How hacking really works (and why we should worry)

Interesting piece by well-known IT figure Jeff Atwood:
http://www.codinghorror.com/blog/2012/09/computer-crime-then-and-now.html

On one level, this piece is a terrific summary of how hacking is done. It’s mostly not about messing with computers; it’s about messing with people. The trick in serious hacking is typically to fool someone into giving you their username and password – or to find it, usually written on a sticky note on their monitor. It’s called “social hacking”.

I’m not sure that most people understand this. From my conversations, I get the impression that most people think “hackers” can write special code that simply “gets around” the security. They think hackers perform the digital equivalent of forcing a window. In fact, modern hacking usually means nicking your key and walking through the front door.

The technique was well illustrated in the ultimate hacker film, 1983’s War Games. “They change the password every couple of weeks'” says Matthew Broderick’s character, “but I know where they write it down”. (That, by the way, is why smart systems administrators  never force people to change their passwords every three months.)

But on another level, Atwood’s piece is about how the Web of passwords and information in which we now live leaves us more open than ever before to these social exploits. Online services make social hacking easier than ever before.

Atwood’s post links, among other things, to writer Mat Honan’s hacking tale – he had his iPhone, iPad and MacBook wiped and they got into his Twitter account too. How’d they do it? They rang Apple, provided a billing address and the last four digits of a credit card, and they were in. It turns out that both of these pieces of information are easy to find through other routes. Honan’s hacker used Amazon, among other things.

Honan’s vulnerabilities were the same vulnerabilities most people have. It wasn’t that he used “123456” or “password” or “welcome’ as his password, though lots of people do. His problem was that he had various pieces of information spread through multiple online services – Gmail, Apple, Amazon, Twitter and so on. The hacker could piece together the information he needed through those various services.

And there’s your problem.

Increasingly, “our information” is just a series of access codes that get us in to other people’s databases – Google, Apple, Microsoft, Intuit, NAB, CBA, Dropbox. Each of these firms has different security protocols. Put them all together, and they create a Web of vulnerability for online data.

And “online data” increasingly means “all our data”.

Our email lives online. So do our most important documents, our backups, our family photographs, our tax information, our business accounts. I think that is probably the way it should be, if only because Google knows how to back stuff up, and Uncle Bill does not.

But before this new information ecosystem can work properly, we will need to change people’s security behaviour. That is going to be very, very hard.

(Cross-posted at shorewalker.com)

About David Walker

David Walker runs editorial consultancy Shorewalker DMS (shorewalker.net), editing and advising business and government on reports and other editorial content. David has previously edited Acuity magazine and the award-winning INTHEBLACK business magazine, been chief operating officer of online publisher WorkDay Media, held policy and communications roles at the Committee for Economic Development of Australia and the Business Council of Australia and run the website for online finance start-up eChoice. He has qualifications in law and corporate finance. He has written on economics, business and public policy from Melbourne, Adelaide and the Canberra Press Gallery.
This entry was posted in Information, IT and Internet, Web and Government 2.0. Bookmark the permalink.
Subscribe
Notify of
guest
4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Tel
Tel
9 years ago

There’s a fair number of simple but effective brute-force attacks out there as even a casual glance at any server logs will testify. I dunno how many they catch out with that stuff, but must be enough to encourage them to keep trying.

I also get buckets of virus-infected spam emails, phishing scams, offers from Nigeria, you name it… they wouldn’t send that stuff if someone out there wasn’t falling for it. Remember the good old days, when you could just scam people with common or garden Ponzi schemes, and fictional reserve banking? Where did we go wrong?

derrida derider
derrida derider
9 years ago

One way to get into a secure system is to “lose” a few USB keys in the nearby streets. Its amazing the number of people who’ll want to see what’s on that thing they found on the pavement. Your secure network need not even have any link at all to the outside world.
As a rule people are more easily hacked than computers.

desipis
9 years ago

But before this new information ecosystem can work properly, we will need to change people’s security behaviour. That is going to be very, very hard.

We should focus on the behaviour of organisations that operate these systems, not on the behaviour of people that use them. In a society where people don’t take reasonable care of things such as their health or superannuation, you’re not going to get people to take responsibility for informational security.

I think the best way forward is to make organisations strictly liable for the consequences of the misuse of any information they store. Once a data breach is proven, any potentially related damage (e.g. identity theft) becomes presumed. Alternatively a statutory penalty rate could be attached to each type of data which multiplied by the amount of data stolen for all breaches. It might be an idea to sprinkle unique ‘finger-print’ data into each system in order to establish proof of where the information leaked from. This will provide the incentives for organisations to seek out the best way to protect people’s information, including the best way to police the people that use their systems.