noel alanguilan

with a handful of government websites being hacked the a lot of people have been asking me, “is that really possible? can they really hack into the election system?” the short, practical answer is, “given time, a hacker can hack into anything. given time.”

let’s clarify something first. a website is like a billboard or a poster—it serves up information about whatever. its easily accessible to the general online public.and it can easily be defaced when no one is looking or if its not guarded. and if it does get defaced it doesn’t mean the person who did it was able to get into the company premises and steal whatever it is that’s in the safe.

hacking a website is not the same as hacking into a company’s internal network. a corporate website usually just contains information that the company wants the public to see. like i said, similar to a billboard or poster. hacking the website is equivalent to defacing the billboard. there is no real damage done or stolen from the internal network. it is highly unlikely that the internal network of a company is physically connected to its website. how do i know? its best practices—if it can be avoided, you do not connect the web server to the internal network. and if you do, you have to make sure that there’s at least one layer of security (essentially a firewall with a ridiculously long passphrase) between the web server and the internal network.

how could have the websites been hacked?
its a combination of several things which also includes luck but its mostly laziness on the part of the server administrators. they could have put a longer password and, if it is possible, change the username of the administrative account. and these things should be changed again every so often—six months with some of my servers. there are easily downloadable “tools” to help today’s script kiddies (noob hackers) get into a website. i do not take that for granted.

how hard is it to hack into a company’s network?
if the network has been setup properly, its pretty hard. you have to know and get through several things before you can get your hands into the good stuff.

first, you have to know the ip address of the door—commonly a firewall—to the internal network. most networks are connected to the internet in one way or another and this firewall has its own ip address. the problem is that there are over 4 billion ip addresses in use on the planet. pick one. the admins certainly wouldn’t publicize their ip address and even if that got leaked there are usually several more they can use.

now if by chance you do get their ip address, you have to know three more things—the port number, the administrative username and the password for that firewall. think of a port number as something like a mini door and there are more than 64 thousand of these mini doors in that address. you have to pick one to use. then there’s the username which can be anything and, of course, the password—which can be pretty long. it can even be a sentence complete with capitalization, spaces and punctuation.

if you get through the firewall, you can then proceed to the file or database server which you would need, of course, the administrative username and password. which, again, can be anything. and there are some who are paranoid enough to put another firewall between the first firewall and the database server.

so to recap, you would need the ip address, port number, the administrative username and password of the firewall, the internal ip address, the administrative username and password of the database/file server. and also the administrative username and password of a secondary firewall you may encounter. and you have to enter all of this data in a very limited amount of time.

best of luck to you.

so the answer is “if the system is setup properly, no, they can’t really hack into the election system.”

is there another way to get around all this security?
there actually is. you can try launching a phishing attack specifically targeting the system administrators and pray that they’ll fall for it. personally, i do not think the admins are stupid enough to fall for such an attack.

what can i do to be safe from such attacks?
for starters, don’t believe everything that gets sent to you via e-mail. and don’t click on that link that your friend sent to you without carefully inspecting it first. and try not to use internet explorer. please.