How Is Hacking Done and How Hard To Prevent It?

House Democrats Hacked
I am not looking for any “How To” info on hacking, but how is something like this still possible? Is hacking like this enabled by a stolen or “socially engineered” password?
How can it be prevented?

I’ve read that this was an example of “spearphishing”, basically a staffer was tricked into giving access to the attacker:

That link could have a fake login page that looks identical to the legitimate company’s login, which is used to harvest passwords that naive users enter. Or it might have a file that looks like a document, but is actually a piece of malware that will find files and record passwords from a user’s computer.

I’m not sure what’s the best way to prevent this. Some of these attacks can be embarrassingly obvious to anyone with a bit of common sense and savvy, and those can be reduced with training (actually read the links you click on, and recognize that the link isn’t legitimate, don’t ignore warning messages, etc.) But more sophisticated attacks can be harder to spot…

Spearphishing attacks can be very sophisticated. The term comes in two parts - it is a phishing attack - i.e. the attacker is fishing for someone with an email that is crafted to look legitimate and to get them to bite on a crafted link that causes them to eventually visit a bad site or otherwise download a tainted attack vector - and it is targeted at a particular person - hence “spear”.

Attacks can be very devious. A neat trick is to harvest people’s information from publicly available sources - Facebook, LinkedIn etc. LinkedIn is especially good - as some people provide lots of useful professional information and contacts. Then craft an email that is calculated to be interesting to them. A conference directly related to their work is a good one. Fake the email to be from a work colleague, or a contact in the industry they probably trust (i.e. harvested from LinkedIn) and direct them to a website that is crafted to look for all the world like a legitimate conference. And one that is of direct interest to the target. From here it isn’t hard to have them download a tainted document (perhaps a nice Word format template to craft a submission with). And so on.

There are apparently automated systems that can create a large fraction of this with little work involved.

So, the attack is mostly social engineering, but since so much of the needed information is now so readily available, to anyone on the planet, it is now not difficult.

Be clear, this is not a theoretical risk. Agencies involved in such attacks can be governments or industry players. Military or industrial espionage is a big deal. Working in any company or government agency that has valuable or sensitive information makes people a target.

Sadly it doesn’t always have to be so sophisticated. I consulted for a group a while ago that in the first couple of weeks I was there sent out a totally genuine email to all its users asking them to reset their passwords - and the link in the email was to a totally different address. Turns out the link was to the mail tracking system that allowed them to track who had clicked on the email link, and thus track the users. But they seriously expected all the users to accept this insane email, click on the random link, and actually reset their passwords. And what is worse, the users did. It would be a matter of an hour or so’s work to utterly compromise their system so badly they would have to just about rip it up and start from scratch. The professional system admins saw nothing wrong with what they were doing. And this isn’t all that uncommon.

Humans are the weakest link.

Mainly, because we are temperamental and/or lazy and will find ways to circumvent security. Like, using your own personal mail server for US Government work. I would not be surprised if personal emails were sent to work email and vice-versa. Extremely bad form.

Also, not a whole lot of people are tech savvy. Those that work in the field grossly misjudge those that aren’t. Staffers and the like are simply that: a computer, smartphone, what have you, is just a tool for them.

There are many layers of software and subsystem software that interact in a high level system. It isn’t as common these days. But sometimes some piece of software can be exposed that may have the default user and password set. Hackers know these defaults. A hacker can exploit this to maybe see other user names and passwords or to set up a new user / password with high level rights.

This sort of hack relies on someone being lazy or unaware. Not setting all the users and passwords.

Ok, I admit I have little useful information regarding the OP’s question, but since we’re on the subject of figuring out passwords: I really hate how strict password conditions are set nowadays. It’s not unusual to oblige you to use at least 8 characters of which at least one capital letter AND one number AND one non-alphanumeric sign. I can hardly remember my own password and once I do, it’s time for the system to force me to change it to something new, as in: not the same as any I used in the last 100 years.

Yes, I know this is really necessary since there will otherwise always be knuckleheads using ‘[first name]123’ as a standard password to protect vital state secrets.

And on that note, we’re back on the subject: the chain of security is as strong as the weakest link. One knucklehead in 1,000 employees is enough to break it. And since it’s becoming harder and harder to remember, more and more knuckleheads are posting their username and password on a post-it on their monitor or on a piece of paper in their wallet.

It’s taking longer than we thought …

You say that like it’s a bad thing. A piece of paper in your wallet is one of the best possible places to keep a password. What’s the failure mode you’re envisioning arising from doing that?

You could get mugged by the North Korean secret service … or simply lose it

Password security is a source of quite a bit of argument. The dangers are often misunderstood, and then you do get stupid well meaning rules that actually make security worse. Some rules that really do make things worse are things like periodic forcing of password changes.

The rules that require some simple mix of characters and letters are an attempt to foil dictionary attacks. The reality is that they help a little, in the face of certain attacks, and not at all in others.

The issue with things like passwords written on bits of paper is one that depends upon the nature of your job. If you work in an area that is actually sensitive, and there is a real danger of attack - where real danger usually means someone could make money or steal information of value - you could actually be personally targeted, and theft of your wallet could sadly be an easy way to breach security. There are places where physically writing down a password is an instant dismissal offence.

Most people don’t think they work in sensitive enough places. Many are right, but you can be surprised.

Currently the best answer seems to be a mix of technologies. If you can, use two factor authentication. Use a password manager, with a very strong master password. And do not reuse passwords between sites. The reality is that passwords mostly get broken via people, not serious technical attack. Key loggers, common passwords between sites, social engineering, cleaners looking at little bits of paper.

It’s hard to find good analogies for this, but consider the difference between combination locks and locks that require a key. To open a keyed lock you need physical access to a key or time and cover to use lock picks to open it. With a combination lock you can look over someone’s shoulder and see the combination, or find the piece of paper where they wrote it down. Computer security is more like the combination lock, you don’t need to physically touch the lock to steal the combination, and if you know it you could give the combination to someone else to open the lock even if you don’t have physical access to it.

If your security system relies on human beings doing things that are extremely difficult for human beings to do, then your security system sucks. If you need people to memorize a half dozen new arbitrary strings of characters every month they simply won’t do it. When they write down the passwords for all the different systems on a post-it on their monitor, you created that system.

If you really want a secure system, you could just lock all the users out. Except the system would be useless. It has to work for the actual human beings who are supposed to be using the system, otherwise you should just shut the whole thing down.

Hacking or cracking is a really broad term that includes lots of different techniques. As noted, the most common vulnerabilities are through social engineering or just plain stupidity. I have broken into lots of systems when I was young just by using the list of the most common passwords and could probably do it now if I wanted to.

I work as the local IT lead for a very secure facility. We have lots of hardware, software and procedures that constantly protect against common threats but we still get some unusual ones. People still try to call a random person and try to get information about a specific piece of equipment and there is no good that can come from that. The users are trained to refuse the request or at least call me and ask before they say anything, no matter how innocuous it sounds.

Nobody is going to get very far no matter how good you are once you are outside the firewall but we also have to worry about internal threats especially with outside support technicians. One of the easiest but least favorite parts of my job is doing escorts for anyone doing any work on any IT infrastructure equipment. I have to stand right next to them and have them explain to me exactly what they are doing at every step while I take notes even for multi-hour jobs. Understandably, some people really hate that but it has to be done. I have had to kick a couple out of the building, flag them as a security risk and report them to their bosses when they didn’t cooperate well enough. I think they were more incompetent than sinister but neither is allowed.

Basic hacking is not that hard once you have good systems knowledge. I have had to do it at work for good purposes (“white hat hacking”) but I could do it easily to lots of random systems around the world right now if I wanted to by doing nothing more than Google and some freely available tools. You can take control of printers, webcams and probably even some industrial equipment with ease. I am not going to tell you how to do it but Google can give you a huge list of vulnerable accounts and devices if you use the right search terms.

A major league variation on that is something like Stuxnet that was used to destroy the physical equipment being used for Iran’s nuclear arms program. That is major league hacking and well beyond the abilities of the vast majority of amateur hackers. Someone basically told their centrifuges to spin so quickly that they destroyed themselves while showing the operators that everything was working just fine.

For some reason people tend to believe computer security should be incredibly difficult to break. When we talk about the security techniques and their complexity, encrypted keys that would take centuries to decode, multiple layers of passwords and monitoring, it all sounds like we have our data locked up like the gold in Ft. Knox, but it’s largely an illusion. To get gold out of Ft. Knox requires lots of planning and authorization, the physical process is done under the direct vision of numerous people including armed guards, credentials are checked multiple times throughout the process, and gold is heavy and slow to move. We don’t want our data locked up that tight, we want access at a moment’s notice and we want to move massive volumes of data quickly. We do our best to prevent easy access without authorization, but even when the best technology available is used we can’t stop the failures of the administrators and the users to maintain security. We don’t have the best technology possible because our security has to be installed in buildings of poor quality with unmarked secret entrances, hidden tunnels, and walls and doors, and windows and floors made of inferior materials that can be cut through.

Right. You have to use the appropriate level for the situation at hand. It is trivially easy to build extremely secure computer systems or buildings for that matter. The problem is that, if you make them completely secure, the security itself compromises function.

People want security until they don’t. Most people have had the experience of locking themselves out of their house or car. You want your house and car to have locks but you also want it to be hackable enough so that a skilled person can still get in fairly quickly if you screw up and lock yourself out. The same thing is true with computers. It is perfectly possible to make the security of any computer so strong that it prevents any attempts to defeat it but almost no one would want that.

Would you really want a personal computer or smartphone that permanently locks you out and destroys itself if someone enters the wrong password too many times? Would you want a car or house with security so strong that it requires a team of experts to take it apart if you locked yourself out?

I have to break into systems all the time as part of my job and it is essential to keep things running because people screw up. The problem is keeping the wrong types of people from doing that but that is a balancing act and there almost always needs to be a break glass vulnerability that lets someone in.

I’m always amazed that that still works. Back in high school (this would have been about 1995ish) I sat down in the computer lab, logged in, and the person sitting next to me said “Ha, your password is XXXXX.” Yup, it was. When I asked him how he figured it out, he told me that he made a log in page that was identical to our normal one, logged in with his username on my computer before I got there, pulled up the fake page, then it logged my user name and password to his virtual drive (we all had one) and made the computer appear to freeze so that I would reboot it. The computers froze all the time, so I didn’t think anything of it; when it rebooted, I just logged in again, but he had my password. Luckily, he thought it was funny and told me, so I could change it right away.

Now, we were all CompSci people, so as soon as he told me what he had done, it made perfect sense and I probably could have created the same program in a few minutes, I’m just amazed that 20+ years later, people are still falling for the same thing…or maybe I’m more amazed that 20 years ago my high school classmate figured out on his own how to harvest passwords.

Now, I don’t know how to avoid that specific attack, other than to tell people to reboot a computer in a public space before logging into the network, but I’m always telling people that when you get an email A) hover over the links to see where they’re going to take you* and B) just go to a browser and type in the www._____.com yourself. It’s more work, but not having your computer for a few days while someone cleans it up sucks (and worse for me if I’m the one doing it).
*And, I also seem to find myself trying to explain to them that yes, it’s fake when the click here link goes to some goofy place even though all the contact us stuff in the footer goes to where it should go.
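One way to mechanise the “hover over the link” check from the post above, as an added example that is not part of the thread: pull every link out of an e-mail's HTML and flag the ones whose host is not under the domain the mail claims to come from, or whose visible text names a different host than the href. The sample mail, the sender domain example.com and the `.test` / 198.51.100.7 addresses are constructed.

```python
# Added example: flag e-mail links whose target does not match what the
# reader is led to expect. Sample HTML and the expected domain are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased host of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()

def _text_host(text):
    """Host named by the link's visible text, if that text looks like a URL."""
    if URL_LIKE.match(text):
        return _host(text if "://" in text else "http://" + text)
    return ""

def suspicious_links(html, expected_domain):
    """Return (href, text, reason) for links a reader should not click blindly."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue                      # mailto:, #anchors, relative links
        shown = _text_host(text)
        if shown and shown != host:       # text says one place, href another
            flagged.append((href, text, "text shows %s but link goes to %s" % (shown, host)))
        elif host != expected_domain and not host.endswith("." + expected_domain):
            flagged.append((href, text, "host %s is not under %s" % (host, expected_domain)))
    return flagged

# Constructed sample: two bad links, two genuine footer links (the footer
# looking right is exactly the point made in the post above).
SAMPLE_MAIL = """
<p>Your password expires today. <a href="http://example.com.reset-portal.test/login">Click here</a> to reset it.</p>
<p>Or visit <a href="http://198.51.100.7/login">www.example.com</a> directly.</p>
<p><a href="https://www.example.com/contact">Contact us</a> | <a href="https://help.example.com/">Help</a></p>
"""
```

Running `suspicious_links(SAMPLE_MAIL, "example.com")` flags only the first two links; note that a host such as example.com.reset-portal.test is rejected because the match is on the domain suffix, not on a substring.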

I was playing with the settings on my new phone a few weeks after I got it and just happened to notice that setting was turned ON. 15 incorrect tries and it factory resets. On the one hand, I’d hope there’s some kind of warning or maybe it gives you a waiting period (like if you wait 30 minutes the counter starts over). OTOH, I still don’t want someone else to be able to wipe my phone just by typing in the wrong password/PIN over and over.

Another major type of hacking people are concerned about is operating system/common applications programming (Windows, Flash…). Here the consensus is that techniques exist to make them much more hack-proof (like Linux is).