You may think of hackers as excessively clever people devising improbable ways around elaborate security systems. Some are, but most rely on a few old tricks that have been around for years.
I am going to look at 5 common hacks that are used so that you can
become aware of them, as knowledge is the first line of defense. I will
then give you some actionable advice on what you can do to defend
against these common hacking techniques.
Common hacks 1: Bait and switch
There have been countless ‘bait and switch’ scams over the years, and by ‘years’ I mean the last century. Things haven’t changed much in the computer age; bait and switch style hacks are still used.
Commonly, the hacker buys legitimate advertising space on a website and gets a harmless-looking ad approved. Once it is running, they switch the link inside the ad from the approved one to a malicious one, or have the ad’s own code send the visitor to a malicious site (this is usually called malvertising now). Clever hackers give away something free that other sites embed, like a web counter, wait until thousands of websites are loading it, and then switch it out for something like a nice fat JavaScript redirect. The sites that embedded it never changed a line of their own code, yet every one of their visitors now runs the hacker’s script.
How to defend: Given the variety of bait and switch hacks, there is no single fix. The first point is to understand that anything you don’t control can be changed underneath you. If it isn’t your web counter, whoever serves it can alter it; if an ad brought you to a page, the ad can send you somewhere you don’t want to be. As a site owner, get your web counters and other embedded code from sources you trust, host your own copy where you can, and where you must load a script from someone else’s server, pin it with a Subresource Integrity hash so the browser refuses to run it if its contents change. As a visitor, don’t click through the ad; do your own search for the content it advertises and go there directly.
Common hacks 2: Cookie theft
Cookie theft, a form of session hijacking, lets someone assume your online identity on popular websites. After you log in, the site hands your browser a session cookie and the browser sends it back with every request as proof that you are you. Anyone who copies that cookie is treated as you by the site, without ever needing your password: they can take over your social media accounts or make purchases in your name.
To make matters worse, there is a program called Firesheep, a Firefox extension released in 2010, that did this with a few clicks against anyone sharing an open wireless network with the attacker, including the fake wireless access point we’ll talk about next. A few clicks, and they’ve taken over your identity.
How to defend: Prefer sites that serve every page over HTTPS, not just the login page, because a cookie sent over plain HTTP can be read by anyone on the network between you and the site. A tool that helps with this in Google Chrome is called KB SSL Enforcer. The KB SSL Enforcer plug-in forces your browser to the most secure version of a website, the one whose address starts with HTTPS, with the ‘s’ being ‘secure’ and referring to TLS cryptography. Recent browsers also have a built-in HTTPS-only setting that does the same job without an extension.
The caveat is that this is only as good as the site: if the site does not mark its session cookie as Secure, a single http:// link can still make your browser send the cookie in the clear. It is not 100% protection, but it does make things more difficult. If hacking you is a challenge, hackers are more likely to move on to someone who hasn’t read this list!
Common hacks 3: Fake Wireless Access Points
Everyone loves free WiFi, including hackers. Here’s how it works: a hacker sets themselves up in a public location, such as a coffee shop, restaurant, airport, or public library. They establish a fake wireless access point (WAP) of their own and name it something that sounds official: “McDonalds Free WiFi” or “Laguardia Free Connection.”
Those looking for a quick free connection then join the fake WAP, and there are two ways the hacker can steal information. The first is a sign-up page: you have to enter an email address or username and a password before you can connect. Most people reuse a favourite password for these quick “set it up and forget it” accounts, so the hacker takes what you typed and tries the same combination against your Twitter, Facebook, Amazon, iTunes and other popular accounts. This is one example of online identity theft.
The other way is that the fake WAP sits in the middle of every connection that passes through it, so the hacker simply sifts through the traffic and takes whatever isn’t encrypted: plaintext web logins, session cookies, anything sent to a site that isn’t using HTTPS.
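The following added example (Node.js, not code from the original post) serves both this section and the cookie theft one above. The first half shows what a passive sniffer on an open or fake hotspot pulls out of a single plaintext HTTP request, which is the Firesheep trick; the second half shows the server-side Set-Cookie and HSTS settings that keep the session cookie off plaintext connections in the first place. The captured request, the host shop.example and all values in it are constructed for the example.

```javascript
// Added example, not code from the original post. Part 1: what a hotspot
// operator sees in an unencrypted HTTP request. Part 2: the cookie and HSTS
// settings that stop the session cookie ever crossing plaintext.
// Host names and values are constructed for the example.

// --- 1. What the hotspot operator sees in an unencrypted request ----------
// Constructed capture of a login over http:// (over https:// this is ciphertext).
const CAPTURED_REQUEST = [
  'POST /login HTTP/1.1',
  'Host: shop.example',
  'Cookie: sessionid=8f3a1c2d9e; theme=dark',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 31',
  '',
  'username=alice&password=hunter2',
].join('\r\n');

// Parse the request and pick out the session cookie and any form credentials.
function sniffPlaintextRequest(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const cookies = {};
  for (const part of (headers.cookie || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  const form = Object.fromEntries(new URLSearchParams(body));
  return { requestLine, host: headers.host, cookies, form };
}

// --- 2. Server side: never let the session cookie cross plaintext ----------
// Secure: sent over HTTPS only, so the sniffer above never sees it.
// HttpOnly: not readable from page JavaScript.
// SameSite: not attached to cross-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// HSTS: the browser upgrades every later http:// URL for this site to https://
// for a year, so a hotspot cannot downgrade the connection with a redirect.
const HSTS_HEADER = 'Strict-Transport-Security: max-age=31536000; includeSubDomains';

// Audit a Set-Cookie value and return the protections it is missing.
function auditSetCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some(a => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Would the browser attach this cookie to a request on the given scheme?
// A Secure cookie is withheld on http://, which is exactly what defeats the sniffer.
function browserAttachesCookie(setCookie, scheme) {
  const isSecure = !auditSetCookie(setCookie).includes('Secure');
  return scheme === 'https' || !isSecure;
}

// Demo.
const seen = sniffPlaintextRequest(CAPTURED_REQUEST);
console.log('sniffed from plaintext request:', seen);
const weak = 'sessionid=8f3a1c2d9e; Path=/';
const strong = sessionCookieHeader('sessionid', '8f3a1c2d9e');
console.log('weak cookie is missing  :', auditSetCookie(weak));
console.log('strong cookie is missing:', auditSetCookie(strong));
console.log('strong cookie sent over http?', browserAttachesCookie(strong, 'http'));
console.log('send with every response:', HSTS_HEADER);
```

Run it and the first console line is everything the hotspot needed: the host, the session cookie and the password, all from one unencrypted request. The second half is what the site operator controls; the user-side advice in this post (HTTPS enforcement, a VPN) reduces the chance of that plaintext request ever being sent, while the Secure flag and HSTS make sure the browser will not send it even if a link or redirect points at http://.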
How to defend: First, ask the proprietors of the establishment what the correct name of their WiFi is. That’s the easy one. Next, always use a unique password for anything a public WiFi sign-up page asks you to create, so that a captured one unlocks nothing else. It may be a pain, but it’s your best form of online protection.
To protect against those who sift through unencrypted traffic, use a personal VPN to encrypt all of your communication. The VPN wraps everything between your device and the VPN provider’s server, which covers the hop over the hotspot, the only hop the hacker controls. You can read more about top VPN services over on the blog I work for.
Common hacks 4: False file names
These work by tricking people into opening files that look enticing, like BeyonceNipSlip.avi, but are actually full of malicious code.
One of the most famous examples right now is the Unicode character switch. The file name contains a right-to-left override character (Unicode U+202E), which tells the computer to draw everything after it backwards. A file that is actually BeyonceNipSlip.exe (an executable file that can tell your computer to do things) can then be displayed with a name that ends in the less harmful looking .avi (.avi being a video file), even though the real extension, the one the operating system acts on, is still .exe. A cruder version of the same trick is a double extension such as BeyonceNipSlip.avi.exe, which Windows shows as BeyonceNipSlip.avi while its default “hide extensions for known file types” setting is on.
You then open it thinking you’re going to see a video of a small slice of heaven (sorry, clearly Beyonce biased), and instead get a computer full of something bad.
How to defend: This is one of those instances where you have to do your homework. If someone sends you a file, make sure you know its full name including the real extension: turn on the display of file extensions in your file manager, and treat anything that ends in .exe, .scr, .bat or .js as a program, however innocent the rest of the name looks. If you don’t know who is sending you the file...don’t open it! If you have a virus scanner which allows you to scan individual files before opening them, put it to work.
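As an added example (Node.js, not code from the original post), this is the check a mail gateway or a careful recipient can run on a file name: strip the Unicode bidi control characters, read the real last extension, and flag executables and double extensions. The sample name is constructed, and the display model is a simplification of the Unicode bidi algorithm that is just enough to show the trick.

```javascript
// Added example, not code from the original post: exposing the real
// extension of a file name that uses a Unicode right-to-left override to
// look like a video. The sample name is constructed.

// Bidi control characters that change how a name is drawn without changing
// its bytes: LRE/RLE/PDF/LRO/RLO (U+202A-U+202E), isolates (U+2066-U+2069),
// LRM/RLM (U+200E/U+200F) and ALM (U+061C).
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/g;

// Extensions Windows runs as a program when double-clicked (not exhaustive).
const EXECUTABLE_EXTS = new Set([
  'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'jse', 'vbs', 'wsf',
  'hta', 'msi', 'ps1', 'jar', 'lnk',
]);

// Constructed sample: really an .exe, but everything after the RLO (U+202E)
// is rendered right-to-left, so the tail "iva.exe" is drawn as "exe.avi".
const TRICK_NAME = 'BeyonceNipSlip\u202Eiva.exe';

// Rough model of what a file manager shows: the text after an RLO reversed.
// The real Unicode bidi algorithm is more involved; this suffices for the trick.
function asDisplayed(name) {
  const i = name.indexOf('\u202E');
  if (i < 0) return name;
  return name.slice(0, i) + [...name.slice(i + 1)].reverse().join('');
}

// Strip the controls, take the real last extension, and flag the usual tricks.
function inspectFilename(name) {
  const actual = name.replace(BIDI_CONTROLS, '');
  const hasBidi = actual !== name;
  const parts = actual.split('.');
  const extension = parts.length > 1 ? parts.pop().toLowerCase() : '';
  const executable = EXECUTABLE_EXTS.has(extension);
  const warnings = [];
  if (hasBidi) warnings.push('contains Unicode bidi control characters');
  if (executable) warnings.push(`real extension .${extension} is executable`);
  // "holiday.avi.exe": a harmless-looking extension sitting before the real one.
  if (parts.length > 1 && /^[a-z0-9]{2,4}$/i.test(parts[parts.length - 1])) {
    warnings.push('double extension');
  }
  return { displayed: asDisplayed(name), actual, extension, hasBidi, executable, warnings };
}

// Demo: the trick name, a genuine video, and a double-extension executable.
console.log(inspectFilename(TRICK_NAME));
console.log(inspectFilename('holiday.avi'));
console.log(inspectFilename('holiday.avi.exe'));
```

The displayed form of the sample is BeyonceNipSlipexe.avi while the actual name, once the override is removed, is BeyonceNipSlipiva.exe; it is the actual name, not the displayed one, that decides what happens on double-click.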
Common hacks 5: Watering hole attacks
Watering hole attacks are related to point 3, but with more focus and malice. The name comes from predators that wait at the water hole rather than chase their prey: hackers scope out a place where employees of their target company gather, whether for drinks or dinner after work or on an online forum or social platform, and attack there.
These employees are often more relaxed about their security, but since they’re with co-workers they’re still prone to discussing business matters and logging in to work systems. The hackers will then either install fake WAPs at the physical location where they gather, to capture company credentials, or compromise the websites these people visit and plant harmful JavaScript redirects or browser exploits there.
The hackers then use the stolen login details or compromised workstations to get into the inner workings of the company. Notable watering hole attacks have hit Apple, Microsoft, and Facebook, whose developers were infected in 2013 through a compromised software-development forum.
How to defend: Making it known to your employees is the first step. They must not use the same credentials on their workstation and on these types of sites or in these locations, and the company should require a second factor on its own logins so that a captured password alone is not enough. Keep browsers and their plug-ins patched, since a watering hole site relies on something on the visitor’s machine being exploitable. Like it or not, in today’s digital world, your employees have to act as if they’re always at work.