Hack Proof Yourself!: The essential guide for securing your digital world
By Dan Weis
About this ebook
Dan Weis
Hi, I'm Dan Weis. I'm an Ethical Hacker (what the industry refers to as a Penetration Tester), a security specialist, public speaker and author. I've been in the IT industry for over 24 years and was one of the first people in the world to become a Certified Ethical Hacker. I currently lead a team of Cyber Security experts, leading Red and Blue Teams on Offensive and Defensive Cyber Operations to proactively assess company and government networks to increase their security posture and not become the next "headline". I love being able to educate people on the risks around Cyber Security and privacy and helping people to protect themselves and their families in today's connected world, which is why I'm often asked to present at conferences and events on the Darknet, Hacking and cyber security. I have a number of published resources including books, magazine articles, newspaper and TV appearances, online posts and YouTube videos, and I'm an active participant in a variety of renowned security and industry programs.
Hack Proof Yourself! - Dan Weis
The Need for Cyber Security
Individuals and businesses often ask me the same question: why would I be targeted? What do I have that anyone could possibly want?
Although there are many motives behind cyber attacks, from extortion to payback to kids experimenting, cyber-criminal gangs, state-sponsored groups and others, it usually comes down to two overall reasons: you have information, and you have money or access to money. These two reasons are the prime motivations for attackers, and they are why businesses and people are hacked every minute of every day. It’s an easy pay day for attackers, as most people are not educated (or not educated enough) on cyber security and online risks.
The other problem we have is growth. The technology space has come so far in such a short amount of time, and people still haven’t grasped the basic security concepts. This growth brings a unique set of challenges, and it also means that regardless of your job, age, race or country, we all now need to be IT savvy.
Let’s put the digital world in perspective.
Our digital world
Hootsuite [2] and We Are Social [3] publish a great report [1] each year that gives us a large amount of information on our digital world. Here is some important information to note from their 2019 report.
There are 5.11 billion unique mobile users in the world today (2019). This is up 100 million from the past year.
There are 4.88 billion internet users in 2019, an increase of 366 million versus January 2018.
There are 3.48 billion social media users in 2019, with the worldwide total growing by 288 million since 2018.
3.26 billion people use social media on mobile devices as at January 2019, up by 297 million new users compared to 2018.
There are 4.38 billion active internet users in the world, which is 57% of the total world’s population.
2018 saw over 5 billion breached records exposed [4].
Scams are ever increasing and scammers are making serious cash. In one Health Care Fraud Scam [5] in the US, scammers made over 2 billion dollars from that one scam alone. Similar massive amounts are lost in most countries; for example, scammers targeting Australians managed to scam $489 million from victims in 2018 [6].
It’s no wonder that cybercrime continues to grow massively every year. With so much potential for success, it’s a lucrative space for attackers.
The Techie stuff
So this book is designed for the everyday person, right? So why is there a section about techie stuff? It’s important that you understand the different types of attacks that attackers use to steal your identity, your data, your personal information and of course your money, so that you can protect yourself against these techniques and attacks. Remember the quote by Sun Tzu from The Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
Terms
It’s important that you familiarize yourself with the following security related terms. These terms will be referenced numerous times throughout the course of this book.
Phishing / Spear Phishing
Phishing emails are those dodgy emails you get that claim there has been some sort of unauthorized transaction on your account, or some kind of unusual activity, and ask you to click a link to verify your details; or that claim your FedEx, UPS or postal service package has been delayed and ask you to open the email to see what’s going on. We have all seen these types of emails before.
The goal of phishing is generally to harvest data (usually usernames and passwords) or to infect you with malware.
Here are some recent examples:
Bank of America:
Apple / iTunes:
Bank Notifications:
Common indicators include:
The sender is unknown, or you are not expecting an email from that person.
Similar-sounding domain names, such as eBay-secure.com, paypol.com etc.
Incentive-based surveys and prizes.
Missing logos, spelling and/or grammatical mistakes.
Generic greetings.
Links with alternate URLs, such as shorteners (tinyurl, bit.ly etc.).
We will discuss these tactics and more in detail in the Think before you click Chapter.
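The indicators above (lookalike domains, shortened links, generic greetings) can be checked mechanically. The script below is an added example, not code from the book or from the author: it parses a constructed sample email, compares the sender's and each link's domain against an assumed list of well-known brand domains using edit distance and embedded brand names, and flags URL shorteners and generic greetings. The brand and shortener lists, the sample messages and the helper names are all assumptions for the demo, and the domain handling is deliberately crude (it takes the last two labels of a host rather than using a public-suffix list).

```python
"""Heuristic phishing-indicator checker for a raw email (added example, not the book's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of brand domains an attacker might imitate.
BRAND_DOMAINS = {"paypal.com", "ebay.com", "apple.com", "fedex.com"}
# Public URL shorteners hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued customer")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample in the style the chapter describes (not a real message).
SAMPLE_PHISH = """From: "PayPal Service" <security@paypol.com>
To: customer@example.net
Subject: Unusual activity detected on your account

Dear Customer,

We noticed an unauthorised transaction on your account. Please verify your
details within 24 hours to avoid suspension: http://bit.ly/verify-now
If you did not make this transaction, click https://ebay-secure.com/login
"""

# Constructed benign message for comparison: real brand domain, personal greeting.
SAMPLE_LEGIT = """From: "PayPal" <service@paypal.com>
To: dan@example.net
Subject: Your monthly statement is ready

Hello Dan,

Your statement is available at https://www.paypal.com/activity
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-letter-off lookalikes such as paypol/paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'mail.example.com' (no public-suffix list; demo assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def imitated_brand(domain: str):
    """Return the brand domain this one looks like (embedded brand name or edit distance <= 2).

    Returns None when the domain is the genuine brand or unrelated to any brand."""
    if domain in BRAND_DOMAINS:
        return None
    label = domain.split(".")[0]
    for brand in sorted(BRAND_DOMAINS):
        brand_label = brand.split(".")[0]
        if brand_label in label or levenshtein(label, brand_label) <= 2:
            return brand
    return None


def analyse_email(raw: str) -> list:
    """Return (indicator, detail) pairs for the phishing indicators found in a raw email."""
    msg = message_from_string(raw)
    findings = []

    # Indicator: sender domain that merely resembles a known brand.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    brand = imitated_brand(sender_domain) if sender_domain else None
    if brand:
        findings.append(("lookalike sender domain", f"{sender_domain} resembles {brand}"))

    # Collect the plain-text body, whether or not the message is multipart.
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )

    # Indicator: generic greeting instead of the recipient's name.
    lowered = body.lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            findings.append(("generic greeting", greeting))
            break

    # Indicators: shortened links and links to lookalike domains.
    for url in URL_RE.findall(body):
        domain = registrable_domain(urlparse(url).hostname or "")
        if domain in SHORTENERS:
            findings.append(("shortened link", url))
        brand = imitated_brand(domain)
        if brand:
            findings.append(("lookalike link domain", f"{domain} resembles {brand}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_email(sample))
```

Running the script reports four findings for the constructed phishing sample (lookalike sender, generic greeting, shortened link, lookalike link domain) and none for the benign one. Heuristics like these are only a first filter: a real mail gateway would also check authentication results (SPF, DKIM, DMARC) and link reputation, neither of which this example covers.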
There are a number of reasons why these attacks continue to work:
The human element: sometimes the person knows it looks ‘dodgy’ but continues anyway out of curiosity or confusion.
People have a natural desire to be helpful (and they are curious).
The person may be distracted or tired, and it only takes one slip of concentration for the attack to succeed; think of the exhaustion that comes with a newborn baby, for example.
The user is lacking in cyber security awareness.
The user is expecting a package or similar and mistakes the phish for a real email.
Fear: a classic social engineering tactic is to use fear to invoke an immediate response without thinking, such as a speed camera fine notification or an email from the CEO.
Each day phishing emails get more sophisticated and harder to spot, which is why it is important to stay abreast of the latest techniques and the types of campaigns in circulation, and to make use of services like the US Scams and Frauds website:
https://www.usa.gov/scams-and-frauds
And country specific scam websites like scamwatch:
https://www.scamwatch.gov.au/
Spear phishing is similar to phishing, the difference being that spear phishing is more targeted and tailored to the victim: the attacker performs reconnaissance and stages the attack against one person, rather than sending the same email to, say, 1000 people.
Malware
Malware stands for malicious software. In the past we had computer viruses, and everyone knows what a computer virus is, but computer viruses don’t exist anymore; malware exists in their place, and it is exactly that: malicious software designed to perform some sort of malicious action, like taking data from a machine, taking control of a machine or another activity. There is a myriad of different types of malware, from ransomware through to trojans and worms. I will not cover each individual type in this book, as there are a tonne of resources out there on malware if you would like to know more.
Here’s an example of ransomware, a piece of malware designed to encrypt all the files on your machine and lock you out of the machine until you pay a fee in bitcoins to recover your data.
Social Engineering
All attacks that target individuals and businesses leverage some form of social engineering, which makes it the most important term to learn.
Social engineering is otherwise known as the art of deception. It's basically where an attacker convinces someone to do something: to click on a link, to open an attachment or to give out some other sensitive information. In short, it is influencing a person to take an action that may or may not be in their best interest.
Social engineering has been around for a very long time. It’s easy to orchestrate and continues to work time and time again.
Unfortunately, there is no computer system on Earth that does not rely on people, and social engineering completely bypasses all information controls and goes directly after the weakest link, which of course is humans.
Social engineers use a bunch of different techniques to convince people to do what they want. This starts with reconnaissance: doing your recon to find out everything you can about your target, from their daily schedule through to their internet presence, their address, even the name of their dog.
Once the recon is complete, they craft their attack using various kinds of exploits.
Steve Riley has one of the oldest and best presentations out there on Defending Layer 8 [1] and I highly recommend it. Steve identifies the following types of ‘exploits’, which I can confirm work great for us on security engagements all the time, and I’ve incorporated his presentation into my training for testers and ethical hackers. The exploits are listed below:
Diffusion of responsibility
If targets can be made to believe that they are not solely responsible for their actions, they are more likely to grant the social engineer's request. The social engineer may drop names of other employees involved in the decision-making process, or claim another employee of higher status has authorized the action.
The very important person says you won’t bear any responsibility…
Chance for ingratiation
If targets believe compliance with the request enhances their chances of receiving a benefit in return, the chances of success are greater. This includes gaining advantage over a competitor, getting in good with management, or giving assistance to an unknown, yet sultry sounding female (although often it’s a computer modulated male's voice) over the phone.
"Look at what you might get out of this!"
Trust relationships
Often times, the social engineer expends time developing a trust relationship with the intended victim, then exploits that trust. Following a series of small interactions with the target that were positive in nature, the social engineer moves in for the big strike. Chances are the request will be granted.
He’s a good guy, I think I can trust him
Moral duty
Encouraging the target to act out of a sense of moral duty or moral outrage enhances the chances for success. This exploit requires the social engineer to gather information on the target, and the organization. If the target believes that there is a wrong that compliance will mitigate and can be made to believe that detection is unlikely, chances of success are increased.
You must help me! Aren’t you so mad about this?
Guilt
Most individuals attempt to avoid feeling guilt if possible. Social engineers are often masters of psychodrama, creating situations and scenarios designed to tug at heartstrings, manipulate empathy, and create sympathy. If granting the request will lead to avoidance of guilty feelings, or that not granting the requested information will lead to significant problems for the requestor, these are often enough to weigh the balance in favour of compliance with the request.
What, you don’t want to help me?
Identification
The more the target is able to identify with the social engineer, the more likely the request is to be granted. The social engineer will attempt to build a connection with the target based on intelligence gathered prior to, or during, the contact. Glibness is another trait social engineers excel at, and use to enhance compliance.
You and I are really two of a kind, huh?
Desire to be helpful
Social engineers rely on people's desire to be helpful to others. Exploits include asking someone to hold a door, or with help logging on to an account. Social engineers are also aware that many individuals have poor refusal skills, and rely on a lack of assertiveness to gather information.
Would you help me here, please?
Cooperation
The less conflict with the target the better. The social engineer usually acts as the voice of reason, logic, and patience. Pulling rank, barking orders, getting angry, and being annoying rarely works to gain compliance. That is not to say that these ploys aren't resorted to as a last-ditch attempt to break unyielding resistance.
Let’s work together. We can do so much.
Fear
This is normally the final stand. A social engineer will use fear to try to coerce the target. This can be threatening, and usually happens when the mark fails to cooperate, when the social engineer is inexperienced, or out of frustration at a lack of success with the mark.
Don’t you know who I am? If you don’t help me I’m going to make sure you get fired!...
These ‘exploits’ are leveraged in all social engineering attacks, such as vishing, phishing and smishing, which we will talk about in the next section.
The success of an attack depends upon a number of factors, including:
Type of person and position: are they customer facing, such as a service desk person or receptionist? If so, they are more likely to help.
Busyness: similar to the above, is their objective to move on to the next call or the next task?
Male or female: on average I find that we have a 40% better success rate using females for social engineering attacks than males. Females are naturally more trusted; it’s built into our human instinct.
How social they are: it is typical on engagements to find that people who have a large social media presence and are very public are more likely to respond to social media requests and to emails containing pictures, for example. A lot of the time, these types of individuals need to have that attention.
Education: how tech savvy is the user, how aware are they of social engineering attacks, and do they have a heightened level of suspicion?
There are a stack of great resources out there that I would recommend you read if you want to learn more about social engineering, such as Social Engineering: The Art of Human Hacking by Chris Hadnagy [2].
Smishing
Smishing is a combination of SMS and phishing. This is where an attacker uses the social engineering tactics above, but in the form of an SMS. The goal is to convince the target to click on a link, which usually takes the target to a site where they are asked to enter credentials, or infects their device with malware.
Here are some examples of recent smishing messages I have received:
Vishing
Similar to the above, vishing is a combination of voice and phishing. This is where an attacker uses the social engineering tactics above, but in the form of a phone call.
Some common techniques you may have encountered include imitation of a help desk, for example an attacker masquerading as Microsoft support to gain access to a victim’s PC.
Another scenario often encountered is an attacker pretending to be from a government body such as the Taxation Office, or from the police (or another law enforcement body), stating that the target has incurred a speeding fine and advising them to make a payment.
Vishing yields a large amount of success for us on engagements.
Here are some real-life examples where we have used vishing on engagements.
Passwords provided by reception
In one engagement I was performing an assessment for a large internet marketing and research company. They had two wireless networks, a guest network and a corporate network. Obviously, I was after the passwords for one or both of those networks. So I called up the receptionist, and this is how it played out:
Reception: Hello, Company X, Jane speaking.
Attacker: Hi Jane, this is John from Company XYZ. I’m currently working with Bill in Sales. (Of course I didn’t know Bill from a bar of soap; I got Bill’s details off LinkedIn.)
Attacker: Bill told me I should contact you to get hold of the wireless passwords, so that I can setup for a presentation that I’m doing for you guys on Friday.
Reception: Oh sure John, no worries, which password were you after, the guest or the corporate network?
Attacker: (Time to play stupid.) I’m pretty sure Bill said it was the corporate password that I needed.
Reception: Sure, no worries. I tell you what, John, why don’t I email you the passwords for both networks and you can work out which one you want to use?
Attacker: That sounds great. My email address is johnsmith@gmail.com thanks!
The receptionist sent the passwords through shortly afterwards, and I instantly had access to their environment. Thanks very much.
Accounts providing access to a network
In another engagement I was performing a vishing assessment on a large utilities company. I targeted one of the accounts payable staff for the organisation. The campaign employed a scenario of chasing up an outstanding invoice for a fake electrical services company called JS Electrical.
I set up a website hosting a malicious invoice, shown below. This invoice contained malware designed to grant me access to their network. Note: I’ve blacked out any sensitive information to protect the client.
I also generated an email at the ready to send to my victim:
Here’s how