“So dude, do you know hacking?” asked my friend.
“See, that’s not how it works. A great deal of hacking depends on ….”. Nah! We didn’t really have that conversation. I just answered with a “No” because “Maybe” would’ve been harder to explain.
The Hollywood stereotype suggests that hacker is a nerd, wearing a hoodie, incessantly hitting keystrokes on his black–green screen (btw, you don’t really need to type so much since computers have had an ultra-convenient “Save File” feature since eternity). As technically ridiculous it is, I don’t normally lose my mind over it. The exasperating part of this stereotype is a misbelief that a hacker —
a) can take control of anything from someone’s telephone to national security servers.
b) has mastered a complex art to do every single thing.
News of websites getting vandalised, accounts getting hacked and photos getting leaked without the technical details simply reinforce the misbelief but the truth is that real-world hacking is much simpler than it seems — at least logically simple.
What is hacking?
Because of the course of history, the term “hacking” as gained two distinct meanings, both of which are subtly related. It may mean —
a) someone who is a skilled computer expert.
b) someone who breaks into computers.
So when programmers call themselves “hacker”, chances are that they are implying the first. But hey, don’t blame the coders, it was supposed to only mean that. Richard Stallman, renowned programmer and founder of FSF, explained the term in a 1985 TV documentary — “Hackers: Wizards of the Electronic Age” —
What they had in common was mainly love of excellence and programming. They wanted to make their programs that they used be as good as they could. They also wanted to make them do neat things. They wanted to be able to do something in a more exciting way than anyone believed possible and show “Look how wonderful this is. I bet you didn’t believe this could be done.”
Somewhere down the road, the mainstream media started increasingly associating the word with cyber crime and that’s how it gained the popular notion.
The nature of hacking
Consider a family who just got back from their Christmas vacation only to find that their house has been burgled. Upon investigating, they find that nothing was broken to enter the house which makes them think that the thief must have been a skilled locksmith to through the door. But what if the thief just had a bunch of keys which he was randomly trying against the street’s houses and robbed the first one for which it worked? Does it still sound that clever? Probably not.
It’s a little parable that illustrates the real nature of hacking. It can either involve brilliant manoeuvring or be very unsophisticated, it’s simply hard to know unless you can pin down the way it was done. Let’s illustrate a real world scenario —
A few years back, my Twitter account got hacked ( yes, technical folks also get hacked if they are not careful ) and hundreds of obscene messages were broadcasted to everyone I followed. After resetting everything, I tried to reason how it could have happened. I am cautious about installing anything on my computer and use a moderately strong password. Did someone really break into my computer?
My hypothesis is that I got punished for my habit of re-using the same password everywhere. Possibly, I registered with my real name and password on a compromised website and those credentials were used to get into my Twitter account. Considering that a similar hack that happened recently where 2.5K Twitter accounts were compromised carried an almost similar explanation, it’s a quite likely possibility.
The techniques behind hacking incidents have often been straightforward. Remember the iOS celebrity photo leak in 2014? The man behind the leak admitted that he sent thousands of spoofed emails to celebrities which were made to appear as if they were from “Apple”. Once they opened the link they were confronted with a fake login screen for the victims to entered their details. One of the significant hack in the past few years but there was only a simple phishing scheme behind it.
A similar explanation goes for a majority of hacks carried out by the Hacktivist group Anonymous which has been in the news innumerable times for taking down websites. Most of their attacks involve rudimentary tools and techniques. As Infosec Institute reports, their first course of action is to scan the website for common vulnerabilities to see if it can be taken over. Failing that, their next step is to launch a DDoS attack, which is a puerile act of sending millions of meaningless requests, forcing the servers to bog down to the unanticipated traffic. It’s like sending thousands of irrelevant mails to a post office so that they can’t process the real ones (courtesy: awesome forum person).
Sometimes, the reason behind the hack can be as simple as using a password in the top 50 common password list — yes, it still happens — a lot.
If hacking is often so simple, why does it seems to be so cryptic? I can think of three reasons —
a) News about hacking is hyped without emphasising how it was done.
b) Psychologically speaking, ‘breaking’ into someone’s computer / account / smartphone sounds so petrifying that simple explanations are just not thought of.
c) Most people are not tech-savvy enough to go into details and understand how it happened.
Not everything can be hacked and hacking incidents always carry a logical explanation. To trim it down, there are chiefly two ways to do it — you can exploit the gullibility of the target or take advantage of a flaw in the technology.
Most of the hacking involves people — making them do something that they aren’t supposed to do or take advantage of unsafe security practices. Our digital footprint has become enormous and slip-ups are far easier than they used to be.
Take, for example, free WiFi. Who doesn’t like an awesome public service internet but what if it’s a trap to sniff all the traffic (and consequently, all sensitive information) from anyone who uses it? Which is which? Depends on if you can trust the owner of the hotspot. Sometimes, public WiFis can have routers that ship with the most retarded default username and password combination, which sadly, never gets changed ( it’s either “admin” / “admin” or “admin” / “password” ). So even if the owner of the hotspot wasn’t ill-intentioned, a smart hacker can use this sweet opportunity to redirect all the traffic through his computer and bingo! the live stream of what everyone is doing is ready.
Fortunately, there is no real danger if the site being browsed uses HTTPS (most major websites) but in case the password is re-used, one login attempt at an insecure website might be suffice to gain access to every account the person has.
What if someone gets hacked three weeks after using a public Wifi? There is a slim chance that the victim will have any recollection of using it — “I don’t think I did anything bad in the recent past,” she would say.
This plausible scenario illustrates why hacking people is rather simple. People aren’t conscious of dangers of their digital activities and it’s not easy to recall anything to recognise the root cause of the hack. Phishing, getting malware installed, shoulder-surfing — unsophisticated as they may sound, people fall for them every day.
