After being recommended the show Mr. Robot, and having a friend get hacked, I was inspired to write this article. Many movies and TV shows that depict hacking are impractical; Mr. Robot really demonstrates the ‘art’ of hacking, and most of its hacks are viable. More importantly, the show demonstrates how powerful social engineering is, and uses it as the main method of hacking throughout. It is still fiction, however, so the process is often shown simpler or shorter than it would be in reality. This article’s intention is to create awareness of the more popular hacking methods, the ones it most benefits you to know about, and how to protect yourself from them.
“A secure computer is one that is turned off. Clever, but false: the pretexter simply talks someone into going into the office and turning the computer on…” -Kevin D. Mitnick.
Social engineering is the greatest asset an attacker has: as software security has improved, the person operating the software has become the easier target, so you must be wary of it. A social engineer will often impersonate someone to get the information they need from you, such as claiming to be a bank representative. They do not necessarily go straight after the ‘golden ticket’, your password or security code, since that would be too suspicious. They might simply ask for your birthday, your pet’s name, your address, and so on, either to piece together what they are looking for or to use that information to brute-force (more on that below) their way in. I recently had a friend call me and ask if they should get this security program for their Mac, since apparently an “Apple Representative” told them they had been hacked. It turned out to be just a pop-up, which could not be closed (easily), and this person had called the number thinking it was really Apple. They gave the attacker remote access to control their computer, and after some ‘tests’ the attacker told them they had been hacked and needed this security program, which would cost $350. The hacker did not need to ‘hack’ their way in: the user simply opened the door and welcomed them in, and almost even paid them to do so. The check here is simple: a vendor’s support number is the one printed on its own website or on your statement, never the one in a pop-up or an unsolicited call; close the browser and call the number you already have.
Phishing uses websites, applications, e-mail or some other form of electronic communication to deceive you into thinking it is trustworthy. An example would be the attacker replicating a web page that asks you to log in to your bank; instead, the information you input into the text boxes, i.e. username and password, is sent to the attacker. They may then leave you stranded on an empty page, or forward you to the real login page so that everything seems normal. Although many web hosts will take down phishing sites once they are reported, there is always a window in which the site works. If you are feeling suspicious, always check the URL, most importantly the host name (www.MyBank.com). If you open a link and it directs you to www.MyBank.corn, www.MyBonk.com, or www.my.bank.com, for example, or even MyHackPage.com that looks identical to MyBank.com, you have most likely landed on a phishing site. What matters is the domain the name is registered under, which is read from the right: www.my.bank.com belongs to bank.com, not MyBank.com, and a name like www.MyBank.com.example.net belongs to example.net, however familiar its first labels look. A padlock icon or HTTPS does not settle the question either, since a phishing site can hold a perfectly valid certificate for its own domain.
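The host-name check described above, written out as an added example (not code from the original article). It assumes a hypothetical expected host, www.mybank.com, and flags the look-alike patterns the text lists plus two more that practitioners see often: a user name before “@” that masquerades as the host, and non-ASCII “homograph” letters that encode as punycode. Reading the registrable domain as the last two labels is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Hypothetical host the user expects to be logging in to (name taken from the article).
EXPECTED_HOST = "www.mybank.com"


def levenshtein(a, b):
    """Edit distance between two strings, used to flag near-miss look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host name, e.g. 'mybank.com' for 'www.mybank.com'.
    Simplification: real code should consult the Public Suffix List so that
    names like 'example.co.uk' are split correctly."""
    return ".".join(host.split(".")[-2:])


def check_url(url, expected_host=EXPECTED_HOST):
    """Return ('ok', reason) or ('suspicious', reason) for a link the user was sent."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.username is not None:
        # http://www.mybank.com@evil.example/ : the text before '@' is a user name, not the host
        return "suspicious", "user name in URL hides the real host %r" % parts.hostname
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no host name in URL"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", "host name is not a valid internationalized name"
    if "xn--" in ascii_host:
        # Non-ASCII letters (e.g. Cyrillic 'a' in place of Latin 'a') become punycode labels
        return "suspicious", "internationalized label, possible homograph: " + ascii_host
    expected = registrable(expected_host.lower())
    got = registrable(ascii_host)
    if got == expected:
        return "ok", "host is under " + expected
    distance = levenshtein(got, expected)
    if distance <= 2:
        # www.mybank.corn, www.mybonk.com: one or two edits away from the real name
        return "suspicious", "%s is a near miss of %s (edit distance %d)" % (got, expected, distance)
    if expected in ascii_host:
        # www.mybank.com.evil.example: the familiar name is only a sub-domain of evil.example
        return "suspicious", "%s appears in the name but the domain is %s" % (expected, got)
    return "suspicious", "domain is %s, not %s" % (got, expected)


if __name__ == "__main__":
    # Constructed links, including the ones named in the article.
    for link in ["https://www.MyBank.com/login", "https://www.MyBank.corn/login",
                 "https://www.MyBonk.com", "https://www.my.bank.com",
                 "https://MyHackPage.com", "https://www.mybank.com.evil.example/",
                 "http://www.mybank.com@evil.example/"]:
        print(link, "->", check_url(link))
```

The edit-distance threshold catches typo-squats but not every deceptive name (MyHackPage.com is simply reported as a different domain), so the verdict is a prompt to stop and look, not proof either way.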
Brute force is the method of trial and error: trying different passwords until one gets into your account. Although most if not all websites have some protection against this, such as locking your account after three failed attempts, with the right information the attacker needs only a handful of guesses, so the lockout never triggers. The attacker can enter the different passwords by hand, or write a script/program that does the work for them. They can pass in a dictionary of words and numbers that will be used to guess your password. This dictionary could contain every English word, which takes a good amount of time, but it can be shortened to specific information, information they perhaps initially got through social engineering, which makes the process much quicker. Lockouts do not apply at all when an attacker has obtained a copy of a site’s password hashes (see the note on breaches below) and can test guesses offline on their own hardware at whatever rate it allows. For this reason it is really important not to use personal information in your password, and, if you can remember your answers, not to pick obvious ones for your security questions. Your password is stronger still if it is not an English word at all, whether a random set of characters or, my suggestion, a word from a different language spelt out in English, which is easier to remember.
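The targeted dictionary described above, as an added example that is not part of the original article. It builds a small candidate list from a constructed profile (the kind of details a pretext call extracts; all names and values are made up) using the case, “leet” and year/suffix mangling rules that cracking tools apply, and then runs it offline against a leaked hash. The hash is constructed here as unsalted SHA-256 to keep the example short; a site that stores passwords properly uses a slow, salted hash (bcrypt, scrypt or Argon2), which makes each guess far more expensive but does not change the point about predictable passwords.

```python
import hashlib
import itertools

# Constructed profile: the kind of details a pretext call or a public social-media
# profile gives away. Every name and value here is made up for this example.
PROFILE = {"first": "Alice", "pet": "Fluffy", "city": "Denver", "birth_year": "1990"}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "!1"]


def mangle(word):
    """Case and 'leet' variants of one base word, as password-cracking rule sets do."""
    variants = {word.lower(), word.capitalize(), word.upper()}
    variants |= {v.translate(LEET) for v in list(variants)}
    return variants


def targeted_wordlist(profile):
    """Candidates built from personal details: each mangled word or two-word combo,
    optionally followed by the birth year (4 or 2 digits) and a common suffix.
    The result is a few hundred guesses, not a few hundred thousand."""
    words = [v for k, v in profile.items() if k != "birth_year"]
    years = ["", profile["birth_year"], profile["birth_year"][-2:]]
    bases = set()
    for w in words:
        bases |= mangle(w)
    for a, b in itertools.permutations(words, 2):
        bases.add(a.capitalize() + b.capitalize())
        bases.add(a.lower() + b.lower())
    return {base + y + s for base in bases for y in years for s in SUFFIXES}


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash, wordlist):
    """Offline dictionary attack against one leaked, unsalted SHA-256 hash.
    No lockout applies here: the attacker owns the hash and tests as fast as
    their hardware allows. Returns (password, attempts) or (None, attempts)."""
    for attempts, candidate in enumerate(sorted(wordlist), 1):
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    wordlist = targeted_wordlist(PROFILE)
    # Constructed: the user built their password from pet name + birth year + '!'
    leaked = sha256_hex("Fluffy1990!")
    print(len(wordlist), "candidates;", crack(leaked, wordlist))
    # A password unrelated to the profile is not in the list at all
    print(crack(sha256_hex("qo7Rv!2xLp"), wordlist))
```

Run it and the pet-name password falls within a few hundred attempts, which is also roughly the number of guesses a patient attacker could spread over an online login form without tripping most lockouts; the random password is simply not in the list, and enlarging the list to every English word would not put it there either.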
With all that said, these tips help most when you are being attacked directly, as opposed to when an entire company, MyBank, has been breached. For that, your best bet is to use a different password for every account, so that one leaked password cannot simply be replayed against the others, and to change your passwords as soon as you hear of such an event, although by then it may be too late.