Cybersecurity starts with you the individual, at home is your personal cybersecurity, and at work is called cybersecurity. This is a way of describing your computer security and internet security.
Establish good behavior to protect your selves from massive campaigns of harvesting your sensitive data. Cybersecurity is an ongoing topic that needs a refresh every several months because the methods of compromising your online security are always evolving. In hindsight, this information can be used to circumvent some of the methods that can be used to protect you from social engineering.
Succinctly a list of methods on enhancing our personal cybersecurity:
- The communication methods, the urgency of the wording is meant to startle us and take action without thinking of the bigger picture
- Scrutinize cell phone text messages and Phone calls from your bank or credit cards, these also come come from the Fake FBI or who knows what other governmental or fake collection agency
- Scrutinize your email spelling and the websites’ link spelling and email attachments
- Social sites, be aware that what you post there someone might be able to see
- Change your Wi-Fi password from time to time
- Create strong passwords
- The answers to security questions make sure they are not general public knowledge or can be deduced from the internet, and social sites
- Do not use the same password for sensitive services like Wi-Fi, email and bank accounts
- Have tiered passwords, no one cares if an intruder hacks Netflix and streams from their account, but they will weep if that same password would allow the same intruder to appropriate a hefty sum from their bank account
- With any subscription, think of the tier-ing system, you can use the same password for Netflix and Hulu and such similar accounts to make it easier for your memorization
- Sit and plan the password strategy draw the tiers and organize the accounts on a map to make it easy
- Get double verification, which gets you prompted for a code sent to your mobile phone
- Get a backup email and keep it only for passwords resets and the password should be different from all your other passwords
- Obviously use a password protected Wi-Fi, and use at least WPA2 encryption
- Verify the browser https:// and locket every time you sign in on ANY website
- Save your pictures and personal data on a local external drive, and maybe keep it in a fire proof safe or case
- Use sandboxing with virtual machines and sandboxie when experimenting or surfing the web
- Get deluge as a torrent downloader, the rest have adware
- Verify file signatures when downloading files
- Use the portable version of software you need and sandbox that too with sandboxie or virtualBox
- Software to use for internet and computer security: Microsoft EMET, SandBoxie, Antivirus, Time Freeze, VirtualBox, and a malware scanner, The Computer Manual rescue CD
- Every few months read about cyber security, internet security and computer security
- Don’t piss off the wrong people if you have an online voice
Good Behaviors to establish for online protection
Always keep your personal email password very complicated and only for your email, never use it for any other websites. Try to segregate your passwords in between websites. You should have your passwords tiered.
A good startegy is something like this:
- Scrutinize cell phone text messages and Phone calls from your bank or credit cards
- Actively scrutinize your email and email attachments, spelling of the message and links
- Email passwords, unique, difficult and different than any other online and or offline account
- Online Banking passwords are to be difficult as well but completely different than your email password
- Then subscription based services I.E. (Netflix, Hulu) for online streaming can use the same password or not
- Memorize your passwords and tier them based on the service, don’t have them written down everywhere
The wording and tonality and word spelling, also spelling of a similar but fake website in a bogus link.
Usually all forms of communication email, phone calls and text messages to name a few, have a professional tone to them. The fake ones have an excessive urgent tone, designed to panic us and to determine us to take action without even suspecting that we are being deceived. (Hook Line and Sinker)
Emails and Email attachments
Massive online campaigns are one of the major ways to tricking people into clicking the wrong links or downloading the wrong attachment (check the spelling of the email wording, tone, and the spelling to detect fake links). These are ways of spamming and spreading emails to your contact list or harvesting passwords and usernames. It is imperative that we always do our due diligence of being present and not allowing our second nature do the reading of an email which might be well designed to mislead us into believing that our bank, credit card or a friend, has sent the email to us. If we are misled then the action of clicking a bad link or downloading a bad attachment would have compromised our personal cybersecurity.
A few things to know about your bank or credit card company. They will always address you by your name or first name. If they provide feedback information about your accounts usually the emails are succinct and they provide you with the last 4 digits of the account in question no action is required on your part. Always make sure you verify your last four digits, and the spelling, before taking action on downloading any attachments or clicking links.
Vague emails with bad spelling where you are cannot see your name or your last 4 digits of your account, with bogus links to a webpage without the https:// header will try to compromise your personal cybersecurity. These tactics evolve and become more sophisticated constantly. In addition as technology and services become cheaper, they become more accessible to be employed in misleading you.
