What Hack3rs D0

by Sue Basko

Warning: Hackers are not allowed to read this. This is written for non-hackers only.

Hackers think they are smarter than other people.  If they are really hackers, they are probably right.  Some hackers write words using numbers. This is based on creating passwords using a combination of letters and numbers.  Can you read these? 5n00py,  M4i 7ai, 54154, smi13, 5133v3.  (Answers below.)

Hackers talk about getting v&, or vanned, which means arrested.  Some hackers with delusions of grandeur think getting arrested will make them famous.  Reality in the U.S. is that computer crime charges are so excessive that young people face long prison sentences for doing things that most people cannot even conceive of as illegal.  Therefore, when hackers are arrested, the big question is whether they will flip, or act as a confidential informant, or CI, as part of a plea deal.  One New York hacker who famously flipped upon arrest is nicknamed Sabu.  After he flipped, he got back online with an FBI handler and tricked other hackers into hacking certain targets, and all the while, they were being set up for arrest.  Sabu also got onto IRCs (internet relay chats), where he recruited hackers and also elicited incriminating statements from them.


Hackers break into websites or servers or into computers.  Hacking into a website or server is a whole lot easier to do than you might think.  Think of a website as a house.  How do you get into a house? Through a door or window.  What's the door to a  website? Having the password.  A hacker might get a password by trickery, which is known as Social Engineering.  They might also get a password by phishing, which is when they trick a person into filling out a form sent by email.  Or they might be given a password, buy a password, or crack a password.  Password cracking is usually done in phases, and when a list has been cracked, it will often be posted on the internet for anyone to use.  (Gasp!  But this is true.)

Another door into a website is called a backdoor.  Many websites, especially government websites, have a backdoor.  Since the government uses so many contractor companies, there may be hundreds or thousands of people with ready access to a backdoor.  Backdoors are also notably easy to hack.  Once a hacker is in a backdoor, they often have access to an entire row of websites, all of which are lined up on one backdoor.  This is like walking down a street and strolling into any house you wish.

What are the windows through which one may enter a website?  Those are any locations where one might enter code.  That's usually going to be a log-in or question form or other such thing.   When you log in to a website, you are  contacting the server, which compares the user name and password with a list.  You are querying the server. You may query the server in other ways using that same fill-in form.  Two of the main methods are called SQL injection and HTML injection.  SQL is "server query language." You type in code that asks the server a question and hope it responds.  It is like you are saying "Open Sesame," and it replies and opens and lets you in.  Many SQL injections rely on the fact that many users are silly and give themselves user names such as "Admin."

HTML injection or Code injection is where you are adding to the code already on the page, in any place that accepts HTML.  I think of this like throwing a rock through a window to try to get a person inside to come to the window yelling. Once they are at the window yelling, you might get them to dance, tell stories, or show you a video.  If you don't know what code to use, there are plenty of little scripts floating around the internet.  People that use pre-made coding are called "script kiddies."


Once a hacker is inside a website, what do they do?  They might deface it.  That is when something on the face of the website is changed or something is added.  It is easy to go into the HTML coding and change what the words say, change the colors, or add photos or videos.  For example, any video can be embedded off a serving site, such as YouTube, just as you would add a video to any blog or site with the embed code.

Defacing a site doesn't really cause much damage, and the code can probably easily be cleaned up in a matter of minutes, especially since most people keep a copy of their site design code.  However, hacking and defacing a website will often be charged as if it is a big, serious crime, and the site owners will claim it cost thousands of dollars to fix it.  So, beware if defacing is your plan.

Another thing a hacker might do inside a website is gain access to the server to get lists of credit card numbers and passwords, or to get lists of other information.   Possessing or using stolen passwords or credit card numbers is very illegal.
  
More advanced hacking involves hacking into mechanical systems, such as the controls on cars or buildings, manufacturing plants, power plants, etc.   Computer hacking experts say it is possible to hack  computer-controlled cars and take control of the accelerator and brakes away from the drivers.  Scary!


Another main target of hackers is emails.  Hackers hack into emails and sometimes lurk for months, gathering emails or photos. They might leave without announcing themselves, but the point is usually to publicly freak people out by revealing "secret" emails.  Hackers almost always get into email accounts by getting a password.  One common way to do this is by guessing the answer to the security question. Another method is that many computers "remember" a log-in, including a password.  The account may then be easily accessed from that computer by anyone, until the password is changed.  If the email is also a door to other sites, or if the emails reveal other account log-ins or other information, all of that can be easily known by the email viewer.  That's why it is a good idea to use double validation on email accounts. Double validation is available on Gmail.  Double validation means that in addition to logging in, the user must also post a code that is sent via cell phone.  This safety method is also called Two-Factor Authentication, or 2FA.  2FA is now available on many log-ins and it is a good idea to opt to use it.

Hackers might also break into Facebook or Twitter accounts.  These hacks usually involve someone who was previously trusted with the password.  Or they may be caused by using a computer that "remembers" the log-in and password.  Or they may be caused by having the accounts linked to an email which is hacked.  Twitter may also respond to code injection.


