Thursday, December 29, 2011

Hackers

Hacking is not new, nor are the motives for hacking. But not all people know what they are, nor how the hackers act on their motives, nor how they can protect themselves or their companies from hacking. Let's talk about hackers for a bit.

Means

All it takes is a computer and a connection to the internet, right? Wrong. It takes mad skills to get anywhere in the hacking game. A penchant for puzzles. A love for spy vs. spy. A more than average intelligence. And it takes friends, either real people or just botnets. Or, just access to the right tools.

Attacks on organizations, particularly DDoS (distributed denial of service) attacks, are typically organized via social media, coordinated on Twitter, and accomplished with tools such as Low Orbit Ion Cannon (LOIC), a tool specifically designed to accomplish DDoS attacks. These attacks quickly make websites useless because their servers are overloaded with incoming messages.

The hacker's toolkit includes the rootkit, basically a way of achieving administrative privilege security level on a computer. Usually malware starts the ball rolling, perhaps installed by a zero-day exploit. This malware subsequently installs some processes designed to be completely undetectable that aid the hacker in accomplishing their tasks. Once a rootkit has penetrated a computer, that computer can then be used remotely and it becomes a zombie (or bot). When a large number of these computers have been secured, they become a botnet. So a hacker can, for instance, install LOIC onto several computers in this fashion to provide more power (and bandwidth) for a DDoS attack.

But, of course, it is possible to simply rent the computers to accomplish the same task. It's easy to rent hundreds of computers from Amazon Web Services. The attack against Sony Corporation's online entertainment services, which resulted in the compromise of the personal accounts of over 100 million customers, was facilitated in this way by users with fake names.

Tools are available online and some people just use them without realizing how they do their job. Such people are called script kiddies in the hacking world. Hacking tools are apparently available for several purposes. Keyloggers are a kind of malware intended to record each keystroke the computer's user types, including their username and password. They are often structured as a trojan horse, a program designed to look like a trusted system, perhaps the login screen. There are plenty of techniques used by modern hacking groups like the recently-disbanded LulzSec and the active group Anonymous.

Most of these tools and techniques are designed to penetrate a computer and obtain system administrator privilege. Once a hacker has this privilege then they can access or change any file on that computer. The files can contain other passwords, or perhaps valuable data such as credit card information or personal addresses and phone numbers. Or perhaps it contains private information.

Motive

The DARPA Shredder Challenge
In 1974 when I was a freshman at Caltech, there was a bit of hacking about. One blonde-haired "troll" was quite proud that he had penetrated a security kernel of a system remotely by hand-disassembling it from an IBM 370 machine code dump. Over Christmas break, some students orchestrated and accomplished the "McDonald's Sweepstakes Caper". I was in Steve Klein's dorm room listening to Pink Floyd's Dark Side of the Moon in Page House when someone walked in with a bag of McDonald's. A contest entry form was passed around and the guys discovered that the entry form said "enter as often as you wish". Even more damaging was that the fine print on the entry form didn't say the forms had to be handwritten or signed by a human, or even that they couldn't be printed separately. We thought this was hilarious! When I went home for Christmas break, they used a computer to print out hundreds of thousands of entry forms and distributing them into as many McDonald's as they could find. By the end of my freshman year, they had won 20% of the contest's prizes, including a car. Although the caper wasn't exactly hacking, it demonstrates the first motivation for hacking: it's for the honor of saying "I did this". Yes, it is very similar to the reason people climb Mount Everest.

So, honor and a sense of one-upmanship is a very powerful psychological motivation for hacking. Witness the years-long rivalry between MIT and Caltech that finally erupted in Caltech's cannon being stolen.

These days it's quite a challenge to keep secrets, it seems. The more valuable your secrets are, the more people are trying to get them. The more damaging your secrets are, the more people are trying to publish them. The more famous you are, the funnier people think it is to harass you. These illustrate three other motives: the criminal, social activist, and humorous motives for hacking. Nowadays, there is one more overarching reason for hacking, and its totally wrong: state-supported hacking. Hacking for destabilization, infrastructure attack, and for gaining the economic upper-hand are increasingly becoming common.

Indeed, some of the more infamous attacks use rootkits to penetrate special-purpose systems and accomplish political gains. The Greek wiretapping hack is one example: the perpetrators were never discovered. The Stuxnet virus, a brazen frontal attack on the Iranian nuclear weapon ambitions, has been long suspected to be Israeli, American, or Russian in origin but we may never know. It also attacked special-purpose hardware using a root kit.

Criminal hacks abound. Consider the phone hacking scandal involving the News of the World. The British tabloid hacked into the voice mail of the murdered school girl Milly Dowler in order to secure an interview with her mother. This was intended to sell more newspapers, so the motive was money; the act was criminal. But it was only the tip of the iceberg.

The release of damaging information often results from a sense of social activism. They believe they are advancing the cause of transparency, accountability, and freedom. The case of Bradley Manning and WikiLeaks illustrates this trend more than any other case, although it really wasn't hacking. For hacking-related social activism, it's better to look at Anonymous and the emergence of the hacktivist.

