
FalseFlags


by D S Kane


  DDoS (Distributed Denial of Service). This type of cyberattack has become popular in recent years because it’s relatively easy to execute and its effects are obvious immediately. A DDoS attack means an attacker is using a number of computers to flood the target with data or requests for data. This causes the target—usually a website—to slow down or become unavailable. Attackers may also use the simpler Denial of Service (DoS) attack, which is launched from one computer.

  Deep Web. This term and “Dark Web” or “Dark Net” are sometimes used interchangeably, though they shouldn’t be. The Deep Web is the part of the internet that is not indexed by search engines. That includes password-protected pages, paywalled sites, encrypted networks, and databases—lots of boring stuff.

  DEF CON. One of the most famous hacking conferences in the US and the world, which started in 1992 and takes place every summer in Las Vegas.

  Digital Certificate. A digital passport or stamp of approval that proves the identity of a person, website, or service on the internet. In more technical terms, a digital certificate proves that someone is in possession of a certain cryptographic key that, traditionally, can’t be forged. Some of the most common digital certificates are those of websites, which ensure your connection to them is properly encrypted. These get displayed on your browser as a green padlock.

  Encryption. The process of scrambling data or messages to make them unreadable and secret. The opposite is decryption, the decoding of the message. Both encryption and decryption are functions of cryptography. Encryption is used by individuals as well as corporations and in digital security for consumer products.

  End-to-end encryption. A particular type of encryption in which a message or data gets scrambled or encrypted on one end—for example, at your computer or phone—and gets decrypted on the other end—such as at someone else’s computer. The data are scrambled in a way that, at least in theory, only the sender and receiver—and no one else—can read them.

  Evil maid attack. As the name probably suggests, an evil maid attack is a hack that requires physical access to a computer—the kind of access an evil maid might have while tidying his or her employer’s office, for example. By having physical access, a hacker can install software to track your use and gain a doorway even to encrypted information.

  Exploit. An exploit is a way or process to take advantage of a bug or vulnerability in a computer or application. Not all bugs lead to exploits. Think of it this way: If your door was faulty, it could be simply that it makes a weird sound when you open it, or that its lock can be picked. Both are flaws but only one can help a burglar get in. The way the criminal picks the lock would be the exploit.

  Forensics. On CSI, forensic investigations involve a series of methodical steps in order to establish what happened during a crime. When it comes to a hack, however, investigators are looking for digital fingerprints instead of physical ones. This process usually involves trying to retrieve messages or other information from a device—perhaps a phone, a desktop computer, or a server—used, or abused, by a suspected criminal.

  GCHQ. The UK’s equivalent of the US National Security Agency. GCHQ, or Government Communications Headquarters, focuses on foreign intelligence, especially around terrorism threats and cybersecurity. It also investigates the digital child pornography trade. “As these adversaries work in secret, so too must GCHQ,” the organization says on its website. “We cannot reveal publicly everything that we do, but we remain fully accountable.”

  Hacker. This term has become—wrongly—synonymous with someone who breaks into systems or hacks things illegally. Originally, hackers were simply tinkerers, or people who enjoyed “exploring the details of programmable systems and how to stretch their capabilities,” as the MIT New Hacker’s Dictionary puts it. The term can now be used to refer to both the good guys, also known as white-hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or black-hat hackers, or “crackers.”

  Hacktivist. A hacktivist uses his or her hacking skills for political ends. A hacktivist’s actions may be small, such as defacing the public website of a security agency or other government department, or large, such as stealing sensitive government information and distributing it to citizens. One often-cited example of a hacktivist group is Anonymous.

  Hashing. Say you have a piece of text that should remain secret, like a password. You could store the text in a secret folder on your machine, but if anyone gained access to it you’d be in trouble. To keep the password a secret, you could also “hash” it with a program that executes a function resulting in garbled text representing the original information. This abstract representation is called a hash. Companies may store passwords or facial recognition data with hashes to improve their security.

  HTTPS/SSL/TLS. Stands for “Hypertext Transfer Protocol,” with the “S” for “Secure.” The Hypertext Transfer Protocol (HTTP) is the basic framework that controls how data is transferred across the web, while HTTPS adds a layer of encryption that protects your connection to the most important sites in your daily browsing—your bank, your email provider, and social networks. HTTPS uses the protocols SSL and TLS not only to protect your connection but also to prove the identity of the site, so that when you type “https://gmail.com” you can be confident you’re really connecting to Google and not an imposter site.

  Infosec. An abbreviation of Information Security. It’s the inside baseball term for what’s more commonly known as cybersecurity, a term that irks most people who prefer infosec.

  Jailbreak. Circumventing the security of a device, like an iPhone or a PlayStation, to remove a manufacturer’s restrictions, generally with the goal to make it run software from non-official sources.

