Hank: You hear about this all the time: A big bank was hacked, Tumblr was hacked, the infidelity website Ashley Madison was hacked and now everybody knows who was cheating on each other. But there’s a lot more to it, and it’s a lot less flashy than what you see in the movies. Hacking isn’t about typing in a few magic words with one hand on one keyboard and the other hand on another keyboard. Or like, two people using the same keyboard at once.

Hacking is difficult, and it usually takes careful planning and a fair amount of time. Stopping malicious hackers can be even more challenging. But some people dedicate a lot of time and energy to doing just that.

[SciShow intro plays]

Hacking is when an unauthorized person gets into a computer system. A hacker breaks in, and then suddenly they have access to information they aren’t supposed to have. You hear people say their Facebook or Twitter was hacked, but that’s not exactly the same thing we’re talking about here.

When someone’s personal Facebook account is hacked, that’s usually because the hacker found out their password. It can be devastating, but it’s not on the same level as breaking into a company’s whole infrastructure and stealing a billion passwords. Thankfully, these large-scale attacks are much harder to do.

But they do still happen — in December, for example, Yahoo announced that they had been hacked back in 2013 and just realized that more than a billion accounts had been compromised with personal data like answers to security questions and passwords. That’s why companies have to be really vigilant to protect against hackers. Once a hacker gets in, they have a few choices: they can gather information, they can cause some damage to the computer system, or they can do nothing at all, and just tell the company about the security risk.

And that’s the difference between the three major types of computer hackers: There are black hats, hackers who are basically the bad guys, they hack into systems to get information or otherwise cause damage. Which is very illegal, by the way. There are also white hats, hackers who are either breaking into their own systems or are hired to break into other people’s systems — not to cause damage, but to test out vulnerabilities that can then be fixed.

And then there are grey hats, hackers who, as the name would suggest, sort of walk the line between black and white hat hacking. They don’t actively seek to cause damage, but they still do things that are illegal or considered unethical — like, they might break into a system without being hired to do that. They wouldn’t steal any information, and they’d tell the company afterward, but they might publish the vulnerability online in the meantime.

But whether you’re a black hat, a white hat, or a grey hat, the techniques used in hacking are largely the same. If you’re a white hat testing a system for vulnerabilities, you have to know how to do all the same things a black hat hacker would do. It’s like Defense Against the Dark Arts in Harry Potter — you have to know what the dark side is doing if you’re going to be able to defend yourself against it.

One of the main things white hats do is called a penetration test, or pen test for short. You test a system for vulnerabilities, then fix any that you find, instead of causing damage like a black hat would. This is a pretty standard procedure, so looking at the steps is a great way to explore some of the basic principles of hacking.

Usually, the first step in a pen test is reconnaissance, or recon, while you gather data about the target to figure out the best way to hack into their system. For example, if you were a black hat, it would help to know what kinds of operating systems the target’s computers are running so that you could launch an attack that’s tailored to those operating systems. So if you’re a white hat, you’ll want to know what data you can access so you can figure out what vulnerabilities need to be fixed.

There are two different types of recon: passive and active. Passive recon is where a hacker gathers information without actually interacting with any of the target’s computer systems. There are lots of different ways to do passive recon: you can look for information that’s already out there, like files that are publicly available on a website.

Or a black hat might even try to steal old hard drives the target threw away. Passive recon strategies can take a while, but when a black hat uses them, they’re also difficult for companies to detect and fight — because there is nothing fishy to detect. The hacker isn’t touching the company’s systems, so there’s no warning that an attack is being planned.

The best a company can do is try to make sure that they don’t leave any clues lying around by destroying as much unneeded data as possible, even if it seems harmless. It also helps if you don’t just toss old hard drives into the dumpster out back. Active recon, on the other hand, is when a hacker tries to learn valuable information about a company by interacting directly with the company’s systems.

Hackers can get information more quickly this way, but it’s also easier to detect. That’s because companies can track things like which computers are communicating with their servers — the more central computers that provide data to other computers. If they notice a strange machine on their network, or suspicious commands being sent, they can take action — like by blocking the address sending those commands.