Opportunity

Hacking is definitely a crime. There's even a name for it: cybercrime. But is it the only crime being committed? Is there perhaps some stupidity or worse gross negligence that enables hacking and the subsequent loss of data, by creating a huge low-hanging-fruit opportunity? Oh, most certainly!

The largest presented opportunity is fame. But sometimes you can't help being famous. Sometimes it's not even your ambition to be famous. Still, when you are famous, people love to see what you are doing. This is why data about them is highly prized: to sell gossip zines. It appears to have become common for paparazzi to be in league with hackers, sometimes freelancing and sometimes connect with specific media outlets. Media outlets often offer huge sums for pictures of celebrities. My favorite is the National Enquirer, which offered a cool $1M for an Obama love tryst video.

The next presented opportunity is lack of proper security. This almost doesn't need to be explained. Anybody with a password of 123456 or qwerty probably doesn't know how insecure they are - simply because of cluelessness. There are plenty of available lists of common passwords. All a hacker has to do is try them. But truthfully, any word in the dictionary can be tried by using a password-cracking tool. There is even a list of commonly-used iPhone passwords. So it is very important to choose a username/password pair that is secure. They say to (1) use a word not in the dictionary, (2) have the password be 8 characters or longer, (3) include at least one or more numeral in the password, and (4) to include both upper and lower case letters. Using the same password for several accounts is also not a good idea. E-mail passwords are typically sent across the wires in plaintext format, so bear that in mind.

Sometimes getting into a computer is not very hard due to zero-day exploits: an exploit such as a buffer overrun that you can use right now (because it's installed in several running computers) that nobody knows about. And if they are in, then they don't need your password. So your security should go even deeper. Information stored on your computer that has intrinsic value, or is held in confidence for your customers should be encrypted. Failure to do so has led to several infamous hacks and also of loss of data in the wild. This is inexcusable, particularly in the presence of such viable alternatives as Transparent Database Encryption in Oracle systems.

A browser vulnerability, known as parameter tampering, where the browser address string is simply changed from one account number to the next, caught Citibank off guard when hackers used their computers to modify the string tens of thousands of times and access confidential data.

Finally, hackers are increasingly becoming emboldened by the opportunity of being able to easily sell their ill-gotten credit card and user identity information. Online bazaars are professional-looking sites that allow the hackers to easily connect with their buyers, who use the information to impersonate the victims and buy merchandise.


2 comments:

  1. I have been active in web security.

    There are at least two definitions for a hacker:

    1. An enthusiastic and skillful computer programmer or user.
    2. A person who uses computers to gain unauthorized access to data.

    Many more definitions:

    http://catb.org/jargon/html/H/hacker.html
    http://catb.org/jargon/html/introduction.html
    http://catb.org/jargon/html/meaning-of-hack.html

    However, one of the early hackers, who is the spokesman of the open software movement (as opposed to Stallman's free software movement), claims that we must not conflate the terms "cracker" with "hacker":

    http://www.catb.org/~esr/faqs/hacker-howto.html#what_is

    I agree that cracking is illegal, yet as usual the state makes laws to regulate that which they can not enforce. It is somewhat analogous to passing a law against stealing wallets that people leave on sidewalks. In reality, cracking will continue to increase, in spite of high profile busts, and the users (and their service providers) have to properly lock their data. If users leave their valuable data wide open, then the state can not protect them, no matter how many laws it passes.

    You have described some of the basic security holes that users need to address.

    Others include the fact that unless the user has set an SSL certificate in their browser, they are always vulnerable to man-in-the-middle attacks for any secure website they access, including banking websites.

    Mozilla developers expressed some interest in improving this when I pushed the issue:

    https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c47

    However, they have an open bug report on this for over a decade:

    https://bugzilla.mozilla.org/show_bug.cgi?id=588704#c27

    Yet another is that browser cookies are not encrypted on the client side, so a virus can gain access to secure sites in spite of having an SSL certificate installed on your browser.

    In short, afaics the concept of secure websites is a farce.

    There there are those oxymoronic "secret" questions password recovery. The name of my first dog, where I was born, etc... are not secrets! Especially after I answer the same question on several websites (you think they are all perfectly secure??). I always answers these (if I am forced to answer) with gibberish, e.g. "kjhbjkuytv78wsdnjksnkjjn891gb ckj". Then I call or email support if I need password recovery.

    Zero-day attacks such as buffer overruns and other developer error exploits, could possibly be significantly reduced automatically at the programming language design:

    http://en.wikipedia.org/wiki/Joe-E

    Afaik, Java prevents buffer overruns, but iOS's Object C does not.

    I have also had debates with security researchers about XSS exploits which I claim are not security holes. The security hole occurs upstream. These people are in danger of ruining the internet by discarding degrees-of-freedom at the wrong layer.

    There is a lot more to say on this subject...

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete