Which of these three links is malware?
None actually. But how do you know before it’s too late?
We want to show you how.
Our goal with the security minded section of our blog is to give you a quick-and-dirty rundown on all the things that you could be doing to improve your online safety.
Starting with the 8 essential security topics:
- Social Engineering – You
- Social Networks
- Phishing for Bad URLs
- Passwords are Hard
- Firewalls or Antivirus
- Locking your D!@# Computer Screen
- Working in Public?
- Hard Drive Encryption
In the end, we will compile this into an e-book for you to download and share.
Disclaimer: This series is not intended to replace IT policies your organization has in place. If you want to make changes to a work computer we highly recommend additional research and consulting your IT staff. They are there for a reason!!
1. Social Engineering – You
Ultimately, there is one thing consistent with all low-level exploits being used today: You.
‘Hackers’ would much rather target you than the system you are using. It is much easier to leverage human weaknesses than to find small errors in a computer program.
Specifically, it is far more effective to make an educated guess about a password than it is to hack into a computer system.
Leveraging relationships and manipulating human nature to gain access to a system is typically referred to as social engineering.
During the early days of the internet and social networks, there were questionnaires that asked you to fill in “20 things people don’t know about me.”
Yup. 20 different pieces of information that can help guessing password or password reset questions.
The first thing a hacker worth his salt would do is check all the passwords he thinks are more likely to be used by the victim. A decent system will protect against this by limiting the number of password entries possible within a small timeframe.
This is exactly what happened in the iCloud fiasco. Someone at Apple forgot to limit the number of password attempts possible on a particular part of the platform.
Once the attacker had his targets’ email addresses, all he had to do was check common passwords and … well you know the rest.
2. Social Networks
Social networks are the worst, right?
Most Social Networks, in our experience – and we have quite a bit – are pretty good at doing exactly what their privacy settings say.
When you select the “Friends Only,” setting on your profile or “Private,” it is a decent-to-good bet that your information is much harder to access from the outside world.
“IF YOU DON’T PAY RENT IN THE BARN, YOU ARE WHAT IS BEING SOLD.” [Tweet this]
One interesting trend we are seeing to improve your online privacy and overall safety is quite manual. Use a pseudonym for your profile’s username.
Do you really need your full legal name on a social media site? Probably not.
Most of the people that connect with you either have mutual friends or know you in some way that doesn’t require them to know your full name.
For of example, “James Carl Jones” could be easily identified if his profile listed “JC Jones” or “James Carl.”
How can I check what is already public and out there?
There are a couple ways of doing this.
Our first recommended method is to open Chrome’s “Incognito Browser,” or equivalent, which simulates a user that doesn’t have any prior information about you. Then search yourself on Google, Facebook, Twitter etc and see what comes up.
We also use Echosec to check out our own social media exposure and make sure that the posts we find are the ones we intended to share. In the example below, we used Echosec to map one of our employees recent Twitter posts:
3. Phishing for Bad URLs
This best practice is critical. No exceptions. This method will keep you out of trouble for years to come. And it’s easy. Dead easy.
Phishing is the art of getting you to click on something (bait) that leads to a site under their control. Often times this bait is painfully obvious – some sob story about getting stuck in part of the world you have never heard about.
DID YOU KNOW: SCAMERS OTFEN INTENTIONALY MAKE SEPLLING MISTAKS. [Tweet this]
Scammers often intentionally make put spelling mistakes in their emails, to make it easier for skeptics to dismiss the email. Intelligent people won’t send money, so weeding them immediately out with misspelled messages keeps them from wasting the scammer’s time! Scary.
But, recently, these messages have been getting better, shorter, simpler, and easier to miss.
Something as simple as,
“hey Joe, here is the link you wanted.”
There is a decent method for figuring out if a link is valid or not. Unfortunately, this method isn’t as reliable as it used to be because of the prevalence of link shorteners.
Link shorteners are used to shorten any URL but still allow it to direct you to the correct page. This is very convenient and often used for things like Twitter which limit the number of characters you can use in a post. For example the URL “https://app.echosec.net/?bbox=-13127994.966334,4003018.6387233,-13125276.674516,4004236.8538615&query=-13127340.104605718,4003225.6272393544,-13126225.341071617,4004340.3907728936&start=2015-03-05&end=2015-03-12″ can be shortened to “http://j.mp/1FbyjcH”
Outside of use in social media, or by another trusted source, a shortened link is a strong indicator that it is untrustworthy.
Does the actual link match your expectations? That’s it. It is trivial to change the text of a link to direct to a different location. But how to you check?
If you aren't sure about a link, type the destination site into a trusted search engine such as Google or DuckDuckGo. [Tweet this]
Look at the following picture. In Google’s Chrome browser, you can hover a link to see where it goes. In other browsers, you can simply right-click, copy the link and paste it in your URL bar.
In this case, the link matches the URL I would expect it to direct too.
If, as in the following example, the link points to a site that you were not expecting. Don’t click it. That simple.
(We made this example up, this is not the real Wikipedia page, but it isn’t hard to do if you control the link)
Often times there is additional information contained within the link, this can be information that logs your click or automatically plays a video and is largely harmless.
If you are unsure about a link, type the destination site and a few keywords into a more trusted source such as Google or Bing and follow the link through there.
If you do end up on a questionable website, you can look at the URL to determine if it is valid or not. If it has a verified domain, (a green box or green padlock before the HTTPS) you are good to go.
Think you are pretty good at it already? Here is a test for you. I only got 12/14!
Did you check that link before you clicked on it?
To Learn More about Echosec, Request A Consultation.