If you are a software engineer, or anyone with a specialization in the IT field, you have almost certainly met someone who asked you “Can you hack this Facebook account?”. It is human nature to peep into business that does not concern us. The same is true in the software industry: the systems we build may be attacked for many different reasons. If a system we created is attacked, the result is loss of reputation, loss of profits, leakage of sensitive data and, in the long run, loss of customer trust. So even if you are “only” a software engineer, a basic understanding of computer security is a must.
In computer science there are mainly two types of security concern: technical hacking and non-technical hacking. In this article I will talk about one form of no-tech hacking, social engineering, and about password protection on the technical side.
First let’s look at the kind of hacking that doesn’t involve our computers but our brains. We humans don’t act like animals, driven purely by instinct; we are smart creatures, and we make our day-to-day decisions according to our emotions. These emotions can be fear, courage, happiness and even the need to help others. Social engineers are people who are able to take advantage of these emotions and steal information easily. Look at the attack cycle in the diagram below.
- Investigation : the attacker selects a victim, does background research on them and chooses an attack method.
- Hook : the attacker approaches the target and starts telling their lies.
- Play : they expand on the hook and, by keeping the victim’s attention and continuing the deception, obtain the information they need.
- Closing : they end the interaction with the victim and move on to a new target.
Now let’s look at a simple example.
John is an employee at company X. John’s bank account number has been leaked to a co-worker named Doe. Doe now tries to get into John’s online banking account through the “forgot password” option, which asks two security questions: “First date’s name?” and “Favourite fictional character?”. So Doe casually chats with John, gets to know him, and slips these questions into their normal conversations. Poor John, unaware of Doe’s true intentions, leaks the answers without realising it. Now John’s account is empty.
The above is just one of the scenarios a social engineer might use to get what they want. They can come in the form of phone calls impersonating another person, for example calling and claiming to be a lead developer who needs the login credentials because he forgot them, or emails that ask for personal information. They can simply wear your company’s uniform and talk their way into a site. One can also offer a sweet reward to sway victims to their side. Remember that the walls of Troy weren’t breached by a strong force; they were breached by tricking the guards.
Now let’s take a look at the different types of social engineering attacks.
Baiting, as the name implies, means the attacker tries to lure the victim into a trap through physical or non-physical means. The attacker might leave malicious items such as a pen drive or a CD with a label that might interest the victim, for example a company logo. Once the victim inserts such a device into their machine, the malware spreads. Baiting can also happen through tempting ads and offers on websites and in email; clicking on them gets the virus onto the victim’s system.
In another type of attack, attackers send the victim’s computer messages claiming that their system may be at risk. They create website banners saying the system is in danger and ask the user to install a program, or send emails with an “emergency” message asking the victim to click a link for a service the victim supposedly needs.
In pretexting, the attacker gets to know the victim and talks with them in order to build trust, and through lies and deception obtains the information they need. The example given at the beginning of this article is a pretexting attack. This attack type is the most difficult to avoid, because it is not something we can easily detect, and we can’t look at every person with suspicion either.
Phishing is one of the most widely used social engineering attack types. The victim normally receives a mail saying something like “your account is going to expire soon, please update it”. Such mails are sent in bulk and can be detected by the email system. There is another type of phishing called spear phishing, where the mail is crafted specifically for that victim; it may include the victim’s name, job and other details specific to them.
Social Engineering Prevention
✔ The only real protection from social engineering isn’t CCTV cameras or hard-to-penetrate systems but training the human mind. Workers should be trained to be aware of malicious activities and to know the worth of their entry and login credentials.
✔ Companies should also hold awareness meetings with their employees as well as board members to discuss the latest online fraud techniques.
✔ Incident management should always take social engineering into consideration and prepare for the case that such an incident does happen.
✔ Users should never insert unknown peripherals into their system.
✔ Always verify an email before clicking on the links it provides.
✔ Keep antivirus software up to date.
Now that we have talked about social engineering, let’s go to the technical side. Even though I call this technical, it is something almost every one of us uses every day: passwords.
Almost all the applications we use require some sort of user credentials to uniquely identify a user and keep each user’s data confidential, so setting a strong password for our accounts is important. But the human brain is uniquely designed: it is not easy for us to remember a long set of characters that carries no specific meaning, which is what a password is. The most used passwords in the world currently are things like abcd123, password and 1234abcd. Passwords like these can be easily cracked by brute-force attacks, and using an important person’s name or a birthday as a password also makes your account easy to break into.
Almost all of us also prefer to use the same password for all our accounts. This is not safe behaviour: if the password of one account leaks, every other account that uses the same password (your online bank account, for instance) is in jeopardy. The best practice is therefore to set a different password for each account. Our human nature makes this hard, since we are known to forget things easily, and the best solution for that is a password manager. Organizations should also impose policies to change passwords after a specific time frame.
There are ways to protect passwords even if the system holding them is hacked. Developers should store passwords properly: storing them as plain text, without any transformation, makes it easy for attackers to steal them. So developers should change the way they store passwords, and for this they have two options.
- Encrypting the Password.
- Hashing the password.
Now let’s briefly take a look at these two options.
Encrypting the password
Encryption is the process of transforming data away from its original form, so that even if an attacker gets hold of the data they cannot work out its original meaning. Encryption has four components.
- Plain Text : The original text, which is the password in this instance.
- Encryption Key : The secret key that is used for the encryption.
- Encryption Algorithm : The algorithm that is used together with the encryption key to transform the plain text.
- Cipher Text : The output produced by transforming the plain text with the help of the encryption key.
There are many different encryption algorithms and processes, which I am not going to go through in this article. The most important thing about this process is that it does not change the data type or the file size once encryption is done.
If an attacker gets their hands on the encrypted password, they may be able to decrypt it: encryption is reversible, so anyone who also obtains the key can run the algorithm with that key and recover the original password.
Hashing the password
Hashing is a mathematical algorithm that converts an input value into a different output and also changes the size of the output. In our case every password gets an output of exactly the same size (different values, but the same size). Now you might be wondering what the use of this is, as it sounds almost the same as encryption. The point is that even if the hacker obtains the hashing algorithm, they cannot get the original value back from it. And if hackers try to brute-force their way through by hashing candidate values themselves, they still won’t succeed, because hashing has another trick up its sleeve called salting.
abxcqr2547#2 -> SALTING -> abxcqr2547#2SALT
Salting is the process of adding a value to the original password before hashing it. The added value is called the salt. Each password gets a different salt, as it is normally randomly generated, so in the end it is the salted password that is hashed.
Note: when hashing, it is best not to have collisions (equal hashes). Salting also takes care of this problem: because the initial input is changed per password, two users who choose the same password end up with different stored hashes.
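As an added example (not the article’s own code), here is the salted hashing described above in Python, using the standard library’s PBKDF2-HMAC so that no third-party package is needed. The record format `algorithm$iterations$salt$hash`, the salt length and the iteration count are assumptions chosen for the demonstration; the sample password is the one used in the salting diagram above.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this demo: PBKDF2-HMAC-SHA256, 16-byte random salt,
# 100000 iterations. Production systems tune the iteration count to their hardware.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn per call, so two users with the same password
    get different records. Passing a salt explicitly exists only so the demo
    can show that the same salt and password reproduce the same hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # the salt is not secret, only unique
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the salt stored in the record and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    hash_name = algorithm[len("pbkdf2_"):]
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate.hex(), hash_hex)


def same_password_distinct_records(password: str) -> bool:
    """True when hashing the same password twice yields different stored records (the salt at work)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("abxcqr2547#2")
    print("stored record:", record)
    print("correct password verifies:", verify_password("abxcqr2547#2", record))
    print("wrong password rejected:", not verify_password("password", record))
    print("same password, different hashes:", same_password_distinct_records("abxcqr2547#2"))
```

The stored record contains the salt in the clear; that is intended, since the salt’s job is uniqueness, not secrecy. What the record never contains is the password itself, and because PBKDF2 is a one-way, deliberately slow function, an attacker holding the table must guess each password separately against its own salt.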