Ethical hacking: Protect yourself online
The threat of cyber attack is greater than ever, as many high-profile targets have discovered. Rob Sharp meets the "ethical hackers" who reveal the gaps in online security and finds out how you can protect your data
Wednesday 02 September 2009
It's a quiet Saturday afternoon at a plush apartment block in West London. "Pizza," announces the delivery boy, standing in front of the building's ground-floor reception desk. He is at the luxurious entry point to the home of the chief executive of a large multinational, and security is – or should be – watertight. The large, heavily-set man working on the front desk checks down the list of deliveries set in front of him. The fast food order doesn't seem to be on there.
"Nah, I arranged it with Alice. That's his assistant," the pizza boy explains, and after the quickest of wrangles, he is ushered inside. And so, several secrets belonging to a FTSE 100 company are on their way to being compromised. That's because the delivery boy is an ethical hacker who has gone undercover to expose the everyday security flaws that can cost businesses millions. This residential adventure is all in a day's work for the security firm Vigilante Bespoke. Its mission is this: to stop the hacking activity that has moved away from offices and into the domestic desktop set-ups of celebrities and successful businessmen.
One example that shook the financial world took place in 2004, when the Japanese bank Sumitomo was the target of a cyber-heist where criminals "bugged" computers in the bank's London offices with keystroke recorders hoping to unearth high-level passwords to illegally transfer money. The plot was rumbled but it has been a wake-up call to businesses who thought their systems were safe.
Vigilante is just one of the raft of companies that have expanded or sprung up to offer the likes of password protection, file encryption, and "social engineering" (uncovering physical security weaknesses by, er, posing as pizza delivery boys). Us ordinary folk can learn something from them, too.
"The basic premise of our business is to replicate the kind of IT protection you get in the military or big corporations, and provide a service to the high-profile, high-network individuals who are more at target from attacks but don't have an IT department to protect them," explains Vigilante co-founder Oliver Crofton. "So, if I'm a celebrity, I'm an entity in my own right, I may be worth millions of pounds."
Because it's not just companies that run the risk of cyber crime. More than ever, our information is "compromised", whether it be through our Twitter feeds or our mobile phone voicemail accounts. It also seems like open season for the famous right now. Whether it's the mobile phones of Gwyneth Paltrow, George Michael and Alan Shearer or the Twitter accounts of Lily Allen, Alan Davies and Ashton Kutcher, almost no one is safe. Nicolas Sarkozy's bank account has been cracked, as have the email accounts of Miley Cyrus and Salma Hayek. And any of the methods employed to hack into their databases can be used on ordinary folk (who if anything, are likely to be more vulnerable).
Phone hacking has been making headlines recently. A would-be hacker simply calls the mobile phone number of the victim, and when the call goes through to voicemail the hacker inputs the provider's default code (if it has not been changed) and listens to that person's messages. The easy way to avoid it is to reprogramme your pin. But if the hackers were clever enough to get inside Gwyneth Paltrow's handset, then we should all protect ourselves. Then there's using the same password for all your accounts ("password"; "mother"; "1234"). Simply don't do it: Miley Cyrus did, and pictures of her in her scanties were splashed across the internet. "I think the hacker behind it was around 20," explains Crofton. "He used social engineering to gain access to Cyrus's MySpace administration, from which he obtained a list of passwords. Then it was easy for him to gain access to her email account, obtaining snaps and personal details."
To see how a normal, password-conscious consumer could be targeted, I invite Vigilante to The Independent's offices in London. Shortly after they arrive, I open my MacBook and attempt to log on to the Local Area Network (LAN). Crofton and a colleague show me a system where they can disable all the wireless networks within my area, causing my laptop to become disconnected. When I tried to reconnect, I dialled up a network created from their laptops which they can control. They now had a direct link to my machine and can see what websites I regularly visit and even upload programmes which record the keys I hit so that they can uncover my bank account details.
"There is obviously a market for that information," says Tom Beale, an ethical hacker and colleague of Crofton's. In the UK, online security companies recruit the majority of ethical hackers from university computer studies courses. That was the case with Beale, who was approached by security company MWR Info Security after he started ethical hacking while at university.
