The Golden Age of Hacking

abr0589_hi

How many passwords do you have?   How many have more than 8 characters and include a number, a capital letter, and a non-alphanumeric symbol and are changed every 30 days?

Me too.

We may be the weakest link.  Or we may just be one of the weak links.  Before digitization, it wasn’t called hacking to break a code, or pick the lock on a safe, but it was the analog equivalent.  With digitization and computers came the stone age of true hacking and with the internet and its ubiquitous connectivity and data, has come the golden age of hacking.  Through history, however, it has always been about finding the weakest link and cracking it.  Human routines and weaknesses have been a criminal’s Plan A for ages.  Away from home at work. Break-In time. Same child walking home pattern.  Kidnap time.  Same restaurant for capo meetings, ambush time.  Same payroll delivery train.  Robbery time.  Digitization and the internet have created a global playing field with over 3 billion people online.

Banks introduced computers for processing in the 1960’s.  A creative hacker in the early 1970’s exploited George C. White’s patented magnetic machine readable print on checks, you know, those computer looking numbers at the bottom of the check identifying the bank and the account.  This budding hacker knew that the way it worked was if the machine could read the numbers, it went straight through to the computer.  If the machine could not read the numbers, it went to exception processing for a human to input the account number manually.  Our hacker ordered a large volume of deposit slips that had his account magnetically coded at the bottom, tore them out, and slipped them randomly into the pile of deposit slip blanks on the counters of the bank’s branches.  Lo and behold, a number of the counter deposits submitted were sent to his account. Of course, this was not hundreds of millions of dollars, but it also was over 40 years ago.

Another early hack was interesting because nobody really lost money, but the hacker made money.  Let me explain.  When a financial institution’s computers calculate interest due, the calculation is carried out to many decimal points even though our currency is limited to cents.  This means that on each calculation of interest due, there is a tag amount that is less than a full cent.  There are two choices of what to do with these “tag ends”; truncate (cut off after the cents ignoring what was left) or round (rounding up or down based on whether the tag end is less than or greater than $0.005.  This creative hacker determined nobody would miss these “tag ends” and added programming to have them aggregated and deposited to his account.  You might say, “this is peanuts” and you would be correct.  But if this was a financial institution with, say, 10 million credit accounts and the average “tag end” was $0.0025, this would be $25,000 each monthly billing cycle.  Better than the early 1970’s deposit slip hacker, but not up to the standards today of the recent Bangladesh Central Bank hack or The DAO exploit at over $100 million.

The golden age of hacking will not abate.  It cannot.  We have transitioned to a digital online world with all its benefits of information, entertainment, communications, convenience, networking, etc. There is no going back and digital security is a different game than analog security, and, as always, the weakest link is human limitations.

My bicycle lock has a 4-digit code.  That’s 10,000 possible combinations to steal my bicycle.  At 2 seconds per try, that would take about 5 1/2 hours to get the bike.  That is enough protection in the physical world.  Now imagine that there was a bike chain and app to unlock your bicycle with your phone that also had the ability to locate your bike.  Being available online, imagine a hacker developing a program to search for a lock with a specific 4-digit code and the location of the bike.  Or a program to run through the possible combinations standing next to a bike in seconds.  The 4-digit code is not strong enough for this and has become a weak link in the chain of security whereas it was just fine before.

You might say, “My iPhone has a 4 digit code to unlock it.  Is it safe?”  It is safe because you only get a limited number of tries before it shuts down for a while.  So it’s not possible to go through the 10,000 possibilities.  This was the whole dispute the FBI had with Apple wanting them to develop the ability to do unlimited tries and do them by machine (sore fingers!).

We are now surrounded by a complex and growing web of connections of which few of us understand the security behind, but which we still use every day.  The growing capabilities of this network of connections are also what creates the challenges to securing it.  And with the pace of innovation and new capabilities, it will only increase.