  Keys. Modern cryptography uses digital “keys.” In the case of PGP encryption, a public key is used to encrypt, or “lock,” messages and a secret key is used to decrypt, or “unlock,” them. In other systems, there may be only one secret key that is shared by all parties. In either case, if an attacker gains control of the key that does the unlocking, they may have a good chance at gaining access to the contents of the message.

  Local area network (LAN). A network of computing devices arranged to facilitate communications among the devices and with external-to-the-network devices.

  Lulz. An internet-speak variation on “lol” (short for “laughing out loud”) employed regularly among the black-hat hacker set, typically to justify a hack or leak done at the expense of another person or entity. Sample use: y did i leak all contracts and employee info linked to Sketchy Company X? for the lulz.

  MAC (Medium Access Control). An algorithm for identification of a wireless network. When used in reference to hardware (computers), it is the identifier of a specific computer used in telecommunications. MAC provides encryption possibilities and deals with channel contention by using control packets with RTS (Request To Send) and CTS (Clear To Send) designators.

  Malware. Stands for “malicious software.” It simply refers to any kind of a malicious program or software, designed to damage or hack its target. Viruses, worms, Trojan horses, ransomware, spyware, adware, and more are malware.

  Man-in-the-middle. A man-in-the-middle, or MitM, is a common attack in which someone surreptitiously puts themselves between two parties, impersonating them. This allows the malicious attacker to intercept and potentially alter their communication. With this type of attack, one can just passively listen in, relaying messages and data between the two parties, or even alter and manipulate the data flow.

  Metadata. Metadata is simply data about data. If you were to send an email, for example, the text you type to your friend will be the content of the message, but the address you used to send it, the address you sent it to, and the time you sent it would all be metadata. This may sound innocuous, but with enough sources of metadata—for example, geolocation information from a photo posted to social media—it can be easy to piece together someone’s identity or location.

  NIST. The National Institute of Standards and Technology is an arm of the US Department of Commerce dedicated to science and metrics that support industrial innovation. NIST is responsible for developing information security standards for use by the federal government, and therefore it’s often cited as an authority on which encryption methods are rigorous enough to use, given modern threats.

  OpSec. OpSec is short for operational security, and it’s all about keeping information secret, online and off. Originally a military term, OpSec is a practice and in some ways a philosophy that begins with identifying what information needs to be kept secret, and whom you’re trying to keep it a secret from. “Good” OpSec will flow from there, and may include everything from passing messages on Post-Its instead of emails to using digital encryption. In other words: Loose tweets destroy fleets.

  OTR. What do you do if you want to have an encrypted conversation, but it needs to happen fast? OTR, or Off-the-Record, is a protocol for encrypting instant messages end-to-end. Unlike PGP, which is generally used for email and so each conversant has one public and one private key in their possession, OTR uses a single temporary key for every conversation, which makes it more secure if an attacker hacks into your computer and gets ahold of the keys. OTR is also generally easier to use than PGP.

  Password managers. Using the same, crummy password for all of your logins—from your bank account, to Seamless, to your Tinder profile—is a bad idea. All a hacker needs to do is get access to one account to break into them all. But memorizing a unique string of characters for every platform is daunting. Enter the password manager: software that keeps track of your various passwords for you, and can even autogenerate super complicated and long passwords for you. All you need to remember is your master password to log into the manager and access all your many different logins.

  Penetration testing or pentesting. If you set up a security system for your home, or your office, or your factory, you’d want to be sure it was safe from attackers, right? One way to test a system’s security is to employ people—pentesters—to hack it purposely in order to identify weak points. Pentesting is related to red teaming, although it may be done in a more structured, less aggressive way.

  PGP (Pretty Good Privacy). A method of encrypting data, generally emails, so that anyone intercepting them will only see garbled text. PGP uses asymmetric cryptography, which means that the person sending a message uses a “public” encryption key to scramble it, and the recipient uses a secret “private” key to decode it. Despite being more than two decades old, PGP is still a formidable method of encryption, although it can be notoriously difficult to use in practice, even for experienced users.

  Phishing. Phishing is really more of a form of social engineering than hacking or cracking. In a phishing scheme, an attacker typically reaches out to a victim in order to extract specific information that can be used in a later attack. That may mean posing as customer support from Google, Facebook, or the victim’s cellphone carrier, for example, and asking the victim to click on a malicious link—or simply asking the victim to send back information, such as a password, in an email. Attackers usually blast out phishing attempts by the thousands, but sometimes employ more targeted attacks, known as spearphishing (see below).

  Plaintext. Exactly what it sounds like—text that has not been garbled with encryption. This definition would be considered plaintext. You may also hear plaintext being referred to as “cleartext,” since it refers to text that is being kept out in the open, or “in the clear.” Companies with very poor security may store user passwords in plaintext, even if the folder they’re in is encrypted, just waiting for a hacker to steal.

  Pwned. “Pwned” (pronounced “pawned”) is computer nerd jargon (or “leetspeak”) for the verb “own.” In the video game world, a player that beat another player can say that he pwned him. Among hackers, the term has a similar meaning, only instead of beating someone in a game, a hacker that has gained access to another user’s computer can say that he pwned him. For example, the website “Have I Been Pwned?” will tell you if your online accounts have been compromised in the past.

