preface

Speaking of network-based attacks, we may think of SQL injection, SSRF, CSRF these more common because of software vulnerabilities caused by the attack, but the network is far more than that. This article will introduce some common network security problems and attack methods, improve the security of the Internet and confidentiality awareness, to help you identify common network information leakage, network failure and the stage of occurrence.

The security of information system refers to integrity, confidentiality, availability and non-repudiation.

The corresponding means of attack are wiretapping, tampering, forgery, replay, denial and denial of service.

For a common front end test, type www.baidu.com in the browser address bar and press Enter. What happens? Let’s also follow this train of thought and talk about security on the network.

DNS and name resolution

To find the corresponding server, you first need to know its IP address. This process is called name resolution. For a traditional browser, it usually goes directly to the operating system for queries.

When connecting to the network, the gateway assigns a DNS address to the operating system, which is called the local Name Server (LDNS). The system performs DNS queries based on IP-UDP through port 53. So a DNS packet also has IP and UDP contents. The complete DNS packet looks like this:

If a name server cannot answer our query, it will choose to perform recursive query or iterative query depending on the RD flag bit of the request and whether it supports recursive query. LDNS is usually recursive, that is, it will help us get the final result and return it to us. The root name server, root name server, and so on are usually iterative, as shown below:

DNS is a protocol based on trust relationship. All information on a path is transmitted in plain text without any protection or verification, resulting in many problems.

Attacks against DNS

If our local name server (usually provided by the carrier) is not trusted, it can tell us any wrong server address. For example, before the domestic network governance is not strict, often appear when we visit some websites, jump to the advertising navigation page of some operators…

DNS hijacking is called DNS hijacking (= temporarily taking control of something) by sending back bogus IP addresses, causing browsers to request content from the wrong server.

LDNS is an internal ghost, so you can manually set a trusted LDNS in the router or Windows Settings. In the past, if you used to surf the Internet a lot, you might change your DNS address to 114.114.114.114 or 8.8.8.8 to alleviate this problem, and you can also access some websites that could not be opened otherwise.

But later on, it didn’t help much.

Even with 8.8.8.8 set, when we visit Google or some other web site, we still can’t access it. Or you get a certificate error and the certificate points to Facebook; Or simply time out and cannot be opened. Is this still a DNS problem?

We’re throughnslookupHow could it be so fast to access Google’s server? Is it right next to us? Further anti – check its corresponding domain name, this this this, see its binding of these domain names, how to think are a few illegal websites. Why is that? I changed the LDNS address to 8.8.8.8 Google DNS, why does it return its own server address?

8.8.8.8 is Anycast, but Google should not have servers in China, 10ms response speed is questionable.

DNS is in clear text, even if there is no ghost, and worse: virtually everyone on the link knows that you are visiting the site, they can directly see your IP address, port, domain name to query, etc.

Reviewing our DNS Packet, limited by THE DNS protocol, the host considers that it has received a DNS response as long as it receives the same response as the requested Query ID, and it cannot verify whether the response is really returned from the corresponding server. In plaintext DNS Query, everyone on the link has the ability to see your Query ID. They can directly return arbitrary results to you before your Query server returns. This is called DNS responder.

According to the above analysis and the method mentioned in the article, no matter how your LDNS is set up, someone can answer a random or incorrect address based on the content of your query.

Of course, there are many other attacks, such as cache poisoning, denial of service (DoS)…

Thus, against our definition of security, the plaintext DNS protocol is at risk of eavesdropping, tampering, forgery, and denial of service.

Alleviating DNS attacks

How to solve the problem of DNS?

DNSSEC (Domain Name System Security Extensions) solves the problem of DNS tampering and forgery. It makes sure that the DNS response is from an authoritative server by signing it. Although people on the path can see the request and response, the forged response does not have the signature of the corresponding server. Once tampered, the original signature is invalid. The attacker can see, but can’t touch.

DNSSEC requires authoritative DNS servers to be enabled and set up, and all DNS servers on the link to be supported to build a chain of trust. Furthermore, it requires the recursive name server to validate the response, a mechanism that makes little sense if the recursive name server, LDNS, is itself a ghost.

