[BreachExchange] What does it mean to be "hacked?"

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 10 18:38:47 EDT 2017


http://www.arktimes.com/ArkansasBlog/archives/2017/04/07/what-does-it-mean-to-be-hacked

An Arkansas Representative recently falsely accused the Arkansas Times of
"hacking" (some people merely made comments critical of her on her public
Facebook page) so we thought we'd take this opportunity to educate and
inform. The term gets thrown around a lot, but what exactly is it?

Hacking is the breaking-and-entering of the digital world. Your digital
“home” may be your bank, your social profile, or your email account. The
techniques hackers use are sometimes basic and sometimes astoundingly
complex, but understanding either side of it requires some basic knowledge
of the internet in general.

Digital vocabulary

One of the most fundamental aspects of the internet is the humble IP
address. They typically look something like “192.145.422.12” and act just
like your home address. This number is the physical address of your
computer. Search Google for, “what’s my IP?” and you’ll immediately be able
to see yours.

IP addresses often change, though, and aren’t always a reliable way of
accessing another server or computer. We needed a system which would allow
us to remember friendly names like “Facebook.com” instead of a long series
of numbers. These friendly names are called domain names.

Domain names are what we typically type into the address bar. Google.com,
Facebook.com, Youtube.com – all domain names. The end result, however,
needs to be an IP address because that’s the actual, physical address of
the computer or server you’re trying to access.

The Domain Name System (DNS) provides the solution. When you type and
submit a domain name, it gets sent to your local DNS server where it’s used
to look up the correct and corresponding IP address. “ArkTimes.com” is much
easier to remember than “8.40.240.33.”

Your browser is the piece of software you’re using at the moment to read
this article. Internet Explorer, Firefox, Chrome, and Safari are all
browsers made by different companies, but they all do the same thing:
connect to an IP address, download files, and display them.

Types of hacking

Brute Force
This one’s simple. Think of brute force hacking like someone going
shoulder-first into your front door over and over until it gives. Using
computers, hackers are able to automate the guessing of passwords and
simple ones can be solved in minutes. The longer your password, the harder
it is for a computer to “crack” it. A good password will read more like a
sentence, which is why the term "passphrase" is becoming more common. An
example: Several100%FloatingBoats – it would take a computer trying 1000
times per second over 500 years to crack that passphrase.

Avoid brute force attacks by changing your password often and keeping your
passphrase long and complicated. Using passwords that read more like
sentences will help you remember them.
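The "longer is harder" claim above can be put in numbers. This is an added example, not code from the article: it sizes the character set a brute-force search has to cover, and from that estimates the expected cracking time at a fixed guess rate (the 1000 guesses per second the article uses is passed in as a parameter; the class sizes and the assumption of an exhaustive search are constructed for the example).

```python
import math

# Sizes of the character classes an exhaustive search must cover (lower-case,
# upper-case, digits, printable-ASCII symbols). Constructed for this example:
# a real cracker tries likely guesses first, so this is the attacker's worst
# case and therefore the defender's upper bound, not a promise.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest class mix that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from that alphabet."""
    return alphabet_size(password) ** len(password)


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected years to hit the password: half the keyspace on average."""
    return keyspace(password) / 2 / guesses_per_second / SECONDS_PER_YEAR


def bits_of_entropy(password: str) -> float:
    """log2 of the keyspace, the usual yardstick for comparing strength."""
    return math.log2(keyspace(password))


if __name__ == "__main__":
    # Constructed comparison: a short "complex" password next to the
    # article's passphrase, both at the article's 1000 guesses per second.
    for pw in ("P@ss1", "Several100%FloatingBoats"):
        print(f"{pw:26} {bits_of_entropy(pw):6.1f} bits  "
              f"{years_to_crack(pw, 1000):.3g} years")
```

Length dominates: every extra character multiplies the keyspace by the alphabet size, while adding a symbol to a five-character password only changes the base.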

Distributed Denial of Service
Also known as DDOS, these attacks are typically run against large-scale
organizations or platforms. Imagine two people having a pleasant
conversation…now imagine hundreds of very loud and obnoxious strangers
running up and yelling in their faces. There’s no way a conversation could
take place. This is what happens during a DDOS attack. A hacker (or group
of hackers) targets a service like Xbox Live or Netflix and sends an
immense flood of web traffic to their servers, which slows down and often
cripples the platform. The Rio Olympics site sustained months of DDOS
attacks last year.

The term botnet refers to a network of hacked computers that are able to be
called into action by their hacker masters. If you’re on Windows XP and
don’t run anti-virus software, your computer is probably part of a botnet.
Hackers use these botnets in DDOS attacks, so be sure to keep your computer
free from malware and viruses.

Phishing
As the name implies, hackers are baiting hooks and casting wide nets in
hopes of getting bank account info or even social accounts. The scam
typically starts with the hackers creating a fake login page for a popular
service. They’ll make this login page look identical to the original. Since
the hacker doesn’t have access to put their fake login page on the actual
domain name, they must get creative. In 2010, hackers targeted MySpace by
using the domain name rnyspace.com – note that in lowercase it looks
correct, but in all caps it is RNYspace.com. They are counting on people
not being able to tell the difference.
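The rnyspace.com trick is mechanical enough to check for. The following is an added example, not the article's own code: it pulls the host out of a link, lower-cases it (which undoes the upper-case disguise the article describes), rewrites a short constructed list of look-alike character pairs on both the suspect and the genuine domain, and reports whether the link is the real site, a look-alike, or unrelated. It also catches a brand name pushed into a subdomain, which is the "does the address bar match" check from the tips below. The two-label domain assumption and the confusable list are the example's own.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Character pairs that read alike in many fonts; the article's "rn" for "m"
# is the first. Constructed list for this example, applied to both sides so
# that "rnyspace.com" and "myspace.com" normalise to the same string.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("5", "s")]


def hostname(url: str) -> str:
    """Lower-cased host from a link; RNYspace.com becomes rnyspace.com."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames pasted from an email
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def normalise(domain: str) -> str:
    """Collapse look-alike sequences so disguised and genuine spellings agree."""
    for lookalike, genuine in CONFUSABLES:
        domain = domain.replace(lookalike, genuine)
    return domain


def classify(url: str, genuine_domains: Iterable[str]) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for where a link really goes.

    Assumes a two-label registrable domain such as myspace.com; suffixes
    like co.uk would need a public-suffix list (an assumption of this example).
    """
    host = hostname(url)
    labels = host.split(".")
    registered = ".".join(labels[-2:])
    genuine = {d.lower() for d in genuine_domains}
    if registered in genuine:
        return "genuine"
    # Substitution look-alikes: rnyspace.com, paypa1.com, g00gle.com ...
    if normalise(registered) in {normalise(d) for d in genuine}:
        return "lookalike"
    # Brand name placed in a subdomain: myspace.com.login-help.example
    brand_labels = {d.split(".")[0] for d in genuine}
    if brand_labels & set(labels[:-2]):
        return "lookalike"
    return "unrelated"
```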

Phishing emails will typically ask for info that no real company would ask
for via email. You’ll see attempts at urgency (“your account will close in
24 hours if you don’t do this!”) and confusion (“$5,000 was just withdrawn
from your bank account”). These are attempts to shake your rationality and
wits so you give the hackers your username and password voluntarily.

It’s always advised to use a separate password per account. This way, if
you do get phished, the hackers will only have access to that one service
and can’t simply use your one password across other accounts.

Social Engineering
If you know enough about someone and have some charisma, it’s a
frustratingly simple process to navigate their various accounts. Hackers
using social engineering will learn as much as possible about you via your
public information and then simply call your bank claiming to be you. By
guessing some security questions and being nice to the customer service
rep, they’re able to gain access to your accounts without even touching a
computer.

Due diligence on the web

Here are some tips to help keep your digital life secure:

Use longer passphrases.
Modify your passphrase for each service you use (never have the same
password).
Consider a password keeper like DashLane or 1Password.
Keep your PC free from viruses and malware.
Never click a link from an email unless you’re 100 percent clear on where
it will take you.
Look at your address bar and make sure the domain matches what you’re
viewing.
Don’t give your personal info to customer service reps making in-bound
calls.
If it’s too good to be true, it’s probably not real.
Ignore offers of money via email.
Use two-factor authentication.

Online security starts with knowledge and education. We’ve all heard
someone say, “well I’m not good with computers,” but these days that’s like
saying you can’t read and write.

Computers and the internet are now an integral part of our society and
protecting your identity online is more important than ever. Change your
passwords, stay vigilant and sprinkle a healthy dose of distrust on anyone
wanting access to your accounts.