Seven Facts That Nobody Told You About Hacking
Online security is increasingly an issue rich for headlines as everyone from movie studios and celebrities to major retailers and CENTCOM find themselves the victims of digital infiltrators. However, “hacking” is also a very technical issue and, like many technical issues, one the media often gets wrong.
So as a citizen of the 21st century, it’s increasingly important to arm yourself with some basic facts about hacking, cybersecurity, and the real threats they pose, as well as those they don’t. With that in mind, here are seven common misconceptions you might have about hacking.
1) Taking down a site is akin to hacking that site
One of the most common headline-grabbing moves by so-called hackers is to take down their site through a DDoS attack. A group calling itself Lizard Squad has been using this method to take down the networks of Playstation and Xbox Live. It’s a common method of protest by the hacker collective Anonymous, which has used it against such varied entities as the Westboro Baptist Church and, most recently, French jihadists.
These are not "hacks," however, in the traditional sense of the term. A "hacker" is defined by the National Initiative for Cybersecurity as "an unauthorized user who attempts to or gains access to an information system." Taking down a website or even a server does not take so much effort and certainly doesn’t demand infiltrating the host of the target. All you need is a simple distributed denial of service, or DDoS.
A DDoS is a network of computers all sending data packets towards one server with the goal of overloading said server. Far from many individuals sending data from their computers, however, the most common form of DDoS consists of networks of computers—typically hacked for this purpose without their owners knowing—all being used to flood a particular target.
These networks of pirate zombie computers are typically open for business: You can special order a DDoS attack on the black market for about $150 a week, similar to hiring a hitman. The attacks on PSN and Xbox, for example, are believed to have been a publicity stunt for Lizard Squad’s very own network-for-hire of home routers it has hacked for the expressed purpose of large-scale DDoS attacks.
But it’s important to remember that a DDoS site takedown is very different from hacking a site. Being able to overload a site or server is a far cry from ransacking the databases of a company, like what happened to Sony last November. To paraphrase a popular xkcd comic, it’s the difference between robbing a store and tearing down a poster the store put up.
2) A hijacked Twitter account means that company has been hacked
This week, the Twitter and YouTube accounts for CENTCOM—the Central Command of the Pentagon—were disrupted by hackers claiming to be fighting in the name of ISIS. While that sounds scary, it’s actually far more common and far less frightening than a successful attack on CENTCOM or any defense agency.
So let’s say you have a Twitter account. As it has happened to many of us, a friend contacts you and asks why you’re tweeting about this great new weight loss method you found. You think: “Crap! Someone hacked into my Twitter account!” Do you then think: “Crap! They must have all my files on my computer?” Of course not. That’s all that has happened with CENTCOM.
This is not to say the CENTCOM hijack isn't important or doesn't have grave implications for the Pentagon. Social media accounts are a good judge for password security as a whole, and if your password and username for Twitter is the same as it is on Instagram, there’s a good chance that, if one is compromised, so is the other. This is why you should be forgoing choosing your own passwords altogether and using a password manager.
Third party apps within sites, however, can threaten the stability of a service. The Syrian Electronic Army, a hacker collective of uncertain origin, has redirected hundreds of URLs by hacking software used to manage banner ads and comment boards. Still, this is a far cry from accessing sensitive data hosted by, say, Forbes or CNN.
3) Hacking takes skill and high-tech software
When a massive cache of nude photos of celebrities hit the Internet last August, the media made the perpetrators into cyberterrorism masterminds. It’s a common mistake to assume “hacks” like the Celebgate leak are done by modern-day wizards, fingers rushing over a keyboard as they coordinate some massive operation. In reality, all this kind of infiltration takes is some simple assumptions.
One of the purposes for security questions on any website is to help the site verify your identity, asking for answers about you (so you won’t forget them) but impersonal enough a stranger couldn’t easily learn them. But when you tell the site the name of your favorite pet, your mother’s maiden name, or your elementary school, you might not think about how easy that information is to find.
Have you ever mentioned your elementary school on Facebook? How about a childhood photo where you’ve tagged your favorite pet? Maybe a memoriam to your late mother wherein you use her maiden name? All of that information can be used by someone to access any account using this information as a “Forgot Password” measure.
Now, instead of just the information you put on social media, imagine you’re a huge celebrity with a Wikipedia page, hundreds of interviews, and a fanbase ravenous for any and every detail about you. What information is so private it can be trusted as a security question?
