Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep dive. Today we are taking
aim at something pretty central to modern life but often
really misunderstood, computer hacking. Yeah, definitely forget the cliches, you know,
the dark rooms, green text flashing. We want to get
into the real mindset, the methods, and maybe most importantly,
what you can actually do to protect yourself. Exactly.
Speaker 2 (00:21):
And I think our mission here for you listening is
to move past this idea that hacking is always some
super complex code breaking thing. Okay. Often hacking just means,
well, using skills cleverly to find weak spots, and overwhelmingly
those weak spots, they're.
Speaker 1 (00:39):
Human. Human vulnerabilities.
Speaker 2 (00:41):
That's it. Technology is moving so fast, but the biggest
threats to your privacy, they're often exploiting basic trust, not
some futuristic AI.
Speaker 1 (00:49):
Okay, let's unpack that. Because hacker itself is such a
loaded term, we probably need to define who we're actually
talking about first, maybe based on, like, their intention, the
old hat analogy.
Speaker 2 (00:58):
Precisely, it's a good shorthand. Basically, you have three relationships to
the system you're interacting with. First, the black hats, the
bad guys. Yeah, pretty much, they're looking for malicious unauthorized entry.
Their goal is, you know, theft, damage, messing with data.
They're criminals, plain and simple, no permission involved.
Speaker 1 (01:17):
Right. Then you've got the opposite, the white hats, ethical
hackers. Exactly.
Speaker 2 (01:22):
They're the defenders, often hired by big companies, think Facebook, Microsoft, Google,
places like that. They're authorized to attack the system, but
their job is purely to find those weaknesses and help
fix them before the black hats can get there. Essential
security work.
Speaker 1 (01:38):
So protectors, basically. Right. And the third type, the gray hats.
They sound a bit ambiguous. They really are. They operate
in this murky middle ground. They might exploit a system,
find a vulnerability without permission, okay, but maybe not with
purely evil intent. Often they'll tell the owner, hey, you've
got a hole here. But sometimes, sometimes they might ask
for a small fee, like a bug bounty. They set
(01:59):
themselves to fix it, which puts them in a tricky
ethical spot. Yeah, definitely a gray area. Okay. So we
have these different players. But here's what blew my mind
from the sources. When you look at how attacks actually
happen today, it's rarely the super technical stuff. It's mostly
about people. Social engineering, that is.
Speaker 2 (02:20):
The absolute key takeaway here, it's staggering really. Technical flaws,
they account for maybe, what, three percent of successful attacks?
Speaker 1 (02:28):
Only three percent?
Speaker 2 (02:29):
Yeah, the other ninety seven percent are purely based on social
engineering. Ninety seven.
Speaker 1 (02:34):
Wow. So the whole game has shifted. It's not about
breaking the code, it's about breaking the person, exploiting our psychology.
You got it, our instinct to help, maybe our fear
of authority, or just getting rushed into doing something without thinking.
Speaker 2 (02:47):
That's the target now, much more than the software itself.
Speaker 1 (02:50):
And within that huge ninety seven percent, there's one technique
that stands out.
Speaker 2 (02:54):
Oh yeah, the undisputed king is phishing. The stats suggest
something like ninety one percent, nine out of ten data
breaches start with a phishing attempt.
Speaker 1 (03:02):
Phishing. This is the classic email scam, right, trying to
lure you into clicking a bad link or giving up
your login details.
Speaker 2 (03:08):
That's the basics of it. Yeah, but what makes them
work isn't just the email itself, it's the psychology. How
so? They deliberately create this sense of urgency or maybe
a threat or fear. Yeah, they want to trigger an
emotional reaction, so you act fast before your logical brain
kicks in. Ah, think about that US Tax Day scam
back in twenty eighteen, emails claiming to be from the
(03:31):
IRS demanding tax details immediately. They used fear of the IRS,
the deadline pressure.
Speaker 1 (03:37):
To make people panic and hand over info. Exactly.
Speaker 2 (03:40):
And they often use those weird shortened links or links
that look legit but actually redirect you to a fake
site built just to steal your credentials.
Speaker 1 (03:47):
Okay, so that's manipulating fear. What about impersonation? How does
that work psychologically?
Speaker 2 (03:51):
Impersonation plays on our respect for authority really, or maybe
just our tendency to do what we're told by someone
who sounds like they're.
Speaker 1 (03:59):
In charge, boss or IT support.
