
How does hacking work?


Many things in life are victims of “Hollywood education”: what movies and TV shows depict doesn’t work that way in the real world. For example, in Hollywood, cars burst into flames and explode spectacularly in mid-air for no apparent reason. In real life, car crashes only occasionally cause fires, and then only after impact. In this blog, we'll discuss two common misconceptions associated with hacking and shed some light on how hacking works.

“Hollywood education” is particularly prevalent around computers and hacking. Even IT professionals and programmers can fall into these traps. For example, if you believe movies and TV, your hacking ability is directly proportional to your typing speed. Scenes of hackers frantically pounding the keyboard to outrace another hacker or even the computer itself are common in pop culture. Yet real hacking combines automated tools operating at computer speeds with slow, patient, and methodical attacks directed by humans. There are some other common myths associated with hacking. You can’t protect your applications and the systems they run on unless you truly understand the enemy’s methods.

Hacker Facts

Myth 1 – Hackers are unlikely to find my web app 

The truth is that hackers, like all good engineers, are lazy. Poking around the internet, looking for vulnerable web apps, is too slow and labor intensive. Luckily for them, as the old iPhone ads used to say, “There’s an app for that!” Hackers use automated tools to constantly examine web apps for vulnerabilities. Once a potential weakness is identified, then the human hacker takes charge to press the attack. 

One such tool is Metasploit, which combines an automated tool with an online library of known exploits (code that takes advantage of known vulnerabilities). The online library is constantly updated as new exploits are discovered. One unpatched program on your web server can leave you open to a hacker penetrating your system and either stealing data or altering the content of your app.

In a typical attack, once Metasploit identifies an unpatched vulnerability on a web server, the hacker uses it to gain access to the system. Once they get initial access, they will usually locate the web root directory and look for configuration files. These often contain unprotected connection information to an attached database service. Once in the database, the hacker can steal user identities, passwords, and other confidential information. They can also use the database as a platform from which to attack other servers in the data center.
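A defender can check for the exposure described above before anyone else does. The following added example (not part of the original post) walks a web root and reports configuration files that store database credentials in plain text, noting whether each file is readable by every local account; the patterns, file names and sample values are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed patterns for common connection settings; extend them for your stack.
KEY_RE = re.compile(r"""(?:password|passwd|pwd)['"]?\s*(?:=>|=|:)\s*['"]?([^'"\s;,]+)""", re.I)
URL_RE = re.compile(r"\b\w+://[^\s:/@]+:([^\s@/]+)@")  # scheme://user:password@host
CONFIG_SUFFIXES = (".php", ".ini", ".env", ".yml", ".yaml", ".json", ".xml", ".conf")
RUNTIME_PREFIXES = ("$", "%", "<", "getenv")  # value is injected at runtime or a placeholder


def audit_web_root(web_root):
    """Return sorted (relative_path, line_no, world_readable) for hard-coded secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    match = KEY_RE.search(line) or URL_RE.search(line)
                    if match and not match.group(1).startswith(RUNTIME_PREFIXES):
                        rel = os.path.relpath(path, web_root)
                        findings.append((rel, line_no, world_readable))
    return sorted(findings)


def demo():
    """Audit a constructed sample web root (file names and values are made up)."""
    samples = {
        "config.php": ("<?php\n$db = ['user' => 'app', 'password' => 'S3cret!'];\n", 0o644),
        ".env": ("DATABASE_URL=postgres://app:hunter2@db.internal/shop\n", 0o600),
        "settings.ini": ("[db]\npassword = ${DB_PASSWORD}\n", 0o600),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_web_root(root)


if __name__ == "__main__":
    for rel, line_no, world_readable in demo():
        print(f"{rel}:{line_no} hard-coded credential, world-readable={world_readable}")
```

Each finding is a candidate for moving the secret out of the web root (environment variables or a secrets store) and for giving the database account only the privileges the app needs.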

Myth 2 – I don’t have anything a hacker would want 

In movies and TV, hackers are always trying to steal top secret government data or money from a billionaire’s offshore accounts. Since most developers will never work on an app that stores that kind of extremely valuable data, they think that they are not likely to be targeted. This is “security through obscurity.”

Unfortunately, it doesn’t work out that way in practice. First, the automated tools used by hackers to find vulnerable sites (see Myth 1) don’t care what kind of data you have. Second, and more importantly, what you have does have economic value, even though you may not realize it.

Information about a web app’s registered users, even just their usernames and passwords, can always be sold to someone. A widespread black market exists for stolen personal information. The more confidential information the hacker can offer, the higher the price. For example, “full docs”, which are name, address, phone number, social security number and date of birth, can be worth $50 per individual or more. This information would allow a criminal to open a credit card account in the stolen name. This can then be used to make online purchases. Another use for stolen identity information is to file a false tax return, claiming a refund. This is becoming more common. 

Modern hackers are in it for the money and most web apps store information that is of some monetary value to hackers. Since the initial prospecting for vulnerable sites is done by automated tools, being small is no protection. If you are vulnerable, they will eventually find your site. Of course, web apps that gather highly confidential information, such as banking or health care portals, are subject to more targeted attacks.

Don't fall victim to ever-evolving cybercriminals due to being ill-prepared or misinformed. Check out New Horizons Learning Group's guide to creating Your Most Comprehensive Cybersecurity Plan.


John DeVries
