07/06/2023

A little History: What Hacking and Model Train Sets Have in Common

What Hacking and Model Train Sets Have in Common Techblog

What is hacking?

Let us preface the answer to this question by making clear that not every hacker is a criminal.

According to public perception, “hacking” and related terms often have a distinctly negative connotation. Terms such as “hack” or “hack job” are often used to describe either incompetent people with no proper formal training in a given field of work (“This guy is a complete hack!”) or to describe substandard work (“This is not a repair – this was a complete hack job!”). When used in connection with computers, the general public often associates hacking with gaining unauthorized access to computer systems, personal accounts, and computer networks or abusing digital devices – mostly either for financial gain or to cause damage. Given the media coverage, one might be forgiven to think that hackers always act in bad faith.

But you would be hard pressed to find any piece of legislation that mentions “hacking”. And hackers do not necessarily act in bad faith – the opposite is often closer to the truth. So what makes a hacker? Based on our definition of hacking, a hacker is someone who uses their technical skills and knowledge to tackle a specific problem or challenge. This does not even necessarily require the involvement of computers.

Many also think that “hacker” refers to some self-taught whiz kid or a computer programmer gone rogue. Hackers are indeed often skilled at modifying computer hardware or software so it can be used in ways outside the original developers' intent. When hackers break into a computer network or system, it is called security hacking. Although hackers are usually labelled in the media as cyber criminals bent on stealing data and causing all kinds of other digital damage, the correct term for that form of illegal hacking is cracking.

Hacking across history

A historical hack

The first hack that comes close remarkably to our modern definition goes back to 1903. And the reaction to it would not look out of place today, 120 years later.  Are you surprised?

Here is what happened: In 1903, the Italian electrical engineer and inventor Guglielmo Marconi, was all set to demonstrate his recently invented wireless transmission system in England. Marconi had claimed that his wireless transmission was „secure and private“. But a rival inventor and magician named Nevil Maskelyne (1863-1924) went on to prove him wrong. As Marconi got ready to start his demonstration, a transmission across England via morse code, Maskelyne was the one who intruded in the signal with his own morse code which was received by Marconis equipment. His messages contained a few choice words directed at Marconi. This rogue transmission was decried as “scientific hooliganism” by physicist John A. Fleming, who was to receive Marconis messages. But it was too late – Maskelyne had publicly exposed a serious flaw in Marconis technology (which Marconi was aware of), and Marconi was decidedly not happy about it. Maskelyne found himself at the receiving end of harsh public verbal abuse by people like Fleming, to which Maskelyne just responded that “Abuse is no argument” and he would rather focus on the facts.

It is tempting to look back on this event and say “We have come a long way since then”. But that would not be entirely true. The very same exchange could realistically have taken place on Twitter last week, between a security researcher and a developer who refuses to patch a critical vulnerability - and nobody would find it out of place.

Hacking becomes (kind of) formalized

Members of the Tech Model Railroad Club at MIT (Massachusetts Institute of Technology) were the first to use the term "hacking" in a technological context. After World War II, these students started using the word „hack“ to denote an innovative (and sometimes unorthodox) solution to a technical problem. This can be considered the first “formal” definition of the term which still applies today.

Flash forward to the early 1960s, when computers started to become more accessible to academic facilities. This was in the days of the Apollo program by NASA, where the Instrumentation Lab at MIT was tasked with developing the computer hard- and software that would land people on the moon, much to the surprise and dismay of established companies like IBM. In fact, the contract to develop the computer systems for Apollo was one of the first contracts awarded in the entire program. Curious club members who entered this new technological field brought the terminology with them. Ever since, “hacking” has been very closely associated with computing.

But it was not until the early 1980s that hacking as a widely recognized phenomenon took off. For the first time, computers were available and affordable to the general public. Almost anyone could buy a computer and experiment with hacking from that time onwards. And experiment they certainly did. Hacking came in various forms – from purely fun to challenge the mind, to the mildly annoying to the downright criminal. This was also during the Cold War, so computer espionage was of course a topic that made its fair share of headlines.
Many of the world's most dangerous hackers of recent years draw inspiration from these early pioneers.
By 1986, criminal hacking had become so widespread in the US that the Computer Fraud and Abuse Act (CFAA) was passed. This was the world's first law against cybercrime.

