Q&A with a hacker

09 May 2013 - 11:58 By Bruce Gorton
Hacker. File photo
Image: Gallo Images/Thinkstock

As hackers turn to attacking mobile devices in order to steal data that can compromise your company or bank account we speak to Philip Pieterse, an ethical hacker and security consultant at SpiderLabs for Trustwave.

There are a lot of issues to cover when talking about computer security - and it is important to get a few terms out of the way first.

Any programme designed to make your computer do something you don't want it to is malware. This ranges from programmes that damage your computer to ones that steal your personal data, giving hackers the ability to do things like access your credit card and bank account details.

Adware is a form of malware that floods your computer with advertising.

A botnet is a network of infected computers ("bots") that a hacker controls remotely. The bots can be told to do things like repeatedly hit a website to shut it down (known as a DoS or denial of service attack, or a DDoS when many machines do it at once) or to send emails to your contact list in the hope that people who trust you will click on something less than trustworthy.

Trojans are programmes designed to look attractive on the surface, like a really nice-looking poker game, but which actually exist to load malware onto your computer.

Social engineering attacks are essentially where hackers turn con artist: instead of trying to crack your computer's security, they try to trick you into giving up information that they can then use to access your system.

Phishing is a form of social engineering attack that works by creating a website that looks like an online vendor or banking site, so that you end up handing over your details without the hacker having to break through any security measures you may have. This is why you get all those emails from banks you don't actually bank with, or claiming you have a refund from SARS.

Q: How did you get into hacking?
A: I was always interested in hacking and the concept of 'ethical hacking'. I actually began my career with the end goal of becoming an ethical hacker or a 'whitehat' hacker. I educated myself around different security and network technologies from various different vendors. I got certifications and achieved practical working experience in all the major security controls and also various operating systems, the likes of Windows, Linux, Unix and even some others.
I wanted to know exactly how these systems work and how administrators are defending these systems, thus giving me the 'background' knowledge of the best way to attack these systems. After 13 years in the IT Security industry, from working as a Linux/Windows support engineer, firewall administrator to a security architect, I finally became a security consultant doing penetration testing.

Q: What exactly is ethical hacking?
A: Ethical hacking, also known as penetration testing, is attacking a system on behalf of the company that owns that system, using the same methods, techniques and tools that are used by malicious hackers, also known as 'blackhat' hackers, but in a controlled manner with a professional services wrapper around it.

Q: Is there such a thing as perfect computer security?
A: No such thing exists, but we need to strive to be as close to perfect as possible, using various security controls and being as proactive as possible.

Q: How prevalent is hacking on mobile devices in South Africa?
A: Mobile devices are being targeted more and more by criminals. The reason, for example, is that credit cards are harder to clone since the implementation of 'chip and PIN' technology, so criminals are focusing on easier targets. According to Trustwave's Global Security Report, the most attacked targets are web and mobile applications. The report also stated that a 400% growth in mobile malware was seen in 2012.

Q: Is South African law and law enforcement taking hacking seriously enough?
A: Yes, I believe so. For example, more law enforcement personnel are being deployed to monitor social media. Also there are companies that are very serious about security that are working closely with law enforcement to combat cybercrime.

Q: Have any mutations of Stuxnet hit mobile devices?
A: Stuxnet was designed to target and damage a certain type of industrial equipment used by the Iranian nuclear programme. Many Stuxnet mutations and variants are seen across the web, so it's reasonable to say it is not a question of whether it will hit mobile devices, it's when.

Q: What are the warning signs for phishing attacks?
A: Phishing attacks can be emails, text messages or phone calls from unknown sources, claiming to be a legitimate source, for example a bank or well-known company. They usually ask you to provide or verify your password or account details. Warning signs to look out for:

  • Warning! Your account will be deleted if you don’t reply within 10 days
  • Dear Bank Account Holder – a general, rather than specific, greeting
  • A greeting packed full of errors is also a big warning sign – Accountt holder needing pdate of Pasword!
  • There is no contact information or a signature
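The warning signs listed above (and the lookalike-website trick described in the introduction) can be turned into a simple triage script. The following is an added example written for this page, not code from the article, from Philip Pieterse or from Trustwave. It parses two constructed messages with Python's standard `email` module and reports which signs it finds: a generic greeting, urgency language, a request for a password or account details, no signature or contact information, links to a bare IP address or to a host outside the sender's domain, and link text that shows one address while pointing at another. The keyword lists, the two sample emails and the "two or more signs is suspicious" threshold are assumptions chosen for illustration.

```python
"""Heuristic phishing triage over raw email text (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword patterns; a real deployment would tune these to local traffic.
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|client|member|(bank\s+)?account\s+holder)\b", re.I)
URGENCY = re.compile(r"\b(will be (deleted|suspended|closed)|within \d+ (hours|days)|immediately|urgent(ly)?)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(password|pin|account details|verify your account|confirm your details|card number)\b", re.I)
SIGNATURE = re.compile(r"\b(regards|sincerely|tel|phone|fax)\b|\+\d{2}\s?\d", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _body(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _same_org(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))


def phishing_indicators(raw):
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    html = _body(msg)
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for the wording checks
    reasons = []
    if GENERIC_GREETING.search(text):
        reasons.append("generic greeting instead of your name")
    if URGENCY.search(text):
        reasons.append("urgency or deadline language")
    if CREDENTIAL_ASK.search(text):
        reasons.append("asks you to provide or verify a password or account details")
    if not SIGNATURE.search(text):
        reasons.append("no signature or contact information")
    collector = _LinkCollector()
    collector.feed(html)
    for anchor_text, href in collector.links:
        host = _host(href)
        if not host:
            continue
        if BARE_IP.fullmatch(host):
            reasons.append("link points to a bare IP address (%s)" % host)
        elif not _same_org(host, sender_domain):
            reasons.append("link host %s is not under sender domain %s" % (host, sender_domain))
        if LOOKS_LIKE_URL.fullmatch(anchor_text):
            shown = _host(anchor_text)
            if shown and shown != host:
                reasons.append("link text shows %s but points to %s" % (shown, host))
    return reasons


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more independent signs is enough to warrant caution."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample messages; all hostnames use reserved example/documentation ranges.
PHISH = """From: "MyBank Security" <alerts@mybank-secure-login.example>
To: victim@example.org
Subject: Warning! Your account will be deleted
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Bank Account Holder,</p>
<p>Your account will be deleted if you don't reply within 10 days.
Please <a href="http://203.0.113.7/verify">verify your password and account details</a>
or visit <a href="http://mybank-secure-login.example/login">https://www.mybank.example/login</a>.</p>
</body></html>
"""

LEGIT = """From: "Acme Bank" <statements@acmebank.example>
To: alice@example.org
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Alice,</p>
<p>Your March statement is ready. Log in at
<a href="https://online.acmebank.example/statements">online.acmebank.example</a> to view it.</p>
<p>Kind regards,<br>Acme Bank Customer Care, tel 0800 000 000</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

The wording checks are deliberately simple substring rules, so they will miss a well-written phish and can false-positive on a sloppy legitimate mail; the link checks (bare IP, host outside the sender's domain, displayed address differing from the real target) are the more reliable signals and are the ones worth keeping even if the keyword lists are thrown away.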

Q: Recently the game Natural Selection 2 had to deactivate a lot of Steam keys, costing the developers about $30 000, due to unethical vendors. Is this something that is going to become more of a risk on mobile devices in future?
A: This is definitely possible, as not all mobile application stores are controlled and governed in the same manner or with the same attentiveness. It is a lot easier for unethical vendors to sell compromised or fraudulent applications on a mobile application store with lesser security controls.

Q: A lot of malware comes in the form of Trojans, what warning signs should consumers look out for to avoid them?
A: Treat all unsolicited emails, especially from unknown senders, with caution and never click any links in these emails. Be careful when downloading executable or zip files from the Internet or via email. Many browsers and anti-virus products will warn you when you attempt to visit a website that may be harmful; avoid visiting these websites.

Q: Does adware actually make the advertisers any money?
A: There are accusations that many advertisers work directly with adware companies, even if they claim to be unaware of this.

Q: A lot of hacking is done through social engineering, where hackers use publicly available information in order to get access to computers (such as using information available on Facebook in order to work out the answer to the user’s security question) – what would you suggest users do to reduce the risk?
A: Use a strong password; make sure your password is complicated. Choose a password you have not used before. Use 'a pass phrase' rather than just passwords, and make sure it contains a mixture of numbers, letters and special characters. Enable security notifications that will send you an email every time you login or when there are any changes to your account. As for security questions, make sure they can’t be easily guessed or researched.

Q: In the same vein, a lot of corporate hacking works through social engineering attacks where hackers get information through simply asking workers, how can companies train their workers better to avoid falling for this?
A: Security awareness training is essential for employees, as it is a fact that they are often seen as the company's weakest link. This security awareness training should cover things like, for example, not giving your corporate password out to anyone. Make sure your employees understand that their username and password are their own confidential information, and that no one at the company will ask for their password either via a phone call or an email.

Q: What tools would you suggest for users who have been infected with malware who want to get rid of it?
A: There are various tools that can be used to firstly detect, and then try to remove, malware from an infected PC. Particular tools are difficult to recommend, as they can differ depending on the operating system the PC is running and the type of malware the PC is infected with. What I can recommend is to make sure that all the infections have actually been removed, which is no easy task. This can be accomplished using your anti-virus software, or by getting support from your company's IT department or computer supplier.

Q: Botnets often turn computers into zombie slaves in order to launch DOS and spam attacks on third parties – at what point does one figure stuff it and use the universal zombie repellent (AKA a shotgun to the hard drive)?
A: LOL, I like your zombie analogy. If your defences are in place, and all your security controls are in effect, then you are on the right track. Your security posture can furthermore be tested and improved with proactive security tests, also known as penetration testing. Even though it almost seems like the age-old battle of good vs. evil, we have to keep fighting the good fight.