So, how can people on the link not see what we are querying, or even know that we are querying DNS, so as to avoid eavesdropping and answering DNS queries? The TCP/IP layer can’t do that. We can do that at the application layer. DoH (DNS over HTTPS) or DoT (DNS over TLS) can solve this problem. Because the basic principle is the same as HTTPS, its more secure principle, and the attacks against it, will be continued in the section on HTTP and HTTPS.

DoH requires us to actively enable it on the client side. DoH(or DoT) is now supported by major browsers (e.g., Chrome, Edge) and the latest operating systems (e.g., Windows 11, Mac).

After DNSSEC and DoH, the ghost problems on the link are solved one by one. DNS queries can’t be seen, touched, or even known that we are using DNS, which is much safer for us.

Let’s review with three images (source:www.3key.company/encrypted_d…

DNS: Visible, tangible

DNSSEC: Visible, invisible, but invalid if ISP DNS is inside

DoH: Cannot be seen or touched. It needs to be combined with DNSSEC to ensure safety

DNS has more than just A records (IPv4) and AAAA records (IPv6)! It will also store some special information, such as MX records for mail server, TXT records for storing all kinds of public authentication data, such as HTTPS certificate used to verify domain name ownership, storage service discovery data… So DNS security is very important.

But assuming you’re a top hacker and don’t want anyone to find out where you are, that’s not enough. Security requires non-repudiation, and you need to deny doing anything at all times. If the DoH server is on its guard, it can still know who we are and what websites we are visiting…

Finding a better and more trustworthy DoH server is fine, but geeks like to be technically assured of it. One way, for example, is through a proxy server. If we always query through a trusted agent. That way, the DNS server can’t see who we are. According to this basic principle, ODoH(Oblivious DNS over HTTPS) to take the problem one step further.

The Proxy should be a decentralized, randomly selected server, otherwise the Proxy and target server might collude and this operation would be completely meaningless.

At present, most global CDNS are implemented through GeoDNS, that is, authoritative name servers return the IP address of the nearest machine room by requesting the region of the source. In China, if you use the DoH provided by foreign countries or query DNS by proxy, you will often get the machine room in foreign countries with very poor routing, which slows down the access speed of all websites. It is equivalent to sacrificing efficiency for security.

  • You can consider foreign DNS proxy + domestic DoH
  • Or choose a different DoH server for Chinese and foreign websites

Implementation principle of Geo-based DNS

As you can see from DNS, the early protocols of the Internet were basically based on trust, and the better Internet is trying to turn those old protocols based on trust into new protocols that are technically secure.

Of course, none of these scenarios solves a worse situation: a top-level name server or top-level domain name server is not trusted.

While this hasn’t happened yet, top-level name server outages do happen. There are some people on the Internet who imagine and work to resolve this contradiction between authority and decentralization: Handshake Name resolution system. To see how it solves this problem, check it out here: handshake.org/.

Network layer and IP protocol

Last time we talked about the mole and other attackers, how did they get the information we sent to the target server? So we’re going to talk about how packages are routed in links. When we get the IP address of a server correctly, we are far from done. We only solve the problem of who it is. There is still a long way to go from the IP to the corresponding server.

We’ll continue to work out why it is, where it is and how to find it.

Routing strategy

Ever wonder why my IP address is A and its IP address is B? If I change my IP address to it, will I become it and receive all the packages that should be sent to it?

Because IP addresses are uniformly held, assigned and tracked by RIRs(Regional Internet Registries), who holds which IP addresses should be known and traceable. If all ISPs and IP Transit providers faithfully verify that their broadcast IP address belongs to them, that the IP address of the forwarding party really belongs to the other party, and that the IP address of the broadcasting party really belongs to the other party, Then they both have the ability to detect errors and refuse to trust. So, normally it doesn’t.

The resource holder with the corresponding IP address segment needs to associate the IP address with a specific AS(Autonomous System) (AS can own the IP address or authorize other AS to broadcast the IP address). It broadcasts in a certain area and eventually connects to the global network through BGP. This is my authorization when I request to license the IP address segment to Quadranet(AS8100) broadcast.