Mobile phones SMS and phone call scamming campaigns
With smartphone we can access our bank and do a lot on the go. However a bogus SMS text with a link sent to a mobile phone can be a very effective way of compromising your personal cybersecurity. SMS messages sent on a massive scale are sent and redirect your mobile phone browser to a fake website. If you try to log in then your account logon credentials are captured and added to a database. In order to prevent that, is better to use the app provided by your bank or credit card as well as double identification, password and SMS text with a code.
Sometimes they use fake governmental agencies to try to probe you for data. Always ask for the badge number or their code. Phone calls could come from fake collection agencies. Ask for their website and their affiliation with credit card companies and such. There are some of us or many who might have some credit card debts, which would make the communication seem more legitimate, and remember that some of these scammers might gain access to the same data as the legitimate company, thus making us an easier pray. This can also be applied as credit card debt reduction communications. Make sure you verify them, don’t give them your email, they should already have it, because your bank has it. So if you’re on the go have them spell your email out to you if you need to have later communication with them. If you believe they are legitimate, always check their website.
In addition if you receive phone calls from your bank, make sure they do not make you to authenticate yourself with full account numbers, passwords and social security information. They called you to alarm you of a security breach, they know your information, so they will inform you of a breach and they will tell you will receive a bank card in a number of days. If you are unsure if that is your bank who is actually calling you. Hang up and call them back. Then you can start the process of authentication, but remember you placed the call to the proper number. When they call you they already know they are speaking with you, so they should not ask about your sensitive data, or if your bank calls you they will only ask for the last 4 digits of your social or account.
Social Web sites
Social sites have marketing packages to sell to marketers to do analysis on the data collected. This analysis is used to better anticipate the consumer market or any other market for that matter. This is a warning is not a research paper on what measures are social sites taking that this data doesn’t fall in the wrong hands. Just be aware that data can always leak in the wrong hands, and if an algorithm picks you up, then they will attempt to compromise your cyber security.
Social networks can be used to track sensitive information about you which later can be used for answering the security questions for resetting your passwords thus gaining access to your email or bank account. These groups have a lot of resources at their disposal and they are very smart. They work in teams and they out-think the problems posed by the current strategies in place for your online security. That’s their job, and maybe on a daily basis. They have people specialized on specific tasks only, this way they optimize and get better workflows and results.
Your wireless network password has to be unique and strong. Try not to keep it personal like birthdays and such. Identical Wi-Fi and email password makes the intruder’s job twice easier to access other accounts. With a TLS stripper while on your Wi-Fi, he can force your computer to feed you, your email website unsecured by https://, that is why it is important for you to always check when your login into a bank or your online email if the https:// and the locked are present.
Wi-Fi hacking, how to? Simple.
Big data outages from huge banks or retail shops can be used to create password lists. These lists are already online, and with such lists a power user will compromise your Wi-Fi password, the rest is quite easy. One person cannot guess another person’s password but the collective mind is exponentially more efficient and more creative. In addition, there are services online for hacking Wi-Fi passwords or other passwords or encryption hashes, many of them are cheap. In addition a normal video card can do around 50 000 hashes per second with hashcat, whereas a CPU it can do up to 500 per second, so a two million password list will take more or less a day. If your password is contained in the list then your Wi-Fi security can be infiltrated.
Don’t even think about not having your Wi-Fi password protected, it takes literally one day for someone to hack your email trough access to your Wi-Fi. Then from there your bank account and such many other accounts, because most of them are connected to your email account. All you have to do is try to log in into your email account.
Use Deluge torrent downloader for torrents, all others are terrible.
When you download anything from torrents or the internet make sure the file is actually the file you were promised. Usually organizations or individuals sharing files include an MD5 or SHA1 key on the website from which you are downloading the files you need. There is gp4win software which can verify the signatures for these files, and then you can compare them with what’s online. Therefore if someone “a man in the middle” would hack the website and alter the file, then those signatures will change. A caveat here, small blogs usually might have small downloads hosted on the same website with their hashed security keys. That is a way of getting two birds with one stone. An intruder could change the files contents and change the key posted on a website as well. Larger sites have the keys posted on the site but the actual download is hosted elsewhere, making the intruder’s job a twice more difficult. Do always check the files signatures before installing or running the files you downloaded from the internet. In addition you can sandbox the file or the installer until you can figure out if the file or installer are safe.
