The 5 Biggest Lies You’ve Been Told About Hacking
Online security is increasingly an issue
rich for headlines as everyone from movie studios
and celebrities to major retailers and
CENTCOM find themselves the victims of digital
infiltrators. However, “hacking” is also a very
technical issue and, like many technical issues,
one the media often gets wrong. So as a citizen of
the 21st century, it’s increasingly important to
arm yourself with some basic facts about hacking,
cyber security, and the real threats they pose, as
well as those they don’t. With that in mind, here
are seven common misconceptions you might
have about hacking.
1) Hacking A Site is Different From Taking it
Down
One of the most common headline-grabbing
moves by so-called hackers is to take down a
target’s site through a DDoS attack. A group calling itself
Lizard Squad has been using this method to take
down the networks of PlayStation and Xbox Live.
It’s a common method of protest by the hacker
collective Anonymous, which has used it against
such varied entities as the Westboro Baptist
Church and, most recently, French jihadists.
These are not “hacks,” however, in the traditional
sense of the term. A “hacker” is defined by the
National Initiative for Cybersecurity as “an
unauthorized user who attempts to or gains
access to an information system.” Taking down a
website or even a server does not take much
effort and certainly doesn’t demand infiltrating the
host of the target. All you need is a simple
distributed denial of service, or DDoS.
In a DDoS, a network of computers all send
data packets towards one server with the goal of
overloading that server. Rather than many individuals
sending data from their own computers, however, the
most common form of DDoS consists of networks
of computers—typically hacked for this purpose
without their owners knowing—all being used to
flood a particular target.
These networks of pirate zombie computers are
typically open for business: You can special order
a DDoS attack on the black market for about $150
a week, similar to hiring a hitman. The attacks on
PSN and Xbox, for example, are believed to have
been a publicity stunt for Lizard Squad’s very own
network-for-hire of home routers it has hacked for
the express purpose of large-scale DDoS
attacks.
But it’s important to remember that a DDoS site
takedown is very different from hacking a site.
Being able to overload a site or server is a far cry
from ransacking the databases of a company, like
what happened to Sony last November. To
paraphrase a popular xkcd comic, it’s the
difference between robbing a store and tearing
down a poster the store put up.
2) A hijacked Twitter account means that
company has been hacked
This week, the Twitter and YouTube accounts for
CENTCOM—the Central Command of the Pentagon
—were disrupted by hackers claiming to be
fighting in the name of ISIS. While that sounds
scary, it’s actually far more common and far less
frightening than a successful attack on CENTCOM
or any defense agency.
So let’s say you have a Twitter account. As has
happened to many of us, a friend contacts you
and asks why you’re tweeting about this great
new weight loss method you found. You think:
“Crap! Someone hacked into my Twitter account!”
Do you then think: “Crap! They must have all my
files on my computer?” Of course not. That’s all
that has happened with CENTCOM.
This is not to say the CENTCOM hijack isn’t
important or doesn’t have grave implications for
the Pentagon. Social media accounts are a good
gauge of password security as a whole, and if
your password and username for Twitter are the
same as they are on Instagram, there’s a good chance
that, if one is compromised, so is the other. This
is why you should be forgoing choosing your own
passwords altogether and using a password
manager.
Third party apps within sites, however, can
threaten the stability of a service. The Syrian
Electronic Army, a hacker collective of uncertain
origin, has redirected hundreds of URLs by
hacking software used to manage banner ads and
comment boards. Still, this is a far cry from
accessing sensitive data hosted by, say, Forbes or
CNN.
3) Hacking takes skill and high-tech
software
When a massive cache of nude photos of
celebrities hit the Internet last August, the media
made the perpetrators into cyberterrorism
masterminds. It’s a common mistake to assume
“hacks” like the Celebgate leak are done by
modern-day wizards, fingers rushing over a
keyboard as they coordinate some massive
operation. In reality, all this kind of infiltration
takes is some simple assumptions.
One of the purposes of security questions on any
website is to help the site verify your identity
by asking for answers that are about you (so you won’t forget
them) but that a stranger couldn’t
easily learn. But when you tell the site the
name of your favorite pet, your mother’s maiden
name, or your elementary school, you might not
think about how easy that information is to find.
