Sunday, March 30, 2014

Computer Hacking

Hacking is nothing new - nor has it changed much.


I hacked my first computer back in 1976.  It wasn't that hard to do.  The computer, a brand-new PDP-11, ran on two 8" floppy drives, and had two time-shared terminals, one a DEC-50 CRT, and the other an LA-36 DECwriter printer terminal.

The Operating System ran on one floppy (those were the days!) and the second floppy could be used to store our data files and programs.

There was a login procedure with usernames and passwords that was administered by one of the teachers, who had little time to devote to the task.   The usernames and passwords were stored in plain ASCII text.

One of the more clever students figured out that if you removed the O/S floppy when you logged in, the computer would hunt for the data file containing the passwords (named "PASSWORD.TXT" of course) and when it didn't find any disc, would "bomb out" into a default "Admin" mode.

Once in "Admin" mode, you could re-insert the floppy disc and then have access to all the files, including the password files, and either add your own password, or just use the Admin password.

Of course, our teacher got wind of this and escalated matters.  He changed the name of the password file, and then tried to encrypt it using a single-letter offset code in ASCII.   "A" became "B" and "B" became "C" and so on.  It was not a hard code to crack, particularly since the algorithm was in BASIC and you could just read out the encryption technique.
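The teacher's scheme beside a hardened alternative, as an added example that is not code from the original post: a one-letter ASCII offset has no key, so anyone who can read the program can reverse the file, while a salted one-way hash stores nothing that can be decoded. The function names, the sample password and the PBKDF2 settings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

OFFSET = 1            # "A" became "B", "B" became "C", as the post describes
ITERATIONS = 200_000  # assumed work factor for the hashed variant


def offset_encode(text, offset=OFFSET):
    """The scheme from the post: shift each ASCII character by a fixed offset."""
    return "".join(chr((ord(c) + offset) % 128) for c in text)


def offset_decode(text, offset=OFFSET):
    """Undo the shift. The only 'secret' is the offset, readable in the program."""
    return "".join(chr((ord(c) - offset) % 128) for c in text)


def hash_password(password, salt=None):
    """Store a random salt and a one-way PBKDF2 digest instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Re-derive the digest from the login attempt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, digest)


if __name__ == "__main__":
    stored = offset_encode("HUNTER2")          # constructed sample password
    print("offset file entry:", stored)
    print("recovered by any reader:", offset_decode(stored))
    salt, digest = hash_password("HUNTER2")
    print("hashed file entry:", salt.hex(), digest.hex())
    print("correct login:", verify_password("HUNTER2", salt, digest))
    print("wrong login:", verify_password("HUNTER3", salt, digest))
```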

He finally gave up and just let us use the computer, as it was clear that he would spend a lot of time trying to preserve security on it, and it didn't have any secret data or grades or anything on it.   Why have security for un-secure data?   The worst we could do is corrupt the O/S disc, and there were backup copies of that.

Not much has changed in the nearly 40 years since I did my first hack.   Today, such "backdoor" methods of entering a site or a computer are known as "exploits".   Often you can find a weakness in a program or an O/S where you can overwhelm the system with some sort of error condition, and it will "bomb out" to a default operating mode, usually Admin.

Of course, hacking has gotten a lot more sophisticated since then, and for the most part, the biggest part of hacking today is the "phishing" aspect of it, or "social engineering" - where you try to tempt or bait a user into either (a) coughing up their usernames and passwords (or financial data) by using some sort of ruse, or (b) getting them to load executable code into their computer, again using some sort of ruse.

For example, you may get an e-mail saying that you need to appear in court, or that you have been called for jury duty, or that you are being audited by the IRS.   "Click on the attached file for more information" it says.   And the attached file is a trojan that, once loaded into your computer, lets all sorts of other unsavory characters in.

Some are not even so sophisticated.  I got one recently, from a friend, that was just a link to a .php file on a weird site.   I quickly googled it and realized it was an executable file, and moreover my friend never actually sent the e-mail.   Rather, she was hacked, and the program she loaded sent this link to everyone on her e-mail list, 10 names at a time (as "send all" is usually blocked by most e-mail programs today).  People think that just because the link is "from" a friend of theirs, it must be trustworthy.  It isn't, of course.

And of course, the stakes in hacking these days are far higher than back in 1976, when maybe we could hope to crib someone's homework or something.   Banking information, passwords, and credit card information are the real juicy tidbits that a hacker hopes to find - and use - before anyone is the wiser.

But many other hacks are (or were) just attempts to hijack your computer so that it could be used to send SPAM messages in bulk, or be used for denial of service attacks.   Zombie armies of hacked computers could be used by a hacker to send out millions of SPAM e-mails, or to attack a certain website and thus crash it.

Will hacking ever go away?   Maybe not.  Things have improved dramatically in Windows systems with the introduction of Windows Defender.   It automatically installed as part of Windows Update, for many computers, and it performs the actions of many programs, such as Spybot and Malwarebytes or any commercial virus scanner - only it is free.   Microsoft realized that they had a real problem on their hands, as such a huge percentage of Windows PCs were compromised.

Today, I am seeing a lot less of this, and a lot less SPAM than in days gone by.  And when "fixing" friends' PCs, I am seeing a lot fewer problems with malware and spyware on their hard drives.

With automatic updates and Windows Defender, it is getting harder and harder to take advantage of "exploits" in many programs, as each time an exploit is discovered, a new version of the program can be issued, forcing the hacker to find a new exploit.   This dynamic form of programming is similar to the double-encryption system used for Satellite television receivers (and yes, I wrote the Patent) where the "Smart Card" can be removed and replaced, to upgrade the encryption system, if a hacker figures out how to compromise the original.

However, social engineering and phishing will continue to be with us.   Finding exploits in programs is hard work and requires real skill.  And the exploits are only available until they are discovered and patched in the next update of the program in question.   However, if you can get the user to load a piece of malware into his computer for you, it is a lot easier to break in.

Fortunately, we do have some defense in this area as well.   Most e-mail programs do try to scan for SPAM and known phishing and social engineering e-mails.   When they see a million e-mails across their system with the same text, pointing people to the same malware site, they can flag them as SPAM or as dangerous, or just even delete them en masse.

And yea, that means that the e-mail provider has to "read your e-mail" to figure this out.   But they are not "reading" it per se but rather using a computer to hunt for patterns (e.g., heuristics).  So even on the social engineering and phishing front, there is progress.
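The pattern hunting described above, sketched as an added example that is not from the original post or from any mail provider: messages are reduced to a fingerprint that ignores per-recipient details, then grouped by fingerprint and linked host, and a group is flagged once it reaches several distinct recipients. The message fields, the threshold and the sample mail are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def link_hosts(body):
    """Hostnames of every link in the body, lower-cased."""
    return {(urlparse(u).hostname or "").rstrip(".") for u in URL_RE.findall(body)}


def fingerprint(body):
    """Hash the text after removing what bulk senders vary per recipient."""
    text = URL_RE.sub(" url ", body).lower().strip()
    text = re.sub(r"^(hi|hello|dear)\s+\S+", "", text)   # greeting and name
    text = re.sub(r"\d+", "0", text)                     # dates, case numbers
    text = " ".join(re.findall(r"[a-z0-9]+", text))      # drop punctuation
    return hashlib.sha256(text.encode()).hexdigest()


def flag_bulk(messages, min_recipients=3):
    """Return (host, recipient_count) for same-text, same-link clusters.
    The claimed sender is ignored: it may be a hijacked friend's account."""
    clusters = defaultdict(set)
    for msg in messages:
        fp = fingerprint(msg["body"])
        for host in link_hosts(msg["body"]):
            clusters[(fp, host)].add(msg["to"])
    return sorted((host, len(rcpts)) for (_, host), rcpts in clusters.items()
                  if len(rcpts) >= min_recipients)


# Constructed sample mail; all addresses and hosts are placeholders.
LURE = "you have been called for jury duty on {d}. Details: http://court-notice.example/info.php?id={n}"
SAMPLE_MESSAGES = [
    {"from": "friend1@example.com", "to": "alice@example.net",
     "body": "Dear Alice, " + LURE.format(d="04/12", n=1001)},
    {"from": "friend2@example.com", "to": "bob@example.net",
     "body": "Dear Bob, " + LURE.format(d="04/15", n=1002)},
    {"from": "friend3@example.com", "to": "carol@example.net",
     "body": "Dear Carol, " + LURE.format(d="04/19", n=1003)},
    {"from": "erin@example.com", "to": "dave@example.net",
     "body": "Hi Dave, lunch on Friday? Menu: https://cafe.example/menu"},
]

if __name__ == "__main__":
    print(flag_bulk(SAMPLE_MESSAGES))
```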

But that being said, hacking will always be with us, just as various forms of regular crime (and raw deals and ripoffs and the like) will always be around.   Heck, even Google allows advertisements for malware and spyware sites.   (Never click on an internet Ad!  That's the moral there.)  It is up to the consumer to be aware.   When you click on a link, be careful.  It is all-too-easy to end up on a malware site.

Sadly, this means that even the best of us will get into trouble, at least once in our lives, on the Internet.