PDA

View Full Version : Anyone know how to hack a site/computer...?



EssieRatcliff
11-30-2008, 11:36 AM
No, I'm not up to something illegal. It's just that a character in my story is a hacker, so it would be pretty useful to know at least a little bit.
I don't think I'd be able to dodge writing about it.

Suggestions, anyone?

Ruv Draba
11-30-2008, 01:17 PM
`Hacking' a site/computer means gaining access to information and controls that you wouldn't ordinarily be allowed to access. That might include:

Accessing data that's meant to be hidden from you
Making changes to data that you shouldn't be allowed to make
Executing commands on the computer that would normally be barred to youPeople often do that to:

Steal information
Steal identities
Embezzle money or other resources
Spy on what other people are doing
Forge credentials
Cause a computer to stop working properly
Create fraudulent messages and information that may change the decisions and behaviour of others
The kinds of people who do it include:

Amateurs -- for the challenge, the thrill or the boasting rights
Free-lancer professionals or small groups -- to collect saleable information
Organised crime -- often for fraudulent or blackmail purposes
Industries -- to spy on one another, and to spy on their customers
Governments -- as per industries, but also to damage the information/communications infrastructure of rival governments
Cyber security firms -- `tiger teams' engaged by clients to see how secure they are


There are lots of ways of 'hacking' a computer, but some common ways involve:

Gaining access to someone else's password (by guessing it or stealing it)
Gaining access through an unprotected service (e.g. something that should have a password but doesn't)
Literally sitting at someone else's computer when they're logged in
'Phishing' for account information by sending fraudulent messages
Connecting to computer networks with a foreign computer, or with 'sniffer' devices that can intercept or forge messages. (This is especially easy on wireless networks)
Taking advantage of bugs in legitimate computer services -- causing them to 'crash' or 'misbehave' in ways that can allow access -- or at least cause the computer to stop working
Sending 'spyware' or virus software as attachments to other messages such as email, or embedded in documents. This may either open security holes, or capture passwords and other information
'Trojan horses' -- software posing as legitimate -- but which actually captures private information
'Social engineering' -- gaining access by just talking to someone and gaining their trust
'Spamming' the computer with messages that makes it overload to the point of becoming slow or crashingThe cost of hacking includes:

The cost of replacing any lost or corrupted data
Embezzeled money or resources
Loss of privacy
Loss of reputation
Being unable to access important services
The cost of 'cleaning' and 'repairing' any computer known to be hacked and 'checking' or 'cleaning' any computer suspected to be hacked
Liabilities to partners, customers and suppliers arising from exposing them to hacking risks tooWhen a large organisation is known to have been hacked, the costs above can run into millions.

Measures that can impede such hacking include:

Physically protecting a computer and its networks from external access
Regular patches and updates to fix known bugs in software and computer systems
Strictly limiting which computers can communicate and how (this is known as a 'firewall')
Limiting the services run on computers to just the bare essentials
Limiting the access privileges of users to just what they need
Protecting files and other data using security permissions
A reputable virus/malware checker that: 1) prevents illicit software from being installed; 2) prevents software from taking unwarranted control over the computer; 3) checks regularly to see whether such software has been installed; 4) quarantines any suspicious software
Keeping a malware-checker up to date against the latest risks
Quarantining computers during times of known security threats
'Audit trails' that track what users have been doing -- to discover how hacking occurred
Regular backups that help recover lost/corrupted data
Training computer users and people in computing environments to be suspicious, to be reticent in giving out information, and to have 'safe' computer habits (like picking 'safe' passwords and locking computers when they're away from their desks)
Training computer users not to store sensitive information on poorly protected equipmentNone of these measures is foolproof. They merely reduce the risk of hacking. The only 'guaranteed' way to avoid a computer being hacked is to leave it wrapped in its box and never use it. :tongue

Hope that this helps.

stephenf
11-30-2008, 05:33 PM
Hacking into a restricted websites is often achieved by using software that will run through all possible passwords.Thats why you should use passwords that are a mix of numbers and lower and upper case letters,still not uncrackable but it will take longer

ChaosTitan
11-30-2008, 06:07 PM
I'm going to shift this up to Story Research. Ruv Draba gave you a great reply, and you may get a few more in that forum.

