Thursday, September 1, 2022

Don't Lose Everything: Your Guide To Staying Safe Online

 Don't Lose Everything: Your Guide To Staying Safe Online

 By: Dominique Miller

It's been awhile since I've written a real blog post. But I'm back, and here's why... I've been working with many coaching clients on improving their personal digital security.

  In fact, so many have asked me to focus on that aspect of my coaching work, that I haven't been doing too much else lately (and I am happy to help!). 

 Look, if you use the internet...like...at all...for anything...ever...even if you only have a smart phone...

You NEED an end-to-end encrypted password (and private information) vault yesterday. 

 I know some of y'all just said or thought to yourselves, "I don't get that tech stuff," "I don't have the time," or something similar, but I'm here to tell you something. 



 You WILL have your identity stolen, and/or your sensitive information compromised. 

  I want to help you to avoid what almost happened to me--and what has happened to so many others--identity theft, either partial or total, including personal and financial assets, some of which may be irreplaceable.


 Unfortunately it's not a matter of if it will happen, but WHEN it will happen.

Jonah Hill freaking out


 Cyber attacks have increased by a whopping 500-700% (conservatively) globally, since 2017. Much of that cybercrime took place--you guessed it--during the global pandemic that is SARS COV-2, or COVID-19. And what are some of the easiest vectors for attack? 

 What? I'm sorry, what is that one of you just said? 

 Did someone  just say 'my front door?' 
It sounds like reader Karen just said that she thinks cyber attacks are likely to happen by way of her front door.

Yeah...no, Karen. Cyber attacks happen online--that is, through your smart phone, laptop, desktop, tablet, or other internet-connected device, and/or through nearly any of the apps, services, and websites you might use on the internet connected devices I just mentioned, which most of us use.

I hope that most of you are smarter than Karen here, and to prove to yourself that you are, I'd like for you to take this simple personal digital security quiz before we begin. I have made up this quiz, based on input from friends, family members, clients, and even my own experience being self-taught in the realm of IT.

Take the quiz here

👉A note about data collection from my blog, before we get started:👈

☝*** (I have turned on the 'rel=no-follow' protocol for all links shared on this page, which means that I am disabling trackers that might attempt to follow you from THIS site. As I will mention again below, I have no control over what other trackers you may be exposed to, based on your own personal settings in the application you are using to read this blog post, and/or the security and privacy settings you have configured on your own device).***


 Cyber threats can happen to anyone, and they can happen in many ways, from many avenues, through many vectors. 


 Cyber criminals, contrary to popular belief, aren't weird, geniusy hackers, sitting behind a computer, wearing sunglasses and a hoodie, rubbing their hands together in glee, and waiting for their next target to roll in. 

 

Cyber criminals are usually just laypeople taking the opportunity to do some dishonest work for a living...

 ...and to hopefully catch one of you lovely readers out there on the interwebs with your metaphorical pants down. 

But back to those potential attack vectors, yeah? Popular attack vectors i.e. inviting places for cyber criminals to launch an attack on you, are:

 

 

While some of the bullet points below are, and should be by definition, areas of  concern for all of us, I want you to remember while reading over them that I will be providing you with some great solutions below, to help prevent them from ever being an issue for you.



 Read on for some of the biggest attack vectors that you need to lookout for, in order to protect your own digital security.

          1.  Compromised (or poorly managed) credentials



    1. Logins, passwords, and personal information must be stored in a safe,         secure (encrypted) manner. Not doing this leaves everyone using a particular app, site, service, or business open to personal attack.

             2. Imagine those of us who don't know better, who reuse passwords, use                      
                  passwords with unaltered dictionary words, consecutive numbers, and the   
                  like, having their data exposed in even ONE data breach with a company, 
                 website, or app they have login credentials stored with. 



             3. Imagine that data being shared on the darkweb or otherwise bought, sold, or  
                 traded between malicious entities and/or actors.

               4. Now, imagine that person using the same login credentials across multiple                         
                   platforms--maybe even on their banking and investment websites. That             
                   person could wind up in real trouble, really fast!


                5. Data breaches happen all the time. What's stopping you from losing             
                   everything when one finally happens at YOUR financial institution, or on 
                   your crypto platform, or your investment platform?

