Essay

Why everything is hackable

Gustav M., 2018

Computer Science

Freie Universität Berlin - FU

1-, Langmann, 2011


Modern and post-modern hacking is either criminal or simply show-off vandalism. Most hacks are carried out through exploits that abuse small flaws in programming code, which malicious attackers may use to alter the program's previous behavior. By writing new malicious code into a flawed program, hackers are able to change the program's intended function and even shut down certain functions.

Stealing data with the help of programs is no exception in the world of hacking. For instance, in 2016 cyber crooks nearly got away with stealing $81m from the central bank of Bangladesh. Another example is the August 2016 leak of some hacking tools used by the NSA, which were spread all across the internet by a hacker group called the Shadow Brokers.

Other public hacks were the flooding of Dyn (an internet infrastructure company), which was done using a program called Mirai and left many Twitter and Reddit users unable to log in to their accounts or simply use the web page, and the hacking of the Democratic National Committee’s e-mail servers, where embarrassing footage of some candidates got sent around to influence the outcome of the presidential election.


The internet was first used by academics to share research data, which is one reason why internet security wasn’t always a huge concern. In 1970 internet pioneer Vint Cerf talked about building encryption into programs right from the beginning. Despite his many efforts, America’s spies blocked the idea, because they saw cryptography as a weapon for nation states.

Rather than being secure from the beginning, the internet now always needs additional software of half a million lines just for data encryption. Every year, weaknesses are found in software for things like credit cards.


The amount of programming, or the size of a specific program, can be estimated in lines. The operating system Linux clocks in at around 20.3m lines, which is small compared to Windows’ estimated 50m lines and Google’s 2bn lines. For a program to work properly, its lines of source code have to interact with one another.

Hackers only have to find one mistake to exploit parts of a program.


Hackers may also use innocent-looking programs or emails to retrieve data from their victims. An email asking for a password or personal information may look innocent and legitimate, although the email might only be a written set of hidden instructions to retrieve the victim's data.


Firms that are unaware of possible software faults aren’t uncommon. They assemble lots of different small components that are manufactured by other individual companies. In turn, the company that assembles the parts (a car manufacturer, for example) is unaware of the different production steps of all the different components.

An individual component company could potentially use flawed software that could malfunction later on.

In 2004, someone (still unknown) was able to listen to upper-echelon Greek government phone calls for months. The person was able to find a flaw in the kit that Ericsson supplied to Vodafone, their network supplier. By subverting surveillance capabilities built into the kit, the person was able to do this.

Big companies that deal with such security issues are trying to get rid of those faults systematically, in order to erase errors quickly and effectively. Independent bug-hunters are able to claim bounties from big firms by finding bugs for them. Microsoft also constantly wants users to upgrade for free for a certain period of time, just to get rid of issues in old operating software.

Under CHERI, some parts of a program each work as a sandbox, a compartment which a hacker can, for example, enter but not change beyond a certain boundary. This applies not only to one part of the program, but to many. Ironically, the riskiest computing systems usually run on very simple programs.

The operating software in things like insulin pumps, drones and car components doesn’t need much to do its job properly.


Because of the huge concern about cyber-attacks and the worldwide mutual recognition that one is not able to prevent such attacks, big companies most probably pay other companies for IT security insurance. SentinelOne’s Jeremiah Grossman estimates that the cyber-insurance market makes around $3-4bn a year and that the market has an annual growth of 60%.


