With billions of web users, and more coming online every day, cyber-crime has been skyrocketing. You have heard of high-profile hacks and stolen data on a regular basis, and the frequency of attacks is unlikely to slow down anytime soon. Hackers are now using very sophisticated tools and thousands (if not millions) of hacked/infected computers to automatically probe computers like yours for potential vulnerabilities.
It is not a matter of “if”, but of “when” you will be the target of a security probe which may result in a data breach. Most likely, you have already been subjected to some level of attempted hacking in one form or another, and you did not even know about it. The important point is to be aware of the threat, and organize your data to (digitally) survive a hack. There are many common attack vectors, and here are some that you are very likely to bump into:
1/ Plain Old Deception: Phishing
It’s fair to say that although hacking has evolved, computer security has done so at an equally rapid pace. However, all hackers agree that the user is the ultimate weak link in the security apparatus. That is why deception is a favorite tool, which can come in many forms, the most dangerous of which is phishing.
This term describes a deceptive practice which often consists of sending emails that seem to come from a legitimate source (your bank, email hosting company, official entity, etc.) with a message that will entice you to click on a link, install software or log into a website using your login and password. Your login information will be stolen when you do so.
This is particularly dangerous because many people are fooled by the trustworthy appearance of the phishing message, which seems to come from a trusted source. But it is actually very easy to impersonate an email sender because, decades ago, the email protocol was not built with this level of threat in mind.
Once hackers have the information they seek, they can impersonate you, and steal further information or money. If successful, the information theft can be used for identity theft, in which hackers could even take out a loan in your name.
When in doubt, it is preferable to go directly to your bank or other sites, without clicking on the email links. Don’t open files or install apps from sources you cannot identify with certainty.
2/ Brute-Force: Password Guessing
We know all too well that passwords are not the most secure way to protect access to your online data and services, but they are convenient and the web is more or less built upon their usage.
The downside is that millions of people use very weak passwords because they are easy to remember (especially the worst passwords that should be avoided). Unfortunately, this leads to incredibly bad passwords that can be easily guessed by a robot that wants to break in by attempting many logins using huge lists of commonly used passwords.
Once in, thieves can do further damage because it’s likely that the same person uses the same login on different websites, which could all fall like dominoes once the first password has been cracked.
To mitigate the risk, it’s preferable to choose a more complex password, and avoid using the same one on every site. It’s easier said than done, but there are password managers that can help with this process by having you remember a single master password. At Ubergizmo, we all have dozens, if not a couple of hundred passwords, so any tool that can help is welcome.
Some sites/services also offer 2-factor authentication, which is similar to having a static large password and a dynamic smaller password that have to be combined every time you log in. The smaller password is usually a 4-digit code that changes every minute or so, which means that if your main password is stolen, the thieves still need to break another layer of security.
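The sketch below is an added example, not part of the original article, showing how a rotating code can be derived and why a stolen static password is not enough on its own. It assumes the time-based one-time password scheme of RFC 6238 (the article does not name a scheme); the secret is the RFC test key, and the password and salt are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

def totp(secret, at_time=None, period=30, digits=6):
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for a shared secret."""
    now = time.time() if at_time is None else at_time
    counter = int(now // period)            # which time step we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login_ok(password, code, stored_hash, salt, secret, at_time=None, period=30):
    """Both factors must match: the static password and the current code."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, stored_hash)
    now = time.time() if at_time is None else at_time
    # Accept the previous step too, to tolerate small clock drift.
    code_ok = any(hmac.compare_digest(code, totp(secret, now - k * period, period))
                  for k in (0, 1))
    return pw_ok and code_ok

# Constructed demo values: the secret is the RFC 6238 test key; the salt and
# password are made up for this example.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
STORED = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)

if __name__ == "__main__":
    code = totp(SECRET, at_time=59)
    print("code at t=59:", code)
    print("password + fresh code:",
          login_ok("correct horse", code, STORED, SALT, SECRET, 59))
    print("password + stale code:",
          login_ok("correct horse", code, STORED, SALT, SECRET, 59 + 120))
```

Calling `totp(SECRET, period=60, digits=4)` gives the 4-digit, once-a-minute variant described above; the digit count and period are parameters of the same algorithm.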
3/ Web Browser Vulnerabilities
Sometimes, the hackers use a vulnerability in the web browser to execute malicious code, so even if the user is extremely careful, their computer could still be infected. Although browser vendors work very hard to provide secure software, security researchers often find new vulnerabilities in the millions of lines of code used to build the software. They even run contests and reward those who find code vulnerabilities with large sums of money.
Web browsers can also be fooled by attacks that come from a compromised server which will impersonate the identity of a legitimate web service. From there, the malware app can inject advertisements, redirect your web navigation to a specific page or send your keystrokes (including login/passwords) or other information to a remote server for later use.
The ad injection is a mild annoyance, but there are much more dangerous threats such as ransomware, a form of hacking that “holds your data for ransom” by encrypting it and offering to sell you the decryption key.
If you fail to pay, all your data will remain encrypted forever, seriously. This is real and horribly efficient because there is no practical way to decrypt it, or even investigate how the attack happened in the first place.
Your best defense is to keep current file backups at all times and avoid payment, because 1/ it’s simply impossible to know if the malware will release the data 2/ you would be giving money to a criminal enterprise which will attack other people.
4/ USB Drive Attack Vector
But even if you don’t use the Internet, you are not safe from a hack. Since the dawn of computer viruses, digital storage media have been used as carriers for all kinds of malware. Yesterday it was floppy disks; today, it is USB drives.
Many operating systems execute code upon connecting a digital storage device, and this function can be used by thieves to execute malicious code on an infected medium. From there, it is possible for them to install key loggers (apps that record your keystrokes and passwords) or something like Stuxnet, a computer “worm” that will propagate, eat up resources and even execute additional malicious code.
Such a virus was able to take out centrifuges of the Iranian nuclear program, which were under severe computer security protocols. The hackers (allegedly US and Israeli spy agencies) were able to exploit a freshly discovered Windows operating system vulnerability before the Iranian computer administrators had updated their Windows.
The lack of software updates is one of the main points of entry for computer hacks because vulnerabilities are well-known and documented by the security research community.
With high-profile companies like Sony or even the U.S. government being victims of hacks, the challenge is daunting for an average computer user. But you should take comfort in the fact that the kind of resources used to hack these entities won’t be applied to hacking a regular person because the potential gain would not justify it.
By being aware and educated about the main attack vectors, it is possible to drastically reduce the odds of being a victim of hacking. Most of it has to do with making it a little harder, so that the amount of work required for a hack would not be worth it.
What we know for sure is that preventing hacking is much easier than recovering from it. I think that we can all agree on that.