Cyber Security 101: Ways to Reduce a Hack
I am not a cyber security expert. These are the things I have incorporated from the guidance of my cyber security expert whom is highly regarded as one of the best. If you have expertise or additional knowledge in this area, please feel free to comment and share so we can all learn better ways.
Equifax, Yahoo, numerous banks, personal Bitcoin wallets, etc. Hacking is no longer a problem; it is a crisis. While it’s tough, almost impossible, to make your application “invulnerable” there are ways to exponentially minimize the chances you do get hacked. You can do this by “layering-up.”
To begin almost everything is hackable. To protect yourself you have to identify your threat model, consider the threat actors in play, and build an actionable plan to protect you from that threat model. It also helps to familiarize yourself with the various vulnerabilities and their associated exploits, and the probability of those exploits being used against you. Following twitter news and cyber security handles closely for active security vulnerabilities being exploited on cryptocurrency targets is a great start to better understand your potential adversaries.
As my cyber security expert explained it to me in its rudimentary form. Like any other criminal elements, there are different tiers. Your tier 1 attackers belong to organized crime groups and it usually isn’t worth it to them to attack your average person. These groups go after banks, the Equifax’s, and the Yahoo’s of the world. When they attack, when they expose themselves to getting caught, it has to be worth it for them. These hackers will invade a target and may stealthily wait months or years before they capitalize — the reason why these huge multibillion-dollar companies are getting hacked left and right and take so long to realize. Of course this article isn’t for those billion dollar organizations it’s for us, the end users. At our level, we are dealing with lower tier attackers on average.
The most valuable properties of these attacks are: speed and radius of impact. These are not targeted missile attacks, they are carpet bombs, comparatively. They are organized to have the most widespread impact possible to consume the weaker targets. Personal attacks notwithstanding; most hackers in this class do not care who their compromised winnings come from.
This is what the below will outline, making your personal systems take enough effort that the low tier hacker doesn’t want to bother with you. Think of it like the old saying of you not having to outrun the bear, but the guy next to you. Your security is the same at this point, you don’t have to become invulnerable, your security should just be tougher than everyone else around you.
So to start, you need to identify your threat model. Personal use, small business, or large organizations, each have a different threat.
Personal=purse stealers. Look for a weak/easy target, takes purse and runs.
Small business=extorted by local gangs. You may face a coordinated attacked, so you’ll need more layers, and either a fulltime cyber security expert or at least a periodic audit by one.
Large Organization=sophisticated organized crime groups or government organizations. You need cyber security experts, secure locations for servers, and a physical security team. At this level you become a target to international crime groups who have the money and the technology to infiltrate you and successfully use their network to sell off what they’ve stole. This is also the same level that governments put their cyber warriors to use with an unlimited amount of resources to hack you.
Hacking made simple: attackers identify vulnerabilities and exploit them to cause unintended consequences. Examples include:
· Identifying a vulnerability in a web browser and creating a malicious website to exploit the vulnerability.
· Identifying a vulnerability in a software package and writing an exploit to trigger and leverage the vulnerability.
· Noticing a web application doesn’t hash passwords, so a SQL injection vulnerability can lead to password recovery and escalation of privileges.
Vulnerabilities and exploits are traded on the dark web, right next to the credit card numbers and personally-identifiable information that they were used to confiscate.
The best browser to use hands down is Google Chrome. Think of it this way, while products like Google, Apple, and the like definitely have questionable policies on privacy, the reason why they are as popular as they are is because it takes effort and more importantly money to hack them. Speaking on Google specifically, they have and use the money it takes to hire the world’s best developers, coders, and yes, white-hat hackers (the good guys). It’s because they pay so well that they do so well.
In order to attack Google Chrome, an exploit can cost upwards of $300,000USD. . So to even have a shot at hacking someone using Google Chrome via their browser, you need to have at least $300k invested, something that the low tier hacker can’t afford. If they could, they’re likely not a low tier attacker
To make a comparison, most exploits used to attack Firefox, Safari and IE/Edge cost $30k-50k. If you care about browser security, you use Google Chrome.
New browsers like Brave, which Bitcoiners love, are unique and may one day be able to provide the necessary security it takes to protect ourselves in this dynamic landscape. Brave browser provides faster services by blocking ads and trackers and providing that anonymity that those in the crypto space enjoy. However, the only issue with newer browsers is that they haven’t been tested nearly as thoroughly. Think of it this way, people try to hack Google all of the time, daily. With hacks, it only takes one, and Google has shown they are up for the challenge. Newer browsers need time to show they are capable of being secure and champions like Chrome must fail before there is a need to switch.
