Teh Intarwebs Are Out to Get Me! - Part 1 - Hacking

I've seen a number of blogs and comments about the growing use of the Internet and how we're all supposedly being watched. There's a lot of generally negative sentiment about the Internet and privacy, and while it's valid to a point, I feel it's mostly ignorance rearing its ugly head yet again. So, I figured I'd work to debunk the myths and tame some of the fears people have.

The Basics of Hacking, from a "Victim's" Standpoint

This is one of the big fears people have. What if I get hacked? What if they hack into the company's database? You hear all these stories and, sooner or later, you think, "what if it happened to me?"

Now, I'm not going to say it's never going to happen, because it does happen. However, more often than not, the big heists you hear about are against high-profile targets that an attacker has spent literally months planning and executing.

Most of you have probably seen the military commercial that says something like "this federal building gets attacked 65 thousand times a day," right? You know what the vast, vast majority of those are? Script kiddies and their automated tools: wannabe hackers who found a script or scanner somewhere on the Internet and pointed it at whatever target suits their fancy. Windows Firewall, crappy as it is (and not necessarily because it's Windows), can block nearly all of those attempts, because a script aimed at a port the firewall doesn't expose has nothing to talk to. Most of the rest are one or two steps above the script kiddies; they may be able to modify or write their own scripts to try against a given target. Some may even take the time to get around a basic perimeter firewall, but are stopped by an Internet security suite such as Norton or McAfee, or by a slightly more robust firewall than Windows Firewall (I'll touch on some of these security measures in a later section). Out of those 65 thousand "attacks" per day, one or two a week (and that's generous) might actually be threatening if even basic protection is in place.

And that's for a government institution. On an individual level? When an individual gets "hacked," it's nearly always because of their own ignorance or just plain carelessness: a weak or reused password, an attachment they shouldn't have opened, a router left on its factory settings. Like I said before, the vast majority of hacking attempts are script kiddies, which even the dumbest of firewalls can stop without any effort. The individual is simply not worth the time of a master hacker. At worst, you've got some 16-year-old kid getting into your network just because he can (which is more than likely a result of bad network security measures on the part of whoever set it up for you).

But Dragon, what about all those websites that always get hacked into and defaced?

Hacking websites is child's play, really. Websites are designed to be accessed by the general public from the Internet, so the permissions on the website itself tend to be relaxed enough for amateur hackers to play with. Website hacks are merely a nuisance in most cases: the intruder usually gets at the code and pages that make up the site, not the data behind it. The important caveat is that the site's own code talks to that data, so a flaw in the site (the classic one being SQL injection, where user input is pasted into a database query) lets an attacker borrow the site's own database access without ever leaving the web server. Defacements are the common case; data theft through the web application is the one to actually worry about.

Why is this, especially in cases where the company uses personal information from customers?

Well, it's simple, really. The web server is put in its own section of the network, known as a demilitarized zone (DMZ). This area is a sort of "no man's land" between the Internet and the internal network. A basic firewall stands between the server and the Internet, and a more robust firewall and router setup stands between the server and the internal network (sometimes it's a single firewall with three interfaces, one per zone, enforcing the same separation). The database server sits inside the network, protected by a web of access controls, firewalls, and subnetworks, and is reached by the website only when necessary, only on the one port the database listens on, and only through one specific login unique to the web server, which should have no more rights than the site needs. In some cases, the web server software is also locked into its own corner of the computer's file system (a "chroot jail"; the web server is just a program running on top of the operating system), so that even if the server software is compromised, the intruder cannot easily reach the rest of that computer.

The result, then, is that it can be fairly easy for someone to get access to a website, but it takes far more skill to actually get into the network and, therefore, to the real meat of the company.
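To make the caveat about web application flaws concrete, here is an added example (mine, not part of the original post) of how a website bug turns the web server's own database login into a data leak, with the hardened form beside it. The customers table, the usernames and the card numbers are constructed sample data, and an in-memory SQLite database stands in for the database server behind the DMZ; the page names and queries are assumptions for the example, not taken from any real site.

```python
import sqlite3

# Constructed sample data standing in for the database server behind the DMZ.
# Usernames, e-mail addresses and card numbers are made up for the example.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "4111-0000-0000-1111"),
    (2, "bob", "bob@example.com", "5500-0000-0000-2222"),
    (3, "carol", "carol@example.com", "3400-000000-33333"),
]


def open_db():
    """In-memory SQLite database with a constructed customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, card TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return db


def profile_vulnerable(db, username):
    """A 'show my profile' page the way many sites once wrote it: user input is
    pasted straight into the SQL text, so the input can rewrite the query."""
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def profile_safe(db, username):
    """Hardened form: a parameterised query. The SQL text is fixed and the value
    travels separately, so no input can change what the statement does."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def attack_results():
    """Run the same three inputs through both versions; returns the rows each gave."""
    db = open_db()
    inputs = {
        "normal": "alice",
        # closes the quoted string and adds a condition that is always true
        "or_true": "x' OR '1'='1",
        # appends a second SELECT that pulls a column the page never exposes;
        # the trailing -- comments out the original closing quote
        "union": "x' UNION SELECT username, card FROM customers --",
    }
    return {
        "vulnerable": {k: profile_vulnerable(db, v) for k, v in inputs.items()},
        "safe": {k: profile_safe(db, v) for k, v in inputs.items()},
    }


if __name__ == "__main__":
    for version, rows in attack_results().items():
        for label, result in rows.items():
            print("%-10s %-8s -> %s" % (version, label, result))
```

Notice that the attacker never touches the database server directly: the DMZ firewall still only sees the web server talking to the database on its usual port with its usual login. The fix is not a better firewall but a query that keeps data and code apart, plus a database login for the site that can only read the columns the site actually needs.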

Preventing Intrusions: Firewalls

The term "firewall" actually comes from architecture. In a building, a firewall is a fireproof wall that keeps a fire contained to one section of the building; it's especially common in apartment and office buildings, where a lot of people share one structure. The same term is used in automobiles for the fireproof panel separating the engine from the cabin, with the same purpose.

In information technology, a firewall works much the same way as its namesake. Instead of actual fires, it's designed to block the dangers of the Internet: hacking attempts, worms, and so forth. (It blocks connections, not content, so a virus that arrives in an e-mail attachment you choose to open walks right past it; that's the anti-virus's job.) Most people have at least one very basic firewall if they're running Windows XP with Service Pack 2 or later, which turns Windows Firewall on by default. If you have a home network or wireless connection, you also have another basic firewall: the router (basic retail routers such as Linksys or Netgear have simple firewalls built in, and because they share one public address among your PCs, the Internet can't reach a PC behind them directly unless you forward a port). IT firewalls, however, come in many different flavors.

Packet Filters - The first generation, and most basic, of firewalls is the packet filter, also called stateless packet inspection. It directs the flow of traffic based on a list of rules that look only at each packet's header: source and destination address, source and destination port, and protocol. It does not track the packet's state (whether it's part of an established connection), but judges each packet as an individual entity. The practical consequence is that to let the replies to your outbound connections back in, a stateless filter has to allow anything that merely looks like a reply, and an attacker can make a packet look like one by forging its source port.

Stateful Packet Inspection - A stateful packet inspection (SPI) firewall works much like a packet filter, except that it also keeps a table of the connections it has allowed and accepts further packets only if they belong to one of them. Unsolicited packets that don't match any known connection are dropped no matter what their headers claim. This also helps against some denial of service (DoS) attacks (a DoS attack is one where an attacker sends a server more traffic, or more half-open connections, than it can handle, so that legitimate requests get dropped). The caveat is that the connection table is itself a finite resource: a flood of connection attempts from forged addresses (a SYN flood) can fill it, so a stateful firewall needs sensible timeouts and limits of its own.

Application Layer - Like the name suggests, this type of firewall works at the application layer. It understands the protocol being spoken (FTP, HTTP, and so on), not just the port number, so it can tell which application is talking, check that the traffic on port 80 really is well-formed HTTP, and block requests that are perfectly valid at the packet level but dangerous to the application behind them.

There are a number of others, but these are the common ones. Most firewalls you'll find in retail are stateful packet inspection firewalls, often built into routers or packaged with anti-virus software as part of an Internet security suite. Application layer firewalls and beyond are typically used in larger businesses that have a lot of sensitive information.

That's not to say your standard SPI firewall isn't good enough for individual use; it's that the individual doesn't need that type of protection. It would be like wearing a fighter pilot's gear to drive your car. Why? Because you're simply less likely to be a target for the really dangerous intruders.
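To show both the three-zone DMZ layout from the earlier section and the difference between a stateless and a stateful filter, here is an added simulation (mine, not from the original post and not modelled on any real firewall product): a toy packet filter that evaluates constructed packets against a zone policy, first with no memory and then with a connection table. The hosts, addresses, ports, policy rules and the table size are all assumptions for the example; real firewalls also match on protocol, direction and interface, which this toy omits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter looks at. TCP is assumed throughout."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set only on the packet that opens a TCP connection


# Constructed hosts, one per zone, using documentation address ranges (assumed).
INTERNET_CLIENT = "203.0.113.5"   # an outside client, or an attacker
WEB_DMZ = "192.0.2.10"            # the web server in the DMZ
DB_INTERNAL = "10.0.0.20"         # the database server on the internal network
PC_INTERNAL = "10.0.0.50"         # a staff workstation on the internal network


def zone(ip):
    if ip.startswith("10."):
        return "internal"
    if ip.startswith("192.0.2."):
        return "dmz"
    return "internet"


# Who may open a connection to whom: (source zone, destination host, port).
# Anything not listed is denied. Hypothetical policy for the example.
POLICY = [
    ("internet", WEB_DMZ, 80),       # the public may reach the web server...
    ("internet", WEB_DMZ, 443),      # ...and nothing else
    ("dmz", DB_INTERNAL, 3306),      # the web server may reach the DB, nothing else
    ("internal", "*", 80),           # staff may browse out
    ("internal", "*", 443),
]


def policy_allows(pkt):
    """True if POLICY permits a new connection from pkt.src to pkt.dst:pkt.dport."""
    return any(zone(pkt.src) == z and d in ("*", pkt.dst) and pkt.dport == p
               for z, d, p in POLICY)


def reverse(pkt):
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatelessFilter:
    """First generation: every packet is judged on its own header alone."""

    def accept(self, pkt):
        if policy_allows(pkt):
            return True
        # Replies must get back in, but with no memory of earlier packets the
        # only way to recognise one is "it looks like the reverse of something
        # we allow". That rule is the hole: a forged source port satisfies it.
        return policy_allows(reverse(pkt))


class StatefulFilter:
    """Second generation: remembers the connections it has admitted."""

    def __init__(self, max_entries=1000):
        self.table = set()
        self.max_entries = max_entries

    def accept(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or rkey in self.table:
            return True                 # belongs to a connection already admitted
        if pkt.syn and policy_allows(pkt):
            if len(self.table) >= self.max_entries:
                return False            # table full: the DoS caveat from the text
            self.table.add(key)
            return True
        return False                    # unsolicited: dropped whatever it claims


def run_scenarios():
    """Same constructed packets through both filters; returns accept decisions."""
    packets = [
        ("client_syn", Packet(INTERNET_CLIENT, 50000, WEB_DMZ, 443, syn=True)),
        ("web_reply", Packet(WEB_DMZ, 443, INTERNET_CLIENT, 50000)),
        ("web_to_db", Packet(WEB_DMZ, 40000, DB_INTERNAL, 3306, syn=True)),
        # a compromised web server trying to pivot to a staff workstation
        ("web_to_pc", Packet(WEB_DMZ, 40001, PC_INTERNAL, 445, syn=True)),
        # attacker forges source port 80 so the packet "looks like a reply"
        ("forged_sport", Packet(INTERNET_CLIENT, 80, PC_INTERNAL, 445, syn=True)),
    ]
    results = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        results[name] = {label: fw.accept(p) for label, p in packets}
    return results


def syn_flood(n_spoofed, capacity=100):
    """Fill a stateful filter's table with SYNs from forged addresses, then see
    whether one legitimate client can still connect. Returns that decision."""
    fw = StatefulFilter(max_entries=capacity)
    for i in range(n_spoofed):
        fw.accept(Packet("198.51.100.%d" % (i % 250 + 1), 1024 + i, WEB_DMZ, 80, syn=True))
    return fw.accept(Packet(INTERNET_CLIENT, 50001, WEB_DMZ, 80, syn=True))


if __name__ == "__main__":
    for fw_name, decisions in run_scenarios().items():
        print(fw_name, decisions)
    print("legit client admitted after 50 spoofed SYNs:", syn_flood(50))
    print("legit client admitted after 100 spoofed SYNs:", syn_flood(100))
```

Both filters let the public reach the web server, let the web server's reply out, let the web server reach the database, and stop the web server from wandering over to a workstation. The difference shows up on the forged packet: the stateless filter waves it through because, header for header, it is indistinguishable from a reply to a staff member's web browsing, while the stateful filter has no matching connection and drops it. The `syn_flood` function shows the flip side: once enough forged connection attempts fill the table, the stateful filter starts refusing legitimate clients too, which is why real products cap half-open connections and age entries out.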

The Big Leagues of Hacking

The stories you hear of businesses getting hacked and information stolen are no small feat on the intruder's part. They take an intimate knowledge of the company's computer systems. The intruder needs to know everything from the operating systems of the target computers, the type of firewalls and routers in use, building schedules, and the intrusion detection/prevention programs, to exactly which server the desired data is stored on.

The payoff, however, is unimaginable.

Not only does the hacker obtain the information desired (ideally undetected), but he also earns fame in the hacker community, especially if the target is a high-profile, dangerous one.

The stakes are high in the world of the Black Hat (illegal) hackers. Getting caught means having S.W.A.T. at your doorstep and the company's lawsuit in your hands. Depending on your targets (and criminal record), hacking can land you in solitary confinement in federal prison (if Alcatraz were still running, you'd probably be there).

White, Gray, and Black Hats

In hacking, a hacker's "legal" status is symbolized by the color of their proverbial hat. A Black Hat is one who does his work illegally and usually maliciously. Black Hats are typically the ones who steal credit card information and the like.

Gray Hats are hackers who walk the line between ethical and unethical behavior. The act is still illegal, but the motives are benign. Many Gray Hats will do things such as hack into a system, then notify the company about how they got in and how to fix it. For the most part, companies are grateful for these people (free security consulting), but sometimes it doesn't go so well. Adrian Lamo is one of the most well-known Gray Hats; he has successfully broken into Microsoft, Ameritech, Bank of America, Sun Microsystems, and Citigroup, among others. The New York Times was his undoing.

White Hats are the ones who perform their trade legally. They're also known as security consultants or penetration testers: the people companies pay to break into their own systems to find out where the weaknesses are, with written permission and an agreed scope up front, which is exactly what separates them from the Gray Hats. Kevin Mitnick, probably the most notorious hacker (a former Black Hat), runs a top security consulting company.

Recommended Reading and Future Entries in This Series

The world of hacking, and computers in general, is vast: so vast that it can't all be covered in one blog entry. So, I plan on writing more on the general topic of Internet and computer security. I plan for the next entry in this series to be about identity theft, and possibly a third on social engineering; after that, I'm not sure, so I'll take any ideas people may have.

You may also have noticed that I cited very few sources. That's primarily because this information comes from over a decade of working with computers in general and a Bachelor's in Computer Information Systems. Much of it stems either from classes and textbooks or from personal experience.

I do have one book that I recommend reading, and it is one of the basic sources for bits and pieces of this entry (particularly those regarding Kevin Mitnick and the consequences of getting caught). The book is called The Art of Intrusion, and I highly recommend it to anyone. It's filled with fascinating stories about Kevin's own experiences with hacking, as well as stories from other hackers.