Death and taxes have always been part of the human experience, and in this century hackers have become yet another unavoidable fact of modern life.
Unfortunately, such cyber threats have become so abundant that you can almost guarantee that you’ll come under their crosshairs at some point. Just ask the CEO of LifeLock, Todd Davis, the guy who openly displayed his own Social Security number on his company ad campaigns – daring hackers to try and use it. Yep, he got hacked, too.
But does that mean we are all at the mercy of such keyboard thuggery? Well, it’s really a numbers game: if you mind a few common safe practices, you will greatly reduce your chances of becoming a victim simply by presenting hackers with fewer vulnerabilities. If you can make yourself a harder target than the masses who are extremely vulnerable, then chances are that hackers will pass you by.
Here are a few hacker tactics – and how you can outsmart them.
1. Phishing
By far, the most common tactic in the hacker toolbox is what is known as “phishing.” Essentially, phishing is when a hacker sends you some type of communication via email, SMS, or social media message, and embedded in the link, image or text of that communication is a sneaky way to deceive you into revealing your personal data.
Some highly invasive attacks will even include a line of code in the message itself, which extracts your IP address, MAC address, location information, etc. Most attacks, however, will simply include a link to a legitimate-looking website of a well-known institution, such as Google or a government website, and then the fake site prompts you to disclose your personal and security information. These attacks are almost always mass-targeted, which means that the attackers send a message to thousands in hopes of duping a handful.
First off, the easiest way to ward off a phishing attack is to simply use your common sense. Don’t click on suspicious-looking links! Reputable companies and institutions have policies that will never allow them to ask you for personal information via electronic means. Unless you sign in to their official website with your login credentials, you should never be prompted to disclose any private data. Also, if you have received a suspicious email or SMS from a company or institution, then you should certainly contact the Federal Trade Commission via their phishing reporting website. Lastly, it may be worth calling the company directly. If you get a questionable email from, say, DirecTV and you are a customer, then call the official DirecTV phone number and ask the company if the email is legit. Most likely, it is a scam.
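What "suspicious-looking" can mean in practice, as an added example that is not part of the original article: a small Python check that pulls the links out of a message body and flags the ones whose real target does not match what the message shows. The trusted-domain table, the sample message and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"google": "google.com", "irs": "irs.gov"}  # assumption: sites you really use
# Constructed sample message (example.net and 203.0.113.7 are reserved for documentation).
SAMPLE = """<a href="http://google.com.verify-login.example.net/">https://www.google.com/security</a>
<a href="http://203.0.113.7/irs/refund">Claim your refund</a>
<a href="https://accounts.google.com/signin">Sign in</a>"""

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def review_link(href, text):
    """Return the reasons a link deserves suspicion (empty list = none found)."""
    reasons, host = [], host_of(href)
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        reasons.append("raw IP address instead of a domain name")
    shown = re.search(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", text, re.I)
    if shown and not belongs_to(host, host_of(shown.group(0))):
        reasons.append("visible text names a different site than the target")
    for brand, domain in TRUSTED.items():
        if brand in re.split(r"[.-]", host) and not belongs_to(host, domain):
            reasons.append(f"uses the name '{brand}' but is not under {domain}")
    return reasons

def review_message(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: review_link(href, text) for href, text in parser.links}
```

Calling `review_message(SAMPLE)` flags the first two links and leaves the genuine sign-in link clean; an empty list only means none of these three checks fired, not that the link is safe.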
2. Password attacks
Hackers also may attempt to gain access to your WiFi and/or devices by cracking your password. While it’s almost impossible for them to mass-target individuals this way (unless they’re running a rather ambitious phishing campaign), it’s not especially difficult to precision-target nearby routers within broadcast range. In fact, by using WiFi antenna amplifiers, they can even pick up your WiFi signal from hundreds of yards away, and if they gain access to your router, then they can gain access to the devices connected to it. Essentially, they will use one or both of these two password-cracking attacks:
Dictionary attack — They connect to the router and then hammer it with a giant list of possible terms and numbers (called a dictionary). Penetration takes from 30 minutes to two hours, depending on the size of their dictionary and the difficulty of the password.
Brute force attack — This type of attack runs the router through a gauntlet of character combinations. While this method is nowhere near as precise or expedient as a dictionary attack, virtually any password can be cracked with it if given enough time. These attacks can take anywhere from five hours to a few days and require unbroken, undisturbed access to the router for the duration of the attack. If the router is reset, the attack must be restarted, which creates a logistical obstacle for the attacker.
Basically, the rule of thumb here is to observe safe password creation practices. It’s important to keep your passwords long, using a variety of letters, numbers, cases and symbols. I would also recommend using products like 1Password, which automatically generates extremely strong passwords that can be unlocked with a master key password of your choosing. This also protects against other types of more sophisticated password cracking attacks that might be deployed against your online/offline accounts.
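Why a password needs to survive both attacks described above, shown as an added example that is not from the original article: a Python check that tests a candidate against a word list (after undoing common disguises) and against a minimum brute-force search space. The five-word list, the substitution table and the 80-bit threshold are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary; real word lists hold millions of entries.
WORDLIST = {"password", "letmein", "dragon", "sunshine", "linksys"}
LEET = str.maketrans("013457@$!", "oleastasi")  # common character swaps, undone

def dictionary_hit(password):
    """True if the password is a listed word once common disguises are undone."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return any(c.translate(LEET) in WORDLIST for c in (lowered, stripped))

def brute_force_bits(password):
    """Exhaustive search space in bits for the character classes actually used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def assess(password, min_bits=80):  # min_bits is an assumed threshold
    if dictionary_hit(password):
        return "weak: falls to a dictionary attack"
    if brute_force_bits(password) < min_bits:
        return "weak: brute-force search space too small"
    return "ok"

def generate(length=20):
    """Random password from the OS CSPRNG, the way a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

`P@ssw0rd123!` mixes cases, numbers and symbols yet still fails the dictionary check, while a short random string such as `kq7#Tz` passes it but fails on search space; only length plus randomness clears both.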
3. MIM (Man-In-the-Middle)
A man-in-the-middle attack (MIM) can be extremely devastating, as there is no end to how much private data can be extracted. MIMs can even result in a hacker being able to take control of your device. In order to launch an MIM, the attacker must place themselves between you and the website you have accessed. In some cases, the MIM is conducted between the Internet service provider (ISP) and the company website. Or, if you’re a private target, the attacker may place themselves between you and your router or ISP. After cutting in, they simply observe the personal data being exchanged, hijacking it in transit.
First, this is an extremely sophisticated attack, meaning that a high level of skill is required in order to pull it off. Also, due to the nature of the attack, the target must be precisely selected in the event that an MIM is launched against a private individual. However, if you believe that you may be the victim of an MIM attack, then it’s important to report this to the Department of Justice by going to the official DOJ website: Reporting Computer, Internet-Related, or Intellectual Property Crime.
There are a few other ways to protect against MIM attacks, especially if you believe you may find yourself on the receiving end of one. After assessing your target value, you might find it prudent either to install a firewall program or even purchase a firewall box, which keeps hackers from exploiting ports of entry into your system. You also may want to use email/messaging services that specifically provide end-to-end encryption for your sensitive communications. I recommend using the Swiss-based service ProtonMail for this.
One More Thing…
Last, every time you provide sensitive data, such as credit card numbers and security information (e.g. when making online purchases), always check that the website’s payment/login portal shows “https://”. This indicates a Secure Sockets Layer (SSL) connection, which acts as a protective conduit between you and the site. Doing so adds one more defense against all the hacker tactics mentioned above, as it makes sniffing data extremely difficult.