Computer hacking

I know what the broad sense of the term is, but what is it technically? I mean, I know things like viruses, and what are examples of what can be used to “hack”?

Unsecured websites can let you access the data behind them, including anything they store, from usernames to credit card info.

Cracking a password to access someone’s account.

Tricking people into running a program you’ve given them.

Making a lookalike website so people sign in and you just steal the username and password.

Those are a few examples.

In the movies hacking is when you type on a keyboard really fast, but in real life some of the most successful hackers are just people who figured out how to convince other people to give them their password. This is social engineering, and it ranges from complex and involved (building a fake website so someone will enter their real credentials) to mundane (searching through trash for discarded documents containing personal details) to “there’s no way that can actually work” (calling someone and asking for their password).

Your brain is the main tool for hacking.

Target 1 of a hack: Stupid People

This is your easiest hack. People are idiots. You walk into a parking lot, you drop 20 USB sticks with your autoloading key logger and wait. Guaranteed at least 1 person plugs it into their work computer, and 2-4 people bring it home and plug it into their home PC.

Target 2 of a hack: Garbage

You dumpster dive for documents. You are looking for email addresses, employee lists, contact information, etc. Using this you can go back to target #1 by finding stupid people on the list and hitting them with emails which look official but get them to enter a password, and now their account is compromised.

Target 3 of a hack: Codebase

This is where you cannot do targets 1 and 2 and you must go in via a network. This can be tough if you don’t know what system you are trying to get into, which is why #1 and #2 are very important to be able to do.

I ‘hacked’ my old work’s accounting system. It involved listening to the account manager typing in her password. I noticed two things: it was 9 characters and she only used the number pad to type it in. Brain starts chewing: what is 9 characters long and only numeric? A phone number is 7 or 10, so not a phone #. PINs are usually 4, so not a PIN or double PIN entry. …Is she stupid enough to be using her social security number for the password? Go to the file room, pull her investment file which contained her SS#, went to my PC, logged into the accounting system, username, SS#, and I am in. That’s a hack. It’s not all PCs and typing like a moron as you see in movies, it’s deconstructing people and information.

It is largely about finding a way into someone else’s software or system so that you can control something or steal data.

Think of a house. If you lock the door then no one can come in and take your stuff. But if you don’t lock your door, then theft is possible. So the hacker walks up and tries your door handle to see if he can walk in and take something.

A well-designed system will have the door locked and will keep your stuff secure.

The hacker might then try other things. What about the windows, are they locked? What about the gate into the back garden, is that locked?

Again, a well-designed system will have everything locked, but the hacker will try them all anyway just in case someone is running an out-of-date system (or in case someone doesn’t understand the importance of securing everything).

If these all fail, then the attacker might try something else. What about lifting all the stones and plant pots in the front garden, in case someone hid a key under one of them? This would be the equivalent of trying a bunch of common passwords in case someone didn’t understand how to make a proper password.

If the system is still secure, then the hacker might try something more sophisticated. What if they pretend to be someone else? Maybe they come to your door dressed as a courier or a policeman. Do you open your door to them and let them in because they look the part? Or do you have a sufficiently well-designed system to catch their deceit?

And so on. “Hacking” is really just about trying to find a way into someone else’s system so that you gain control or can steal data. There are all sorts of methods ranging from simple to incredibly sophisticated.

As an example, SQL injection is a type of “hacking” where a website asks you to enter something, let’s say your name, and instead of your name you enter some code. When you submit the form it tries to save your name to the database, but because your name is some code it actually ends up running something else on the database. Let’s say your extra code adds you to an administrator group; now you have administrator access to the website.

Another example is a website that does validation on the client side and not the server side: you can change the JavaScript code and enable/disable controls you might not have access to. Let’s say you’re on the website above signing up for your account and there’s a checkbox for whether you’re an Administrator, but it’s grayed out. You can just update the checkbox in your browser so it is not grayed out and submit the form with it checked.

Both of these examples are mostly protected against on websites these days, but there are thousands of other examples and every website needs to protect against every one of them. As a “hacker” you try each one to see if any are successful against your target. There are tools that can do this checking automatically, but a clever hacker will know what to try and how to try it. Companies have similar tools they use to check whether they are secure.
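The SQL injection the answer above describes, as an added example that is not part of the original thread: a Python/SQLite signup handler that pastes the submitted name straight into the SQL string, beside the parameterised version that treats the name as data. The `users` table, the handler names and the `PAYLOAD` string are constructed for this illustration; the payload closes the name literal, supplies `is_admin = 1` for the new row and comments out the rest of the statement, which is the "your extra code adds you to an administrator group" case in miniature.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table with an admin flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def signup_vulnerable(conn, name):
    """Vulnerable signup: the submitted name is pasted into the SQL text, so a
    name containing a quote and a comment marker rewrites the statement."""
    sql = f"INSERT INTO users (name, is_admin) VALUES ('{name}', 0)"
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the rewritten statement can be inspected


def signup_safe(conn, name):
    """Hardened signup: a parameterised query. The driver sends the name as
    data, so it is never parsed as SQL, whatever characters it contains."""
    conn.execute("INSERT INTO users (name, is_admin) VALUES (?, 0)", (name,))
    conn.commit()


def is_admin(conn, name):
    """True if a user with exactly this name exists and has the admin flag set."""
    row = conn.execute(
        "SELECT is_admin FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row is not None and row[0] == 1


# Constructed attacker input. Inside the vulnerable f-string it becomes:
#   INSERT INTO users (name, is_admin) VALUES ('eve', 1) -- ', 0)
# i.e. a user called eve with is_admin = 1, the original ", 0)" commented out.
PAYLOAD = "eve', 1) -- "


def demo(name=PAYLOAD):
    """Run the same input through both handlers.

    Returns (admin_after_vulnerable, admin_after_safe, what_safe_stored): the
    vulnerable handler creates an admin called 'eve'; the safe handler creates
    an ordinary user whose name is the payload string itself.
    """
    vuln = make_db()
    signup_vulnerable(vuln, name)
    safe = make_db()
    signup_safe(safe, name)
    stored = safe.execute("SELECT name FROM users").fetchone()[0]
    return is_admin(vuln, "eve"), is_admin(safe, "eve"), stored


def handles_apostrophe(signup_fn, name="O'Brien"):
    """A legitimate name with an apostrophe. The vulnerable handler raises a
    syntax error (the same flaw that makes injection possible); the safe one
    stores it correctly. Returns True if the row was stored."""
    conn = make_db()
    try:
        signup_fn(conn, name)
    except sqlite3.OperationalError:
        return False
    count = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ?", (name,)
    ).fetchone()[0]
    return count == 1


if __name__ == "__main__":
    print(demo())
    print(handles_apostrophe(signup_vulnerable), handles_apostrophe(signup_safe))
```

The apostrophe check is worth keeping in mind as a tell: a form that errors out on a name like O'Brien is usually building its SQL by string concatenation, and that is exactly the condition under which the payload above works. Python's `sqlite3.execute` refuses multiple statements in one call, so this payload rewrites the single INSERT rather than appending a second one; drivers for other databases that allow stacked queries would give an injected name even more room.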
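The client-side-only validation in the answer above, as an added example that is not part of the original thread: a Python signup handler that trusts whatever the browser submitted (including a greyed-out "Administrator" checkbox that was re-enabled in the browser's developer tools and ticked), beside one that re-applies the form's rules on the server and assigns the role itself. The field names, the username and password rules, and both form bodies are constructed for this illustration; a browser form is modelled as a plain dict.

```python
import re

# Fields the signup form is supposed to submit. Anything else is either a
# tampered page or a client talking to the endpoint directly.
ALLOWED_SIGNUP_FIELDS = {"username", "password"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,20}$")
MIN_PASSWORD_LEN = 12

# Constructed submissions, shaped like the form bodies a browser would POST.
NORMAL_FORM = {"username": "alice", "password": "correct horse battery"}
# The greyed-out "Administrator" checkbox re-enabled and ticked, plus a
# username the page's JavaScript would have refused before submitting.
TAMPERED_FORM = {"username": "Eve!", "password": "hunter2hunter2", "is_admin": "on"}


def signup_trusting_client(form):
    """Vulnerable: assumes the page's JavaScript already validated everything
    and that a disabled checkbox can never be submitted, so it stores the
    form as received. Returns the record that would be written."""
    return {
        "username": form["username"],
        "is_admin": form.get("is_admin") == "on",
    }


def signup_server_validated(form):
    """Hardened: re-checks every rule the page enforced in JavaScript, accepts
    only the fields it expects, and decides the role on the server.
    Returns (record, errors); record is None when anything fails."""
    errors = []
    unexpected = sorted(set(form) - ALLOWED_SIGNUP_FIELDS)
    if unexpected:
        errors.append(f"unexpected fields: {unexpected}")
    username = form.get("username", "")
    if not USERNAME_RE.match(username):
        errors.append("username must be 3-20 lowercase letters, digits or _")
    if len(form.get("password", "")) < MIN_PASSWORD_LEN:
        errors.append(f"password shorter than {MIN_PASSWORD_LEN}")
    if errors:
        return None, errors
    # The role comes from server-side policy, never from the request body.
    return {"username": username, "is_admin": False}, []


if __name__ == "__main__":
    print(signup_trusting_client(TAMPERED_FORM))
    print(signup_server_validated(TAMPERED_FORM))
    print(signup_server_validated(NORMAL_FORM))
```

Rejecting unexpected fields rather than silently dropping them is a deliberate choice: a submission carrying a field the form never renders is a cheap, high-signal thing to log, since a stock browser will not send it. The client-side checks can stay for usability, but every rule that matters has to be enforced again by the code that actually writes the database.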