Sunday, January 2, 2011

A Guided Tour of Hacking

"Colonel," I said in a serious tone, "let me tell you something about these locks: When the door to the safe or the top drawer of the filing cabinet is left open, it's very easy for someone to get the combination."
...
The colonel had sent a note around to everyone in the plant which said, "During his last visit, was Mr. Feynman at any time in your office, near your office, or walking through your office?" ... The ones who said yes got another note: "Please change the combination of your safe."

That was his solution: I was the danger. So they all had to change their combinations on account of me. ... Of course, their filing cabinets were still left open while they were working! —Surely You're Joking, Mr. Feynman, Richard P. Feynman & Ralph Leighton

I've known since I was 5 that I wanted to be a software developer, but for most of my life I thought that hackers were a different breed that somehow was just born knowing how to break into computers. I've flipped through several books about hacking, and they all looked very dull, and none of them really seemed to answer my burning questions; I figured that there must be some "second tier" to it where it really got interesting.

As I've gotten older and nerdier, I've discovered that hackers draw on experience as much as raw skill, just like safe crackers who develop their skills and intuitions practicing on their own safes and door locks. I would have no idea where to start breaking into a system if I didn't have day-to-day experience using secure systems (like password-protected computers).

I should mention at this point that hackers are typically pretty nice people, that the term "hacking" was used for writing software before it was used for unauthorized cyber-activity, that the preferred term for what I'm discussing here is "cracking" instead of "hacking", and that most hackers are just trying to make the general public aware of security holes before malicious people figure out how to exploit them. People who write nasty viruses and distribute malicious software are usually a quite different type of person, and many of them don't even understand the intimate details of the art of hacking. They're often referred to as "script kiddies".

I will also mention that I think sections of the book Surely You're Joking, Mr. Feynman make an excellent companion to all this information, and it's one of my favorite books to boot.

There are a lot of misconceptions floating around about what hackers do and how, and I think a lot of people I know would be interested in some of the details if those details could be explained properly. I'm going to enumerate some of the different methods hackers use, grouped by my own cleverly-conceived system of categories. It's something of an epic, but feel free to skip around.

Stealing the Key
A fairly obvious method of breaking into a house is getting a hold of the key. Usually with computers, the key in question is a password. Sometimes hacking is as simple as trying every password until one works, which is known as a "brute-force attack". Almost always the hacker will write a simple program to automatically try one password after another.

People can protect against this attack by using a long password, but often there's some trick so a hacker doesn't have to try every password. I was surprised to learn how quickly a hacker can try every word in the dictionary (a "dictionary attack") if you happen to pick a real word as your password. (Another such trick is the Trucha Bug on the Wii.) Many login systems will also stop you from trying too many passwords, or from trying them too quickly one after another, which helps security a lot.
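An added example (not from the original post) of the two defences just mentioned, written in Python: the password is stored as a slow salted hash, and the checker locks the account after a handful of failures, so a dictionary run stalls before it reaches the real password. The word list, the account and the attempt limit are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed credential store: one account whose password is kept as a salted,
# deliberately slow hash (PBKDF2) rather than in clear text.
_SALT = os.urandom(16)
_ITERATIONS = 20_000  # slows every guess down, the attacker's included

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)

_STORED = _hash("correct horse")  # constructed example password

class Login:
    """Password check that counts failures and locks the account after too many."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> str:
        if self.locked:
            return "locked"  # refuse even a correct guess until the lock is reset
        if hmac.compare_digest(_hash(guess), _STORED):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return "bad"

# Constructed word list standing in for "every word in the dictionary".
WORDLIST = ["password", "letmein", "dragon", "correct", "horse", "correct horse"]

def dictionary_run(login: Login, words) -> list:
    """Feed each word to the checker in turn and record the verdicts."""
    return [login.check(w) for w in words]
```

With the default limit the sixth word, which happens to be the real password, is never evaluated; raise the limit and the same run ends in "ok", which is exactly why rate limits matter.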

But even the best password in the world won't help you if you don't keep it a secret. Tricking someone into sharing their password with you is called "social engineering", and it's easier than you might think. If you have a favorite password you use when you register for a new account online, you're pretty vulnerable to being hacked (in comic form: "Password Reuse").

Back Doors
Sometimes a hacker doesn't even need the key itself to get in. For instance, they can trick you into "leaving the door unlocked" for them by distributing game software that surreptitiously opens up your computer for them to get in while you're playing it.

You have a similar problem any time you have software checking your password: How do you know that whoever wrote the software didn't put a secret "master key" in that would give them access to your computer? How do you know the password you set is the only one that will work? Ken Thompson created a mind-blowingly elegant example of this in 1984 that covered its tracks 3 layers deep, known as the Thompson trust hack.

One other security weakness happens when "randomness" isn't random. Magicians can do some amazing card tricks based on a gimmick called a "card force", where they fool someone into "randomly" choosing one particular card from a stack. Any place where supposed randomness enters into a security system is an opportunity for an exploit. Random password generators are vulnerable, and there was a bug in an early Netscape browser with the same problem.

Picking the Lock
With some exploits, the attacker doesn't need to know anything about the key. There are systems that send the password off to another computer to ask if it's valid. All you need to do to trick a system like that is figure out how to say, "yes, whatever key you sent was valid", and pose as the validating computer. I've seen that technique used to unlock full versions of games/software. (This is almost the same thing as a "Man-in-the-Middle" attack, except in that case the attacker normally fakes communication in both directions.)

A similar hack is to break open the code of an existing program and modify it in-place so that the part that's supposed to check your password never does its job. In both of those cases, you put in a dummy password to get the ball rolling.

Breaking Down the Door
Some attacks work by blasting a system with such strange data that it doesn't know up from down anymore, and gives up protecting itself. Even though the data is strange, it has to be carefully crafted, and it usually takes insider information about how the system works to create the data properly.

For instance, several web browsers and image viewer programs will get confused if an image file claims to be one size but has too many pixels of data. And if you're very clever about it, you can inject a program into an image, or similar data, so that the computer gets tricked into running that part of the data as a program. This is usually called "smashing the stack", and is unfortunately what it takes to run software on your own Wii (see the Twilight Hack) or iPhone (see iOS jailbreaking) that isn't approved by Nintendo or Apple, respectively.
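An added Python example (not from the original post) of the image-size confusion described above, using a constructed toy image format: a header that declares the width and height, followed by one byte per pixel. The trusting decoder believes the header; the checked decoder compares every claim in the header with what the file actually contains and caps the dimensions it will accept.

```python
import struct

# Constructed toy image format: 2-byte width, 2-byte height (little-endian), then
# exactly one byte per pixel. Real formats are more complex but the check is the same.
HEADER = struct.Struct("<HH")
MAX_PIXELS = 1 << 24  # assumed sanity cap on how many pixels we will ever allocate

def decode_trusting(blob: bytes) -> bytes:
    """The 'before' version: believes the header and never looks at the real length.
    A C decoder written this way would allocate w*h bytes and then copy whatever the
    file contains into that buffer, which is the overflow the text describes; in
    Python the extra bytes are merely ignored, so the mismatch goes unnoticed."""
    w, h = HEADER.unpack_from(blob, 0)
    return blob[HEADER.size:HEADER.size + w * h]

def decode_checked(blob: bytes) -> bytes:
    """Hardened version: the header's claims are checked against the file itself."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    w, h = HEADER.unpack_from(blob, 0)
    if w == 0 or h == 0 or w * h > MAX_PIXELS:
        raise ValueError(f"unreasonable dimensions {w}x{h}")
    payload = len(blob) - HEADER.size
    if payload != w * h:
        raise ValueError(f"header claims {w * h} pixels but file carries {payload} bytes")
    return blob[HEADER.size:]

def verdict(blob: bytes) -> str:
    """Return 'ok' or the reason the checked decoder rejected the file."""
    try:
        decode_checked(blob)
        return "ok"
    except ValueError as e:
        return str(e)

# Constructed sample files.
GOOD      = HEADER.pack(2, 2) + b"\x01\x02\x03\x04"
OVERSIZED = HEADER.pack(2, 2) + b"\x01\x02\x03\x04" + b"Z" * 8  # claims 4 pixels, carries 12 bytes
TRUNCATED = HEADER.pack(4, 4) + b"\x01\x02"                     # claims 16 pixels, carries 2 bytes
ABSURD    = HEADER.pack(65535, 65535) + b"\x00"                 # claims ~4 billion pixels
```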

For another neat example of the same type of exploit, check out the ACS:Law data leak.

These attacks only work if there is some flaw in the way a program is written, so the best way to protect against them is to use modern software written with modern tools.

Burning Down the House
Sometimes an attacker doesn't actually care about controlling a system, but just wants to make it unusable for everyone else. A denial-of-service attack does just that, by bombing a website, say, with hundreds of hits per second, so that it can't keep up and can't function normally for regular users. This works best if it's a distributed denial-of-service, or DDoS, where lots of computers are involved in flooding the system. For a notable example, check out the Low Orbit Ion Cannon, a system used to coordinate DDoS attacks.

Often a good firewall can prevent these attacks by quickly figuring out which hits are legitimate and blocking out all the malicious hits, but if it takes more work to determine which hits are malicious than just to serve them normally, the only solution is to buy more powerful servers.

A system can also be made unusable by destroying the data in its database. Many websites are poorly written: when they ask a user for data, they essentially hand the keyboard over to that user. As with the techniques in the previous section, someone can craft the data they send to such a website so that it starts interpreting part of the data as commands. There's a great demonstration in comic form here (the details are technical, but I think you'll get the gist of it).
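An added Python example (not from the original post) of the "data becomes commands" problem, known as SQL injection, using a constructed in-memory SQLite grade book: the unsafe lookup pastes the user's text into the database command, the safe lookup binds it as a parameter, and a comparison function runs both on the same input.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a website's grade book."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    db.executemany("INSERT INTO students VALUES (?, ?)",
                   [("Alice", 91), ("Bob", 78), ("Carol", 85)])
    return db

def lookup_unsafe(db: sqlite3.Connection, name: str) -> list:
    """Pastes the user's text straight into the command. A quote character in the
    input ends the string early and whatever follows is read as part of the command."""
    query = f"SELECT name, grade FROM students WHERE name = '{name}'"
    return db.execute(query).fetchall()

def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver hands `name` to the database as data, so it is
    never interpreted as a command no matter which characters it contains."""
    return db.execute("SELECT name, grade FROM students WHERE name = ?", (name,)).fetchall()

def compare(name: str) -> tuple:
    """Run both lookups on the same input; returns (rows_unsafe, rows_safe), with
    'error' in place of rows when the unsafe query is no longer valid SQL."""
    db = make_db()
    try:
        unsafe = lookup_unsafe(db, name)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, lookup_safe(db, name)
```

A perfectly innocent name like O'Brien is enough to break the unsafe version, which is a sign that a site is vulnerable long before anyone crafts input on purpose. The comic's form of the attack (a second statement after a semicolon) is refused by Python's sqlite3 driver, which runs only one statement per execute call, but drivers without that rule run it.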

Squatting
One final class of exploit is less catastrophic and more of a nuisance. A hacker uses your computer to do work for them in the background without your knowledge, usually along with hundreds or thousands of other computers.

When you get those incomprehensible junk emails about Viagra, those are usually sent from unsuspecting Windows computers that are way behind on their Windows Updates. Malicious hackers release worms that ruthlessly copy themselves from computer to computer, and create a massive "botnet" of infected computers. Then they direct the botnet to send out junk email to one randomly generated email address after another, and the computers work together to inflict their plague of spam on every conceivable email address.

Another possible exploit of this sort is something called "parasitic computing". Unlike worms and botnets, parasitic computing wouldn't involve installing anything on your computer. Instead it would hijack the normal proper functioning of your computer to help do calculations for another computer. The reason I say "possible exploit" is that nobody has devised any way to make productive use of parasitic computing. Every example devised so far would require more work to facilitate than it would take to just run the calculations.