I promise I’m not getting paid by them, though they should ha, but for the same reasons as the browser, G-suite, Google’s email application for businesses, is hands down the best email to have in regards to security. For those using, AOL, Hotmail, or Yahoo, for your emails, you may as well not even have a password. All of them are outdated, yet I still see people using them, for business. With G-suite, unlike regular Gmail, their service comes with customer support you can call or email and get a timely response — also the kind of support that doesn’t take kindly to hackers getting into their customers private data especially by attempting to hack their infrastructure. I believe I pay $5 monthly for each G-suite email, that can also be linked to your website, while still using their customer support services.
ProtonMail is another service worth looking at. They provide free encrypted, private emails. However, again, they are relatively new in a space in which it hasn’t been known or yet beneficial for the best hackers to try to exploit.
· You want an email service that offers around the clock support.
· Permanently empty deleted message folders that contain secure, personal, or confidential information, which a hacker can access if they get into your primary account.
3. Two Factor Authentication (2FA)
Two Factor Authentication, also known as 2FA, two step verification or TFA (as an acronym), is an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand — such as a physical token. Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person’s personal data or identity.
Many people disregard 2FA because they don’t fully understand it, or want to keep track of more passwords and information. Utilizing 2FA is no longer an option. It provides another necessary layer that discourages hackers.
2FA apps are better than using sms text because your phone can be hijacked. It’s crazy because of how new the technology is and the early majority hasn’t even adopted it, but 2FA sms text is already obsolete. That means the rampant large-scale organizations and businesses starting to use it now (talking to you U.S. military) are already using an outdated method.
Best apps for 2FA are Duo Mobile, Google Authenticator, and Authy. The latter two are more popular and because of this prone to more attacks, from a social engineering standpoint. I have seen emails of hackers reaching out to Authy, phishing for pin numbers, not knowing Duo even exists. I’ve found using a combination of all three of these has worked since unless a hacker actually has your phone, they won’t know which one has been utilized, adding another layer and more time for them to effectively get through to your systems, and that extra time is important after you realize you have been compromised and are working to resolve it.
How can a hacker get into your phone? They will call the carrier company.
With just your phone number and a little bit of what’s called “social engineering” in which a hacker doesn’t necessarily need technical knowledge, but just enough information to convince a customer service rep that they are you, a hacker can break into all your personal and business accounts. This includes, email, bank accounts, bitcoin wallets, social media accounts, etc.
It starts by getting some readily available information about you like maybe address, phone number, birthday or last four of your Social Security Number and giving some combination of them and a plausible story to your carrier’s customer service rep who then lets them into your account where they then proceed to have your phone number forwarded to their phone or “ported” to another carrier and the hacker’s device.
The hacker can then access any of the above-mentioned accounts by clicking “forgot the password” and resets the password by getting a code texted to your phone number, which is now directing all its messages to their device. Once they get into your account, they will immediately change all password and backup password settings, such as in this article, and completely lock you out.
Set your phone settings (or call service provider) to only allow any changes to your cell phone plan in person, at the store. This isn’t invulnerable — someone already impersonated a wealthy Bitcoin trader by going to numerous cell phone stores and social engineering a hack, but that’s a lot harder and takes more time to do than the aforementioned.
4. 1 Password
Passwords are like keys and they say the same one should never open two things. However we all know how tough it is to remember all of them. Introducing,1password.
1pass allows you to securely store as many passwords, documents, credit cards, etc. as you want, without exposing it to a 3rd party. You can use it on your cell phone, desktop, or as an extension, each of which is not only secure to the device its on, but also secured from the company itself. You have the option of private and shared folders in which you can decide what’s available to just you or also to your family and team. Using 1pass you can pass or change passwords and sensitive documents and allow others access, again without exposing it to a 3rd party.
They also have a password generator tool that will not only create unique passwords for you, but also saved them when you add the service as an extension to your browser. For chrome you just need to install the 1password browser extension and you’re all set. Plans start at $3 a month.
NEVER text or email anything about passwords especially the password itself.
Frequently change passwords (hassle free with 1pass).
Different passwords for everything.
Don’t stay signed in to anything, always log out.
Don’t use the browser extension to save any password; there is no need and it’s safer when you can save it directly to the 1password extension in your browser.
