Hacking:
Understanding It All
John Williams
INF 103: Computer Literacy
Thomas Hennefer
June 14, 2010

Abstract
As technology has grown, so has the dependence of society on its role in everyday life. Like many things, this dependence on technology comes at a risk. Hacking is the risk that members of society must face. Hackers can find any information they wish to acquire, which puts information, such as finances and personal, at great risk. In order to understand how to prevent hacking, one must first understand what is at risk to be hacked and the way in which the act is done.

Technology has become a constant part of every day life. People now manage their bank accounts, pay bills, deal with highly confidential information, and even personal information online. All these aspects of technology in daily life are a temptation to others throughout the internet. Those who find themselves tempted perform the task of hacking, which leaves others and their personal information vulnerable. This paper will discuss society’s reliance of technology in all aspects of life; thereby, leaving personal information vulnerable. Also being discussed will be information hackers find tempting, the steps that some take to hack into systems allowing them access to normally unavailable information and the steps that can be used to help prevent hacking from occurring.
Method
In the task of preventing hackers from gaining access to information that could be harmful to the individual, you must first understand what information is at risk and how hackers perform the task of hacking. In order to do this, I had to research what systems/files are at risk to be hacked and the way in which hackers perform the task of hacking. By assessing these factors, one can find the programs and actions they can take that can help protect their personal information.
Results
Vulnerability As technology had advanced, people rely on the internet to make things easier for themselves in their daily life. Everything that is electronically controlled is at risk of being hacked. Systems which can be hacked include but are not limited to: modern automobiles, bank accounts, airline systems, social networks, and even electronic voting. Surprisingly, anything electronic can be hacked, including modern automobiles. Modern automobiles are now using computer systems to monitor everything for the vehicle. This monitoring by the computer in the car can mean a lot of trouble for someone if their system becomes hacked. This puts the driver of the vehicle at great risk, being that the hacker will be able to control such functions as the brakes, engine, lights, and locks (Hall, 2010). In the event of the vehicle being hacked, the driver will be able to do nothing about the functions being controlled by the hacker.
As technology has improved, people are able to make their lives easier when concerning finances. ATMs, online banking, and bill pay are all ways in which a hacker can gain access to any financial information. Helmbreck (2010) shows results of a study done on the hacking of businesses and what the bank did as a result. * Attack Rate: 55% of businesses reported they were hit with fraud in the last year; 58% of the fraud involved online banking activities * Detection Rate: 80% of banks didn’t manage to catch the fraud before the money was moved * Loss Recovery: 87% of the time, the money was long gone and the bank couldn’t get it back * Loss reimbursement: 57% of companies that had their accounts targeted were not fully compensated by their banks; more than a quarter of the victims (25%) got no compensation at all for their losses * Customer churn: These losses and the banks’ actions both before and after the attacks caused 40% of businesses targeted to switch banks after the fact, and * Transparency: 24% of businesses said their banks didn’t provide a policy that explained the bank’s responsibilities regarding security and protection of accounts; 39% of customer businesses didn’t even know if their bank had such a policy (Helmbreck, 2010). From this study, the security of financial information of an individual is something that both the account holder and banks, themselves, need to improve. The hacking of airline systems is a huge problem. With the increase in the need for travel, airlines have become an important and necessary mode of transportation. Seeing as airlines are the quickest mode of transportation now available, millions of people rely on it. This puts millions of people at risk everyday. The article by Sarangi (2009) states that by hacking into airline systems, millions of people’s personal information becomes vulnerable. Hackers to airline systems can also temper with flight schedules (Sarangi, 2009). The article by Sarangi (2009) makes an example by stating that by someone checking their email while waiting to catch their flight using the airline’s WIFI, puts them at risk of virtually handing their information to a hacker if the security of the airline system is weak (Sarangi, 2009). This would allow the hacker to do many things including the example given by Sarangi (2009) in which a threat email is sent and the actual culprit (the hacker) is undetected and the innocent is punished. This is only one example of the many things which could happen due to inadequate security in airline systems. Social networks are becoming ever important in mass-managing social affairs. Although the hacking of a social network account does not seem threatening at first, one must think about the mass of personal information included in such networks as MySpace, Twitter, and Face book. Thought to be a safe place in which to communicate with others, people often include a lot of information that may aid hackers. The information provided through these websites may aid hackers in hacking email addresses and bank accounts. Depending on how much a person relies on technology, this flaunt of information could possibly ruin their life. “In 2006, electronic voting machines accounted for 41 percent of the tallied U.S. votes. Fifty percent were cast on paper, and 9 percent "other," including New York's lever machines” (University, 2008). As evident in the previous statement, electronic voting accounts for a major percent of votes conducted; therefore, by hacking electronic voting machines, elections can be changed (University, 2008). The article by the project conducted by Rice University (2008) is about a project assigned to a computer science class. Although the professor states that this particular project is not exactly like what would happen in reality, he states that it is a good example of what could happen (University, 2008). The project consisted of two phases: * Phase 1: “The teams pretend to be unscrupulous programmers at a voting machine company. Their task: Make subtle changes to the machines' software -- changes that will alter the election's outcome but that cannot be detected by election officials” (University, 2008). * Phase 2: “The teams are told to play the part of the election's software regulators. Their task is to certify the code submitted by another team in the first phase of the class” (University, 2008).
