Understanding how hacking is done and what hacks you are vulnerable to goes a long way in helping you to stay safe from these attacks. We are sharing here leading privacy advocate Arthur Baxter’s explanation of hacking in the modern world, and a couple of hacking methods that sound incredible but can be thwarted with a few simple tools and tricks.
How Hackers Get Your Data
Arthur Baxter, Operations Network Analyst at top VPN company ExpressVPN, shares with us his take on how hacking really goes down. These days, there is a lot of security built up around computers, but there are also many ways to override this security because, well, we don’t like to relinquish control. Our instinct is also to continue to depend on people rather than machines to do the important tasks. Hackers have therefore moved away from attacking computers and toward going after the people who maintain control. This is a huge vulnerability because people are essentially weak.
Social engineering is becoming the preferred method of attack these days because it teaches hackers how to go after the top dogs – the humans. The world is not unacquainted with these types, who are known as scammers and con artists in the physical world. On the Internet, these guys want to gain access to your personal information so that they can launch scams or gain control of your online accounts. Sometimes, hackers work in groups to execute bigger attacks. There is a lot of research involved in social engineering attacks, so the first thing users can do is be careful to limit the amount of information available about them online.
With a little bit of basic information to go on, hackers can think of a reason to begin communicating with you. If they can convince you that they are a representative of one of your service providers, they can get more information out of you or even get you to download something that contains a virus or malware. These guys use a lot of tried and true social techniques for making people comfortable and getting more information out of them. Users can protect themselves here by first verifying who they are communicating with, especially on the phone or in emails.
Surprisingly enough in this digital age, the best way to deliver a malicious payload is by USB or CD-ROM and not online. As a rule, it is better not to touch any unknown disk left lying around. Phishing, although a very old tactic, is also still very much alive because it is the best way to trick people into giving up their passwords. Whether by traditional email or via phone calls and personal encounters, it is important to remember to first verify who you are talking to so that you can keep your accounts and devices secure.
Finally, don’t get flustered by any urgent communications. Time-sensitive offers and matters that need your immediate attention are common ploys used by hackers to make you nervous and keep you from thinking clearly. Trust your security protocols and add security procedures to your own Internet activities to guide you through these sticky situations.
Man-In-The-Middle Attacks
Man-In-The-Middle, or MITM, attacks attempt to reroute traffic from the Domain Name System (DNS) operator that your computer communicates with when you enter a website into your browser. Users cannot know whether a DNS server is giving them the right IP address for the domain name they have typed in, so hackers can manipulate this to take users through a server that they control. They then sit there in the middle of the traffic, or run a piece of software there, to gather all the information that they need from your session with that website. You cannot know that they are there, and neither can the website that you are contacting.
Imagine that happening when you are shopping online with your credit card or entering a new password into your bank app or composing a very personal email. This danger is why we have the newer HTTPS that secures text exchanges over the Internet using SSL and TLS to encrypt your traffic and check that you are communicating with the right website.
But what happens when a hacker uses encryption to trick a website into thinking that a user is on a secure connection? This is where HTTP Strict Transport Security, or HSTS, comes in. Some users may not know or care enough about HTTPS to make sure that they use it, relying instead on their websites to protect them. Sites that use HSTS will verify that users are on HTTPS before allowing a connection. Users can be lazy and then blame websites for being unsecured. Well, to make it easy for them, there is an Electronic Frontier Foundation browser extension called HTTPS Everywhere that tells your browser to use only HTTPS where available.
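A site operator can check the HSTS policy a server actually sends. The following is an added example, not code from the original article or from ExpressVPN: it parses a Strict-Transport-Security header and reports weak or ignored policies. The function names, the one-year threshold and the sample headers are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # one year in seconds; assumed audit threshold

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument}.
    Returns None when malformed; RFC 6797 has browsers ignore such headers."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # each directive may appear only once
            return None
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                          # max-age is required, digits only
    return directives

def audit_hsts(headers, scheme="https"):
    """Return findings for one response's headers; an empty list means OK."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no HSTS header: the browser may still connect over plain HTTP"]
    if scheme != "https":
        return ["HSTS sent over plain HTTP: browsers ignore it"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed HSTS header: browsers ignore it"]
    findings = []
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is below {MIN_MAX_AGE}s")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains not covered")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "short": {"strict-transport-security": "max-age=300"},
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_hsts(hdrs) or "OK")
```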
HTTPS sadly does not protect other types of sessions like messaging. MITM attacks can also be performed on chat apps and email. Users should make sure that their services are always protected by encryption if they want to stay safe from attackers. Again, verifying who you are talking to is the best defense.
Brute Force Attacks
Brute force attacks are launched by hackers when they have no means of guessing a password other than trying every possible combination of characters. Many websites have employed the three strikes rule for password entries, which means that users get locked out after three incorrect tries. Not all services or devices do this, though. If your password is short, it could take a simple computer program only three hours to guess your code. Long passwords are your best bet to beat brute force attempts. Some websites also require passwords that use multiple characters and numbers. But again, not all do this. Adding numbers and special characters to your long password with both uppercase and lowercase letters will make it harder to crack and therefore more secure.
Surprisingly, one of the top security measures that we rely on to protect us – encryption – does not impose limits on password tries. Brute force attacks are therefore often launched to get encryption keys. Intercepted files can then be cracked, although it might take some time to do it. Attackers will not be turned off by this long wait because they know that there is no risk that you will find out that they are trying to crack your code.
We cannot yet use all 120,000 symbols, characters, and emojis that have been accepted into the Unicode set, but this is something to look forward to. Instead of having a passkey that is too long to remember, we could soon have a Unicode passkey that is just three characters long but that would take a computer twelve days to crack. In the meantime, to make passcodes harder to crack, being random is key. We are all aware that long passwords made up of random strings are super hard to remember, but this is simply the price that we have to pay for security. Good thing there are password managers out there that can help us securely keep track of all those codes.
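The arithmetic behind the length, character-set and three-strikes points above, as an added example that is not part of the original article: it derives the guess rate implied by the three-character, 120,000-symbol, twelve-day figure and applies it to ordinary alphabets. The alphabet table, the function names and the 900-second lock period are assumptions, and every result assumes a randomly chosen password.

```python
SECONDS_PER_DAY = 86400

# The article's figure: 3 characters from 120,000 Unicode symbols take twelve
# days to exhaust. The guess rate that figure implies is reused below.
UNICODE_SYMBOLS = 120_000
IMPLIED_RATE = UNICODE_SYMBOLS ** 3 / (12 * SECONDS_PER_DAY)  # guesses/second

ALPHABETS = {  # assumed comparison set; sizes are the usual character counts
    "digits": 10,
    "lowercase": 26,
    "letters+digits": 62,
    "printable ASCII": 95,
}

def keyspace(alphabet_size, length):
    """Number of distinct random passwords of exactly `length` characters."""
    return alphabet_size ** length

def offline_seconds(alphabet_size, length, rate=IMPLIED_RATE):
    """Worst-case time to try every candidate when nothing limits the tries,
    as with an intercepted encrypted file."""
    return keyspace(alphabet_size, length) / rate

def length_to_resist(alphabet_size, seconds, rate=IMPLIED_RATE):
    """Shortest length whose whole keyspace takes at least `seconds` to try."""
    target = seconds * rate
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length

def online_seconds(alphabet_size, length, tries=3, lock_seconds=900):
    """Worst case against a three-strikes rule: `tries` guesses, then a lock
    lasting `lock_seconds` (900 s is an assumed value, not from the article)."""
    return keyspace(alphabet_size, length) * lock_seconds / tries

def comparison(days=12):
    """Length each alphabet needs to last as long as the Unicode passkey."""
    return {name: length_to_resist(size, days * SECONDS_PER_DAY)
            for name, size in ALPHABETS.items()}

if __name__ == "__main__":
    print(f"implied rate: {IMPLIED_RATE:,.0f} guesses/second")
    for name, length in comparison().items():
        print(f"{name:16} needs {length} random characters to last 12 days")
    print(f"4-digit PIN, offline: {offline_seconds(10, 4):.6f} s; "
          f"with lockout: {online_seconds(10, 4) / SECONDS_PER_DAY:.1f} days")
```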