Inside the mind of Midnet Media.

Cyber Self-Defense

Every other week there’s a news story about a data breach in which millions of people have had credit card numbers, Social Security numbers, email addresses or passwords leaked onto the internet. As an example, between May and July 2017, Equifax suffered a breach that, according to the Federal Trade Commission, exposed the “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” of roughly 143 million Americans, nearly half the population. So if giant companies can’t keep your data safe, how can you possibly do it?

While you have no control over the data in their systems, there are a few simple steps you can take to keep unauthorized individuals out of your email, social media, banking, and other online accounts. These steps fall into two basic categories:

  1. Don’t get phished
  2. Be difficult to hack

Phishing vs. Hacking

Depending on who you ask, you’ll get different definitions, but in my opinion, phishing (pronounced “fishing”) is the act in which an attacker poses as a trustworthy individual or institution and tricks the victim into simply handing over their username and password. Hacking, on the other hand, is the act in which an attacker gains access to the victim’s accounts or data by guessing their password, exploiting security flaws, or otherwise breaking through the barriers in place. A simple analogy: phishing is convincing you that the thief is the valet so that you hand over the keys yourself, while hacking is picking the lock, breaking the window, or towing the car away to a chop shop.

So how can I avoid being phished?

Everywhere you go online now they want you to log in. Email, social media, online shopping, e-banking, and all sorts of other sites make you sign in before you can see your account, and you’ll usually see a page structured like this:

[Image: Login window at mail.midnetmedia.com]

You’ve got a spot for a username and a spot for a password. That’s a simple page to copy for someone with nefarious intentions. All they have to do is send you an email with a disguised link (again, very easy: the visible text of a link can read https://www.gmail.com while the link itself goes somewhere else entirely), and when you type your information into the copy, that’s it, they have your login.

This happens all the time. They might send you a message pretending to be Amazon saying your recent purchase failed and that you need to update your payment information. They might pretend to be Facebook and want you to login to approve a phony friend request.

There is, however, a way to tell if your link is legitimate. Let’s zoom in to the address bar.

[Image: Firefox address bar on an HTTPS connection. Firefox displays a green lock icon and the https:// protocol when connected securely.]

[Image: Chrome address bar on an HTTPS connection. Chrome displays a green lock icon, the word “Secure”, and the https:// protocol when connected securely.]

[Image: Safari address bar on an HTTPS connection. Safari displays a lock icon when connected securely; clicking on the URL also reveals the https:// protocol.]

Your browser will tell you what site you’re logging into in the address bar at the top of the page. If the attacker’s email said the link was going to Gmail and it goes somewhere else, your browser will always tell you the truth, so read the address carefully: the part that matters is the domain name just before the first single slash, and attackers register look-alike names (an extra letter, a swapped digit, or the real name stuck in front of a different domain) precisely because people skim it. Another thing to look for is whether your browser shows the site as “http://” or “https://”. That “s” stands for “secure” and means the site has a certificate for that domain, so your connection is encrypted and you really are talking to whoever controls the name in the address bar. It does not by itself mean the site is honest: anyone can get a certificate for a domain they own, including a phishing domain, so the padlock and the correct, familiar address have to go together. If your browser loads a site starting with “https://” and the address is the one you know, you can be pretty certain you’re at the real version of the site you’re logging into.
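The two checks above (does the link go where its text says it does, and does the real destination belong to a site you use) can be done mechanically. The following is an added example, not code from the post: it pulls the links out of a constructed sample email, takes the hostname exactly as a browser would show it in the address bar, and reports why each link is suspicious. The `KNOWN_HOSTS` set and the sample email are assumptions made up for the example.

```python
"""Added example: flag phishing-style links in an email body.

Constructed sample data; KNOWN_HOSTS is an assumed list of sites the
reader actually logs in to. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites you expect to log in to (assumption for this example).
KNOWN_HOSTS = {"www.gmail.com", "mail.google.com", "www.amazon.com", "www.facebook.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """The host a browser shows in its address bar: lowercased, without
    user@ prefix, port, path or query. The scheme is assumed if missing."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyze_link(href, text):
    """Return the reasons this link is suspicious (empty list = nothing found)."""
    reasons = []
    real = hostname(href)
    if not real:
        return ["no destination host"]

    # 1. The visible text looks like a URL but names a different host than the href.
    if "." in text and " " not in text:
        shown = hostname(text)
        if shown and shown != real:
            reasons.append(f"text says {shown} but link goes to {real}")

    # 2. The real destination is not a site you use. A known brand name buried
    #    in an unknown host (gmail.com.example.org, amazon-billing.example.net)
    #    is the classic look-alike trick.
    if real not in KNOWN_HOSTS:
        for known in sorted(KNOWN_HOSTS):
            brand = known.split(".")[-2]      # "www.amazon.com" -> "amazon"
            if brand in real:
                reasons.append(f"{real} is not {known} but contains '{brand}'")
                break
        else:
            reasons.append(f"{real} is not a site you use")

    # 3. Plain http: no certificate, no padlock in the address bar.
    if urlparse(href).scheme.lower() == "http":
        reasons.append("not https")
    return reasons


def scan_email(html):
    """Map each link's real destination to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: analyze_link(href, text) for href, text in collector.links}


# Constructed sample message in the style of the fake "order failed" email.
SAMPLE_EMAIL = """<p>Your recent order could not be processed.</p>
<a href="http://amazon-billing-update.example.net/login">https://www.amazon.com/orders</a>
<a href="https://www.amazon.com/gp/css/order-history">Order history</a>
<a href="https://www.gmail.com.account-verify.example.org/">Verify your Gmail account</a>
"""

if __name__ == "__main__":
    for link, warnings in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", warnings or "looks fine")
```

The first sample link fails all three checks (the text claims amazon.com, the real host merely contains the word "amazon", and it is plain http); the second is a genuine amazon.com link and passes; the third has a friendly label and a padlock but its address bar would read `www.gmail.com.account-verify.example.org`, which is not Gmail at all. The same rule applies when reading by eye: find the domain before the first single slash and compare it to the one you know.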

This is the most convincing way to phish, but there are others worth mentioning. The classic “Nigerian Prince” email is a 21st-century version of the advance-fee scam: someone promises you a large sum of money, and all they need is your bank account information so they can deposit it. Another is the annual IRS phone scam you’ll hear about as tax season approaches. If you’re unsure whether something is a phishing attempt, your best bet is to verify it independently, either with a phone call to a number you already have, or by typing the site’s address into your browser yourself rather than clicking any link in the questionable email.

And how can I avoid being hacked?

While in phishing attacks you can be more vigilant and skeptical of questionable sources, hacking attacks aren’t always detectable until it’s too late, so your best bet is to make yourself a more difficult target.

The first step to making yourself less of a target is having a good password. There are lots of different opinions on how to make the strongest password, but there is broad agreement on what makes the worst ones. If your password appears on any published list of the most common leaked passwords, we highly recommend changing it today.

To get an idea of how to make a strong password, it’s good practice to think about how passwords get broken. Attacks generally fall into two categories:

  1. Guessing personal information (birthdays, anniversaries, kids’ names, etc.)
    Using significant dates and names as a password makes it easy for you to remember, but it also drastically reduces the number of guesses an attacker has to make, because much of that information is public or easy to find.
  2. Brute force trial-and-error
    In a pure brute-force attack, a computer loops through every possible combination of characters until it hits your password. The cost of that attack depends on the size of the search space, so security professionals recommend long passwords, and a few easy-to-remember words strung together is one way to get length. Attackers adapted by trying dictionary words and common word combinations first, which is why a single word, or a word with a predictable “1” or “!” on the end, falls almost immediately. Several words chosen at random from a large list still force an enormous number of guesses; what matters is how many possibilities the attacker has to cover, not how the password looks. Keep in mind too that against a login page the attacker is limited to a few guesses a second, but against a copy of a leaked password database a cracking rig can try billions of guesses a second, and that is the case your password has to survive.

The strongest passwords of today all have a few things in common:

  • Length (the single biggest factor)
  • Mixed case
  • Numbers
  • Symbols
  • No personal information
  • No reuse across accounts

That last tip is a big one. As we mentioned earlier, data breaches are just a part of 21st-century life now, and that means your email address and the password you used on some site will eventually be exposed. If you log in with the same password everywhere and that password leaks once, all your other accounts immediately become vulnerable, because attackers take leaked lists and try every address-and-password pair on other popular sites. Keeping a strong password unique to each account is the best way to keep all of them secure. If you’re worried about remembering dozens of different passwords, fear not: a password manager will generate and store a different one for every account, and as a bonus it will only fill a saved password in on the site it was saved for, which makes it much harder to be tricked by a look-alike login page.
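To put numbers on the two attack categories above, here is an added example (not code from the post) that builds the kind of guess list an attacker assembles from someone’s personal details, counts how many tries it takes to hit a “personal” password, and then compares the search space of several password styles at two assumed guess rates. The profile, the rates and the word-list size are assumptions made up for the example.

```python
"""Added example: how many guesses does a password really cost an attacker?

All figures below are assumptions for illustration, not measurements:
ONLINE_RATE and OFFLINE_RATE are order-of-magnitude guess rates, DICT_SIZE
is the size of a diceware-style word list, and PROFILE is a made-up person.
"""
import math
import secrets

ONLINE_RATE = 10          # guesses/sec against a login page that throttles
OFFLINE_RATE = 10 ** 10   # guesses/sec against leaked fast hashes on a GPU rig
DICT_SIZE = 7776          # words in a diceware-style list (6^5)

# --- Category 1: guessing from personal information -------------------------

PROFILE = {"first": "alex", "pet": "fluffy", "team": "cowboys",
           "year": "1985", "born": "0712"}      # constructed, not a real person


def personal_candidates(profile):
    """Yield the guesses an attacker builds from known facts: each name, with
    and without a capital, followed by a known year/date and a common tail."""
    words = [v for v in profile.values() if not v.isdigit()]
    digits = [""] + [v for v in profile.values() if v.isdigit()]
    for word in words:
        for base in (word, word.capitalize()):
            for d in digits:
                for tail in ("", "!", "1"):
                    yield base + d + tail


def guesses_to_find(password, profile):
    """1-based position of `password` in the personal guess list, or None."""
    for n, candidate in enumerate(personal_candidates(profile), start=1):
        if candidate == password:
            return n
    return None


# --- Category 2: brute force and the size of the search space ---------------

def bits_random(alphabet_size, length):
    """Entropy of a password of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bits_passphrase(words, dict_size=DICT_SIZE):
    """Entropy of `words` words chosen uniformly from a dict_size-word list.
    Attackers who know the list still face dict_size ** words combinations."""
    return words * math.log2(dict_size)


def expected_crack_seconds(bits, rate):
    """On average the attacker hits the password halfway through the space."""
    return (2 ** bits) / 2 / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def compare_styles():
    """Entropy and offline crack time for the styles discussed in the text."""
    styles = {
        "5 random lowercase letters": bits_random(26, 5),
        "8 random printable characters": bits_random(95, 8),
        "5 random words from a 7776-word list": bits_passphrase(5),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, OFFLINE_RATE))
            for name, bits in styles.items()}


def generate_passphrase(wordlist, words=5, sep="-"):
    """Random passphrase using the OS CSPRNG (the `secrets` module), which is
    what a password manager does; never use random.choice for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    n = guesses_to_find("Fluffy1985!", PROFILE)
    print(f"'Fluffy1985!' found on guess {n} of {sum(1 for _ in personal_candidates(PROFILE))}")
    for name, (bits, secs) in compare_styles().items():
        print(f"{name:40s} {bits:5.1f} bits  ~{human(secs)} offline")
    # Tiny constructed list; a real generator would use the full 7776 words.
    print(generate_passphrase(["correct", "horse", "battery", "staple", "river", "anvil"]))
```

The personal-information case is the whole point of category 1: a password that feels unique to you falls inside a list of a few dozen guesses, well within even a throttled login page. The comparison in `compare_styles` also corrects a common misconception: five random words from a 7776-word list are worth about 65 bits, far more than five random letters (about 23.5 bits) and more than eight fully random printable characters, even when the attacker knows exactly which word list was used.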

The second step to making yourself less of a target is to make sure the only way into your information is through the login page. You’ve likely seen icons or messages like these on your computer or website:

[Image: the update icons and alerts for Windows, macOS, and Drupal]

Keeping your computers, websites, and other accounts consistently up to date is the best way to keep people from exploiting weaknesses in the programs that normally keep them out. Just this past September, Apple released the newest version of its operating system, macOS 10.13 “High Sierra”, and in November it was found to have a major security flaw (CVE-2017-13872) in which anyone with access to a login or authentication prompt could get in with the username “root” and a blank password. At that point it doesn’t matter how strong, complex, or unique your password is, because attackers can simply go around it. Apple shipped a fix within a day, but a fix only protects you once it is installed, which is why those update prompts should be acted on promptly rather than dismissed.
