What You Should Know About Hackers and Hacking
Not all hackers are inherently bad. When used in mainstream media, the word “hacker” is usually used in relation to cyber criminals. But, a hacker can actually be anyone, regardless of their intentions, who utilizes their knowledge of computer software and hardware to break down and bypass security measures on a computer, device or network.
Hacking itself is not an illegal activity unless the hacker is compromising a system without the owner’s permission. Many companies and government agencies actually employ hackers to help them secure their systems.
Hackers are generally categorized by type of metaphorical “hat” they don: “white hat,” “grey hat,” and “black hat.” The terms come from old spaghetti westerns, where the bad guy wears a black cowboy hat, and the good guy wears a white hat. There are two main factors that determine the type of hacker you’re dealing with: their motivations, and whether or not they are breaking the law.
1) Black Hat Hackers
Like all hackers, black hat hackers usually have extensive knowledge about breaking into computer networks and bypassing security protocols. They’re also responsible for writing malware, which is a method used to gain access to these systems.
Their primary motivation is usually for personal or financial gain, but they can also be involved in cyber espionage, protests or perhaps are just addicted to the thrill of cybercrime. Black hat hackers can range from amateurs getting their feet wet by spreading malware, to experienced hackers that aim to steal data, specifically financial information, personal information and login credentials. Not only do black hat hackers seek to steal data, they also seek to modify or destroy data as well.
2) Grey Hat Hackers
As in life, there are grey areas that are neither black nor white. Grey hat hackers are a blend of both black hat and white hat activities. Often, grey hat hackers will look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they’ll report them to the owner, sometimes requesting a small fee to fix the issue. If the owner does not respond or comply, then sometimes the hackers will post the newly found exploit online for the world to see.
These types of hackers are not inherently malicious with their intentions; they’re just looking to get something out of their discoveries for themselves. Usually, grey hat hackers will not exploit the found vulnerabilities. However, this type of hacking is still considered illegal because the hacker did not receive permission from the owner prior to attempting to attack the system.
3) White Hat Hackers
White hat hackers choose to use their powers for good rather than evil. Also known as “ethical hackers,” white hat hackers can sometimes be paid employees or contractors working for companies as security specialists that attempt to find security holes via hacking.
White hat hackers employ the same methods of hacking as black hats, with one exception – they do it with permission from the owner of the system first, which makes the process completely legal. White hat hackers perform penetration testing, test in-place security systems and perform vulnerability assessments for companies. There are even courses, training, conferences and certifications for ethical hacking.
Hackers Live in the World of NETWORKING
WHAT IS NETWORKING? Simply means the inter-connection of computer or devices to share resources. We have various kinds of networking and their protocols.
BLUETOOTH
Bluetooth is a telecommunications industry specification that describes how mobile phones, computers, and personal digital assistants (PDAs) can be easily interconnected using a short-range wireless connection. It’s one of the most commonly uses networking apps in the world.
As Hackers we also use Bluetooth to gain unauthorized access to people information. Know that one you done networking with somebody the information in your devise is no longer secure.
One of the chipest hacking tools we use to hack Bluetooth phones is the Bluetooth share app that we download and install in our phones.
REASONS WHY YOU SHOULD TURN OFF YOUR BLUTOOTH DEVICE AFTER SHAREING RESOURCES:
1) Battery Drain
Although Bluetooth is an energy-efficient technology, it does slowly drain the battery of your cell phone or other mobile device. When enabled, Bluetooth continually scans for signals, looking for new devices to connect with, but using energy in the process. Check your device’s settings and turn Bluetooth off when you’re not using it.
2) Poor Security
Virtually every network technology has some security built into it to prevent hackers from accessing your data without your permission. However, Bluetooth security is weak compared to WiFi and other wireless data standards. A determined attacker can, for example, gain access to your wireless device through a Bluetooth connection, although he or she would have to be nearby for the attempt to work.
3) Slow Data
All wireless technologies have limits on how fast they can transmit data; generally, faster connections mean higher energy consumption. Because Bluetooth is intended to be very energy-efficient, it sends data relatively slowly. The Bluetooth 4.0 Low Energy standard, at 26 megabits per second, is much faster than Bluetooth used to offer and suitable for occasional syncing and small backup operations. However, Bluetooth is not a substitute for faster technologies such as Wi-Fi and USB.
Bluetooth Tips
Disabling Bluetooth when you aren’t using it improves security, as the connection can’t be hacked if it’s off. Another option to consider disabling is Bluetooth’s discoverability feature; it sends identification signals to all devices within range, essentially inviting a connection. Remove Bluetooth connection settings on devices paired with accessories that may have been stolen to prevent thieves from gaining access to your PC or smartphone. Use firewall and anti-virus programs for PCs and other devices to keep hackers at bay.
