After three months of headlines from China to the White House and every geek haven in between, this week introduced the world to the cyber attack that may or may not be slowing down the entire Internet, followed by the digital assault on American Express. Yes, 2013 is already the year there were too many hacking incidents to keep track of, but "hacking" has also become a kind of catch-all for nefarious things done on a computer, and it's becoming increasingly difficult to tell global headline apart from personal headache. That kind of vagueness has left average Internet users wondering whether they could be exposed to the same threats as major companies and government systems — and has demonized "hackers" like Aaron Swartz, Matthew Keys, and Weev, who face(d) felonies and jail time for low-level computer crimes. With more than a few different kinds of "hacks" dominating the news in just the last couple of weeks alone, it's about time somebody defined the hacking headlines once and for all.
Guccifer and the Personal E-Mail Hack
What It Looks Like: That hacker who goes by the name Guccifer — the one who has released alleged Benghazi emails from Hillary Clinton in addition to the much more entertaining George W. Bush paintings — isn't much of a computer mastermind. He's of a certain level of email lurker, the kind that Wired's Mat Honan thoroughly described in his own tale of becoming a hacking victim. Lurkers gain access to an email account and use that to get more information. Our emails contain lots of personal messages, of course, but they're also likely to link up in some form to all our other Internet accounts, including the important ones like online banking and credit card purchasing. The Guccifer style of attack, then, comes down to password guessing. Which, in turn, can lead to more personal information mined from password protected sites like Facebook. Anonymous has been known to use the email password grab to hijack the Twitter accounts of members of the Westboro Baptist Church.
Fear Factor: Low-Medium. Once someone does get inside an email account, it can be scary just how quickly everything else falls apart. But the technique isn't exactly computer science, and these types of hacks can be avoided — if you have a safe enough email provider. Indeed, email lurkers have publicly exposed security flaws inside some of the most popular inboxes in the world; Guccifer, for the most part, has gone after AOL, Yahoo, and Comcast accounts, which don't have very good security — it only takes a few personal details to get an AOL user to fork over a password. Careful password habits like using two-step verification should help the average non-Bush user fend off these kinds of security breaches.
China and the Click-This-Link Hack
What It Looks Like: In an attempt to get us to download malware (software that can do various types of bad things to our computer), hackers often sneak in malicious links directed to places on the web that we really shouldn't be visiting. The link bait comes in many forms, from random links in an email (a.k.a. spear-phishing) to Twitter direct messages with somewhat obviously fishy but nonetheless alluring questions like "Are these photos really you?"
Fear Factor: Medium. A lot of different levels of hackers use the link-doom method, from those creeps trying to take over unsuspecting women's webcams to the secret unit apparently linked to the People's Liberation Army in China, which reportedly used very well concealed spear-phishing to get high-level people inside various media outlets to download malware and use it for the purposes of international espionage at that drab-looking building over there. For the average Twitter user, though, there are various ways to avoid downloading malware, even spear-phishing, which does a very good job of looking legitimate. But basically, don't click things that look fishy (or phishy), don't visit suspect forums, and don't buy suspect things. And make sure your computer's anti-malware program, scripts, and browsers are up to date.
Facebook & Apple and the Trendy 'Watering Hole' Method
What It Looks Like: This is another, more clandestine way to get people to download malware, and that was likely the type of hack (probably from China) that infiltrated the internal servers at Facebook, Apple, and possibly Twitter, as the companies reported, like dominoes, in February. This type of hack doesn't target an individual but a website that many individuals visit — you know, like when the people visit the watering hole. When trying to target Facebook's developers, for example, hackers planted "malicious code injected into the HTML of the site used an exploit in Oracle's Java plug-in," as AllThingsD's Mike Isaac explained.
Fear Factor: High. Once you visit an infected site, well, that's pretty much the end of the attack. That's the thing that trips up a lot of people writing about and spreading fears around hacking, and the Facebooks and Twitters of the world are pretty good at protecting their accounts when they get played. But if you're looking for a solution, a lot of people have suggested that getting rid of Java might help your situation, since a lot of malware exploits that code deployment platform. Then again, it might not really be that easy, since the malware spreads so fast and to such large sites.
North Korea & Iran and the DDoS Attack
What It Looks Like: Denial-of-service attacks have received a lot of attention this week because of the fight between Spamhaus and Cyberbunker, which resulted in the biggest DDoS attack ever. These rapid-fire attacks, which infect computers with malware to overwhelm and then shut down websites, were also responsible for the big bank attacks over the last few months, including Thursday's AmEx breach, which likely came from an Iranian hacker group called the Izz ad-Din al-Qassam Cyber Fighters. That South Korean hack the other day from North Korea was also likely of the DDoS variety. And denials of service are getting more powerful. The AmEx hack, for example, "infected powerful, commercial data centers with sophisticated malware and directed them to simultaneously fire at each bank, giving them the horsepower to inflict a huge attack," as The New York Times's Nicole Perlroth and David Sanger explain.
Fear Factor: Very High. While some have accused the Times of being sensationalist with its use of "cyber warfare," the DDoS attacks have become more and more powerful, which is cause for concern. There are ways to close certain holes on the web's DNS servers that could ease the flood of relatively tame denial-of-service attacks, but when it comes to national security the U.S. is no match for China's hackers, who are trying to take down some of America's most crucial infrastructure. President Obama acknowledged the threat in his State of the Union address and recently met with major business leaders about cyber attacks. In addition to clandestine efforts to fight back against China's cyber fighters, though, the White House is now looking at something like sanctions: The latest government funding bill would make it harder for Chinese companies to sell tech products to a few federal agencies, according to Politico, although that's only minorly comforting. But Obama has ordered cyber attacks on Iran, after the famous Stuxnet worm targeted U.S. computer infrastructure.
Aaron Swartz, Matthew Keys & Weev and "Unauthorized Access"
What It Looks Like: Nothing like a vague legal term to get the people talking. "Unauthorized access" can blanket pretty much any computer related crime, as federal investigators have made blatantly clear in the high-profile cases of three men facing lots of prison time for not a lot of hacking. In theory, "unauthorized access" means getting into a person or an organization's computer even though you're not supposed to — even though that's pretty much the point of hacking. But the term has been used very differently in accusing each of the three men: Swartz literally went inside an MIT server room and assigned himself IP addresses, Keys gave up some access to the content management system of the Los Angeles Times website, and it's not even clear what Weev accessed without authority. Many, many people, from inside the hacking community and out, have accused the government of using the "unauthorized access" charge to prove a point.
Fear Factor: Low. The scary part is how vague the definition of a not scary hacking act has become. Authorities and bigger organizations and businesses tend to fear these kinds of attacks more than individuals, because it's usually the individuals (or Anonymous) who use the highly illegal tactics to make often mundane points of their own.
...and Physical Cable Hacks
What It Looks Like: Forget cyber hacks, people are still hacking actual Internet cable lines! In an attempt to take an entire continent offline, three scuba diving hackers have now gone straight to the source and literally cut the cords in Egypt.
Fear Factor: Medium. It's definitely the most effective way to take out an entire country or continent's Internet. But, it's pretty conspicuous and not very precise. You've got to be a pretty smart underwater hacker to be an effective one.
There are certainly other types of "hacks" out there, but this should help clarify things the next time you're facing three frightening headlines about technology in one newspaper. China isn't coming after your Netflix account. But you should still probably dump that stupid password, beef up your email and computer security, and avoid the MIT server room. And the North Koreans. Those guys are up to no good.