Speaker 2 (04:01):
Precisely. Criminals pose as an IT executive, a manager, an auditor,
someone whose request you probably wouldn't question immediately. It takes
more setup for the attacker, sure, but the success rate
can be really high. We saw attacks like this jump
almost four hundred percent in one year because people just comply.
Speaker 1 (04:20):
Wow, that's a huge increase. And it's not just email, right?
We also need to think about vishing and smishing, voice
and text.
Speaker 2 (04:30):
Absolutely, these often fly under the radar of traditional email filters. Vishing,
that's voice phishing, happens over the phone. The attacker calls up,
tries to get credentials, or sometimes they're more aggressive. They
might try to talk you into running a script on
your computer or visiting a compromised website while you're on
the call. And they're harder to track, much harder,
no obvious digital trail like an email header. Remember that
(04:50):
massive IRS vishing scam that ran for years, twenty twelve to
twenty sixteen.
Speaker 1 (04:54):
I do remember hearing about that.
Speaker 2 (04:56):
Cost victims hundreds of millions, all because people believed they
were talking to a real IRS agent demanding immediate payment.
That fear factor.
Speaker 1 (05:04):
Again, and smishing is the text message version.
Speaker 2 (05:07):
Correct, SMS phishing. They get numbers from breaches, web crawling,
sometimes just random generators.
Speaker 1 (05:13):
And what kind of tricks do they use in texts?
Speaker 2 (05:15):
All sorts. They might promise fake coupons or discounts, playing on greed,
or they'll pose as your bank, you know, urgent, click here
to reactivate your card, or your online account expires today,
log in here to renew. Texts feel immediate, personal, so
people react quickly.
Speaker 1 (05:34):
It all comes back to that psychological manipulation. Okay, so
let's say they succeed, they trick us, that ninety seven
percent chance. What tools are they actually using then? What's
in their, like, digital toolkit once they have that initial access?
Speaker 2 (05:45):
Right, the toolkit. It can get specialized, but the concepts
are often quite straightforward. Take keyloggers, for.
Speaker 1 (05:51):
Instance. Keyloggers, they log your keys.
Speaker 2 (05:53):
Exactly that. They record every single keystroke you make,
usernames, passwords, credit card numbers, private messages, everything.
Speaker 1 (05:59):
How do they work?
Speaker 2 (06:00):
Well, think of your operating system having this thing called
an API. It's like a messenger carrying instructions. A keylogger
basically attaches itself to that messenger and copies down everything
you type before it even gets processed properly. It usually arrives
hidden inside some malware.
Speaker 1 (06:16):
Nasty. And what about rootkits? That sounds even worse.
Speaker 2 (06:19):
Yeah, the name is pretty menacing, isn't it. A rootkit
is basically a collection of software tools designed to give
an attacker deep remote access and control over your system.
And crucially, it hides itself really well from detection.
Speaker 1 (06:33):
So it's like a hidden back.
Speaker 2 (06:34):
Door, kind of. Yeah. If the keylogger is spying
on your typing, the rootkit is like a secret
agent living in your computer, giving the hacker full control
to steal files, install more bad stuff, or even crash
the whole system. And again, they almost always get installed
through those initial social engineering tricks.
Speaker 1 (06:51):
It's interesting that one tool you mentioned, the vulnerability scanner,
is used by both sides, black hats and white hats.
Speaker 2 (06:57):
Yeah, it's purely a tool, like a hammer. White hats
use scanners to find security holes so they can fix
them quickly. Black hats use the exact same scanners to
look for those same weaknesses, but obviously they want to
exploit them. It's like checking the doors and windows before breaking in.
Speaker 1 (07:12):
Right. Okay, let's talk passwords. We hear password cracking all
the time. Can we break down the main ways they
actually do it? Yeah.
Speaker 2 (07:19):
Sure. Think of them mostly as automated guessing games. The
most famous is probably the brute force attack.
Speaker 1 (07:25):
That's just trying everything.
Speaker 2 (07:27):
Pretty much. Automated software just systematically tries every possible combination
of letters, numbers, symbols: a, b, c, aaa, aab, aac, one two three, one
A, one B. It just keeps going until it hits the
right one.
Speaker 1 (07:41):
Must take ages for complex passwords.
Speaker 2 (07:43):
They can, yeah. That's why password complexity helps. Then you've
got a variation called the dictionary attack.
Speaker 1 (07:48):
Using dictionary words. Exactly.
