All it takes is a computer and a connection to the internet, right? Wrong. It takes mad skills to get anywhere in the hacking game. A penchant for puzzles. A love for spy vs. spy. A more than average intelligence. And it takes friends, either real people or just botnets. Or, just access to the right tools.
Attacks on organizations, particularly DDoS (distributed denial of service) attacks, are typically organized via social media, coordinated on Twitter, and accomplished with tools such as Low Orbit Ion Cannon (LOIC), a tool specifically designed to accomplish DDoS attacks. These attacks quickly make websites useless because their servers are overloaded with incoming messages.
The hacker's toolkit includes the rootkit, basically a way of achieving administrator-level privilege on a computer. Usually malware starts the ball rolling, perhaps installed by a zero-day exploit. This malware subsequently installs some processes designed to be completely undetectable that aid the hacker in accomplishing their tasks. Once a rootkit has penetrated a computer, that computer can then be used remotely and it becomes a zombie (or bot). When a large number of these computers have been captured, they become a botnet. So a hacker can, for instance, install LOIC onto several computers in this fashion to provide more power (and bandwidth) for a DDoS attack.
But, of course, it is possible to simply rent the computers to accomplish the same task. It's easy to rent hundreds of computers from Amazon Web Services. The attack against Sony Corporation's online entertainment services, which resulted in the compromise of the personal accounts of over 100 million customers, was facilitated in this way by users with fake names.
Tools are available online and some people just use them without realizing how they do their job. Such people are called script kiddies in the hacking world. Hacking tools are apparently available for several purposes. Keyloggers are a kind of malware intended to record each keystroke the computer's user types, including their username and password. They are often structured as a trojan horse, a program designed to look like a trusted system, perhaps the login screen. There are plenty of techniques used by modern hacking groups like the recently-disbanded LulzSec and the active group Anonymous.
Most of these tools and techniques are designed to penetrate a computer and obtain system administrator privilege. Once a hacker has this privilege, they can access or change any file on that computer. The files can contain other passwords, or perhaps valuable data such as credit card information or personal addresses and phone numbers. Or perhaps they contain private information.
[Image: The DARPA Shredder Challenge]
So, honor and a sense of one-upmanship are very powerful psychological motivations for hacking. Witness the years-long rivalry between MIT and Caltech that finally erupted in Caltech's cannon being stolen.
These days it's quite a challenge to keep secrets, it seems. The more valuable your secrets are, the more people are trying to get them. The more damaging your secrets are, the more people are trying to publish them. The more famous you are, the funnier people think it is to harass you. These illustrate three other motives: the criminal, social activist, and humorous motives for hacking. Nowadays, there is one more overarching reason for hacking, and it's totally wrong: state-supported hacking. Hacking for destabilization, for infrastructure attack, and for gaining the economic upper hand is becoming increasingly common.
Indeed, some of the more infamous attacks use rootkits to penetrate special-purpose systems and accomplish political gains. The Greek wiretapping hack is one example: the perpetrators were never discovered. The Stuxnet virus, a brazen frontal attack on the Iranian nuclear weapon ambitions, has long been suspected to be Israeli, American, or Russian in origin, but we may never know. It also attacked special-purpose hardware using a rootkit.
Criminal hacks abound. Consider the phone hacking scandal involving the News of the World. The British tabloid hacked into the voice mail of the murdered schoolgirl Milly Dowler in order to secure an interview with her mother. This was intended to sell more newspapers, so the motive was money; the act was criminal. But it was only the tip of the iceberg.
The release of damaging information often results from a sense of social activism. Those who release it believe they are advancing the cause of transparency, accountability, and freedom. The case of Bradley Manning and WikiLeaks illustrates this trend more than any other case, although it really wasn't hacking. For hacking-related social activism, it's better to look at Anonymous and the emergence of the hacktivist.
Hacking is definitely a crime. There's even a name for it: cybercrime. But is it the only crime being committed? Is there perhaps some stupidity or, worse, gross negligence that enables hacking and the subsequent loss of data, by creating a huge low-hanging-fruit opportunity? Oh, most certainly!
The largest presented opportunity is fame. But sometimes you can't help being famous. Sometimes it's not even your ambition to be famous. Still, when you are famous, people love to see what you are doing. This is why data about famous people is highly prized: to sell gossip zines. It appears to have become common for paparazzi to be in league with hackers, sometimes freelancing and sometimes connected with specific media outlets. Media outlets often offer huge sums for pictures of celebrities. My favorite is the National Enquirer, which offered a cool $1M for an Obama love tryst video.
The next presented opportunity is lack of proper security. This almost doesn't need to be explained. Anybody with a password of 123456 or qwerty probably doesn't know how insecure they are - simply because of cluelessness. There are plenty of available lists of common passwords. All a hacker has to do is try them. But truthfully, any word in the dictionary can be tried by using a password-cracking tool. There is even a list of commonly-used iPhone passwords. So it is very important to choose a username/password pair that is secure. They say to (1) use a word not in the dictionary, (2) have the password be 8 characters or longer, (3) include at least one numeral in the password, and (4) include both upper and lower case letters. Using the same password for several accounts is also not a good idea. E-mail passwords are typically sent across the wires in plaintext format, so bear that in mind.
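The four rules above, plus the common-password and reuse warnings, can be checked mechanically before a password is accepted. The following is an added example, not part of the original article; the function name and the short word lists are constructed for illustration.

```python
import re

# Constructed sample lists; a real check would load a full common-password
# list and a full dictionary instead of these few entries.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein"}
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "football"}


def check_password(candidate, passwords_on_other_accounts=()):
    """Return the list of rules from the text that `candidate` violates."""
    problems = []
    lowered = candidate.lower()
    # Strip digits and symbols so "Sunshine1" still counts as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if lowered in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if len(candidate) < 8:
        problems.append("is shorter than 8 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no numeral")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("does not mix upper and lower case")
    # Intended for a client-side check (for example inside a password
    # manager), where the user's other passwords are already at hand.
    if candidate in passwords_on_other_accounts:
        problems.append("is reused from another account")
    return problems
```

An empty list means the candidate passes every rule; note that a word with a digit appended still fails the dictionary rule.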
Sometimes getting into a computer is not very hard due to zero-day exploits: an exploit such as a buffer overrun that you can use right now (because the flaw is installed in several running computers) that nobody knows about. And if hackers are in, then they don't need your password. So your security should go even deeper. Information stored on your computer that has intrinsic value, or is held in confidence for your customers, should be encrypted. Failure to do so has led to several infamous hacks and also to loss of data in the wild. This is inexcusable, particularly in the presence of such viable alternatives as Transparent Database Encryption in Oracle systems.
A vulnerability exploited through the browser, known as parameter tampering, in which the account number in the browser address string is simply changed from one account to the next, caught Citibank off guard when hackers used their computers to modify the string tens of thousands of times and access confidential data.
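The server-side flaw behind parameter tampering is a lookup that trusts the account number in the address string without checking who is asking. The following added example (not from the original article; the URL, account data and function names are constructed) shows the trusting lookup beside a version that authorises each request, plus a simple check for sessions that walk through many account numbers.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> (owner, balance).
ACCOUNTS = {"1001": ("alice", 250), "1002": ("bob", 9000)}


def account_from_url(url):
    """Extract the account number the client put in the address string."""
    return parse_qs(urlparse(url).query).get("account", [""])[0]


def view_vulnerable(session_user, url):
    # Trusts the URL: any logged-in user can read any account by editing it.
    record = ACCOUNTS.get(account_from_url(url))
    return record[1] if record else None


def view_hardened(session_user, url):
    # Authorises every request against the server-side session identity.
    record = ACCOUNTS.get(account_from_url(url))
    if record is None or record[0] != session_user:
        return None  # same answer for "no such account" and "not yours"
    return record[1]


def sessions_enumerating(requests, threshold=3):
    """Flag sessions that request more than `threshold` distinct accounts."""
    seen = {}
    for session_user, url in requests:
        seen.setdefault(session_user, set()).add(account_from_url(url))
    return sorted(user for user, accts in seen.items() if len(accts) > threshold)
```

The hardened view returns the same result for a missing account and for someone else's account, so responses do not reveal which account numbers exist.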
Finally, hackers are increasingly becoming emboldened by the opportunity of being able to easily sell their ill-gotten credit card and user identity information. Online bazaars are professional-looking sites that allow the hackers to easily connect with their buyers, who use the information to impersonate the victims and buy merchandise.