After an IP address is broadcast in an area, we can use certain routing protocols, such as ARP, OSPF, and BGP to find and communicate with it.

When you (192.168.1.100) visit a website (45.45.212.100), one possible path is:

Your computer (192.168.1.100) – ARP => your router (192.168.1.1/23.226.130.100) – Network Address Translation (NAT), ARP, RIP or OSPF => ISP route (23.226.130.2) -> OSPF or IBGP => AS boundary (23.226.128.1) – BGP => Target AS gateway (45.45.128.1) -> OSPF and ARP => Peer server (45.45.212.100)

Attacks on network links

At present, communication on the network is based on IP protocol. The plaintext transmits the original IP address and the destination IP address without any encryption or verification mechanism.

If there’s a mole on this path, say, an ISP router.

If it wants to hijack your access to a website, just change the destination of your IP layer header, change the source of your return packet header, do a malicious “NAT”, and you’re unknowingly accessing another server.

Or if it wants to censor your visits without your knowledge, it’s easy to keep track of which sites you visit each day and block access to certain sites.

Even if there is no inside-out, all the neighbors in the path (in the sense of network) can abuse the corresponding protocol and declare themselves to be the server of the other party by means (such as ARP spoofing, OSPF spoofing, BGP hijacking, etc.). Or it has the address segment 104.193.88.0/24 (OSPF/IBGP/EBGP) of the peer server. If a router or authoritative router has a loophole in its authentication mechanism and is tricked, it can easily hijack network traffic by forwarding all packets from the corresponding IP address or network segment to the attacker.

Among these protocols, BGP has the greatest impact. It often causes network packages destined for one area to be sent to another area, causing Internet failure or even interruption in the whole area. Incorrect routing also happens on BGP, and each time it has a significant impact on the global Internet in the corresponding area. This is called BGP Incidents, which can be divided into BGP Hijacking, BGP Leak and IP address spoofing.

What are Routing Incidents? (Part 4)

CloudFlare also describes a (possible) cryptocurrency attack via BGP hijacking:

BGP leaks and cryptocurrencies

The attacker uses BGP to declare that he owns the IP address segment of Amazon DNS and hijacks DNS resolution. When a user visits a cryptocurrency site, a malicious site is returned to steal the user’s Cookies/account passwords.

In China, Github and JD.com were attacked by middlemen.

Unfortunately, all protocols at the network layer are based on trust. We can’t solve any security problems at this layer other than transferring data as best we can, and we believe what the network layer says. The only way to alleviate this problem is to resort to the application layer, using proxies or VPNS.

At present, most of the IP addresses we access are Intranet addresses, and some even need multi-layer translation through NAT to the public network. This causes a public IPv4 address to be shared by users in one or more zones.

When IPv6 came out, many people were not optimistic about it, because each person and each website uses an independent IP, so that operators can accurately locate who is visiting what website according to IP packet. Is it true?

HTTP and HTTPS

After DNS resolution and routing, we are now going to establish a connection with the server, whether it is the one we want or not. In browsers, the most common protocols are HTTP and HTTPS.

Attacks against HTTP

The Hypertext Transfer Protocol (HTTP) establishes a connection through TCP, and transmits all content, including the requested domain name, path, request content, and response content, in plain text. And everything you can think of, and there is no way to verify the identity of the responding server.

Clear? Lack of validation mechanism? Then the mole will be here again. Based on the knowledge of routing policies above, it is easy for them to eavesdrop, tamper with, forge, replay, and deny service. In the early days of the Internet, operators could insert small ads on pages (though DNS hijacking was most common), or the connection could be reset when searching for certain keywords.

In the era without HTTPS, when registering or logging in to some websites and transferring passwords, in order to prevent eavesdropping, the common method is that the back end returns an RSA public key to the front end. The front end encrypts the password sent by its own request through the public key, and the back end decrypts the password with the private key to improve security to some extent.

The mobile version of Weibo, for example, now returns Pubkey, but it is no longer used to encrypt passwords.

