Getting inside the minds of ethical hackers

It was Wood's team of hackers who, from his unassuming office in Shoreham-by-Sea, were responsible for penetrating security in the aforementioned hack. The attack was not difficult for Wood and Co to perpetrate though. Busting through the company's defences was startlingly simple.

"We found an internet portal for a client which led to an extranet login, which was defended only by a username and password," he told IT Pro.

"The username test' and the password testing' gave us access, over a straight SSL connection, through a Citrix gateway, which was poorly configured, so we got a command line on the Citrix server, which was in turn poorly configured so that we could enumerate all the computers on their network worldwide.

"Then a Windows account called backup', with a password of backup', allowed us to see every file on every computer in a worldwide organisation."

Disturbing to see such lax login procedures being used by large businesses, is it not? For the company's IT director, the news wasn't so good. He was given the boot.

"There were a few people who experienced the new pleasures of gardening leave," Wood said. "We don't like being the cause of that but in the end, if you are the IT director, you are the IT director, and it's your job to get it right."

For the organisation, however, the benefits were tangible and immediate. "The result of presenting those findings to the senior people at that organisation was that they changed all of those things, both tactically and systemically, so that it wouldn't occur again. We massively secured that system," Wood said.

Generally, it takes Wood or one of his team between half an hour and half a day to hack into a system. It just depends how long it takes them to find their way around the network. If you were an insider it could literally take just 10 minutes.

There were a few people who experienced the new pleasures of gardening leave.

The trouble is, IT staff setting up systems think like people who are setting up systems, not like people who are going to break into them, Wood said.

"So the same mistakes happen again and again because so many organisations have extraordinarily competent IT staff, but they don't think like attackers," he said.

In some cases, Wood has seen trivial passwords which have not changed in 12 years, often despite multiple changes in staff.

"Pretty much every time we go on site, we find an account like that say an account called backup has a password called backup," he said.

"I don't want to be unkind to the people running these businesses, in most cases it is something they've inherited from their predecessors and they've never been asked to check it. The chasm between people who think business and people who think IT is really quite wide and I don't think businesses really take on board the fact that anyone managing a network for them can access anything on that network they don't even ask the question."