Monday, February 25, 2013

What's the big deal about hacking?

I've written before on how to protect your digital life from malware and identity theft, but never on why shady types might target you in the first place. There are a variety of reasons, but with a few less common exceptions they generally boil down to money.

When I started out in the systems administration / hacking world a couple of decades ago - and even when I first moved into information security as a profession nearly 15 years ago - the dominant incentive was the ego trip: what can I get away with? Truth be told, that's the original (and to many, myself included, the "real") meaning of hacking: take something and make it do what I want, rather than necessarily what the creator intended. That culture has nothing to do with malicious use of computers - see automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers for two examples. A hacker could be known less controversially as a Maker, or a tinkerer, or a modder - or an engineer.

Hacking in its purest form is perfectly legitimate. Where it becomes illegal is when I stop tinkering with things I own, and begin tinkering with something you own, without your permission (or, according to the US Copyright Office, if I tinker with certain digital devices even though I own them, a gross misinterpretation of the US constitution, but I digress...).

The first Internet worm was in fact an experiment gone awry. The Morris Worm was designed to gauge the size of the Internet, but due to a bug in its code, spread beyond its intended target, causing victim computers to crash. Other early malware were intended as pranks, or to gain the author notoriety. But over time, the impetus has become economic. Malware, crimeware, spyware, and the likes are a huge business – a business that according to a 2010 FBI estimate is now more lucrative in the US than drug trade.

So why are you targeted?
  1. Direct financial gain - steal your credit cards, bank accounts and credentials. If a criminal has your credit card or bank info, and the right supporting information, they can quite easily take what you have worked hard to earn.
  2. Indirect financial gain - display advertisements, or redirect your browsing to a web site they control. Panda Security wrote of a concept they dubbed the Long Tail: malware authors don’t need to generate huge revenue from each piece of malware; rather, they can make money if only a tiny percentage of their advertisements work, so long as they have enough ads.
  3. Take control of your computer, and use it for financial gain (by sending spam, or by including it in a "botnet for hire" that could be used for any purpose of the attacker's choosing). A twist on this is so-called “ransomware” – disable your computer until you pay a ransom to be given back control.
  4. An area growing in visibility (though in reality it has been around for ages) is stealing valuable intellectual property. As an individual that might not mean much, but as an employee or business owner, intellectual secrets may be the source of all your income, and of far greater value than cash.
I've written before on some basic steps to reduce the risk of becoming a victim. Install the latest software patches; use a firewall to keep bad stuff from coming in; use a web filter to keep from getting to bad stuff; use an antivirus program to deal with the bad stuff that will (not might) get through, and don't use the same password for multiple accounts of value (bank, email). Those steps aren't a guarantee that you will never be hacked, but as in the physical world, unless there is a specific target of high value to an attacker, they will generally go after the easy prey.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen