How I Got Your Password – Part 2

Did you know that the easiest way for me to get your password is just to ask for it? This is one way that cyber-criminals can get one of your passwords. In  our last post we focused on password cracking.  Today we will look at all the other ways that an clever attacker can compromise your password.

  • Social Engineering – Sometimes the easiest way to get password information is just to ask for it.  Social engineering is a type of con game with computer or network compromise as the goal. While the majority of social engineering exploits rely on a phishing emails, there are other approach vectors.  Social engineering can happen in-person, over the phone, or by text or email.  There may be some sort of impersonation attempt, such as a phone call from someone claiming to be from your company’s IT department, or a service tech from your ISP, or a tech from “Microsoft.”  Defending against social engineering requires training staff what to look for, and a level of skepticism or suspicion whenever someone starts asking for passwords or other personal information.
  • Phishing – Phishing is a type of social engineering exploit that starts with an email with either a link or an attachment.
    • Attachments – Email attachments usually will contain some sort of self executing code or software that runs when you open the attachment.  Typically this will be something like a remote access Trojan Horse (RAT), a keylogger, or credential stealing banking malware.  The best defense is to resist opening unexpected attachments, and verify the content with the sender before opening.  Or check out the attachment in VirusTotal.
    • Links – Links in phishing emails usually open a browser window and connect to a specially crafted web page called a “landing page.”  Landing pages are often hosted on hijacked legitimate websites.  These pages usually have a fake login screen for capturing your user and password information, or may have a longer web form for gathering more information.  Often these pages will also surreptitiously download a RAT or keylogger too.  To defend against malicious links avoid clicking without checking the link out first using the hover technique or by checking the link at VirusTotal.
  • Spearphishing – is a more targeted form of phishing that may be targeting a specific individual or members of a single organization.  The emails are generally crafted using research information gathered earlier to create messages that are very believable.  These emails may appear to come from co-workers, supervisors, or known vendors or customers.  Confirming emails with the sender is your best defense.
  • Keylogging – A keylogger is a malware program that gathers your keystrokes, all the information you type during the day, including web addresses you visit, and user IDs and passwords you use to login.  This information is sent back to the attacker once a day, and the text file will be searched for useful information.  Using a good up-to-date anti-malware product is the best way to keep this sort of software from installing on your computer.

In the next post, we will look at the current recommended standards for creating a secure password, and policy recommendations from the National Institute of Standards and Technology (NIST).

A special thanks to Panda Security for inspiring the content of this series and providing us with the infographics used in this series.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.