April 5, 2020
How Can Your Website Get Hacked? – Part 1

– Hey! I’m Steve.
– And I’m Shawn.
– Welcome to Acro Media’s High Five. (techno music)
– So Steve, what are we gonna talk about today?
– I think we’re gonna talk about hacking.
– Hacking?
– Yes, internet hacking specifically.
– Internet hacking, not like… through books or something?
– (laughs) No, and not with a machete or anything like that either.
– Not hacking people up and burying their bodies in your backyard.
– No, and not hacky sacking as Jason thought it was.
– Oh, okay.
– So no, specifically hacking websites.
– These notes are no good then.
– No, you can go ahead and delete that part. Oh sorry, erase it. This is not digitized, we couldn’t afford that. So, why don’t you kinda start us off a little bit with what is hacking? How does one get hacked?
– Okay. I’ll give a little bit of an overview because there’s sort of two basic ways that your website can get hacked. One, which is what actually would be more considered traditional hacking, is that there’s actually a flaw in the way your site works that allows people to access it when they shouldn’t. There’s some sort of bug in the software and it lets people get at admin or it lets them change your data. It lets them get in there through an intrinsic flaw in the way everything is set up. The other way is someone just basically guesses your password. Which isn’t so much hacking, but we’ll cover it under here because it’s a way that someone you don’t want to can get access to your site. So I wanted to give a general overview that those are two basic ways that people can hack your site.
– Got it. So you armed me with three pieces of knowledge for this episode. That we have passwords you can get through with brute force, we can get through social engineering, and through phishing.
– Yes.
– Not traditional fishing, not with a rod.
– No.
– But through internet phishing.
– Yes, technically fishing with a P-H.
– Yes, you wrote it with an F so I was a little confused.
– I got excited.
– Okay, so why don’t you start with brute force. So brute force is just trying many, many, many passwords as fast as you can, just guessing. Just guessing “1111, 1112, 1113”. It’s not quite like that, usually they have a list of common passwords. They use, what you just try is many of them as fast as you can to try and guess the right one. You don’t have a particular strategy, you’re using a big list of probably 100,000 common passwords that has been put together and you just hit them as fast as possible. It’s not that effective necessarily, although it will get common passwords, if you have ones that are right on the top of the list. If your password is password. If your password is secret. If your password is 12345, you will probably get hacked that way. Usually that’s mitigated by you just limit the number of password attempts that are available and you block someone. Trying to log in 1000 times is never legitimate. Trying to log in five times is maybe legitimate. So that’s a fairly easy way to negate that one, but that doesn’t always get done.
– So about debit cards. Can you tell us how many digits you have on your debit card?
– No, I’m not telling that to everyone.
– How many digits you use?
– Way more than you.
– Okay. So if I use 4 digits and my password happens to be 1234, yours is a little bit more complex than that.
– Yes, although complexity, length is better than complexity of the password, like picking 7483 is not really that much of a better password.
– But length, that also applies online, does it not? Rather than more of a complex digit or sign or something like that?
– Yeah. It’s been a really big thing lately, or not even lately, in the last 10 years to say “Oh, use numbers, use uppercase, lowercase, use symbols.” That doesn’t help that much. It helps a bit. Having a longer password is much more important than having… A really complicated six digit password is shittier than a simple eight digit password. Adding a few more digits makes your password way more complicated. As long as it’s not a simple word, but if you just put three words together, way better password than eight confusing characters. And no one can remember underscore, dollar sign, capital T, four. It doesn’t mean anything, but if you have a sentence that you can remember worth three or four random words, way more secure, way easier to remember. The whole using extra characters thing I guess comes from a time when you were limited to maybe ten characters for your password because of really old systems, this is like 10, 20 years ago.
– So question, why is it that a lot of sites nowadays, when you go and create an account, why don’t they just let you have longer passwords rather than requiring you to have capitalization and symbols and all that?
– I don’t know, to be perfectly honest. It’s getting that way, but usually honestly they’ll say “Please have at least six digits.” And actually the password thing will let you use a 120 character password. Nobody ever tries, normally, because everyone’s been conditioned to use these short little confusing passwords. So it’s often times available, but for some reason that’s become sort of the standard. “Oh, everyone knows that’s a good password.” Wrong. That’s not true. Length makes it more complicated than complexity. Maybe if you have 30 characters and then you have 60, you make each digit twice as complicated to guess. But if you just add more digits, it’s way harder to guess an additional digit than it is to guess a few more options in the same thing.
– So I feel like we got off the wagon here a little bit. So let’s get back on it. Let’s talk about social engineering. Okay. This is actually the most common way to hack someone. Especially if someone’s trying to hack something specific. Brute force password and stuff often times will try to hit any site they can find. Social engineering is the most successful way to hack a specific site. And basically what that means is…
– Peer pressure.
