Why hack?

There are lots of different reasons:

  • Governments hack other governments to find out what other countries are doing. Perhaps they can use the information in trade negotiations or for military purposes
  • Governments can also hack local or foreign companies because they want the company secrets: to make their own products that are better in some way, or because they want information about some of the company's customers (eg their location, photos, private documents)
  • Criminal gangs like to make money. Bank robberies in the old days used to involve going to a bank branch with guns. Now you can steal money from a bank with computers from the comfort of your own home. Stealing money from personal or company bank accounts, credit card information, top-up vouchers is also easy if you have the right tools and know how. They also like to copy data and sell it to others who might be interested: competitors, for blackmail, or sexy pictures on porn sites. Ransomware is software that encrypts all the files on your computer. You have to pay the gang money to get all your data back.
  • "Religious" groups have strong opinions about who should be allowed to do what. If they don't like you, they may try to deface or disable your systems to make your work harder. They might steal your data to find out what you are doing so they can stop you. They might steal your money so you can't carry on. Or they might put monitoring software on your devices so they can see what you are doing any time they want
  • Individuals hack for many reasons: they are bored, they like to see stuff burn, they have something to prove or want to be famous, they don't like you for some reason. Or sometimes they are just exploring: they are curious and like to know how stuff works by seeing how stuff breaks. You are just the unlucky person who got in the way. A few people like to build up collections of hacked devices (botnets) and use them for mining crypto currency or making denial of service attacks. They make money by renting their botnet out to other people.

It is like a cloud of mosquitoes outside your tent when you are camping. There are thousands all tapping and bumping to find the smallest gap so they can wiggle in and feed on you. No matter how good the rest of your tent is, if there is one tiny gap, that is enough.

Hackers often use automated tools to find these holes: when a new hole is found, it will be quickly added to a toolkit that knows about many similar holes. This is used to scan large parts of the internet to see what they can find. It can sometimes be a race, with different groups competing to hack the same piece of software or hardware so they can use it for their own purposes.

How do they get in?

Software is complicated. There are layers and layers of components that must all work together. What looks simple on the outside can be made from hundreds of pieces each built by different people, and usually relies on a complicated collection of other systems to make it go. New versions are released all the time. It is easy to make a mistake, and it is hard to keep up with the pace of change.

A security hole in a piece of software or hardware is called Vulnerability. It may be very obvious, or it may stay hidden for years until someone finds it. People have developed tools to help them find vulnerabilities. There are thousands found every year.

If the Good Guys find a vulnerability they will tell the owner of the software and give them time to fix it. This is called Responsible Disclosure. Often they will build a Proof of Concept: a small example that shows where the hole is and how to use it. Most companies will quickly fix the problem and release a patch or software upgrade to protect their users. They may pay a Bounty or cash reward to the person who found it.

Sadly there are lots of people who want to buy vulnerabilities for their own purposes: they pay a lot of money for a hole they can use themselves without telling anyone else. An Exploit is a tool for using a vulnerability in a way that allows you do to something that should not be possible. Sometimes exploits are Chained together: you use one to make a tiny hole, the next you put in that hole to make it wider, the next to insert something that should not be there, the next to give you full access to the system so you can do whatever you want.

A Zero Day is an exploit that is being actively used to hack people or systems. The manufacture or supplier is not yet aware of it or has not released a fix. You may not know you were hacked for months or years if someone quietly and carefully uses a Zero Day exploit to get access to your systems. They can stay quiet and look around, copy your data or watch what you are doing for as long as they like.

How do I stay safe from hackers?

A few simple things will help a lot

  • Use a long strong unique password for every different thing you log in to. Use a Password Wallet to store them all, and have a good (but easy to type and memorable) password for that. Never tell anyone else your password for anything: don't email it or allow anyone else to use it.
  • Turn on two factor authentication for all services that support it. Avoid SMS / TXT versions because hackers can swap your SIM or get in to the mobile network to steal your code. Use App based two factor.
  • Keep software up to date. All of it. Not just your phone and laptop. Your wifi router, the modem from your internet service provider, printers, anything connected to the network.
  • When you get a new device, read the manual. Harden each device by changing default passwords, turn off unneeded features. Google for security tips for your laptop, phone, smart watch.
  • Avoid IoT devices like internet connected fridges, door bells, cameras, baby monitors, smart TVs.... They are often poorly designed and rarely updated. An easy entry point for hackers. If you know a bit about network security you can make these safer to use by isolating them on their own subnet and preventing them from accessing the internet
  • Avoid phishing. Don't click links or open emailed documents unless you trust the source and were expecting them. If unsure, upload the file to Google Drive and view it there

Back

Learn to Hack for a list of ways to learn more about ethical hacking.