Network Security: Phishing & Password Cracking




    In today’s age of computers and the prevalence of their use in our daily lives - both personally and professionally - it is more important than ever to make sure we safeguard our data.

    In our ping command exercise, we used ping requests to test the number of packets sent across a network. “Normally, ping requests are used to test the connectivity of two computers by measuring the round-trip time from when an ICMP echo request is sent to when an ICMP echo reply is received.” (imperva, n.d., n.p.) Ping commands can also be used to launch a Denial of Service attack by overloading the target network with request packets, which consumes bandwidth and slows the target network considerably.

    To launch the attack, the attacker needs to know the target’s IP address and needs to have access to more bandwidth than the target network. Distributed Denial of Service attacks through a botnet work better than a ping flood alone, as the traffic comes from multiple computers across networks.

    External ping command attacks can be blocked by firewalls, but that will not keep internal attacks from happening. Networks can also implement protection to limit the size of ping requests and the rate at which they will be accepted. Dynamic IP addresses will also protect against ping attacks as the IP address will change frequently.
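
    The rate and size limits described above can be sketched as a per-source token bucket. This is an added example, not part of the original post; the thresholds, class name and sample traffic are assumptions chosen for illustration.

```python
from collections import Counter

MAX_PAYLOAD = 1024  # assumed cap on echo payload size, in bytes
RATE = 2.0          # assumed refill: echo requests allowed per second, per source
BURST = 4.0         # assumed bucket depth (short bursts are tolerated)

class EchoLimiter:
    """Per-source token bucket for ICMP echo requests (hypothetical helper)."""

    def __init__(self):
        self.buckets = {}  # source IP -> (tokens left, time last seen)

    def check(self, t, src, size):
        if size > MAX_PAYLOAD:
            return "drop-size"          # oversized request, never accepted
        tokens, last = self.buckets.get(src, (BURST, t))
        tokens = min(BURST, tokens + (t - last) * RATE)  # refill since last packet
        verdict = "accept" if tokens >= 1.0 else "drop-rate"
        if verdict == "accept":
            tokens -= 1.0               # each accepted request costs one token
        self.buckets[src] = (tokens, t)
        return verdict

def summarize(packets):
    """Return {source: Counter of verdicts} for (time, source, size) tuples."""
    limiter, out = EchoLimiter(), {}
    for t, src, size in sorted(packets):
        out.setdefault(src, Counter())[limiter.check(t, src, size)] += 1
    return out

# Constructed sample traffic, using documentation-range addresses.
SAMPLE = (
    [(float(s), "192.0.2.10", 56) for s in range(3)]       # normal: 1 ping/s
    + [(i / 100, "198.51.100.7", 56) for i in range(10)]   # burst: 10 in 0.1 s
    + [(0.5, "203.0.113.5", 65000)]                        # oversized request
)

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, dict(counts))
```

    Because the bucket is keyed by source address, the same check applies to internal hosts that a perimeter firewall never sees.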

    "Phishing emails fraudulently ask users to provide sensitive account information by posing as legitimate companies." (Vahid, F., & Lysecky, S., 2019, 7.4) Often these emails or text messages appear to come from banking organizations asking the user to update their account info or claiming their account has been breached and asking them to log in and verify their info. Once they have this info, they can access banking info and empty accounts. Phishing emails may also have attachments or links that they ask the receiver to click on, and once clicked malware is installed on the receiver’s computer.

    Spam filters can keep a lot of phishing emails out of a primary inbox, but they won’t catch all of them. Using MFA (multi-factor authentication), a.k.a. two-step verification, can cut down on risk if someone does gain access to an account. With MFA, someone logging into an account must also provide a code that has been sent to the account holder’s mobile device. Using anti-virus software can also help spot known malware if it does get through.

    Phishing is dangerous, especially to our more vulnerable populations, like the elderly. It will often use some sort of threat to get the person to comply with the instructions, like jail time, deportation, account freezing, among others. Many a person has been tricked into losing their entire life’s savings via these phishing scams.

    Password cracking can cause immeasurable damage to both organizations and individuals as it opens them up to data loss/theft, data corruption, identity theft and many other issues. For someone who uses the same password for everything, the cracking of that password could mean the hacker now has access to their banking, credit cards, tax information, medical records, social media, email accounts and so much more.

    “Password cracking is the process of using an application program to identify an unknown or forgotten password to a computer or network resource. It can also be used to help a threat actor obtain unauthorized access to resources.” (Gillis, A.S., 2021, n.p.) The two most commonly used methods for password cracking are brute-force and dictionary attacks. Brute-force attacks try character combinations of predetermined lengths until they find the matching combination for the password. Dictionary attacks use password dictionaries of commonly used phrases or combinations thereof. “Some password cracking programs may use hybrid attack methodologies where they search for combinations of dictionary entries and numbers or special characters.” (Gillis, A.S., 2021, n.p.)

    The best defense against password crackers is a secure password comprised of lower-case letters, upper-case letters, numbers, and symbols - the longer the better as can be seen in the included infographic (Supra, J.D., 2020, n.p.). Never write down or share your passwords as they can be stolen or reshared.
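
    To make the effect of length and character variety concrete, the following added example (not part of the original post) audits a candidate password against the dictionary, hybrid and brute-force methods described above. The word list, the guess rate and the one-year threshold are assumptions, and only printable ASCII characters are counted.

```python
import string

# Constructed mini word list standing in for a real password dictionary.
WORDLIST = {"password", "letmein", "dragon", "sunshine", "qwerty"}
GUESSES_PER_SECOND = 1e10          # assumed guessing speed; real rates vary widely
YEAR = 365 * 24 * 3600             # seconds in a year

def alphabet_size(pw):
    """Size of the character pool a brute-force search has to cover."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def keyspace(pw):
    """Number of candidates of length 1..len(pw) over that character pool."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))

def brute_force_seconds(pw):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(pw) / GUESSES_PER_SECOND

def dictionary_hit(pw):
    """True if the password is a listed word, alone or padded with
    digits/symbols (the hybrid method quoted above)."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in WORDLIST

def assess(pw):
    """Classify a password as 'dictionary', 'weak' or 'strong'."""
    if dictionary_hit(pw):
        return "dictionary"        # found without any exhaustive search
    return "weak" if brute_force_seconds(pw) < YEAR else "strong"

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("qwerty", "Sunshine123!", "abcdefgh", "tR7#kLm2@Qx9!vBz"):
        print(f"{pw:18} {assess(pw):10} {brute_force_seconds(pw):.3g} s")
```

    Note that "Sunshine123!" uses all four character classes and still falls to the hybrid check, so variety only helps when the password is not built around a common word.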


    As long as there are computers, there will be security concerns. And there are always unsavory people out there looking to take advantage of those who don’t know better. It’s important to pay attention to emails, texts, security updates, system updates, etc. to ensure you are doing all you can to protect yourself and your company from the dishonesty of the criminal element.


References:
Federal Trade Commission Consumer Advice (9/2022). How to Recognize and Avoid Phishing Scams. https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Gillis, A. S. (5/2021). DEFINITION: Password cracking. TechTarget Security. https://www.techtarget.com/searchsecurity/definition/password-cracker.

imperva (n.d.). Ping flood (ICMP flood). https://www.imperva.com/learn/ddos/ping-icmp-flood/

Supra, J. (2020, February 12). How Long Will it Take to Crack Your Password?: Cybersecurity Trends. CloudNine. https://cloudnine.com/ediscoverydaily/electronic-discovery/how-long-will-it-take-to-crack-your-password-cybersecurity-trends/

Vahid, F., & Lysecky, S. (2019). Computing technology for all. zyBooks.
