Anyone who uses the Internet is
vulnerable to hacking through infiltration by malware such as Trojan
horses or viruses and worms generated by hackers.
A Trojan horse is software disguised as something else (a useful link,
shareware or freeware), which installs software that creates a “back
door” into the company’s network. This allows the hacker to control
everything going on in your computer when you use the software.
Surprisingly, the hacking techniques used against corporates, governments and
individuals are very simple – tricking people into opening email
attachments or clicking on innocent-looking website links.
At the click of a mouse, an employee can unwittingly give away their systems’
passwords or, worse still, access to their systems and networks through a
technique called spear-phishing, which tricks users into infecting
their own computers.
This is done through “social engineering”.
But hacking is not just about accessing a computer
network. A world renowned hacker, Kevin Mitnick, once said, “Any
organisation is as strong as the human firewall.”
Hackers first need to understand the target organisation, its structures,
employees, work ethic, culture and machines they use. Most people think
the first thing to attack is a website, but that is not the case.
For instance, an attacker can create a fake email account under the name of
a senior staff member and dupe staff into opening an attachment marked
very important.
Employees are conditioned to respond
to the boss’ email quickly, so this automatically exposes the company’s
network. Getting responses from employees enables the hacker to get more
information, such as the host name or IP address of their computers.
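A mail filter can flag the fake senior-staff account described above before an employee reacts to it. The following is an added example, not part of the original article: the staff directory, the name Jane Mwangi, the addresses and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TITLES = {"mr", "mrs", "ms", "dr", "ceo", "cfo"}

def name_key(name):
    """Normalise a display name: lower-case, drop titles, ignore word order."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(t for t in tokens if t not in TITLES))

# Assumed staff directory (constructed): senior staff name -> real address.
SENIOR_STAFF = {name_key("Jane Mwangi"): "jane.mwangi@example.com"}

def check_message(raw):
    """Return a list of impersonation findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # A boss's name on an address that is not the boss's known address.
    legit = SENIOR_STAFF.get(name_key(display))
    if legit and addr != legit:
        findings.append("senior staff display name on unknown address")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages.
SPOOFED = ('From: "Mwangi, Jane (CEO)" <jane.mwangi@freemail.example>\n'
           'Subject: VERY IMPORTANT: review attached\n\nSee attachment.\n')
REPLY_TRICK = ('From: Jane Mwangi <jane.mwangi@example.com>\n'
               'Reply-To: jane.mwangi@freemail.example\n'
               'Subject: Quick question\n\nWhich machine are you on?\n')
LEGIT = ('From: Jane Mwangi <jane.mwangi@example.com>\n'
         'Subject: Board minutes\n\nMinutes attached.\n')

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply", REPLY_TRICK), ("legit", LEGIT)):
        print(label, check_message(raw) or "ok")
```

A check like this complements sender authentication such as SPF, DKIM and DMARC, which do not look at the display name at all.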
This information helps them determine the type of malware or virus to use
and how to send it without detection. An email with malware attached
is then sent to the user so that, upon opening, it automatically
self-executes and installs itself on the operating system, ultimately
opening an encrypted channel towards the network.
From that point, the hacker has access to the target’s network and can take over.
Hackers have been known to call employees from their office phones and
manipulate them into giving information on the target computer system
and the commands they use to obtain protected information.
Once you are familiar with the organisation’s lingo, you can successfully
social engineer employees into issuing the commands required to obtain
information.
With good access, you can shut down an entire network.
That said, there is a need to be proactive when it comes to protecting your system from such attacks.
While companies spend millions of dollars on firewalls, encryption, and
secure access devices, this money is all wasted because none of these
measures address the weakest link in the security chain – the user.