In our era of "Internet everything," it is safe to assume that all services are going to be the target of malicious users. It's not a matter of if, it's a matter of when.
BUT...HOW...? And what IS hacking anyway?
Update: We outline some of the latest cyber threats in this article.
“Hacking” used to describe when a clever individual put computer parts (or anything really) together in a novel, unintended way that resulted in something cool or useful. It was used with a positive connotation. For example, Steve Wozniak, one of the original founders of Apple, was an exceptional hacker.
Today, the term “hacker” is more frequently used to describe someone who discovers a weakness in a computer system or network (a vulnerability) and then takes advantage of it (an exploit).
Hackers then use that exploit to block access to regular users, download information, or to gain access to more computers in the network.
This doesn't mean that hackers are all bad guys. In fact, there is a whole professional practice built around ethical hacking called "penetration testing".
Note: For the remainder of this article, we’ll use the term “hacker” as it is commonly used today: as someone who takes advantage of a weakness in a computer system or network.
HACKERS OF A DIFFERENT CLASS
There are a large number of hacker classifications defining who hackers are and why they are hacking in the first place. Here are some of the more interesting ones. Most hackers fall into one or more of these categories:
- White hat: These guys do everything by the book. They have full, contractual permission to try and compromise a system. There are rules - white hats follow them.
- Black hat: These hackers are Bond villains. Black hat hacking is an illegal activity for some form of personal gain.
- Grey hat: Everything in-between. Most commonly, these guys hacked something with good intentions...only they didn't ask nicely first.
Every hacker has a motive. Why people hack can vary quite a bit.
Hackers that are chasing credit card information or other financially exploitable data fall under ‘standard hacker.’
Hacktivists manipulate sites and networks as a form of protest. Case in point - the notorious hacking group called 'Anonymous'.
Nations have been known to put together hacking teams with purpose. Stuxnet is probably the best example of a presumed Nation State hack. It is also likely the most sophisticated hack that the public has ever 'known' about. With Stuxnet, a presumed American-Israeli cyber team delayed nuclear weapons development in a number of non-allied countries, most notably Iran. Ultimately, if a Nation State wants to hack you, you are going to get hacked. National cyber teams have the resources and, more importantly, the patience to find an exploit and use it.
HACKS FALL INTO TWO MAJOR TYPES
Regardless of legality, all of these 'hacker classifications' can fall into one of two categories based on the type of hacks they carry out.
CATEGORY 1: BRAND NEW
The first category of hacks are brand new, never-before-seen exploits. These hacks are usually called zero-day hacks. They are, without exception, the most damaging. This is because no one has ever seen it before, so security teams don't know how to defend against it. Or, even more frightening, they don't even know that the system has been compromised. The people behind these hacks are the scary smart hackers that you don't want to cross.
For the most part, hackers will ‘save’ these attacks for something that has a huge financial return. Zero-day attacks are usually carried out on multi-national businesses or even national security systems. Hackers are not going to waste an incredibly valuable exploit on a mom-and-pop computer repair shop.
Heartbleed was a zero-day exploit publicized in 2014 against Linux servers. (For those of you thinking, "it's ok I use Mac/Windows," Linux servers comprise nearly 96.6% of public internet servers.)
Shockingly, we have no way of telling how many people knew of and used the exploit before it was made public.
...oh, and the bad code that Heartbleed exploited was introduced three years before the vulnerability was publicized...
CATEGORY 2: EVERYTHING ELSE
The second category of hacks is performed by "those who can't do, cheat." These hackers use code that has been written by someone else and released into the wild. This type of hack represents the majority of all present day hacking. The hackers behind these are, often disparagingly, referred to as "script kiddies" - kids who run pre-made malware scripts.
Basically, it looks like this:
- Download some malicious code or 'script'
- Point it at someone or something on the internet that you don't like
- Hit ‘Run’
The nice part about this type of hack is - it's pretty easy to defend against, but only IF you update your computer.
“One of the most common ways for 'done before' attacks to be created is to watch the security updates for Windows, notice the vulnerabilities they closed, and then attack those vulnerabilities on servers that haven't updated on time!” – Nick Turner CISO Echosec Systems
Security organizations are very good at pushing security updates once hacks have been discovered and the code released. If a kid can find a script online, so can a security professional.
...BUT HOW DOES SOMEONE HACK A COMPUTER?
Here is a step-by-step process for the easiest method to hack a computer:
- Ask the operator for the password.
- Sign in.
Seriously. Social engineering, the practice of manipulating people into divulging information, is by far the easiest method for gaining access to a computer system. While a user may not intentionally give away the password, some guile, a little knowledge of human nature, and a touch of trickery are more than enough to get the access you need.
Ok, ok, that's cheating...(but it works! If you're interested in seeing just how well it works, here is great video: https://youtu.be/bjYhmX_OUQQ)
Recently, a hacker stole the Twitter ID '@N' through some clever phone calls. Basically, the hacker called Paypal pretending to be an employee in order to get some basic account information about his intended victim. He then called the victim’s website hosting company, GoDaddy, and used that information to reset the passwords. After that, he held the victim’s business website hostage until the victim was forced to give up @N. That Twitter handle was roughly valued at $50,000 at the time. http://gizmodo.com/how-i-lost-my-50-000-twitter-username-1511578384
The significantly harder, programming-based hacking involves a ton of effort and a small piece of computer code that doesn't work properly.
Many basic hacks require a hacker to find a 'needle in a haystack' part of a program's code that doesn't work properly or is insecure. Not just any misbehaving code will work - the code has to fail in a way that gets the hacker closer to his goal. Not every bug is going to end in a catastrophic, company-ending hack.
Hackers then use the malfunctioning code to force the computer to grant them full access to administrative privileges.
After that, well, it's game over.
Did you know?: If someone has physical access to a computer for an extended period of time, there is very little you can do to stop them from gaining access to the data.
SO, WHAT IS HACKING?
Hacking is like participating in the world's worst scavenger hunt. Grab clues and solve a complex logic puzzle hidden in a maze of data and code. It looks a little like this: https://4sysops.com/wp-content/uploads/2006/07/Wireshark.gif
Actually, the maze of data looks exactly like that. Wireshark is a software tool that allows someone to examine the basic details of every packet that is sent over a network (provided you have access to the data). Packets are the small bundles of information that make up Internet traffic. A 'normal' network packet export can consist of thousands of lines of packet information.
For a less technical definition of a packet check out the explanation on How Stuff Works: http://computer.howstuffworks.com/question525.htm
At each stage, the directions consist of "you might know when you see it." Oh, and no one has done it before - you are on your own. Hacking often involves experimenting and testing your hack against a simulated computer under your control.
HACKERS SEEM SO COOL IN THE MOVIES THOUGH…
Hacking isn't nearly as glamorous as Hollywood portrays. It's a lot of brute force experimentation and guesswork that can take months (or more).
Here is a great example of what hacking isn't. There is absolutely, unequivocally nothing redeemable about this example of hacking in NCIS. In the clip, two people are trying to defend against a hack by furiously typing at a keyboard while thousands of popups are barraging the screen. In reality, more hands on a keyboard are not going to help, nor do most hackers advertise their presence in your system with annoying popups.
The Social Network's depiction of Zuckerberg here is better. While it is dressed up a little and layered with a great soundtrack, his hack is technically accurate. In this clip, he navigates to different student directories to download headshots of female college students – the beginnings of what would become Facebook. He uses very basic scripts to navigate around the structure and security of each site to grab the images in an unintended way.
In the clip, he only grabbed several hundred photos from highly insecure websites over the course of a late night coding session. He even ignored the sites that were harder to access. That's a lot of work.
HOW DO ORGANIZATIONS MITIGATE HACKS?
Among other preventative measures, organizations that practice good security store the important parts of their users' information in different places and under different security protocols. So, when hackers get into the computer that has a list of usernames, they don't necessarily get the list of credit cards associated with those users.
Companies can also set up network monitoring systems to try and catch a hack in progress. The system might not be able to detect the first step of the hack, but it might catch the hacker while they are downloading information or trying to do something nefarious. The company's security team can then intervene and mitigate the damage.
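The kind of monitoring described above, as an added example that is not from the original article: it totals outbound bytes per internal host over a set of constructed flow records and flags any host sending far more than its usual baseline (the record layout, host names, baseline figures and the 5x threshold are all assumptions for the demo).

```python
# Added example (not from the original article): a minimal data-exfiltration
# detector. It sums outbound bytes per internal host over constructed flow
# records and flags hosts whose outbound volume is far above their baseline.
from collections import defaultdict

# Constructed sample flow log: (timestamp, internal src host, external dst, bytes out).
SAMPLE_FLOWS = [
    ("2024-01-01T02:00", "ws-12", "203.0.113.7", 8_000),
    ("2024-01-01T02:05", "ws-12", "203.0.113.7", 12_000),
    ("2024-01-01T02:10", "fileserver-1", "198.51.100.9", 900_000_000),
    ("2024-01-01T02:12", "fileserver-1", "198.51.100.9", 1_100_000_000),
    ("2024-01-01T02:15", "ws-03", "203.0.113.7", 4_000),
]

# Assumed per-host daily outbound baseline in bytes, learned from normal traffic.
BASELINE = {"ws-12": 50_000_000, "fileserver-1": 200_000_000, "ws-03": 50_000_000}


def outbound_by_host(flows):
    """Total bytes sent out by each internal host, in first-seen order."""
    totals = defaultdict(int)
    for _ts, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def flag_exfiltration(flows, baseline, factor=5):
    """Return (host, bytes_out, reason) for hosts exceeding factor x baseline,
    and for hosts with no baseline at all (an unknown device talking out)."""
    alerts = []
    for host, total in outbound_by_host(flows).items():
        limit = baseline.get(host)
        if limit is None:
            alerts.append((host, total, "no baseline"))
        elif total > factor * limit:
            alerts.append((host, total, f"{total / limit:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for host, total, reason in flag_exfiltration(SAMPLE_FLOWS, BASELINE):
        print(f"ALERT {host}: {total} bytes out ({reason})")
```

A real deployment would learn the baseline from history and window the totals by time; the point here is that a plain volume check would already notice a transfer of the size described later in the article.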
If the company has one aspect of their security compromised, they will issue an advisory for users to change passwords and to keep an eye out for suspicious email. The users should, however, be confident that life will resume without major trouble.
Annoying, I know!
I would, however, take changing my password over going to the DMV or getting a cavity filled.
WHOOPS, IT HAPPENED
Problems get a little more serious when organizations do not properly protect their data - like Adobe - or when the attack on the infrastructure is particularly sophisticated – such as the hack on Sony.
Adobe neglected to properly encrypt and store user information. So, when their system was hacked, it took very little effort for the hackers to reverse engineer the passwords. Security researchers said, "[Adobe] should hang their heads in shame," regarding their security systems.
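To show what "properly" storing passwords means in practice, here is an added example (not Adobe's code and not from the original article) contrasting a weak store with a hardened one: the weak store keeps a bare, unsalted fast hash, so users with the same password get identical records and one precomputed table reverses all of them at once; the hardened store gives each user a random salt and a slow key-derivation function (PBKDF2). The user names, passwords and iteration count are constructed for the demo.

```python
# Added example (not Adobe's code or the article's): weak vs hardened password storage.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; tune for the target hardware
SALT_LEN = 16


def weak_record(password: str) -> bytes:
    """Unsalted, fast hash: deterministic, so duplicates and table lookups leak."""
    return hashlib.sha1(password.encode()).digest()


def strong_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Random salt + PBKDF2-HMAC-SHA256, stored as salt || digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_strong(record: bytes, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(records):
    """Groups of users whose stored records are byte-identical.
    Non-empty for the weak store; always empty for the salted store."""
    by_record = {}
    for user, rec in records.items():
        by_record.setdefault(rec, set()).add(user)
    return [users for users in by_record.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    pws = {"alice": "Winter2014!", "bob": "Winter2014!", "carol": "correct horse"}
    weak = {u: weak_record(p) for u, p in pws.items()}
    strong = {u: strong_record(p) for u, p in pws.items()}
    print("weak store leaks:", shared_password_groups(weak))      # [{'alice', 'bob'}]
    print("strong store leaks:", shared_password_groups(strong))  # []
    print("login ok:", verify_strong(strong["alice"], "Winter2014!"))  # True
```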
Similarly, Sony failed to establish appropriate security measures. As a result, when the organization was compromised, Sony failed to detect more than 100 terabytes of information hemorrhaging from their servers.
Hackers are looking for any information that can be valuable. This data could be your credit card number, personally identifiable information, or just generic account information.
For example, when the notorious extra-marital affairs website Ashley Madison was hacked, thousands of people were stuck in embarrassing positions. Public figures with accounts on the site faced scandal when the list of recovered email addresses was released.
Once hackers have the information, only their creativity limits how they can use it for fraud, extortion or worse.
It’s easy enough to protect yourself and your organization from hacks – or at least to get 99% of the way there. The first step is to listen to your IT team. As challenging as it might be to work with them, the IT guys and their security procedures are there to protect you. Working around them is exactly what a hacker is hoping to exploit.
If you don’t have an IT team, the single most important action you can take is to regularly update your computer. This will protect you from any of the common ‘done before’ attacks.
As mentioned in previous security blogs, an updated antivirus can also be a powerful tool. Often the default antivirus included with your computer will be sufficient. One step further is to use a service like Hyas Infosec.
Echosec delivers situational awareness through open source intelligence.