SpencerLindemuth
Hacking 101

What does it actually mean to be a hacker?

Well here's a clip of a dark web hacker in action:

Hacking is clearly the precise combination of finding the right ski mask and clever use of your banana hand. The people behind the Equifax data breach in 2017 penetrated the firewall by using a technique called multi-port exploitation, where they cleverly used a whole bushel of bananas to target numerous ports at once.

All jokes aside, the Equifax breach, which leaked the names, Social Security numbers, addresses, birth dates, and driver's license numbers of over 145 million Americans alone, was carried out by exploiting a flaw in Apache Struts, bad encryption techniques by Equifax, and insufficient breach detection mechanisms. So is this what hacking is? Finding flaws in systems and exploiting them using advanced programming techniques? It certainly can be! While those are a lot of the buzzwords we hear on TV about hacking, it can also be a plethora of other things! It really boils down to the age-old question... Is posting to your friend's Facebook feed while they use the bathroom hacking?

Hacking is defined as: "The gaining of unauthorized access to data in a system or computer".

By definition, this means that posting on your friend's account is hacking! Wow! That means we are all hackers! So with this newfound knowledge about ourselves, it should be pretty easy to steal some data from one of the world's largest credit reporting agencies! We just have to wait for the system administrator to get up to use the bathroom! While this may sound facetious and far-fetched, it brings us to the least-known hacking technique:

Social Engineering

Social engineering is: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. That sounds really vague, so let's break it down into a couple of examples.

Phishing:

Phishing is the use of deceptive websites and emails to coerce personal information out of people to gain unauthorized access to their accounts.

If we dig a little deeper into this email, we gain some insight into just what phishing is. First, we notice that the address we received this email from is close to wellsfargo.com but snuck an extra 's' in there to try and get the recipients to glaze over it without a second glance. Next, we have an embedded hyperlink with the text "wellsfargo.com/account", but if you hover over the link, you see that it actually links to "http://www.some-sketchy-site-that-looks-like-wells-fargo.com". A good phisher will send you to a site that looks exactly like the target site's login page, then, after you type your credentials into an input field, log them in plain text and tell the user there was an error logging in to get even more password variations out of the user, or redirect to the actual target site and high-five themselves for successfully stealing information. Next, we see a phone number for a customer service line. Well, if we are being smart about our security, we will call the customer service line just to make sure this email is legit! So we pick up our landline and dial the number here on the screen, and get a very nice voice on the other end of the line, who is almost too eager to have us verify some account information before telling us the link is indeed legit! Now you feel safer! Now you've given enough information to the hacker to gain access to your bank... And probably all your social media accounts... And your email... And your work email... And your work computer... And now this is a full-blown corporate attack.

Front-door social engineering:

Front-door social engineering is spoofing RFID tags, following people through doors and onto elevators, or pretending to be someone else to gain access to a system illegitimately. There's a famous saying,

  • "If you have a clipboard and a safety vest, you can walk in anywhere"

The same thing goes for I.T. people, and system administrators, and janitors, and anyone that works in a corporate office really. Someone wearing a white button-up and a tie could walk into a corporate office and say, "Did someone on this floor open an I.T. ticket?" Someone raises their hand, then the imposter comments, "This might take a few minutes if you want to go grab a coffee." Now this imposter is working unsupervised on a workstation, copying user data and emails to a flash drive. This sounds far-fetched, but it's a surprisingly common method of "hacking". EY’s Global Information Security Survey 2017 found 74% of cyber attack sources are careless or unaware employees. [1] This is an exploit of a system, but not one that reads 1's and 0's and communicates over Ethernet. This is the exploitation of people and their central nervous system. People are desperate to please, help, and avoid consequences, and hackers exploit this daily, because it's much easier than filtering through millions of lines of code on the internet to find a hole.

Cyber attacks

Don't fear! This isn't one of those articles where I lure you in with a topic like hacking and then tell you about how it isn't what you think it is, thus leaving you high and dry. There are still a large number of cyber attacks carried out on a daily basis. This is hacking in a more traditional sense. This is the person you see in the movies, in an abandoned warehouse surrounded by servers, with 9 monitors in a grid suspended in the air, typing in a bash terminal. Hacking in this sense, when broken down into smaller bits, is pretty simple and straightforward, although the techniques are not. To put it in layman's terms, hacking in this sense is finding an error in some code and using it to gain unauthorized access to data or execute code on a remote machine. This is also a vague description, so let's break it down.

Remote Code Execution

Remote code execution is every hacker's dream. A hacker finds a way to send code to a machine, which runs the code, returning information or opening up doors for bigger exploitations. A good example is the 2015 Android Stagefright media server exploit, or the 2014 Shellshock hack, which is described as "causing Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables." The technical explanation is that when Bash opens a new instance, it reads a list of predefined functions in a table referred to as environment variables, and executes them without verifying they were created legitimately. This was exploited through many different vectors, such as OpenSSH and DHCP requests, where a hacker could append specialized privilege escalation functions onto a request to the server that would open Bash to execute the initial command, not verify the appended code, and run all the commands haphazardly.

Code Injection

Code injection is the exploitation of a computer bug that is caused by processing invalid data, and is part remote code execution and part system manipulation. This is the category that script kiddies fall into, and it lands high on the list of most common attacks. Code injection encompasses SQL injection, scripting, and packet spoofing. This is the kind of hacking that takes advantage of poorly written code and a lack of input validation. An example is the 2012 Heartbleed attack, which was eventually patched with just one line of code! The Heartbleed attack was an exploit carried out against the OpenSSL protocol being used to encrypt web traffic across the world. To verify the SSL connection was still open, the web browser would send a "heartbeat" packet to the server, which would then respond with the size and message of the original packet, but the server wouldn't verify whether the packet it was sending back was the same size as the original, instead returning memory overflow data. A simplified explanation:

This exploit was fixed by this single line of code (or 56 characters for the curious):

if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;

That line isn't hard for even a beginner to read and understand, yet the effect radius of the exploit will forever be unknown.
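To see what that one comparison changes, here is a small Python model of the heartbeat echo with and without it. This is an added example, not OpenSSL's code and not from the original post; the flat `memory` buffer, the `ADJACENT` bytes and all function names are constructed for illustration, and only the `1 + 2 + payload + 16` comparison is taken from the line above.

```python
import struct

PADDING = 16  # padding bytes that follow the payload in a heartbeat message

def build_heartbeat(payload, claimed_len):
    """1-byte type, 2-byte claimed payload length, payload, padding."""
    return b"\x01" + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING

def respond_unpatched(memory, offset):
    """Echoes `claimed` bytes starting at the payload, trusting the header."""
    (claimed,) = struct.unpack_from(">H", memory, offset + 1)
    start = offset + 3
    return memory[start:start + claimed]

def respond_patched(memory, offset, rec_length):
    """Same echo, but applies the article's check first; None = drop silently."""
    (payload,) = struct.unpack_from(">H", memory, offset + 1)
    if 1 + 2 + payload + 16 > rec_length:
        return None
    start = offset + 3
    return memory[start:start + payload]

# Constructed stand-in for whatever sits next to the record in process memory.
ADJACENT = b"session=CONSTRUCTED-SECRET"

def run_case(payload, claimed_len):
    """Returns (unpatched reply, patched reply) for one heartbeat request."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + ADJACENT
    return respond_unpatched(memory, 0), respond_patched(memory, 0, len(record))

if __name__ == "__main__":
    print(run_case(b"bird", 4))    # honest length: both echo b"bird"
    print(run_case(b"bird", 40))   # inflated length: unpatched leaks, patched drops
```

The terms in the check are the 1-byte type, the 2-byte length field, the claimed payload and the 16 bytes of padding; if their sum exceeds the bytes actually received, the claimed length cannot be true and the request is dropped.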

This brings us to Spencer's top tips for avoiding getting hacked or fired for being "careless and unaware":

1:

Always lock your computers when you walk away from them! This seems obvious, but unlocked, unattended computers are more common than they should be! It's simple.

(⊞ Win + L) on PC, or (⌘ Command + ^ Control + Q) on Mac.

Don't get data jacked while you're getting caffeine jacked!

2:

This may be a hard reality to take in... But NO... That Nigerian Prince does NOT want to share his fortune with you. Things in life that sound too good to be true almost always are. Especially when they are communicated over email! No one will send you an email telling you how much money you've just won, or about an all-expenses-paid cruise for 2 that you got so lucky to be selected for! Look at Publishers Clearing House! They at least have the decency to show up to your front door with a giant check! Banks and other institutions DO NOT communicate private account information over email either. They may send you an information update verification to alert you if someone is tampering with your account, but they will not ask for any change to your personal information, or account verification, over email, to avoid this exact scenario. When in doubt, call your bank from the number on Google, or in the yellow pages if you are still on AOL.

3:

Use a password manager! There are tons available at tons of different price points. (Again here, you get what you pay for. You might not think it's important, but would you buy your car from Wal-Mart or your prescription meds 7-11 brand? Don't be cheap with your security!)
Google has a password manager built into their programs now, iCloud has Keychain, and well-known third-party managers include Keeper, LastPass, and Dashlane. They can help you generate long, unique passwords for every account, while never forgetting or typing one again thanks to autofill, and also protecting you from brute-force attacks, or plain and simple weak password techniques like hunter12 (although all I see is ********). Even a super-computer will have a hard time guessing:

LdjgfdksjhgJDLRKJZSKLFJKL:hjt4io4wr8iro1euwrewpt8o43tuO*U$#*OU$O#I$J#_E)(R#$%*UEOIJDKLGSJDKFAJSDGFKJHFGUYT*U(RU#)$IU#(ru30tujsdklgjdkgjfskgjeoir#UR5q9oRU

(I would have guessed Passw0rd first, but that string would have been my second guess)

3:

Number three sucks. It's a tip that isn't really a tip, but maybe something to turn some gears in your mind to help deal with the inevitable reality. Sometimes you just can't avoid attacks. The identities compromised in the Equifax breach were unavoidable by the people actually affected. Equifax was collecting your information with the "consent" you gave by being born, or signing up for that low limit/high interest credit card at 18 so you could get 5% off at Macy's and buy cigarettes without your parents finding out. The tip here is BE READY when your information is leaked. Put a credit freeze on your account to prevent criminals from opening lines of credit under your name. Change your passwords. Enable 2 step verification for all of your accounts. Even accounts like your Snapchat, Instagram, and iCloud are still tied to other accounts, can provide verification for important accounts, or leak things to the public you didn't want getting out.

It's a scary, hacked-together world out there... Don't get caught with your naughty pics on a Reddit thread, or the FBI going through your work computer at the Department of Labor because your computer gave hackers access to sensitive Department of Energy nuclear data.

Top comments (1)

Theo

Great read!