Speaker 2 (07:49):
Uses huge lists of common words, phrases, names, maybe common
modifications like adding, what, twenty three at the end. Shockingly
effective because, well, so many people use simple words or
predictable patterns.
Speaker 1 (08:01):
Okay, that makes sense. And the third one reverse brute force.
How's that different?
Speaker 2 (08:05):
So instead of trying many passwords against one username, reverse
brute force takes one really common, leaked or weak password
like password one, two three or maybe spring twenty twenty
four and tries it against thousands or millions of different usernames.
Speaker 1 (08:21):
Ah, playing the odds that someone used that specific weak
password. Exactly.
Speaker 2 (08:26):
They know a certain percentage of people will always use
the easiest option. The defense against all three really is
a strong, unique password, ideally long, random, maybe multi-word.
Makes sense.
Speaker 1 (08:38):
Let's shift to attacks specifically targeting websites. What's an SQL
injection? Sounds technical.
Speaker 2 (08:43):
It is a bit technical, but the concept isn't too bad.
Imagine a website search box or the login form.
Those boxes need to talk to the website's database behind
the scenes using a language called SQL. Okay, if the
website code isn't careful about checking what you type into
that box, an attacker could actually type in malicious SQL
commands instead of a.
Speaker 1 (09:00):
Search term and trick the database.
Speaker 2 (09:02):
Yeah, basically trick the database into doing something it shouldn't,
like revealing all the usernames and passwords stored inside or
customer data. It's exploiting a loophole in how the website
handles user input.
Speaker 1 (09:13):
Gotcha. And the other big web attack, DDoS, distributed denial of.
Speaker 2 (09:18):
Service. That one's maybe easier to picture. It's basically just
a massive, overwhelming traffic jam created on purpose.
Speaker 1 (09:25):
Traffic jam.
Speaker 2 (09:26):
Yeah. The attacker uses a network of compromised computers, sometimes
thousands or millions of them, called a botnet, to flood
the target website or network with so much junk traffic
that legitimate users can't get through. The whole service
grinds to a halt, becomes unusable.
Speaker 1 (09:42):
Overwhelmed by noise. Okay, let's move to some specific case studies.
The sources talk about something called session hijacking using cross
site scripting, or XSS. Can you break that down simply?
Speaker 2 (09:53):
Okay?
Speaker 1 (09:53):
Sure?
Speaker 2 (09:54):
Think about when you log into your bank account online,
you navigate around check balances, make transfers. You don't want
to type your password on every single page.
Speaker 1 (10:01):
Right, right, that would be annoying.
Speaker 2 (10:02):
Exactly. That convenience comes from something called a session ID.
Once you log in, the website gives your browser a
temporary token, like a digital hall pass. This little piece
of data, often stored in something called a cookie, proves
to the website that you're already logged in for that session.
Speaker 1 (10:19):
Okay, so the hacker wants my hall.
Speaker 2 (10:20):
Pass. Precisely. Now, XSS, cross site scripting, happens when a
website doesn't properly clean up the input fields, maybe a
comment section, a user profile, somewhere users can type stuff.
An attacker injects a small piece of malicious code, usually JavaScript,
into that field. And then what? Then an unsuspecting user,
(10:42):
maybe even someone with high privileges like a site administrator,
visits that page. The malicious script runs silently in their
browser and steals their session ID, that hall pass.
Speaker 1 (10:51):
Oh wow.
Speaker 2 (10:52):
The hacker then takes that stolen session ID and uses
a tool to basically stick it into their own browser's
request to the website. The website sees the valid hall
pass and thinks the hacker is the administrator, so they get logged in,
effectively impersonating the victim without ever needing the password.
Speaker 1 (11:07):
So they're logged in without actually logging in. That's sneaky.
Very, and.
Speaker 2 (11:11):
That's why website security involves constantly checking and cleaning user input,
encrypting those session cookies, setting them to expire quickly, all
that stuff.
Speaker 1 (11:20):
Right. There was also that incredible story about Instagram. A
researcher found a way to potentially hijack any account and
got paid for it.
Speaker 2 (11:30):
Yeah, that was Laxman Muthiyah. He got a thirty thousand
dollar bug bounty from Facebook for finding and responsibly reporting it.
Speaker 1 (11:37):
It was clever.
Speaker 2 (11:38):
He targeted the password reset.
Speaker 1 (11:40):
Feature, the one that sends a code to your phone. Exactly.
Speaker 2 (11:42):
You get a six digit code via SMS or email. Right,
But the trick is that code usually expires pretty quickly,
maybe ten minutes, and Instagram, like most services, has rate
limiting in place.
Speaker 1 (11:54):
Meaning you can't just guess codes endlessly.
Speaker 2 (11:57):
Right. They block you after a certain number of failed
attempts from the same place, the same IP address. Yeah,
but Muthiyah figured out a way around the rate limit.
He realized he could send a huge number of simultaneous guesses,
but crucially, he sent them from many, many different IP addresses,
all at once, constantly rotating them. The system's rate limiting
wasn't sophisticated enough to catch that distributed attack.
Speaker 1 (12:18):
So he could just flood it with guesses from everywhere.
Pretty much.
Speaker 2 (12:22):
He calculated he'd need about five thousand different IP addresses
to have enough guesses to reliably crack the six digit
code within that ten minute window.
Speaker 1 (12:30):
Five thousand IPs.
Speaker 2 (12:32):
That sounds expensive. You'd think so, but here's the kicker.
He estimated he could rent those five thousand IPs from
cloud computing providers for only about one hundred and fifty
US dollars.
Speaker 1 (12:43):
Wow, only one hundred and fifty bucks to potentially take
over any Instagram account. That's sobering.
Speaker 2 (12:48):
It really shows the economics of these things and why
finding and fixing these flaws is so critical and why
responsible disclosure like he did is so important.
Speaker 1 (12:57):
Absolutely. And speaking of mobile, let's touch on smartphone-specific attacks.
The sources mentioned they have a high success rate.
Speaker 2 (13:03):
They do. Yeah, the mobile threat landscape is a bit different.
You know, for regular computers, hackers might use RATs, remote
administration tools, things like NanoCore or DarkComet, to get
control. Okay, for smartphones, especially Android, you have similar
tools like AndroRAT or DroidJack. They can be really effective.
But phones also have that unique SMS channel that computers don't.
Speaker 1 (13:24):
Right. You mentioned vishing and smishing, but are there other SMS.
Speaker 2 (13:29):
Attacks? Yes, some quite alarming ones. There's something called the
midnight raid. A simple SMS can be crafted to silently
trigger actions on the phone, like opening the browser to
a malicious site, retrieving device info like its unique ID number,
or even pushing malware onto the.
Speaker 1 (13:46):
Device, all from one text message.
Speaker 2 (13:47):
Potentially, yes. And then there's the control message attack. This
is even scarier. Certain types of control messages, if exploited,
could potentially change core phone settings without you knowing, things
like disabling security features, maybe unchecking SSL so your encrypted
connections aren't actually encrypted anymore, or, in a worst case scenario,
(14:08):
pushing a remote wipe command to erase everything on the phone.
Erase everything? Yes, and imagine if that wipe command could
then be forwarded to everyone in the hacked phone's contact list.
The potential for damage spreads rapidly.
Speaker 1 (14:22):
That's terrifying. Okay, let's shift to our final section. This
is something a lot of people worry about: IP addresses.
If someone online gets your IP address, should you panic?
Are they in your system? Right.
Speaker 2 (14:34):
This causes a lot of anxiety. Let's be really clear.
An IP address by itself is just a number. It's
like your house's street address, but for.
Speaker 1 (14:41):
The Internet. Your Internet provider gives it to you. Exactly.
Speaker 2 (14:44):
It's assigned by your ISP, and it's necessary for your
computer or phone to send and receive data online. Just
knowing someone's IP address is generally normal. It happens constantly during
web browsing, gaming, emailing. It's not inherently illegal or dangerous.
Speaker 1 (14:57):
So the danger isn't the IP itself.
Speaker 2 (15:00):
No, the danger only comes if someone uses that IP
address to actually try and attack or violate your device
or network. That act is illegal, But simply knowing the
number doesn't grant them automatic access. Think of it like
knowing someone's home address doesn't mean you can walk through
their locked front door.
Speaker 1 (15:18):
Okay, that helps clarify, But how do hackers actually track
an IP address if they want to target someone specifically?
Speaker 2 (15:25):
Well, the most reliable way to silently get someone's IP
is to trick them into sending traffic directly to you
or to something you control. A common method involves setting
up a simple, free website. You upload a small script,
often called an IP finder or logger. Then you give
the target a specific link to that website, maybe disguised
as a link to an image or an interesting article.
Speaker 1 (15:46):
And when they click it.
