What Exactly is hacking and how to do it?

:confused: In the movies, you normally see a 30-something-year-old with a computer tap the keyboard for a few seconds, have a little montage, then say “I’m In!” Then everyone celebrates and moves on. But what happens between tapping the keyboard and getting “In”? And what kinds of things can you get into? How would I go about doing this? Is there someone who could teach me, or send me a link? :dubious:

Movies are fiction, that’s not how hacking works in real life. If you have to ask how to do it then you don’t have the prerequisite knowledge for anyone to explain it to you. In addition, your request might be interpreted as asking for help breaking the law which is against the board rules.

I don’t plan on breaking the law…ever. I just want to know what it is and how to do it. I get that movies are fiction and that’s why I need truth in my thoughts.

Watch War Games with Matthew Broderick and Ally Sheedy. If they are too busy, watch it alone.

It’s not like the movies, that’s for sure.

If you’re interested in doing legitimate security research and things like penetration testing, I recommend the Defensive Security Handbook and Weidman’s Penetration Testing as a starting point.

Then start learning about cryptography. Schneier’s Cryptographic Engineering is an excellent broad overview of how crypto protocols are built (and how they shouldn’t be built.) Then read Applied Cryptography for the nitty gritty.

You’ll need a solid understanding of how networks operate. I found IP Fundamentals to be a good introduction, and you’ll also want to understand ISP-level routing and configuration; I have heard good things about this book, but I haven’t read it.

But the most important thing is this: the biggest flaw in any security design is the human beings involved. In real life, a large majority of hacking involves people either not doing what they’re supposed to, or being tricked. Hadnagy’s Social Engineering: The Art of Human Hacking is a must-read on this topic.

Follow that up with Sneakers. The best and most realistic hacking movie ever made.

The girl with the uzi. Is she single?

Moderator Note

This part of the question involves “how to” information regarding illegal acts. Let’s keep everything on the legal side of the line here.

You can explain what hacking is, and can generally say how people get access to systems and in general what types of things that they can and can’t do (after all, Hollywood is extremely unrealistic in this regard and we’re all about fighting ignorance), but let’s not have any actual “how do I do this” type of info in this thread.

Do not post any “how to” info or anything that could be considered encouraging someone to actually do this type of stuff.

Seriously? No love for Firewall?

I hear you, TriPolar, but I think it can be answered generically enough to not provide any details.

Hacking simply means gaining unauthorized access to a computer. This could be by opening up someone’s top drawer or lifting up their keyboard to see their written-down password, it could be through use of a (spear-)phishing email & getting someone to reveal their credentials to you. It could be exploiting an unpatched security flaw or some other means.
As for what you can do, it depends upon what system you access, what it does, & what authority you have with your signin. If you hacked a corporate email system by stealing a user’s credentials, about all you can do is send out some inappropriate emails under their name. This may get them fired, or may get someone to reply to ‘their’ inquiry with info that gets you closer to what you really want.
If you hack the right system at Target, you get access to everyone’s card info who shopped there in the past ___ days/weeks/months. One might use that data or more likely sell it to some ‘evildoer’ who physically produces cloned cards to make purchases in stores.
If you hack the right system in a bank, you could, in theory, use it to send yourself lots of $ before disappearing to the Caribbean.
If you do it on a TV show, you could find the exact GPS coordinates of the bad guy, who conveniently happens to be driving two blocks from where the SWAT team is staged, ready to make the takedown. :rolleyes:

From what I understand, Mr. Robot keeps it pretty real too.

If you watch that, and you say to yourself, “Self, that totally looks like something I could do because it makes so much sense to me” then go for it.

But if you have to ask, you’re not even close to being ready.

And if you do it to a TV show, you can do something like this.

While this advice is excellent, some of these books are somewhat in-depth for someone with only a passing interest in the subject. I recommend *Cuckoo’s Egg* by Cliff Stoll. It is very dated, since it occurs during the late ’80s, but it is an easy read and discusses the ins and outs of hacking (at that time).

Sure, that’s a good description of what hacking is and what it can be used to do, but it’s not as simple as what’s shown on TV and the movies. Unfortunately it’s not as difficult as it should be in real-life either.

