Hacking Hackers and their Hacks (2018)
Hacking!
Is it cast-aside teenage wunderkinds who can seemingly dissect all things computer with the crack of a laptop to create designer chaos? They are portrayed smoking cigarettes, rollerblading and always with media-savvy branding! Too cool!
Any time a major breach is announced, the media conjures up their classic image of this hooded Jedi-like figure in a dimly lit room with 0s and 1s swirling about. Film and TV have done a superb job of portraying our favourite computer hacker as the stereotyped quirky yet heavily crafted indie kid who wields the required dexterity to power-type at a moment’s notice, anywhere on the planet, and inject themselves straight into anything from corporate servers, to traffic light control systems, to dinosaur-based fun parks. It usually involves some superb visualisations of neon landscapes and swirling equations.
James Bond took it to a new level in Skyfall with an on-screen brain-like vector blob made out of mostly gibberish, except of course for one word using non-hexadecimal characters, which of course Bond spots and which unlocks everything and turns it into a 3D map! One of my personal favourites is in the film National Treasure (2?) with Nicolas Cage, where he holds up an ancient ruin as he intentionally speeds through a traffic camera and then his quirky hacker sidekick flips open his laptop and “hacks” into the speed camera while driving and downloads the image. I suppose I love the implication in most hacker films that all things computer controlled are in some way connected to the internet, protected by nothing more than, perhaps, a password.
For many of us mid-life-crisis-age people, our introduction to hacking was the 1983 film WarGames with Matthew Broderick, where he uses his dial-up modem to phone into NORAD and starts playing a game called Global Thermonuclear War which, it turns out, WASN’T A GAME! It almost kicks off, that’s right, global thermonuclear war.
What’s interesting is that that was probably closer to what is possible than many of the modern films that followed.
Too many films to mention, including The Net, the 1995 film Hackers and of course the more recent film Blackhat, make hacking mind-blowingly awesome. In Blackhat the main hacker, portrayed by sex-throb actor Chris “Thor” Hemsworth, is in prison for being the greatest hacker ever. He’s a typical cyber-security guy: stunningly attractive, can kung fu the bollocks out of a tight spot and, even though he’s been out of the game for a few years, his techie tekkers are still razor sharp. Finally a film with an absolutely correct representation of hackers. Genius kung-fu-mastering technology gurus. Hell yeah!
A hacking article or podcast wouldn’t be complete without mentioning the Amazon series Mr. Robot, as it actually does a pretty good job of using real terminology and representing some of the aspects of a real hack correctly, somewhat obscured with a dash of artistic licence. There’s even a great scene in a hotel where a few of the fsociety members (the staple rag-tag group of hacking misfits) are poking fun at films depicting the aforementioned hacking imagery, discussing how at no point when hacking into anything have they ever found themselves flying over a Tron-like maze. I had to chuckle at its self-awareness.
What Mr. Robot does is create a rough depiction of the real and probably still most famous hacking organisation (to use that term very loosely), Anonymous. Those are the folks that made the V for Vendetta Guy Fawkes Hallowe’en mask a mainstay of hacking symbology. Of course I have one btw. Duh. My life-size cardboard Chewbacca is currently wearing it. (Drops mic)
There have been many hacking groups that have followed in the footsteps of Anonymous, but few have been as well branded or achieved the same level of infamy. What is surprisingly truthful is that while Anonymous, to the lay person, is a leaderless tribe of computer-genius hackers, the truth is more that they were a group of disgruntled teens and university role-playing gamers who came together via the 4chan forums and decided to essentially prank or troll large companies.
For some involved with Anonymous, they did not realise the extent of their actions or the personal ramifications. They were largely famous for DDoS (Distributed Denial of Service) attacks, which in their early incarnation were as simple as over-crowding a website or even a phone system with traffic in order to disrupt a target business. I think a real hacker in today’s world would look at what they did and how they did it as rather primitive.
So… I’ve indicated, I hope, what hacking is not. I’m going to talk about it in terms of now… 2018. To be clear… hacking was a lot easier 5, 10… hell, 20 years ago it was really, really easy by comparison. Security wasn’t really given much thought back then. It really should have been, and we have learned. Most of the low-hanging fruit is gone, thankfully, but modern network architectures using cloud technologies in combination with new software design methodologies are becoming so interwoven and complex that the attack surface has become difficult to ascertain for those trying to stop the baddies, which makes hacking both still possible and more of an art. At times it can be what many of us consider a really boring, trial-and-error-based art. For some… that boring art is a passion.
I’ll go through a few examples of what hacking is these days and apologise in advance to any hackers who might be tuning in if I’m dumbing all this down too much. I won’t mention more advanced subjects like Man-in-the-Middle attacks or get into any instructional content. On the flip side I also won’t get into the basics like poorly chosen passwords or PINs, or even some of the more blatantly mis-configured cloud storage incidents or accidentally published credentials. That’s not really hacking, that’s just stupid. You can listen to the “I H8 Passwords” podcast for that content. I’d like this to be technically correct but accessible enough that the in-laws can understand the idea and perhaps be a little less (or a little more, depending on how this goes) spooked by it.
I’ll start with the method I mentioned earlier when discussing Anonymous: DDoS, or just DoS. As I mentioned earlier it means Denial of Service. The extra D at the front means Distributed, the method of using many simultaneous sources for the attack. To be fair, most Denial of Service attacks are Distributed. It’s far more effective and it’s difficult to track, detect and stop quickly. The early problem with Denial of Service attacks, to use the Anonymous example again, was that they weren’t very anonymous. The attacks were tracked back to the IP addresses of real people who were subsequently imprisoned. Ironic.
Fast forward to now-ish (technically 2016 for this story) and let’s talk about a recent DDoS attack using the Mirai botnet.
A botnet is a network of bots: automated bits of code or malware distributed across a wide population of hosts or devices that can act as a hive for a single purpose. The hosts generally don’t know they are infected. The creation of a botnet is a clever bit of hacking in itself, in that it often takes advantage of known vulnerabilities in open source software running on smart devices that are not patched or upgraded to the latest software. This, in combination with sillier open doors like leaving default passwords or settings in place, can lead to the take-over of internet-facing and previously non-threatening Internet of Things gadgets like smart toasters, thermostats, lightbulbs, ovens or smart teddy bears, re-purposed for nastiness.
Cue the DDoS.
The Mirai botnet took advantage of a global network of IoT devices to create some of the largest DDoS attacks in history including an attack on computer security journalist Brian Krebs’s website. That feels like a bit of a backhanded compliment. I’ll know my podcast and blog are successful when… “Awwww… a DDoS attack…guys thaaaaaanks you shouldn’t have”. Check out the IoT podcast for more exciting examples.
IoT is in its early days, so you can already tell that security for those items has ended up on the cutting room floor in exchange for features and first-to-market success, as previously isolated small-device vendors struggle to grapple with the security requirements of being front-line players on the cyber-security battlefield.
In Q3 2017, organizations faced an average of 237 DDoS attack attempts per month. And with DDoS-for-hire services, criminals can now attack and attempt to take down a company for less than $100. I stole that quote directly from an article I link to at the end of this post.
Let’s talk a bit about one of the most famous hacks of the decade, called Heartbleed. This one is near and dear to my heart (pun intended) because it was a few of my colleagues at my workplace, Synopsys, who discovered it and revealed to the world a critical software bug which allowed bad guys to send a single packet of data to a website as a “heartbeat” check to see all was good, but manipulate that packet to extract a response which was effectively a dump of the server’s memory. While the data was unstructured, the bad guys pieced together repeated attempts to build a customer database and launch a series of boiler-room scams against the list.
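To make the “manipulated heartbeat” concrete, here is a small simulation I have added (it is not code from the original post, nor OpenSSL’s code). The heartbeat record layout follows RFC 6520; `serverMemory` is a constructed buffer holding the received record followed by unrelated data a correct server must never send back, and all function names are my own.

```javascript
// Added example: the Heartbleed bug in the TLS heartbeat extension, simulated.
const HB_REQUEST = 1;
const PADDING = 16; // RFC 6520 requires at least 16 bytes of padding

// Record layout: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
function buildHeartbeat(payload, claimedLength) {
  const rec = Buffer.alloc(1 + 2 + payload.length + PADDING);
  rec[0] = HB_REQUEST;
  rec.writeUInt16BE(claimedLength, 1); // the sender controls this field
  payload.copy(rec, 3);
  return rec;
}

// Vulnerable handler: trusts payload_length and copies that many bytes from
// where the payload starts. In C this reads past the record into adjacent heap
// memory; here the "adjacent memory" is simply the rest of serverMemory.
function respondUnsafe(serverMemory) {
  const claimed = serverMemory.readUInt16BE(1);
  return Buffer.from(serverMemory.subarray(3, 3 + claimed));
}

// Fixed handler, in the shape of the OpenSSL patch: compare the claimed length
// with the record length actually received and silently drop bad records.
function respondSafe(serverMemory, recordLength) {
  if (recordLength < 1 + 2 + PADDING) return null; // too short to be a heartbeat
  const claimed = serverMemory.readUInt16BE(1);
  if (1 + 2 + claimed + PADDING > recordLength) return null; // claimed more than sent
  return Buffer.from(serverMemory.subarray(3, 3 + claimed));
}

// Constructed scenario: a 4-byte payload that claims to be 40 bytes long,
// sitting next to a string the server holds for another user.
function demo() {
  const record = buildHeartbeat(Buffer.from("ping"), 40);
  const neighbour = Buffer.from("session=alice;role=admin;"); // constructed
  const serverMemory = Buffer.concat([record, neighbour]);
  return {
    leaked: respondUnsafe(serverMemory).toString("latin1"),
    fixed: respondSafe(serverMemory, record.length),
    honest: respondSafe(buildHeartbeat(Buffer.from("ping"), 4), 23).toString(),
  };
}
```

The patched `respondSafe` never looks past the record it was handed, so an honest 4-byte heartbeat still gets its “ping” back while the over-claiming one gets nothing.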
It’s worth stating that hackers are mostly after three things: Disruption, Money and/or Information (which can lead to money). So when wondering if you’ll even be the target of hackers, ask yourself if you have any or all of these things in large quantities.
Anonymous was founded on disruption. Nation-state-funded hacking groups, a more well-known one being the Russian group called Fancy Bear, are focused on information and political manipulation (ok, probably money). The rest are after money in a more obvious way. Remember kids, information is money. Most of the modern cyber attacks on normal folks like you and me are conducted as ransomware or phishing, and to those attackers what is known as PII, or Personally Identifiable Information, is the key to success. You know, that stuff we give away for free to Facebook, who then give it away for free to people pretending to be researchers. That’s the good stuff and what attackers are after for social engineering attacks. Check the podcast on ransomware for a bit of extra detail. The idea is straightforward enough. Knowing more about you means they can use it to convince you that they are your bank (in the case of Heartbleed), your courier, your workplace, your family, and the list goes on, to make you give up some money or allow them in the door to install malware and hold you hostage in some form or another until you pay up.
Again, as in the Mirai and Heartbleed scenarios, there are multiple phases of work to achieve some monetary reward and each step takes a considerable amount of effort and time. I hope this is coming across as quite different from what Hollywood offers us… but then, they only have 2 hours, so we’ll let it slide because it looked awesome when Charlize Theron in The Fate of the Furious played the nutjob criminal, code-named Cipher, and with a wave of her hacker hand found all known zero days in the area and took over a whole city of cars, driving them around and creating cinematic chaos to my absolute delight!
Not that you can’t hack a car. Researchers and now rock-star hacker guys Dr. Charlie Miller and Chris Valasek famously hacked a Jeep and released an in-depth report on just how they did it. It took years of research and a thorough knowledge of the vehicle under attack. They were even interviewed about the film in question and succinctly dismissed it as nonsense. What I found amusing about the Jeep hack was the aftermath of it. Rumour has it that a patch for the 2014 Jeep Cherokee was released by sending owners a USB stick to plug into their vehicles, to prevent the unlikely abuse of the research and instantly negating all the research. The new method to hack a vehicle now is to just send the vehicle owner a USB stick labelled “upgrade” and watch them mindlessly install your malware into the car.
The final realm of hacking I’d like to end on is the more traditional web application hacking, where you find a poorly written website which has all of the key components for the storage of massive amounts of personal data. Facebook was the example I mentioned earlier, but a more high-profile and typical example would be TalkTalk. I mentioned TalkTalk in the data breach podcast. These types of hacks involve abusing typical paths like SQL Injection, Path Traversal and Cross-Site Scripting, to name some of the higher-profile methods. A cross-site scripting attack is where you are asked for data under your account that will be redisplayed under another person’s account. Like an Airbnb review, for example. If, instead of writing a review, you wrote some JavaScript into the review box and the website didn’t “sanitise” the data, that script could be brought into another user’s browser and executed to unlock anything from downloading ransomware, to mining crypto-currencies, to DDoS attacks conducted from the victim’s browser.
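Here is the review-box scenario as an added example (my code, not anything from the original post or from any real site): one render function trusts the stored review as markup, the other escapes it on output, plus a triage check a moderator or log search could use. Function names and the sample review are constructed.

```javascript
// Added example: stored cross-site scripting via a review box, and the fix.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for insertion into an HTML element body or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the review text is dropped into the page as markup, so a
// <script> tag in it runs in every reader's browser (stored XSS).
function renderReviewUnsafe(author, review) {
  return `<div class="review"><b>${author}</b>: ${review}</div>`;
}

// Hardened: every untrusted field is escaped at the point of output, so the
// same review is displayed as text rather than executed.
function renderReviewSafe(author, review) {
  return `<div class="review"><b>${escapeHtml(author)}</b>: ${escapeHtml(review)}</div>`;
}

// Defender's triage hint for a moderation queue or a log search: flags stored
// text containing tags or inline event handlers that would execute if rendered
// unescaped. A hint only; output escaping is the actual control.
function looksLikeMarkupInjection(review) {
  return /<\s*\/?\s*(script|img|iframe|svg|object)\b|\bon[a-z]+\s*=/i.test(review);
}

// Constructed sample: a reviewer "writes some JavaScript into the review box".
const SAMPLE_REVIEW = 'Lovely flat, great host! <script>alert("xss")</script>';
```

Escaping for an element body is not the whole story: values placed into URLs, inline scripts or CSS need their own context-specific encoding, and a Content-Security-Policy header limits the damage when one spot is missed.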
The key culprits for these kinds of attacks are listed in something called the OWASP Top 10, which tracks the top known vulnerability categories. Amazingly, in spite of there being a plethora of automated tools and techniques like Penetration Testing, Static Code Analysis and device Fuzz Testing, just to name a few, for mitigating these kinds of errors in web applications and modern IoT devices, I am still happily employed helping companies write software that best prevents them from being the next big headline. The real problem isn’t the tools but the lack of security experts and of developers educated to understand how to use them. So if you’re looking for a career for your teenage daughter or son, there will be an estimated 20 million jobs going in software security and what is known as ethical hacking by 2020. If the rules of supply and demand have taught me anything, it might be in the interest of hackers to just go get a real job.
One last entertaining piece if you haven’t had enough: 2 IDIOTS 1 KEYBOARD. Easily the winner of the stupidest hacker-based scene.
https://www.techrepublic.com/article/ddos-attacks-increased-91-in-2017-thanks-to-iot/
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
Skyfall Hacking – (https://www.youtube.com/watch?v=aApTVqeGJMw)
*** This is a Security Bloggers Network syndicated blog from Codifyre authored by Stephen Giguere. Read the original post at: https://codifyre.com/coding/hacking-hackers-and-their-hacks-2018/