Interesting piece by well-known IT figure Jeff Atwood:
On one level, this piece is a terrific summary of how hacking is done. It’s mostly not about messing with computers; it’s about messing with people. The trick in a serious break-in is typically to fool someone into handing over a username and password – or to find the password, usually written on a sticky note on their monitor. The trade calls it “social engineering”.
I’m not sure that most people understand this. From my conversations, I get the impression that most people think “hackers” can write special code that simply “gets around” the security. They think hackers perform the digital equivalent of forcing a window. In fact, modern hacking usually means nicking your key and walking through the front door.
The technique was well illustrated in the ultimate hacker film, 1983’s War Games. “They change the password every couple of weeks,” says Matthew Broderick’s character, “but I know where they write it down”. (That, by the way, is why smart systems administrators no longer force people to change their passwords every three months: forced rotation trains people to write the password down or to bolt a digit onto the old one, which is why NIST’s current password guidance recommends against it.)
But on another level, Atwood’s piece is about how the web of passwords and account details in which we now live leaves us more open than ever to these social exploits. Online services, and above all their account-recovery desks, make social engineering easier than it has ever been.
Atwood’s post links, among other things, to writer Mat Honan’s hacking tale – he had his iPhone, iPad and MacBook remotely wiped, and the attackers got into his Gmail and Twitter accounts too. How’d they do it? They rang Apple support, gave his billing address and the last four digits of a credit card on file, and were issued a temporary iCloud password. It turns out that both of these pieces of information are easy to find through other routes: the billing address was in a public domain registration record, and Honan’s hacker got the card digits from Amazon, by talking its phone support into adding a new card to the account, then using that card to “prove” identity and reset the account, which exposed the last four digits of the real cards on file. The iCloud address was the recovery address for his Gmail, and Gmail was the key to Twitter.
Honan’s vulnerabilities were the same vulnerabilities most people have. It wasn’t that he used “123456” or “password” or “welcome” as his password, though lots of people do. His problem was that the same few facts about him were spread across multiple online services – Gmail, Apple, Amazon, Twitter and so on – and that each service accepted facts exposed by another as proof of identity. The hacker could piece together the information he needed by working through those services in the right order.
And there’s your problem.
Increasingly, “our information” is just a series of access codes that get us in to other people’s databases – Google, Apple, Microsoft, Intuit, NAB, CBA, Dropbox. Each of these firms verifies identity by its own rules, and what one treats as a harmless account detail another accepts as proof that you are you. Put them all together, and they create a web of vulnerability for online data.
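To make that web concrete, here is a small added example (my own code, not from Atwood’s or Honan’s posts). It models each account as a node with one or more recovery paths, each a set of facts a support desk or reset form will accept, plus the facts an attacker learns once inside. A fixed-point pass then works out which accounts fall from a given starting set of facts. The account data is a constructed, simplified rendering of the chain described above; the specific recovery rules, the “totp_code” second factor and the starting facts are assumptions for illustration, not any provider’s actual policy.

```python
"""Account-recovery dependency graph: which accounts fall from what an attacker knows?"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    # Each element is one sufficient combination of facts for taking the account over
    # (e.g. a support-desk reset that accepts address + last four card digits).
    recovery_paths: tuple[frozenset[str], ...]
    # Facts the attacker learns once inside: mailbox contents, masked card numbers...
    reveals: frozenset[str] = frozenset()


def compromise_order(accounts: tuple[Account, ...], starting_facts) -> tuple[list[str], set[str]]:
    """Return (accounts taken over, in order; all facts known at the end).

    Iterates to a fixed point: an account falls when any one of its recovery
    paths is fully covered by the facts known so far, and what it reveals is
    added to the known facts, which may unlock the next account.
    """
    known = set(starting_facts)
    owned: list[str] = []
    changed = True
    while changed:
        changed = False
        for acc in accounts:
            if acc.name in owned:
                continue
            if any(path <= known for path in acc.recovery_paths):
                owned.append(acc.name)
                known |= acc.reveals
                changed = True
    return owned, known


def build_accounts(gmail_second_factor: bool = False) -> tuple[Account, ...]:
    """Constructed model of the chain in the text (an assumption, not real policy).

    With gmail_second_factor=True the mail account also demands a one-time code
    from a device the attacker does not hold, which is the hardening Honan
    himself said would have stopped the attack.
    """
    gmail_paths = (
        (frozenset({"icloud_mailbox", "totp_code"}),)
        if gmail_second_factor
        else (frozenset({"icloud_mailbox"}),)
    )
    return (
        # Shop account: reset with name, e-mail and billing address; shows last four card digits.
        Account("amazon", (frozenset({"name", "email", "billing_address"}),), frozenset({"card_last4"})),
        # Cloud account: support desk accepts billing address + last four digits; yields the mailbox.
        Account("apple_icloud", (frozenset({"billing_address", "card_last4"}),), frozenset({"icloud_mailbox"})),
        # Mail account: recovery address is the cloud mailbox; yields the main mailbox.
        Account("gmail", gmail_paths, frozenset({"gmail_mailbox"})),
        # Social account: password reset goes to the main mailbox.
        Account("twitter", (frozenset({"gmail_mailbox"}),)),
    )


# Assumed starting position: name and e-mail are public, the billing address
# comes from a public domain-registration record.
PUBLIC_FACTS = frozenset({"name", "email", "billing_address"})


if __name__ == "__main__":
    for hardened in (False, True):
        owned, _ = compromise_order(build_accounts(gmail_second_factor=hardened), PUBLIC_FACTS)
        label = "gmail with second factor" if hardened else "as described"
        print(f"{label}: attacker ends up owning {owned or 'nothing'}")
```

Running it shows the whole chain falling from three public facts, and the chain stopping at the cloud account once the mail account demands a second factor. The same model is useful for your own accounts: list what each one’s reset flow accepts, draw the edges, and look for any account whose compromise hands over the reset credentials for all the others.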
And “online data” increasingly means “all our data”.
Our email lives online. So do our most important documents, our backups, our family photographs, our tax information, our business accounts. I think that is probably the way it should be, if only because Google knows how to back stuff up, and Uncle Bill does not.
But before this new information ecosystem can work properly, we will need to change people’s security behaviour, and the providers will need to stop treating details that leak from one service as proof of identity at another. The individual’s part is unglamorous: a separate recovery address, two-factor authentication wherever it is offered, and no single account that can reset all the others. That is going to be very, very hard.
(Cross-posted at shorewalker.com)