Through the example given above as a class project, it is hard to imagine the limit to which the process of hacking can and will stop. When dealing with elections and other governmental issues, this information poses the question of what is actually how it should be and what is the result of someone’s tampering?
Hacking
An article by Catie (2010) lists the steps to hacking. At the end of the webpage, it is stated that the misuse of this information could be a local or federal crime and the website is for informational purposes only. 1. Learn a programming language. You shouldn't limit yourself to any particular language. C is the language the systems are built in, it teaches you what's very important in hacking: how the memory really works. Python or Ruby are modern, powerful scripting languages, that can be used to automatize various tasks; Perl is a good choice in this field as well. PHP is worth learning only because it's what newbies use to "hack" poorly written web-applications (forums, blogs etc). Bash scripting is a must, that's how you can easily manipulate most servers - writing one-line scripts, which will do most of the job. Finally, you can't do much without knowledge of ASM - you *can't* exploit a program if you don't know that. 2. Use a *nix terminal for commands. Cygwin will help emulate this for Windows users. DOS is worthless in this area. The tools in this article can be found for Windows based machines. Nmap particularly, uses WinPCap to run on Windows and does not require Cygwin. However, Nmap works poorly on Windows systems due to the lack of raw sockets. You should also consider using Linux or BSD, which are both more flexible, more reliable, and more secure. Most Linux distributions come with many useful tools pre-installed. 3. Try securing your machine first. Make sure you fully understood all common techniques, including the way to protect yourself. Start with basics - found a server which has site about racism, homophobia or other bad activities? Try to hack it, any way you can. Yet again, don't change the site, just make it yours. 4. Know your target. The process of gathering information about your target is known as 'enumeration'. Can you reach the remote system? You can use the ping utility (which is included in most operating systems) to see if the target is 'alive', however, you can not always trust the results of the ping utility, as it relies on the ICMP protocol, which can be easily shut off by paranoid system administrators. 5. Determine the operating system (OS). This is important because how can you gain access to a system if you don't know what the system is? This step involves running a scan of the ports. Try pOf, or nmap to run a port scan. This will show you the ports that are open on the machine, the OS, and can even tell you what type of firewall or router they are using so you can plan a course of action. You can activate OS detection in nmap by using the -O switch. 6. Find some path or open port in the system. Common ports such as FTP (21) and HTTP (80) are often well protected, and possibly only vulnerable to exploits yet to be discovered. Try other TCP and UDP ports that may have been forgotten, such as Telnet and various UDP ports left open for LAN gaming. An open port 22 is usually evidence of an SSH (secure shell) service running on the target, which can sometimes be brute forced. 7. Crack the password or authentication process. There are several methods for cracking a password, including brute force. Using brute force on a password is an effort to try every possible password contained within a pre-defined dictionary of brute force software. Users are often discouraged from using weak passwords, so brute force may take a lot of time. These days there are major improvements in brute-force techniques. Most hashing algorithms are found weak, and you can significally improve the cracking speed by exploiting these weaknesses (like you can cut the MD5 algorithm in 1/4, which will give huge speed boost). Also new techniques use graphic card like the processor - and it's thousands times faster. You may try using Rainbow Tables for fastest password cracking. Notice that password cracking is good technique only if you already got the hash of password. Trying every possible password while logging to remote machine is not a good idea, as it's easily detected by intrusion detection systems, pollute system logs and may take years to complete. It's often much easier to find other way into system, than cracking password. 