               6. If you're one of my clients, readers, or listeners, I'll tell you what's stopping 
                    you from losing everything: your free, secure, open source, end-to-end 
                    encrypted password and personal data vault that you took the time to 
                    download from your App Store or your Google Play store. One of the best 
                    such apps out there is Bitwarden.

  1. 2. Malware



      1. Malware is, essentially, malicious code or software, which corrupts and may even scrape for certain data. For example, you may have been infected by malware if you clicked a link from a Facebook friend in Messenger that looked a little funny, and noticed maybe a day or so later--maybe more, maybe less--that you could no longer get into your Facebook account. That is one of the most popular malware delivery vectors for scammers to employ, and if your password and login information are just sitting around, unprotected, because you haven't taken an opportunity just yet to download Bitwarden, or something similar in terms of end-to-end encrypted security for all of your personal and private information, including login information and passwords, you could wind up not only having a tough time getting your Facebook account back, but also losing much, much more (see above, re compromised credentials).
                         2.  While apps like Bitwarden can't totally offset the potential cost of such serious             
                                user error, it CAN inform you when a password or login credentials have been                 
                                compromised, and it CAN help you to take immediate steps to re-secure your                     
                                data.              

                

           3.  Phishing

      1. An attack based on social engineering, where a malicious actor attempts to get someone to click a particular link, download a particular app, etc., with the intention of getting access to their target 's device, login credentials, and other personal and/or financial information.
                         2. Malware is often delivered via phishing attacks.    


            4. Ransomware

    1. Ransomeware CAN be linked to weak credentials or poor encryption, and is often used to lock a user out of their accounts, or even their devices, and can be used on a much larger scale when companies are targeted, rather than individuals.

            5. Missing or poor encryption



    1. Hopefully this one is self explanatory. When an individual or company neglects to make sure that their information is protected by encrypted means, it is that much easier for a malicious actor to exploit.

            6. Insider attack (more for organizations, though this is applicable to individuals too, depending on their level of basic personal digital security and tech literacy)



    1. For organizations, a malicious insider with an axe to grind might attempt to sabotage networks, servers, applications, platforms, or even individual devices from within.
    2. When it comes to individual privacy and protection, this could simply look like a friend of yours on Facebook innocently clicking a link sent to them by another friend, on Messenger, and winding up losing their account, at which point your friend's account, which you may not realize is even compromised at this point, sends you some phishing links, hoping that you'll click on them.

            7. Old, out of date, or un-updated devices



    1. When we update our phones, laptops, desktops, and tablets, our security settings are impacted positively.
    2. For example, someone whose device has been infected with malware who allows for automatic device updates, by enabling that option in their device' settings will allow said updates to remove that malware from their device, or otherwise render it useless.
    3. Not updating your device regularly, in addition to not removing any potential spyware or other malware or malicious trackers from your device, leaves major holes in your security. 
    4. Eventually, if you go long enough without updating, your device will simply cease to function.

    5. Please note that as technology for the hardware that we use (smart phones, laptops, desktops, and tablets) improves, companies must continue to improve the software that hardware runs on. Given enough years, a device may simply become incompatible with the software available through the company that manufactures your hardware and software, and you will, like it or not, have to upgrade your device (i.e. get a new model of phone, of laptop, of desktop, or of tablet).





    6. Phone, laptops, desktops, and tablets are, essentially, just a silicon motherboard (or, more likely today, a silicon chip) with as many functional semiconductors jammed onto it as is spatially possible. So let's say you're still running on the iPhone 4. That hardware is not only going to be incompatible with newer software, it will be utterly foreign to it. Your device is unlikely to run at all, so as technology improves, and we have faster and faster software, your old iPhone 4, which may have worked great for you in 2014, will cease to work well, and then, eventually, cease to work at all. DO NOT WAIT until it stops working at all. Long before it does, you'll be working with severely downgraded security, which makes you a soft target for cybercriminals.
\

            8. Unpatched servers (for organizations)

    1. Similar to un-updated devices for individuals, unmatched servers will leave your organization's platforms, devices, employees, and sensitive information open to attack. Respect your organization and its hard working employees more than this.

  1. DDOS attacks (for organizations)

    1. DDOS, or denial of service attacks essentially ping your organization's servers so frequently, that it is overloaded with traffic, and ceases to function until such an attack is over.
    2. One way for your organization to prevent possible DDOS attacks is to keep your organization's servers patched and updated.

