SecurityTrails Blog · Sep 13 · SecurityTrails team

How web software gets hacked — a history of its biggest exploits, and what may be coming in the future

When the Internet was created in the 1960s, it was envisioned as a revolutionary computer network reserved for a couple thousand researchers. There were many resources used in creating this fast and reliable network, and the security measures its developers took into consideration were mostly aimed towards preventing military threats and potential high-power intruders.

In those times, the Internet was conceived as a utopia. No one suspected that its users, the very people for whom it was made, would turn against each other.

It seems one could blame the Internet’s founders for not implementing enough security measures, but the reality is that we still don’t have all of those appropriate measures today, and we had even fewer of them in the ‘60s.

If you’re interested in expanding your knowledge, take a look at our previous posts on how to prevent DNS attacks and best security practices for preventing SSH attacks.

History of web exploiting

In 1957, the world was introduced to “phreaking.” A blind seven-year-old boy named Joe “Joybubbles” Engressia with absolute pitch (a rare auditory phenomenon described as the ability to identify or re-create a given musical note without reference tone) managed to interfere with AT&T’s automated telephone systems.

Then, the term “hacker” was introduced in the ’60s at MIT’s artificial intelligence labs, referring to a specialized group of individuals working and programming in FORTRAN.  

The '70s saw a number of phreaking attempts. One notable case involved a friend of Joe Joybubbles dubbed “Captain Crunch,” who devised a way to make free long-distance calls.

In the ‘80s, being a hacker meant that you belonged to an exclusive group. We had Chaos Computer Club in Germany and Legion of Doom in the USA, both still widely respected hacker groups.

Ian Murphy, aka “Captain Zip,” became the first person ever arrested and convicted on charges of a cyber crime, after hacking AT&T’s computers and changing their internal clocks.

On November 2, 1988, Robert Tappan Morris released the worm that came to be known as "the Morris worm.” This was one of the first worms to infect computers connected to the Internet, a historic, if infamous, event. This was the first exploit to shake up the Internet community by affecting users on a large scale, as the community at that time was itself not that large. As a result, the event gained significant media coverage.

The 1990s were an important decade for hackers and their image, when Operation Sundevil was introduced. This crackdown, conducted by Secret Service agents, investigated and arrested people linked to credit card theft and telephone fraud. The operation largely dismantled the hacker community, owing to the fact that many members of hacker groups reported each other to obtain immunity.

In the same decade, a Russian hacker group orchestrated an attack on Citibank, taking $10 million, which was later transferred by the group's leader, Vladimir Levin, to banks across the world.

Kevin Mitnick was arrested after attempted IP spoofing on network security expert Tsutomu Shimomura, which leads to a bit of...

Fun Trivia

After this attack and in reference to the hacking-related prank calls Tsutomu Shimomura received, “My kung fu is stronger than yours” became a popular catchphrase.

All throughout the ‘90s, hackers were able to work around the newly emerging World Wide Web, attacking and hacking websites belonging to the United States Department of Justice, United States Air Force, CIA, and U.S. Air Force base computers in Guam.

Along with being an important decade for hacking, the ‘90s were a crucial era for computer security, when numerous patches were released to fix bugs found in Windows operating systems.

The 2000s introduced new, creative and sophisticated ways of hacking.

At the beginning of the millennium, the “ILOVEYOU” worm managed to infect millions of computers, making it one of the most damaging worms known to this day.

And at this time, attacks targeted at DNS began.

Another important step for the hacker community, and the entire world, was taken in 2003, when the decentralized online group Anonymous was founded.

Throughout the years, hacking has taken a new form in worms designed for destruction of data, transferring from user to user by email. The “Melissa” worm was one of the first to work this way, by sending itself in email during the spring of 1999.

We also saw phishing attacks at the Office of the Secretary of Defense which included stealing sensitive U.S. defense information, attacks on The Pentagon and servers belonging to the Church of Scientology. These exploits resulted in confidential information being spread across the Internet.

Many of the world’s most famous websites and social media platforms have been hacked and private information belonging to millions of people has been compromised. Fortunately, efforts to create and use unbreakable security measures have been introduced to everyone using the Internet.

Biggest exploits

The Conficker Worm 2008

The Downadup program, also known as “The Conficker Worm,” first infected computers in 2008 and is still at large today. While it hasn’t caused any irrecoverable damage, the fact that infecting a computer with this worm can facilitate future malware attacks is frightening — it works by disabling antivirus software and can read credit-card numbers through keylogging that it later reports back to the hackers behind the attack.

