As nowadays we use the Internet for everything, cyber-attacks are a common occurrence. What types of common attacks exist? How we can defend ourselves from them?
Let’s make our internet experience safer in our daily #FromZeroToHacker challenge.
Table of contents |
Introduction |
What have I learnt today? |
Stats |
Resources |
Introduction to Common cyber attacks
Using the internet is something common nowadays. This makes it imperative that we understand and can protect ourselves against common attacks used by attackers to target people online, and ways to prevent their success.
What have I learnt today?
Common attacks – Social engineering
What is social engineering?
Social engineering is the term used to describe any cyber attack having a human (instead of a computer) as the target. We can brute-force a password, sure, but we can also ask a person for their password under some pretext.
If you want to lose faith in humanity, and/or have a laugh, you can see this video from the DEFCON23 where, as I have explained on my Mastodon account:
A journalist asks at DEFCON if they can hack him. Spoiler: They did.
- One woman spoofed his phone and called his phone and internet provider, pretending to be his wife, changing his passwords and adding her name to his account, blocking him.
- Another guy clones his blog and sends a mail pretending to be Squarespace warning him about a bug, with a link to his (cloned) Squarespace. It is the same blog, but a series of pop-ups that will “guide” him to fix the problem. He got the journalist’s phone number, card number and social security number. He also infected his laptop, taking more data and screenshots every 2 minutes.
Other forms of social engineering
Charismatic hackers calling your phone company and stealing your possession of your account is just one form of social engineering, but there are many others. Dropping infected USB devices on a car park hoping they use them in a company’s PC, leaving a charging cable on a public socket that contains malicious software with a keylogger, etc. The possibilities are nearly endless.
Staying safe from social engineering attacks
It is very tricky to stay safe from social engineering, but there are measures we can take to protect ourselves a bit:
- Set up multiple forms of authentication.
- Never plug external media (USB, DVDs or CDs if you still have a reader in 2023, etc) into a computer with sensible data.
- Insist on proof of identity when a stranger calls or messages you claiming to work for a company whose services you use.
Common attacks – Social engineering: Phishing
Overview
Phishing is one of the most common cyber attack types employed by scammers and bad actors. Phishing is the initial attack vector used to gain access to a company’s infrastructure before performing further attacks.
What is phishing?
Phishing is a sub-section of social engineering where a scammer tricks a victim into opening a malicious webpage by sending them a text message, email, etc.
Phishing messages usually deploy psychological trickery and normally involve getting a victim to click on a link to a web application owned by the attacker where the victim is prompted to enter sensitive information, under the cover of urgency, a problem they need to solve, etc.. Imagine that someone clones your website and sends an email to you, telling you that their database has been breached and they need confirmation of your username and password.
There are three primary types of phishing attacks:
- General Phishing: A simple, mass phishing attack which doesn’t target anyone in particular, but is aimed at a large group (All Amazon or eBay users).
- Spear phishing: More targeted than general phishing, spearphishing aims for an individual or small group. They are better crafted than general phishing.
- Whaling: More specific than spear phishing, whaling targets high-value individuals (the CEO of a company).
An example of a general phishing scenario is when you receive an email from “Amazon” where they inform you of an expensive purchase you did. You get a link to view your purchase history and, while the text on the email says https://amazon.co.uk
, if you hover your cursor pointer over the link, you can read that points to https://am4zon.co.uk
. When you enter your credentials to cancel the expensive purchase, you are pwned mate.
- The attacker sends out a malicious phishing email campaign.
- Prospective victims receive the emails.
- The victims enter their credentials into the attacker’s fake web page.
- The web page stores the credentials or sends them directly to the attacker.
- The attacker uses the credentials to access the site, thus taking over the victims’ accounts.
Identifying Phishing attacks
Many generic phishing attacks are easy-to-spot, as they have poor grammar and don’t address the victim by their name. But other more specific instances are very hard to spot.
If you are not addressed by your name by a company that should know it, suspect.
If the email has loads of poor grammar (like this website or even worse), suspect.
Hover over any link to compare the name of the link with the real link. “Check your latest purchase at “Amazon” should point to https://amazon.co.uk
, not https://amason.co.uk
.
Check if you are prone to be targeted by phishing by doing this test. If you get a score of 15 or less, you should worry.
Staying safe from Phishing attacks
There are a few things you can and should do to keep you safe from phishing attacks:
- Delete unknown or untrusted emails without opening them.
- Never open attachments from untrusted emails.
- Do not click on embedded links in emails or messages. Instead, navigate to the real website.
- Always make sure that your device and antivirus software are up-to-date.
- Avoid making your personal information public.
And sorry about the last link.
Common attacks – Social engineering: Malware and Ransomware
Overview
Malware (MALicious softWARE) is any software designed to perform malicious actions on behalf of the attacker. This malware can be used to steal information, cause damage, or execute arbitrary commands in the infected system.
They can take your passwords from you, use a keylogger to log all you type (yeah, they can see that your type in Incognito mode!) or even take a screenshot from your webcam every minute. Very scary stuff.
Ransomware
Ransomware is used to infect as many systems as possible, encrypting the data and holding it to ransom until the victims pay, and your data is returned. If you get them on a good day. There is no certainty that they’ll give you back your data.
Usually, Ransom are spread by exploiting known vulnerabilities in commonly installed software (For example, Windows). The goal of ransomware is to infect as many systems as possible, making the data inaccessible by encrypting it until the victim pays.
The image above is from the infamous Wannacry ransomware.
