by D S Kane
Jailbreak. Circumventing the security of a device, like an iPhone or a PlayStation, to remove a manufacturer’s restrictions, generally with the goal to make it run software from non-official sources.
Keys. Modern cryptography uses digital “keys.” In the case of PGP encryption, a public key is used to encrypt, or “lock,” messages and a secret key is used to decrypt, or “unlock,” them. In other systems, there may be only one secret key that is shared by all parties. In either case, if an attacker gains control of the key that does the unlocking, they may have a good chance at gaining access to the contents of the message.
Local area network (LAN). A network of computing devices arranged to facilitate communications among the devices and with external-to-the-network devices.
Lulz. An internet-speak variation on “lol” (short for “laughing out loud”) employed regularly among the black-hat hacker set, typically to justify a hack or leak done at the expense of another person or entity. Sample use: y did i leak all contracts and employee info linked to Sketchy Company X? for the lulz
MAC (Medium Access Control). An algorithm for identification of a wireless network. When used in reference to hardware (computers), it is the identifier of a specific computer used in telecommunications. MAC provides encryption possibilities and deals with channel contention by using control packets with RTS (Request To Send) and CTS (Clear To Send) designators.
Malware. Stands for “malicious software.” It simply refers to any kind of a malicious program or software, designed to damage or hack its target. Viruses, worms, Trojan horses, ransomware, spyware, adware, and more are malware.
Man-in-the-middle. A man-in-the-middle, or MitM, is a common attack in which someone surreptitiously puts themselves between two parties, impersonating them. This allows the malicious attacker to intercept and potentially alter their communication. With this type of attack, one can just passively listen in, relaying messages and data between the two parties, or even alter and manipulate the data flow.
Metadata. Metadata is simply data about data. If you were to send an email, for example, the text you type to your friend will be the content of the message, but the address you used to send it, the address you sent it to, and the time you sent it would all be metadata. This may sound innocuous, but with enough sources of metadata—for example, geolocation information from a photo posted to social media—it can be easy to piece together someone’s identity or location.
NIST. The National Institute of Standards and Technology is an arm of the US Department of Commerce dedicated to science and metrics that support industrial innovation. NIST is responsible for developing information security standards for use by the federal government, and therefore it’s often cited as an authority on which encryption methods are rigorous enough to use, given modern threats.
OpSec. OpSec is short for “operational security,” and it’s all about keeping information secret, online and off. Originally a military term, OpSec is a practice and in some ways a philosophy that begins with identifying what information needs to be kept secret, and whom you’re trying to keep it a secret from. “Good” OpSec will flow from there, and may include everything from passing messages on Post-Its instead of emails to using digital encryption. In other words: Loose tweets destroy fleets.
OTR. What do you do if you want to have an encrypted conversation, but it needs to happen fast? OTR, or Off-the-Record, is a protocol for encrypting instant messages end-to-end. Unlike PGP, which is generally used for email and so each conversant has one public and one private key in their possession, OTR uses a single temporary key for every conversation, which makes it more secure if an attacker hacks into your computer and gets ahold of the keys. OTR is also generally easier to use than PGP.
Password managers. Using the same, crummy password for all of your logins—from your bank account, to Seamless, to your Tinder profile—is a bad idea. All a hacker needs to do is get access to one account to break into them all. But memorizing a unique string of characters for every platform is daunting. Enter the password manager: software that keeps track of your various passwords for you, and can even autogenerate super complicated and long passwords for you. All you need to remember is your master password to log into the manager and access all your many different logins.
Penetration testing or pentesting. If you set up a security system for your home, or your office, or your factory, you’d want to be sure it was safe from attackers, right? One way to test a system’s security is to employ people—pentesters—to hack it purposely in order to identify weak points. Pentesting is related to red teaming, although it may be done in a more structured, less aggressive way.
PGP (Pretty Good Privacy). A method of encrypting data, generally emails, so that anyone intercepting them will only see garbled text. PGP uses asymmetric cryptography, which means that the person sending a message uses a “public” encryption key to scramble it, and the recipient uses a secret “private” key to decode it. Despite being more than two decades old, PGP is still a formidable method of encryption, although it can be notoriously difficult to use in practice, even for experienced users.
Phishing. Phishing is really more of a form of social engineering than hacking or cracking. In a phishing scheme, an attacker typically reaches out to a victim in order to extract specific information that can be used in a later attack. That may mean posing as customer support from Google, Facebook, or the victim’s cellphone carrier, for example, and asking the victim to click on a malicious link—or simply asking the victim to send back information, such as a password, in an email. Attackers usually blast out phishing attempts by the thousands, but sometimes employ more targeted attacks, known as spearphishing (see below).
Plaintext. Exactly what it sounds like—text that has not been garbled with encryption. This definition would be considered plaintext. You may also hear plaintext being referred to as “cleartext,” since it refers to text that is being kept out in the open, or “in the clear.” Companies with very poor security may store user passwords in plaintext, even if the folder they’re in is encrypted, just waiting for a hacker to steal.