           9. Misconfigured or poorly configured information on behalf of a website, app, or organization you use

    1. Often times, data breaches occur due to misconfigured clouds. When organizations are not careful to update software and hardware, be vigilant about settings and data storage, AND make sure that their servers are patched, they may either knowingly or unknowingly be exposing their customer base to potential cyber attack.
    2. I was once attacked by way of a sim swapping scam, which may have occurred due to a data breach with my phone service provider. Fortunately because my personal digital security was decent (it's even better now),  the cyber criminals weren't able to get away with even one red cent, and I was able to scrape some sensitive information from their data trail, verify it, organize and collate it, and deliver it right to the FBI. RIP to my scammers. They messed with the wrong person, but often times this isn't the case. Too often, scammers mess with the exact 'right' person, and I am here to help to ensure that person isn't you.

            10. Application attacks (by way of malicious or poorly configured apps)



    1. Apps that: a) don't respect user privacy, or b ) don't update regularly are a no-go. If you notice that you have an account with an app that doesn't seem to have patched or updated itself in awhile, delete your account. If you can't, try contacting the developers of the app, or the hosting service of the app if it is a web application. Usually a network admin, systems admin, developer, or hosting site admin will be able to help you out with something like that, if all else fails.
    2. Some applications that look fun, interesting, or informative are flat out spyware. Download judiciously and always, ALWAYS do your own research, using methodologically clean search criteria and platforms. 

            11. Algorithms, AI&Trackers That Encourage You To Click Before You Think



    1. If you've read something on a blog somewhere, perhaps this one, or on a Facebook post, for example, do not take that information as fact. Search for information from trusted sources, and act accordingly. 
    2. Remember, apps like Facebook use algorithms to direct you to posts, links (that they then track), and opinions that they think you'll like, whether or not said posts, links, or opinions turn out to be even remotely fact-based. THEY. DON'T. CARE. THEY JUST WANT YOUR CLICKS.
    3. Sites and apps like Facebook, again, using Facebook just as an example here, because unfortunately it's a good one, are in it for the clicks, not because they care WHAT you're clicking ON. 
      1. Every time you click on a link, share a post, etc. they stand to make money, and one of the ways they do this is by collecting your data as you click along through their app or website, and then tracking you and selling your data to other websites, apps, groups, political organizations, stores, and more--some more scrupulous, some...well...not so much.
         
    4. Platforms and apps like Facebook (not JUST Facebook, of course) also drive people down extremist rabbit holes, where, in addition to...well...extremism, more malicious trackers, spyware, and cybersecurity threats lurk. 
      1. In fact, the January 6th insurrection at the United States Capitol was planned, after fears and anger about the election of President Biden were stoked on social media sites and apps like Facebook. 
      2. We can talk more about Facebook and similar data mining platforms more in a future post, because I believe it does warrant more discussion.

      3.  Suffice it to say that unless you are highly technologically literate, and have your settings configured appropriately (I suppose that not having your security settings on an app or web application like Facebook could be considered app misconfiguration creating a vector for possible attack, only on a more personal level, rather than on an organizational level), Facebook is tracking your every move, and selling your data, hell, even information about things like when you sleep, what's likely to engage you (spoiler alert: "engagement" often means 'what's likely to make a particular user or group of users--say liberals or conservatives, for example, angry,' so that they'll share and get more people to click, click, click, leading those unsuspecting users to inadvertently spread not only mis and disinformation, but to spread trackers to others, whose data they scrape, sell, and even use for non-consensual research). Being an informed web surfer matters now more than ever. 

      4. The online group Cybersecurity For Democracy found, in a study which they self-published in December of 2021, that far right, factually inaccurate, emotionally driven content creators and similar platforms on Facebook got so much more traction than any other type of 'viral' media, Facebook accounts, or Facebook pages, that they weren't even playing in the same metaphorical social media ballpark as the rest of us. Read the study here (I have added the 'rel-no follow' attribute to this link, so that you will not be tracked or followed by me, or my blog--though I obviously cannot guarantee that you will not be followed by any other trackers that are not under my control).

 


 

 

              12. Working remotely

    1. Remember when the pandemic--or "Plandemic," as you might have been led to believe by conspiracist pages, websites, and posts on platforms like Facebook and YouTube (which is a subsidiary of Alphabet, Inc., which owns Google) , through no fault of your own, (at least if you are like many internet users out there)? Remember how workers and companies alike were put into a position of having to implement tons of Zoom calls? And do you remember how popular a cyber criminal practice called "Zoom bombing" was, where trolls and cyber criminals would join zoom meetings, hoping to glean sensitive information?

