INTRODUCTION: HACKING AND SOCIETY
Nearly ubiquitous in today’s online culture, “hacking” has generally reclaimed the benign spirit the word once held in the early days of electronics, throwing off the more nefarious meaning it held throughout the tail end of the twentieth century.1 The word “lifehacks”—a technique for accomplishing a familiar task more easily and efficiently2—was added to the Oxford dictionary in 2011, and embodies the culture of creative thinking and efficient problem solving that was pervasive in the origins of computer-based hacking.3
In the 1960s, students and researchers at Massachusetts Institute of Technology (MIT) gained the moniker of “hackers” as they developed technology that improved the operation of software and hardware in the early days of computers.4 Early hackers created “patches” to resolve various errors of code in programs and shared them.5 It was perceived as a challenge to dive into complicated programs and try to find creative solutions to the problems of the era.6 While the creative origins of hacking were positive, it is difficult to ignore the presence of malicious intents held by many in the modern hacking community.
Today’s malicious hackers seek something far different than greater operating system efficiencies. Instead, they seek to profit or gain notoriety by breaching personal or institutional systems. The original goals of hacking—to advance computing and networking for the challenge of it—fell to the wayside as some hackers searched for ways to illicitly gain from their skills.
In the modern world of hacking, some individual hackers organize to achieve their goals. Groups such as Anonymous, an online activist hacking group, attempt to reach the public and seek political influence through online attacks.7 Others, such as the Lizard Squad, seek notoriety by disrupting the online services of Microsoft and Sony to impact millions of users.8 While such online personas can benefit groups seeking publicity, many hacker groups keep a lower profile and instead seek personal profit through their actions.
The goals of hacking generally fall into one of three categories: (1) procuring information and access, (2) disrupting computer activity, or (3) permanently destroying data, software, or hardware in attacks. Two possible methods of attack are (1) taking advantage of coding vulnerabilities in software that have yet to be patched by developers, or (2) using less sophisticated methods of phishing to take valuable information from users. Defending against hacking attempts can be done in a number of ways that include: (1) preventing threats before they occur, (2) scanning computers with the intent to delete and remove threats, and (3) maintaining effective response protocol in the event of a breach to minimize the harm.
GOALS OF HACKING
Procurement of Information and Access
Hackers have a variety of goals, but the majority act at a localized level, trying to obtain personal data and information about individuals.9 Many consumers in the United States own numerous electronic devices, which store personal information such as addresses, credit card numbers, passwords, and even social security numbers. Malicious attacks on personal computers seek to gain access to sensitive or identifying information and benefit thieves. Criminals can then sell access to compromised credit cards on the “dark web”—websites hidden from general web browsers—for around $10 to $20 worth of virtual currency.10 Sophisticated hackers can automate and easily scale their attacks through a single program or “exploit kit” to infiltrate hundreds or thousands of vulnerable computers.11 These exploit kits can be sold or shared online to create widespread attacks on personal computers.12
On a larger scale, corporate data is also a particularly valuable source of information for hackers.13 Whether the goal of the hacker is corporate espionage or an attempt to gain leverage over a powerful business, there is a significant draw to infiltrating the much more complex security systems of large corporations with the chance of a large payoff. For example, by gaining access to the inner networks of a company like Equifax, hackers collected personal data from 143 million American consumers in a single attack.14 Another vein of corporate hacking is one that seeks to damage the reputation of a company—such as the 2014 breach of Sony that resulted in a public-relations nightmare.15 The leak revealed executive compensation and racially insensitive emails, all seemingly in response to the studio’s promotion of The Interview, a film based on the fictional assassination of the North Korean leader Kim Jong-un.16
Hackers may also take control of computer systems in order to ransom back that control to the rightful owners. Hackers can then capitalize on the importance of information to the company instead of being limited to the value of its information to the public.17 The overwhelming impact of “ransomware” was felt across the country in May 2017, when over 300,000 computers were infected by the WannaCry attack, which sought $300 per computer to restore normal access.18 In a more targeted attack, the recent 2017 hacks of HBO highlight an instance of hackers hoping to profit from extorting a high-profile media company by threatening to leak its popular series, Game of Thrones.19
