Hollywood has a lot to answer for when it comes to the popular understanding of hacking.
The on-screen version is usually pretty dramatic, involving a lot of keyboard mashing, words like ‘firewall’ and ‘mainframe’, and often a large confirmation message flashing “HACK COMPLETE”.
Sometimes it gets very silly.
It’s understandable that the producers of TV shows and movies want to make hacking very visual and intense, but the reality is very different.
So what exactly is hacking?
Hacking can mean a lot of different things in different contexts, but a common theme is that an attacker wants to run their own code within your system.
For example, if I can get my own PHP file onto your WordPress web server via any means, with a few lines of code I can:
- Create myself an administrator account in your content management system
- Delete your administrator account(s)
- Read your database credentials
- Steal your customer data
- Deface your site
- Start serving malware to your visitors
- Delete your site entirely
Zombies and bot-nets
The most common form of hacking involves no human interaction at all.
It’s just a compromised computer (sometimes called a zombie or a bot) working its way through a list of target computers, doing the digital equivalent of a burglar trying door handles and windows looking for something unlocked.
If it finds one of those windows or doors unlocked, it might immediately break in or it might just note the address and move on to the next target.
The human controller of that zombie machine receives a nice list of compromised addresses, without doing any legwork themselves.
Here’s a small sample taken from one of our server logs on an unremarkable day:
220.127.116.11 - - [27/May/2019:22:37:58 +1200] "POST /vvv.php HTTP/1.1" 404
18.104.22.168 - - [27/May/2019:22:37:59 +1200] "POST /www.php HTTP/1.1" 404
22.214.171.124 - - [27/May/2019:22:38:01 +1200] "POST /ffr.php HTTP/1.1" 404
126.96.36.199 - - [27/May/2019:22:38:03 +1200] "POST /411.php HTTP/1.1" 404
188.8.131.52 - - [27/May/2019:22:38:05 +1200] "POST /415.php HTTP/1.1" 404
184.108.40.206 - - [27/May/2019:22:38:08 +1200] "POST /421.php HTTP/1.1" 404
220.127.116.11 - - [27/May/2019:22:38:09 +1200] "POST /444.php HTTP/1.1" 404
This is a computer in China trying out a list of different file names and attempting to send data to them, to see if they exist.
In this case, the attacker is probably looking for a malicious file left behind by a previous successful hack – in other words, checking to see if our server has already been compromised.
The same approach is used to look for old installation files, backups or pieces of software with known vulnerabilities.
Targeted hacking
Targeted hacking involves a human (or many) actively searching for a way to break into your system.
They may use automated tools or social engineering, but the important element is the attacker knows what they want and who they are attacking.
While this does make targeted hacking more serious than some bot trying to build a spam farm, it also limits the risk for many businesses as they are unlikely to be targeted in the first place.
Usually, there has to be a good reason for someone to spend their time trying to break into a specific target; their goal may be financial data, intellectual property, customer information, industrial espionage or even just good old-fashioned revenge.
Social engineering
Social engineering is not strictly hacking, but it’s closely related.
Rather than breaking in through an unlocked window or exploiting a weakness in a particular model of lock, social engineering targets the weakest part of most security systems – the humans with the keys and passwords needed to get past it.
Classic examples of social engineering include:
- Calling someone and claiming to be from the IT department, with a plausible-sounding reason for needing their username and password
- ‘Spear phishing’, where someone is targeted by a malicious email purporting to be from their boss or another trusted person, instructing them to reveal sensitive information or even grant access to the attacker
- Leaving USB drives packed with malicious software outside a target building. The odds are pretty good that someone will find one of the drives, take it inside and plug it into their computer to see what’s on it.
Who are the hackers?
When it comes to automated hacking and bot-nets, the culprits are often criminal enterprises or individuals looking to make some money.
If you delve into some of the murkier corners of the internet, you can rent access to armies of compromised computers for the purposes of sending out a spam email campaign or inundating a competitor’s website with bogus traffic.
The critical idea here is that it’s easy to block one specific IP address if it’s up to no good, but it’s a lot harder when you are dealing with thousands of IP addresses which look just like legit customers.
Governments are also deep into the hacking business. We hear a lot about certain countries attacking others, but the reality is most governments have a cyber warfare capability of some sort.
One of the more spectacular examples was Stuxnet, an extremely targeted cyber weapon believed to be jointly developed by the United States and Israel, which managed to do physical harm to Iran’s nuclear weapons programme.
How do you avoid getting hacked?
Realistically, the best you can do is mitigate the risk of being hacked by one of those automated bots.
At Mogul, we build most of our sites using open-source software like WordPress, which is a double-edged sword when it comes to security.
WordPress is not an inherently insecure system, as some would have you believe. It is however by far the biggest target for hackers because it’s also by far the most popular content management system in the world.
That popularity does come with some benefits. With so many people using and testing WordPress all the time, vulnerabilities tend to be found and fixed faster than in more obscure closed-source, proprietary systems.
We follow a few simple rules for minimising the risk to our clients, whatever system their site is built on:
Keep your software up to date
As discussed above, one of the main benefits of open-source software is that vulnerabilities are found and fixed all the time. If you don’t apply security updates regularly, you’re a sitting target for automated hacks designed to find unprotected sites like yours.
Keep good backups
A good backup is one which is both recent and easily able to be restored. If your site is hacked, bear in mind that your backups will still have the same vulnerabilities as the hacked site; these need to be found and fixed before you can properly go live again.
Harden your site and keep a close eye on it
Hardening a site is a whole blog post by itself, but the general idea is to put some measures in place to thwart automated attackers.
For example, software like Fail2ban can spot patterns such as the bot posting data to non-existent files that we saw earlier in this post. One or two such attempts might have a legitimate explanation, but seven failed attempts in under 15 seconds? That’s entirely ban-worthy.
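To show what that kind of rule actually does, here is an added Python example (not Fail2ban’s own code and not a Mogul script) that applies the same sliding-window check to constructed log lines in the format of the excerpt above: an address that POSTs to non-existent .php files seven times in under 15 seconds is flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format as in the post's excerpt: a 404 on a POST to a .php path
# is the "posting data to non-existent files" probe the post describes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (TEST-NET addresses), same layout as the post's excerpt.
SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2019:22:37:58 +1200] "POST /vvv.php HTTP/1.1" 404
203.0.113.5 - - [27/May/2019:22:37:59 +1200] "POST /www.php HTTP/1.1" 404
198.51.100.7 - - [27/May/2019:22:38:00 +1200] "GET /about/ HTTP/1.1" 200
203.0.113.5 - - [27/May/2019:22:38:01 +1200] "POST /ffr.php HTTP/1.1" 404
203.0.113.5 - - [27/May/2019:22:38:03 +1200] "POST /411.php HTTP/1.1" 404
203.0.113.5 - - [27/May/2019:22:38:05 +1200] "POST /415.php HTTP/1.1" 404
198.51.100.7 - - [27/May/2019:22:38:06 +1200] "POST /old.php HTTP/1.1" 404
203.0.113.5 - - [27/May/2019:22:38:08 +1200] "POST /421.php HTTP/1.1" 404
203.0.113.5 - - [27/May/2019:22:38:09 +1200] "POST /444.php HTTP/1.1" 404
""".splitlines()

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_probing_ips(lines, max_hits=7, window_seconds=15):
    """Flag IPs that POST to non-existent .php files max_hits times in under window_seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of matching requests, oldest first
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not (method == "POST" and status == 404 and path.lower().endswith(".php")):
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() >= window_seconds:  # slide the window forward
            hits.popleft()
        if len(hits) >= max_hits:
            flagged.add(ip)
    return flagged
```

With the sample above, only 203.0.113.5 is flagged; the single stray 404 from 198.51.100.7 is left alone, which is the distinction the paragraph draws.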
Another great piece of software we use is a free plugin from Sucuri. This regularly scans your website’s files and compares them to a ‘clean’ version of WordPress, so it can quickly spot the signs of a successful hack and raise the alarm.
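The idea behind that kind of scanner is a file-integrity check. As an added example (not Sucuri’s code), this Python sketch hashes every file under a site, compares the result with a clean baseline, and reports what was added, removed or modified; the site tree and its contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_manifests(clean, current):
    """Return (added, removed, modified) paths. An unexpected new .php file is the
    classic sign that someone has got their own code onto the server."""
    added = sorted(set(current) - set(clean))
    removed = sorted(set(clean) - set(current))
    modified = sorted(p for p in clean.keys() & current.keys() if clean[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed site tree: record a clean baseline, simulate a compromise, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z';\n")
        clean = hash_tree(site)  # in practice: hashes of the matching clean release
        # Simulated compromise: one core file edited and an unknown file added.
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z'; // tampered\n")
        (site / "vvv.php").write_text("<?php // unknown file, not part of the clean release\n")
        return compare_manifests(clean, hash_tree(site))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```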
Hacking and cyber attacks are now a fact of life. It’s not hard to mitigate most of the risk, but it does require regular maintenance and good planning if the worst comes to the worst.
If you have any questions around web security for your business, please get in touch.