Hardening Internet and Phone against Hacking

Rigo

Just declined a job about installing some protection software for hardening the internet and the phone against hacking.
For the internet I guess it would be activating the firewall on the gateway as well as on the internet security package + strong passwords.
Hardening a phone against hacking I've got no idea about a software that would do that.
Note I wasn't given any idea how the hacking occurred. Whether exploited from the leaks in the news recently?
 
And there may, in actuality, have been no hacking (at least as I define it).

I recently had someone with an iPhone that suddenly had her Calendar packed with appointments that said things like, "Your data is entirely exposed, click {insert sketchy URL here}," that could not be deleted. I don't know how, exactly, she became subscribed to this calendar (not hers) that did not allow the appointments to be touched, but I do not think it was by some miracle of something sneaking in, unbidden, and subscribing her. It was way more likely to have been some social engineering where she opened the door herself. That's not hacking, that's the end user doing something stupid (which she realized, but at least she had the presence of mind to never activate any of the links).

A great deal of what end users call "hacking" isn't hacking, it's them falling for social engineering and inviting things in. Not that this isn't a problem, but it's not one that can be fixed with any sort of security software. The end user is the first and last line of defense, and in most instances if just a second or two is taken to think before acting, the worst will never occur to begin with.
 
Sad thing is, I believe we have ourselves, as an industry, to blame for that as much as anything else. There is a reflexive statement, "You've been hacked," from IT pros far too often when that is absolutely, positively not what has happened.

To me, hacking is strictly the cyber equivalent of breaking and entering. No direct end user involvement exists in a true hack, it's a break-in via surreptitious electronic means. Most attack surfaces don't come from true hacks. In fact, relatively few do.

The vast majority of computer infections (and I count smartphones) are the result of direct user action that puts the infection on "by invitation."

We haven't done a good job, at all, of emphasizing that it is social engineering, in all its guises, that is the primary mechanism of attack and infection. And the more we call it hacking ourselves, or allow that term to be used incorrectly, the more misconceptions grow. One of the biggest among those is that there is some magic silver cyber-bullet that can protect you rather than you having to take primary responsibility for protecting yourself. All security suites are, for the most part if not entirely, reactive. Those who've developed even minimal savvy in interacting with cyberspace virtually never see them have to handle anything.
 
A great deal of what end users call "hacking" isn't hacking, it's them falling for social engineering and inviting things in.

Sharing address books is another great vector.

In the end there is no cookie cutter approach. But the closest you can get is addressing PEBCAK as well as IDtenT faults.

I tell customers to question everything, especially emails directly addressed to them and phone calls. If you aren't expecting it then it's fraud. Only their customers and vendors, like me, will be contacting them unsolicited. Even then question anything involving the movement of money in any form or fashion.
 
I tell customers to question everything, especially emails directly addressed to them and phone calls. If you aren't expecting it then it's fraud.

We'll have to agree on the second, and agree to disagree on the first. I get all kinds of legitimate emails from my credit card companies, but, and this is a but that I teach my clients, I don't click through on any link in those messages. If it is legitimate, you're going to get the same notice when you log in to the specific account on the issuer's site, which is what I always tell people to do and do myself. If it's not there when you do log in on your card issuer's site, it's an immediate block in email and phishing report to the card issuing company.

The only instance where any service provider will call you about "something sensitive" is if you have initiated contact first and requested a call. And even then, there will always be a specific identifier supplied to you when you make the request that the person calling will produce, unbidden, at the outset of the call.
 
To me, hacking is strictly the cyber equivalent of breaking and entering. No direct end user involvement exists in a true hack, it's a break-in via surreptitious electronic means. Most attack surfaces don't come from true hacks. In fact, relatively few do.

The vast majority of computer infections (and I count smartphones) are the result of direct user action that puts the infection on "by invitation."

We haven't done a good job, at all, of emphasizing that it is social engineering, in all its guises, that is the primary mechanism of attack and infection. And the more we call it hacking ourselves, or allow that term to be used incorrectly, the more misconceptions grow. One of the biggest among those is that there is some magic silver cyber-bullet that can protect you rather than you having to take primary responsibility for protecting yourself. All security suites are, for the most part if not entirely, reactive. Those who've developed even minimal savvy in interacting with cyberspace virtually never see them have to handle anything.
That's exactly what I was trying to explain to the lady but she was adamant that it was real hacking and the matter had been referred to the police who advised her to have her systems hardened and protected. She was looking for someone who could do that confidently for her. That's where I gave up.
I can help someone understand how things normally can happen but we need to be prepared to accept responsibility.
There again I only know a tiny fraction of what's going on out there so couldn't be totally confident there mightn't be some magic bullet someone's come up with to help protect idiots from themselves.
From what I know to hack a phone requires either social engineering or access from leaked data. For routers and internet facing computers there are tools for a determined person to help go through these especially when badly configured.
Looks like the consensus supports my impression.
Thanks folks
 
That's exactly what I was trying to explain to the lady but she was adamant that it was real hacking and the matter had been referred to the police who advised her to have her systems hardened and protected.

