On Monday, March 13 at approximately 10:30 AM CST, I will be appearing on KFUO Radio’s Faith and Family program to discuss home computer security with host Andy Bates. Here’s the scariest question he’s planning to ask: How easily can someone hack my home computer and steal personal information?
Someone asked me that question at work once, except it was about a work computer. I whipped out a copy of a book about Metasploit, flipped to page 137, and started reading. My point was that I could teach this guy how. He didn’t take it well, so I don’t recommend doing that.
My point that I could teach this guy how to do it still stands, though. And I think I could teach Andy how too.
How hacking works
A hack really isn’t anything more than malicious software embedded someplace it doesn’t belong. Sometimes it’s someplace software really doesn’t belong, like in the middle of a video, or a resume. It works by triggering flaws that exist in other software, to trick that other software into running the malicious software.
Now, if your software is up to date, it doesn’t have those flaws. So you’re immune. That malicious software doesn’t work right, and the hacker doesn’t get anywhere.
I’m oversimplifying just a bit, but as long as you’re not fighting off Russian spooks who know about flaws the software manufacturers haven’t discovered yet themselves, these principles work.
How easily can someone hack my home computer?
I’m going to start with a disclaimer. I would never, ever do this. If I did, among other things, Qualys would fire me immediately, and I would lose my CISSP, and I’d never work in this industry again. It would be about as dumb as me robbing a bank.
I need to know how to do this well enough to explain it to other people and answer questions like this. This is hypothetical.
So if I had it in for Andy Bates and really wanted to get into his computer, I’d have to do about five things.
- Find Andy’s home e-mail address
- Find the name of someone Andy knows and trusts
- Create an e-mail attachment containing a hacking tool that connects his computer to mine
- Send Andy a message that sounds like it came from that second person, asking him to take a look at the file I sent
The third step is easier than it sounds. That book that got me in trouble at work a few years ago outlines all of the steps in order. It’s on page 137. For someone who’s never done this before, there’s some prep work involved, but it’s a viable weekend project.
Finding the name of someone Andy knows and trusts was easy. It took me less than 30 seconds to find Andy on Facebook and get the names of two people we both know. Two minutes later, I had a plausible story running in my head. Sound unrealistic? If you really have it in for someone, there probably are some people you both know.
Finding his home e-mail address is the hardest part, by far. But I could always just get someone else to ask him for it. It might not work. But it might.
If I guess right about what vulnerable software he has on his computer, once he opens up that e-mail attachment, I’ll have a command prompt window from his computer on my screen. From there, I’d be able to see all his files and take anything that looked interesting.
Andy would never know. And if I followed the instructions correctly, his antivirus software would never fire, at least not until it was too late.
The book I mentioned is meant for good guys who break into corporate networks and then tell people how they got in, a la the old Robert Redford movie Sneakers. But the tactics work for bad guys too.
How easily can someone hack a random home computer?
So what if I don’t care about getting onto Andy’s computer, and just want to get on someone else’s computer?
That’s even easier. All that would take is picking a web site that gets a moderate amount of traffic. Buy an advertisement on that site. What it advertises doesn’t matter. Plant the same code from the previous example into the ad. Once enough windows pop up on your computer from other people’s computers, cancel the ad.
Why steal information when you can sell it back to the owner?
Theft of digital information isn’t actually all that profitable these days. The market is flooded. It’s much more profitable to get onto someone’s computer, encrypt their files, then charge $250 for a password to give back access to their computer. It’s all automated, and you pay in untraceable digital currency. The odds of ever finding the perpetrator and recovering your money are nearly zero. Someone can make thousands of dollars a day doing this.
Fake hack attacks
There’s a lot of fake ransomware and fake hacking too. If you get a warning on your computer that you have to call an 800 number, just shut your computer down and restart it. It’s not a bad idea to scan your computer for viruses after you restart, just to be on the safe side. But if you were actually infected, the message wouldn’t look like this. Nobody deletes your files immediately. There’s no money in that. It’s far more profitable to give you 30 days to decide you want your files back, and raise the price as the deadline approaches.
I go toe to toe with these guys when this happens, but I don’t recommend most people engage them. I can recognize their scare tactics and call their bluff. But to a layperson, their arguments may sound convincing. I’d rather you just restart your computer if this happens.
And a word about webcams
There’s one more thing I want to mention. If your computer has a webcam, especially if it’s a laptop and especially if you happen to be female, put a piece of tape or a webcam cover over the webcam. There’s a subculture of people who spy on others through webcams. It happened to former Miss Teen USA Cassidy Wolf, but it happens to ordinary people too.
Keeping everything up to date certainly helps, but the low-tech trick of covering your webcam is the most effective thing to do about this problem.
Previously unknown flaws
Last week, Wikileaks claimed it got its hands on a stash of CIA hacking tools. Government agencies, both foreign and domestic, often know about flaws in software that the software publisher doesn’t know about yet.
These exist, but they don’t get used frequently. The more these things fly around, the more likely it is that a security researcher will discover them. They’re the digital equivalent of nuclear weapons. The stuff everyone knows about works well enough, because so many people don’t update their software.
Ethical security researchers are studying these leaks in an effort to identify the tools. Wikileaks promised to work with software developers to fix these flaws, but some components of these tools were present in the leaked documents. This means Wikileaks doesn’t really have the capability to do what they promised. The ethical security researchers who are studying the disclosure will work with software developers, which will mean it’s even more important to keep our computers up to date in coming months. The bad guys are studying these leaks too.