A Practical Defence against Computer HackingWill Mann
4th February 2019
I’m almost 100% certain that anyone reading this owns an internet-enabled device. This can be a phone in your pocket, a smartwatch on your wrist, a tablet in your backpack or a laptop sitting on your desk. Most devices nowadays have the potential to be ‘smartified’ or in other words access to the internet. For example, Samsung a while ago unveiled a new fridge, yes fridge, that has a screen on the door – which is used like a big tablet. It can keep track of items stored inside, know when food items are out-of-date or even order new groceries online, as well as doing any other thing a tablet could do (play games, watch movies etc.). But why, as a society, must we demand something of this nature? We don’t need a device of this calibre to store our food items, so why do we have it? Well the answer is plain and simple. We are living in an internet age, where everyday processes are either being updated or removed. No in between. One good example of this is the Uber taxi app, which is driving black cab drivers to strike as they are losing their traditional clientele to a new fancy app that makes life so much simpler.
Now with the new way of life comes a new way to destroy it. Yep, I’m talking about cybercrime. The process of committing something illegal, only this time you are behind a computer screen. The power of the internet allows these acts to be committed from anywhere with a connection online and the appropriate tools. This technology allows one to become anonymous online, so they can do and say as they please, hiding behind a fake account name or email address to ‘protect’ themselves. For the most part, this doesn’t work as the NSA and the staff at GCHQ are extremely good at tracking these people down, but for the cases where it does work, the hackers online are all but vulnerable. Therefore, what can we, as the victims in all this, can do to stop it?
So, before we begin, let’s get a sense of perspective here. The most likely targets that hackers would choose are large companies that store a lot of personal data, like Yahoo for example. In December 2016, Yahoo admitted that 3 years previously over 1 billion of their accounts had been hacked. Fortunately for them, they did not store users passwords in plain text or any form of banking/payment information. But they still gained access to users’ names, email addresses and phone numbers. Hackers, when they choose to attack large companies, are expecting the process to be quite challenging, as the cybersecurity budget of those businesses are quite substantial. Moreover, the reward they receive at the other end means that they can gain access to huge amounts of personal data, either banking information or contact details, which will earn them a large sum of money, as scamming organisations and other members on the ‘deep web’ will pay a fortune for this data.
This now leads the chain back to you and me. As I mentioned in my WellingTEN talk, the weakest element of the computer chain is the users. The users can give a hacker access to information or files that they shouldn’t have access to. Falling for techniques based on Social Engineering, people must be vigilant when browsing online, otherwise they could fall for these easy traps.
This leads me onto the purpose of this article. If I tried to list the many forms of defence required to defend a computer, I could be here until the end of my A-Levels. They all range in effectiveness, practicality and efficiency. But good news! Most of this already is handled by your computer/tablet/phone already. Each operating system on these devices have their own form of anti-virus, which I’m sure you can guess what the purpose of it is. These protect your devices from many forms of attack from different programs. But, unfortunately, like many products in the world, the market has a large range. Norton, AVG, MacAfee are some of the big names out there already, and they are all very good at defending your computer from attack, but at the other end of the spectrum exists some other less-effective software. Windows Defender for example, is not smart enough to defend your computer. It is predictable in its algorithms; therefore, many attacks can slip past unnoticed. Windows Defender comes preinstalled on all Windows computers, but a recommendation from me is to upgrade this ASAP. (N.B. School provided Surface operators, you have little to fear, Wellington already provides a very efficient anti-virus solution on all Surface devices)
For other devices, you are not as defenceless. Apple users, all Apple devices come preinstalled with their own proprietary anti-virus software. Their effectiveness is still not perfect, as if you have a good knowledge of the Macintosh or iDevice ecosystem, you can easily avoid the gaze of the anti-virus, making a hacker’s role quite easy if they know where to look. Recommendation: you may want to upgrade the Apple defence as well.
Now I can go on all day about what software you should invest in, but it won’t be effective against a Social Engineering attack, which is an attack against the user of a computer, exploiting the human element. The user is the weakest element of a computer’s defensive chain. No question about it. You could have spent millions on a state-of-the-art firewall, but this still won’t help you if your password is ‘Pa55w0rd’. Mistakes like these can cause major incidents. For example, in May 2017, the NHS and many other major companies around the work were all lock out of their files by the ransomware WannaCry, which was spread through scam email.
With social engineering hackers will try to impersonate you or extort you. The methods they would use to do this vary, but I’m going to address common ones. They can try piece together a profile about you based on what they can gather online. If they link your picture to your email to your hobbies, they can setup a fake profile of you, and if anything, illegal happens it will be traced back to you. Also, they could use this information for a dictionary attack. This is an attack that tries to guess your password to something by iterating over a list of words and interests of yours. This is seen in the TV show Mr Robot, and is factually accurate about the process. How many of you use a hobby of yours, your favourite pet, someone close to you or a combination of them all? The hacker’s program will work through these combinations until it finds a match. Also, how many of you have a password that they use for multiple accounts across the web? If the hacker has that one password, they can use it for the multiple accounts. If the answer is yes to either of the previous questions, I would recommend changing your passwords across your accounts to something less predictable. Less predictable = something longer, involving more numbers/symbols and something that is less linkable to you. If you are struggling to keep track of all these passwords, there are many password managing software around that will keep your passwords to hand, encrypted of course. Some examples are LastPass, 1Password and Dashlane. Better passwords = Safer online data. Also, remember to keep track of what data about you is online, as a lot of it is easy to find.
There is also one other common element of social engineering that we haven’t discovered yet, phishing. A phishing attack is very common around the internet and can be very successful if the targets aren’t aware of what happens online. False advertisements, fake emails and scam telephone calls are some approaches that they would make, using their little information they have about you to find out more. These attacks can happen very small scale, or on a much larger basis. For example, in the UK, our biggest phishing attack was 3 men who launch sophisticated attacks to access the accounts of bank customers in 14 different countries, stealing £59m. Moving across Europe, the CEO of plane part manufacturer FACC for 17 years, Waltar Stephan, fell for a phishing scam that cost the company around £39m. He was sacked by the board shortly after, because of his gullibility of this scam online. Facebook, Google and Apple have all lost collectively over $1bn due to fraud and scams in the recent years. I think the lesson to learn here is: with great power comes great online responsibility.
This isn’t just aimed large corporations or people earning a lot more than many of us today. It can be aimed at everyone. I’m sure, those of you who have Facebook, over the recent years there have been some scams going around, such as the “YouTube” links on messenger, which hijack your account and steal your personal data while spreading the message from your account. Or the links on your timeline saying “Look how cool this was: bit.ly/abc123’. Same principle here. In terms of emails, there is a similar concept, but instead they may add malware to your computer to hoover up data, or inject ads onto your computer, or even use your webcam/microphone – all to sell on to get a substantial sum of money.
In terms of a practical defence against phishing scams, the advice I would give is be vigilant in your travels online. If you receive a message or an email or a post on your timeline that you don’t trust, do not, DO NOT, click any links associated with it. No attachments, no giveaway links – even sometimes the Unsubscribe button. There are some programs that will act as a Spam Filter on your email inbox, and thankfully Wellington has one preinstalled by default on each of your respective Outlook accounts. But if you get one, delete the message as soon as possible, that way it won’t be a concern.
To conclude, if you plan on spending any time online, which I have no doubt that you will, be careful. Double check what you are signing up for, what links you click and what apps you download. There is potential everywhere online, so make sure to not be ignorant. I hope I have educated some of you about the dangers of computer hacking, and how for you it could be prevented.