This was originally posted on a website I was developing over a year ago called Keenotes.
The television news reporter is talking about cyberwar. An email just arrived in your inbox from Acme Generic Social Media Website with the bad news: They've been hacked and everyone's password has been compromised. You shake your head and log onto Facebook, where your sister appears to be spamming your news feed with links to grotesque images and commanding family members to commit suicide. Before you can do anything, Windows experiences a famous "Blue Screen of Death"—that was the second time today, so you probably have a malware infection. You think to yourself, "The internet is a scary place; those hackers are so clever and malicious. Is anything safe?"
Computer hackers are a misunderstood bunch; even the definition of the word "hacker" is widely disputed and misunderstood. Throughout this article, I will be using the term "hacker" to refer to people who break into (or even completely bypass) computer systems, for the sake of compatibility with everyday speech. If it pleases the judge/jury/executioner who will inevitably read this article and throw a fit about my word choice, at the end I offer a simple, fair, and satisfying definition of hacker that, in my opinion, should satisfy both sides of that pointless bickering so everyone can move on to more important issues.
The entire basis of this article consists of personal experience defending computer systems from hackers, conversations with various members of the information security industry, and other personal experience. If you take issue with the logic or a definition, feel free to post a comment below, but attempts to tell me that my experiences are wrong will be ignored because such arguments are unresolvable.
Why Do People Get Hacked?
It's impossible to know the exact reason why a particular computer hacker does what they do, or why they target the people they do (unless they release a public statement); however, there are two particularly common reasons why people get hacked.
"No, Windows, I don't want to update my computer."
"Shut up, Java, I'll do it later."
The number one reason why people get hacked is their own negligence and carelessness, from the gamer who doesn't want to apply critical security updates to the system administrator who doesn't want to upgrade the CMS used on their websites. Sure, you think you can put it off until tomorrow, but if a hacker's going to strike, they're not going to wait and see if you patch.
When a vulnerability is found in a software product that could allow a hacker to break into the computer system that uses that product, the vendor is usually notified and they release a patch as soon as they can to prevent their customers from becoming victims (unless they're ZPanel). When an update is released that fixes a security hole, any hacker interested in exploiting that software product is therefore informed of the existence of the security hole in previous versions.
For example, let's say I found a way to trick Internet Explorer into silently running any arbitrary .exe program (Command Prompt, PowerShell, some other file of my choosing) and reported it to Microsoft. They would investigate the issue (probably based on my report), verify it, fix it, and schedule the patch to be released next Tuesday. If I'm a nice guy, I'll wait until the week after the patch is released to publicly announce that the vulnerability existed in the first place. So logically, you would have up to one week after Windows Update first notified you of this update to download and install it before any hacker in the world could use it to hack your computer. (Many computer researchers aren't nice enough to give you a week!)
Practice and theory rarely share common ground. If most of you reading this opened Start > Control Panel > Small Icons or Large Icons > Windows Update, you would find several important (and perhaps some optional) updates waiting for you to install. Some of you will even see the ever-dreaded "Updates were installed: Never", which means every evil trick in the book will work on your machine.
Windows isn't the only thing that needs to be maintained. You should also take care to keep your browser (Mozilla Firefox, Internet Explorer, Apple Safari, Google Chrome) up to date, as well as all of the plugins you enabled (Java, Flash, QuickTime) and any other software you use every day (Adobe Reader, for example).
The rest of you will probably say, "No, my computer is fully up-to-date. No negligence here!" And while you should applaud yourselves for being ahead of your peers, there are other forms of negligence you are probably guilty of that could lead to getting hacked.
These include:
- Using passwords that a computer hacker could guess without much time or effort
- Using the same password for multiple websites
- Clicking on advertisements, email attachments, etc. that you shouldn't ever trust
- Leaving your computer powered on, unencrypted, and unlocked when you walk away from it
- Trusting people you don't know with information, especially if it seems harmless
The absolute number one reason you will probably ever get hacked is quite simply that you are negligent. But you aren't alone: Many website developers, system administrators, and even other hackers are negligent too. We're all human, but being less negligent means incurring less risk.