In fact, if there is a mole on the link, targeting you or some services, this is not very helpful. Although it looks secure, eavesdropping is almost as difficult as tampering in the eyes of an attacker. If it can monitor your request, it can also tamper with the public key the server gave you and replace it with its own public key, allowing you to encrypt your password to an attacker without knowing it.

(So the U shield or ActiveX controls of early online banking were still useful.)

Fortunately, we now have HTTPS in widespread use.

Attacks against HTTPS and mitigation methods

HTTPS uses TLS to prevent eavesdropping, tampering, forgery, replay, and denial at the application Layer. HTTPS principles are also often examined in front end interviews. A quick recap:

From segmentfault.com/a/119000002… TLS 1.3 encryption is quite different

Note that HTTPS security is established at the application layer. The underlying TCP and UDP protocols disclose information such as the original IP address, destination IP address, and protocol used.

Man-in-the-middle attacks caused by trust certificate or SECRET leakage

HTTPS is secure enough in most cases, however, there are still plenty of ways to break into it. For example, the server may leak the certificate private key for various reasons. Alternatively, the client installs an untrusted certificate or a man-in-the-middle attack caused by malware that shares a pre-shared key.

For example, if You install Bifrost and trust the certificates it provides, Bifrost can decrypt our HTTPS requests.

Or after SSLKEYLOGFILE is exported, HTTPS sessions during this period can be decrypted (see key log for TLS 1. 3).

There are also hidden, complex reasons why HTTPS is no longer secure.

The authority issues the certificate incorrectly or is attacked

The scariest thing is that the authority issues the certificate unduly. If an authority issues a certificate without validation, or deliberately issues the wrong certificate for any purpose, it can make HTTPS all over the world less secure. What’s more, it actually happened… As a result, there is currently no trusted Root CA in China. If that happens, the hope is that the browser and operating system will react quickly and remove the trust corresponding to the root certificate.

However, at present, browsers require certificates to comply with Certificate Transparency to be trusted. Many organizations will monitor the issuance and use of certificates for website owners and monitoring organizations to discover the CA of these unauthorized certificates. In addition, TLS is Perfect Forward Secrecy, so even if the documents are stolen or the key is leaked one day, it cannot decrypt or forge a conversation that has taken place before.

If an authority or intermediary is attacked, resulting in the leakage of private keys, etc., websites that use certificates already issued by the authority are no longer secure. Currently, the browser can use the Online Certificate Status Protocol (OCSP) to check whether a Certificate is normal or revoked.

Degrade to HTTP degrade attacks

Man-in-the-middle attacks against HTTPS usually occur before a connection is established, because once an HTTPS connection is established, all communication between the client and server is encrypted, making it difficult to operate. Therefore, the most common approach is for an attacker to discover that you are trying to establish an HTTPS connection, directly intercept the request, and fake the server to return that it does not support HTTPS, please use HTTP.

We are not helpless against such attacks. HSTS(HTTP Strict Transport Security) can alleviate this problem to some extent. If a web site never uses HTTP, it can force the browser to use HTTPS and remember it for a while by setting HTTP headers.

Strict-Transport-Security: max-age=<expire-time>
Copy the code

According to the standard, web sites configured with HSTS should have no way to continue using HTTP connections. If HTTPS fails and the browser fails without the option to proceed to XXX, the site is configured with HSTS.

But Chrome also has a backdoor that allows you to override this warning by typing thisisunsafe on the same page.

However, the first request of HSTS is HTTP and can still be hijacked. Browsers usually write down some domain names to force HSTS to be enabled, but this is not enough. Therefore, some people have proposed better implementations such as HSTS based on DNS.

A degrade attack that degrades to a lower version of a security suite or encryption mode

And HTTPS is not inherently secure. Currently, the commonly used encryption method is TLS 1.3, while SSL 3.0, TLS 1.0, 1.1 used before have their own vulnerabilities and corresponding cracking methods. As a result, attackers can intercept negotiation requests with HSTS in effect, fake servers to return only lower-version HTTPS suites, and force browsers to degrade and decrypt them, which are not covered by current HSTS.

