The ramblings of web developer Beau Brownlee

 
June 22nd, 2011

I’ve been preaching the gospel of security for years. The response? Typically something like this: *glazed-over eyes* ‘hmm... wow... hmm, yeah... um... that’s interesting, we should look into that’, or ‘Wow, you’re paranoid, aren’t you?’, or ‘Oh, no one could figure out how to hack into our web application’ (that one is a particular favorite). The fact is this: crackers (notice I did not say hackers, as a hacker is ethical and a ‘cracker’ just wants to ‘crack’ a system and cause trouble) are out there. Everywhere. And they are becoming more sophisticated. For a while it seemed that most crackers were just looking for weaknesses: any website, application or network with gaping security holes was exploited. Just this past week two of my friends’ Gmail accounts were hijacked and I received spam email from them. They took their laptops to an open wifi, checked their email, and they were had. Even more interesting, there are far more sophisticated techniques, such as a group of Russian hackers who developed a way to break into an encrypted wifi network by capturing the wifi key material and brute-forcing it on an Nvidia graphics card: http://www.tomshardware.com/news/nvidia-gpu-wifi-hack,6483.html. This technique is also taking brute-force password cracking by storm, since a GPU can attempt tens of millions of guesses per second. All of this sounds technical and hard to do, but the exact opposite is true. It’s easy. Not just for some technical guru, but for anyone who is remotely interested in hacking. These days we have very sophisticated tools with easy-to-use GUIs and lots of YouTube tutorials on how to use them, such as Cain & Abel by oxid.it, which is a very powerful network hacking tool (among other things). Hey, these days you don’t even need to do anything more than press a button to hack someone’s website with tools such as Firesheep, which uses session hijacking to let an unauthorized user appear as an authorized user.
To top it all off, the amount of hacking is increasing at an alarming rate. Recently we have had Sony, CitiGroup and the CIA (just to name a few). Not all system cracks are more sophisticated, though; some are just more of the same thing. CitiGroup, for example: the crackers were able to obtain a list of account numbers and retrieve sensitive information simply by substituting account numbers into a string in the browser’s address bar, because the server never checked whether the logged-in user actually owned the account it was asked for. Obviously a company that decided not to take security seriously.
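The CitiGroup-style flaw above (an identifier taken straight from the URL and never checked against the logged-in user), shown in Python as an added example that is not from the original post: the unchecked lookup, the fixed lookup, and a small log check a defender can run to spot someone walking through account numbers. The account data, user names and log tuples are constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample data: account number -> record (not real accounts).
ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 1200},
    "10002": {"owner": "bob", "balance": 35},
}


def get_account_vulnerable(account_id):
    """Whatever account number arrives in the address bar is looked up
    and returned. Anyone who can reach the URL can read every account."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(session_user, account_id):
    """Look the record up, then verify the caller owns it.
    Returns (status, body): 401 with no session, 404 for ids that are
    missing or belong to someone else, 200 with the record otherwise."""
    if session_user is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    # Answer 404 for both "missing" and "not yours", so the response does
    # not confirm which account numbers exist.
    if record is None or record["owner"] != session_user:
        return 404, None
    return 200, record


def flag_enumeration(requests, threshold=3):
    """Detection side: given (session_user, account_id) pairs taken from an
    access log, return users who touched more distinct account ids than
    the threshold. A normal customer views a handful of their own accounts;
    a script substituting numbers into the URL touches many."""
    seen = defaultdict(set)
    for user, account_id in requests:
        seen[user].add(account_id)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    # Constructed log: alice's session requests four different accounts.
    log = [("alice", "10001"), ("alice", "10002"), ("alice", "10003"),
           ("alice", "10004"), ("bob", "10002")]
    print(get_account_vulnerable("10002"))        # bob's record, no check
    print(get_account_fixed("alice", "10002"))    # (404, None)
    print(flag_enumeration(log))                  # ['alice']
```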

Easy Conclusion

Security isn’t an option. It never has been, and the feeble excuses developers make to try and get out of doing the right thing are being stripped away. There is nothing left except to learn about security and implement it. And how do we implement security? By becoming hackers ourselves. We have to read what hackers are saying and get our hands dirty trying to break into our own systems. When we do, our eyes are opened to just how easy it is for a determined person to get into a system, and then we are able to put up walls to stop it.

Am I paranoid? Well, the word paranoid means someone who has undue fear of something that really doesn’t exist. Unless I missed it, I think the evidence clearly shows that crackers most definitely do exist, that they are very active, and that they can and will attack you at some point. The opposite, of course, is ‘naive’, which means someone who has a very simple nature and a great lack of experience and judgement. Anyone who thinks that security isn’t paramount in application development or network/server administration and shouldn’t be given extra attention should have their head examined. We as developers cannot afford to have our heads stuck in the sand anymore. The crackers are simply not going away. They are growing in numbers and sophistication, and so must we.
