We all have locks on our front doors, cars and safes. This physical protection for our property is so commonplace that we are prone to forget why it exists in the first place. Crime is a sad reality we all face and is why there is a business based around securing homes in various forms. Just as you need locks on your front door because you know that is a common access point into your home, you also need to be familiar with the entry points for the bad guys into your computer and digital systems.
The best online defense is to know the tools and tactics of these internet bad guys who want to leverage the information on your computer for their financial gain. Review the top 7 ways cyber criminals attack computer systems below so that you can be aware and prepared for any malicious activity directed towards you and your family.
Shoulder Surfing
Let’s start with the simplest way for someone to access your information: shoulder surfing. This is done by someone simply looking over your shoulder without you being aware of it. It can be used to watch your keyboard as you type passwords, or simply to view your screen and the private or sensitive information you are accessing. Shoulder surfing is a risk wherever the internet is used in public places such as libraries, cafés and airports.
The solution is to always have your back to a wall when on a laptop or computer. Physical privacy filters can also be placed over your laptop screen so that, at certain angles and distances, it appears black to onlookers.
Brute Force
This is the process whereby an attacker uses software to generate passwords to log into your account through trial and error. The failed attempts can be just as useful to attackers as the actual passwords as they can collect the results of failed attempts to create what is known as a Rainbow Table and narrow down the process or sell to other attackers.
Many systems now time out after a set number of failed attempts and even notify you if your account has been accessed from a different location. The solution is to use strong passwords. We will demonstrate how to create powerful and memorable passwords later in this series.
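The lockout and new-location notice described above can be sketched in a few lines. This is an added example, not code from the original article; the thresholds, the LoginGuard class and the sample events are assumptions made up for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; the article only says "so many"
WINDOW_SECONDS = 300    # assumed: failures are counted over 5 minutes
LOCKOUT_SECONDS = 900   # assumed: account stays locked for 15 minutes

class LoginGuard:
    """Tracks failed logins per account and flags logins from new locations."""
    def __init__(self):
        self.failures = defaultdict(deque)       # account -> recent failure times
        self.locked_until = {}                   # account -> time the lock expires
        self.known_locations = defaultdict(set)  # account -> locations seen so far

    def attempt(self, account, password_ok, location, now):
        """Return 'locked', 'failed', 'ok' or 'ok-new-location'."""
        if now < self.locked_until.get(account, 0):
            return "locked"                      # even a correct password is refused
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                     # forget failures outside the window
        if not password_ok:
            recent.append(now)
            if len(recent) >= MAX_FAILURES:
                self.locked_until[account] = now + LOCKOUT_SECONDS
                recent.clear()
                return "locked"
            return "failed"
        recent.clear()
        first_login = not self.known_locations[account]
        is_new = location not in self.known_locations[account]
        self.known_locations[account].add(location)
        return "ok-new-location" if is_new and not first_login else "ok"

def replay(events):
    """Run (time, account, password_ok, location) events through a fresh guard."""
    guard = LoginGuard()
    return [guard.attempt(acct, ok, loc, t) for t, acct, ok, loc in events]

# Constructed sample: one normal login, a burst of guesses, then the real owner.
SAMPLE = [
    (0, "alice", True, "Belfast"),
    (10, "alice", False, "Unknown"), (11, "alice", False, "Unknown"),
    (12, "alice", False, "Unknown"), (13, "alice", False, "Unknown"),
    (14, "alice", False, "Unknown"),   # fifth failure triggers the lock
    (15, "alice", True, "Unknown"),    # correct guess, but still locked out
    (1000, "alice", True, "Dublin"),   # lock expired; new location is flagged
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

The point to notice is the sixth guess: once the lock is set, even the correct password is refused until the lockout expires, which is what makes trial-and-error guessing impractical.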
Router Finder
Do you know that anyone can access the default password of your home or business router? This is done by simply going to www.routerpasswords.com and looking up your default WiFi name. With unwanted access to your internet, someone could potentially take over your entire system, or do something illegal on your network that will be traced back to your home by the police. This can also be done at a distance; someone doesn’t need to sit outside your house. Here is a gamer who explains how he hacked the WiFi of a house using a Pringle can!
The solution is to visit https://www.whatsmyip.org/ and type your IP address in the URL bar of your browser. You will need to log in to your router, change the default login details of your router and then change your SSID and password to your WiFi.
Social Engineering
This is the process whereby the attacker tricks you over the internet or phone into giving up information willingly. Some of these schemes are obvious, like that Ethiopian prince who wants your bank account information so they can wire you a small fortune, and others are not so obvious, like a dodgy email that’s made to look like an official PayPal email. These tactics are ever changing; however, there are some common elements that attackers use in all social engineering hacks:
1. Authority – They present themselves as an authority (like your internet provider, an IT department, etc.)
2. Intimidation – If you don’t do this, bad things will happen.
3. Consensus – Everyone is doing it.
4. Urgency – Don’t think about it, you need to act now or else you are in danger!
The solution is to be very skeptical when any of these elements are present. Seek to get them to verify who you are. If they are saying that they are part of your bank or some other organisation, they should already have all your information on hand.
Phishing
Phishing at its most basic form is using various methods to retrieve personal information. It is normally done to retrieve banking details or personal information to fake your identity when contacting a bank to withdraw funds.
It can at times incorporate spoofing. Spoofing is when something takes on the identity of something else. An example of spoofing is if your DNS server (the thing that translates your IP into a readable URL) becomes compromised and the URL that you are seeking to access is in reality a fake website designed to phish or collect your private and personal information like bank details or login information.
The solution is to never connect to an internet service you do not trust. If you happen to be connected to the public WiFi in a café, for example, use a VPN to encrypt your connection, and always make sure when entering sensitive information into a website that the URL of the site includes the “S” in the “https://” extension. This S stands for secure and uses a certificate system to demonstrate that the website is legitimate. Also, make sure your social media is locked down and you never publish information publicly that your bank needs to identify you, such as your date of birth, first pet’s name etc. Use HaveIBeenPwned to determine if your information has been breached.
The USB Killer
Another way for your system to become compromised by attackers is if you connect an infected device to your computer. Never connect a USB flash drive to your computer that you do not trust. You never know where it has been or what programs are installed on it. Some USB flash drives could contain malicious worms that can attack and spread from computer to computer without any human intervention. Some of these worms can collect data, and some devices, such as the USB Killer, can even permanently damage your computer and destroy physical components.
The solution is to never install unknown or untrusted software on your computer. Apps have the same permission as users so a dodgy program could literally take over your entire system. You can purchase USB locks that block the physical USB ports on your computer that can be accessed only with a physical key or use a USB condom to prevent data transfers if you simply want to charge a device.
Zero-Day
Finally, the most dangerous of all attacks are the ones we don’t know about yet. These are called Zero-Day attacks. These are security breaches that have not been discovered. If someone with integrity finds them, they can contact the developer to update the software or system to safeguard the user. However, those who have malicious intent will use such exploits to attack their online victims. An example of this would be the CVE-2019 error in the Windows Reporting Service that gave temporary admin access to regular users. This, if left uncorrected, could have been used by attackers to gain admin access to any Windows computer.
The solution is to keep your software up to date with the latest updates; ensuring you have a good firewall is the next step. Use a secure browser like Brave when doing business, and finally use Pi-Hole to block known bad actors and adverts. We will show you how to use Pi-Hole to safeguard your business later in this series.
I hope that you are now in a better position to defend yourself from cyber-attacks. The more people who know this information, the harder it will be for attackers to succeed in their crimes.
Cover Photo by Donald Tong from Pexels