So as a white hat, part of pen testing usually involves doing some sort of active recon yourself, to see if the protections you’ve set up can stop a black hat from learning too much. Usually, you start by looking for open connections, or ports. Each open port serves as a kind of link between a device and the internet, where data can be exchanged. And that can be dangerous, because a hacker can use an open port to send code that attacks a machine.

As a white hat, once you’ve found an open port, the next step might be to see if you can tell what kind of hardware is running the port, and what operating system it uses. Because that is exactly what a black hat would do.

If you find that a black hat could collect enough information to launch an attack, you might have to rethink the ports you have open, or find ways to stop machines from disclosing information about themselves. And for the most part, you’re going to want to keep as many ports closed as you can.

One of the ways to do that is by using a firewall, which is either a program or a whole device that’s designed to block unwanted access to a computer. Among other things, firewalls keep track of a computer’s ports and make sure that the only ports that are open are ones that need to be open. They’re like a computer’s security guard, making sure that all the right doors are locked. Now, once you’ve done some recon, you may want to move on to protecting against attacks that take advantage of your specific setup.

Basically, you take a list of the hardware and operating system versions you’re running and see if they have any known hacks. When people find ways to exploit an operating system or a piece of software, the exploit will usually be published online. Then, the company that makes the OS or software will try to patch the vulnerability.

But patches and updates won’t always be installed on your systems right away, so it’s important to see if you’re running older, vulnerable versions. Of course, a black hat could also come up with new exploits and use those. But that takes much more effort and skill, so protecting against known hacks can make it much less likely that you’ll be hacked.

Another part of the penetration test has to do with websites. For every website on the internet, there’s the part you’re supposed to be able to see. Like on YouTube, you can see different channel pages and video pages. And you can watch me do this with my hands.

But there’s also a whole administrative side to websites, with pages and files that you aren’t supposed to see. Those pages might store information the developer needs to run the site, or files that the public isn’t supposed to be able to access — like, databases of user names and addresses.

Ideally, you want those pages and files secured so that some random dude named Steve can’t access all of them just by just typing a certain URL. And the way to figure out if someone could get access to them is to do what a black hat would do: try different URLs and see if you end up finding pages or files that shouldn’t be publicly accessible. To do this, you can use crawlers — programs that automatically map out the site by visiting different links and directories.

You can also use programs that try the typical URLs where this kind of information might be stored. So pages like, yourwebsite.com/info, or /files, or whatever. If the crawler lands on an error page, that can be important too.

Companies need to make sure that the errors that come up don’t contain information that a hacker can use against them. If an error says that a certain page is private, for example, that tells a black hat that this page would be a great target if they do get into your system. So you’ll want to be careful about how much info shows up on your error pages.

Another part of the website test involves pages that use forms, like where you type in your shipping address, or fill out hundreds of questions for your OkCupid profile. If these forms aren’t set up properly, black hats can use them as a way to send malicious code into a system. Often, they can use this kind of code to collect information from any databases a company might be using, like to nab all the credit card numbers anyone’s ever submitted. So it’s important to make sure that a website checks its form inputs for anything that looks suspicious, and to test those protections by trying to break through them yourself.

There are often more steps to a penetration test, but those are the basics. Once the test is done, it’s time to go through the results and fix any vulnerabilities. Even then, a company’s systems might not be totally safe from all hacking attempts. Black hats are always thinking up more creative ways to break into systems, and when they have a specific target, like a government or other high-profile organization, white hats have to be constantly on the lookout for attacks. But as long as they keep track of possible security threats and stay one step ahead of the black hats, which apparently Yahoo is completely incapable of doing, they can put up a pretty strong defense.

Thank you for watching this episode of SciShow, which was brought to you by our patrons on Patreon. If you want to help support this show, you can give us your money and we will use it to make SciShow happen at patreon.com/SciShow. And if you just want to keep getting smarter with us you can go to youtube.com/SciShow and subscribe!