There are few jobs in which you can get away with copying techniques and tricks used by criminals, but being a professional "penetration tester" is one such trade. Penetration testers are ethical hackers who by both reasonable and unreasonable methods try to defeat the digital defences set up by companies to keep out spammers, scammers and other cyber-villains. The BBC was given a demonstration of some of the tricks and techniques used by the so-called "pen testers" by professionals from security firm Sentor and Trustwave's SpiderLabs. Kalle Zetterlund from Sentor said pen testers were generally trying to persuade someone inside a company to make a mistake that, inadvertently, would let them in. Sometimes, he said, this mistake could be as simple as choosing a weak password, such as password01, which is easily found by a computer that can make thousands of guesses every second. However, he said, there was a whole host of other errors people made that, at first glance, looked innocuous but could prove dangerous.
Scattering booby-trapped USB drives in a company car park can help testers gain access
Drink deep
One technique developed by the Sentor researchers exploits "water-holing" ie targeting the places where employees gather outside work. Ideas for targets can be gleaned from social media where people regularly betray details about what they do in their spare time and where online they talk about it. The websites and discussion forums they mention in connection with a sport or hobby rarely have decent digital defences, said Mr Zetterlund. Some of those sites permit what is known as cross-site scripting which, in effect, lets an attacker run their own code on that web location.
That can make it easy to booby-trap messages on a forum and trap the real target. Others did a poor job of protecting the code behind a site or forum and inspecting that often yielded clues about vulnerabilities to which it might be susceptible.
Another route can be the weak algorithms used to generate random numbers as a "seed" for a password. "It's a fairly common mistake," said Mr Zetterlund. "And even those that use proper random number generators get so little input that you can use that to guess them." A site could be taken over using these weaknesses allowing an attacker, or ethical hacker, to start seeding chat forums with malicious messages or simply booby-trapping the site itself. These traps work best when people do not keep Java and Adobe programs up to date.
Hackers can make use of logins typed into a spoof webpage
One attack developed by Sentor's Bjorn Johansson strikes when an innocuous message is simply viewed on a compromised forum. If a machine running an old version of Java visits, it risks falling victim to the instructions contained in computer code added after the words in the subject line. Mr Johansson's code snippet opens up a connection directly to a target machine. "I can do anything you can do sitting in front of your computer," said Mr Johansson who then turned on the webcam on the compromised machine to spy on its owner. Given such access, scooping up login details for a corporate network or stealing documents would be trivial, he said.
Bugged browser
