Vectors of Attacks: Know thy Enemy
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu, The Art of War
In war, intelligence is always the most crucial piece, the foundation of strategy in both offensive and defensive maneuvers, strategies and tactics. This is as true of a war between nations as of a war between two individuals, or any other combination. War is the natural state of human beings. We continuously wage war: against ourselves, against nature to survive. From the moment we are born, we struggle, even if only to take our very first breath of air outside our mother's womb. Existence itself is war. Why should it be any different between you, defending your intelligence and the personal information you store on your devices, and hackers, black hats and other bad actors like scammers, corporations and, let us be honest here, the government?
In our short series of articles dedicated to Android security and anonymity, we have learned many things about our own logistics, and about defensive maneuvers and strategies to protect our crucial intelligence. However, knowing only ourselves and not our enemy, we remain quite vulnerable, as our idea of the threat we are facing remains vague. This is why this article will detail a number of vectors of digital attack against you and your devices, and how they work.
I must make a point here that I will not describe the specific details of how certain attacks are carried out, as this is beyond the scope of this article. Our goal here is to learn to defend ourselves, not to go on the offensive. Not yet anyway. In the future I may write “red team” types of articles, if only for the sake of exploring the other side of this small passion of mine. But I digress. The point is that if you think I will teach you how to perform, say, an SQL Injection by giving specific lines of code, or teach you how to write malware, this isn't that kind of article. We will only be learning how these vectors of attack work, in enough detail to be able to spot vulnerabilities or give us a fighting chance if we become the target of such an attack.
On that note, let us begin.
SQL Injections
I am starting with this subject because, while it will likely never be a direct threat against your specific devices, it illustrates the inherent danger of putting too much information, like our credit card number or our address, on the 'net where hackers can reach it.
So, what is an SQL Injection? Well, to put it simply, it is a method of hacking into a database through a website or an application that takes user input. What do I mean by this? Well, let's take your bank account for example. I assume most of you check your balance and make payments via your bank's application or web portal. To log in, you input either a username or your debit/credit card number, along with a password. This is the user input we are talking about here.
See, instead of typing a username or a password, an attacker can enter a very short fragment of code that, if the application pastes the input straight into its database query, will return, for example, the usernames and passwords of all the users stored in said bank's database. They can then take their time accessing all these accounts one by one to steal Social Security Numbers and real-life IDs, siphon bank accounts, etc. The world's their oyster at this point.
Now, this is such a glaring vulnerability that you would think most websites, let alone financial institutions like banks and credit unions, would have long since patched it. Well, the Open Worldwide Application Security Project (OWASP) to this day ranks SQL Injection as the third most prevalent type of attack, across every kind of system. Banks, federal agencies, hospitals (holding your medical data) and insurance companies all remain victims of SQL Injection attacks to this day. In 2022, 1162 different SQL Injection vulnerabilities were classified as a CVE (Common Vulnerabilities and Exposures).
And considering that the only two types of attacks or vulnerabilities outranking SQL Injection are Broken Access Control and Cryptographic Failures, you should frankly be appalled by how few defenses many institutions have against this type of attack. And of those, the most egregious targets are government websites, bank websites and hospital databases.
Now, if you understand just how bad the SQL Injection problem is (it sends shivers down my spine personally whenever I dare think about it), then you will understand why I am so extreme about hammering into your heads, dear readers, the importance of anonymity and security. The only saving grace is that this kind of attack usually cannot target your device directly. It does open up a myriad of other vectors of attack against your devices, for sure, but at least the device itself is not the direct target. We'll take the win where we can.
So how do we defend against SQL Injections? Well, if we are a company, we make sure to implement anti-injection measures on our website, which is why you should never carelessly skimp on your cyber security budget. As private individuals? Well, we can't, as we are at the mercy of the entities who own these databases. The only thing we can do is hope and pray they have a good cyber security team that is taking proactive steps against SQL Injections, and give these entities as little information as possible. Which is why I am so fiercely against Electronic ID and against the digitization of currency, with various government efforts to remove cash and use only digital methods of payment. For one, I don't trust these entities enough not to fudge us over by turning this into a weapon of control, but also because this opens too large a vector of attack against us. Make of that what you will.
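To make the “anti-injection measures” concrete, here is an added example (not code from the article) that shows, on a constructed in-memory SQLite table, why pasting user input into a query text leaks every row while a parameterized query keeps the input as plain data. The table, its rows and the function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for this example: a throwaway in-memory
# "users" table standing in for the bank database described above.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # DON'T: the user input is pasted straight into the SQL text, so the
    # database cannot tell where the query ends and the input begins.
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # DO: a parameterized query. The SQL text is fixed; the input travels
    # separately as data and can only ever be compared as a literal string.
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    normal = "alice"
    # Input that closes the quote and tacks on an always-true condition.
    hostile = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))  # every row comes back
    print("safe, hostile input      :", lookup_safe(db, hostile))        # no such user: []
```

The fix is not to "filter" the quote character but to stop building queries out of strings at all; every mainstream database driver offers the parameterized form shown in `lookup_safe`.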
Improper Credential Usage
This is a type of vulnerability that is extremely prevalent on mobile devices. One of the most explicit examples of such a vulnerability is hard coded credentials. What is a hard coded credential, you might ask? Well, it is a situation where a password is embedded within the source code of an application, for example. This means it is extremely easy for a hacker to get hold of this password simply by obtaining the source code. A hacker can also get hold of credentials through improper storage of those credentials.
This is the single most prevalent vector of attack against mobile devices, because it is extremely easy to get access to publicly available, automated tools that systematically scan applications for such vulnerabilities. It is a vulnerability most script kiddies are capable of exploiting. There are a few ways to defend against this form of attack.
On non-mobile devices, our main method is to open the page's source in our browser and check whether a password is hard coded in it. On mobile devices, our best option is to limit this vector by restricting our applications to those that do not require credentials, or to strictly limit those that do. This nips that vector of attack in the bud almost completely. Just be aware that if you are not particularly code savvy for browser-based verification, you can always simply avoid using real-life identifiers unless strictly necessary.
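The “check whether a password is hard coded” step can be automated for anyone who is not code savvy. The following is an added example, not from the article, of a small scanner that flags the usual shapes of embedded credentials (assigned passwords, API keys and tokens, and URLs carrying a user:password pair) in page or application source; the patterns and the sample source lines are constructed for this demonstration and are illustrative, not exhaustive.

```python
import re

# Illustrative patterns for the kinds of hard coded credentials described
# above (assumption: a starting point, not a complete secret scanner).
SECRET_PATTERNS = {
    "assigned password": re.compile(
        r"""(?i)\b(pass(word|wd)?|pwd|secret)\s*[:=]\s*['"][^'"]{4,}['"]"""),
    "assigned api key/token": re.compile(
        r"""(?i)\b(api[_-]?key|auth[_-]?token|access[_-]?token)\s*[:=]\s*['"][^'"]{8,}['"]"""),
    "url with embedded credentials": re.compile(
        r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding type, offending line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
                break  # one report per line is enough
    return findings

# Constructed sample source: five lines of app code, two of them bad practice.
# The key and password values are placeholders, not real secrets.
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_live_EXAMPLE_NOT_A_REAL_KEY_123"
db_url = "postgres://appuser:hunter2@db.example.internal/bank"
password = os.environ["APP_DB_PASSWORD"]   # fine: read at runtime, not embedded
print("password prompt shown")             # fine: the word alone is not a secret
"""

if __name__ == "__main__":
    for lineno, kind, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {line}")
```

Run it over a saved page source or an unpacked app; a hit means the credential ships with the code and must be treated as already known to anyone who has the file.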
Inadequate Supply Chain Security
This is a highly technical term describing the insertion of malware or malicious code into an application at the time it is installed on a device. It is possibly one of the worst vectors of attack because it is extremely difficult to detect, even for security professionals. Hackers achieve this by injecting into or modifying the source code of an application you download, opening backdoors within your device's system, possibly denying you access to the device entirely, stealing all your data with near impunity, or watching your every action on the device undetected.
The only methods of defense against this sort of attack are to always verify all your downloads against a signature and to always, always use open-source applications, since the kinds of vulnerabilities that open the door to these attacks can be, and are, publicly reported on the application's repository, and the various patches are carefully monitored.
In short, don't download something you don't know for certain is safe, aight? Keep washing your hands and you shouldn't contract a bad L33t infection.
Insecure Communications
Whenever you use an application, the app sends data through your ISP or carrier to the app's backend server, and vice versa. This communication can be spied on by someone who has compromised your network or is listening further down the line. Now, the good thing about this vector of attack is that you can simply turn off your carrier data and not use it, plug in only via an Ethernet cable and not use Wi-Fi at all, and make sure your ISP's encryption protocols are up to date, along with those of your own network, keeping your router updated at all times.
Social Engineering
Here's a trade secret: you, my friend, are considerably more vulnerable to hackers than your machine is. A good observer can and will take notice of the various exploitable things you say or do. Let me give you an example. You go to take the subway, and a posted sign says “watch out for pickpockets”. The first thing most people do is put their hand where their wallet or phone is, to make sure it is still securely where it should be.
Here is a fun fact: the subway security or the police most likely didn't put that sign there, but the pickpockets themselves. And now they know which pocket your valuables are in. The rest, frankly, is easy.
Here is another example, a digital one this time. Remember filling out that “which Harry Potter house would you be” survey? You tell an awful lot about yourself in it. And in so many other small games. The company behind it learns more about you, then resells that data for peanuts. Which hackers purchase too.
Now, there isn't any miraculous method to get rid of the social engineering vulnerability inherent in humans, short of ceasing to exist or ceasing to be human at all. What we can do is mitigate our reactions to outside stimuli as much as we humanly can, be it in the subway where the sign says “watch for the pickpockets” or when filling out that cute survey about which of these 20 dog pictures is your favorite. If something asks for a reaction from you, you are willingly giving more intelligence about yourself to would-be attackers. I recommend reading Marcus Aurelius's Meditations and slowly introducing a certain amount of stoicism into your life to reduce that attack vector, if only by a bit.
Conclusion
These are but a very small sample of vectors of attack. There are hundreds of thousands of them. We mentioned but five, even if they themselves cover a lot of ground. And more vectors of attack are being created and exploited against you every single day, every hour, every minute.
The best defense is to avoid becoming a target at all, since, as we can see, while we can defend against some of them, many are impossible to completely fend off, or even to mitigate. Some are firmly within our grasp, others are not.
This is why knowledge is your ally. Learn more about these potential vulnerabilities, formulate counterintelligence measures, be prepared to improvise, observe, watch, and take note of how the world works around you. Reality itself is a system ready to be hacked at any time, in an infinite number of ways. The hackers are the government, demagogues, corporations, social engineers, cult leaders, sociopaths, narcissists and bad actors of any kind.
This is your reality. Defend it.
We will be watching.
The G.H05t
Filed under: Uncategorized - @ July 18, 2024 6:50 am