Today I am going to be talking about different types of computer attacks, including the difference between phishing and whaling attacks.
Now, these are not necessarily things you should be worried about on a day-to-day basis. You are not going to come across all of these very often, and some of the more advanced ones we talk about towards the end are more like server-side attacks that you, as an individual, really are not going to be concerned with. They are still useful to know about, to get a better general sense of security and best practices, or just because you find them interesting.
So let's get into them. You may have heard of some of these before. One of the most well-known ones you probably already do know about, and if you don't, then this is definitely one to pay attention to.
Phishing Attacks
This is an essential one to know about. Phishing is basically where a fake website is set up and you are tricked into entering your real login credentials into it.
A lot of times it starts with an email, or you might get a search result in Google that is a fake result linking to what you think is Amazon, or an Amazon listing, but the address is actually something like amazon.something.com, where they add little bits to trick you if you don't look closely. The page itself looks just like the real website, because that is exactly how they designed it.
If you input your credentials there, then they have them. They can either use that login to get into your real Amazon account and maybe order things through it, or they might just bundle up all the credentials they collect and sell them on the dark web. A lot of times hackers will buy those databases, search through them, and try the same password from one database on several different websites, because they know a lot of people reuse the same login.
So this is why you want to check the URL of any link you are clicking. Don't click suspicious links, even if they seem legitimate, because the moment you type in your information, they have you.
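As an added example (not from the article), here is a small Python check for the look-alike-address trick described above: it compares a link's host against a fixed list of sites you actually mean to log in to (the TRUSTED_DOMAINS list and the link values are constructed for the demo) and rejects hosts that merely contain the trusted name.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: the sites we actually mean to log in to.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk"}


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, without credentials or port.

    Returns "" for a URL a browser would reject, e.g. a non-numeric port such as
    user@amazon.com:evil.example, so that it is never treated as trusted.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    try:
        parts.port  # raises ValueError when the "port" is not a number
    except ValueError:
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted_host(url: str) -> bool:
    """True only if the host IS a trusted domain or a real subdomain of one.

    The check is anchored at the right-hand end of the host name, so look-alikes
    such as amazon.something.com, amazon-login.com or amazon.com.evil.example are
    rejected even though they contain the word "amazon".
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_links(urls):
    """Split a batch of links (from an email, say) into trusted and suspicious."""
    trusted, suspicious = [], []
    for u in urls:
        (trusted if is_trusted_host(u) else suspicious).append(u)
    return trusted, suspicious
```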
Now, to go further with the metaphor, you could say that phishing is more of a wide net being cast.
Spear Phishing Attacks
Spear phishing is where the hacker specifically targets a very small group of people or one individual person, and this is a lot harder to detect.
A lot of times, if they are targeting a specific company, or a specific department within a company, they will handcraft the scam email so that it contains a lot of relevant information.
That makes it difficult to tell it is a scam, because it may be very, very similar to the everyday emails that department receives.
Example of spear phishing.
Say a company gets what looks like a sales request for a big order. The email says something like, "Can you log into this page so we can place the order?" You get the idea.
That one is completely made up, obviously, but it shows how they may target a specific group of people. They may address the person by name, and they do a lot of research on the company they are sending to, so the email may appear to come from a competitor's address or something similar. Using terminology and details the victim recognizes just makes it much more likely that the person will trust it.
Whaling Attacks
Whaling is basically when an attacker goes after a high-profile target within a company. They may go after executives like the CEO or the CTO (Chief Technology Officer), or other high-level individuals within the organization.
It is actually a lot like spear phishing, just aimed at one specific high-value target. The simple reason for that is that if you get the login credentials of a powerful person within a company, you can obviously do a lot more damage. If you are able to impersonate that person, you might be able to get a lower-ranking employee to transfer a bunch of money by saying, "We got this big sale, send the money to this person."
The lower-level employee will believe it, because they don't want to go against what the CEO says. So whaling is basically just like spear phishing, except it doesn't have to involve collecting credentials through a fake website. The target could be approached through any number of means, like phone and email.
Voice Phishing Attacks
Voice phishing, or vishing, is where instead of sending an email that directs you to a fake website, the attacker calls you up and impersonates another employee or a certain company. They may even say, "We have a fraudster on your account," while being the fraudster themselves.
You have probably heard of these types of attacks. Voice phishing is another form of social engineering, which is basically a confidence trick: they just talk the person into doing what they want. In this form it simply happens over the phone, and social engineering is really what all of the attacks we have talked about so far have in common.
Password Attacks
Here a hacker breaks into a website's server and downloads the database of usernames and passwords. Usually the passwords will be hashed, a kind of one-way scrambling, so it is not like they are stored in plain text. The hacker first has to crack those hashes before they can actually use the passwords to log in to the website.
Different ways the hacker may crack those passwords:
Brute force attack.
What they do is take a randomly or sequentially generated string of characters and numbers, hash it, and compare that hash against the hashes they downloaded. When there is a match, they know that string is actually that person's password.
A brute force attack is literally trying every single possible combination, and each guess is compared against all the downloaded passwords at once, or as many as possible. So they will start off with "a", then "b", then "c", then "d", then "ab", "ac", and so on. This will probably take a very long time, so instead a lot of hackers use a dictionary attack.
Dictionary attack.
The hacker has a dictionary that first tries maybe even millions of common passwords, which unlocks all of the very weak passwords that people use. Literally "password1" is probably one of the first passwords that will be cracked, and then they have the logins and passwords for everyone who uses that weak password.
That is reason number one why you don't want to use a very common word or phrase as a password. There is also a way they can combine a dictionary attack with a brute force attack: they take each dictionary word and then brute force additional characters on the end of it.
Composition of a good password.
- Capital letters (ABC)
- Lower case (def)
- Special characters (.*?!_)
Special characters especially help, because they are not really in the dictionary. It makes it way more time consuming for your password to be cracked, so hopefully the hacker will give up and say, "Okay, I have enough passwords."
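The following is an added Python example, not code from the article, that puts numbers on the three cracking strategies above (dictionary, dictionary plus brute-forced extra characters, full brute force) to show why avoiding common words and mixing character classes matters; the common-password list and the guess rate are assumed, constructed figures.

```python
import string
from typing import Tuple

# Constructed stand-in for an attacker's common-password list (real ones hold millions).
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein", "welcome"]

# Assumed guess rate for offline cracking of a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must cover: every class present counts."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return size or 1  # avoid a zero alphabet for e.g. non-ASCII-only input


def estimate_guesses(password: str) -> Tuple[str, int]:
    """Worst-case guesses under the article's strategies, cheapest one first.

    1. dictionary: a common password is found at its position in the list
    2. dictionary+bruteforce: common word plus a short suffix costs the list
       size times the suffix's search space
    3. bruteforce: every combination of the alphabet up to this length
    """
    if password in COMMON_PASSWORDS:
        return "dictionary", COMMON_PASSWORDS.index(password) + 1
    for word in COMMON_PASSWORDS:
        if password.startswith(word) and len(password) - len(word) <= 3:
            suffix = password[len(word):]
            space = charset_size(suffix) ** len(suffix)
            return "dictionary+bruteforce", len(COMMON_PASSWORDS) * space
    n = charset_size(password)
    return "bruteforce", sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_crack(password: str) -> float:
    """Worst-case cracking time at the assumed guess rate."""
    return estimate_guesses(password)[1] / GUESSES_PER_SECOND
```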
They might still go one by one and try to crack all of them, but mostly it is the weak ones that fall. Okay, now on to the next types of attacks. You probably don't have to worry about these, because they happen to servers and at the enterprise level, not to individual people.
Denial of service attacks and distributed denial of service attacks (DoS & DDoS)
Denial of service attack.
Basically the attacker floods the server with so much data and so many requests that it overloads the server and it can't respond to requests from real people. In this case the server will presumably stay offline for as long as the hacker sustains the attack.
Distributed denial of service attack.
Here the hacker uses what's called a botnet, which is basically a big group of zombie computers or hacked servers that has been collected ahead of time using a virus, for example a Trojan, so that the hacker controls a bunch of computers around the world.
They will all pile on to the one server the hacker wants to attack. This makes it a lot easier to sustain much larger attacks, because now you are not limited by one hacker's bandwidth; you have the combined bandwidth of all the computers in the botnet. These are actually very common.
SQL injection.
This is basically when a website uses some kind of database and has an input field whose contents go into that database. A lot of times that database is SQL; that is just the technology behind it.
Normally when you type information into a field it gets entered into the database, which is expecting just some information like your name or address. But if the website is not configured properly, what a hacker can do is enter a command into that input box. When the back-end server processes the box, it takes the input, sees the command, and actually runs the command instead of just storing the data.
If this is possible, there are a lot of very malicious things the hacker can do. One example is the command "DROP TABLE", which basically deletes an entire table out of the database. It could delete a ton of data and basically destroy the database, all because someone was able to enter a command in a field that was never supposed to accept one. And speaking of incorrectly set up websites...
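Added example, not from the article: the same customer lookup written the broken way (form field pasted into the SQL text) and the fixed way (parameterised query), using Python's built-in sqlite3 with a constructed table. sqlite3's execute() refuses a second stacked statement, so the DROP TABLE case from the text is not reproduced here; the quote-breaking behaviour it relies on is.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed customer table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("Alice", "alice@example.com"), ("Bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """The broken pattern: the form field is pasted straight into the SQL text,
    so a quote character in the input ends the string and whatever follows is
    run as part of the command (on drivers that allow stacked statements, that
    is where the article's DROP TABLE would go)."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """The fix: a parameterised query. The value travels separately from the SQL
    text, so the database only ever treats it as data, never as a command."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```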
Cross site scripting.
Say there is a comments section, which obviously is expected to just have people leaving comments if an article is very good. If it is not set up correctly, instead of leaving a comment, an attacker could actually leave some kind of code in there, like HTML or even a script.
The browser loading the website sees that script and runs it. It doesn't know that this is just a comments section that is not supposed to be able to run a script; the website does not mark that part as "not a script", so the browser just runs all the code on the page, including the script in the comments section, which could be malicious.
This is stored cross site scripting, because that script is actually stored on the website permanently until the site owner realizes and deletes it.
Reflected cross site scripting.
This one is a little bit different. You might not have realized that on some websites a well-crafted link can carry a script in the URL, and the page will automatically put that data into what the browser displays.
The browser then sees that script on the website, thinks it is part of the website, and runs it. Again you are taken advantage of, except this time the script was injected through the URL rather than stored on the site.
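Added Python example (not the article's code) covering both the stored case and the reflected case above: a constructed in-memory comment list rendered without and with output escaping, plus a search page that echoes a URL parameter the same safe way.

```python
import html

# Constructed in-memory comment store standing in for the site's database.
COMMENTS = []


def add_comment(author: str, body: str) -> None:
    """Store a comment exactly as submitted; escaping belongs at render time."""
    COMMENTS.append((author, body))


def render_comments_vulnerable() -> str:
    """Broken: stored comment text is pasted into the page as-is, so a comment
    containing <script> becomes part of the page for every visitor (stored XSS)."""
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in COMMENTS)


def render_comments_safe() -> str:
    """Fixed: html.escape turns <, >, &, and quotes into entities, so the browser
    displays the comment text instead of executing it."""
    return "".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>"
                   for a, b in COMMENTS)


def render_search_safe(query: str) -> str:
    """Reflected case: a value taken straight from the URL (?q=...) is echoed
    back. The same escaping applies, so the page never contains raw user markup."""
    return f"<h1>Results for {html.escape(query)}</h1>"


def contains_raw_tag(page: str, tag: str = "script") -> bool:
    """Cheap check: is there an un-escaped <tag in the rendered output?"""
    return f"<{tag}" in page.lower()
```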
Protecting against these is very simple: keep your browser and your computer up to date. Google, who creates Google Chrome, knows about these types of attacks and builds in safeguards.
But if there is a new way to exploit something that is not covered by the most recent update, someone might fall victim to it until it is patched. So just keep your software up to date, and most of this stuff you don't have to worry about.