THE WRITE LINE By Indranil Chakraborty
October 12, 2020: I am a ‘hacker’ – a white hat hacker as we say in our line of work. And I am here to shed some light on the intriguing world of hacking, which many people wrongfully think is some shady hangout of faceless geeks doing mysterious things.
I am a trained and a certified ethical hacker, living and working in India. As a professional in my field, I have sort of lived out of a suitcase you can say, helping large organisations keep their sensitive data safe and sound. I have lived in different Indian cities, have worked in West Asia as well, and these days I am camped in the southern Indian city of Bengaluru, working for an international company.
Through this discussion, I want to make it clear to you that there’s something called ethical hacking that is vitally important to all of us.
I will also give you an idea of the difference between ethical hacking and malicious hacking. Point is, there’s no need to run for your dear life if your next-door neighbour turns out to be a certified hacker – your smartphone is safe probably because of that same guy!
We will also look at the various types of hackers, good and bad, that the planet is home to. And we will discuss the most common forms of malicious attacks you should be aware of as a vulnerable citizen of the digital world.
IT’S WAR… AND YOU NEED A DEFENCE
Ethical hacking is going through a boom worldwide. And that’s only because the menace of malicious hacking is on the rise in a world going digital at breakneck speed. As attacks rise and become more sophisticated, it becomes necessary for stakeholders with sensitive data to take shelter behind ethical hackers.
It’s necessary here for us to familiarise ourselves with the term internet security. It’s a sub-set of computer security that deals with the measures put in place to ensure that activities and transactions done online are completely safe.
Internet security basically wards off dangerous cyber attacks targeted at browsers, networks, operating systems, and other applications we rely on daily. Malicious hacking is about exploiting loopholes and sneaking in. Internet security is a preventive measure that snuffs out the possibility and scope of a malicious hacking attempt.
What a defence ministry is to a country, internet security is to an organisation. And organisations implement different types of security measures. Specialised teams are hired to make sure all systems and servers are updated with security patches; to put foolproof firewalls in place; to keep networks properly segmented; and so on.
The idea is to make life hell for the bad guy who is trying to crack open the network, sneak in and cause havoc.
ORIGINS OF HACKING
It’s interesting to go back to the root of hacking. Many people may not be aware that cyber hacking is not a new-age phenomenon. Rather, as per records, the first instances of cyber hacking were reported way back in the 1960s – could you believe that!
Well, that was decades before even basic electronic gadgets made it to our lives – forget computers and networks.
Fast-forward to modern times, and we are deluged with digital mini-revolutions that run almost every aspect of our lives. And with that digitisation of our lives come risks of digital theft. From our personal data, to records of transactions we make, to the information we try to store safely because it’s sensitive – everything is at stake.
To build a fortress around the ocean of digital data that we want to preserve and protect, we have to rely on internet security.
The question that comes to mind is: generally who gets targeted by malicious hackers? Is it individuals? Or governments? Or business entities, large or small?
BAD NEWS… NO ONE IS SPARED
Alarmingly, malicious hackers target everyone. I repeat, everyone. No one is spared when it comes to who’s in the crosshairs of malicious cyber attackers. At the top of that hit list of targets are private financial organisations and government machinery.
Targeting a large, sophisticated organisation is not a cakewalk. It’s not that you just wake up one fine morning and decide to hack into a government department or the headquarters of a major company.
Hackers need to do a lot of groundwork to get started. They need to get down to ‘social engineering’ – basically researching on the target entity’s domains and sub-domains, its employee base, its history of safety and security, and so on.
From manufacturers to financial institutions to consultancy firms to payment platforms to stock exchanges to intelligence networks – to be frank, malicious hackers can and do target all of them.
Why are they targeted? Because they are all data mines. And data is the new oil, as we all know by now. Whoever deals with sensitive data or digital money will always be on the radar of hackers.