These are several common degradation attacks against HTTPS.

Other drawbacks of HTTPS

Let’s say we take into account all the previous security solutions and go to Google: with Cloudflare DoH, nobody can stop me from getting Google’s IP address; With Google’s latest IPv6 address, no one knows it’s Google from the IP address; With HTTPS, no one knows who I’m connecting to or what I’m accessing, and now the people on the link don’t know, right?

🙈 but I found, or not on Google….

That’s because SNI(Server Name Indication), a widely used HTTPS extension, has the fatal problem of giving away the domain Name you’re trying to access. Multiple servers can be deployed on one IP address, but HTTPS requires a certificate with the correct domain name to work. Before establishing a connection with you, the server needs to know the domain name you want to access and provide the HTTPS certificate of the corresponding domain name.

Your browser sends the domain name to the server in clear text so that the server can decide which certificate to use.

This creates an opportunity for insidious and other attackers to compromise HTTPS confidentiality. Furthermore, an attacker can use this information to associate a domain name with an IP address, heuristically knowing the subsequent domain name corresponding to that IP address.

The good news is that TLS 1.3 can be addressed using the ESNI(Encryped SNI) extension. ESNI relies on DNS, DNS relies on DNSSEC and DoH, which in turn relies on TLS… Security is weak and mutually reinforcing. If any link goes wrong, no matter how safe the other links are, it is useless.

CloudFlare provides a detection service that helps you verify that your browser is secure.

The browser

Using these techniques, we have established a trusted channel with the target server and can officially start communication.

But… What if it’s a bad guy?

Attacks that exploit browser vulnerabilities

In the IE era, there is often a strange link in the case of the virus. Even if the current Chrome has a better security mechanism, it is inevitable that under certain conditions, there are some loopholes for malicious use. For example, clicking a link on wechat can launch an application or perform certain commands…

Once the browser vulnerability is exploited, it usually leads to the whole system being breached, affecting a larger range, and of course, it is correspondingly difficult to exploit.

An attack that exploits Web standards vulnerabilities

When Web standards are not perfect, old browsers may also have many cross-domain problems. Attackers can use various means to cross-domain access and steal cookies. Modern browsers try to keep us as safe as possible, but there are all sorts of weird ways to attack, and there’s no way to protect against them… Let’s take some known examples:

DNS rebinding attack

Generally, when a user sends a request to a different domain, the browser considers that the request violates the same Origin policy and uses Preflight to check whether the request is reasonable or intercepts the request to ensure security.

Assume that A user is browsing website A. Atacker (IP: 192.0.0.1) and website B. Victim (192.0.0.2) has A /get_password interface. In normal cases, A cannot request this resource from B. However, if A changes its DNS resolution to 192.0.0.2, it can easily access B’s resources by accessing A.atacker /get_password without violating the same origin policy.

In reality, most websites have Host Check and do not have the same HTTPS certificate as A, so the possibility of successful attack is relatively small. It is usually used to detect and attack Intranet devices, such as Intranet routers, intelligent devices, and Internet of Things devices.

Browsers have also come up with some ideas to address these issues, such as DNS Pinning.

An attack based on cross-network cache poisoning

The browser caches some resources based on the server’s cache control and then reads them directly on subsequent access. This usually doesn’t matter when you’re on an external network, but if you’re connected to public wifi, that’s not the case.

If you have a router at home, it is accessed via my-awesome-Router.com and loads a /jquery.js user interface. Generally, Intranet devices cannot provide HTTPS certificates; otherwise, serious security problems may occur.

Usually in restaurants or shopping malls, we need to open a login page to connect to the public wifi. After logging in, we can access the Internet. But if the hotspot is malicious, when you open its login screen, it can jump to any domain, such as my-awesome-Router.com, for login, and then cache resources under that domain, such as /jquery.js.

When you go home and log into your router administration interface, an attacker has the ability to take control of your entire Intranet device without your knowledge.

