Everything is hackable; but it's okay.

09.10.18

Media, be it reputable news outlets, yellow press or the latest hollywood blockbuster, love hacking. Hacking however is infinitely nuanced and anything produced by individuals who fail to capture these nuances is in grave danger of perpetuating misinformation. Combine this with the fact that fearmongering sells and you have a reality where the majority of "hacking" news in non-tech publications (or maybe I should say non-infosec, but I would be too harsh on some tech blogs who do respectable work) is rubbish.

So while you have to ignore most of this fearmongering, you still have to follow the usual advice and not use 123456 or the same password in multiple services. The purpose of this guide is to help you navigate between these two extremes while remaining safe and most importantly, sane.

First let me get this out of the way. Even the words hacker and hacking have nuances and I'd advise not to use them except if you intimately understand them, as you might inadvertently enter social awkwardness. It's really hard to explain all the possible meanings in an article but lets say this: hacking does not always mean circumventing a digital security device. If you want a glimpse of these nuances the wikipedia article on hacker is a good start. Read the Jargon File for even more.

So is everything hackable?

Given enough resources and time, everything is. Heck, most cryptography is designed to be impractical to break, not impossible. Just as your home door isn't designed to withstand a military tank, a home thermostat isn't designed to withstand malware that his user specifically installed after plugging in a USB flash drive.

In order to simplify things and with a mild risk of oversimplifying them I will split the threats in three big categories.

Cyber warfare.

When you hear the word "cyber" it's usually safe to change the channel. It sounds good, but it doesn't really mean something concrete in information technology so it is usually used by media and other outlets in order to impress. Nevertheless I will use it here as a tribute to @GreatDismal@twitter.com

So, the first category of threats are like this. 100 people of various different professions are hired by a government or other organization with similar resources to specifically to target a certain something. Be it Iran's nuclear reactors, Hillary's emails or Sony Pictures' data it's quite safe to assume that probably nothing can protect you from this kind of attack, mostly because you really don't know what these people can do. They can, for starters, purchase unknown vulnerabilities (if you don't know what that means keep reading), but it's also possible that they can compromise certificate authorities*, telecoms* etc.

Certificate authorities are the companies/agencies you (or your browser and operating system specifically) trust to validate that the sites you visit are the sites that they say they are. This only has meaning for website using https://. If someone has a trusted certificate authority in his pocket he can create fake (phishing) websites that look like websites you usually visit and redirect you there. From that he can eavesdrop on all the information you exchange with that website including any passwords.

If on the other hand somebody has compromised your telephone company he can see all your non https traffic as well as metadata on what you visit. Even if you only give information to https websites, by knowing your habits it is easier to find a way to trick you into handing out a password or other info that can start a chain reaction of compromised accounts. For an example of this kind of chain reaction read @N's story

You can't protect adequately from these kinds of coordinated attacks unless you are paranoid and/or have similar resources. One can try to minimize the risks by using overlapping security techniques, repeated password prompts, multi factor authentication, biometrics etc. which tax his hardware and his efficiency, sometimes so much that users write passwords on post-its defeating the purpose of the whole system. The good news is you probably don't need to. It's extremely unlikely that someone would spend that kind of money to target an individual. It's almost as probable as burglars breaking and entering your house with a tank.

Targeted attacks

It's improbable you will be targeted by a military task force but it becomes more and more probable that you will be targeted personally, especially if you have any kind of celebrity status in however small a community, or if you are just lucky enough to have scored a two-letter username in a major social network.

To avoid these kinds of attacks you need to be vigilant, and even this is not always enough. You have to follow the best security practices at any given time and make sure to stay ahead of the curve. This does not slow down your day to day operations very much. The biggest and most significant services usually make sure to support newer security methods quite quickly. It also helps to stay informed with the latest breaches or vulnerabilities and take measures if any of them affect you.

As demonstrated in the @jb case, usually the weak link in the security of a company is a well meaning support representative. The security in the identification via personal info relies on the fact that it's difficult for an attacker to obtain the exact set of info requested each time. However a skilled attacker might direct the rep to use selective information that he has in his possession. Thus avoid any leak of information that is not exactly secret but might be asked by a bank or other organization for identity verification. Urge your friends/associates to treat this info as confidential and delete any emails that contain it.

I will not delve into specific security practices besides the very basics of

  1. Don't use the same password in multiple services
  2. Use large or complex passwords
  3. Don't store them in plain text in your computer

as best practices always change and what today is secure tomorrow might very well not be, and my intention for this guide is to be a (lasting) answer to the question "why do I have to follow best security practices" a bit more elaborate than "in order to avoid being hacked" which is, in fact, nonsense.

Spray and pray

The third kind of attacks are not targeted at all. Automated attacks on well known vulnerabilities or script kiddies who use pret-a-porter hack-tools to have fun with whoever is the least protected.

When a security hole is discovered in a piece of software, think of it like somebody learns that your front door has a weak bolt. Everybody with the same model door is vulnerable. The company may or may not offer a fix and some people might never learn that their door is affected. Burglars however will and might very well start trying on every house with this kind of door until they find one unfixed.

Security holes in software go like this: a hole is discovered, very few people know about it. They might sit on it and sell it to type 1 attackers (see above), just publish it on the internet for bragging rights, or notify the developer. The developer might or might not develop a fix and might or might not issue an update.

Sometimes it's out of the hands of the software author to give you updates. Google publishes Android source code, then Samsung and other vendors take it, modify it extensively and ship it to you in their phones. By that time the code has changed enough that there's work to be done before Google's updates can be applied. Whether Samsung chooses to do that work is another question.

These attackers make the minimum effort possible and almost always use automated tools. They just write a program that scans a forum for all users that ever posted anything and tries to log in with "password", "123456" or "qwerty", or send millions of emails and try to exploit a bug in adobe reader on windows xp that allows them to run a file on another person's computer if they download a specific pdf file.

So what value could your account on a forum have for a stranger? Yep, that's a question I myself had, and one that I learnt the answer the hard way years later. When I first became a member of maemo.org, an internet tablet community, I thought that nobody would want to impersonate a newbie joining a forum just to download stuff so I used my disposable forum password: 123456. But 2000 posts later someone hijacked my quite reputable, by now, account and posted weed ads below each one of my posts. Now I had to either write a program to clean them up or clean them up by hand. I believe there still are some of those ads below my old posts.

There are million other reasons why a malicious attacker would want access to your computer, from locking down your files in order to ask for ransom, take control of your webcam to watch you undress or just to use your computer to send spam or mine crypto. Another popular reason of attack is to make your computer a part of a network of millions of computers that try to download files from a specific server at the same time causing it to collapse, just as everybody turning on all the electrical appliances at the same time would cause a power outage.

It is quite simple to keep safe from these kinds of attacks: you just have to avoid being on the bottom of the stack, security-wise. In general follow best practices and keep your software updated. And just as you don't let strangers into your house, take extra care about what you run on your computer.

Conclusion

If you are not a politician, a celebrity or super-rich you probably need to do just a little bit extra to be quite safe. Government agents will probably still be able to compromise your security but they could knock on your door with a warrant too (or a swat team). If you are, go hire a security expert, follow their advice and try to learn from them, not just blindly push buttons. The best security is awareness and understanding and this article tries to help a bit with that.