Penetration testers, broadly, classify into two classes of existence:
- “Black hat hackers” destroy and damage things, sometimes for money and sometimes for fun. Since their activities are frequently illegal, they don’t tend to make their actions public and there aren’t many certifications to become one. They give hacking a bad name.
- “White hat hackers” are trying to find vulnerabilities before the black hats find them, often by penetration testing (“PenTesting”). Standard procedure is to announce the “exploit” to whoever can fix it, then wait about 90 days until making it public. They’re following the rules, and trying to enforce them, but have nearly the same skillset as the black hats.
The black/white hat dichotomy is, however, somewhat a matter of perspective:
- Beyond the reason why someone breaks into a computer system and what they do once they’ve entered it, there is effectively no difference between a penetration tester (PenTester) and hacker.
- Hacking on behalf of a nation in a war is a black hat activity, but can be construed as white hat for the people contracting it.
There’s a strange paradox in cybersecurity:
- Attacking a computer requires a completely different setup than defending it, and it borrows many of its ideas and concepts directly from wartime tactics.
- Successful “Red Team” cybersecurity experts will perform the same types of attacks on computers they (or their employers) to patch any holes before the black hats can get to them.
- Without them, the “Blue Team” can only protect against legitimate attacks, which is both inconsistent (because they’re unprepared) and can be very disastrous if they happen to fail.
All aspects of PenTesting are illegal unless that hacker has explicit permission in two possible ways:
- That hacker fully owns the target device.
- That hacker has a “statement of work”, which is a contract from the owner (which is the hacker’s responsibility to verify ownership) that gives explicit permission by outlining the work to be done and exactly what is allowed and forbidden.
Almost every malicious hack is performing the same abstraction: gaining more privileges on the computer than they should and then doing something with it.
An expert attacker will often have an elaborate “kill chain”, which will involve at least some of the steps in a sequential process:
- Reconnaissance – harvesting information, which can range wildly depending on their purpose
- Weaponization – after finding an exploit, create a “payload” by creating a program
- Delivery – sending the payload to the target computer, often via hyperlink or email
- Exploitation – the code is activated on the target computer
- Installation – the code creates malware on the computer
- Command & Control (C2) – the hacker can remotely manipulate the victim
- Actions on Objectives – the hacker completes their original goals
Further, hackers have become very skilled at social engineering, which allows them to do most of the above steps more efficiently or without drawing attention to themselves.
1. Recon
Since computers come in a wide variety of uses and all have operating systems that network easily with each other, the attack surface is proportionally huge compared to the past. Any information that could be useful is called intelligence, and any publicly accessible information is called “open-source intelligence” (OSINT).
OSINT is a vast concept, and can effectively apply to any information contained within a computer, context-depending:
- All social media, organization websites available to the public, or public directories.
- Any software that can sift through data.
- Any software that designs or modifies visual information, auditory information, or text information.
- Records of any sort, including government archives or public filings.
- Any information a person volunteers freely on the internet.
- Customized dashboards or search engines that more quickly work through the information.
If the hacker is targeting an organization that’s relatively secure (e.g., a bank), they can often infiltrate a related organization that isn’t secure (e.g., a custodial company), which they’ll use as a base of operations to quietly attack.
Hackers tend to “snoop” networked computers to find vulnerabilities and “backdoors”.
- “Network sniffing” uses network software to capture “packets”, which may contain things like bank account numbers and passwords.
- “Wardialing” involves entering all the phone numbers across a region to find which ones are active.
- Often, a hacker will use a “port scanner” to probe the ports that are open on the target computer.
- Sometimes, the UEFI itself can have a backdoor to gain local privileges.
By dumpster diving (or scouring landfills), hackers can find tons of private information in old computers’ memory. When a wealthier nation has waste management regulations about electronics, they may pay to export their waste to poorer countries, which end up in landfills for foreign hackers to find.
2. Weaponize
Hacking a computer uses a “vulnerability” to make an “exploit”. If that exploit is presently usable (and not merely a theoretical exploit or future exploit), it’s a “zero-day exploit”.
“Password cracking” is the most well-known, but also one of the rarest these days because of most passwords are well-encrypted. However, people still leave Post-It notes around and older encryption algorithms are often susceptible to cryptanalysis techniques.
- “Dictionary attacks” run through all the commonly used words in the dictionary to find the password. By putting numbers into the password, this won’t work.
- “Brute force attacks” involve using every possible password combination. It’s extremely time-intensive and is inherently obvious over a network to anyone tech-savvy.
There are a variety of different ways to program malicious software (“malware”) to spread on a computer or network, but it takes time to program them.
3. Deliver
“Drive-by downloads” are malware installed from a dodgy website. Some of the websites use very clever UX tricks to make people download on those websites.
A “man-in-the-middle” (MitM) attack involves appearing legitimate to stand in between a transaction. There’s a new form of it now with mobile devices called “man-in-the-mobile” (MitMO).
“Tailgating” involves physically following an authorized person into a secure area (such as a data center).
“DDos attacks” (“distributed denial of service”) blast the target computer with a tsunami of network requests from a gargantuan network of bots (“botnet”).
A “zero-click attack” doesn’t require the user to do anything, and the code will simply run without their involvement.
Sometimes, hackers can bundle “potentially unwanted programs” (PUPs) with unrelated legitimate software. This often happens as part of an installation program, especially mass-download websites like CNET Downloads or app stores. This is because the people who host the downloads don’t often put good policies in place to prevent it (which is a double-edged sword, because Apple has a history of shutting down apps arbitrarily).
