What things does a hacker need to know

Security

Anything that has a chip can be hacked - but not all hacks look the same, even if the basic patterns are mostly identical. Because with millions of infected computers and company networks every day, innovative attacks remain in short supply. Therefore, it is not difficult to discover the really new types of attacks. The extreme hacks of recent years presented here stand out from the crowd because of their targets or because of completely new methods. They push the limits of what security professionals previously considered possible and open our eyes to new weak points and risks.

ATMs

Most ATMs are equipped with an embedded OS and are accordingly vulnerable. Mostly they are Windows versions, rarely Linux. In addition, these embedded operating systems often have Java implemented and are hardly ever patched. And if there are updates, then guaranteed not every month, but rather sporadically. The ATM software that is still installed on the OS contains additional security holes that are very easy to exploit. The machine manufacturers set simple default passwords before they send the machines so that the banks can set them up more quickly - even remotely. Very few of them change the default settings later. The consequences of this chain of errors: ATMs are often hacked, especially when they have been refilled.

The most notorious ATM hacker was "Barnaby Jack", who died in 2013. He excited his audience at security conferences by setting up one or two standard ATMs on stage and having them pay out counterfeit money a few minutes later. To do this, he used a variety of tricks - his most tried and tested method was to insert a malware-infected USB stick into the ATM's USB port, which is almost always present - this is often not well enough hidden, let alone secured. The malware then connected to the remote access console via a known network port and exploited a publicly known vulnerability, which completely compromised the machine. Now Jack could execute administration commands and withdraw the money. This attack became known as "jackpotting" and its demonstration at events caused quite a few cheers among the spectators, as the following video shows:

Pacemakers and insulin syringes

After all, Barnaby Jack's ATM attack led the manufacturers to think about it and later know how to ward off the simplest attack vectors. Jack therefore turned to another industry in order to delight it with his hacking knowledge - the health industry. Among other things, he learned very quickly to remotely attack cardiac pacemakers and insulin injections. Most medical devices require five to ten years of development, testing, and certification time before they can be used on a living object. What sounds good at first has a downside: At the time of its practical use, all software has already been at least five years old and is accordingly unsafe. Another bad thing is that developers often rely on the lack of transparency in their hardware and software when it comes to device security. True to the motto "Security by Obscurity": Because nobody except the manufacturer receives the source code and blueprint, the whole thing will be safe.

It will not get better. In April 2014 "Wired" published an article about how easy it is to hack hospital equipment - mostly because standard passwords are built in and cannot be changed later. Of course, medical devices have to be easy to use and still work even if existing safety measures have been undermined. This is what makes protecting them so challenging. Long, complex and constantly changing passwords stand in the way of easy operation, which is why they are rarely used. In addition, almost all communication between these devices is unauthorized and unencrypted.

  1. Tip 1: variance is important
    In the meantime, the question is actually more when, and not whether the password leak will occur. You can minimize the damage if you use a separate password for EVERY online account. Of course, it's hard to remember all of these passwords - especially if you don't want them to be predictable. This is where password managers come in. If you know the problem with a lot of passwords, you should get one. The software is now available for most browsers and operating systems - including mobile devices.
  2. Tip 2: maintain complexity
    Most password managers can generate complex passwords. This feature is important because most websites store passwords in the form of so-called 'hashes'. Depending on the algorithm, these hashes can be cracked. In this case, a very complex password makes it difficult for an attacker to read it. We therefore recommend passwords with at least twelve characters - using upper and lower case, numbers and special characters.
    Normally you only have to remember one master password with a password manager. In addition, to be on the safe side, you should have the IDs for important accounts (e.g. e-mail) ready in case the password manager is not available for any reason. Little trick: word sequences with numbers and capital letters are just as difficult to crack as generic ones. For example: "Cats, dogs, rabbits, my3 favorite animals".
  3. Tip 3: online or offline?
    Password managers are based on various security concepts. An offline manager does not synchronize the data across different devices. So you have to touch the encrypted database after every password change. Or you can use a cloud service like Dropbox to synchronize. Online password managers synchronize your passwords across all of your devices - some even offer web-based access to the database.
    If you choose one of the service-based implementations, pay attention to the architecture and ensure that the database is decrypted locally within the application or the browser - so that the master password is never in the access area of ​​the service provider got.
  4. Tip 4: not just a master
    Strictly speaking, it shouldn't be a good idea to protect all your IDs with just one master password - after all, this creates a large attack surface. For this reason, some password managers offer two-factor authentication. In this case, an additional input code can be set up for access to the database. You should pay attention to this feature and activate it when available.
  5. <\ br> Even if you use a password manager: If one of your online accounts also offers two-factor authentication, use this. An additional protective layer can't hurt.
    Tip 5: take advantage of opportunities

