Welcome to the deep dive. Today we're getting into something that, well, it touches almost everything in our hyperconnected lives. There's that T. S. Eliot quote, where's the knowledge we have lost in information? It feels especially fitting now, doesn't it? When access to info shapes so much?
It really does. And you think about how fast information is growing, yeah, doubling, what was it, every seventy-three days by twenty twenty, that prediction. The sheer amount of data we create, well, it just creates more targets, more security risks.
Exactly, which brings us straight to today's deep dive. Hacking. Now, when you hear hacking, most people probably jump straight to the illegal stuff, right, the negative side.
That's sort of movie version.
Yeah, but it's interesting. The word originally meant something more like ingenuity, making tech do more than you thought.
It could, pushing the boundaries, right.
But today, yeah, mostly we mean gaining unauthorized access to digital networks, devices, usually over the Internet.
So our mission here is to kind of peel back the layers on this whole world. We want to look at how hacking evolved, I mean, its origins are pretty surprising, and who the hackers actually are, what tools they're using, and the threats, the really serious threats to individuals like you listening, to businesses, even national security.
And we'll also get into that tricky debate. Is hacking ever justified? There's a whole gray area there, definitely.
And finally, what's being done to fight back. The goal is to give you a solid understanding, you know, without drowning you in technical jargon.
Okay, let's dive in because the history, like you said, it's not what most people probably think, not at all.
So fundamentally, hacking is about getting access you shouldn't have or doing more than you're allowed to within a system, often by finding weaknesses, vulnerabilities nobody else knows about.
But it's not always just about code and computers, is it? There's a big human element.
Oh, absolutely huge. That's social engineering. It's basically using social skills, psychology, to trick people, get them to give up without realizing it.
Like looking over someone's shoulder for a password that's simple.
Yeah, shoulder surfing, that's one way. Or crafting clever emails, fake websites, you click something and boom, your computer's infected. They play on trust or fear or curiosity.
And this idea, this exploiting systems, it goes way, way back, right?
The very first sort of proto hack. Yeah, nineteen thirties, Polish mathematicians, Marian Rejewski and his team, they cracked the Nazi Enigma.
Machine, the messaging machine.
Exactly, which operated with programming codes, kind of like early computers. And that breakthrough it let the British decode German messages in World War Two. Huge historical impact.
Wow. So the core concept is almost a century old. But the word.
Hacker, that came later. Late nineteen fifties, MIT, the Tech Model Railroad Club, believe it or.
Not, where Rose.
They had this mainframe computer and these students found ways to get unauthorized access, usually with paper punch cards, just to get more time on it to develop software. It wasn't malicious. It was about, you know, figuring things out, pushing limits for fun. So it started pretty innocently.
When did it turn more sinister?
The big shift was really the Internet going mainstream in the nineties. That's when hacking just mushroomed, became this massive global issue.
How big are we talking?
Well, think about this. By two eleven, the FBI's Internet Crime Complaint Center, they were getting twenty five thousand complaints a month.
Wow.
Yeah, and the damages, billions every year. Theft, fixing systems, lost time. Yeah, it became a serious economic drain.
So who are these people doing the hacking? It's not just one.
Type, right, definitely not. You've still got the hobbyists like Brian Harvey Berkeley described, and the people who just love computers, live and breathe them, want to make them do anything for them. It's still about the challenge, the knowledge.
Okay, the original spirit kind of sort of.
But then you have the ones making headlines. Yeah, the black hat hackers. It's bad guys, pretty much, like villains in old Westerns, hence the name. They're hacking for illegal money, stealing it, or just to cause chaos, break things.
And because of the black hats, you need the white hats.
These are the good guys. The security professionals. Companies hire them to hack their systems, find the weak spots and fix them before the black hats do. Ethical hacking makes sense.
Is there anything in between?
