How Can Child Hackers Hack Companies?

Today hack after hack let’s say it’s happening. In this case, individuals who do not know about cyber security are more likely to have their personal data captured and used for terrible purposes than individuals who have knowledge. anxiety can hear. Of course, those who have knowledge about these problems may be insufficient to take protective security measures in the face of information errors that develop day by day.

For example, recently leaked GTA 6 images. 17 year old hacker He was arrested by the London police. In Turkey, there is a significant group of hacking enthusiasts around the age of 15-18, who spend time on platforms such as Twitch and give advice to each other on hacking. In this article, we will discuss what cyber security is, how hacking events develop, why cyber security cannot be provided in the national and international context, how the younger audience hacks, and many more. To Yasir Gökçe we asked. He also happily answered our questions.

Here are the responses of Yasir Gökçe…

Cyber ​​security; It is the systematic protection of informatics, IT and OT systems and the data processed in these systems against threats originating from cyberspace.

In general, there may be different motivations behind the hacking event.

New to the hacking “industry” now, our script-kiddies The amateur team we call hacks only to develop/show their new talents and to experience the satisfaction of it. Hacking against the intelligence seizing activities of states on their citizens can come to the fore as a resistance against this activity and the authoritarian/totalitarian mentality behind it.

On the other hand, state-reinforced actors are against the perceived threat group and other states. hacking he can. These activities concern the law of tolerance in cyberspace.

How hacking is done is a very broad and intricate bet.

In summary; Cyber ​​attacks are carried out by exploiting information systems, processes, organizational structures and vulnerabilities in people’s consciousness. For example, an internet access modem or router The fact that it is not configured is a vulnerability for hacking. An employee who doesn’t know not to click every link sent to him is also a valuable vulnerability for hacking.

The part of hacks called white, red and gray is a classification made according to whether the hacking action is malicious or not.

The hacker who wants to draw attention to the vulnerabilities of the company he targets and who does the cyber attack with the consent of the company is a white hat hacker. black hat hacker, organizes cyber attacks with the aim of causing harm. The gray hat hacker, on the other hand, wants to warn the company about its vulnerabilities by performing a cyber-attack with appropriate intentions. But he does not do this illegal activity with the permission of the directors of the company (or any other organizational structure).

Except for incoming messages and direct contacts, that our information has been captured; We’ll know if the hacker posts the information on a site.

In addition, companies/organizations that have lost their personal data in Europe and our country, to the relevant authorities and individuals. have been hacked have an obligation to report. As the last step, especially usernames and passwords are offered for sale on the dark web. With a search engine covering the dark web or cyber threat intelligence activities, we can be aware of whether such a thing is happening.

In my opinion, systems should be designed and structured on the assumption that individuals are unconscious so that users are informed about their individual cybersecurity.

In this context, security by design and security by default principles stand out. In other words, a communication program should transmit messages by encrypting (hiding) messages directly. A separate user action or preference should not be required for this.

In addition, relevant professional organizations and non-governmental organizations can raise awareness of users with virtual brochures supported by visuals, written without bogging down on technical terms. Also, when an app is installed or the system is installed, with pop-ups (pop-up screen)Cyber ​​security issue can be reminded and guidance can be made.

The person who realizes that he has been hacked can make a complaint to the IT crimes bureau or a criminal complaint to the missionary prosecutor’s office.

The entity or company that is responsible for protecting the person can also be contacted and asked for an account. digital forensic If you are not a very sensitive institution that does not require (forensics), the first attack is to disconnect the hacked system from the network. In particular, I recommend that individuals who are far from the cyber world consult an expert according to the extent of the damage and act with the legal department or lawyer, depending on the situation.

The recommended change frequency of passwords is every 6 months. Password must be complex; must contain at least 12 characters, uppercase, lowercase, numbers and special characters.

It takes 54 years for today’s computers to crack a password like this. Quantum computershowever, this changes the time significantly.

While registering on the sites, the relevant websites are under the obligation to inform us within the framework of the Law on the Protection of Personal Information about which of our information has been circulated in the event of a random hack.

