While corporations and law firms have been successfully infiltrated by well-trained nation state cybercriminals with unique hacking resources at their disposal, these are far from the only hackers that may be able to breach today's cyber defenses.

Given the wide availability of hacking tools and resources, even those with little experience can comprise a company's IT and web assets. Just ask Marcus Weinberger, a 15-year-old ethical hacker and son of Ben Weinberger, lawyer in residence at Prosperoware.

Marcus Weinberger, the young presenter at the “Watch a 15 Year Old Hack Your Firm's Users” session at ILTACON 2018, only got into ethical hacking recently, and is in the midst of learning some coding languages, such as Python.

But by using widely available resources like Google and GitHub, and purchasing a few relatively inexpensive tools, he has been able to learn just how easily one can infiltrate a law firm's web assets and employees.

Photo: Rhys Dipshan

Weinberger noted that some of the hardware tools he uses as an ethical hacker include “a wireless development board usually used for IT projects and home automation,” and a WiFi Pineapple device, which is “basically a tinny wireless router used for wireless penetration testing” that can be leveraged for “man-in-the-middle” attacks. While WiFi Pineapple devices can be expensive, many of the others tools can usually be bought for under $10.

To be sure, the tools Weinberger used, and the resources he relied on to learn how to use them, are far from secret. “This is not the dark web we are talking about here. All tools are all readily available to anyone here,” he noted.

There are a few types of cyberattacks noted that are fairly simple for hackers to executive. Web attacks, for example, can leverage SQL injections, which is a code technique to access a website or web application's database server to get a hold of information including password and login data.

Indeed, one can even search on Google for websites that run on programming languages like SQL or PHP to know how best to target them. “Just by finding that particular string in the URL identifies what that website is running on,” Weinberger said.

Today's hackers can also automate web attacks by using available pre-written scripts so they don't need to know how to code or create web hacking tools from scratch.

While web attacks can be easy, they may not be as devastating as the slightly more involved Wi-Fi attacks. By using Wifi Pineapple devices and related tools, for instance, hackers can access many devices connected to public, unsecured networks.

“At one point my family and I were on holiday somewhere and we were in a Walmart getting some food,” Weinberger recalled. “And my phone is rooted [which means] I can do some hacking stuff on there, and I realized I could do a 'man-in-the-middle' attack on Walmart's public Wi-Fi.”

Wi-Fi attacks are also menacing because they can trick consumer devices into automatically connecting to a malicious network without the device's user knowing.

“When your phone scans for Wi-Fi it will send out a list of networks it is looking for … and what devices do is notice that list and respond, and your phone will automatically connect to those.” By spoofing a Wi-Fi network to mimic the name of a common network that devices will likely recognize and connect to, hackers can then comprise many devices, including personal devices used by law firm employees.

And instead of relying on technical exploits, Weinberger noted that hackers can also trick users into infecting their own computers with malware by executing automated phishing attacks.

One tool he found, for example, will send a Twitter user “a direct tweet from an account they are familiar with, and the tweet can include a phishing URL” that mimics a well-known link, but is really a malicious link. All one needs to do is create a fake Twitter account and get followed by some of their targets.