The recent leaking of more than 100 million LinkedIn passwords stolen in a security breach four years ago has not only put hacking back in the news, it has increased the number of attacks on websites across the internet.
While most people worry about their emails and bank accounts when their personal details are revealed, most hackers will actually be using the data purloined from LinkedIn to try and break into the much softer targets of personal blogs and ordinary business websites.
The trouble with hacking is that it tends to involve nerds and nerds tend to talk in a language only nerds can understand. So in this article, I’ll try to translate the key concepts from nerdspeak to plain English so you can understand the basics of hacking and some of the things you should be doing to protect yourself…
Types of attack
AKA ‘brute’, ‘exhaustive key search’, ‘dictionary attack’
With its connotations of a shoulder barge against the door, ‘brute force’ is the crudest method of trying to gain entry to a secure website. However, ‘bloody-minded’ might be a better term for this type of hack as the technique involves patience more than muscle.
Simply put, brute force is the same procedure a complete novice would use to attempt breaking into your website’s admin area – try to guess the password.
Of course, unless your password is ‘password’ or the would-be hacker has personal knowledge of words you might use (like your children’s names or favourite football team) it’s unlikely they’ll hit on the right one with random guesses, at least not before getting very bored.
Of course, real hackers don’t sit at their computers typing in ‘chantelle’, ‘dwayne’ and ‘millwall’ hoping for the best. Instead they use password-cracking software like John the Ripper or Hashcat (you’ll get used to these stupid names as we go along) to automatically make repeated guesses using predefined algorithms.
What is known as a ‘dictionary attack’ is the cybercrime equivalent of starting at ‘aardvark’ and working your way through to ‘zyzzyva’, but most brute-force algorithms involve known trends in password-setting (such as a single word followed by a year) and to save time they will run these formats first.
Of course, this still leaves billions of possible combinations and requires a lot of processing power to find the right one. However, further time can be saved if you have some clues – for instance, the length of the password.
This is why the LinkedIn leak is of use to brute-force attackers – the leaked passwords currently doing the rounds are still in an encrypted form, but a combination of an email address and a ‘hash’ (a scrambled password) of a certain length takes literally millions of guesses out of a brute-force attack.
The data can also be analysed to create lists of frequently used passwords – quite handy when you also know that common usernames (such as ‘admin’, ‘webmaster’ or ‘root’) are still used on thousands of websites. It’s still guesswork, but it’s increasingly educated.
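Detecting the ‘educated guesswork’ described above is largely a matter of watching your login log. The following is an added example (not code from the original article) that runs a simple brute-force detector over a constructed login log: it flags any source address that racks up several failed logins in a short window and reports whether it tried the common usernames mentioned above. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the article): one source hammering the
# admin area with common usernames, one genuine user mistyping once.
SAMPLE_LOG = """\
2016-06-01 10:00:01 203.0.113.5 admin FAIL
2016-06-01 10:00:02 203.0.113.5 admin FAIL
2016-06-01 10:00:02 203.0.113.5 webmaster FAIL
2016-06-01 10:00:03 203.0.113.5 root FAIL
2016-06-01 10:00:04 203.0.113.5 admin FAIL
2016-06-01 10:00:05 203.0.113.5 admin FAIL
2016-06-01 10:03:00 198.51.100.9 editor FAIL
2016-06-01 10:03:40 198.51.100.9 editor OK
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (FAIL|OK)$")
COMMON_USERNAMES = {"admin", "webmaster", "root"}

def parse(log_text):
    """Each line becomes (timestamp, source ip, username, result)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Flag any source IP with max_failures or more failed logins inside a
    sliding time window, noting which of the well-known usernames it tried."""
    failures, tried = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in parse(log_text):
        if result == "FAIL":
            failures[ip].append(ts)
            tried[ip].add(user)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= max_failures:
                alerts[ip] = {"failures_in_window": end - start + 1,
                              "common_usernames": sorted(tried[ip] & COMMON_USERNAMES)}
                break
    return alerts
```

A real setup would feed alerts like these into a block list or lockout, which is what the ‘monitor user log-ins’ advice at the end of this article amounts to.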
AKA ‘sequel injection’
If trying to guess a password from a seemingly infinite number of possibilities sounds like it might eat into your social schedule, you can instead ask a website to simply tell you the password (or some other useful information).
SQL injection is an attempt to bypass the website’s security system and talk straight to the database powering it. ‘SQL’ (pronounced either ‘ess-cue-el’ or ‘sequel’) stands for ‘Structured Query Language’ and is the standard language for website databases, the place where all your content, settings and, yes, your passwords, are stored.
Websites with content management systems (CMS) will be constantly talking to their corresponding SQL databases. Of course, usually only the information you want to make public makes it onto your pages, but bad coding will sometimes result in SQL data being spewed into the public domain.
If there is no bad code, a hacker can try and add some themselves. Using features designed for user interaction (such as contact forms) they will attempt to ‘inject’ bad code that breaks the barrier between them and the database.
It works by writing a line of code with a command as simple as ‘SELECT email, password FROM users’ (this means ‘Dear website, please get me the columns “email” and “password” from the table called “users”. Much obliged.’) and submitting this in a field designed for some other user input.
The SQL syntax is designed to allow websites to retrieve any data they need from the database, so there are thousands of different commands and combinations an SQL hacker can inject. The most common involves using quote marks to confuse existing SQL statements within the code, making them think they have ended early. This means, for instance, the part of the SQL code that checks whether a username and password combination match can be made to return a positive result no matter what email and password are actually entered. Eek.
Of course, this is a really bad thing, but before you flee the internet in blind panic, it’s important to point out that SQL injection is only possible when the code allows it. Almost all modern websites are built to disallow anything that looks like an SQL injection in form submissions and your hosting firewall will probably be on the look-out too.
Unfortunately there are still many sites with old code or poorly written plug-ins that don’t protect against SQL injection. This type of hacking is entirely preventable, yet it also remains one of the most likely methods to succeed – in one survey it accounted for 83% of all successful hacks and two-thirds of American IT firms reported SQL breaches in another.
This is because hackers love an easy target – SQL vulnerabilities, where they exist, are easy to detect and very easy to exploit. When you get random, indecipherable submissions through your contact page, there’s a good chance it’s a hacker seeing how open your forms are to malicious code injections.
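To make the ‘quote marks ending the statement early’ idea concrete, here is an added example (not code from the original article) that builds a tiny in-memory SQLite users table and shows a login check written the bad way, with user input pasted straight into the SQL text, beside the fix, a parameterised query where the database driver keeps the input as data. The table, the user and the passwords are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table (a stand-in for a real site's database).
    A real site should store a salted hash here, never the password itself."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('owner@example.com', 'correct-horse')")
    return db

def login_vulnerable(db, email, password):
    """The bad pattern: the user's text becomes part of the SQL statement, so a
    quote mark in the input ends the string early and the rest is run as SQL."""
    query = ("SELECT email FROM users WHERE email = '" + email +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_safe(db, email, password):
    """The fix: a parameterised query. The '?' placeholders are filled in by the
    driver, and whatever the user typed is compared as plain text."""
    query = "SELECT email FROM users WHERE email = ? AND password = ?"
    return db.execute(query, (email, password)).fetchone() is not None

# A quote-mark input of the kind the article describes: it closes the string
# early and tacks on a condition that is always true.
QUOTE_INPUT = "' OR '1'='1"

def demo():
    """Run both login checks against the same table and report the outcomes."""
    db = make_db()
    return {
        "vulnerable_wrong_password": login_vulnerable(db, "owner@example.com", "wrong"),
        "vulnerable_with_quotes": login_vulnerable(db, QUOTE_INPUT, QUOTE_INPUT),
        "safe_with_quotes": login_safe(db, QUOTE_INPUT, QUOTE_INPUT),
        "safe_correct": login_safe(db, "owner@example.com", "correct-horse"),
    }
```

The vulnerable version lets the quote-mark input log in without knowing any password; the parameterised version treats it as a (wrong) email address and refuses, which is what ‘built to disallow anything that looks like an SQL injection’ means in practice.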
‘Denial of Service’
Large companies – the kind targeted by so-called hacktivist (‘hack-activist’) groups like Anonymous and LulzSec – ought to have the resources and know-how to prevent both brute-force hacks and SQL injections (although the October 2015 theft of TalkTalk customer data was carried out by the latter method), so they are more frequently targeted by ‘denial of service’ attacks.
The aim here is to deny an online service to customers and internal users by overloading it with traffic. Attackers will bombard a website with phoney requests for information until the server is completely overloaded and breaks down into a quivering heap.
A common variation of DoS is ‘DDoS’, which is a distributed denial-of-service attack. The processing power behind the attack is distributed across a whole network of computers (a ‘botnet’), meaning more server requests can be made from more locations. Many of the computers involved in the attack will have been commandeered in previous hacks or via the distribution of malware, and their owners will have no idea what is taking place.
Mostly DoS is perpetrated out of malice or for political reasons, though a struggling server may also open itself up to security breaches allowing for data theft. Companies have also been extorted with the threat of a DoS attack that would have prevented them trading and damaged their reputation.
The difficulty for victims of DoS attacks is that the attack will come from many directions at once (including from genuine users repeatedly refreshing the page trying to get the site working) making it difficult to block the malicious connections. To prevent your server crashing, you could shut it down yourself, but that’s what the attackers were probably trying to achieve in the first place. Or while you’re distracted fending off the DDoS, they might be trying to breach your security another way…
Some other hacking methods
Phishing – rather than trying to guess someone’s password, you could just send them an email asking for it. We might think we’re wise to phoney banking emails by now, but how many of us check the link we’ve just followed really is Facebook before logging in to comment? Phishing is becoming increasingly sophisticated while users are becoming lazier, expecting to share cat videos instantly without checking the security implications first.
Malware – this is virus-like software that will usually track your web activity in some way, such as recording key-strokes, including, you know, passwords. Spotting a trend yet?
‘Waterhole’ attacks – rather than try to break a company’s ramped-up security, let them come to you (like hapless wildebeest approaching a crocodile-infested watering hole) by enclosing your malware in an otherwise useful piece of software or a website employees are likely to download or use.
Remote File Inclusion (RFI) – similar to SQL injection, rather than adding lines of malicious code, you could just upload a whole file of them and hope the website isn’t checking the contents.
Social engineering – instead of messing about with fake emails, malware and injection code, it is remarkably easy to trick people into giving up the information required just by being a seemingly nice person. You could ring them up pretending to be from IT support (try enough extensions and eventually you’ll find someone with a problem), send them a ‘Trojan Horse’ USB stick purporting to be a free software sample, or better yet just sneak into their office and compromise an unattended computer.
‘Backdoor’ attacks – in programming, a backdoor is a way of logging in that bypasses the usual security procedures, allowing developers to get into a system that is otherwise misbehaving to perform maintenance. It’s the tech equivalent of leaving a spare key under a flower pot – invaluable when you’re locked out of your house, but dead handy for anyone else who is supposed to be locked out.
Web security terms
‘White Hat’ vs ‘Black Hat’
Dating back to the days when the goodies and baddies of Hollywood Westerns would be distinguished by the colour of their cowboy hats (so you could tell them apart during hectic fight scenes, although it clearly has metaphorical value too), hackers who do bad things are ‘black hats’, while people with hacking skills who try to bolster website security or alert firms to flaws they’ve found in their software are ‘white hats’ (usually for a financial reward, rather than simply being on the side of right and justice).
A zero-day vulnerability is one that has already become known to the hacking community (who share such security flaws like football fans exchanging transfer gossip) meaning the software-makers have zero days to fix the problem before black hats will start exploiting it.
White hats, having discovered a vulnerability, will often alert a firm and give them a deadline before they make their exploit public – this is partly to motivate the prompt handover of reward money, though it also has the effect of forcing software firms to be more proactive in updating their software, which can only be good for users (providing they install the updates).
A ‘pen tester’ is someone who is hired by a firm to test how easy it is to penetrate their security systems. A form of white-hat hacking, it involves applying many of the techniques discussed in this article to a website, application or network to identify flaws before they are found by malicious hackers and become zero-day vulnerabilities.
Hackers gain access to websites and networks because they know how software works. It makes sense, then, that many would also be adept at writing software themselves. As long as there have been computer hackers (since the early ’80s, though Wikipedia puts the first recorded hack at 1903!) there have been hacking tools – pieces of software written to facilitate methods such as the dictionary attack or password decrypting.
These days hackers have access to whole operating systems designed to not only aid them in their nefarious doings, but also to keep their identity hidden from the authorities. Meanwhile specific ‘exploit kits’ designed to target a newly discovered vulnerability are auctioned off in shady marketplaces that are effectively eBay for hackers (and pen testers wanting to close the loopholes before the black hats find them).
Basic hacking prevention
By now, if you’re a website owner, you’re probably pretty worried. And you should be worried because hacking is a genuine threat to every website, not just the LinkedIns and TalkTalks of the world.
As you can imagine, the methods of preventing hacking are as varied and ever-changing as the hacking techniques themselves, so it would be impossible to be comprehensive in this article, but here are some basic principles you can follow to reduce the risk:
- ALWAYS keep your website’s software up to date – each update to your CMS (content management system) will contain fixes for zero-day vulnerabilities already in circulation amongst black hat hackers.
- Use established and reputable software and plug-ins – at best, poorly written code can leave you vulnerable to attack – at worst, it may already contain Trojan horse malware; the more popular your software is, the more it will be targeted by hackers, but the more often vulnerabilities will be identified and patched by white hats.
- Don’t cheap-out on development – building a secure website takes time and expertise, so if you are using bespoke functionality, don’t cut corners, rush deadlines or rely on inexperienced developers.
- Back up regularly – if you do get hacked, you’ll most probably need to revert back to a previous version of your files and database to be sure there are no nasties still lurking within (hackers will generally litter a compromised site with malware in different locations, as well as creating their own ‘backdoor’ to re-enter the site at a later date).
- Monitor file changes and user log-ins – reputable website security software will do this for you, alerting you if there is suspicious activity and automatically blocking unapproved users who might pose a threat.
- Be password smart – always use a complicated password, preferably a randomly generated one, and don’t use your website admin password on other sites; use your browser’s password manager or a service like LastPass to remember complex passwords for you; avoid using common usernames like ‘admin’ or ‘root’.
- Trust no one – don’t enter your passwords anywhere without checking the link you have followed; don’t be afraid of asking questions of anyone claiming to be technical support – a true techie will appreciate your concern for security and won’t take offence; if you share office space, lock your screen when you leave your desk.
- Don’t have nightmares.