Journalists and media organizations are increasingly being targeted by hackers. This is why it’s essential to have an understanding of how hackers can break into your accounts and your system and what you can do to protect yourself. Tips from security expert Amir Alsbih.
How easy is it for hackers to get access to your computer?
The key difference between the past and now is that in the past, there were many more highly critical and easy-to-exploit vulnerabilities in applications but few people had the skills to exploit them. Today, modern software has fewer highly critical vulnerabilities but many people are able to exploit them because all the tools and exploits are being shared on the internet and have become so easy to use. Exploiting a known vulnerability these days is as simple as clicking a mouse button and doesn’t require any kind of IT knowledge. By using toolkits such as Armitage, the Metasploit framework or the Browser Exploitation Framework (BeEF), someone without computer skills can automatically compromise the security of computer systems via a graphical user interface. This gives them the ability, after automatically hacking the system, to browse the files and do many other things. So compromising the security of computer systems these days has become much easier than years ago.
How does hacking normally happen?
When a security patch is released, a hacker can figure out what the security issue is by analyzing the changes that have been made to the patch. This is called reverse engineering. Then the hacker has a small period of time between when the patch is released and when the update is installed on a particular system. This timeframe can be hours, days or even months depending on the system administration. The attack can happen in one of two ways: actively, if the computer system is running any services that are exposed to the internet like an SSH, email or web server, or passively, by infecting a website with malware (malicious software) or running a malicious website that will compromise the computer system when the user visits the site.
Another popular hacking method is the use of social engineering. In that case, an attacker manipulates people directly, via phone or phishing email, into performing actions that compromise the computer’s security (read here for more information about this). Today, these techniques are often combined with easy-to-use tools like the Social Engineer Toolkit. Another common method is using brute force attacks to crack passwords.
What do hackers normally do once they have hacked into a system or account?
It depends on the hackers’ goals. The days are gone where hackers broke into systems just for the fame. Today, hacking has become a big business. Estimates about the size of the cybercrime market vary between $100 billion and $1 trillion. Fraud makes up a large part of this and includes stolen credit card numbers, hacked PayPal accounts, blackmailing companies by threatening them with Denial of Service attacks against their business infrastructure or the theft of intellectual property and other sensitive information like blueprints, plans, research and technical details that can be transformed directly or indirectly into money.
Then there are other kinds of attacks that are designed to deliberately spread misinformation or their own message. There are numerous examples of hackers breaking into Twitter accounts or hijacking websites and replacing the content with their own statements.
What can users do to protect themselves against hacker attacks?
There is no way to guarantee full safety. It is all about finding a compromise between usability and security. Here are some tips.
- Automatically install security updates for your operating system and software such as your browser, document readers, media players and add-ons like Adobe Flash, or other supporting software like Java. This minimizes the risk of being compromised via a known vulnerability.
- Use a secure unique password for every online account. You can memorize your passwords with passphrases.
- Use anti-virus software that has an automatic signature update at least once a day.
- Turn on the built-in personal firewall on the operating system or at least use a router that blocks all externally initiated connections (from the internet) that are not initiated from the internal network (LAN).
- Do not open emails and attachments sent from people you don’t know.
- Do not follow any email links asking for personal information to be entered in a website. If you are unsure whether an email is legitimate, call your bank or service provider and ask them. Don’t use any number given in the email to do this, rather Google the number for yourself.
- Never tell anyone your passwords.
- Do not log in to services via HTTP, but rather use HTTPS for encrypted communication. Do not log into your emails via an insecure internet connection such as an open WLAN without using a form of network encryption like Transport Layer Security (TLS) or HTTPS. Otherwise someone can easily eavesdrop on your internet traffic and steal your passwords.
Will these measures be enough?
It’s always a balance between usability and security. There is nothing like total security and it always depends on who your enemy is. If you are protecting against a ‘script kiddie’ (an unskilled hacker) with no real computer knowledge, then these measures will help you defend yourself. If you are trying to keep out a government agency which has access to unknown vulnerabilities, so-called “zero-day exploits”, as well as unlimited money, technical equipment and time, then you have no chance of defending yourself.
Dr Amir Alsbih is the Chief Information Security Officer at the Haufe Group and directs the Internal Audit department. His responsibilities include both technical and organizational aspects of information security, including risk and safety analysis, security clearances for projects, the development of information security management systems, penetration testing, forensics and incident management. Amir Alsbih also teaches applied information security and digital forensics at the University of Freiburg.
The post was originally written for the DW Akademie.