Of course, for non-HTTPS sites, such as a corporate Intranet page that does not have HTTPS (HTTPS does not share the CACHE with HTTP and cannot write to the HTTPS cache if an attacker is unable to crack HTTPS), it can also inject scripts into the corresponding page in this way. Attacks the Intranet with the help of security vulnerabilities.

Bypass attack based on information collection

There are also many bypass attacks on specific websites that leak information.

What do you do if you want to visit sites that you don’t want to be found? Privacy mode? Open a new user? Using a proxy? Unfortunately, none of this works. Some browser features can reveal your unique characteristics and ultimately determine which websites you visit. This technique is called browser fingerprinting.

FingerprintJS, for example, makes it easy to tell if you’re in private mode and determine your identity (and the horror of the site is that it’s largely useless against known anti-fingerprinting methods).

There are also ways to track using techniques called supercookies. For example, the browser usually caches favicons, so it can determine who you are and track your visit history by generating different Favicons for different visitors. Alternatively, the browser will cache HSTS…

Some test sites for related technologies

  • amiunique.org/fp
  • fingerprintjs.com/github/
  • audiofingerprint.openwpm.com/
  • supercookie.me/
  • Mp.weixin.qq.com/s/gFCGM7ANO…

Weakest Link: You

The weakest link in the security system is people. The most successful attack on the Internet is brute force. As long as your IP address is visible on the public network, thousands of scanners will try all kinds of password combinations every day, exploiting vulnerabilities in all kinds of common software to break into your system.

Once your system or you have been breached, then all network security measures are useless. Common reasons for being attacked:

  • Connected to some malicious public Wifi, hijacked, bugged, or poisoned

  • Some malware was installed and a virus file was executed

  • Use SOFTWARE such as FRP to expose ports to the public network, use weak passwords, disable firewalls, and open common ports

  • Using software with security vulnerabilities, such as Redis, JAVA Apache Log4j, and not updated in time

  • Social engineering

    • Being tricked into clicking on a link with a virus, installing malware, or normal software with vulnerabilities
    • Being tricked actively divulges your password or credentials, such as phishing, intimidation, or self-xSS

Physical attack before network link

If your physical location is known to the attacker, it can do even more.

For example, fake base stations. Put a stronger signal in your vicinity of the pseudo base station, it is easy to trick your mobile phone into joining its network, this is against 2G network attack, WLAN has the same attack way?

Toilets and stairwells in our work area have poor signal of Bytedance Inc. If someone wants to attack Bytedance, can he also place a device with stronger signal, also called Bytedance Inc, in these places to trick your computer and mobile phone into connecting to its router and get your credentials? And carry out more attacks? The attack is called Evil Twin, and you can read more about it on Google.

Of course, the Intranet of our work area uses Wifi security in the way of WPA2 Enterprise + certificate. This is unlikely to succeed under WPA2’s secure approach, because authentication between the device and router is not through a password, but through some way of proving that you have credentials to access the corresponding network, just like SSH. However, WPA with less security or routers without passwords can be easily attacked by Evil Twin.

conclusion

What information can be leaked in different ways and layers, and what are the unsafe factors?

  • TCP/UDP/IP:

    • For carriers: the precise location of your broadband/cell phone signal and who you are.
    • Hijacking or contaminating everyone on the link: your IP address and location, modifying requests and responses, social engineering attacks to block or monitor your access.
    • Mitigation: VPN and Proxy

  • DNS:

    • To everyone on the link: websites visited, answering, tampering, intercepting returned IP addresses to block or monitor your access.
    • Mitigation: DNSSEC vs. DoH

  • HTTP:

    • To everyone on the link: the entire url, credentials, requests, content you access, arbitrarily eavesdrop, tamper with, forge, replay.
    • Mitigation: HTTPS

  • HTTPS:

    • It comes with functions to prevent eavesdropping, tampering, forgery, replay (except TLS 1.3 zero-RTT), and client cert
    • For everyone on the link: using THE HTTPS protocol, (using SNI or TLS < 1.2) the domain name of the target website.
    • Mitigation: TLS 1.3 + ESNI + disable zero-RTT.