RumpleTumbler
11-30-2008, 06:20 PM
First and foremost it's cracking, not hacking. There is a big difference.

If you and or your advisors don't know that then you're creating a flawed foundation because the rest of your info is likely bad. The good side of that is that the public probably won't miss a beat. The bad is that the people who get it will be appalled.

Decide what level of information you need and then find a person who actually understands it and use them as a source.

Fenika
11-30-2008, 06:43 PM
Just fyi, this info is googlable. The further you get in the process, the harder the jargon is to follow (and they assume you know what they are on about) but the basics are readily found with a few searches. If one of the initial steps confuses you, google that part.
Either way you need access and a program to do the grunt work.

Linda Adams
11-30-2008, 06:54 PM
There are a lot of business books out there that discuss how to protect networks and the basic dumb things people do or don't do. This site, Informit (http://www.informit.com/topics/topic.aspx?st=61457), sells technical books. You can register for free and read the articles and excerpts from the books.

Also check out current events. There was a recent cyberattack (http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story)reported in the last couple of weeks.

Remember, one of the biggest problems is the employees. When I was in the military--and this was more than ten years ago--people were very careless about things like social security numbers. One time in the National Guard, they needed an attendance roster for a class and asked everyone to sign in with their name, social security number, and platoon. I ended up in argument with someone because he didn't get why it was wrong to have everyone list their SSN like that.

And it carries through to computer systems. People do dumb things and don't realize it. Like leaving the default passwords on a database or picking passwords that are "easy to remember"--or writing them down.

This is a guide on information security for businesses from the FTC: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf. There's a list of links at the end of the article.

Adam Israel
11-30-2008, 07:47 PM
Remember, one of the biggest problems is the employees. When I was in the military--and this was more than ten years ago--people were very careless about things like social security numbers. One time in the National Guard, they needed an attendance roster for a class and asked everyone to sign in with their name, social security number, and platoon. I ended up in argument with someone because he didn't get why it was wrong to have everyone list their SSN like that.

And it carries through to computer systems. People do dumb things and don't realize it. Like leaving the default passwords on a database or picking passwords that are "easy to remember"--or writing them down.


Social Engineering (http://en.wikipedia.org/wiki/Social_engineering_(computer_security)) is another of the methods used by crackers. Fool the unsuspecting mark into giving you information.

EssieRatcliff
12-01-2008, 02:55 AM
0.o Okay, didn't know this was so involved. Thanks for the help, I'll look at all the links you've given me.
Cracking/hacking... I'll have to clear that one up.

Medievalist
12-01-2008, 03:58 AM
Social engineering and relying on bone-headed users are by far the easiest methods.

When it requires actual knowledge--and work--the prize has to be worth the effort, and by prize, I mean the counting coup aspect (the site or user in question gets you points for coolness) or the value of the hack (financially worthwhile and resellable data, or an interesting security problem to be analyzed and solved--honestly, the really really good hacks are about doing the impossible; the difficulty of the hack is seductive).

Nivarion
12-02-2008, 07:43 PM
i don't know a lot about hacking but i know enough to help you get even more specific. hackers classify themselves into two (or is it three?) classes. you have black hats and white hats.

black hats hack for self service.
white hats hack to help others.

IE, a black hat will create a virus that sends text documents to a server he can use, so that he can look at all of your text documents and find important files. then a white hat will make a counter virus that deletes the first virus, and then deletes itself.

i have a good example here.

this is blaster, (http://http://en.wikipedia.org/wiki/Blaster_worm) and it was a nasty old bug, made by a black hat. then some white hat made this (http://http://en.wikipedia.org/wiki/Nachi_worm), with good intent, and though it fixed blaster it caused more trouble for a while.

other than that. i know they use linux often because you can alter the codes freely. they can change things so that the system will behave the way they want it to and then you can get it to work around passwords and/or make it seem that the computer is a part of the system.

that and drop in OS, helps hack a computer that doesn't have anyone there. i cant get links now because i am on a school comptuer and our tech guy things linux is a swear word.

