Hacking is not hard in the way that string theory is hard; it's more about patience and luck than about learning abstract, complex theory. The reason is that it is far easier to break into a system than to secure one: for a system to be secure, the sysadmin has to win every time, whereas for it to be compromised the attacker only needs to win once. Most hacking is almost trivially simple, and I'd wager I could teach an average 15-year-old with a passing knowledge of assembly, C and Unix how to hack in just a few days, and I'm not even a hacker, just someone who's read a bit about it. The real "skill" is in finding systems which are open to these simple exploits. Kevin Mitnick's "The Art of Deception" and "The Art of Intrusion" are a nice, easy intro for the non-professional into the world of hacking.
It also depends partly on what sort of hacking you are talking about: there are "exploits", which rely on flaws in the software, and there is "social engineering", which relies on the human factor.
The two main exploits still around are buffer overflows and unvalidated input. Neither should be a problem in a well-engineered system, which is a pretty glaring indictment of the quality of the software engineers out there.
Buffer overflow attacks exploit lazy programmers who copy user input into a fixed-size buffer without checking how big the input is. Memory is just a sequence of bytes which the processor interprets as it goes. When a program calls a subroutine, the processor saves the address it should return to on the stack, and the subroutine's local variables, including any buffer it copies input into, sit just below that saved return address. If the program writes more data into the buffer than it can hold, the excess runs over the saved return address. Put a carefully chosen address in that slot and, when the subroutine returns, the processor jumps wherever the attacker pointed it, typically into code the attacker supplied in the same input, which then runs with the privileges of the vulnerable program (full access to the system if that program was running as root). The only real talent required is finding systems which are vulnerable to this; everything else you could bone up on in an afternoon, though the modern mitigations (stack canaries, non-executable stacks, address space randomisation) mean the textbook version rarely works unmodified today. Aleph One's "Smashing the Stack for Fun and Profit", published in Phrack issue 49, is the very widely read intro to buffer overflows.
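The mechanism described above, as an added example that is not from the original post: a struct stands in for one stack frame, with the local buffer at a lower address than the saved return address, so an unchecked copy of a 24-byte input runs straight over the return slot. The buffer size, the "legitimate" address 0x401000 and the attacker's address 0xdeadbeef are illustrative assumptions, and the real frame would also hold a saved frame pointer and other locals.

```c
/* Added example (not from the original post): a minimal model of the
 * stack-smashing bug described above. The struct stands in for one stack
 * frame: the local buffer sits at a lower address than the saved return
 * address, as on a real x86 stack, so writing past the end of buf lands on
 * saved_ret. Sizes, the 0x401000 "legitimate" address and the 0xdeadbeef
 * attacker address are all illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* A caricature of a stack frame: locals first, saved return address after.
 * A real frame would also hold the saved frame pointer and other locals. */
struct frame {
    char     buf[BUF_LEN];  /* the "data variable" the subroutine uses */
    uint64_t saved_ret;     /* where the CPU will jump on "ret"        */
};

/* The lazy version: copies as many bytes as the caller sends and never
 * compares against BUF_LEN. Copying byte-wise through an unsigned char
 * pointer over the whole frame keeps this well-defined C, so the overwrite
 * is visible instead of being undefined behaviour a compiler may remove. */
static void copy_input_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    unsigned char *dst = (unsigned char *)f;
    for (size_t i = 0; i < len; i++)
        dst[i] = in[i];
}

/* The fixed version: anything that does not fit (with room for the NUL) is
 * rejected outright rather than silently truncated. */
static int copy_input_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len >= BUF_LEN)
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* What an attacker sends: BUF_LEN bytes of filler to reach the end of the
 * buffer, then the address they want "ret" to jump to, in the CPU's native
 * byte order (little-endian on x86, so the low byte goes first). */
static size_t build_payload(unsigned char *out, uint64_t target)
{
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &target, sizeof target);
    return BUF_LEN + sizeof target;     /* exactly sizeof(struct frame) */
}

/* Feed the payload to the unchecked copy and report where "ret" would go. */
uint64_t hijacked_return_address(void)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, 0xdeadbeefULL);
    struct frame f;
    f.saved_ret = 0x401000;     /* the legitimate caller, before the copy */
    copy_input_unchecked(&f, payload, n);
    return f.saved_ret;         /* 0xdeadbeef: control flow now belongs to the attacker */
}

/* Same payload against the checked copy: rejected, return address untouched. */
int checked_copy_survives(void)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, 0xdeadbeefULL);
    struct frame f;
    f.saved_ret = 0x401000;
    int rejected = copy_input_checked(&f, payload, n) == -1;
    return rejected && f.saved_ret == 0x401000;
}

int main(void)
{
    printf("unchecked copy: ret -> 0x%llx\n",
           (unsigned long long)hijacked_return_address());
    printf("checked copy:   %s\n",
           checked_copy_survives() ? "input rejected, ret intact" : "BROKEN");
    return 0;
}
```

On a real target the filler would also have to cross the saved frame pointer, and the address written would point at shellcode placed in the same input (or, with non-executable stacks, at existing code), but the shape of the payload is exactly this: padding up to the return slot, then the address.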
Unvalidated input works on largely the same principle, except at a higher level. Web forms need to take input from the user and then do something with it. For example, if you're buying something on the web and your name is John Smith, then you might enter John Smith into a web form, and at the back end the server might execute something like this (in pseudocode):
SQL_UPDATE("Name", "John Smith");
SQL_COMMIT();
It simply inserts the string into a pre-assigned slot in the query text and then runs it.
However, if you entered something like:
John Smith"); SQL_WIPE_ENTIRE_DATABASE(); SQL_UPDATE(“HaHaHa”, "Losers you didn’t validate this input
into the name field, what will be executed is:
SQL_UPDATE("Name", "John Smith");
SQL_WIPE_ENTIRE_DATABASE();
SQL_UPDATE("HaHaHa", "Losers you didn't validate this input");
SQL_COMMIT();
In order for this not to happen, input needs to be validated so that malicious commands cannot be inserted; better still, the value is handed to the database as a bound parameter so that it is never parsed as SQL at all. The White House web site was brought down with a trivial hack that was essentially the same idea as this. Again, teaching people how to do this would take all of 15 minutes for someone familiar with a Linux shell or SQL. It's all a matter of finding vulnerable pages.
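The same injection done to a real SQL string, as an added example that is not from the original post: the back end pastes the name into an UPDATE, the attacker's name closes the quote and appends two statements of its own, and the hardened version doubles every quote in the value so the closing quote stays inside the literal. The table "customers", its "name" and "id" columns and the row id 42 are assumed for illustration, and no database is involved; the point is what text would reach the database and how many statements it would run.

```c
/* Added example (not from the original post): the injection above, done to a
 * real SQL string instead of pseudo-functions. The table "customers", its
 * "name" and "id" columns, and the row id 42 are assumed for illustration.
 * No database is involved; the point is what text reaches the database. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define QUERY_MAX 512

/* The name exactly as a legitimate customer would type it. */
const char *HONEST_NAME = "John Smith";

/* A constructed attacker input: closes the quote, ends the statement, and
 * appends two statements of the attacker's own. */
const char *INJECTED_NAME =
    "John Smith'; DELETE FROM customers; UPDATE customers SET name = 'HaHaHa";

/* Vulnerable: the user's string is pasted straight into the SQL text. */
int build_query_unsafe(const char *name, char *out, size_t cap)
{
    int n = snprintf(out, cap,
                     "UPDATE customers SET name = '%s' WHERE id = 42;", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened: every single quote in the value is doubled (the SQL way to put
 * a quote inside a literal), so the attacker's closing quote stays part of
 * the name. A bound parameter is the better fix; this is the least a
 * string-building back end must do. */
int build_query_safe(const char *name, char *out, size_t cap)
{
    char escaped[QUERY_MAX];
    size_t j = 0;
    for (const char *p = name; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (j + need >= sizeof escaped)
            return -1;              /* too long: reject rather than truncate */
        escaped[j++] = *p;
        if (*p == '\'')
            escaped[j++] = '\'';
    }
    escaped[j] = '\0';
    int n = snprintf(out, cap,
                     "UPDATE customers SET name = '%s' WHERE id = 42;", escaped);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Count statements the way a database would: a ';' ends a statement only
 * when it is outside a string literal, and '' inside a literal is an escaped
 * quote, not the end of the string. */
int count_statements(const char *sql)
{
    int in_str = 0, count = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\'') {
            if (in_str && p[1] == '\'') { p++; continue; }
            in_str = !in_str;
        } else if (*p == ';' && !in_str) {
            count++;
        }
    }
    return count;
}

/* How many statements the database would run for a given name. */
int statements_unsafe(const char *name)
{
    char q[QUERY_MAX];
    return build_query_unsafe(name, q, sizeof q) == 0 ? count_statements(q) : -1;
}

int statements_safe(const char *name)
{
    char q[QUERY_MAX];
    return build_query_safe(name, q, sizeof q) == 0 ? count_statements(q) : -1;
}

int main(void)
{
    char q[QUERY_MAX];
    build_query_unsafe(INJECTED_NAME, q, sizeof q);
    printf("unsafe (%d statements): %s\n", count_statements(q), q);
    build_query_safe(INJECTED_NAME, q, sizeof q);
    printf("safe   (%d statement):  %s\n", count_statements(q), q);
    return 0;
}
```

With the honest name both builders produce one statement; with the injected name the unsafe builder produces three (the UPDATE, the DELETE and the attacker's second UPDATE), while the escaped version produces one UPDATE whose name value happens to contain the attacker's SQL as harmless text.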
There are quite a few more complicated hacks, but it's surprising how many media hacker scares have been caused by one of these two trivial programming errors.
Social engineering is even more trivial, but probably more creative and ingenious than exploits. A system is really only as secure as its most vulnerable part, and when your most vulnerable part is people who write their passwords down on post-it notes and stick them on their monitor, then it sometimes really is more like shooting fish in a barrel. Here are some social engineering "sploitz" that I've seen made just in my general daily routine:
Our university library has an online reservation, renewal and booking system etc. The username is z<7 digit student number>, ie: z1234567. For the booking system, there was a backdoor installed for the librarians so that if you entered Z<7 digit student number> as the password, then you could gain access to the system. ie: user: z1337357 pw: Z1337357. A librarian did that right in front of me when I asked how I could renew a book online. I now have access to anybody's library records… not a major accomplishment, but the same thing has happened for multi-million dollar server installations.
I used to keep a keystroke logger on my own laptop at all times. Nobody thinks twice about using someone else's machine to access sensitive material if they don't have a machine handy. As a result, I managed to grab about 10-15 passwords in a 6 month period, including one which belonged to a sysadmin. I still have them but I haven't done anything with them.
The way the computers are arranged at banks, computer support desks and other places, it's often trivial to see what a person is typing on the keyboard. With a few months' practice, virtually anyone can learn to read what a person is typing. I probably see about 10 passwords a month being typed in as I go about my daily errands. If I took the time to learn how to read keyboards, I could break into almost any of those systems.
There are a hundred and one more ways to do social engineering if you're willing to put in a bit more effort, and I bet that if you just took notice of your everyday surroundings a bit more, then you'd start noticing these things too. In short, hacking really isn't a mysterious, arcane and technical field; it's mainly just tedious, lucky breaks that don't require very much ingenuity at all.
Disclaimer: All of the above info is for educational purposes; don't break into people's systems. All of what I've said is available in every decent book on computer security and is being taught in every decent university course on network security.