Delivery methods
There are various ways that an attacker can use to infect a target with malware: Social engineering, phishing attacks, etc. They can also send a file compiled as .exe, which is suspicious, but also .pdf, .ps1 (PowerShell script), .bat (Batch script), .hta (an HTML application) or a .js (JavaScript script).
Staying safe
Things we can do to try to stay on the safe side of ransomware:
- Always accept updates and patches as soon as you can.
- Never click on suspicious links, especially in emails.
- Always be on the lookout for people trying to get you to download or run files.
- Never plug unknown devices into important computers. Or at all.
- Always back up important data.
- Make sure that your antivirus software is always up-to-date and activated.
Common attacks – Social engineering: Passwords and Authentication
Overview
Passwords are an integral part of most authentication systems. Unfortunately, it is still too easy to create and use an insecure password. Even with robust passwords, we need to take other actions to keep us safe, such as not writing or storing the password in unsafe places.
What makes a strong password?
Ideally, you should use long passwords, mixing letters, numbers and symbols. Try to not use words, especially in English. Hello1234 is a bad password, He591llo! is a better one. w41=V1)S7KIJGPN,dII>cHEh>FRVQsj3M^]CB is a better one.
What makes a weak password?
Well…just the opposite. Any password that could easily be guessed by someone who knows you relatively well is a bad idea. Short passwords that use your name or somebody in your family, the age you were born, etc is a really bad idea. Cindy1994 is not a good one, to be honest.
Also, don’t reuse passwords. If someone learns your password, they will try it on everything: Twitter, Gmail, Facebook, etc.
Exposed passwords
Sometimes a service gets hacked and its database exposed. Even if you have a good password and they used a secure hashing algorithm, your password may be safe, but not your email address or username.
You can check if your email has been exposed using Have I been pwned?. Type your email and see if it has been exposed. If it is the case, change the password right now on the services that have been exposed.
Staying safe: Multi-Factor authentication and Password managers
Overview
Besides improving our passwords, being aware of everything, etc we can do extra steps to enhance our security, such as using password managers and multi-factor authentication.
Multi-factor authentication
Multi-Factor Authentication (MFA) is used to describe any authentication process where you need more than one thing to log in. For example, we log in, then we get asked for a six-digit code sent to our phone, that expires in 2 minutes.
We should always activate multi-factor authentication where available.
Password Managers and Generating Strong Passwords
The ideal case would be using secure passwords, long and hard to guess. But it is hard to memorise a 50-digit password with letters, symbols and numbers.
But a password manager can.
Password managers provide a safe space to store our passwords (in something called “vaults”) that are encrypted, stored locally or on an online service. We only need to remember a single master password.
The most used password managers are:
1Password
LastPass
KeePass
Bitwarden
Staying safe: Public network safety
The problem
We use the Internet almost every hour. If not at our job, to talk with our friends, watch cat videos or Googling how to spell something.
Because of that, most public spaces are equipped with public WiFi. But a public WiFi can be dangerous too.
While it handy, public Wifi gives an attacker opportunities to attack other users’ devices or intercept and record traffic to steal sensitive information. An attacker can set up a network on their laptop with the same name, and monitor the traffic of everyone who connects. This is referred as a Man-in-the-middle attack.
The solutions
The ideal solution is simply not connecting to untrusted networks. But it is not always feasible.
Virtual Private Networks (VPN) encrypt all traffic leaving and entering your machine and it is a good option whether you use public WiFi or not.
Website Connection Security
All websites should now only serve information using an encrypted connection. This prevents an attacker from reading or modifying your web traffic if they intercept it. The encrypted connection used to create HTTPS (Hyper Text Transfer Protocol Secure) is referred to TLS (Transport Layer Security), and it is represented as a padlock to the left of the search bar:
If you access a website without the padlock symbol, never enter sensitive information. Never.
Staying safe: Backups
Overview
Everything is prone to fail and nothing is 100% secure. Because of that, you need to back up your information to protect your data. From critical data of a company or your weekend at Corfu with your nan, data should be backed up, in case the worst comes to pass.
The Golden 3,2,1 Rule
The 3, 2, 1 rule specifies that:
- Keep at least THREE up-to-date copies of your data (including the original)
- Use at least TWO different storage mediums (A cloud backup, hard drive, USB devices…)
- At least ONE backup should be stored “off-site”.
How frequently should you back up your data? Depends on the sensitivity.
A multi-billion euro corporation should do it a few times a day, while your “Weekend with the boys!” photos don’t have the same urgency.
Updates and patches
Software updates
Updates add new features, but also fix bugs and improve the security of a product.
When a vulnerability is discovered, developers release special updates called patches that aim to fix that problem. This vulnerability, if not patched, can be used against you by malicious entities, so be sure to update everything as soon as you can.
Antivirus updates
The same thing goes for antivirus.
Your antivirus uses a local database of known exploit signatures that should be kept up-to-date. That signature is used to identify the software as malicious, so if you don’t update your antivirus, your antivirus won’t recognize new viruses and you’ll be vulnerable to them.
As a rule of thumb, update everything as soon as you can. Yeah, even Windows updates that force you to reboot.
Summary
Things we learned today:
- How important and what security awareness is.
- Data and account security.
- How to check if we have been part of a cyber breach.
- Cyber threat actors.
Stats
From 66.768th to 66.072th.
Here is also the Skill Matrix:
Resources
Random room
Other resources
Video: DEFCON23
Wannacry ransomware
Have I been pwned?
Man-in-the-middle