Penetration testers, broadly, classify into two classes of existence:
- “Black hat hackers” destroy and damage things, sometimes for money and sometimes for fun. Since their activities are frequently illegal, they don’t tend to make their actions public and there aren’t many certifications to become one. They give hacking a bad name.
- “White hat hackers” are trying to find vulnerabilities before the black hats find them. Standard procedure is to announce the “exploit” to whoever can fix it, then wait about 90 days until making it public. They’re following the rules, and trying to enforce them, but have nearly the same skillset as the black hats.
It’s worth noting that some of this is a matter of perspective. Hacking on behalf of a nation in a war, for example, is a black hat activity, but can be construed as white hat for some people.
There’s a strange paradox in cybersecurity. Attacking a computer requires a completely different setup than defending it, but successful “Red Team” cybersecurity experts will perform the same types of attacks on computers they (or their employers) to patch any holes before the black hats can get to them. Without them, the “Blue Team” can only protect against legitimate attacks, which is both inconsistent and very dangerous if they happen to fail.
All aspects of PenTesting are illegal unless that hacker has explicit permission in two possible ways:
- That hacker fully owns the target device.
- That hacker has a “statement of work”, which is a contract from the owner (which is the hacker’s responsibility to verify ownership) that gives explicit permission by outlining the work to be done and exactly what is allowed and forbidden.
Almost every malicious hack is performing the same abstraction: gaining more privileges on the computer than they should and then doing something with it.
An expert attacker may have an elaborate “kill chain”, which will involve a sequential process with at least some of the below steps:
- Reconnaissance – harvesting information, which can range wildly depending on their purpose
- Weaponization – after finding an exploit, create a “payload” by creating a program
- Delivery – sending the payload to the target computer, often via hyperlink or email
- Exploitation – the code is activated on the target computer
- Installation – the code creates malware on the computer
- Command & Control (C2) – the hacker can remotely manipulate the victim
- Actions on Objectives – the hacker completes their original goals
Also, hackers have become very skilled at social engineering, which allows them to do most of the above steps more efficiently or without drawing attention to themselves.
Hacking a computer uses a “vulnerability” to make an “exploit”. If that exploit is presently usable (and not merely a theoretical exploit or future exploit), it’s a “zero-day exploit”.
“Password cracking” is the most well-known, but also one of the rarest these days because of most passwords are well-encrypted. However, people still leave Post-It notes around and older encryption algorithms are often susceptible to cryptanalysis techniques.
- “Dictionary attacks” run through all the commonly used words in the dictionary to find the password. By putting numbers into the password, this won’t work.
- “Brute force attacks” involve using every possible password combination. It’s extremely time-intensive and is inherently obvious over a network to anyone tech-savvy.
Hackers tend to “snoop” networked computers to find vulnerabilities and “backdoors”.
- “Network sniffing” uses network software to capture “packets”, which may contain things like bank account numbers and passwords.
- “Wardialing” involves entering all the phone numbers across a region to find which ones are active.
- Often, a hacker will use a “port scanner” to probe the ports that are open on the target computer.
- Sometimes, the UEFI itself can have a backdoor to gain local privileges.
Hackers can find all sorts of private information stored in old computers’ memory by dumpster diving. Countries that have waste management regulations about electronics may pay to export their waste to poorer countries, which end up in landfills that foreign hackers can find.
If the hacker is targeting an organization that’s relatively secure (e.g., a bank), they can often infiltrate a related organization that isn’t secure (e.g., a custodial company), which they’ll use as a base of operations to quietly attack.
There are a variety of different ways to program malicious software (“malware”) to spread on a computer or network, but it takes time to program them.
“Drive-by downloads” are malware installed from a dodgy website. Some of the websites use very clever UX tricks to make people download on those websites.
A “man-in-the-middle” (MitM) attack involves appearing legitimate to stand in between a transaction. There’s a new form of it now with mobile devices called “man-in-the-mobile” (MitMO).
“Tailgating” involves physically following an authorized person into a secure area (such as a data center).
“DDos attacks” (“distributed denial of service”) blast the target computer with a tsunami of network requests from a gargantuan network of bots (“botnet”).
A “zero-click attack” doesn’t require the user to do anything, and the code will simply run without their involvement.
Sometimes, hackers can bundle “potentially unwanted programs” (PUPs) with unrelated legitimate software. This often happens as part of an installation program, especially mass-download websites like CNET Downloads or app stores. This is because the people who host the downloads don’t often put good policies in place to prevent it (which is a double-edged sword, because Apple has a history of shutting down apps arbitrarily).
Malicious web browser plugins are a frequent risk. A “browser hijack object” (BHO) is designed to exploit built-in features of the older Internet Explorer browser. Because IE is so closely connected to everything in Windows, it can give complete control to an outside source. However, all browsers are susceptible to unintentionally installed malware.
While the exploitation may occur at delivery, it’s not usually the case because they want to be sure they’ll get away with the action.
