This is an event & online exclusive video for you to meet our very own hacker here at Pentest People. In this video, we showcase our very own hacker, exclusively shown at one of our Concorde partner events this year.
Our “meet our hacker” video was made especially for our Concorde Partner event, to give our clients an insight into the modern world of hacking and how hackers operate, to protect businesses from these attacks by giving them key threats to look for, in case they are under attack.
Liam, Our ex hacker, answers your questions about the world of hacking and how skilled hackers operate on a day to day basis. This video provides you with everything you need to know about hackers and how to protect your business from threats & vulnerabilities.
When did you start hacking?
I guess it started when I was about 15. I found programming in school and quickly figured out that I could put my mischievous ways to better use. And that developed into hacking as well as playing around with websites, and things like that over the next couple of years.
Have you always had a passion for technology?
No, I wanted to be wanting to be a baker as a kid, if you can believe that.
What do you like about hacking?
Websites, I love websites, and they're their gold mines for attack vectors, you can do so much with so little and never leave the comfort of your own home, which you know, who wants to get off their sofa when they don't have to?
Tell us about a story related to hacking?
One story springs to mind here of course, attacking sorry, assessing a website. And there was a number of very basic misconfigurations. And one very interesting one, where you could get past the login portal just by browsing to a specific link, I won't bore you with the technicalities. And once we got in there pletely on authenticate, we managed to get ourselves found ourselves as an admin rewrote the contact details for everyone on the app. After we did that, well, we could intercept everyone's communication from the app. So that was a pretty awkward phone call afterwards.
What has hacking enabled you to do?
Well, allowed me to move out before most of them mates. You know, it's given me ability to travel the world and to Helsinki and talk to universities, it's been a bit of a wild ride for the past three or four years. Before I was a professional, there were some other things that allowed me to do to meet some very interesting people have some fascinating conversations with those people, but the less we say about that, the better.
What are a hackers motives?
Money piles and piles and piles of money, the amount that you can make from this crazy industry, when you put on that Blackhat put the hood up whatever you want to call it. You can just you know unfathomable wealth in the you know, it doesn't matter where you're operating from big gangs con to whoever they'll pay you out Donzi before they went exploded would pay you a wage that is so unbelievably larger than any sum of money that you might make in doing it legally. But we can't be doing these things illegally now.
What type of businesses do you target?
Whichever ones open their wallet fastest. Any any and or we use all sorts of techniques very much depends on what you're targeting. See applications normally where I'm going after. So and we use upstream proxies and tend to malformed requests, so the whole load of technical garbage that we would throw, throw at an application, we'd also try and target the people. The chain is only as strong as its weakest link. And invariably, the weakest link will be will be a person or a strong social engineer those just a fancy word trick is fancy way of saying tricking. And once we've tricked them again, access to sensitive information, pulling, pulling data out. And even sensitive services, we report we breach restart looking at infrastructure or cloud and there's a whole range of attacks that present themselves and ways and techniques that we'll we'll we'll try and pursue against them. But ultimately, generally it comes down to the people. What mistakes or mistakes that people made or mistakes can we make people make, to, to let us in to guess access to things and ultimately, reach reach full of compromise.
Hacking has been portrayed in a lot of movies, how much of it is fiction?
Well, quite quite a lot of it. Quite a lot of it's fiction. Hacking is not it doesn't fit very well on the computers on a TV screen and cinema screen when you're doing it properly, it's a lot of time and lots of very weird looking symbols written by people who kind of really know what they're doing. But doesn't make a lot of sense to people that don't. It's not just three clicks on a keyboard and you're in, or you're very happy when it is, but very, very rarely is normally two hours poring over things poking and prodding and testing until you finally get some kind of magic spark.
What would you say is the most common type of hacking & why?
People, hacking OSINT, fishing, phishing, vishing, smishing, things like that. There have always been the most common type of hacking, abusing the people and wetware updates, as they're called, you can't update people that you can update your software. And hackers know this. And so they use fear and mistrust or greed to to try and elicit information out of people. So the same holds true 50 years ago, we didn't call it people hacking, I was just scamming 200 years ago, people running scams and in 200 years time, people are gonna be running scams and technology has just been scamming people easier. Barring that, applications are even more commonly than that just misconfigured web servers here and some of these sticks on web server makes it Internet facing or even a web server just any kind of server on your your peripheral peripheral infrastructure. You don't patch it directly configure it correctly.
What is the biggest misconception about hackers?
Suddenly, somebody said the rural horrific, antisocial potatoes who sit in there, never see the light of day. And that's probably the biggest misconception. And it's what leads to so many of these scams that I was talking about. You're expecting some scrawny, nerdy, mainly a guy to, you know, with glasses on to come and try and break into your computer and say I'm in reality, and you're in all different shapes and sizes. And people use that to your advantage, I'll be challenging, you kind want to be friend, use that against you.
What advice do you have for businesses to keep safe?
A couple of pieces first of all, and test everything, make sure you security testing is happening quite regularly. The other is make sure your continuity plans are all in place, you know, disasters do happen, we've noticed that even if you're testing all the time, occasionally something, something will go wrong, somebody will click on a link, you know, something won't quite be flanked by one of the security controls on the technical controls, or even one of the human controls you've got in place. And at that point, having really, really solid table tops, tested, secure business continuity plans, incident response plans is so important. You need to be able to get back to business as usual as fast as you can to start minimising all the damage that could potentially be done. And all the lost revenue. Of course, you know, you've got to make sure that if you do come back for somebody to come back to that, you know, you haven't lost massive hearts, your client base because you've been down for four months, and they really needed you during that time. And then also ensure you're training people. You know, there's a too much of an us versus them in IT security. Remember, we're working on the same side, work with your employees, don't blame them. Don't do these really punitive kind of social engineering tests, where you're trying to trick people and make them feel small, work with them and train them and talk to them. Make sure your IT departments talking to the rest of your business, make sure they're invested in all the different areas that people can trust them, that they're not seen as this kind of people in the basement, we have to move beyond that. There's a lot of culture that needs to be brought up through the ranks of information security, without having that culture without having those the ability to have those conversations without having that trust, that intrinsic trust between a business and their IT department. There's no way you're going to be able to catch everything. There's no way these policies are going to work. And ultimately, there's not going to be no way to protect or properly respond to these incidents when they happen. Well, you've you've now met the hacker, hopefully not quite as scary as you might seem. Remember, we are working for you now.