Follow that up with Hackers.

One of the silliest things I’ve ever seen, and I watch it every time it comes on.

All the movie recommendations are great.

There are many sorts of hacking, but the “I’m in” sort of thing described by the OP is sort of the “systems penetration” side of things. Essentially, it is about knowing the very technical details of how computers work such that you can convince computers to do the things you want them to, rather than the things their owners want them to.

Worth a read: The Cuckoo’s Egg, by Clifford Stoll.

Sadly the term “hacking” has been subverted from its initial meaning - which was a particularly neat bit of programming, and hackers are now associated with breaking into things rather than creating innovative programs. Be that as it may - hacking into something once meant bypassing the security with a neat clever trick - now it just means breaking in.

A lot of the movie based stuff is based upon the very early breaking of primitive access to computer systems. This was pre-internet. All you needed was the phone number of a modem attached to a computer system and some luck. Companies would provide remote access to computer systems for various reasons - staff could access from home, remote servicing, inter-computer communications, whatever. But in the end there was just a phone connection. There was a time when kids/hackers would simply dial every phone number in a block and see if a modem picked up. If it did they connected their modem, and got a basic connection. Typically they would be presented with a login screen. There were only a few computer operating systems, and the login screens were specific to each - so it was easy to tell what they were connected to. Security was typically stupidly lax back then. System admin or service accounts would often be left with default passwords, people would use a stupidly small range of passwords (it was estimated that “gandalf” would break about 5% of accounts in any university). Indeed there was a top 10 set of passwords to try - which included “password”, the account name itself, the account name backwards, and so on, and it was remarkable how easily accounts could be broken into.
That was about all there was to “I’m in”. The phone number for a modem, guess an account name (easy if you had any information about the owner of the computer) and guess the password - often depressingly easy.
I managed the computer systems for the computer science department for a time back when we still had a modem pool. It wasn’t hard to improve security, but there were constant attempts to access the systems, and students would break into one another’s accounts with monotonous regularity - sometimes with extremely bad outcomes.
In reality not a huge amount has changed. You no longer need a phone number, access comes over the internet. But eventually access is often controlled by little more than a password.
The majority of security breaches are human not technical. Poor passwords, or social engineering tricks to get humans to grant access to you have always been the real core problem with security.
There are, and have always been, technical attacks on access as well. Bugs in the access control systems have always been around, and some have been almost hilarious in their exploit-ability. Earlier I noted that the login screen a computer presented to a modem connection identified the type of computer, this would also allow a knowledgeable hacker to try some of the known exploits of buggy systems. These could be as trivial as typing in a very long user-name that overflowed an internal buffer and caused the login program to fail to correctly check the password.
Nowadays similar issues continue, with a never ending set of bugs and exploits. For instance the recent issues identified with most processor designs (Meltdown and Spectre being the names given to the problems) are a new way of getting computer systems to leak information, potentially leaking sensitive things like passwords to a very persistent hacker. A little while ago a similar issue (Heartbleed) allowed leaking of information over internet connections. xkcd: Heartbleed Explanation
Web servers are a big problem as well. They are complicated beasts, and this complexity, coupled with the reality that accessing them is little short of providing commands to them, means that great care needs to be taken in ensuring that a simple web request sent to the web server won’t induce it to do something bad. The classic is probably a web server that takes part of the access request and uses it to craft a database request. If someone hand crafted the web request so that the request contained instructions to the database, and the writer of the web server didn’t ensure that such tricks were guarded against, the web server could be induced to run arbitrary requests against the database. (SQL injection vulnerability.) xkcd: Exploits of a Mom
The big problem with these exploits is that knowledgeable hackers will write exploit code, package it up, and make it available so that anyone can use them with little knowledge - the “script kiddies”.
So nowadays, “I’m in” might mean - “I tried a few well known attack scripts on a web site and I got past the protections, and now I have some access to the database.”

The password is “Swordfish”. And once you can get past the giant floating polygons, you’re golden.

Brilliant book. But in terms of understanding modern exploits not so much. I re-read it a year or so ago after many years, and still greatly enjoyed it.