
Hacking

Noob to Cyberpunk

Easy Guide to Computer Hacking, Internet Security, Penetration Testing, Cracking, Sniffing, and Smart Phone Vulnerabilities

By: Steve Ora

Legal notice

This book is copyright (c) 2017 by Steve Ora. All rights are reserved. This book may not be duplicated or copied, either in whole or in part, via any means including any electronic form of duplication such as recording or transcription. The contents of this book may not be transmitted, stored in any retrieval system, or copied in any other manner regardless of whether use is public or private without express prior permission of the publisher.

This book provides information only. The author does not offer any specific advice, including medical advice, nor does the author suggest the reader or any other person engage in any particular course of conduct in any specific situation. This book is not intended to be used as a substitute for any professional advice, medical or of any other variety. The reader accepts sole responsibility for how he or she uses the information contained in this book. Under no circumstances will the publisher or the author be held liable for damages of any kind arising either directly or indirectly from any information contained in this book.

Table of Contents

Introduction
Chapter 1: The Story of Hacking
Chapter 2: What A Hacker Needs To Know
Chapter 3: The Different Types of Hacking
Chapter 4: What Hackers Want
Chapter 5: A Hacker’s Favorite Targets
Chapter 6: How To Protect Yourself Against Hackers
Chapter 7: The Future of Hacking
Chapter 8: The Most Famous Hacks in History
Conclusion

Introduction

Cybersecurity is just as important as locking your doors at night or installing a burglar alarm. In fact, cybersecurity is even more important, because with a little skill and a thirst for trouble, a person can steal your credit card number and even your identity all without leaving their desk chair. If you have a computer, smartphone, or anything with an Internet connection, cybersecurity should matter to you.

What are the threats? Who are these shadowy figures trying to break into your life? They’re hackers, and they are extremely clever and patient. A good hacker is an excellent problem-solver; they think outside the box, and they know everything there is to know about networks, hard drives, programming, and more. Thankfully, not all hackers are bad. Hackers are more often than not the ones responsible for advances in cybersecurity, because they know how to find vulnerabilities in a system, and how to fix them. Unlike those who use their skills to steal and sow chaos, the good hackers want to keep the world safe and more secure. Other hackers aren’t so easy to define, since they sometimes have confusing motives, and will often break the law to get what they want.

This book explores all the angles of hacking, from its birth at MIT in the 1960s to the future of biohacking and hacking in war. You’ll learn about what hackers tend to target, and most importantly, how to protect yourself against “black hats,” or the malicious hackers. Defense strategies include writing strong passwords, learning about data encryption, and educating yourself on the types of attacks hackers employ. Black hats thrive on ignorance, so by learning more about potential insecurities on your computer, phone, or router, you can prepare and protect all your data.

Chapter 1: The Story of Hacking

In simple terms, a hacker is a computer expert. They have the necessary skills to break into computer networks and systems using vulnerabilities. The reason for hacking varies widely depending on the particular hacker. When people hear “hacker,” they imagine someone breaking into military systems to steal information, banks to steal money, or even just to spread chaos for laughs, but hacking began as something with a very different reputation.

From MIT to Legion of Doom

Hacking began at MIT in the 1960s. In the artificial intelligence labs, programmers spent countless hours working on old computer languages like FORTRAN. These were the best of the best, and needed to have limitless curiosity and brainstorming skills. These experts were called “hackers,” and most people had little to no idea of what “hackers” were actually doing. The first reference to hacking as a negative term was in 1963, when the MIT student newspaper ran a story about how hackers messed with Harvard’s phone lines by getting into their PDP-1 (the data processing computer) and running up huge phone bills.

Messing with the phone was known as “phone phreaking,” and it had been around since the 1950s. Using hacker skills to mess with phones used to be the only way to make waves, since most people didn’t have computers and they weren’t anything like they are today. There was also no Internet, so that was limiting. In the 1970s, a hacker named “Captain Crunch” discovered a way to make long distance calls for free. Phreaks would study everything they could to figure out how the phone worked and what every click and beep meant. They built blue boxes, which were electronic devices that made sounds identical to a telephone operator’s dialing console, so they could route their own calls and make long-distance calls, all for free! Black boxes would let a phreaker receive calls for free. Blue boxes could also be used to wiretap lines, which led to more than a few phreakers getting investigated by the FBI and going to prison.

Once phone systems became computerized, blue boxes were obsolete, but hackers were already going after the new computers. They started to become a real problem for the government. In 1981, “Captain Zap,” the hacker tag of Ian Murphy, was the first hacker to be convicted as a felon for breaking into AT&T computers and changing the internal clocks connected to metered billing rates. People who made calls late at night to get late-night discounts were charged high fees instead of the discounts they were used to. Two years later, a group called the 414s was raided by the FBI and charged with breaking into 60 computer systems, including the Los Alamos National Laboratory, earning them a spot on Newsweek with the headline, “Beware: Hackers At Play.”

Undeterred by potential legal consequences, the legendary hacker groups Legion of Doom and Chaos Computer Club were founded in 1984. More computer break-ins continued, including corporate and government computers, and in 1986, Congress passed the Computer Fraud and Abuse Act, which made it illegal to hack into computer systems.

Kevin Mitnick

The most famous hacker of the 1990s and possibly ever was Kevin Mitnick. At 16, in 1979, he broke into his first computer system. He ended up copying the Digital Equipment Corporation’s software and was caught. In 1988, he was sentenced to 12 months in prison and three years supervised release. Just as his supervised release was coming to a close, he hacked into Pacific Bell voice mail computers and became a fugitive.

For the next two and a half years, he broke into dozens of computers, cloned cell phones, and copied software from forty of the United States’ largest cell phone and computer companies. He was caught in 1995 and pled guilty to all charges. He ended up serving jail time for 5 years. Law enforcement officials were so wary of him that he had to spend 8 months in solitary because they believed he would somehow be able to hack from a prison payphone and communicate to the computer in charge of nuclear weapons by whistling.

Mitnick currently leads a group of cybersecurity experts known as the Global Ghost Team. They test the security of governments and corporations, and boast a 100% success rate, which means they have broken into every system they’re assigned. Mitnick is also a best-selling author and speaker.

ILOVEYOU

One infamous form of hacking is the use of a computer worm. A worm is a standalone computer program that copies itself to spread to other computers, like a biological virus. Computer worms make a computer “sick” by messing up files and slowing down the network. The ILOVEYOU worm spread to millions of computers within hours of its release, because when opened, it would send itself to every contact in the victim’s email address book. The worm caused between $5-8 billion in damage, and destroying it cost $15 billion. It was eventually traced to the Philippines and because there were no laws against writing malware (which is just software with malicious intent), the architects of the worm were released.

What’s interesting about this worm is that it combined social engineering with sophisticated programming. Because the subject line of the infected email read “ILOVEYOU,” people were confident that the message was from someone they knew. The worm preyed on people’s trust and desire for connection. It proves that the best hacks target emotions.

Hackers in popular culture

Once relatively unknown to society at large, hacking has become increasingly intriguing even to people who don’t know anything about computers. Movies like WarGames from 1983, Hackers from 1995, and Blackhat in 2015 have explored different ways that hackers influence the world. With TV shows like Mr. Robot, hacker culture has become its own subgenre. Is the way hackers are portrayed in media accurate at all? Sometimes.

Mr. Robot in particular has been praised for its attention to detail and the reality of the hacker world. The creator Sam Esmail took the time to learn about hacker psychology. The story of Elliot, a cyber security employee, finding his way into a group of white-hat hackers who take down child pornographers and other unsavory members of society, captures the shared loneliness Esmail saw in hacker culture. There’s a desire to connect, but it’s all over a computer. Real interactions can be scary, and while that certainly doesn’t describe every hacker, social anxieties do seem to be common among hackers.

Mr. Robot also cares a lot about accuracy. In a lot of movies and TV shows, a hacker jumps on a computer, slams a few keys on a keyboard, and suddenly has access to a fleet of security cameras, but that’s not how hacking actually works. Esmail pays close attention to the actual process of how hacking works, which involves unique and out-of-the-box solutions. He also insists on using real computer screens during filming, instead of relying on green screens and adding the screens in later.

The most recent major media foray into hacking can be found in the Chris Hemsworth movie Blackhat. It failed miserably at the box office, despite an exciting premise: a Hong Kong nuclear power plant is targeted by a black hat hacker. Using a remote access tool, he threatens to cause a nuclear disaster. It is discovered that this is just one attack; there’s a bigger plan going on, and a mysterious black hat hacker is behind it all. Chris Hemsworth, a former hacker, is brought in to stop him.

One problem with the movie is that it’s almost too accurate. Most people don’t understand how hacking works, and the movie didn’t take the time to explain very much about the process. While that translated into low ticket sales, hackers loved the film. An early screening with about 200 security specialists from Google, Tesla, Apple, and elsewhere was met with very positive reviews. As hacking goes more mainstream and people begin to understand it more, movies and TV are likely to step up their depictions of hackers and their craft.

Why hacking matters

After the ILOVEYOU incident, the Philippines did create new laws. What this shows is that hackers are always ahead of their time. Their activities result in laws being passed, because before, no one could have imagined what was possible with computers and a little knowledge. They also expose the cracks in the systems, the weaknesses, the vulnerabilities. A lot of hackers do what they do because they want to benefit society and make systems more secure and more private. These are issues that are on the forefront of society’s mind as we become more and more reliant on technology to keep us safe.

So, how exactly do hackers do all these things? What kind of skills do they have? Chapter 2 will get into the more nitty gritty terms and talents necessary to call oneself a “hacker.”

Chapter 2: What A Hacker Needs To Know

Ever since computers and the Internet were created, hackers have been ahead of the game. Their motives and techniques may vary, but they all need certain skills to find success in the hacker world, whether it’s as a criminal or as a crime-fighter. There are four traits all hackers share: creativity, the ability to problem-solve, computer skills, and patience. Let’s break those skills down and explore what they all entail:

Creativity

Hackers are very different than what you might think a typical “computer nerd” is like. While the stereotypical computer nerd is often painted as rigid and only interested in wires and buttons, hackers are actually extremely creative and artistic. They don’t stick inside the box, and many times, they aren’t even outside the box. They create an entirely new box, and then keep going beyond. As we mentioned in the previous chapter, governments have had to respond to hackers with laws because before, no one had any idea what was coming. Abstract, norm-challenging creative thinking is very important for a hacker.

To stretch that part of the brain, hackers are constantly consuming and learning. They usually read a lot, especially science fiction and other literature focusing on unknowns and uncertainties, and they like challenging games, whether it’s on a computer or a board. Different languages are also often interesting to hackers, which is an important piece of communicating with hackers around the world. Of course, there are no rules when it comes to what a hacker is passionate about. One hacker might love photography and Photoshop, while another might be interested in something totally different. That’s the thing with creativity: it has endless forms.

Problem-solving

The basic premise of hacking is manipulation of “stuff,” like computer code, in new and unique ways. Since hackers are essentially creating a new “box,” there is no instruction manual. They are going to be tweaking and building and rebuilding all the time. The “problem” they are working on has no set solution, so they have to keep playing around with it until they find what they believe is the best answer. When one way doesn’t work, a hacker has to pause and analyze what happened and how to be better next time.

To be a good problem-solver, a hacker needs to know where to go for help. That means talking to other hackers and knowing a good resource from a bad one. Since essentially all of hacking is problem-solving, a hacker has to love the process. It is exciting for them to face a new challenge and think up ways to attack it. They aren’t just excited about the final result; they love each piece of it, and putting them all together (or taking them all apart) block by block.

Computer skills

This is obvious. To be a good hacker, one has to know about computers and everything computer-related, whether it’s the Internet or a physical unit. There are four main areas a hacker will need to know inside-and-out:

Programming
Operating systems
Website hacking
Networking

Programming

Programming provides an extremely valuable foundation for hacking. Nearly all hackers start out as programmers. As a programmer, you know how to write, analyze, and dissect code. You can write programs from scratch and edit existing ones to do what you want. To program, you use computer languages, and there are a lot to choose from. The major languages to know are HTML, JavaScript, C, C++, Python, and PHP.

HTML is the standard for web page and web app creation. Any HTML website page with stuff like text and images is written in HTML. You can see a web page’s HTML source code using any browser by hitting CTRL+U.

JavaScript is different than Java, and is used to create online quizzes, polls, and perform other dynamic tasks. Most browsers use JavaScript, like Safari and Firefox. JavaScript and HTML often go in the same file.

The C computer language is one of the oldest and most widely-used. The benefit of using it comes from its age; there’s a lot of source code available. C++ is an extension of the code. If you had to choose to not learn a code, the C code is not as useful as the others.

Python is a text-based language that Google, Wikipedia, and YouTube all use. It’s also one of the best languages for beginners to start learning; it isn’t overly complicated.

PHP is an open source scripting language that’s used primarily by the Internet for stuff like login pages and dynamic images. Interestingly, PHP itself is written in C.

Operating Systems

An operating system is necessary for any computer to run anything. It’s like the computer’s skeleton, and houses all the programs, central processing unit, and more. Examples of operating systems include Windows, Apple, and Linux. When it comes to hacking, an OS needs to fulfill different requirements than for just the everyday user. A hacker will know which is best for what purpose. Ideally, a hacker will be familiar with a variety of operating systems.

Internet hackers today like Linux, because it’s considered the “operating system of the Internet.” There are millions of lines of code written for Linux and the code is very versatile, which means it can be used for a lot of different projects, including hacking. It’s also open-source, which is a must for hackers. If something isn’t open-source, it means it can’t be edited. Other benefits include stronger security, compatibility with the most programming languages, and a lot of tools for hackers that were created especially for Linux.

Website hacking

The third computer skill necessary for hackers is website hacking. In recent times, hackers love getting into web applications for any number of reasons, including getting private information, vandalizing a website, or shutting it down completely. Hacking a website, especially one with high traffic, is a good way to access valuable data, which is why this skill has become so common.

Networking

Understanding how computer networks work is crucial for a hacker. A computer network is any set of computers connected to share resources. That’s why when a hacker accesses a network, they get access to all the computers within that network. There is not one type of network, which is why hackers need to understand all of them. They have names like PAN, LAN, DHCP, NAT, DNS, and so on. A PAN is a personal area network, which usually just means one computer, like your desktop computer at home. Offices usually use a LAN - local area network - which consists of a few computers all linked to a few printers and the Internet.

Some other aspects of networking hackers will need to know and understand in practice include routers, switches, IP addresses, and so on.

Patience

The last skill a hacker should possess is patience. All of the computer programming work, problem-solving, and abstract thinking is hard work, and takes a lot of time. Hacking is not always a fast process, especially when you’re just getting started, so being patient is necessary for the process to be effective at all. It takes time to build up the skills to be a really good hacker who can work very quickly, and not everyone can be a hacking prodigy like Kevin Mitnick.

If the hat fits

Who has these kinds of skills and what do they do with them? Are all hackers bad? What defines an “ethical” hacker? The next chapter will explore what it means to be a white, black, or gray hat hacker.

Chapter 3: The Different Types of Hacking

You know that all hackers share the same general skill set, but what they do with their talents can vary greatly. Some hackers work for legitimate companies as security experts, while others are cybercriminals. Another group blurs the line between “good” and “bad.” The kinds of attacks hackers engage in are just as diverse, from cracking passwords to planting malware on popular websites. Let’s start with the three kinds of hackers: white, black, and gray hat.

The three hacker hats

White hats

White hat hacking is ethical hacking or hacking with permission from whoever owns the program or network. White hats are computer security experts hired by companies to break into their systems and find vulnerabilities before the bad hackers can. The budget for white hacking has grown significantly in the last five years, because companies are aware of the costs of an attack. Some companies have their own in-house hackers, like Google, who they pay up to $20,000 for finding a bug, while others hire freelancers or firms. Kevin Mitnick now identifies as a white hat. The process white hackers use to find bugs and weaknesses is known as “penetration testing.” Their methods are identical to what a black hat, or illegal hacker, would use, but the intent is completely different. White hats get their name from old Westerns, where good guys always wore white hats.

Black hats

Black hat hackers (or “crackers”) are the “bad” guys and labeled as criminals. They use their computer skills to steal personal information, passwords, credit card numbers, and more. Their motive is usually money, creating chaos, or revealing secrets. They often sell their programs and methods to other hackers. If you hear about a big hacking attack on the news, odds are it’s been performed by a black hat.

Gray hats

Gray hat hackers don’t fit into the “good” or “bad” category easily. They may break laws or walk the line on what most people consider “ethical,” but their intent is not as clearly malicious as black hats. Oftentimes a gray hat might break into a system without asking, but then offer to patch the vulnerability for a fee. They won’t exploit the weaknesses they find or let other hackers in on it. Gray hats frequently work for government agencies like the military or intelligence agencies, who might use what the hackers teach them to collect information on citizens, most likely in the interest of national security. Whether or not this is ethical is not set in stone; thus, the “gray” moniker.

Types of hacker attacks

Whether a hacker is white, black, or gray hat, they might use the same types of hacker attacks. The list of potential attacks is lengthy, so the ones below are just a sampling of the most common ones.

Password cracking

Most of the accounts that hackers are interested in use a password for authentication, so cracking your passwords is one of the most common attacks. There are two major methods that crackers use: guessing, and brute-force attacks. With guessing, a hacker tries the most commonly-used passwords first, like “password,” “1234,” your pet’s name, your spouse’s name, your birthday, and so on. Info like your pet’s and spouse’s name can be easily found on social media accounts and since most people don’t use all the security features offered, complete strangers can easily recover that info.

The other method is the brute-force attack, which is when the hacker systematically checks every possible password combination and tries it out. A dictionary attack will go through words in the dictionary or run through the most common passwords for you. The shorter the password is, the faster it is to crack. Reverse brute-force attacks are when a hacker has one password they know is correct or a very common password, and they run it against multiple usernames or files to see what sticks. Hackers will use software for their brute-force attacks, like Cain and Abel, Aircrack-ng, and John the Ripper.

Now, this only works on downloaded files, because online accounts like Gmail limit the number of times you can enter an incorrect password. The web service even bans IP addresses completely if it detects too many incorrect password attempts. Once an encrypted file is downloaded, however, a hacker can try as many passwords as they want. If a hacker is working on cracking a strong password, they need quality hardware, or it will take forever to decrypt. The hacker hardware of choice is several graphics cards running at once.
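The limits described above can be seen at work in a short Python sketch. This is an added example, not code from the book; the log format, thresholds, usernames and addresses are all constructed for illustration. It reads login records and flags an account to lock, an address to ban, and a reverse brute-force attempt, which a per-account limit alone would miss.

```python
"""Added example: flag online password guessing in login records.
The log format, thresholds, users and addresses are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

WINDOW = timedelta(minutes=10)   # how far back failures are counted
MAX_FAILS_PER_ACCOUNT = 5        # lock the account at this many failures
MAX_FAILS_PER_IP = 20            # ban the source address at this many failures
MAX_USERS_PER_IP = 4             # distinct accounts one address may fail against


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["result"], m["user"], m["ip"]


def analyze(lines):
    """Apply the three limits over a sliding time window of failed logins."""
    events = sorted(e for e in map(parse_line, lines) if e)
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_ip = defaultdict(deque)     # ip -> (timestamp, user) of recent failures
    report = {"lock_accounts": set(), "ban_ips": set(),
              "reverse_brute_force_ips": set()}
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        uq, iq = fails_by_user[user], fails_by_ip[ip]
        uq.append(ts)
        iq.append((ts, user))
        # Forget failures that have fallen out of the window.
        while uq[0] < ts - WINDOW:
            uq.popleft()
        while iq[0][0] < ts - WINDOW:
            iq.popleft()
        if len(uq) >= MAX_FAILS_PER_ACCOUNT:
            report["lock_accounts"].add(user)
        if len(iq) >= MAX_FAILS_PER_IP:
            report["ban_ips"].add(ip)
        # One address failing against many accounts: each account sees only
        # one or two failures, so the per-account limit never triggers.
        if len({u for _, u in iq}) >= MAX_USERS_PER_IP:
            report["reverse_brute_force_ips"].add(ip)
    return report


def sample_log():
    """Constructed log lines (documentation-range addresses, made-up users)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def line(offset_s, result, user, ip):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f"{ts} login result={result} user={user} ip={ip}"

    lines = []
    # One address guessing many passwords for a single account.
    lines += [line(i * 5, "FAIL", "alice", "203.0.113.5") for i in range(6)]
    # One address trying a single common password against many accounts.
    lines += [line(60 + i * 30, "FAIL", u, "198.51.100.7")
              for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    # A sustained run of guesses from one address.
    lines += [line(120 + i, "FAIL", "admin", "192.0.2.9") for i in range(25)]
    # A legitimate user who mistypes twice and then gets in.
    lines += [line(200, "FAIL", "grace", "192.0.2.44"),
              line(210, "FAIL", "grace", "192.0.2.44"),
              line(220, "OK", "grace", "192.0.2.44"),
              "a malformed line that is skipped"]
    return lines


if __name__ == "__main__":
    for finding, values in analyze(sample_log()).items():
        print(finding, sorted(values))
```
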

Man in the middle

A “man in the middle” attack, or MiTM, is when a hacker spies on your Internet activity to get private information. It gets its name from the fact that when a person connects to a server or other device, the hacker squeezes in the middle to see what you’re up to. They do this by pretending to be a trusted party, like Facebook or your bank. Using malware, the hacker will get into a person’s browser and put on their disguise. While in the middle, their disguise is a counterfeit site into which the victim types their info, which the hacker can see. The hacker then transmits the info to the real site, and gets in using your information. For example, the hacker could commit financial fraud by pretending to be a banking website. By hijacking the victim’s information, they now have the power to actually alter bank transactions without the victim knowing.

This kind of attack, one with a fake browser, is called a man-in-the-browser attack. There are four other forms of MiTM attacks: WiFi eavesdropping, man-in-the-mobile, man-in-the-phone, and man-in-the-cloud. WiFi eavesdropping is when a hacker jumps on a WiFi connection, usually an open, public one such as Starbucks. They do this by creating an “evil twin,” the jargon for a fake WiFi node, and waiting for someone to connect to it.

Man-in-the-mobile is used to catch a mobile device’s SMS traffic, which includes text messages. The hacker will use their software to scan the device, like a smartphone, for authentication codes and passwords sent by banks and other entities. This allows the hacker to begin pretending to be that entity.

Man-in-the-app may seem relatively harmless, but a lot of apps use credit card information, and most apps have really bad security. Man-in-the-cloud is also an extremely dangerous attack, because of how reliant we are becoming on the cloud. Another concern people have is that as more and more devices become “smart,” hackers will be able to hack into just about anything, whether it’s a TV or a car. Anything with basic operating systems and an Internet connection can be hacked, and most companies don’t bother to put in top-of-the-line security because they assume no one will want to hack a smart thermometer. That is an unwise assumption.

Denial of service

A DoS attack is when a hacker floods a website with so much traffic that it overloads and fails. This is done by the hacker sending authentication requests to the site using fake return addresses. When the server tries to fill the request, it won’t be able to, so it waits a bit before ending the connection. When it closes, the hacker sends more fake requests, and the website gets flooded.

A typical DoS attack is done with one computer, but DDoS - distributed denial of service - is more intense. A hacker will use their one computer, but then use multiple IP addresses across two+ networks to send fake requests. This makes it harder for a server to pick up on the fact that it’s being attacked because it looks a lot more real.

Common victims of denial-of-service attacks include banks and credit card processors. The first example of a DoS took down the Internet in the Las Vegas Strip in 1997 during Defcon, and in the next year, that code was used to attack companies like eTrade and Sprint. Sometimes hackers will use permanent denial-of-service (PDoS), which damages servers so badly they need to be replaced completely.

Packet sniffing

Packet sniffers are not exclusive to hackers. When a packet sniffer is installed on a computer, it can access all the “packets” sent through the network the computer is on. For most, they are devices used by network admins to monitor network data, network backups, maintenance, and security. However, if a hacker is using a packet sniffer, they intercept network info, like passwords, emails, visited websites, and so on. When tons of credit card numbers get stolen at once, odds are the hacker used a packet sniffer. Like a dog sniffing around a neighbor’s property, a packet sniffer spies on a network’s activity.

How do sniffers work? A sniffer is a piece of software that hackers install and hide in a network, like little spy cameras. The sniffers catch inbound and outbound network traffic. If the network is wired, what a sniffer can get depends on how the network is set up, while if the network is wireless, it can only catch one thing at a time. Once the sniffer has caught a piece of data, it analyzes and translates it for the hacker to read. Because packet sniffers are easy to hide, they’re a favorite tool for hackers.

When a hacker is going after a wireless network, they have two sniffer mode options: monitor and promiscuous. With monitor, they just get access to incoming data, and they’re very hard to find. However, hackers tend to actually prefer the promiscuous mode, because it lets them see everything, incoming and outgoing. The downside is that this means the sniffer is sending data out into the network; it’s basically leaving footprints, so the hacker can get caught more easily.

Social engineering

Social engineering sounds technological, but it’s actually just a fancy word for plain ol’ manipulation. It’s used by everyone from con men selling people on bogus products up to the highest levels of government convincing citizens to vote on policies against their best interest. Social engineering relies on emotions like fear, sympathy, curiosity, and greed. It’s essentially the oldest form of “hacking,” and modern hackers utilize it constantly.

Why? Well, it’s way easier to get into a computer network and all that juicy information when someone just gives it to you. If a hacker can convince somebody to give them access, they’re going to go that route. If they can get the victim to download a hacking program on their own, that’s way easier than trying to install it sneakily. There are several tactics that hackers use:

The technical support scam

A hacker will send someone a pop-up in bright letters, usually through a browser, that tells the victim they’re infected and have to download a program to get rid of the virus. If the person downloads it, they’ve just downloaded malware that the hacker will use to get their personal information.

Phishing

The original phishing scam is the Nigerian prince story, where people got an email saying that a Nigerian prince needed a sum of money and if someone sent it, they would get a larger cut later on. Other classics include the fake “You won our big sweepstakes!” message, which so many people fall for even if they’ve never entered said sweepstakes. Since these oldies are so familiar, hackers will get creative by carefully composing messages to look like they’re from official sources, like a medical provider or bank. Hacking targets are more likely to believe the message is from the real deal, and hand over personal data.

Clickbait

These are the articles with headlines like:

“Can you believe what this girl’s stepdad caught her doing?”

“Extremely graphic video of a snake eating a lion!”

A lot of these articles do link to websites, but hackers will often hide malware in clickbait of their own, because they know people’s morbid curiosity about violence and sex often overrides their common sense. You’ve probably seen this happen a lot on Facebook: your “friend” posts a weird-looking video on all of their contacts’ walls. If you click on the video, the same thing happens to you. To get rid of it, you have to change your password and then remove the post.

Pretexting

In pretexting attacks, a hacker has to have a little patience and build trust with their target. They will invent a fake scenario that convinces the target they’re legit, and then exploit that trust to get information. One example: a hacker pretends to be a modeling agent and gets women to send them nude photos or give them access to their private photos. This actually happens a lot. AnonIB, an online message board, hosts these images, while sites that hackers use to trick women have trouble tracking the culprits down.

Social networking attacks

These attacks are exclusive to social networking sites like Facebook and Instagram. A hacker will pretend to be someone you know and send you a message with something mean-spirited, like, “Omg, is this your new profile picture?” There’s a link, and when you click on it to see what picture your “friend” is talking about, you infect yourself with malware. This attack works because it targets people’s self-esteem.

Watering hole attacks

You know how sites like Facebook monitor your browsing history, so when you look up an item on Amazon and then go to Facebook, that same item has suddenly appeared in an ad on your side bar? Hackers use this same technology to track your browsing habits, and they find your most frequently-visited websites, where they plant their malware. Because it’s a website you go to a lot, you are more inclined to trust anything that appears on it.

Ransomware

Hackers extort their targets by taking files and then contacting you to say that if you don’t pay them, you don’t get the files back. If you have your files backed up, this isn’t a problem. However, a lot of hackers go further and pretend to be an authority, like the FBI, and say that the files they found point to illegal activity, like child pornography. It doesn’t matter if their target isn’t actually guilty of anything, the threat is scary enough, so the target pays the hackers to delete the files on the hacker’s end. It’s a fairly common problem; one cloud-backup service reported that more than 5,000 people needed help in a 2-month period, with one victim losing access to 14 years’ worth of files.

What do they want?

What exactly do hackers want from their targets when they engage in attacks? If your answer was “money,” you would be partly right, but hackers are actually after several things when they hack. The next chapter will list all the reasons why someone might engage in hacking.

Chapter 4: What Hackers Want

A lot of hackers want to challenge themselves and just see what they can do. White hat hacking is great for this, because it’s a legal way to stretch that hacking muscle without hurting anyone. However, gray or black hat hackers have specific targets they’re after, and they want specific things, including money, personal records, personal accounts, or even truth.

Money

Many hackers just want some green, and will hack directly into financial accounts like banks. The best hackers have to be very careful with credit card numbers; they can’t just start spending. Other money-driven accounts like PayPal are also frequently hacked, and the credentials are sold. An account with $500+ sells for just $6.43 on the web’s black market, so to actually make a living, a hacker would need to steal a whole bunch. One of the largest financial hacks took down Mt. Gox, which used Bitcoin in its exchange. It had to file for bankruptcy after over $460 million was stolen by hackers. Bitcoin was an especially clever target because the transaction system is open-source and once a hacker figures out how to edit the chain, that money is gone and the victim can’t get it back the way they could with a traditional bank.

Health care records

In recent years, health care providers have been a prime target for black hat hackers. Blue Cross Blue Shield had an attack where 10 million had their personal info stolen, including social security numbers. The reason hackers like health care records is that they get just as much info as they would with a credit card, but unlike with straight-up financial fraud, there is no “cancel” button. While a credit card can be cancelled and quickly replaced, healthcare record info can be used over and over again. A hacker could sell a healthcare record for 10-20x more than a credit card number.

Phone numbers

What could a hacker possibly do with a phone number? It’s what the number unlocks that’s interesting to hackers. Phone numbers are unique, and rarely change. By typing a number into Google, odds are a hacker will be able to find the owner’s social media accounts and more information about them. Hackers can then use that information to crack passwords or employ social-engineering attacks to gain access to a bigger booty.

Social media accounts

Social media accounts like Facebook are a treasure trove of information for hackers. They can use what they find to crack passwords, answer security questions, and more. Even information like your latest purchases can help hackers track your online activity and launch personalized, effective attacks against you. Also, since more websites are letting users link their Facebook or Twitter, once a hacker has control of your Facebook, they potentially have control of your other accounts, where even more data and potentially money is stored.

Netflix and gaming accounts

Netflix accounts aren’t hacked because someone wants to watch movies for free. They’re part of a “deep web” economy, where credentials are bought and sold. A Netflix account can sell for 25 cents, and there are probably about 300,000 stolen accounts floating around at any random time. With the personal info stored in a Netflix account, a hacker can get access to a credit card number. Any paid-service account is of interest to hackers. That goes for gaming accounts, too. In 2011, PlayStation was breached, and 77 million accounts were compromised.

Your identity

Hackers used to be focused primarily on corporations and networks, but now, they’re going after individuals more. 54% of hacking attacks are identity thefts. This is because hackers are adopting longer-term techniques. Hacking just for money or actual use of an account is a short-term endeavor, because they get caught pretty quickly. However, stealing someone’s entire identity gives them a longer leash, so they can actually open new accounts for an income or use your identity to hide criminal activity.

Hacktivism

Not all hackers are in it for the money. We are in the age of “hacktivism,” where hackers use their skills to draw attention to a social or political issue. This can look like taking over a popular website and publishing ideas, or shutting down a site completely using DoS.

The most famous hacktivist group is Anonymous, which was founded in 2003. They broke the Steubenville rape cover-up, target ISIS and KKK Twitter accounts, and in February 2017, they took down 10,000 pornographic websites that depicted children.

WikiLeaks, founded in 2006 by the controversial Julian Assange, claims to be devoted to exposing corruption. It publishes classified documents, like Hillary Clinton’s emails. WikiLeaks is criticized for its silence on Russia and exposure of people who could suffer direct harm from the leaks, such as Afghan civilians working as US military informants.

What a hacker loves

So, that’s what hackers are looking for when they’re burrowing around servers and networks. However, they have favorite places to go to, and by knowing what hackers tend to gravitate towards, you can protect yourself more effectively. The next chapter goes over a hacker’s preferred targets and computer programs, and the kinds of attacks they will employ.

Chapter 5: A Hacker’s Favorite Targets

Just about anything with WiFi can be hacked, but what do hackers really like to target? They love small businesses and Big Oil. They also like apps outside of the official store and Adobe Flash. What vulnerabilities exist on the average smartphone or on a coffee shop’s Internet connection? This chapter goes over what happens when you connect to a public WiFi hotspot, how your smartphone is insecure, and how a hacker can get into your home router.

Small businesses

Since 2015, hackers have loved small businesses. Over half of all phishing scams target small businesses. Why? For one, a lot of small businesses have begun to add technologies like iPad checkouts and Internet connections to their business models to attract customers. However, they don’t have the funds or knowledge to make those technologies really secure.

Another reason why hackers go after small businesses is that they are interested in a bigger fish. Small businesses may have access to larger corporations and suppliers, which will result in a bigger payday for hackers. If a hacker can get a small business to fall for an email with malware, a hacker has the opportunity to infect and break into something really big.

Oil, mining, and gas companies

In 2015, a study by the world’s largest cybersecurity firm revealed that 43% of global oil, mining, and gas companies had been attacked at least once during the year. Only governments are attacked more, making it clear that hackers have something to gain from targeting Big Oil. American companies have a big security flaw: their infrastructure is connected to the Internet. This was done to make power more reliable, but it leaves the door vulnerable to black hats who want to cause blackouts or even oil spills.

Third-party apps

There are a lot of apps designed to boost a person’s productivity and help them organize their lives, but these useful tools are a favorite target of hackers. The reason why is that a lot of these apps require personal info to work, like connection to email accounts and so on. If a hacker gets into one of these cloud-based apps, they potentially have access to a lot of personal and corporate data that they can store, steal, or delete. Hackers also like creating fake productivity apps, which made up 31% of all malware apps on Android in 2016.

Another malware app that hackers use is a fake Netflix app. It was available in third-party app stores. Once a user downloaded the app and clicked on the “Netflix” icon, it disappeared. A Remote Access Trojan, or RAT, was installed, giving the hacker the ability to copy files, steal your texts, see your contacts, take pictures, and even activate the phone’s microphone so they can eavesdrop on you. A hacker could also delete any antivirus programs you might have.

Installing the legit Netflix app isn’t hard; you just have to go to the Google Play store. However, for those who want to watch porn on their gadget, there is no official app for that. PornHub does have an official app you can get outside of the store, but hackers are taking advantage and creating their own malware apps. When you install the fake app, it has you check for viruses, but it’s actually installing ransomware. It then locks your phone and demands $100 in Bitcoin.

A hacker’s favorite programs

People like loading up their computers with fun and useful programs, but not all of these programs are secure. Hackers have favorites because of a program’s inherent insecurity. One of the best programs for hackers and worst for everyone else is the Adobe Flash plugin. Over and over again, Adobe Flash has ranked as the worst program in terms of security. Facebook has even banned Flash-based ads, and Apple has never allowed Flash on its devices. Still, it’s one of the Internet’s most used systems, so it will be a long time before it goes away for good.

For Windows users, Apple’s QuickTime program has become a big enough problem that the Department of Homeland Security is telling people to uninstall it immediately. Though it is rarely used nowadays, it’s still included in installations of iTunes. It has two big vulnerabilities, and Apple is no longer providing security updates, making it irresistible to hackers.

Computer company Lenovo also inadvertently installed a major security threat on many of its computers in 2015. Superfish is an advertising software program that sticks ads into web pages. Hackers are able to tweak the program, which authenticates HTTPS pages, into authenticating their fake websites. Lenovo has since stopped putting Superfish on their computers.

What happens when you use public WiFi hotspots

Right off the bat, a public WiFi spot might be dangerous because it could be fake. Creating fake network connections is something hackers can do, and once you join it, you’ve just exposed all your personal info to the hacker. Even if the hotspot is legit, it’s still risky. This is because public hotspots are usually unencrypted, which means anyone connected to the same network as you can see all your network traffic, including what websites you’re visiting. They can even see when you visit an encrypted site, like a bank website, though they won’t see exactly what you’re doing.

What exactly could a hacker see? They could see the web pages you’re visiting. With a wireless network analyzer installed on a laptop, a hacker will get sent a whole bunch of packets they can search for HTML code. The network analyzer will transform the data into a readable form, so the hacker literally sees what you saw - all the web pages you were visiting. Even more frightening, that same tool could capture text messages sent on a connected smartphone as well as emails. They could see your login credentials, and then just configure their account so they get sent your emails.

With just an app and unsecure WiFi, a hacker could break into your Gmail, Yahoo, Facebook, and LinkedIn. The app DroidSheep searches for unsecure logins, allowing a hacker to access the site if someone is still logged in. With this lack of protection, a hacker doesn’t need your login - the door is wide open.

Another vulnerability with hotspots is FTP, which stands for File Transfer Protocol. If you use an FTP server to upload, download, and share files, and then connect to an insecure hotspot, a hacker can easily grab them and your FTP login credentials.

Cracking a smartphone

Pretty much everyone has some kind of smartphone nowadays, so you would imagine that the creators have secured them well. Unfortunately, there are still a lot of vulnerabilities on most smartphones. The first one is that the password and authentication systems aren’t great. A lot of devices don’t have passwords enabled at all, at least beyond the initial unlocking of the phone, and even that would be pretty easy for a hacker to crack. Most phone owners also fail to use two-factor authentication, which would be like a password and also a fingerprint scan, or a physical object, like an ID card. If they are using a security feature, it’s usually just a static password.

The app store can be a dragon’s den of malware. Disguised as a game or utility, malware lurks in every corner, and because it’s on the store, phone users tend to automatically trust it. Once they install it, their phone is officially infected.

So far, the past two vulnerabilities can be handled by the phone owner, and they can secure their phone themselves, but there are two big problems that phone creators need to address. Number one, mobile devices do not come pre-installed with security software. There are no protections against malware or other hacking attacks. It’s not responsible for phone creators to give consumers a device that’s so easily hackable with no tools built in for their security.

Operating systems are also disturbingly ineffective against modern hackers. Security fixes that do come out take a long time, and in the case of Android, a vulnerability was actually built right into the system itself. Android had a media playback tool called Stagefright. When sent a video text message infected with malware, Android’s Stagefright would automatically reduce the lag time in order to process the video. That slowing down let hackers squeeze in and gain control of the phone. In the first quarter after Android was released with Stagefright, 99% of the malware attacks were targeting Android.

Hackers and your home router

The router you use at your home is responsible for broadcasting a private wireless Internet signal, but the routers are actually very easy to hack. Thirteen of the most popular routers like Netgear are hackable by anyone with some basic knowledge and LAN access. There are three types of attacks that hackers like to use:

Trivial attacks

These attacks can be performed without access to credentials or interacting with an actual person. A hacker could work with LAN access and not need your login information or get you to open a corrupted file or malware.

Unauthenticated attacks

For this attack, a hacker does need the victim to perform some task for them, like following a malicious link. They don’t need login credentials, though.

Authenticated attacks

These are the hacks that do need login credentials, though a hacker can just piggyback on the victim if they’ve used their default credentials, or if they’re logged into an active session.

Since the security flaw is built into the routers, there isn’t much you as a consumer can do. It doesn’t matter how much security you’ve installed on your computer; the router is totally independent from all that. It’s the router creators that need to get their heads in the game. Unfortunately, they haven’t been doing their jobs very well. In 2012, hackers got into 4.5 million modems in Brazil because of outdated software. Using that vulnerability, the hackers got the modem’s admin password, had victims use fake banking websites, and then stole their bank account info.

What can you do to protect yourself from hacking attacks like this? The next chapter hits on every vulnerability we’ve discussed so far, and tells you what you can do. From creating stronger passwords to installing encryption software, you can significantly reduce your chances of being hacked.

Chapter 6: How To Protect Yourself Against Hackers

Are you worried that your tech stuff is insecure? You know all the ways that a hacker can spy and steal important and personal information, but how do you keep it safe? This chapter goes over how to write stronger passwords, how to guard against sniffers and ransomware, how to keep safe on public Wi-Fi, and how to protect your home router.

Passwords

Cracking passwords is the classic hacker move. They don’t need a lot of fancy technology or computers to perform this attack, so just about any beginner hacker can try and get you this way. The best way to protect yourself is to create a really strong password. Here are some tips:

Use a combo of symbols, upper and lowercase, and numbers

Using a mixed password makes it much harder for a hacker to crack it. An 8-character password with symbols, numbers, and upper/lowercase letters has 30,000 more combinations than an 8-character password that just uses lowercase letters. A hacker could take the time to use software to run through every combination, but they’re more likely to skip you and move onto someone who wasn’t as smart with their password.

Use a password that doesn’t have anything to do with your personal info

Hackers will look at social media accounts for information like your spouse’s name, pets, and so on, because so many people use pieces of personal info for their passwords. It’s way better to write a password that’s completely random and unrelated to your life. If your name is Jimmy and you were born in 1977, a password like “jimmy1977” will be very easy for a hacker to guess.

Use a different password for important accounts

Instead of using one password for your email, bank, and other important accounts, create a unique one for each of them. That way, even if a hacker gets into one account, they don’t automatically get into all of them.

Use unique answers for your security passwords

If you forget your password, most websites will have you answer a security question before sending you a link to recover it. Make that answer as unique as a password by adding numbers or symbols. If the question is “What was your first pet’s name,” don’t just have the answer be, “Muffin.” Make it “MuffiN#5,” or something else really random that a hacker wouldn’t be able to figure out by looking at your social media accounts.

Make sure your password key is safe

If you have a bunch of passwords, you probably have them written down somewhere, but you will need to hide that key. Don’t leave physical notes around your computer, and if you do have the key on your computer, you want to hide it in a file that isn’t obviously important. You can also use a password manager, though do your research, because those can be hacked, too.

Add 2-step verification

This is arguably the best thing you can do for your personal security. It requires that you put in your username, password, and have access to your phone, so unless the hacker somehow has all three, they aren’t able to get into your account.
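The first three tips can be checked mechanically. The following is an added example, not code from the book: it audits a constructed set of account passwords for character-class mix, personal-info tokens (including simple leetspeak such as "J1mmy") and reuse across accounts. The profile, the passwords and the thresholds `min_length=12` and `min_classes=3` are assumptions made for the illustration.

```python
"""Password hygiene audit for the tips above (added example, constructed data)."""
import math
import re
import string

# Character classes named in the first tip.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
# Undo common letter substitutions before looking for personal words.
LEET = str.maketrans("013457@$!", "oieastasi")

# Constructed sample data: what an attacker could read off a social media profile.
PROFILE = {"name": "Jimmy", "born": 1977, "pet": "Muffin"}
ACCOUNTS = {
    "email": "jimmy1977",
    "bank": "jimmy1977",
    "forum": "J1mmy!Rocks77",
    "shop": "t7#Kq!vR2m@Zx9",
}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return sorted(name for name, chars in CLASSES.items()
                  if any(c in chars for c in password))


def search_space_bits(password):
    """Upper bound on brute-force work: log2(alphabet_size ** length)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def personal_tokens(profile):
    """Split profile values into lowercase words and numbers of 3+ characters."""
    tokens = set()
    for value in profile.values():
        for tok in re.findall(r"[a-z]+|\d+", str(value).lower()):
            if len(tok) >= 3:
                tokens.add(tok)
    return tokens


def personal_hits(password, profile):
    """Profile tokens found in the password, as typed or after undoing leetspeak."""
    raw = password.lower()
    deleet = raw.translate(LEET)
    return sorted(t for t in personal_tokens(profile) if t in raw or t in deleet)


def reused(accounts):
    """Map each password used by more than one account to those accounts."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {p: sorted(a) for p, a in by_password.items() if len(a) > 1}


def audit(accounts, profile, min_length=12, min_classes=3):
    """Return {account: [findings]} for every account with at least one finding."""
    shared = reused(accounts)
    report = {}
    for account, password in accounts.items():
        findings = []
        if len(password) < min_length:
            findings.append("short")
        if len(classes_used(password)) < min_classes:
            findings.append("few-classes")
        if personal_hits(password, profile):
            findings.append("personal-info")
        if password in shared:
            findings.append("reused")
        if findings:
            report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(ACCOUNTS, PROFILE).items():
        bits = search_space_bits(ACCOUNTS[account])
        print(f"{account}: {', '.join(findings)} (search space <= {bits:.0f} bits)")
```

The bit count is only an upper bound on brute-force effort: "J1mmy!Rocks77" scores well on length and character classes and is still flagged, because a guesser who starts from the profile never has to search that space.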

Brute-force attacks

A common attack against passwords is the brute-force attack. There are four ways you can protect yourself:

Keep encrypted data safe

Once a hacker has actually copied your data, they can run as many brute-force attacks as they want. The key then is to prevent them from getting the data in the first place. Keep it encrypted, and keep it hidden. Don’t have a folder labeled “Important,” “Private,” or “Passwords” just sitting out in the open, and definitely don’t label files so obviously.

Make sure website logins limit password attempts

Just about every login site does this, so it isn’t as big of a deal anymore. Still, just make sure all the sites you use have this feature.

Use long, secure passwords

We discussed this in the section above, so just know that good passwords are essential to preventing brute-force attacks. You want to make the hacking work as difficult as possible, so a hacker loses interest and goes after an easier target.

Use strong encryption algorithms

Encryption algorithms are utilities that basically turn your data into a jumbled code. Without the passcode, a hacker can’t read the data. The algorithms have names like Triple DES, RSA, and Blowfish. AES is considered one of the best today, provided that you use 256-bit keys, as opposed to 128-bit. The 128-bit is easier for hackers to brute-force, while 256 takes a lot more time and computing power to crack.
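What "limit password attempts" looks like on the website's side, as an added example that is not from the book: a per-account limiter that counts failures in a sliding window and doubles the lockout each time it triggers. The class name, the thresholds (5 failures in 300 seconds, 60-second first lockout) and the event log are assumptions constructed for the illustration.

```python
"""Login attempt limiter (added example; thresholds are assumptions)."""
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window=300, base_lockout=60, max_lockout=3600):
        self.max_failures = max_failures
        self.window = window              # seconds over which failures are counted
        self.base_lockout = base_lockout  # first lockout, doubled on each repeat
        self.max_lockout = max_lockout
        self.failures = defaultdict(deque)  # account -> times of recent failures
        self.locked_until = {}              # account -> time the lock expires
        self.lock_count = defaultdict(int)  # account -> locks so far

    def retry_after(self, account, now):
        """Seconds until another attempt is accepted (0 means allowed now)."""
        return max(0, self.locked_until.get(account, 0) - now)

    def record(self, account, success, now):
        """Register one attempt; returns 'ok', 'failed', 'locked' or 'rejected'."""
        if self.retry_after(account, now) > 0:
            return "rejected"  # the password is never checked while locked
        if success:
            self.failures.pop(account, None)
            self.lock_count.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.lock_count[account] += 1
            lockout = min(self.base_lockout * 2 ** (self.lock_count[account] - 1),
                          self.max_lockout)
            self.locked_until[account] = now + lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(events, throttle=None):
    """Run (time, account, success) events through a throttle; list the outcomes."""
    throttle = throttle or LoginThrottle()
    return [throttle.record(account, ok, now) for now, account, ok in events]


def guesses_checked(seconds, rate=1, throttle=None):
    """Simulate one wrong guess every `rate` seconds; count those actually checked."""
    throttle = throttle or LoginThrottle()
    return sum(throttle.record("victim", False, now) != "rejected"
               for now in range(0, seconds, rate))


# Constructed event log: alice mistypes twice, bob's account is being guessed.
EVENTS = ([(0, "alice", False), (10, "alice", False), (20, "alice", True)]
          + [(100 + i, "bob", False) for i in range(7)]
          + [(170, "bob", True)])

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
    print("guesses checked in one hour at 1/s:", guesses_checked(3600))
```

With these settings an hour of one-guess-per-second traffic gets 30 passwords checked instead of 3,600. Keying only on the account name lets anyone lock a user out on purpose, so deployments usually also throttle per source address.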

Sniffers

To protect yourself against packet sniffers, you can install a tool that will let you know if someone on your network is using a sniffer. Called Antisniff, it can detect if someone is using a sniffer’s promiscuous mode to capture all your traffic. You can also use encryption, so even though the sniffer is getting all the information, it’s unreadable. If the hacker tries to modify anything to make it readable, the process can cause errors and will alert you that someone is trying to decrypt the data.

Social engineering

The most obvious defense against social engineering attacks is to use your brain. Be very skeptical of anything that comes your way, whether it’s a clickbait-like article, an IT alert, or “once in a lifetime” offer. Do a little research on the source. Try and trace them to see if they’re legitimate. If your friend posts something out of character, it’s probably not them.

To reduce the number of social engineering attacks, install security programs that will block malware and viruses. Be sure the programs are effective, and don’t get more than you need. Every piece of software has vulnerabilities, so even though they are meant to keep you secure, having too many programs comes with risks.

Clear out cookies on a regular basis. A cookie is a little file that gets stored on your computer when you visit a website, so the company of the website can track their consumers. Lock down your Facebook and other social media accounts using the privacy settings, so hackers aren’t able to find info on you they can use in phishing scams or other attacks.

Ransomware

The best defense against ransomware is to keep your data backed up, so if hackers do get your files, you have other copies to rely on. Backing up to the cloud is best, because hackers can get into your backup systems as well, if they break into your desktop and then into the network server. If you do choose to back up on a storage device that’s not the cloud, you want it to be offline, and not connected to a hackable desktop system. An external hard drive should be connected to the computer when you’re putting on the data, and then disconnected right away.

Don’t open suspicious emails/links

One way that hackers install ransomware is by getting victims to open a malicious email or link. Another attack is called “malvertising,” which is when a hacker infects an ad email, so you believe you’re opening an email from The New York Times, but it’s ransomware. The easiest way to avoid the ransomware is to simply not open suspicious emails or links. To avoid those malverts, ad blockers can help. If companies are having trouble with employees accidentally installing ransomware, IT training can make a big difference. One company that does security awareness training said 15.9% of employees used to click on ransomware, but with training, it dropped to 1.2%.

Limiting apps and permissions

Ransomware is a computer application, so by “whitelisting” only legitimate apps that you expressly approve, you can stop ransomware from getting installed on your computer. A computer admin can do this by scanning the computer, approving the legitimate apps, and then configuring the computer to stop all other files from installing.

You can also limit permissions, so instead of having all the files on one server, the admin can break the workplace into smaller groups. That way, if one server gets attacked and locked by ransomware, not all the servers or files are compromised. By dividing up the files among a lot of servers, it makes hackers work a lot harder to get a satisfying number of files to hold hostage.

Disconnect to prevent spread

What should you do if someone on the server does install ransomware? Disconnect. Disconnect the infected systems right away from the network at large, and disable any Bluetooth and WiFi on all the machines to stop the spread of the ransomware. It’s like cutting off a gangrenous limb before the infection spreads to the rest of the body. Once the rest of the system is safe, you can conduct an “autopsy” on what was infected, and figure out what to do next.
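The scan, approve, then deny-by-default workflow described under "Limiting apps and permissions" can be modelled with content hashes. This is an added example, not from the book: the file names and contents are constructed, and on a real system the enforcement step is done by the operating system's application control feature rather than a script.

```python
"""Hash-based application allowlist (added example, constructed files)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file's contents in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(root):
    """Scan step: record the hash of every file under root the admin approved."""
    allow = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            allow[sha256_file(path)] = os.path.relpath(path, root)
    return allow


def may_run(path, allowlist):
    """Enforce step: permit a file only if its exact contents were approved."""
    return sha256_file(path) in allowlist


def demo():
    """Approve two constructed 'apps', then test a tampered copy and a new file."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("editor.bin", b"approved editor v1"),
                           ("mail.bin", b"approved mail client v3")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        allowlist = build_allowlist(root)
        editor = os.path.join(root, "editor.bin")

        results = {"approved": may_run(editor, allowlist)}

        # Same name and path, different bytes: the hash no longer matches.
        with open(editor, "wb") as fh:
            fh.write(b"approved editor v1 plus something extra")
        results["tampered"] = may_run(editor, allowlist)

        # A file that was never scanned is denied by default.
        dropped = os.path.join(root, "invoice.pdf.exe")
        with open(dropped, "wb") as fh:
            fh.write(b"unknown program")
        results["unknown"] = may_run(dropped, allowlist)
        return results


if __name__ == "__main__":
    print(demo())
```

Matching on content rather than file name is what makes the list hold up when an approved program is overwritten in place; the cost is that every legitimate update has to be re-approved.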

Keeping safe with public WiFi

It’s very common to become a victim of man-in-the-middle attacks when you’re out in public, like at a coffee shop. Even if it has a password, that doesn’t mean it’s safe, because everyone in the coffee shop is on the same network, and people often share passwords on review sites like Yelp. The first thing to do is make absolutely sure you aren’t connecting to a fake connection. Ask the coffee shop what their network is called.

Once you’re on a shared network, make sure the websites you’re visiting are encrypted. Getting a browser extension like HTTPS Everywhere will send you to the encrypted version of any web page, if it’s available. With encrypted sites, a hacker will only be able to see where you are, but not what you’re doing, so login credentials are safe.

Another good idea is to pay for a VPN connection. VPNs, or Virtual Private Networks, are personal, private connections used to link to a public Internet connection. It shields you from viewers of the public connection. For the best security, you want a VPN even when you’re visiting encrypted sites, because the VPN will hide your activity and the names of the sites you’re visiting. All a hacker will see is that someone is using a VPN connection.

Protecting your home router

Securing a home router should primarily be the company’s job, but since they haven’t been doing it, there are ways you can protect yourself. The first thing to do is change your router’s administration password and username. It’s easy for a hacker to find the default credentials, so as soon as you get a router, change them. If a router doesn’t come with a default, add your own. You should also disable the remote administration, so a hacker can’t get control of the router from another computer.

Once you’ve changed the credentials, you want to make the network name hard to guess. The name is called the SSID, and it will probably be something simple, like the manufacturer’s name. You want to change the SSID to something completely random and unique, so the hacker can’t guess anything about the router.

The last two things that keep your router safe are updated firmware and a good encryption. Check the router’s advanced settings to make sure the firmware is current. If it isn’t, hackers could exploit what insecurities they know exist in old firmware. You should also use WPA2 encryption, which encrypts all the information the router transmits. Go to the advanced settings and enable the WPA2.

What’s next in the hacker world?

We know what hackers are currently up to, but they’re always pushing the envelope and transforming their world. What does the future of hacking hold? Should we all be scared to death, or confident that the white hats will work just as hard as the black hats to keep everyone safe?

Chapter 7: The Future of Hacking

Hackers are defined in part by their ability to see beyond what others say is possible. In that way, they live in the future. That makes predicting their next moves tricky, but fascinating. If it can be imagined, hackers will try to make it a reality. What are some new security issues to be on the lookout for? How will hackers switch up their activities?

The new plan of attack

What’s next for black and gray hat hackers? Experts are predicting that the following attacks are likely to become more and more common:

Radio frequency ID thefts

RFID is used in a variety of ways, including as physical access keys, car keys, and inventory tracking at retail stores. They will eventually show up in passports, credit cards, and even implantable chips, so doctors can monitor patients. Hackers are going to be taking advantage of this. Right now, if a hacker wanted to break into someone’s office and run off with valuable equipment, he just needs to get close to his target with a small cloner. This device can clone the signals that come from an RFID chip, so when the hacker walks up to his target’s locked office door, his cloner activates the lock and it opens for him. A hacker could also mess with the data associated with the chip, which could mean changing prices on inventory. RFID-enabled device manufacturers are aware of the weaknesses, so the signals can be encrypted. However, these more secure devices will be more expensive, and a lot of companies are likely to leave their chips vulnerable.

ATM hardware hacks

ATM attacks have skyrocketed, and they are going to keep going up. What hackers are doing is installing “black boxes.” This means a hacker will go to a physical ATM, disconnect the cash dispenser from the ATM’s brain, and connect their own computer. By adding a smartphone connection, they can control the machine remotely, as well. They are now in charge of the ATM, and will direct the ATM to release cash. The really sneaky hackers are even able to fool the machine into believing the ATM’s brain is still hooked up to the cash dispenser, so it can take a long time before anyone catches on.

Malware-targeting virtual machines

A virtual machine (VM) is an operating system or piece of software that acts like a computer, and is installed on a computer. It’s like a “guest” that has a “host,” which is the main computer. When malware is on a VM, it can’t see the host or attack it, so the attack is meaningless. However, new malware is able to discern whether or not it is running on a VM, and can shut down so it isn’t discovered. This gives the hacker more time to decide what to do. Even more advanced malware is expected to appear soon, and it will be able to escape the VM into the host.

RAM scraping

This type of attack is geared towards payment systems, like cash registers and credit card terminals. The data on these machines is encrypted, except for one very brief moment when the data is being stored in the RAM of the payment-processing server, or point-of-sale server. That’s when a tiny RAM scraper (a piece of malware less than 1MB) steps in, capturing the info before your purchase is even confirmed by the retail’s server.

A RAM scraper caused the Target credit-card number breach in 2013, where over 40 million credit card numbers were compromised. While RAM scraping as a concept is not new, it’s being used for much bigger attacks than in the past, and hackers are getting better at it. The RAM scraper malware can be hidden very well and encrypted, so antivirus scans and other security will miss it completely.

Shadow/Stealth IT

Shadow/Stealth IT describes any information-technology system used inside an organization without approval, like an online messaging system, Skype, USB flash drives, and so on. It can also describe security solutions that originate outside the IT department of a company. The problem is that when Shadow IT is employed, important data is moved outside of a safe space. Cloud apps have become an especially big problem because official IT and security teams can’t control or monitor them very well. Hackers will exploit people’s ignorance about Shadow IT and take advantage of the widespread insecurity on a larger scale.

Dark knight attacks

Named after the movie and its plot point where all the cell phones in Gotham are hacked to create a live 3-D feedback of everything happening in the city, hackers are almost certainly going to hack into smartphones, gaming systems, and anything else they can. That would mean stuff with video cameras, GPS, microphones, and more. When they combine this hacked equipment with other technologies like facial recognition and the ability to pinpoint a target’s location, hackers will become way more sophisticated and dangerous.

How is society going to defend itself against malicious hackers with new tools and techniques? DARPA - the U.S. Department of Defense’s research branch - has always been interested in improving security. In August 2016, they held a Cyber Grand Challenge to see if competitors could create systems that would make a computer autonomous and able to defend itself against attacks. This was in response to the fact that it takes software companies a year or more to fix security software flaws. Always ahead of the game, hackers are more than ready to exploit the flaws before they’re fixed. For the Cyber Grand Challenge, the goal was to write cyber reasoning software that would be capable of finding security flaws in a computer’s other programs and guarding them against hacking. The software would also be able to find flaws on competitors’ computers.

This is just one defense that security experts are working on, and because a white hat’s work is never done, companies are likely to keep funding and expanding their cybersecurity departments. However, hacking is becoming a much larger concern than just keeping individual and company data private. Hacking is rapidly transforming into a weapon of war.

War games

Fancy Bear, a hacking group that’s been linked to Russian military intelligence, has shown the world what is possible with hacking applied to war. In December 2016, it was reported by Crowdstrike (an American cybersecurity company) that Fancy Bear was distributing a fake version of an Android app used for weapons targeting to try and spy on the Ukrainian military. The app was infected with spyware called X-Agent, which is the same malware used for the DNC hack. By using forums frequented by Ukrainian service members, the group was able to get their malware installed.

No one is sure how well the app worked, but if successful, the app would have been able to access plans and figure out the general area where a unit was located. It specifically targeted D-30 Howitzers, and according to Crowdstrike, 80% of the Howitzers were destroyed in the war. The Ukrainian military has denied the app had anything to do with their losses, and said that the reported percentage was incorrect. Regardless of what really happened with the application of the app, its creation signals a shift in what is known as “full-spectrum combat.” War isn’t just about boots-on-the-ground; it’s taking place in the digital world, as well.

The X-Agent app isn’t the only hack to have targeted Ukraine. In 2015, hackers took down power to 230,000 people. This time, Ukraine blamed Russia explicitly, but identifying the source of a hack like this is very difficult. Currently, cyberattacks are often not officially sanctioned, so there’s no trail to follow, and hackers are really good at hiding. There are also no rules about cyberwar.

That’s a frightening thought, considering Russian interference in the most recent US election, the frequent use of unmanned drones, and GPS scrambling against South Korea by North Korea.

History tells us that if a country has the capability to use a certain weapon against an opponent, it will. Training for a cyberwar has already been going on; since 2010, NATO has had a program called Locked Shields, where participants perform exercises like attacking fictional countries or defending that fictional country’s servers. Every year, the FBI, Department of Homeland Security, and the U.S. Cyber Command hold Cyber Guard, where participants have to deal with a fictional power outage affecting millions, a network outage that shuts down the Los Angeles port, and a gushing oil refinery.

Hacking biology

Hacking as a weapon is a pretty scary prospect, but not all advances in hacking have the potential to wage wars and end lives. Biology and hacking have been collaborating in really unique ways to improve life as we know it. Using the philosophy of hacking and a background in biology, biohacking is born.

One of the most stunning examples of this marriage took place at MIT, which is fitting, considering it is the home of hacking. Using a language based on Verilog, a computer code used to program chips, biohackers transformed code into a DNA sequence. It was then injected into a cell, effectively turning it into a biological computer. This has enormous potential, because researchers showed it’s possible to code a cell just like you can code a computer program. That means coding a cell to release cancer drugs when a tumor comes along. Other implications of biohacking include creating algae biofuels, repairing damaged cells, creating crops that can grow in extremely harsh environments, and fighting Alzheimer’s.

Chapter 8: The Most Famous Hacks in History

This book has mentioned a few famous hacks in passing, so let’s explore some of them in more detail. Knowing about large hacks can teach you what’s at stake when it comes to cybersecurity, and what the best hackers are truly capable of.

The Ashley Madison data breach

AshleyMadison.com is designed for married folk who want to have an affair. Privacy is obviously very important for a website like this. In 2015, a hacker breached the site and threatened to release the information unless the website shut down. When it didn’t, the hacker released the identities and logins for 32 million accounts. Many of the accounts used fake names, since users wanted to hide their real identities from the website, but the hackers also released seven years’ worth of credit card information, revealing real names. One of the biggest reveals was that clean-cut Josh Duggar, a reality TV star from TLC’s 19 and Counting, was a member of the site. The breach sparked a media frenzy, several lawsuits, public apologies, and at least one suicide.

John Brennan, CIA Director

You would think the Director of the CIA would know that cybersecurity should be a top priority, but John Brennan seemed to think a personal AOL account was just fine. The five main hackers - British teens known as Derp, Cracka, and Cubed - and two American men were interested in finding evidence of aliens. They were able to use good ol’ fashioned social engineering to get a Verizon worker to give them Brennan’s personal information, which they used to reset his email password and take over. Though they didn’t find anything interesting about aliens, they did manage to find his SF-86 application, which is required for tippy-top government security clearances. This hack revealed just how wholly unprepared government officials are, which is terrifying considering they have the most need for security.

Russia and the DNC

This past election cycle was chaotic and unprecedented. Adding to the drama was the revelation that Russian hackers got into the DNC networks and John Podesta’s Gmail account. Besides stealing information, the hackers released the data to the public, whose imagination went wild with what they found. One bizarre (and false) story was that emails showed that John Podesta was involved in satanic rituals that involved consuming semen and other bodily fluids. The motivation behind the hack was likely to interfere with the American election, which resulted in the Obama administration putting sanctions on Russia.

The Yahoo breach

In 2014, Yahoo’s security was compromised, and hackers made off with at least 500 million user accounts. It is the largest breach ever from a single site, but according to Yahoo, financial information was not taken. Hackers were caught trying to sell 200 million accounts, which would have included names, phone numbers, emails, and so on. The hack once again confirmed that Yahoo is in trouble as a company, and has not been quick enough with security for its users.

The Saudi Aramco hack

In 2012, on August 15, the employees of the oil company Saudi Aramco took the day off work to prepare for Lailat al Qadr, a holy night in Islam. While everyone was gone, a hacker with access to the computers released a virus that promptly deleted ¾ of all the data across 35,000 computers, and replaced it with an American flag on fire. The hacker group the Cutting Sword of Justice said they were responsible and their attack was motivated by Aramco’s support of the Saudi royal family. Aramco’s IT staff quickly cut off all the systems, unplugging all the offices from the Internet, which effectively shut down the company.

While the hack could have been much worse, the office could no longer use computers, instead resorting to fax and typewriters. The computers had provided payments to the gasoline trucks, so after the hack, the trucks couldn’t be refilled. Aramco provided 10% of the world’s oil, making this breach extremely significant. It ended up taking 5 months before Aramco was completely online again. The IT team ended up just buying all new hard drives instead of trying to rebuild the old ones.

Operation: Shady Rat

This notorious series of hacks taking place over five years began in 2006. Using remote access tools, the mysterious hacker stole from at least 14 countries and 70 public and private organizations, including the United Nations, the International Olympic Committee, and defense contractors. McAfee, the Internet security firm, discovered the hacks, but was unable to figure out what was happening to the stolen data. Whoever has the data now is clearly smart enough to keep a low profile, so it isn’t obvious that they are privy to economic and government secrets. Security experts suspect a hacker sponsored by China is the culprit, and that the People’s Republic of China is now in possession of all the stolen information.

The Stuxnet worm

This worm attack is hard to pin down, because no one knows who wrote it or what its true purpose was. In 2010, inspectors noticed that centrifuges responsible for enriching uranium gas were dropping like flies at an Iranian plant. Five months later, security experts called in to fix computers in Iran found malicious files on one system. Named Stuxnet, it is likely the world’s first digital weapon.

What this worm does is infect Windows computers, mostly via USB sticks so that it can reach machines not connected to the Internet, before spreading to other computers within a network. Stuxnet was especially effective because it used patched vulnerabilities, known vulnerabilities, and “zero-day exploits,” which are vulnerabilities that the computer’s administrators don’t know about. Instead of stealing information, the worm actually caused physical damage to a computer’s equipment. In 2012, the worm deleted itself, as it was designed to do.

Because Stuxnet was targeting the Iranian nuclear program, many have pointed to America and Israel, though no one has admitted anything. Anonymous officials talking to The Washington Post said the worm was created during the Bush administration, but there has been no official confirmation.

The CIA/Wikileaks hack

It’s too recent to know just where this hack falls in terms of scale, but it’s certainly one of the more ironic breaches to occur. On Tuesday, March 7, WikiLeaks released a huge group of secret documents detailing CIA hacking tools such as malware, trojans, remote control systems, weaponized zero-day exploits, and so on. So far, it appears the files are legitimate, which is bad news for the CIA. It will certainly damage their public reputation, since the files make it clear the CIA can spy on just about anyone, even turning Samsung smart TVs into listening devices and exploiting unpatched vulnerabilities in Android and iOS. Specific information has been redacted by WikiLeaks.

Conclusion

Beginning with phreakers in the 1950s and ’60s and progressing to what we see today, hacking has transformed our society, and not always for the better. All hackers have certain skills to be successful, including programming abilities, a mind geared to problem-solving, and curiosity, but they fall into three categories when it comes to their motives. White hats work to protect and secure, while black hats want to steal and destroy. Gray hats, a more mysterious group, often break the law in their pursuit of something bigger, and usually work for governments.

This book detailed the kinds of attacks these hackers can employ, from fake IT alerts to clickbait. Frequently, hackers use social engineering to manipulate their targets into installing something that gives the hacker access. What are hackers going after with these attacks? Money, health records, phone numbers, and other online accounts are all appealing to hackers for various reasons. Famous hackers, like the Anonymous group, use their skills to shine light on corruption and bring down organizations they see as destructive to society.

Since hackers will go after just about anyone, it’s crucial that you keep your devices and information safe. The book covered a variety of techniques, including how to use website encryption when you’re on public WiFi, writing strong and unique passwords, and making sure your home router is as secure as possible. As the future of hacking expands to more sophisticated attacks and transforms into a weapon of war and a weapon against disease, security companies will have to adapt quickly. The most famous hacks in history reveal just how unprepared major companies and even governments are. One can only hope that they catch up soon.