HOW TO STOP HACKER FROM HACKING YOU
1 Be suspicious of emails
Cale Guthrie WeissmanClick “Show original” to find the source of the email. A lot of cyberattacks are launched through simple malicious email campaigns. Email is a wonderful communication platform because you can sending anything to anyone, but that means it can be a huge security risk. Phishing, for example, sends victims seemingly innocuous emails that will lead victims to fake websites asking to update their personal information.
The best way to avoid being scammed by phony emails is to just make sure the sender is who you think it is. Check their email address to see if they match with the website you think it’s from. To be extra cautious you can check the IP address of the sender.
You can do this by finding the source information from the email and looking for the IP address that follows the line “Received: from.” You can then Google the IP address to learn the email’s source. (Here is a good primer on finding email IP addresses.)
2. Check link locations
Unknown messages contain links to unknown sites. Surfing to a mysterious website can bring about unintended consequences. For one, it could mimic a site you know and trust and help you fall prey to a phishing scam. Or, it may be unsecure or infected with malware.
If you are tempted to click on one of these links, you better know exactly where it’s taking you. The best way is to copy and paste the link location into a new browser to see what site is on the other side. If it’s a shortened link, you can use tools like URL X-ray that figure out the real destination before you click it.
Also, encrypted sites are the safest ones to visit. You know they are safe when you see HTTPS in the URL and the lock icon on your browser.
3. Never open attachments (unless you’re really sure)
A good rule to follow is never open attachments unless you are 120% sure of where they came from. One of the easiest ways for hackers to download malicious code onto victim computers is by sending emails with virus-laden files.
A frequent way companies get hacked is by one unsuspecting employee downloading malicious software that infiltrates the entire network. The most dangerous file types are Word, PDFs, and .EXEs.
4. Use two-factor authentication
As bigger companies get hacked, the likelihood that your password is leaked increases. Once hackers get passwords, they try to figure out which personal accounts they can access with the data they stole.
Two-factor authentication — which requires users to not only enter a password but to also confirm entry with another item like a code texted to a phone — is a good way to stop attackers who have stolen passwords. More companies are making it standard for logging in.
Slack, for example, instituted two-step authentication once it owned up to a recent data breach. This meant that if hackers did steal Slack user data, the hackers would still most likely not be able to get into a user’s account unless they had another personal item that belonged to the user, like a phone. If two-factor authentication is an option for your accounts, it’s wise to choose it. (Business Insider/Julie Bort)
5. Use advanced passwords
This may be the most obvious yet overlooked tip. A strong password includes uppercase, lowercase, numbers, punctuation, and gibberish. Don’t make the password a personal reference, and don’t store a list in a saved file.
Most importantly, don’t use the same password for multiple accounts. There are some great tools like LastPass and 1Password that securely store passwords. Also, it’s crucial to change passwords frequently — especially for vulnerable accounts like email and banking.
PASSWORD USAGE Passwords are simpler and cheaper than other, more secure forms of authentication like special key cards, fingerprint ID machines, and retinal scanners. They provide a simple, direct means of protecting a system or account. For the sake of this article, we’ll define a ‘password’ as a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user. Passwords are generally used in combination with some form of identification, such as a username, account number, or e-mail address. While a username establishes the identity of the user for the computer or system, the password, which is known only to the authorized user, authenticates that the user is who he or she claims to be. This means that their function is to “prove to the system that you are who you say you are” (Russell).
Password Cracking
While passwords are a vital component of system security, they can be cracked or broken relatively easily. Password cracking is the process of figuring out or breaking passwords in order to gain unauthorized entrance to a system or account. It is much easier than most users would think. (The difference between cracking and hacking is that codes are cracked, machines are hacked.) Passwords can be cracked in a variety of different ways. The most simple is the use of a word list or dictionary program to break the password by brute force. These programs compare lists of words or character combination against password until they find a match. If cracking codes seems like science fiction, search “password cracker” on Packetstorm or Passwordportal.net. There are also numerous password cracking tools available that any average person can use. (For more information on password cracking tools, please see the SecurityFocus article Password Crackers – Ensuring the Security of Your Password.)
Another easy way for potential intruders to nab passwords is through social engineering: physically nabbing the password off a Post-It from under someone’s keyboard or through imitating an IT engineer and asking over the phone. Many users create passwords that can be guessed by learning a minimal amount of information about the person whose password is being sought. (For more information on social engineering please see the SecurityFocus series Social Engineering Fundamentals) A more technical way of learning passwords is through sniffers, which look at the raw data transmitted across the net and decipher its contents. “A sniffer can read every keystroke sent out from your machine, including passwords” (University of Michigan). It’s possible that someone out there has at least one of your passwords right now.
How To Choose Good Passwords
Now that we have established the importance of passwords and some of the ways in which they may be vulnerable to cracking, we can discuss ways of creating good, strong passwords. In creating strong, effective passwords it is often helpful to keep in mind some of the methods by which they may be cracked, so let’s begin with what NOT to do when choosing passwords.
