Sign up to our newsletter
“It won’t happen to me” is often uttered by citizens and businesses who are adamant that they won’t become a victim of cybercrime. But this confidence is often misplaced, with even the most basic security errors exploited by hackers. We Live Security looks at 5 signs you’re making yourself a target to the bad guys.
Social media lures were huge in 2013 and despite clicks dropping significantly in 2014, according to Verizon’s DBIR report, the temptation to click on a link sent on Twitter or Facebook remains too much for some.
Although the vast majority of these links are benign, there are those that are not, especially in the aftermath of a natural disaster.
These links, once clicked, redirected users to either legitimate sites that have been compromised or malicious websites, with the same intention of stealing credentials (via a bank log-in page, for example) or ‘drive-by-download’ attack to launch malware on the user’s machine.
Users should think carefully about how much they trust the source of the information, and consider tools – such as checkshorturl.com– for properly investigating Bitly and other shortened links.
Passwords remain a problem for almost everyone; they need to be complex, they’re hard to remember and you’re constantly told to use unique multi-character passwords for each of your online accounts.
Some people have taken to using passwords managers like 1Password or Lastpass to provision and manage passwords (with just one master password required) but others continue to write them down on paper or on the PC. A huge number of people use the same password across multiple accounts.
The danger here is if a hacker compromises one account – and that’s not difficult with phishing emails and brute force attacks – they can go on to to compromise others using the same credentials.
It’s also worth noting the passwords you might forget about, such as the ones used to secure your router, webcam or even internet-of-things (IoT) devices. Many of these come out-of-the-box with default passwords which, if left unchanged, could be taken advantage of.
Aside falling for phishing scams and social engineering, people are also frequently being exposed to potential data loss, financial fraud and more simply by failing to patch – or fix – the software running on their computers.
Security patches are designed to fix vulnerabilities in the software they use. Last year’s Heartbleed flaw in SSL encryption meant millions of web users traffic was exposed, and though this had more to do with IT administrators serving web servers, the point is there that patching is important. On that occasion, hackers had unfettered access to passwords, credit cards details and more.
For end users, Microsoft Office, Adobe Flash Player and Java updates are the most commonly ignored or forgotten, while hackers also look to exploit flaws on WordPress. The end goal is the same – to get in via the backdoor and steal information or money. They do this by “reverse engineering” to discover how to compromise systems not fully-patched.
The good news is that patches are regularly scheduled – Microsoft does Windows updates once a month on Patch Tuesday, as just one example, – while increasingly all major operation systems have options for automatic updates. The latter is certainly recommended if you know you’re not good in this area.
The more tech-savvy users of iPhones and Android smartphones sometimes jailbreak or root these devices to work around the strict controls imposed by Apple and Google, in order to get more apps and functionality.
However, with this come security risks. Jailbreaking makes apps behave in unpredictable ways, while the third-party app stores – admittedly less prevalent than a year ago – have been found to offer up malicious apps, or legitimate apps cracked and recoded by cybercriminals.
If you’re browsing the internet from your home, you’re in relatively safety – your ISP router will likely be protected by a strong password (and perhaps firewall too), so the chance of an outside attack is relatively low.
However, it is a different thing entirely when people use the Wi-Fi in the outside world, especially in hotels and coffees shops where the wireless connection is open and unsecured.
As the Wi-Fi is open, hackers could potentially place themselves in between you and the server in a so-called Man-in-the-Middle (MiTM) attack, in order to steal data or serve up malware. Some ingenious hackers have even managed to hack the connection point itself, causing a pop-up window to appear during the connection process offering an upgrade to a piece of popular software. Just clicking this window installs the malware.
Others, meanwhile, have used readily accessible tools online to act as the Wi-Fi point itself (so beware of those general ‘Coffee Shop Wi-Fi’ identifiers).
Instead, it’s best to avoid sending sensitive information or – if you have to – download and use a VPN.
Author Karl Thomas, ESET