This story is part of a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center. (Read the rest of the series here.) Cyber security series editor Lauren Fay Carlson conversed with anonymous hacker "Will" to get some insight into what small businesses face when seeking protection against hackers.
Would you consider yourself a black or white-hat hacker?
I've been both. Actually, there's a third type of hacker, known as a "gray-hat hacker," which is really what I would categorize myself as now. A gray-hat hacker has black hat methods, with white hat intentions. Instead of asking for permission, a gray hat will typically check without permission, but will not use the results to blackmail, extort or sell.
Currently, most of my work is in white-hat hacking, as I work for a large cyber security firm as a security researcher and "ethical hacker."
Why would a hacker prefer a small business to a large one?
The big difference is that small businesses don't have the capabilities to detect when they've been compromised, and often don't know anything until their customers' information has been stolen, processed, sold and [is] being used against them.
In all honesty, I think small businesses are the biggest targets. Not only that, but most don't even know what to do once this information is stolen. Do they keep silent, call the police? In my experience, even if they do call the police, the hackers used enough offensive countermeasures to leave no trail behind.
What areas of vulnerability are you usually looking for when deciding on a potential target?
Generally speaking, I think the most common thing any hacker looks for is unsecured wireless connections and open ports on the network. For me, I used NMAP, or Network Map, to build a sophisticated model of a network. Nowadays, online tools make it easier than ever, primarily www.Shodan.io, which contains a huge database of a bunch of network scans that you can quickly index and sort through for just about anything on the open internet.
What types of information are you looking to acquire during a hack?
Typically, any information can be of use to me, or any hacker really. Eventually, the goal is to get some sort of root--or administrative--rights. Once you have this, you have full access to everything on the system. This can include database files, where credit cards, social security numbers, email addresses and personal addresses are stored, or can even include the ability to launch a new program to exploit the next system on the local network.
To answer the question more directly, there are really two things any hacker would be looking for: information, such as credit cards and social security numbers; and more and more often, root access, which is usually used to gain more and more exploited computers and servers.
What do you do with the information? Sell it? Trade it? Who buys it?
Any kind of sensitive data holds its value on the darknet. The darknet is an elaborate place online, which operates through randomly connected computers and lets anyone who wants to access or host a service anonymously do it for free. There are notorious sites out there for buying and selling anything and everything.
Of course, most people on the darknet aren't exactly criminals, and information about credit cards and social security numbers is probably one of the most common types of exchanges.
Is there a community of shared information among hackers?
Yes, there are several. However, most of them are exclusive, and can only be accessed by invite only. I can tell you that they will sell all sorts of data, collected from small businesses and large businesses alike.
In your experience, at what level (employee, owner, etc.) are small businesses usually leaving themselves vulnerable?
Everyone is vulnerable. No one is really safe. Even if you have the world's best antivirus software, you're still likely vulnerable to an inside attack. While larger businesses can afford IDS and IPS (intrusion detection services and intrusion prevention systems), small businesses are left in the dark. What makes it worse is that employees aren't using strong passwords, encrypting their personal devices, or are even doing things as stupid as leaving their passwords on sticker notes on their laptop computers. Furthermore, businesses are using the same network for guest wi-fi as they are conducting business on--which is a very unsafe practice.
Any advice to small business owners who want to protect themselves from hackers?
1. Always have someone with a strong understanding in network security set up your network. While it may seem costly right now, in the long run it could save your company completely.
2. Always operate on a separate network from your guests. Some higher-end wireless routers actually offer "isolation" mode, which definitely stops hackers from accessing information from a company.
3. Have password policies for your devices. A 4-digit passcode may stop some hackers, but for the most part it's pretty weak. When connecting to a network such as that provided by an airport, a user should definitely be cautious and use a VPN server. My favorite is probably Avast! SecureLine, or its more cost-effective equivalent, called BetterNet, which has been sweeping up users right and left.
4. Small businesses should also make sure to never store credit card information, either on paper or especially in the computer. If you must, make sure you are encrypting all of that data in a way that meets PCI compliance, which is essentially a set of standards set up to protect consumer information.
5. My last bit of advice is probably the most important. The truth is, everyone is susceptible to being hacked. While software companies try and develop software to better and better combat it, it's always going to be a key issue. If a small business is hacked, the most important thing is to identify what customer data has been stolen, and report it to them immediately. Prevention and honesty are always the best policies.
Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.