Hacking -- what it is, and what it isn't.

Hardly a week goes by that a client doesn't tell me, in a panic, that they've been hacked. Usually, all that happened was that someone got their phone number or SSAN from another online resource. Make no mistake, though; there are tens of thousands of people trying to learn how to get into your site, your database, or both. On TV, it looks easy: the computer geek on Law & Order sits down, tries the wife's first name, the dog's name, the child's birthday, and presto! No one reading this is so phlegmatic as to use a name or a birthday as a password, are you? Let's see a show of hands. Uh-oh! In the real world, hacking into a website is much more difficult (sometimes completely impossible), often requiring considerably more code-level knowledge of an operating system than most would-be hackers have. There are several types of attacks:
- Dictionary attacks: the hacker uses a program to throw hundreds of thousands of dictionary words and proper names at a login page (also called a "brute force attack"). Still using your dog's name? Yikes!
- Port sniffing: the hacker points a program at your URL to probe for ports left open, through which he can access a service, or inject a worm. Windows is especially susceptible to this.
- Network sniffing: if you are using an unencrypted wireless network at home, and connecting to your server by Telnet or Windows Terminal, you just gave your password to everybody on your block.
- DoS (Denial of Service): more often used to target large businesses. The hacker gains control of several servers, and causes all of them to send an endless stream of HTTP requests to one URL. That webserver is overloaded and shuts down, possibly exposing a security hole in the process.
- CSS (Cross-site scripting): actually the easiest. There are many free third-party programs available for webmasters to use on their sites, like guestbooks, bulletin boards, image and music managers, database frontends, etc. Some of them have security holes, meaning that they can be tricked into executing a command that was not intended by the programmer. As soon as someone discovers, by trial and error, that one of these is exploitable, it is posted on hacker websites around the world. Then the fun starts. Thousands of "script kiddies" (amateur hackers) download any of dozens of free "rootkits" (programs that will create a new user identity with root access for the hacker, if he can get one onto your server), run a Google search for sites using that exploitable program, and go to one of those sites. Insert some code into a query string, trick the program into uploading the rootkit, and the server is his. Want to send out 1,000,000 untraceable spam emails? That's how they can do it.
- SQL-injection: too complex to discuss here, but similar to the above; tricking a database into dumping data for the hacker.
- Buffer overrun attacks: the hacker passes a very long, complex URL to your website, aimed at an executable program in the operating system with a known exploit. The lengthy parameters overwhelm the target program's internal stack, causing it to respond in a way not intended by the programmer. Depend on your SysAdmin to keep your OS up to date.
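The dictionary attack described in the first item leaves a very visible trace: a burst of failed logins from one source. Here is an added example (not the author's code) of a small detector that reads sshd-style log lines and flags any source address that fails a login `threshold` times within a sliding window; the log lines, addresses and usernames are constructed for the example. The second source in the sample fails once a minute, which the default 60-second window does not catch, so the window is a tunable parameter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an sshd authentication log (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[4102]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:02 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
2024-03-01T10:00:03 sshd[4102]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:04 sshd[4102]: Failed password for root from 203.0.113.7 port 51237 ssh2
2024-03-01T10:00:05 sshd[4102]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:06 sshd[4102]: Failed password for root from 203.0.113.7 port 51239 ssh2
2024-03-01T10:00:30 sshd[4110]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T10:01:10 sshd[4111]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
2024-03-01T10:20:00 sshd[4120]: Failed password for bob from 192.0.2.9 port 40100 ssh2
2024-03-01T10:21:00 sshd[4121]: Failed password for bob from 192.0.2.9 port 40101 ssh2
2024-03-01T10:22:00 sshd[4122]: Failed password for bob from 192.0.2.9 port 40102 ssh2
2024-03-01T10:23:00 sshd[4123]: Failed password for bob from 192.0.2.9 port 40103 ssh2
2024-03-01T10:24:00 sshd[4124]: Failed password for bob from 192.0.2.9 port 40104 ssh2
2024-03-01T10:25:00 sshd[4125]: Failed password for bob from 192.0.2.9 port 40105 ssh2
"""

# Matches only failed-password lines; "invalid user" is optional so unknown accounts count too.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: (time_of_first_alert, sorted_usernames_tried)} for every source
    that produces `threshold` or more failed logins inside any window of
    `window_seconds`. Successful logins and unrelated lines are ignored."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted from that source
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = (ts, sorted(users[m["ip"]]))
    return alerts
```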