Hacking is misunderstood. It can be cringe-worthy when the press, politicians, or movies speak of it. The term ‘hacked’ is way overused. You would be shocked to know that there is far less brute force ‘hacking’ going on because modern-day encryption is so good. Most ‘hacking’ involves tricking people into giving up their personal information or clicking on something, or an employee simply walking off with a lot of data and making it publicly available. Motives range from axes to grind, making people miserable, making a statement, whistle-blowing, or selling it.
A significant amount of ‘hacking’ is typically done by bad guys asking for someone’s username and password via an official looking email or fake website and that person unknowingly reveals it. That’s a bit of an oversimplification, but will suffice for now. It’s called ‘Social Engineering’ and it’s typically where bad guys pretend to be a trusted individual or business convincingly enough for you to give them your login information, or at least enough information where they can reset your password to something only they know, locking you out.
A second, less popular way is to take advantage of a security hole in an operating system, program, server, or website. The software security hole possibility is lessened by all those updates you see being constantly installed. Those updates can sometimes be problematic to the normal functioning of your computer due to the changes being made, but that’s for another article. We always recommend installing updates and dealing with any fallout later. As I type this, that fallout has been significant due to the unusual nature of security updates being issued.
Different kinds of hackers
- Black hat: People that break into accounts to steal information for profit or just being jerks about it.
- White hat: People that break into accounts to determine if systems are protected and report how it was done so changes can be made.
- Gray hat: Apparently these people have personal issues and don’t know which side they’re on.
The impression given by the press and in the movies is that everyone and everything can be ‘hacked’ at any time, easily. It’s just not true. If it were, email and banking online would be useless. Amazon would not exist. Today’s encryption is very good and ‘brute force’ attacks are increasingly difficult.
As this article is being created, politically related Twitter accounts are getting compromised. Also, a vulnerability in every computer built for the last 10 years is getting patched in order to close security holes found in central processing units (CPUs). The holes are named ‘Meltdown’ and ‘Spectre‘.
Cute, huh? Got a Transformers/James Bond vibe to them. It affects all computers, all manufacturers. Should you worry? No. It’s yet another security issue that will get patched, albeit an unusual one.
Windows computer users do not have to do anything. All Windows computers normally install patches automatically. You don’t have to do anything unless a problem develops due to the patch. That’s when we get a call.
How is ‘Hacking’ Done
Very few accounts are directly hacked out of the blue. The chance that someone will go to your email provider’s website, be it Yahoo, Gmail, Comcast, etc., and guess your password is extremely remote. After a few tries, the account is typically locked out or you are forced to try again in a few hours or days.
We know of no proven instance where someone broke into a stranger’s email account purely by guessing the password. It’s always done using other techniques or information that was discovered about the owner of the account. Most of the time the password is never known and the break-in occurs by initiating a password reset.
There are a few ways for your information to be compromised.
- Social Engineering
- Fake Websites
- Exploiting a vulnerability
- Dropping the ball (User Error)
Social Engineering
You may hear from time to time that some famous person’s email or files have been ‘hacked’. It’s not done by guessing a password, but most likely through something called ‘Social Engineering’. The bad people will send fake but official looking email using a technique known as ‘phishing’, spelled with a ‘p’. The hackers are ‘fishing’ for passwords with ‘bait’ – emails with fake information, attachments or links inside them. The emails state some fake nonsense such as claiming an issue has arisen and your Internet provider needs you to re-enter your email address and password. In fact, you are entering your email and password into a fake website.
Never, ever enter your username and password based on an email. Always go to the website of the service and enter it that way, never after clicking on something in an email. Opening an email will rarely cause an issue. The problem begins when something INSIDE the email is clicked on, such as a link or attachment. Yes, your antivirus should stop things like this, but don’t count on it. There is nothing wrong with calling the person the email is supposed to be from and confirming they actually sent it.
Lately, a clever technique is being used where someone receives a very real looking email, seemingly from a trusted source, customer or colleague, asking them to open an attachment that requires a login and password to view. It’s all fake, and what really happens is you send your password to the bad guys.
You may get a phone call where the person is pretending to be a trusted source such as your bank or tech support from a known company such as Microsoft. They will talk about ‘issues’ they detected with your Internet activity and they must remote into your computer to fix it. They may demand that you tell them your username, password, or personal information of some sort for the ‘issues’ to be resolved. You may get a call stating that suspicious activity has been detected emanating from your computer and they need to log into it and fix it.
NEVER NEVER NEVER talk to anyone on the phone stating that they are from XYZ and they need personal information or need to get into your computer to fix something. They’ll claim they are monitoring your activity and discovered viruses, hacking, or some such nonsense. No one is monitoring your computer activity unless you are doing something illegal, and law enforcement would not call you informing you of that fact. They’ll bust down your door.
Just hang up. If you are unsure, still hang up and call us. We have seen or heard of this a hundred times. It’s remarkable how pervasive and convincing these people can be. The victim will get a call out of the blue. They are unprepared. The person on the other end will claim they have detected that your computer is sending out viruses and needs to be fixed.
The bad guys convince the victim to allow them to remote into the computer or give up personal information. If they remote in, the bad guy then throws up screens ‘confirming’ the infection when, in fact, it’s just technical screens that no one understands. One common screen is showing a utility called ‘MSCONFIG’. It shows some programs running and some not. They will claim that’s a problem even though it’s completely normal.
The bad guy pretends to do a bunch of stuff and charges hundreds or thousands of dollars for their ‘service’. It’s all crap, if we may be so blunt.
- There is no infection.
- There is no service work done.
- There is no lifetime guarantee.
- There is no warranty.
- They will charge hundreds of dollars for software that’s normally free.
Although it’s unnerving, to date we have not had an instance where bad guys that have remoted in have stolen identity information. It’s just crooks trying to trick you into sending money. If money was sent, call your credit card company or bank and stop payment immediately.
We had one instance recently where we were told that bank accounts were truly compromised, but in that case we suspect the victim completely gave up all their personal information to the extreme, including offering up passwords to their banking information. Most people, if it gets to that point, grow suspicious enough to stop.
We have had people call us while the crooks are currently logged into their computer asking what they should do. Our response is to shut it down immediately. If you no longer have control of the computer, pull the power plug from the computer box, not just the monitor.
After an incident, we typically see changes made to the computers including:
- Remote access software installed.
- A password that was set up that only they know.
- Junk or useless software installed.
- Receipts of some kind.
- Perhaps some phone number constantly being shown on the taskbar.
We perform a normal service which removes such things and typically brings everything back to normal.
Fake Websites
This has become extremely popular. The idea is to show a website that looks like a security alert indicating your computer has been compromised and you should call the number listed. After calling the number, all the things outlined in ‘Social Engineering’ start to take place.
The only difference is that YOU made the call TO the bad guys, not the bad guys calling you out of the blue.
So, how do you end up at these sites?
Improperly typing website addresses, malicious or fake advertisements, fake links or fake search results. If you wanted to go to ‘itunes.com’ but the ‘e’ and the ‘n’ are transposed instead, it used to send you to a site that looks like this:
We added the “Fake!” words. You will see only what’s behind them. These sites go active and are shut down often. Two other mis-types that would send you to fake websites were:
- accuweather.com (add an extra ‘a’ in ‘weather’)
- youtube.com (add an extra ‘u’ after the ‘you’ part)
They no longer send you to fake websites but are re-routed elsewhere.
Evil doers purchase these mis-typed website names knowing that some people will make exactly those typos. You end up with scary messages and a background voice saying all is lost unless you call the number listed.
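The typo trick above (swapped letters in ‘itunes’, a doubled letter in ‘accuweather’ and ‘youtube’) is exactly what a lookalike-domain check looks for. The following is an added example, not code from the original article: it scores a typed hostname against a small constructed list of known domains and flags anything that is one edit (insertion, deletion, substitution or swapped neighbours) away from a real one. The domain list and the sample hostnames are made up for illustration; a real deployment would use a much larger brand list and compare registrable domains rather than the full hostname.

```python
# Constructed list of legitimate domains to protect; assumed, not from the article.
KNOWN_DOMAINS = ["itunes.com", "accuweather.com", "youtube.com", "gmail.com"]


def edit_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: insertions, deletions,
    substitutions and swaps of two adjacent letters each count as one edit,
    so 'itunse' (e and s swapped) is distance 1 from 'itunes'."""
    prev2 = None                      # row i-2, needed for the swap case
    prev = list(range(len(b) + 1))    # row 0: turning "" into b[:j]
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)      # turning a[:i] into ""
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1,          # delete a[i-1]
                         cur[j - 1] + 1,       # insert b[j-1]
                         prev[j - 1] + cost)   # substitute (or match)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def typosquat_check(hostname: str, known=KNOWN_DOMAINS, max_edits: int = 1):
    """Return (verdict, closest_known_domain).
    'known'     : the hostname is on the list exactly.
    'lookalike' : within max_edits of a listed domain but not equal to it,
                  i.e. a typo that may land on a squatter's site.
    'unknown'   : nothing close on the list (closest domain is None)."""
    host = hostname.lower().strip(".")
    if host in known:
        return "known", host
    closest = min(known, key=lambda k: edit_distance(host, k))
    if edit_distance(host, closest) <= max_edits:
        return "lookalike", closest
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's three typos.
    for typed in ["itunse.com", "accuweaather.com", "youutube.com", "example.com"]:
        print(typed, "->", typosquat_check(typed))
```

Browsers and mail gateways apply the same idea with bigger lists and extra rules (homoglyphs such as ‘rn’ for ‘m’, different top-level domains); the value of the check is that it warns before the page loads, which is cheaper than cleaning up after a scare-page visit.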
These sites are, in fact, just fake websites made to look like something bad. You may not be able to exit out and they’ll run forever. In that case, reboot the computer. When you go back to the Internet your browser may ask if you want to return to the website you were previously looking at. You DO NOT want to do that or you may end up back at the same fake website.
Your antivirus may sometimes prevent you from seeing these kinds of sites, sometimes not. These sites appear and disappear so quickly the antivirus companies have a hard time keeping up.
You can end up at these websites if you click on an advertisement you see on a web page pretending to be something it’s not. You can end up at these websites by clicking on search results that pretend to be one thing but are actually fake.
For example, you search for ‘Ford Mustang’ and click on one of the links listed in the results. However, instead of sending you to the link listed, you see the fake site. Any type of search site or social network such as Facebook or Twitter is fertile territory for fake links leading to who knows where. Ignore all of them and don’t freak out when you see something like this. It’s more annoying than dangerous.
Always remember, if you see one of these sites, it’s fake. There is nothing wrong with your computer. It’s just a fake message made to look serious. Do not do anything in response to these websites other than reboot your computer and go on with your day.
Exploiting a vulnerability
These are troublesome because there is little you can do to stop it. Fortunately they are rare enough that you shouldn’t lose sleep over it. Oftentimes, in order to take advantage of a vulnerability, the user must still do SOMETHING to initiate the exploit such as clicking a link in an email, clicking attachments, downloading a file, responding to fake websites as described previously, etc. Even though the vulnerability exists, the user typically must do something to make it work.
Security holes reveal themselves several different ways.
- There are holes that become known the day they are taken advantage of, called a ‘Zero Day’ exploit, meaning no one knew until today. Very rare.
- When a security patch is sent out, the bad guys may study that patch to find out what it’s fixing and see if it can be used to break into computers before all the computers get patched.
- Researchers will find a security hole and notify the vendor of the software that this exists and it should be patched. This is what happened most recently with the ‘Meltdown’ and ‘Spectre‘ vulnerability. The researchers were good enough not to reveal their findings for some time in order to give manufacturers time to respond.
Dropping the ball (Human Error)
- Posting your passwords on a post-it note hanging from your computer.
- Keeping a password list in your wallet or purse and losing them.
- Using the same or similar password for everything. Using ‘secret1’, ‘secret2’, etc., is not the best because once they get one password, they can guess the next.
- Using ‘password’ or 12345678 for a password. There are stories about people using these types of passwords but in the thousands of systems we’ve worked on, we have seen 12345678 one time.
- Entering your password into a fake website based on an email, fake website, or phone call as outlined above.
Breaking into email accounts “the back way”
I mentioned that very few intrusions are done through the front door, meaning going to a login page and guessing the password outright. Stealing the password over wireless is quickly becoming less common due to much better encryption techniques. Public Wi-Fi is still a bit sketchy, so I would avoid doing banking on one if at all possible.
Initiating a password reset is more common. If I know your email address, for example, I can try to reset the password. Maybe a bad guy gets lucky and the account is protected using secret questions. The questions are asked and with some basic research, they can be answered. The password is then reset to something only they know. Check out password management for more on this issue.
But that still isn’t the back way. The bad guys may still try ‘Social Engineering’ tricks, but they don’t do it on your account, they do it with a company account. Yes, the company that manages your email or banking or whatever. They go right to the source and try to trick the employees of the company into giving up information they can use. Sometimes it works.
Breaking into accounts at the company
The following example is a bit simplified, but it’s still valid. It’s somewhat filled with techno-babble, but we offer it here for those who might be interested. Skip if you wish.
Imagine a company website that you have an account with. That website has the names of all the top brass with their email addresses listed prominently in the ‘About’ page. The bad guys study who’s who and start to plan. They will pretend to be one of the top people and email another person in the company asking for information. They are trying to get something they can use to get at the servers.
Company A has the following individuals:
- Jim Anderson – CEO
- Jane Wilson – CFO (Chief Financial Officer)
- Joe Jones – Worker Bee
Jim Anderson, CEO, sends an email to Jane Wilson asking for her password to the finance table because he needs to check on a few things and his password isn’t working. Jane dutifully gives it to him. The problem is, of course, Jim never sent that request. The bad guys pretended to be Jim.
The bad guys may now have a way in. They stay quiet and don’t ask Jane for anything more to avoid suspicion. Well, it turns out Jane has Administrator rights to the server, specifically the database.
How could that be? Why would Jane or any employee have Administrator rights to the server and not just the tech support people? Well, because it’s simpler that way. Grant everyone Administrator rights and avoid the hassle of permissions for this and that. Companies that can’t afford to employ a technician onsite, or even ones that can, oftentimes go the easy route and grant full access to everyone.
They go straight to the database and see tables. Lots of tables full of information. They find a users table and see the following:
If the passwords are saved in ‘plain text’ like Jim’s, it’s game over. They have all the user passwords with little effort. The bad guys can now call up the widgets.com website and login with employee and customer passwords just like the real people would. Customers have zero control over this. It’s very poor design.
However, if the database was set up to save passwords in encrypted form, they would see text like Jane and Joe. This takes more work to break. The bad guys collect all the encrypted passwords stored in the password column and run a program that will ‘reverse guess’ the password using commonly used password lists freely available on the Internet.
I won’t bore you with the details except to say that this is where you want unique, long, random character passwords. 11 characters or more and you should be good. There is not enough time to break a password like that, giving you plenty of time to simply change your password.
However, some passwords will surely be recovered and can then be used to log in. If that user’s same email address and password is used to log into other services and companies, the bad guys now have access to accounts for those companies as well.
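To make the plain-text versus ‘encrypted’ contrast concrete, here is an added example that is not part of the original article. The users table it builds is a constructed stand-in for the one the article describes (Jim in plain text, Jane and Joe protected), and the short common-password list is a constructed stand-in for the freely available lists the article mentions. What the article calls encrypted is, in practice, a salted one-way hash; the example uses PBKDF2-HMAC-SHA256 from Python’s standard library. The audit function answers the question a defender asks of such a table: which accounts would someone holding it recover with no effort?

```python
import hashlib
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def make_record(password, salt=None):
    """Store a per-user random salt and the salted hash, never the password.
    Two users with the same password get different hashes because the
    salts differ, so one cracked hash says nothing about the other."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record, candidate):
    """Recompute the hash for a candidate password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return secrets.compare_digest(digest.hex(), record["hash"])


# Constructed stand-in for the article's users table (assumed, not the
# original): Jim's password is stored in plain text, Jane's and Joe's as
# salted hashes. Jane chose a common word; Joe used 12 random characters.
USERS = {
    "jim":  {"plaintext": "secret1"},
    "jane": make_record("password"),
    "joe":  make_record("Tq7!vR9$mZ2p"),
}

# Constructed stand-in for a public common-password list (real ones run to
# millions of entries).
COMMON_PASSWORDS = ["123456", "password", "12345678", "secret1", "qwerty", "letmein"]


def audit_weak_accounts(users=USERS, wordlist=COMMON_PASSWORDS):
    """Report accounts that a copy of this table gives away cheaply:
    plain-text entries outright, and hashed entries whose password appears
    in the word list. Joe's random password is not in any list, so his hash
    reveals nothing in the time available before he changes it."""
    findings = {}
    for name, rec in users.items():
        if "plaintext" in rec:
            findings[name] = "stored in plain text"
            continue
        for guess in wordlist:
            if verify(rec, guess):
                findings[name] = "hash matches common password"
                break
    return findings


if __name__ == "__main__":
    for name, finding in audit_weak_accounts().items():
        print(f"{name}: {finding}")
```

Two design points carry the article’s advice: the salt means an attacker cannot precompute one table of hashes and reuse it across users, and the iteration count makes each guess deliberately slow, which is why a long random password stays out of reach even when the hashes leak.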
Techniques such as these are used to retrieve massive amounts of user information at once. Again, bad guys don’t get millions of account passwords by guessing individual accounts. They gain access using company accounts using phishing or security holes, which then grant them access to the crown jewels – the database.
What to do, in no particular order
- 11 random character passwords. If you need to remember the password, use 3 random words divided with special characters.
- Passwords do not have to be all random text, but throw in a few special characters between words, misspell words, etc.
- Use unique passwords for each site. If one of your accounts is compromised for any reason, at least the others are still safe.
- WRITE IT DOWN. You will forget all your passwords. See this article for password management details and tips.
- When asked to provide answers to secret questions, it’s perfectly okay to answer them with lies or nonsense. An example would be – ‘What was the make and model of your first car?’. A hacker would try Ford, Chevy, etc. For that question, use ‘waterplant’ or something nonsensical. It’s okay to lie. The problem with lying, as with all lies, is you must remember the lie – meaning WRITE IT DOWN! Don’t answer this question using ‘Chevy’ even though your first car was a Ford. The hackers can still logically guess that. Answer it with something nonsensical or, better yet, use random text.
- If you get an email asking you to enter password information, ignore it no matter how legit it looks. If there is a question, go directly to the website and log in yourself or contact the sender of the email.
- Crooks will email you a message in such a way that it appears to come from your Internet provider, a friend, family member, or trusted source and ask you to enter your email address and password to ‘confirm your account’ or some such nonsense. The recipient dutifully enters their login and now it’s been officially sent to the evil-doers. Your account has now been hacked, unless you have two factor authentication enabled.
- Enabling two factor authentication is highly recommended to avoid accidentally giving your email password to bad actors. It can also aid in password recovery. Two factor authentication means that with every login, a code is sent to your phone that you must acknowledge in order to access your email. Since only you have access to the phone, even if someone knows your email AND password, they won’t have access to your phone and cannot acknowledge the code. By default, this is not enabled and must be activated. For an example in Gmail, check out our Email-palooza article.
- There is something called a password manager. This is a service that can be used to create secure passwords, save the passwords, and enter them when you are at your normal login prompts. Commonly used ones are:
- Most people don’t use password managers and rely on good old paper. Password managers can come in handy in the event you have to remember a lot of passwords for your day to day work. You only have to remember one “master” password. I still strongly recommend documenting all information associated with an account.
- Some programs will let you assign a password to the documents themselves. For example, Microsoft Word and Excel allow you to assign a password to a file. When the file is opened, you must enter a password to view it. This can come in handy when saving documents on flash drives, something that can be easily lost. Secret information, such as a listing of passwords, can be entered into a Word Document and password protected. Yes, you read that right. Using a password to protect a document full of passwords. When does the madness end!?
- Whatever system you use, write down the password on old fashioned paper. You may save your passwords to a computer file, but if the hard drive fails, your password document goes with it. PRINT THE PASSWORD list after each change and hide it somewhere.
You’ll thank yourself later.
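The first two pieces of advice in the list (11 random characters, or 3 random words divided by special characters) can be generated rather than invented. The following is an added example, not from the original article: it builds both kinds of password with Python’s secrets module (the OS random source, not the predictable random module) and computes how many bits of guessing work each one represents. The 16-word list is constructed for illustration and deliberately tiny; the entropy function makes the point that the strength of a word-based password comes from the size of the list the words are drawn from, not from the length of the result.

```python
import math
import secrets
import string

# Constructed mini word list (assumed, not from the article). A real list,
# such as a 7,776-word diceware list, is what gives word passwords their strength.
WORDS = ["water", "plant", "maple", "cobalt", "ferry", "lantern", "orbit",
         "quartz", "ridge", "sable", "tulip", "velvet", "wicker", "yonder",
         "zephyr", "harbor"]
SEPARATORS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols


def random_characters(length=11, alphabet=ALPHABET):
    """The article's first option: 11 or more characters, each drawn
    uniformly from the alphabet with the OS random source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count=3, words=WORDS, seps=SEPARATORS):
    """The article's memorable option: words joined by special characters,
    with every word and every separator chosen independently."""
    out = secrets.choice(words)
    for _ in range(count - 1):
        out += secrets.choice(seps) + secrets.choice(words)
    return out


def entropy_bits(alphabet_size, picks):
    """Bits of entropy for `picks` independent uniform choices among
    `alphabet_size` options: log2 of the number of equally likely outcomes."""
    return picks * math.log2(alphabet_size)


def word_password_entropy(count=3, words=WORDS, seps=SEPARATORS):
    """Entropy of random_words(): `count` word choices plus `count - 1`
    separator choices. With the 16-word list above this is about 19 bits;
    with a 7,776-word list it is about 46 bits."""
    return entropy_bits(len(words), count) + entropy_bits(len(seps), count - 1)


def count_words(password, seps=SEPARATORS):
    """Split on any separator character and count the non-empty pieces."""
    pieces = [password]
    for s in seps:
        pieces = [q for p in pieces for q in p.split(s)]
    return len([p for p in pieces if p])


if __name__ == "__main__":
    print(random_characters(), f"~{entropy_bits(len(ALPHABET), 11):.1f} bits")
    print(random_words(), f"~{word_password_entropy():.1f} bits")
```

Running it shows 11 random characters at roughly 67 bits against roughly 19 bits for three words from this toy list, which is the practical reason the article pairs the word method with a written-down record: the words need a large list behind them, or more of them, to match the random string.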