How Hackers Take Down Websites

Rob Olson breaks into websites for a living. But don’t call the cops; he’s a good guy. Olson — who is also a senior lecturer in the Department of Computing Security at the Rochester Institute of Technology in Rochester, New York, and technical director of the University’s Eaton Cybersecurity lab — is a white-hat hacker. Or, as he puts it, a bit less dramatically, an expert in offensive security. That means he hacks businesses’ websites, at their request, to expose security weaknesses. Then he tells his clients how they can fix the problems he exploited to get in.

It’s a much-needed service because someone, somewhere, is always trying to get into websites. Pretty much all sites are under more or less constant attack. Olson calls this continual barrage of login attempts “a sort of background radiation.” 

Methods and Motives

Methods and motives for attacks vary, as do the levels of sophistication of the perpetrators, or adversaries, as they are called in the cybersecurity trade. The adversary behind a website attack might be working for an intelligence agency or the military of a nation-state. Or it might be a high schooler who downloaded a free program from the Internet, says Olson.

More on Hackers:

Until recently, the most common website attacks were denial of service (DoS) attacks, according to monitoring maintained by OWASP (Open Web Application Security Project), an organization working to improve software security. These attacks are popular in part because they’re easy — or at least easy for people who know how to do this sort of thing. They amount to sending more traffic to a website than it can handle, thereby causing it to crash. Distributed denial of service (DDoS) attacks are just bigger, slightly more sophisticated versions of DoS. With DDoS, multiple computers are used in a coordinated fashion to send enormous amounts of traffic to a site, overwhelming its ability to process it. Olson explains that these attacks aren’t intended to damage the site or steal data. Often they’re a form of protest. They were common in the 2010–2012 era, he says, when “hacktivism” was big. 

SQL (structured query language) injection attacks are also common. This method of bringing down a website is slightly more sophisticated than DDoS attacks. These attacks take advantage of the fact that programming is difficult, and people make mistakes. Or sometimes, software developers take calculated risks to save time or make the product user-friendly. For whatever reason, these security vulnerabilities allow attackers to send queries to a site’s database that trick the software into allowing them entry.

The OWASP top-ten list now has Broken Access Control in the number-one spot. In this scenario, attackers get into a website by exploiting the difficulty programmers have in ensuring that the web application doesn’t allow access to the wrong user. According to OWASP, once in, the attacker can do loads of damage, sometimes even take over site administration.

 High Tech Cons

All this may sound like a frantic arms race between software developers and the bad guys. But it’s not exactly that, says Olson. Cybersecurity experts have a pretty good grasp on best practices, he says. The real challenge isn’t developing new protections; it’s educating people about the ones we already have. “I’ve never met anyone who really wants to do less security,” he says. “When people know best practices, they tend to do them. They just don’t understand what they need to be doing.”

That’s a problem for software developers and website owners. But fortunately for the rest of us, best practices are fairly easy to implement: keep your software up to date; use strong passwords or use a password manager; don’t download software without paying for it. (As Olson points out, no one is offering free copies of Windows out of the goodness of their heart.)

For most of us, our greatest security vulnerability is the same thing it was long before the computer age: naiveté. Those emails trying to get your login info? Olson calls this “technological con artistry.” It’s not really that different from the scams people have been running since the serpent tricked Eve into tasting the apple. We’re just seeing the tech-era version now.

“The biggest thing that most people need to know about cybersecurity,” says Olson, “is that chances are very good no one’s going to target you. Most of us are not that interesting. Unless you’re a really high-value target, no one’s going to be spending a lot of resources on getting into, let’s say, your personal bank account. Use a little common sense, and you should be fine.”