Pwned. “Pwned” (pronounced “pawned”) is computer nerd jargon (or “leetspeak”) for the verb “own.” In the video game world, a player that beat another player can say that he pwned him. Among hackers, the term has a similar meaning, only instead of beating someone in a game, a hacker that has gained access to another user’s computer can say that he pwned him. For example, the website “Have I Been Pwned?” will tell you if your online accounts have been compromised in the past.
Rainbow table. A rainbow table is a complex technique that allows hackers to simplify the process of guessing what passwords hide behind a “hash” (see above).
Ransomware. Ransomware is a type of malware that locks your computer and won’t let you access your files. You’ll see a message that tells you how much the ransom is and where to send payment, usually requested in bitcoin, in order to get your files back. This is a good racket for hackers, which is why many consider it now an “epidemic,” as people typically are willing to pay a few hundred bucks in order to recover their machine. It’s not just individuals, either. In early 2016, the Hollywood Presbyterian Medical Center in Los Angeles paid around $17,000 after being hit by a ransomware attack.
RAT.”RAT” stands for “Remote Access Tool” or “Remote Access Trojan.” RATs are really scary when used as malware. An attacker who successfully installs a RAT on your computer can gain full control of your machine. There is also a legitimate business in RATs for people who want to access their office computer from home, and so on. The worst part about RATs? Many malicious ones are available in the internet’s underground for sale or even for free, so attackers can be pretty unskilled and still use this sophisticated tool.
Red team. To ensure the security of their computer systems and to suss out any unknown vulnerabilities, companies may hire hackers who organize into a “red team” in order to run oppositional attacks against
the system and attempt to completely take it over. In these cases, being hacked is a good thing because organizations may fix vulnerabilities before someone who’s not on their payroll does. Red teaming is a general concept that is employed across many sectors, including military strategy.
Root. In most computers, “root” is the common name given to the most fundamental (and thus most powerful) level of access in the system, or is the name for the account that has those privileges. That means the “root” can install applications, and delete and create files. If a hacker “gains root,” they can do whatever they want on the computer or system they compromised. This is the holy grail of hacking.
Rootkit. A rootkit is a particular type of malware that lives deep in your system and is activated each time you boot it up, even before your operating system starts. This makes rootkits hard to detect, persistent, and able to capture practically all data on the infected computer.
Salting. When protecting passwords or text, “hashing” (see above) is a fundamental process that turns the plaintext into garbled text. To make hashing even more effective, companies or individuals can add an extra series of random bytes, known as a “salt,” to the password before the hashing process. This adds an extra layer of protection.
Script kiddies. This is a derisive term for someone who has a little bit of computer savvy and who’s only able to use off-the-shelf software to do things like knock websites offline or sniff passwords over an unprotected WiFi access point. This is basically a term to discredit someone who claims to be a skilled hacker.
Shodan. It’s been called “hacker’s Google,” and a “terrifying” search engine. Think of it as a Google, but for connected devices rather than websites. Using Shodan you can find unprotected webcams, baby monitors, printers, medical devices, gas pumps, and even wind turbines. While that’s sounds terrifying, Shodan’s value is precisely that it helps researchers find these devices and alert their owners so they can secure them.
Side channel attack. Your computer’s hardware is always emitting a steady stream of barely perceptible electrical signals. A side-channel attack seeks to identify patterns in these signals in order to find out what kind of computations the machine is doing. For example, a hacker “listening in” to your hard drive whirring away while generating a secret encryption key may be able to reconstruct that key, effectively stealing it, without your knowledge.
Signature. Another function of PGP, besides encrypting messages, is the ability to “sign” messages with your secret encryption key. Since this key is only known to one person and is stored on their own computer and nowhere else, cryptographic signatures are supposed to verify that the person who you think you’re talking to actually is that person. This is a good way to prove that you really are who you claim to be on the internet.
Sniffing. Sniffing is a way of intercepting data sent over a network without being detected, using special sniffer software. Once the data is collected, a hacker can sift through it to get useful information, like passwords. It’s considered a particularly dangerous hack because it’s hard to detect and can be performed from inside or outside a network.
Social engineering. Not all hacks are carried out by staring at a Matrix-like screen of green text. Sometimes, gaining entry to a secure system is as easy as placing a phone call or sending an email and pretending to be somebody else—namely, somebody who regularly has access to said system but forgot their password that day. Phishing (see above) attacks include aspects of social engineering, because they involve convincing somebody of an email sender’s legitimacy before anything else.
Spearphishing. Phishing and spearphishing are often used interchangeably, but the latter is a more tailored, targeted form of phishing (see above), where hackers try to trick victims into clicking on malicious links or attachments pretending to be a close acquaintance, rather than a more generic sender, such as a social network or corporation. When done well, spearphishing can be extremely effective and powerful. As a noted security expert says, “give a man a 0day [zero-day] and he’ll have access for a day, teach a man to phish and he’ll have access for life.”
Spoofing. Hackers can trick people into falling for a phishing attack (see above) by forging their email address, for example, making it look like the address of someone the target knows. That’s spoofing. It can also be used in telephone scams, or to create a fake website address.
