Don’t Be A Victim

There are a lot of bad people in the world. They live all over the globe and they are hard at work using the internet to try to break in to your virtual world. They use high-powered computers with specialized software to probe for weaknesses in your internet facing applications. They work out of sweatshops in Africa and Asia as well as government funded facilities in Iran, Russia, China and North Korea. They work 24 hours a day, seven days a week, 365 days a year.

In his book, The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime, author Scott Augenbaum provides some simple and straightforward ways you can keep yourself, your family, and your business safe from those who would do you harm. Read on to learn why this applies to your home and work life.

In the 1990’s hackers were often teens breaking in to servers for kicks. They would replace a web page with a meme just to prove a point or make a political statement. Corporate espionage moved from people stealing paper documents to theft of computer drives. As we approached the turn of the new millennium, the internet became widely used in both homes and business. The world became more connected and the bad guys devised new, clever ways to act out. Today, organized crime and nation states use cyber attacks (malware, ransomware, etc…) to raise money to fund all types of illegal activity, including international terrorism. The funding has become larger than some countries’ GDP.

Cybercrime is on the increase internationally, and it’s up to you to protect yourself and your business. But how?

Passwords

Do you use passwords to protect yourself? Probably. But do you use effective passwords? On list after list found online, the number one and number two passwords for several years running are ‘123456’ and ‘password’, respectively. You may as well not even have a password if you use one of these!

Change your passwords to make them more difficult to crack. No, really… change your passwords! Did you buy a thermostat or a light bulb for your smart home and leave the default password un-changed? More critical, is the default password still in use on the HVAC system your company uses? Who cares? Nobody can do anything harmful by hacking in to a thermostat, can they? Think again… the now infamous Target breach in 2013 occurred because the HVAC system was insecure. The bad guys gained access and used that poorly secured system to pivot to other systems, finally landing on their point of sale system, exposing over 40 million customer’s credit cards and costing Target over $300M, not to mention the brand impact. The simple lesson here is to make sure you are not using the default password on any computer, website or smart device over which you have control.

Passwords should be hard to guess, but usability and security go hand-in-hand. If your password is too hard to remember, you will write it down (and keep it under your keyboard?). In that case, anyone with physical access to your work area has your password. That is kind of like keeping the key to your back door under the potted plant on the front step. If you use the same password on many sites, even a strong one, a compromise at one site exposes all your logins. Think about the passwords you use everyday…would you be ok giving your email and most used password to a bad guy and saying, “Hey, use these to try and access any of my accounts”? Terrifying!

The time has come that everyone needs to rely on a password manager to create and remember strong, unique passwords for every website. A quick online search will return dozens of choices. They all work similarly. Choose the right one to meet your needs, but read the reviews. Nearly all of these tools include a built-in random password generator. A click or two and ‘#2a&+AY8nrPu7HU@js^’ is your new password. The tools auto-fill in your trusted devices so you never have to type this mess in manually. Personally, I have over 400 passwords in my password manager and I don’t know what any of them are! The better solutions are heavily encrypted and allow automatic and manual back ups to keep you from losing access yourself.

Unfortunately, passwords alone are no longer enough to keep the bad guys out of your accounts. There is software available on the web that works to guess your password(s), and quickly too. These tools initiate a brute-force attack. A brute-force attack uses a set of predefined values–a dictionary of passwords–to attack a target and analyze the response until it succeeds, with little to no human intervention. They just keep trying different combinations until it works. These attacks can take several minutes to several hours or several years depending on the system used and length of password. Do yourself a favor and make your password long, at least 16 characters. This is where the password managers excel. You can easily create and manage hundreds of super-strength passwords and never have to actually type them in! The bad guys are not going to spend years trying to crack your password. The Pentagon, maybe, but getting into your iTunes is likely not worth that much effort. Not interested in random 16-character passwords? Try a passphrase, like ‘PredatorsStanleyCupChamps2019!’ That’s pretty easy to remember! (and fun to type)

Multi-factor authentication (a.k.a two-factor authentication/two-step authentication)

This is a simple, but extremely effective way to eliminate the possibility that a brute-force attack can be successful. Think of it as something you know (your password) and something you have (access to your email or smartphone) You have probably used multi-factor authentication before. If you bank online, it is likely that your bank sends you text or an email after you enter your password to confirm that it is you that is trying to access your online account (something you know). That ‘confirmation’ text or email is a second ‘factor’ that proves you are who you say you are when logging in to their system. By requiring a second form of identification (something you have), multi-factor authentication decreases the probability that an attacker can impersonate you and gain access to your accounts or other sensitive resources. Even if a bad guy gains access to your password, he won’t have the second factor required to authenticate. He is locked out and your account is secure. Enabling multi-factor authentication on every account that accommodates it is likely the single most effective way to prevent fraudulent access to your online accounts. Call and ask your providers if they offer multi-factor authentication; it could save you a lot of money.

Phishing

“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information (PII), banking and credit card details, and passwords.” phishing.org

The bad guys send emails that look legitimate, but the intention is to trick you into entering your personal information or login/passwords so they can use that information to serve themselves, not you. A few years ago, these phony emails were easy to spot. Today, they have become so sophisticated that it is at times impossible to detect without examining the email header information. The rule of thumb these days is that you should never click on a link in any email. If your bank sends you a message that has a link in it, go to the bank website from your browser and verify it is legitimate. Once logged in through a session that you initiated, you can try the link in the email.  If you are asked to login in a second time, it is possible the link is bogus and a phishing attack.

  • Check the spelling of all URLs in email links before you click. homedepot.com and horndepot.co look a lot alike in the tiny text displayed in the browser url bar.
  • Watch for URL redirects, where you're sent to a site with an identical design as the intended site.
  • If you receive an email from a sender you recognize but it seems suspicious, contact that source with a new message rather than replying.
  • Don't post personal data, like your birthday, vacation plans, etc… on social media.

Lying

I am not advocating that you lie, except under one circumstance–when you answer those security questions required to sign in to some sites. This is perhaps my favorite tip from Scott’s book. Your mother’s maiden name? Well, that is usually pretty easy to find online. If somebody has studied your online profile, they can probably figure out where you went to high school, what year you graduated, what you name your pets and your favorite vacation spot. Lie. Your mother’s maiden name can be Peanut Butter. Your first car can be Maytag. Your first dog? Free Willy. Make these answers something that nobody could ever glean from your online profile. If you choose this path of deceit, be prepared, you will either have to be consistent (mom is always peanut butter) or better, rely on your password manager to keep track of your deception.

Nobody is interested in me–I have nothing to offer.

Oh, yes you do! Information about you has value on the dark web. No matter how boring or uninteresting a target you think you are, somewhere, somebody is willing to pay to know more about you. There is some system somewhere where info about you can be leveraged for nefarious purposes. Whether it is to break into your social security account or expose a flaw in the software on a thermostat, bad guys are working around the clock to target you. Don’t be the next cyber victim.