The way Hollywood portrays the art of computer hacking is always entertaining, especially if, like me, you come from an actual software development background.
In many Hollywood fantasies, a computer hacker is this digital omnipotent wizard in front of a keyboard.
One of my favorite hacker movies is Swordfish, starring John Travolta and Hugh Jackman.
Hugh Jackman plays a down-on-his-luck computer hacker/activist who got in trouble with the law and is forbidden from even TOUCHING a computer, lest he go straight back to prison.
He lives this hardscrabble existence in a trailer park until he is recruited by a charismatic but shadowy criminal figure played by John Travolta, who wants Jackman to hack into a secret DEA black fund that has swelled from its original $400 million in 1986 to over $9.5 billion by the time Jackman is recruited.
Travolta wants to test out Jackman’s hacking capabilities by placing a laptop in front of him and challenging him to break into a Department of Defense computer in less than 60 seconds. He’s given further “encouragement” with one of Travolta’s goons putting a gun to his head.
Jackman furiously starts pounding on the keyboard at superhuman speed, and we, the audience, see a cacophony of digital code fly down the screen.
If there’s one thing that always happens in a movie when you see someone typing on a keyboard, it’s that it ALWAYS makes a noise when the keys are pressed down. I guarantee you if my keyboard at work made noises every time I typed on it, I’d smash it against the wall quicker than John Belushi smashed that guy’s guitar in “Animal House”.
Somehow, after 60 seconds, Jackman successfully cracks the username and password of a supposedly highly secure DOD computer database.
Later on in the movie, when he needs to create a computer virus to break into the electronic bank vault containing the $9.5 billion, we see the entire process as a set of montage scenes.
He lights a cigarette, we hear grungy techno music start thumping in the background, and Jackman starts hacking together a “worm” program that will infiltrate the bank system.
On the screen, we see Jackman pounding away on his keyboard, and we see these hilarious-looking things, which can only be described as digital Lincoln Logs, get slowly put together until the final result is something that looks like a giant digital Tinker Toy cube.
I never fail to laugh at just how ridonkulous computer hacking and programming get portrayed on the silver screen.
Of course I can understand the reason why.
Real computer hacking and programming is someone sitting quietly in front of a keyboard and monitor and using mostly a plain text editor to enter TEXT based source code on the screen.
There’s nothing magical or sexy about it. And I guarantee you that a software program NEVER EVER EVER works the first time you run it.
It’s a process of trial and error, fixing runtime bugs along the way.
If you were forced to watch an actual hacker or programmer do their job, you’d probably rather watch paint dry.
Which is pretty much why Hollywood gussies up the act of computer hacking so much in movies. Jazzing up hacking scenes involves lots of fun and fast computer animation.
But just because hacking gets glorified and exaggerated in movies, doesn’t mean the threat isn’t real.
We’ve already seen countless stories in the news about giant data breaches. 40 million Target shoppers who used a debit or credit card had their credit card accounts compromised by hackers.
Sony experienced a similar data breach not long ago where customer credit cards were compromised. I personally experienced a data breach as a contractor employee for the Department of Energy.
What Software Developers Need to Know About Cybersecurity
I recently had to take some mandatory employee training on the subject of cybersecurity.
It was geared specifically for software developers.
Why?
The unfortunate truth is we software developers often build our applications with security as an afterthought.
And the hackers who are out to do harm KNOW THIS. And they take advantage of this in a myriad of ways.
The cybersecurity training I recently took focused on several key security concepts that hackers use to infiltrate digital systems.
Particularly around web applications.
Why web applications?
For the very same reason the internet has taken the world by storm and created a new digital revolution.
Internet applications and database systems are particularly vulnerable to hacking due to the nature of the internet itself.
In a nutshell, the internet is a global network of computers all interconnected with each other.
It has transformed and enriched our lives in many ways, and allows people to communicate with each other at speeds unthinkable even 50 years ago.
But it’s also a two-edged sword. It allows hackers with nefarious intentions to penetrate computer systems they shouldn’t be in, for financial or criminal purposes.
Most of the time, hackers do what they do for financial gain. Banks and financial institutions are prime targets, but basically any computer system that contains sensitive data like credit card accounts or personally identifiable information is also a valuable target of opportunity.
It’s also much more lucrative and easier to be a cyber criminal than in the old days, when bank robbers had to physically rob a bank and risk the danger of armed security guards, cops and federal agents ready to swoop down on them at the earliest opportunity.
The ultimate target for hackers is the digital data of an application.
If a hacker can gain direct access to the back end database system of an application, it’s pretty much game over. Once the hacker has that data, they have access to potentially many millions of bank accounts or any other kind of profitable sensitive data that can be sold to the highest bidder.
But web applications are usually built in separate layers or “tiers”. You might have heard the phrase “3-tier” or “n-tier” application. It’s just a fancy way of saying an application is divided into separate and distinct parts.
The visual part of an internet application, often referred to as the presentation layer or UI (user interface) layer, is built with the Hypertext Markup Language (HTML).
There is usually a layer that sits between the visual layer and the back-end database layer. It’s where all the business logic and rules of an internet application live.
Each of these layers is a potential infiltration point.
A hacker can literally hack into the underlying database system of a website with a relatively straightforward concept called “SQL Injection”.
Though the tech landscape is changing, most websites on the internet use a relational database system that can be queried and manipulated via SQL, short for “Structured Query Language”.
Most web applications use some sort of visual presentation layer for the end user to enter data via their web browser.
Many websites have a login page where you need to enter a valid username and password to gain access into their system.
Because of the nature of SQL, you can literally piggyback additional SQL commands into a text input box like the one for the username and do something like this:
username: 'john'; DROP TABLE CustomerLogins;
The username text input box is asking for your username. But with a semicolon, you can literally append other database commands. In the sample above, the appended command tells the database to delete the table that holds all of the active customer login IDs stored in that particular database.
There are ways to mitigate these kinds of SQL injection attacks, but a software developer must proactively design their web applications to prevent these kinds of vulnerabilities.
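Here is the vulnerable form of that query next to its hardened form, as an added example written for this post rather than code from the original. It assumes an in-memory sqlite3 database with a CustomerLogins table; the sample rows, the last_login column, the function names and the exact injected string are constructed for the demo (the article’s payload, with the quote placed so it closes the string literal the application opened), and executescript() stands in for a database driver that runs several semicolon-separated statements in one call, which is what the payload relies on.

```python
import sqlite3

# The article's injected username, arranged so the quote closes the string
# literal the application opened and the rest of the SQL still parses
# (constructed payload for this demo; the trailing SELECT ' absorbs the
# closing quote the application appends).
INJECTED_USERNAME = "john'; DROP TABLE CustomerLogins; SELECT '"


def make_db():
    """Constructed in-memory database with a CustomerLogins table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CustomerLogins "
                 "(username TEXT, password_hash TEXT, last_login TEXT)")
    conn.executemany("INSERT INTO CustomerLogins VALUES (?, ?, NULL)",
                     [("john", "<hash>"), ("mary", "<hash>")])
    conn.commit()
    return conn


def record_login_vulnerable(conn, username):
    """Before: the username is pasted straight into the SQL text.
    executescript() mimics a driver that executes stacked (';'-separated)
    statements, so anything after the closing quote runs as its own command."""
    sql = ("UPDATE CustomerLogins SET last_login = datetime('now') "
           "WHERE username = '" + username + "'")
    conn.executescript(sql)


def record_login_safe(conn, username):
    """After: a parameterized query. The value is sent separately from the SQL
    text, so quotes and semicolons inside it are ordinary characters."""
    conn.execute("UPDATE CustomerLogins SET last_login = datetime('now') "
                 "WHERE username = ?", (username,))
    conn.commit()


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def logged_in_users(conn):
    """Usernames whose last_login has been set."""
    return [r[0] for r in conn.execute(
        "SELECT username FROM CustomerLogins WHERE last_login IS NOT NULL")]


if __name__ == "__main__":
    db = make_db()
    record_login_vulnerable(db, INJECTED_USERNAME)
    print("vulnerable: CustomerLogins still exists?", table_exists(db, "CustomerLogins"))
    db = make_db()
    record_login_safe(db, INJECTED_USERNAME)
    print("safe: CustomerLogins still exists?", table_exists(db, "CustomerLogins"))
    print("safe: users with a login recorded:", logged_in_users(db))
```

The parameterized version never builds SQL text out of the input; the same string simply fails to match any username and the table survives. That, rather than escaping quotes by hand, is the standard mitigation, and it costs nothing on the legitimate path: both versions record john’s login correctly when the input is just “john”.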
Many modern web applications are designed with a microservice/REST API based architecture.
For instance, you can send an HTTP request to a web application that looks something like this to get all the active users of the application:
http://www.somewebsite.com/users
When the web application receives this particular web address, it interprets this as a command to retrieve all the active users from whatever backend database system the web application is tied to.
But unless a software developer adds security around this API, literally any person on the internet who can connect to the website can call any API on that system, whether they’re authorized to do so or not.
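What “adding security around this API” looks like in the smallest possible form, as an added example that is not from the original post: a GET /users handler with no checks beside one that authenticates the caller and then authorizes the action. The user table, the roles, the session tokens and the handler names are all constructed for the demo; no web framework is involved, the handlers are plain functions taking the method, path and headers.

```python
import hmac

# Constructed sample data for the demo: a user table with roles, and session
# tokens that a login step would normally have issued (not real credentials).
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
}
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}


def authenticate(headers):
    """Return the username behind a valid 'Authorization: Bearer <token>' header,
    or None. Tokens are compared in constant time to avoid timing leaks."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, user in SESSIONS.items():
        if hmac.compare_digest(presented, token.encode()):
            return user
    return None


def handle_users_unprotected(method, path, headers):
    """Before: GET /users answers anyone who can reach the URL."""
    if method == "GET" and path == "/users":
        return 200, sorted(USERS)
    return 404, None


def handle_users_protected(method, path, headers):
    """After: authenticate first, then authorize, then serve.
    401 = no valid login; 403 = logged in but not allowed. Listing every user
    is treated as an admin-only action here (a policy choice for this demo)."""
    if not (method == "GET" and path == "/users"):
        return 404, None
    user = authenticate(headers)
    if user is None:
        return 401, None
    if USERS[user]["role"] != "admin":
        return 403, None
    return 200, sorted(USERS)


if __name__ == "__main__":
    anonymous = {}
    bob = {"Authorization": "Bearer tok-bob"}
    alice = {"Authorization": "Bearer tok-alice"}
    print("unprotected, anonymous:", handle_users_unprotected("GET", "/users", anonymous))
    print("protected, anonymous:  ", handle_users_protected("GET", "/users", anonymous))
    print("protected, bob (user): ", handle_users_protected("GET", "/users", bob))
    print("protected, alice (admin):", handle_users_protected("GET", "/users", alice))
```

The two checks are deliberately separate: authentication answers “who is calling?” and authorization answers “may this caller do this?”. Skipping the second one is the more common mistake, because a valid login for any account then unlocks every endpoint.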
Again, every cybersecurity video I watched drove this point home. Security doesn’t come for free: a software developer must consciously bake security into every major layer of an application.
This was just scratching the surface of security vulnerabilities that hackers take advantage of.
Even websites that require a login page where you must enter a valid username and password are vulnerable to hacking attacks.
One of the easiest hacks is literally guessing common passwords that many people (and I’m just as guilty as the next person of using simple passwords) like using.
Hackers often use password dictionaries, which are literally lists of passwords that people commonly use, to gain access to a system. They can write automated scripts that read the list line by line and submit each password to the website’s login form until one succeeds.
If passwords are stored as clear text in a database, all a hacker has to do is compromise the database, and they instantly have thousands, if not millions, of passwords if it’s a high-traffic website.
Even if the passwords are stored hashed (often loosely called “encrypted”), there are precomputed dictionaries of hashed passwords that work much the same way as plain-text password dictionaries.
To mitigate this, a developer must use a “salted hash”: a random salt value is mixed into each password before hashing, so enough randomness is introduced into the stored hash that a precomputed hash dictionary no longer works.
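The following is an added example, not code from the original post, covering both points above: the line-by-line guessing script is blunted by locking an account after repeated failures, and the precomputed hash dictionary is blunted by a per-user salt and a slow hash. It uses only the Python standard library (hashlib’s PBKDF2-HMAC, hmac.compare_digest, os.urandom); the common-password list, the UserStore class, the iteration count and the lockout threshold are constructed for the demo. The example also shows the limit of salting: a table built for one user’s salt still finds that user’s password if it is a common one, so salting forces per-user work rather than rescuing weak passwords.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "password dictionary" of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster
MAX_FAILURES = 5       # online guessing: lock the account after this many misses


def hash_unsalted(password):
    """Before: a bare SHA-256. Every user with the same password gets the same
    digest, so one precomputed table of hashed common passwords cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """After: PBKDF2-HMAC-SHA256 with a per-user random salt. The salt need not be
    secret; it makes shared precomputed tables useless and each guess slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_lookup_table(hash_fn):
    """An 'encrypted password dictionary': digest -> plain text for COMMON_PASSWORDS."""
    return {hash_fn(p): p for p in COMMON_PASSWORDS}


class UserStore:
    """Keeps (salt, digest) per user and locks an account after repeated failures,
    which is what stops a script from trying a whole dictionary against one login."""

    def __init__(self):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> consecutive failed logins

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hash_salted(password, salt))

    def salt_for(self, username):
        return self._users[username][0]

    def digest_for(self, username):
        return self._users[username][1]

    def login(self, username, password):
        """Returns 'ok', 'bad-password' or 'locked'. Unknown users are checked
        against a dummy record so response time does not reveal valid usernames."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        salt, stored = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        matches = hmac.compare_digest(hash_salted(password, salt), stored)
        if matches and username in self._users:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad-password"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "letmein")
    store.register("bob", "letmein")
    print("same password, different digests:",
          store.digest_for("alice") != store.digest_for("bob"))
    plain_table = build_lookup_table(hash_unsalted)
    print("unsalted lookup cracks 'letmein':", plain_table.get(hash_unsalted("letmein")))
    alice_table = build_lookup_table(lambda p: hash_salted(p, store.salt_for("alice")))
    print("alice's table against bob's digest:", alice_table.get(store.digest_for("bob")))
    for _ in range(MAX_FAILURES):
        store.login("bob", "guess")
    print("bob after repeated wrong guesses:", store.login("bob", "letmein"))
```

Two details matter in practice: the comparison uses hmac.compare_digest so the time taken does not leak how many bytes matched, and an unknown username still pays for a hash computation so that response time does not tell an attacker which accounts exist.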
Hackers even take advantage of the network traffic a web application uses. If the data that travels over the internet isn’t encrypted, it’s open to hackers, who can use network sniffing tools to literally see the data traveling over the wire.
I’ve only scratched the surface of all the major kinds of security vulnerabilities that hackers exploit to gain access to valuable data and systems.
The rule of thumb for any kind of dynamic web application is to assume that any user input is a potential attack vector for a devious hacker. Like the famous X-Files mantra: “Trust No One”.
Is there such a thing as an impenetrable, hacker-proof web application? If there is, I’ve never heard of it.
The goal of a web developer is to plug up all the major security vulnerabilities and exploits that are associated with web applications.
The hope is to force hackers to spend so much time and effort trying to bypass the security you bake into your application that they give up, knowing there are easier, more vulnerable systems out on the internet and that yours would take too much time and effort to keep attacking.
We, as software developers, have to assume there are devious and nefarious bad guys out there who are just itching to get into our systems and wreak havoc. It’s not the technology that is bad; it’s the people using technology for the wrong reasons that we must constantly fight against.
And it can be done, if security is the FIRST and not the LAST thing to consider in any sort of software application.
Ok, time to check my e-mail … oh cool! A chain letter request from the Bank of Nigeria!