What is hacking?
August 24, 2016 3:57 PM

I don't understand hacking. How is it done?

How is hacking done? How is data stolen from a website? And how does a hacker change things on a website, like with what happened to Leslie Jones' website today. Is hacking done with a browser? Or with terminal? Does a hacker have to have a password to hack? I don't know much about computers at all, and I'm just curious to know the basics of how it's done.
posted by Triumphant Muzak to Computers & Internet (16 answers total) 29 users marked this as a favorite
 
Hacking in common speech encompasses every mechanism or technique you can use to subvert control, privacy, or oversight of a system. So yes to all those things.

There are infinite resources to learn more. I grew up reading Phrack and 2600. Today, the NSA is offering free cybersecurity career training. If you just want to try out hacking tools yourself you can play with Metasploit.

Most probably you just want to read about awesome things so check out the Pwnies.
posted by doteatop at 4:09 PM on August 24, 2016


Best answer: There are lots of methods.

Sometimes there is a direct vulnerability on a website or other server where you can pass it specially crafted magic words, or rather, code structured in a very specific way, and the website can be tricked into executing that code on the server. You can do that to give yourself a backdoor into the system and change files, etc.

A very common way to "hack" is to send people phishing emails masquerading as emails from someone they know. They'll say something like "about that morning meeting, see attached", and they have an attachment which is actually a trojan horse of some kind. The user clicks the attachment and then the emailer has access to their computer.

Another method is to use an automated password cracker to "brute force" the password, just by trying every possible combination of passwords until access is gained. This is why you should use a strong password.

Other times, people gain access to systems by tricking someone into giving them access, over the telephone. This was Kevin Mitnick's favorite thing to do.
posted by dis_integration at 4:09 PM on August 24, 2016 [5 favorites]


Security questions for password resets or "forgot my email address" resets are easy to figure out for most people, and with as much information as is out there for celebrities, it's even easier.

Sometimes "hacking" is as simple as guessing the answers to security questions, or guessing passwords.
posted by erst at 4:10 PM on August 24, 2016 [2 favorites]


Best answer: Hackers who break into computer systems (often derisively called "script kiddies") typically use known vulnerabilities in software to gain and escalate their access to the remote computer. Their goal is to trick the victim's computer into thinking they are its owner (aka "administrator" or "root") so that they can do things like edit the content of a web page or download protected files using the same sorts of tools the legitimate owner might use.

To do this they might use a number of tools including web browsers and terminals (though "terminal" is more a way of talking to your computer than a piece of hacking software in itself, the terminal is used to run software that exploits these vulnerabilities.) The people performing malicious activities in the real world are generally not clever enough to discover these exploits on their own, and instead use prepackaged software to detect vulnerabilities and perform the break-in.
posted by contraption at 4:14 PM on August 24, 2016


Response by poster: Thanks for the informative answers!

"Could you clarify your question? I'm sure we could link you to some post-mortem write ups of attacks of interest to you or walk you through them."


Sure! Can you unpack this for me?

"...But some of the most compelling evidence linking the DNC breach to Russia was found at the beginning of July by Thomas Rid, a professor at King’s College in London, who discovered an identical command-and-control address hardcoded into the DNC malware that was also found on malware used to hack the German Parliament in 2015. According to German security officials, the malware originated from Russian military intelligence. An identical SSL certificate was also found in both breaches."
posted by Triumphant Muzak at 4:26 PM on August 24, 2016


Best answer: What they're referring to is some bad software that has already been somehow installed on the DNC systems. Probably through phishing emails, or a compromised USB key or something like that. When this software gets executed, it calls out to a system somewhere on the internet (a "command and control" system) and says: Hey! I'm here. You're in. What do you want me to do? Then the hacker accesses that command and control system to send commands to the malware (like start a keylogger, give me a screenshot of the screen, try and take a picture with the webcam, etc.) The IP address of the command and control system has to be built into (hardcoded into) the malware/trojan so it knows who to contact once it has been executed.
posted by dis_integration at 4:32 PM on August 24, 2016


Best answer: In addition to exploiting systemic security vulnerabilities (in software, operating systems, hardware) a great deal of hacking is done just by talking or writing to people. Nowadays the young'uns call many of these attacks "phishing," which involves getting someone to give you private information by pretending to be someone else. When a bunch of celebrities had their sexytimes photos leaked online awhile back, it turned out that the "hacker" basically just asked people for their passwords over e-mail and got into their accounts that way. While it's totally possible that the Jones hacker used a script to break into the hosting provider it's just as likely that they simply wrote to Jones' assistant pretending to be an admin and requested access in order to fix a "problem." Another common method to gain entry is to attach malware to an email and then use manipulation to get the recipient to click on it. Say your mom's e-mail address is mom@goggle.com and you get an e-mail from mom@gogggle.com that reads "Can you please print this for me? I'm out of ink." and has an excel attachment. You might unthinkingly click on it and unleash malware into your computer system. By the time you realize it, it could be too late to undo the damage.

Another common method of access is leaving around shiny but malware laden objects for people to plug into their laptops. Say a "dropped" thumb drive or "lost" mp3 player. This is how the CIA and the Mossad allegedly inserted malware known as Stuxnet into Iran's nuclear production facility to shut down their centrifuges.

On preview:
"An identical SSL certificate was also found in both breaches."
Just to add to what dis_integration said, an SSL certificate binds a cryptography key to a domain name, server, or hostname and an organizational identity or location. So it's like attaching a code to your house. If you re-use the same certificate you are essentially linking yourself to separate incidents.
posted by xyzzy at 4:43 PM on August 24, 2016 [3 favorites]
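
A mail filter can catch the mom@goggle.com versus mom@gogggle.com trick from the answer above by measuring how close a sender's domain is to the domains you already correspond with. The C below is an added example, not part of the original thread; the function names, the sample addresses and the distance threshold of 2 are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_DOMAIN 64
#define LOW(c) tolower((unsigned char)(c))
enum verdict { KNOWN, LOOKALIKE, UNRELATED };

/* Case-insensitive edit distance between two names; -1 if one is too long. */
int edit_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    int row[MAX_DOMAIN + 1];
    if (la > MAX_DOMAIN || lb > MAX_DOMAIN) return -1;
    for (size_t j = 0; j <= lb; j++) row[j] = (int)j;
    for (size_t i = 1; i <= la; i++) {
        int diag = row[0];               /* previous row, column j-1 */
        row[0] = (int)i;
        for (size_t j = 1; j <= lb; j++) {
            int up = row[j];             /* previous row, column j */
            int best = diag + (LOW(a[i - 1]) != LOW(b[j - 1]));
            if (up + 1 < best) best = up + 1;
            if (row[j - 1] + 1 < best) best = row[j - 1] + 1;
            diag = up; row[j] = best;
        }
    }
    return row[lb];
}

/* Compare the sender's domain with domains the user already writes to. */
enum verdict check_sender(const char *addr, const char *const known[], size_t n)
{
    const char *at = strrchr(addr, '@');
    const char *domain = at ? at + 1 : addr;
    enum verdict v = UNRELATED;
    for (size_t i = 0; i < n; i++) {
        int d = edit_distance(domain, known[i]);
        if (d == 0) return KNOWN;
        if (d > 0 && d <= 2) v = LOOKALIKE;  /* threshold 2 is an assumption */
    }
    return v;
}

int main(void)
{
    const char *const known[] = { "goggle.com" };      /* constructed sample */
    printf("mom@gogggle.com -> %d (1 means lookalike)\n",
           check_sender("mom@gogggle.com", known, 1));
    return 0;
}
```

A sender whose domain is one or two characters away from a trusted one, but not identical to it, is the case worth flagging before the attachment is opened.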


Response by poster: I realize my responses seem like they're written by a 7-year old. Sorry.

When a hacker writes a program to enter a bazillion passwords until one finally works (a brute force program?), does that mean that the program goes to the login page and automatically starts entering one password after another into the login field? When I type an incorrect password into the website's password field, I have to click a button and wait for my computer to submit the info and reload the page if the password is incorrect. How does a hacker's program submit passwords and receive responses so quickly?
posted by Triumphant Muzak at 4:44 PM on August 24, 2016


Best answer:
"How does a hacker's program submit passwords and receive responses so quickly?"
You can't really brute force web services or login screens anymore. Usually you try to get a copy of the encrypted password file and try to throw a dictionary at that in a program that runs a simulation of the login process on your own computer.
posted by xyzzy at 4:49 PM on August 24, 2016 [2 favorites]


Best answer: If I may try an analogy, hacking computer security is a little like breaking into a house. You have many options to get into the average house. Pick the lock? Find the key under the mat? Try every single possible key in the doorknob until one works? Try all the windows and find one unlocked? Break a window? Go up on the roof and climb down the chimney? Dig a tunnel underneath the house and burst through the floor? Burn down the walls?

There's lots of ways to break into a house and there's lots of ways to break into a computer system. Being a good hacker is knowing how to efficiently try many different techniques until you find one that works. Ordinary sites don't require any special skill other than patience. Super-secure sites may take extra tricks, uncommon exploits, or in the most extreme case a unique zero day vulnerability no one knows yet.

I haven't read any analysis of Leslie Jones' hack yet, but a common way to hack a website like that is to find a vulnerability in the web server software. You trick the website into executing a command of your own, and then use that to open an interactive terminal session where you can start running more commands there. You could imagine Metafilter being vulnerable like this, and if I posted a well-crafted comment the contents of it might force Metafilter to run my code and then let me take over the server. (Fortunately the Metafilter folks are smart and careful and the site is pretty secure.)

It's rare for a password to be compromised for a site hack although that happens too. That's really common for celebrity Twitter/Instagram/etc accounts; they use a weak password or the same password in multiple places. Sometimes whole hosting platforms get attacked, so (say) any of 25,000 different blogs could be attacked at the same time.
posted by Nelson at 5:13 PM on August 24, 2016 [2 favorites]


The guns of the Maginot line could not be turned. If you got behind them, they were useless. The same issue shows up in the movie Lawrence of Arabia with a coastal city where the guns face the sea and cannot be turned. Behind the city is a harsh desert, The Nefud. It is considered uncrossable. Lawrence decides if he crosses the desert with 50 men, more will join him. They have no trouble taking the city from the landward side because the artillery faces the sea and cannot be turned.

The origin of the word hacking was not specifically about computers. It started at some college and roughly means creative, brilliant, unconventional problem solving. For IT insiders, it still means that and not just breaking and entering, which is what the general public seems to interpret the word to mean.

Hackers find a vulnerability and leverage it. A small hole becomes a big hole in security and it grows from there.
posted by Michele in California at 6:13 PM on August 24, 2016 [2 favorites]


Best answer: Nobody has quite mentioned this yet, so I'll bite.

Let's say you are a hacker, and you want to crack a particular program. You're going through it with another program called a debugger or disassembler. Basically, the original programmer wrote a program which he gave to a compiler, which looked at his code and used it as a guide to write another program in "machine language" which the actual computer can execute. What you, Mr. Hacker, are looking at is the output of this compiler.

And what you're looking for are weaknesses. And hey, you find one! Here is a place where someone can enter a credit card number into a buffer, and the buffer is naturally limited to 16 characters, but the limit isn't enforced. So being a hacker you craft a way, either manually or by writing your own program, to jam a lot more data into this little buffer than it can hold. If you're very clever you can jam actual program code into that buffer and get the poorly written host program to run it. This is called "running arbitrary code," and is the very worst kind of hack because it gives your attacking code whatever privileges the program you've attacked had, which is very often admin or root on the host machine.

What your arbitrary code will almost always do is run home to the internet and fetch a much larger and more powerful big brother, which will set about nosing around the network and looking for other vulnerabilities.

And that is basically how it is done when the simpler hacks described above, like "social engineering," don't turn the trick. Most programs are written in a terrible language called C which doesn't do any bounds checking on buffers or arrays unless you as the programmer deliberately ask for it. C is used because it is fast and efficient, which are good things, but it is also like a loaded gun in the hands of a child as far as many programmers are concerned. If you aren't very careful it's easy to leave a huge hole in the wall of the fortress you think you're building.
posted by Bringer Tom at 6:29 PM on August 24, 2016 [3 favorites]
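
The unchecked 16-character buffer described in the answer above, as an added example that is not part of the original thread: the C below puts the copy with no length check next to a version that enforces the limit. The struct, the function names and the sample inputs are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CARD_LEN 16               /* the 16-character limit from the answer */

struct order {
    char card[CARD_LEN + 1];      /* 16 digits plus the terminating NUL */
    int  is_admin;                /* unrelated data stored next to the buffer */
};

/* The flaw: strcpy() copies until it finds a NUL in the input, so anything
 * past the buffer's size lands on whatever follows it in memory.
 * Shown for comparison only; nothing in this example calls it. */
void store_card_unchecked(struct order *o, const char *input)
{
    strcpy(o->card, input);
}

/* The fix: measure first and refuse anything that does not fit.
 * Returns 0 on success, -1 if the input was rejected. */
int store_card_checked(struct order *o, const char *input)
{
    size_t n = 0;
    while (n <= CARD_LEN && input[n] != '\0')   /* never scans past the limit */
        n++;
    if (n != CARD_LEN)
        return -1;                              /* too short or too long */
    for (size_t i = 0; i < n; i++)
        if (input[i] < '0' || input[i] > '9')
            return -1;                          /* digits only */
    memcpy(o->card, input, n);
    o->card[n] = '\0';
    return 0;
}

int main(void)
{
    struct order o = { "", 0 };
    /* Constructed inputs: a 16-digit test number and an oversized string. */
    const char *ok  = "4111111111111111";
    const char *big = "41111111111111119999999999999999";

    printf("valid:     %d\n", store_card_checked(&o, ok));
    printf("oversized: %d (is_admin still %d)\n",
           store_card_checked(&o, big), o.is_admin);
    return 0;
}
```

The checked version rejects the oversized input before a single byte is copied, so the data next to the buffer is never touched.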


Best answer: "How does a hacker's program submit passwords and receive responses so quickly?"

As xyzzy says, they don't. They get their hands on a password file (basically, a list of usernames and hashed/encrypted passwords) and employ what is at this point quite sophisticated and easy-to-use password cracking software. Shorter passwords can now be brute-forced due to the level of computing power available at the desktop level (simply try every combination of 4-6 characters that exists and see which ones match the hashed/encrypted values). Longer passwords require strategies which are largely successful because it's mostly humans who make up passwords and they all employ pretty much the same tricks to come up with "unbreakable" passwords.

Ars Technica had an excellent article about this a few years back, with a followup a few months later.

But that's just password cracking.
posted by lefty lucky cat at 6:39 PM on August 24, 2016 [1 favorite]


Response by poster: I love you guys. I feel so much smarter!
posted by Triumphant Muzak at 7:08 PM on August 24, 2016 [2 favorites]


I recommend a book called The Cuckoo's Egg by Clifford Stoll. Published in 1989, it is a memoir of how Stoll discovered that a hacker had gained access to some of the UC Berkeley computer systems. It is probably the first popular book on computer hacking. Using very readable prose, Stoll describes a number of measures and countermeasures that have become common since then.
posted by Multicellular Exothermic at 9:55 PM on August 24, 2016 [2 favorites]


Computerphile is a good resource too.
posted by flabdablet at 7:57 AM on August 25, 2016