There’s something called ‘dark web’, and not many people are aware of that unknown world. Dark web is basically online content that’s not indexed by commonly used search engines. Many people also call it ‘dark net’. Vitally important and sensitive data that is stolen by malicious hackers is often sold on this dark web.
ALL HACKING IS NOT BAD
It is important to set the record straight here – not all hacking is bad. And that brings us to a question: what are the various kinds of hacking in practice out there, good and bad?
Broadly, there are three kinds of hackers – we call them ‘black hat’ hackers, ‘white hat’ hackers and ‘grey hat’ hackers.
Let’s start with black hat hackers. These are the bad guys on the circuit. These are the malicious chaps we get to often hear about in the news. They are behind the usual scary script: someone maliciously breaks into the system, or steals sensitive data, or carries out a fraudulent transaction on behalf of a legitimate user, and so on. Black hat hackers are extremely skilful, right from coding to hacking.
Then we have the type called white hat hackers. These are the good guys (count me in!). They are safe and trusted experts in their field; they always operate within the rules and follow the laws of the organisations that hire them.
The hacking that they carry out is done entirely ethically and within the laws. They are vitally important for companies, which hire them to get a measure of how bulletproof or how weak their infrastructure level or their application level is. Basically, through them, companies get to identify security flaws that malicious guys can exploit and cause harm.
The white hat hackers’ main skills lie in defending their employers’ set-ups from cyber attacks, apart from finding security weaknesses. When cyber attacks come without any warning – which is the norm – these hackers instantly get down to action to try to minimise the risk and damage.
Now we come to the third type – grey hat hackers. These are basically freelance hackers that perform the role of white hat hackers, but from outside the organisation. They scrutinise the status of security of an organisation, and when they locate security-related flaws or loopholes that bad guys can exploit, they report it to that organisation.
It’s not exactly an altruistic job. For the priceless work they do of flagging flaws from outside, the beneficiary organisations reward them in various ways, such as by giving bug bounties, appreciation certificates, hall-of-fame honours, ‘swag’ honours, and so on.
WHAT DOES A CERTIFIED HACKER DO?
Let me go back to the good guys on the circuit and shed some light on what a certified, ethical hacker does.
Certified hackers are highly skilled in the art and craft of hacking, and yet, big organisations trust them for their integrity and confidentiality. By big organisations, I mean mostly government bodies and privately-run businesses.
Certified hackers come in different subtypes, segregated on the basis of their roles. There are security analysts, basically the breed of white hat hackers. There are teams of certified hackers that are deployed by organisations to be battle-ready for defending against cyber attacks. They are also known as ‘blue teams’ or SOCs (security operation centres). Then there are ‘red teams’ that continuously test their organisations’ overall security, covering physical set-ups to digital infrastructure to connected devices, etc.
A hired certified hacker’s usual day at work involves testing the organisation’s networks and applications to identify security-related loopholes and to ensure they are patched up so that malicious hackers are unable to make inroads.
Certified hackers come with various types of certifications that are recognised globally. And the certifications are earned through a process that is similar to how we clear board exams, then college exams, then further higher studies, and so on.
The most popular certifications are CEH, ECSA, eJPT, ecPPT, eWPT, OSCP, OSCE, OSEE, GWAPT, GPEN, among several others.
Armed with these certifications, the hackers get hired by big organisations, which are nowadays increasingly concerned about keeping their infrastructure and networks safe.
Major companies tend to maintain their own fully-hired fleet of certified hackers that constantly looks after the security. But directly hired hackers apart, there are many service-based companies that offer hacker-reliant security services to other organisations. Naturally, these service providers have trusted white hat hackers on their payrolls.
THE ATTACKS WE FACE
Let’s get down to identifying the most common types of malicious hacking that we face. Here’s a handy list:
Keylogger: It’s a simple piece of software or hardware that quietly records the sequence of keystrokes on your keyboard, and saves them into log files hidden away from you. These log files are likely to contain the usernames and passwords of your email IDs and other login details. It’s also known as keyboard capturing.