There are a variety of code vulnerabilities, and hackers are creative enough to always find more.
The simplest exploit is often to enter a known “default” password. There are many default passwords for computers (e.g., phone voicemail, network router admin accounts), which means the hacker doesn’t even have to guess the password.
A successful “buffer overflow” comes from the computer properly receiving a memory location outside the memory stack. By doing this, the computer will visit accurate-but-wrong memory locations, which can often have new code programmed for it.
“Non-validated input” is entering information into a program that overrides the existing code. The easiest way to do this in a text box is with commands that close the function, like ; > } ] and ), but there are many more.
A “NOP slide” uses NOP (no operation) commands from the CPU and slides data into them to make the computer carry out actions during those cycles.
A “race condition” is comes from varying speeds that information can travel. For example, sending internet data that should be coming from Australia to New York out of Chicago before Australia’s data can get there. Hackers can exploit a race condition if they have enough networking experience.
A “VM escape” finds various glitches to break out of a virtual machine into the rest of a system.
Once the hacker is in, they are free to act as they want. Computers are dumb enough that they’ll take all instructions once someone is authenticated.
Sometimes, hackers do not need to install a program, but instead can run another command:
- Change a password for something else.
- Route a phone line to somewhere else.
The amount of time the hacker needs to install their software varies, but most code can be measured in megabytes or kilobytes, so it rarely takes more than a minute or two across most of the internet. It’s rarely detectable unless the user is tech-savvy enough and fast enough to catch a small discrepancy.
This installation phase is optional, especially when it’s not malicious.
How the hacker controls their software varies wildly by how they programmed it. This often depends wildly on the purpose.
Typically, it’s simply automation from what they installed, such as routing information through a different network connection or consistently sending information remotely.
“Remote code execution” (RCE) is when the code is remotely activated, often over the internet.
Hackers’ purposes dictate much of what they do, so it all depends on what they want.
Nearly all criminal computer activities can broadly be defined as either theft (such as stealing money) or vandalism (destroying things), but hackers are often important actors in wars and large-scale political activities.
The thoroughness of the hacker determines whether governments can legitimately prosecute a hacker:
- If they want to be known or weren’t very thorough, the software will probably persist on the system until it’s removed or destroys the computer (often by burning out the CPU or hard drive).
- If they want to stay hidden, they’ll likely have the software delete itself.
- Very often, they’ll mask their entire operation through many proxy servers.
Sometimes, a hacker can install something and it’ll stay undetected for years. Security researchers hate to admit this, but hackers are literally as smart as security researchers, and it’s relatively easier to destroy/attack than defend against cyberattacks.
Computers, all the way down, are nothing but math. Therefore, any computer system with sufficient attention toward it (meaning sufficient motivation for someone to try) is going to get hacked. Efforts like encrypting everything, hardening, and enforced procedures are designed to do several things:
- Mitigate the damage or propagation of secure information.
- Make the hackers easier to catch while taking that information (or maybe even mislead them).
- Inspire the hackers to attack other, less-secure computers instead.
Here’s a list of various exploits that have become public, which is by no means in any way exhaustive:
- Some of them are really severe, and can lead to identity theft of potentially millions.
- Others were discovered by security researchers beforehand.
- Some were simply a disgruntled employee with too many permissions.
By the time you see it here, most of them have been fully patched.
- Acer (hardware company)
- Activision (game company)
- Booking.com (discount travel clearinghouse, owner of Priceline and KAYAK)
- Bumble (dating app)
- Clubhouse (hacker forum)
- Experian (credit/personal information bureau)
- 2022-07 People were having accounts hacked at Experian through the company authorizing changes from stolen personal information and updating emails that weren’t theirs.
- 2022-10 Experian had a glitch for 7 weeks that allowed viewing any consumer’s information with simply their name, address, date of birth, and social security number.
- Ferrari (auto company)
- Intel (CPU company)
- Meta: Facebook (social media company)
- Meta: WhatsApp (message service)
- Microsoft (tech company)
- Microsoft: LinkedIn (social media company)
- Microsoft: Teams (video chat service)
- Microsoft: Twitch (streaming video service)
- Microsoft: Windows (operating system)
- Nestlé (food and personal care)
- NVIDIA (graphics CPU company)
- Okta (authentication company)
- Parler (social media company)
- Robinhood (investing platform)
- Slack (messaging/chat service)
- T-Mobile (cell phone service company)
- Tesla (auto company)
- Twitter (social media company)
- Uber (ridesharing company)
- Western Digital (hard drive company)
- Wikipedia (not-for-profit public wiki)
- Zoom (videoconference service)
Affecting many organizations at once:
- Cisco (networking hardware company)
- Kaseya (networking company)
- Let’s Encrypt (certificate authority)
- Microsoft (tech company)
- Tesla (auto company)
However, sometimes people simply fail at keeping everything safely compliant: