See the step-by-step ways the average hacker looks for valuable data.  By: David EllisBusiness owners who have suffered a data breach at the hands of some hacker often say, “Why me? Why did the hacker choose our business?” Many people think hackers selectively pick each business they hack. However, I suspect that in 90% or more of the businesses that are hacked, it all began based with the random discovery of a hackable vulnerability. Hackers typically begin a data breach scenario by conducting port scans across large ranges of IP addresses, specifically looking for certain open ports that may provide them a place to start digging. Let me take you through a typical hacking scenario.1) Scan for open portsThe hacker starts by running a port scan to probe a large range of IP addresses, and then he heads off to bed and lets the scan run all night. The goal is to find particular open ports to exploit a known or potential vulnerability. In the morning the hacker peruses the results of last night’s port scan, looking for certain ports that are actively “listening” (meaning they’re open). He likely has some automation at work that gives him a list of IP addresses with port numbers, 20, 21, 23, 513, 3389, 5631, 5632, and so on. He’s interested in these exact ports (and a handful of others) because they all relate to some form of remote access into their networks. For example, if a hacker sees ports 5631 and 5632 are open, he knows the remote access application pcAnywhere is installed and active. Or if he sees port 3389 is open, he knows Windows Remote Desktop is likely configured. If he can hack the remote access credentials, he doesn’t have to worry at all about complex firewall configurations or other perimeter protections.If the remote access application was not configured to require two-factor authentication, he can probably guess the username and crack the password, and once he’s done that, he’s in. Everything on your system that you can see, he can see as well.SEE ALSO: Infographic: Cybercriminals Love When You Use Remote Access2) Try out default passwordsMany users fail to change or delete the default username or password that was configured with their remote access product when it was first installed. So, the hacker merely begins by trying the known pcAnywhere (or Windows Remote Desktop, or VNC, or FTP or whatever other remote tool) default username and password. At this point, does the hacker know that he’s attacking Acme Hardware? No. And he doesn’t care. He’s simply attacking a potential vulnerability via port 5631. The IP address might be for a business or it could be my grandmother’s ten-year-old PC. If the default password was left on the system, the attacker has now successfully gained access to the system. If the default password tactic doesn’t work, it’s just a minor inconvenience. Password cracking tools are plentiful and are getting more powerful all the time. At this point, the hacker runs his password-cracking tool and takes off for lunch while the tool does the heavy lifting. When he returns in an hour, or a couple of days, his tools have often detected the needed password, and he’s in.SEE ALSO: Two Factor Authentication – Security Beyond PasswordsThere are other, even less technical ways to breach perimeter security like imbedding malware in online games or other legitimate website activities and waiting for users to inadvertently download a RAT to their system. (RATS are remote access trojans, and can be purchased online for just $40. They give the hacker covert remote access and establish persistent backdoor access to your system.) These types of malware can also be accidentally installed by the user through an email phishing scam.Follow for more data security articles like this3) Once he has controlWhether the hacker cracked your remote access credentials or you opened a malicious email link, you’re now in the hacker’s clutches and he begins prospecting. Up to this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now, he looks for evidence that the system holds information of value, such as credit card account numbers, banking, real estate, or healthcare records (since these often contain social security numbers or other data that he can turn into a payday). To discover the nature of the environment where he has landed, the hacker will often run keyword searches. For example, if his keyword searches discover the system he’s hacked is a Micros system, he knows he’s in a business that accepts credit cards. (Micros is a provider of POS hardware and software used by many hotels, restaurants and other small businesses.) He will probably try Micros default passwords to try to get into their server. 4) Install malwareIf the hacker is successful in breaching a commerce environment, he will attempt to install data-capturing malware on the POS system. His malware will seek to detect credit card data, capture it, and export it out of the system. He then either reproduces the stolen credit cards or sells the stolen account data on the black market. Depending on the malware installed, from the point of malware installation through the moment that the breach is detected and eradicated, every single customer credit card transaction made on that computer (and perhaps on the entire network) would be at risk.5) Search for affiliated IP addressesBy now, the hacker has probably sifted through enough company data to realize he’s hacked Acme Hardware. The hacker realizes he’s hit a potential jackpot, because Acme Hardware is a national chain (in this scenario). Since the hacker doesn’t know the IP addresses of the other chain locations, hacking them could be difficult. However, if he finds remnant data on the system that includes the other IP addresses, or connections to the corporate servers, Acme Hardware could be in some serious trouble (we’ve seen many cases where the breach of a single locale lead the hacker to the corporate environment and all of the stores in the chain). Remnant data left on systems does occur. In a forensic investigation we conducted, a POS installer inadvertently left a partial client list on a POS system that contained the names and IP addresses of 28 other clients. All 28 were also hacked because of a careless installer. 6) Leave no traceAt this point, the hacker has a couple of choices: he can leave the malware in place and harvest customer credit card data until the breach is discovered and/or the vulnerability is closed (the most common alternative in commerce breaches), or he can choose to clean up his tracks and get out of the hacked system (seen in cases of corporate espionage or theft of corporate secrets). Most attackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, run malware from RAM instead of the hard drive, which often goes undetected by most antivirus software, and employ many other “anti-forensic” tactics in order to escape unseen. SEE ALSO: How do Hackers Hack?Hackers don’t care who you are. They just care how rich you can make them.Now that you understand hackers don’t pick and choose their hacking victims out of the phone book, you should also understand the flaw in the common belief held by small businesses, “I’m too small for a hacker to care about me!”A hacker doesn’t care if you’re small. He just cares if you have data from which he can profit.TweetSo it’s more crucial than ever to implement data security! Need help securing your data? Talk to one of our consultants! David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

Crimes of opportunity lead the average hacker to valuable data. By: Steve SnelgroveYou might think hackers selectively pick each business they hack. While this may be true in high profile or hacktivism cases, I estimate 90% of hacking is done based on a system’s general lack of security. Hackers don’t think, “Today I’m going to hack Acme Hardware across the street.” They scan for the most vulnerable system and start digging.To defend against attacks, it is important to understand that hackers have different motivations and capabilities.The Opportunist HackerA crime of opportunityThese hackers stay up-to-date on security news. Once a vulnerability is made public, it’s fairly easy to conduct a large-scale network scan for systems which exhibit symptoms of the vulnerability. After the hacker gets the list of vulnerable machines, he will do additional research on the vulnerability and attempt to enter the system. Once inside, it is often easy to pivot and reach other, less hardened machines.A great example of opportunist hackers in action arose when news of the Heartbleed vulnerability was released in April 2014. The vulnerability was publically exposed on many news publications. Very shortly thereafter, hackers scanned the Internet for looking machines using OpenSSL, and then attempted to exploit that vulnerability and enter the system. Piece of cake.SEE ALSO: PCI 3.1, Stop Using SSL and Early TLS ImmediatelyBut hackers don’t necessarily require huge newsworthy vulnerabilities in order to hack. There are thousands of other publically-known vulnerabilities they could take advantage of. For example, website forms often have validation flaws. An attacker may submit potentially malicious data on a form, which then might be echoed back to the user’s browser and rendered to the screen. The screen displays a mix of server content and the attacker’s malicious data. This could result in unsuspecting users being redirected to another site where credentials or session information might be captured.Does the hacker know which business or person he’s hacking? No. And he doesn’t care. He’s attacking a system because it’s vulnerable. Once the vulnerability is identified, the hacker will then attempt to profit from the exposure.How do I defend against this attack?The obvious defense against the public vulnerability attack is to scan your systems in an attempt to discover vulnerabilities beforehand. Keep up-to-date on security news. Partner with a company that keeps abreast of publicly disclosed vulnerabilities. Regularly maintain and update your systems.If a vulnerability similar to Heartbleed is released, do everything in your power to close the vulnerability ASAP. Do your best to maintain updates on all other operating systems, browsers, and servers to avoid the possibility of being a victim of a zero-day attack. The Layabout HackerBrute forcingSomewhat less effective, but still pervasive, are brute force attacks. In these attacks, attackers control an army of computers infected with malware (known as botnets or zombie computers). The attacker is able to control this network of computers, and these do the attacker’s dirty work for them.The attacker uses botnets to access systems by guessing usernames and passwords in millions of combinations until the right combination is guessed. It’s not very effective. But, as my dad always said, “even a blind squirrel will find a nut every once and a while.”Hackers use botnets so each hack attempt is nearly impossible to trace back to the actual hacker.How do I defend against this attack?The two best ways to avoid this attack is by monitoring your logs and regularly creating new passwords.If a botnet tries to access your system through a brute force attack, your logs should record these actions. If your logs record 1,000’s of failed login attempts on your system, you’re probably being attacked.The reason brute force attacks work so well is because millions of user credentials (usernames and passwords) have been dumped online in publicly available lists. Password lists are effective because the majority of people do not change their passwords, and use the same passwords on multiple sites/systems. To avoid this attack, change your personal and business passwords every 90 days, and never reuse passwords.SEE ALSO: Vendor-Supplied Defaults Are A Serious ThreatHackers have different motivations and capabilities. But these are their main methods.TweetWhat do hackers do after they get into a system?Now the hacker starts prospecting. Remember, before this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now, he looks for evidence that the system is doing commerce, which means credit cards, healthcare information, or other valuable data might be present. To find this data, he starts running keyword searches on the file systems and memory of the system.For example, if his keyword searches discover that the system he’s hacked is a Micros system, he knows he has gained access to a business that accepts credit cards. (Micros is a point of sale software used by many restaurants and hotels.) He will probably try Micros default passwords to try to get into their server and thus expand the range of the attack.Install malwareIf the hacker is successful in breaching the point of sale system, he can possibly install malware. The whole point of malware is to gain access to valuable and sensitive information, such as credit card numbers, early on in the data processing stream, and attempt to divert this sensitive information so cybercriminals can reproduce cards or sell the stolen data on the black market.Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.PivotBy now, the hacker in this scenario has probably filtered through enough company data to realize who he’s hacked.Perhaps the hacker has managed to attack and gain access to a national business with a chain of stores. If he finds remnant data on the system that includes the IP addresses of other chain locations, that chain will be in some serious trouble as these chain locations may have less security measures in place, and access to these associated networks could provide valuable information to the attacker.Remnant data left on systems does occur in real world examples. In a forensic investigation my colleague David Ellis conducted, a point-of-sale equipment installer left a partial client list on each and every point-of-sale system he had installed during that year. Some 28 businesses were hacked because of the poor security awareness of that careless installer.Leave no traceAt this point, it’s time for the hacker to get out of the hacked system. Most hackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and run malware from RAM instead of the hard drive, which often goes undetected by most anti-virus software.SEE ALSO: Hacking Trends of 2014Hackers don’t care who you are. They just care how rich you can make them.Read about 5 commonly overlooked security errors for tips to avoid being attacked.Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.