Are all Hacks really Sophisticated?

“A sophisticated hack demolished security defences. With a shattered target a global technology giant.” – ABC, on the Sony hack.

“Hackers hit IMF with ‘sophisticated cyberattack’, reports claim.” – NakedSecurity, on the IMF hack.

“EMC: RSA SecurID info swiped via sophisticated hack attack.” – InfoWorld.com, on the RSA SecurID hack.

“Gmail attack shows growing cybercrime sophistication.” – CNN, on recent Gmail attacks.

If recent news headlines are to be believed, all hacks are sophisticated. But is that really the case?

Let’s look at the recent Gmail attack. Last week it was reported that hundreds of Gmail accounts had been hacked, many of which belonged to government officials. This was done, no doubt, by sophisticated hackers using sophisticated methods. But was it really? When security analysts began investigating the incident, it was determined that all the accounts had been compromised by “advanced spearphishing attacks.” That’s a delicate way of saying, “the bad guys tricked these people into handing over their passwords.”

“Phishing” is a lot like fishing (except the “f” has been replaced with “ph”, a long-standing hacker tradition that dates back to “phreaking”, where the “ph” stood for “phone”). When fishing, a fisherman casts out his line repeatedly, trying to hook a fish. Phishing is the same concept, except the fisherman is a hacker, his line is e-mail, and the fish are you and me. Scummy scammers send out millions of e-mails a day (perhaps you’ve received one?), promising us millions of dollars if only we will give them our bank account information so they can deposit the cash there. What nice guys! The key to this analogy is that neither the fisherman nor the hacker cares which specific fish they catch. As long as they catch one, they’ll eat tonight.

Spearfishing is different. Spearfishers use sharpened sticks to target a single fish. Spearphishing is the same; hackers target specific individuals or groups with specialized attacks. Spearphishing attacks require at least some rudimentary knowledge about the target, but can be much more successful. Most people are more likely to click on an e-mail attachment if it appears to have come from someone they know, or from the company they work for.

As you can probably deduce from my tone, these types of attacks are not particularly sophisticated.

Most of the hacks that expose internal user accounts — names, passwords, etc. — are done through SQL Injections. SQL Injections are attacks that trick the language that web servers use to talk to databases into returning more data than they should. (I explained them as simply as I could in this post.) But are SQL Injection attacks sophisticated? I guess it depends on who you ask.

Sometimes at work I am asked to perform security scans of websites. I do these scans using a COTS (Commercial Off The Shelf) program that we bought — one that you could buy, too. I probably shouldn’t say which one, but it’s on this list of the top 10 Web Vulnerability scanners. (Note that some of the scanners on that list are free.) I point my scanner at a website, tweak a few settings, and press “go”. Then I go down to Java City, the coffee shop located down the hallway from where I work, and order a skinny vanilla latte from Dee. I drink the latte, go back to my desk, and check the results. If the website was vulnerable to SQL injection attacks, the report tells me.

Doesn’t seem very sophisticated to me.
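The SQL injection described above, as an added example that is not part of the original post: a lookup that pastes user input into the query text, beside the parameterized version that keeps input as data. The table, names and inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; not taken from any real database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]

def make_db():
    """Build an in-memory users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db

def lookup_vulnerable(db, name):
    # The input is pasted into the SQL text, so a quote in it ends the
    # string literal and whatever follows is parsed as SQL.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # The ? placeholder sends the input as a value, never as SQL syntax.
    query = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    results = {
        "vulnerable_rows": len(lookup_vulnerable(db, crafted)),
        "safe_rows": len(lookup_safe(db, crafted)),
        "safe_obrien": lookup_safe(db, "O'Brien"),
    }
    try:
        lookup_vulnerable(db, "O'Brien")
        results["vulnerable_obrien"] = "ok"
    except sqlite3.OperationalError:
        # A legitimate apostrophe is enough to break the concatenated query.
        results["vulnerable_obrien"] = "syntax error"
    return results

if __name__ == "__main__":
    print(demo())
```

The concatenated lookup returns every row for the crafted input and fails outright on a real name with an apostrophe; the parameterized lookup returns nothing for the first and the correct row for the second.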

Look, nobody wants to see their company’s name associated with a headline that reads, “Careless Employee Clicks Fake Link, Sends E-Mail Password to Chinese Hackers”. We, the average members of society, would like to think that it would take hackers more than just banging away at a web server with some free software to retrieve our bank account password. The truth of the matter is, sometimes that’s all it takes. “Sophisticated” is just a term that helps security professionals save face.

Historically speaking, banks have pretty good security measures in place. Other websites, like entertainment websites, often don’t. In one of LulzSecurity’s recent romps through Sony’s servers, the group obtained and released a copy of Sony’s “Summer Restless Beauty Sweepstakes” users. The database contains thousands of e-mail addresses and passwords. Which brings me to my next point:

IF YOU ONLY LEARN ONE THING FROM ME, FOR THE LOVE OF GOD, DO NOT USE THE SAME PASSWORD FOR DIFFERENT WEBSITES OR APPLICATIONS.

I’ve done it, you’ve done it, we’ve all done it, but we’ve got to stop doing it. If any of the people who entered that Sony contest used the same password for their e-mail, or Facebook, or MySpace, or whatever … the whole world has seen it. And if they used it on their bank accounts … oof!

There are sophisticated hacks out there. There are bad people out there who are working to crack the latest methods of encryption and launch attacks at secure government strongholds. Odds are, you’ll never encounter these guys. Instead, as an end user, you’ll most likely encounter phishing attacks, and you may be affected by the hacking of a service you use.

One final thought: just because an attack isn’t sophisticated doesn’t mean it’s not damaging. As anyone who has had their identity stolen can verify, it doesn’t matter much how it was stolen.
