APC Australia

Social engineering

Convincing people to do things not in their interests has become quite the artform, so don’t be fooled. Click here for puppies…


There are all kinds of devious ways that unscrupulous scammers will use to get hold of unsuspecting marks’ data – whether it’s tricking them into installing ransomware or some other kind of malware such as a keylogger, or having them visit a booby-trapped website and enter valuable credentials. Most people nowadays know better than to reply to an email purporting to come from a Nigerian prince who needs some help organising a wire transfer for his considerable inheritance. Indeed, most scammers no longer bother with these kinds of ruses; their game has been considerably upped.

They may play on local events, especially natural disasters. They may also send targeted email based on public information harvested from the target’s social media accounts. For this reason you should be awfully careful about what information you broadcast publicly about yourself. Knowing your interests, location or even those of your friends is enough to gain a data-mining foothold. WannaCry and others like it exploited an unpatched vulnerability in Windows to spread, but this is comparatively rare. Most ransomware, and indeed most unauthorised access to computers, is installed by unwitting users being schemed and duped.

Fraudsters will send email from domains that at a glance look legitimate or direct you to counterfeit websites at such domains. It’s incredibly easy to cosmetically clone an entire website with open source spidering tools which have legitimate uses. Widgets and search facilities are harder to reproduce, but if you can dupe victims into thinking the site is real long enough for them to enter their username and password then you’ve already won. People tend to drop their guard considerably if they feel they are communicating with a friend, so contact lists from plundered email clients are valuable too. Social media accounts then become like gold for scammers.

We’d rather you didn’t use Facebook and such, but if you do, it offers a few ways you can secure your account. In particular, you can nominate a person or persons that you trust so that, in the event you get hacked, they will be able to trigger a password reset for you. You’ll find these and other options in the Security and Login section of Facebook’s settings.

You may have already witnessed hijacked accounts sending messages of the form “Help, I’m trapped in Timbuktu. Please send money”, which are easy enough to sniff out. But with a little imagination and a little knowledge about the victim – and if you have access to their social media you’ll have plenty at your disposal – a much more convincing con can be crafted. Concerned parents, particularly those that aren’t too tech-savvy, will readily part with cash if they think their children are in some sort of danger.

Human beings aren’t really designed to remember passwords or indeed come up with secure ones, so it should come as no surprise that password-reset mechanisms or forgeries thereof are popular means for hijacking accounts. If you search your email address on Troy Hunt’s https://haveibeenpwned.com website, you may well find it has appeared on one of the many lists of breached credentials that are now forever in the public domain.

This doesn’t mean that email address is compromised, just that an account associated with it has been published – possibly something insignificant and maybe even something that has since been secured. For obvious reasons, the actual credentials aren’t listed, so you can’t check their validity. But doing a thorough password audit is never a bad idea. If a password you used on a forum 12 years ago that’s similar to any you use today is in any way traced to a different account, that account is at risk.

It’s a painful process, going through all the places where you may have signed up, resetting passwords or cancelling accounts as appropriate. But it might just save your identity, or prevent your contacts getting phished, or something else beneficent. Rather than trying to remember a bunch of secure and different passwords, it’s much more sensible to use a password manager. That way you just need to remember a single strong password, and have the password manager generate (and remember) hard-to-crack, gibberish passwords for all the sites you use. There are plenty of cross-platform solutions that work through browser extensions and mobile apps, but there are a few that actually support desktop Linux too. Our favourite is KeePassXC (https://keepassxc.org), which is a fork of the largely unmaintained KeePassX (which itself was a fork of the Windows-centric KeePass). You can install an older (but still good) version straight from the Ubuntu repos with

$ sudo apt install keepassxc

or use a snap to get a newer version with

$ sudo snap install keepassxc

Then fire it up from the Applications menu and click ‘Create new database’. The default encryption and storage options are fine for normal humans, but feel free to turn everything up to 11. The next screen is the most important: it’s where you must decide your master passphrase. Choose wisely, and consider writing it down somewhere and keeping it somewhere safe, but not somewhere it’s likely to get stolen. Choose a location for your password database, and consider backing up this file (and all your important files) regularly. Now add your many, many freshly secured passwords. You can sort them into groups, and install the KeePassXC browser extension for Firefox.
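The password audit recommended above, as an added example that is not from the magazine or from KeePassXC: a small Python script that flags exact reuse and near-duplicates (the same word with a different year or trailing symbol, which is how most people “rotate” a password) across a list of site/password pairs. The account list is constructed for illustration; a real run would read an export from your own password manager instead.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data: invented sites and passwords, nobody's real credentials.
SAMPLE_ACCOUNTS = [
    ("old-forum.example", "Summer2010!"),
    ("webmail.example", "summer2019"),
    ("bank.example", "xK9#vQ2pL!mN4wR7"),
    ("shop.example", "xK9#vQ2pL!mN4wR7"),
    ("social.example", "correct horse battery staple"),
]


def normalise(password):
    """Reduce a password to its 'root': lowercase, letters only.
    Digits and punctuation are what people usually change when forced
    to pick a 'new' password, so two passwords with the same root are
    effectively the same secret to anyone who has one of them."""
    return re.sub(r"[^a-z]", "", password.lower())


def classify(pw_a, pw_b, threshold=0.8):
    """Return 'reused' (identical), 'similar' (same root or high
    character-level similarity) or None for a pair of passwords."""
    if pw_a == pw_b:
        return "reused"
    root_a, root_b = normalise(pw_a), normalise(pw_b)
    # A very short root (e.g. a single letter) would match far too much.
    if len(root_a) >= 4 and root_a == root_b:
        return "similar"
    ratio = SequenceMatcher(None, pw_a.lower(), pw_b.lower()).ratio()
    return "similar" if ratio >= threshold else None


def audit(accounts, threshold=0.8):
    """Compare every pair of accounts; return sorted (site_a, site_b, verdict)
    for the pairs whose passwords are reused or too similar."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(accounts, 2):
        verdict = classify(pw_a, pw_b, threshold)
        if verdict:
            findings.append((site_a, site_b, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for site_a, site_b, verdict in audit(SAMPLE_ACCOUNTS):
        print(f"{verdict:8s} {site_a} <-> {site_b}")
```

Any site that appears in a finding needs a fresh, unrelated password; a “similar” hit means a leak of the old forum password puts the newer account at risk too.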

A MATTER OF FACTOR

Many services now offer two-factor authentication (2FA), where besides a password some other token is required. Often this second factor is an SMS message, but there are problems with this. For one, a determined attacker may have the means to carry out a SIM-swap attack, whereby mobile network staff are socially engineered (or bribed or blackmailed) into porting the victim’s phone number to an attacker’s SIM.

Mobile malware is becoming more and more prevalent (don’t sideload apps you don’t trust!) and if the victim’s phone has fallen victim to such then their SMS messages will all be up for grabs. The SS7 protocol that connects cellular networks has long been a source of concern for the security conscious. Once you have access to any cellular network – whether that’s internally through a rogue employee or externally by some devious hackery – it’s actually possible to access any other network and intercept or reroute messages as befits your whim. So using SMS as a second factor is certainly stronger than using no second factor at all, but other factors should be used for critical services.

Hardware tokens and security keys are becoming much more widely supported as a second factor for popular services. The Challenge-Response card readers required by some forms of internet banking are an example; they add credence to the notion that it is the account holder trying to make a given transaction by proving that whoever is doing so has their card and PIN number. Unfortunately, these devices tend to spend most of their time getting lost or running out of battery at the most inopportune moments.

That’s the problem with real-world security: it has to take into account all the silly mistakes real world humans are so good at. Stay safe!

[Image caption] KeePassXC’s advanced settings are nothing if not impressive, but the defaults are fine for us.

[Image caption] Generate unwieldy passwords without worrying about having to remember them.

[Image caption] GitHub supports 2FA. First set it up to use Google Authenticator, then you can use a U2F token.