Not just the normal folks, this kind of hacking is used against everyone from defence personnel to people in high corporate positions. In 2011, The Daily Dot reported how Chinese hackers gained access to Russian military servers by Spearphishing, which is the art of sending fake emails that appear from legitimate sources.
These tricks are simple enough but hey! they work.
Software is everywhere but most of it is far from perfect. Software developers are humans and they can miss things — lots of things. Sometimes they may happen to be critical to security and if they can be nefariously exploited by an outsider, they become a “vulnerability”. But it’s not just the software wherein the problems can emerge, the IT infrastructure in today’s world is way beyond complicated and the people who run it ( “System Administrators” ) can make mistakes too in building it.
Consider a small startup going live with their first prototype. Since it’s only a small startup and they are only building a prototype, they pretty okay with using convenient shortcuts. The database of their choice is MongoDB. But here’s the thing about MongoDB — by default, it exposes itself publicly to anyone having an internet connection without requiring any credentials. The defaults go unchanged and the prototyping continues.
In 2015, somewhere around 35,000 of such MongoDB installations were running on the internet with 600TB of data exposed to internet. Shodan, a search engine that caught news in 2013 is dedicated to finding such exposed devices by scanning the entire web. In a report, CNN wrote —
It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. .. What’s really noteworthy about Shodan’s ability to find all of this – and what makes Shodan so scary – is that very few of those devices have any kind of security built into them.
By weak security, they mean “admin” as their username and “1234” as their password and accessible with a simple browser. The big part of the blame here doesn’t lie on the system administrator or the device user but on the vendor — defaults should be sane and the expectations should be that they won’t be changed.
Exposed devices and software are like an open invitation for Cybercriminals. The fix to this is not that hard but forcing organisations and vendors to take the necessary steps definitely is.
The next level of vulnerability involves exploiting security problems in code.
Last year, the internet buzzed with a major bug in an open source library affecting nearly 17% of all web servers. The vulnerability, dubbed ‘Heartbleed’, allowed an outsider to decrypt sensitive encrypted information (xkcd explanation is quite good) with a cleverly crafted message. A patch was released to fix the issue but two months later, around 300,000+ websites still lay vulnerable. Maybe people behind those websites are reckless or maybe just oblivious to the news but the internet is filled with software that hasn’t had critical updates.
In 2014, browser testing company, BrowserStack was hacked with one of their servers that didn’t deploy a fix for the ‘shellshock’ vulnerability. Fortunately, they escaped with medium-level damage (just an embarrassing email) and were quick to address the issue. But for the rest of the internet? — It’s not that difficult to run a crawler that searches the web for more fishes like that.
Some vulnerabilities come in code that others have written (library and external software), some which the company itself has written. It’s hard to exploit the latter because companies don’t have their code public to inspect but there is a small trick to that. Some security mistakes are so common that it’s relatively easy to check if they exist and go on from there. OWASP, a software security community, maintains a list of top ten of them when it comes to web software.
That’s how Anonymous hacked a security company’s website, HBGary, right after their CEO claimed that he had unmasked the true faces behind of the Group — gosh! what an embarrassment. The security company had built a custom CMS instead of using an existing solution which trusted the user input a wee-bit more that it’s supposed to and gladly gave the stockpile of private data when someone made a crafted request. Anonymous — You guys got really lucky this time.
But it’s not always about these low-hanging fruits, some vulnerabilities emerge because even for the smartest programmers, it’s impossible to keep every security issue in mind when building the software. Vulnerabilities can always creep in with growing codebase with danger looming large of someone finding and exploiting it. In the past few years, companies have started shelling out monetary rewards (“bug bounties”) to people who responsibly disclose it making it a win-win situation.
Beyond this point, hacking grows considerably darker because we are not talking about celebrity photos or teenage cyber wars but big corporates, governments and espionage.
Zero Day Exploits & Complex Attacks
On August 10, Ahmed Mansoor, an internationally recognised human rights defender, got a suspicious message with a link to “secrets of emirates torture” from an unknown sender .
Fortunately, Ahmed was less gullible than the people behind the hack thought and forwarded the message to Citizen’s Lab research without opening the link. What the organisation uncovered was the most sophisticated spyware that they had ever seen — a stealth program that could install itself with just a visit on a web page and spy on everything from WhatsApp messages to calendar, phone calls and contacts without ever being detected. The scale of this hack is far above the petty crimes we just mentioned, it involves a professional Israeli hacking organisation, NSO Group and a modest fee of $650,000 for 10 iPhone users.
The hack involved using three undisclosed vulnerabilities which could have existed since iOS 7. Unfixed vulnerabilities that can be adversely exploited are called zero-day exploits and for a strongly secure operating system like iOS, they are impossibly hard to find — hard enough to land you a million-dollar paycheck if you are confident about having such a exploit.
So how did NSO group got their hands on these exploits? There is a plausible theory that they bought it from Zerodium, a big zero-day exploits middleman company whose business model is essentially simple — pay hefty amount to hackers who are able to find exploits, trade them with their client base. Considering the fact that exploits could have existed in an iOS version dating two years back, it’s reasonable to believe that hundreds, if not thousands, phones were being spied one at the time of discovery.
It’s sad, it’s dark and considerably complex but when it’s about millions of dollars, the best minds in the world can be used to do the most sinister work.
We saw how hacking can be both banal and incredibly sophisticated but in many cases, a few precautions may be enough to avert common hacking attempts (unless you have a reasonable belief that governments are ready to spend half a million dollars to spy on you). Digital security is less about installing firewalls and anti-virus software but depends more on being vigilant about everyday activity.
A nerd typing few dozen random commands won’t get your Facebook account hacked but writing down the password on your desk or using it on every other website certainly would.