The most powerful players in cyber-security are governments, who seek to procure intelligence for their national security. Many nations with active cyber programs have massive budgets and identifiable intelligence interests and often draw blame for serious hacking attacks.20 While it is nearly impossible to determine the precise origin of a hack, forensic analysis often can point to potential locations of origin based on factors such as the language of the keyboard used to write the code.21 Governments such as Russia, China, and North Korea are often put in the spotlight when trying to attribute blame following a leak, but sophisticated players can attempt to mask their involvement by deliberately using servers in another country.22
Disruption of Service
Some hacker groups are more likely to pursue disruption of service instead of going to the lengths of infiltrating a network for personal data. The barrier to launch a disruptive attack is much lower than that of persistent intrusion and data collection. For example, a common disruptive attack, a Distributed Denial of Service (DDoS), overwhelms targeted networks with traffic from infected computers.23 A network of infected computers, commonly referred to as a “botnet,” can cost as little as $150 per week and can be used to overwhelm a target, making the victim service unavailable for normal access.24
Alternatively, hacker groups may seek to promote political agendas by defacing a website’s visual appearance by altering the underlying code. By defacing a website through this form of online graffiti, hackers can tarnish reputations of companies or attempt to gain a platform to distribute their ideas.25 These attacks often utilize “SQL injection,” taking advantage of the code used to communicate with servers (SQL) to gain access to administrative accounts that hackers can then use to manipulate a page.26 While these attacks are generally viewed as harmless and can generally be resolved quickly and easily, they may cover up other nefarious actions on the part of a hacker such as uploading malware to a breached server.27
While disruptive and intrusive attacks undoubtedly result in headaches and financial loss for those impacted, attacks aimed at destruction pose the most serious threats to businesses. In 2013, over 30,000 computers in South Korea found their hard drives completely wiped following a coordinated attack on the financial and broadcasting sectors of the country.28 These attacks were estimated to cost South Korea over $600,000,000 in economic damage and were likely perpetrated by combative nations.29
The destructive impact of cyber-attacks extends beyond the memory and software of computer systems; the hardware of the infected computers may also be impacted. In 2010, Iran’s Natanz nuclear facility was compromised by the Stuxnet virus.30 Stuxnet destroyed 984 uranium-enriching centrifuges and the plant’s operational efficiency was reduced by 30%.31 While countries may benefit from acquiring data and information from their targets, destructive cyber warfare is increasingly becoming an avenue to gain power on a global stage.
METHODS OF ATTACKS
Exploiting Software Vulnerabilities
With the standardization of tools to prevent cyberattacks, hackers have developed methods to circumvent traditional protections and to exploit software vulnerabilities. The impact of software vulnerabilities can best be seen through “zero-day” exploits. The zero-day refers to attacks on software generally made before a developer is aware of the exploit—the developer has “zero days” to respond to the vulnerability.32 For example, in 2013, Oracle’s Java went through a series of recurring zero-days as the developer continuously pushed out patches trying to resolve software vulnerabilities being exploited by malware exploit kits such as BlackHole.33 Especially after an exploit is announced, unpatched software is vulnerable to attacks; even effective responses by developers are regularly undermined by unresponsive clients and users, who may not expeditiously install patches. On average, discovered zero-day vulnerabilities are estimated to persist for ten months as users continue to use outdated software and remain at risk for further infection.34
While potential software vulnerabilities are one avenue for access, hackers also manipulate users to unintentionally grant access to personal networks. Users are often described as the weakest link in the chain, and hackers have identified unknowing users as easy targets for gaining access to computers. This technique, known as “phishing” is used by hackers to manipulate users into unintentionally granting access to the user’s accounts.35 Often crude, phishing attempts may be distributed through links in an otherwise innocuous email in an attempt to convince a user to divulge private information such as usernames, passwords, data, or social security numbers.36 More sophisticated methods may involve directing users to a link which installs malware directly onto a computer, subverting traditional firewall protections.37
Highly sophisticated methods of phishing—“spear phishing”— target specific users or businesses to gain high-level access to their company’s particular networks.38 Spear phishing often targets specific individuals and relies on the appearance of legitimacy to carry out attacks. These attacks often involve “spoofing” an email to make it appear as if it comes from a trusted colleague and are usually presented in a manner that an average user will believe is legitimate.39 Following this mold, sophisticated hackers have successfully posed as CEOs using convincing emails to entice lower-level employees to respond with sensitive information.40
Regardless of the means hackers use to penetrate the defenses of a computer or network to gain illicit access, vulnerabilities will continue to persist so long as software can be exploited and humans can be misled. Nevertheless, systematic prevention methods are important as a first line of defense.
