Rarely a day goes by without news emerging about a giant company losing large amounts of sensitive data to a massive hacker attack. It might be Google one day, Sony the next, and a country's government agency the day after. Just replace the names, rinse, and repeat.
Reporters from across the country have approached me of late, asking for my views on the acceleration of hacker attacks and the current state of security. When I get through with my rant, they're pretty shaken. They didn't know things were as bad as they are, while I ask myself, "Where have these media types been hiding?"
The fact is, cyber crime isn't going away anytime soon for two key reasons: First, everything is hackable. Second and more significant: Cyber criminals rarely get caught or punished for their acts. As long as committing cyber crimes remains easy and lucrative, and there's no accountability, it's not going away.
Breaking into almost any company is nearly as simple as closing your eyes, pointing your finger, and saying, "Go!" In the nine years I was hired to break into organizations' IT systems (always with the permission of the owner), I gained entry to every company, every hospital, every bank, every financial website, and every three-letter government agency in an hour or less -- with one exception. One company, which I had previously compromised in an hour or less, had followed my previous report's guidance. The second time around, it took me three hours to break (via a blank SQL sa password, no less).
I'm not even that good a hacker. On a scale of one to ten, I'm maybe a five, yet I can break into every company I try. I can't imagine how easy it is for the good hackers.
Once you know what you're doing, hacking into company websites and computers is a cinch. Point your finger at a company. Find out which computers are under its control. Port-scan them to find listening services. Fingerprint the services to determine vendor products and versions. Find the relevant exploits. I love Secunia's Vulnerability Research Advisory database for this sort of thing. It tells me what's patched and unpatched, whether it requires local or remote access, and what type of control I can get after the exploit.
From there, search for an exploit program or exploit code (sometimes compiling is needed); alternatively, write your own based on the Secunia records. There are dozens of post-Milw0rm exploit sites that can easily be found, although one of my first stops is always Metasploit.org (why work hard if you can work easy?). Once you know the basics, it's like taking candy from a baby.
Suppose you find a company with no unpatched software or vulnerabilities. No problem: Send fake emails to the end users with exploit software attached. Socially engineered emails are easy to create and always work. My favorite is to send out messages under the guise of a company's CEO or CFO with "Pending 2011 Layoffs" in the subject line. Employees open those emails and run my exploits in under 10 seconds. Picking on workers is so simple that I refuse to use that tactic.