What You Should Know About Hackers and Hacking

in #hack8 years ago

Not all hackers are inherently bad. When used in mainstream media,  the word “hacker” is usually used in relation to cyber criminals. But, a  hacker can actually be anyone, regardless of their intentions, who  utilizes their knowledge of computer software and hardware to break down  and bypass security measures on a computer, device or network.

 Hacking itself is not an illegal activity unless the hacker is  compromising a system without the owner’s permission. Many companies and  government agencies actually employ hackers to help them secure their  systems.


 Hackers are generally categorized by type of metaphorical “hat” they  don: “white hat,” “grey hat,” and “black hat.” The terms come from old  spaghetti westerns, where the bad guy wears a black cowboy hat, and the  good guy wears a white hat. There are two main factors that determine  the type of hacker you’re dealing with: their motivations, and whether  or not they are breaking the law.  

1) Black Hat Hackers
Like all hackers, black hat hackers usually have extensive knowledge  about breaking into computer networks and bypassing security protocols.  They’re also responsible for writing malware, which is a method used to  gain access to these systems.

 Their primary motivation is usually for personal or financial gain,  but they can also be involved in cyber espionage, protests or perhaps  are just addicted to the thrill of cybercrime. Black hat hackers can  range from amateurs getting their feet wet by spreading malware, to  experienced hackers that aim to steal data, specifically financial  information, personal information and login credentials. Not only do  black hat hackers seek to steal data, they also seek to modify or  destroy data as well.   

2) Grey Hat Hackers
As in life, there are grey areas that are neither black nor white. Grey  hat hackers are a blend of both black hat and white hat activities.  Often, grey hat hackers will look for vulnerabilities in a system  without the owner’s permission or knowledge. If issues are found,  they’ll report them to the owner, sometimes requesting a small fee to  fix the issue. If the owner does not respond or comply, then sometimes  the hackers will post the newly found exploit online for the world to  see. 

These types of hackers are not inherently malicious with their  intentions; they’re just looking to get something out of their  discoveries for themselves. Usually, grey hat hackers will not exploit  the found vulnerabilities. However, this type of hacking is still  considered illegal because the hacker did not receive permission from  the owner prior to attempting to attack the system.   

3) White Hat Hackers
White hat hackers choose to use their powers for good rather than evil.  Also known as “ethical hackers,” white hat hackers can sometimes be paid  employees or contractors working for companies as security specialists  that attempt to find security holes via hacking.

 White hat hackers employ the same methods of hacking as black hats,  with one exception – they do it with permission from the owner of the  system first, which makes the process completely legal. White hat  hackers perform penetration testing, test in-place security systems and  perform vulnerability assessments for companies. There are even courses,  training, conferences and certifications for ethical hacking.   

            Hackers Live in the World of NETWORKING 

WHAT IS NETWORKING? Simply means the inter-connection of computer or  devices to share resources. We have various kinds of networking and  their protocols. 

BLUETOOTH
Bluetooth is a telecommunications industry specification that describes  how mobile phones, computers, and personal digital assistants (PDAs) can  be easily interconnected using a short-range wireless connection. It’s  one of the most commonly uses networking apps in the world. 

As Hackers we also use Bluetooth to gain unauthorized access to  people information. Know that one you done networking with somebody the  information in your devise is no longer secure.

One of the chipest hacking tools we use to hack Bluetooth phones is the  Bluetooth share app that we download and install in our phones. 

REASONS WHY YOU SHOULD TURN OFF YOUR BLUTOOTH DEVICE AFTER SHAREING RESOURCES: 

1) Battery Drain
Although Bluetooth is an energy-efficient technology, it does slowly  drain the battery of your cell phone or other mobile device. When  enabled, Bluetooth continually scans for signals, looking for new  devices to connect with, but using energy in the process. Check your  device’s settings and turn Bluetooth off when you’re not using it. 

2) Poor Security
Virtually every network technology has some security built into it to  prevent hackers from accessing your data without your permission.  However, Bluetooth security is weak compared to WiFi and other wireless  data standards. A determined attacker can, for example, gain access to  your wireless device through a Bluetooth connection, although he or she  would have to be nearby for the attempt to work. 

3) Slow Data
All wireless technologies have limits on how fast they can transmit  data; generally, faster connections mean higher energy consumption.  Because Bluetooth is intended to be very energy-efficient, it sends data  relatively slowly. The Bluetooth 4.0 Low Energy standard, at 26  megabits per second, is much faster than Bluetooth used to offer and  suitable for occasional syncing and small backup operations. However,  Bluetooth is not a substitute for faster technologies such as Wi-Fi and  USB. 

Bluetooth Tips
Disabling Bluetooth when you aren’t using it improves security, as the  connection can’t be hacked if it’s off. Another option to consider  disabling is Bluetooth’s discoverability feature; it sends  identification signals to all devices within range, essentially inviting  a connection. Remove Bluetooth connection settings on devices paired  with accessories that may have been stolen to prevent thieves from  gaining access to your PC or smartphone. Use firewall and anti-virus  programs for PCs and other devices to keep hackers at bay.   

HOW TO STOP HACKER FROM HACKING YOU 

1  Be suspicious of emails
Cale Guthrie WeissmanClick “Show original” to find the source of the  email. A lot of cyberattacks are launched through simple malicious email  campaigns. Email is a wonderful communication platform because you can  sending anything to anyone, but that means it can be a huge security  risk. Phishing, for example, sends victims seemingly innocuous emails  that will lead victims to fake websites asking to update their personal  information. 

The best way to avoid being scammed by phony emails is to just make  sure the sender is who you think it is. Check their email address to see  if they match with the website you think it’s from. To be extra  cautious you can check the IP address of the sender. 

You can do this by finding the source information from the email and  looking for the IP address that follows the line “Received: from.” You  can then Google the IP address to learn the email’s source. (Here is a  good primer on finding email IP addresses.) 

2. Check link locations
Unknown messages contain links to unknown sites. Surfing to a mysterious  website can bring about unintended consequences. For one, it could  mimic a site you know and trust and help you fall prey to a phishing  scam. Or, it may be unsecure or infected with malware. 

If you are tempted to click on one of these links, you better know  exactly where it’s taking you. The best way is to copy and paste the  link location into a new browser to see what site is on the other side.  If it’s a shortened link, you can use tools like URL X-ray that figure  out the real destination before you click it.
Also, encrypted sites are the safest ones to visit. You know they are  safe when you see HTTPS in the URL and the lock icon on your browser. 

3. Never open attachments (unless you’re really sure)
A good rule to follow is never open attachments unless you are 120% sure  of where they came from. One of the easiest ways for hackers to  download malicious code onto victim computers is by sending emails with  virus-laden files. 

A frequent way companies get hacked is by one unsuspecting employee  downloading malicious software that infiltrates the entire network. The  most dangerous file types are Word, PDFs, and .EXEs. 

4. Use two-factor authentication
As bigger companies get hacked, the likelihood that your password is  leaked increases. Once hackers get passwords, they try to figure out  which personal accounts they can access with the data they stole.
Two-factor authentication — which requires users to not only enter a  password but to also confirm entry with another item like a code texted  to a phone — is a good way to stop attackers who have stolen passwords.  More companies are making it standard for logging in. 

Slack, for example, instituted two-step authentication once it owned  up to a recent data breach. This meant that if hackers did steal Slack  user data, the hackers would still most likely not be able to get into a  user’s account unless they had another personal item that belonged to  the user, like a phone. If two-factor authentication is an option for  your accounts, it’s wise to choose it. (Business Insider/Julie Bort) 

5. Use advanced passwords
This may be the most obvious yet overlooked tip. A strong password  includes uppercase, lowercase, numbers, punctuation, and gibberish.  Don’t make the password a personal reference, and don’t store a list in a  saved file. 

Most importantly, don’t use the same password for multiple accounts.  There are some great tools like LastPass and 1Password that securely  store passwords. Also, it’s crucial to change passwords frequently —  especially for vulnerable accounts like email and banking.   

PASSWORD USAGE Passwords are simpler and cheaper than other, more secure forms of  authentication like special key cards, fingerprint ID machines, and  retinal scanners. They provide a simple, direct means of protecting a  system or account. For the sake of this article, we’ll define a  ‘password’ as a word, a phrase, or combination of miscellaneous  characters that authenticates the identity of the user. Passwords are  generally used in combination with some form of identification, such as a  username, account number, or e-mail address. While a username  establishes the identity of the user for the computer or system, the  password, which is known only to the authorized user, authenticates that  the user is who he or she claims to be. This means that their function  is to “prove to the system that you are who you say you are” (Russell). 

Password Cracking
While passwords are a vital component of system security, they can be  cracked or broken relatively easily. Password cracking is the process of  figuring out or breaking passwords in order to gain unauthorized  entrance to a system or account. It is much easier than most users would  think. (The difference between cracking and hacking is that codes are  cracked, machines are hacked.) Passwords can be cracked in a variety of  different ways. The most simple is the use of a word list or dictionary  program to break the password by brute force. These programs compare  lists of words or character combination against password until they find  a match. If cracking codes seems like science fiction, search “password  cracker” on Packetstorm or Passwordportal.net. There are also numerous  password cracking tools available that any average person can use. (For  more information on password cracking tools, please see the  SecurityFocus article Password Crackers – Ensuring the Security of Your  Password.)


Another easy way for potential intruders to nab passwords is through  social engineering: physically nabbing the password off a Post-It from  under someone’s keyboard or through imitating an IT engineer and asking  over the phone. Many users create passwords that can be guessed by  learning a minimal amount of information about the person whose password  is being sought. (For more information on social engineering please see  the SecurityFocus series Social Engineering Fundamentals) A more  technical way of learning passwords is through sniffers, which look at  the raw data transmitted across the net and decipher its contents. “A  sniffer can read every keystroke sent out from your machine, including  passwords” (University of Michigan). It’s possible that someone out  there has at least one of your passwords right now. 

How To Choose Good Passwords
Now that we have established the importance of passwords and some of the  ways in which they may be vulnerable to cracking, we can discuss ways  of creating good, strong passwords. In creating strong, effective  passwords it is often helpful to keep in mind some of the methods by  which they may be cracked, so let’s begin with what NOT to do when  choosing passwords. 

No Dictionary Words, Proper Nouns, or Foreign Words


As has already been mentioned, password cracking tools are very  effective at processing large quantities of letter and number  combinations until a match for the password is found, as such users  should avoid using conventional words as passwords. By the same token,  they should also avoid regular words with numbers tacked onto the end  and conventional words that are simply written backwards, such as  ‘nimda’. While these may prove to be difficult for people to figure out,  they are no match for the brute force attacks of password cracking  tools. 

No Personal Information


One of the frustrating things about passwords is that they need to be  easy for users to remember. Naturally, this leads many users to  incorporate personal information into their passwords. However, as is  discussed in the Social Engineering Fundamentals, it is alarmingly easy  for hackers to obtain personal information about prospective targets. As  such, it is strongly recommended that users not include such  information in their passwords. This means that the password should not  include anything remotely related to the user’s name, nickname, or the  name of a family member or pet. Also, the password should not contain  any easily recognizable numbers like phone numbers or addresses or other  information that someone could guess by picking up your mail. 

Length, Width and Depth


A strong, effective password requires a necessary degree of complexity.  Three factors can help users to develop this complexity: length, width  & depth. Length means that the longer a password, the more difficult  it is to crack. Simply put, longer is better. Probability dictates that  the longer a password the more difficult it will be to crack. It is  generally recommended that passwords be between six and nine characters.  Greater length is acceptable, as long as the operating system allows  for it and the user can remember the password. However, shorter  passwords should be avoided. Width is a way of describing the different types of characters that  are used. Don’t just consider the alphabet. There are also numbers and  special characters like ‘%’, and in most operating systems, upper and  lower case letters are also known as different characters. Windows, for  example, is not always case sensitive. (This means it doesn’t know the  difference between ‘A’ and ‘a’.) Some operating systems allow control  characters, alt characters, and spaces to be used in passwords. As a  general rule the following character sets should all be included in  every password:  

  • uppercase letters such as A, B, C;
  • lowercase letters such as a, b,c;
  • numerals such as 1, 2, 3;
  • special characters such as $, ?, &; and
  • alt characters such as µ, £, Æ. (Cliff)

Depth refers to choosing a password with a challenging meaning –  something not easily guessable. Stop thinking in terms of passwords and  start thinking in terms of phrases. “A good password is easy to  remember, but hard to guess.” (Armstrong) The purpose of a mnemonic  phrase is to allow the creation of a complex password that will not need  to be written down. Examples of a mnemonic phrase may include a phrase  spelled phonetically, such as ‘ImuKat!’ (instead of ‘I’m a cat!’) or the  first letters of a memorable phrase such as ‘qbfjold*’ = “quick brown  fox jumped over lazy dog.” 

What may be most effective is for users to choose a phrase that is  has personal meaning (for easy recollection), to take the initials of  each of the words in that phrase, and to convert some of those letters  into other characters (substituting the number ‘3’ for the letter ‘e’ is  a common example). For more examples, see the University of Michigan’s  Password Security Guide. Extra Protection
All of the good password cracking programs include foreign words,  backwards words, etc. And the easiest way to steal a password is by  asking for it, so it’s simpler to never give it away.  


OUR RECOMMENDATION TO ORGANIZATIONS 

Tips for Organizations and Network Administrators


Managers and administrators can enhance the security of their networks  by setting strong password policies. Password requirements should be  built into organizational security policies. Network administrators  should institute by regular changes/updates of passwords. They should  also regularly remind users of how easy it is for hackers to get their  passwords through social engineering and online attacks. New users  should be taught about good password practices. Providing intranet  resources on network security and password security can also be helpful.  Finally, the organization’s password policy should be integrated into  the security policy, and all readers should be made to read the policy  and sign-off on it. 

Systems administrators should implement safeguards to ensure that  people on their systems are using adequately strong passwords. They  should set password expiration dates on all programs being run on the  organization’s systems. Keep a password history to prevent reuse, and  lock of accounts after 3-5 password attempts. Keep the number of people  in the organization who have these passwords as small as possible. The  organization should also use newer versions of OSs that have more secure  password files and authentication protocols. Keep your individual  account passwords updated as well. Finally, when installing new systems,  make sure default passwords are changed immediately.   

HTTPS VS HTTP

 Use HTTPS instead of HTTP whenever possible. Websites that have an  https:// before the website name, add an extra security layer called SSL  by encrypting your browser. It is recommended to use https:// whenever  possible especially when performing banking or financial transactions  online. In other words, communications sent over regular HTTP  connections are in plain text and can be read by intruders that break  into the connection between your browser and the website. 

With HTTPS,  all communication is securely encrypted. Due to SSL (Secure Socket  Layer), an intruder cannot decrypt data that passes between you and a  website. Don’t use security questions when you forget your password. Most  companies ask customers to answer “security questions” when registering  for an online account. When a user forgets their password, they are  asked to answer a few security questions. The problem with this is  approach is that many users answer easy questions like favourite food,  mother’s maiden name, city of birth or favourite sport. Hackers have a  reasonably good chance of guessing the right answer by monitoring your  social activity. Google recommends having an alternative email address  or an SMS option, instead of providing answers to security questions.  Verifying a password by answering security questions should be a last  resort.