Friday, 19 May 2017

Guardian/Barclays: Confessions of a hacker: ‘I can intercept all your data’

Guardian Labs

Have you ever wanted to know how online criminals gain access to your computer? Here, three ethical ‘white hat’ hackers reveal the dirty tricks of the trade to help you stay one step ahead.

Hackers are renowned for their problem-solving skills. “You have 20 different hackers, you’ll have 20 different solutions to a problem,” says Alex Rice. Illustration: Patrick George

Tuesday 16 May 2017 11.58 BST

“Most people see hackers in the wrong way,” says Alex Rice, chief technology officer and co-founder of HackerOne. “They see them as attackers – so they have a checklist of defences they put up and think they’re no longer vulnerable. You should think of hackers as the kind of people who apply creativity to solving challenging problems.”

Rice works with blue-chip companies and the US Department of Defense to offer “bug bounties” – financial rewards for hackers who point out vulnerabilities (known as “white hat” hackers) rather than exploit them. “You have 20 different hackers, you’ll have 20 different solutions to a problem,” he says. “If there are 20 hackers on your side testing your defences, you’re much better prepared – understanding how hackers think is the key to defending against them.”

White hat hacker Jamie Woodruff has, for example: dressed up as a pizza boy to sneak into an office and access its network; found the dating-site profile of a powerful CEO’s daughter and picked her up for a date to lift her dad’s laptop; and scattered virus-ridden USB sticks marked “Spring Break 2016” around conferences.

Coffee shops, for Woodruff, are a goldmine. He uses a device that pretends to be a coffee shop’s genuine wifi router – it can be bought online for about £50. “Your phones are always looking for the networks that you’ve previously used, so this tricks them and I can intercept all your data,” he explains.
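A defender-side illustration of the rogue-router trick Woodruff describes, added here as an example that is not part of the article: a small Python check over a constructed Wi-Fi scan that flags a remembered network name being advertised by an unfamiliar access point, or with weaker security than the real one uses. The scan record format and the “remembered networks” list are assumptions for the example.

```python
"""Flag likely rogue ('evil twin') access points in a Wi-Fi scan.

A phone that auto-joins a remembered network name (SSID) cannot tell
two base stations (BSSIDs) apart by name alone. This check looks for
the two tell-tale signs of an impersonator: a remembered SSID beaconed
by a BSSID never seen before, and one SSID advertised with conflicting
security modes (an open copy of a normally encrypted network).
Record format and sample values are constructed for this example.
"""
from collections import defaultdict

# Constructed sample scan, as a scanner might see it in a cafe. The last
# row is the impersonator: same SSID, unknown BSSID, no encryption, and
# the strongest signal, so clients prefer it.
SCAN = [
    {"ssid": "CafeGuest", "bssid": "a4:5e:60:11:22:33", "security": "WPA2", "signal": -61},
    {"ssid": "CafeGuest", "bssid": "a4:5e:60:11:22:34", "security": "WPA2", "signal": -70},
    {"ssid": "PrinterSetup", "bssid": "3c:2a:f4:00:00:01", "security": "OPEN", "signal": -80},
    {"ssid": "CafeGuest", "bssid": "02:00:00:de:ad:01", "security": "OPEN", "signal": -35},
]

# Constructed 'remembered networks' list: SSID -> BSSIDs it was joined through.
KNOWN = {
    "CafeGuest": {"a4:5e:60:11:22:33", "a4:5e:60:11:22:34"},
}


def find_rogue_aps(scan, known):
    """Return (bssid, ssid, reason) tuples for suspicious beacons."""
    findings = []
    # Collect the security modes seen per SSID to spot an open copy.
    modes = defaultdict(set)
    for ap in scan:
        modes[ap["ssid"]].add(ap["security"])
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"]
        # Only remembered networks matter: those are the ones a phone joins unprompted.
        if ssid in known and bssid not in known[ssid]:
            findings.append((bssid, ssid, "remembered SSID from unknown BSSID"))
        if len(modes[ssid]) > 1 and ap["security"] == "OPEN":
            findings.append((bssid, ssid, "open network mimics a secured SSID"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN, KNOWN):
        print(f"{ssid} via {bssid}: {reason}")
```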

Most of us, of course, are unlikely to draw that level of specific attention – known as spear phishing – from a hacker. It’s typically senior company executives who are given the full, personalised services of a hacker – or even a team. Spear phishing, explains Rice, can involve scouring the target’s social media feeds to find when they’re going on holiday and then sending fake emails to their subordinates, instructing phoney invoice payments.

For most of us, a more general, scattershot level of hacking known as phishing is the most common thing we’re likely to encounter. In the UK alone, internet-enabled fraud cost Britons more than £280m a year, according to government-backed research, with the average victim losing £738. “There are skilled artist hackers and then there are criminals who are hacking,” explains David Emm, white hat hacker and principal security researcher at Kaspersky Labs. “They want a result with the minimum risk and effort possible.”

A good analogy, Emm explains, can be found on the plains of Africa. Predators watch herds of wildebeest for hours, looking for the injured or the slow – those that are easy to attack. “Hackers are looking for loopholes – and they are doing it in bulk because some very simple scams are surprisingly effective when they reach a weaker target,” he explains. “They’ll target known vulnerabilities in common operating systems or code. A lot of us find the constant requests to update software annoying, so we switch it off. Many people are still using Windows XP, which has huge vulnerabilities and is no longer updated – that’s like going out in winter with no clothes on.”

Hackers find nothing easier than, for instance, planting malicious bits of code in online ads that can jump on to any computer running out-of-date software, sending out mass emails with links to fake banking sites, or infecting sites with ransomware that can leap on to an unprotected computer and lock it down completely – demanding a small ransom for the password.

“The thing is active, not passive, defence,” adds Rice. “If you actively expect that a hacker will try for your bank details, you’ll be ready. You’ll update your software. You won’t click on links in emails – you’ll phone your bank to check. Be careful using public wifi. It’s not quite a jungle out there, but it’s smart to be careful.”

© 2017 Guardian News and Media Limited or its affiliated companies. All rights reserved.