METHODS OF DEFENSE
The information security (IS) industry revolves around developing software to protect networks from attacks and managing the risk of future harmful developments.41 There is no one-size-fits-all solution that protects every computer, and future vulnerabilities are inevitable.42 IS teams use every method suitable to their businesses, but many companies cannot afford to implement every defensive method available and create tailored protection for their own devices. Careful planning is necessary to maximize the effectiveness of a business’ defense.
Methods that prevent access are some of the most effective ways to secure networks. Modern computer firewalls provide relatively reliable sources of protection from outside traffic that may be dangerous to a computer system. Modern computers have firewalls that prevent outside sources from establishing direct connections with a computer without express permissions and are one of the most important security tools available.43 By blocking unwanted access to a computer, firewalls ensure that hackers have a more difficult time penetrating a system’s defenses.
The incident at NBC also demonstrates shortcomings in another popular security tool: blacklisting. Blacklisting compiles a comprehensive list of malicious websites that users will be unable to access due to security risks present on the sites themselves. This task is effectively impossible when new websites are created by the minute, and even a trusted website may be safe one day and malicious the next.
Whitelisting—creating lists of trusted, rather than malicious, sites45—may be more effective at keeping out unwanted intruders, but may also be operationally impossible for companies with thousands of computers requiring access to a variety of websites and applications.46 An alternative to compiling a personal whitelist may be to trust a security firm to generate a comprehensive whitelist, but this moves the security concern upstream and away from the computer’s owner. There can also be larger detrimental impacts if a security firm itself is hacked. For example, in 2013, Bit9’s—a whitelisting security firm—was compromised by malware within its own network.47 The intrusion resulted in malicious applications being granted access to Bit9’s clients, creating significant risks for users that relied upon its security services.48
Although it may seem regressive in the modern era of the “Internet of Things,” where increasingly every device is connected and communicating, one of the most effective protections is disconnecting sensitive computers from the Internet.49 With no Internet access, this method effectively removes the risk of phishing attempts via email and the risk of software vulnerabilities being exploited via the Internet. However, with many protective patches distributed via the Internet, systems wholly disconnected—“air-gapped”—may be particularly susceptible to long-standing and well-known vulnerabilities.50 The Stuxnet virus was delivered to an air-gapped Iranian facility on a USB thumb to a computer disconnected from the Internet.51 Designing an infrastructure for protection must balance the necessity of Internet access with maintaining adequate protection for computer devices.
Anti-virus (AV) services protect computer networks by scanning devices for known malicious applications and those that have distinct signatures similar to existing malware.52 While still an important component in a protection service, AV software is unable to protect users from the unknown.53 Sophisticated hackers can utilize their knowledge of existing and prominent AV providers to test their malware before distribution to ensure it will not be caught by existing filters.54 When the New York Times was targeted by Chinese hackers in 2013, its AV provider, was unable to fend off the intrusion due to the customized malware designed to defeat its services.55 Although many users view AV as their shield for protection on the Internet, it has never been and can never be a permanent security solution in its current form.
Maintaining Response Protocol
Many companies inevitably realize their current protections will be inadequate against future waves of hackers. The largest data breach in history was disclosed in 2016 when Yahoo! admitted that all 3 billion of its accounts were compromised.56 Then, in 2017, Equifax disclosed a breach that impacted the credit information of 143 million Americans.57 When large, sophisticated software businesses and security firms can be breached, effective response protocols are necessary to minimize and contain the effects of unwanted access.
Communication is key to ensure the safety of computer networks everywhere. AV services rely upon maintaining effective lists of malicious applications and must be informed when new malware is discovered in order to protect existing customers.58 Many malware exploits take advantage of zero-day software vulnerabilities, and developers must know when a breach has occurred to determine an effective patch. Communication to end users is equally important because many are not as sophisticated and are unlikely to know when they should disable a vulnerable application plugin or update their software.
The U.S. government is equally limited in its ability to prevent cyberattacks and create regulatory solutions to existing problems. Many actions of cyber criminals are already illegal, and detection is a limiting factor in prevention. The government is often limited to disclosing only suspected perpetrators. Furthermore, its responses are often limited to patching and resolving existing vulnerabilities. While regulations require public companies with sensitive information—such as banks—to comply with certain minimum security standards, constantly evolving attacks show that mere compliance is not enough.59 Cybersecurity is a growing and complicated field that will take both technological and political forces to influence change and protect computer systems from malicious attacks in the future.