How to watch out for hackers

Spotting a potential cyber attack is difficult, but there are some key things to look out for...


Hacking equipment

Digital video recorders and cameras are widely used by small businesses. Many of these devices are put directly on the open internet with port-forwarding, bypassing NAT (network address translation) and firewall protections. Once hackers hack into an IoT device, they can begin attempting to hack systems on an associated network.

The Holy Grail for hackers is to identify a remote code execution flaw that allows them to plant their own malicious code on vulnerable devices. Hackers exchange details on such vulnerability and the devices they affect. Resolving problems often involves a firmware upgrade that end-users seldom apply.

Shodan, the search engine for the internet of things, locates vulnerable devices passively, but real attackers would use active port-scanning.

The approach taken by the mirai malware of automating the process of hacking into devices still running default factory-set login credentials could be used to compromise the network of a business.

Sometimes the login interface is exposed directly to the internet, in which case administrative credentials can be guessed directly via SSH (secure shell) or telnet. This will generally give a login shell at which point the attacker is able to execute commands.

Alternatively, CSRF (cross-site request forgery) attacks are possible, a type of attack that involves tricking a user into viewing a webpage from a computer on a targeted network using a particular wi-fi extender with default credentials.

A proof-of-concept exploit, developed by UK security consultancy Pen Test Partners against a vulnerable wi-fi extender, downloads a copy of Netcat computer networking utility before setting up a simple reverse shell to a server on the internet.

Hackers might be able to use this CSRF to load new firmware on to a targeted device.

If it was possible to gain shell access or upload new firmware to a CCTV camera on the internal network, then the hacker is past the firewall and able to attack computers and servers on an internal network.