Types of Hackers

Hacking is primarily about boundless creativity, fearless innovation and the guts to deviate from standard ways of thinking.  The Chaos Computer Club, the largest hacker association in Europe, defines hacking as the “creative, practical and disrespectful use of technology”. Unfortunately, not all hackers settle for hacking for hacking's sake.

Based on the legality of their activities, hackers can be divided into three broad groups.

Black hat hackers

The black hat hacker appears most often in the media: the masked cybercriminal who deftly breaks into a computer system to steal or modify data, or perform other illegal acts. When a black hat hacker discovers a weakness in software, he or she exploits the flaw for criminal purposes. The hacker may write an exploit. That is a piece of software that exploits a weakness to penetrate a computer system and spread malware. The hacker may also offer the discovery for sale on the dark web. Sometimes black hat hackers even try to force (or bribe) others to do the work for them. This is called an insider threat. In August 2020, a hacker offered a Tesla employee $1 million to secretly install ransomware at the company's mega-factory in the US state of Nevada. Fortunately, the employee reported this to the FBI and the hacker was arrested.

White hat hackers and ethical hackers

Unlike black hat hackers, white hat hackers conduct their activities openly. White hat hackers are the antipodes of black hat hackers. Companies often hire white hat hackers to deliberately attack their systems and software to discover vulnerabilities or security problems. This is called a penetration test. This allows companies to beef up their security before a black hat hacker can penetrate. It is therefore said that white hat hackers engage in ethical hacking.Some white hat hackers work internally at large organisations, while others operate as freelancers or self-employed workers. Furthermore, ethical hackers may also expose employees to phishing to test how resilient an organisation is to real attacks and to identify areas requiring additional cybersecurity training.
They also report vulnerabilities in a certain application to the vendor or developer of the affected application, sometimes “pro bono”, sometimes for a bug bounty which is paid out to any researcher who uncovers a critical flaw.

Grey hat hackers

Grey hat hackers move in the grey - hence the name - area between black and white. Unlike white hat hackers, they are not altruists, but neither are they exclusively engaged in criminal activities. Grey hat hackers usually hack first and only then ask for permission. Ethical hackers, on the other hand, ask for approval beforehand. Many grey hat hackers first scan a company's systems or software looking for security problems. Only when they have found one do they offer a solution. For a fee, of course. Other grey hat hackers use hacking as a means of activism. They make vulnerabilities public, so that the company in question is forced by public pressure to fix the problem. After a grey hat hacker discovered a security problem at Facebook in 2013 and was then repeatedly rebuffed by the company, he decided to take Mark Zuckerberg by storm by using the leak to post a notification on the CEO's timeline.

Although the activities of grey hat hackers can lead to positive results, hacking without permission is still illegal. In some cases, hackers publicly disclosed a flaw which was subsequently fixed, only to then be sued by the organization in question (or harassed by authorities at their behest). This “shoot the messenger” approach is widely regarded as an unwise move, because once an organization is known for taking legal action against researchers who disclose a weakness, they will receive no more such notifications in the future – or far fewer. Such news travels very fast within the security community and is impossible to keep under wraps. Instead, researchers might either turn to the authorities themselves to expose gross negligence and privacy violations – or they “just sit back and enjoy the fireworks”.

Hacking tools: How do hackers work?

Most of the time hacking is a technical thing but hackers can also use social engineering to trick the user into clicking on a malicious attachment or providing personal data. Besides social engineering and malvertising, common hacking techniques include: botnets, DDoS, ransomware and other malware. Living of the land tools are also frequently used. If you would like an overview of the tool chest of a hacker, there is no comprehensive one. But there are a few tools – commercial as well as open source -  that are used by hackers at both ends of the spectrum, such as nmap, mimikatz, Ghidra, burp, Cain&Abel, Purple Knight or Metasploit. Each tool has a specialized use and hackers usually put together their own tool kits.

We already wrote about that in a former article.

From script kiddies to organized cybercrime

Unfortunately hacking has evolved from teenage mischief into a billion- bone growth business, whose  votaries have established a felonious structure that develops and sells turnkey hacking tools to would- be crooks with lower sophisticated specialized skills ( known as “ script-kiddies ”). 

You can say that hackers try to break into computers and networks for any of the following five reasons. 

