Life Online Makes Hacking a Real Threat to Private Information

Published Apr 13, 2017 by Ray Musumba in Information Security


Life Online Makes Hacking a Real Threat to Private Information

In today's online and vastly interconnected world, your risk of getting hacked increases with each keystroke.

On my commute today, the gentleman next to me asked if I was in college because he noticed the textbooks I had with me. We got some small talk going and he asked what program I was in. Right after I told him I was studying IT he said, "I hear you guys are very dangerous and can withdraw money from banks." I must have mentally pointed out at least five fallacious ideas in his statement, but simply laughed and told him he was thinking of hackers. More specifically, black hat hackers. To me, the conversation I had with the gentleman was a reflection of the misconceptions about who hackers are, how they do it, and their motivations. So who exactly is a hacker? And why does the thought of getting hacked make people uneasy?

A hacker is a person who gains unauthorized access to a computer system using any combination of tools and techniques to illegally access private or confidential information.

Motivating factors for hackers vary greatly, but financial gain (which the gentleman next to me was insinuating) is a top contender. It is also important to understand that there are different kinds of hackers, that is, black hat hackers – the bad guys, white hat hackers – the good guys, widely known as ethical hackers, and grey hat hackers, who fall in-between the two. This post focuses on black hat hackers, some of the methods they may employ to hack unsuspecting victims, and how you can protect yourself against hacking.

1. Phishing

You've probably seen the spam messages that your mailbox has filtered for you, and you've seen the weird looking links in them; that's one avenue for phishing scams. Phishing will usually involve fake websites, emails, and phone calls (key word: FAKE) which are designed to steal your personal information and are usually financially motivated. Microsoft goes into a bit more detail on how to recognize a phishing scam. You should make sure to carefully inspect the emails sent to you; check the sender, their email address, subject, and the message body, and don't click on any link that looks "phishy". Phishing scams will usually stick out like a sore thumb, but other times they will be engineered to near perfection so it might take a keen eye to spot.

2. Dictionary Attack

This technique is used to break into a password-protected system (such as a computer or a website) by exhausting all the possible words in the dictionary (hence the name) to obtain your password. You might be thinking "Who uses a dictionary word as a password?", but the truth would shock your jaw to the floor. Most people don't like to have too many passwords to remember, and certainly not complex ones. It's human nature. The result; simple, easy-to-guess passwords which are a recipe for sloppy information security, which consequently leaves you exposed to hacking. Mitigate the risk by employing best security practices such as using complex passwords and passphrases, combining uppercase and lowercase letters (and throwing in some special characters and numbers) in your passwords, frequently changing and rotating your passwords, not writing them down, and using different passwords on different websites, among others.

3. Eavesdropping

As the name suggests this involves a hacker sitting in between you and the server or machine you're communicating with and secretly listening in on your "conversation" using a tool that captures data packets (the data that is sent over a network) such as Wireshark. One way to get ahead of hackers who uses this technique is to use strong encryption. What that does is to make it difficult for an unauthorized person to see the information you're transmitting over a network by turning it into a block of code that does not make sense. If you visit a website requiring you to enter sensitive information such as login credentials and credit card details, ensure that the website's link starts with "https://", signifying that the information being exchanged is encrypted. And while it is possible for a hacker to bypass encryption, it offers reasonable assurance that the information they steal will no longer be useful by the time get it.

4. Social Engineering

This is perhaps one of the most common yet overlooked ways to get hacked, especially in Kenya, where users are tricked into revealing personal information that may be used for malicious activities. If you've never imagined that a person's brain could get hacked, you may be exposed. In the age of mobile and internet banking, there have been numerous cases reported about fraudulent and unauthorized transactions because users told a "representative" their PIN or password on a phone call. Security Education, Training and Awareness (SETA) programs are one way to combat social engineering; people need to stay informed on how to protect their privacy in an online world.

5. Malware

From the name, malware simply means malicious software and is deliberately planted in a computer system by hackers using a number of techniques, from the more passive phishing scams to the more active methods that see you knowingly download software but unknowingly install malware bundled with it. It's important to understand that malware takes many forms, but we won't delve into the details. All you need to know is that they're bad... really bad! Their intent may vary from the simple annoyance – such as opening popup ads in your browser, to secretly stealing your personal information – by logging what you type on your keyboard and transmitting to the hacker. The risk can be mitigated through a number of ways, from simply installing an antivirus program and keeping its signatures up to date, to downloading software only from trusted sources such as the vendor's websites.

While the information security discussion can run deep, this information will hopefully guide you in staying one step ahead and securing your private information. I encourage further reading on the concepts discussed, as this information is not only for tech-savvy individuals. Don't wait until you're a victim of an attack. Feel free to share your opinions and experiences below.

By Ray Musumba
Forensic & Cyber Risk Advisor

Next: Information Security Data Protection: Securing Your Personal Information in the Digit…