Only available in English
Blog post 30 November 2019, by Ena Kurtović, Security Analyst at Secura
You have read them too many times; you know them all by heart. Then why, year after year, do we see the same known issues abused? Applying the above list, according to the experts, should protect us from the majority of those attacks, right?
Well yes, if you actually apply them. But, just as I didn't back then, you probably don't today either. The reason for that is simple: I did not exactly understand what I was protecting myself from, so it seemed harmless to skip that one step. Or a couple. Or just leave them for later.
Today, on National Computer Security Day 2019, I will try to explain from the perspective of an ethical hacker what exactly you are protecting yourself from. And I will do so by answering the number one question that arises each time I mention my profession outside the work environment:
Can you hack into my Facebook account?
Yes, yes I can…
I always take a short break before I continue the sentence, just to observe the shimmer in their eye.
...with enough time and motivation, you can hack anything. But why would I put such effort into it?
But how would you do it if you really wanted to?
There is no magic green code that I send over a black terminal screen that will grant me access to your social media accounts, but there is an infinite number of ways for me to try. I will simplify as much as I can, and after describing each attack, I will refer to that tip that would've prevented it, or at least made it as difficult as possible for the attacker.
So let's start at the beginning.
Facebook runs on servers. As a user you need devices, for example a phone and a PC, to connect to those servers, and those devices are connected to a WiFi network. In order to interact with the server, you must supply your credentials - username and password - and then all Facebook data is sent and retrieved over those connections.
How many entry points do you see so far? Will I attack your phone? The computer? The Facebook server? Maybe the communications between them? Perhaps the WiFi network is a good idea; could I start there? I could also attack you directly to get your credentials - as we all know, humans are quite prone to error. There are already infinitely many combinations, and we haven't even begun.
I would begin by choosing the attack vector that requires the least effort, so I am definitely not going for the Facebook servers. As you may realize at this point, "Tips to keep you safe online" was a case of foreshadowing, as exactly those points protect you from attacks against the weakest links.
Let's now imagine a scenario where I have enough motivation and time to hack into your Facebook account.
I would start by gathering as much information as I can about you. I would check all your social media accounts, learn about your interests and hobbies, and inspect your company and professional network by checking, e.g., your LinkedIn profile. I would also learn about where you go out, and then repeat the whole process for information about your close friends, family, even colleagues.
I will use this information later to craft more specific attacks.
If you had restricted the information on your social media profiles, not allowing them to be open to the public, not bragging about going out at bar XXX each Thursday with Bob, Alice and your brother Mark to watch games of your favorite basketball club Green Tiger... If only it wasn't so annoying to go through all those settings, I wouldn't have had much to work with. But guess what, now I also know that next Saturday you RSVP'd "attending" to a BBQ event at the local park. I am now armed with enough information to proceed with my plan.
I sit down and craft an email. I register a domain that sounds legitimate, for example XXX-bar-awards.com. My mail would invite you for a game next Thursday, and if you immediately RSVP via a link, you would get free drink vouchers at the bar. The link would lead to a fake Facebook login form, and I would be waiting and hoping to harvest your credentials.
If it sounds too good to be true, it probably is. If it makes you "act immediately", the intention is to not give you time to think about it. Do not trust unknown webshops, free video streaming sites, ads claiming to sell unreasonably cheap things, or emails blackmailing you into sending money or personal information. Google search is your friend: verify the authenticity of the source and search for genuine user feedback online.
Unfortunately for me, you know the bartenders, and you call right away to ask if your friends can also get free drinks, and the bartender, oblivious to what is going on, just tells you there is no such event and probably their colleagues are pulling a prank.
Since plan A failed, I have to try something else. Next Saturday, I am at the park setting up a WiFi network called "Park Free WiFi". This network is obviously open, as I hope to get you or at least some of your friends to connect to it. What can I do with that? Well, I can intercept and inspect the traffic, or I can set up a "Hotspot Login Page" that asks for your Facebook credentials in order to obtain free WiFi. It would be an easy catch.
Open WiFi networks can be set up to harvest information - again, ask yourself: why is this network free? If a company is running a seemingly free service for the customer, most likely the customer is the product. Think about it! If you really need to connect to an open WiFi network, make sure you use a VPN. A VPN encrypts and tunnels your traffic, protecting it from eavesdropping on that network.
Unfortunately, my plan was not as successful as I hoped. Apparently everybody had a really good 4G package, so they didn't mind wasting their MBs on streaming music over those blasting speakers.
Since my day was wasted waiting at the park, I decide to follow you home. No, I will not steal your phone or PC; hackers are too sophisticated for that. I will rather try to break into your WiFi network and see if I can sniff something useful. It was even easy to find your WiFi - GreenTiger4LiFe. I attempt to guess your WiFi password by performing a so-called dictionary attack: I supply a list of commonly used passwords and systematically try them out, one by one. Hah! This time my attack was successful, and I am in the network!
If you use strong passwords, this attack will not work. And not only for your WiFi, but for any system. Millions of passwords from various systems and accounts of real people have leaked all over the world. Meaning: a combination of words and some numbers and symbols does not mean you have a strong password. Take a look at a well-known dictionary - rockyou.txt - and you will see what people think are strong passwords; the bottom line is, if it can be found in a dictionary, it is not secure. Remember, there are thousands of dictionaries out there.
So what is a strong password?
Something that is meaningful exclusively to you is a good place to start. For example, NGGYuNGLYDNGTaaHY is a pretty strong password.
But how can I remember that?
Easily! Take the Rick Roll chorus, take the first letter of every word and capitalize the consonants: Never Gonna Give You up, Never Gonna Let You Down... Now you can apply this to your own passwords; use a song, a quote, or any string of words that only you can remember - you get the idea. And try to make it at least 12 characters long.
Why 12 characters if I just use random letters?
Because the second attack I would perform would be a brute-force attack. This attack tries all combinations of letters, numbers and symbols, increasing the length as it iterates through them. As you can imagine, this process takes exponentially longer as the number of characters increases. Twelve characters is enough to make this attack infeasible, simple as that.
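As an added illustration, not code from the original post, the Python script below puts the two checks described above into practice: it derives a password from the first letters of a phrase (consonants upper case, vowels lower case, which reproduces NGGYuNGLYDNGTaaHY from the chorus), rejects anything that appears in a wordlist, and estimates the worst-case brute-force time from the character classes and the length. The wordlist is a constructed stand-in for rockyou.txt, and the guess rate of ten billion per second is an assumed figure chosen for illustration.

```python
import string

# Constructed stand-in for a leaked-password wordlist such as rockyou.txt
# (no real list ships with this example). It includes the story's passwords.
SAMPLE_DICTIONARY = {
    "123456", "password", "qwerty", "iloveyou", "letmein", "football",
    "greentiger", "GreenTiger4LiFe", "TigersRock!!123",
}

VOWELS = set("aeiou")


def passphrase_to_password(phrase: str) -> str:
    """Build a password from the first letter of every word in a phrase:
    consonants become upper case, vowels stay lower case."""
    letters = []
    for word in phrase.split():
        first = word[0]
        if not first.isalpha():
            continue  # skip tokens such as "&" or "..."
        letters.append(first.lower() if first.lower() in VOWELS else first.upper())
    return "".join(letters)


def charset_size(password: str) -> int:
    """Size of the union of the standard character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case number of guesses for an attacker who enumerates every
    string over the password's character classes, from length 1 up to
    the password's own length."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case search time at an assumed guess rate (constructed figure)."""
    return brute_force_guesses(password) / guesses_per_second / (365 * 24 * 3600)


def assess(password: str, dictionary=SAMPLE_DICTIONARY, min_length: int = 12) -> dict:
    """Apply the two checks from the post: the password must not appear in a
    wordlist (compared case-insensitively), and it must be long enough that
    exhaustive search is impractical."""
    lowered = {entry.lower() for entry in dictionary}
    in_dictionary = password.lower() in lowered
    length_ok = len(password) >= min_length
    return {
        "in_dictionary": in_dictionary,
        "length_ok": length_ok,
        "charset": charset_size(password),
        "brute_force_years": brute_force_years(password),
        "strong": not in_dictionary and length_ok,
    }


if __name__ == "__main__":
    chorus = ("Never Gonna Give You up, Never Gonna Let You Down, "
              "Never Gonna Turn around and Hurt You")
    derived = passphrase_to_password(chorus)
    # The two story passwords are long and mixed, yet fall to the dictionary;
    # the derived one is not in any list and has 17 characters.
    for candidate in ("GreenTiger4LiFe", "TigersRock!!123", derived):
        r = assess(candidate)
        print(f"{candidate:20} in_dictionary={r['in_dictionary']!s:5} "
              f"length_ok={r['length_ok']!s:5} strong={r['strong']!s:5} "
              f"brute-force years={r['brute_force_years']:.2e}")
```

Note that the brute-force estimate is only a ceiling: an attacker always tries wordlists and common patterns first, which is why a 15-character password such as TigersRock!!123 is still reported as weak the moment it shows up in a list.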
Since you used a password that was found in one of the dictionaries I supplied, I have successfully gained access to your home WiFi network. I will run a scanner to see if there are any connected devices that I can use to further my plan. I discover a PC running Windows 7. This makes me thrilled, as I know there are so many vulnerabilities in that system that I can exploit!
This one is very simple. The longer the software you use exists, the more vulnerabilities are discovered in it. For reference, at the time of writing, Windows 7 had 1283 known vulnerabilities in the CVE database. These vulnerabilities are publicly available, and anybody can utilize that knowledge. It is extremely important to update your systems and software to the latest versions as soon as they are available, because in most cases these updates also contain security patches. See also the blog post of my colleagues about a serious vulnerability in Microsoft Windows (CVE-2019-1424) and the risks from the PulseVPN vulnerability, also known as CVE-2019-1151.
Finally, I attack the Windows machine, plant a keylogger, and I wait for you to enter your Facebook credentials. Not long after, indeed you access your profile using the PC, and I jump with joy because I have what I need: Username: firstname.lastname@example.org and password TigersRock!!123.
I run home victorious, planning to take my time and discover your deepest secrets. Finally I sit down and start up my laptop, navigate to the Facebook page, enter your credentials, and hit the login button. Little do I know…
If you have two-factor authentication enabled, even if an attacker gets their hands on your username and password, they will not be able to log in, as they are missing that third piece of information. This extra layer of security is extremely effective, whether it is a code sent to your phone, an email confirmation, or a hardware token. If it is offered, make sure you use it!
Again, disappointment struck hard. But I am not giving up; the next thing I will try is planting a modified application on your phone. I have to figure out a way to make you install it, because, obviously, I cannot just upload it to the official app stores. So I would try another social engineering attack, for example luring you to a fake website of your favorite mobile game and offering a "Download update" link.
Only trust official application stores when using your phone. Applications that make it to those stores go through tedious processes and checks, and (barring the occasional malicious app that manages to sneak through) can be trusted on your systems. Make sure you give them only the necessary permissions, though! Third-party software can contain malicious code that ends up on your device if you are careless or unaware. The same practice applies to other devices: pirated and third-party software downloaded onto your PC can contain malware. When installing software, purchase and download it only from official websites.
Another successful attack! My .apk file is being downloaded on your phone as we speak. If you allow third-party app installation, I have a backdoor on your phone and I can get all that I need!
Antivirus software today is pretty smart. It not only checks against fingerprints of known malware, but also inspects application code and behaviour, even for apps it encounters for the first time. Antiviruses are able to notice anomalies in this behaviour and alert users. The success of the previous attack therefore depends on the absence of AV software on the device. Did I hit the jackpot?
Now let’s move away from the proof-of-concept Facebook account hack, and talk about real life.
What advice do you skip? Would you get your account hacked if you were my target? And I do not mean only Facebook, think of all the online accounts you have and all the possible ways to attack them. Remember, this was a simplified scenario. In real life, systems are far more complex, there are more devices than just a phone and a PC, basically anything with a connection can be used against you.
But no need to panic. The chances that a hacker will target you specifically are slim. As you now realize, a person needs a lot of motivation, time and effort to do so, and unless you are somebody of interest, such as a politician or a celebrity, you probably don't need to worry too much. What rather happens is that your email address has been harvested along with tens of thousands of others, because the mailing list of a webshop you receive newsletters from has leaked in a security breach. Hackers use these mailing lists to send thousands, even millions, of emails, asking for Bitcoins, targeting payment card data, credentials, etc. They count on that one person out of a hundred to click on the link, believe the blackmail and send bitcoins, connect to that open WiFi... It is only profitable for them if they target the masses.
With 10% effort you can protect yourself from 90% of the threats. That 10% effort is exactly what is listed in the "Expert tips to keep you safe online". On the other hand, 90% effort would be needed to try to protect yourself from the remaining 10% of threats. At this point, I usually get asked one final question:
So, how can I be 100% protected?
The answer is: you can't, there is no such thing as a bulletproof system. This actually works in our favour, because if 100% secure systems were invented, we would soon be out of business. What can be done is to come as close as possible to that 100%, and that is exactly what we at Secura do, what we have dedicated our lives to.
If you are part of a company - and all companies deal with sensitive information or assets they wish to protect - you should consider covering that remaining 10% as far as possible, and we will gladly offer our help.
But always keep one thing in mind: When defending, we have to cover everything a hacker can think of; when attacking, a hacker only needs to exploit one thing that we didn’t.
Apply the top security tips and tricks in order to protect yourself from 90% of threats online.
If you wish to get closer to 100%, hire experts.