Information security is paramount in our digital world. Whether it is your work project or your personal life, nothing is immune to black-hat attacks. In this article, I will tell you about some of the common attack types so you can be prepared.
Most people think they need not bother about cyber attacks. Really, if you look at it, why would anyone bother cracking your bank account for whatever savings you might have when they could hack a bank, or, say, the Pentagon?
In practice, it is a bit more complicated than that. While banks, no doubt, have quite a lot more money than your savings account, they are also notoriously hard to get into. Every bank has an army of cybersecurity specialists working day and night to protect their systems, and do not even get me started on the Pentagon. The early days of the internet are long past, and large organizations have figured it out.
Regular users, on the other hand, are not educated about cybersecurity. Yes, every one of them in isolation yields a negligible profit, but there are so many of us. It is much easier to work on tens of thousands of blissful internet users and even if only a hundred of them are actually hacked, it is already a win. In other words, contemporary hackers are focusing on quantity over quality.
Which is good news for us! It turns out that it is much easier to protect yourself from scaled attacks, if only you understand how they actually work.
Man-in-the-middle (MITM) attacks
These are some of the most common and easiest types of attacks. It is called man-in-the-middle because that is precisely how it works.
The basics of MITM attacks are displayed on the diagram above. Under normal operation, the client talks to the server directly. If an attacker gains the ability to read and intercept network traffic between you and the server, he becomes the man in the middle.
With the ability to intercept and change the content you exchange with the server, the attacker can do many things. He can steal your password from any website you go to, inject custom HTML into webpages and, ultimately, gain control of your system.
Now you understand what MITM attacks are, but how is it even possible to intercept network traffic like this? Why do we have all that encryption stuff then?
The good news is, the encryption works (most of the time). MITM attacks are ineffective against protected protocols like HTTPS or FTPS. While it is very easy to decrypt and intercept HTTPS traffic, it is impossible to encrypt it back. To do so, you need access to a certificate, which is stored securely (hopefully) on the remote server. I think many of you are familiar with errors like this:
It explains itself perfectly. Such errors occur when network traffic is encrypted using an invalid certificate. Whether it is outdated, or your system is misconfigured, or there is an actual attack going on, the browser will promptly let you know. If you see this error on a website that is not under active development, it must mean that your traffic is openly available to anyone.
Securing the browser
If you are using HTTP, the traffic is not encrypted at all. Anyone can openly read and modify it. That is why everyone is moving away from HTTP as fast as possible. This is where your first line of defence is. To make sure you never access a website over HTTP, install the HTTPS Everywhere plugin:
This plugin was developed by the Electronic Frontier Foundation, a non-profit organization that aims to help people stay safe online. It will make sure you access everything over HTTPS, so you do not go to the HTTP version by accident. If you are using a website that does not support HTTPS, I would strongly reconsider using a resource that does not care at all about your privacy. You can get the plugin for Firefox or Chrome.
Securing the network
If your WiFi router is properly set up, MITM attacks will be very hard to perform on your local network. You are looking for two settings: the network encryption and ARP spoofing protection.
The encryption setting determines how the traffic between your machine and the router is encrypted. If it is using an outdated encryption suite, attackers will be able to get into your network and listen to the traffic effortlessly. To check and change your setting, you need to log in to your router admin panel. Most often, the address and credentials will be written on a sticker on the router itself. If it is not there, consult the user’s manual for your specific router. Once you get to the admin panel, you are looking for the wireless security settings. Here is how this page looks on my TP-Link C1900 router:
You need to find the page with these settings and ensure you are using the latest version of WPA encryption (WPA2-PSK at the time of writing). You also need to specify a secure enough password; I will talk more about that later.
Securing the clients
If your WiFi and browser are protected, good job. The last thing to do is check your root certificates. These are used by the system to check whether encrypted (HTTPS) traffic is legitimate. An attacker can secretly install his own root certificate on your system and intercept HTTPS traffic without the browser detecting it.
For Windows users, there is an easy-to-use command line tool to list all third-party certificates. You can download it from here. Once downloaded, run this command in the folder:
.\sigcheck.exe -tv
After a second, it will give you a list of all certificates installed on your system by third parties. You need to carefully examine this list and make sure you know what they are and whether you trust them. If in doubt, you can google the name and issuer for more info. If you believe any of these are suspicious, you can easily delete them. Press Win+R and type certlm.msc in the prompt. This window will pop up:
Navigating the folders on the left, you will easily find the unwanted certificates and delete them with a right click. Be careful not to delete any legitimate certificates: that would render HTTPS completely unusable.
For macOS users, there is no easy tool available to list third-party certificates. What you can do, however, is open the Keychain tool and view them manually:
Using the left-hand side menu, you can effortlessly search for certificates and make sure you trust them.
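The manual review described above (Windows via sigcheck and certlm.msc, macOS via Keychain) can be backed by a small script. The following is an added example written for this article, not code from sigcheck, Microsoft or Apple: it reads the root certificates that Python's ssl module can see in the default trust store and flags self-signed roots whose organisation is not on an allowlist, plus roots that have already expired. The allowlist KNOWN_ROOT_ORGS is a constructed, hypothetical starting point that you would extend with the vendors you actually trust.

```python
"""Audit the root certificates visible to Python's ssl module and flag the
ones you did not knowingly install.  Added example for this article, not part
of any tool it mentions; the allowlist below is constructed for illustration."""
import ssl
import time

# Organisations whose roots you expect to find (constructed, hypothetical
# allowlist; extend it with the vendors you actually trust).
KNOWN_ROOT_ORGS = {
    "DigiCert Inc",
    "Internet Security Research Group",
    "Microsoft Corporation",
}


def _field(name_tuple, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    subject/issuer tuples that ssl returns: ((('k', 'v'),), ...)."""
    for rdn in name_tuple:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def audit_roots(certs, known_orgs=KNOWN_ROOT_ORGS, now=None):
    """Return a list of (commonName, reason) for certificates that deserve a
    closer look: self-signed roots from an organisation not on the allowlist,
    and roots that have already expired at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    findings = []
    for cert in certs:
        cn = _field(cert["subject"], "commonName") or "<no CN>"
        org = _field(cert["subject"], "organizationName")
        # A root certificate signs itself, so subject and issuer match.
        self_signed = cert["subject"] == cert["issuer"]
        if self_signed and org not in known_orgs:
            findings.append((cn, f"unknown root issuer: {org!r}"))
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            findings.append((cn, "expired"))
    return findings


def system_roots():
    """Certificates in the default trust store as Python sees them.  On Windows
    this reads the ROOT and CA stores; elsewhere it is the OpenSSL CA bundle
    (certificates in a capath directory only appear once they have been used)."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    for cn, reason in audit_roots(system_roots()):
        print(f"{reason:40} {cn}")
```

Anything reported as an unknown root issuer is exactly the kind of entry the article says to look up before deciding whether to keep it; an interception proxy's root will show up here because it is self-signed and not from a public CA.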
Offensive
Once you have secured your network, it might be beneficial to try to perform a MITM attack on it yourself, to make sure it does not work. The two most common tools for this are mitmproxy and Wireshark.
Wireshark is a comprehensive network administration tool that lets you view your network traffic packet by packet and see everything that is happening on your WiFi. The tool is really complex and its usage is beyond the scope of this article, but if you are interested, here is an awesome tutorial on Wireshark.
Open ports attacks
By default, your local network should be inaccessible from the outside world. The way local networks are exposed to the internet is through port forwarding.
Every piece of server software listens on a specified port. For HTTP/HTTPS it is 80/443, for SSH it is 22, and so on. Every machine can open and close its ports as desired. But how does the router determine which ports should be forwarded from the internet to which machine?
Assume a simple home network with an HTTP server running on a PC and a CCTV server running on a DVR. The PC wants to listen on ports 80/443 and the DVR on 3777. The router, then, will have a port forwarding table which specifies what requests should be sent to what machines.
Why is port forwarding a security concern? Because you are opening your local network to the entire world, and any system on the internet can try connecting to it. If a vulnerability emerged yesterday in Apache or a Minecraft server, hackers have entire botnets to scan the network for open ports running old software. And if an attacker gains access to a single machine on your local network, he has just got the keys to the rest of the devices.
So, if you are running any servers and enabled port forwarding on your router, it becomes your responsibility to keep the exposed software updated constantly. If you have a bunch of servers running and do not want to expose them all to the dangers of the outside world, consider setting up a VPN.
What if you are a regular internet user and do not run any servers on your local network? Are you safe then? Maybe.
While port forwarding requires setup and must be enabled first, there is another feature that most routers have on by default. I am talking about UPnP port forwarding. Instead of you entering the port forwarding table manually, servers can directly ask the router to temporarily forward a port. Most often this is used by torrent clients to make peer-to-peer connections.
Why is this unsafe? If an attacker gets a piece of malware onto your computer (which happens very often), it can ask the router to open a certain port (the remote desktop one, for example) without you even noticing. Thankfully, this option is easy to turn off. Look for the UPnP port forwarding setting on your router admin page. Here is how it looks on my TP-Link C1900 router:
Here are the instructions for D-Link and Asus.
Offensive
Once you think your local network is secure enough, you can try scanning it for open ports to see if there are any that you missed. Such tools are called port scanners and are freely available online. Firstly, you can go to this website and scan your ports from the outside, on the internet. Once those are closed, you can use nmap to scan ports on your local network.
To install nmap, follow the official docs depending on your OS. Once installed, you can scan any machine on your local network like this:
$ nmap <IP ADDRESS HERE>
nmap will let you know in the output if any ports are open on the IP address specified.
Password attacks
Last but not least, we have the basic password attacks. These can vary from mining data breaches of popular websites to basic brute-force attacks.
Most likely, this is not your first year on the internet, and you probably have accounts on many different websites. Sometimes these websites are hacked and passwords are leaked, or there was merely an accident that leaked those passwords. Regardless of the cause, some of your passwords are openly available in darknet databases.
This is not that big of an issue if you use different passwords for different accounts, but let’s be honest: do you? Even if they are different, they are commonly variations of one “base” password, and by procuring one of them, it is easy to get the rest.
So your first step would be to change the passwords on your accounts until you have different passwords for all of them. You may be wondering: how can I ever remember a bunch of strong, long passwords that look like HB*IOYuih345879(*09? But you don’t have to.
The truth is, symbols and numbers are not what makes a password secure. Length is. If your password is a plain English sentence of about 25 characters, it will be way more secure than F7@ga!oP. Computing speeds are catching up, and modern video cards can crack 8-character passwords with many symbols quite easily. So, these “secure” passwords are both insecure and hard to remember!
Instead, try to form long, memorable sentences as your passwords that are unique to you. Using this approach, you will be able to remember your passwords easily and make them almost impossible to crack.
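To put numbers on the length-versus-symbols argument, here is an added example for this article (not the author's code): it estimates the brute-force search space of a password from its length and the character classes it uses, and converts that into the time an attacker trying every combination would need. The guessing rate GUESSES_PER_SECOND is an assumed, hypothetical figure, not a measurement of any particular hardware.

```python
"""Brute-force search-space estimate for passwords, added as an example for
this article.  Models the attacker the article describes: one who tries every
combination of the character classes present in the password."""
import math
import string

# Character classes an exhaustive attacker has to cover once he sees them used.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),      # 26
    ("upper", set(string.ascii_uppercase)),      # 26
    ("digit", set(string.digits)),               # 10
    ("symbol", set(string.punctuation + " ")),   # 33, space counted as a symbol
]

# Assumed offline guessing rate against a fast hash (hypothetical figure).
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(password):
    """Names of the character classes that appear in the password."""
    chars = set(password)
    return [name for name, cls in CLASSES if chars & cls]


def charset_size(password):
    """Size of the alphabet a brute-forcer must cover for this password."""
    chars = set(password)
    return sum(len(cls) for _, cls in CLASSES if chars & cls)


def entropy_bits(password):
    """Bits of brute-force work: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years needed to try every combination at the assumed rate."""
    return 2 ** entropy_bits(password) / rate / SECONDS_PER_YEAR


def report(password):
    """Summary dict for one password."""
    return {
        "length": len(password),
        "classes": classes_used(password),
        "bits": round(entropy_bits(password), 1),
        "years": years_to_exhaust(password),
    }


if __name__ == "__main__":
    # The article's 8-character example versus a 25-character sentence.
    for pw in ("F7@ga!oP", "the cat sat on my red mat"):
        r = report(pw)
        print(f"{pw!r:30} {r['length']:3} chars  {r['bits']:6.1f} bits  "
              f"{r['years']:.3g} years  classes={r['classes']}")
```

The eight-character example comes out at roughly 53 bits, which at the assumed rate is gone in under a day, while the lowercase sentence is around 147 bits. One caveat: this is the exhaustive-search bound. A sentence lifted from a book or a song is a dictionary entry to a cracking tool, so the article's advice to make the sentence unique to you is what keeps the real cost near this estimate.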
Lastly, once you have your accounts secured, it may be beneficial to still know if one of the services you are using is breached, or if your email shows up in one of the leaks. Such services are available, both free and paid.
Firefox Monitor
If you are a Firefox user, you are already using this tool, and maybe even saw messages like these:
If you are not using Firefox, consider switching to it. If you strongly oppose using secure browsers, you can still use the tool freely from any browser on this website.
Password managers
Most password managers (1Password, Keeper) have this functionality as a paid add-on. I do not want to be posting ads, so, if you are interested, look them up in search.
Closing notes
Thank you for reading my article on the basics of cyber self-defence, I hope you found it useful.
Resources
- Free Cybersecurity course on Coursera
- How Passwordless SSH login works
- Use Syncthing to create a cloud without a cloud