Welcome to the basics of some common hacking tactics, an overview of how they work, and what can be done to defend against them.
Brute Force Attacks
One of the oldest hacking tactics is the brute force attack. This involves the hacker testing different username and password combinations until one works. While this can be technically be done manually, the sheer number of possible combinations is generally too time intensive to be realistic. Therefore, hackers usually employ some form of software to randomly generate passwords, and possibly usernames as well if they don't already have one.
Countermeasures
From the user's perspective, the best way to defend against a Brute Force Attack is to simply have a password that is difficult to guess. Most password generation software will try more common passwords first, such as variations of the word "password", common words with random numbers at the start or end, words with certain letters replaced with look-alike numbers, etc., so the more random your password is the less likely it is that such a program could quickly guess it.
Most organizations nowadays employ a variety of methods that make Brute Force Attacks difficult or even impossible, such as password encryption algorithms, two-factor identification methods, or simply locking access to the login page for a few minutes after too many failed login attempts.
Denial of Service Attacks
These attacks come in two main varieties: DoS/DDoS attacks, and DNS attacks. Both serve to do the same thing: flood a target server with so many dummy requests that it's unable to process legitimate ones, effectively taking it offline.
The DoS attack is the most basic form of this: a hacker simply sends rapid-fire requests from their own computer, often making use of a program to streamline the process. This version might slow down a server, but only until network security is able to identify the attack - after that all they need to do is block the hacker's IP address to stop it. The more advanced DDoS attack gets around this by recruiting a large number of "zombie" PCs with different IP addresses to assist. This is usually done by distributing some form of malware to as many different unsuspecting devices as possible, so that the hacker can activate them all at the same time to conduct the attack.
While a DNS attack has the same goal of taking a server down by flooding it with dummy requests, its methodology is a little different. This attack works by spoofing DNS servers, which are what turn internet domain names into IP addresses, by redirecting DNS queries intended for other servers to the target server. After this, the hacker will typically rapidly send queries intended to generate large replies to the DNS server, effectively getting the server to do their dirty work for them. While this method can also make use of "zombie" PCs to increase effectiveness, the fact that the query responses are much larger than the code the hacker is sending effectively means that fewer computers are needed to reach the critical mass necessary to down a server.
Countermeasures
Though it is difficult to outright prevent these sorts of attacks, there are a few ways that a company can make them less effective. Firstly, the more bandwidth they have available to them, the harder a hacker needs to work to reach the critical mass of dummy requests needed to down the servers. Moving to the cloud is a good start, as the cloud typically has more bandwidth and stronger security than private networks. For DNS attacks specifically, using Domain Name System Security Extensions (DNSSEC) adds another layer of security for interactions with DNS server to ensure that no malicious redirections have occurred. Beyond these options, al companies can really do is monitor their network traffic for evidence of these attacks and have a plan of action for what to do if one occurs to ensure a swift response.
Injection Attacks
These attacks involve tricking websites into executing code they did not intend to or modifying the execution of existing code in critical ways. The most common forms are SQL Injection, which targets server side code, and XSS attacks, which target client side code.
XSS attacks involve the hacker exploiting vulnerabilities to inject their own script into a webpage which will later be executed by a victim's browser when they load that page. This can be done to steal data, install viruses, add phishing ads to the webpage, and more. For instance, they might record the login info of victims, or recruit a victim's computer as a "zombie" for a future DDoS attack.
SQL attacks, on the other hand, involve strategically entering data into input boxes in order to trick a SQL query into doing what the hacker wants. To illustrate how this works, we will use a simplified example taken from this YouTube video from channel NetworkChuck:
Say we are logging in to a website that utilizes databases to store its data. We might be given an input box for Username and another for Password. Once we enter these and click the Login button, the system might be running a query that looks something like this:
SELECT * FROM users WHERE username='userNameInput' AND password='passwordInput'
Thus, if we inputted "George" as the username and "password123" as the password, the query would look like this:
SELECT * FROM users WHERE username='George' AND password='password123'
With this query, if the username and password don't both match with data from the users table, no value would be returned and the login would fail, but if there was a user "George" whose password was "password123" the query would find it and successfully log in. Well, what if a hacker wanted to log in to George's account, but didn't know their password? Since this hacker knows how SQL queries operate and how certain characters can affect them, and either knows or can guess at what SQL query is being run after the inputs are received, they might instead use the following input for the username field: George'--. Now, the query that is run looks like this:
SELECT * FROM users WHERE username='George'-- 'AND password='password123'
So what's going on with that query? Well, '--' is the SQL code indicating a comment; essentially it means "ignore everything on this line after this", which means that the "AND password='password123'" line isn't being executed at all, allowing the hacker to login with just a username! And auto-logging in isn't even the worst thing a hacker could do with this exploit. A clever hacker can use it to obtain any sensitive data they want from the database, or even to delete critical information!
Countermeasures
Luckily, there are ways to prevent these sorts of attacks, though not all websites employ them. Firewalls, for instance, can be utilized to prevent XSS attacks by constantly patching the website. As for SQL Injection attacks, the most straightforward countermeasure is to "sanitize" the user input. This essentially means preventing user input from affecting queries by, for example, preventing certain characters (like ' for instance) from being read from user input, escaping user input before entering it into queries, or even constructing the code that executes the query in such a way as to prevent user inputs from being misinterpreted as code.
I hope that this has been an enlightening overview of some of the more common forms of attack that hackers can employ. Remember: use firewalls/antiviruses/anti-malware programs, keep your software up to date, and be careful what you click on!
Top comments (0)