Today hack after hack let’s say it happens. As such, people who don’t know anything about cybersecurity are more likely to have their personal information captured and used for malicious purposes than those in the know. anxiety can hear. Of course, those with knowledge of these issues may fall short of taking protective security measures in the face of cybercrime that is evolving day by day.

For example, recently leaked GTA 6 images. 17 year old hackerHe was arrested by the London police. In Turkey, there is a serious hacking audience around the age of 15-18, who spend time on platforms like Twitch and advise each other about hacking. In this article we will discuss what cybersecurity is, how hacking events develop, why cybersecurity cannot be provided in the (inter)national context, how young people hack and much more. To Yasir Gökce We asked. He was also happy to answer our questions.

Here are Yasir Gökçe’s answers…

cybersecurity; It is the systematic protection of informatics, IT and OT systems and the data processed therein against threats from cyberspace.

In general, there can be different motivations behind the hacking event.

It just entered the hacking “industry”, our script kiddies We call the amateur team hacks to develop/display their new talents and experience the satisfaction of them. Hacking into activities by states confiscating intelligence from their citizens can stand out as a resistance to this activity and the authoritarian/totalitarian mentality behind it.

On the other hand, state-backed actors are against the perceived threat group and other states. hack he can. These activities concern the law of hostility in cyberspace.

How hacking is done is a very broad and complicated subject.

Summarized; Cyber ​​attacks are carried out by exploiting information systems, processes, organizational structures and vulnerabilities in people’s consciousness. For example an internet access modem or router not configured correctly is a hacking vulnerability. Likewise, an employee who doesn’t know not to click on every link sent to them is a significant hacking vulnerability.

The part of hacks called white, red and gray is a classification that is made based on whether the hacking action is malicious or not.

The hacker who wants to highlight the vulnerabilities of the company he is targeting and who carries out the cyber attack with the company’s permission is a white hat hacker. black hat hacker, cyber attacks with the aim of inflicting damage. The gray hat hacker, on the other hand, wants to warn the company about its vulnerabilities by carrying out a cyber attack in good faith. However, he does not do this illegal activity with the permission of the directors of the company (or other organizational structure).

Except for incoming messages and direct communication; We know if the hacker places the information on a site.

In addition, companies/organizations that have lost their personal data in Europe and our country can report to the relevant authorities and persons. have been hacked have a notification obligation. As a final step, usernames and passwords in particular are offered for sale on the dark web. With a search engine covering the dark web or cyber threat intelligence activities, we might know if such a thing is happening.

In my opinion, systems should be designed and structured under the assumption that individuals are unconscious so that users are informed about their individual cybersecurity.

In this context, security by design and security by default principles stand out. In other words, a communication program must send messages by encrypting (hiding) messages directly. This should not require a separate user action or preference.

In addition, relevant professional organizations and non-governmental organizations can increase user awareness with virtual brochures supported by visuals, written without getting bogged down in technical terms. Also when an app is installed or system configuration, with pop-ups (pop-up screen) Cyber ​​security issues can be remembered and guidance can be given.

The person who realizes that he or she has been hacked can file a complaint with the ICT Crime Bureau or file a criminal complaint with the responsible public prosecutor’s office.

The entity or company responsible for protecting the individual may also be contacted and requested for an account. digital forensics Unless you are a highly sensitive institution that does not need (forensic) investigations, the first step is to disconnect the hacked system from the network. I recommend individuals far removed from the cyber world to consult an expert based on the extent of the damage and, depending on the situation, engage a legal department or a lawyer.

The recommended password change frequency is every 6 months. Password must be complex; must contain at least 12 characters, uppercase and lowercase letters, numbers and special characters.

It takes 54 years for today’s computers to crack a password like this. Quantum computers but this changes time significantly.

When registering on the sites, the relevant websites are obliged to inform us under the law on the protection of personal data about which of our information has been distributed in case of hacking.

