Hackers LOVE Social Media Posts

Suppose I asked you to provide this list of information on social media:

  1. Your Name
  2. Your pet’s names
  3. Your kids’ names and ages
  4. Where your kids go to school
  5. Where you went to school
  6. When your birthday is
  7. When your family member birthdays are
  8. Your gender
  9. Your family member genders
  10. Your race
  11. Your family members’ races
  12. Type of car you drive
  13. Type of car your spouse drives
  14. When you are on vacation
  15. Where you like to go when on vacation
  16. Where your kids catch the bus
  17. When your kids catch the bus
  18. What you like to buy
  19. What shows you like
  20. What books you like
  21. Who your friends are
  22. What type of political views you have
  23. What your house looks like inside
  24. What valuables you have in your house
  25. How old you and each member of your household are
  26. Your approximate household income
  27. Where you work
  28. Where your spouse works
  29. What music you like

Would you give it to me?  Or would you think me up to no good?  Sadly, you have most likely given it away already, or are in the process of doing so, drip by drip.  Social media can be a treasure trove of information for marketers, but also for hackers and other perps.  Let’s map the numbers above to actions you might take.

Unless you are up to no good, you probably set up an account using your real name. (1)  You probably also provided your birth date when you set up your account. (6)  This is one piece needed for identity theft.

Let’s say that you post photos of yourself (8, 10).  Suppose a few were from when you were on vacation and you were smart enough to NOT post them until you returned home, so as not to advertise your absence.  The GPS coordinates of each shot are embedded in the photo file’s metadata, so the perp knows each place you were while on vacation, and when. (14, 15)

Your kids look so cute getting on the bus, so you post a photo.  Again, the GPS information is in the photo, so the perp knows the where and the when of waiting on a bus.  They can probably infer when the kids arrive home from other posts you make. (16, 17)  From the time of arrival and the bus stop, the perp can look up bus routes and determine which school your kids go to.
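The check the two paragraphs above call for, as an added example that is not part of the original post: a small pure-Python reader that walks a JPEG’s marker segments, reports whether the Exif block carries a GPS IFD, and strips that block before the photo is shared. The sample JPEG is constructed inline (SOI, one Exif segment with a GPS pointer, a stub segment, EOI), not a real photo.

```python
import struct

# GPSInfo pointer tag in IFD0 of a TIFF/Exif block (Exif spec tag 0x8825).
GPS_INFO_TAG = 0x8825


def build_sample_jpeg() -> bytes:
    """Constructed stand-in for a phone photo: SOI, an APP1 Exif segment whose IFD0
    points to a GPS IFD with two tags, a stub DQT segment, then EOI. Not a real image."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                          # little-endian TIFF header
    gps_ifd_offset = 8 + 2 + 12 + 4                                    # header + count + 1 entry + next ptr
    ifd0 = struct.pack("<H", 1)                                        # one entry in IFD0
    ifd0 += struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_ifd_offset)  # type LONG, count 1
    ifd0 += struct.pack("<I", 0)                                       # no further IFD
    gps = struct.pack("<H", 2)                                         # two GPS entries, ASCII type 2
    gps += struct.pack("<HHI", 0x0001, 2, 2) + b"N\0\0\0"              # GPSLatitudeRef
    gps += struct.pack("<HHI", 0x0003, 2, 2) + b"W\0\0\0"              # GPSLongitudeRef
    gps += struct.pack("<I", 0)
    payload = b"Exif\0\0" + tiff + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xd9"


def find_exif_segment(jpeg: bytes):
    """Walk the marker segments after SOI; return (start, end, tiff_bytes) of the APP1
    Exif segment, or None if the file carries no Exif block."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS / EOI: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, end, jpeg[pos + 10:end]
        pos = end
    return None


def gps_tags(jpeg: bytes) -> list:
    """Return the tag ids stored in the GPS IFD (empty list means no location metadata)."""
    found = find_exif_segment(jpeg)
    if found is None:
        return []
    tiff = found[2]
    order = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        return []

    def entries(offset):
        count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
        for i in range(count):
            e = offset + 2 + 12 * i
            yield struct.unpack(order + "HHII", tiff[e:e + 12])   # tag, type, count, value/offset

    for tag, _type, _count, value in entries(ifd0_offset):
        if tag == GPS_INFO_TAG:
            return [entry[0] for entry in entries(value)]
    return []


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy with the whole APP1 Exif segment (and so the GPS IFD) removed."""
    found = find_exif_segment(jpeg)
    if found is None:
        return jpeg
    start, end, _ = found
    return jpeg[:start] + jpeg[end:]
```

Many social networks strip Exif on upload, but the copy on your phone, in backups and in direct messages keeps it, so check before sharing rather than relying on the site.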

You mention your car or post a photo of it while you are driving. (12)  Eventually you post a shot of the front of your home, and by elimination the perp can figure out which is your spouse’s car. (13)

You are careful and never post your kids’ photos online, but your family members aren’t: they post photos of your whole family and then link the photo to you. (9, 11)

Post any photos taken inside your house?  Did you check what is showing in the background in the other room? (23, 24)  Did you post birthday photos of each child? (3, 25)  Don’t forget the pet, they are so cute! (2)

What do you post or share? (22)

Chat with friends from your high school or join a high school group? (5, 21)

Like to click on ads? (18)

From what you like to buy and photos inside your house and your cars and the house itself, your income can be inferred. (26)

To help people decide if they want to connect with you, you can display your favorite movies and books in your profile and even your favorite music. (19, 20, 29)

Ever talk about your job or your spouse’s? (27, 28)

The hacker can now figure out how to answer your security questions and get your password.  The robber can now know when you aren’t home and if you have anything worth stealing and even where it is in your home.  The molester even knows how and when to get to your children.

Think you are safe because you only share with friends?  Think again.  Anything marketing firms can purchase, hackers and other perps can also purchase or steal.  I’m sure you can come up with additional information not on this list that you have disclosed.  Don’t feel badly.  We have all done it.  Just think in the future about what the information you provide might be used for.

Passwords

Think your password is a good one?  We’ll see in this post.

Dictionary Attack

Lots of people use dictionary words for their password.  An example might be “nebraska” or “hamburger”.  These are easy for a computer to guess by running through the words in a dictionary and trying each rapidly as a password until a match is found.

Brute Force

Brute force is just that.  Think of it as instead of picking the lock, we smash through the door.  This is done by trying all possible passwords until a match is found.   Obviously the longer the password and the greater the possible characters to pick from, the harder it is to guess.  This is why a password that uses uppercase and lowercase letters and numbers and special characters is so hard to guess.

Guessing

This is the use of cleverness in guessing the password.  Lots of times people use their birth date or their children’s birth date or their address as all or part of their password.   Even pet names are used. Or their social security number or part of it and so on.  This makes some passwords easy to guess.

Good and Bad Passwords

A good password is one that is hard to guess.  Without going into the math behind the permutations, suffice it to say, longer is harder to crack.  The more variety in characters, the harder as well.  For example, if each character of your password can only be a lower case letter, then with the English alphabet there would be 26 possible values for each character.  If you add capital letters, this goes to 52.  Add in numbers 0-9 and the possibilities are 62.  Add in special characters like & * ( ) and the number of possible characters for each position in your password goes to 84.  This is why many places require you to use an uppercase letter, a number and at least one special character in your password.
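The math the paragraph above skips, carried through as an added example (not code from the original post): the post’s 26 / 52 / 62 / 84 pool sizes, the search space and bits a brute-force attacker faces for a given length, and, to tie in the dictionary-attack section, how few guesses a dictionary word survives regardless of that math. The guess rate and the two-word wordlist are assumptions constructed for the example.

```python
from math import log2

# Character-pool sizes as the post counts them: 26 lower, +26 upper = 52,
# +10 digits = 62, +22 specials = 84 (the post's figures, taken as given).
POOL_LOWER, POOL_UPPER, POOL_DIGIT, POOL_SPECIAL = 26, 26, 10, 22

# Assumed guess rate for the time estimate; real rates depend on how the
# password is stored (hashed, salted) and on the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Constructed two-word "dictionary" using the post's own examples.
SAMPLE_WORDLIST = ["hamburger", "nebraska"]


def pool_size(password: str) -> int:
    """Smallest pool a brute-force search must cover for the character classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += POOL_LOWER
    if any(c.isupper() for c in password):
        size += POOL_UPPER
    if any(c.isdigit() for c in password):
        size += POOL_DIGIT
    if any(not c.isalnum() for c in password):
        size += POOL_SPECIAL
    return size


def search_space(pool: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` drawn from a pool of `pool` characters."""
    return pool ** length


def entropy_bits(pool: int, length: int) -> float:
    """Same quantity on a log scale: each extra character adds log2(pool) bits."""
    return length * log2(pool)


def years_to_exhaust(pool: int, length: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space(pool, length) / rate / (365 * 24 * 3600)


def dictionary_guesses(password: str, wordlist: list):
    """Guesses a dictionary attack needs (1-based position in the list), or None if not listed.
    Shows why 'nebraska' falls in a couple of guesses even though 26**8 is a large number."""
    for position, word in enumerate(wordlist, start=1):
        if word == password:
            return position
    return None


def describe(password: str, wordlist: list = SAMPLE_WORDLIST) -> dict:
    """Summarise one password the way the post's reasoning does: pool, length, space, time."""
    pool, length = pool_size(password), len(password)
    return {
        "pool": pool,
        "length": length,
        "bits": round(entropy_bits(pool, length), 1),
        "years_at_assumed_rate": years_to_exhaust(pool, length),
        "dictionary_guesses": dictionary_guesses(password, wordlist),
    }


if __name__ == "__main__":
    # The post's dictionary word versus its 13-character phrase.
    for candidate in ("nebraska", "Nebraska1", "snow7beach14!"):
        print(candidate, describe(candidate))
```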

People often forget that their user name functions in a similar way to their password, as it too must usually be guessed.  Common user names are ‘admin’, the first initial and last name, the last name and first initial, and guessable email addresses.

Smart Password Usage

Let’s assume your login/password is compromised, meaning a bad actor has it.  Did you use the same password for all your accounts?  Uh-oh, now they will run around trying it on all sorts of accounts where you might have left a credit card on file.  Bad Actor: “Let’s try Amazon and see if they have an account there with an active credit card, summer is coming up and I need some outdoor gear.”

Solutions

  1. Use one password for all accounts that don’t have an associated credit card.
  2. Use a different password for each account with a credit card so, in case one is compromised, all aren’t.
  3. Use a strong password on the accounts with a credit card.
  4. Unless you use an account every day to make purchases, consider not attaching a credit card and instead enter it at checkout.

Password Do’s and Don’ts

These are some rules to help you choose passwords that are difficult for a hacker to determine:

  • Don’t use a family name / birthday as a password.
  • Don’t use the family pet name as a password.
  • Don’t use your banking PIN as a password.
  • Don’t use a password so complex that you have to keep it on a yellow sticky note on your screen.
  • Don’t use a dictionary word as your password.
  • Do use a password wallet like RoboForm™.
  • Don’t share passwords.  If you must, change it afterwards.
  • Do change your password at least every 6 months, or if you suspect or are notified of trouble with your account or a breach at the place where your account is.
  • Do use a password phrase you can remember like: snow7beach14!  Where your age is NOT 7 or 14.
  • Use a long password of at least 12 characters if you can.  (The one just above is 13 characters in length.)
  • If possible, don’t pick a user id associated with your name, address and so on.  Remember the user id works just like your password in that it, too, must be guessed.

RoboForm is a trademark of Siber Systems.


Football and Hacking

Think football.  The hackers are the other team, the one wanting your data or wanting to do damage to you.  They have different plays they run, such as: denial of service (DDoS) attacks, phishing / spear phishing, malware, social engineering, software / hardware flaws and/or insider threat.

You or your team (the home team, the good guys) need to stop the offense or the bad guys win.  These are the things that can be done to prevent a cyber security breach.  They include: training/education, policies, law enforcement agreements, information sharing, threat intelligence, hardware/software, current patches and techniques to improve security, encrypted data, hard drives and phones, and counter intelligence.  Many of these will be covered in future posts.  The reason defense is so hard is that the bad guys need to find a single opening while you have to defend hundreds or thousands of points in your network.

After a successful attack (post game), these are the things that must be addressed: forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup/validation.  In addition, one must examine policies and defenses to figure out what went wrong and how to do a better job next time.


The Hacker’s Objectives

There are reasons why people hack computer powered devices.  There are many but they all boil down to data.  Steal Data! Change data! Destroy data!  Render the device useless for accessing data.

A hacker’s motivations vary widely.  They range from idle curiosity to criminal intent.  Perhaps they want to just brag that they can do it, proving one’s cyber manhood (or womanhood).  Perhaps they were paid by a nation state for political and military benefit.  Maybe they were hired as an industrial spy for competitive and personal gain.  The objective can be as simple as proving that the hacker could “log in” or as complex as stealing information for years without being noticed in someone’s network.  Most of the time, the motivation has nothing to do with you personally, except that your data was valuable enough to merit the risk.

As examples, the objectives may include:

  • Denial of data access (blocking someone from accessing their storage device)
  • Intellectual Property (IP) theft (such as the top secret formula for a soft drink)
  • Inflicting loss of reputation through exposure of sensitive information (revealing a political candidate’s tax returns)
  • Loss of trust (such as in a bank, or credit card institution)
  • Extortion: Payment of a ransom to get one’s data access restored or to keep sensitive data from becoming public.
  • Kinetic, i.e. to have something happen in the real world such as shutting off a power grid, controlling a patient drug infusion device, or controlling an airplane.
  • Data diddling (changing) to remove trust in the data.
  • Blackmail such as threatening to release stolen videos unless…

 

Glossary of Cyber Security Terms

Cyber security uses lots of words that you may be unfamiliar with.  To help with blog posts, refer to this list, which will be added to from time to time.  As you read the blog posts, you will see these terms in use.

Access – to be able to utilize a portion of a device and ask it to perform actions on your behalf related most often to data.

Access Control / Access Control List (ACL) – in terms of users of devices, this is a list of what they can access on the device.

Actor State – a nation involved in hacking activities.

Adware – software that displays unwanted ads.

Air Gap – a system that can’t be reached via the Internet or the corporate network or otherwise is said to be “air gapped” from the rest of the network.

Application – a program or programs that function together to provide a service to the user.

APT – Advanced Persistent Threat – a bad actor with sophisticated levels of expertise and large resources to allow it to achieve its objectives using multiple attack vectors.

Attacker – another name for hacker or it could be a group of hackers or even a nation-state.

Attack Surface – this is the amount of exposure to attack in a system (with system being a computer or a network or a network and one to many computers.)

Backdoor – a means of access to a device that bypasses the normal security mechanisms.

Bad Actor – not a person with poor acting skills.  Rather someone who is attempting to perpetrate “bad” upon your cyber systems.

Biometrics – identity based on fingerprints, iris scans or other body uniqueness used in place of or in addition to passwords.

Bitcoin – a cryptocurrency, commonly used as a method of payment on the Dark Web.

Black Hat Hacker – a hacker who finds and then exploits computer system weaknesses and does not notify anyone but rather keeps the information for their or their organization’s use.

Blue Team – a group of cyber security experts who are defending a system.  Blue teams are often played against red teams in an effort to tighten security.

Bot – a compromised computer attached to the Internet, used under remote control to perform activities directed at other computers on the Internet.

Botnet – a network of bots, often used for DDoS attacks.

Breach – can be applied to a network or any device on the network and mean when the bad actor has penetrated that device/network and accesses data contained therein or compromises the function of said device or causes a kinetic side effect.

Container – a way to package up an application and all its dependencies.  Generally not as secure as using virtual servers.

Cryptography – the use of mathematical techniques to provide confidentiality, data integrity, entity authentication and data origin authentication.

Cyber – a word derived from cybernetics and refers to anything related to computers.

Cyber Security – software, configuration, actions, policies, training, and preparation taken to secure one’s cyberspace.

Cyberspace – various networks used in information technology infrastructure that includes devices, the Internet, and data.  It can also be defined as an electronic medium in which communications take place on the Internet.

Cyber Warfare – actions taken by actor states to breach the defenses (cyber security) of the cyberspace of their opposition.  Russia has used this recently in conjunction with regular warfare and hence the term “hybrid warfare”.   Another name for this, in some instances, is ‘Cyber Terrorism’.

Dark Web – sites on the Internet that hide their identity and IP addresses using encryption.  These sites are not accessible from the standard search engines.  Used by hackers and others for nefarious purposes.

Data Diddling – altering some of the contents of data to make the data untrustworthy.

DDoS Attack – distributed denial of service attack.  This type of attack is done by sending valid requests to the server in such numbers that they overwhelm the server, and it does not have enough horsepower (CPU cycles) to respond to legitimate requests.  This renders the server as though it were offline or ineffective.

Decryption – the opposite of encryption.  The use of the encryption key and the encrypted data to extract the original, unencrypted data.

Defense in Depth – multiple layers of defense to make penetration of a system very difficult.

DMZ – Demilitarized Zone – think of this as a network and components between a trusted network and one that is untrusted to protect the trusted network.

DNS (Domain Name System) Servers – translate from a domain name such as ‘mysite.com’ to the IP address of the server the site is on, such as 192.112.34.34.

Encryption – converting data into a form that is not decipherable.  How good the encryption is determines if it can be decrypted by the wrong person or not.

Exfiltration – a military term applied to data, meaning its removal from the system by an attacker.  This indicates that it is one thing to attack a system and get in, and another to get the data found off the system.

External PEN Test – penetration testing done from outside the system and without a login.  This attempts to mimic an attacker to see if the system is easy to breach.

Firewall – a group of components (hardware and/or software) that form a barrier between two networks or between a network and a device.

Hacker – one who attempts to circumvent a computer or network’s security.  They can be good or bad, see also Black Hat Hacker and White Hat Hacker.

Honeypot – a server with nothing of value used to measure the types of attacks used.

Incident – something has happened but we aren’t sure so it is called an incident until we determine a breach has occurred.

Incident Response Plan – a written plan of what an organization needs to do in the case of an incident or breach.

Information Assurance – the practice of managing risks related to information.

Insider Threat – the theft of information, sabotage, or theft of credentials by someone who has access to the client’s system.

Internal PEN Test – pen testing from inside using a valid login to see what hacking can be done using the login.

Intrusion Detection – the act of detecting when a computer, server or network has been entered by software not belonging there.

IP Address – the address of your device on the Internet.  The old address standard was IPv4 which has been upgraded to IPv6 because the world was running out of addresses and the expected avalanche of addresses needed for IoT devices.

ISP – Internet Service Provider – one of many companies who provide access to the Internet.  Some examples are, but not limited to, Time Warner Cable, AT&T, Google, and Verizon.

Keylogger – software that logs all your keystrokes to a file and then exfiltrates that file to another computer.  A good way to steal logins and passwords.

Layered Defense – see Defense in Depth.

Login or Log In – the action of identifying yourself to the system in a manner that it knows who you are and then allows you to take actions upon it based on its ACL settings for you.

Malware – software that compromises the operation of device or network by performing an unauthorized function.

Malware Signature – a group of bytes of code, a portion of the malware program, that is unique to that malware and becomes its “signature”.

NIST – National Institute of Standards and Technology and keeper of the cyber security standards for FISMA, the government information security standard.

NIST Cyber Security Framework – published in 2014, this framework is short in length (less than 40 pages) and is an attempt to take an organization from where they are in cyber security to the next level.

Password – a unique token known only to you and the computer you are attempting to gain access to.

PEN Testing – penetration testing or simulated attacks on the system to gain entry.

Penetration – gaining entry to a system.

Phishing – the sending of many emails to people, hoping to snag someone who opens the email and clicks on the link or runs the attachment to compromise their system.

Polymorphic Malware – malware that can modify its own signature while running.

Ransomware – software that encrypts a computer or a database and then demands a ransom be paid, often in bitcoins, so that the decryption key is given to the victim.

Red Team – a group of cyber security specialists who are attacking just like the bad guys to test defenses.

Revenge Porn – when text or photos shared (see Sexting below) are released to the general public, using digital means, as a means of revenge.

Risk – the potential for an unwanted outcome to occur.

Risk Management –  management of risk through controlling it to an acceptable level.  There is always a tradeoff between risk and cost of the risk mitigation efforts.

Root Kit – software tools with administrator privileges installed on a device designed to maintain its presence and avoid detection while still being able to function.

Security Hole – this could apply to an application, a server, a workstation, or a network.  It is something not right that could allow a hacker to penetrate the system.

Sexting – sharing of sexually provocative photos or text with another using digital means.

Spear Phishing – a highly targeted phishing campaign that is directed against a population as small as one person.  Much more research and effort goes into making this email seem real to the reader.

Spoofing – a situation where a person or program masquerades as another by falsifying data and gains their permissions, or causes their actions to be attributed to the other person or program.

Spyware – software that enables spying upon the activities of a user or computer’s activities.  This is done by transmitting information from a computer without being detected.

SSL / TLS – protocols providing data encryption and authentication between a computer (server) and a user’s browser.  SSL has proven vulnerable and is being replaced by TLS.

System – a computer or a network or a network and one to many computers.

Threat – a circumstance or event that claims or has the potential to exploit vulnerabilities and to adversely impact an organization.

Threat Vector – the way the threat attempts to enter a system.  For example, the threat vector for a phishing campaign is initially email, and then the malware deposited on the system via opening a link or executing an attachment.

Trojan – another name for Trojan Horse, which is benign in appearance as in having a useful function but hides within itself another potentially malicious function.

TTP – tactics, techniques and procedures (sometimes tools, techniques, procedures).  It is the signature of the bad actor and their work can often be attributed to them by looking for their TTP.

Two Factor Authentication – the use of more than one medium to log in.  For example, the regular login may trigger the sending of a PIN to the user’s email or phone, which must also be entered to finally log in.

VPN – a temporary encrypted link over the Internet between two points which creates a private network of shared resources that are not accessible to the outside world.

Virus – a computer program that can infect a computer and then replicate itself and spread to other computers in a network usually through attachment to a document, program or email.

Virus Checker – a program that is installed on a workstation or server and protects against viruses by looking for their signature and then quarantining the file so it cannot run on the computer.

Vulnerability – a portion of a system that is weak and can be attacked.  This could be a piece of software with a bug in the software that allows attack, or a system whose patches have not been applied and so on.

White Hat Hacker – one of the good guys who hacks systems to find vulnerabilities and then let the owner of the vulnerability know so they can fix it.

Worm – a self-replicating, self-propagating program that uses a network to spread itself.

Zero Day Virus – a virus with a signature not yet recognized  by virus checkers.  Often used with spear phishing to gain access.

What is Cyber Security?


Computer/data security is broadly divided into physical security and logical security. Physical security (sometimes referred to as just ‘security’) includes building and personnel security. Logical security is focused on the data, both in storage and in transit on the network, sometimes called cyber security.  Cyber comes from the word cybernetics which means the science of communications and automatic control systems.  The military uses ‘cyber’ to refer to computers or computer networking.

The perception is that cyber security is a relatively new field or one receiving added emphasis of late, due to media attention to hacking.  In reality, cyber security has existed for years. However, it previously received minimal funding and attention due to costs of cyber defense.  It also lacks visibility as you don’t see attacks that were deflected, nor do organizations want you to be aware of how many times they were attacked.

There are several sub-areas of cyber security, but not all experts classify cyber security the same way.  There is not, as of yet, an agreed upon division or taxonomy of the subject.  But, relax, this blog does NOT cover all these sub-areas and their sub-areas in detail, just enough highlights to make you an informed consumer, employee, or manager.

Cyber security tends to employ military terms like: defense in depth, target, attack, offensive, and defensive.   Tomorrow I will introduce you to a glossary of terms.

The decision of a hacker (or the hacker’s sponsor) to mount an attack is based on the perceived reward versus the risk, in other words, their ability to obtain data without negative consequence.  Likewise, a defensive investment in cyber security is also about the value of the data versus the perceived risk of it being stolen, changed, or destroyed.  As an example of low cost security, I used to have a great guard dog that was part wolf and very ferocious.  The problem was that my wife wanted the dog to accompany us on trips.  While we were out of town, to create the illusion of high risk, I would leave a two inch chewed-through bone on the front porch while I was gone.  It never failed to work.