What is: Hacking

This is part one of the series on computer security. You can find part two on malware here.

You’ve seen it in a hundred movies: a young man in a hoodie sits in a dark room. He’s wearing fingerless gloves. His face is semi-lit by a computer screen with green lines of code running across it. He’s poised to hack the NSA, his fingers are flying across the keyboard, a red warning flashes, and he’s broken the firewall, and now he’s in, and he sees the secret files, but no! A counter-hack has started, and he’s trying to out-type them, he must defeat the unknown attacker in a digital stand-off…

Yeah, that’s not what hacking looks like. There’s no such thing as a counter-hack. If you want to stop someone from hacking your computers, just switch off the internet. And firewalls don’t do that. None of what they’re saying means anything. That code is just HTML. It looks cool, but all it does is put boxes and buttons on websites.

Hacking is like being undercover. The movies make it seem mysterious and exciting, but in reality? It’s pretty boring. It often takes months, or even years. It requires reading thousands of lines of code in the hope of finding that straw-colored needle in a haystack, an unsafe piece of code…

How Would I Know?

I want to preface this by specifying: I am not a hacker (legal or otherwise – yes, there are legal ways to be a hacker). I just know about it because of my job. Hackers typically get into computers one of two ways: either the user did something to let them in, or there is a flaw in the software, also known as a vulnerability, which they can exploit to gain access. Software developers are responsible for making sure their code is safe from hackers. And so we need to know what hackers are looking for.

A Simple Definition

The Malwarebytes antivirus company, whose job is to keep hackers out of your computers, defines hacking as follows:

Hacking refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire network.

So far so good. I think we all more or less knew that. Maybe someone you know got locked out of their Facebook account. Or maybe you got an email from your grocery store telling you that you won a prize, with a link which you clicked, and now someone on the internet has the banking information you stored on your computer the last time you bought something online. That’s the type of hacking we most often encounter on a day-to-day basis. A little different from what you see in the movies. Of course that stuff also can happen (sort of). Hacking actually has a lot of different facets. Let’s take a look.

Goals of Hacking

Spying

Probably the most common goal of hacking is to gain access to information. This information could be state secrets, like in the case of the 2020 Orion hack, where Russian government hackers (we think) spent a year compromising a monitoring tool used by the NSA, the Pentagon and Homeland Security (along with 18000 other organizations) in order to read information from their systems.

Or, the information could be your Facebook password.

It doesn’t even need to be secret information they’re after. You know those online quizzes to tell you your star sign or which superhero you are? Some of them were created by hackers to collect information that may appear in your bank’s security questions, like your mother’s birthday, or the high school you went to. Once they have that information, they can call your bank, pretending to be you, claim that “you” forgot your password and then reset it and gain access.

Theft

This leads us to the second goal of hacking: stealing money. The most obvious target for this is your online bank account, but hackers can also be more creative. In 2019, the CEO of a British energy company was tricked into wiring almost 250000 dollars to a fraudulent bank account. How did the hackers do it? They used an AI-generated voice to impersonate his boss over the phone, in the first known case of deepfake fraud.

You’ve probably had this sensitivity training at work, but remember: if someone at work starts making weird requests of you per email, make sure to ask around and confirm it’s them before complying.

Extorsion

This one is unfortunately becoming more and more common. Once a hacker has gained access to your computer, whether through compromised software or a link you clicked on, they may choose to not make their present known immediately. Instead, they can hang around in your private pictures folders, view your private browsing history, and even switch on your webcam to film you in the privacy of your home, especially if you’re one of those people whose laptop is open on their desk facing their bed, or their bathroom. Once they have something you don’t want posted on the internet, that’s when the blackmail begins. It doesn’t stop at laptops either. Security cameras and yes, nanny cams, are also popular targets.

So maybe close your laptop when you’re getting dressed, or just put some tape over the camera. If Mark Zuckerberg does it, so should you.

Ransom

The fourth goal feels a little counter-intuitive, because it’s the exact opposite of the first three goals: instead of revealing secret information, hackers try to lock it up so not even the original owners can get in. Ransomware is a type of hack that encrypts files and databases so no one can get any information out of them. Then they demand money in exchange for the keys to decrypt everything again. And if you don’t pay? They can and will simply erase everything.

Ransomware is difficult to deal with because it’s relatively easy to do and very hard to undo. Not to mention the potential damage is huge. Most companies nowadays cannot function without all the client lists, sales information, tracking and intellectual property stored in their databases. And depending on the industry, the damage can go further than that.

The infamous WannaCry malware was a particularly vicious brand of ransomware which caused chaos when it started infecting hospitals in the UK. And in 2020, the first official death due to a cybersecurity attack was announced in Germany when a ransomware attack shut down a hospital emergency room and a woman died due to delays in treatment.

