Online Safety Basics

esper

Hi! I’m a Security Engineer with several years of penetration testing and ethical hacking experience. I thought it was neat that we have an entire category dedicated to computers and security. I couldn’t help but notice there’s plenty of information on Crypto but a lack of information regarding online security and privacy, so I thought I would take it upon myself to write up a short and sweet guide to staying safe and protecting your ass(ets) online.


Knowledge is Power

When assessing your personal online security, start by asking the following questions:
  • What do I want to protect?
  • Who do I want to protect it from?
  • How likely is it that I’ll need to protect it?
  • How bad are the consequences if I fail?
  • How much trouble am I willing to go through to try to prevent potential consequences?
Once you answer these questions you can better assess your digital security needs in order to create your security plan.


Passwords

If you’re like most people, chances are your password is something along the lines of “qwerty123”, “hunter1965”, “P@ssword”, etc. If not, forgive me for assuming.
I’m just going to give it to you straight: passwords like these sit in every wordlist a cracker loads, and once a site leaks its password database, tools like hashcat running on ordinary consumer GPUs recover them in minutes. Additionally, most people recycle 2-3 passwords for ALL of their online accounts, and attackers replay leaked email/password pairs against every other popular service (this is called credential stuffing). If your Gmail gets compromised, chances are your bank account, insurance, social media and porn subscriptions will as well.

So what can you do?

Get a Password Manager. These are programs specifically designed to keep your passwords unique for every single service that you use. Set one long master password and you’ll never have to remember another “Aa12345” or “rushFan1970” again: the manager generates random, complex strings of characters such as “vg*K^3cK7pQnvfzP7J^S%BF8”, stores them in a vault encrypted with your master password, and fills them in (or lets you copy/paste them) at login. Since that one master password now guards everything, make it a long passphrase that you use nowhere else.
The best in the industry is 1Password but if you don’t want to spend money then LastPass is pretty great as well.
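To make the “cracked in minutes” claim concrete, here is an added example (my own illustration, not part of the original post) that estimates the keyspace an attacker has to search for a given password, converts that into an expected cracking time at an assumed rate of 10^11 guesses per second (roughly one GPU against a fast, unsalted hash; the rate is an assumption), and generates a manager-style random password with Python's `secrets` module. The common-password list is a tiny constructed stand-in for a real breached-password list.

```python
import math
import secrets
import string

# Constructed stand-in for a real breached-password list (e.g. rockyou.txt);
# real crackers try every entry here before they brute-force anything.
COMMON_PASSWORDS = {
    "qwerty123", "hunter1965", "p@ssword", "aa12345", "rushfan1970",
    "password", "123456", "letmein",
}

# Character classes used to size the keyspace an attacker has to search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed guess rate: one GPU against a fast, unsalted hash such as MD5 or NTLM.
DEFAULT_GUESSES_PER_SECOND = 1e11


def keyspace_bits(password: str) -> float:
    """Optimistic strength estimate: treat every character as drawn uniformly
    from the union of the character classes that appear in the password."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def crack_seconds(bits: float,
                  guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Expected time to find a password of the given keyspace: on average the
    attacker has to search half of it."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_password(length: int = 24,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """What a password manager's generator does: a CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(password: str, wordlist=COMMON_PASSWORDS) -> dict:
    """Strength verdict. A wordlist hit is reported as zero bits, because the
    keyspace estimate is meaningless for a password the attacker already has."""
    if password.lower() in wordlist:
        return {"bits": 0.0, "seconds": 0.0,
                "verdict": "in a common-password list: cracked immediately"}
    bits = keyspace_bits(password)
    seconds = crack_seconds(bits)
    years = seconds / (365.25 * 24 * 3600)
    if years > 100:
        verdict = "strong (brute force infeasible)"
    elif seconds > 3600:
        verdict = "weak (hours to years)"
    else:
        verdict = "trivial (cracked within the hour)"
    return {"bits": round(bits, 1), "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("qwerty123", "P@ssword", "rushFan1970", "Tr0ub4dor", generate_password()):
        print(f"{pw!r:30} {assess(pw)}")
```

Note that “Tr0ub4dor” is not in the little wordlist and still comes out as weak: nine characters of mixed case and digits is under 54 bits, a matter of hours at the assumed rate, whereas the 24-character generated string is over 150 bits.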


VPN

Picture this: you’re sitting in a coffee shop, surfing the internet when you get a text that your friend has sent you the money they owe you via direct deposit. Excited that you can finally afford your $12 latte you log into your online banking and make sure the deposit has landed. You order your latte and head home. Two days later you log back into your banking to see that your account has now been drained on lotto tickets and something called “Deluxe 24h Massage”. You’ve fallen victim to something called a Man-in-the-Middle attack. While you were fretting about whether to order soy or almond milk in your coffee, somebody was using a tool such as Wireshark to capture all traffic on the shop’s wifi and steal your login credentials. Passive capture like this only hands over credentials that are sent in the clear (plain HTTP, or an app that skips encryption); against a properly configured HTTPS site the attacker has to work harder, for instance by running a rogue hotspot with the shop’s name and trying to strip or spoof the encryption. The starting point is the same either way: everything you send on that network passes through hostile hands.
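To show what the attacker in that story actually sees, here is an added example (my own, not from the original post) that parses a constructed capture of a login form submitted over plain HTTP and pulls the credentials out of it, and contrasts it with a constructed TLS application-data record, which yields nothing but a length. Both byte strings are made up for the example; the hostname onlinebanking.example is an assumption.

```python
from urllib.parse import parse_qs

# Constructed payload: what a packet capture shows for a login form submitted
# over plain HTTP. Every byte here is readable by anyone on the network.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: onlinebanking.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=hunter1965&otp="
)

# Constructed payload: a TLS application-data record (type 0x17, version 0x0303)
# carrying the same login over HTTPS. The 40 body bytes stand in for ciphertext.
CAPTURED_TLS = b"\x17\x03\x03\x00\x28" + bytes(range(0x40, 0x68))

# Form-field names a credential harvester greps for (substring match).
SENSITIVE = ("user", "pass", "pwd", "pin", "token", "otp", "secret")


def classify_payload(payload: bytes) -> dict:
    """Recover credentials from one captured TCP payload, if it is cleartext HTTP.
    Returns a dict with the payload kind and whatever credentials were visible."""
    # TLS record header: content type 0x14-0x17, then major version byte 0x03.
    if len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return {"kind": "tls", "credentials": {},
                "note": "encrypted record: only length and destination are visible"}
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return {"kind": "unknown", "credentials": {}, "note": "not parseable as HTTP"}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    creds = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        for name, values in fields.items():
            if any(s in name.lower() for s in SENSITIVE):
                creds[name] = values[0]
    if "authorization" in headers:          # Basic/Bearer tokens travel in the clear too
        creds["authorization"] = headers["authorization"]
    return {"kind": "http", "method": method, "host": headers.get("host", ""),
            "path": path, "credentials": creds,
            "note": "cleartext: credentials readable on the wire"}


if __name__ == "__main__":
    for sample in (CAPTURED_HTTP, CAPTURED_TLS):
        print(classify_payload(sample))
```

The first payload gives up `alice` / `hunter1965` without the attacker doing anything clever; the second gives up nothing, which is exactly the difference a VPN tunnel (or the site's own HTTPS) makes on an untrusted network.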
So how do you stop this?

First, think long and hard before you ever use public wifi. Coffee shops frighten me and don’t even get me started on airports. Secondly, use a VPN. Think of this as a condom for your internet traffic. It wraps everything your device sends in an encrypted tunnel to the VPN provider’s server, so anyone on the shop’s network sees only encrypted packets heading to one address, not which sites you visit or what you send them. VPNs are often not free but many offer free trials. ExpressVPN seems to be the most popular nowadays. Do some research to find the right one for you.

***Disclaimer: Just as condoms are only 99% effective, a VPN doesn’t mean your connection is 100% impenetrable. You are moving your trust from the coffee shop to the VPN provider, who can now see everything the coffee shop could have seen, and some VPN companies log that browsing data and sell it to other companies or hand it to the government. Prefer a provider whose no-logging claims have been independently audited, and act accordingly.


Apps

Be mindful of every app you install. Each time you install a new game or tool on your device, it will ask you for permissions to your phone’s features or data, like your contacts, photos, camera, or even the phone dialer itself. A single rogue app can punch a huge hole in your privacy. This also extends to browser extensions on your laptop. I personally used an app called “hoverzoom” for years when I was younger. Recently I attended a security conference at which a malware researcher proved that the same extension was being used for mr-robot-level corporate espionage.

As a simple rule remember: if an app is free, you’re paying for it in some other way.


Social Media

Yikes, ok: this is a big one with only one rule: be smart.
There are so many different risks associated with social media that it’s impossible to go in depth on them all. Law enforcement, identity theft, cyberstalking, the list goes on… I can only give you a few basic tips:
  • Never EVER post about your vacations until you arrive back home; an empty house with a public itinerary is a burglar’s dream.
  • Photographs often contain tons of EXIF metadata, including the time and GPS location at which they were taken. Strip it before posting.
  • Even with an anonymous account, your IP address and device information may be logged at registration and on every login, and can be handed over on request.
  • Keep in mind that, while you can control what you post, you cannot stop your friends and family from leaking your information.

"I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don’t know why. They “trust me”. Dumb fucks."
- Mark Zuckerberg @ 19 years old


Phishing

Phishing is one of the easiest forms of cyber attack for a criminal to carry out, but one which can provide them with everything they need to infiltrate every aspect of your personal and working life.

Usually carried out over email, social media, messaging services and apps - a basic phishing attack attempts to trick the target into doing what the attacker wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go directly to the attacker’s account.

Identifying advanced phishing campaigns can be tricky; fortunately most of them still rely on a lookalike or misleading domain name. I’ll do my best to explain:

Say you have received an email regarding your bank account. You click on a link which brings you to a login page. The first thing you should do is check the url you’ve been directed to.

yourbank.accountpasswordreset.com - this domain does not belong to the bank. It belongs to whoever registered accountpasswordreset.com and is, for all practical purposes, a phishing domain. Read a hostname from right to left: the label directly before the .com/.ca/.whatever suffix is the domain that was actually registered. Anything further to the left is a subdomain that the owner of that domain can name however they like, including “yourbank”.

accountpasswordreset.yourbank.com - this could be a legitimate bank site, however, through an attack known as a subdomain takeover (the bank leaves a DNS record pointing at a cloud resource it no longer controls, and an attacker claims that resource), it could still belong to an attacker. Watch as well for the username trick, yourbank.com@accountpasswordreset.com, where everything before the @ is treated as a username and the real host is whatever follows it.

In any case, the only safe course of action is to ignore the link and log into the service through the URL or app you normally use.
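The right-to-left reading of a hostname can be automated. The following added example (mine, not from the original post) extracts the registrable domain from a link and compares it with the bank’s, and flags the common disguises: a username before an @ sign, a punycode label, a bare IP address, and a missing https. The suffix list is a tiny constructed stand-in for the real Public Suffix List, and yourbank.com is the assumed bank domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org). A real
# checker loads the full list so that e.g. "co.uk" is never mistaken for a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """The part of the hostname that a registrar actually sold: the label directly
    left of the public suffix, plus the suffix. Everything further left is a
    subdomain the owner of that domain can name however they like."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, bank_domain: str = "yourbank.com") -> dict:
    """Decide whether a link could belong to the bank and flag common disguises."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    warnings = []
    if parts.username is not None:
        # http://yourbank.com@evil.example/ : the bit before '@' is a username, not the site
        warnings.append(f"'{parts.username}@' before the host is a username, not the site")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: internationalised lookalike characters possible")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if parts.scheme != "https":
        warnings.append("not https")
    same_owner = registrable_domain(host) == registrable_domain(bank_domain)
    return {"host": host, "registrable_domain": registrable_domain(host),
            "same_owner": same_owner, "warnings": warnings}


if __name__ == "__main__":
    for link in ("https://yourbank.accountpasswordreset.com/login",
                 "https://accountpasswordreset.yourbank.com/reset",
                 "http://yourbank.com@accountpasswordreset.com/login",
                 "https://yourbank.co.uk.evil.com/"):
        print(link, "->", check_link(link))
```

A `same_owner` of True only means the link sits under the bank’s registered domain; as explained above, that can still be a taken-over subdomain, so the rule to type the address yourself stands.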

Check out Taureau's post on phishing and email spoofing for some more great information


Browsing

Browsing is usually at the heart of what most people do. But just as you're looking out at the world, there's also a lot of things trying to look in. Ad networks will track you from site to site, your internet provider will log which pages you visit, and hackers will try to target you.

Without getting too into the weeds, no browser is perfect, but some are better than others.

When it comes to the gold standard of privacy, consider using Tor Browser. It looks and works like a regular browser, but routes your traffic through three volunteer-run relays, so the sites you visit don’t see your real IP address and your internet provider sees only that you’re connected to Tor, not which sites you visit. It’s often used by the privacy conscious, such as reporters and activists. It is noticeably slower than a normal browser, so most people keep it for the sessions that matter.



Remember: The Weakest Link

The old adage that “a chain is only as strong as its weakest link” applies to security too. The best door lock in the world is of no use if you have cheap window latches.