December 30, 2018
Common Sense Security Strategies in the Digital World
You've been hacked! Pwned! Account compromised. Bank account emptied. Credit cards stolen and sold on the dark web. Facebook account hacked, and now inappropriate messages or videos are being sent to your friends and family members. New accounts and credit cards opened in your name. Or worse, you're on vacation and suddenly your credit card is declined, or you're in the airport and your flight is canceled. Maybe you're traveling through an airport and someone skims your credit card and starts making transactions while you're in the air. What would you do? How long would it take you to respond? How many times have you received a phone call or message saying you have to pay some portion of a bitcoin (BTC), or a webcam video of you doing something inappropriate is going to be sent to all your contacts?
These are just a few of the scenarios that can and do happen in our increasingly connected world. With Samsung Pay and Apple Pay, mobile payments can be made with your cell phone, Apple Watch, or Android Wear watch, and with the increasing number of mobile and Internet of Things (IoT) devices, security is paramount for everyone no matter what your career field or socioeconomic status. The purpose of this article is to give you some common sense tips to protect yourself and also give you the ability to help your friends and family stay safe online as well.
Part 1: Facebook
As of the time of writing this article, Facebook has approximately 2.23 billion users worldwide, which means that even if you are not on Facebook, many of your friends probably are. So you don't have a Facebook account, and therefore you're not at risk? That's not exactly true, because of a trend called cybersquatting: someone can claim your Facebook name and effectively pose as you simply by creating an account in your name, even if you don't have a Facebook account. The same applies if you don't check Facebook that often. It's also plausible that someone might make a Facebook account similar to yours, and people in your network or friends of your friends might accept a friend request thinking that it's you. Additionally, you absolutely should go into your Facebook account and view your profile as someone else sees it to make sure you're not sharing information with people you don't want to. If you've seen the news recently, hackers were able to exploit a vulnerability in the supposedly secure tokens behind the feature that lets you view your profile as one of your friends.
Part 2: Email
It seems like email used to be so innocent; it was the way you shared funny pictures, images, and cat videos. Now email is one of the main channels through which hackers launch attacks against unsuspecting users. It doesn't matter if you're a VIP, bank executive, or hedge fund manager: everyone is at risk, including small and medium-sized businesses. Hackers usually don't go after the harder targets that use industry standard security and follow best practices. They go after regular people who may not be able to afford to hire an INFOSEC or cybersecurity professional to protect their networks.
No longer do the emails come with obvious misspellings, poor grammar, and outlandish requests. The spam email of 2018 is well crafted, looks legitimate, and may very well appear to come from someone you know. Attackers can craft emails that look exactly like they come from your bank, your employer, and even credit monitoring agencies. Bottom line: don't click on links sent to you in an email; copy and paste them into a web browser instead. Don't open attachments from people you don't know, or even from people you do know who claim they are trying to be helpful. Attackers may also use threatening tactics and say something like law enforcement is going to issue a warrant for your arrest if you don't respond. The IRS and US Government will never contact you and threaten you via email with warrants or imprisonment; they will just garnish your wages and tax returns directly. You should also check whether your email address has appeared in a breach using sites like haveibeenpwned.com and other data breach sites.
Part 3: Passwords and Password vaults
There are three kinds of users in this world: (1) those who use the same password for everything, (2) those who write their passwords down so they won't forget them, and (3) those who use password vaults and generators. Passwords are the last line of defense when it comes to security and often the first thing that bad guys go after. Commonly referred to as creds, usernames and passwords are what hackers seek to exfiltrate from the networks and systems they go after. Passwords should be changed at a minimum every 90 days and should be a complex pattern of letters, numbers, and special characters that is not easily guessed or cracked. No dictionary words allowed, and none of the potential answers to your secret questions.
It doesn't really matter which password manager you use, just use one, whether it's LastPass, Dashlane, KeePass, or Apple's built-in password manager. Every password reused in the wild is another chance for a bad guy to exploit.
Part 4: Location, Google Maps, Waze
This should not come as a surprise: Google, Apple, Facebook, and banks are tracking you everywhere you go. Every purchase you make, every location you visit, every bank transaction or mobile deposit. Many of these services require your location information. Even if you turn off location services, every time you open an app, the app can still report to its server where you are. This information is very valuable to companies that sell your information to advertisers. Some people say, "I don't have anything valuable or anything to hide." Well, what about the patterns established by you traveling to visit family members, parents, grandparents, kids, grandkids, etc.? You can't be everywhere and police your entire social circle, and bad guys will capitalize on these patterns. Some key tips: vary your route, be a hard target, and read the small print when choosing which apps you use to navigate. If they require excessive permissions on your device, don't use them. There are countless groups out there that would love nothing more than to gain access to your information and use it as part of a botnet, crypto mining scheme, etc.
Part 5: App downloads
Third party app stores are the primary way that ransomware and crypto miners are spread in the wild. Even Amazon's own app store requires you to allow apps from unknown sources if you don't have an Amazon-branded device. Bottom line: don't use app stores you don't know, and use security software if possible (though that doesn't provide much protection). Mobile apps are special in that each app runs code on a mobile device and can be reverse engineered or exploited by anyone with enough time and effort. Mobile apps are usually digitally signed by Apple and Google, but that is easily faked. Mobile apps live in an operating environment that is full of security vulnerabilities and exploits, and many of them cannot be fixed because the software is controlled by the carriers or equipment manufacturers. Carriers like T-Mobile, Verizon, AT&T and Sprint often don't have an interest in fixing the vulnerabilities because they are more interested in getting you to buy a new phone every year or every other year. Because data plans are at a premium, carriers can charge ridiculous amounts of money for data and wireless hotspot plans. The introduction of 5G service will only amplify the speed at which attackers can serve up exploits to mobile users. Apple is notorious for convincing users to upgrade to new devices because of some new feature or operating system version, and eventually devices will no longer run the latest and greatest operating system (anyone still remember the iPod touch?).
Part 6: Two Factor Authentication (2FA) and Multi-Factor Authentication (MFA)
In 2018 this is an absolute must. If you are simply relying on usernames and passwords for authentication, you are setting yourself up for failure. Now, I get it, there are those who will say it's too much of an inconvenience to turn on 2FA because it requires you to get a code from your phone or use one of your pre-shared keys, but not using 2FA is not smart in this day and age. There are plenty of options like Google Authenticator and Authy that generate codes from a QR code or one-time-pads (OTP) and make it that much harder for bad guys to attack your accounts and information. Don't get me wrong, 2FA by itself is no silver bullet, because there is malware specifically created to capture 2FA messages sent from a server to a mobile device. But it's another layer in the defense in depth security strategy that people need to be aware of as an addition to their repertoire.
Be a hard target; don't do the easy thing. The more awareness you have about how hackers go after your information, the better equipped you'll be to protect your friends and family. Don't be a statistic; be an arbiter and protector of information. I hope this article helps you and your friends and family protect themselves, and as always, if you have questions or concerns, message me and let me help you.
This post was originally written and published on my blog.