5. Virtual Private Network (VPN)
A VPN is typically a paid service that keeps your web browsing secure and private. VPNs can also get past regional restrictions for video or music streaming sites and help you evade government censorship restrictions, however for many the streaming drastically slows down.
A VPN acts as your primary server when you’re logged on, even if it isn’t. For example, when you’re computer connects to a VPN server, your web traffic passes back and forth through that server instead of the local one you normally use.
The VPN I use has servers in Japan, Germany, the UK, the U.S., France, Singapore, Malaysia, etc., almost everywhere. So when I log in and browse from a VPN in Germany, my web traffic passes through that server. Whatever I Google comes up in German or with German interests first. To the websites, they think I am in Germany.
In regards to hackers, this means they will have a harder time stealing your login credentials or redirecting you to fake sites. Your Internet service provider (ISP), or anyone else trying to spy on you, will also have a near impossible time figuring out which websites you’re visiting.
VPNs cannot make online connections completely anonymous, but they can increase privacy and security.
I would suggest doing your own due diligence, but the VPN I use (BolehVPN) has military grade encryption among its other features, adding another layer to the threat of a hacker. You can pay for plans with USD, Bitcoin, and a few other cryptos. At the time of this writing Boleh is $80 a year. Worth it.
Use a VPN online when the information matters.
6. Final thoughts
To protect yourself against a potential hacker you must have two things, separation of personal accounts and separation of privilege.
To separate personal accounts you should have two separate computers, one for business, banking, personal identifiable information, and one for browsing. Since we all know everyone can’t have two different computers, a work around is having two separate users on your computer. When I am just browsing on my Macbook Pro, I am logged into my computer under one username as well as my Google chrome browser. When I am conducting business or have confidential information to access, I log out of my user account, and log back in to my computer under a different username, also opening up my chrome browser under a different user name or none at all. Essentially I am now using a different computer on the same device.
This begins the separation of privilege. Your business accounts should have the highest level of trust to access, and your personal accounts should have a medium level of trust. For me to log in to a business account it may take me going through 5 different layers of protection. To log into my personal accounts, there may only be 3 different layers of protection.
It should have to be a “thing” to log into business or secure information; it should take effort on your end.
While in the military, that meant actually having the appropriate clearance, going into secure areas (sometimes offices within the building or entirely different buildings with better security), and logging in on a different computer, with a different set of login credentials. Unless you are lucky to have a secure computer in your office because of your rank or job, it is a “thing” to have to go log in. Logging into secure areas of your life or business should be handled with the same care and time.
Think of it this way, if you can instantaneously login to something, so can a hacker. It should take you at a minimum 5 minutes or so to log into your secure areas because each layer further discourages that same hacker, they have to be right to move forward, and it exposes them to the risk of getting caught.
In addition to all of this, get an identification monitoring service as well. I use https://www.identityguard.com/. I believe I pay about $20 or so a month, but they monitor everything. I recently received a parking ticket, LA I know, but by the time I got home and checked my email within a 1–2 hour span, Identityguard had notified me to log in because there was “activity detected.” They monitor my credit, credit cards, identity, bank accounts, and the like on normal web searches, the deep web, and the dark web. After the wannacry/ransomware attacks this year, and with Equifax and Yahoo, pretty much every American is at risk, I can’t stress how important these services are to have.
Back Up Devices (at least monthly).
Back Up Codes.
2 separate computers or users.
Have an entirely separate profile on your computer for business/accounts/banking.
Secure User →VPN →Secure browser →1password online →2FA Apps →Secure Email. One example, including 6 different layers of security.
Exercise, Exercise, Exercise!!!
It’s Friday at 3pm and you’re away from home…
YOU HAVE JUST BEEN HACKED!!!!
***This is how quick and unexpected it will happen***
Your cell phone isn’t receiving calls or text, as it was hijacked, you can’t log into your email, your bank account usernames no longer work either, your Apple ID has been compromised, your friends, family, and clients, are all receiving emails, calls, and text asking for money, in your name by the hacker, you just left the office for a coffee and you need to return, after work you have to pick up a loved one, and you just received an email sent to your backup address that your bank account password has been changed and that the account is also currently below $25.
WHAT DO YOU DO NEXT?!
Develop a game plan today. If you were hacked, if someone hijacked your phone, email, and pertinent accounts, how do you proceed to secure your information in a timely fashion? How at risk are you? How much do you lose? You have to already have this plan in place, because at this point it isn’t about IF you get hacked, it’s when.
Don’t forget to like, comment, and share to help others stay secure as well!