Spyware. A specific type of malware of malicious software designed to spy, monitor, and potentially steal data from the target.
State actor. State actors are hackers or groups of hackers who are backed by a government, which may be the United States, Russia, or China. These hackers are often the most formidable, since they have the virtually unlimited legal and financial resources of a nation-state to back them up. Think, for example, of the NSA. Sometimes, however, state actors can also be a group of hackers who receive tacit (or at least hidden from the public) support from their governments, such as the Syrian Electronic Army.
Tails. “Tails” stands for “The Amnesic Incognito Live System.” If you’re really, really serious about digital security, this is the operating system endorsed by Edward Snowden. Tails is an amnesic system, which means your computer remembers nothing; it’s like a fresh machine every time you boot up. The software is free and open source. While it’s well-regarded, security flaws have been found.
Threat model. Imagine a game of chess. It’s your turn and you’re thinking about all the possible moves your opponent could make, as many turns ahead as you can. Have you left your queen unprotected? Is your king being worked into a corner checkmate? That kind of thinking is what security researchers do when designing a threat model. It’s a catch-all term used to describe the capabilities of the enemy you want to guard against, and your own vulnerabilities. Are you an activist attempting to guard against a state-sponsored hacking team? Your threat model better be pretty robust. Just shoring up the network at your log cabin in the middle of nowhere? Maybe not as much cause to worry.
Token. A small physical device that allows its owner to log in or authenticate into a service. Tokens serve as an extra layer of security on top of a password, for example. The idea is that even if the password or key gets stolen, the hacker would need the actual physical token to abuse it.
Tor. “Tor” is short for “The Onion Router.” Originally developed by the United States Naval Research Laboratory, it’s now used by bad guys (hackers, pedophiles) and good guys (activists, journalists) to anonymize their activities online. The basic idea is that there is a network of computers around the world—some operated by universities, some by individuals, some by the government—that will route your traffic in byzantine ways in order to disguise your true location. The Tor network is this collection of volunteer-run computers. The Tor Project is the nonprofit that maintains the Tor software. The Tor browser is the free piece of software that lets you use Tor. Tor hidden services are websites that can be accessed only through Tor.
Verification (dump). The process by which reporters and security researchers go through hacked data and make sure it’s legitimate. This process is important to make sure the data is authentic, and the claims of anonymous hackers are true, and not just an attempt to get some notoriety or make some money scamming people on the Dark Web.
Virus. A computer virus is a type of malware that typically is embedded and hidden in a program or file. Unlike a worm (see below), it needs human action to spread (such as a human forwarding a virus-infected attachment, or downloading a malicious program.) Viruses can infect computers and steal data, delete data, encrypt it, or mess with it in just about any other way.
VPN. “VPN” stands for “Virtual Private Network.” VPNs use encryption to create a private and secure channel to connect to the internet when you’re on a network you don’t trust (say a Starbucks, or an Airbnb WiFi). Think of a VPN as a tunnel from you to your destination, dug under the regular internet. VPNs allow employees to connect to their employer’s network remotely, and
also help regular people protect their connection. VPNs also allow users to bounce off servers in other parts of the world, allowing them to look like they’re connecting from there. This gives them the chance to circumvent censorship, such as China’s Great Firewall, or view Netflix’s US offerings while in Canada. There are endless VPNs, making it almost impossible to decide which ones are the best.
VPN, undetectable or anonymous. A VPN in and of itself is not necessarily anonymous. To be anonymous, it requires a set of architectural parameters and constant shifting of network nodes within the constraints of those parameters. The entire VPN must continuously deconstruct and reconstruct itself with new nodes. Also, the access node has to be part of that activity to make it appear that the access node is a different machine each time—as it generates a new IP address and corresponding false physical-location GPS data every so many seconds or minutes.
Vuln. Abbreviation for “vulnerability.” Another way to refer to bugs or software flaws that can be exploited by hackers.
Warez. Pronounced like the contraction for “where is” (“where’s”), warez refers to pirated software that’s typically distributed via technologies like BitTorrent and Usenet. Warez is sometimes laden with malware, taking advantage of people’s desire for free software.
White hat. A white-hat hacker is someone who hacks with the goal of fixing and protecting systems. As opposed to black-hat hackers (see above), instead of taking advantage of their hacks or the bugs they find to make money illegally, they alert the companies and even help them fix the problem.
WiFi. A wireless network
Worm. A specific type of malware that propagates and replicates itself automatically, spreading from computer to computer. The internet’s history is littered with worms, from the Morris worm, the first of its kind, and the famous Samy worm, which infected more than a million people on MySpace.
Zero-day. A zero-day or “0day” is a bug that’s unknown to the software vendor, or at least it is not patched yet. The name comes from the notion that there have been zero days between the discovery of the bug or flaw and the first attack taking advantage of it. Zero-days are the most prized bugs and exploits for hackers because a fix has yet to be deployed for them, so they’re almost guaranteed to work.
