Why cybercriminals don’t ‘hack the mainframe’ anymore
In 2022, digital security is more important than ever
August 31, 2022
Over the past 30 years, the world has become increasingly dependent upon technology. In particular, the pandemic lockdown forced people to switch to virtual life almost exclusively. In an era where we spend over a third of our lives using our devices, the security of our digital devices affects us more than ever before.
Some cyberattacks merely steal account credentials or banking information. Others are so effective that they can destroy global infrastructure or cripple governments in minutes. But cybersecurity is a rapidly-evolving field: just as hackers use increasingly powerful hardware for brute-forcing and discover new vulnerabilities they can exploit, researchers design more advanced cryptographic algorithms and defense mechanisms against them. This digital arms race has forced attackers to explore creative new ways of breaking into their targets, some of which don’t involve computers at all.
In the early days of computing, digital security was virtually nonexistent. The Advanced Research Projects Agency Network (ARPANET) was a precursor to the internet developed in the late 1960s, but it rarely encrypted traffic because only trusted universities and research institutions had access to it. Throughout the 1970s and early 1980s, popular operating systems such as Unix could not detect malicious programs at all and allowed viruses like Creeper to spread freely throughout the ARPANET. Moreover, password logins were merely an afterthought to prevent logging into the wrong account than an actual security feature.
“In the original Unix operating system, the administrative username was ‘root’ and the default password was ‘root,’” Computer Science Department Chair Dr. Eric Nelson said. “Guess what people never changed.”
Even in systems that administrators tried to make secure, attackers could often exploit various practical vulnerabilities. Early operating systems used relatively new implementations of critical security features, so hackers could occasionally bypass security protocols simply by searching for bugs.
“It turns out the way that the password implementation was done [in an early version of Unix] is that the user entry was adjacent in memory to where the comparison password was,” Dr. Nelson said. “That meant if the user typed in the same eight character string twice, it would overwrite the comparison password and would let you in regardless of what the password actually was. So you could type in ‘1234567812345678,’ and you’re in.”
At the time, these flaws weren’t problematic because most networks were not open to the public and very few people used computers to manage sensitive information. Even Creeper was created for research purposes rather than malice: its only effect was displaying the message “I’M THE CREEPER. CATCH ME IF YOU CAN!” on the screen, and Creeper’s creator later designed the Reaper antivirus to clean infected systems.
ARPANET was discontinued in 1991 as private telecommunications companies developed the full-fledged internet to grant everyone access to a unified global network. As the internet grew throughout the 1990s and early 2000s, computers became integral parts of the daily lives of millions of people, as they had access to users’ emails, banking credentials, social media accounts and identifying information.
Hollywood often depicts how hackers can read emails, steal passwords and infiltrate private networks with just a few masterful keystrokes. In the early 1990s, this could very well have been possible: since most internet connections were unencrypted and antivirus software was extremely limited, even rudimentary cyberattacks could quickly steal private information. For instance, a man-in-the-middle (MITM) attack gives criminals full control over a user’s internet connection and only requires the attacker to have control over a physical cable connecting the victim’s device to the internet. The attacker simply reads the raw signal from the wire to intercept the victim’s internet traffic before forwarding the data to the intended destination. Websites and email continue to work normally in a properly executed MITM, which makes it nearly impossible for the victim to tell they are being hacked. Even today, MITM attacks make it possible to hack almost anyone using an unencrypted connection on public Wi-Fi.
By the early 2000s, however, the creation of Transport Layer Security (TLS) encryption led to the development of new secure replacements for existing protocols. Over time, HTTP websites switched to HTTPS, and SMTP email providers added support for SMTPS. These TLS-backed protocols are designed such that even someone who can manipulate all the data sent through the connection is unable to read or change the actual messages. In other words, the content of HTTPS connections cannot be intercepted at any time: only the source and target public IP addresses remain visible. Today, TLS usage is so widespread that attackers can no longer employ basic attacks like MITM that were possible in the 1990s: everything from large banks like Wells Fargo to popular video games like Minecraft employs a virtually uncrackable encryption scheme. Nonetheless, many modern tech companies prey on users’ fears of 1990s hackers and promote their products with security theater, which gives consumers a false impression of improved safety. In recent years, the most egregious examples of fake cybersecurity have been virtual private networks.
If you’ve ever seen an advertisement for a virtual private network (VPN), it might have claimed that VPNs protect your connection from hackers on public networks. In reality, VPNs are unnecessary for security unless you are using a partially-unencrypted service such as a torrent. VPNs effectively route a user’s internet traffic through an encrypted channel to the VPN provider. Since the majority of web traffic already runs on end-to-end encrypted protocols such as HTTPS, a VPN will have no practical impact on security other than hiding your IP address from the website or service you are using. VPNs also prevent your internet service provider from seeing which websites you are connected to, but the ISP will still know you are using a VPN. Nonetheless, VPNs still offer one valid use-case: bypassing ISP and geolocation restrictions.
“A VPN changes your point of connection to the internet,” HarkerCTF President Jacob Huang (12) said. “It can provide access to things that are inaccessible in your region; for example, if there’s an anime that’s only available in Japan, I can essentially connect to a VPN server in Japan to watch the anime from the U.S.”
Although VPNs are more useful for hiding your location than protecting your digital identity, other popular cybersecurity solutions such as password managers actually do reduce your chances of being hacked.
Each time you create an account on a new website, you must not only trust that the website will not use your credentials for malicious purposes, but also hope that they have properly followed all the necessary cybersecurity protocols. Even for expert programmers, it is difficult to create a system without any security vulnerabilities. For example, a standard practice for websites is to “hash and salt” the passwords of each user, a process similar to encryption except that it cannot be reversed. Hashing and salting prevents an attacker who breaches a website’s internal database from recovering the original password for each user.