Medievalist
12-02-2008, 10:07 PM
Hackers do not identify themselves as "black hat" or "white hat"--these are external labels. So called "white hat" hackers began on the other side--it's how you learn.

The quality of your hack identifies you. You might have a handle, but it's the hack, and the style of said hack, that is the key.

benbradley
12-11-2008, 11:05 PM
Hacking into a restricted websites is often achieved by using software that will run through all possible passwords.Thats why you should use passwords that are a mix of numbers and lower and upper case letters,still not uncrackable but it will take longer
It may be helpful to use the term for this, it's called a "dictionary attack." A list of baby names might be the first thing tried, because weak passwords are often names of loved ones.

This sort of thing has been done by spammers who want only to send their spam to every email address in existence, and don't care if they send it to nonexistent emails either (because the cost of sending automated emails is essentially zero). AOL addresses are very often a first name followed by three digits, so taking advantage of this, spammers generated all the addresses from ann000@aol.com to ann999@aol.com, adam000@aol.com to adam999@aol.com, etc.

First and foremost it's cracking, not hacking. There is a big difference.

If you and or your advisors don't know that then you're creating a flawed foundation because the rest of your info is likely bad. The good side of that is that the public probably won't miss a beat. The bad is that the people who get it will be appalled.

Decide what level of information you need and then find a person who actually understands it and use them as a source.
I have to agree, though you might as well be saying alcoholism is a behavior and not a disease (okay, that's my other hobby horse). People only know what the "mainstream media" (yes, it spans across politics and includes Fox News, and predates Fox News by a wide margin) tells them.

I recall an editorial in Byte (early '80's maybe, but I think still before the popular movie "War Games" where the criminal use [pun intended] of the word hacker was used) on those awful golfers who hit people in the head with golf balls, even mentioning former President Ford in this terrible category. It ended with how the word hacker was used in the same denigrating way, and that people should let them (the enthusiastic programming community) define the word as originally intended. Or something to that effect - this was a long time ago. But even at the time I wholeheartedly agreed with the sentiment, but I thought it was too late, the vast majority of news reporters who used and and of the public who heard the word hacker in computer contexts used and understood it as meaning computer criminal. And here it is a quarter century later, the same situation, and only a few of us old farts even know there was a different meaning to the word.

But someone who gets into computer crime (and actually does RESEARCH on whatever he's trying to do) should quickly stumble on the word cracker, and if he's inquisitive at all, he'll research the difference between cracker and hacker.

Hackers do not identify themselves as "black hat" or "white hat"--these are external labels. So called "white hat" hackers began on the other side--it's how you learn.

The quality of your hack identifies you. You might have a handle, but it's the hack, and the style of said hack, that is the key.
The word 'hack' in this context could refer to the earlier/original (non-criminal) meaning of hack, meaning a crafty, insightful or brilliant program or addition or change to one of your own programs. There's "The Hacker's Dictionary" based on the "jargon File" (you can google that and find various versions, the majority of the book comes from that file), which has a lot more about computer programming than it does computer crime (though it does discuss 'cracking' and of course correctly uses these terms)
http://www.amazon.com/New-Hackers-Dictionary-3rd/dp/0262680920
And yeah, I bought each of the three editions as it came out. I even hesitate to say I knew FORTRAN in college, lest I be inundated with job offers to work on legacy systems.

johnnycannuk
12-18-2008, 12:18 AM
Purchase the book "Hacking: The art of intrusion" by Jon Erikson, second edition, and read it.

Yes, its a tech book, but it is good for beginners and shows the foundations of some of the biggest hacks and cracks out there. It even comes with a LiveCD of a system so you too can hack and crack and see the techniques first hand.

Once you have a general understanding, check out sites like milw04m and http://www.offensivecomputing.net/ and read some of the papers and techniques.

Any of this stuff can be used for good or evil - most take advantage of poor programming, not magic or mystical knowledge.

I do software security for a living... if you need any specific answered, send me a private message.

caseyquinn
12-18-2008, 01:08 AM
One thing to remember is that even if you get it all wrong you could still have a best selling novel. See Dan Brown's digital fortress for details.