The possibility of keylogger attacks is the main reason why online banking websites prompt you to use their virtual keyboards. Basically, whenever you’re keying in log-in details into a computer in a third-party or public setting, you are vulnerable to a keylogger attack.
Denial of Service and Distributed Denial of Service (DoS/DDoS): It’s a cyber attack in which a certain site or server is taken down by flash-flooding it with a massive amount of traffic. Facing a sudden deluge of traffic, the site or server is unable to process all the requests in real-time and crashes.
Fake WAP (wireless access point): In this cyber attack, the hacker uses software to set up a fake WAP in a public place. Unaware that the WAP is fake, people connect their devices to it and end up giving the hacker access to their data unknowingly.
Phishing: This is another common form of cyber attack. The hacker makes a perfect clone of a very popular site. The hacker then sends the spoofed link to unsuspecting victims, who walk into the trap by opening it. Once the victims enter their log-in details, the hacker gets served all that information on a platter.
Virus and Trojan: These are malicious software programmes that are stealthily installed into the victims’ systems, and the victims’ data is then sent to the hacker. Viruses and Trojans can be programmed to do weird and dangerous things, such as locking the files in your system, baiting you with fraudulent advertisements, diverting traffic, ‘sniffing’ your data, or spreading to all other devices connected to your network.
Clickjacking: In this attack, the hacker cleverly hides the actual UI where the victim is supposed to click on the webpage. So the victim is basically tricked into clicking on something invisible or disguised on a site which s/he otherwise wouldn’t have clicked. This kind of attack is common with app downloads, movie streaming, and torrent websites. Usually, hackers use this trick to earn advertising dollars. But in some cases, it can also be used to steal personal data.
Bait and switch: Here, the hacker buys advertising spaces on websites, setting up the visitors for a malware attack. Attracted by the ads, when users click on them, they get redirected to web pages infected with malware.
IS YOUR SMARTPHONE SAFE?
More and more people around the world are using smartphones rather than desktops. So a question that often comes to one’s mind is: is malicious hacking common in mobile phones?
The bad news is, yes, smartphones are quite often targeted by malicious hackers. And smartphones can be hacked in various ways.
Here’s a common trend that I have seen happen way too often. It’s that hackers typically trick and defraud smartphone users by using malware. Users get provoked into entering some malicious website, leading to malware quietly getting downloaded onto the phone.
Also in some cases, hackers successfully tempt users into installing apps that are malicious. The unsuspecting users then end up handing over sensitive data to the malicious apps.
When it comes to apps, one good thing is that the popular app stores nowadays vet their apps carefully. That means, apps that are obviously dangerous are straight away knocked off these stores.
Yet another level of security feature is also in place these days in smartphones. When apps are installed, the phone prompts users, asking them whether the apps should be given permission to access certain types of data in their phones, such as email ID, phone number, camera, sound files, contact list, multimedia gallery, etc.
For smartphone users, the good news is that all the popular social platforms and websites on which we spend much of our precious time these days, such as Gmail, Facebook, WhatsApp, Twitter, Instagram, Outlook, LinkedIn – these apps are largely secured, and a bunch of white hat hackers and grey hat hackers are continuously working to make sure they remain safe.
By the way, guys, a vital tip: never keep an easy password for your personal Wi-Fi set-up. Set a password that will make it mighty difficult for hackers to crack into your network. It serves as a simple yet powerful first barrier against hackers.
A WAR ON TWO FRONTS
The war we certified hackers are fighting with the malicious ones is being fought on two fronts: technical and psychological.
Our job, as ethical hackers, is not an easy one. It’s very challenging because it’s constantly evolving. We have to be on our toes all the time. Malicious hackers are lurking out there, and they are evolving fast. If we take the foot off the pedal – that is, if we don’t spot bugs in the network quickly enough and take too much time to fix them – the bad guys will gatecrash and take charge.
As the good old saying goes – better safe than sorry.