This article was published on April 16, 2016

We talked to an ethical hacker, here’s what we learned


We talked to an ethical hacker, here’s what we learned

Believe it or not, not all hackers are malicious.

Ethical hackers are experts hired to support organizations and governments and keep their systems secure. These ethical hackers provide expertise to protect citizens and regular people from malicious hackers. We recently sat down with one to learn more about the most effective tactics and strategies you can use to protect yourself from malicious hackers.

What do you think when people call you an ethical hacker?

I don’t know, really. It sounds very badass, but the term also implies that I am above the law and make my own rules. That’s not true. There are clear rules for what I can and cannot do, and it would be very unwise for me to break those rules. I could land in jail, and certainly lose my job.

What kind of hacking do you do? How did you get started with it?

My job is to find security holes in applications and report them to the developers along with suggestions on how to fix them. I got started during my teenage years by learning programming and reading articles on hacking.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

In my job, I carefully test applications for unexpected behavior. To be an ethical hacker, you need to have a very good knowledge of the software and protocols that are commonly used and know how they compile to machine code. Once I gain access to a system it’s usually over for me. I explain in detail how I got access, and what this access would allow me to do.

I have to think, ‘How can an attacker gain illegitimate access to a user account?’ I then use the same strategies that a hacker would use, and think very much like them. I can’t stop thinking about security when I browse the web. There are so many things that are being done wrong, and a lot of times the user is left to fend for themselves.

Which of my accounts would hackers try to break into, why, and how?

Most hackers are motivated by money. The most likely thing to be targeted is your internet banking account, credit card or other payment accounts. Recently, a type of malware known as “ransomware” appears to have taken a surge in popularity. Ransomware is a type of malware that encrypts your files, preventing you from accessing them until you pay the hackers to release your files.

ransomware

But, hackers might also be motivated politically or personally. Hacking can be a form of violence in an abusive relationship, or a way for people to get back at their boss.

What are the most common ways that people get hacked?

The most problematic scenario is when a hacker infects your computer with malware. After that happens, the victim will likely quickly lose control over their online accounts. Hackers get access to everything: your data, your communications, your finances. Everything.

There are many ways this could happen. The most common would be for you to visit a compromised website and inadvertently download malicious software. This can happen through widely known security holes in outdated versions of your browser, or PDF and flash plugins. That’s why it’s so important to always keep your computer updated.

Malware might also come bundled with other software, hidden in a pirated game, buried in a free VPN, or embedded in a file sharing app. I recommend people install software only from trusted sources, and verify this software when downloading it from third parties. In some sophisticated hacking cases the malware would be sent directly to the target in the form of an attachment, or stored in a USB stick lying around outside your house or office.

This might sound strange or obvious to some, but do not plug unknown random devices into your computer. Verify the source of your software whenever possible, especially if you have downloaded a torrent. If you can, run software on dedicated computers or inside virtual machines.

Once this malware is installed on your computer the effects can be huge. It can copy your cookies with which the attackers can access the services you are currently logged into. They can access your private pictures and read your passwords by just logging what you type. They can even access your webcam and take pictures or screenshots without you knowing it.

security

Often enough, the malware will simply encrypt your entire drive, and only give you the data back after you’ve paid a hefty ransom.

Your online accounts are also common targets for hackers. The most dangerous point of access is the email account that you use to sign up for services like Facebook. Most sites allow anybody to reset your password just by having access to this email address. The service then sends an email to your address with a link to set a new password. If hackers have access to that primary email they can easily get access to all your other services.

One way a hacker does that is to simply guess your password, which is successful especially if the service allows them to make millions of attempts per minute. Additionally, if you use a system to generate passwords (such as your pet’s name plus the name of the site plus your birth date), they can guess your system and deduce other passwords.

Again, there are also more targeted attacks in which the attacker sends you so-called phishing mail. It might look very legitimate and often has urgent-sounding content such as your bank telling you that you need to click an “accept” button to accept some money being transferred to you.

When you click on the link, instead of being directed to your bank’s website to log in, you’re sent to a site that looks identical to your bank’s site. Unfortunately, that site is controlled by a hacker. When you try logging in to that site, your login details are instantly sent to the hackers who later use it to take over your account.

group, hackers, hacking

Keeping your accounts secure should not give you a headache. There are two simple solutions – you can install a password manager and enable two-factor-authentication. Additionally, double check to see you are connecting to the correct site by typing in the site name directly in the browser bar, or use a previously saved bookmark. It’s also good to train yourself to look out for encryption too! (Lifehacker previously covered HTTPS Everywhere.)

If you do log in to your account on someone else’s computer, or on a public computer, make sure you log out, and NEVER log in to your email at the Airport free internet kiosk!

How does a person realize they’ve been hacked? And what should they do at that point?

If you suddenly get password reset emails or 2FA authentication codes that you haven’t requested you should immediately be on alert. Sites like Google and Facebook also allow you to review previous logins and deactivate sessions remotely, in case you forgot to log out somewhere (here are links for Google and Facebook respectively). Another obvious symptom of hacking is when your account starts spamming your contacts with strange emails.

If you think you’ve been hacked, err on the side of vigilance and change your passwords. Do it now and change as many as you can. Don’t use the same password twice, and use your password manager to generate secure passwords.

If you’re lost about where to start, your email password is likely the most important – once somebody compromises that, they can usually reset any other website’s password through the “forgot password” prompts.

This is extremely urgent and important. For instance, if someone gained access to your email account, they could have access to your Paypal account. They can purchase things online – anything illegal would be traced back to you. You might have to cover these purchases out of your own pocket.

mobile shopping online e-commerce

Once you’re sure nobody else is reading your mail, make a list of other important sites and change them all one by one.

It’s also never a bad time to check your computers for malware. Personally, if I couldn’t work out what I did wrong to get hacked, I’d assume it was malware and probably take the opportunity to erase my hard drive to be sure it’s gone (note: a small number of particularly persistent viruses can still remain in the BIOS). In the very worst case, start off with a fresh machine.

How can people minimize the likelihood of getting hacked?

This is by no means an exhaustive list, but here are some methods:

  • Never click on links in emails and enter data like your username or password into website. Instead, it’s better to type the URL manually or use a bookmark.
  • Use an ad blocker. Sometimes ad networks get hacked, allowing the hackers to install malware on your machine.(You can use something like AdBlock, which Lifehacker has covered before. Lifehacker has covered uBlock as well.)
  • Use a VPN when you use public WiFi. People do sometimes sit in coffee shops “sniffing” for personal data. Sometimes the router is itself infected with malware, recording every step its users make on its networks and sending it home. A VPN encrypts your data so that it’s exponentially harder for hackers to decrypt and read.
  • Don’t use pirated software. Pirated software frequently comes with malware. Pirates are not always benevolent people who volunteer their time so that you can get games and software for free. They are often criminals who make money by exposing their ‘customers’ to serious malware.
  • Turn off autoplay for CD-Roms (Windows, Mac) and USB sticks (Windows). When possible, avoid CDs and USBs, and use Dropbox, Google Drive, or some other similar service instead.
  • When you’re uploading files to Dropbox or Google Drive, encrypt the files and folders with PGP or Veracrypt. (Lifehacker covers file encryption here.)
  • If a site offers you two-factor authentication, make use of it.
  • If you travel frequently, as Lifehacker commenters suggest, try an app like Google Authenticator. This makes it significantly more difficult for an attacker to gain access to these accounts. For example, if you enable two-factor authentication in Gmail, an attacker would also need to steal your phone in order to log into your account on their machine.

Get the TNW newsletter

Get the most important tech news in your inbox each week.