This is part of a too-often overlooked part of hacking, known as social engineering. Some of the most notorious hackers in history were best at manipulating people into revealing enough data about themselves or their systems. And it’s not just your passwords that are at risk: In 2011, security firm Bancsec showed how, with little more than an email and a phone call, you could rob a bank of $25,000 with no one the wiser.
So with just a little bit of googling and an understanding of human nature, you, too, can be a master hacker like 4chan. Popular culture often gives people the impression that computers and security systems are complex mechanisms that only an engineering whiz can understand. But these portrayals forget that humans are often the weakest part of any system and, therefore, the easiest target.
4) Anonymous is a well-organized group of genius hackers
Perhaps no group has gotten more press for its cyber exploits than Anonymous. As noted above, they often choose high-profile targets for largely simple attacks with explosive results. In the wake of the Sony Pictures hack, for instance, they managed to disrupt the entire North Korean internet with a single DDoS attack.
Far be it for anyone, however, to perceive them as some elite squadron centrally controlled and spread throughout the globe. While their cyberactivism is often impressive, they are purely an opt-in organization. This means that anyone who does anything representing Anonymous is, ipso facto, representing Anonymous. While there does appear to be a core group of organizers, they lack much power over their army of uncertain numbers.
As Gabriella Coleman of the Atlantic wrote back in 2010, "it may be impossible to gauge the intent and motive of thousands of participants, many of whom don't even bother to leave a trace of their thoughts, motivations, and reactions. Among those that do, opinions vary considerably."
This apparent organizational uncertainty and lack of "true" hacking methods has made the group more of a band of merry pranksters than some digital warrior elite. Their reliance on otherwise harmless methods like DDoS are why CNN once called them "the graffiti artists of the Internet."
But that’s not to say fairly sophisticated hacks haven’t been carried out by people claiming to represent Anonymous. Back in 2011, Sony’s Playstation Network was compromised by Anonymous, revealing the personal and financial data of over 100 million users. After that, they moved on to more serious prey, releasing the personal data of the security firm the FBI had hired to help investigate Anonymous. LulzSec, an Anonymous spin-off group, likewise purged information from security contractors and the U.S. Senate. Still, the vast majority of Anonymous actions amount to little more than temporary vandalism.
5) China is the biggest source of hacks against the U.S.
While fighting for the memory of murdered satirists like Anonymous or taking down huge gaming networks like Lizard Squad are good for headlines, they are far afield from the typical large-scale hacking incident.
Real hacks—attempts to steal personal and financial data—actually most often come from low-key targets in Eastern Europe. According to security firm Gartner, 8 percent of all noted hacks come from within Russia. U.S. ally Taiwan, curiously, comes in at second with 3 percent of hacks and Germany and the Ukraine come in at 2.6 percent and 1.8 percent, respectively. For all the hubbub about Chinese hackers, only 0.5 percent of hacks directed at the U.S. or U.S. companies have come from China.
There’s also the problem of finding where a hack came from in the first place, the primary job of firms like Gartner, Norse, and Mandiant. As Gartner Research Director Lawrence Pingree noted in the above blog post, "It is fairly well known by most security professionals that the best hackers on the planet often originate from Russia."
You wouldn’t know this from looking at the headlines. The idea of Chinese cyberespionage, for whatever reason, often finds its way into the news media while Russia’s status as our primary cyberwar antagonist goes mostly unknown among laymen.
6) Cyberattacks by countries are rare and equivalent to an act of war
Despite the notoriety of the supposedly North Korean attack against Sony Pictures, attacks against the U.S. government and American businesses by other countries are astonishingly common.
Every industry is suspect to cyberespionage by nation-states, usually in an attempt to gain an economic advantage. As DJ Summers wrote for Fortune last October, "Pilfered research from the biomedical, energy, finance, software, IT, defense, and aerospace industries creates not only economic gain but state-related advantage." Such varied data as medical patents and the source code for Microsoft applications have been stolen by Chinese and Russian hackers in the interest of competing against US firms.
Just last September, a Senate panel found 20 intrusions by Chinese hackers of defense contractors specializing in the movement and deployment of US troops. The agency that coordinates these efforts, U.S. Transportation Command, only knew about two.
Moves like these, however, are the new face of spying. And much like the cloak-and-dagger tactics of the Cold War, everybody’s doing it. Despite government claims to the contrary, NSA whistleblower Edward Snowden has implicated the U.S. in the same sort of corporate intellectual theft it has decried China for. "If there's information at Siemens [a German manufacturer and conglomerate] that's beneficial to U.S. national interests—even if it doesn't have anything to do with national security," Snowden said in an interview on German television, "then they'll take that information nevertheless."