In addition, the nature and extent of the information is made public on the dark web or ransom We can learn when we talk. When supplying data, it is important to look at the reliability of the receiving organization. Also, data must be provided (especially for online platforms) after complex password creation and authentication. Stolen data is often sold as a whole on the dark web, as I just said. Cyber ​​criminals buy them from there. Giant companies (Facebook, WhatsApp) that take advantage of the gaps in the contracts can also open their own data pool to third parties.

Stolen data can be used to display personalized ads, hold data hostage, and make ransom demands. We see stolen credit card information being used in fraud and theft. Identity and access data can be processed to provide remote access to critical systems.

Artificial intelligence integrated big data systems and programs can extract data from open or closed sources.

Huge IT companies try to do it legally. For example, it dictates a provision like “Allow access to your data if you are going to use the service we offer for free”. They analyze the data obtained in this way with artificial intelligence and offer personalized content. For example, the likeness of a product that we have just looked up via Google, as an advertisement on YouTube, falls within this scope.

A law has been drafted in Turkey based on the targeting of individuals and institutions that are victims of cybercrime. Unfortunately, the legal infrastructure governing companies’ obligation to retain data is deeply inadequate.

In other words, acquiring high security practices, good faith companies stays more. In addition, protecting information and privacy is not yet a sensitive issue in our country. On the contrary, the concept of government is based on the storage, sharing and delivery of information. Legal guarantees in favor of the individual regarding the protection of information cannot be fully elucidated. Although this has been researched in recent years, more measures are needed to protect personal data.

For example, according to CHP Vice-President Onursal Adıgüzel, BTK has requested the delivery of the most vital user data in a letter to all Internet service providers. I don’t think sensitive government data is very safe, as the news on the news that the identity information of the citizens of the states is found on the internet is sometimes true. Cyber ​​criminals try to make themselves anonymous. VPN and Tor using techniques like It is also very difficult to detect the real IP or MAC address behind the crime by bypassing these methods.

The lack of cooperation at the international level also exacerbates the challenge of tracking down cybercriminals.

The definition of cybercrime in one country, another country’s right to privacy, right to communication, freedom of expression, etc. see it as. This makes cooperation in the fight against cybercrime impossible. For example, a country has database servers In the event of a crime committed by using the server, it may not give access to the server in question.

The fact that physical damage can be done through the use of IT and OT systems has always amazed me.

For example, Russia’s access to the control systems of a power plant in Ukraine and its public power off quite interesting. Or the US hacking a significant part of Natanz’s uranium facilities in Iran (Stuxnet incident) can be given as an example.

Data protection requires a series of systematic, collective, orderly, consistent and effective (instant) actions. For example, even for children under 18 it is not difficult to hack the data of large companies.

Hacking is as simple as copying and pasting malicious code into a dataset. The cybersecurity team leaves work on weekends and evenings within the concept of overtime. Cyber ​​criminals, on the other hand, try to exploit the vulnerabilities 24/7. In addition, the costs of security measures can in some cases be higher than the costs that would arise in the event of damage. In this case passivity and accepting risks can cause. There was recently a hacking incident in Yemeksepet. However your food basket I can’t say anything about this hack without researching and checking the maturity of cybersecurity.

Editor’s Note: According to the hacker, he had hacked Yemeksepeti and had previously made a statement. In our article where we gave this explanation from here you can read. Let’s also remind you that illegal hacking is a crime. In this article, we wanted to show how wrong illegal hacking is by asking an expert. If you are not a white-collar hacker working within a company, we recommend that you do not get involved in these jobs.

To Yasir Gökce You can reach it on Twitter.

• Image Sources: Harvad Business Review, Crowd Strike, Analytics Insight, The New Yorker, BBC, Scroll.in, WIRED, Tech Crunch, Dashlane Blog, Bleeping Computer, Auth0, MIT Technology Review, Tech Crunch 2, The New York Times, VICE, Analytics Insight 2