Wednesday, August 7, 2019 Updated at 10:25pm
2019 is an exciting year. Politics, unrest, and turbulent stock markets are just some of the volatile elements in the world. While there’s a lot you can’t control, there are quite a few things you can try to do to control your online data profiles to prevent getting hacked.
Here are some stats from some of the most recent biggest and noteworthy 2019 breaches on security:
- Baltimore, Maryland had a large scale ransomware attack in May 2019 that affected gov systems. (Wikipedia) It is interesting to note that cybersecurity insurance funding was recommended by the IT department before the hit but was not implemented due to finance costs. According to various sites such as Engadget the costs would be upwards of $18 million for affected systems which may include the ransomware costs.
- Also noteworthy Binance was hacked in May 2019 and affected their cryptocurrency platform which caused an estimated $40M or 7K BTC loss. It is interesting to note that this occurred on the 7th of May also around the time of the Baltimore, Maryland hack according to Wikipedia.
- BlackRock had at least twenty thousand of their advisers’ information leaked on the internet in January. (IdentityForce)
- Microsoft had a large data breach giving hackers access to email.
- Graeter’s found some malicious code on their website that could potentially capture people’s information.
- Dow Jones had some two million records leaked online from a database.
- Facebook had most of its passwords in plaintext of millions of users. Also their WhatsApp had a security flaw and Instagram had contact information exposed.
- And also Bodybuilding had a massive data breach that exposed and potentially exposed seven million customer’s data.
So what can a person do to keep from having and experiencing exposure of data and personally identifiable information? Well here are some basic security 101 tips.
- Keep your mailing address up to date to keep from having a security breach and leak of information. If something gets sent to the wrong address then you basically gave someone a free pass into your information.
- Use firewalls to keep from someone trying to use forced entry aka brute force into your system. Block unused ports in your computer. If you don’t know how to do this then do a web search. A lot of people don’t realize that some operating systems have a way to do a remote connection to their computer. For example, Windows has a remote desktop connection feature that gave tech support a way to go in and fix things but in day to day use this access should be disabled. And some ports like Telnet uses port 23 and you don’t typically need this open on your computer. Do some research and figure out how to disable unused access permissions and ports on your computer whether it be Windows, Linux, Mac etc. This also holds true for giving people access to servers and pages online. This is the concept of reducing attack surfaces or the amount of entryways into a system.
- Do password changes frequently. This is debatable somewhat if you have a good password but still a possible good idea to prevent someone from being able to easily get into your system. If you regularly change your password it keeps someone trying to brute force your site from hitting a moving target. Just be careful that during changes you don’t open a vulnerability.
- Do not auto-save passwords. If you have this already saved then check your browser settings. However this is also debatable because as long as your system isn’t compromised then having already saved passwords in some cases can prevent leakage of passwords to a phishing program.
- Use a SAFE computer to access accounts that don’t have high risk applications like gambling, file sharing etc. Consider having an air-gapped PC or separate system or separate backup server not connected to the main server.
- Logout after each session and clear your browser memory.
- Avoid public unfamiliar networks. This can open up yourself to man-in-the-middle attacks. Check your browser to see if there’s a security green lock to show you are connected to a secure connection.
- Don’t share info on social media. You have way too much information and too many breadcrumbs online. Minimize your online footprint. Don’t give away the farm and all your secrets. Consider some security through obscurity and also fake honeypots or some semi open items for lower required permissioned data. Lot of people overshare s*** on social media. That means their phone, what OS they are using (oh yes, this was written on iOS or from a mobile platform etc). Turn off location and don’t advertise you’re on vacation and away from your house and post the fact that you bought a new $50,000 blinged out diamond crusted gold plated e-watch etc either online or anywhere and let people know of your assets so they come and yank it out of your house or garage or raid your store at night. Out of sight. Out of mind.
- Don’t open suspicious links. If it’s too good to be true, it probably is and also likely a phishing scam. You could have the securest password in the word that’s 40 to 100 characters long for instance but if someone tricks you into putting it into a fake site then they will have stolen your information.
- Be careful of access to your computer. Back in the day in college some of us used to prank our dormmates with keyloggers and such. They were so easy to install while they were out partying. Be careful of what’s installed on your phone or your computer and have your phone and laptop on your person at all times especially when boarding a plane. And keep your carry ons and tech out of sight.
- Do not share passwords and PINs. No one needs access to your information. If you have started doing sharing of passwords then stop. There are so many companies and people’s data leaked and identity theft daily you wouldn’t believe. Consider changing your password if it’s already happened and without warning as to not to tip off anyone that already has access to it.
- Review your application settings periodically. Apps ask for so many permissions these days. Do they really need location access or to get your contact list? If you don’t want to give them that then consider using a different application or just don’t use that application. You never have to give them information. What they don’t have they can’t use to compromise your identity or friend’s identity with.