       Not gonna lie, folks, I baited trolls a few times by starting zoom meetings, leaving them open, and then sharing them on social media sites, so that I could trap a few trolls and perhaps some online scammers (I promised not to hack them in return, or to use OSINT--open source intelligence protocol to pull personal data, and I kept my word to them), in order to interview them and get to know why it was that they did what they did--scamming people, ruining zoom meetings, etc...

      Maybe one day I'll actually get around to releasing the damn interview, when I have five minutes of time during the day when I'm not working. The answers I got were truly honest, and ranged from "I'm bored and wanted to see what I could shake up in this meeting" to "I'm scared, and I'm honestly taking my aggression out in an inappropriate way," to "I just wanted to see what would happen," to "I'm looking for personal information to sell, or to blackmail someone with.

    2. Remote work leaves people and companies alike open to all of the dangers of misconfiguration, un-updated devices, ransomware, malware, phishing attacks, malicious insider attacks, unpatched server issues, and so much more, on a much, MUCH larger scale.
    3. It should go without saying that in order to work remotely, companies and employees both have to work via web applications and chat programs, some of which may be mandatory for employees to use, and which may or may not be secure.
    4. Businesses leave themselves, their employees, and their customers open to theft, loss, and data breaches when they do not implement ssl encryption when working with payment providing platforms. 
    5. Some of the ways businesses, employees, and customers alike can suffer from the burden of remote work is when businesses or individuals start using payment, banking, and retail apps for the first time, and when they use reused or insecure passwords or login credentials

 While I've touched on a few attack vectors for organizations, I've tried to focus on individual digital security. 
 What do you think your weak areas might be? Discuss among yourselves and DO NOT comment down below 😂
 
 Here are a few of the best things you can do for yourself, to dramatically improve your own personal digital security:

 
  1.  Use an end-to-end encrypted password locker, like:
    1. Bitwarden
    2. KeePass
    3. PadLoc
  2. Do not reuse passwords
  3. Change old passwords
  4. Use an encrypted, or at least secure email service, like:
    1. Proton Mail
    2. Prevail
    3. Skiff
    4. CounterMail
    5. Hushmail

*There are many more encrypted email services, but many of them regularly track IP addresses, or are run by services located in a 5-eyes or 14-eyes country, whose laws forbid complete privacy online (more on that in a future post). For that reason, I've chosen not to include them. Know another that I forgot to list here? Let us know in the comments section!

 If you'd like to use Bitwarden as your end-to-end encrypted login and password storage locker, I have a tutorial I've done for several clients, friends, and family members right here, on the Dominique Does Life Podcast Network's YouTube Page. "rel=no-follow" protocol applies here. And while this tutorial was done on an iPhone, and refers often to the iCloud Keychain, which is the default login and password storage apparatus for devices that run on Apple software, like iPhones, iPads, iPods, iMacs, MacBook Airs, and MacBook Pros, these steps should work just fine even if you're not using an Apple device. All you'll need to do, in that case, is to search for the term "passwords," and you should be given a link to click on, that will take you to your device's default login and password storage area.


Just taking the simple steps of downloading a free, (open source is always good), end-to-end encrypted email application, and a free, open source, end-to-end encrypted password locker will drastically improve your personal security.

 When all is said and done, while it is *possible* that you personally could have drawn the ire of a cyber criminal, that isn't terribly likely. Most cyber criminals and scammers fish (or phish) in big pools. They comb eBay, Facebook, Facebook Marketplace, Messenger, Words With Friends, Instagram, leaked email addresses, and similar sites and applications, as well as looking through other customer data besides the email addresses I mentioned just now, that has been exposed in data breaches. 

 They look for soft targets--or those whom they THINK are soft targets, like elderly folks, those who use less secure email platforms, those who reuse passwords, and those who answer identity theft posts on social media ('wHo WaS tHe PrEsIdEnT wHeN yOu WeRe BoRn...WhEn DiD YoU gRaDuAtE hIgH sChOoL, wHaT wAs ThE fIrSt TyPe Of CaR yOu OwNeD?' and other posts and comments that could telegraph a potential lack of technological literacy). 



