It never ceases to amaze me the awe in which the media, the general public and the security-naïve within the computer profession hold hackers, specifically those people who criminally break into computer systems. That awe creates even more computer misfits.
Everyone has a desire to stand out from the crowd, and the sensationalism of hacking provides a vehicle for it. Sadly, learning how to hack is extremely easy.
I prefer to explain hacking at a macro level. There's no need for the average computer professional to go much deeper than that anyway, as the hackers know little more themselves.
Computer hacking is the exploitation of vulnerabilities to get access/privileges you wouldn't otherwise have. Denial-of-service attacks are also versions of hacking. These flaws exist because of errors made by the vendor, administrator or user.
Vulnerabilities built into the system can be in hardware, but 99%+ of the time they're software bugs. I don't think anyone would argue that all software has bugs; some can be exploited to elevate privileges and cause information leakage or system crashes. These bugs include buffer overflows, the type of vulnerability that enabled Blaster, Slammer and other major worm-like attacks.
The first way to break into a computer is by exploiting bugs built into the software. If you want to break into a specific computer, use a vulnerability scanner to see what type of software is being used on the system and search the Internet for appropriate hacks. There are many sites that will not only provide vulnerability details, but will provide exploit tools as well. More frequently, a hacker will find a tool on the Internet and run it against a random IP range, hoping for success.
The second way to break into a computer is by taking advantage of system configurations. Examples of configuration vulnerabilities are poor or no passwords, weak directory permissions, unnecessary programs/services running on systems and poor user controls.
While many people want to blame vendors for security flaws, a Defense Information Systems Agency (DISA) briefing I recently attended stated that at least 70% of successful hacks result from configuration errors. Again, hacker sites distribute the information on how to identify and exploit configuration errors. Again, no underlying understanding of the technical issues is required.
The remaining 30% of hacks resulted from software design flaws that users or administrators could have fixed prior to the attacks, but patching wasn't performed in a timely manner. I know that there are potential functional/business reasons why the patches weren't applied; however, I would guess that in many cases, there was no intent to apply them. Studies by both CERT and DISA indicate that 97% to 99% of all successful computer hacks were completely preventable, even taking into account reasonable delays for applying patches.
Again, this implies that the success of the hackers is more a failure of administration efforts, rather than the result of any genius. It's true that a bad guy has to be right just once, while the administrators and users have to be right 100% of the time. However, I believe that basic system hardening and maintenance procedures can be simplified.
Instead of worrying about SMTP, FTP, SNMP, IMAPD, etc., an administrator could focus on hardening a system properly on installation. Regular use of a vulnerability scanner would check for any newly introduced vulnerabilities that result from modifications by users or freshly discovered software bugs. Just as hackers can go to a Web site for information and attack tools without understanding the underlying technical issues, administrators and users can go to vendor Web sites to get the fixes.
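The configuration errors listed earlier (no passwords, weak directory permissions, unnecessary services) are the kind of thing a recurring check catches. The following is an added example, not code from the article: a minimal audit for a Unix-like system in which the sample shadow lines, the listener inventory, the approved-port baseline and all function names are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed shadow-format lines; hashes are placeholders, not real values.
SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
# Constructed listener inventory and the baseline approved at installation.
SAMPLE_LISTENING = {22: "sshd", 21: "ftpd", 161: "snmpd", 443: "httpd"}
APPROVED_PORTS = {22, 443}

def empty_password_accounts(shadow_text):
    """Accounts whose password field is empty, so no password is required."""
    accounts = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            accounts.append(fields[0])
    return accounts

def weak_directories(root):
    """Directories any user can write to that lack the sticky bit."""
    weak = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                weak.append(path)
    return sorted(weak)

def unapproved_services(listening, approved):
    """Listeners that are not part of the approved baseline."""
    return {port: name for port, name in listening.items() if port not in approved}

def audit(shadow_text, root, listening, approved):
    return {"empty_passwords": empty_password_accounts(shadow_text),
            "world_writable_dirs": weak_directories(root),
            "unapproved_services": unapproved_services(listening, approved)}

def build_sample_tree():
    """Constructed directory tree: one weak, one sticky, one restricted."""
    root = tempfile.mkdtemp()
    for name, mode in (("shared", 0o777), ("tmp", 0o1777), ("private", 0o750)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly; mkdir's mode is cut by umask
    return root
```

Calling `audit(SAMPLE_SHADOW, build_sample_tree(), SAMPLE_LISTENING, APPROVED_PORTS)` reports the `guest` account, the `shared` directory and the FTP and SNMP listeners; run on a schedule against real inputs, the same checks surface drift introduced after installation.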
All software has bugs, whether it's an operating system, Web server, Web browser, word processor, etc. Any program can have vulnerabilities that can compromise an entire system.
Because of the willingness of enough people to provide information and tools to attack systems, there's no real genius involved in the mere act of breaking into a computer system. On the bright side, users and administrators don't have to be geniuses to protect their systems.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.