The drama surrounding the Sony Pictures hack might confuse some people into believing cyberattacks will ultimately reach the front page because they’re so rare and damaging. However, the more salacious attacks are the ones that happen to U.S. companies every day but never make the front page of the paper.
7) Companies have to disclose if they’ve been breached
This is probably the most important misconception to have about cybersecurity as it provides a dangerously false sense of protection. In actuality, most cyberattacks are not merely underreported by the press but never publically disclosed in the first place.
Huge data breaches of credit card numbers and other data at retailers like Home Depot and Target sound the scariest, but most credit card breaches go completely unnoticed. A presentation at last year’s Blackhat Convention (a meeting of the cybersecurity industry) showed how small, point-of-sale companies can be hacked with relative ease. Even though they hold sensitive data, such companies can rarely afford the type of software and staff necessary to thwart a concerted effort by determined identity thieves.
But that’s not to say larger companies with sizable budgets and staff will always report the extent which they’ve been hacked or even be aware that they are currently victim to a hack. Last October, the New York Times reported hackers had free reign on the computers of JPMorgan for two solid months before anyone noticed. Retailer Neiman Marcus had a similar situation for five months and non-profit Goodwill allowed hackers into their system for a year and a half.
But even the hacks that reach the press cannot possibly represent all the hacking that is being done. As Bitsight cofounder Stephen Boyer told Forbes, “The math does not add up between public disclosure and what is actually going on. We know that the problem is much worse than is communicated by breach disclosure.”
There is no law forcing companies to reveal when customer data has been breached and many might avoid doing so to save face and profit. Such disclosures, experts believe, are actually crucial to the future of cybersecurity and a central part of President Barack Obama’s new push for increased cyberdefense.
Such measures could further illuminate the real risks companies, governments, and citizens face online. Cybersecurity, like any complex topic, is often subject to oversimplification and misguided half-truths. In the wake of the Sony Pictures hack, it is clear breaches, leaks, and attacks will continue to be a popular news item, making it more important than ever that every news consumer arm themselves with even a basic understanding of what’s really happening online.
Online security is increasingly an issue rich for headlines as everyone from movie studios and celebrities to major retailers and CENTCOM find themselves the victims of digital infiltrators. However, “hacking” is also a very technical issue and, like many technical issues, one the media often gets wrong.
So as a citizen of the 21st century, it’s increasingly important to arm yourself with some basic facts about hacking, cybersecurity, and the real threats they pose, as well as those they don’t. With that in mind, here are seven common misconceptions you might have about hacking.
1) Taking down a site is akin to hacking that site
One of the most common headline-grabbing moves by so-called hackers is to take down their site through a DDoS attack. A group calling itself Lizard Squad has been using this method to take down the networks of Playstation and Xbox Live. It’s a common method of protest by the hacker collective Anonymous, which has used it against such varied entities as the Westboro Baptist Church and, most recently, French jihadists.
These are not "hacks," however, in the traditional sense of the term. A "hacker" is defined by the National Initiative for Cybersecurity as "an unauthorized user who attempts to or gains access to an information system." Taking down a website or even a server does not take so much effort and certainly doesn’t demand infiltrating the host of the target. All you need is a simple distributed denial of service, or DDoS.
A DDoS is a network of computers all sending data packets towards one server with the goal of overloading said server. Far from many individuals sending data from their computers, however, the most common form of DDoS consists of networks of computers—typically hacked for this purpose without their owners knowing—all being used to flood a particular target.
These networks of pirate zombie computers are typically open for business: You can special order a DDoS attack on the black market for about $150 a week, similar to hiring a hitman. The attacks on PSN and Xbox, for example, are believed to have been a publicity stunt for Lizard Squad’s very own network-for-hire of home routers it has hacked for the expressed purpose of large-scale DDoS attacks.
But it’s important to remember that a DDoS site takedown is very different from hacking a site. Being able to overload a site or server is a far cry from ransacking the databases of a company, like what happened to Sony last November. To paraphrase a popular xkcd comic, it’s the difference between robbing a store and tearing down a poster the store put up.
2) A hijacked Twitter account means that company has been hacked
This week, the Twitter and YouTube accounts for CENTCOM—the Central Command of the Pentagon—were disrupted by hackers claiming to be fighting in the name of ISIS. While that sounds scary, it’s actually far more common and far less frightening than a successful attack on CENTCOM or any defense agency.
So let’s say you have a Twitter account. As it has happened to many of us, a friend contacts you and asks why you’re tweeting about this great new weight loss method you found. You think: “Crap! Someone hacked into my Twitter account!” Do you then think: “Crap! They must have all my files on my computer?” Of course not. That’s all that has happened with CENTCOM.
This is not to say the CENTCOM hijack isn't important or doesn't have grave implications for the Pentagon. Social media accounts are a good judge for password security as a whole, and if your password and username for Twitter is the same as it is on Instagram, there’s a good chance that, if one is compromised, so is the other. This is why you should be forgoing choosing your own passwords altogether and using a password manager.
Third party apps within sites, however, can threaten the stability of a service. The Syrian Electronic Army, a hacker collective of uncertain origin, has redirected hundreds of URLs by hacking software used to manage banner ads and comment boards. Still, this is a far cry from accessing sensitive data hosted by, say, Forbes or CNN.
3) Hacking takes skill and high-tech software
When a massive cache of nude photos of celebrities hit the Internet last August, the media made the perpetrators into cyberterrorism masterminds. It’s a common mistake to assume “hacks” like the Celebgate leak are done by modern-day wizards, fingers rushing over a keyboard as they coordinate some massive operation. In reality, all this kind of infiltration takes is some simple assumptions.
One of the purposes for security questions on any website is to help the site verify your identity, asking for answers about you (so you won’t forget them) but impersonal enough a stranger couldn’t easily learn them. But when you tell the site the name of your favorite pet, your mother’s maiden name, or your elementary school, you might not think about how easy that information is to find.
Have you ever mentioned your elementary school on Facebook? How about a childhood photo where you’ve tagged your favorite pet? Maybe a memoriam to your late mother wherein you use her maiden name? All of that information can be used by someone to access any account using this information as a “Forgot Password” measure.
Now, instead of just the information you put on social media, imagine you’re a huge celebrity with a Wikipedia page, hundreds of interviews, and a fanbase ravenous for any and every detail about you. What information is so private it can be trusted as a security question?
This is part of a too-often overlooked part of hacking, known as social engineering. Some of the most notorious hackers in history were best at manipulating people into revealing enough data about themselves or their systems. And it’s not just your passwords that are at risk: In 2011, security firm Bancsec showed how, with little more than an email and a phone call, you could rob a bank of $25,000 with no one the wiser.
So with just a little bit of googling and an understanding of human nature, you, too, can be a master hacker like 4chan. Popular culture often gives people the impression that computers and security systems are complex mechanisms that only an engineering whiz can understand. But these portrayals forget that humans are often the weakest part of any system and, therefore, the easiest target.
4) Anonymous is a well-organized group of genius hackers
Perhaps no group has gotten more press for its cyber exploits than Anonymous. As noted above, they often choose high-profile targets for largely simple attacks with explosive results. In the wake of the Sony Pictures hack, for instance, they managed to disrupt the entire North Korean internet with a single DDoS attack.
Far be it for anyone, however, to perceive them as some elite squadron centrally controlled and spread throughout the globe. While their cyberactivism is often impressive, they are purely an opt-in organization. This means that anyone who does anything representing Anonymous is, ipso facto, representing Anonymous. While there does appear to be a core group of organizers, they lack much power over their army of uncertain numbers.
As Gabriella Coleman of the Atlantic wrote back in 2010, "it may be impossible to gauge the intent and motive of thousands of participants, many of whom don't even bother to leave a trace of their thoughts, motivations, and reactions. Among those that do, opinions vary considerably."
This apparent organizational uncertainty and lack of "true" hacking methods has made the group more of a band of merry pranksters than some digital warrior elite. Their reliance on otherwise harmless methods like DDoS are why CNN once called them "the graffiti artists of the Internet."
But that’s not to say fairly sophisticated hacks haven’t been carried out by people claiming to represent Anonymous. Back in 2011, Sony’s Playstation Network was compromised by Anonymous, revealing the personal and financial data of over 100 million users. After that, they moved on to more serious prey, releasing the personal data of the security firm the FBI had hired to help investigate Anonymous. LulzSec, an Anonymous spin-off group, likewise purged information from security contractors and the U.S. Senate. Still, the vast majority of Anonymous actions amount to little more than temporary vandalism.
5) China is the biggest source of hacks against the U.S.