Instead of installing software into your computer try to use the portable version. This way the software is not blended with the rest of the operating system maintaining it much responsive. Use 7zip, universal extractor and innounp.exe to extract the software application from its installer. Some newer applications offer already the portable version.
A key logger is a piece of software that tracks all your key strokes, saves them or when possible sends them to the designer of the key logger. A key logger sometimes is used as a parental control so parents could have an idea what their children are doing online. However it can be used for malicious things as well or targeted attacks. A key logger can be a physical device attached to your computer or a piece of software blended in with another file which you downloaded from the internet or as an email attachment.
Denial of service And Man in the middle attack
Usually this method floods the services with a large amount of requests that they cannot keep up with the legitimate requests. It can be used as a precursor to a MITM “man in the middle attack”.
Man in the middle attack is a hacking tactic designed to capture sensitive information of any kind which can be useful to the intruder’s end. One example would be to have someone find you Wi-Fi password then using special tools to track your moves and capture sensitive data like password and usernames from you. But first they have to crack your Wi-Fi password. If they manage that then the rest becomes easier especially if they live next to you.
Safe Web Browsers and Computer Security
Always check your browser’s address bar to contain the https:// and the locket when you’re using online banking or any online account that requires a username and password.
Use a firewall, an antivirus, Microsoft EMET, Time Freeze, Sandboxie and virtualBox.
The article on http://www.thecomputermanual.com/identity-theft-credit-report-credit-monitoring/ suggests to use virtual box as a sandbox for safety, the term Sandboxing, wasn’t a mature technique at the time.
Sandboxie enables sandboxing without the extra layers of a virtual machine hosted in Virtualbox, is like Windows inside Windows. However to be completely safe Virtual box is the much safer option but more demanding on resources and patience. I bet that there are people working to circumvent Sandboxie.
Many programs have their own sandboxes to protect the rest of the operating system from a possible exploit. Adobe Reader is perhaps the most used software in the world. PDF files are notorious for being the gateway trough which anyone can gain access to an unsuspecting user’s computer. Presently Adobe reader comes with its own sandbox. But rest assured there are people already working on exploiting the sandbox itself. Java is another very popular technology heavily targeted for compromising your Computer Security.
Safe browsers come with their own sandboxes to limit the exposure of the operating systems to attacks. Another way is to use computer state freeze software like Time Freeze. This would allow the computer to be restored to the previous state when rebooted. This can reverse any damage incurred during any type of attack on the local computer only. If an online account is compromised then most of these tools are useless. But they are good at preventing.
Special software for protection:
Antivirus is effective at detecting bad downloads or attachments – However the antivirus and the firewall are not very effective when you have clicked on a bad link that forward you to load a website designed to run code on your web browser and compromise your entire Operating System (Windows, MacOS). When that happens basically you are a sitting duck and you might also not be aware of that fact. But if you are, just refresh the entire Operating System, or scan your computer with The Computer Manual Rescue Disk and others. In this instance a more effective method of prevention is Having EMET installed as well as sandboxie.
Microsoft EMET is designed to stop certain attacks like the one mentioned above, and a few other types. Remember EMET is not infallible, but it helps quite a lot.
Sandboxie usually isolates the entire application from the rest of the operating system. In this manner if that application is compromised all you have to do is close it. Whatever the script was designed to do to the Operating System it cannot because it completely isolated, in let’s say a bubble.
Time Freeze restores your entire Operating System to a previous state. So in a way is like sandboxie but instead of sandboxing only the application, it sandboxes the entire operating system. Time Freeze needs a little configuration and some planning. When it’s active all the changes after restart will be reverted to the period when it wasn’t active. So if you had it active for a month and you made a lot of changes, then those are possibly lost when you restart your computer, so pay attention on how you use it.
Virtual box with another windows installed in a virtual machine is quite a good method of sandboxing. You can play around and take snapshots and revert that operating system to a previous state. In this manner your main or hosting operating system is completely isolated from anything if all the work you do is through a virtual machine.
These are most of effective methods of hardening your personal cybersecurity.
In hindsight some of the information here can be used at compromising your cybersecurity. These methods of circumventing the scammers, can and will be used by them to be prepared for your defenses. So be alert to your internet security and computer security. And you can see that there are many variations trough which someone or something can compromise your cybersecurity. It is the manner in which all these methods are combined that makes them very effective and elusive at the same time to your online and offline security.