Tips for Cyber Security Awareness Month!

If you did not know, October is Cybersecurity Awareness Month. In this blog post, I will give some tips that will keep you secure and safe while navigating the internet.

Choosing the Perfect Password!

The National Institute of Standards and Technology (NIST) recommends that you choose a password that is at least eight characters long. If the password is machine-generated and random, six characters is recommended. Do not use pet names or the names of your children. One exception is a passphrase; for example, you might create a password like: Tomlovesplayingbaseball#5. Do not re-use passwords on other sites. Let’s say that “site A” was breached and its user database was leaked. Hackers will try the login information from “site A” on other sites like “site B”.

To remember a password, think of one like “forearsf,gon45”. To remember it, think “forever a Red Sox fan, go number 45”. Don’t make your password easily guessable, such as one similar to !qwerty$: all those letters sit next to each other on the keyboard, so it is easy to guess. Also, do not swap similar-looking characters, for example replacing “a” with “@” or “s” with “$”. Hackers know this trick and might try it.
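The rules above can be checked mechanically. The following is an added example, not code from the post: it flags a candidate password that is too short, is a common word even after the “@” for “a” and “$” for “s” substitutions are undone, is a keyboard walk like qwerty, or contains personal information such as a pet’s name. The wordlist and keyboard rows are constructed for the demo; a real check would use a breach-derived password list.

```python
"""Password checks that mirror the rules in the post above (added example)."""
import re

# Rows of a US QWERTY keyboard; any 4-character run along a row, in either
# direction, counts as a keyboard walk.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Symbol/digit substitutions that attackers undo before trying a wordlist.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Tiny constructed wordlist standing in for a real breach corpus.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "baseball"}


def normalize(password: str) -> str:
    """Lowercase and undo the common substitutions."""
    return password.lower().translate(LEET)


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if the password contains a run of adjacent keys along one row."""
    text = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in text:
                    return True
    return False


def check_password(password: str, personal_info=()) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    normalized = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    if letters_only in COMMON_WORDS:
        problems.append("common word, even after undoing @/$/0 substitutions")
    if is_keyboard_walk(password):
        problems.append("keyboard walk such as qwerty")
    for item in personal_info:  # pet names, children's names, hometown ...
        if item.lower() in normalized:
            problems.append(f"contains personal info: {item}")
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$w0rd", "!qwerty$", "Fluffy2019!",
                      "Tomlovesplayingbaseball#5", "forearsf,gon45"):
        print(candidate, "->", check_password(candidate, personal_info=["Fluffy"]) or "ok")
```

Note that the exact-match wordlist lookup lets the passphrase Tomlovesplayingbaseball#5 through even though it contains “baseball”: length and unpredictability are what make a passphrase strong, not the absence of dictionary words.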

Choosing a Password for Your Wi-Fi.

Choosing a secure password for your Wi-Fi is very important. If you use an insecure password such as your phone number, there is a chance that it could be cracked by a hacker. If a hacker has unauthorized access to your Wi-Fi, they could intercept traffic and steal your passwords or anything else sensitive. Your Wi-Fi is the door into your network, so choosing a secure password is very important. One way to protect your network is to create a guest Wi-Fi for anyone who comes into your house. This way your network is segregated from your guests’ devices, from which malware could otherwise spread inside your network.

If you work from home, you might want to create another Wi-Fi network for when you are working, especially if you work with sensitive information. Do not use the same password for your guest Wi-Fi, your non-work network, and your work network. If you are a nerd like me, you might want to mess with live malware for malware analysis. I would highly suggest you set up a separate network that is NOT connected to the internet or any other part of your network.

Also make sure that your router is updated. If you borrow the router from your internet service provider, look into upgrading it every couple of years. Most routers also come with default usernames and passwords; I would at least change the password to your router. Once again, pick a secure password that is at least eight characters long.

Be Careful what you Post on Social Media.

Be careful with posts that ask you to comment with the birth dates of your children, the name of your hometown, or any other personal information. Think before you click. This information could be used by scammers or phishers to gather information about you, and it could also be used to attempt to hack your password. They might even scrape your profile and make a wordlist of all the personal information found on your social media.

Sometimes hackers will post on Facebook that there was a major car accident while tagging a bunch of people. In the comments of the post they might post a URL that seems to be related to the car accident, but after visiting the site, it shows the login page of Facebook. Do not enter your password or even click the links. It is a phishing page: if you enter your password, the scam keeps spreading by hijacking the Facebook accounts of whoever enters their login information.

How to have good OPSEC!

OPSEC stands for operational security. Its goal is to limit one’s digital footprint on the Internet. Before posting on social media, think: “Do I want this information to be on the internet, potentially forever?” Be careful on sites like reddit.com about where and what information you post.

Have two different accounts: one where you might post some information about yourself and another where you keep personal information limited. Create different emails for different types of sites. Do not use your name in the username; try to keep everything segregated. On Discord, you can link your Spotify, Steam, and other accounts. Anyone can see this information and could use it to find more information about you. Also, use different passwords for each account you make.

Be careful when you post pictures; they can be reverse-image searched to find your other accounts. Be careful about posting pictures of your location; objects in the background could be used to identify where you live or where you are vacationing. Did you know that images can contain the geographic coordinates of the location where they were taken? Well, it’s true. Phones and cameras can embed the geolocation of where the picture was taken. This can be disabled on your phone in the settings. Some sites can be used to remove metadata. Word documents and Excel files also have metadata: they could contain the username of the user who created the file, the operating system used to create the document, the creation and modification times, and how long the person worked on the file. If you care about your privacy, you can strip all the metadata from the file before sending it. Some sites like Discord will automatically strip metadata, but I would strip it yourself if you are really worried about it.
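To see what a Word file gives away, and how to remove it, here is an added example (not code from the post). A .docx is a ZIP archive: the creator, last editor and created/modified times live in docProps/core.xml, and the editing application, company and total editing time live in docProps/app.xml. The sample document is constructed in memory with the same XML parts Word writes, so the example runs offline; it is not a document Word produced.

```python
"""Read and strip the identifying metadata inside a .docx (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for prefix, uri in CORE_NS.items():   # keep the usual prefixes when re-serialising
    ET.register_namespace(prefix, uri)
ET.register_namespace("", APP_NS)

# Fields that identify the author or the editing session.
CORE_IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
APP_IDENTIFYING = (f"{{{APP_NS}}}Company", f"{{{APP_NS}}}TotalTime")


def build_sample_docx() -> bytes:
    """Constructed minimal .docx carrying the metadata Word normally writes."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}" '
        f'xmlns:dcterms="{CORE_NS["dcterms"]}" xmlns:xsi="{CORE_NS["xsi"]}">'
        "<dc:title>Quarterly report</dc:title>"
        "<dc:creator>jdoe</dc:creator>"                      # the Windows/Office username
        "<cp:lastModifiedBy>jdoe</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2024-10-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2024-10-01T12:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
        "<Company>Example Corp</Company><TotalTime>210</TotalTime></Properties>"  # minutes edited
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


def read_metadata(docx_bytes: bytes) -> dict:
    """Return the identifying fields present in the document (None when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml"))

    def text(root, path):
        el = root.find(path, CORE_NS)
        return el.text if el is not None else None

    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "application": text(app, f"{{{APP_NS}}}Application"),
        "company": text(app, f"{{{APP_NS}}}Company"),
        "total_edit_minutes": text(app, f"{{{APP_NS}}}TotalTime"),
    }


def _remove(xml_bytes: bytes, paths) -> bytes:
    """Drop the listed child elements from one property part."""
    root = ET.fromstring(xml_bytes)
    for path in paths:
        for el in root.findall(path, CORE_NS):
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Copy the archive, removing the identifying fields from both property parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = _remove(data, CORE_IDENTIFYING)
            elif item.filename == "docProps/app.xml":
                data = _remove(data, APP_IDENTIFYING)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_metadata(sample))
    print("after: ", read_metadata(strip_metadata(sample)))
```

The same idea applies to any .xlsx or .pptx, which share the docProps layout; the Application name is kept here because it identifies software, not a person, but you can add it to the list if you want the file fully anonymous.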

Setting Up Multi Factor Authentication

Multi-factor authentication, also known as MFA, is a process that requires two or more different methods of authentication. For example, if after entering the correct password into Facebook you receive a text message with random letters and numbers, that is MFA. Note that SMS MFA is not safe. Sometimes hackers will social engineer a person’s mobile carrier rep into swapping out your SIM card for one under the hacker’s control. This attack is called SIM swapping. After the hacker swaps out your SIM card for theirs, all your text messages are sent to the hacker’s phone, allowing them to access your accounts even if SMS MFA is enabled. Usually, hackers use this attack against banking sites or cryptocurrency exchanges.

Fear not, there are solutions!

Earlier we talked about how SMS MFA is not safe; this paragraph will talk about other ways to secure your accounts. The first method costs around $50. There is a device called a YubiKey. After entering your password, instead of receiving a code via SMS or email, you plug this device into a USB port and it authenticates for you. A hacker might have your password, but without the physical device they will not be able to log in to your account. I personally use this device on all my email, banking, and other important accounts. There are different ways that the YubiKey can achieve this. There are different types of YubiKey with different functions: one for mobile devices, one that also uses your fingerprint, and one that uses NFC. The YubiKey site also lists sites where the device can be used.

There are also non-hardware solutions such as Google Authenticator, which you can download on Android or Apple devices. The site you are using should have instructions on how to set it up. This is a software-based authenticator created by Google. The Google Authenticator app uses a time-based one-time password (TOTP), which means you have a short amount of time to enter the code before it changes. The app also supports HMAC-based one-time passwords (HOTP), which also expire after a short amount of time.

After logging in, you open the app, find the site, and enter the 6-digit code into the site. You will not be able to log in without doing this. Also, make sure to save your keys when setting up Google Authenticator. If you change devices and lose the key, you will need to get a new key and might lose access to the site. There are other options if you do not trust Google, such as Microsoft Authenticator and Authy.
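Here is how those 6-digit codes are actually produced, as an added example (not the post’s or Google’s code). At enrolment the site and the app share a secret (the setup key the post says to back up); each side then computes HMAC-SHA1 over a moving factor: a counter for HOTP (RFC 4226) or the current 30-second time step for TOTP (RFC 6238). Nothing travels over SMS, so a SIM swap does not expose the code. The secret below is the public RFC test-vector key, not a real one, and verify_totp is an assumed server-side check, not any particular site’s implementation.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def secret_from_setup_key(setup_key: str) -> bytes:
    """Decode the base32 setup key shown next to the QR code (spaces and case tolerated)."""
    key = setup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)                 # restore the padding apps usually omit
    return base64.b32decode(key)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Assumed server-side check: accept the current step and +/-window steps of clock drift.

    hmac.compare_digest keeps the comparison constant-time so response timing
    does not leak which digits were right.
    """
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_TEST_SECRET, c) for c in range(3)])
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59))
    print("TOTP now:", totp(RFC_TEST_SECRET))
```

Because the code is derived from the shared secret, the backup the post recommends is that secret (or the QR code); a new phone with the same key produces the same codes, and a phone without it cannot.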

Be wary of repeated MFA notifications; there is such a thing as an MFA fatigue attack, in which the attacker repeatedly triggers MFA notifications to your email or phone. You get a message saying “Do you accept the new login?” The hacker will keep sending these notifications until you accept one, and once you accept it, the hacker will be able to log into your account.

Password Managers

A password manager is good because when using one you only have to remember one password: the password to access the password manager. A password manager is used to store your passwords. I use KeeWeb. KeeWeb supports YubiKey authentication, looks modern, and even has a secure password generator. Another option is KeePass; I believe KeePass has YubiKey support as well and can generate random passwords. Password managers are awesome because you only have to remember one password. I would make this password secure, because if a hacker has it and has access to your computer, they will have access to all your accounts. Bitwarden is another good password manager. Make sure you back up the password key file if you choose that option. Maybe even write down the password on a piece of paper and put it in your safe. This way, if you forget the password to the password manager, you will not lose access. I would not write the password in a text file or save it on your computer unencrypted.

Using VPNs when connecting to Public Wi-Fi.

When connecting to public Wi-Fi, use a VPN to encrypt your traffic. This prevents a malicious actor from intercepting your traffic and protects your privacy. There are many different VPNs you can use; paid VPNs will most likely be more reliable and have better speeds. VPN stands for virtual private network. Did you know someone can get your approximate location from your IP address? Well, they can; it might not be completely accurate, but it will most likely be close. If you are browsing the web and do not want the site to know your IP (Internet Protocol) address, you would use a VPN.

Even in 2024, some countries censor the internet; a VPN can be used to bypass the censorship. VPNs can also be used to prevent ISPs (Internet Service Providers) from tracking your online activities. An ISP might be anti-gun and could block all of its customers from accessing pro-gun sites; a VPN could be used to bypass that restriction. I highly doubt an ISP would do that, but they could if they were really anti-gun.

Another option is to use Tor. Tor stands for “The Onion Routing” network; Tor bounces your connection around the world through nodes that forward your traffic so that the IP address is not tied to you. Tor websites have .onion instead of .com or .org. Tor can also be used to browse the regular internet, but since Tor bounces your request through nodes, the connection will most likely be painfully slow. Also, some sites might automatically block you because you are using Tor. For example, once I created a Reddit.com account while using Tor; after five minutes of owning the account, it was banned. Reddit refused to reinstate the account.

Here is a brief list of some VPNs:

  • ProtonVPN
  • NordVPN
  • SurfShark

Spotting Phishing or Scam Emails

In 2024, you cannot determine whether an email is a phishing or scam email based solely on bad grammar or spelling, especially in the age of AI like ChatGPT. Hackers are relying on AI to write phishing emails. Let’s say you get an email saying that you bought a new laptop from Amazon. The only problem is that you did not, and no one but you uses your Amazon account. Instead of clicking the URL in the email, open a new tab and type amazon.com into your browser. Then find out whether someone really ordered a new laptop.

Sometimes phishing emails will pretend to be from someone important like your boss; the email might say that your boss is in a bind and wants you to purchase some gift cards and send them over. Hackers often use urgency to get you to click on a link, buy gift cards, or even download software. Another trick is familiarity: in the example above they used your boss’s name. This makes it look legitimate and plays on the urgency, because if your boss or your boss’s boss says to do something, you probably should get it done quickly. Before purchasing the gift cards, call your boss and double-check that they wanted you to buy them. If your boss says they did not ask for gift cards, contact the IT department to scan your computer for malware and change your password. If you are at home on your personal computer, run a full antivirus scan.

Another trick a phisher or hacker might use is to include a Word document or PDF that, when opened, pops up a prompt saying “enable macros” or “enable scripts”. If the document is malicious, this could run malicious software. If you need to download and open a document that you received, open it in “Protected View”. This will help keep you safe.

Before clicking on links, hover over the link and look at the preview. If it looks suspicious, do not click it; instead, copy the link and look it up on VirusTotal.com. Google owns VirusTotal.com; the site will tell you whether the link is malicious, along with other information about it. Only look up the link if it does not expose your email address or any other personal information. The great thing about VirusTotal is that other security professionals can also look at the link and find information about it.

Look at the domain name before clicking a link. Here are some questions you should ask before clicking:

  • Is the domain spelled right?
  • Do I have an account with the company?
  • Do I trust the site?
  • Is it a shortened link?

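The hover check and the questions above can be partly automated. The following is an added example, not code from the post: check_link() takes the text a link displays and the destination it really points to, and returns warnings for a shortened link, a raw IP address, a punycode (xn--) host, a typo-lookalike of a trusted domain, a trusted brand buried in a subdomain, or display text naming a different site than the real target. The trusted-domain list is a constructed allowlist, the shortener list is a small sample of real services, and the “last two labels” registrable-domain logic is a simplification of the Public Suffix List.

```python
"""Automated versions of the "before you click" questions (added example)."""
import ipaddress
from urllib.parse import urlparse

TRUSTED = {"amazon.com", "facebook.com", "reddit.com"}            # constructed allowlist
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}  # well-known shorteners


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Hostname of a URL; bare text like 'amazon.com' is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".").lower()


def registrable(host: str) -> str:
    """Last two labels, e.g. 'amaz0n.com' from 'www.amaz0n.com' (simplified PSL)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(display_text: str, href: str) -> list:
    """Return warnings for the link; an empty list means nothing looked off."""
    host = host_of(href)
    if not host:
        return ["no-host"]
    warnings = []
    if is_ip(host):
        warnings.append("raw-ip")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode")            # internationalised label, can hide homoglyphs
    domain = registrable(host)
    if domain in SHORTENERS:
        warnings.append("shortener")           # real destination is hidden
    if domain not in TRUSTED:
        subdomain_labels = host.split(".")[:-2]
        for brand in sorted(TRUSTED):
            if 1 <= edit_distance(domain, brand) <= 2:
                warnings.append(f"lookalike:{brand}")
            if brand.split(".")[0] in subdomain_labels:
                warnings.append(f"brand-in-subdomain:{brand}")
    # The hover check: does the text shown name a different site than the target?
    if "." in display_text and " " not in display_text:
        shown = host_of(display_text)
        if shown and shown != host:
            warnings.append("display-mismatch")
    return warnings


if __name__ == "__main__":
    samples = [  # constructed links; the hosts are not real sites
        ("https://www.amazon.com/orders", "https://www.amazon.com/orders"),
        ("amazon.com", "http://amaz0n.com/login"),
        ("Track your package", "https://bit.ly/3xyzabc"),
        ("Sign in", "http://amazon.com.account-verify.example/login"),
        ("Sign in", "http://192.0.2.10/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'ok'}")
```

A warning is a reason to stop and type the address yourself, as the Amazon example earlier describes; an empty list only means the cheap checks passed, not that the link is safe.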
Not only should you be wary of emails, but if you get an unsolicited private message from someone you do not know, be careful and do not click any links. Confirm that you are really talking to the person in question by messaging them off the platform. Sometimes scammers will use the same profile picture or set up a mirror account and message friends asking for money, gift cards, and maybe even cryptocurrency.

The last little tip I am going to give is: if it seems too good to be true, it’s probably a scam. Nothing is ever free; you might have to sit through a meeting before getting a gift card, but no one in their right mind will give something out for free. Think before you click.

Keep Your Computer Updated

Keeping your computer updated is important: once a vulnerability is published, usually within a day someone is already exploiting it. By keeping your computer updated you are protecting it. Also, update your antivirus. On Windows, you can set your computer to update after hours so it does not interfere with your work or personal time. Microsoft releases security updates on the second Tuesday of every month, sometimes earlier if an important security vulnerability is found. Also, update the other software you use as often as you can.

Be Wary of Emails that are current events related

Hackers will often use current events to try to get you to run malware on your machine or give them money. For example, if there was a recent hurricane named Sandy, hackers might send emails to unsuspecting people pretending to be a charity that helps victims of Hurricane Sandy and asking for a donation, but they will steal the money instead of donating it. Or during the holidays they might send out Christmas-themed emails with malicious documents that infect the recipient when opened. Always be careful when opening documents from unknown or suspicious persons.