Apart from this, the nature and scope of the information is disclosed on the dark web or ransom We can learn when it comes to the subject. When delivering data, it is valuable to examine the reliability of the receiving organization. Also, data must be delivered (especially for online platforms) after generating a complex password and authenticating. Stolen data is usually sold as a whole on the dark web, as I just said. Cyber ​​bugs buy them from there. Giant companies (Facebook, WhatsApp) that take advantage of the gaps in the contracts can also open their own information pool to third parties.

The stolen information can be used to serve personalized ads, hold data hostage and demand ransom. We see that stolen credit card data is used in fraud and theft. Identity and access data, on the other hand, can be processed with the aim of providing remote access to critical systems.

Big data systems and programs integrated with artificial intelligence can obtain data from open or closed sources.

Giant IT companies trying to do it legally. For example, it dictates a decision to “allow access to your data if you are going to use the service we offer for free”. They analyze the data obtained in this form with artificial intelligence and offer personalized content. For example, the similarity of a product that we have just searched through Google, as an advertisement on YouTube, falls within this scope.

A law based on the victimization of individuals and institutions who are victims of informatics misdemeanors in Turkey has been shaped. However, unfortunately, the legal infrastructure that regulates the obligation of companies to protect information is extremely inadequate.

In other words, acquiring high security practices, to the good will of companies remains more. In addition, protecting information and privacy is not a sensitivity that has settled in our country now. On the contrary, the concept of the state is a council on the storage, sharing and delivery of information. The generic guarantees in favor of the individual regarding the protection of information cannot be fully clarified. Although studies have been carried out on this issue in recent years, there is still a need for more measures to protect personal data.

For example, according to CHP vice president Onursal Adıgüzel, BTK requested the delivery of the most vital user data in a letter it sent to all internet service providers. Considering that the news that the identity data of 50 million citizens fell on the internet in 2016 is true, I do not think that sensitive information about the state is too much of a belief. Cyber ​​bugs are trying to make themselves anonymous. VPN and Tor using techniques such as It is also very difficult to detect the real IP or MAC address behind the error by bypassing these methods.

The lack of cooperation at the international level also reinforces the challenge of detecting cybercriminals.

One country’s definition of cybercrime, another country’s right to privacy, right of communication, freedom of speech, etc. sees it as. This makes collaboration in effort with cybercriminals impossible. For example, a country has database serversIn a crime committed using the word, the subject may not be able to access the server.

The fact that physical damage can be caused by using IT and OT systems has always surprised me.

For example, Russia’s access to the control systems of a power plant in Ukraine and the public power out quite interesting. Or, the US hacking a valuable part of the Natanz uranium facilities in Iran (Stuxnet incident) can be given as an example.

Defending the data requires systematic, collective, systematic, balanced and effective (instant-occurring) actions. Thus, it is not difficult for even children under the age of 18 to hack the data of large companies.

Waste hacking is as easy as copy-paste-entering a piece of data into malicious code. The cybersecurity group quits work on weekends and evenings within the concept of overtime. Cyber ​​bugs, on the other hand, seek to exploit the vulnerabilities 24/7. In addition, the cost of security measures may exceed the cost that would arise in case of damage, in some cases. In this case inaction and accepting risk can cause. There was a hacking incident in Yemeksepet recently. Not that your food basketI can’t say anything about this hack without examining and auditing the cyber security maturity.

Editor Note: Saying that he hacked Yemeksepeti, the hacker had previously made a statement. In our article where we gave this explanation from here you can read. In addition, let us remind you again that hacking illegally is a crime. In this article, we aimed to show how wrong the hacking is by asking an expert about the issue. If you are not a white-collar hacker working within a company, we recommend that you do not get involved in these jobs.

You can reach Yasir Gökçe on Twitter.

• Image Sources:Harvad Business Review, Crowd Strike, Analytics Insight, The New Yorker, BBC, Scroll.in, WIRED, Tech Crunch, Dashlane Blog, Bleeping Computer, Auth0, MIT Technology Review, Tech Crunch 2, The New York Times, VICE, Analytics Insight 2