So you have pretty much what @Markverhyden described in post #5.

By the way, I want to make clear that I wasn't trying to imply that you did not know what I had said, but so many people who think they've "been hacked" don't, and at least some of them have the lightbulb go off when walked through what's likely.

There are also those in an irrational frenzy afterward, and everything you're saying makes me think irrational frenzy. The cops really don't know a darned thing about this unless it so happens to be a unit that specializes in cyber crime. I'd be very willing to guess that's not who she dealt with, and it's very convenient to pass the buck when you have no idea what to do.

Consider yourself to be very lucky (and astute, which has nothing to do with luck) in having been sufficiently circumspect and declining as you did.
 
To be clear...

Social Engineering IS hacking. And there are services available that train companies on how to deal with it. It's yet another security offering.
 
Social Engineering IS hacking.

If you're willing to accept an incredibly broad definition, sure. I'm not. There is nothing new about scamming, and we don't consider phone scams to be hacking. Social engineering is no different than a phone scam except for venue.

It's useless to have a definition of hacking that broad.
 
It's useless to have a definition of hacking that broad
I subscribe to that.
Hacking from my understanding is using tools and procedures to access something without insider help. If the user follows instructions and gives access then it's like opening your door to the burglar and inviting them inside then complaining that you've been violated.
Well 🤔
 
Consider yourself to be very lucky
When someone specifies that they're looking for someone to "confidently" do a job for them based on their description of the problem that's a red flag for me.
I seldom know what I'm going to be doing on a system until I can assess myself its responses to my inputs.
When I'm expected to fix a computer problem like replacing a flat tyre, I walk away. Someone once said: "you don't need every one who enquires about your services to be a client" ~ although a lot of time I wished I heeded the advice in the pursuit of a challenge 😢
 
Looks like a well suited definition for marketing/commercial purposes. Is it technically correct?
Well he is one of the best known computer hackers in the past. He talks about social engineering and how business cant be trapped into releasing confidential information, rather than hack the system one hacks the individual.

Just look at all the info people put up on Social Media, it's like looking in a dumpster bin.
 
He talks about social engineering and how business cant be trapped into releasing confidential information, rather than hack the system one hacks the individual.

Which is convenient marketing spin, but stretches the definition of "hack" beyond all recognition.

Social engineering is a huge, massively huge, security threat. Calling it "hacking the individual" rather than what it is, scamming, is not helpful. The term social engineering is even a way of cleaning up the idea of scamming. It takes a simple and straightforward concept and cloaks it in terminology that's harder to understand, but it's still vastly superior to calling it hacking.

Not every attack surface involves hacking. Not even close.
 
Well what else do you want to define or call it then? You misunderstood my point, gleaning information from say a CEO is a term called "Whaling" this is a form of social engineering not "Spamming". It is higher level than someone from India or wherever pretending to be from a Telco ripping off lil ol Gran.
 
Well what else do you want to define or call it then?
Scamming, conning, seducing... = social engineering
I think of hackers as having a higher technical proficiency to enable them to go beyond the obstacle using their technical knowledge.
Social engineering scammers on the other end need someone to open the door for them so they can use tools, complex or not, to do their thing.
Might be wrong but that's how I thought of it.
Thinking about the Nigerian scammers on dating sites or wanting to share amazing inheritances, now crypto currencies are the way to go to get into gullible and greedy people's wallets.
 
That is totally different, hackers use the method of social engineering a lot. Hackers need someone to have an open door as well, via security holes and penetration of systems. They don't bother with small residential - that is the difference in what you speak of with these Nigerian and Telco scams.

Though the biggest threat of all is the end user - if one is there to open the door is that not easier than breaking in?

Tools can be purchased via the Dark & Deep web nowadays so makes no difference on expertise. It is how to cover your tracks on the way out is where expertise and knowledge come into effect.
 