Real Clear Politics / Real Clear Technology, April 5, 2013

Everything You Need to Know About Hacking

By _James Hamlyn_ (http://www.realcleartechnology.com/authors/?author=James+Hamlyn&id=26192)
Last week, we woke to news that the _largest cyber attack ever_ (http://www.wired.co.uk/news/archive/2013-03/27/biggest-cyber-attack-spamhaus) was underway in Europe, with reports of global internet speeds falling as a result of an assault on the anti-spamming company _Spamhaus_ (http://www.spamhaus.org/). In recent weeks, the _Reserve Bank of Australia_ (http://realclearworld.com/topic/around_the_world/australia/?utm_source=rcw&utm_medium=link&utm_campaign=rcwautolink) has been the target of a cyber attack, as have _South Korean banks and broadcasters_ (http://www.bbc.co.uk/news/world-asia-21855051) and _BBC Twitter accounts_ (http://www.brisbanetimes.com.au/it-pro/security-it/bbc-twitter-accounts-hacked-by-proassad-group-20130322-2gjie.html).

The above stories were all reported as “hacking” – a blanket term readily used to encompass a whole range of attacks, from crashing a server to more sophisticated infiltration, such as stealing passwords. But, generally, news stories don’t discriminate. So what are hackers and their methods really like? What follows is something of a glossary, to cut out (or at least bookmark) and keep.

Types of hackers

Phreakers: Perhaps the oldest type of computer hackers, phreakers discover how telephone systems work and use their knowledge to make free phone calls. In the past, phone phreakers used what we now think of as hacking techniques to _access mainframe computers and programmable telephone switches_ (http://www.historyofphonephreaking.org/faq.php) to obtain information, alter records or evade capture. Famous (and now retired) phreakers include _Kevin Mitnick_ (http://en.wikipedia.org/wiki/Kevin_Mitnick), _Kevin Poulsen_ (http://en.wikipedia.org/wiki/Kevin_Poulsen) and Apple founders _Steve Jobs and Steve Wozniak_ (http://www.salon.com/2013/02/16/from_phreaks_to_apple_steve_jobs_and_steve_wozniaks_eureka_moment/).
Crackers: These guys bypass (_crack_ (http://en.wikipedia.org/wiki/Software_cracking)) security controls on proprietary software, DVDs, computer games and Digital Rights Management (_DRM_ (http://en.wikipedia.org/wiki/Digital_rights_management))-protected media. Crackers trade, share and publish game “_cracks_ (http://en.wikipedia.org/wiki/Software_cracking#Methods)”, _patches_ (http://pcsupport.about.com/od/termsp/g/patch-fix.htm), serial numbers and _keygens_ (http://en.wikipedia.org/wiki/Keygen) (activation key generators). They also embed _malware_ (http://en.wikipedia.org/wiki/Malware) in their cracks and patches, forming _Trojans_ (http://searchsecurity.techtarget.com/definition/Trojan-horse), to deter outsiders (mostly “script kiddies”; see below) from using their code. Unsuspecting people who use their cracks more often than not find themselves infected with worms and viruses (explained below). Such infections often bypass anti-virus tools and _firewalls_ (http://searchsecurity.techtarget.com/definition/firewall), and are probably responsible for most of the malware on teenagers' home computers.

Black Hat Hackers: These are crackers who actively develop malware and intrusion techniques and tools for _evil purposes_ (http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller). _Black Hats_ (http://www.pctools.com/security-news/blackhat-hacker/) are motivated by profit. Criminal organisations, foreign governments and spy agencies will pay handsomely for the latest _zero-day_ (http://linux.about.com/cs/linux101/a/0-day__zero-day.htm) (not publicly known) exploit. Journalist _Brian Krebs_ (http://en.wikipedia.org/wiki/Brian_Krebs) recently _reported a bidding war_ (https://twitter.com/briankrebs/status/292268061904482306) for a Java exploit valued at more than US$5,000.

White Hat Hackers: These are the good guys.
_White Hats_ (http://www.techopedia.com/definition/10349/white-hat-hacker), also known as “ethical hackers” and “pen-testers”, are security researchers. They _test systems_ (http://www.independent.co.uk/news/science/white-hat-hacker-discovers-names-of-anonymous-volunteers-of-genome-study-in-security-drill-8457739.html) (often using the same tools as Black Hats, but within the law) by conducting penetration testing and security audits as a service for businesses and organisations that don’t want to be hacked. White Hats report on any vulnerabilities found and what needs to be done to fix them. Both the _US_ (http://www.nationalccdc.org/) and _Australian_ (http://cyberchallenge.com.au/index.html) governments have set up competitions to encourage school and university students to take up (White Hat) hacking as a career. (My Swinburne team competed in the pilot version of Australia’s _Cyber Challenge in 2012_ (http://cyberchallenge.com.au/cysca-2012.html) and scored higher than all other Victorian universities.)

Grey Hat Hackers: Grey Hats _generally work within the law_ (http://searchsecurity.techtarget.com/definition/gray-hat) but may publish vulnerabilities and exploits or sell exploits to unknown buyers without asking too many questions. They may also report vulnerabilities to software vendors anonymously to avoid prosecution. Unfortunately _some vendors object_ (http://www.esecurityplanet.com/headlines/article.php/3932381/Researcher-Faces-Lawsuit-for-Reporting-Security-Flaw.htm) to having their defective code discovered and _discourage security research_ (http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html) on their products.
Script kiddies: Also known as “skiddies”, these are a growing number of _amateur Black Hats_ (http://en.wikipedia.org/wiki/Script_kiddie) who cannot develop their own code but can adapt other people’s exploits and use _hack tools_ (http://en.wikipedia.org/wiki/Hacking_tool) to attack organisations and each other. Script kiddies find the term _offensive_ (http://www.secpoint.com/what-is-a-script-kiddie.html) and have been known to _launch cyber-attacks_ (http://www.theregister.co.uk/2001/02/21/virus_toolkits_are_skiddie_menace/) against people who have denigrated them or their skills. It is likely that many of the “hackers” _associated with online protest group Anonymous_ (http://www.rawstory.com/rs/2011/08/04/dhs-calls-anonymous-hackers-untalented-script-kiddies-warns-of-future-attacks/) are script kiddies.

Cyber-troops, cyber-soldiers: These are state-sponsored _military personnel_ (http://intelreport.mandiant.com/) trained in hacking techniques, who use malware and those techniques to spy, gather intelligence, steal intellectual property and disrupt enemy systems.

Spammers and Phishers: _Spammers_ (http://www.thefreedictionary.com/spammer) use programs – _spambots_ (http://en.wikipedia.org/wiki/Spambot) – to automatically send email, SMSs, instant messages and tweets to potential buyers of their products. _Phishers_ (http://www.thefreedictionary.com/Phisher) use the same technologies (and fake “_pharming_ (http://www.scamwatch.gov.au/content/index.phtml/itemId/829456)” sites) to entice victims to click on links (and type in user-names and passwords) and download and install malware. The book _Spam Kings_ (http://oreilly.com/spamkings/) recounts the early history of many spammers.

Types of hacks

Now that we know who the bad guys are, let’s consider what they do and how their actions are likely to affect people.

Script injection (SQL, JavaScript) attacks: Most websites are connected to databases.
With Structured Query Language (_SQL_ (http://www.techopedia.com/definition/1245/structured-query-language-sql)) _injection_ (http://searchsoftwarequality.techtarget.com/definition/SQL-injection), attackers run their own code on these databases, allowing them to change records, delete data and extract private information such as credit card numbers, passwords or password hashes. _JavaScript injection_ (http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/Javascript-Injection) happens through publicly-writable web sites such as Facebook, Twitter and sites with forums and discussion boards. If user input is not properly filtered, an attacker can upload script that extracts private information from people visiting the site. Scripts can bypass firewalls to extract user credentials, track user activities, install malware and even turn on the web camera and microphone. The simplest way to prevent such attacks is to _turn off scripting_ (http://browsers.about.com/od/internetexplorertutorials/ht/ieactivescript.htm) (in your browser). The _Firefox NoScript plug-in_ (https://addons.mozilla.org/en-US/firefox/addon/noscript/) is an easy way to do this.

Password cracking: Simply put, if an attacker can guess your password, he or she can take over your computer. Most computer users are overwhelmed by the number of account names and passwords they have to remember, so they tend to _re-use them_ (http://www.infoworld.com/d/security-central/password-reuse-opens-doors-cyber-criminals-457). An attacker can use SQL injection to recover passwords or password hashes from a poorly-secured website, and then try the same user-names and passwords to log into high-value sites such as bank accounts. Websites and email systems that restrict password length are the _easiest to attack_ (http://answers.uchicago.edu/page.php?id=16276).

Brute force attacks: These _use automated tools_ (http://en.wikipedia.org/wiki/Brute_force_attack) to guess the password or re-create the password hash.
The most effective ways of _preventing this_ (http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php) are to (a) use long passwords, and (b) use different passwords.

DoS/DDoS: _(Distributed) Denial of service_ (http://www.webopedia.com/TERM/D/DDoS_attack.html) attacks are generally launched against organisations, whose servers are flooded with “broken” network communications that cause the servers to slow down or even crash. Companies that rely on online trading will lose a lot of money (and reputation) if this happens, and will often _pay the attackers_ (http://negbox.com/how-price-your-ddos) to call off the attack.

Viruses, worms and trojans: These are infection carriers used to distribute malware. _Viruses_ (http://www.ust.hk/itsc/antivirus/general/whatis.html) travel by _thumb drives_ (http://www.wisegeek.org/what-is-a-thumb-drive.htm), _worms_ (http://searchsecurity.techtarget.com/definition/worm) travel through the internet, and _Trojans_ (http://searchsecurity.techtarget.com/definition/Trojan-horse) are downloaded by unsuspecting users. Anti-virus software will stop most of this, but not the latest (or _zero-day_ (http://linux.about.com/cs/linux101/a/0-day__zero-day.htm)) malware attacks.

Crimeware, hijackers and ransomware: Black Hat hacking has matured into an industry. Hackers can purchase _crimeware_ (http://www.tradingpost.com.au/Help/Trust-Safety/Protect-yourself-online/Crimeware) packs for a few thousand dollars and start up a business distributing malware, accepting payments and laundering money. _Hijackers_ (http://www.ehow.com/about_6465909_definition-computer-hijack.html) take over your web browser and redirect you to advertising sites. _Ransomware_ (http://www.microsoft.com/security/portal/shared/ransomware.aspx) infects your computer and prompts you to call a toll-free number, where you can pay to have your computer remotely “disinfected”.
Man-in-the-browser malware, such as _Zeus_ (http://threatpost.com/en_us/blogs/man-browser-inside-zeus-trojan-021910), can intercept your online banking sessions in your browser and phone, draining your account by sending money to the attackers.

Bots and bot-nets: _Bots_ (http://en.wikipedia.org/wiki/Internet_bot) emulate human users. Once a bot has infected your computer, you are “owned”. Your computer (now a _zombie_ (http://netsecurity.about.com/od/frequentlyaskedquestions/qt/pr_bot.htm)) is remotely controlled by a _bot herder_ (http://en.wikipedia.org/wiki/Bot_herder) who can use it and hundreds of thousands of other zombies to launch DDoS attacks, crack passwords, send spam and host illegal content.

Protect yourself

We can only minimise the risks, but the risks are well understood. Turn off scripting, maintain your anti-virus, don’t read unsolicited emails, use long passwords, use different passwords, don’t download programs you didn’t go looking for, be sceptical … and finally: learn about computer security (to find out what else you can do). There’s no need to be paranoid. Just be careful. White Hat hackers are there to help by exposing the risks and testing the systems. Trust them. They’re the good guys.
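As an added example that is not part of the original article, the script injection section above carried into working code: a login query built by string concatenation beside its parameterised form, and a forum post rendered raw beside its HTML-escaped form. The user table, accounts and payloads are constructed for illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Query built by string concatenation: the user's input becomes part of
    the SQL text, so a quote in it changes the meaning of the statement."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, name, password):
    """Parameterised query: values travel separately from the statement and
    are only ever compared as data, never interpreted as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

def render_post_vulnerable(body):
    """Drops a forum post into the page verbatim, so a <script> tag in the
    post would run in every visitor's browser."""
    return "<div class='post'>" + body + "</div>"

def render_post_safe(body):
    """HTML-escapes the post so '<' and '>' are displayed as text, not parsed
    as tags; the same idea applies to any untrusted text placed in a page."""
    return "<div class='post'>" + html.escape(body) + "</div>"

# Constructed payloads: the textbook form of each injection.
SQL_PAYLOAD = "' OR '1'='1"                 # turns the WHERE clause into a tautology
XSS_PAYLOAD = "<script>alert(1)</script>"   # script smuggled into a forum post

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", SQL_PAYLOAD))  # ['alice', 'bob']: no password needed
    print(login_safe(db, "alice", SQL_PAYLOAD))        # []: payload is just a wrong password
    print("<script>" in render_post_vulnerable(XSS_PAYLOAD))  # True
    print("<script>" in render_post_safe(XSS_PAYLOAD))        # False
```

The parameterised query and the escaped rendering are the server-side fixes; the browser-side NoScript advice in the article only protects the visitor, not the site's database.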
