Ethical Hacking

  1. INTRODUCTION
    1. Security Concepts
    2. Technological threat
  2. SOCIAL ENGINEERING
    1. Concept
    2. Where do the attacks appear?
    3. How are we vulnerable?
    4. Why is social engineering so effective?
    5. Profile of a Social Engineer
    6. How does a Social Engineer work?
    7. Forms of attack
      1. Computerized
      2. Human
      3. Combined
    8. Impact generated by a social engineering attack
    9. Possible infection identifiers
    10. Attack examples
  3. SAFE ENVIRONMENT
    1. Advanced passwords
    2. Examples of passwords
    3. Most Common Security Errors
    4. Most important points

1-INTRODUCTION

  1. Security

According to the dictionary, security is the quality of being safe, where safe means free and clear of danger.

In our case we can say that Computer Security is the state of being free of danger or, in other words, a group of actions whose objective is to protect information and computer systems against any risk or action that would endanger the security of our systems.

  2. Technological Threat

Any action that endangers our information.

On the Internet we can communicate easily and almost instantaneously with people who may be on the other side of the planet, and unless we know that person in real life, we can hardly know with certainty whether that person is a doctor, dentist, plumber, carpenter, teacher, painter, architect, lawyer, veterinarian, or maybe a usurper, delinquent, swindler, thief, looter, kidnapper, or scammer …

This is why, just like in real life, on the Internet we can follow the same advice that we apply in daily life:

  • Do not talk to strangers
    • That means if you do not know who is on the other side of the computer, it is better to keep your words to yourself.
  • Do not accept gifts from strangers
    • Again, if you do not know the person who sent you a file, stay away from it and move the file to the trash can.
  • Never reveal personal information
    • Example: if you are walking in the street and somebody asks you for your credit card number, do you give it to him?

So, if we translate this advice into the technological world, we could say:

  • Do not install unknown or dubious software
  • Do not open files that we do not know

If we follow these simple rules, we can avoid being victims of many internet dangers.

2-SOCIAL ENGINEERING

  1. Concept

In Computer Science, Social Engineering is the art of obtaining information of any kind through the manipulation of legitimate users. It is a technique used by researchers and criminals, including computer criminals, to extract data, access or privileges from computer systems, which allow them to carry out a harmful act or simply to expose the victim by compromising their confidential information.

It is a skill that the attacker uses consciously and, many times, in a planned way to obtain information from third parties.

Social engineering depends on the fact that people are not aware of their valuable information and are careless in keeping it secure.

The principle on which social engineering is based is: “In any system, the human factor is the weakest link.”

  2. Where do the attacks appear?

  • Online: Browsing the Internet is an easy way to receive attacks, whether by e-mail, by browsing unknown pages or through social networks (Twitter, Facebook, Hi5, Instagram …)
  • Phone: Requesting information, usually by posing as a legitimate representative of a telephone company or banking institution
  • Face to face: A personal approach, trying to find out sensitive information

  3. How are we vulnerable?

  • Our nature to trust easily
  • The topic is unknown to us
  • Lack of security policies
  • We have information accessible or in plain sight
  • Unsecured information transfer

  4. Why is social engineering so effective?

  • There is no computer program or electronic equipment that can defend us from this attack
  • Security policies can be as strong as a “steel chain”, but their weakest link is the human factor
  • There is no method that ensures a 100% defense against this attack
  • Human error is the easiest error to commit

  5. Profile of a Social Engineer

The qualities that a social engineer must possess to excel in this discipline can be several: from his ability to relate to his peers to his ambitions, his knowledge of computer science, his appearance of innocence, his credibility and his degree of curiosity.

Some of the most important features include the following:

  • Ability to socialize easily
  • Skill in speaking
  • Skill in the art of persuasion
  • Sounding convincing
  • Pretending to be harmless
  • Maintaining a low profile
  • Always smiling
  • A comfortable tone of voice

  6. How does a Social Engineer work?

– Investigate the victim

The first step is to research the victim: find out what the victim likes (music, favorite band, food, clothes, shoes, video games), the websites the victim visits regularly, social networks, email address; all of this information is useful.

– Develop an attack plan

Once the attacker has enough information, they develop an attack using the information obtained previously, applying different techniques depending on the information they want to obtain.

– Get sensitive information

Finally, what happens next depends on the kind of attacker. If the attacker has bad intentions, it is almost certain that our information will be made public, used to commit crimes, or used to impersonate us in a cybercrime; or the attacker may use our credit card number to buy things online, or use our internet connection to carry out other attacks.

  7. Forms of attack

There are different basic forms of attack:

  1. Computerized

Once computer equipment became accessible to most of us, the range of possibilities, methods and techniques to control and manipulate it grew rapidly, and at the same time the ways of stealing information increased.

A computer virus is not created by itself; it is created by someone with special knowledge and skills, with the objective of stealing information and damaging the computer system.

Any action that endangers our information and is carried out through computer software, such as viruses, worms, Trojans, among others:

  • Trojan

It allows a person to access the infected computer or collect data and send it over the Internet to a stranger.

Trojan horses seek to steal confidential user data, such as passwords.

  • Time bomb

They are programmed to activate at certain times. The most popular is the virus called “Friday the 13th”.

  • Hijackers

They are programs or scripts that “hijack” Internet browsers, mainly Internet Explorer.

They install toolbars in the browser and can prevent access to certain pages.

  • Boot Virus (Auto Boot)

The virus is activated when the computer is turned on and the operating system is loaded.

  • Worm Virus

The virus is programmed so that it only multiplies itself, filling the memory with garbage.

  • Zombie Machine

It occurs when the computer has been infected and is being controlled by third parties. They can use internal commands that instruct the computer to infect others on your network.

  • Keylogger

Key capture, screen capture and browser history. They hide and send the information obtained to their creator.

  • Polymorphic viruses

They are viruses that change constantly, that is, they modify their internal code, so each copy is different from the previous one, making it difficult to detect and eliminate.

  2. Human

Gathering sensitive information by interacting with people, through attacks that rely on trust, fear and the natural tendency of human beings to help.

  • Posing as an internal or external person and requesting information
  • Making false calls from supposed internal staff
  • Impersonating an operator of a bank, telephone or mail company
  • Listening to other people’s conversations
  • Viewing photos, videos, audio recordings, writings, documents, cell phones
  • Talking more at social gatherings where alcoholic drinks are consumed
  • Trying to obtain an important position

  3. Combined: “Fishing” (phishing)

One of the ways in which computer-based social engineering can appear is called “Fishing” (phishing). The term is used because it consists of sending false requests to the victim: at first they are asked for basic data, and each time the requests escalate, asking for more and more important data until the objective is achieved; in the best case the victim recognizes the attack and drops the matter.

We can find these false requests in:

  • False internet pages
  • Facebook
  • Twitter
  • YouTube
  • Hotmail
  • Gmail
  • Post of alleged banks requesting our data
  • Recover email password or social network
  • Portable devices
  • USB
  • SMS
  8. Impact generated by a social engineering attack

  • Theft of confidential information
  • Exposing the institution and colleagues
  • Putting our own security at risk
  • Identity theft
  • Loss of personal information
  • Economic loss
  • Loss of privacy
  • Irreparable damage to computer equipment

It is important to maintain a state of control within an institution, in order to keep information secure within our facilities and avoid information leakage, while maintaining a solid state of trust, with the understanding that no partner presents a risk of information theft.

  9. Indicators of possible infection

Identifying whether we have a computer virus can be confusing: the many activities carried out on a computer can be mistaken for the behaviour of a virus, and many times we let it pass.

  • Fake e-mails and junk mail (such as chain letters or unknown presentations)
  • False pages (strange, different, badly ordered, in a different language)
  • No response is received when filling in the requested fields
  • Nothing happens when you click on “Send, Install, Download, Next or Accept”
  • We are flooded with informal or incoherent requests
  • They claim our information as if it were theirs
  • Deceptive or ridiculous offers
  • Browsers display pages that we did not request
  • Anti-virus disabled
  • Mail is sent without authorization
  • Toolbar options disappear
  • The password of one of our accounts has been changed
  • Slow Internet
  • The computer displays error messages for no reason
  • Messages are sent via MSN to our contacts without authorization
  • Applications frequently freeze
  • Some browser pages stop working
  • You cannot browse the internet because the pages are blocked

  10. Attack examples

Toolbars

Most free programs maintain a strong relationship with the largest virus providers. This does not mean that these programs directly install viruses, but they do contribute a lot to turning the user into the victim of an attack.

Installation risks

When performing an installation, it is VERY IMPORTANT to read the instructions before clicking “Next” and “Yes, I accept”.

In many of the installers that we believe to be reliable, there are companies that pay to be included in those installers in order to reach the victim faster.

Fake pages

A survey pretending to be run by Google and directed at the user. We can notice that the page on which it is located does not belong to Google.

A fake Twitter portal asks us to enter our username and password because our session has supposedly expired.

When you click on the ads, software is installed or you are asked for credit card information or personal data, in exchange for the “prize” supposedly won.

Ads for false prizes. They try to trick the user into being infected with viruses or malicious objects by referring to attractive prizes.

Fake Facebook

Ads that imitate the colors and style of social networks, inviting us to reactivate our account or change our password.

Sometimes we are asked to re-enter our username and password for some reason such as “connection loss” or “verifying that we really are who we say we are”, among others.
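The fake Google, Twitter and Facebook pages above share the sign the text points at: the page is not located on the brand's own domain. As an added example, not part of the original handout, the following Python check reads the host from a URL and decides whether it really belongs to the brand the page claims to be; the brand/domain table and the .test sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list (an assumption, not from the original text): the real
# registered domain each brand's login or survey pages may live under.
BRAND_DOMAINS = {
    "google": "google.com",
    "twitter": "twitter.com",
    "facebook": "facebook.com",
}

def host_belongs_to(host, domain):
    """True if host is the registered domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify_login_page(url, claimed_brand):
    """Return (verdict, reason) for a page that presents itself as claimed_brand.

    Only the host part of the URL decides: that is the server the browser
    talks to. Brand names in the user-info part (before '@'), in the path or
    query, or as a label inside somebody else's domain do not count.
    """
    brand = claimed_brand.lower()
    domain = BRAND_DOMAINS.get(brand)
    if domain is None:
        return "unknown", f"no reference domain known for {claimed_brand}"
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "suspicious", "page is not served over https"
    if parts.username is not None:
        return "suspicious", "text before '@' is user-info, the real host is " + host
    if host_belongs_to(host, domain):
        return "ok", f"host {host} belongs to {domain}"
    if brand in host:
        return "suspicious", f"'{brand}' appears inside another domain: {host}"
    if brand in (parts.path + "?" + parts.query).lower():
        return "suspicious", f"'{brand}' appears only in the path or query, host is {host}"
    return "suspicious", f"host {host} does not belong to {domain}"

if __name__ == "__main__":
    # Constructed sample URLs; .test is a reserved, non-routable top-level domain.
    samples = [("https://accounts.google.com/signin", "google"),
               ("https://google.com.survey-example.test/win", "google"),
               ("https://google.com@survey-example.test/", "google"),
               ("https://example.test/twitter/session-expired", "twitter")]
    for url, brand in samples:
        print(url, "->", classify_login_page(url, brand))
```

A verdict of ok only says the host name is the brand's own; it does not replace checking the certificate in the browser, and a page on a real domain can still be misused.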

False virus alerts and advertising.

Announcements inviting us to participate in small, innocent-looking contests, or to download icons for instant messaging.

They also produce fake antivirus windows warning about possible threats; when the advertisement is clicked, malicious software is installed.

Easy money.

While we know that nobody gives money away, the internet is no exception: nobody gives money for answering questions or surveys, and the only thing we gain is that we end up giving them our money.

Gifts

Fake gifts invite us to locate someone through a fake satellite service.


3-SAFE ENVIRONMENT

  1. Advanced passwords

These are the requirements for a secure password:

  • It has at least eight characters.
  • It does not contain the user name, the real name or the name of the company.
  • It does not contain a complete word.
  • It is significantly different from previous passwords.
  • It is composed of characters from each of the following four categories:

Character category examples:

  • Uppercase letters: A, B, C … X, Y, Z
  • Lowercase letters: a, b, c … x, y, z
  • Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Keyboard symbols and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : " ' < > , . ? /
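As an added example, not part of the original handout, the following Python function checks a candidate password against the five rules above and reports which ones it breaks; the small word list, the similarity threshold of 0.6 and the sample passwords are constructed assumptions.

```python
import string
from difflib import SequenceMatcher

# The four character categories the handout lists.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "symbols": set("`~!@#$%^&*()_-+={}[]\\|:\"'<>,.?/ "),
}

# Constructed stand-in for a real dictionary (assumption, not from the handout).
SMALL_DICTIONARY = {"password", "welcome", "summer", "admin", "dragon"}

# Assumed threshold: a difflib ratio of 0.6 or more to an old password is "too similar".
SIMILARITY_LIMIT = 0.6

def check_password(candidate, user_name="", real_name="", company="",
                   previous=(), dictionary=SMALL_DICTIONARY):
    """Return the list of handout rules the candidate breaks ([] = accepted)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    # Rule: no user name, real name or company name (any word of them).
    for label, name in (("user name", user_name), ("real name", real_name),
                        ("company name", company)):
        if any(part and part in lowered for part in name.lower().split()):
            problems.append(f"contains the {label}")
    # Rule: no complete dictionary word anywhere in the password.
    found = sorted(w for w in dictionary if w in lowered)
    if found:
        problems.append(f"contains the complete word '{found[0]}'")
    # Rule: at least one character from each of the four categories.
    missing = [name for name, chars in CATEGORIES.items()
               if not any(ch in chars for ch in candidate)]
    if missing:
        problems.append("missing categories: " + ", ".join(missing))
    # Rule: significantly different from previous passwords.
    if any(SequenceMatcher(None, candidate, old).ratio() >= SIMILARITY_LIMIT
           for old in previous):
        problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords checked for a user at the fictional company "Acme".
    for pw in ("password1", "Acme!2024", "Tr0ub4d0r&3"):
        print(pw, "->", check_password(pw, company="Acme") or "OK")
```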
  3. Most Common Security Errors

There are certain important points to keep in mind in order to avoid being vulnerable to a social engineering attack.

  • Passwords written on sticky notes
  • Sensitive information written on blackboards
  • Sensitive documents left on the desk
  • A calendar, personal agenda, telephone or to-do list left lying around
  • An access card, access key or file left behind
  • Papers left in the printer
  • Windows you are working in left open on the computer
  • Documents left in the trash, in the printer or in the computer’s “Recycle Bin”
  • Credentials or badges that show the name or employee code
  • Connecting unknown storage devices inside the company

  4. Most important points

  • Follow the security policies established in the unit
  • Use secure passwords that are renewed periodically
  • Carefully observe visitors entering the building; beware of “curious people who want to know everything”
  • Remember that any type of information is valuable and should not be taken lightly
  • The three most common means of information theft are: internet, telephone and face to face
  • Once an attack attempt is detected, inform the corresponding personnel so they can follow up
  • Remember the vulnerabilities we have and strengthen them to avoid social engineering attacks
  • Attacks can be made on people not close to our area in order to infect the entire building if it is not protected as recommended
  • Be attentive to the information we receive and also to the information we give
  • Viruses that infect computers are effective only if the user allows it, and they can be found on external devices (USB memory, cell phones, hard drives, etc.)