5 May
Hacking: Are there really multiple types, and can it be good?
So, what is hacking really?
Is it an all-encompassing word that should be used when ‘bad stuff’ happens? No
Is it a phrase that is often over-used to promote one’s own ego? Yes
Is it something that is catastrophic and unrecoverable from? That depends on what was done.
Hacking, in its true and pure form, is simply modification. It’s not even always ‘unwanted’ modification, it’s just modification. For example, for many of my clients, I “hack” VBulletin to get what they want done. Now, is that a ‘bad’ thing? Not at all.
Usually, I’d turn to the dictionary for a reference on what ‘hacking’ is, but in this case it’d be worthless, because Webster’s and online dictionaries don’t have a clue what it is (or if they do, they’re hiding it ;)).
There are a few forms of hacking, many evidenced by some sort of ‘credit’ being given to the hacker.
- Code Injection
Code injection is simply inserting X code in X application, in order to get it to do something you don’t want it to do (or something it wasn’t designed to do). This is typically done by some sort of a ‘script’. A great example of this is phpbb, which is known for its “code injection” hacks over the years. Typically these are run by teenagers who just want to get famous at someone else’s expense (if they’re even teenagers), hence the term ‘script kiddies’ was adopted. The best way to avoid this kind of attack is to use your own code, or keep your code up to date. Developers frequently release updates, and no matter HOW modified your code is, you should always get it updated, ALWAYS!
- SQL Injection
SQL injection involves the attacker gaining access to your web page, and ‘injecting’ certain code into the database itself. This is a very messy hack, and very complicated to remove in many cases. In many cases, the website is restored to a much earlier backup state, or the website is started ‘from scratch’. How to avoid ‘SQL injection’? Two things come to mind here:
Firstly, keep your website code up to date. This is a critical issue and without keeping your website up to date, you’re going to go through this quite constantly.
Secondly, make sure that you are using proper code. SQL injections are focused on certain codebases because they’re easier to exploit. PHPBB and the nuke products (phpnuke, cpgnuke, etc) come to mind, as they’re easily manipulatable, and have very minimal security.
- Website Manipulation
Website manipulation relies on individuals being able to actually get things into the website. For example, let’s say your server is running a ‘file upload’ service, and that service doesn’t secure the directories properly. Well, of course, you’re going to run into issues with manipulation there, and of course, that’s going to be exploited. Ways to avoid “website manipulation”? Never, EVER give anyone write permission to your website’s subdirectories. There ARE secure alternatives to this (storing things OUTSIDE of the webroot is a perfect example of that) that don’t actually require full insecure permissions. The idea is to keep things random, and to keep things stored PROPERLY, not in a 777 (a+xrw) directory just inside of your webroot named downloads, attachments, or some other hysterical garbage!
- System Manipulation
This is the most complicated of them all, and usually by this point you’re screwed, quite literally.
If a hacker has gotten into your system, you’re going to need to be reloaded, from the ground up. Forget anything you had on the system, it’s all lost, it’s all gone. Oh, sure, you MIGHT (note:might) be able to recover the system, but it will NEVER be trustworthy again!
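The storage advice under Website Manipulation above, sketched in Python as an added example (not code from the original post): uploads go to a directory outside the webroot under a random name with owner-only permissions, and an audit helper lists world-writable directories under the webroot. All function names and paths here are hypothetical.

```python
import os
import secrets
import stat
from pathlib import Path


class UnsafeUploadDir(Exception):
    """Raised when the storage directory is inside the webroot or world-writable."""


def check_upload_dir(upload_dir: Path, webroot: Path) -> None:
    """Refuse a storage directory that is inside the webroot or world-writable."""
    upload_dir, webroot = upload_dir.resolve(), webroot.resolve()
    if upload_dir == webroot or webroot in upload_dir.parents:
        raise UnsafeUploadDir(f"{upload_dir} is inside the webroot {webroot}")
    mode = stat.S_IMODE(upload_dir.stat().st_mode)
    if mode & stat.S_IWOTH:
        raise UnsafeUploadDir(f"{upload_dir} is world-writable (mode {mode:o})")


def store_upload(data: bytes, upload_dir: Path, webroot: Path) -> Path:
    """Write an upload under a random name, owner read/write only, never executable."""
    check_upload_dir(upload_dir, webroot)
    # The client-supplied filename is never used on disk; keep it in the database
    # next to this random token if it has to be shown to users later.
    dest = upload_dir / secrets.token_hex(16)
    # O_EXCL fails instead of overwriting; 0o600 gives group and other no access.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def world_writable_dirs(webroot: Path) -> list[Path]:
    """Audit helper: every directory under the webroot that 'other' can write to."""
    found = []
    for root, dirs, _files in os.walk(webroot):
        for name in dirs:
            path = Path(root) / name
            if stat.S_IMODE(path.lstat().st_mode) & stat.S_IWOTH:
                found.append(path)
    return sorted(found)
```

The application then serves stored files through its own download handler, which looks up the random token, rather than letting the web server map URLs straight onto the storage directory.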
Now, there are a lot of schools on ‘hacking’, and a lot of things that can come from it. Some consider hacking ‘ethical’, some don’t. Personally, I say it’s all about choice. The only thing that all humans should live by is one very simple statement (and it applies here as well):
Do No Harm
An even MORE appropriate statement? Something we ALL should have been taught growing up
If it’s not yours, don’t touch it
I don’t care if you’re testing something on something, as long as it belongs to you and you’re fully aware of what CAN happen. The second you tread on someone else’s territory and website is the SECOND you violate that rule, and the SECOND you deserve any and all repercussions you’re going to get, legal, and non.
Next week? The benefits of PROPER, ETHICAL hacking. Until then, keep checking back, as I might just post something sooner!
Tom