Most security companies recommend paying the ransom.

Types of hackers

Something you need to understand about hackers is that, at their core, they are nerds. So maybe it’s not so surprising that when choosing a system to classify themselves, they picked the old Hollywood Western trope: hero cowboys wear white hats, villains wear black.

Black Hats

Black Hat hackers are “the bad guys”. Of course “bad” depends on your point of view, but in general these are the hackers who attack systems for malicious reasons, such as stealing information, locking down systems and holding them for ransom, or straight up destroying them. Yes, the US government-employed hackers (we think) who used the StuxNet virus to mess up an Iranian nuclear facility in 2010 can be considered Black Hats. So are hackers who don’t actively cause damage with the vulnerabilities they find, but who sell them on the black market to people who want to use them to cause damage.

White Hats

White Hats are traditionally seen as “the good guys”. Again, good is relative. Many White Hats work for security companies who get payed to attacks their own clients in order to find weaknesses before the Black Hat hackers do. These are known as penetration testers, or pentesters for short. Many White Hats also free-lance, finding vulnerabilities in public software for big tech companies, who pay so-called bug bounties for vulnerabilities in their code. The goal of these bug bounties is to outbid the black market.

Grey Hats

Because the world is not black and white, there is of course a middle ground. Grey Hat hackers generally have the moral code of White Hats, but they tend to take a more flexible approach towards things like the law. While White Hat will not break into a system without permission, a Grey Hat just might, although they won’t break anything once they’re inside.

A perfect example of this is Khalil Shreateh, a Palestinian security researcher who discovered a vulnerability in Facebook in 2010. After Facebook repeatedly ignored his attempts to report the vulnerability, he finally got their attention by using the vulnerability to hack Facebook and write a post on Mark Zuckerberg’s Facebook wall.

Hacktivists

There’s another breed of hacker that’s a little outside of the whole “black/white” breakdown. Whether they are good or bad really depends on your political opinions. I’m talking of course about hacktivists. Hacktivists (porte-manteau of hacking and activist) are hackers motivated by political reasons rather than financial ones. (Government employees don’t count.)

The hacker collective Anonymous are hacktivists. An example of their work is the attack against pro-Islamic State Twitter accounts, whose content they replaced with gay porn following a mass shooting at a gay nightclub in Florida which had been claimed by the terrorist group.

Social Engineers

There’s a saying in Computer Science: the biggest vulnerability in any system is located between the screen and the chair. In other words, it’s the user.

Most forms of hacking require at least some skill with computers. For social engineering, all you really need is a telephone and the ability to manipulate people. Instead of attacking your computer to get your password and banking information directly, social engineers would rather trick you into giving them that information.

Those phone calls from “Microsoft Tech support” telling you there is something wrong with your computer and asking you to follow some instructions to give them access so they can “fix” it? Yeah, that’s a very crude form of social engineering to steal information from your computer. Microsoft explicitly states on their official website that they will never call you unprompted.

The US hackers conference, DEFCON, even has a competition for hacking people over the phone. If you’re having trouble imagining what that looks like, check it out for some real-world examples. For instance, here is a video of a DEFCON social engineer demonstrate how she gets a journalist’s phone company to lock him out of his own account in under five minutes.

How to protect yourself

So after that very unsettling video, you may be wondering: how do I protect myself?

The bad news is, there’s not a lot any of us can do apart from applying common sense. A Nigerian prince who lost his fortune should be emailing a lawyer, not you. (And real Nigerians are very angry that hackers have given them this terrible reputation.)

But just in case, here are a couple of tips.

Don’t overshare

When I was a kid, we were told never to give our real names on the internet. Facebook, LinkedIn and co put an end to all that! But still. Keep your social media accounts private. If they have to be public, go over what you shared, and trim it back to avoid giving away too much. We generally reveal more than we realize online, and you never know what hackers and scammers can use against you, so be thoughtful in what you expose.

Be suspicious

If you get a phone call from “the tax agency” or an email from “your boss”, question it. Double-check against official sources. Ask questions. Ask if you can call them back on the official number listed on the website. A website you looked up yourself, not one they referred you to. Remember, most hackers play a numbers game. They’re looking for an easy target. Don’t make it easy.

Tape Your Webcam

Or if it has one of those little sliders, slide it shut.

Don’t Plug In Strange Devices

Believe it or not, dropping thumb drives in parking lots and office hallways, and even the mail, is a popular tactic among hackers. People find the devices and plug them into their laptops in order to discover the owner, unwittingly activating malicious software which infiltrates their machine. So if you don’t know where it came from, don’t plug it in.

Don’t Click On The Link In That Email

I know, it’s so tempting. But don’t do it. Don’t be an easy target.

This is part one of the series on computer security. You can continue to part two on malware here.