Cybersecurity For My Mom

Thinking about cybersecurity for the non-cyber folks among us

Teri Radichel
Cloud Security
38 min read · Jan 3, 2024


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Cybersecurity | Penetration Tests

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I was talking to my Mom this past month and she said she never understands anything I write. This post is one I’ve been thinking about since then, but I never had time to write it yet because I had to finish a pentest. Done! Phew.

So in this post I’m going to explain three things hopefully:

  • What I do and a non-technical explanation of how it works.
  • Why companies hire me to test their security.
  • What everyone can do to try to help themselves be more secure.

So first of all, for my Mom, this is what I do.

Penetration Testing! Otherwise known as pentesting.

What is a penetration test?

A penetration test simply means I try to hack into people’s web sites and find security problems and give them a report showing what’s wrong.

I also do different types of analysis and provide recommendations for re-architecting systems and networks (changing how they are built) to be more secure based on what I find, which is a bit above and beyond what some penetration testers do.

I basically want to help people fix security problems in their systems before they have a data breach so they can prevent one.

How do I do it?

Well, there are numerous things you can do to test a web application and a network for security problems, but the simplest thing I do is enter bad stuff into all the form fields and try to break the site. If I can find the right combination of things to enter into the web site form I can get the site to do my bidding.

For example, on my last penetration test, I was able to insert something bad into a field on a web form that caused a page to show me more data than it was supposed to. I then inserted malicious code into another field on the page and got back even more data I wasn’t supposed to get back!

Once I figured out that the site was vulnerable to this particular flaw, I could have gone on to reverse engineer the entire database and get everything out of it — including data I wasn’t supposed to see. That’s called SQL Injection, because SQL is the language typically used to query databases. You insert things into forms that make their way to the database and cause the database queries to spit out more information than they are supposed to be returning.

Mwa-ha-ha!

Another flaw I found involves inserting code into the website to get it to execute code I enter into the text boxes on the page. Websites shouldn’t do that and it can lead to very serious problems. This particular type of flaw is called cross site scripting or XSS.

Here’s what happens and why it matters.

When a developer writes a web page they are generally using two languages (among others): HTML and JavaScript. The pages a developer writes are supposed to only run the developer’s code — not mine!

If I can insert my own code (a combination of HTML and JavaScript) into the website and get it to execute, then I can make the page do anything I want that those languages can do.

That’s what happened in a recent attack on the British Airways web page. Attackers stole 380,000 credit cards using that type of flaw!

Attackers were able to insert code into the application that books airline tickets. You and I (when not authorized to be doing a penetration test which would be illegal) visit the web site. We enter normal things like our name and credit card number.

The attackers inserted their malicious code into the form text fields (or something else on the page) instead of the data a normal customer would enter. When the page executed, it ran not only what the developers had written, but also the code inserted by the attackers. In fact, it stored that code in the web page so that it ran when any customer visited that page and entered their credit card. That code would capture the credit card and send it to the attackers, while letting the normal order process proceed. The customer never knew there was anything wrong — nor, obviously, did British Airways for quite some time.

The code injected by the attackers executed and copied the visitor credit cards as they booked their flights and sent them to the attacker. Yikes!

I also wrote code on my last test that would do something similar. When certain malicious code was entered into a web form, it would send data from the page back to my own server. So I can emulate these types of attacks.

Network attacks

Networking is a whole separate skill from building applications and there are many attacks that occur in networks that have nothing to do with the code application developers write. There are these things called “protocols” that define how two different devices on the network communicate with each other. Think of a protocol as a language for machines to talk to each other. The protocols define the rules for that language similar to how English has rules related to how you use verbs for past, present and future tense.

When you send a message across a network, such as an email to your sister, mother, or bank, that message is not sent in one big chunk. It is broken down into tiny pieces called “packets” to send it across the network more efficiently. When the packets reach their destination, they are pieced back together into your original message to deliver to the recipient. The same thing happens if you request a file or a web page from a server somewhere on the Internet.

There are a number of different ways attackers might try to break into networks or data flowing across the Internet.

  • They might try to stick things into the packets going across the network the same way I tried to stick things into the web form fields that make the systems do things they shouldn’t.
  • They can also eavesdrop on the data as it goes across the network if it is not encrypted.
  • They might try to route data traversing the Internet to the wrong destination by using tricks to influence the devices that route traffic to the intended destination.
  • They sneak data out of companies by inserting extra bits into the “protocols” where they shouldn’t be.
  • In addition, attackers try to find flaws in the network equipment that connects systems the same way I find them on web applications — by inserting malicious things into the software running those devices to try to make them do things they shouldn’t.

Some of the devices that manage the flow of data over the Internet are called routers, switches, firewalls, load balancers, DNS servers, VPNs, or other types of security appliances. All those different types of systems can be hacked, along with the website applications themselves. Maybe you heard some of those terms before, maybe not.

But all those things are the devices that carry your data from the machine where you type something into the Google search engine to the Google servers, and carry the results back to you.

All those things can be attacked too and I’ve worked on setting up and building some of those things for companies. And learned how to attack them in classes. 😁 So I understand how they work and do some of that too on penetration tests.

Social engineering attacks

Social engineering is the process of trying to trick people into doing or thinking something to get them to do what an attacker wants. It can be as simple as trying to get you to give an attacker the code from your phone so they can log into your bank account, or as far-reaching as trying to influence an entire country to vote for a certain candidate.

There are many forms of social engineering and I do this very rarely on penetration tests. That, and physically trying to break into buildings (which some people test), are not really things I do.

The most I’ve done in terms of social engineering is to send a message in a support app to try to get the support team to click a link. Here’s the scenario:

I did a pentest for a friend with a company in Germany and he gave me an email address that looked like his. He liked to drink beer. I made a joke in a message coming from his email about how this problem was so complicated he needed someone to buy him a beer, and asked them to take a look. The link was clearly sketchy (at least in English!) and went to my website where I could harvest information from the request to my web server. (It worked.)

That type of attack where an attacker pretends to be a CEO actually has a name — business executive compromise or BEC.

Attackers impersonate CEOs to get employees to send large wire transfers to the wrong bank account and have cost companies millions of dollars. It’s also a big problem when dealing with wire transfers in real estate or other types of transactions. I’ll give you some tips at the bottom to help avoid being fooled by fake messages of any kind.

Why people hire me

The British Airways breach resulted in the largest fine up to that point from the European Union due to a new law called the General Data Protection Act (GDPR).

More and more states and countries are creating laws to ensure companies take proper steps to secure their websites. In fact, the SEC in the US recently enacted a new law that may hold executives at companies accountable if they do not properly secure their systems. There are many regulations companies have to deal with in regards to cybersecurity laws and many fines they may have to pay and also they may face large payouts from lawsuits if they have a breach.

That’s why those companies hire people like me to test their web sites.

Some are required by law to get a penetration test every year. That’s why I often get a lot of calls at the end of the year — sometimes more than I can handle — because people are facing deadlines.

And that’s why I wish that people would not wait until the end of the year. Everyone is busy at that time. It’s exhausting. But I help as many people as I can. If companies need a pentest, it’s best to do it earlier in the year. Also, the less busy companies are, the higher the quality of penetration test they will receive. January is usually pretty slow for me in terms of penetration tests, though I get other types of work in January to make up for it.

Some companies perform penetration tests to avoid the huge fees associated with a data breach itself, lawsuits, and the people they have to hire to help them deal with the breach. They also want to avoid the lost revenue and company value associated with a breach. Some of them hire me so they don’t face the bad press associated with a data breach or loss of customers. Some simply want to do the right thing.

Unfortunately, some customers call me after a data breach, to confirm that the changes they made will prevent a future breach. That is unfortunate but I am happy to help in any case.

How I help customers fix security problems

I can’t find every single problem on a penetration test. No one can do that. Attackers have months and years to study and attack a site. However, I run tools to try to speed up the process and find as many flaws as I can as quickly as possible.

I can usually find enough problems to show companies how to fix any similar problems on their site very efficiently — even if I didn’t list every single instance of that flaw in my report. I can help them eliminate the most basic flaws pretty quickly. As time allows, I can dig deeper to reverse engineer and find more complex flaws that would be possible but more difficult for attackers to exploit.

For example, in the case of SQL injection, a single change to how the development team writes their database queries can stop almost all SQL injection attacks. For each different type of attack I try to provide similar guidance — not simply how to fix that one individual flaw.
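The SQL injection flaw described earlier, next to the single change mentioned here, as an added example that is not code from the original post: the vulnerable lookup pastes the form field into the SQL text and returns every row for a crafted input, while the parameterised version returns nothing for the same input. It uses Python’s built-in sqlite3 with a constructed in-memory table; the table and column names are invented for the demo.

```python
"""Added example (not from the original post): the SQL injection flaw
described earlier, beside the one change that stops it.

Uses Python's built-in sqlite3 with a constructed in-memory table so it runs
offline. Table, columns and rows are invented for the demo.
"""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Build a constructed customer table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """The flawed pattern: the form field is pasted straight into the SQL text,
    so whatever the visitor typed becomes part of the statement the database runs."""
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """The one change: a parameterised (prepared) query. The SQL text is fixed
    and the visitor's input travels separately as a value, so it can match a
    name but can never alter the meaning of the statement."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed "bad stuff" typed into the name field: it closes the quoted
# string early and appends a condition that is true for every row.
INJECTED_NAME = "x' OR '1'='1"


def compare(name: str) -> tuple[int, int]:
    """Return (rows from the vulnerable lookup, rows from the fixed lookup)."""
    conn = make_demo_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_fixed(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input  :", compare("alice"))         # (1, 1)
    print("injected input:", compare(INJECTED_NAME))   # (3, 0)
```

With the fixed version the crafted string is simply a name nobody has, which is exactly why the post can say one change to how queries are written stops almost all SQL injection.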

I can also help companies improve over time. Some companies have hired me repeatedly year after year. Since I have a better understanding of their system after the first test, I can do more to help them improve their systems on the next test.

Since I understand not only application security but network security, encryption (scrambling the data so it can’t be read), and how cloud platforms work, I can also recommend changes to the underlying infrastructure on which applications run. Those changes can provide a lot of protection compared to individual changes to a single web page.

What I do not do

I do NOT help people deal with all the things you have to do immediately after a data breach when one occurs, like finding the attack in your network, eliminating it, restoring systems, dealing with the press, legal issues, and reporting the data breach to the appropriate authorities. People think of me when someone has a breach and say, “Oh! Maybe you can help them.”

Well, I can help them assess their system for any remaining security flaws besides the one that caused the breach. But I don’t do all the things that companies need to do after a breach occurs per regulations and to investigate what happened and restore systems to a working state.

I know people who specialize in that — some of whom have worked in the CIA, NSA, etc. — and can refer you to them. That is called forensics or incident response. I am certified in incident response but there is just too much to do in cybersecurity to do it all, so I refer to people who specialize in and focus on incident response.

There are many different types of jobs in security and I explain them in the video on this page. If you know any kids (or adults!) that want to work in cybersecurity this might help.

I do not do what are called “audits” which to me involve way too much paperwork for my liking and not as many data breach prevention recommendations as my reports in most cases, but they must be completed by some companies.

Internal audits are a method of evaluating company security by comparing what the company is doing to their internal policies. A company may write a policy that says “we are going to do yada yada yada.” That’s great, but are they really doing it? Someone should check. That’s one of the things auditors do. Hopefully they are recommending policy improvements at the same time.

Other types of audits need to be completed for legal or compliance reasons which I explain in the above video. Compliance means you are following certain laws, regulations, or industry standards.

Auditors follow certain methods to write reports and to me they are repetitive, long, and wordy. I know this because I’ve read how to perform audits (like a common one called SOC2) and helped as a “subject matter expert” on an audit — once. I was very grateful for the opportunity and made a lot of money, but I didn’t particularly enjoy it, to be honest, so I don’t do that anymore.

I like to get to the point — what is wrong with the system. How can you fix it? I try to answer both questions in my reports, which is not always the case with an audit. They are checking off items on a list usually. They also generally are not very technical.

Why am I qualified to do this work?

My mom is like, who is this kid now? The one who used to ride horses on the military reservation by our house and came back home too late one night, causing us to call search and rescue? The one who almost ran the tractor into the house, destroying her and her sister’s ten-speed bikes? Who used to sit on the old-fashioned hay rake following her dad driving the tractor — lining up the hay in the back field so we could load it onto the truck and into the barn?

How did this kid from a small town that didn’t even have a McDonald’s or any other name brand growing up get into this field, and how is she qualified to do any of this?

Well my Mom already knows some of that. I wrote about it here:

and here:

And she was one of the reasons I work in cybersecurity today.

But the reason I can do what I do, in part, is because I started out building the systems I now attack. So I understand how they work. In order to fix the systems I inherited — some of which were very complicated — I had to reverse engineer them to understand how to change them to add new functionality.

Reverse engineering existing systems is much harder than building new systems from the ground up.

Understanding how to reverse engineer systems helps me quickly understand systems and how I might attack them. To be a good hacker you need to be able to reverse engineer things to figure out how they work. It also helps to understand how different types of systems work and integrate, like e-commerce web sites that have to send transactions to other companies to process your credit card.

I helped a company selling wedding invitations and birth announcements grow from a garage operation making $5,000 per month to a multi-million dollar company that sold off to one of the biggest wedding announcement companies in the country because they were eating into their profit margins. I pretty much single-handedly rebuilt the site when it was failing after the initial guys I hired wrote it.

Then I helped it grow using what is called search engine optimization (SEO) which are ways to program the site so it shows up higher in Google and other (now mostly non-existent or unused) search engine results. What that means is when you type in “wedding invitations” the site I supported came up in the top three sites. In many related searches, the web page would be the top site. That led to the company making a lot of money.

I hosted that website myself in a data center. What that means is I bought and put together servers and hired a few people along the way to help me set up those servers in what is called a “rack” in a data center. A rack is simply a shelf where you can store computers.

The “data center” is a space in a building that has rows and rows of computers in “racks.” The company I rented the space from (Internap) would set up all the physical networking (the wires and boxes that connected my server to the Internet) so I didn’t have to do that. The data center was very high tech — you would have to put your hand on a handprint reader to get in through a little box where you had to stand before you could enter.

Cool, but getting up in the middle of the night to go to the data center to reboot a failing server, not so much. Neither was having servers go down when you were on an airplane.

Over time I shifted doing those things myself to other companies. I’ve written about that in other blog posts. But essentially now, a lot of companies run their software on what is called a “cloud” platform. That means someone else runs all the hardware and networking — the physical things you need to build a web application. The customers write their code and store the related files “in the cloud” where they execute.

But the cloud platforms do more than just run servers. They provide code that helps automate a lot of the things companies need to deploy so they can build new applications more quickly.

Almost every web site you visit these days runs “in the cloud.”

I specialize in testing systems that run on cloud platforms now — and especially a platform called AWS.

There are three major cloud platforms: AWS, Azure, and GCP. AWS is the oldest and at this point, still the most popular.

AWS is run by Amazon.

Azure is run by Microsoft.

GCP (Google Cloud Platform) is run by Google.

I’ve worked on and taught classes about all three, but AWS is my favorite — and last year I was designated as one of the first five “AWS Security Heroes.”

I research and write about AWS almost daily for people who are using it and want their systems to be more secure. Because I know the ins and outs of AWS really well I can help customers secure systems running on it with more precision. I use it daily.

The other thing is that I have written code in so many different languages and worked as a contractor at or for so many different companies that I understand how a lot of different technologies work and how businesses operate — from very small to very large.

I even worked for venture capitalists for a while — the people who invest in new technology and start up companies — advising them on potential investments. I also traveled to Brazil and Copenhagen to help a company I worked for evaluate potential investments.

Having run everything from mail servers to database servers to e-commerce websites to performing very complicated integration of different types of systems that send data between different companies helps me quickly grasp how things work — and how I might break it. 😁

The other thing that I got to do fortunately, early in my career, was work with a telecommunications and networking team for an oil company. Since then, I have also worked for a company that essentially built and sold firewalls (security appliances but at the end of the day — firewalls) that help protect networks. That’s where I got some of my networking experience, along with operating systems in data centers and later working on the Capital One cloud team deploying and supporting networking for cloud-hosted applications.

My mom already knows but for anyone else who is trying to get into security or just curious, I have 13 cybersecurity certifications, a master of software engineering and a master of cybersecurity engineering. I’m not sure if that influences people to hire me or not.

The other thing is, I’m on the faculty of IANS Research with some of the top cybersecurity people in the industry. Anyone remotely involved in security has heard some of the names in the faculty list. Some of these people are in those books I recommended reading above. One of them got a copy of and reviewed Hunter Biden’s laptop and wrote about it for a major publication.

You also may have seen some of them on the nightly news talking about data breaches. That’s not really my thing so you won’t see me on the nightly news but I have spoken at conferences all over the world. You might catch me speaking at an event hosted by IANS. I don’t travel as much as I used to these days — a personal choice.

Companies sign up for a subscription with IANS so they can ask these people, including me, questions. I have answered questions for some of the largest companies and government organizations in the US as well as international government organizations through IANS Research.

Anyone interested in learning more about IANS or my penetration testing services can contact me on LinkedIn for more information:

https://linkedin.com/in/teriradichel

OK, so what can I do to be more secure?

Sometimes when you know all these details about cybersecurity it can be mind-boggling to try to tell someone like your Mom, your Grandmother, non-technical friends, or nieces or nephews what they can do to be more secure.

First of all, you can’t do much about the companies who are not investing in securing their systems and data except vote with your wallet. If a company is repeatedly having data breaches and you see their name in the news all the time, shop somewhere else.

T-Mobile has repeatedly been in the news for having their customers’ phone SIM cards swapped, for example. What that means is that someone goes into the store and tricks the clerk in the store into selling them a phone and putting someone else’s phone number on it. Once the attacker does that, the person with the stolen phone number can use it to get into accounts that require entering a code sent to your phone number to get in. As a result of having so many problems with that, new regulations are coming out for mobile phone providers to help secure people’s accounts.

That’s why I recommend a Yubikey, a device I’ll describe below, over getting codes on your phone when possible. 😊

Microsoft has far and away had the most incidents of the top three cloud providers and had a massive data breach last year. Yet their stock is up and people seem to be ignoring this fact, which I don’t understand. Mind you, I think Microsoft has some excellent security researchers and is doing some good things in security. I have a few shares.

But I don’t understand how and why they have so many outages and people continue to flock to the platform. One person in the US government called them on it but really companies need to do better. I do see some of the appeal of their cloud platform, but when your system is down, it’s not doing you any good. The amount of data stolen in a recent breach is egregious. Recently the CEO, Satya Nadella, said they are going to focus more on security but we’ve heard this over the years from CEOs. We’ll see how things improve.

Another example would be Android versus iPhone. If you dig into the details, at the time of this writing, Android phones are far less secure. And people don’t understand that the closed Apple store, which some are fighting against, is part of the reason for this increased security.

In addition, Apple devices all use hardware created and distributed by Apple. Android devices use hardware from a myriad of sources — and hardware security flaws are becoming more and more prevalent. Do you know where the hardware was manufactured, tested, and who might know about any vulnerabilities in your Android phone? You’ll need to dig into the manufacturing and testing process and who is involved for your specific make and model since that varies depending on who provided you the phone.

One other thing you should be aware of: if you invest in cryptocurrency, you are investing in criminal activity. It’s not all bad, but it largely supports criminal organizations. Do you know anyone who is actively selling and purchasing things with cryptocurrency? Probably not, unless you are a criminal yourself. Investing is not the same as buying and selling a pizza in bitcoins.

Criminals use cryptocurrency for money laundering, which was likely its primary intended initial purpose. Money laundering is a way to hide the use of money stolen via criminal activity.

People can argue about it all day long but it’s just a fact. My mantra for years has been: crypto is for criminals.

If you invest in crypto you are investing in and supporting criminal activity.

Why do you think when an organization attacks a company or something like a hospital they ask for some form of cryptocurrency instead of a currency controlled by a government? Because then the government can’t stop them from getting the money and it makes it harder to stop where it goes.

For a concrete example, a hospital in my town, Savannah, was shut down by ransomware. That means attackers infiltrated their systems, performed attacks like the ones I described above, and prevented the hospital from accessing their own systems and data. Then they demanded a ransom. They wanted to be paid in cryptocurrency.

Don’t think data breaches affect you? In the case of the hospital breach, the hospital could not access its records, so it could not accept patients or process appointments. Other systems used to evaluate patients were also likely down.

They did the same thing to a large oil pipeline near me, which caused a spike in your gas prices that did not go down for months afterwards. In some places the gas prices still have hardly recovered at all since that breach, and even here in Georgia the prices are not as low as they were at the time of the breach, but they are getting closer.

You will understand that inflation was not the only reason your gas prices rose, if you were paying attention. There was a clear spike after this breach, and after the breach was resolved the prices did not go down even though gas was, once again, flowing normally.

Cryptocurrencies support this activity.

There is a criminal organization that holds and controls one of the largest stockpiles of cryptocurrency in the world and if they buy or sell they can influence the price. Cryptocurrency allowed people in Russia to avoid sanctions. By using cryptocurrency they could avoid banking institutions that were not allowed to move their money due to international sanctions.

Cryptocurrency is not all bad. But cryptocurrency facilitates crime. Some people argue that US dollars or anything else has the same problem. Yes it does. But those other forms of currency are regulated. That means when the governments that control them want to stop a crime they can seize assets or prevent transactions in those currencies. Not so with cryptocurrency, due to the distributed nature of how it processes transactions.

The plain and simple truth is: if you invest in cryptocurrency, you are investing in criminal organizations. One way or another.

So those are a few places where you can shop with your wallet, if they apply to you.

Always enable the option to enter a second factor when you log in

One of the absolute best things you can do to protect your accounts is to always use a second factor when you log in.

For example, when you log into your bank account, it texts you a code which you have to enter to log into the website. Enable that whenever it is an option. It may seem like a pain, but dealing with trying to get all your money back is likely more of a pain.

If you are feeling more technical, you can use a Yubikey on some websites, and that’s even harder for attackers to get past if they are trying to access your account. I know most people won’t want to bother, but just letting you know, this is the best option and I use them.

I only order them directly from the company:

If you order phones or hardware and get it off eBay or even Amazon, there’s a chance it’s already compromised by the time you get it. Even with cell phones I’m only getting them in person now.

I ordered some online recently and one got “lost” in Tennessee and when I got it, the box had clearly been opened. I’m not sure if someone tampered with the phone because I didn’t keep it. I had already reported that it never came, had received a new one, and returned the one in the box with missing packaging. Also, it took me three months to get my money back from AT&T for returning that phone. Be careful where you buy electronics.

Tricksters are posting fake information online to fool you or make you angry — avoid their traps

This is not a political post. I am only here to try to protect you from people who like to harm you and entire countries online.

One of the unfortunate things is that people on one side or the other constantly saying everything is “fake” makes it really hard to know what is true and who to believe. I can’t give a concrete answer for everything that is true or false, but people wouldn’t believe me anyway.

But I can tell you what attackers are doing and how you can combat it so you can make well-informed decisions.

When you hear something that sounds scary or raises your ire, don’t immediately react to it. Research it to see if it is true or not. When you research, beware of sketchy, no-name sources posting information. Also be very skeptical of any form of advertising. And be aware that people starting arguments with you online might not even be actual humans!

I had this happen recently on my LinkedIn account. Someone started posting negative comments about something I posted. I replied. I got responses that were slightly tangential and eventually illogical. I am not sure, but I don’t think it was even a real person. Although this person had cybersecurity certifications plastered all over their LinkedIn account, no one with any real experience in cybersecurity would be saying the things that person was saying. Also the responses got more and more off topic and illogical as they continued. After a few replies, I simply told the person if they want to learn cybersecurity they can read my blog, deleted all their posts and blocked them.

As I wrote about in a recent post, life is too short to be arguing with people online all day long. But the thing is, there is this technology that is all the rage right now called generative AI. What it does is try to generate content — like images or blog posts or… responses on social media. It’s getting better and better all the time. So these responses and arguments on your feed might not even be real people. Don’t waste your time on that.

There are known misinformation campaigns instigated by foreign governments or bad actors trying to get you to think something that is in their favor. Even getting people to fight with each other is in their best interest.

And guess what.

Americans may have started it. I don’t know when it started exactly but there is evidence that the US government admitted to and apologized for the fact that Americans dropped pamphlets with propaganda in Afghanistan, trying to sway public opinion.

If you want to read about that and so many other interesting tidbits about the history of cybersecurity, privacy, and misinformation tactics — read or listen to these books I reviewed. I don’t have a lot of time for reading these days so I actually listened to a lot of them as audiobooks while walking the dog or doing other things.

I used to try to explain that these misinformation campaigns existed — internally and externally on all sides — but I gave up. It is up to each individual to do their own research.

The way to ensure you are not being fooled by a misinformation campaign is to verify what you read against multiple *credible* sources that are known for accurate reporting. The problem is that those trying to sway you might try to paint credible sources as not credible. So in my case, I read them all. I see how they line up and which ones are reporting facts versus using emotional messaging.

Here’s one tip if you’re looking for multiple sources of information. I mostly read news sources I follow on Twitter, Threads, and Mastodon.

I also search for specific topics that I am interested in on Google, and then click the News link.

Let’s say you are interested in data breaches — something I research almost daily. Enter that term and then click “News.”

In my case, for topics I research daily, I also limit the search to the past 24 hours like this:

When you hear something that sounds questionable — or makes you angry — research it first to see if it is true. One of the objectives of some social media campaigns was to create angst and make Americans (and people in other countries) angry and fight with each other. Some fake accounts on social media had millions of followers and focused on specific topics like racial issues, for example. Be aware and avoid falling victim to these emotional campaigns.

The other thing attackers are doing is trying to make people angry at successful companies so they will stop using them and move to competitor companies. If someone tells you a company is going to raise its prices or is treating its employees badly — it may be true — or it may have a grain of truth to it. But there may be more to it than meets the eye.

One of the things that makes disinformation campaigns successful is that often they are partially true. People tend to think that because one aspect of the message is true, the rest must also be true. Don’t fall for that trap. Use critical thinking to distinguish between the parts that are true and the parts that may be misleading — and the parts that may be playing to your emotions and beliefs and telling you what you want to hear.

One of the things I found humorous in the political debates prior to the current ones was that a couple of the candidates were railing against Amazon while at the same time happily promoting their books that they were selling on the platform.

It seems to me that generally, companies, people, countries, and anything else in this world are not all bad or all good, and painting great American companies as evil is generally not in the best interest of our country. Fix the things that are wrong but don’t throw the baby out with the bathwater, as the saying goes.

If the companies aren’t paying taxes and you think they should be — fix the laws those companies are following. Don’t blame the companies for not paying money they are not required by law to pay. That seems a bit illogical. Would you pay more taxes than you are required to pay by law? Why would anyone do that?

That’s just an example of how yes — possibly — Amazon should be paying more taxes (in some people’s opinions, and I’m not here to argue about that). That part could be true and resonate with some people. However, blaming the company and vilifying them when the laws are really to blame is where the misinformation and misplaced anger comes in.

It’s tricky but try to sort out the truth from the twisting of narratives.

Attackers will contact you to try to fool you into doing something that harms yourself or others

One of the most prevalent ways in which attackers harm others is by tricking them into doing something. Some of the attacks I mentioned above where I can insert code into a web page to do something bad may involve me sending you a link to that site with malicious code in it.

I tell you something scary in the email like “Your bank account was hacked! Login right now and change your password.”

You are truly frightened by this thought, so of course you immediately click the link, log in, and change your password.

But guess what. Instead of securing your account, you just logged into an attacker website and gave them your password. Or maybe you even logged into the right site but the attacker inserted their code along the way which collected and sent your password back to their site.

The other thing the attacker might do is call you and tell you a similar story. Oh no! You have to immediately fix this problem or else! I’m going to text you a code. Read it to me.

Well, the attacker may have gotten your password from many of the well-known data breaches online and is logging in as you and wants you to give them the code sent to your phone so they can log into your account. This is why I hate it when companies have a process that asks you to read back a code they text to you. How is someone supposed to know the difference?

In most cases, you should never, ever give the code to someone that permits them to access your account. The companies that have processes that make customers give the customer service person a code should stop doing that. But if you must give the customer service person a code, make sure you called them, and not the other way around.

How can you protect yourself from being tricked?

When you get something in email or a text message, or if you get an alarming phone call, don’t immediately react. Take the time to think it through and consider how you can verify whether it is legitimate.

Some things you can do to verify whether it is legitimate:

  • Ask for a number and hang up the phone. Don’t immediately call back the number you are given. Try to verify from a known, trusted website that the number is legitimate.
  • Don’t just search for the number in Google because attackers get fake pages high rankings in Google to trick people. You may search for “Bank of America customer support” and get a fake number. Instead, go to the bank website to get the number.
  • If you get an email or a text message with a link, don’t click the link in the message. Enter the URL (link) directly into your browser.
  • Make sure the URL has https:// in front of it when you type it like this:
  • If the website only has http:// and not https:// in front it might be possible for an attacker to redirect you to the wrong site.
  • Monitor your accounts for suspicious activity. Login and verify the information you received or send a secure message on that web site. Alternatively, get a valid phone number from that web site and call the company and clarify whether or not any information you receive that sounds questionable is valid.
  • If you are working with a local organization, consider going in and talking to them about the issue. Speak to a manager if necessary. The company may have someone attacking their customers or have a flaw in their application that they are not aware of, so talking to them in person may be your best option. Of course, that depends on the size of the company. Some companies can only help you on the phone for certain issues.
  • If it sounds like a scam, it probably is. My mom has a small business and often gets calls and emails about scammy business products. She calls to ask me and most of the time I tell her just to ignore them — for example, calls claiming to be Google, who rarely calls unless someone is trying to sell you something. If someone calls claiming to be the IRS that is scary, but it too is often a scam. You can verify by calling the IRS directly.
  • Even if you get a legitimate-looking document in email, it could be a scam. When you click on the document, you might actually get malware installed onto your system. If you ever get a document you are not expecting, contact the person who sent it to you and ask if they really sent it.
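Two of the checks in the list above (is the link https, and is it really the site you use?) can be applied mechanically before you open a link. The following Python function is an added example, not code from the original post: it parses a link, reports if it is not https, and accepts it only if the host name exactly matches one of the sites you already use. It also goes a step further than the list and flags the common lookalike cases, where the familiar name is only a subdomain of some other domain or only appears in the path. The trusted host names and the sample links are constructed placeholders on the `.example` domain; substitute the exact host names of the sites you use.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the exact host names of the sites you
# already use, as you would type them yourself. Replace with your own.
TRUSTED_HOSTS = {"www.bank.example", "login.bank.example"}


def brand_labels(trusted_hosts):
    """Second-level labels of the trusted hosts, e.g. 'bank' for
    www.bank.example; used to spot lookalike names built around them."""
    return {h.split(".")[-2] for h in trusted_hosts if h.count(".") >= 1}


def check_link(url, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of reasons not to trust `url`.

    An empty list means the link is https and its host is exactly one of the
    sites on the allow-list, which is what the checks in the list amount to.
    """
    problems = []
    parts = urlsplit(url.strip())

    scheme = parts.scheme.lower()
    if scheme != "https":
        problems.append("link is not https (scheme: %s)" % (scheme or "none"))

    # urlsplit lowercases .hostname; drop a trailing dot so comparison is exact
    host = (parts.hostname or "").rstrip(".")
    if not host:
        # Typed without a scheme, e.g. "www.bank.example": nothing to trust yet
        problems.append("no host name in link")
        return problems

    if host in trusted_hosts:
        return problems  # exact match with a site you already use

    brands = brand_labels(trusted_hosts)
    rest = (parts.path + "?" + parts.query).lower()
    if any(b in host for b in brands):
        # e.g. www.bank.example.login-verify.example: the familiar name is
        # only a subdomain of some other domain, so this is not your bank
        problems.append("lookalike host %r is not one of your trusted sites" % host)
    elif any(b in rest for b in brands):
        # The familiar name is in the path, which anyone can choose freely
        problems.append("familiar name appears only in the path; host is %r" % host)
    else:
        problems.append("unknown host %r" % host)
    return problems


if __name__ == "__main__":
    # Constructed sample links of the kinds that show up in messages
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.login-verify.example/",
        "https://secure-update.example/bank/login",
        "www.bank.example",
    ]
    for link in samples:
        issues = check_link(link)
        print(link, "->", "ok" if not issues else "; ".join(issues))
```

The design choice worth noting is that the only way a link passes is an exact match against names you wrote down yourself; a link is never accepted because it "looks like" your bank, because that is exactly the judgement attackers rely on you making.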

Be aware of a new thing attackers are doing to try to harm people after a data breach: they are trying to get money directly from the people whose data they stole. In other words, if you went to the doctor and had a procedure and attackers obtain that data, they may contact you and try to get you to give them money to not disclose the data.

Think about it. What is really the worst thing that could happen if that data is disclosed? Can you live with it? Don’t pay them. What you should do is capture all the data you can related to that incident (or any other cybersecurity problem that leads to harm to people or monetary loss) and report it to the proper authorities. I list some places where you can report cyber crimes in my book but one of the most important is the Internet Crime Center (https://www.ic3.gov).

There are also places where you can report fraud like the Department of Justice:

And the SEC:

You can submit a tip as a whistleblower here:

If you have a charge on your credit card that you don’t recognize, the first step is to call the vendor to ask about it. The second thing you can do, if you feel that it is inaccurate and the vendor won’t reverse it, is to log in to your bank’s website, where you can usually report that transaction as fraudulent. The vendor then has to provide paperwork to prove that you actually made that transaction. You can also call the fraud hotline at your bank.

There are many other places to report crimes. The key is to report the crime to the right organization, which may be your local law enforcement office or somewhere else depending on the nature and jurisdiction of the crime.

We have a local community meeting in Savannah where law enforcement officers show up to talk about neighborhood crimes in our part of the city. I used to have a neighbor in Seattle who was a retired police officer who would send crime reports to the neighbors in the area. Get involved at whatever level is appropriate and if you experience a crime on the Internet, phone, or in a financial transaction, report it to the appropriate place.

Protecting your data

It absolutely astounds me that banks, mortgage companies, real estate agencies, title companies, and health care institutions are still requesting you to send sensitive data in email. This is not secure on so many levels.

When a company asks you to do that, ask them if they have a secure alternative.

The secure alternative is not an FTP or file transfer site.

The secure alternative is a secure portal where you can upload your documents and only the people involved in the process can read it. It cannot be inadvertently forwarded to the wrong person from your email to someone else. It is encrypted in transit and at rest. It is not visible to the entire staff at the bank, only the person who is dealing with your specific request and needs that information.

I only deal with local banks for the most part where, if I have to submit documents, I can manually take the documents to the bank if they do not have a secure process for transferring the data. That’s because I have found the number of banks with truly secure processes to be nearly zero.

Ask your banks before you sign up for a loan if they have a secure portal for submitting documents or if they are going to ask you to email it. If they say the only way to get the documents to them is via email, I wouldn’t trust my money with that organization. Maybe a loan, but not a bank account.

Better yet, recommend to them that they should get me to perform a penetration test of their systems! If they need help setting up a secure online portal I can answer questions through IANS Research. I’ve used supposedly “secure” portals where I can tell in two seconds they are not without even doing anything.

I wrote more about issues related to mortgage and real estate security here after my recent fiasco of trying to buy a house. Let’s just say that there’s a bank that’s serving American Armed Forces who are all about securing our nation that needs a serious security upgrade. I offered to help them after I found out they are an IANS client but they did not take me up on the offer, for reasons I can only speculate. :)

Keep your software on all your systems and devices up to date

Here’s what you can do right now to improve security across the board within your home network and on your devices.

  • Open up your phone and navigate to the place where you update the software. This will vary depending on what type of phone you have but Google provides general instructions here:
  • With iPhones the method will be consistent since one company provides both the hardware and the software:
  • Make sure your phone is up to date and that you have “automatic updates” turned on.
  • My husband almost makes a game of it to see how many of his apps need to be updated on his phone each day. He updates them right away. Make sure you keep those phone applications up to date.
  • For any software you run, make sure “automatic updates” is enabled. This includes things like your operating system (Windows or Mac) and your browser (like Google Chrome). You can search for that in the help section for your software or online on the website of the company that provides the software.
  • Login to your Apple TV or Roku or that box you got from your cable provider. Update the software and make sure auto updates are turned on.
  • Make sure you know all your passwords for your network devices. Did someone else install them for you? Make sure you can log in. Change the password to something you know and don’t leave it as whatever was set by the third party unless you trust that person. Definitely make sure it is not the default password. Make sure all the software on any network devices is up to date and set to auto-update.
  • On that last point, one of the most prevalent attacks is that home routers get attacked and used to attack other systems. The person that owns the home router doesn’t even realize this is happening. Many times rebooting the device will get rid of that malware. But it’s really important to make sure you are not using the default password and that the device software is up to date.
  • For any other software — on any device in your home that is connected to your network — log in and make sure the software is up to date. That means your refrigerator, your iRobot, your laundry machines, fans, lightbulbs, Amazon Echos and anything else that you connect to your network. If possible set them to auto-update.

Avoid installing applications unless you are sure they are trusted

One of the biggest sources of malware getting onto systems occurs because people install things from sketchy sources. Do you really need that funny game or silly software? Is it worth the risk?

Here are some examples of how applications ended up infecting people’s systems, and related topics that you may find interesting:

I think I may have malware on my system or I clicked something bad — what should I do?

In general, if you think a device has been compromised, you should unplug it or disconnect it from your network, reset it to the manufacturer’s defaults, and start over from scratch.

At one point last year, my husband’s phone was acting funny. I could have spent a lot of time trying to diagnose the problem but I told him to just reset it and start over. That fixed the problem.

Short of that here are a couple of other tricks you can try:

  • As stated above — update all software. Sometimes the vendor has a fix that will eliminate the security problem. But note that sometimes the malware will block the security update and even make it look like you have the latest version when you don’t.
  • If you clicked a link associated with a bank account or any other kind of account, change your password. Monitor your account for suspicious activity.
  • If you clicked a link on your phone, change the password from your computer and vice versa. Whichever device you clicked the bad link on may be compromised, so use a separate device to change the password.
  • Your browser (like Safari, Internet Explorer, or Google Chrome) could be compromised. Closing and re-opening your browser completely will eliminate certain attacks that occur when you visit a malicious website.
  • Sometimes malware is in your operating system (Windows or Mac) and rebooting it will help. If the malware has gotten a temporary hold on your computer, reboot it.
  • If your network devices are compromised, sometimes you can reboot them as well.

In general, however, if you suspect your device is compromised, get it off the network and restore it. Also note that when one device is compromised it may have compromised other devices on your network and vice versa so in that case you may have to restore and reset other things on your network as well.

Feeling techy?

Here’s a pretty basic thing you can do if you are a bit techy to protect your devices. You can change these settings in almost anything you have running on your network, but unfortunately not all. This change points your system to servers that try to block malware when you make web requests.

And, although I’m pretty sure my mom will not be feeling this brave, you can do even more to learn about and secure your network here:

Well, I’m not sure how much my mom will be into this post but hopefully she and anyone else reading it can understand it. I tried!

Thanks for reading. 🩵

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
