How Most "Hacking" Works

GAD

Reverential Morlock
Über-Morlock
Joined
Feb 11, 2009
Messages
23,125
Reaction score
18,803
Location
NJ (The nice part)
Guild Total
112
I posted this in an Online Offerings thread and thought it would be useful in a more public area. There is a widely held misconception about modern "hacking". For the record, "hacking" is finding vulnerabilities or backdoors in systems using intelligence, knowledge, coding ability, and a pile of other skills that most modern "hackers" know nothing about. Real hackers are out there, though! Most of the really big data breaches are due to them, though traditionally a real hacker would call them crackers because traditionally hackers didn't really cause harm.

Anyway, here's the info:

Must be done by a bot...seems to be showing 49,000 + results = 'listings' by that 'account'

EBay is REALLY hacked majorly this time...wonder if they need to close down the site to clean it up...

@GAD, is it safe to post Ebay listings on here until this is resolved? Could clicking on a link spread that 'illness' to here? Just wondering.

Ebay is not hacked. What you're seeing is bots that are creating listings.

The "hacking" is a result of users who use the same passwords everywhere then don't change their passwords after reading in the news that there's been a major data breach that affects 2.7 million customers, etc.

BTW this is what 99% of "hacking" is: taking advantage of people who use the same password everywhere and never change them.

Here's how it works:
  1. Twitter gets hacked and confirms that 5.4 million accounts were "stolen". This actually happened in 2022. This was an actual hack (probably - could have been social engineering, a disgruntled employee, or any of a number of other non-actual-hacking events, but let's say for now that they were hacked).
  2. Hackers take the lists of 5.4 million accounts and do three things with them:
    1. Try to use the info to get deeper into Twitter
    2. Sell or more likely just publish the list to the dark web (ooooh scary)
    3. Use the account information to compromise other accounts on other systems. *This* is what you're seeing on Ebay
Now there is a list of 5.4 million accounts that are more or less publicly available for every teenage idiot script-kiddy malcontent on the Internet. What's on such a list? It doesn't take much. How about:

Code:
USER        PASSWORD

Alfred      PASSWORD
Bob         123456
Charles     P@SSWORD
Diane       Mary
Effram      jesb2#489
Frank       112199
GAD         *#^@0h2#98
...

And yes, people still have PASSWORD as their passwords - especially users who have had accounts for 15 years. Smart companies disable the accounts and force a PW change. Not all companies are smart.

Hacker-wannabe-script-kiddie (let's call him Zippy) writes (or more likely downloads) a script that takes that list and then uses it to try and log into every major website in the world. If you can name a website, Zippy's tried to get in. How does Zippy know all the big websites? He downloaded a list.

Now the script takes the list of websites and systematically applies the list of username/passwords:

Apple.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Baidu.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
CNN.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Ebay.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Facebook.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Reddit.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...
Netflix.com: Alfred, Bob, Charles, Diane, Effram, Frank, GAD,...

If there are no login limit controls (rare today) then the script can try 1000s of users per minute. Maybe even per second. But Zippy doesn't need speed. Why? Because he has a list of already hacked systems (that he freaking downloaded) and he puts bots on 1000 compromised systems on the Internet. Now he has 1000 systems attacking 10,000 websites and reporting back when they get a working login.

Zippy leaves his bots while he spends the weekend doing whatever it is hacker-wannabe-script-kiddies do with their downtime (likely yelling obscenities at other players on Xbox Live). At the end of the weekend he checks his mail/log/system/whatever and has a report with literally hundreds of successful logins on the world's most well-known webservers.

He then either uses them or sells them, usually for gift cards, crypto, or some other untraceable replacement for money, and then just repeats the process.

This can be done from anywhere in the world at any time, and it is very difficult to stop.
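The forced password change mentioned above ("Smart companies disable the accounts and force a PW change"), seen from the defender's side as an added example that is not part of the original post: a site checks a published breach list against its own salted password hashes and locks only the accounts where the leaked password still works. The account store, the PBKDF2 parameters and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier the way this hypothetical site does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_account(password: str) -> dict:
    """Create a record holding only a salt and a salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}

def exposed_accounts(accounts: dict, leaked_pairs) -> list:
    """Return local usernames whose current password matches their leaked one."""
    exposed = set()
    for username, leaked_password in leaked_pairs:
        record = accounts.get(username.lower())
        if record is None:
            continue  # the leaked user has no account on this site
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(username.lower())
    return sorted(exposed)

def force_reset(accounts: dict, usernames) -> None:
    """Lock each exposed account until its owner sets a new password."""
    for name in usernames:
        accounts[name]["locked"] = True

# Constructed sample data: a hypothetical site's accounts and a leaked list.
LOCAL_ACCOUNTS = {
    "alfred": make_account("PASSWORD"),          # same password as in the leak
    "bob": make_account("unique-to-this-site"),  # did not reuse his password
    "diane": make_account("Mary"),               # same password as in the leak
}
LEAKED = [("Alfred", "PASSWORD"), ("Bob", "123456"),
          ("Charles", "P@SSWORD"), ("Diane", "Mary")]

def run_demo() -> list:
    exposed = exposed_accounts(LOCAL_ACCOUNTS, LEAKED)
    force_reset(LOCAL_ACCOUNTS, exposed)
    return exposed

if __name__ == "__main__":
    print(run_demo())
```

Bob appears in the leak but is not locked, because the password he uses on this site differs from the leaked one.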
 

GAD

Additionally, every server on the Internet (and I mean EVERY server) is constantly under brute force attack to try and get root access. Here's just one minute of my server's auth log:

Code:
Aug  8 02:15:17  sshd[1042880]: Failed password for root from 103.16.78.178 port 56204 ssh2
Aug  8 02:15:22  sshd[1042885]: Failed password for root from 103.16.78.178 port 57538 ssh2
Aug  8 02:15:27  sshd[1042887]: Failed password for root from 103.16.78.178 port 58932 ssh2
Aug  8 02:15:31  sshd[1042889]: Failed password for root from 103.16.78.178 port 59916 ssh2
Aug  8 02:15:36  sshd[1042891]: Failed password for root from 103.16.78.178 port 32994 ssh2
Aug  8 02:15:42  sshd[1042893]: Failed password for root from 103.16.78.178 port 34392 ssh2
Aug  8 02:15:49  sshd[1042895]: Failed password for root from 103.16.78.178 port 35732 ssh2
Aug  8 02:15:54  sshd[1042897]: Failed password for root from 103.16.78.178 port 37532 ssh2
Aug  8 02:16:01  sshd[1042899]: Failed password for root from 103.16.78.178 port 38984 ssh2
Aug  8 02:16:06  sshd[1042901]: Failed password for root from 103.16.78.178 port 40556 ssh2
Aug  8 02:16:12  sshd[1042903]: Failed password for root from 103.16.78.178 port 41786 ssh2

This is a script-kiddie who's trying to break into my server by using a huge list of known root passwords. Smart sysadmins don't allow remote root logins, but old operating systems used to ship with default root passwords and there are a LOT of them still out there.

All systems are under attack at all times. Modern firewalls are good at limiting this (it can be a drain because each failed attempt consumes a small bit of processing power not to mention disk for logging the failed attempt) but that's a whole different conversation.

I don't allow users on my system. You all have users on the website, but the worst a user on the website could do is post spam on the forum. That is, assuming there are no vulnerabilities in the software (which is why I had to upgrade to XenForo after taking over: vBulletin had a vulnerability and someone was sending spam via email on the system).

Why would someone want access to my system? A compromised system is usually used to send spam or to be a bot for other script-kiddies.
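The pattern in the log above (one source address, a failed root password every few seconds) is easy to flag mechanically. The following added example, which is not part of the original post, parses sshd "Failed password" lines in that format and reports sources that reach a threshold inside a sliding window; the threshold, window, year and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the auth-log format shown above; the hostname field is optional
# because the posted lines have it stripped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?sshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2023):
    """Return {ip: {"peak": n, "users": set}} for sources reaching the threshold.

    Assumptions: chronological input; year supplied (syslog stamps have none).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated messages
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            hit = flagged.setdefault(m["ip"], {"peak": 0, "users": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["users"].add(m["user"])
    return flagged

# Constructed sample lines (documentation-range addresses, not from the post).
SAMPLE_LOG = """\
Aug  8 02:10:03 web01 sshd[1990]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Aug  8 02:15:17  sshd[2001]: Failed password for root from 203.0.113.7 port 56204 ssh2
Aug  8 02:15:22  sshd[2002]: Failed password for root from 203.0.113.7 port 57538 ssh2
Aug  8 02:15:27  sshd[2003]: Failed password for root from 203.0.113.7 port 58932 ssh2
Aug  8 02:15:30 web01 sshd[2004]: Accepted publickey for deploy from 192.0.2.10 port 51515 ssh2
Aug  8 02:15:31  sshd[2005]: Failed password for root from 203.0.113.7 port 59916 ssh2
Aug  8 02:15:36  sshd[2006]: Failed password for root from 203.0.113.7 port 32994 ssh2
Aug  8 02:15:42  sshd[2007]: Failed password for root from 203.0.113.7 port 34392 ssh2
Aug  8 02:20:41 web01 sshd[2020]: Failed password for invalid user admin from 198.51.100.23 port 40388 ssh2
""".splitlines()

def run_demo():
    return find_bruteforce(SAMPLE_LOG)
```

The two widely spaced failures from the second address stay below the threshold, so only the rapid root guessing is reported.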
 

GAD

BTW "script kiddie" is a well-known term in IT security. It's a sort of derogatory term for someone who has no real hacking skills of their own and just uses scripts and lists to break into systems where they don't belong.

Script kiddies are dangerous, but they are a symptom of a world where password hygiene is weak.
 

GAD

Oh, and as a rant (Sorry @chazmo it belongs here :) ) all modern password security schemes are crap. This comic sums it up nicely:

1691477191729.png

That was published in 2011, and in the 12 years since I have had this conversation with multiple IT managers, directors, and even CEOs. None of them gave a damn.
 

walrus

Reverential Member
Gold Supporting
Joined
Dec 23, 2006
Messages
24,031
Reaction score
8,115
Location
Massachusetts
Great posts, GAD! SO different from the "old days"...

walrus
 

GuildFS4612CE

Senior Member
Joined
Apr 18, 2007
Messages
3,362
Reaction score
496
Thank you so much GAD...I lack your extensive technical knowledge and vocabulary...just have a logical brain...at least I did recognize it WAS a big problem...just not how huge.

Love the comic...the last panel even demonstrates the old visual assistance trick for memory recall...and I can just see it sailing right over the heads of all the 'engineers' you mention...that's the trouble with people going to school to LEARN to be Engineers...you're either born with an ambidextrous brain wired to think like a true engineer...take two entirely unrelated concepts and create a new one...or it's a waste of time...and it's the timewasters who are hired to design the world...see the safety humor/humour thread.

I was born with the brain...it is not exclusive to men...but the doors to use that path were closed to me...don't ask...a lot of potential talent in the world is wasted...think how much further advanced we all might be...😉

That's the end of my rant. 😌
 

GAD

I will say that real tools where you have to make a security key (making private keys in PGP as an example) allow you to use a security phrase instead of a password, which is infinitely better than a password (see comic above).

The security keys used in Crypto are terrifically secure, but they don't allow the end user to pick the words and thus you end up with strings like this:

timber, sword, where, noodle, joy, eagle, admit, tuna, vibrant, museum, gossip, river

Who's going to remember that? Nobody, so what do people do after being warned repeatedly not to? They write the words down in a document and save them to the cloud where they're "safe". Or they write them on a notecard and put them in a drawer.

At least once a week I see someone on social media who was "hacked" only to discover that they stored their key phrase in the cloud "but just that once".

Imagine if you could make your own phrase?

ltg, is, the, best, website, because, guild, makes, the, best, guitars, period

Which one of those lists would you remember? When making a PGP or SSH key pair I can use the second one.

To be fair, the crypto keys are words from a list of words that represent numbers blah blah blah, but my point is that the greatest security in the world will always - ALWAYS - be compromised by humans. Humans, as a whole, are lazy, dumb, impatient, undisciplined, and when it comes to security, uninterested. Humans are always the problem.

Did you know that ATM codes are four digits because the inventor's wife simply could not remember six? That's in no way a knock on that guy's wife. This is a human-wide problem.

A good friend who has spent most of his professional life as a Unix Admin once told me that "Security's job is to prevent me from doing mine." This was after I told him that my firewalls would be breaking the connections to his 60+ ultra-secure servers every 24 hours. This is a super smart guy and he was pissed at me for making him have to log into his own servers (for which he was responsible for security no less!) every day. He had it set up so that all he had to do was enter the password on his one machine and then all the root windows would be immediately available. Woof! I still make fun of him for that to this day. And he still tells me the same thing. :)

Security is a balance between convenience and paranoia. Convenience almost always wins.
 

crank

Senior Member
Joined
Mar 26, 2009
Messages
1,248
Reaction score
888
These days everyone seems to be going a step further security-wise with multi factor authentication.
 

GAD

These days everyone seems to be going a step further security-wise with multi factor authentication.

Multi-factor is awesome and encouraged. You can even use it here!

Using SMS like most banks seem to use is better than nothing but it's not as good as using a proper 2FA solution because SIM cloning renders SMS insecure. To be fair that's relatively uncommon, but just remember that if someone claiming to be from your phone company calls you and then asks for this information, it's almost certainly an attempt by someone to steal that info.
 

Curlington

Member
Joined
Nov 17, 2010
Messages
407
Reaction score
109
Location
Delmarva peninsula, USA
Please let me know if this is a correct summary of the cartoon: The length of the password is more important than making it gibberish with special characters (assuming of course you keep the phrase very secure and not use or store it elsewhere.)

If my understanding is correct, it is super helpful info. Thank you!
 

GAD

Please let me know if this is a correct summary of the cartoon: The length of the password is more important than making it gibberish with special characters (assuming of course you keep the phrase very secure and not use or store it elsewhere.)

If my understanding is correct, it is super helpful info. Thank you!

The length, yes, but the point of it is that using real words in a phrase is FAR more secure than modern passwords and they’re easier for people to remember.

When people can’t remember things they write them down.
 