How Do Hackers Actually Break into Systems and Steal Stuff?

This blog entry is targeted for people who have heard a lot about security breaches, and want to learn more about how exactly these attacks happen. Basically, I want to demystify some of the voodoo about computer security and hackers that gets perpetuated by movies and TV.

In a typical TV show, you have some super-geeky person who can effortlessly break into systems. Often, they will show a screen with lots of complex code, or a reflection of the person’s glasses with lots of data streaming past.

Most security attacks are actually much simpler than this.

A lot of attacks are based on just knowing a small secret or a little-known fact about a system. For example, you might not know that many computer systems come with well-known account names that you can look up. For example, here is a site that points to default usernames and passwords for WiFi routers. If you are still using one of these older routers, and if you didn’t change your password, any person who happens to be nearby could easily access your WiFi router. As you can see, this kind of attack doesn’t require much skill at all. (This is also why modern WiFi boxes come with usernames and passwords on a sticker on the side of the box, so people can’t just use the default usernames and passwords)

Here’s another example of making use of a little secret, one that actually worked for me a few times when I was younger. On Windows systems, the keyboard shortcut to close an app is Alt-F4. One time, I saw a computer kiosk running a demo one time, one that didn’t have a mouse (presumably to keep people from closing the main window) but it did have a keyboard. So I tried it out, and it actually worked! I could see all the other programs loaded on the computer. I ended up switching the kiosk to a game of solitaire in a small act of mischief.

Now, the two attacks above require practically no skill, just a little bit of esoteric knowledge about how computer systems work. There are lots of vulnerabilities like this, but any person with decent technical skills should be able to protect you against these kinds of basic attacks without too much effort.

However, even sophisticated attacks have essentially the same flavor as the attacks above, in terms of making use of some special knowledge about how a system works. The main difference is the level of skill and amount of effort required. Usually, at this level, there are different kinds of motivations involved, typically money rather than just mischief.

For example, a buffer overflow is a common kind of sophisticated attack. For instance, a web page might only be expecting 5 characters for a zip code, but an attacker ends up putting in 300 characters. If these 300 characters are crafted in a certain way, and if the web server doesn’t check input properly, an attacker might be able to get the system to run some chosen commands that it shouldn’t be running.

SQL injection attacks have the same general flavor as a buffer overflow. An attacker goes to a web site and puts in some database commands as input where it isn’t expected. For example, in this well-known XKCD comic strip, a mother names her child in such a way that it will try to delete the database. If the system doesn’t check input properly, the attacker can get the database to run arbitrary commands of her choosing.

Now, where it gets really interesting is that an increasing number of attacks aren’t targeting computer systems directly, but rather the people who use those computers. These kinds of attacks are known as social engineering attacks.

A great example of social engineering are phishing attacks, which are those fake emails that ask you to “please verify your account.” Stats collected by folks at Microsoft indicate that about 0.4% of people on the Internet fall for these phishing attacks (while 0.4% might seem small, multiply that by the two billion people on the Internet, and you get a really large number). Again, the key issue here is that phishing attacks require active effort by the person using the computer.

Phishing attacks are only one example. We also have fake anti-virus that can remove malware it has found on your system, fake videos asking you to update your codecs, fake sites that offer you “jobs” (but in reality you would be a money mule fraudulently transferring money or goods), fake emails requesting you respond with sensitive docs, as well as highly targeted phishing attacks that make use of a lot of contextual information about you or your organization.

At Wombat Security, our main focus is on offering effective and measurable security training to protect organizations from this last area of attacks, the ones that target the person behind the keyboard. There are a lot of security companies that offer automated tools for scanning your network, or virtual machines for checking your email attachments, or even new ways of authenticating users. And for the most part, these tools are pretty good. But, it is also because of these improvements that the bad guys are moving towards targeting people rather than computers. That’s why, as more and more of society becomes dependent on technology, we really need to make sure that the people using these systems can identify and avoid these attacks.