The hacking scene has exploded into life this spring and summer, with more high-profile data breaches happening every week.
From Sony’s PlayStation Network to the CIA, sites that really should know better are being breached by one means or another.
The sad thing is that as long as these people who should know better continue to leave security holes that can easily be exploited – SQL injection, anyone? – then they will be.
Homebrew hacking is on the rise, thanks to the sheer volume of hacking tutorials available online
It’s loose-knit hacking groups such as Anonymous and LulzSec that are feeding the media frenzy, but they’re not the only ones taking advantage – the back-bedroom solo hacker is alive and well in 2011.
Online training
In fact, homebrew hacking is on the rise, thanks to the sheer volume of hacking tutorials available online.
It takes only a quick fiddle with Google, using pretty damn obvious search strings, to get all the hacking how-to videos and step-by-step tutorials to enable anyone to breach the security of any website that’s vulnerable to the exploits they cover.
Not only are the majority of these tutorials free, but they actually work. When the CPP Group conducted a controlled classroom experiment earlier this year, the results were conclusive.
A group of novice technology users were able to obtain the login details of their classmates using a man-in-the-middle attack to access the class network, after following a 14-minute tutorial on the internet.
This tutorial not only showed them what to do step by step, but it pointed them to which free hacking software to download.
I searched YouTube for “man in the middle hacking” videos and it returned more than 20,000 tutorials, including some that have been viewed hundreds of thousands of times.
When it comes to hacking Facebook you can find more than 5,000 videos that teach you how to do it, and Twitter isn’t far behind. Michael Lynch, an identity fraud expert from CPP, has called on the Government to “review access to these online hacking lessons” and “implement tighter regulation of internet hacking communities”.
Educational purposes only
The tutorials come with disclaimers that they’re not to be used for malicious purposes or to hack anything without permission, and claim they’re for educational purposes only.
This transparent get-out clause appears to satisfy not only YouTube and the ISPs that host the sites concerned, but even law-enforcement agencies.
The most common reason I’ve heard for not taking down these tutorials is a version of the “guns don’t kill people” argument, although perhaps an analogy using cars would be more UK-centric: a video that teaches you how to drive doesn’t turn you into a dangerous driver, but a video that teaches you how to do “doughnut” handbrake turns and points out the best roads for night racing might well do.
I’m not convinced this reasoning applies to hacking tutorials, because they all effectively demonstrate how easy it is for Joe Anybody to steal your data if you don’t protect it properly.
The real problem isn’t the wannabe hackers, but rather the insecurity of web-based resources
They’re equivalent to those “don’t drink and drive” ads that show not merely the drunk driver speeding, but the horrible consequences too. Regulating all hacker tutorials is impractical because any filter that catches the bad stuff would also catch the good guys.
What to do?
So what’s the solution? Well, script kiddies have been around forever and all that’s changed is the ease with which they can learn about how to use the available hacking tools.
The real problem isn’t the wannabe hackers, but rather the insecurity of web-based resources that contain common vulnerabilities waiting to be exploited.
The best advice I can give any online business is to make sure yours isn’t one of them. Audit your web-based application security, patch your systems and keep these script kiddies out along with the professional data thieves.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