If a website you use does not hash and salt passwords, your password on that site could easily be stolen by an attacker even if your personal computer and your internet connection are secure. This is why reusing the same password across several sites is dangerous: if even one of those sites is insecure, all of your accounts are at risk of being hacked.
Password managers solve this issue by generating unique, complex passwords for each website you use and encrypting them all with a single master password. Effectively, they allow you to use one password to access several sites, but even if one site is breached, your other accounts are still secure. This means that as long as your master password is strong, a password manager will dramatically improve the security of your online identity. Combined with two-factor authentication, which prevents hackers from gaining access to an account even after entering the password, a password manager makes it virtually impossible to be hacked online.
As the field of cybersecurity grows each year, it has become increasingly difficult for hackers to find and exploit vulnerable software. Indeed, modern computers are generally much harder to deceive than people. Therefore, many cybercriminals have switched to an alternative method of stealing sensitive information that does not involve hacking at all: social engineering. Although a computer system may be practically unhackable via traditional means, people can often be manipulated into giving up their private information or credentials. Social engineering manifests itself in a wide variety of attacks schemes; for example, phishing attacks involve creating a scam website that copies the design of a legitimate service. Once a user attempts to log into the fake website, the attacker can steal the entered credentials and use them to access the victim’s actual account. You can avoid phishing attacks by carefully checking the domain name you are connected to; phishing sites will often use domain names that are very similar to popular websites, a practice known as typosquatting.
Traditional hacks and social engineering typically target individual users or specific corporations. However, a new type of attack known as supply-chain poisoning has the potential to disrupt global technology access in a matter of hours. Much of the world’s software is built upon freely available, open-source code, and the security of those open-source projects automatically affects every app and website that uses them. Modern codebases typically depend upon several other projects to run, and each of those dependencies can have its own dependencies. The “dependency tree” that results often includes thousands of open-source projects that each must be completely secure to ensure the security of the final product.
If an attacker manages to steal an open-source developer’s credentials, they can publish new versions of the developer’s projects that include malicious code. This malware will now automatically infect every app that requires the latest version of one of the developer’s projects, even if that project only appears once in the entire dependency tree. However, hijacked projects are usually deleted by the registries that host them very quickly after developers see that malware is in the source code.
The most dangerous type of supply-chain attack involves a hacker finding exploits in incorrectly written code within existing open-source libraries. While most hackers report the vulnerabilities they find out of goodwill or to receive a bounty from the maintainers, others sell the exploits they find to cybercriminals on online black markets. The buyers can then use the exploits to attack any company or corporation that uses the vulnerable open-source code. Since these exploits are the result of incorrect code rather than malicious code, cybercriminals can often exploit them for years before they are patched, as was the case for the widely publicized Log4J arbitrary code execution vulnerability.
Open-source developer Feross Aboukhadijeh maintains several projects that garner over 500 million monthly downloads from programmers around the world. He recently founded Socket, a startup that specializes in defending customers from open-source supply-chain attacks.
“Socket analyzes open-source packages to determine how they behave and to detect signs of supply chain attacks,” Aboukhadijeh said.
“Every app that we use today and almost the entire Fortune 500 uses open-source components to build their software. In most apps, around 90% of the lines of code are coming from open source packages. And the remaining 10% is the part of the app that’s unique to that to that company and to that product. That’s why it’s really important to make sure that that 90% is secure.”
Aboukhadijeh argues that the rise of supply-chain cyberattacks in the past decade is directly linked to increasing dependence upon open-source code in the software industry.
“The way that people write software has changed a lot in recent years,” Aboukhadijeh said. “In the past, developers used to write more of the lines of code in their app themselves, and they only reached for a handful of open-source components. In today’s world, [even a basic] website usually includes thousands of dependencies from hundreds of different open-source contributors. So the number of people that you have to trust has gone up.”
When malicious code sneaks into open-source packages, the consequences tend to be disastrous. In April, an open-source developer added malware into node-ipc, a project he maintained that had over 100 million downloads and gained a million more each week.
“Earlier this year, there were a number of open-source maintainers that were upset by the Russian war in Ukraine,” Aboukhadijeh said. “They decided to take matters into their own hands and use their platform as an open-source maintainer to protest the war. [The node-ipc] maintainer added code into their project that would delete every file on your hard drive if you appeared to be a Russian user of their software. That was really disruptive, and it affected a lot of people that weren’t necessarily the intended targets.”
Although supply-chain attacks are likely here to stay, the future could hold even more devastating techniques that will undermine the foundation of modern digital security. Traditional computers use the “bit,” either a zero or a one, as the smallest unit of information. Quantum computers instead utilize “qubits” that remain in superposition of both zero and one until observed. Qubits make it possible to create fast quantum algorithms to perform a wide variety of numerical tasks that would take an astronomical amount of time on traditional computers.
Since many security protocols depend upon computational infeasibility, quantum computers could make it possible to quickly brute-force passwords and secret keys, rendering most modern encryption schemes useless in the process. The popular RSA encryption algorithm relies on the fact that it is currently computationally infeasible to compute the prime factors of a number with several hundreds of digits, but a sufficiently advanced quantum computer could do so in hours. While quantum technology is still in its infancy, it could eventually become so advanced that government agencies, major tech companies and criminal organizations with access to high-end quantum computers would be able to steal credentials and spy on private connections at will.
Computers have ushered in a new age of digital information access in which hackers have the potential to ruin lives and dismantle corporations faster than ever before. But cybersecurity researchers continue to discover new ways of defeating attackers each year. And as people learn more about the strategies they can use to protect themselves online, the digital world will become a safer place for everyone.