Yeah, the gray hats they're not out to steal, but they're not strictly defensive either. I think researchers, maybe hobbyists trying to improve things, sometimes bending the rules a bit.
And then there's another category entirely.
Activists, right. These are political or social activists. They target governments, good corporations, not usually for money, but as a form of protest, to make a statement, push for change. Groups like Anonymous, LulzSec. Those are classic examples.
Okay, so a whole range of players. What about their tools? How do they actually break in?
It's a mix. Sophisticated software, yes, but also exploiting simple human mistakes, like we talked about with social engineering. Malware, malicious software, is a huge part of it.
Like viruses.
Viruses are one type. Yeah. A really common tool, especially for getting initial access, is.
The trojan, like the trojan horse.
Exactly the same idea. It looks like something harmless, maybe a useful program or file. You download it, run it, and it secretly opens the back door for the hacker, lets them hide their tracks, download more nasty.
Stuff, and they can just buy these things.
Some develop their own, but yeah, you can actually buy trojans and other malware toolkits on underground forums. It's a whole economy. Scary.
What about worms?
I hear about those. Worms are really dangerous because they spread by themselves. A worm infects one computer, then it automatically scans the network and copies itself to other vulnerable machines.
So it replicates automatically.
Right, and it can take control of those infected computers, turning them into zombies. Zombies basically computers controlled remotely by the hacker without the owner knowing. When you get thousands or even millions of these zombies linked together, that's a botnet.
And what can they do with a botnet.
All sorts of things. Common use is a distributed denial of service attack, a DDoS attack. The hacker tells all the zombies in the botnet to flood a target website or network with traffic all at once, overwhelming it. Exactly, it just can't handle the load and it shuts down. Russia used this against Estonia back in two thousand and seven, a big political cyber attack.
I remember hearing about that.
And remember the Conficker worm. By twenty eleven, it had infected something like seven million computers worldwide, huge potential for damage.
What did it do?
Ironically, mostly sent spam, but it could have done much worse. Shows how versatile these botnets are.
Okay, so trojans worms, what.
Else you mentioned viruses. They can erase files, mess up your system, often spread through email attachments you shouldn't open. Then there's spyware. Spying software pretty much hides on your computer and watches what you do online, tracks websites you visit, logs keystrokes, maybe sometimes changes your settings, slows things down.
And besides malware, hackers use.
Tools like password crackers, programs that try millions of combinations to guess passwords, and sniffers, which intercept data traveling over a network. They can grab business secrets, credit card numbers, anything not properly encrypted.
It sounds incredibly technical.
A lot of it is, but again, never underestimate the human angle, social engineering. Remember the Sarah Palin email hack in two thousand and eight? Vaguely. A college student got in simply by resetting her password using public info, her birthday, zip code, where she met her husband, stuff you could find on Google.
Seriously, that's all it took.
Yep, shows how basic information could be a vulnerability, and it gets worse. In twenty eleven, there was a report hackers put malware into online games. Games for preschoolers. No way. Because toddlers can't read warning messages. They click yes to anything, so their parents' computers got infected, became part of botnets, and potentially gave hackers access to the parents' financial info.
That's incredibly low.
It really is. Shows how far some will go.
So let's talk about the fallout, the costs. This must have a huge impact financially and personally. Oh, immense.
The global cost of cybercrime back in twenty ten, estimates were around three hundred and eighty eight billion dollars. Billion with a b. Yep. Which, get this, was apparently more than the entire global trade in legal drugs at the time by about thirty five percent.
That's staggering, it is.
And you see big cases all the time. The US Secret Service just in twenty ten made arrests linked to over half a billion dollars in fraud.
And businesses are right in the firing line absolutely.
Citigroup, twenty eleven, hackers got in, stole about two point seven million dollars from customer accounts through freak purchases, cash advances. Customers lost trust, left the bank.
And Sony had huge problems around then too, right.
Massive problems, also twenty eleven. Their PlayStation Network, Sony Pictures, hit hard, cost them over one hundred and seventy seven million dollars. That's downtime, fixing things, stock price drop, but also huge reputation damage. Personal data, credit card info for maybe seventy million users got exposed.
Seventy million ouch.
Yeah, and that wasn't even the first really big one. TJX Companies, T.J. Maxx, Marshalls, back in two thousand and six they lost forty million credit and debit card numbers, cost them two hundred million dollars.
So these massive breaches aren't new.
Not at all. Even Google got targeted in twenty ten an attempt likely by the Chinese government, they said, to get into their source code systems, aiming for the Gmail accounts of human rights activists.
Did they succeed?
Google said no, they caught it, but it shows the risk. As Dave DeWalt from McAfee said, just one breach can cause irreparable financial damage to reputation, stock price, customer confidence.
It sounds relentless. How common is this for businesses?
Depressingly common. A survey ending early twenty eleven found ninety percent of US businesses got hacked at least once in the previous year, and fifty nine percent got hacked twice.
Or more ninety percent.
Yeah. Stuart McClure, also from McAfee, famously said something like, if you plug into the Internet without a good firewall, you could get hacked before the arrives, like under thirty minutes.
So it's basically constant.
Pretty much a constant threat.
Yeah, and what about individuals beyond the big data breaches?
Individuals are definitely targets too. Remember Christopher Chaney, arrested in twenty eleven for hacking about fifty celebrities' email, cell phones. Scarlett Johansson's private photos got leaked because of him.
How did he do it?
Just piecing together clues from their social media public appearances, again using available information. And it's not just celebrities. A twenty ten poll found thirty percent of teens and young adults said their social media had been hacked. Anyone online is potentially vulnerable.
Okay, so it's hitting individuals, businesses, but it goes even higher, right, national security.
Absolutely, this is where it gets into cyber warfare, espionage. US Defense Secretary Leon Panetta warned about the next Pearl Harbor being a cyber attack crippling power grids, financial systems, government operations.
That's a terrifying thought.
It is, and FBI Director Robert Mueller called three it's the number one threat to the US in the future. US military's networks, they get probed something like six million times.
A day, six million daily. Who's doing it?
Often it's state sponsored actors. China has been frequently accused of systematic cyber spying against the US, targeting defense contractors, stealing huge amounts of data. There were even reports of interference with US satellites back in two thousand and seven, two thousand and eight, possibly linked to the Chinese military. And Operation Aurora in two thousand and nine, that hit Google, Adobe, others, traced back to emails with bad links, exploiting flaws in Internet Explorer. Again, widely suspected state involvement. Is it just China? Oh no. North Korea in two thousand and nine took down websites for the US Treasury, Secret Service, FTC for days using a botnet. Russia hit Georgia with cyber attacks in two thousand and nine, right before a military conflict, disrupting their defenses.
So cyber attacks are becoming part of actual warfare exactly.
They're integrated into military and political strategy now it's changing the nature of conflict.
Countries attacked each other directly like that.
We've seen things like a hacking skirmish between Israel and Saudi Arabia in twenty twelve, hitting each other's stock exchanges, and reports claimed Israel's Mossad hacked the Syrian official's computer back in two thousand and six to get nuclear intel. It shows the threat to critical infrastructure, power, finance, is very real. Crippling those could cripple a country.
And it's not just governments we need to worry about, right.
Director Mueller also warned about terrorist groups like Al Qaeda actively trying to get hacking skills, using the Internet for recruitment too. So the threat landscape is broad. Nations, criminals, terrorists, activists.
Okay, So what's being done? How do we fight back against all this?
Well, governments are definitely trying. The Obama administration brought in cybersecurity measures for businesses, things like forcing companies to report breaches to the SEC, having the NSA share intel with banks, and Congress proposed things like the Cybersecurity Act of twenty twelve, aiming to protect critical infrastructure, set security standards, and CISPA, the Cyber Intelligence Sharing and Protection Act, which was controversial.
Why controversial? Because it would let Internet companies and others monitor user info and share with the government. Privacy advocates like the Electronic Privacy Information Center were really worried. They argue that data collected for cybersecurity could end up being used for other investigations, infringing on privacy rights.
So there's a tension there, security versus privacy, a.
Huge tension, and some former top officials like Mike McConnell Richard Clark were saying the US was actually losing the cyber war, that defenses were woefully lacking. So it's a really complex ongoing debate, which.
Leads us into another really complex area. This idea of justification. Is hacking ever okay? That's where activism comes in, right? Exactly.
Hacktivists often see themselves as performing a public service. They might say they're exposing security flaws that companies or governments ignore, or uncovering secret documents they think the public has a right to see. It's protest, basically digital protest.
Like George Hotz, the guy who hacked the PlayStation three.
Right, back in two thousand and nine, he wanted to bypass its limitations, let people run other software on it. He shared how he did it online, called it a victory for consumers, said things like we build this world. We are not mindless consumers.
Did he get in trouble?
Sony sued him. Yeah, but Apple when he unlocked the iPhone back in two thousand and seven to work on other carriers, they actually didn't sue, though they patched the vulnerability later.
Interesting difference. What about groups like Anonymous?
They took it further. LulzSec and Anonymous had Operation Anti Security in twenty eleven. They hacked places like the CIA, the US Senate, claiming they were exposing classified info to help the government fix their issues.
Helping by hacking.
That's bold. Very. LulzSec even put out a letter warning regular Internet users about weak security on Facebook, Gmail, Skype. Another group, Goatse Security, hacked AT&T's iPad network in twenty ten, affecting over one hundred thousand users just to show vulnerabilities. They framed it as a service to.
Customers, and it gets political too.
Right, deeply. Anonymous went after the Syrian government in twenty eleven, twenty twelve, hacked websites, emails, even leaked emails showing advice given to President Assad for a big TV interview. And in twenty twelve they hit Alabama state website to protest immigration laws, releasing residents' personal records. Direct political action.
But there have to be strong arguments against this.
Absolutely. Releasing government secrets could endanger soldiers or agents, shutting down websites disrupts essential services. Admiral Mullen, when he was chairman of the Joint Chiefs, said WikiLeaks, which often published leaks from hackers, might end up with blood on their hands. And just the legality of it, right? As one British editor, Paul Connolly, put it bluntly, it is simply illegal to hack into phones.
That whole News of the World scandal in the UK really brought that home, didn't it?
Definitely. A huge newspaper shut down in twenty eleven over allegations its reporters hacked hundreds of cell phones, crime victims, celebrities, politicians, just to get scoops. One former editor even tried to justify it as part of the journalistic mission.
So how does the public see these hacktivists? It seems divided, very divided.
Hacktivists were apparently responsible for almost sixty percent of all stolen data in twenty eleven. Businesses often see them as a bigger, more unpredictable threat than regular cyber criminals. But then you see Anonymous topping Time magazine's Most Influential People poll in twenty twelve, got way more votes than President Obama. It shows a real split in public opinion about their methods and motives.
Okay, so it's messy complicated. Given all this, this constant back and forth, can hackers actually be stopped? Is this fight winnable?
That's the million dollar question, isn't it? Secure Computing Corporation called it a cat and mouse game that's unlikely to end soon. Hackers are specialists, always innovating, finding new ways around security improvements.
Especially with these advanced persistent threats. Exactly, APTs.
These are long term, sophisticated attacks, often state sponsored or by very organized groups. They're patient, they adapt. They're incredibly hard to defend against completely.
The governments are trying to clamp down. You mentioned laws, right.
The US has the Computer Fraud and Abuse Act from way back in eighty six. China brought in laws in twenty eleven making even possessing hacking tools illegal with long prison sentences, and the US keeps proposing new laws funding research.
And law enforcement.
The FBI has dedicated cybercrime units. They've made some big busts, like the Rove group that stole millions from computers worldwide. They've also arrested members of Anonymous and LulzSec for things like the Stratfor hack using stolen credit cards.
And they sometimes turn hackers.
Yeah, that's a controversial tactic, using hackers as informants. Hector Monsegur, Sabu, a leader in LulzSec. He became an FBI informant, helped them arrest others in exchange for leniency. It works sometimes, but raises ethical questions.
Is everyone on board with these government tactics?
Not entirely. Germany's highest court pushed back against police using spyware, citing privacy. US email providers have fought against giving access to accounts without warrants. There's pushback on privacy grounds.
What about the tech industry itself? What are they doing?
They're definitely involved. Microsoft created its Digital Crimes Unit in twenty ten, lawyers, investigators fighting cybercrime globally. They helped take down the Rustock botnet. Remember, the one sending thirty billion spam emails a day? And the whole cybersecurity field is professionalizing. Huge demand for Certified Information Systems Security Professionals, CISSPs. They needed like two million more by twenty fourteen. The demand is massive. Plus developing defensive tools like honeypots. Honeypots? Yeah, basically decoy systems set up to lure attackers, trap their malware, and study their techniques.
Clever. Is there cooperation between companies?
Increasingly, yes. Financial giants like Morgan Stanley, Goldman Sachs partnering with universities like NYU to share threat data, spot attacks earlier. The FCC pushed for an Anti-Bot Code of Conduct for Internet providers.
Collaboration is key, but there are still big gaps in defense.
Huge gaps. Estimates suggest only maybe twenty five percent of electronic data is properly secured, and forty percent of business leaders admit they just don't have the capability to detect or prevent cybercrime effectively.
Even chief technology officers.
Even among CTOs, only about fifty nine percent felt really confident they could fend off attacks. A big barrier's budget, especially for smaller businesses, and finding skilled security people is tough and expensive.
And we still make mistakes ourselves.
Oh yeah, user error is still a big factor. Microsoft figured about five percent of people don't handle their antivirus right, might even download malware despite warnings, and free antivirus often isn't as good as paid versions, leaving gaps.
So it feels like we're always playing.
Catch up, pretty much. A Deloitte study found hackers developed new attacks much faster than defenders can create defenses. Perry Olsen at Intel basically said, compromise is inevitable, data loss is inevitable. What of do us? Is a shift in thinking, maybe perfect prevention isn't possible.
So focus on resilience bouncing back.
That seems to be the direction which leads to the absolute necessity of international cooperation. Hacking is global. Cyber criminals operate across borders. Law enforcement needs to work together share intelligence. We've seen successes when they do, even between countries that don't always get along.
Okay, so we've covered a lot of ground here from those early MIT hobbyists.
Just tinkering right, pushing boundaries.
It is an incredibly complex global threat affecting everyone, individuals, companies, nations, driven by money, politics, protest all sorts of motives and.
This constant arms race, this evolution of attacks and defenses, it really is a cat and mouse game.
And despite all the efforts, all the laws, the tech, it's clearly not over. Far from it.
No. Peter Sommer and Ian Brown put it well, Yeah, defense has to be about resilience. Prevention is crucial, yes, but you also need solid plans to recover quickly when not if an attack gets through. It accepts that compromise will happen.
That Intel quote really sticks. Compromise is inevitable. So that leaves us and you listening with a pretty big question to think about. Well, if some level of compromise in our digital lives is inevitable, how do we adapt. How do our ideas about trust about security need to change in this constantly shifting digital world. What's our personal responsibility in all this?
That's a deep one to ponder, definitely something to think about.
It is. Thanks for joining us on this deep dive.
Glad to be here. Until next time. Stay curious and maybe double check those passwords.
Good advice. Stay informed, everyone.
