Doing my daily research for this blog, I stumbled upon an interesting looking article by PC World about seven of the top tactics that hackers use to get data off of your computer. Many of us think about hackers as people aggressively attacking systems, like medieval soldiers attempting to breach castle walls. However, as was learned by the hacker Kevin Mitnick, sometimes it’s a whole lot easier to just call up your target and ask them for their password!
The PC World article listed seven ways that hackers essentially get you to hand over the information they need to get access to all of your important data. So many articles and posts talk about what you can do to your equipment to make it safer, while other articles remind you that it’s all nonsense. The real trick is knowing when NOT to be the guy whose only question when Kevin Mitnick asks for secure source code from Motorola is “[w]hat version do you want?”
So for you and your clients’ security, here are PC World’s 7 Top Tactics Hackers Use:
1) Fake wireless access points.
With the right basic software, any computer can become a wireless access point (“WAP”), connected to a legit WiFi network. A hacker may sit outside a coffee shop and name their fake WAP “Starbucks Wireless Network.” Or go to the airport and use the name “Atlanta Airport Free Wireless.” You connect your computer, and all the unprotected data sent back and forth via the WiFi connection is saved right on the hacker’s computer. According to PC World, “[y]ou’d be surprised how much data, even passwords, are still sent [over WiFi] in clear text.”
More ingenious hackers have even begun requesting that anyone who tries to access the WiFi through the fake connection actually set up a new access account. I wonder how many times you plug in the same username, email address, and password every time you set up a new online account. Armed with your most commonly used username and password, the hacker can now begin trying to use your credentials on popular sites. Think iTunes, Amazon.com, Facebook.
Lesson: Never trust public wireless access points. Make sure to protect confidential information using a VPN connection. Oh, and do the unthinkable: don’t recycle the same username and password for every account!
2) Cookie theft!
This one sounds as awful as it is. Guess what folks, those cookies that make the internet so much easier to use by remembering your logon information at all the sites you go to can be stolen. EVEN ENCRYPTED cookies can be stolen! There is even a browser add-on that will allow a hacker to take over your session entirely with one click of a button.
Lesson: Connect to websites that use secure development techniques (web developers are always told how to fix their stuff after major cookie attacks, so here’s hoping the one who designed your site listened) and the latest crypto cipher. Your https site should be using the latest crypto, “including TLS Version 1.2.”
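One practical way to check whether a site's session cookie can be picked up by the kind of sniffing and session takeover described above is to look at the attributes on its Set-Cookie headers. The following audit is an added example, not code from PC World or this post; the sample headers are constructed, and the name fragments used to spot session cookies are a heuristic of my own.

```python
# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: PHPSESSID=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]
# Name fragments that usually mark a cookie as carrying a logged-in session
# (assumption: a heuristic, not a standard).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")
# Attributes a session cookie should carry: Secure keeps it off plain HTTP
# (where a WiFi sniffer can read it), HttpOnly keeps page scripts away from
# it, SameSite limits cross-site requests that carry it.
REQUIRED = ("secure", "httponly", "samesite")

def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value_or_True})."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs

def audit_cookies(headers):
    """List (name, missing_attributes) for every session-looking cookie."""
    findings = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue                     # preference cookies are low value
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```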
3) File name tricks.
Early versions of this hack, which is as old as hacking, by the way, simply used a file name that was likely to get someone to click on it. PC World’s example: “AnnaKournikovaNudePics.Zip.exe.” Most operating systems usually hide “well known” file extensions, so “nudepics.GIF.exe” would become “nudepics.GIF.” (Some may suggest that the strange file extension shouldn’t have been the first hint that the file wasn’t kosher. But I’m here to educate and inform, not judge.)
The most sophisticated versions in use now employ Unicode characters that change how the file name is displayed to the user. “BillOReillybirthdaypicsavi.exe” actually gets displayed as “BillOReillybirthdaypics.avi” using the Unicode control character known as the Right-to-Left Override.
Lesson: Whenever possible, make sure you know the real COMPLETE name of any file before you double click.
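Here is how you can find out the real COMPLETE name of a file before double-clicking it. This is an added example, not code from PC World or this post: it strips the hidden bidirectional control characters (U+202E is the Right-to-Left Override), shows what the name would look like on screen, and flags double extensions whose last part is executable. The list of executable extensions is my own representative, Windows-centric assumption.

```python
# Bidirectional control characters that can visually reorder a file name.
# U+202E is the Right-to-Left Override the article refers to.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",             # isolates
    "\u200e", "\u200f",                                 # directional marks
}
# Extensions that run as code when double-clicked (assumption: a representative
# Windows-centric list, not an exhaustive one).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js",
                   "jar", "msi", "ps1", "hta"}

def rendered_name(name):
    """Simulate how a file manager draws a name containing U+202E: everything
    after the override is drawn right-to-left, i.e. reversed on screen."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def inspect_filename(name):
    """Report the real extension and the tricks used to disguise it."""
    bidi = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    real = "".join(c for c in name if c not in BIDI_CONTROLS)
    parts = real.split(".")
    ext = parts[-1].lower() if len(parts) > 1 else ""
    double_ext = len(parts) > 2                      # e.g. nudepics.GIF.exe
    executable = ext in EXECUTABLE_EXTS
    return {
        "displayed_as": rendered_name(name),
        "real_name": real,
        "real_extension": ext,
        "bidi_controls": bidi,
        "double_extension": double_ext,
        "executable": executable,
        # Hidden bidi characters are never legitimate in a download; a double
        # extension only matters when the last one is executable.
        "suspicious": bool(bidi) or (double_ext and executable),
    }

if __name__ == "__main__":
    # Constructed samples in the spirit of the article's examples.
    for sample in ("BillOReillybirthdaypics\u202eiva.exe",
                   "nudepics.GIF.exe", "report.pdf"):
        r = inspect_filename(sample)
        print(f"shown as {r['displayed_as']!r}, really {r['real_name']!r}, "
              f"suspicious={r['suspicious']}")
```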
4) Location, Location, Location.
Ever run a search program on your hard drive? Even when indexed, it takes a little time. That’s why many operating systems are programmed to look in common locations first when you execute common programs. When you opened Solitaire, the system would look in the most common locations first. So if a hacker placed malware in a file titled “solitaire.exe,” and then placed that file in a temporary folder, it would be the first version of Solitaire that came up.
Most systems have addressed this flaw, but due to wanting to remain backwards-compatible, the flaw still exists in some Microsoft systems.
Lesson: Use an OS that uses an absolute directory and folder path, and make sure that your computer looks for files in default system areas first.
5) Host file redirect.
There’s a file that you probably never knew about, among your system files: a DNS-related file named “Hosts.” When DNS has a problem, the Hosts file can help by linking a typed-in domain name to the corresponding IP address. Basically, it means that when you type in Yahoo.com, the Hosts file can decide what address your browser really goes to.
One of the most common ways this hack is utilized is by rerouting the user to a look-alike of an existing site that contains malicious code, which further infects your system.
Lesson: If you’re constantly being maliciously redirected, take a look in your Hosts file.
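Taking a look in your Hosts file is easier with a little help. The script below is an added example, not code from PC World or this post: it reads the Hosts file, ignores the normal loopback and null-address entries, and lists every name that has been pointed somewhere else, which is exactly what a redirect attack has to add. The sample file contents are constructed, and the list of domains treated as “high” severity is an assumption you would replace with the sites you care about.

```python
import ipaddress
import os
import sys

# Constructed sample, not taken from any real machine: two legitimate loopback
# lines, one ad-blocking null route, and two entries a redirect would add.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.net      # null-routed, harmless
203.0.113.7     www.yahoo.com yahoo.com      # hijack: yahoo.com -> attacker
203.0.113.7     login.example-bank.com
"""

# Domains the reader expects to resolve only through real DNS (assumption).
WATCHED_SUFFIXES = ("yahoo.com", "example-bank.com")

def default_hosts_path():
    """Standard Hosts file location on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each usable mapping; comments ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed address, not a mapping
        for host in fields[1:]:
            yield line_no, ip, host.lower()

def audit_hosts(text):
    """Return mappings that send a name anywhere but loopback or 0.0.0.0."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue          # 127.x / ::1 / 0.0.0.0 are normal in a Hosts file
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append({"line": line_no, "host": host, "ip": str(ip),
                         "severity": "high" if watched else "review"})
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for f in audit_hosts(fh.read()):
            print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

Run it with no argument to audit the live Hosts file, or pass a path to audit a copy; entries marked “review” may be legitimate LAN mappings, while “high” entries deserve an immediate look.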
6) Waterhole attacks.
Waterhole attacks, named for their methodology, take advantage of the fact that their targets often meet or work at a particular physical or virtual location. The hacker then “poisons” that location to achieve malicious objectives. For example, a hacker may set up a fake WAP (see number 1) at a coffee shop frequented by one company’s employees. By collecting data from a number of targets, the hacker attempts to get as many company credentials as possible. (Another trick is to modify a frequently visited website.)
Several major companies, including Apple, Facebook and Microsoft, became victims of waterhole attacks this year through popular application development websites visited by their employees. The compromised workstations were then used to access the companies’ internal networks.
Lesson: Make sure your employees know that popular sites, a.k.a. “watering holes,” are prime targets for hackers.
7) Bait and switch.
Sometimes I feel like the term “bait and switch” gets a really bad rap because of all the behaviors it gets attached to. But I digress. Bait and switch hacking involves running malicious content while the user thinks they’re running something standard. One example would be ad space that is purchased by a hacker, but the hacker replaces the link that the seller looked at originally with a malicious link.
PC World cites an excellent example: free software downloads, like a counter that goes at the bottom of a website, that contain a provision in their terms of service that the program is free as long as the original link remains on the user’s site. So the user leaves the link alone. Usually, all that is contained is a small logo or something innocuous, until the free widget has been installed on thousands of computers. That’s when the original programmer switches the harmless logo to a more malicious link, such as a harmful JavaScript re-direct.
Lesson: Beware of using a link to ANY content not under your direct control, because it can be switched at a moment’s notice, without your consent!
Remember…
PC World said it best: “When a hacker modifies your system in a stealthy way, it isn’t your system anymore – it belongs to the hackers.” Also, remember that new hacks are designed to resist initial forensic investigations. Now you know, and knowing is half the battle. The other half is having a really good IT guy.