Malicious web browser plugins are a frequent risk. A “browser hijack object” (BHO) is designed to exploit built-in features of the older Internet Explorer browser. Because IE is so closely connected to everything in Windows, it can give complete control to an outside source. However, all browsers are susceptible to unintentionally installed malware.
4. Exploit
While the exploitation may occur at delivery, it’s not usually the case because they want to be sure they’ll get away with the action.
There are a variety of code vulnerabilities, and hackers are creative enough to always find more.
The simplest exploit is often to enter a known “default” password. There are many default passwords for computers (e.g., phone voicemail, network router admin accounts), which means the hacker doesn’t even have to guess the password.
A successful “buffer overflow” comes from the computer properly receiving a memory location outside the memory stack. By doing this, the computer will visit accurate-but-wrong memory locations, which can often have new code programmed for it.
“Non-validated input” is entering information into a program that overrides the existing code. The easiest way to do this in a text box is with commands that close the function, like ; > } ] and ), but there are many more.
A “NOP slide” uses NOP (no operation) commands from the CPU and slides data into them to make the computer carry out actions during those cycles.
A “race condition” is comes from varying speeds that information can travel. For example, sending internet data that should be coming from Australia to New York out of Chicago before Australia’s data can get there. Hackers can exploit a race condition if they have enough networking experience.
A “VM escape” finds various glitches to break out of a virtual machine into the rest of a system.
- In the 2017 Pwn2Own conference, a researcher used a JavaScript bug in Microsoft Edge to exploit a Windows 10 kernel bug to exploit a hardware simulation bug in VMware.
5. Install
Once the hacker is in, they are free to act as they want. Computers are dumb enough that they’ll take all instructions once someone is authenticated.
Sometimes, hackers do not need to install a program, but instead can run another command:
- Change a password for something else.
- Route a phone line to somewhere else.
The amount of time the hacker needs to install their software varies, but most code can be measured in megabytes or kilobytes, so it rarely takes more than a minute or two across most of the internet. It’s rarely detectable unless the user is tech-savvy enough and fast enough to catch a small discrepancy.
This installation phase is optional, especially when it’s not malicious.
6. Control/Command
How the hacker controls their software varies wildly by how they programmed it. This often depends wildly on the purpose.
Typically, it’s simply automation from what they installed, such as routing information through a different network connection or consistently sending information remotely.
“Remote code execution” (RCE) is when the code is remotely activated, often over the internet.
7. Aftermath
Hackers’ purposes dictate much of what they do, so it all depends on what they want.
Nearly all criminal computer activities can broadly be defined as either theft (such as stealing money) or vandalism (destroying things), but hackers are often important actors in wars and large-scale political activities.
The thoroughness of the hacker determines whether governments can legitimately prosecute a hacker:
- If they want to be known or weren’t very thorough, the software will probably persist on the system until it’s removed or destroys the computer (often by burning out the CPU or hard drive).
- If they want to stay hidden, they’ll likely have the software delete itself.
- Very often, they’ll mask their entire operation through many proxy servers.
Sometimes, a hacker can install something and it’ll stay undetected for years. Security researchers hate to admit this, but hackers are literally as smart as security researchers, and it’s relatively easier to destroy/attack than defend against cyberattacks.
Listed Exploits
Computers, all the way down, are nothing but math. Therefore, any computer system with sufficient attention toward it (meaning sufficient motivation for someone to try) is going to get hacked. Efforts like encrypting everything, hardening, and enforced procedures are designed to do several things:
- Mitigate the damage or propagation of secure information.
- Make the hackers easier to catch while taking that information (or maybe even mislead them).
- Inspire the hackers to attack other, less-secure computers instead.
Here’s a list of various exploits that have become public, which is by no means in any way exhaustive:
- Some of them are really severe, and can lead to identity theft of potentially millions.
- Others were discovered by security researchers beforehand.
- Some were simply a disgruntled employee with too many permissions.
By the time you see it here, most of them have been fully patched.
Specific entities:
- Governments
- Acer (hardware company)
- Activision (game company)
- Booking.com (discount travel clearinghouse, owner of Priceline and KAYAK)
- Bumble (dating app)
- Clubhouse (hacker forum)
- Experian (credit/personal information bureau)
- 2022-07 People were having accounts hacked at Experian through the company authorizing changes from stolen personal information and updating emails that weren’t theirs.
- 2022-10 Experian had a glitch for 7 weeks that allowed viewing any consumer’s information with simply their name, address, date of birth, and social security number.
- Ferrari (auto company)
- Intel (CPU company)
- Meta: Facebook (social media company)
- Meta: WhatsApp (message service)
- Microsoft (tech company)
- Microsoft: LinkedIn (social media company)
- Microsoft: Teams (video chat service)
- Microsoft: Twitch (streaming video service)
- Microsoft: Windows (operating system)
- Nestlé (food and personal care)
- NVIDIA (graphics CPU company)
- Okta (authentication company)
- Parler (social media company)
- Robinhood (investing platform)
- Slack (messaging/chat service)
- T-Mobile (cell phone service company)
- Tesla (auto company)
- Twitter (social media company)
- Uber (ridesharing company)
- Western Digital (hard drive company)
- Wikipedia (not-for-profit public wiki)
- Zoom (videoconference service)
Affecting many organizations at once:
- Cisco (networking hardware company)
- Kaseya (networking company)
- Let’s Encrypt (certificate authority)
- Microsoft (tech company)
- Tesla (auto company)
Incompetence
However, sometimes people simply fail at keeping everything safely compliant: