Advert

What the hack

Matthew Anthony Pace examines the source code of hackers and finds that they aren’t all bad.

Nowadays, most people wouldn’t second-guess the security of the products they use in their everyday life. However, you would probably be shocked to learn that the average household has three to four unique exploitable points that a knowledgeable security expert could use to gain access to internal devices. These can then be controlled and used to steal personal information.

These household exploitable points include smart televisions, network connected set-top boxes and any kitchen appliance which has some kind of network connectivity. Of course, the people living in that household are also exploitable.

Most if not all software and hardware vulnerabilities can be traced back to developers who have either maliciously or accidently left an exploitable security point in a product or service. Accidental vulnerabilities could originate from the developers’ inexperience with security best practices or are simply inherited due to the use of a third party framework which could contain an exploitable piece of code.

There are three main types of hackers. The first are white hat, also known as ethical hackers: these hackers attack and break security for non-malicious reasons. They usual do this to test the strength of their own systems or are hired by businesses to identify any security weaknesses in their products and their existing implemented systems. This way businesses have peace of mind that if there are any issues or violations of security best practices, these are brought to their attention so they can be resolved.

Black hats will often perform these acts for nothing more than personal gain or because of the thrill of the challenge

The next type of hackers are black hat. These hackers break into secure systems to steal, modify, delete data or just make a system unusable for all other legitimate users. Black hats will often perform these acts for nothing more than personal gain or because of the thrill of the challenge. Black hats usually find vulnerabilities and keep them to themselves: they do not release them to the general public or inform the manufacturer as otherwise, a patch may be created to fix the issue.

Grey hat hackers are a combination of both black and white hackers. They usually look for vulnerabilities for the fun of it and then notify the manufacturer or owner. In most cases, grey hat hackers offer a solution against payment.

Locating new vulnerabilities is sometimes down to pure luck: someone curious enough would be wondering how a particular system functions and stumble upon a vulnerability. Other times, it is intentional: security researchers or hackers brute force their way using a number of different techniques to detect them.

One technique is packet and logic analysing, which works by capturing and reviewing the raw data that is being passed over a data bus, whether over a wireless interfaces such as Wi-Fi, Bluetooth and other radio frequencies, or over wired interfaces such as ethernet, USB and other physical connections such as micro-chip to micro-chip communication.

Another approach is for a security expert to examine the source code of the application to find any vulnerability which could be used to exploit the system. However, if the source code is not available, reverse engineering the compiled version is possible, which would have the same outcome as having the original source code.

Another technique is to exploit the human psychology. This approach uses a less technical approach: it requires the least amount knowledge on hardware and software systems and can be performed by almost anyone. This technique is known as social engineering and is an act of psychological manipulation. It works when someone tricks a vulnerable person into gaining their trust, which then can be easily used to get sensitive information such as credit card numbers, passwords and unlawful physical access to buildings. Usually, this is done just by talking and pretending to be someone else with an important status.

Any individuals looking to start a career in the security research industry should have the mindset of thinking outside the box and will have to dive deep down into the inner workings of systems to uncover new exploits. A career in the penetration testing industry would also require you to stay up-to-date with the latest techniques used and security best practices.

Matthew Anthony Pace is a software developer and electronics designer by day and a security researcher and blogger by night. He blogs at https://looku.ga .

Comments not loading? We recommend using Google Chrome or Mozilla Firefox with javascript turned on.
Comments powered by Disqus  
Advert
Advert