Use further security options offered by your password manager. For example, some offer the option of an automatic log-off - which is particularly important when using public computers. Such features can also help prevent malware or viruses from infecting your computer.

Attackers who find the right ports can read out and change the data on the devices without causing the slightest disturbance in the operational process - neither the device itself, nor the control software or other systems involved, such as linked patient databases, notice anything. Most medical devices forego a basic integrity check, which would reveal most such defective changes immediately.

Medical devices have been attacked by hackers for almost ten years. White hats often target medical devices at popular hacker conferences, so their vulnerabilities are well known. The developers of these devices are working to close the largest security gaps, but the long development cycles make a timely solution difficult. But the mere fact that it would not cost criminals a lot of effort to kill people via Medical IT shows that it is high time to take care of protecting against pacemakers and insulin injections, but also other medical equipment.

Card skimming

Card skimmers are a little less life-threatening, but at least they can shake up your finances tremendously. The underlying hack is relatively simple: the attacker places a so-called skimmer on a device with an input keyboard - such as ATMs, gas pumps or payment terminals - in order to access debit and credit card data including PIN as soon as they are typed in.

Skimmers have to a large extent professionalized their methods - if they initially still worked with skimmers that were quickly recognizable as such, at least for experts, their current devices are so hidden and more and more often built into the inside of the machine that they cannot be discovered. Some already work with Bluetooth, so that the skimmers are a few meters away and can access the stolen data right away - in the past, they always had to dismantle the skimmer in order to be able to read the information.

Skimmers often deploy their instruments by the dozen in a geographically limited area - often near highways to be able to disappear quickly - and use the stolen data to produce new, forged cards. In the next step, they hire a whole crowd of accomplices who withdraw money with the forged cards or use the cards in some other way - for example, by selling expensive goods under someone else's name that they do not even own. It all happens very quickly, usually within a few hours - if the fraud is discovered, the skimmers and their prey are already over the mountains.

Technology journalist Brian Krebs, who has dealt extensively with the subject of skimming, recently reported on a success against card skimming - for example, the police installed GPS trackers in detected skimmers that were still active. This enabled the people behind it to be found and arrested. Of course, this method only helps with skimmers that still have to be dismantled, not with Bluetooth-supported operations.

Wireless card hacking

If you are traveling with a credit or debit card that supports "contactless payment" via RFID - such as MasterCard PayPass or American Express ExpressPay - you can quickly become the victim of a hacker who only briefly walks past you and your wallet in your pocket . Unprotected RFID sensors can be hacked - this also applies to passports, access cards to buildings and tracking stickers on products. RFID transmitters charged with low-voltage radio waves release the data stored on them without any problems. Magnetic stripes from credit cards are similarly insecure - any magnetic stripe reader that can be found in web shops for less than 20 euros can read them. The only difference: RFID chips can be read without the attacker ever having to be in possession of the card.

A distance of around one meter from the RFID sensor is sufficient for a contactless RFID attack. And it can be assumed that this distance will soon increase - then it should be possible to carry out an RFID hack at a distance of a hundred meters or more. A horror idea: the attacker sits down in a hotel lobby, a restaurant or a busy intersection and accesses thousands of card and passport data within minutes.