Wednesday 21 October 2015

Boost your security using hacker tricks


Protect yourself from cybercriminals by using their own tools to fight them. Robert Irvine explains the best free and legal ways to turn the tables on the bad guys


TEST THE STRENGTH OF YOUR PASSWORD


It’s a common misconception that websites store their users’ passwords in plain text, which would mean that anyone who stole the database in a breach would have instant access to every account. In fact, any site that cares about security runs your sign-up password through a one-way function and stores only the result, a fixed-length string of characters called a hash. When you sign in, it hashes the password you type and compares the result with the stored hash; if the two match, you’re logged in. Sadly, hashes alone don’t guarantee protection, because attackers can take huge lists of common and likely passwords, hash every one of them in advance and then look up any stolen hash in the resulting table to recover the original password.

Make sure your hash can’t be cracked


The best way to foil the hackers is to come up with the strongest password – and therefore the least ‘lookup-able’ hash – possible, and we don’t just mean using a mixture of numbers and letters (we’re sure you know that one already!). To find out whether a password can be easily ‘unhashed’, type it into a secure online hash generator such as QuickHash.com (https://quickhash.com), select an algorithm with which to hash it (SHA-256, SHA-512 and Whirlpool are strong general-purpose hashes, although sites should really store passwords with a deliberately slow, salted scheme such as bcrypt, scrypt or PBKDF2) and click the button to generate your hash. One caveat: anything you type into a web form leaves your computer, so test a password of the same shape as your real one rather than the real one itself.

Copy the string of characters to CrackStation (https://crackstation.net), which holds a massive database of billions of precomputed hashes and looks up the password that produced the hash you paste in (you may need to complete a CAPTCHA first). If the lookup succeeds, it highlights the hash and the recovered password in green, and you’ll know that your login is weak and can be cracked in an instant. If it fails, both are highlighted in red and you can be fairly confident that you’re using a strong password.

For example, if we type in the most commonly used password of 2014 – yes, it’s still 123456 – into QuickHash.com, and then copy the hash into CrackStation, it instantly comes up green and throws the weedy password back at us. In contrast, a long combination of upper and lowercase letters, numbers and symbols is likely to leave it baffled.

Why your hash should always be salted


Naturally, many hackers have access to much more powerful tools with even larger databases than CrackStation’s, so a red result doesn’t mean your password can’t be cracked. This is why websites that take security seriously use a process called ‘salting’. A salt is a random string of characters generated for each user and combined with the password before it’s hashed, so two users with the same password end up with different hashes, and a precomputed table of hashes is useless against the stolen database: an attacker has to start hashing guesses from scratch for every single account. A salt doesn’t rescue a weak password, though, because each guess can still be tried one by one. Several big companies have been heavily criticised for getting this wrong, including LinkedIn, whose 2012 leak contained unsalted SHA-1 hashes, and Adobe, which in 2013 turned out to have stored passwords encrypted rather than hashed at all; both have since changed their security measures accordingly.
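To make the last two sections concrete, here is an added Python example (not code from the article or from QuickHash.com or CrackStation) that reproduces the whole exercise offline: it builds a tiny stand-in for CrackStation’s lookup table, shows that an unsalted SHA-256 hash of 123456 is reversed by a single lookup, and then shows what salting plus a slow hash (PBKDF2-HMAC-SHA256 from the standard library) changes. The five-word password list, the 16-byte salt length and the 100,000-iteration work factor are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a cracking database such as CrackStation's:
# a handful of common passwords, each hashed once with plain, unsalted SHA-256.
# Real tables hold billions of entries; the principle is identical.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "123456789"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a string, as an online hash generator would produce it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Precomputed table: hash -> password.
LOOKUP_TABLE = {sha256_hex(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(hash_hex: str) -> Optional[str]:
    """Reverse an unsalted hash by table lookup. Returns the password, or None."""
    return LOOKUP_TABLE.get(hash_hex.lower())


PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune it for your own hardware


def hash_with_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256), as a site should store it.

    A fresh 16-byte random salt is drawn for every new password, so two users with
    the same password get different hashes and no precomputed table applies.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Login check: rehash the typed password with the stored salt, compare in constant time."""
    _, candidate = hash_with_salt(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def crack_salted(stored_hex: str, salt: bytes) -> Optional[str]:
    """What an attacker must do against a salted hash: rehash every guess with this salt.

    The lookup table is useless, but a weak password still falls to a dictionary
    attack; the salt removes the precomputation shortcut and the slow hash makes
    each guess cost more. Neither substitutes for a strong password.
    """
    for guess in COMMON_PASSWORDS:
        if verify_salted(guess, salt, stored_hex):
            return guess
    return None


if __name__ == "__main__":
    weak = sha256_hex("123456")
    print("unsalted 123456 by table      ->", crack_unsalted(weak))           # 123456
    strong = sha256_hex("correct-Horse*Battery9!")
    print("unsalted strong by table      ->", crack_unsalted(strong))         # None
    salt, stored = hash_with_salt("123456")
    print("salted 123456 by table        ->", crack_unsalted(stored))         # None
    print("salted 123456 by dictionary   ->", crack_salted(stored, salt))     # 123456
```

Run it twice and note that the salted hash of 123456 differs each time while the unsalted one never changes; that difference is exactly what defeats a precomputed table, and the last line is the reminder that it defeats nothing else.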

CHECK WHETHER YOUR ACCOUNT HAS BEEN HACKED


Hackers love to boast about their exploits, but the companies they attack aren’t always as forthcoming about security breaches and sometimes don’t tell users their details have been compromised for days, weeks or even months. If you’re worried that one of your accounts has been hacked and your email address and password stolen, there are several tools that can tell you. This information is particularly important if you use the same login for more than one website (we all do it!). Our favourite is Have I Been Pwned (haveibeenpwned.com), which claims to have details of more than 222 million accounts from the leaked databases of 54 ‘pwned’ websites (‘pwned’ means ‘gained ownership of’).

Enter your email address or username to see if they’ve been compromised – this may sound risky in itself, but Have I Been Pwned is adamant that it doesn’t store any passwords or log any user data. We were annoyed to find that our email address was one of the 153 million included in the Adobe security breach in November 2013.

If your account has been ‘pwned’, you’re advised to change your password pronto, not just on the hacked service but on any others that use the login. To stay informed of future hacks, you can receive notifications when your email address appears in a leaked database.

Find out when (but not where) you were hacked


BreachAlarm (breachalarm.com), formerly Shouldichangemypassword.com, works differently from Have I Been Pwned. It tells you when your password was compromised but not where, unless you upgrade to the paid-for version of its Email Watchdog service, which costs from $10 (£6.50) per year. If you stick with the free option, it will still track one email address and notify you immediately if it appears in a breach.

If you’re not convinced about the trustworthiness of these sites, you might prefer PwnedList (pwnedlist.com), which lets you look up a hash of your email address rather than the plain-text version. Again, this tells you when rather than where your account was hacked, which might not sound like much use but at least prevents other hackers from knowing the exact details and using the information to their advantage. It also means you’ll know to change your password.

SHARE SENSITIVE FILES SECURELY ONLINE


Most web users know BitTorrent as an effective means of sending files directly between users without routing them through a central server, which is also why it’s used by many to share content illegally. It isn’t private, though: every peer in a swarm can see the others’ IP addresses. Last year, hackers from the Hackito Ergo Sum community thoroughly analysed the security and privacy of the official BitTorrent Sync tool (getsync.com) and found several vulnerabilities in the service. Their conclusion was: “do not use for sensitive data” (you can read the full results of their tests at bit.ly/hackito382).

So what should you use instead, if you want to prevent third parties from intercepting your private data? The Hackito Ergo Sum hackers recommend a free, open-source tool called Syncthing, which they consider “preferable to BitTorrent Sync”. Available for Windows, Linux and Mac OS X, Syncthing keeps your files on your own computers rather than on a central server, and encrypts the traffic between them using TLS (Transport Layer Security) “to prevent any eavesdropper from ever gaining access to your data”. It lets you share as many folders as you need, and each computer is identified not by its IP address but by a unique device ID derived from its TLS certificate, which you give only to the people you want to sync with; a device whose ID you haven’t added is simply refused. You can find a guide to getting started with Syncthing at bit.ly/syncthing382.

Don’t let your BitTorrent client be exploited


In August this year, researchers found that several popular BitTorrent clients, including uTorrent and Vuze, contained flaws that allowed them to be abused in distributed reflective denial-of-service (DRDoS) attacks. The attacker sends small requests to BitTorrent ‘peers’ with the source address forged to that of the site being targeted; the peers dutifully reply to that address with responses 50 to 120 times larger than the requests, flooding the target with traffic that appears to come from innocent BitTorrent users rather than from the attacker. For this reason, it’s essential to update your BitTorrent software to the latest version, which patches the vulnerability, or your own client could be used to attack someone else. We wouldn’t recommend using uTorrent, anyway, because of the rubbish it now comes bundled with. Deluge (deluge-torrent.org) is a safer alternative and has a similar, simple interface.
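If you want to see whether your own machine is being used as a reflector, the telltale sign is the asymmetry described above: a remote address that sends you tiny requests and receives large replies, repeatedly. The following added Python example (written for this article, not code from the researchers or from any BitTorrent client) runs that check over a constructed firewall log. The log format (“direction src:port dst:port bytes”), the addresses, the 10:1 ratio threshold and the minimum of two requests are all assumptions made for the example; adapt the parser to whatever your firewall or packet capture actually emits.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    direction: str   # "in" = received by this host, "out" = sent by this host
    remote: str      # the other party's IP address
    nbytes: int


# Constructed firewall log (not a real capture). Assumed format, one UDP datagram
# per line: "<direction> <src ip:port> <dst ip:port> <bytes>". 198.51.100.7 plays
# the spoofed address of a DRDoS victim: 40-byte requests "from" it draw 2,400-byte
# replies. 203.0.113.5 is an ordinary peer exchanging similar-sized traffic.
SAMPLE_LOG = """\
in  198.51.100.7:6881 192.0.2.10:6881 40
out 192.0.2.10:6881 198.51.100.7:6881 2400
in  198.51.100.7:6881 192.0.2.10:6881 40
out 192.0.2.10:6881 198.51.100.7:6881 2400
in  203.0.113.5:51413 192.0.2.10:6881 120
out 192.0.2.10:6881 203.0.113.5:51413 150
"""


def parse_log(text: str) -> List[Flow]:
    """Turn log lines into Flow records keyed on the remote address."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash on them
        direction, src, dst, nbytes = parts
        remote = src if direction == "in" else dst
        flows.append(Flow(direction, remote.rsplit(":", 1)[0], int(nbytes)))
    return flows


def amplification_by_peer(flows: List[Flow]) -> Dict[str, float]:
    """Bytes we sent to each remote address divided by bytes it sent us."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for f in flows:
        (received if f.direction == "in" else sent)[f.remote] += f.nbytes
    return {peer: sent[peer] / received[peer] for peer in received if received[peer] > 0}


def suspected_reflection(flows: List[Flow], ratio_threshold: float = 10.0,
                         min_requests: int = 2) -> List[str]:
    """Remote addresses that got far more from us than they sent, over several requests.

    In a reflection attack the flagged address is the *victim* (the attacker forged
    it as the source), so the fix is to patch the client and rate-limit replies, not
    to treat that address as the attacker.
    """
    requests = defaultdict(int)
    for f in flows:
        if f.direction == "in":
            requests[f.remote] += 1
    ratios = amplification_by_peer(flows)
    return sorted(peer for peer, ratio in ratios.items()
                  if ratio >= ratio_threshold and requests[peer] >= min_requests)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for peer, ratio in sorted(amplification_by_peer(flows).items()):
        print(f"{peer:>15}  amplification x{ratio:.1f}")
    print("suspected reflection targets:", suspected_reflection(flows))  # ['198.51.100.7']
```

The constructed victim shows a 60x ratio, squarely inside the 50 to 120 range the researchers measured, while the ordinary peer sits near 1x; the threshold exists so that a single large response to a legitimate peer does not trip the check.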