Explain how being "hacked" works.

[astro]

I’ve done some web site setup via canned programs like Frontpage but I’m relatively clueless as to the specific nuts and bolts of how the fundamental data and network structures of websites interact with users.

How are hackers able to get into sensitive commercial and governmental websites and change and destroy things? What are the doors that web masters have to leave open that allow this sort of thing to happen? Why is securing and locking down a website and not allowing outsiders to alter it so difficult?

[friedo]

It’s not particularly difficult to secure a website. The problem is the overwhelming prevalence of poorly trained administrators. Even a site that runs Microsoft software - notorious for security flaws - can be made fairly secure if you know what you’re doing.

The problem arises from bugs in software. Network communications is a hugely complex subject about which several hundred books have been written. Suffice it to say that sometimes, due to poor programming, sending a specific type of data to a server can cause the server to send back sensitive information, or provide administrative access to the evil-doer.

Many people, (security professionals, mostly) spend their time looking for such flaws. In open source software, they can look through the code to find mistakes. With proprietary software, it’s often trial and error. The great thing about computers is trial and error can be automated. These people are computer scientists and generally they are not the ones who go cracking web sites and putting up nekkid pictures. Usually, they will publish programs that demonstrate the security vulnerability (called an exploit) and then dumb people who usually don’t understand exactly what’s happening will use those programs to do nefarious things.

[Com2Kid]

*Originally posted by friedo *
**Usually, they will publish programs that demonstrate the security vulnerability (called an exploit) and then dumb people who usually don’t understand exactly what’s happening will use those programs to do nefarious things. **

Beh beh beh beh beh beh beh

Please do NOT oversimplify it like that!!! You make it sound like censoring the Scientists would put an end to hacking, it would not!!

What happens is that some lame brain who has just enough IQ points to understand WTF is going on starts up a copy of VB and shoved together a nice little GUI to automate the hacking so script kiddies can then get the run of it.

And that is NOT hacking, that is cracking. True Hacking involved numerious work arounds, social engineering, and NOT getting caught.

If you are hacked by a true hacker, you will not know it. (unless the hacker wants you to know it. )

A script kiddie on the other hand just uses pre-canned tools.

There are various security auditing companies that you can hire to test your sites/firms security. When interviewed, one of them said that one of the tactics that they use is to dress up as laborers and go to the site itself and waltz right on in the door, who the hell questions a plumber or an electrician?

Once the physical medium has been captured, no matter what security precautions you have, you are officaly screwed. (that has actualy been proven mathmaticaly, once physical access is gained, it is only a matter of time before whatever security measures are in the way eventualy fall. So far the best that anybody has managed to come up with is encasing the various important electronics in a type of Ceramic so that if anybody tries to break into it in order to read the signals flowing across it, they also break the device. But even the ceramic can be worked through harmlessly eventualy. . . . PGP encoding helps too, but that is also just a matter of time, a looong time, but time)

[KoalaBear]

As HTTP became popular, it became necessary to extend the protocol to support things it was never envisaged for – form handling, for example, which invariably relies on a program external to the web server to interpret that input in a meaningful way.

Very often these programs escape the security restrictions that would be imposed if the user were to access the same program locally via the console, thereby providing an exploitable weakness: for example, it may be possible to “spoof” the contents of a form in such a way that a field is executed as a command rather than treated as an item of data; it may also be possible to halt the interpreting program by feeding it an absurd or nonsensical value.

There are perhaps millions of ways to hack a remote system, but in the case of HTML it often revolves around functional extensions to the protocol. The web would be a read-only medium if it weren’t for things like database integration. Yet while these extensions are necessary to make the web interactive, they also expose the underlying systems to jeopardy. The alternative of course would be to AOL-ify the web so that literally every keystroke can be monitored, cleansed and sold to third parties before ever being acted upon in the manner we might expect.

Eternal vigilance, as they say, is the price of freedom.

[Triskadecamus]

If I can get your computer to do anything you didn’t expect it to do, that is a breach of your security.

An example, suitably old and out of date enough not to matter.

Once upon a time I was able to get access to a computer over a network. I couldn’t get permission to do much, but I could get a very limited permission to send email to a few selected addresses. One of the addresses was the SYSOP. I could send him a file that included a letter in regular text, which many non-savvy sysops would open up with a program that displayed text, and also could execute commands.

But my text contained a macro instruction to set up a user account granting all permissions. I could never initiate such an account, since I lack the permission in the first place. But this email handling program is being run by the SYSOP himself, and it has all permissions. Now, I can log on as the hidden user, and I have access to everything.

Now, your computer is my computer. If I want, I can lock you out.

Every change in the software complex represents a new set of interactions that can be studied for mistakes, or false assumptions. The most common false assumption made by system programmers is that the system operator will know something about system level software. That assumption is inevitably wrong somewhere. People become system operators through ownership of resources, not understanding of the system.

Once I am in your network as an apparently legitimate system user, your computer, and probably a lot of other computers on your network will work for me, and if I know more about security, and systems software than the actual administrator, I will probably be able to get through any sort of encryption you use, eventually.

It’s not hard to keep a large system safe. It is hard to make a large number of people take real security measures every time, all the time. I have one stupid PC, with one single possible connection method to the outside. I have told the other people who I am suppose to supervise what I expect of them.

Just today, I found our password written on a sticky note, on the monitor. I changed the password. Now everyone will have to come and ask me for it, and hear the password lecture again. I also deleted the pirated game someone downloaded and installed without checking with me.

It’s the people, not the machine, or even the software.

Tris

“It was a woman drove me to drink and I didn’t even have the decency to thank her.” ~ W.C. Fields ~