Why You Weren’t Hacked

I spend a lot of time in this blog talking about writing and indulging in my geekiness. I’d like to devote some time to the other reason this website was established. In college, I devoted my last two years to the study of technological security. There’s a deep dark underbelly of the Internet, much like you can find in any real city. In fact, the Internet’s underbelly isn’t all that hard to stumble into. Many people brush against the edges of it daily (just look at all the emails your spam filter catches, or misses). Protecting yourself from internet theft is one of the most important skills a person can have, and that skill is only gained through education. Unfortunately, despite our predilection for letting the Internet seep deeper into every aspect of our culture, we don’t teach a class on this in school.

Recently, I’ve noticed a rash of spam messages on both Facebook and Twitter, usually followed by a message along the lines of “My account was hacked! I’ve changed my password!” The spam doesn’t bother me too much; everyone makes mistakes now and then. It’s the response that gets under my skin. That might make me sound like a horrible person, but it goes back to the education I mentioned before. That statement shows a lack of understanding of fundamental Internet security. The only way to prevent this kind of ‘hacking’ is to learn what’s really happening.

Note my use of quotation marks when I say hacking. The first thing people need to understand about these ‘hacks’ is that they weren’t hacked.

If a spam link to a video, diet page, etc. appears on your Facebook wall, you were not hacked. If a strange DM containing a dangerous link goes out to everyone who follows you on Twitter, you were not hacked.

In the popular imagination, hacking is the primary evil of the internet, second only to illegal downloading. Everyone understands that it’s bad, and so are the people who do it. Hacking gives people access to accounts and information they shouldn’t otherwise be privy to. So every time something goes wrong on the Internet, every time something seems out of place, we blame it on the hackers.

People need to understand that real hacking takes a great deal of time and effort. A hacker can’t just type your name into the Facebook login screen and magically grant themselves access to your account. It’s true they could use a brute-force attack to ‘guess’ your password, but brute-forcing takes hours at the very least, even with an automated program doing the work, and a site that locks the account after a handful of wrong guesses makes it impractical. Hacking into a person’s account isn’t something a hacker can do on a whim; it takes hours of research and preparation to carry out that kind of attack. Hackers are extremely patient people: they scout their targets for months, sometimes years, before they make a strike, and when they do, they do so in stealth. Unless a hacker owns up to hacking you, you’re unlikely to ever know they were there. Hacker Croll, the man who hacked Twitter via an employee’s Gmail account, first spent months building a profile on his target and searching for a weak spot he could exploit to gain access to sensitive information. Hacker Croll also had a purpose for spending so much time working up to his attack: he wanted to prove a point about companies using insecure business practices and bring the danger to their attention.

Most instances of real hacking are against either large corporations, such as the Twitter incident, or celebrities, such as the case of Sarah Palin’s email account being broken into by using Wikipedia to look up the answers to her password-reset security questions (which is a whole other blog entry, let me tell you). When it comes to hackers, the stakes have to be high; the payoff has to be worth all that time and effort. So why would a hacker waste the hours involved in getting into Joe Schmoe’s Facebook account when he, or she, stands to gain nothing from it?

The answer is simply that they wouldn’t.

When a rogue link appears on a person’s account, it has nothing to do with hacking. No one forced their way into the account and put it there. Instead, people are experiencing phishing (pronounced “fishing”). While phishing can be grouped with ‘hacking’ when discussing network security, it’s really a scam: a con aimed at you, not an attack on the computer. A large share of spam email is phishing, though a good spam filter will catch most of it. Phishing is a lot like those people who call you trying to steal your credit card number. In simplest terms, phishing is an attempt to make you give up personal information by directing you to a link or website which looks trustworthy and asking you to enter information which seems reasonable for the service depicted on the website. But instead of logging you in to a service, the page records what you typed to a file for later use; often it then forwards you to the real site so that nothing looks wrong. Phishers use this method to steal things like passwords to banking sites and credit card information.

Is it as bad and evil as hacking? Sure it is. But it’s much easier to protect yourself against. In the case of a hacker, you have to know someone’s trying to break into your account to stop them. Changing your password is a good way to lock a hacker out again, though it won’t stop them if they’re determined. In the case of phishing, changing your password only undoes the one incident; it does nothing about the next. You can fall prey to phishing over and over if you don’t understand how it works.

Phishing relies on your input. In some cases, a spam bot can replicate messages to all the contacts in your address book, or write itself onto your Facebook wall, as soon as you click the link, typically by tricking you into granting a third-party application access to your account. But everything that works against phishing stops these bots as well. First and foremost: NEVER click on a link that leads to an unfamiliar website. Twitter makes this particularly difficult because it obscures link destinations by shortening links posted by users. In most other situations, however, including Facebook and email, hovering the cursor over the link without clicking will show its true destination in the status bar. One caveat: hovering shows where the link points right now, and a web page’s script can rewrite that destination at the moment you click, so treat the hover check as a first filter rather than a guarantee (in email, where scripts don’t run, it is more reliable). For instance, the link below says paypal.com, but mousing over it will reveal ‘http://megancutler.net’, the main page of my website:

www.paypal.com

Anyone can make this kind of fake link. It takes about two seconds in a WYSIWYG (what you see is what you get) editor like the one provided by WordPress with which I’m writing this entry.
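As an added example that is not part of the original post: this is the kind of check a mail client or browser extension could run to catch the paypal.com-but-goes-elsewhere trick automatically, instead of relying on a human to hover over every link. It runs under Node.js, parses a small HTML snippet constructed here for the demonstration (the hostnames in it are placeholders, not real sites), and goes a step beyond the post’s own example by also flagging lookalike hosts such as paypal.com.something.example, links whose text contains no URL at all (so there is nothing to check the destination against), and links that aren’t http(s) links in the first place.

```javascript
// Added example (not from the original post): flag links whose visible text
// claims one site while the href points somewhere else, the trick described
// above. Runs under Node.js; the HTML snippet below is constructed for this
// demonstration and every hostname in it is a placeholder.

// Minimal anchor extractor for the simple <a href="...">text</a> markup used
// here. A real scanner would use a proper HTML parser (or the DOM in a browser).
function extractAnchors(html) {
  const anchors = [];
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']*)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = re.exec(html)) !== null) {
    anchors.push({ href: m[1].trim(), text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return anchors;
}

// Pull a hostname out of link text such as "www.paypal.com" or
// "https://bank.example/login". Returns null if the text isn't URL-like.
function hostFromText(text) {
  const m = text.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

// The host the link actually leads to; null for javascript:, mailto:, etc.
function hostFromHref(href) {
  try {
    const u = new URL(href);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Treat "www.paypal.com" and "paypal.com" as the same site, but refuse
// "paypal.com.attacker.example": the claimed name must equal the href host
// or be a suffix of it preceded by a dot.
function sameSite(claimed, actual) {
  const strip = (h) => h.replace(/^www\./, "");
  const c = strip(claimed);
  const a = strip(actual);
  return a === c || a.endsWith("." + c);
}

function classifyLink({ href, text }) {
  const actual = hostFromHref(href);
  if (actual === null) return "suspicious: non-http link (" + href + ")";
  const claimed = hostFromText(text);
  if (claimed === null) return "unverifiable: text is not a URL, destination " + actual;
  return sameSite(claimed, actual)
    ? "ok: " + actual
    : "PHISHY: text says " + claimed + " but link goes to " + actual;
}

function scanHtml(html) {
  return extractAnchors(html).map((a) => ({ ...a, verdict: classifyLink(a) }));
}

// Constructed sample: the post's own example plus a few common variants.
const SAMPLE_HTML = `
<p>Please verify your account at <a href="http://megancutler.net">www.paypal.com</a>.</p>
<p>Or use <a href="https://paypal.com.account-verify.example/login">https://paypal.com</a>.</p>
<p>Legit: <a href="https://www.paypal.com/signin">paypal.com</a></p>
<p>Shortened: <a href="http://bit.ly/abc123">click here</a></p>
<p>Script: <a href="javascript:alert(1)">www.paypal.com</a></p>
`;

for (const r of scanHtml(SAMPLE_HTML)) {
  console.log(`${r.text.padEnd(22)} -> ${r.verdict}`);
}
```

The “unverifiable” verdict is deliberate: a link whose text is just “click here” can’t be compared against anything, which is exactly the situation shortened Twitter links put you in, so the only honest answer is to show the real destination and let the reader decide.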

Never trust that an email link leads to your bank’s website or any other web service with which you share sensitive information. Instead, go to the website directly by typing the address yourself or using a bookmark (preferably over HTTPS instead of HTTP), or call your bank to see if they were trying to contact you. Remember that your bank and other legitimate web services will NEVER ask for your password, or other personal data, via email.

If you realize you’ve given your password to a phisher, change it right away, and change it on any other site where you used the same password. That won’t solve the problem, however, unless you learn to spot phishing scams so that you don’t give out the new password too. In the case of a bot link, changing your password won’t make a difference; the damage is done, and the bot can only act if you click on the link, so simply not clicking is protection enough. If you did click and the link had you grant an application access to your account, revoke that access in the account’s application settings as well.

A virus scanner with an active scan, such as AVG, adds another layer of protection against rogue links. If you allow the scanner to work while you browse the web, it will warn you away from websites already reported as dangerous and block known threats before they reach your computer. It can’t know about a phishing page that was set up this morning, though, so it supplements the hover check rather than replacing it. If you use Firefox, Web of Trust is another good tool for judging links: the community rates websites by reputation. A green circle beside a link means nobody has reported a problem, not that the site is proven safe; a red circle means others have found the website dangerous and you should avoid it; a yellow circle means caution, and you can decide whether or not you wish to trust it.

And if you see any messages like the one I mentioned before, you may want to explain the difference between Hacking and Phishing. After all, knowledge is the only way to break the cycle.

6 Replies to “Why You Weren’t Hacked”

    1. I don’t think it’s a lack of sophistication ;) There really should be classes for this sort of thing. I became aware of most of this stuff during my IT classes in college, but most people are never exposed to it until it’s too late.

  1. I think people say “I was hacked” because it sounds better than “I clicked on a link I shouldn’t have.” It makes the victim seem less stupid.

    1. haha :) certainly true! The people that really drive me nuts are the ones that get all up in arms when you try to explain how things work to them. You can change your password a million times, but if you keep clicking on bad links, it’ll never do you any good.

  2. I totally agree that people need to be better educated. Why is it that we live in a world where the internet pervades every corner of our lives yet there’s no class for general knowledge being taught to our children that are of an age where computer/internet use is commonplace or even necessary? Doesn’t make any sense. Even worse is that they are learning it on their own or by a generation that knows even less than they do. Internet basics should be mandatory in grade 4-5 so they can protect not only themselves but anyone else in the home who happens to be using the computer that is exposed to the internets. I would totally teach that class!

    1. I totally agree! We were taught how to use a library in high school, including how to use internet databases to search for information and articles. It only makes sense that we be educated as to how to protect ourselves on the internet. Worse, it seems that credit card scammers are now using some of the same methods over the phone and banking on people’s inability to understand technology to steal their credit card information. Someone called me and tried to tell me that my computer was malfunctioning. Luckily I knew enough to call bullshit.
