Joseph Steinberg - Cybersecurity For Dummies

Criminals can steal passwords many different ways. Two common methods include

Thefts of password databases: If a criminal steals a password database from an online store, anyone whose password appears in the database is at risk of having their password compromised. (If the store properly encrypted its passwords, it may take time for the criminal to perform what is known as a hash attack, but nonetheless, passwords — especially those that are likely to be tested early on — may still be at risk. To date, stealing passwords is the most common way that passwords are undermined.

Social engineering attacks: Social engineering attacks are attacks in which a criminal tricks people into doing something they would not have done had they realized that the person making the request was tricking them in some way. One example of stealing a password via social engineering is when a criminal pretends to be a member of the target’s tech support department and tells the target that the target must reset a particular password to a particular value to have the associated account tested as is needed after the recovery from some breach, and the target obeys. (For more information, see the earlier section on phishing.)

Credential attacks: Credential attacks are attacks that seek to gain entry into a system by entering, without authorization, a valid username and password combination (or other authentication information as needed). These attacks fall into four primary categories: Brute force: Criminals use automated tools that try all possible passwords until they hit the correct one. Dictionary attacks: Criminals use automated tools to feed every word in the dictionary to a site until they hit the correct one. Calculated attacks: Criminals leverage information about a target to guess the target’s password. Criminals may, for example, try someone’s mother’s maiden name because they can easily garner it for many people by looking at the most common last names of their Facebook friends or from posts on social media. (A Facebook post of “Happy Mother’s Day to my wonderful mother!” that includes a user tag to a woman with a different last name than the user is a good giveaway.) Blended attacks: Some attacks leverage a mix of the preceding techniques — for example, utilizing a list of common last names, or performing a brute force attack technology that dramatically improves its efficiency by leveraging knowledge about how users often form passwords.

Malware: If crooks manage to get malware onto someone’s device, it may capture passwords. (For more details, see the section on malware, earlier in this chapter.)

Network sniffing: If users transmit their password to a site without proper encryption while using a public Wi-Fi network, a criminal using the same network may be able to see that password in transit — as can potentially other criminals connected to networks along the path from the user to the site in question.

Credential stuffing: In credential stuffing, someone attempts to log in to one site using usernames and passwords combinations stolen from another site.

Maintaining computer systems is no trivial matter. Software vendors often release updates, many of which may impact other programs running on a machine. Yet, some patches are absolutely critical to be installed in a timely fashion because they fix bugs in software — bugs that may introduce exploitable security vulnerabilities. The conflict between security and following proper maintenance procedures is a never-ending battle — and security doesn’t often win.

As a result, the vast majority of computers aren’t kept up to date. Even people who do enable automatic updates on their devices may not be up to date — both because checks for updates are done periodically, not every second of every day, and because not all software offers automatic updating. Furthermore, sometimes updates to one piece of software introduce vulnerabilities into another piece of software running on the same device.

If you listen to the news during a report of a major cyberbreach, you’ll frequently hear commentators referring to advanced attacks. While some cyberattacks are clearly more complex than others and require greater technical prowess to launch, no specific, objective definition of an advanced attack exists. That said, from a subjective perspective, you may consider any attack that requires a significant investment in research and development to be successfully executed to be advanced. Of course, the definition of significant investment is also subjective. In some cases, R&D expenditures are so high and attacks are so sophisticated that there is near universal agreement that an attack was advanced. Some experts consider any zero-day attack to be advanced, but others disagree.

Advanced attacks may be opportunistic, targeted, or a combination of both.

Opportunistic attacks are attacks aimed at as many possible targets as possible in order to find some that are susceptible to the attack that was launched. The attacker doesn’t have a list of predefined targets — the attacker’s targets are effectively any and all reachable systems that are vulnerable to the launched attack. These attacks are similar to someone firing a massive shotgun in an area with many targets in the hope that one or more pellets will hit a target that it can penetrate.

Targeted attacks are attacks that target a specific party and typically involve utilizing a series of attack techniques until one eventually succeeds in penetrating into the target. Additional attacks may be launched subsequently in order to move around within the target’s systems.

The goal of most opportunistic attacks is usually to make money — which is why the attackers don’t care whose systems they breach; money is the same regardless of whose systems are breached in order to make it.

Furthermore, in many cases, opportunistic attackers may not care about hiding the fact that a breach occurred — especially after they’ve had time to monetize the breach, for example, by selling lists of passwords or credit card numbers that they stole.

While not all opportunistic attacks are advanced, some certainly are. Opportunistic attacks are quite different than targeted attacks.

When it comes to targeted attacks, successfully breaching any systems not on the target list isn’t considered even a minor success.

For example, if a Russian operative is assigned the mission to hack into the Democratic and Republican parties’ email systems and steal copies of all the email on the parties’ email servers, the mission is going to be deemed a success only if the operative achieves those exact aims. If the operative manages to steal $1 million from an online bank using the same hacking techniques that were directed at the targets, it will not change a failure to breach the intended targets into even a small success. Likewise, if the goal of an attacker launching a targeted attack is to take down the website of a former employer the attacker had issues with, taking down other websites doesn’t accomplish anything in the attacker’s mind.

Because such attackers need to breach their targets no matter how well defended those parties may be, targeted attacks often utilize advanced attack methods — for example, exploiting vulnerabilities not known to the public or to the vendors who would need to fix them.

As you may surmise, advanced targeted attacks are typically carried out by parties with much greater technical prowess than those who carry out opportunistic attacks. Often, but not always, the goal of targeted attacks is to steal data undetected or to inflict serious damage — not to make money. After all, if one’s goal is to make money, why expend resources targeting a well-defended site? Take an opportunistic approach and go after the most poorly defended, relevant sites.