– There’s a few different ways you try to get a password from someone. You try to call up and you try to intimidate them. You pretend to be an angry customer or you pretend to be a supervisor from a different department and you demand that the password be reset. People will panic and reset the password for you. Or you call in and you pretend to be a very confused customer and you just need help, and people are really into helping you. Usually that’s their job, they’re a customer service person, their job is to help you. So you call in, you go like “Oh, I’m very sorry and I screwed up my password. Can you please help me, it’s really important? I’m gonna lose my job.” And you give a big sob story and then they just reset your password for you, but it’s not your password. It’s someone’s password that you’re stealing.
– I remember one that was kinda going around too which was “Hey, your computer has a virus, let us help you get it off, etc.”
– Yeah. Social engineering is any sort of way to con you into giving up your password. Some of the virus stuff falls a little bit more into phishing, which we’ll get to in a bit, but the social engineering way doesn’t require any clever hacking. It literally requires calling someone up on the phone or just sending them an email. You don’t need these fancy computer skills, you mostly just need to be persuasive over the phone or in person or anything. There’s even, for social engineering, they did a test. A security firm came into a corporation and they did a big lecture on password security and don’t give your password to anyone and all this stuff and be careful of what you use on the computer and everything. And then they went out into the parking lot after the test and they dumped a bunch of flash drives with basically a test hacking program on it, and I think within an hour after the presentation, 5 or 6 staff members had picked up this USB key, plugged it into their work computer and gave the security company full access to the computers. It was just a test, but ways like that are way easier to hack things than finding this difficult security flaw and exploiting it. You just can dupe someone into stuff really easily.
– So the last one being phishing. From what I understand with that is it’s some way in which you’re given maybe a link that’s maybe a false link to something, going to a royal bank as an example. You’re given maybe a royal bank, it’s a long URL that maybe has something wrong with it or it’s a website that’s made to look like another site. What else?
– Yeah, it’ll be exactly that. It’s to try to get you to put in your information in a site that you believe is legitimate and it isn’t actually. And so banks and PayPal are very common targets of that. You’ve probably all gotten an email that says “Oh, PayPal, log in here to confirm your account information.” Or something. That’s a thing PayPal sends out. That’s someone else that probably has a URL that looks kind of right. It’s paypal2.eu or something that seems kinda legit but a little weird at the same time, and they will build a site to look exactly like PayPal and it’ll probably even redirect you to PayPal afterwards. They can be very sneaky, so you’re on their site for only when you put your password in and then they pass you along. So you’re not actually aware anything’s gone wrong, but they’ve skimmed your password during that time. And so a lot of that will come through email and they’ll try to prompt you to log in through their bad link, and that’s a very common way. Especially to get less tech-savvy people, ’cause if you’re not paying attention to the URL very specifically. A quick tip on that just before we go off is never click on those links in the email. If PayPal or someone sends you that link and you’re not sure if it’s true, just actually go to PayPal. Open your browser and type Paypal.com and go in there, because you’ve done it right. That’s fine, and if it doesn’t have anything in there, it was just a scam. If you’re unsure, avoid the links in the emails.
– Before we wrap up, do you want to talk about maybe how hacking doesn’t work?
– Yeah.
– So it’s not exactly like if you had, you know, there’s a breach in the database. We’ve got a keyboard here. I’m on one side, you’re on the other. We’re counter hacking the hacker.
– Yeah, we’re just gonna hack as fast as we can to out hack the hacker.
– Yeah, zeroes and ones, the matrix coming down.
– None of that is true. You’re not even really gonna see a hack in progress or something like that. You might see hacking attempts in progress, it’s not something that you counter by typing really fast. Most of the time you counter it with automated tools set up ahead of time. There’s this sort of myth too that anything can be hacked. That’s not really true. Anything could have a security flaw in it that could be discovered. That doesn’t mean it does or that anyone knows about it. You couldn’t just point at one website and be like “Hack that website.” You could try some standard ways of hacking it, but it might not work. If you keep your site up to date, you’ve done what you can and you are as immune to hacking as anyone else is.
– So we merely scratched the surface on hacking today. We’ll probably have to talk about that later, but for what we have today, do you want to maybe give a summary, a too long; didn’t read of what we talked about?
– Yeah, two ways of hacking, guessing your password and actually exposing a security flaw. And just have long passwords. That’s real simple.
– Cool. Well, if what we talked about today, guys, was interesting at all, please subscribe to our channel. We’re looking for more subscribers. We’re at like 50 or so, we could use a few more. And if you have a question or you want to make a comment, please do so below. Anything you want to add?
– Follow us on facebook and read our blog on acromedia.com.
– Cool. Signing out. (techno music)
