Common Sense Security Strategies in the Digital World
You've been hacked! Pwned! Account compromised. Bank account emptied. Credit cards stolen and sold on the dark web. Facebook account hacked, and now inappropriate messages or videos are being sent to your friends and family members. New accounts and credit cards opened in your name. Or worse, you're on vacation and suddenly your credit card is declined, or you're at the airport and your flight is canceled. Maybe you're traveling through an airport, someone skims your credit card, and they start making transactions while you're in the air. What would you do? How long would it take you to respond? How many times have you received a phone call or email saying you have to pay some fraction of a bitcoin (BTC), or a webcam video of you doing something inappropriate will be sent to all your contacts?
These are just a few of the scenarios that can and do happen in our increasingly connected world. With Samsung Pay and Apple Pay, mobile payments that can be made from your cell phone, Apple Watch, or Android Wear watch, and the growing number of mobile and Internet of Things (IoT) devices, security is paramount for everyone, no matter your career field or socioeconomic status. The purpose of this article is to give you some common sense tips to protect yourself and to help your friends and family stay safe online as well.
Part 1: Facebook
As of the time of writing, Facebook has approximately 2.23 billion users worldwide, which means that even if you are not on Facebook, many of your friends probably are. So you don't have a Facebook account and therefore aren't at risk? That's not exactly true, because of a trend called cybersquatting: someone can claim your name on Facebook and effectively pose as you simply by creating an account in your name, even if you have never had a Facebook account. Or maybe you do have one but don't check it often. It's also plausible that someone will create a Facebook account that looks similar to yours, and people in your network or friends of your friends will accept a friend request from it thinking that it's you. Additionally, you absolutely should go into your Facebook account and view your profile as someone else sees it, to make sure you're not sharing information with people you don't want to. If you've seen the news recently, hackers were able to exploit a vulnerability in the supposedly secure access tokens behind the very feature that lets you view your profile as one of your friends.
Part 2: Email
Email used to seem so innocent; it was the way you shared funny pictures, images, and cat videos. Now email is one of the main vehicles by which hackers launch attacks against unsuspecting users. It doesn't matter whether you're a VIP, bank executive, or hedge fund manager: everyone is at risk, including small and medium-sized businesses. Hackers usually don't go after the harder targets that use industry-standard security and follow best practices. They go after regular people and organizations that may not be able to afford an INFOSEC or cybersecurity professional to protect their networks.
No longer do the emails come with obvious misspellings, poor grammar, and outlandish requests. The spam email of 2018 is well crafted, looks legitimate, and may very well appear to come from someone you know. Attackers can craft emails that look exactly like they come from your bank, your employer, or even a credit monitoring agency. Bottom line: don't click on links sent to you in an email; copy and paste them into a web browser instead, so you see the real address rather than the text the sender chose to display. Don't open attachments from people you don't know, or even from people you do know when the message claims out of the blue to be "helpful." Attackers may also use threatening tactics and say something like law enforcement is going to issue a warrant for your arrest if you don't respond. The IRS and the US Government will never contact you and threaten you via email with warrants or imprisonment; they will just garnish your wages and tax refunds directly. You should also check whether your email address has appeared in a known breach, using sites like haveibeenpwned.com and other data breach notification services.
Part 3: Passwords and Password Vaults
There are three kinds of users in this world: 1. those that use the same password for everything; 2. those that write their passwords down so they won't forget; and 3. those that use password vaults and generators. Passwords are the last line of defense when it comes to security and often the first thing the bad guys go after. Commonly referred to as creds, usernames and passwords are what hackers seek to exfiltrate from the networks and systems they target. Passwords should be changed at a minimum every 90 days and should be a complex pattern of letters, numbers, and special characters that is not easily guessed or cracked. No dictionary words allowed, and none of the potential answers to your secret questions.
It doesn't really matter which password manager you use, just use one, whether it's LastPass, Dashlane, KeePass, or Apple's built-in password manager. Every password reused in the wild is another chance for a bad guy to exploit.
Part 4: Location, Google Maps, Waze
This should not come as a surprise: Google, Apple, Facebook, and banks are tracking you everywhere you go. Every purchase you make, every location you visit, every bank transaction or mobile deposit. Many of these services require your location information. Even if you turn off location, every time you open an app, that app can still tell its server where you are. This information is very valuable to companies that sell your information to advertisers. Some people say, "I don't have anything valuable or anything to hide." Well, what about the patterns established by your trips to visit family members, parents, grandparents, kids, grandkids, and so on? You can't be everywhere and police your entire social circle, and bad guys will capitalize on these patterns. Some key tips: vary your route, be a hard target, and read the small print when choosing which apps you use to navigate. If they require excessive permissions on your device, don't use them. There are countless groups out there that would love nothing more than to gain access to your information and devices and use them as part of a botnet, crypto-mining scheme, and the like.
Part 5: App Downloads
Third-party app stores are the primary way that ransomware and crypto miners are spread in the wild. Even Amazon's own app store requires you to allow apps from unknown sources if you don't have an Amazon-branded device. Bottom line: don't use app stores you don't know, and use security software if possible (though that doesn't provide much protection). Mobile apps are special in that each app runs code on a mobile device and can be reverse engineered and exploited by anyone with enough time and effort. Mobile apps are usually digitally signed by Apple and Google, but that is easily faked. Mobile apps live in an operating environment that is full of security vulnerabilities and exploits, and many of them cannot be fixed because the updates are controlled by the carriers or equipment manufacturers. Carriers like T-Mobile, Verizon, AT&T, and Sprint often have little interest in fixing the vulnerabilities because they are more interested in getting you to buy a new phone every year or every other year. Because data plans are at a premium, carriers can charge ridiculous amounts of money for data and wireless hotspot plans. With the introduction of 5G service, this will only amplify the speed at which attackers can serve up exploits to mobile users. Apple is notorious for convincing users to upgrade to new devices because of some new feature or operating system version, and eventually older devices will no longer run the latest and greatest operating system (anyone still remember the iPod touch?).
Part 6: Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)
In 2018 this is an absolute must. If you are relying solely on usernames and passwords for authentication, you are setting yourself up for failure. Now, I get it, there are those who will say it's too much of an inconvenience to turn on 2FA because it requires you to get a code from your phone or use one of your pre-shared keys, but not using 2FA is not smart in this day and age. There are plenty of options like Google Authenticator and Authy that generate one-time passwords (OTP) from a secret you enroll by scanning a QR code, and they make it that much harder for bad guys to attack your accounts and information. Don't get me wrong, 2FA by itself is no silver bullet, because there is malware specifically created to capture 2FA messages sent from a server to a mobile device. But it's another layer in a defense-in-depth security strategy that people need to be aware of and add to their repertoire.