Hacker Series - How I Met Your Data
OR...5 Ways To Keep Hackers Out


Shawn Stewart
Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.
I am a hacker. Collectively, my friends and I stole, or at least disrupted, several trillion dollars last year to finance physical war, our countries, and ourselves.
Who Am I?
I am a nameless, faceless person at a keyboard, almost always employed by a nation-state that usually finds itself on the wrong side of global sanctions. While you know about threats from China, Russia, Iran, North Korea, and India, know that I could be your neighbor, doctor, kid’s best friend, or mother. The odds, though, say I work at the direction or under the blind eye of one of these nations.
The image is what you think when you hear “Hacker”. But I work in an office, just like most of you. We gossip at the coffeepot, same as you. The only difference is, at my desk, I’m searching for vulnerable computer systems and devices. I probably don’t see the proceeds of my work since it goes to the government to fund troops advancing in a foreign country or to their many counterintelligence groups. I have a stable paycheck to support my family by using the skills that I have. You and I are very similar.
Why Am I A Hacker?
Well, some of us have no choice. I could be a highly intelligent youth enlisted in the military, which trains me and orders me to hack. I could just be an entrepreneurial individual with no regard for international law and no fear of getting caught. So what if you figure out who I am and where I work? None of the countries listed, except India, has an extradition treaty with the United States. And you certainly aren’t coming to Moscow or Beijing to arrest me.
Odds are, even if you had the skills and tools to track me, you still couldn’t, as most of us work behind military-grade firewalls and use military-grade encryption. Or, my favorite, I hack from a computer I’ve compromised in the US. Sure, you see videos all the time of amateurs in India getting reverse-hacked by a dude with blue hair or with a cool Russian nickname. Those guys are scammers, not hackers, and most of them call you asking for gift cards. I don’t need to call you and I don’t take gift cards.
How Do I Hack?
Now that you know who I am and why I hack, let me show you what I do. My day is ordered. You see, the Internet allows me to interconnect with every other Internet user in the world. Devices on the open Internet require an Internet Protocol, or IP, address to connect. Everyone on the Internet has one. Some are static but most change regularly, and all are handed out by the primary Internet carriers, like AT&T, Verizon, Comcast and T-Mobile. They take zero responsibility for the traffic on the Internet; they simply get paid to put you out there, sheep in the dark woods surrounded by wolves.
The IP addresses on the Internet are a finite range but the devices connected to the addresses are constantly changing. Right now, your public IP address can be determined by going to WhatIsMyIPAddress.com. See how Internet devices are connected in this blog (How The Internet Works). All you need to worry about is what I see when I scan that address. And I scan every address on the Internet. It takes a while and my scans are always running. But what am I looking for?
I use a free scan tool, such as Nmap, to ping every address on the Internet, or, in my case, a subset of the 1.5 billion addresses for the United States, maybe 1 million. I ping my 1 million addresses and any device that answers is added to a second list. These are low-hanging fruit. Secured Internet-connected devices should NEVER reply to a ping. For the IP addresses that did not answer the ping, I perform a stealth scan to see if anything is listening on the address. If so, they go into a third list called Challenges. These will likely go to a group of firewall hackers to scan for open ports. I now have a list of potential, connected targets.
Don’t try to port scan the Internet. You will get banned by your Internet Service Provider (ISP) and, in rare instances, could get sued. You are NOT a hacker! Leave that to the pros.
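Seen from the defender's side, the ping sweep followed by a stealth scan (commonly a TCP SYN scan) leaves a recognizable trail in perimeter firewall logs. The Python below is an added example, not part of the original article: it flags sources that ping many hosts or send bare SYNs to many host:port pairs. The log lines, the thresholds, and the `find_scanners` name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log in trimmed netfilter LOG style (not from the article).
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:14:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:14:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.3 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:14:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:15:10 fw kernel: IN=eth0 SRC=192.0.2.50 DST=203.0.113.1 PROTO=TCP SPT=51514 DPT=443 SYN URGP=0
Jan 10 03:20:44 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jan 10 03:20:44 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Jan 10 03:20:45 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40001 DPT=3389 SYN URGP=0
Jan 10 03:20:45 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jan 10 03:31:09 fw kernel: IN=eth0 SRC=192.0.2.50 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def find_scanners(log_text, sweep_min=3, probe_min=3):
    """Return {source_ip: [findings]} for sources that behave like scanners."""
    pinged = defaultdict(set)   # src -> destinations sent an ICMP echo request
    probed = defaultdict(set)   # src -> (dst, port) pairs sent a bare SYN
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        src, dst = f.get("SRC"), f.get("DST")
        if not src or not dst:
            continue  # not a packet record
        flags = set(line.split())  # TCP flags are logged as bare words
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            pinged[src].add(dst)
        elif f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            probed[src].add((dst, f.get("DPT")))
    findings = defaultdict(list)
    for src, dsts in pinged.items():
        if len(dsts) >= sweep_min:  # assumed threshold: tune to your address space
            findings[src].append(f"ping sweep: {len(dsts)} hosts")
    for src, pairs in probed.items():
        if len(pairs) >= probe_min:  # assumed threshold
            findings[src].append(f"SYN probes: {len(pairs)} host:port pairs")
    return dict(findings)

if __name__ == "__main__":
    for src, notes in find_scanners(SAMPLE_LOG).items():
        print(src, "->", "; ".join(notes))
```

A scanner that spreads its probes over days stays under fixed counts like these, so production rules usually count per time window.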
Why Do Hackers Care?
Who do these devices belong to? Where are they? Who owns them? Don’t care. I am searching for vulnerable systems. Those are all questions to ask before setting the ransom payment. Right now, I only want information. My next scan is a detailed port listing. I should be able to determine, with some accuracy, what type of device it is and what version of software it is running.
Why is that important? Every computer system has vulnerabilities. Manufacturers and vendors send out constant software updates so that newly discovered issues are patched before someone like me can use them to gain access. Microsoft sends out updates every Tuesday. Fortunately for me, people are lazy or ignorant. Most systems have updates sent by the vendor quarterly. Most systems on the Internet have never been patched or updated. If I can determine what type of device I’m connecting to and its software version, I simply search MITRE’s public database of Common Vulnerabilities and Exposures (CVEs). From there, I can learn exactly how to access the system without a login.
How You Can Help Hackers!
Scanning is only one way to find connections. My personal favorite plays on the misplaced trust of humans. If you don’t know what phishing is, you need to retake your corporate cybersecurity training or read about it here. Phishing messages come through email or cell phone text messages that appear to be real and legitimate, but are really messages from me. When you click on that link to view the $1,000 invoice I claim you paid to the Geek Squad (read about it here), my malware installs on your computer. Sure, I’ll show you a phony invoice, but now I have a command and control application running on your computer or phone.
Drive-by downloads are similar. These are little applications that install on your computer without your knowledge when you point your web browser to places you shouldn’t go. You know what I mean, those naughty sites! But clickbait sites are also swarming with drive-by downloads. What is clickbait? Would you like to see what the Prince and Princess eat for breakfast every day that makes them so pretty? That’s clickbait. No one really cares, but aren’t you just a little curious? That curiosity could be my ticket into your phone or computer.
Sounds too easy? It is, because most people who connect to the Internet, and that’s all of us, by the way, falsely believe their Internet or cell phone provider is keeping them safe. They aren’t. They aren’t even trying. If I can get into one computer, or phone, or television in your house or office, I can get into everything else. So how do you protect yourself from me?
Five (5) Ways To Hide On The Internet:
1) Have a professional configure your Internet connection – Quality Internet firewalls are not cheap. The box from your ISP is NOT secure. Work with a professional to size and purchase the right equipment. Then have that professional configure the equipment to vendor and industry best practices. Stay hidden online. Use encryption whenever you can.
2) Keep all your systems up to date – The firewall will need updates, as will every device you have: your phone, your computer, your doorbell camera. Most vendors have the option of automatic updates. Don’t think your home or office equipment needs updates? Check MITRE’s website for Common Vulnerabilities and Exposures (CVEs) and search for it. Surprise! You are vulnerable!
3) Don’t Skimp – Buy the right software to protect your systems and remove old equipment that no longer gets updates. Stop buying old equipment and software on eBay! If you say you run a reputable business that protects the data of its employees, vendors, contractors, and customers, prove it!
4) Never click anything you don’t recognize – Having Internet access is a responsibility, not a right. Consider using trusted DNS or a monitored proxy service. Learn what phishing is and how to avoid it. Don’t go to websites you don’t really trust. No Clickbait!
5) GeoFencing – If you don’t need to communicate with a country, remove it from the list of IP addresses you communicate with on your firewall. Ask your ISP to block any traffic from countries you don’t need to reach. This works both ways. You can’t reach them but they can’t reach you.