Computer Security Concepts That a Software Engineer must Know


If you are a software engineer, or anyone who specializes in the IT field, you have almost certainly met someone who asked you "Can you hack this Facebook account?". It is human nature to peep into other people's business that does not concern us. The same is true in the software industry: the systems we build may be attacked for many different reasons. If a system we created is attacked, the result is loss of reputation, loss of profits, leakage of sensitive data and, in the long run, loss of customer trust. So even if you are "just" a software engineer, a basic understanding of computer security is a must.

In computer security there are broadly two kinds of concern: technical hacking and non-technical hacking. In this article I will cover one form of non-technical hacking, social engineering, and one piece of the technical side, password protection.

Social Engineering

Social Engineering Life Cycle
  1. Investigation : The attacker selects a victim, does background research on them and chooses an attack method.
  2. Hook : The attacker approaches the target and begins to spin their story.
  3. Play : They expand on the hook, keeping the victim engaged and extracting the information they need.
  4. Closing : They end the interaction with the victim and move on to a new target.

Now let's look at a simple example.

John is an employee at company X. John's bank account number has been leaked to one of his co-workers, Doe. Doe tries to get into John's account online through the "forgot password" option, which asks two security questions: "First date's name?" and "Favorite fictional character?". So Doe casually chats with John, gets to know him, and slips these questions into their normal conversations. Poor John, unaware of Doe's true intentions, gives the answers away without a second thought. Now John's account is completely empty.

The above is just one of the scenarios a social engineer might use to get what they want. They can come in the form of phone calls impersonating another person, for example someone claiming to be a lead developer who needs the login credentials because he forgot them. They can come through emails that ask for personal information. They can simply wear your company's uniform and talk their way into a site. They can also offer a sweet reward to sway their victims to their side. Remember, the walls of Troy weren't breached by a strong force; they were breached by tricking the guards.

Now let's take a look at the different types of social engineering attacks.

Baiting

Scareware

Pretexting

Phishing

Social Engineering Prevention

✔ Companies should hold awareness meetings with their employees and board members to discuss the latest online fraud techniques.

✔ Incident management should always take social engineering into consideration and be prepared in case such an incident does happen.

✔ Users should never plug unknown peripherals into their systems.

✔ Always verify the sender of an email before clicking on any links it contains.

✔ Keep antivirus software up to date.

Now that we have talked about social engineering, let's move to the technical side. Even though I call this technical, it's something almost every one of us uses every day: passwords.

Password Protection

Almost all of us prefer to use the same password for all our accounts. This is not safe behaviour: if one account's password gets leaked, every other account that uses the same password (including the online bank account) is in jeopardy. So the best practice is to set a different password for each account. Human nature does not make this easy, as we are known to forget things, and the best solution for that is to use a password manager. Organizations should also impose policies that require passwords to be changed after a specific time frame.

There are also ways to protect passwords even if the stored data is stolen. Developers should store passwords properly: storing them as plain text, without any transformation, makes it trivial for attackers to steal them. So it is best that developers change the way they store passwords, and for this they have two options.

  1. Encrypting the Password.
  2. Hashing the password.

Now let's briefly take a look at these two options.

Encrypting the password

  1. Plain Text : The original text, which in this instance is the password.
  2. Encryption Key : The secret key that is used for the encryption.
  3. Encryption Algorithm : The algorithm that, together with the encryption key, transforms the plain text.
  4. Cipher Text : The output produced by transforming the plain text with the help of the encryption key.

Encryption has many different algorithms and processes that I am not going to go through in this article. The most important thing about this process is that it does not change the data type or the file size once encryption is done.

Because encryption is reversible, an attacker who gets their hands on the encrypted password may be able to decrypt it if they also obtain the key and run the algorithm in reverse.

Hashing the password

abxcqr2547#2 -> SALTING -> abxcqr2547#2SALT

Salting is the process of adding an extra value to the original password and then hashing the result. The value that is added is called the salt. Each password gets a different salt, since the salt is normally generated randomly. So, in the end, it is the salted value that gets hashed and stored.

Note: While hashing, it is best not to have collisions (equal hashes). Salting also helps with this problem: because it changes the input, two users who chose the same password no longer end up with the same hash.
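The following is an added example, not code from the original article, showing the difference between a plain unsalted hash and the salted, stretched scheme described above. It uses only the Python standard library; the record format `iterations$salt$digest`, the 16-byte salt and the iteration count are my own choices for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; chosen for the example, tune it to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always produces the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt the password with 16 random bytes and stretch it with PBKDF2-HMAC-SHA256.

    The stored record is 'iterations$salt_hex$digest_hex', so everything needed
    to verify later is kept next to the digest. The salt is not a secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "abxcqr2547#2"  # the sample password from the article
    # Two users who picked the same password: unsalted digests collide,
    # salted records do not, so cracking one row reveals nothing about the other.
    print(unsalted_hash(pw) == unsalted_hash(pw))  # True
    record_a, record_b = hash_password(pw), hash_password(pw)
    print(record_a == record_b)  # False
    print(verify_password(pw, record_a), verify_password("wrong", record_a))  # True False
```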


Associate Software Engineer at Virtusa