8. Get super user (root) privileges. Try to get root privileges if targeting a *nix machine, or administrator privileges if taking Windows systems. Most information that will be of vital interest is protected and you need a certain level of authentication to get it. To see all the files on a computer you need super user privileges. This is a user account that is given the same privileges as the "root" user in Linux and BSD operating systems. For routers this is the "admin" account by default (unless it has been changed), for Windows, this is the Administrator account, etc. Just because you have gained access to a connection doesn't mean you can access everything. Only a super user, the administrator account, or the root account can do this. 9. Use various tricks. Often to gain super user status you have use tactics such as creating a "buffer overflow", which is basically causing the memory to dump and allowing you to inject a code or perform a task at a higher level then you're normally authorized. In unix-like systems this will happen if the bugged software has setuid bit set, so program will be executed as different user (superuser for example). Only writing or finding an insecure program that you can execute on their machine will allow you to do this. 10. Create a backdoor. Once you have gained full control over a machine, it's best to make sure you can come back again. This can be done by 'backdooring' an important system service, such as the SSH server. However your backdoor may be removed upon the next system upgrade - really experienced hackers would backdoor the compiler itself, so every compiled software would be a potential way to come back. 11. Cover your tracks. Never ever let the administrator know that the system is compromised. Do not change the website (if any), do not create more files than you really need. Do not create any additional users. Act as fast as possible. If you patched a server like SSHD, make sure it has your secret password hard-coded. If someone tries to login with this password, server should let him in, but shouldn't tell syslog about it (Catie, 2010).

Through exploring the steps in which a hacker uses, it makes understanding the process more important in helping to prevent the event from occurring. Prevention Hacking is a problem that can never be fully prevented, but there are certain steps that can be taken that will help ensure that the safety of information that is put on the computer and on the web. Because prevention of hacking is virtually an impossible task, Remy Na states some very basic tools that can be used to help ensure that a hacker has a hard time with hacking a system if these measures are taken. The first precaution Remy Na uses is to avoid advertisements that seem untrue or unreal; by viewing these advertisements, the sites contain “viruses, spyware, or other malicious software programs that install on your system and make it vulnerable to hacking” (Na). Remy Na explores anti-virus program. Anti-virus programs help ensure that there are no trojans, viruses or worms that would weaken security and allow easy access for hackers. Remy Na suggests scanning all emails for viruses and avoiding emails from unknown senders. Remy Na states that a competent firewall is essential in maintaining internet security. Remy Na suggests unplugging the internet connection when not online when using high speed internet. If not unplugged, this is an invitation to invade the system. Remy Na also states that regular updates can be very beneficial in ensuring the security of the internet. By following these steps and using common sense, providing safer internet security is easier.
Discussion
In order to prevent hacking, the process and steps that hackers use and the programs, files, or systems that appeal to hackers must be understood. In understanding all aspects of hacking, prevention is easier and the methods better understood. Although technology has come a long way, when concerned with the security of the internet and the information put on it, there is a long way to go in order to have a safe place in which to store and share information.

References
Catie. (2010, June 9). How to Hack. Retrieved June 11, 2010, from wikiHow: http://www.wikihow.com/Hack
Hall, K. (2010, May 18). Modern automobiles are super vulnerable to hacking, researchers say. Retrieved June 11, 2010, from Dvice: http://dvice.com/archives/2010/05/modern-automobi.php
Helmbreck, V. (2010, March 29). Biz bank accounts hacked at ‘unprecedented’ rates. Retrieved June 11, 2010, from Finance Tech News: http://www.financetechnews.com/biz-bank-account-hacking-rates-unprecedented/
Na, R. (n.d.). How to Avoid Hacking, and Prevent Internet Secuirity Problems. Retrieved June 11, 2010, from Articlebase: http://www.articlesbase.com/security- articles/how-to-avoid-hacking-and-prevent-internet-security-problems- 720927.html
Sarangi, D. P. (2009, December 23). Airlines system vulnerable to hackers at BIAL. Retrieved June 11, 2010, from BangaloreMirror: http://www.bangaloremirror.com/index.aspx?page=article&sectid=1&contentid=2 00912232009122302030019231da5603
University, R. (2008, October 8). Hack-a-Vote: Students Learn How Vulnerable Electronic Voting Really Is. Retrieved June 11, 2010, from ScienceDaily: http://www.sciencedaily.com/releases/2008/10/081007102851.htm