- A great feature in many applications now includes session deactivation. You can see for instance what applications or browsers you are logged in on and forgot to sign out on. For example you might be signed in on Firefox or Edge or some other browser and in Linux on another. Clicking security settings allow you to see what you’re still logged in on and deauthorize or log out of those sessions. Also if you are on a web platform that may have gotten hacked it can allow you to forcibly log out all sessions.
- Do not communicate important things via email. If it’s that important use a special private messenger or just dial the person and talk instead. Lot of people have forgotten the importance of basic communication via phone and voice. Also consider just meeting up in person to exchange information or things that important.
- Be careful of misspellings in emails and letters coming from someone. It may indicate fraud or an imposter.
- Stay alert and awake to your surroundings. There might be some tom-peep or other person looking over your shoulder or eyeballing your information that doesn’t need to be doing so. Cover you key inputs when you’re entering information into public terminals and credit card key swipe readers and make sure your payment terminal doesn’t have a skimmer especially at gas stations. With the crazy stuff in the news also it’s also a security thing. There are a lot of high alerts unfortunately in the world nowadays and if you’re looking down at your cellphone or have headphones in your ears while walking you can’t hear possibly a car coming your way or someone shouting at you warning you of impending danger. Unfortunately even though the world is more connected, a lot of people simple don’t understand they are not the same and are unique in different ways. So if you are going through a security check point and not aware of surroundings and let’s say disabled or hard of hearing they may think you’re being rude or something when you just are having a sleepy morning. Being savvy means being aware and understanding of different scenarios and outcomes.
- Protect your assets with security keys, safes, and physical guards or barriers, cameras. Do not rely on a single point of failure. Lot of people like Batman because he thinks of every possible scenario and studies things thoroughly. It’s called having a contingency what if plan. You may never need it, but it’s in your arsenal of tools to select from if you need it. And time slows down enough to give you pause to think also giving you an edge when you are prepared.
- Don’t run outdated, unapproved or unpatched systems. With some of the security systems like Baltimore’s hack the systems were using older computer systems with security flaws and a person or machine still has to download the software and make sure to upgrade to the most recent versions.
- Be careful of certain bundled software, spyware, unapproved rooted, compromised & exploited software that you get online. Don’t just casually download “wares” and run freeware CD’s and USB drives freebies that are offered from from companies or download games and apps from anywhere or get software necessarily from outside your app store. Some third party apps, jailbroken set ups etc can install hidden files that change your hosts files in your home and root directory that redirect IP address or weblinks to a URL or website that you didn’t really intend to go to and cause man in the middle attacks, pharming and phishing. That means someone redirects you to a fake site posing as a legitimate site complete with the normal graphics but maybe off by one character or something in the web address for example and you don’t notice it and you put in your login information. According to Wikipedia, antivirus and spyware can’t protect you from redirects to fake sites for pharming. Think before you click.
- If you get a weird message on your phone or computer alerting that something is wrong and you need to take action immediately then think and step back and ask if it’s legitimate first. There’s a lot of scam calls also in the physical world also and we’re not just talking about online asking for banking information or you won a prize or need to reactivate your account or benefits or some other adverse action. Don’t get pulled into being a sucker. Usually you have time to take action. And so if you are ever worried. Consider pulling the computer or the phone plug. Shut it off. Give yourself time to think and get a second opinion. Technology usually lets you take time. Even if you lose a file or two. Better than opening yourself up to worms and viruses by clicking and installing some weird popup. It’s less likely to be fake if you have someone in your face physically, but even then there are some brazen and bold cons out there able to smooth talk you into doing some action because it is human behavior to want to help someone out.
- Backup your information in at least 3 places or ways. Two local and one offsite is the typical scenario. But you’re smarter than that. *insert Eddie Murphy meme tapping forehead* Just because everyone does it and it’s “typical” doesn’t mean you should do the exact same thing. Make sure to do security in a way that makes sense to you and doesn’t compromise your site if someone was to get into your location.
While no plan is completely fool proof and humans are still highly susceptible to phishing and social engineering (there are also zero-day exploits and other scary uncontrollable factors such as relying on someone else to follow through with security on their end), just having a bit more awareness can improve your online security game plan.
Also according to The Verge the Baltimore exploit that affected the city was known many months beforehand. This should have been a priority for budget and one of the first things implemented if possible. And the exploit was leaked by another different gov organization never intended for what happened. So it’s a good idea to notify software companies to let them know how to create patches and do fixes. And also any buggy code should have been removed and deleted so it doesn’t fall into the hands of no-do-gooders.
Remember, some basic information like name, address, date of birth information and account information is always sensitive information even if it’s the last four digits of your account. A particularly overly helpful phone representative may still go ahead and edit or change your information if they think you have enough aggregated information to “prove” your identity. This can cause sim-jacking and allow voice phishing or vishing to happen. Don’t take security as an after thought.