Have you ever mentioned your elementary school
on Facebook? How about a childhood photo where
you’ve tagged your favorite pet? Maybe a
memorial to your late mother wherein you use
her maiden name? All of that information can be
used by someone to access any account using
this information as a “Forgot Password” measure.
Now, instead of just the information you put on
social media, imagine you’re a huge celebrity with
a Wikipedia page, hundreds of interviews, and a
fanbase ravenous for any and every detail about
you. What information is so private it can be
trusted as a security question?
This is a too-often overlooked part of
hacking, known as social engineering. Some of the
most notorious hackers in history were best at
manipulating people into revealing enough data
about themselves or their systems. And it’s not
just your passwords that are at risk: In 2011,
security firm Bancsec showed how, with little
more than an email and a phone call, you could
rob a bank of $25,000 with no one the wiser.
So with just a little bit of googling and an
understanding of human nature, you, too, can be a
master hacker like 4chan. Popular culture often
gives people the impression that computers and
security systems are complex mechanisms that
only an engineering whiz can understand. But
these portrayals forget that humans are often the
weakest part of any system and, therefore, the
easiest target.
4) Anonymous is a well-organized group of
genius hackers
Perhaps no group has gotten more press for its
cyber exploits than Anonymous. As noted above,
they often choose high-profile targets for largely
simple attacks with explosive results. In the wake
of the Sony Pictures hack, for instance, they
managed to disrupt the entire North Korean
internet with a single DDoS attack.
Far be it from anyone, however, to perceive them as
some elite squadron centrally controlled and
spread throughout the globe. While their
cyberactivism is often impressive, they are purely
an opt-in organization. This means that anyone
who does anything representing Anonymous is,
ipso facto, representing Anonymous. While there
does appear to be a core group of organizers, they
lack much power over their army of uncertain
numbers.
As Gabriella Coleman of the Atlantic wrote back in
2010, “it may be impossible to gauge the intent
and motive of thousands of participants, many of
whom don’t even bother to leave a trace of their
thoughts, motivations, and reactions. Among
those that do, opinions vary considerably.”
This apparent organizational uncertainty and lack
of “true” hacking methods has made the group
more of a band of merry pranksters than some
digital warrior elite. Their reliance on otherwise
harmless methods like DDoS is why CNN once
called them “the graffiti artists of the Internet.”
But that’s not to say fairly sophisticated hacks
haven’t been carried out by people claiming to
represent Anonymous. Back in 2011, Sony’s
PlayStation Network was compromised by
Anonymous, revealing the personal and financial
data of over 100 million users. After that, they
moved on to more serious prey, releasing the
personal data of the security firm the FBI had
hired to help investigate Anonymous. LulzSec, an
Anonymous spin-off group, likewise purged
information from security contractors and the U.S.
Senate. Still, the vast majority of Anonymous
actions amount to little more than temporary
vandalism.
5) China is the biggest source of hacks
against the U.S.
While fighting for the memory of murdered satirists,
as Anonymous has, or taking down huge gaming
networks, as Lizard Squad has, is good for headlines,
such actions are far afield from the typical large-scale
hacking incident.
Real hacks—attempts to steal personal and
financial data—actually most often come from
low-key targets in Eastern Europe. According to
security firm Gartner, 8 percent of all noted hacks
come from within Russia. U.S. ally Taiwan,
curiously, comes in second with 3 percent of
hacks and Germany and the Ukraine come in at
2.6 percent and 1.8 percent, respectively. For all
the hubbub about Chinese hackers, only 0.5
percent of hacks directed at the U.S. or U.S.
companies have come from China.
There’s also the problem of finding where a hack
came from in the first place, the primary job of
firms like Gartner, Norse, and Mandiant. As
Gartner Research Director Lawrence Pingree noted
in the above blog post, “It is fairly well known by
most security professionals that the best hackers
on the planet often originate from Russia.”
You wouldn’t know this from looking at the
headlines. The idea of Chinese cyberespionage, for
whatever reason, often finds its way into the news
media while Russia’s status as our primary
cyberwar antagonist goes mostly unknown among
laymen.
Tuesday, 20 January 2015