  • Chrome:

    • To the websites you visit: what websites you visit, associated with who you are, what you are doing, location, according to the authorized access to video, sound, clipboard and other information.
    • Ease: differentiate browser access to untrusted sites, reduce authorization.

  • You and those who have physical contact with you:

    • To all: any information.

The Internet is not a lawless place. It is only a matter of time and cost to find you. What to do, what to do?

Could the highly anonymous Onion solve these problems? Can decentralized Web 3.0 solve these problems? These topics will have to be discussed for another time…

quiz

Q1: What if someone doesn’t want you to visit Google.com?

  • For most people, the DNS based hijack and responder approach is the most efficient and can be deployed on or off the link
  • Analyze HTTP packets and intercept or respond to HTTP users
  • For HTTPS users, SNI is used to analyze the target domain name and intercept the corresponding IP packet, and the mapping between IP and domain name is heuristically recorded
  • For ESNI users, IP packets are intercepted according to IP domain names

The latest trend in exit analysis…

In addition to the above methods, if it is a company equipment, there are more possibilities… Such as describing files or group policies

Q2: Currently, many proxy servers are implemented using HTTPS. Why don’t they use featureless, more secure encryption?

  • The absence of a feature is the biggest feature and can be easily identified as abnormal traffic and intercepted
  • Protocols intermingled with normal traffic are even less noticeable

Q3: Suppose a person pays great attention to network link security and there is no ghost in his network link, how can he be located?

  • Exploit the vulnerabilities of the other party’s software, such as QQ, wechat, browser, etc
  • Social engineering attacks

Q & A

What is social engineering

  • You, Tiktok, Credit, 400, plus Q, withdrawal
  • Hello, when the company issued the New Year 🧧 today, it found that your 💰 card was abnormal. Please click the link to update your pay card information in time.

Key features of social engineering:

The other party does not grasp some of your information, such as brushing douyin for a long time, or grasp part of the information, such as today’s company to send a red envelope, your salary card number, birthday, mobile phone number. There are ways to get more information. Basically, there are three basic methods:

Guess. The other person logs directly into your phone, SSO, and certain systems using your birthday, your initials, and various weak passwords.

Check your email, passwords and phone numbers for leaks here: haveibeenpwned.com/

Cheat. Through chat tools, phishing emails, phone calls, text messages, tricking you into giving it more information. Opening malicious websites and running viruses and trojans are also social engineering.

6 characteristics of cheating:

  • Pretending to be an authority: Hello, I am an official of Douyin. We have a part-time activity to make money by brushing Douyin.
  • Threat: Please confirm your bank card information before 12:00 on January 26, otherwise the red envelope will not be issued.
  • Consensus: people around you are doing it, such as your colleague Wang, 3 days on the withdrawal of 3000 yuan
  • Scarcity: You are our lucky customer. You can buy Douyin company for only 8000 yuan.
  • Urgent: we this activity can be left half a day, you do not buy we will be permanently reduced, the future can not use this price to buy.
  • Intimacy: I am working as an intern in the company. If I can’t sell my pen, I will be fired. Could you please help me sweep the code and make friends with me? Click on the link and it’ll only take you three minutes.

Non-interactive. Through public information collection (such as search engines, Qzone, weibo, forums), social work database, etc., the other party can obtain more information about your group relationship, room booking record and so on. Or through the network or physical attack methods mentioned above, such as hanging horses on commonly used websites, hacking routers, etc., and unwitting surveillance or attack.

❤️ Thank you

That is all the content of this sharing. I hope it will help you

Don’t forget to share, like and bookmark your favorite things.

Welcome to the public account ELab team harvest dachang good article ~

We are from the front end department of Bytedance, responsible for the front end development of all bytedance education products.

We focus on product quality improvement, development efficiency, creativity and cutting-edge technology and other aspects of precipitation and dissemination of professional knowledge and cases, to contribute experience value to the industry. Including but not limited to performance monitoring, component library, multi-terminal technology, Serverless, visual construction, audio and video, artificial intelligence, product design and marketing, etc.

Bytedance calibration/social recruitment internal promotion code: UCDW4MK

Post links: job.toutiao.com/s/Rb21Dk9