 So what are some of the best ways that you can present a harder target?



  1.        Having secure, end-to-end encrypted data, and using an end-to-end encrypted password manager/locker app that alerts you if/when a password or login information has been exposed will shore up major potential vectors for attack, and having some tech savvy online "street smarts" will go a long way toward protecting you against any attempted attacks, and may well take you out of the running for appearing to be a soft target to begin with!
  2. Not keeping important personal data like logins, passwords, banking information, or other personal information in places in your phone, laptop, desktop, or tablet that aren't secure. The ONLY place such sensitive data should be stored is within your end-to-end encrypted password locker. I've listed a few of the end-to-end encrypted password lockers/vaults that I would recommend above.

  3. NEVER answer those ridiculous social media posts that ask for personal information. While it's true that some of the information these types of posts ask for is less than sensitive on its own, it is absolutely sensitive when coupled with other information that could be scraped or searched for 'by hand' from various government, land record databases, tax record databases, various licensing databases (driver's licenses, FOID card databases, professional databases, and other databases online) with a simple internet search. 
    Data Pulling Facebook Post Example via Engadget
    Credit: Engadget 

  4. Vet potential online buyers and sellers on any online marketplaces you might use for buying and/or selling items. While some such marketplaces--like etsy, Amazon,or poshmark, for example, might already vet buyers AND sellers, and may keep things like home addresses private, unfortunately relatively large platforms like Facebook Marketplace do not, which leaves both buyers and sellers open to extreme risk. Same goes for Facebook and other social media garage sale groups. Approach these types of groups with extreme caution, and if you're not certain that you're able to cover your tracks and vet your potential buyers and/or sellers, I would advise not using these sites. Gather some information, come back around, and if you still need to use a site that does not take important precautions regarding personal data, revisit the possibility of using such a site AFTER you've gone through some basic IT (information technology) literacy and online safety courses.
  5. For an added layer of security, use a REPUTABLE VPN--a virtual protected network--when you browse. Some of the better VPNs out there, according to Redditors (that is: users of the social media site, "Reddit"), according to the site vpnpro for 2022 are: 
    1. NordVPN
    2. Surfshark
    3. PrivateVPN
    4. Proton
    5. TORgard
 Happy browsing and stay safe out there, my friends!


Questions? Leave any questions without sensitive information in them in the comments section. If you feel you need more help than blog posts or videos can provide, consider hiring someone to assist you in getting started with better personal digital security. I do coaching and consulting work that includes getting folks setup with basic security, and educating them about best practices. You can reach me at trinitysswellnessandconsulting@gmail.com if you'd like to work with me. Normally, I get folks setup and ready to take it from there without further help within one to two meetings with me. My aim is to get you feeling confident in your own knowledge base and abilities, so that you don't need further help. 


Sources: 

  • Credit to Mule Yong, via giphy for the amazing gif art! View Mule Yong's giphy page here (rel=no-follow attribute enabled; see above and below for more information)
  • Wizcase (re: end-to-end encrypted password and login storage lockers): read here (rel=no-follow attribute enabled, which, again, means that I personally am not allowing normal trackers to track you when you click this link. I do not have any control, however, over which other trackers may be able to, as that is something you will need to address by taking a look at your device and application settings)
  • NPR (re: how Facebook influences conspiracies and American politics and elections): read here (see above re 'rel=no-follow')
  • Medium (re: documentation of Facebook's policies, algorithms, and platform, and how it has impacted the rise of conspiracies, encouraged the sharing, digestion, and personal integration of  mis and disinformation on a personal scale for many individuals, and on a group scale for many groups of people, and how it has given birth to a tribalist attitude within the bounds of the United States, and across the world, and, lastly, how it housed and gave quarter to those who planned and participated in the January 6th insurrection of the United States Capitol): read here (see above, re: 'rel=no-follow')
  • Github (facebook.tracking.exposed, re: the mechanisms Facebook uses to track you): read here (see above, re: 'rel=no-follow')
  • VPNPro: browse here, without tracking from my blog 





at
Labels: , , , , , , ,
Location: Chicago, IL, USA

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

First Question [podcast] Belle Gunness short show notes

​ Listen to THIS episode of First Question here! Born as Brynhild Paulsdatter Størseth Belle Gunness, nee Paulsen was born in Christiania, ...