"A certain amount of credit card details can be sold on the black market, they would have a street value. So someone might have 20,000 people's credentials which he can flog off to someone that might want to use them." Vigilante aren't the only company trying to cope with burgeoning concerns. "We have had more approaches from people wanting protection," says Alistair Macrae, head of operations at London-based security firm Lynceus. "Big stories bring security to the front of people's minds; many weren't aware that such things were happening; they want to respond appropriately." Last month one of America's biggest mobile network providers, Verizon, expanded its encryption services to enable small businesses to encrypt their emails; in June, Dave DeWalt, chief executive of security software group McAfee, likened the fear of attack to "the Cold War at its height" in the 1960s and 1970s.
Over the last year there has been a huge increase in "drive-by download" attacks. These involve an attacker scanning the web looking for vulnerable websites – they upload a malicious code on to them which visitors to the site can then download. Vulnerable websites are websites that are more "dynamic and complicated", says Beale (ie the ones that employ lots of moving images or video). This is because they have more code to be infected. "There has also been a rise recently in the number of attacks where users are sent PDF documents that are essentially compromised," continues Beale. "These can allow your machine to be taken over or used to do malicious things to other people." Such indiscretions can be added to the key logging instances already mentioned, as well as vulnerabilities in the iPhone (simply by receiving a text message one could give control of one's device to a hacker, a problem cured by a patch released earlier this month) as well as the threat of botnets on Facebook, Twitter and Google (botnets can be used to infect millions of machines which then request to access a site at the same time then crash it; Twitter was crashed for two hours earlier this month because of a co-ordinated botnet attack).
So what you can do about it? "You can follow a few simple rules to minimise your chances of attack," says Crofton [see below], "but the only way you can totally be sure is by leaving your work at the office – if you have the opportunity – and being extremely vigilant. Change your default passwords and be careful what information you reveal on social networking sites. Also, don't send work to people's personal email addresses to finish when you get home. This is not a secure platform to work from. If you do want to work from home, speak with your IT department."
Cyber safety: How to protect yourself online
* Always use a firewall: you can easily download simple firewall packages, or use trusted and known anti-virus protection software. Always make sure that you regularly download updates for them.
* Do not carry out work-sensitive activity on your machine outside work; you never know who might be watching, and what technology they might have at their disposal.
* Make sure your iPhone isn't hooking up to any old network and asks you before it does; equally expect the same from your trusty laptop.
* Only download software from trusted sources on the internet; if it pops up and is covered in ladies in their scanties, someone is up to no good.
* Don't set your password as "password" (we've heard it before); try to just "pervert" memorable names with different symbols, for example Coca-cola becomes C0c4c@1a.
* Think of your technology in the same way you think of your physical stuff; you wouldn't leave your keys in the ignition of your car, so don't leave the door open to the secrets of your hard drive, either.
Life & Style blogs
In defence of liberal democracy
General Election 2015: Post-election 'shambles' looms as 70 per cent of voters say SNP 'should not be able to veto UK government policies'
The Rothschild Libel: Why has it taken 200 years for an anti-Semitic slur that emerged from the Battle of Waterloo to be dismissed?
General Election 2015: UK will be 'run for the wealthy and powerful' if Tories retain power, Labour warns
General election live: SNP suspends two members for disrupting Labour rally
General Election 2015: Sturgeon claims Scots 'appalled' by Ed Miliband's refusal to work with SNP
- 4 #JeSuisEd: People share photos of themselves eating awkwardly in solidarity with Labour leader
- 5 Women think Irish men are the sexiest, survey finds
iJobs Gadgets & Tech
£18000 - £20000 per annum: Ashdown Group: Helpdesk Analyst - Devon - £20,000 ...
£35000 - £50000 per annum + generous bonus: Ashdown Group: Business Analytics ...
£45000 - £50000 per annum: Ashdown Group: IT Project Coordinator (Software Dev...
£18000 - £23000 per annum + Uncapped OTE: SThree: SThree Trainee Recruitment C...