July 14, 2015

7 Things All Hackers Know to be True

1. There is no Such Thing as a Social Media “Friend” Everyone knows not to click “suspicious” links on the internet, but not everyone knows what these links are supposed to look like. In the past, you’d receive them in your email inbox under a subject heading that looked something like “dR_S.tR.@n.G.eLuv_H.e-rB.al M.@.g.IC”. These spam emails would invite you to “try the latest herbal weight loss solution” or to “Meet Kandy,” and it was pretty obvious that they were a scam. But phishing has come a long way since 2007. Now that link shortening on sites like Twitter and Facebook is so common, it is much easier to disguise a malicious link as something innocuous. It is also easy to manipulate the social aspect of these sites by sending malicious links in targeted private messages or by disguising them as news articles. As a general rule, it’s a good idea to copy your links into a text editor and examine them closely before actually keying them into your browser.

2. Even Google Isn’t Safe Google is great. It boasts one of the best email clients on the market and a search engine so popular that “just Google it” is now common terminology (unlike, say “Just Duck Duck Go it” or “Just Bing it”). That said, Google isn’t perfect, and you shouldn’t trust a link just because it surfaces during a Google search. You should also be careful with Google ads. Last September, a series of Google ads were infected with Zemot malware, and several users were infected by it. This is a strategy known as“malvertising” and it can be very nasty.  During a malvertising attack, a rogue ad directs your browser to a third-party webpage that exploits your computer for vulnerabilities associated with outdated browser plug-ins like Java, Flash Player, Adobe Reader, and Silverlight. If the attack is successful, the hackers install CryptoWall ransomware on your system, encrypting your hard drive and holding it hostage until you pay a certain sum in bitcoin. Malvertising attacks aren’t common, but they aren’t that uncommon, either. Companies like Google are good at addressing these kinds of issues quickly, but that doesn’t mean you should leave your security up to them. They won’t realize an ad has been infected until a certain number of users report the problem. Don’t let that user be you.

3. Your P@ssw0rd Sucks On average, roughly half a dozen email accounts are taken hostage every two or three minutes, mostly as a result of poor password protection. In the vast majority of cases, a breach occurs when someone uses the same password for a Gmail account as for some other, less secure account where the username is a Gmail address. It’s also possible for a hacker to simply guess a password using a dictionary attack, or to discover it via “brute force.” As a general rule, if a password can be found in the dictionary, it probably isn’t safe. Ditto passwords that perfunctorily switch Es to threes and Os to zeros, and then add funny punctuation. Even passwords Google deems “strong” can be guessed. The best solution is to use a password manager like LastPass or 1Password to generate and manage truly “random” passwords for all your accounts.

4. “Free Public Wi-Fi” isn’t as good as it sounds This seems obvious, but when you use free Wi-Fi at a coffee shop or in a hotel, you are probably not on a very secure network. Among hackers, this is well known. A recent article in Motherboard details how hackers at last year’s Defcon convention used the venue’s Wi-Fi to hack other guests at the hotel, curating a list of compromised email accounts, IP addresses, and passwords and beaming it onto the infamous “Wall of Sheep” for everyone at the conference to see. “It’s about shaming,” one participant explains, “we’re just doing it to show people how insecure their networks are.”

5. Cellphones can Be Hacked Last year, a hacker referred to as “Oleg Pliss” staged a series of iPhone hacks during which he compromised several Apple IDs and used the information to hijack a series of phones, lock them, and hold them for ransom. This kind of hack is a nightmare, especially if you use your iPhone to store email addresses, phone numbers, passwords, banking information, travel itineraries, and other potentially valuable information. Hackers can compromise iPhones by phishing your Apple ID, or by delivering malicious software to you over text message.  To date, Android is the most targeted mobile Operating System, accounting for more than 99% of mobile malware. This is because Google Play imposes fewer restrictions than Apple on the apps that users can buy and sell. While Android users benefit from a wider variety of apps than their Apple counterparts, they are at a higher risk of getting attacked.

6. Some People Won’t Even Do the Bare Minimum Services like Facebook, Twitter, and Gmail offer a feature known as two-factor authentication; but most people don’t bother to use it. Two factor authentication verifies a user’s identity using something a user knows (generally a password) and something a user has (generally a mobile phone). When you activate two-factor authentication on Facebook or Gmail, your login becomes a two-step process. First you enter your regular password, then a code is sent to your smartphone, and you enter that as well. Two factor authentication makes logging in much more secure, but it can be tedious. Just remember that hackers take advantage of those who opt out of this service.

7. You’re Responsible…But you’re not responsible When you sign up for services like Google or Facebook, you accept a certain amount of risk. You do this happily because the advantages that attend these services are so obviously worth it. Who would go back to using a physical address book when they have an iPhone with an internet connection? Why would anyone opt for an atlas over a Google map? Snail mail over email? You have everything to gain from “plugging into” the internet. But the more you rely on the cloud, the more you expose yourself to its vulnerabilities. This doesn’t mean that you will.