Internet criminals are armed with a growing repertoire of stealthy, often automated, tools. These threats require constant vigilance
In previous OWDT blogs, I’ve written about cyber security threats ranging from malware to cyberwar. Unfortunately, coordinated international action towards any major systemic fix–as with, for example, an ‘erasable Internet,’ is highly unlikely in the near or far future.
Whether you’re a business owner trying to protect confidential customer and proprietary information or a retiree who likes to surf the Internet, you need to add new, proven security measures as they become available to minimize your risk for identity theft, Ransomware, etc. –I say ‘minimize,’ because if even the most protected public/private security organizations are vulnerable to attack, so are we all. Though most of us are comparatively low priority cybercrime targets, Internet criminals are armed with a growing repertoire of stealthy, often automated, tools. These threats require constant vigilance.
A checklist of security measures
The basics revisited
- Change your email account passwords MORE frequently (every 3 months, e.g.)
When was the last time you changed your email account password? Most of us postpone this critical task far too long. Another critical issue: if you’re like the many folks who use the same password for their email and online banking accounts, you’re leaving yourself wide open to identity theft and/or someone draining your accounts.
- Develop a reliable system for creating new passwords The best strategy: Choose a sentence that is meaningful and easily remembered, such as, “I met my wife in San Antonio.”
Create at least three different passwords using this or a similar formula:
Use the first letter of each word, alternating upper and lower case and combine with some numbers (in this case, you could embed your wife’s birthday) resulting in–ImMw012274IsA. That could be for your email account.
Now, apply the same formula to create a second password that you use exclusively for your banking and other financial transactions.
Finally, create a third password for all your remaining accounts.
Email spear phishing
If you haven’t yet received emails from hackers impersonating one of your friends or business associates, consider yourself lucky.
How can I identify a phishing email?
- One quick giveaway that their email account is being phished: a subject line promoting a product or service (often well known and trusted), unlike anything they’ve forwarded to you in the past. Once you click on the link or attachment the hacker can then take over your digital device and steal personal and/or company data. Of course, even visiting a website can infect your computer with malware.
- Be alert to incorrect or unusual URLs (hover over the URL address to determine its actual source) that claim to be from friends, your bank or other reputable institution. Unless you’re completely confident the email is legitimate, don’t open it. Do not click any attachment OR ‘message body’ (it may be an infected image). Some of my friends have had their current and/or defunct email addresses hijacked 3-4 times. Contact the friend/institution and request confirmation that they sent you any questionable message.
- PLEASE do not let yourself get so distracted that you share your personal information online. You’ve heard it before, but your bank, etc., would not send you an email asking you to do this.
A convincing-looking site may pop up requesting your username and password
Cybercriminals have password hacking programs that run for hours, systematically testing millions of possible combinations to gain access to your private information and accounts. If you haven’t done so already, please apply the password creation formula outlined in Part I of this blog series. –Be especially careful NOT use the same password for soft targets (e.g., your online magazine subscriptions) and online banking or ISP/email access.
Additional security countermeasures
- Use a Safer Browser–Some web browsers are better than others are at blocking websites that often have malware links that have been embedded by criminals, often unbeknownst to their owners. To reduce risk, install all available updates to your browser. Better still, use a browser like Firefox that updates automatically. –According to research, Internet Explorer is the most vulnerable to this kind of attack. In the fall of this year, probably in October, Microsoft will launch Windows 10 with a completely new browser to replace Internet Explorer.
- Double Check the Website Address–Criminals can be waiting in ambush when you enter a typo in one of your vital account website addresses. A convincing-looking site may pop up requesting your username and password. —If you aren’t paying attention, your account will then be hijacked.
- Protect Your Router and other Devices–When you install any device, change the default password right away, especially the one for your Router. And make sure to download all firmware updates. More importantly, check to see if your router has WPA2 access, the most protected type of encryption. If it has only WPA basic protection–or less, consider buying a new router.
- Avoid Free Public Wi-Fi Networks–Legitimate public networks are vulnerable to outside attacks from hackers who can tap into the link between your computer and local network hub. This is especially the case for networks without passwords. It’s much safer to (1) use your own Wi-Fi ISP, (2) sign up for a VPN (Virtual Private Network), or (3) use a browser extension like HTTPS to encrypt your communications.
- Take Precautions with Free Apps–Download apps only from a legitimate provider like Apple’s App Store or Google Play. Before installing directly from a provider website (again, not recommended), check posted user feedback to see if there are any red flags.
- Think Twice Before Clicking a Sensational Link on FB or Other Site–A friend may have innocently posted an enticing video link on FB. When you open it, you are then asked to download a media player or take a survey of some kind. DON’T! This leaves you wide open to malware.
- Use Two-Factor Authentication When Possible–If you request it, FB, Google, Microsoft and Apple and other companies will provide you with a second layer of protection by arranging to send you a randomly generated code (sent to your smartphone) as you log in. Information about how to do this and which companies are providing it are available at org.
Next, I’ll discuss the new ‘hackers for hire’ threat and what to do if you are hacked.
The growing threat of hackers for hire
Hackerslist.com, the first website to list professional hackers for hire, was launched in November 2014. Their raison d’être is the belief that everyone, eventually, will want to hack something–and they want to make the process as easy for their clients as possible. According to a recent NYT article, the founders of the New Zealand-based site are concerned enough about legal ramifications not to go public. Whether this new enterprise will be successful is open to question, despite some initial favorable reviews from the ‘hacking community.’
Hiring individual hackers is nothing new. Hackers’ List is simply capitalizing on the groundswell of interest in routine, low-level hacking. Projects may include spying on a spouse to see if they’re cheating (by gaining access to a partner’s social media accounts), breaking into a competitor’s website to steal a list of their clients, ‘arranging’ to change a student’s university grade–to something as innocent as removing embarrassing pictures from a website. Services can cost from a few to thousands of dollars.
Surprisingly, some defend the legality of this kind of work; others claim, with good reason, that laws against it are hard to enforce. First strategies should include–
Hiring a professional hacker to test your website and social media pages for vulnerabilities, including those coming from potential insider threats. That is, if you have the money…
Using password managers and generators (e.g. LastPass) combined with two-factor authentication (requiring a uniquely generated code). In fact, this is freely available…
Why private browser settings aren’t so private
Unfortunately, private browser settings aren’t so private. The websites you visit in private browsing modes are invisible only to others using your computer (and there are ways to get around that), but not to your ISP or the websites you’re visiting. Even Firefox, known for having relatively secure browsing protection, records your history of SSL certificates, etc. Ultimately, your Internet Protocol (IP) address is visible when you surf the ‘above ground Internet’.
In fact, the NSA collection program works primarily by tracking IP addresses linked with others whose owners may believe may share terrorist goals. Remember that anything you download, including bookmarks during a private browsing session, remains on your computer and can be retrieved.
But there are ways to hide your ip address…
For those of you who are really serious about ramping up your privacy online, the Electronic Frontier Foundation is a good place to begin.
Tor, the ‘guts’ of the Hidden Internet, previously known as The Onion Router, is a network that allows you to surf the web anonymously by routing your traffic through a series of invisible computers/routers before connecting you with your intended destination. –Essentially, the only computer that knows the start and end points of a search or communication is yours. This means that nothing can be tied directly to your IP address. It’s so effective that even the NSA has trouble getting into the system.
In my next blog, I’ll share a list of options for those who, I’m hoping for legitimate reasons, want to communicate with a hidden IP address.