  Rainbow table. A rainbow table is a complex technique that allows hackers to simplify the process of guessing what passwords hide behind a “hash” (see above).

  Ransomware. Ransomware is a type of malware that locks your computer and won’t let you access your files. You’ll see a message that tells you how much the ransom is and where to send payment, usually requested in bitcoin, in order to get your files back. This is a good racket for hackers, which is why many consider it now an “epidemic,” as people typically are willing to pay a few hundred bucks in order to recover their machine. It’s not just individuals, either. In early 2016, the Hollywood Presbyterian Medical Center in Los Angeles paid around $17,000 after being hit by a ransomware attack.

  RAT. “RAT” stands for “Remote Access Tool” or “Remote Access Trojan.” RATs are really scary when used as malware. An attacker who successfully installs a RAT on your computer can gain full control of your machine. There is also a legitimate business in RATs for people who want to access their office computer from home, and so on. The worst part about RATs? Many malicious ones are available in the internet’s underground for sale or even for free, so attackers can be pretty unskilled and still use this sophisticated tool.

  Red team. To ensure the security of their computer systems and to suss out any unknown vulnerabilities, companies may hire hackers who organize into a “red team” in order to run oppositional attacks against the system and attempt to completely take it over. In these cases, being hacked is a good thing because organizations may fix vulnerabilities before someone who’s not on their payroll does. Red teaming is a general concept that is employed across many sectors, including military strategy.

  Root. In most computers, “root” is the common name given to the most fundamental (and thus most powerful) level of access in the system, or is the name for the account that has those privileges. That means the “root” can install applications, and delete and create files. If a hacker “gains root,” they can do whatever they want on the computer or system they compromised. This is the holy grail of hacking.

  Rootkit. A rootkit is a particular type of malware that lives deep in your system and is activated each time you boot it up, even before your operating system starts. This makes rootkits hard to detect, persistent, and able to capture practically all data on the infected computer.

  Salting. When protecting passwords or text, “hashing” (see above) is a fundamental process that turns the plaintext into garbled text. To make hashing even more effective, companies or individuals can add an extra series of random bytes, known as a “salt,” to the password before the hashing process. This adds an extra layer of protection.

  Script kiddies. This is a derisive term for someone who has a little bit of computer savvy and who’s only able to use off-the-shelf software to do things like knock websites offline or sniff passwords over an unprotected WiFi access point. This is basically a term to discredit someone who claims to be a skilled hacker.

  Shodan. It’s been called “hacker’s Google,” and a “terrifying” search engine. Think of it as a Google, but for connected devices rather than websites. Using Shodan you can find unprotected webcams, baby monitors, printers, medical devices, gas pumps, and even wind turbines. While that sounds terrifying, Shodan’s value is precisely that it helps researchers find these devices and alert their owners so they can secure them.

  Side channel attack. Your computer’s hardware is always emitting a steady stream of barely perceptible electrical signals. A side-channel attack seeks to identify patterns in these signals in order to find out what kind of computations the machine is doing. For example, a hacker “listening in” to your hard drive whirring away while generating a secret encryption key may be able to reconstruct that key, effectively stealing it, without your knowledge.

  Signature. Another function of PGP, besides encrypting messages, is the ability to “sign” messages with your secret encryption key. Since this key is only known to one person and is stored on their own computer and nowhere else, cryptographic signatures are supposed to verify that the person who you think you’re talking to actually is that person. This is a good way to prove that you really are who you claim to be on the internet.

  Sniffing. Sniffing is a way of intercepting data sent over a network without being detected, using special sniffer software. Once the data is collected, a hacker can sift through it to get useful information, like passwords. It’s considered a particularly dangerous hack because it’s hard to detect and can be performed from inside or outside a network.

  Social engineering. Not all hacks are carried out by staring at a Matrix-like screen of green text. Sometimes, gaining entry to a secure system is as easy as placing a phone call or sending an email and pretending to be somebody else—namely, somebody who regularly has access to said system but forgot their password that day. Phishing (see above) attacks include aspects of social engineering, because they involve convincing somebody of an email sender’s legitimacy before anything else.

  Spearphishing. Phishing and spearphishing are often used interchangeably, but the latter is a more tailored, targeted form of phishing (see above), where hackers try to trick victims into clicking on malicious links or attachments pretending to be a close acquaintance, rather than a more generic sender, such as a social network or corporation. When done well, spearphishing can be extremely effective and powerful. As a noted security expert says, “give a man a 0day [zero-day] and he’ll have access for a day, teach a man to phish and he’ll have access for life.”

  Spoofing. Hackers can trick people into falling for a phishing attack (see above) by forging their email address, for example, making it look like the address of someone the target knows. That’s spoofing. It can also be used in telephone scams, or to create a fake website address.

 
