It is easy to plant infected flash drives as a way for hackers to compromise computer networks. (Duncan Alfreds, Fin24)
Cape Town - While cyber security breaches continue to make tech news headlines, experts have revealed that it is surprisingly easy to compromise individuals and companies.
This year, large corporations such as Target, Home Depot and eBay have experienced cyber security lapses as hackers appear to run riot through security protocols.
But while the breaches themselves appear spectacular, a cyber security expert revealed that simple social engineering tools are easily employed to gain unauthorised access.
"We would actually go and visit the client and we distribute USB sticks: Leave it in the bathrooms, leave it in the meeting rooms; put it on the desks," Trustwave cyber security expert Leon Van Aswegen told Fin24.
Trustwave is often tasked with investigating whether a company's security is up to scratch, and through its SpiderLabs division, employs ethical hackers who test all aspects of cyber security.
"On the USB is a piece of code, if you open it up... people want to do the right thing. You make it look legitimate - put your pictures on there, make it look like it's personal images and the person wants to return it to you because you're going to lose your data," said Van Aswegen of how the social engineering trick works.
"As soon as a click on a folder or anything, the script runs and you know that data is lost."
But it's not only one person that can be easily compromised with a planted flash drive. People in an office keen to track the owner of a lost stick will often share the device with colleagues.
"The funny thing is that if you start to number your devices, and this is where awareness comes in: It's not just one individual - they even share that disk, they plug into various machines and in that way you compromise not just one individual, but potentially six or seven," Van Aswegen said.
This way, even if the first individual doesn't have administrator rights to the company's server infrastructure, the shared stick could potentially reach somebody who does have privileges.
But there are far simpler methods to compromise a company.
Many firms recycle paper and don't think twice about the information printed on the paper. This information can include financial statements, business proposals and even strategy.
"If I'm a syndicate stealing information in the business of fraud, I'm going to target that driver. I'm going to offer him R10 000 a month to provide me with that information - it's as simple as that," said David Taylor of how easy it would be to target the person who collects recycled paper from corporations.
Taylor is a former associate professor of ICT law and founder of CyCaD - a cyber war NGO.
And few companies consider the integrity of third-party service providers who conduct maintenance tasks in the office.
"If you have a technician who comes to service the photocopy machine, are you aware that there are still images stored on the hard drive?" Taylor added.
Ultimately, weak implementation of security protocols plays an important role in making companies vulnerable to cyber security intrusion.
The 2014 Trustwave Global Security Report found that weak passwords contributed to 31% of intrusions the company investigated in 2013.
The most commonly used password was "123456", followed by "123456789", "1234" and "password".
"It is a very big problem, and I'll tell you why: People are lazy. So if your company policy says to you that you've got to use a minimum of eight characters… users themselves, because they work for the company, they don't really care," said Andrew Kirkland, Trustwave regional director for Africa.