"Nobody can ever hack me. My computer is a veritable fortress; I am invincible. A god amongst men!"—How many computer professionals sound to the people that hack them.
Even if you are meticulous with your updates, you will eventually make a mistake. And when that time comes, the biggest deciding factor in whether or not you get hacked is how arrogant you are. This is a critical factor for two reasons:
- Most hackers love to smash enormous egos, so you open yourself to challenges from more skillful attackers by being arrogant.
- Being arrogant means you over-estimate your defenses and under-estimate the capabilities of potential attackers.
Arrogance takes many forms. The best example of arrogance I've personally encountered was when someone told me, "I don't need to update my software, I have a web application firewall."
Being confident is good; arrogance is bad. What's the difference? A wise friend once told me, "Confidence is assessing and understanding the cards in your hand and the strategies you can employ with what you have. Arrogance is assuming that yours is the best hand at the table."
How Can I Be Safe Online?
If it wasn't obvious enough in the above section, I'll state it clearly here: The reason most people get hacked is their own fault. Either they were negligent and careless, or they were arrogant and eventually made a mistake. The cleverness of the hacker is not a significant factor in these cases. More often than not, computer intrusions are opportunistic; you are just a number. "Hey, 220.127.116.11 has outdated software that lets me execute remote PHP code," or, "Wow, their admin password is 'password'." Being proactive and eliminating negligent habits is the best defense you can have.
That isn't to say that there aren't skilled hackers out there in the world, perhaps working for a nation state, who might be willing to hack into your computer system. However, these people usually have a detailed understanding of cost and risk: Why waste a valuable 0day (software vulnerability that the software vendor has not patched and in many cases does not know about) on Ethel's Flower Shop (thus risking its discovery) without a good motive? If you aren't already a target, shutting your mouth and not being arrogant is the best way to stay out of their sights.
Someone might ask, "What about black-hats who hack websites to try to steal social security numbers and/or credit cards?" See the section above about negligence. "What about hacktivism?" If you're a skilled hacktivist's target, then either you are guilty of arrogance or you were a target to begin with, in which case only being a skilled security professional can possibly (not definitely) save you from what's coming.
In closing, being informed and responsible while displaying basic humility and respect is more valuable to your security than any firewall or antivirus product. (You should still use them though.)
How Can I Better Understand Hackers?
If you have the time, you should consider learning the history (an article I may write another time): from Captain Crunch and the phone phreaks; to the early UNIX hacking days and the inception of hacker zines (2600, Phrack, et al.); to the GNU movement and the Free Software Foundation; to the legal battles over the export controls on cryptography in the 1990s; to the explosive rise and gradual decline of the Anti-Security Movement (a decentralized protest of security researchers who publicly disclosed exploit code instead of just a vulnerability advisory, which led to the overpopulation of unskilled computer intruders called "Script Kiddies"); and to the history of Anonymous.
But if you don't have the time for such an endeavor, it would be great if you would at least consider defining the word "hacker" the way that I have: A hacker is any person who employs (especially technological) ingenuity to solve a problem. When programmers were outraged by the lack of a free alternative to UNIX, they pooled their skills and resources together and created GNU. When Dan Kaminsky was playing the news media to over-hype a story about what turned out to be a well-known DNS issue, a group of hackers broke into his computer system and exposed his secrets to the world, decrying his status as a trustworthy information security expert. In both cases, they were employing their technical skills to solve a perceived problem. Their approach is the only significant difference.
Hackers are people who solve problems, whether for good or bad. A common misconception is that hackers are only people who break into computers, but any idiot can download Backtrack and exploit another person's negligence for their own gain. Skilled programmers contest calling these people hackers (insisting on the label "crackers" instead), claiming correctly that the word originally meant, "A skilled programmer." However, language evolves. Like it or not, people will call computer intruders "hackers" for the rest of the foreseeable future. I only hope that people will read this article and realize the word means so much more than criminality, and hopefully come to see that many (if not most) computer criminals do not deserve the title; but many still do.