
Hack Proof Yourself!: The essential guide for securing your digital world
Ebook, 492 pages, 2 hours


About this ebook

We live in a digital age where everyone needs to be cyber security aware and understand the cyber security basics to stay safe online. Hack Proof Yourself! gives you all the information you need to keep yourself and your family secure in today's digital world. This book provides practical, to-the-point guidance and step-by-step instructions on how to stay safe and secure, and on how to identify the various types of scams that turn individuals into victims of cyber crime. A must for anyone who has an online presence in today's connected world.
Language: English
Release date: Jul 30, 2019
ISBN: 9781925993691
Author

Dan Weis

Hi, I'm Dan Weis. I'm an Ethical Hacker (what the industry refers to as a Penetration Tester), a security specialist, public speaker and author. I've been in the I.T. industry for over 24 years and was one of the first people in the world to become a Certified Ethical Hacker. I currently lead a team of Cyber Security experts, leading Red and Blue Teams on Offensive and Defensive Cyber Operations to proactively assess company and government networks to increase their security posture and not become the next "headline". I love being able to educate people on the risks around Cyber Security and privacy and helping people to protect themselves and their families in today's connected world, which is why I'm often asked to present at conferences and events on the Darknet, Hacking and cyber security. I have a number of published resources including books, magazine articles, newspaper and TV appearances, online posts and YouTube videos, and I'm an active participant in a variety of renowned security and industry programs.


    Book preview

    Hack Proof Yourself! - Dan Weis

    The Need for Cyber Security

    I often get asked by individuals and businesses: why would I be targeted? What do I have that they could possibly want?

    Although there are many motives behind cyber attacks, from extortion to payback to kids experimenting, cyber-criminal gangs, state-sponsored actors and others, it usually comes down to two overall reasons: you have information, and you have money or access to money. These two reasons are the prime motivations for attackers and why businesses and people are hacked every minute of every day. It’s an easy pay day for attackers, as most people are not educated (or not educated enough) on cyber security and online risks.

    The other problem we have is growth. The technology space has come so far in such a short amount of time, and people still haven’t grasped the basic security concepts. This growth brings a unique set of challenges, and it also means that regardless of your job, age, race or country, we all now need to be I.T. savvy.

    Let’s put the digital world in perspective.

    Our digital world

    A great report [1] is put out each year by Hootsuite [2] and We Are Social [3], which gives us a large amount of useful information about our digital world. Here is some important information to note from their 2019 report.

    There are 5.11 billion unique mobile users in the world today (2019), up 100 million from the past year.

    There are 4.88 billion internet users in 2019, an increase of 366 million versus January 2018.

    There are 3.48 billion social media users in 2019, with the worldwide total growing by 288 million since 2018.

    3.26 billion people use social media on mobile devices as at January 2019, up by 297 million new users compared to 2018.

    There are 4.38 billion active internet users in the world, which is 57% of the world’s total population.

    2018 saw over 5 billion breached records exposed [4].

    Scams are ever increasing and scammers are making serious cash. In one health care fraud scam [5] in the US, scammers made over 2 billion dollars in that one scam alone, and similarly massive amounts are lost in most countries; for example, scammers targeting Australians managed to scam $489 million from victims in 2018 [6].

    It’s no wonder that cybercrime continues to grow massively every year: with so much potential for success, it’s a lucrative space for attackers.

    The Techie stuff

    So this book is designed for the everyday person, right? So why is there a section about techie stuff? It’s important that you understand the different types of attacks that attackers use to steal your identity, your data, your personal information and of course your money, so that you can protect yourself against these techniques and attacks. Remember the quote by Sun Tzu from The Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

    Terms

    It’s important that you familiarize yourself with the following security related terms. These terms will be referenced numerous times throughout the course of this book.

    Phishing / Spear Phishing

    Phishing emails are those dodgy emails that claim there has been some sort of unauthorized transaction on your account, or some kind of unusual activity, and ask you to click a link to verify your details; or that claim your FedEx, UPS or postal service package has been delayed and you should open the email to see what’s going on. We have all seen these types of emails before.

    The goal of Phishing is generally to harvest data (usually usernames and passwords) or to infect you with malware.

    Here are some recent examples (screenshots in the book, not reproduced here): Bank of America, Apple / iTunes, and bank notifications.

    Common indicators include:

    The sender is unknown, or you are not expecting an email from that person.
    Similar-sounding domain names, e.g. eBay-secure.com, paypol.com.
    Incentive-based surveys and prizes.
    Missing logos, spelling and/or grammatical mistakes.
    Generic greetings.
    Links with alternate URLs, such as shorteners (tinyurl, bit.ly etc.).
    We will discuss these tactics and more in detail in the Think Before You Click chapter.
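As an added example (not code from the book or its author), here is a small defensive checker that scores a single email against the indicators just listed: a sender domain that imitates a known brand (eBay-secure.com, paypol.com), a display name that claims a brand the sender domain does not match, a generic greeting, a link whose visible text points somewhere other than its real destination, and URL shorteners. The brand list, shortener list, greeting phrases, the edit-distance threshold and both sample messages are constructed for this example and are assumptions, not anything the book specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for this example: brands we expect mail from, public URL
# shorteners that hide a link's real destination, and impersonal greetings.
KNOWN_BRANDS = {"ebay.com", "paypal.com", "apple.com", "bankofamerica.com", "fedex.com", "ups.com"}
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "dear member")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one typo away from a brand (paypol/paypal) is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    # Crude registrable domain (last two labels); enough for this demo.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_brand(domain: str):
    """Brand domain that `domain` imitates, or None if it is the brand itself or unrelated."""
    if domain in KNOWN_BRANDS:
        return None
    label = domain.split(".")[0]
    for brand in sorted(KNOWN_BRANDS):
        brand_label = brand.split(".")[0]  # short names like "ups" only match exactly
        if len(brand_label) >= 4 and (brand_label in label or edit_distance(label, brand_label) <= 1):
            return brand  # catches ebay-secure.com and paypol.com
    return None

def phishing_indicators(raw_email: str) -> list:
    """Return the phishing indicators found in one RFC 822 message (headers and body)."""
    msg = message_from_string(raw_email)
    found = []
    # 1. Who the mail claims to be from versus the domain it actually comes from.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.split("@")[-1]) if "@" in address else ""
    brand = lookalike_brand(sender_domain) if sender_domain else None
    if brand:
        found.append(f"sender domain {sender_domain} looks like {brand}")
    squashed = display_name.lower().replace(" ", "")
    for known in sorted(KNOWN_BRANDS):
        name = known.split(".")[0]
        if len(name) >= 4 and name in squashed and sender_domain != known:
            found.append(f"display name '{display_name}' claims {known} but sender is {sender_domain}")
            break
    # 2. Body: decode every text part, strip tags, and look for an impersonal greeting.
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        found.append("generic greeting")
    # 3. Links: visible text that points elsewhere, shorteners, and look-alike domains.
    for href, anchor_text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", anchor_text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname if "." in shown and " " not in shown else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and registrable_domain(shown_host) != registrable_domain(real_host):
            found.append(f"link text shows {shown_host} but points to {real_host}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain in SHORTENERS:
            found.append(f"shortened link {domain} hides its destination")
        brand = lookalike_brand(domain)
        if brand:
            found.append(f"link domain {domain} looks like {brand}")
    return found

# Constructed sample messages (not real mail): one phish that shows several
# indicators at once, and one legitimate notification that should raise none.
PHISH_SAMPLE = """From: "eBay Security" <alerts@ebay-secure.com>
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>We detected an unauthorised transaction. Please sign in at
<a href="http://bit.ly/3abcXYZ">www.ebay.com</a> within 24 hours to verify your details.</p>
"""

LEGIT_SAMPLE = """From: "FedEx" <noreply@fedex.com>

<p>Hi Dan,</p>
<p>Parcel 1234 ships today. <a href="https://www.fedex.com/track">Track it here</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run it and the constructed phish produces five indicators while the FedEx notification produces none. The matching is deliberately crude: the substring and one-edit rules will also flag innocent names (a domain such as pineapple.com contains "apple"), and the two-label domain split ignores suffixes like co.uk, so a real mail filter would use the public suffix list, sender authentication results (SPF/DKIM/DMARC) and reputation data on top of heuristics like these.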

    There are a number of reasons why these attacks continue to work:

    The human element: sometimes the person knows it looks ‘dodgy’ but continues anyway out of curiosity or confusion.
    People have a natural desire to be helpful (and are curious).
    The person may be distracted or tired, and it only takes one slip of concentration for the attack to succeed; think of exhaustion from a newborn baby as an example.
    The user lacks cyber security awareness.
    The user is expecting a package or similar and mistakes the phish for a real email.
    Fear: a classic social engineering tactic is to use fear to invoke an immediate response without thinking, like a speed camera fine notification or an email from the CEO.

    Each day phishing emails get more sophisticated and harder to spot, which is why it is important for you to stay abreast of the latest techniques and types of campaigns, and to leverage services like the US Scams and Frauds website:

    https://www.usa.gov/scams-and-frauds

    And country specific scam websites like scamwatch:

    https://www.scamwatch.gov.au/

    Spear phishing is similar to phishing, the difference being that spear phishing is more targeted and tailored to the victim, for example performing reconnaissance and staging the attack against one person, rather than sending the same email to, say, 1000 people.

    Malware

    Malware stands for malicious software. In the past we had computer viruses, and everyone knows what a computer virus is, but computer viruses as such don’t exist anymore; malware exists in their place, and it is exactly that: malicious software designed to perform some sort of malicious action, like taking data from a machine, taking control of a machine or some other activity. There are myriad different types of malware, from ransomware through to trojans and worms. I will not cover each individual type in this book, as there are a tonne of resources out there on malware if you would like to know more.

    Here’s an example of ransomware (screenshot in the book): a piece of malware designed to encrypt all the files on your machine and lock you out of the machine until you pay a fee in bitcoin to recover your data.

    Social Engineering

    All attacks that target individuals and businesses leverage some form of Social Engineering, which makes it the most important term to learn.

    Social engineering is otherwise known as the art of deception. It’s basically where an attacker convinces someone to do something: to click on a link, to open an attachment or to give out some other sensitive information; in short, to influence a person to take an action that may or may not be in their best interest.

    Social engineering has been around for a very long time; it’s easy to orchestrate and continues to work time and time again.

    Unfortunately, there is no computer system on Earth that does not rely on people, and social engineering completely bypasses all information controls and goes directly after the weakest link, which of course is humans.

    Social engineers use a bunch of different techniques to convince people to do what they want. This starts with reconnaissance: finding out everything they can about their target, from daily schedules through to internet presence, address, even the name of their dog.

    Once the recon is complete, they craft their attack using various kinds of ‘exploits’.

    Steve Riley has one of the oldest and best presentations out there on Defending Layer 8 [1], and I highly recommend it. Steve identifies the following types of ‘exploits’, which I can confirm work great for us on security engagements all the time, and I’ve incorporated his presentation into my training for testers and ethical hackers. The exploits are listed below:

    Diffusion of responsibility

    If targets can be made to believe that they are not solely responsible for their actions, they are more likely to grant the social engineer's request. The social engineer may drop names of other employees involved in the decision-making process, or claim another employee of higher status has authorized the action.

    The very important person says you won’t bear any responsibility…

    Chance for ingratiation

    If targets believe that compliance with the request enhances their chances of receiving a benefit in return, the chances of success are greater. This includes gaining advantage over a competitor, getting in good with management, or giving assistance to an unknown yet sultry-sounding female (although often it’s a computer-modulated male voice) over the phone.

    "Look at what you might get out of this!"

    Trust relationships

    Oftentimes, the social engineer spends time developing a trust relationship with the intended victim, then exploits that trust. Following a series of small, positive interactions with the target, the social engineer moves in for the big strike. Chances are the request will be granted.

    He’s a good guy, I think I can trust him

    Moral duty

    Encouraging the target to act out of a sense of moral duty or moral outrage enhances the chances for success. This exploit requires the social engineer to gather information on the target, and the organization. If the target believes that there is a wrong that compliance will mitigate and can be made to believe that detection is unlikely, chances of success are increased.

    You must help me! Aren’t you so mad about this?

    Guilt

    Most individuals try to avoid feeling guilty if at all possible. Social engineers are often masters of psychodrama, creating situations and scenarios designed to tug at heartstrings, manipulate empathy and create sympathy. If granting the request will avoid guilty feelings, or if not providing the requested information will lead to significant problems for the requestor, these are often enough to tip the balance in favour of compliance with the request.

    What, you don’t want to help me?

    Identification

    The more the target is able to identify with the social engineer, the more likely the request is to be granted. The social engineer will attempt to build a connection with the target based on intelligence gathered prior to, or during, the contact. Glibness is another trait social engineers excel at, and use to enhance compliance.

    You and I are really two of a kind, huh?

    Desire to be helpful

    Social engineers rely on people's desire to be helpful to others. Exploits include asking someone to hold a door, or asking for help logging on to an account. Social engineers are also aware that many individuals have poor refusal skills, and rely on a lack of assertiveness to gather information.

    Would you help me here, please?

    Cooperation

    The less conflict with the target the better. The social engineer usually acts as the voice of reason, logic and patience. Pulling rank, barking orders, getting angry and being annoying rarely work to gain compliance. That is not to say that these ploys aren't resorted to as a last-ditch attempt to break unyielding resistance.

    Let’s work together. We can do so much.

    Fear

    This is normally the final stand. A social engineer will use fear to try to coerce the target. This can be threatening, and usually happens after cooperation from the mark has failed, or, in the case of the inexperienced, out of frustration at a lack of success with the mark.

    Don’t you know who I am? If you don’t help me I’m going to make sure you get fired!...

    These ‘exploits’ are leveraged in all social engineering attacks, such as vishing, phishing and smishing, which we will talk about in the next section.

    Success of an attack depends upon a number of factors including:

    Type of person and position – are they customer facing, such as a service desk person or receptionist? If so, they are more likely to help.

    Busyness – similar to the above: is their objective to move on to the next call or to the next task?

    Male or female – on average I find that we have a 40% better success rate using females for social engineering attacks than males. Females are naturally more trusted; it’s built into our human instinct.

    How social they are – it is typical on engagements to find that people who have a large social media presence and are very public are more likely to respond to social media requests and emails containing pictures, for example. A lot of the time, these types of individuals need that attention.

    Education – how tech savvy is the user, how aware are they of social engineering attacks, and do they have a heightened level of suspicion?

    There is a stack of great resources out there that I would recommend you read if you want to learn more about social engineering, such as Social Engineering: The Art of Human Hacking by Chris Hadnagy [2].

    Smishing

    Smishing is a combination of SMS and phishing. This is where an attacker uses the social engineering tactics above, but in the form of an SMS. The goal is to convince the target to click on a link, which usually takes the target to a site where they are asked to enter credentials, or infects their device with malware.

    Here are some examples of recent smishing I have received (screenshots in the book):

    Vishing

    Similar to the above, vishing is a combination of voice and phishing. This is where an attacker uses the social engineering tactics above, but in the form of a phone call.

    Some common techniques you may have encountered include imitation of a helpdesk, for example an attacker masquerading as Microsoft support to gain access to a victim’s PC.

    Another scenario often encountered is an attacker pretending to be from a government body such as the taxation office, or from the police (or another law enforcement body), stating that the target has incurred a speeding fine and advising them to make a payment.

    Vishing yields a large amount of success for us on engagements.

    Here are some real-life examples where we have used vishing on engagements.

    Passwords provided by reception

    In one engagement I was performing an assessment for a large internet marketing and research company. They had two wireless networks, a guest network and a corporate network. Obviously, I was after the passwords for one or both of those networks, so I called up the receptionist. This is how it played out:

    Reception: Hello Company X, Jane Speaking.

    Attacker: Hi Jane, this is John from Company XYZ. I’m currently working with Bill in Sales. (Of course I didn’t know Bill from a bar of soap; I got Bill’s details off LinkedIn.)

    Attacker: Bill told me I should contact you to get hold of the wireless passwords, so that I can setup for a presentation that I’m doing for you guys on Friday.

    Reception: Oh sure John, no worries, which password were you after, the guest or the corporate network?

    Attacker: (Time to play stupid.) I’m pretty sure Bill said it was the corporate password that I needed.

    Reception: Sure no worries, I tell you what John, why don’t I email you the passwords for both the networks and you can work out which one you want to use?

    Attacker: That sounds great. My email address is johnsmith@gmail.com thanks!

    The receptionist shortly sent the passwords through, and I instantly had access to their environment. Thanks very much.

    Accounts providing access to a network

    In another engagement I was performing a vishing assessment on a large utilities company. I targeted one of the accounts payable staff for the organisation. The campaign employed a scenario of chasing up an outstanding invoice for a fake electrical services company called JS Electrical.

    I set up a website hosting a malicious invoice, see below. This invoice contained malware designed to grant me access into their network. Note: I’ve blacked out any sensitive information to protect the client.

    I also generated an email at the ready to send to my victim:

    Here’s how
