Author: Matt Irving
Certs: PMP, Security+, Network+, A+, Project+, Cloud+
Languages: PHP, Python, JS, HTML, CSS, SQL
The internet has become so integrated into our lives that we can't imagine functioning without it. The company Google has become a verb, seemingly overnight. I'm actually surprised there are still librarians around. Nothing is without its faults though, and the internet is no different. It's chock-full of criminals waiting to steal your money, your identity and worse. To remain safe online, it's important to exercise the same caution you would when entering any physical dwelling. Be mindful of your surroundings and keep your valuables out of sight!
The first step to browsing securely is to be mindful of your surroundings. Just as you would be apprehensive about walking into a shady-looking building, a creepy-looking website should give you just as much pause. Now, how does one spot a shady website? Start at the top of your browser and locate the URL (uniform resource locator). This is where you find the name of the site you're viewing.
There are a couple parts of this address to pay attention to:
Most e-commerce sites (sites you shop on) use the https protocol. So, if you ever encounter an e-commerce site that doesn't...run away! Having that extra 's' in the protocol means the site owner went through the trouble of obtaining an SSL (Secure Sockets Layer) certificate. This encrypts the traffic between your browser and the site, which is vitally important considering the type of information most users are entering. You can easily discern whether a site has an SSL certificate, as your browser will display a lock icon to the left of the URL.
Just because you see the lock icon doesn't mean you're out of the woods yet. Pay close attention to the spelling within the URL. Some of the savvier cyber thugs create copies of popular websites and use domains that are only slightly different from the original. For example, you may encounter a site named bank0fmine.com, which looks dangerously similar to bankofmine.com. When you enter your username and password into bank0fmine.com, you can consider your account compromised, as that login information has been sent to a hacker.
A couple of other things to look out for are misspellings, strange sentence structure and odd images. Most decent companies will run their content through a spell checker before posting anything. If you find multiple typos on a company's website, it's possible you're looking at a fake. Also, be on the lookout for odd sentence structure. Some cyber criminals are based in countries where English is not the primary spoken language. To get around the language barrier, some cyber criminals use translation software, and very poor translators tend to spit out poor English! In addition to the malformed text, distorted images can be the result of a cyber criminal attempting to copy images found on their target site's pages.
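The two URL checks above (is the scheme https, and is the domain a lookalike of a site you trust) can be turned into a small screening routine. This is an added example, not code from the original article; the trusted-domain list, the confusable-character table and the two-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user actually does business with (assumption).
TRUSTED_DOMAINS = {"bankofmine.com", "example-shop.com"}

# Characters commonly swapped in to build a lookalike domain (e.g. bank0fmine.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels (simplification: ignores suffixes such as co.uk)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Return the red flags found for a URL; an empty list means none were found."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append(f"no https: traffic to {host or url} is not encrypted")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings
    normalised = domain.translate(CONFUSABLES)  # undo digit/symbol substitutions
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted:
            warnings.append(f"{domain} is a digit/symbol lookalike of {trusted}")
        elif edit_distance(normalised, trusted) <= 2:
            warnings.append(f"{domain} is within two edits of {trusted}")
    return warnings
```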
You should also refrain from using simple, easy-to-guess passwords for your logins to various sites. I know it can be extremely frustrating to keep track of multiple passwords (hackers are also aware of this fact!). They actually count on you using short dictionary words as passwords. Nothing makes a hacker happier than a simple password.
Common ways cyber criminals steal passwords are social engineering and brute force attacks. The latter is quite simple in principle: the hacker runs a program that tries every possible combination of letters and numbers. They also employ what's known as a "rainbow table" (not as nice as it sounds) to speed up cracking stored password hashes. Since the brute force program iterates through every single possible combination, starting with dictionary words, your password will eventually be discovered.
To prevent this, use a non-dictionary password of more than 12 characters that contains symbols and other characters. By the time the brute force software iterates its way to a complex password, the user will be long dead (probably). Social engineering is a bit harder to prevent, as it preys upon the weakest link in any network: the end user (YOU!...and me). Social engineering involves obtaining information from a user for the purpose of uncovering valuable data from them, like passwords and email addresses.
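To see why the "more than 12 characters with symbols" advice matters, the following added example (not from the original article) checks a candidate password against that advice and estimates how long an exhaustive brute force search of its keyspace would take. The wordlist, the character-class sizes and the guess rate of ten billion per second are assumptions.

```python
import string

# Constructed stand-in for the dictionary a cracker tries first (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "sunshine", "bankofmine"}

# Assumed guess rate for a well-equipped attacker: 1e10 guesses per second.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def password_report(password: str) -> dict:
    """Flag dictionary words and short/simple passwords; estimate brute force time."""
    problems = []
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word: cracked immediately by a wordlist pass")
    if len(password) <= 12:
        problems.append("12 characters or fewer")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    keyspace = charset_size(password) ** len(password)
    years = keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return {"problems": problems, "keyspace": keyspace, "years_to_exhaust": years}
```

A dictionary word is reported as crackable regardless of its keyspace, because a wordlist pass skips the exhaustive search entirely.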
A popular social engineering attack is known as phishing.
FUN FACT: When the attack targets high ranking officials or company executives, it’s known as whaling.
This attack involves sending emails to potential victims. The messages are sent with a friendly or sometimes threatening subject header. No matter the tone of the header or message, the content is designed to elicit a knee-jerk emotional response from the reader. Cyber criminals do not want you to have time to think through what you are being asked.
The infamous "Nigerian Prince Scam" was a phishing attack that scammed people out of thousands of dollars. The email informed the reader that the sender was a wealthy Nigerian prince in need of a small loan, and that if the reader gave the prince the money, they would be paid back tenfold. As odd as this may sound, a great many people complied and sent tons of money to this "prince", only to find out days later that they had been scammed. He was definitely no Prince Charming.
More subtle approaches to social engineering include:
Always apply the same level of scrutiny to any place you spend your money or expose sensitive data. Avoid websites that have any of the characteristics I mentioned above, and you should be fine. Just listen to your gut, apply a little situational awareness coupled with the techniques you learned here, and those cyber thugs will have to look elsewhere for data to steal (or get a real job...really the best outcome).