Another thing some hackers do, which is not really considered hacking, is DOSing.  DOS stands for Denial of Service. This is also known as "Tango Down."  This is an attack against a web server, or against a website (URL), IP, or router.  There are many methods of creating a DOS attack.  All the methods flood the target with packets of information that keep the target from operating normally.

Think of a website as a house on a street. Usually the car traffic moves down the street in a steady, orderly stream, so anyone can get to the house easily. Now, suppose we send a hundred cars and trucks all at the same time, or from different directions, or even at different speeds. Then, there will be a terrible traffic jam, and no one will be able to get to the house.  Those are metaphors for the ways some different types of DOS attacks work.

There are already-created DOS tools on the internet.  There are even DOS-for-hire sites.  A notorious DOSer called the Jester (@th3j35t3r on Twitter) claims to use his phone for DOS attacks using a software switching method he coded.  Most DOS attacks knock a site offline for a few minutes, though a massive attack might last as long as 20 minutes.

Another form of DOS is called DDOS (distributed denial of service).  A DDOS is when the attack comes from multiple sources.  Many computers will be recruited, either with their owners' consent, or often unknowingly, and have the attack malware placed onto the computers.  Such networks may require the participation of the various computer owners, or may work automatically. This is called a bot or a zombie bot.  According to reports, hundreds of thousands of WordPress blogs were infected with malware that turned them into a giant zombie bot.

In another incident, people protesting against PayPal for denying financial services to WikiLeaks joined a DDOS attack by downloading malware.  Fourteen of those participants were charged with crimes, and are called the PayPal 14. In reality, it is estimated that tens of thousands of computers were participating in the attack.  PayPal claims it lost millions of dollars in revenue in the 20 minutes or so that the DDOS kept the site nonfunctional.  I think many participants were not fully informed and were more or less tricked into clicking and downloading the malware. Others may not have realized DDOSing is illegal.  Some participants, I think, were actually told that DDOSing is legal.

Some people think DDOS attacks should be legal as a form of First Amendment protest. The same might be said of website defacements.  As of now, these things are illegal and punished disproportionately for the relatively small and fluid amount of damage they may cause.

Another thing that wannabe hackers do is dox, or d0x.  Dox is short for documents.   Doxing may reveal the name of a person who uses a pseudonym.  This may be justified, especially if the person is using their cloak of anonymity to attack or harass others.   Other types of doxing include posting a person's address, phone number, and personal information, such as social security numbers and other information. This is almost always illegal as internet stalking or harassment.  If this is done to a law enforcement officer or certain federal employees, it can be a very serious crime.  If the intent or the result of posting a person's personal information is to harass or endanger the person, you can be sure it is illegal under some law or other.  Much of the information posted in  doxing is incorrect and as such, may be defamation and present a private cause of action (lawsuit) as well as possible criminal charges.

Many states have laws that make it a crime to reveal the home address or personal information of any law enforcement officer.  Federal law makes it a crime to reveal any of 6 pieces of information of a federal employee.  These 6 pieces of information are called "restricted personal information," and include home address, home phone, cell phone, personal email, social security number, or home fax number.  Even if such information can be found online with a Google search, it is illegal to make it public or post it.

Conspiracy to jump off a cliff.

Barrett Brown was charged with Conspiracy to make public such information about an FBI agent.  The Conspiracy charge claims that Mr. Brown asked someone to look up the restricted information of the FBI agent with the intent to post it online.  Please note that the indictment does not say Mr. Brown did make the information public, or even that the person who supposedly agreed to look up the information was ever able to locate it.  The indictment charges a "conspiracy," by saying there was a plan to find the information and post it, and a step was taken in furtherance of doing so.  When a person is convicted of such a "conspiracy," the punishment is the same level as if they had completed the act.

 Please note that Barrett Brown has pleaded not guilty to this charge of Conspiracy to make restricted personal information public.  It does sound like Mr. Brown was simply trying to find a phone number to call the FBI agent to try to get his computer returned so he could do his work as a writer.  The problem was that Mr. Brown lived his life online, and so his requests for assistance in finding the phone number were in themselves quite public.

A federal employee -- or anyone else, really -- should be contacted at their places of business and not at home, unless you are their personal friend.  People should not be harassed or harmed for doing their jobs.  If you disagree with this and want to do otherwise, realize the risk you are taking.     


Another form of hacking is called exploits.  This is when a hacker finds a vulnerability in a program and devises an exploit, or coding package, that takes advantage of the weakness.  Many of these are called Zero Day Exploits, meaning the exploit has already been devised and put in use when the software program is being released, before it can be patched.  
Some hackers create bundles of exploits for sale or just give them away.  This enables others to hack into programs or sites.  There are many exploit packs available for free download on the internet.   Some exploits are very specific and others are more general.

Answers: 5n00py (snoopy), M4i 7ai (mai tai), smi13 (smile), 54154 (salsa), 5133v3 (sleeve).