  • There is the typical financial gain like the theft of credit card  figures or defrauding banking systems. 
  • Burnishing or attacking people's or companies reputation motivates some hackers as they leave their mark on websites. This is also called “Defacement”.
  • Also there is industrial espionage, where one company's hackers seek to steal information on a contender's products and services to gain a business advantage. 
  • And of course entire nations engage in state-sponsored hacking to steal business and/ or  public intelligence, to destabilize the infrastructure or indeed to create disharmony and confusion within the society of their target country. 
  • And there is also the hacker who's politically or socially motivated. They usually try to further a cause, but lack financial motivation. These hacker-activists, or “hacktivists, ” strive to direct public attention to an issue by shining a very unflattering light on the target —  generally by making sensitive information public. The most known hacktivist groups, along with some of their more famous undertakings are AnonymousWikiLeaksand LulzSec. The problem with these kinds of hackers is that they use their hacking skills with some ‘Robin Hood’ kind of flair and that confuses a lot of people in thinking that their actions were/are always legitimate. Many address a legitimate issue through sometimes questionable ways. These hackers seem to make the whole hacking industry seem cool or sexy for all the wrong reasons. Which is a dangerous thing as it can make potentially well-meaning, but inexperienced people to cross a very thin line.

Is hacking illegal?

There is nothing wrong with hacking in and of itself. It is only when a hacker does not ask permission beforehand that the line between legal hobby and illegal cybercrime is crossed, or at least blurred. What white hat hackers do is fine. After all, employees and customers have given permission. However, if grey hat hackers go public with their findings, there may be legal consequences for them, even though they might have good intentions.
Of course, all activities of black hat hackers are illegal. If you have fallen victim to a black hat hacker, you can and should report this cybercrime to the relevant authorities in your country or region. This may help mitigate the damage caused, bring the hacker to justice and hopefully prevent further victims in the future.

New legislation?

Belgium has become the first (European) country to adopt a national and comprehensive safe harbor framework for ethical hackers, according to the country’s cybersecurity agency ‘The Centre for Cyber Security Belgium’. This agency, also called the CCB, has announced a policy that protects individuals or organizations from prosecution – contingent on certain “strict” conditions being met – when they report security vulnerabilities affecting any systems, applications or networks located in Belgium.

According to the procedure created in a national coordinated vulnerability disclosure policy (CVDP) the CCB – Belgium’s computer emergency response team (CSIRT) – can now receive reports on IT vulnerabilities that give security researchers some legal protection in case that the following conditions are met:

  • They must notify the owner of the vulnerable technology (eg. Website, software package, etc) as soon as possible and at the same time as the CCB
  • Behave without fraudulent intent or intention to harm
  • Act strictly in a proportionate way to demonstrate the existence of a vulnerability
  • They need to submit a vulnerability report to the CCB as soon as possible in a specific format
  • Information about the vulnerability and vulnerable systems may not be disclosed in the public without the CCB’s consent

But we must be careful and there are still a lot of questions to answer … And there are some nuances I think as well we need to look into. Can an ethical hacker perform a full-blown penetration test on a company that is unaware? Can an ethical hacker release a new 0-day on all Belgian IP addresses? It's a good thing the law is there and protects ethical hackers, but it's still not an out-of-jail card. An ethical hacker who finds an SQL Injection and then empties the entire database to show that he has found a bug is still punishable.

The framework is intended to protect ethical hackers who stumble upon a security issue accidentally if they want to report the problem. It is therefore not a safe conduct to scan the entire .be. And on top of that you don't get paid anything, so in terms of ROI this is volunteer work! … Well, you get a T-shirt when you report the security issue.

Elsewhere in the EU

A 2022 EU Agency for Cybersecurity (ENISA) report on national coordinated vulnerability disclosure (CVD) policies revealed that France, Lithuania and the Netherlands were also “undertaking CVD policy work and have implemented policy requirements”. Numerous other EU member states are developing or planning similar nationwide protections for hackers.

Image credits:
 

"Yellow & Brown Cardboard Box" by Gerhard Lipold / Pexels
"Grayscale Photo of a Young Man" by Kevin Bidwell / Pexels
Morse keyer image from Wikipedia, released unter CC-BY-SA 4-0
Header & Preview: G DATA CyberDefense, tbe​​​​​​​