This is the first post in the Intro to Hacking series. In future posts I will go into technically how hacking works and how you can protect yourself, but first I’ll whet your appetite with some interesting stories.
Hacking is a broadly defined word with so many different meanings: writing clever computer code, creating an ugly yet effective solution, finding a shortcut, playing a practical joke, or the act of breaking into a computer. Guess which one I am interested in? Well I guess I’m interested in all of them, but I will be writing about breaking into computers. This subject is chock-full of incredibly entertaining stories and interesting things to learn.
There are a zillion different types of hackers. Some are good guys (white hat), some are bad guys (black hat), some it’s even hard to tell (grey hat). Some know only one way to hack and some are computer wizards who seemingly have no barriers holding them back (1337). And some technically know very little about computers and instead rely on tools built by others (script kiddies).
AIM Punters
I remember my first introduction to this world. The year was 1996 and I was finally online. America Online. AOL. And the best part about AOL was the ability to chat instantly with friends or strangers thousands of miles away. Oh the possibilities!
What does this have to do with hacking? Back in the early days of AIM (AOL instant messenger) the program wasn’t exactly robust. There were tools called punters (or IM-bombs) that exploited these weaknesses – you could use them to kick another user off AIM or even make their entire computer crash (they worked by sending HTML code or tons of invalid characters that would cause the other person’s computer to explode like the fembots in Austin Powers when he touches himself). Did I have any idea how it worked? No, and that’s the best part! The barrier was so low – all you had to do was download a program and you had incredible power over your buddies (or strangers). These AOL punters were a likely starting place for many script kiddies.
Anonymous
The motivation for this post was a hack that was recently in the news. It was so bad ass I felt compelled to share it with a larger audience. And it involves a subject that seems to be on everyone’s mind: WikiLeaks.
WikiLeaks has its own group of hacker bodyguards called Anonymous. No, this group isn’t operating under the direction of Julian Assange looking for confidential info, rather they just perform hacks that Anonymous perceives to help WikiLeaks. Namely this means attacking companies that are openly anti-WikiLeaks – for example bringing down the Visa and MasterCard websites.
This is just the beginning of the story, however. HBGary is a large computer security company with products that both allow undetected hacking and secure your system against them – it’s more complicated than that, but the point is that they are knowledgeable in the way of hackers and their credibility would take a big hit if they were hacked themselves. And that’s exactly what happened. HBGary Federal CEO Aaron Barr thought he had unmasked this secret hacker clan, was preparing to publicly name them, and shared it with the press. He also confronted one of those people. The retaliation from Anonymous was quick and trenchant.
The company used a third party vendor to create the back end database running HBGaryFederal.com. They sucked. HBGary (a security company mind you) did not audit the vendor’s work for vulnerabilities and ended up paying a heavy the price. Using SQL injection the hackers were able to extract the entire database – including the hashed passwords for all the users on the website (everything will explained by the end of the series). A couple of the passwords were remarkably vulnerable to cracking using rainbow tables (the passwords used the most common hash algorithm and only once without salting), which provided the hackers with an actual password that they could use to log in to the website as a valid user. Or deface it.
That doesn’t sounds so bad, a defaced website. But because a user reused his password in other HBGary systems, it allowed the hackers to exploit a vulnerability in Linux (that was actually already fixed, but they were still running an older version) to gain access to every system at HBGary. All backups were deleted (and honestly, who backs up their back ups?).
So some data was lost, not the end of the world. Well as luck would have it, one of the users with a simple password that was cracked was the CEO Aaron Barr. Unfortunately Aaron Barr used that same password for many many systems: email, Twitter, LinkedIn, and more. The end result? All of the CEO’s emails were released to the public, his twitter account was dominated, his private documents published, his iPad was remotely wiped, and he eventually resigned from his job to go put his life back together. Don’t mess with hackers, even if you are one yourself!
Paris Hilton’s Cell Phone
But hacking is not always so technical – there is a whole branch called social engineering. Rather than exploiting technical weaknesses in the system to get in the back door, social engineers figure out a way to walk right in the front door. This is usually done by calling someone and asking what their password is. OK, you may have to do a little back-story about how you are from the IT department or an important executive that needs access, but it sure is easy. Another example of social engineering is using important facts about the person’s life to “guess” their password – birthdays, anniversaries, kid names, pet names, etc.
Now it’s the point in the article where we learn something from Paris Hilton. Believe it or not, Paris Hilton had a smart phone before the rest of the world – the impressive Sidekick II back in 2005. Do you remember when it was hacked and all the data was posted online? Her phone book had over 500 contacts including phone numbers for numerous celebrities such as Christina Aguilera, Fred Durst, Lindsay Lohan, Usher, and Vin Diesel. They all quickly changed their numbers, but it wasn’t as easy to recover the inappropriate photos that were also on there …
So how did someone hack Paris’s cell phone? First T-Mobile had a security hole that made it possible to find out a customer’s name and phone number. The T-Mobile website also had a feature that allows you to reset your password after answering a security question to confirm that it really is you – many websites have this in case the user forgets their password. Unfortunately for Paris, 90% of the world knew the answer to her question – “what is the name of your favorite pet?” She takes her dog Tinkerbell with her everywhere and spoils it worse than the girls on MTV’s Super Sweet 16. In addition to the security question, T-Mobile also had another safety measure to thwart trouble makers – the new account password is text messaged to the phone. Surely the real owner is in possession of the phone …
Now the 17 year old hacker had Paris’s phone number and knew that she received a text message with a new account password. Using caller ID spoofing he called Paris pretending to be a T-Mobile rep – “Hey Paris, we are having some system difficulties and believe some users may have received a message about their account password being reset. Did you receive a message like this? Oh you did! Tell me what it says and I will get this straightened out right away!” Easy. With her account password the hacker had unfettered access to all of her phone’s data.
That’s enough hacking stories for one day. The next post in the series will contain more stories, and after that we will jump into the technical specifics and how to protect yourself. Please leave a comment if there is anything you have wanted to know about hacking and I’ll see if I can cover it.
Some sources:
- HBGary hack story
- How Aaron Barr unmasked Anonymous
- About how HBGary are hackers themselves
- How the HBGary Federal CEO blew his communications with Anonymous
- A book called “The Tinkerbell Hilton Diaries: My Life Tailing Paris Hilton“
Stuxnet! Do Stuxnet!
Oh hell ya! I don’t know anything about it, but will see what I can find out …
If I use a browser besides IE, aren’t there enough built in securities that I don’t have to worry about this stuff unless I am out looking for questionable websites? Should I really be concerned about protecting myself?
There are so many ways other than browsers and questionable websites. Things like your wireless network setup at home, your passwords for various websites, things to worry about at free wifi hotspots, cell phones, and more.
But the question remains – should you worry or is this just paranoia? I don’t think it matters unless someone is trying to target you. And I don’t think you’ll know whether someone is targeting you, but if you assume you are being targeted, that sure sounds like paranoia…
Also, don’t even think about trying any hacking mischief through your blog just to prove a point. That would not be appreciated.
I don’t know whether to be excited about the upcoming posts or scared because somebody is going to hack me to death. Please don’t hack me Skinner.
Also, can you blog about our government? I want to know that we have people working for the US that are legit hackers because I have this perception that all hackers are more or less freelancers who, even if they did receive a government paycheck, would still be doing selfish things, which would be especially dangerous because they’d be in a unique position with access to govt stuff.
Hopefully Google never turns evil.
fascist google?