BY PETER WANYONYI
Digital crime is on the increase, as the ubiquity of digital devices and the ease of connectivity dump ever more devices and gullible users on the internet. Everyone and everything is getting online – from fridges to cars to eyewear to wristwatches and heart monitors. The connection of all manner of devices to the internet and to each other creates new risks – from the risk of losing data to data pirates, to the risk of being shut down by malicious hackers.
To understand how to face these challenges and mitigate them, IT professionals have to think like the data thieves and hackers. However, this is rather geeky, and sometimes one needs to take a non-IT person, put them in the shoes of an IT professional and make them think like a hacker, so that from that perspective they can begin to appreciate the approaches a hacker uses to get at vulnerable systems.
To beat a hacker, you have to think like one. You should, indeed, become one, at least conceptually. In this case, we define a hacker as someone who gains unauthorised access to digital resources – whether for personal satisfaction or commercial gain.
First, a hacker needs motive. Motive requires attitude. Contrary to the many self-serving so-called hacking manifestos one finds online, there are hackers who are criminal and those that do it just for interest, or even to help protect digital resources. Matters not, they are all hackers.
A hacker must learn more than one programming language, and understand them thoroughly. However, not all languages are equal. C is the most powerful programming language out there, and you cannot become a hacker without a thorough grounding in the language.
Get hold of the many free online tutorials on C, and begin delving into them. C is not an easy language to learn, and there are slightly friendlier “improvements” on the language, such as C++. Eventually, a hacker will need to write C code.
C is not the only language one needs to understand to be a successful hacker. Other languages will also come in handy – Java, Python and C#, for example, are also important. With so many mobile apps available today, and many of them written using languages such as HTML5 and Flash, a would-be hacker will need to understand the structure, abilities and weaknesses of those languages.
C is incomplete without UNIX, the operating system that is the underlying platform of most of the internet. Indeed, UNIX also forms the core of the operating systems used to power most mobile devices: Android and Apple iOS. Understanding UNIX is, therefore, indispensable for a budding hacker. Almost all web servers are hosted on one or another version of UNIX, so breaking into them – or securing them, as the case may be – requires an in-depth understanding of the operating system itself.
UNIX aside, the most vulnerable operating systems today are the various Windows platforms. To be able to access Windows systems online, the hacker will need a good grounding in Windows operating system internals. This is not too difficult. Add to that a good understanding of how networks are strung together – TCP/IP and UDP are protocols commonly used to connect computers and other digital devices.
Vulnerabilities must be sniffed out before they can be exploited. The hacker, therefore, needs powerful sniffing tools. These are network scanning tools that help pinpoint the most vulnerable network access points and hosts – they can also be used to scan WiFi and Bluetooth networks. Finding a vulnerable network host is about 40% of the hacking job already done.
With the would-be hacker proficient in C, having an excellent understanding of UNIX and Windows, as well as networking concepts, the stage is then set to begin experimenting. Very soon, however, the hacker runs into a brick wall: cryptography. Encryption is used to secure communications transiting the internet, and it is pointless to sniff out a host, break into it, access data and then be unable to decipher that data.
The hacker must learn the secrets of decryption, the picking apart of powerful algorithms to get at the data hidden beneath the layers of encryption. There are thousands of free courses in cryptography online, and that is a good place to begin once the hacker has a good enough background.
Finally, you can begin hacking. It helps to begin small – find online hacking challenges, or set up your own experiments at home or at work. There are many companies that actually pay hackers to find vulnerabilities in software: these can be a handy way to begin the journey into hacking.
As with everything else, practice makes perfect. The budding hacker must practise, hone their skills on some real targets after leaving the comfort of the experimental lab, and then grow their knowledge by attempting bigger, tougher targets.
The IT security professional who wants to secure IT assets against intrusion must think like a hacker, indeed, be a hacker, to keep these dangers at bay.