Speaker 2 (15:47):
When they click the link, their browser connects to your
website to load the content. Your script then automatically logs
their IP address, often along with their browser type and
operating system details, all silently in the background.
Speaker 1 (15:59):
Okay, so now the hacker has my IP knows I
use Firefox on Windows for example. What can they realistically
do with just that information? What's the actual threat level?
Speaker 2 (16:10):
This is important. For many, let's say, less skilled or
amateur hackers, getting that info, the IP, the browser, is
often just used for.
Speaker 1 (16:19):
Scare tactics, just to frighten people.
Speaker 2 (16:21):
Yeah, they'll message you saying I have your IP, I
know you're using Chrome, I'm hacking you, hoping you'll panic,
maybe even try to extort money from you. In reality,
they might not have any deeper access at.
Speaker 1 (16:32):
All. So it can be a bluff. What about finding
my location?
Speaker 2 (16:36):
Geolocation from an IP address is not precise. It gives
an approximate location, usually narrowed down to your city or region,
maybe a few square kilometers in urban areas, maybe dozens
in rural areas. It points to the general areas served
by your ISP's equipment, not your specific house. Only your
ISP or law enforcement with a warrant can link that
IP to your exact physical address.
Speaker 1 (16:57):
Okay, so they don't instantly know where I live. Could a
skilled hacker use the IP to actually get in?
Speaker 2 (17:02):
That's where the complexity comes in. A skilled attacker could
use your IP address as a starting point. They would
likely try to scan your internet router, the box connecting
your home network to the Internet, looking for open ports
or known vulnerabilities.
Speaker 1 (17:17):
How would they do that?
Speaker 2 (17:18):
They try to figure out the make and model of
your router, the software version it's running, and then check
databases of known exploits for that specific hardware or software.
Or if they find an administrative login page for the
router exposed to the Internet, they might try a brute
force or dictionary attack against the router's password itself.
Speaker 1 (17:35):
But that sounds difficult and time consuming.
Speaker 2 (17:38):
It absolutely is. It's a long, complex process, not instant
access by any means. Most home routers have basic security features.
Default passwords should always be changed, and keeping firmware updated
helps close known vulnerabilities.
Speaker 1 (17:52):
So what's the simplest defense If I'm worried someone has
my IP?
Speaker 2 (17:56):
Often the easiest thing is just to reboot your router.
For most home Internet connections, this will cause your ISP
to assign you a new public IP address. The old
one becomes useless to the attacker.
Speaker 1 (18:07):
A simple reboot, okay. And for more robust protection.
Speaker 2 (18:10):
For genuine anonymity and security against IP tracking and some
types of scanning, using a reputable VPN, virtual private network,
is a good step, or for higher security, using something
like the Tor network. These services mask your real IP
address by routing your traffic through their servers.
Speaker 1 (18:27):
Makes sense. VPNs and Tor for masking.
Speaker 2 (18:30):
Okay. So if we kind of pull all these threads together,
what does it all mean? I think the big picture
is that no single piece of software, no machine, can
give you one hundred percent guaranteed security, especially in a
world where technology keeps changing so fast. Awareness, being diligent,
staying informed, these are just essential now, particularly when as
(18:52):
we saw, ninety seven percent of attacks are aimed squarely
at our basic human instincts and reflexes.
Speaker 1 (18:57):
That really is the most critical takeaway, isn't it? It's less
about fighting off some super genius coder in a basement. Often, yeah,
and more about recognizing and resisting that social exploitation. Using strong,
unique passwords, not falling for those urgent, fear based requests,
being skeptical, that's your first and best line of defense.
Speaker 2 (19:15):
Absolutely, and supporting things like responsible disclosure like the Instagram
researcher did is vital too. That helps everyone become safer
by getting flaws fixed before they're widely abused.
Speaker 1 (19:24):
Definitely. Okay, let's wrap up with a final thought for you,
our listener, to take away and maybe mull over. Given
that the overwhelming majority of successful attacks, that huge ninety
seven percent statistic, rely not on technical wizardry, but on
exploiting basic human psychology, our instinct to help, our deference
to authority, what's one small daily habit you could change,
(19:46):
starting right now, to make yourself less exploitable? Think about
that immediate reaction you have when you get an urgent
email or call from someone claiming to be your boss
or the bank or IT support. Could you build in
just a tiny pause, maybe a five second verification delay,
before you automatically click or comply? How might that change
things?