By Anthony Passalacqua, Risk Management Representative
Every week, there seems to be a new story of an organization being hacked and their data compromised, resulting in lost income, reputation, and customers. Target, JPMorgan, Chase, Sony Pictures, T-Mobile/Experian, and Anthem are just a few examples of companies whose names are forever linked with cyber crime.
It got me wondering: Just how easy is it to hack into a computer or a network?
I thought I would conduct my own experiment. One Saturday, I tried to hack my own personal computer while measuring the time and costs it took to do so. To learn how to go about becoming a hacker, I went to one of my favorite resources: YouTube. I easily found and watched a “how to” guide to hacking personal computers.1 Shortly after watching the video, I went around my house to collect what I would need to conduct my experiment and found two recordable CDs and a 16 GB flash drive.
Password reset program
First, I decided to start with something easy by downloading a password-reset program. A password-reset program is a tool used by system administrators or computer owners to recover a lost password. However, the program is often used by hackers to gain access to unencrypted hard drives.
I am going to be honest: I have a very slow Internet connection by today’s standards, and it took about 1.5 hours for me to download the program onto a CD. Most people could have downloaded the program in less than 5 minutes with the new data streaming speeds that are now available.
When my download was complete, I rebooted my computer and launched the password-reset program on my computer. I then followed the step-by-step instructions from the YouTube video and, within minutes, successfully deleted my password.
I logged on to the computer and was immediately blasted with alerts and warnings telling me that my computer had been hacked and to call customer service. I ran a quick anti-virus program, and my computer was returned to normal. I reset my password and decided to try something a little more involved—a brute force attack.
Brute force attacks and “rainbow tables”
A brute force attack (also known as brute force cracking) is pretty much what its name suggests—an application program that attempts all possible password combinations to crack a computer’s password or data encryption standard keys. TechTarget, an online technology marketing company, describes this trial and error method as “infallible, although time-consuming.”2
I decided this time to download a password cracking program called Ophcrack while I went out to run some errands; after all, it was going to take another 1.5 hours to download. I came back about 2 hours later and found that the program had been successfully burned to a CD. I ran the program, and it identified all of my computer’s accounts. However, it didn’t provide me with any account passwords.
Why? Because I didn’t include a “rainbow table.” At this point, I began to learn about rainbow tables and their importance to the password cracking process. A rainbow table is a tool often used by hackers to crunch through huge amounts of hashes in very little time. On the Ophcrack website, I found the tab to download rainbow tables. There are different tables to use, and each one is separated out by operating systems, language, length of password, and type of characters. Just seeing the variety of options and methods available to me, I started to realize that cracking a password is something of an art. The more information you have about the computer or account you are trying to crack, the better the hypothesis you can make to speed up the process.
Launching the attack
I began to test my theory and downloaded my first rainbow table—one that corresponded with both the name of my wife’s computer’s operating system and with the low complexity of the current password (“password123”). I reran the program, and within 5 minutes it gave me passwords to both my operating system and my wife’s accounts. Believe it or not, I received absolutely no notification that my wife’s computer was hacked when I logged in. Since I was using my wife’s credentials, I also found that I had total access to her accounts—social media, Amazon.com, you name it.
I then changed the password to an even longer and more complex one and downloaded an additional, corresponding rainbow table with more complex characters. I discovered that the more complex the password, the longer it takes to break it. For example, it took only 5 minutes for the first table to crack the initial password and about 30 minutes for the second table.
I decided to run the experiment one last time with a third rainbow table and a new, stronger password with additional characters not covered in the downloaded tables. I reran all three rainbow tables, which took about 2 hours, at which point my password was still not found. I realized that my password no longer fit the parameters of the rainbow table and therefore could not be cracked.
Strong passwords
One of the biggest lessons of this exercise was the importance of a strong password to ensure your computer and accounts are safe. Many users don’t put a lot of effort into creating a strong password. They often cut corners because they are working quickly or want something easy to remember. But they often wind up creating shorter, weaker passwords that require less time and resources for hackers to crack. One of the key features I noticed in this process was that using special characters in passwords (%, #, &, @) made it significantly more difficult for the programs to crack the passwords. This was especially obvious when compared to the relative ease of cracking passwords made up entirely of dictionary words and numbers. You should stay away from using any word found in a dictionary when creating a password. Dictionary words are a known variable to password cracking programs and hackers.
Another key discovery: if you can create a strong password that exceeds 8 characters and uses special characters, then most rainbow tables would not find the password. Another factor to consider is that if you are using an older computer or system, your encryption may be outdated and is more vulnerable to being hacked. If you are unsure if your password is strong or not, please review one of our previous blog posts on passwords.
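The coverage effect described above (a password can only be found if its length and characters fit the parameters a table was built for), shown as an added example that is not part of the original post. The three table profiles and the sample passwords are constructed for illustration and do not describe any real table set.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class TableProfile:
    """Parameters a precomputed table was built for (all values here are constructed)."""
    name: str
    charset: frozenset
    min_len: int
    max_len: int

    def keyspace(self) -> int:
        # Number of candidate passwords the table has to account for.
        n = len(self.charset)
        return sum(n ** k for k in range(self.min_len, self.max_len + 1))

    def explain(self, password: str) -> str:
        # Length is checked first; one character outside the charset is also a miss.
        if not self.min_len <= len(password) <= self.max_len:
            return f"length {len(password)} outside {self.min_len}-{self.max_len}"
        extra = sorted(set(password) - self.charset)
        if extra:
            return "characters outside charset: " + "".join(extra)
        return "covered"


LOWER_DIGITS = frozenset(string.ascii_lowercase + string.digits)
MIXED_DIGITS = frozenset(string.ascii_letters + string.digits)
WITH_SPECIALS = MIXED_DIGITS | frozenset(string.punctuation)

# Hypothetical profiles: the wider the charset, the shorter the maximum length chosen here.
PROFILES = [
    TableProfile("lower+digits, 1-11", LOWER_DIGITS, 1, 11),
    TableProfile("mixed+digits, 1-8", MIXED_DIGITS, 1, 8),
    TableProfile("mixed+digits+specials, 1-7", WITH_SPECIALS, 1, 7),
]


def covering_tables(password: str, profiles=PROFILES) -> list:
    """Names of the profiles whose parameters include this password."""
    return [p.name for p in profiles if p.explain(password) == "covered"]


if __name__ == "__main__":
    for pw in ["password123", "Tr0ub4dor", "Ab#9", "m&Xq%7r@Lp"]:  # constructed samples
        print(pw, "->", covering_tables(pw) or "not in any profile")
        for p in PROFILES:
            print(f"   {p.name:28} keyspace={p.keyspace():.2e}  {p.explain(pw)}")
```

A password that falls outside every profile is only outside these precomputed tables; a dictionary word with predictable substitutions can still be weak against other guessing methods.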
Lessons learned — and how TMLT can help you stay safe
It only cost me $10.48 to hack my computer. I was able to find a 50 pack of CD-Rs for $5.49 (about 11 cents apiece) and a 16 GB flash drive to store my rainbow tables for $4.99 with the back to school sales. So, for about the cost of a fast food meal and roughly 6 hours of computer time, I was able to reset my password and hack into my computer.
It was an eye-opening journey to see just how easy and affordable it is to access private, sensitive information found on a hacked computer. It also reinforced to me the importance of strong cyber security which includes keeping my computer updated with the most current patches as well as reassessing my operating systems every few years. I plan on remaining vigilant in safeguarding my computer and its contents going forward.
To help you keep your computer and network safe, TMLT’s Product Development & Consulting Services Department offers a range of cyber security services, such as risk assessments and security training for you or your staff, and such resources as our TMLT Privacy and Security Toolkit. More information is found online.
You may also view or download the TMLT Slideshare presentation, “What every physician needs to know: cyber security best practices” with quick tips and advice on maintaining your software, managing your passwords, guarding against malware, and more.
If you are curious about a technological subject or have any questions, comments, or ideas for a future blog story, please let me know.
Anthony Passalacqua can be reached at apassalacqua@tmlt.org.
Resources
1. Gordon, W. How to Break Into a Windows PC (and Prevent It from Happening to You), Lifehacker website. Accessed August 24, 2015. (This video is also found on YouTube.)
2. Brute force cracking definition. TechTarget website. Accessed October 12, 2015.