A brief history of hacking. A story from the head of information security Yandex

    Hello! My name is Anton Karpov, in Yandex, I lead the information security service. Recently, I had the task to tell schoolchildren - students of Yandex Small ShAD - about the profession of a security specialist. I decided that instead of the boring theory that can already be read in textbooks (and what can you tell in one lecture!), It’s better to tell the story of computer security. Based on the lecture, I prepared this short story.

    Say what you like, and information security for many is strongly associated with hackers. Therefore, I want to tell you today about hackers and their story. Nowadays, a hacker is understood as an attacker who does something illegal, breaks into some systems with material gain for himself. But this was not always the case.

    Let's go back half a century, in the 1960s, when computers gradually began to penetrate our lives. Hacking started back then, with attempts to use the technique for other purposes. For example, to run the game you wrote on it. In those days, the concept of a “hacker" is a very enthusiastic person trying to do something non-standard with the system. After all, access to computers was mainly among university employees, and there was not much processor time for each. You, literally, were allowed to work with a computer only a few hours a week, according to a strict schedule. But even in such conditions, people managed to make time for experiments. The hackers of that time were interested not only in solving some kind of computational task, they wanted to understand how the machine is arranged and works.

    In the 70s, hacking was finally formed as an attempt to "play" with the information system, bypassing its limitations. There was no Internet then, but there was already telephony. Therefore, a phenomenon such as phreaking appeared. The father of phreaking is John Draper, known as Captain Crunch. One day he found a gift in his Captain Crunch corn flakes - a whistle. Telephone lines at that time were analog and telephone sets communicated with each other through the exchange of tone signals. It turned out that the tone of the whistle discovered by Draper coincides with the tone used by the telephone equipment to transmit commands. Frickers (the so-called enthusiasts of "games" with automatic telephone exchanges) began to emulate a command system with whistles and dialed free calls from street phones to neighboring cities and states. The next step was the creation of a “blue box” - an apparatus that emulated all the same tone commands. He allowed not only to dial the necessary numbers, but also to use secret service lines. Having given a signal at a frequency of 2600 Hz, it was possible to transfer telephone systems into administrative mode and get through to numbers inaccessible to an ordinary person, for example, the White House. The entertainment continued until the end of the 80s, when the popular newspaper published a large article on the “blue box”, which attracted the attention of the police in the freekers. Many phreakers, including Draper himself, were arrested. Later, however, it was possible to figure out what they were doing all this not for the sake of money, but rather out of sports interest and pampering. At that time, the criminal code simply did not contain any articles relating to fraud with information systems,

    In the 80s, the word "hacker" first got a negative connotation. In the minds of people, the image of a hacker as a person who can do something illegal to make a profit has already begun to take shape. In 1983, on the cover of Newsweek, one of the founders of the hacker group "414s" appeared, which became famous thanks to a series of hacks of serious computer systems. Hackers also have their own magazines and other ways of exchanging information.

    In the same years, the authorities of Western countries began to formulate laws related to computer security. However, the scale, of course, cannot be compared with today. So, a lot of noise happened around the case of Kevin Poulsen, who, thanks to his phreaking skills, was the first to get on the air of the KIIS-FM radio station, which allowed him to win a Porsche car in the framework of the ongoing contest. Compared to modern attacks that allow millions of dollars to be discounted, this is just a trifle, but then this story caused a very great resonance.

    The nineties is an era of active development of the Internet, at the same time, a criminal connotation is finally assigned to hacking. During the nineties, one of the most famous hackers of the twentieth century was convicted twice - Kevin Mitnik, who hacked the internal network of the DEC company. Personal computers have already become relatively accessible to ordinary people, while no one really thought about security. A huge number of ready-made programs appeared with the help of which it was possible to crack user computers without having any serious technical skills and abilities. What is only the well-known winnuke program, which allowed sending Windows 95/98 to the blue screen by sending a single IP packet. In general, the nineties are considered the golden years of dark hackers: there are plenty of opportunities for fraud,

    Another distinguishing feature of the nineties is the huge number of Hollywood films “about hackers” as an illustration of the fact that hacking computer systems is gradually becoming a “commonplace curiosity” for the masses. Remember, almost every such film necessarily featured some kind of virus that blew up the monitors;). Maybe it was because of the film industry that users had the stereotype “security is viruses” in their heads, which, of course, helped many antivirus companies make their fortunes.

    In 2002, Bill Gates wrote a letter to his employees at Microsoft stating that the situation needed to be fixed and it was time to start developing software with an eye to safety. This initiative is called “Trustworthy computing”, and it is still developing. Starting with Windows Vista, this idea began to come true. The number of vulnerabilities in the operating system from Microsoft has noticeably decreased, and exploits for them are becoming less and less publicly available. Surprisingly it sounds, but in terms of security approach, the latest versions of Windows are much more reliable than other common operating systems. So, in OS X only recently began to appear mechanisms that make exploitation of vulnerabilities more difficult.

    Zero years of our century. Digital crime goes to a new level. Communication channels have become thicker, it has become easier to carry out massive DDoS attacks. No one is already hacking into computer systems just for fun, it's a multi-billion dollar business. Botnets are blooming: huge systems made up of millions of infected computers.

    Another characteristic feature of the last decade is the fact that the focus of the attacker has shifted to the user, to his personal computer. Systems are becoming more complex, a modern browser is no longer just a program that can render HTML, display text and images. This is a very complex mechanism, a full Internet window. Almost no one already uses individual messengers and email clients, all interaction with the Internet occurs through the browser. It is not surprising that one of the main methods of infection of users these days - drive-by-downloads - occurs just using a browser. Of course, in modern browsers, mechanisms to combat this have begun to appear, users are trying to warn that the visited site can be dangerous.

    Another major malware distribution channel is mobile devices. If in official application stores programs are somehow checked for malware, then from unofficial sources you can add almost anything to your device. And in general, the security of mobile devices is now a rather young and slightly messy industry, which is associated with the speed with which modern mobile platforms burst into our lives.

    Let's summarize what hacking is today and what we should expect in the near future. At the beginning of the 2000s, if any vulnerability was found in Windows, an exploit appeared almost immediately in free access, which allowed gaining control on the user computer. Then, the monetization of vulnerabilities was almost never thought of. Of course, there were programs that stole user data, diverted computers to botnets, but the vulnerabilities themselves leading to a computer being compromised were relatively easy to exploit, which meant writing an exploit. Over the past five years, finding a public exploit for a recently discovered vulnerability has become very difficult. Now it is a huge business. After all, write an exploit for a vulnerability in a system in which mechanisms like DEP and ASLR are implemented,

    Recent years have also shown that the security problems of the so-called “Internet of things” await us all. Computers with Internet access are now increasingly present in one form or another in a wide variety of household and medical devices, as well as cars. And the vulnerabilities in them are exactly the same as in ordinary computers. Research into hacking things we are familiar with is becoming a popular topic at the world's leading security conferences. Indeed, if attackers begin to take advantage of such vulnerabilities, this will pose a serious danger to the health and life of users. All the more important is the role of security specialist.

    Also popular now: