If you’ve followed this series on information security so far (Part 1 and Part 2), you should have a feel for which points in the communication process leave you exposed, and what kinds of tools cover them.
Since category 1 threats are predominantly passive (letting you come to them) you can use them for practice at shoring up weaknesses. You know exactly what these adversaries are after, and you can take the time to set up your defenses just so before you put them to the test.
Starting with category 2, you have to be on your A-game. These enemies don’t wait for you to be ready, and they command a bigger and more varied arsenal. Fortunately, from here on out, this series will apply to exponentially fewer of you.
A large majority of people worry about falling victim to category 2 attackers, which generally can be categorized as black hat hackers of some sort. However, the fact is that fears of getting hacked are mostly misplaced.
Three-quarters of Americans are concerned they will be hacked, and polling shows that most people view hacking attacks as the greatest threat to social stability. In reality, though, only 36 percent of Americans have reported being hacked at least once.
Clearly some people are at risk — so how do you know if you are one of them? Like conventional criminals, criminal hackers choose easy and lucrative targets.
A few targets fit this profile. One group in the crosshairs is made up of companies that have data on millions of users, such as private sector entities with a Web presence. Why go after data one user at a time when it’s already collected in one place?
Criminal hackers also like to hunt small organizations that have modest capital but weak information security. Ransomware, which is rampant against these targets, is particularly devastating because they often don’t have the technical staff to recover, and many resort to paying the ransom.
As with analog crime, highly influential public figures like celebrities and politicians are beset by criminal hackers as well.
Those who classify themselves as “regular people” are overall less likely to face attacks from category 2, but exceptions exist. Even for those who avoid the spotlight, wealthier individuals are sought out by black hats, for obvious reasons.
Cryptocurrency wallet owners are also a favorite mark, since a number of them hastily opened a wallet during the cryptocurrency gold rush, with security as an afterthought.
It’s not just money that black hats may be after — they seek out highly sensitive information too. Journalists, business leaders, politicians and military personnel, among others, find themselves subject to category 2 threats because the information they hold can have a dramatic influence on the distribution of power and material resources.
Information security personnel themselves also can be assailed by black hats, as these professionals may enjoy access to individuals or organizations like the above. If you administer the systems that business titans or politicians operate on, compromising you is just as good as compromising those figures directly.
What unites all these potential victims is that they have data that is conspicuously valuable to certain motivated interests. If you fit any of these target profiles, take heed.
Black Hat Black Ops (and Their Loadouts)
Who exactly is gunning for these targets? Category 2 encompasses a spectrum of actors.
The archetypal lone hacker is represented here, though actors in this category have diverse motivations.
The solitary black hat may want to cause mischief and gain notoriety by compromising a high-profile victim. A lone attacker might look to make an easy buck stealing fiat currency or cryptocurrency.
There is also a subset of hacker armies-of-one interested in specialized information because they operate in circles where it is coveted. For instance, a hacktivist would be motivated to compromise an ideological opponent to undermine the latter’s political activity.
As with most things, hackers can accomplish more in a group than they can on their own. Many black hat crews share the foregoing objectives loners have, but they may take on more complex operations. Some black hat teams carry out corporate espionage, such as stealing trade secrets.
Additionally, a group of malicious hackers could act to sabotage a criminal or journalistic investigation, an undertaking that is usually auxiliary to other nefarious activities. Malicious hacking squads could mobilize at the behest or inspiration of nation-states, aligning goals as a proxy or affinity group.
The techniques these adversaries employ are as wide-ranging as their goals, and usually blended in any given operation. However, it helps to become familiar with basic enemy tradecraft.
Like any good enemy, category 2 adversaries attack the gaps in your armor, the biggest of which is passwords. There are a few ways hackers crack passwords. The first is brute force guessing. This involves running a program that rapidly guesses multiple potential passwords to see if anything works. By default, these programs try the most common passwords, but savvy targets may avoid this pitfall.
To get around this, attackers will gather open source intelligence (OSINT) on their target, checking things like social media profiles or public records, to get an idea for the keywords the target’s password might contain. Once these are identified, the attacker configures cracking software to mix these keywords into the guessed passwords.
The second password-based attack method is taking advantage of previously breached accounts. Given that the average American has somewhere from a few dozen to more than a hundred online accounts — and a 2017 Pew Research poll shows that nearly two-fifths of adults reuse identical or similar passwords — the odds are good that the password for a breached account can open another.
Worse, users who repurpose passwords are at the mercy of the most poorly protected service — if that site you made an account for that one time gets owned, a reused password can bring your online life crashing down.
Another favorite black hat tool is social engineering, which is the manipulation of cognitive biases to deceive others. Social engineering is an entire discipline unto itself, but in a nutshell it involves abusing the natural human inclination to take people at their word.
For instance, if you’re in an organization large enough that working with practical strangers is commonplace, you might think nothing of someone claiming to be so-and-so from IT asking to verify your password. Malicious hackers pose as so-and-so all the time to dupe not only their targets but also the operators of services targets use.
To give a more concrete example, attackers commonly will contact a victim’s cell service provider, pose as the victim, and convince the provider to switch the victim’s SIM card to theirs, snaring the victim’s calls and texts. They then use this for further compromise. Hence, social engineering effects are as dangerous as they are simple.
If those means don’t cut it, black hats can resort to trojans. Like the stunt their namesake giant wooden horse pulled off with Greek soldiers, trojans are designed to appear legitimate to sneak in software exploits. In this sense, they have much in common with social engineering.
Trojans masquerade as innocuous software, files or URLs that the target is likely to seek out or accept blindly. Targets who want what appears to be offered often lower their guard.
Adversaries willing to put in more work may leverage unpatched vulnerabilities in the software their quarry has installed. If they’re top-tier, they may wield a zero-day vulnerability — one that the software’s developers aren’t yet aware of — but most attackers will exploit a vulnerability that is already known to exist, but that users may not have patched.
Last (at least in this high-level overview), but not least in black hat tradecraft is the man-in-the-middle (MITM) attack. This is one of the more aggressive but more effective assaults that malicious hackers can carry out, because they literally get between their target’s device and all communication channels.
From this perch, they are in a position not only to read everything the user sends and receives, but also to modify transmissions in either direction. It is a position that is difficult to occupy, but that all black hats crave: They control everything that comes or goes from the device, and the user will never know.
How do adversaries bring off an MITM attack? Open networks are their best bet, since they leave communications visible to anyone. Black hats will go with password-protected networks in a pinch, too, especially networks that belong to their prey, since they usually are trivial to crack.
Attackers might take MITM attacks to the next level by compromising a device on your network. Under this model, they’ll gun for an always-on device the user doesn’t configure or monitor carefully, like a wireless router or Internet of Things appliance.
Once malicious hackers take over, they see much of what you’re doing on the network, and often can get between you and the Internet through tricks like ARP (Address Resolution Protocol) spoofing, which fools your computer into passing your Internet traffic through the infected device. The only way to spot something like this is to review your ARP table. Have you checked your ARP table recently? Exactly.
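Reviewing an ARP table by eye is tedious, so here is an added example (not from the original article) that does the review for you. It parses constructed `arp -n`-style output and flags the two classic spoofing indicators: one MAC address claimed by several IPs, and a gateway whose MAC no longer matches the value you recorded when the network was known to be clean; the gateway IP and expected MAC are assumed values.

```python
"""Flag ARP-table entries that suggest ARP spoofing (added example)."""
import re
from collections import defaultdict

# Constructed sample in the Linux `arp -n` layout; real input comes from
# `arp -n` or `ip neigh`. Here 192.168.1.42 claims the gateway's MAC.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     wlan0
192.168.1.20             ether   aa:bb:cc:dd:ee:20   C                     wlan0
192.168.1.42             ether   aa:bb:cc:dd:ee:01   C                     wlan0
"""

# IPv4 address, hardware type, then a 17-character colon-separated MAC.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F:]{17})\s")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n`-style text, skipping the header line."""
    entries = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            entries[match.group(1)] = match.group(2).lower()
    return entries


def find_shared_macs(entries):
    """MACs that appear for more than one IP, mapped to the IPs claiming them.

    A router with several addresses can legitimately share a MAC, so treat a
    hit as a prompt to investigate, not as proof of compromise.
    """
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_matches(entries, gateway_ip, expected_mac):
    """True if the gateway still resolves to the MAC recorded on a clean day."""
    return entries.get(gateway_ip) == expected_mac.lower()


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in find_shared_macs(table).items():
        print(f"ALERT: {mac} is claimed by {', '.join(ips)}")
    # Assumed gateway and baseline MAC for this constructed network.
    if not gateway_mac_matches(table, "192.168.1.1", "aa:bb:cc:dd:ee:01"):
        print("ALERT: gateway MAC changed since baseline")
```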
Hats Off to Security Tools
Daunting as this is, you are not helpless in confronting it.
Your best line of defense is to bolster your passwords with a password manager. This simple program creates an encrypted file with all your account passwords inside, and opens it only when a master password is entered. Each account is listed in the “vault” file with its corresponding password. When you want to unlock an account, you open the password vault and copy and paste the starred-out (but intact) password from its vault entry into the account’s password field.
Password managers confer immense benefits. With them, every password can be unique, preventing attackers from retrying passwords successfully. They also allow you to create highly random passwords for each account, obviating dictionary-driven brute force attacks. Because you only copy and paste the password, you don’t have to know what it is.
High-entropy passwords really are your only recourse with online accounts, since the service operator handles the rest. Password managers are just the most direct route to such passwords.
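To make the two points above concrete, here is an added example (not the article’s own code) of what a password manager does for you: it draws each password from a cryptographically secure random source, its strength is measured in bits of entropy rather than memorability, and a vault of unique passwords means one breached site exposes nothing else. The vault contents are constructed sample data.

```python
"""Random per-account passwords, their entropy, and a reuse check (added example)."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG, as a manager would make."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    A keyword-derived password (e.g. a pet's name plus a year) is a few
    choices from a small list, so its real entropy is far lower than its
    length suggests; a random 20-character one here exceeds 130 bits.
    """
    return length * math.log2(alphabet_size)


def reuse_groups(vault):
    """Groups of accounts in {site: password} that share the same password."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


def sites_exposed_by_breach(vault, breached_site):
    """Other accounts an attacker can open with the password leaked from one site."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items()
                  if pw == leaked and site != breached_site)


if __name__ == "__main__":
    # Constructed vault: two reused passwords, one manager-generated.
    vault = {"forum": "Summer2019!", "bank": "Summer2019!",
             "email": generate_password()}
    print("entropy of a random 20-char password:",
          round(entropy_bits(20, len(ALPHABET)), 1), "bits")
    print("reused across:", reuse_groups(vault))
    print("if the forum is breached, also exposed:",
          sites_exposed_by_breach(vault, "forum"))
```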
Another way to lock down your accounts is to use a 2FA key. To understand why, we need a crash course in authentication theory. Authentication is granting access to individuals by confirming their identities, proof of which takes one of three forms. Individuals can authenticate their identities by producing something they know (e.g. a password), something they are (e.g. a biometric identifier), or something they have.
Traditionally, most people have protected each account with only one of these at a time, usually “something they know.” Two-factor authentication (2FA) is predicated on the idea that it is more secure to require two forms of authentication instead of one. Typically, 2FA takes the form of a “2FA key,” a physical dongle that must be present when you enter a password, to “double-check” your identity.
Employing 2FA is common enough now that there are user-friendly options for 2FA keys. If you don’t have a physical 2FA key, you can set up multi-factor authentication (MFA) with your mobile device. Under this scheme, a login prompt requires a one-time PIN that is sent to your mobile device. Because you are assumed to be the sole bearer of your mobile device, it acts as a “something you have” second factor.
As social engineering exploits natural human tendencies, there is no single tool or cognitive heuristic that defeats it. What you can do, though, is practice a high level of skepticism. Scrutinize all the messages you receive. Before you respond to a message or comply with its directives, always perform some kind of sanity check that validates that the message is from the party it claims to be from.
The diagnostics will look different for each medium, but this check will involve confirming that it is from the correct address, rendered in the correct verbal or written tone, and exhibiting the correct behavior for the individual or role that the interlocutor supposedly represents.
Links are the most common delivery mechanism for social engineering exploits, so you always should treat them with care. As a general habit, whether or not you deem the sender legitimate, you should not click on links unless you are certain where they go.
You can figure that out by hovering the mouse over the link without clicking on it. Your browser will preview the ultimate destination in a mouseover in a lower corner of your browser window. Even better, if you don’t have to go where the link leads, just don’t. For links you need to access, navigate on your own by entering the URL or searching for it online.
While files are a less common vehicle for trojans, they are more destructive. With that in mind, be careful with the files you handle. One of the easiest ways to get hit with a trojan is to stream or download content from sketchy sources. I’m not here to give an antipiracy lecture, just to warn you of a prime avenue for attack. When you diverge from the official channels, you never truly know who is offering the file you seek, or what’s actually in it. Willingly interacting with it invites it into your system.
As with links, don’t handle files you don’t need to, especially from people you don’t trust. If handling files is unavoidable, run them through a malware scanner first. This no longer requires an antivirus scan, but can be accomplished with a quick scan by a Web-based service like
These web-based scanners serve as a meta-repository containing “signatures” of confirmed malware: When files are uploaded, they are checked against all signatures. Technically, this works only if the attack has been tried somewhere before. Unless you are an extremely high-value target (one of those a category 3 threat actor would hunt), your adversary almost certainly is recycling an attack on you.
This may be such common wisdom as to be trite, but it bears repeating: Always update your device immediately when an update becomes available. If possible, don’t use your device anywhere besides your home network until you update it. This reduces the chance that your still-vulnerable device will be exposed to attack.
Be mindful of your device’s security support cycles as well. This is the period of time during which its OS’ developers will write and deploy OS updates to your device.
For mobile devices, be especially vigilant, as support cycles tend to last for only three to five years from release date. Once your device is out of support, buy a new one. When you do, make sure to buy an unlocked device. Because it’s not under the carrier’s control, it avoids the carrier meddling that introduces delays between the OS developer and your device, so you receive pristine updates right away.
Personal computers (i.e. desktops and laptops) also have a support cycle you should track, but it is usually longer. In many cases, it is functionally indefinite, but requires manual intervention to execute major version updates. When your hardware gets too old to support the latest operating system update, buy a new one. If this isn’t financially feasible, switch to a desktop Linux distribution.
For those of you who studied the previous entry in this series, the practice of using virtual private networks will be familiar. If you’re not sure what a VPN is, I recommend you refer to Part 2 before continuing.
Along with frustrating your ISP, a VPN thwarts MITM attacks, because there is guaranteed to be at least one encrypted layer over your communication, even when you’re otherwise on exposed networks (e.g. open wireless networks).
There is a way to kick your VPN up a notch, though, which is by employing a transparent proxy device. This is a device with two radios — one to connect to your end-user device (e.g. a laptop), and one to connect to the network access point (AP).
This places a proxy device between you and your network to keep your end-user device one step removed from a potentially hostile network. The proxy device automatically connects to your VPN and forwards all your end-user device’s traffic through the VPN. To observers, your end-user device isn’t even on the network, because the AP can’t see it.
Where to Go Next
By now you’ve learned some pretty formidable defensive techniques that, if practiced skillfully, put you far ahead of the pack. Moreover, the mode of analysis that countering these threats necessitates equips you to assess new threats methodically.
Regarding category 3, this mindset will be pushed nearly beyond recognition. For now, take stock of what you have. When we meet again, we begin our descent into madness.