Spamhaus 2013

The Spamhaus attack was the world’s largest DDoS attack in history. At the center of the attack was Spamhaus, a nonprofit service that blacklisted hackers and spammers reported by the users themselves. Using domain-name servers, attackers were able to send up to 300 gigabits per second of data, slowing down the Internet across the entire world.

Yahoo 2013 and 2014

Yahoo has publicly stated that they suffered two separate hacker attacks, one in 2013 and one in 2014, performed by two different hacker groups. The 2013 exploit affected all 3 billion users of Yahoo, because passwords and other valuable information were not as well protected then as they were by the time the 2014 attack occurred. This more recent incident affected around 500 million users.

Home Depot 2014

This is one of the largest hacks ever to be aimed at a large corporation, with a password from store vendors exploited and used to retrieve information involving 56 million credit cards, making it the largest retail credit card attack in history. Hackers had monitored transactions that were made on Home Depot’s self-checkout machines, enabling them to collect credit card information from buyers.

eBay 2014

Names, addresses, dates of birth, and encrypted passwords were exploited during a 2014 attack on eBay. The company stated that hackers used employee credentials to gain access into their computer systems and sent emails to customers with a request to change their passwords. On the positive side, all financial information was stored separately, sparing it from being exploited.

JP Morgan Chase 2014

This attack aimed at the nation’s largest bank compromised the data of 76 million households and 7 million small businesses. Exploited information included user names, addresses, email addresses, and phone numbers, and although the bank claims that no account information was stolen and no transactions were made, the fact that hackers were able to gain access to 90 bank servers makes the prospect of fraudulent transactions seem much more plausible.

LinkedIn, MySpace, Tumblr 2016

While these three data breaches happened during the period from 2012 to 2013, the data was leaked in 2016. It is suspected that the same hacker, going by the name of ‘Peace,’ is behind all three exploits. The information was published when the hacker in question released the breached data for sale on the dark web. The exact number of accounts stolen remains unknown, but based on the data offered for sale, the number of accounts stolen from LinkedIn was 167 million, from MySpace 360 million and from Tumblr 65 million.

Cloudbleed 2017

This bug, discovered in the internet infrastructure of Cloudflare, a CDN and web security provider, came to be known as Cloudbleed. The exploit was said to have caused leakage of sensitive information belonging to users of the platform, including HTTP and authentication cookies, but an even bigger problem was that the leaked sensitive data was already cached by search engines, making it available through search. Cloudflare worked with search engines to remove the cached data and the company has stated it is highly unlikely that the information was used maliciously, as most of the cached data was gibberish. Despite this reassurance, leaked sensitive data is always a high-risk situation. The consequences could have been much greater.

Future of web exploiting

Technology has progressed through the years, and with it, the threat and sophistication of web exploiting. Hackers have made their own progress, finding holes in many, if not all, security systems, thus showing experts and developers how to make computing safer for everyone.

Today, there is rarely a mention of the word “hacker” in the media without a negative connotation attached to it. We can go so far as to say that there is a culture of fear linked to hackers, seen as a group of evil “geeks,” sitting in dark rooms at their computers and planning attacks on unsuspecting, everyday people, in nefarious schemes aimed at destroying the world. This is definitely an outdated view that can be traced back to the ‘60s, but regardless of such biases, people are slowly coming to terms with the high level of skill and knowledge hackers possess, and how they help the entire computer and network industry, to the benefit of making the everyday lives of people easier.

One thing is certain: the Internet has no future without hacking. Most experts agree that hackers will use the same techniques and will take advantage of the same vulnerabilities they have used in the past. And an important thing for businesses to know is that attention paid to their own internal systems, with the implementation of appropriate security measures, can prevent these attacks from happening.

The main concerns related to the future of web exploiting involve the cloud-based apps taking the world by storm, and the many grey and unmonitored areas they hold. Collectively, these uncontrolled, unwatched areas of a business’s network are called “Shadow IT” and can be expected to suffer great threat in years to come. Education involving the formulation of threat-prevention policies may be the first and very crucial step in securing business networks.

People might perceive hackers and their motivations as greedy or self-serving — exploiting data for profit, protesting on behalf of their own social groups — but we are, in fact, indebted to those same hackers for constantly showing us the weaknesses of our Internet.

Thanks to hackers, we’re able to work on our systems now and in the future to make them bulletproof.

