It’s safe to assume that, in the internet era, all organizations and services will be targeted by malicious hackers sooner or later. It's not a matter of if, it's a matter of when.
What is Hacking, Anyway?
“Hacking,” which originates from a Germanic word meaning “to cut in pieces,” is the process of compiling information (or anything, really) together in a novel way that results in something interesting or useful. In a computer context, the word originated with a positive connotation—for example, Steve Wozniak, one of Apple’s original founders, was an exceptional hacker.
Today, the term “hacker” is more frequently used to describe someone who discovers and exploits a computer system weakness or vulnerability. Hackers use vulnerabilities to block system access, gather information, or gain access to more computers in a network.
This doesn't mean that hackers are all “bad guys.” In fact, there is an ethical hacking profession known as penetration testing.
Not All Hackers Are the Same
There are a number of hacker types. Here are some of the most common terms used to describe hackers and what they do:
White hat hackers operate ethically as penetration testers. They have full, contractual permission to try to compromise a system, and operate legally. Their goal is to find system vulnerabilities and improve system security.
Black hat hackers are the typical hoodie-wearing midnight hackers depicted in the media. They operate illegally and exploit systems for some kind of personal gain.
Grey hat hackers operate on the fence. Most of the time, they hack with good intentions, but might not have approached the hack in a totally ethical or legal way.
Why Do People Hack?
Hacking mostly has a bad connotation—but hacker motives vary across the black, white, and grey spectrum. Here are the most common motives behind hackers.
Hackers are often motivated by obtaining stolen credit card information or selling breached information online.
Hacktivism is the use of hacking techniques to leverage political activism. Hacktivists often manipulate sites and networks as a form of protest. This usually looks like a distributed denial of service (DDoS) attack, which disrupts network access. Anonymous is a famous hacktivist group.
Stuxnet is a widely known example of a national security-backed hacking strategy. Stuxnet is a computer worm that attacked Iranian nuclear facilities. The worm is presumed to be a joint effort between American and Israeli intelligence agencies. National cyber hacks tend to be extremely successful, as their teams have the resources and patience to find vulnerabilities and exploit them.
Improve Security Systems
As touched on earlier, penetration testers, or white hats, hack systems to test for vulnerabilities and improve security.
Many hackers hack simply because they can. For some people, hacking is like a hobby—as with most pursuits, it’s another reason to connect with a community of like-minded individuals.
There Are Two Main Types of Hacks
Hacking strategies fall into one of two categories, regardless of what shade a hacker’s hat is.
Category 1: Zero-Day
The first category of hacks exploits never-seen-before vulnerabilities, also known as zero-day vulnerabilities. They are the most damaging because they are not patched. Security teams do not know how to defend against them, and often don't even realize a system has been compromised. The hackers behind these attacks are highly skilled, scary-smart hackers.
For the most part, hackers “save” these attacks for something that has a huge financial return. Zero-day attacks are usually carried out on multinational businesses or national security systems.
Heartbleed was a zero-day exploit publicized in 2014 against Linux servers. (For those of you thinking, "it's ok, I use Mac/Windows," Linux servers comprise nearly 96.6% of public internet servers.)
Shockingly, there is no way of knowing how many people knew about and used the exploit before it was made public—and the code that Heartbleed exploited was introduced three years before its vulnerabilities were ever publicized.
Category 2: Everything Else
The majority of present-day hacks use code that has been written by someone else and released into the wild. This kind of hacker is often called a script kiddie—they use pre-existing software to launch attacks and don’t have much, if any, programming expertise.
A script kiddie process looks like this:
- Downloads malicious code or a script
- Targets it at someone or something on the internet they don't like
- Hits “run”
These hacks are fairly easy to defend against if a computer is updated.
“One of the most common ways 'done before' attacks are created is by watching the security updates for Windows, noticing the vulnerabilities they closed, and attacking those vulnerabilities on servers that haven't updated on time.” —Nick Turner, CISO, Echosec Systems
Security organizations are very good at pushing security updates once hacks have been discovered and the code is released. If a kid can find a script online, so can a security professional.
How Does Someone Hack a Computer?
Here is an easy, step-by-step process for hacking a computer:
- Ask the operator for the password.
- Sign in.
Seriously. Social engineering, the practice of manipulating people to divulge information, is by far the easiest method of gaining access to a computer system. Users might not intentionally give away their password—but some guile, psychology knowledge, and a touch of trickery are more than enough for hackers to get what they want.
This might seem like an exaggeration (“I would never fall for that...”)—but a surprising number of people willingly give their information away after viewing a well-composed phishing email.
A few years ago, a hacker stole the Twitter ID @N (which is apparently valued at $50,000) through some clever phone calls. Basically, the hacker called PayPal and used social engineering tactics to obtain the victim’s last four credit card digits. He then called the victim’s website hosting company, GoDaddy, and used the credit card information to reset passwords. The hacker then held the victim’s business website hostage until the victim was forced to give up @N.
Programming-based hacking is significantly harder, involving a lot of effort to find exposed vulnerabilities. Hackers exploit vulnerable code to gain full system administrative privileges. Many basic hacks require a “needle in a haystack” approach to find insecure pieces of a program's code—and not just any misbehaving code will work. It must fail in a way that benefits the hacker.
Did you know?: If someone has physical access to a computer for an extended period of time, there is very little you can do to stop them from gaining data access.
Hackers Seem So Cool In The Movies, Though!
Hacking isn't nearly as glamorous as Hollywood portrays. It's a lot of brute force experimentation and guesswork that can take months (or more).
Here is a great example of what hacking isn't. In the clip, two people are trying to defend against a hack by furiously typing while thousands of popups barrage the screen. More hands on a keyboard are not helpful, nor do most hackers advertise their presence on a system with annoying pop-ups.
The Social Network's depiction of Zuckerberg here is better. While it is dressed up, his hack is technically accurate—he navigates to different student directories and uses basic scripts to navigate around the structure and security of each site to download images. He only grabs several hundred photos from highly insecure websites over the course of a late night coding session, ignoring sites that were harder to access. That would be a lot of work.
How Do Organizations Mitigate Hacks?
Organizations that practice good security store important user information in different places under different security protocols. That way, when hackers get into a computer with a username list, they don't necessarily get other personal information, such as credit cards. Firewalls also help protect a network against cyberattacks.
Organizations can set up network monitoring systems to catch hacks in progress. The system might overlook first moves, but can catch hackers downloading information or committing other nefarious activities. The company's security team can then intervene and mitigate damage. Organizations can also use data discovery tools to find early data breach or hacking evidence on sites like Pastebin and the dark web.
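To make the monitoring idea concrete, here is a small added example (not from the original article) that flags a host whose hourly outbound volume jumps far above its own recent baseline. The host names, flow records, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: (hour, internal_host, bytes_sent_outbound)
FLOWS = [
    (0, "ws-014", 40_000_000), (1, "ws-014", 55_000_000), (2, "ws-014", 38_000_000),
    (3, "ws-014", 47_000_000), (4, "ws-014", 52_000_000),
    (0, "db-02", 5_000_000), (1, "db-02", 6_500_000), (2, "db-02", 4_800_000),
    (3, "db-02", 5_200_000), (4, "db-02", 9_400_000_000),  # sudden bulk transfer
]

def hourly_totals(flows):
    """Sum outbound bytes per host per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, host, sent in flows:
        totals[host][hour] += sent
    return totals

def egress_alerts(flows, min_history=3, factor=10, floor=500_000_000):
    """Flag hours where a host sends more than `factor` times the median of its
    own earlier hours and also at least an absolute `floor` in bytes."""
    alerts = []
    for host, per_hour in hourly_totals(flows).items():
        history = []
        for hour in sorted(per_hour):
            sent = per_hour[hour]
            if len(history) >= min_history:
                baseline = median(history)
                if sent >= floor and sent > factor * baseline:
                    alerts.append((host, hour, sent, baseline))
                    continue  # keep the spike out of the baseline
            history.append(sent)
    return alerts

if __name__ == "__main__":
    for host, hour, sent, baseline in egress_alerts(FLOWS):
        print(f"ALERT {host} hour={hour} sent={sent:,} B baseline={baseline:,.0f} B")
```

The first few hours of any host pass without an alert because there is no baseline yet, which mirrors the point above that monitoring can overlook the first moves and still catch the bulk download.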
Secure companies also educate their personnel about security best practices, such as password practices, 2-factor authentication, and how to identify phishing emails or social engineering. They also issue advisories if suspicious activity occurs.
Whoops, It Happened
Adobe neglected to properly encrypt and store user information. When their system was hacked, it took very little effort for hackers to reverse engineer passwords. Security researchers said that the company "should hang their heads in shame," regarding their security systems. Sony also failed to establish adequate system security, failing to detect more than 100 terabytes of information hemorrhaging from their servers.
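Why storage choices matter after a breach, as an added example that is not part of the original article: it compares a fast, unsalted digest with a per-user salted, slow key-derivation function. The article does not say how Adobe stored passwords, so the weak scheme here is a generic stand-in, and the accounts and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting for this example)

# Constructed accounts; two users happen to choose the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x7#Lq9vR-blue"}

def weak_store(password):
    """Stand-in for poor storage: one fast, unsalted digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def strong_store(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

def reuse_groups(stored):
    """Users whose stored values are identical: visible to anyone holding the dump."""
    by_value = {}
    for user, value in stored.items():
        by_value.setdefault(value, []).append(user)
    return [sorted(group) for group in by_value.values() if len(group) > 1]

if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in USERS.items()}
    strong = {u: strong_store(p)[1] for u, p in USERS.items()}
    print("weak scheme, shared values:", reuse_groups(weak))
    print("salted KDF, shared values:", reuse_groups(strong))
```

With the unsalted digest, identical passwords produce identical stored values, so one recovered password exposes every account that shares it; the salted scheme gives each account a distinct value and makes every guess cost hundreds of thousands of hash iterations.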
Hackers look for any valuable data. This could be a variety of things—personally identifiable information, financial information, code, classified documents, and more. This information is often sold, used for extortion, or used to harass and intimidate individuals.
How to Protect Yourself
There are a number of steps you can take on an individual or organizational level to defend against hackers:
- Consult your organization’s IT team and implement their best practices
- Install updates regularly
- Invest in antivirus software
- Use novel passwords for each account and store them in a tool like LastPass
- Use 2-factor authentication
- Invest in cybersecurity training to educate personnel about security best practices and tactics like social engineering and phishing
- Use a firewall to secure an organization’s network
- Use secure WiFi connections
- Back up data
- Keep devices stored securely
- Use data discovery tools to proactively find and mitigate cybersecurity threats
Hackers and their strategies come in all shapes and sizes—but one thing is certain: it’s a matter of when, not if, organizations will be targeted by malicious actors. The consequences of a data breach can be devastating for both individual victims and an organization’s global reputation. Investing time and resources in basic security practices, software, training, and threat detection tools is the best way to prepare for the inevitable.
Echosec Systems allows users to quickly detect information leaks and bad actors by scanning marketplaces, discussion forums, and other deep and dark web sites.