Security is one of the biggest concerns for anyone running an online business, and for anyone who uses the internet regularly. Attackers, or hackers, are the reason we should be careful online and, more generally, with our electronic devices at all times.
There are several categories of attackers that we should be aware of.
The first category is accidental discovery. This is an ordinary user who stumbles across a functional mistake and gains access to privileged information or functionality. An example is unknowingly ticking “remember me” when logging in to an account on a shared computer. The next person at that computer will find your account still logged in and can read everything in it.
When using public or shared computers or other devices, we should also make sure that we do not allow the browser to remember usernames and passwords. This information can easily fall into the wrong hands and cause a lot of harm.
Other types of attackers include:
- Curious attackers, who notice a vulnerability and decide to pursue it further.
- Motivated attackers, who are typically disgruntled staff members with inside knowledge.
- Script kiddies, who seek to compromise or deface applications for collateral gain.
- Automated malware: programs or scripts that search for known vulnerabilities and report them back to a central collection site.
- Organized crime: criminals seeking high-stakes payouts, such as cracking e-commerce or corporate banking applications, for financial gain.
So how does hacking work?
One of the easiest methods used by attackers is cross-site scripting (XSS). This is the injection of client-side script into web pages viewed by other users. It does not require the attacker to break into the hosting server in order to cause harm. Scripts are injected into dynamic websites through input fields such as blog comment boxes, and the site then serves them to every visitor who views that page. The primary defense mechanism against XSS is contextual output encoding (escaping) of untrusted data at the point where it is written into the page.
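To make the comment-box case concrete, here is an added example (not code from the original post) that renders a blog comment into HTML two ways: concatenating the raw text, and encoding it for the HTML context first. The `escapeHtml`, `renderCommentUnsafe` and `renderCommentSafe` functions and the sample comment are all constructed for this illustration.

```javascript
// Added example, not from the original post: contextual output encoding for
// untrusted text placed inside an HTML text node.

// Encode the characters that have meaning inside an HTML text node or
// attribute value so the browser treats the result as literal text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the comment is concatenated straight into the page, so any markup
// the commenter typed becomes part of the page that every visitor loads.
function renderCommentUnsafe(author, text) {
  return `<li class="comment"><b>${author}</b>: ${text}</li>`;
}

// Safe: each untrusted value is encoded for the HTML body context it lands in.
// Encoding happens at output time, which is what "contextual" means: the same
// value would need a different encoder if it went into a URL or a script block.
function renderCommentSafe(author, text) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// A crude review check over rendered output: does a raw tag of this name survive?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample input: a comment that happens to contain a script tag.
const sampleAuthor = "guest";
const sampleText = '<script>alert("xss")</script> nice post';

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleText));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleText));
```

The unsafe render ships the commenter's `<script>` element to every reader of the page; the safe render shows the same characters as visible text. In a real application the encoder is normally provided by the template engine, but the rule is the same: encode at output, in the context where the value is written.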
Attackers also use the social engineering method. This refers to psychological manipulation of people into performing actions or divulging confidential information. It is often one of many steps in a more complex fraud scheme. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called “bugs in the human hardware,” are exploited in various combinations to create attack techniques. Some of the attack techniques include:
Pretexting: This is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
Phishing: The phisher sends an e-mail that appears to come from a legitimate business or a bank, requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate with company logos and content and has a form requesting everything from a home address to an ATM card’s PIN.
Other examples include baiting, Trojan horses, and the many virus and worm infections that are aimed at collecting information from your computer and sending it to a remote server. They can also be engineered to open loopholes through which a hacker can break into your system. Protection against these attacks calls for awareness that they exist, more care about what we click on or download, and always having antivirus software installed.
Motivated and organized crime attackers can use many other methods to break into systems. For instance, there are many ways to bypass the Windows login screen without entering the password. It is therefore very risky to leave all your accounts logged in and assume that logging out of Windows will protect them.
A motivated attacker or an organized crime attacker can also install key-logging software on a computer. Key loggers record everything typed into the computer, including sensitive information and passwords. One method used against key loggers, especially on a public computer, is to NOT type in your password but to copy and paste it from removable media. This means that if you are going to log into your account at a cyber café, you carry a flash drive containing a document with your password in it.
There is also a technique called session cookie stealing, which can only be carried out by expert hackers. It happens when people share a local area network; the free WiFi networks we log into in hotels and restaurants are local area networks. A session cookie is only useful to the thief while you are logged in: the cookie identifies your current session on the server, and once you log out that session no longer exists, so you lock out the thief as well.
My word of advice is, DO NOT use public local area networks to log into very sensitive accounts. If you must, log out as soon as possible to avoid giving session cookie thieves enough time to steal your information.