1) Interconnectivity: we want our devices to communicate, update, backup, and do all things that require connectivity.  This means we increasingly live on the digital web, not the analog world with its physical privacy and security. And it means that most of our data is stored in “central” entities to which all of our devices can then link to provide instant access everywhere.

2) Line speed: We all want as much line speed as we can afford.  Hackers did not operate well with 56.6K baud dial-up modems.

3) Diversity of devices: computers, cell phones, tablets, watches, and many more coming with the Internet of Things.

4) Population on the network: over 3 billion at last count with many different cultures, ethics, desires, etc.  There are no effective boundaries.  We have 3 billion neighbors potentially connected to us in the same cloud.

5) Value of information on the network: not just email or websites to browse anymore; bank accounts, credit cards, personal information, schedules, etc.

6) Complexity: as functionality, innovation and interconnectivity increase, so does complexity of the software.  There are myriads of file types and new software being released every day.  Apple recently released a security update with iOS 9.3.3 to fix an ability to grab your Mac or iPhone passwords with one text message.

Here’s a brief summary on Fortune: http://fortune.com/2016/07/20/apple-security-bug-password-steal-text/

It’s a race with another form of thousand flowers blooming around the castle wall mentioned in my recent book “Digital Siege, why young entrepreneurs are winning.”

In general WE are the weakest link.  We all want passwords we can remember.  We want to use the same password…. because we can remember it.  This is human weakness.  The saving grace is that most of us are not worthy of the effort for an individual attack.  Not that you shouldn’t change your passwords regularly and have “strong” ones, but the likelihood of you or me being worth a targeted attack are pretty slim.

Small changes have been introduced that significantly improve the security while not requiring blockchain type password “keys”.  A couple of examples are: 1) verifying that your “device” was previously used for that site; 2) texting a security code to a linked cell phone for authentication; 3) checking the IP address or asking for billing zip code input.  These require the digital thief to have more information than might be readily available to them for a transaction at the moment, but these safeguards are no real obstacle for experienced hackers.

At the other end of the extreme, who would have believed the weakest link in the recent The DAO exploit was the recursive send pattern to effectively drain the “money”.  I’m not a technologist, but it seems very similar to a check kiting scheme in days of yore; withdrawing funds before accounts are updated.  If you want to have an explanation of how the code was exploited line by line see Phil Daian’s article in http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/.

Online complexity, managed by humans, with a connected world trying to find the weakest link and exploit it.  Some would respond that the protection should have been that the program was open source and just hadn’t been out long enough before going to production.  But then, why did “Heartbleed” happen?

The golden age of hacking is just getting started.  Just compare how many potential new hackers are joining the network each week compared with new mainframe developers.  Not to mention there are already 3+ billion people online.

So where are we headed in this, the golden age of hacking?

The only limit will be the creativity of the hackers anywhere in the world to exploit the weakest link.  Of course, there will continue to be a focus on software that we use every day for our network of cloud services and communications, but this will expand exponentially as we add new apps, more complexity, functionality, devices, etc.  There are already emerging new exploitation techniques such as high-jacking a critical website for ransom.  Imagine that “micro high-jacking” emerges.  Let say your digital wallet or even Facebook account is high-jacked and you are required to make a payment of 1 Bitcoin to “unlock” it.  How much trouble would you go through to involve the authorities and reporting to chase the perpetrators?  Or would you just pay?

The growth of the use of cryptocurrency for other than speculation by techies may well be driven by its anonymous use as a micro-crime payment mechanism.  No money laundering or tax evasion required.

Protection money (a la the mafia) may emerge with a stronger arm than Symantec’s cancellation policies.

What about adding micro amounts to regular monthly bills (cellphone bills, credit card, cable, etc.) that do not raise attention and get paid without notice?

What would some brilliant criminal mind with extensive technical skills think up to use the information available now online for exploitation and financial gain?  There is virtually (!) no limit.

We are in the golden age of hacking and WE are the weakest link.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s