As a private investigator, I worked in the physical world of fraud and theft. My work revolved around documents, interviews and going to physical locations to see if everything added up. Hacking, though, seemed like a different universe. I read about it at every opportunity, but the techniques were removed because I lacked the technical understanding to differentiate one scheme from another. And when I say scheme, I really mean scheme. Just like offline fraud, common scams are used most of the time.
This post will be an ongoing one that I’ll update as I learn more. The goal is to meld my old-school journalism chops (write for an eighth grader) with the tech chops I’m picking up.
SQL Injection: A malicious string is typed into a website form field such as a username, phone number or similar input. If the site administrator doesn’t have adequate protection against this, that input becomes part of the database query when the form is submitted, and the resulting query can do such things as delete an entire database. The SQL injection technique is used 80% of the time when data breaches occur at retailers.
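To make the mechanism concrete, here is an added example (not code from the original post) showing the same username lookup written two ways: pasting the form field into the SQL text, and the parameterized fix. The table, names and the injection string are constructed for the demo; it uses Python's built-in sqlite3 so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "555-0100"), ("bob", "555-0101")])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by pasting the form field into the query text.

    Whatever the user typed becomes part of the SQL statement itself,
    so a quote character in the input changes the query's meaning."""
    sql = ("SELECT username, phone FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a parameterized query (the fix).

    The SQL text is fixed; the driver passes the value separately, so the
    input is only ever compared as data and can never become SQL."""
    sql = "SELECT username, phone FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs both lookups on a normal name, a name containing an apostrophe,
    and a constructed injection string; returns (vulnerable, safe) row counts."""
    conn = make_db()
    results = {}
    for label, value in [("normal", "alice"),
                         ("apostrophe", "O'Brien"),      # legitimate input
                         ("injection", "x' OR '1'='1")]:  # constructed payload
        try:
            vuln = len(lookup_vulnerable(conn, value))
        except sqlite3.OperationalError:
            vuln = "syntax error"  # the apostrophe alone broke the query
        results[label] = (vuln, len(lookup_safe(conn, value)))
    return results


if __name__ == "__main__":
    for label, counts in demo().items():
        print(label, counts)
```

Note that the concatenated version fails even on an honest name with an apostrophe, while the injection string makes it return every row; the parameterized version treats both inputs as plain text and matches nothing.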
Cross-Site Scripting: Also known as XSS, malicious code is inserted into a website form in a similar manner to SQL injection. But instead of attacking the database, the code runs in other visitors’ browsers, where it hijacks their browser session. This allows a hacker to redirect users to malicious sites and/or impersonate users elsewhere on the web. Facebook and Twitter have both been exploited by XSS.
Dictionary Attack: Hackers armed with a username bombard the password input with every possible word in the dictionary along with numbers. (There are known databases full of these values, and they’re called rainbow tables.) It’s a huge, slow undertaking, but even succeeding 10% of the time can net the hacker a big return. Once they have access to a user account — whether it’s an email account or an Amazon account — the hacker has free rein to reset passwords for bank accounts and a ton of other things. An 18-year-old hacker used a dictionary attack on a Twitter tech support employee’s account to gain access to 33 celebrity accounts, including Miley Cyrus’s.