
The Hacker’s Arsenal: Interception

Attackers rarely rely on a single trick. Beyond exploits and software tooling, they bring techniques for obtaining and reusing the credentials that grant access to the systems they want, and they prepare those means before engaging a target.

If the goal is a file on a protected network, the effort goes into getting a foothold on that network. Once inside with a valid identity, reading the files and leaving again is often the easy part, because internal systems tend to trust anyone who has already authenticated.

The 2021 attack on Electronic Arts illustrates this. EA is a games giant behind FIFA 21, the Battlefield series and its Star Wars titles. The attackers got into its environment not by breaking a piece of software but by obtaining a valid authentication artefact, a browser session cookie belonging to an EA employee, and reusing it to authenticate to a company application as that employee.

Photo by Guglielmo Basile on Unsplash

In the terms used in this article that is a replay attack: a captured piece of authentication data is presented to a server again, as if by its rightful owner, and the server accepts it because it is genuine. EA lost about 780 GB of data, including game source code and the source code of its game engine. Likely uses of stolen code are hunting for flaws and vulnerabilities in the games and building cheats and other shortcuts around game features.

The attack exploited ordinary, widespread security habits rather than an exotic flaw. Poor security practice among employees is a weakness attackers will not hesitate to use. Here, cookies from an employee's browser were stolen and sold to the attackers, who used them to log into the Slack workspace the company runs.

No password hash was involved: the cookie carried a still-valid Slack session token, so presenting it was enough to be accepted as the employee without a password or a second factor. Once inside the company's Slack the attackers obtained further access, and from a virtual machine they set up on the company network they explored the large stores of data EA holds.

From that machine they copied the 780 GB to servers under their control and later advertised it on hacking forums with a description of what was taken, waiting for the highest bidder. The episode shows how much trust organisations and applications place in a single authenticated session.

Attackers take the path of least resistance into a system, and a valid credential or session is usually it. Reusing a legitimate identity is also quiet: to monitoring it looks like an ordinary employee using an ordinary application, and it raises no alarm.

At EA the attackers posed as employees and took sensitive material used in developing the company's games. EA stated that no player data was accessed, so the breach did not put players' accounts, scores or game progress at risk.

Data Replay Attacks

When a user logs into a web application the browser normally sends the password itself, inside a TLS connection; the server hashes it with a per-user salt for storage, and it is TLS, not hashing, that protects the password in transit. Some protocols, older Windows authentication among them, instead send a value derived from the password, and it is these derived values, together with the session tokens a server issues after a login, that an interceptor can capture and reuse.

The user sees only the login form and the response. Whatever happens to the request between the browser and the server is invisible to them, and that gap is what an interceptor exploits.

An attacker positioned on the path can capture the authentication message, hashed or not, and present it to the server again. If the server accepts a static value with no per-request freshness, it cannot tell the copy from the original. The attacker does not even need to be first: a value that is still valid works after the legitimate login has completed, though an active interceptor can also hold or reroute the original request and use the capture before the user does.

Photo by Surface on Unsplash

If the attacker presents the captured credential first, the server issues the session token to the attacker, who then uses it for the rest of the exchange with the server, on the victim's behalf.

Interception is one of the main ways credentials are stolen while in use. With a valid session token the attacker can keep the session alive for as long as the server allows and do whatever the user could. The user notices at most a short delay and then logs in as usual, seeing nothing out of the ordinary.

The user may get an error on the first attempt, retry, and receive a fresh session token of their own. Meanwhile the attacker already holds a working session, obtained without any struggle.

From there the attacker can act as the client: change account details, reset the password or, on a banking site, move money. Login errors and delays are the only side effect a user is likely to notice.

Replays work because the credential the attacker presents is the genuine one the client sent; the server has no reason to suspect it unless it checks for freshness. Whether the attacker reaches the server before the client or after, the result is a session under the client's identity.

Captured authentication traffic is also the basis of attacks on password-protected WiFi, though the mechanism there is capture followed by offline cracking rather than replay. When a client joins a WPA2 network it and the access point run a four-way handshake in which each side proves knowledge of the pre-shared key without ever sending it. An attacker who records that handshake, or forces an already-connected client to reconnect so that one can be recorded, has everything needed to test passphrase guesses offline.

A few captured frames are enough. For each candidate passphrase the attacker derives the key it would produce for that network name and checks it against the recorded handshake; no further traffic to the access point is needed and nothing is logged. A weak passphrase falls to a dictionary run in minutes, after which the attacker joins the network like any other user and is indistinguishable from one.

This works only when the passphrase is guessable. A long random WPA2 passphrase is out of reach of such a run, and WPA3 replaces the handshake with one designed so that a recording gives the attacker nothing to test guesses against.
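The following is an added example, not code from the original post, showing what a captured WPA2-PSK handshake is actually good for: not replay, but offline guessing. The PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) is the real WPA2-PSK one; the SSID, the wordlist and the "captured" target are constructed for the demo, and comparing PMKs directly stands in for the real cracker's step of deriving the PTK from the handshake nonces and checking the MIC.

```python
"""Offline guessing against a recorded WPA2-PSK handshake (added example).

Assumptions: SSID, WORDLIST and the 'captured' PMK are constructed here;
a real attack compares a derived PTK/MIC against the recorded frames,
which the PMK comparison below stands in for.
"""
import hashlib
import secrets
import string
from typing import Optional


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(ssid: str, target_pmk: bytes, wordlist) -> Optional[str]:
    """Try each candidate passphrase against the capture. No traffic to the
    access point, no lockouts, nothing for the network to log."""
    for candidate in wordlist:
        if derive_pmk(ssid, candidate) == target_pmk:
            return candidate
    return None


def random_passphrase(n: int = 20) -> str:
    """A passphrase no wordlist will contain."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


# Constructed demo data: a network name and a small dictionary.
SSID = "CoffeeShopWifi"
WORDLIST = ["password", "12345678", "coffeeshop", "letmein123", "sunshine2021"]


def weak_network_cracked() -> Optional[str]:
    """A passphrase that appears in a common wordlist is recovered from the capture."""
    captured = derive_pmk(SSID, "sunshine2021")   # what the recorded handshake commits to
    return offline_guess(SSID, captured, WORDLIST)


def strong_network_survives() -> Optional[str]:
    """The same capture of a network with a long random passphrase yields nothing.
    (WPA3's SAE handshake removes the offline attack entirely.)"""
    captured = derive_pmk(SSID, random_passphrase())
    return offline_guess(SSID, captured, WORDLIST)


if __name__ == "__main__":
    print("weak passphrase recovered:", weak_network_cracked())
    print("strong passphrase recovered:", strong_network_survives())
```

The point to take from it is that the handshake is never replayed: the nonces each side contributes make a recorded handshake useless for joining the network, and the only thing the recording gives an attacker is something to test guesses against, which a long random passphrase or WPA3 denies them.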

Replay proper comes in wherever a protocol accepts stale messages. An attacker can re-send a recorded exchange, for instance a sequence of handshake or synchronisation requests, exactly as it was captured.

If the protocol does not bind each message to something fresh, a server-issued nonce or a checked timestamp, the server cannot distinguish a recorded conversation from a live one. The aim of the replay is to repeat an exchange that already took place so that the server issues a fresh token to the attacker.

Replays succeed because the data is data the server already recognises and therefore treats as valid. The attacker repeats the sequence of requests, sometimes adjusting headers such as timestamps or sequence numbers so that nothing looks out of place.

The server then re-establishes the session or issues a new token, and the attacker picks up where the user left off, conducting their own transactions under that user's identity.

Cookie Attacks

A cookie was at the centre of the EA breach. Employees used their browsers to reach company resources and applications, and one attacker obtained a copy of an employee's browser cookie store (cookies sold in this way are typically harvested by infostealer malware running on the victim's own machine). While the session cookies were still fresh and valid they were sold to a second party for $10, who presented them to Slack as if from the employee's browser.

Photo by Anna Tukhfatullina Food Photographer/Stylist on Unsplash

Slack saw a valid session identifier and treated the request as a continuation of the employee's logged-in session. No password or second factor was requested, because the cookie is precisely what a server uses to recognise a browser that has already authenticated; every service the employee was logged into in that browser was reachable the same way.

The cookies were transplanted from the employee's browser into the attacker's browser, and that is what began the intrusion that ended with the theft of source code for many EA games and their engine. A stolen cookie restores the authenticated state of every web service it was issued for.

With your cookies an attacker can see which services you hold sessions with and open them as you. They are not asked to authenticate, because as far as each site is concerned the cookie is the authentication, and so they reach your applications without much effort.

Cookies hold the state of your current sessions: which services you are logged into and what those services know about your browser. That makes them worth protecting in their own right. When they are safe, your sessions are safe; when an attacker obtains them, every site they belong to is open to that attacker until the sessions expire. Poor endpoint hygiene, above all running untrusted software, is how cookie stores usually get stolen.

Log into only the sites you actually need, and log out of sensitive services when you are done, particularly if you are unsure of the state of the machine you are using.

Logging out invalidates the session on the server side, so anyone who later presents the old cookie is sent back to the login page. One caveat: this holds only if the service revokes the session on its end rather than merely deleting the cookie from your browser, which is something to check for your own applications.

A firewall that blocks inbound connections does little against cookie theft. Cookies are stolen by malware already running on the endpoint or by script injected into a page (XSS), and both make their own outbound connections that a firewall permits. Reducing the chance of theft means keeping the endpoint clean: endpoint protection, prompt patching and not running untrusted software.

On the application side, cookies marked HttpOnly cannot be read by page script, which blunts XSS, and cookies marked Secure are never sent over plaintext HTTP, which blunts network capture. Neither flag helps against malware that can read the browser's files directly, so the two layers are complementary, not interchangeable.

Cookies for email and online storage are prime targets because of what those sessions expose. A properly designed cookie does not contain a password or a password hash, only an opaque session identifier; the identifier alone is enough to resume the session, which is exactly the problem. (Some poorly built applications have stored credentials or hashes in cookies; that is a separate design flaw and not something an attacker should ever be handed.)

In practice, then, an attacker reaches your email and storage simply by copying your cookies into a similar browser and continuing the session from where you left off.

With your cookies an attacker can read your email and browse your online storage, so keeping the endpoint that holds them clean matters as much as any network control.

Log out of sensitive services when you finish with them. A proper logout revokes the session on the server, after which a copied cookie is worthless; cookie replay fails against a session that no longer exists.

Be deliberate about what you leave behind: a live session in a browser on a machine you do not fully trust is an open door, and a stolen cookie is the key to it.

Man-in-the-middle Attacks

A man-in-the-middle attack is one in which the attacker inserts themselves into the connection between a client and a server. From that position they can read the data, replay it or alter it. The attacker relays traffic between the two parties through a machine they control, so that each side believes it is talking directly to the other.

Photo by NeONBRAND on Unsplash

They act like a router or switch on the network, except that they read everything passing through. The position is usually used to steal information exchanged between two machines, but it can also be used to pose as the genuine server and phish information from the client.

From the middle the attacker can capture the tokens the two machines exchange and use them to impersonate the server to the client, or the client to the server: stealing details from the unsuspecting client and passing the rest of the traffic on to the server so that the session appears normal.

The attacker sees what the client is sending to the server and what the connection is doing, while remaining undetected and hiding their identity behind the relay.

The same position is used to steal the credentials used to authenticate to the server. Where the credential is a static value, a password-derived hash or a bearer token, the attacker does not need to decrypt or crack it: it can be presented to the server in exactly the form it was captured.

That is a replay attack riding on interception, and interception is one of the main methods modern attackers use to steal credentials and authentication data for the services their targets use.

If your connection to an online banking application is intercepted and is not properly protected by TLS, the attacker can capture the credential or the session you are using and reuse it later against the same application, putting your information and money at risk. They may also try to keep your session alive and continue your interaction with the bank themselves.

Attackers also use the middle position to pose as the server and collect passwords directly from the client. Typically they hold packets briefly so that they can modify them before forwarding them to the other side.

That small delay is enough to add or remove information in the traffic. The edits are chosen so that neither party sees anything unusual and the session proceeds as if no one were in the middle.

These attacks are hard to notice without the right controls, because the attacker works to stay off the radar, modifying and delaying traffic only as much as the attack needs.

The attacker's machine appears as just another part of the network, and the legitimate parties' communication proceeds without visible problems while the attacker watches it live.

On an unauthenticated channel detection really is close to impossible, which is why interception is one of the most powerful tools in the attacker's arsenal: the attacker can sustain a spying connection and modify what you send or receive for their own gain. On a properly authenticated TLS connection the interception shows up as a certificate failure, which is the point of the defences discussed later.

Preventing Data Replay Attacks

Replay attacks succeed precisely because the attacker does not need to understand the data: an intercepted message, encrypted or hashed, is simply resent in the form it was captured. Protection therefore has to make every authentication message unique, by mixing in a value that is fresh each time, such as a random nonce chosen by the server or a per-session key.

Photo by Markus Spiske on Unsplash

With a fresh nonce or session key the same credential produces a different message on every login, so a captured message is valid for one exchange only and is useless afterwards, even though the attacker holds a perfect copy of it.

Timestamps are a second control. If each message carries the time it was sent and the receiver rejects anything outside a short window, an attacker who has held a captured message back cannot use it later, and a message that took too long to arrive has to be sent again.

Timestamps limit replay by denying the attacker the ability to delay: expired messages are rejected and are therefore worthless. A per-message time-out on the connection serves the same purpose.

Per-session parameters agreed at the start of a connection help further. If the client and server have negotiated a session key and a sequence number, a message from another session, or a repeated message within this one, will not verify, and the attacker cannot modify traffic in flight without the modification being detected.

A well-designed protocol combines these: randomness, a timestamp and a sequence number, all authenticated under the session key, so that neither delaying nor repeating a message gets the attacker anything.
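The contrast between the replayable login described under Data Replay Attacks and the nonce-plus-timestamp design described above, as an added example that is not code from the original post. The toy protocol, the secret, the clock and the credential are all constructed here; the hardened server issues a single-use random nonce, requires the client's timestamp to fall inside a window, and burns the nonce once a response verifies.

```python
"""Replay against a static credential vs. a nonce-and-timestamp challenge.

Added example. The protocol, secrets and the injectable clock are
constructed for illustration; the pattern (server nonce, bounded
timestamp window, nonce burned on use) is the general one.
"""
import hashlib
import hmac
import secrets
import time


# ---- Vulnerable design: a fixed, password-derived value IS the credential ----

def static_credential(password: str) -> str:
    """Sent unchanged on every login, so one capture works forever."""
    return hashlib.sha256(password.encode()).hexdigest()


class StaticHashServer:
    def __init__(self, password: str):
        self._expected = static_credential(password)

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._expected)


# ---- Hardened design: server nonce + client timestamp + bounded window ----

def respond(secret: bytes, nonce: bytes, ts: int) -> bytes:
    """Client side: prove knowledge of the secret for THIS nonce and time."""
    return hmac.new(secret, nonce + ts.to_bytes(8, "big"), hashlib.sha256).digest()


class ChallengeServer:
    WINDOW = 30  # seconds of tolerated clock skew / network delay

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now            # injectable clock so the demo is deterministic
        self._outstanding = {}     # nonce -> time issued
        self._used = set()         # nonces already consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = self._now()
        return nonce

    def verify(self, nonce: bytes, ts: int, tag: bytes) -> bool:
        if nonce in self._used or nonce not in self._outstanding:
            return False                          # replay, or a nonce we never issued
        if abs(self._now() - ts) > self.WINDOW:
            return False                          # stale: delayed or held back
        ok = hmac.compare_digest(tag, respond(self._secret, nonce, ts))
        if ok:
            self._used.add(nonce)                 # burn the nonce on success
            del self._outstanding[nonce]
        return ok


SECRET = b"shared-secret-for-demo"   # constructed; a real secret is per user


def demo_static_replay():
    """Returns (legit_ok, replay_ok). Both True: the sniffed value still works."""
    server = StaticHashServer("hunter2")
    captured = static_credential("hunter2")       # what an interceptor sees on the wire
    return server.login(captured), server.login(captured)


def demo_nonce_replay():
    """Returns (legit_ok, replay_ok): the captured response is valid exactly once."""
    clock = [1_700_000_000.0]
    server = ChallengeServer(SECRET, now=lambda: clock[0])
    nonce = server.challenge()
    ts = int(clock[0])
    tag = respond(SECRET, nonce, ts)              # sniffed along with nonce and ts
    legit = server.verify(nonce, ts, tag)
    replay = server.verify(nonce, ts, tag)
    return legit, replay


def demo_held_back(delay: float) -> bool:
    """Attacker holds the original response and presents it FIRST after `delay`
    seconds. Inside WINDOW it is accepted; beyond it the timestamp check rejects it."""
    clock = [1_700_000_000.0]
    server = ChallengeServer(SECRET, now=lambda: clock[0])
    nonce = server.challenge()
    ts = int(clock[0])
    tag = respond(SECRET, nonce, ts)
    clock[0] += delay
    return server.verify(nonce, ts, tag)


if __name__ == "__main__":
    print("static hash   legit, replay:", demo_static_replay())
    print("nonce + time  legit, replay:", demo_nonce_replay())
    print("held 10 s, first use accepted:", demo_held_back(10))
    print("held 120 s, first use accepted:", demo_held_back(120))
```

Note that the timestamp window on its own does not stop an attacker who uses the capture within the window before the client does; that is what the single-use nonce handles. The two controls cover different failure modes and are meant to be used together, which is why the hardened server checks both.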

Preventing Cookie Replay Attacks

In the recent hack on EA servers, a valid cookie was stolen from the EA employees and used to impersonate them. The hackers were able to perform malicious activities using the stolen cookies since they were still valid.

With the stolen cookies the attackers had free rein over the services they reached: they could create accounts, spin up virtual machines and move a massive 780 GB across EA's network. This kind of attack is prevented when the server can readily determine that the cookie presented for a session is no longer valid.

After a session has exceeded a predefined period, it should be declared unusable for authenticating into the server. The lifespan of sessions that are authorized by the cookies should also be as short as possible to ensure that they expire faster which locks out the hackers. 

Session identifiers should be long random values stored on the server, so that the cookie is nothing more than a lookup key the server can revoke at will. If the same identifier turns up from two clients at once, or from a different IP address or browser fingerprint than the one it was issued to, the server should end the session and require both clients to authenticate again. The server is the right place for this detection because it sees every request a session makes.

Cookie protection is configured in the application and in the Set-Cookie attributes it sends: HttpOnly keeps the cookie away from page script, Secure keeps it off plaintext connections, and SameSite keeps it out of cross-site requests. The policy should also say what happens when a cookie is seen from multiple devices. These measures stop cookies stolen by XSS or captured on the network from being replayed; against malware reading the browser's files, short lifetimes and revocation are what limit the damage.

A sudden change in the IP address a cookie arrives from should likewise trigger the replay mitigations, since it suggests the cookie has been copied to another machine; bear in mind that mobile clients change address legitimately, so many applications respond with a re-authentication prompt rather than a hard failure. Short lifetimes plus a fresh password or second-factor check before sensitive actions limit what any stolen cookie is worth.
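A server-side session store that applies the controls discussed under Cookie Attacks and in this section, as an added example; it is not EA's, Slack's or the original post's code. The lifetimes, the client fingerprint (IP address plus User-Agent), the injectable clock and the two scenarios are constructed assumptions; a real deployment tunes the lifetimes and decides whether a fingerprint change is a hard failure or a re-authentication prompt.

```python
"""Server-side sessions that limit what a stolen cookie is worth (added example).

Assumptions: lifetimes, the ip|user-agent fingerprint and the clock are
illustrative; the cookie value is an opaque random lookup key.
"""
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # session ends no matter what after 8 hours
IDLE_TIMEOUT = 15 * 60         # ...or after 15 minutes without a request


@dataclass
class Session:
    user: str
    fingerprint: str           # "ip|user-agent" the session was issued to
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock for deterministic tests
        self._sessions = {}    # sid -> Session
        self.alerts = []       # (sid, issued_to, seen_from) for the SOC

    def create(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)            # 256-bit random lookup key
        t = self._now()
        self._sessions[sid] = Session(user, f"{ip}|{user_agent}", t, t)
        return sid

    def validate(self, sid: str, ip: str, user_agent: str):
        """Return the user if the presented cookie is acceptable, else None."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None
        fp = f"{ip}|{user_agent}"
        if fp != s.fingerprint:
            # Same cookie, different client: treat as probable theft, kill it,
            # and record enough for an analyst to follow up.
            self.alerts.append((sid, s.fingerprint, fp))
            s.revoked = True
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid: str) -> None:
        """Revoke on the server; deleting the browser cookie alone is not enough."""
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True


def set_cookie_header(sid: str) -> str:
    """HttpOnly: no page script. Secure: never over plaintext HTTP.
    SameSite=Lax: not attached to cross-site POSTs."""
    return (f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={IDLE_TIMEOUT}")


def scenario_stolen_cookie() -> dict:
    """Owner uses the session, then the cookie turns up from another client."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("alice", "10.0.0.5", "Firefox/115")
    out = {"owner": store.validate(sid, "10.0.0.5", "Firefox/115")}
    out["thief"] = store.validate(sid, "203.0.113.9", "Chrome/120")   # transplanted cookie
    out["owner_after"] = store.validate(sid, "10.0.0.5", "Firefox/115")  # now revoked
    out["alerts"] = len(store.alerts)
    return out


def scenario_expiry_and_logout() -> dict:
    """Idle expiry and explicit logout both make a copied cookie worthless."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("bob", "10.0.0.6", "Safari/17")
    clock[0] += IDLE_TIMEOUT + 1
    out = {"idle_expired": store.validate(sid, "10.0.0.6", "Safari/17")}
    sid2 = store.create("bob", "10.0.0.6", "Safari/17")
    store.logout(sid2)
    out["after_logout"] = store.validate(sid2, "10.0.0.6", "Safari/17")
    out["header_has_httponly"] = "HttpOnly" in set_cookie_header(sid2)
    return out


if __name__ == "__main__":
    print(scenario_stolen_cookie())
    print(scenario_expiry_and_logout())
```

Binding a session to the IP address is the blunt version of the check; in production it is usually a signal that feeds a step-up authentication decision rather than an outright revocation, because roaming clients change address constantly. The parts that are never optional are the opaque random identifier, server-side revocation on logout and the idle and absolute lifetimes.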

Preventing Man-in-the-Middle Attacks

A common setup uses a rogue access point, an "evil twin" that advertises the same network name as a legitimate one with a stronger signal. Devices that prefer it route their traffic through the attacker's hardware, which sees everything passing through.

ARP spoofing achieves the same thing on a wired or wireless LAN: the attacker answers ARP requests with their own MAC address for the IP address of the gateway or of the server the client wants, so the client sends its traffic to the attacker, who forwards it on. Posing as the server this way, the attacker receives whatever the client sends, authentication data included.

Session tokens captured this way let the attacker open their own connection to the real server and take over the client's session, seeing what the client was doing on the site and carrying out transactions on the client's behalf.

Man-in-the-middle attacks are reduced by protecting the network layer. Wireless networks should use WPA2 with a strong passphrase or, better, WPA3, so that an attacker cannot simply join and add their own devices; an open or weakly protected network is where rogue devices are easiest to introduce.

Router administration credentials should be strong and the management interface kept off the public side, since an attacker who controls the router controls the path every packet takes.

A VPN is another layer. It builds an encrypted tunnel from your device to the VPN endpoint, so anyone on the local network, a rogue access point or a spoofing neighbour, sees only encrypted traffic. It does not extend beyond the VPN endpoint: the provider, and everything between it and the application, still sees the traffic, so a VPN complements HTTPS rather than replacing it.

Photo by Dan Nelson on Unsplash

Enforcing HTTPS for all communications is the main defence. With TLS the attacker cannot read intercepted data and, just as importantly, cannot impersonate the server without a certificate the browser trusts, so an interception attempt shows up as a certificate error instead of succeeding silently.

Modern browsers offer an HTTPS-only mode in their settings, and extensions exist that upgrade connections to HTTPS; on the server side, HTTP Strict Transport Security (HSTS) tells browsers never to use plaintext for the site again. With HTTPS enforced, the attacker cannot see what you send to the server.

The underlying mechanism is an authenticated key exchange. A Diffie-Hellman exchange on its own is vulnerable: an attacker who replaces each party's public value with their own ends up sharing a key with each side, and neither side can tell.

Authentication fixes this. When the server's public value is signed with a key vouched for by a certificate, a substituted value fails verification and the client aborts, so the interceptor is detected rather than accommodated. Certificate pinning and Certificate Transparency logs add further checks against an attacker who has obtained a fraudulent certificate.
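The two exchanges just described, as an added example that is not code from the original post: a plain Diffie-Hellman exchange that an interceptor defeats by substituting public values, beside one in which each party authenticates its public value under a long-term key the interceptor does not hold. The group (2^127 - 1 is prime, but this size is far too small for real use) is a demo group, and the HMAC under a pre-shared identity key stands in for the certificate-backed signature TLS would use; the party names and flow are constructed.

```python
"""Unauthenticated vs. authenticated Diffie-Hellman under a man in the middle.

Added example. P and G form a toy group (correct arithmetic, insecure size);
the HMAC 'identity key' stands in for a certificate signature. Alice, Bob
and Mallory are constructed roles.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # demo modulus only: use an RFC 3526 group or X25519 in practice
G = 3


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def authenticate(identity_key: bytes, party: str, pub: int) -> bytes:
    """Stand-in for signing the public value with a long-term identity key."""
    return hmac.new(identity_key, party.encode() + pub.to_bytes(16, "big"),
                    hashlib.sha256).digest()


def unauthenticated_exchange(mallory_present: bool) -> dict:
    """Plain DH. With Mallory swapping both public values, each side derives a
    key it shares with Mallory, not with the other party, and cannot tell."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not mallory_present:
        return {"alice_bob_agree": shared_key(a_priv, b_pub) == shared_key(b_priv, a_pub),
                "mallory_reads": False}
    m_priv, m_pub = keypair()
    k_alice = shared_key(a_priv, m_pub)      # Alice thinks m_pub is Bob's
    k_bob = shared_key(b_priv, m_pub)        # Bob thinks m_pub is Alice's
    mallory_with_alice = shared_key(m_priv, a_pub)
    mallory_with_bob = shared_key(m_priv, b_pub)
    return {"alice_bob_agree": k_alice == k_bob,
            "mallory_reads": k_alice == mallory_with_alice and k_bob == mallory_with_bob}


IDENTITY_KEY = b"alice-bob-long-term-identity-key"   # constructed; Mallory lacks it


def authenticated_exchange(mallory_present: bool) -> dict:
    """Each public value travels with an authenticator under the identity key.
    A substituted value cannot carry a valid one, so the receiver aborts."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mallory_present:
        _, m_pub = keypair()
        seen_by_bob, seen_by_alice = m_pub, m_pub
        # Mallory can only authenticate under a key of their own guessing.
        tag_for_bob = authenticate(b"mallory-guess", "alice", m_pub)
        tag_for_alice = authenticate(b"mallory-guess", "bob", m_pub)
    else:
        seen_by_bob, seen_by_alice = a_pub, b_pub
        tag_for_bob = authenticate(IDENTITY_KEY, "alice", a_pub)
        tag_for_alice = authenticate(IDENTITY_KEY, "bob", b_pub)
    bob_ok = hmac.compare_digest(tag_for_bob, authenticate(IDENTITY_KEY, "alice", seen_by_bob))
    alice_ok = hmac.compare_digest(tag_for_alice, authenticate(IDENTITY_KEY, "bob", seen_by_alice))
    if not (bob_ok and alice_ok):
        return {"accepted": False, "alice_bob_agree": False}   # interceptor detected
    return {"accepted": True,
            "alice_bob_agree": shared_key(a_priv, seen_by_alice) == shared_key(b_priv, seen_by_bob)}


if __name__ == "__main__":
    print("plain DH, no attacker:  ", unauthenticated_exchange(False))
    print("plain DH, Mallory:      ", unauthenticated_exchange(True))
    print("authenticated, none:    ", authenticated_exchange(False))
    print("authenticated, Mallory: ", authenticated_exchange(True))
```

In TLS the "identity key" is the server's certificate key, the authenticator is a signature over the handshake transcript, and the browser's certificate validation is the `bob_ok` check; a failed check is the certificate warning a user sees when something is sitting in the middle.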

Importance of Preventing Interception Attacks by Hackers

An attacker who intercepts your traffic can do a great deal with it. They can replay your authentication data to reach the sites you are logged into without knowing your credentials, and they can read whatever you share with the server.

Even without stealing or modifying anything, they can listen in. Packet injection is used for phishing too: the attacker substitutes their own page for the one the site sent, and the device renders the forgery.

Interception should be detected early, before any significant damage. Strong, authenticated encryption on every connection keeps the attacker in the dark about what passes between your device and the server, and a VPN keeps the whole connection opaque to everyone on the local path.

Conclusion

Data replay attacks, cookie replay attacks, session replays and man-in-the-middle attacks are all possible attacks that the hacker can carry out when they intercept a connection. When the hacker is able to take over your connection, they will be able to access so much of the information that you share with the servers.

That includes authentication data, so the attacker can sign into the same applications and sites you use. With replay, attackers revive sessions you have already finished with and carry on as you, extending the session's life and doing far more in it than you did.

The EA breach is a real example: a stolen cookie was replayed against a company application and a massive amount of data was taken from the game developer's servers and put up for sale, all because a browser cookie was enough to authenticate to the company's Slack.

Interception is one of the main ways attackers break into systems and reuse authentication data. Authenticated encryption, fresh nonces and timestamps on session messages, and short-lived revocable sessions make your use of the internet safer and let a server detect when someone is merely playing back traffic it has already seen.

Hackers can cause a lot of damage when they are able to intercept connections on a network. For this reason, it is important that you keep your network safe and secure at all times. A secure network will prevent the hacker from intercepting the connection and sniffing your data while you interact with websites and web applications on the internet.