A former head of cyber security at Barclays and RBS warns that criminals can use ‘point-and-click’ software to hack into computers because of ‘bad programming’ and negligence
A former head of cyber security at Barclays and RBS warns that criminals can use “point-and-click” software to hack into company computer systems with little knowledge of cyber security.
John Colley, who is currently co-chair of the European Advisory Board for (ISC)2, a trade body for cyber security professionals with almost 100,000 members, said that there was a “whole range” of hacking software that requires no expertise to use and is available for free online.
Many of these target vulnerabilities that are up to 20 years old, knowing that many organisations fail to patch their software. Colley says this is down to “sloppy management” and “bad programming”.
“There’s a whole range of stuff, from the very simple tools to the very complex exploits that exploit things like a zero-day vulnerability,” said Colley.
“There’s a whole underground community and black market that goes on in these things. The simple things are provided free of charge, and if you’re looking for a zero-day exploit you’re probably going to have to pay a lot for it. Ironically they’ll be paid for with fraudulent credit cards. If you’re high up the pecking order you don’t pay for anything with your own credit cards.
“They can be very simple to use, with a very good user interface, so you’ll click on ‘what do you want to do? How do you want to siege your target?’ They’ll take you through a whole load of options, and generate a piece of software you can run against your targets.
“They vary from the very ‘point-and-click’ to the sophisticated program where you have to use the command line. It’s a bit like any market, it caters for all levels of expertise. A lot of this is driven by organised crime.”
Often the target will be an individual, perhaps chosen because they work for a company in which the hackers want to gain a “foothold”. Once that person’s computer is infected, attackers can go on to gain access to the company’s network.
Many of these attacks target vulnerabilities that have long been solved. Security firms, anti-virus vendors and developers all keep an eye on hacker chat rooms to identify threats and issue solutions quickly. Unfortunately, not all companies apply these patches or update their own tools to neutralise the threats, says Colley.
“There are some very well known vulnerabilities that are unfortunately still around. We still see websites which are poorly designed and poorly implemented. It’s just bad programming, to be honest,” he said.
“Unfortunately we still see systems and software being implemented with those vulnerabilities. Most of the hackers know that there’s still a rich pool out there of people who haven’t patched their systems. They’ll go for the low-hanging fruit.
“If you think of it logically, the hacker community has access to this information, as do the security vendors. They actually build safeguards against these things, but unfortunately they’re not always used or understood. The vendors are fairly quick… but if no notice is taken of that then these things are still vulnerable. It’s just sloppy management.”
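Colley’s point is that the exposure comes less from novel exploits than from fixes that shipped years ago and were never applied. The script below is an added illustration of how a defender can measure that gap; it is not code from the article or from Colley. It takes a constructed host inventory and a constructed list of advisories (package names, fixed versions and publication dates are all made up for the example) and reports every host still running a version older than the fix, ranked by how many days the fix has been available.

```python
from datetime import date

# Constructed advisory list for the example: package -> (first fixed version, date fix shipped).
# These package names, versions and dates are invented; substitute a real vendor feed in practice.
ADVISORIES = {
    "webframework": ((2, 4, 1), date(2004, 6, 1)),   # a two-decade-old fix
    "tls-lib":      ((1, 0, 2), date(2014, 4, 7)),
    "imagelib":     ((3, 1, 0), date(2022, 1, 15)),
}

# Constructed inventory for the example: host -> {package: installed version string}.
INVENTORY = {
    "web-01": {"webframework": "2.3.9", "tls-lib": "1.0.2", "imagelib": "3.1.0"},
    "web-02": {"webframework": "2.4.1", "tls-lib": "1.0.1", "imagelib": "3.0.4"},
    "db-01":  {"tls-lib": "1.1.0"},
}


def parse_version(text):
    """Turn '2.3.9' into (2, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit(inventory, advisories, today):
    """Return one finding per (host, package) that is older than the fixed version.

    Each finding records how many days the fix has been publicly available,
    which is the exposure window the article describes. Findings are sorted
    oldest-fix-first so the longest-neglected patches surface at the top.
    """
    findings = []
    for host, packages in inventory.items():
        for package, installed in packages.items():
            if package not in advisories:
                continue  # no known fix outstanding for this package
            fixed_version, published = advisories[package]
            if parse_version(installed) < fixed_version:
                findings.append({
                    "host": host,
                    "package": package,
                    "installed": installed,
                    "fixed": ".".join(str(n) for n in fixed_version),
                    "days_exposed": (today - published).days,
                })
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings


def hosts_fully_patched(inventory, advisories, today):
    """Hosts with no outstanding finding; useful as a compliance figure for management."""
    flagged = {f["host"] for f in audit(inventory, advisories, today)}
    return sorted(host for host in inventory if host not in flagged)


if __name__ == "__main__":
    report_date = date(2024, 6, 1)  # constructed reference date
    for finding in audit(INVENTORY, ADVISORIES, report_date):
        print("{host}: {package} {installed} < {fixed} (fix available {days_exposed} days)".format(**finding))
    print("fully patched:", hosts_fully_patched(INVENTORY, ADVISORIES, report_date))
```

The ranking by `days_exposed` is the useful part: a fix that has been available for twenty years on an internet-facing host is exactly the low-hanging fruit Colley describes, and it deserves a different urgency from one published last month. In a real deployment the inventory would come from a package manager or asset database and the advisories from a vendor feed, but the comparison logic is the same.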
Colley said that when he first started working in cyber security many of the attacks took place because “curious” people wanted to test networks. Now it is largely driven by criminals for profit, which “makes it more dangerous”, he said.
“In the old days if you were infected there’d be some amusing message that popped up, and that was all. The more sophisticated you are as a hacker, the more likely you are to succeed, the rewards will be greater, the targets will be smaller in number. If you’re at the other end of the spectrum, a script kiddie, their chances of success are probably a lot lower.”