6 Simple Ways to Be Safe While Online
The cyberworld is full of risk. In this post I would like to give you six techniques that will help reduce your risk surface. The first recommendation on the list is the most important way to protect your accounts.
1. Use a Multifactor Authentication Tool
Multifactor authentication is the use of additional factors, beyond your password, to log in to your account. The factors are something you have (a cellphone) and something you know (a password or secret). To access your account, an attacker would need not only to guess your secret but also to have access to your cellphone.
You have experienced this type of authentication technique when you log in to your bank account and receive a passcode on your phone or by email. Another way to implement it is with a key generator that creates a random-looking number that changes on a predetermined time cycle.
Free alternatives:
- LastPass Multifactor – Key Generator Application
- Google 2-Step Verification – Key Generator Application
2. Logoff From All Accessed Accounts
Log off after completing transactions on your account; leaving a session open is like leaving your garage door open. Most merchants and banks have session expiration cycles that prevent most session attacks, so the risk is low, but remember: a boat only needs one unattended hole to sink.
Possible Attacks
- Session hijacking – An attacker uses your session ID to impersonate you in the session you started
- Session replay – An attacker replays your recorded messages
- Man-in-the-middle attack – An attacker sits between you and the service you are connecting to and can read and modify the messages
3. Use a Passphrase or Password Manager
The more characters the password or secret has, the harder it is to guess. Each character added to the password multiplies the number of guesses needed to find the correct one. Length is not the only essential property; complexity and randomness are the other two important characteristics of a good password.
Thanks to all the security breaches, attackers have millions of real passwords in their toolbelt that can be used to guess a user's password (secret). The 8-character password standard was published in 2003; with the processing power of systems back then, cracking such a password would have taken a lifetime.
As a comparison, with the processing power of a current home computer, an 8-character password will take about 5 hours to crack if no dictionary words have been used. If you think you are being clever by using “P@$$w0rd” or “Be@ut1fu!!” as your password, you are greatly mistaken if you think this is going to be harder to guess.
All password cracking tools include these types of substitutions among the guesses they try.
What is a Password Manager?
A password manager keeps all your account passwords in one encrypted vault. This is very useful because you only need to remember one long, complicated password instead of 10 different account passwords. Another benefit of using a password manager is that it can create random-character passwords for you.
As humans, we can try to create random passwords, but because our brains are wired to find patterns, this is almost impossible. Not only is it difficult to create random passwords, remembering all of them is close to impossible.
What is Passphrase?
A passphrase uses a sentence-like structure as the secret (e.g. “I Hate using Passwords”). By using passphrases the number of possible matches multiplies, making it close to impossible for an attacker to guess your authentication credential.
Possible Attacks
- Brute force – Tries all possible passwords using all possible character combinations
- Rainbow table – Uses precomputed hashed (obfuscated) representations of possible passwords to compare against until it finds a match
- Dictionary – Uses all the words in a dictionary, or a list of leaked passwords, as possible guesses
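To make the points above concrete (leet substitutions buy nothing, each extra character multiplies the search space, and a manager or a passphrase gives real randomness), here is an added example that is not part of the original post. The word list is a constructed stand-in for the millions of breached passwords a cracker carries, and the substitution table is a simplification of what real rule sets try.

```python
import math
import secrets
import string

# Substitutions that cracking rule sets apply routinely (one mapping per symbol here;
# real rule sets try several, e.g. "1" as both "i" and "l").
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "l", "3": "e", "7": "t"})

# Constructed mini word list; a cracker's list holds millions of breached passwords.
WORDLIST = ("password", "beautiful", "welcome", "letmein", "dragon")

def normalize_leet(secret: str) -> str:
    """Undo the substitutions and case so the secret can be compared with plain words."""
    return secret.translate(LEET).lower()

def dictionary_hit(secret: str) -> bool:
    """True if the normalized secret is a list word plus optional trailing characters,
    which is exactly what the append rules of a cracker generate."""
    plain = normalize_leet(secret)
    return any(plain.startswith(word) for word in WORDLIST)

def search_space_bits(secret: str) -> float:
    """log2 of the keyspace a brute-force attack must cover for a truly random secret
    of this length drawn from the character classes the secret uses."""
    alphabet = 0
    if any(c.islower() for c in secret): alphabet += 26
    if any(c.isupper() for c in secret): alphabet += 26
    if any(c.isdigit() for c in secret): alphabet += 10
    if any(c in string.punctuation for c in secret): alphabet += len(string.punctuation)
    return len(secret) * math.log2(alphabet) if alphabet else 0.0

def random_password(length: int = 20) -> str:
    """What a password manager generates: CSPRNG choice over the full printable set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, count: int = 5) -> str:
    """Passphrase from a word list: each extra word multiplies the search space by len(words)."""
    return " ".join(secrets.choice(words) for _ in range(count))
```

The 8-character “P@$$w0rd” scores about 52 bits as if it were random, but normalizes straight to a dictionary word, so a cracker finds it in its first pass rather than after 2^52 guesses.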
Free Solutions:
4. Turn Wireless Signals Off When Not in Use
Leaving wireless signals running while not in use invites attackers to your devices: your mobile devices treat saved connections as trusted and are constantly looking to reconnect. An attacker can abuse this feature to fool the device into connecting to a fake (Evil Twin) access point by cloning the name of an access point you used previously. Now the fake access point can watch everything your device transmits.
The auto-connect feature is part of the convenience package for all mobile devices, including laptops. When you connect to a public wireless access point, do not select the “Connect automatically” option on your laptop, to minimize your risk.
On many other mobile devices, like phones and tablets, this is not an option, so all you can do is turn off “Wi-Fi” and “Bluetooth” when not in use.
5. Change Devices’ Default Passwords
Before going to market, devices are given a default username and password that engineers use for initial setup and/or testing. The problem is that many of us connect the device to the network and never change the default credentials.
Default login information is easy to find online, so anyone with bad intentions could access your device. The devices with the highest number of this type of vulnerability are Internet of Things (IoT) devices: your smart TV, thermostats, baby monitor, etc.
Newer router manufacturers and Internet Service Providers (ISPs) have changed their antiquated procedures and are creating unique default passwords for their devices. The problem is that most of them are not using true randomization, so an attacker can use the patterns to build tables of possible passwords and use those for a brute force attack.
For examples of why changing default passwords is so important, listen to the Dark Net Diaries podcast, Episode 13: Carna Botnet. It will make it really clear for you.
Free Solutions:
6. Do Not Click on Suspicious Links and Read All Popups
The great majority of successful breaches start with a social engineering attack: a link or document sent over email or placed on a malicious website.
What makes this type of attack so successful is that many of these malicious links appear to come from someone you know or a company you do business with. The other big factor is that the message or popup will try to create a sense of urgency or fear. Therefore, your first step should be to stop and verify.
One way to avoid clicking the wrong link is by hovering (moving the mouse pointer over the link without clicking on it) to see where it actually leads.
What if you get a link that looks like this: https://bit.ly/2HxKjec (that is called a short URL)? Websites like https://unshorten.it/ will translate the short link into the original webpage address.
Three steps that can help minimize your chances of becoming a victim are:
- Stop – Don’t rush through
- Think – Is this really what it says it is?
- Click – After you verify then continue
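The hover check above can be done programmatically over an HTML message: compare the text the reader sees with the host the link really points at, and flag short URLs that need to be expanded before clicking. This is an added example, not code from the original post; the shortener list and the sample e-mail body (which reuses the post's bit.ly link and uses reserved .example domains) are constructed for it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common shortener hosts; these hide the destination until expanded.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(a: str, b: str) -> bool:
    """Treat a host and its subdomains as the same site (www.bank vs bank)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def hover_check(html: str) -> list:
    """One finding per link: the text the reader sees, the host the href really
    points at, and a verdict (ok / mismatch / shortened)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = text if "://" in text else "http://" + text
        # Only link text that itself looks like an address can be compared with the href.
        shown_host = (urlparse(shown).hostname or "").lower() if "." in text else ""
        if real_host in SHORTENERS:
            verdict = "shortened"
        elif shown_host and not same_site(shown_host, real_host):
            verdict = "mismatch"
        else:
            verdict = "ok"
        findings.append({"text": text, "host": real_host, "verdict": verdict})
    return findings

# Constructed sample e-mail body: a look-alike link, a short URL, and a genuine link.
SAMPLE_EMAIL = """
<p>Your account is locked, act now: <a href="http://login.mybank-secure.example/reset">www.mybank.example</a></p>
<p>Or use <a href="https://bit.ly/2HxKjec">this link</a>; questions: <a href="https://www.mybank.example/help">Help center</a></p>
"""
```

A "mismatch" verdict is the urgency-plus-look-alike pattern the post warns about; a "shortened" verdict means the link should go through an unshortening service first.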
In Conclusion
These 6 solutions are a simple way to protect your important information. Many other steps or defense tactics exist, but it all depends on what is important to you and your risk preferences.
If you want a personalized risk assessment, contact us at jose.cruz@jcdataservices.com