The Five (and a Half) Ways Hackers Break into Computers and Networks
October is National Cybersecurity Awareness Month, as proclaimed by the President of the United States. Since 2004, computer, network, and security professionals have used this dedicated time to “spread the word” about Cybersecurity. We talk about best practices and simple actions anyone can perform to keep themselves safe at home, work, and online.
So, in honor of Cybersecurity Awareness Month, I present the five (and a half) ways attackers breach systems and networks. These include:
1. Human help, usually through poor cyber hygiene, including being tricked into activating malware,
2. Poor authentication practices, such as recycling the same username and password,
2.a. Gaining an advantage through a malicious or subverted insider,
3. Vulnerabilities that leave software and hardware susceptible to attack,
4. Attacks on the hardware and software supply chains by nation-states and others, and
5. Physical threats, which one should never discount.
From the list, we see that much of how a hacker completes a system or network breach depends on the cooperation of the victims - or at least of insiders within a network or its computer users.
In detail, the attacks are:
1 - Have victims help the hackers.
Whether electronic - such as fake email or websites - or person-to-person, the hacker uses confidence scams to induce the victim into doing misdeeds for the attackers. These actions hurt the organization or target network. Hackers use impersonation, deception, coercion, and forgery. And, sometimes, it is just the victim’s “naïveté.” Between junk emails and fake websites, hackers get the victims to “click on the wrong content.”
Our email inboxes are continually flooded with junk messages - often called SPAM - from hackers who try to obtain our payment card information or steal our identities with fake ads from well-known companies (guaranteed acceptance credit card, anyone?). These try to entice us into giving away our personal and financial information. Or, the hackers may simply be after login credentials. Likewise, these messages may contain malicious attachments or links to dangerous websites that appear legitimate.
Hackers can launch attacks when a victim opens a malicious attachment or clicks on a malevolent web link.
All individuals, businesses, and governments are susceptible. We’ve also seen concerted attacks against political parties or candidates’ campaigns. This can ultimately lead to data breaches, ransomware, or both.
As Cybersecurity professionals, we see targeted attacks - as occurred in both presidential campaigns in the US - and general SPAM, which seeks victims of opportunity. After all, if one-tenth of one percent of all SPAM recipients click on a message and hackers send out 300 million messages, that’s a “hit rate” of 300,000 clicks! If even a tiny fraction of those “hits” result in a successful attack, the hackers have won.
2 - Hackers can login using the victim’s credentials.
Through naïveté, the victim might register the same username and password at many sites, again and again. These credentials are then stolen, guessed, or just outright purloined. For the hacker, it is sometimes as simple as asking the victim to let the hacker in. A seemingly trustworthy attacker can simply ask, “May I borrow your password?” Hackers then use these stolen credentials to carry out their misdeeds.
Released in July 2024, the infamous “RockYou2024” file contains a list of 10 billion passwords. Yes, that’s “billion” with a “B.” That’s more credentials than there are people on the earth. Freely available for download from the Internet, the RockYou2024 file consumes 146 GB of disk storage - more data than the capacity of many laptop hard drives. That’s the bad news.
The good news? RockYou2024 contains only passwords, in various forms. Combined with easily accessible lists of usernames, however, it provides the basis for a set of powerful tools to open a system’s or network’s front door - direct login.
The mixed news? This is an arms race. Both defenders and attackers can apply new technologies for defensive and offensive purposes. A defender might monitor login attempts or use “account lockout” after someone tries several bad passwords - often why you have to reset your credentials. Attackers will use technology to their advantage. They may press computer graphics cards into service as a small-scale “supercomputer,” or use Artificial Intelligence to facilitate password-cracking attempts.
Cybersecurity professionals say that “authenticating” is making a claim about who you are and then proving it. Someone typically “authenticates” to a system or network with a username and password. While we’ve used this mechanism for nearly 70 years, it has well-known problems. Unfortunately, it is still rather unlikely that we’ll get rid of this login style anytime soon. Website and application developers often take a shortcut and use an email address as a username. When a victim registers for a website, they then choose a password. Watching the news, we see that credential theft is common, including among those whose job is to keep our information safe.
When a victim uses the same login name and password at multiple sites, we say they’ve “recycled” their credentials.
Unfortunately, websites often have crappy Cybersecurity and allow the theft of the stored credentials. When hackers break into a website and steal the registered email address (used as the username), the attackers have the answer to half of the authentication puzzle.
Once the hackers have that victim’s identity, they can try the same email address and password across many other websites that use the same naming conventions for usernames. Even if the attackers fail to get the “password” part of authentication, tools such as RockYou2024 help solve the puzzle. Once hackers have a list of usernames and a set of password candidates, they can try those combinations to login to sites across the Internet. We call this “Password Spraying.”
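The login monitoring mentioned above, applied to the spraying pattern just described, as an added example that is not part of the original article: a short Python script of my own that runs over a constructed sshd-style log excerpt and tells a spray (one source, many accounts, few guesses each) apart from a brute force against a single account. The log format, thresholds and IP addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log excerpt (sample data, not from any real host).
SAMPLE_LOG = """\
2024-10-01T08:00:01 sshd: Failed password for alice from 203.0.113.7
2024-10-01T08:00:03 sshd: Failed password for bob from 203.0.113.7
2024-10-01T08:00:05 sshd: Failed password for carol from 203.0.113.7
2024-10-01T08:00:07 sshd: Failed password for dave from 203.0.113.7
2024-10-01T08:00:09 sshd: Failed password for erin from 203.0.113.7
2024-10-01T08:01:00 sshd: Failed password for alice from 198.51.100.9
2024-10-01T08:01:02 sshd: Failed password for alice from 198.51.100.9
2024-10-01T08:01:04 sshd: Failed password for alice from 198.51.100.9
2024-10-01T08:01:06 sshd: Failed password for alice from 198.51.100.9
2024-10-01T08:01:08 sshd: Failed password for alice from 198.51.100.9
2024-10-01T09:30:02 sshd: Accepted password for grace from 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line matching the expected shape."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def classify_sources(log_text, window=timedelta(minutes=5),
                     min_failures=5, spray_min_users=4):
    """Verdict per source IP with min_failures failed logins inside one window:
    "spray" if spread over many accounts (dodges per-account lockout), else "brute-force"."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(parse(log_text)):
        if result == "Failed":
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):          # slide a time window over the failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            hits = fails[start:end + 1]
            if len(hits) >= min_failures:
                users = {u for _, u in hits}
                verdicts[ip] = "spray" if len(users) >= spray_min_users else "brute-force"
                break
    return verdicts
```

A per-account lockout alone would never fire on the first source, which is exactly why counting distinct accounts per source matters.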
But, sometimes, the simplest solution is directly in front of us. Businesses may display their passwords openly - as in the case of Wi-Fi - or hackers can easily guess the login information. A quick web search for “common passwords” reveals amazing results.
2a - More rarely, attackers can subvert an insider into performing nefarious deeds.
Occasionally, the news contains stories about an insider spy who got caught giving or selling secrets to enemy intelligence agencies. Nation-state and commercial espionage (often both at once) are common on the Internet. Or, the hacker may use various intimidation techniques on a victim, such as kidnapping, coercion, bribery, or physical threats. Lastly, the malicious insider may have political, social, philosophical, or religious reasons for violating a system’s integrity.
Hackers can work through a malicious insider to carry out some of the other five techniques, or the insider can launch the attack directly.
In the movie Firewall, Harrison Ford portrays a bank Cybersecurity expert whose family is kidnapped.
The criminals subvert the main character into performing an electronic bank robbery. While fictional, the story of Firewall presents the classic insider threat.
Other insider threats include the attacker with a grudge or someone philosophically motivated. Transnational and nation-state espionage also pose real dangers.
3 - Exploiting Vulnerabilities.
The sad truth about computers is that “Hardware breaks and Software comes broken.”
Often, this broken software shows itself in bugs reflected in wrong behavior or incorrect results. Buggy software can result in erroneous calculations or even simply “junk” on the screen.
Sometimes, the bugs cause the application or system to crash. These crashes annoy the end-user but can also become a “Denial of Service” (DoS) attack. Software bugs can also become vulnerabilities or misbehaviors that violate the system’s security - software vendors, such as Apple and Microsoft, regularly “patch” these holes. Hackers can take advantage and break in if someone doesn’t apply a vendor’s patches. Or, the vulnerability is exploited before a vendor produces a patch - the so-called “Zero-Day” bug.
Of course, both hardware and software can have these Zero-Day vulnerabilities.
Hackers can exploit these vulnerabilities in their various forms. Whether an attacker breaks in to intrude on a network or uses ransomware, Cybersecurity professionals call this a Data Disclosure breach. The loss can't be undone once the breach occurs and the information is in the ne'er-do-well’s hands.
In the spring of 2017, hackers started actively exploiting system vulnerabilities to deploy ransomware. Yes, there were security bugs before that. And, yes, attackers used tools to exploit these holes.
However, attacks on the vulnerability addressed by the Microsoft patch MS17-010 changed how ransomware operated. Code-named “EternalBlue,” this vulnerability allowed malicious programs remote access with complete control of every unpatched system on the network, including full control of the victim’s operating system. Hackers used this vulnerability to propagate ransomware across vast swaths of businesses’ networks. Pun intended, it was enough to make Cybersecurity professionals “WannaCry!”
The moral of the story is that attackers exploit known and yet-to-be-discovered vulnerabilities.
Keeping computers current with their security updates - “fully patched” in the parlance - provides an early line of defense. Unfortunately, people and organizations defer patching for many reasons, including avoiding system and network disruption. Microsoft patches have been known to cause continual reboot loops, which make systems managers cautious and “gun-shy.” More prosaically, organizations may choose to postpone patching because a patch may break software supporting a mission-critical function. Lastly, regulatory requirements (such as FDA certification) may prohibit patching.
Unpatched systems are vulnerable systems.
Finally, hackers have discovered security vulnerabilities in hardware that they exploit. These vulnerabilities are largely unknown to the vendor until they are discovered and patched. While attackers exploit them before a fix exists, they are known as “Zero-Day” vulnerabilities. Because of the complexity of finding these holes, Zero-Day attacks are often the purview of nation-states and affiliated groups. Commercial VPN (Virtual Private Network) routers and remote file management devices have had Zero-Day faults within the last few years, as have Internet-facing email servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) issues regular warnings about both hardware and software vulnerabilities as they are discovered and patched. I recommend that Cybersecurity professionals sign up for CISA’s email newsletters.
4 - Hack the Supply Chain.
Attacks on the hardware and software supply chain concern Cybersecurity professionals.
Put simply, hardware and software vendors become attack targets for hackers. Attackers can breach the Cybersecurity of a vendor’s network. From there, they infiltrate a product’s development environment and insert malicious code. This malware can include remote control “backdoor” tools, ransomware, or other cyber weapons. Once attackers have penetrated a software vendor’s network, they use the company’s “automatic update” mechanisms to deliver malware to the victims’ networks. Beyond software threats, hacked hardware threatens organizations and people - as has been in the news recently. Supply chain attacks have concerned the US Government since about 2005. In 2008, President Bush initiated the Comprehensive National Cybersecurity Initiative, which (in part) addressed supply chain integrity.
I should note that a supply-chain attack often involves two break-ins. The first is to the software or hardware vendor’s systems, and the second is an attack against the victims.
There have been several examples of supply chain attacks in the news. In 2020, a nation-state's intelligence operatives hacked an Austin, Texas-based software vendor. The company, which produces network management and analysis software, had its software distribution packages maliciously modified to include the attacker’s remote-control software. This was then automatically propagated to victims as a software update. The net effect was to give the nation-state’s intelligence operatives access to the victims’ computer networks. Victims included both business and government entities.
In the autumn of 2024, a physical supply chain attack caused widespread death and injury when hacked pagers and walkie-talkies were rigged with explosives and then remotely detonated.
5 - There is no security without Physical Security.
Lastly, physical attacks allow hackers to break into systems and networks. Access to a data center or networking closet is enough for attackers to “plant” their malicious systems and communications gear. Once the hacker has physical access to the system or network, they might use stolen credentials to gain logical access. This can lead to covert network access; theft of devices or other components, such as backups, can also result in data breaches.
Cybersecurity professionals often talk about a security model called “Defense-in-Depth.” Other names include “Castle-and-Moat” and the “Onion” model. In all of these metaphors, physical security is essential. Keeping physical assets secure means that attackers can’t steal them and try to extract critical information. Similarly, Cybersecurity professionals apply the logical equivalent to ephemeral environments such as Wi-Fi networks.
Part of the inspiration for this blog comes from watching the feed on LinkedIn. Periodically, a marketing person from a training company will post an infographic about cyber-attacks, hacker tools, or malware. This will draw many comments in the form of “Oohs,” “Wonderful,” and other thoughtless adulation. Often, these posts are filled with duplications or glaring omissions. What, for example, is the difference between “malware” and “ransomware?” Popular Cybersecurity courseware mimics these posts - or perhaps, the other way around. Cybersecurity is neither as simplistic nor superficial as a marketing person’s infographic on LinkedIn.
In combination, the five-and-a-half attack methods are both more fundamental and more complex than an infographic on LinkedIn.
Hackers use these techniques in combination or separately to gain illicit access to systems or networks. MITRE Corporation, a “think-tank” tied to the US government and Department of Defense, has its “ATT&CK” framework, which has more than 100 examples of individual hacker techniques. Much of the early part of this “Hacking Cycle” involves the mechanisms I’ve outlined here - in greater detail. Regardless, the first step for a hacker is to break into a system or network.
In most cases, hackers depend on the victim to help complete the attack.
Azure and Cybersecurity Architect | AI Engineer | Veteran | Microsoft Software and Systems Academy Educator | Project Manager | Microsoft Certified Trainer | IT & Cybersecurity Mentor and Consultant
2mo
Excellent coverage of these various methods with great examples!