”
The most advanced phishing attacks fall into a category all their own, called “spear phishing.” A hacker targets individuals based on personal information made available to the public, typically by the users themselves.
O’Rourke’s first step in a penetration test: hitting LinkedIn to “scrape” every person who may have worked for the company. “From there, I scrape email addresses from documents on a web page,” says O’Rourke. “Now I have a list of names, and because I have information about different people in the company, maybe I’ll pepper the email with references. Like, ‘Hey, I was talking to Rebecca in accounts payable, we need to get this email out.’” Most people aren’t paying attention to where the e-mail is coming from, says O’Rourke.
To deter spear phishing, O’Rourke recommends ensuring your email is set up with proper Sender Policy Framework (SPF) validation — a snippet of text that goes into your DNS that checks to make sure the email you’re responding to comes from a host registered with that domain. “It’s like a little lock on your browser to help make it secure,” says O’Rourke.
No, “Winter17” is not a safe password
Most pen testers will tell you one of the easiest hacks into a system is guessing a lazy password. “The most common password is the season followed by the last two digits of the year,” says Ryan Jones of Denver-based Coalfire Systems. Other common passwords: “Password1” and “[Company Name]1”.
But hackers don’t target one person in a company and guess their password. They pick one password and run it through their list of employee emails — and it works surprisingly often, according to Jones. He recommends using two-step verification or authentication security, which generates a text or email with an additional password. This two-step verification process is common with online banking when a different computer or browser is used, and prompts the additional password to ensure the correct user is logging into an account.
Crumbaugh also advises using an easy-to-remember password that is at least 14 characters, rather than a shorter, complex password that uses numbers, different cases and symbols. According to Crumbaugh, a hacker can crack an 8-character password in as little as 24 hours using what’s called “brute-force attack” — a hacking program that tries every possible character combination. A 14-character or longer password, without any of the complexity, could take up to 500 years to crack simply because of the possible number of variations, Crumbaugh says.
The rule of thumb drivesAvoid plugging unknown devices into your computer, including electronic gifts and tempting thumb drives.
Restrict WiFi usage when traveling
Even if your office network is secure, it won’t help much if you’re depending on other networks while traveling on business. Navid Rachman, a technology consultant in Great Neck, New York, who specializes in helping small businesses untangle security breaches, had two clients who were phished out of £25,000 while overseas. He believes that in both cases, the clients used unsecure hotel or café WiFi networks. The hackers were able to see their emails, then create fake emails from a vendor requesting payment to a bank account.
“Unless the WiFi network is encrypted — and most cafes do not — your information is visible to someone even if the network has a password,” says Rachman. If you travel a lot and use hotel and cafe WiFi, he suggests using a Virtual Private Network (VPN), which allows you to remotely connect to your office (or home) computer and use it to work and browse the Internet over an encrypted network. There are free programs available online that allow users to create their own VPNs; paid services can also secure your connections for as little as £7 a month.
As far as keeping your office WiFi safe, along with strong passwords O’Rourke recommends setting up separate WiFi networks for employees and visitors, and using routers that support advanced security features such as Radius or Active Directory, which can sniff out unauthorized devices.
Update your software
The programs we use the most — such as Adobe Reader, Microsoft Word, web browsers and plugins — are often the ones hackers target, typically by attaching a “payload” to a .pdf file containing malware. This is why developers are constantly issuing patches and security updates. “If you don’t have your software updated, it’s vulnerable to the latest threats,” says Crumbaugh.
Back up everything
Ransomware — when a hacker infiltrates your computer and locks your files until you pay the ransom — is another growing cyber security threat. According to a 2016 study by leading tech consulting firm Osterman Research, 47 percent of businesses surveyed had experienced a “ransomware incident” in the past year. Typically, hackers charge £500 to remove the lock, but there’s an even more insidious kind of ransomware out there now. “Instead of asking users to pay the money, they ask them to infect two more users,” explains O’Rourke. “That brings up an interesting question: what if you’re a small business and can’t afford to pay?”
One solution: Back up your system daily. While it’s always good to have an extra drive on site for backing up files, O’Rourke recommends using one of the many low-cost cloud services that will sync with your system, automatically backing up files as they’re created. If you have just a few employees and use a common word processing software, the cloud storage that is included in that program may already be enough. O’Rourke says there are great cloud services available for as little £5 a month per terabyte stored.
Get more from your IT provider than antivirus
Because many small businesses don’t have the financial resources for dedicated IT departments, they pay third-party providers to set up their networks. These IT companies might provide basic security, but that may mean little more than antivirus software updates — which is no longer enough.
“We had one instance where the third party provider claimed they stopped all attacks and were perfect with security,” says O’Rourke. “I sat there with an executive at that small business, and in 30 seconds, I taught him how to make a malicious .pdf that bypassed all of the third-party company’s security. This guy had never written a line of code in his life."
O’Rourke’s advice: “Ask the provider straight up how they would handle a security incident such as phishing. What is their network incident response plan and how does it integrate with your business operations? This lets them know up front, you want to know the steps they take and what your involvement needs to be. This is crucial for business continuity. Often, those questions alone will get you a deer in headlights look.”
Keep your employees well-trained
Crumbaugh notes that even large companies with the resources for top-notch cyber security training do little more than once-a-year training with employees. “You need to remind your employees to be secure at least monthly or even weekly,” says Crumbaugh, who gives his clients what he calls “micro-training” to keep them sharp. This quick, high-frequency training and education may involve checking passwords, or test phishing to see if employees verify transactions. Any network administrator or CEO can do the same by coordinating with clients to test whether employees double-check a transaction.
Hire a pen tester
If you have the budget and want to go the extra mile, you can hire a pen tester. According to Crumbaugh, a good one costs anywhere from £25,000 to £40,000, but “price doesn’t dictate quality in this industry,” he says. Make sure they’re OSCP (Offensive Security Certified Professional) or (Offensive Security Certified Expert) certified, and ask for a sample report. “The report should not show vulnerabilities within the network, but rather show attacks the pen testers used,” Crumbaugh advises. Like the testers interviewed here, a good tester should be articulate, familiar with the latest tech and passionate. And ask for stories like the ones here. “A good pen tester will have hundreds of stories about how they got domain admin over their clients,” says Crumbaugh.
The information is provided for general informational and educational purposes only. It does not constitute professional or expert advice and does not signify an endorsement in any manner. No representations or warranties of any kind, express or implied, are made with respect to this information, including, but not limited to, the completeness, accuracy, timeliness, reliability, suitability, or availability with respect to this article or the information, products, or services. You are solely responsible for any reliance you place on this information, for any injuries or losses incurred, and for decisions made in connection with this information. Insurance underwritten by Insurance Holdings Exchange and other affiliated companies. Visit insuranceholdingsltd.com for a complete list of companies.