No Dictionary Words, Proper Nouns, or Foreign Words
As has already been mentioned, password cracking tools are very effective at processing large quantities of letter and number combinations until a match for the password is found, as such users should avoid using conventional words as passwords. By the same token, they should also avoid regular words with numbers tacked onto the end and conventional words that are simply written backwards, such as ‘nimda’. While these may prove to be difficult for people to figure out, they are no match for the brute force attacks of password cracking tools.
No Personal Information
One of the frustrating things about passwords is that they need to be easy for users to remember. Naturally, this leads many users to incorporate personal information into their passwords. However, as is discussed in the Social Engineering Fundamentals, it is alarmingly easy for hackers to obtain personal information about prospective targets. As such, it is strongly recommended that users not include such information in their passwords. This means that the password should not include anything remotely related to the user’s name, nickname, or the name of a family member or pet. Also, the password should not contain any easily recognizable numbers like phone numbers or addresses or other information that someone could guess by picking up your mail.
Length, Width and Depth
A strong, effective password requires a necessary degree of complexity. Three factors can help users to develop this complexity: length, width & depth. Length means that the longer a password, the more difficult it is to crack. Simply put, longer is better. Probability dictates that the longer a password the more difficult it will be to crack. It is generally recommended that passwords be between six and nine characters. Greater length is acceptable, as long as the operating system allows for it and the user can remember the password. However, shorter passwords should be avoided. Width is a way of describing the different types of characters that are used. Don’t just consider the alphabet. There are also numbers and special characters like ‘%’, and in most operating systems, upper and lower case letters are also known as different characters. Windows, for example, is not always case sensitive. (This means it doesn’t know the difference between ‘A’ and ‘a’.) Some operating systems allow control characters, alt characters, and spaces to be used in passwords. As a general rule the following character sets should all be included in every password:
- uppercase letters such as A, B, C;
- lowercase letters such as a, b,c;
- numerals such as 1, 2, 3;
- special characters such as $, ?, &; and
- alt characters such as µ, £, Æ. (Cliff)
Depth refers to choosing a password with a challenging meaning – something not easily guessable. Stop thinking in terms of passwords and start thinking in terms of phrases. “A good password is easy to remember, but hard to guess.” (Armstrong) The purpose of a mnemonic phrase is to allow the creation of a complex password that will not need to be written down. Examples of a mnemonic phrase may include a phrase spelled phonetically, such as ‘ImuKat!’ (instead of ‘I’m a cat!’) or the first letters of a memorable phrase such as ‘qbfjold*’ = “quick brown fox jumped over lazy dog.”
What may be most effective is for users to choose a phrase that is has personal meaning (for easy recollection), to take the initials of each of the words in that phrase, and to convert some of those letters into other characters (substituting the number ‘3’ for the letter ‘e’ is a common example). For more examples, see the University of Michigan’s Password Security Guide. Extra Protection
All of the good password cracking programs include foreign words, backwards words, etc. And the easiest way to steal a password is by asking for it, so it’s simpler to never give it away.
OUR RECOMMENDATION TO ORGANIZATIONS
Tips for Organizations and Network Administrators
Managers and administrators can enhance the security of their networks by setting strong password policies. Password requirements should be built into organizational security policies. Network administrators should institute by regular changes/updates of passwords. They should also regularly remind users of how easy it is for hackers to get their passwords through social engineering and online attacks. New users should be taught about good password practices. Providing intranet resources on network security and password security can also be helpful. Finally, the organization’s password policy should be integrated into the security policy, and all readers should be made to read the policy and sign-off on it.
Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords. They should set password expiration dates on all programs being run on the organization’s systems. Keep a password history to prevent reuse, and lock of accounts after 3-5 password attempts. Keep the number of people in the organization who have these passwords as small as possible. The organization should also use newer versions of OSs that have more secure password files and authentication protocols. Keep your individual account passwords updated as well. Finally, when installing new systems, make sure default passwords are changed immediately.
HTTPS VS HTTP
Use HTTPS instead of HTTP whenever possible. Websites that have an https:// before the website name, add an extra security layer called SSL by encrypting your browser. It is recommended to use https:// whenever possible especially when performing banking or financial transactions online. In other words, communications sent over regular HTTP connections are in plain text and can be read by intruders that break into the connection between your browser and the website.
With HTTPS, all communication is securely encrypted. Due to SSL (Secure Socket Layer), an intruder cannot decrypt data that passes between you and a website. Don’t use security questions when you forget your password. Most companies ask customers to answer “security questions” when registering for an online account. When a user forgets their password, they are asked to answer a few security questions. The problem with this is approach is that many users answer easy questions like favourite food, mother’s maiden name, city of birth or favourite sport. Hackers have a reasonably good chance of guessing the right answer by monitoring your social activity. Google recommends having an alternative email address or an SMS option, instead of providing answers to security questions. Verifying a password by answering security questions should be a last resort.