While fighting for the memory of murdered satirists like Anonymous or taking down huge gaming networks like Lizard Squad are good for headlines, they are far afield from the typical large-scale hacking incident.
Real hacks—attempts to steal personal and financial data—actually most often come from low-key targets in Eastern Europe. According to security firm Gartner, 8 percent of all noted hacks come from within Russia. U.S. ally Taiwan, curiously, comes in at second with 3 percent of hacks and Germany and the Ukraine come in at 2.6 percent and 1.8 percent, respectively. For all the hubbub about Chinese hackers, only 0.5 percent of hacks directed at the U.S. or U.S. companies have come from China.
There’s also the problem of finding where a hack came from in the first place, the primary job of firms like Gartner, Norse, and Mandiant. As Gartner Research Director Lawrence Pingree noted in the above blog post, "It is fairly well known by most security professionals that the best hackers on the planet often originate from Russia."
You wouldn’t know this from looking at the headlines. The idea of Chinese cyberespionage, for whatever reason, often finds its way into the news media while Russia’s status as our primary cyberwar antagonist goes mostly unknown among laymen.
6) Cyberattacks by countries are rare and equivalent to an act of war
Despite the notoriety of the supposedly North Korean attack against Sony Pictures, attacks against the U.S. government and American businesses by other countries are astonishingly common.
Every industry is suspect to cyberespionage by nation-states, usually in an attempt to gain an economic advantage. As DJ Summers wrote for Fortune last October, "Pilfered research from the biomedical, energy, finance, software, IT, defense, and aerospace industries creates not only economic gain but state-related advantage." Such varied data as medical patents and the source code for Microsoft applications have been stolen by Chinese and Russian hackers in the interest of competing against US firms.
Just last September, a Senate panel found 20 intrusions by Chinese hackers of defense contractors specializing in the movement and deployment of US troops. The agency that coordinates these efforts, U.S. Transportation Command, only knew about two.
Moves like these, however, are the new face of spying. And much like the cloak-and-dagger tactics of the Cold War, everybody’s doing it. Despite government claims to the contrary, NSA whistleblower Edward Snowden has implicated the U.S. in the same sort of corporate intellectual theft it has decried China for. "If there's information at Siemens [a German manufacturer and conglomerate] that's beneficial to U.S. national interests—even if it doesn't have anything to do with national security," Snowden said in an interview on German television, "then they'll take that information nevertheless."
The drama surrounding the Sony Pictures hack might confuse some people into believing cyberattacks will ultimately reach the front page because they’re so rare and damaging. However, the more salacious attacks are the ones that happen to U.S. companies every day but never make the front page of the paper.
7) Companies have to disclose if they’ve been breached
This is probably the most important misconception to have about cybersecurity as it provides a dangerously false sense of protection. In actuality, most cyberattacks are not merely underreported by the press but never publically disclosed in the first place.
Huge data breaches of credit card numbers and other data at retailers like Home Depot and Target sound the scariest, but most credit card breaches go completely unnoticed. A presentation at last year’s Blackhat Convention (a meeting of the cybersecurity industry) showed how small, point-of-sale companies can be hacked with relative ease. Even though they hold sensitive data, such companies can rarely afford the type of software and staff necessary to thwart a concerted effort by determined identity thieves.
But that’s not to say larger companies with sizable budgets and staff will always report the extent which they’ve been hacked or even be aware that they are currently victim to a hack. Last October, the New York Times reported hackers had free reign on the computers of JPMorgan for two solid months before anyone noticed. Retailer Neiman Marcus had a similar situation for five months and non-profit Goodwill allowed hackers into their system for a year and a half.
But even the hacks that reach the press cannot possibly represent all the hacking that is being done. As Bitsight cofounder Stephen Boyer told Forbes, “The math does not add up between public disclosure and what is actually going on. We know that the problem is much worse than is communicated by breach disclosure.”
There is no law forcing companies to reveal when customer data has been breached and many might avoid doing so to save face and profit. Such disclosures, experts believe, are actually crucial to the future of cybersecurity and a central part of President Barack Obama’s new push for increased cyberdefense.
Such measures could further illuminate the real risks companies, governments, and citizens face online. Cybersecurity, like any complex topic, is often subject to oversimplification and misguided half-truths. In the wake of the Sony Pictures hack, it is clear breaches, leaks, and attacks will continue to be a popular news item, making it more important than ever that every news consumer arm themselves with even a basic understanding of what’s really happening online.
