Hi, everyone. This information is pulled from a training course I provide to companies on a regular basis using my IT and Network Security experience. Granted, I have been out of that career for well over a decade now, but a lot of the basic concepts still apply, and I still keep abreast of new cyber threat developments and vectors. I try to the best of my ability to avoid highly technical terms and use layman's terms wherever possible. I might have to break this into multiple threads if I exceed character or image limits.
Some of my IT background:
- First computer in 1983 running DOS 3.3
- 25 years in the IT industry
- 15 years as a Network Administrator
- Installed & secured ATMs for 3 years
- Fluent with DOS, Windows, Apple, Linux, Android, & iOS
- Attended annual cybersecurity conferences at IU University from 2008 – 2020

As hyperbolic as that sounds, he's not that far off the mark. The greatest feature of our 21st century devices is that they are designed to easily communicate across the internet and internal networks. That is also their greatest weakness. Threats range from criminal bad actors and corporations attempting to steal your data to sell to other criminals or companies to poor product development where security is an afterthought. As part of an investigation I was conducting several years ago, I had to go on the Dark Web and download a database of user information from a website that had not only been compromised, but was also storing their user data in plain text. It took me less than half an hour to download that database and confirm that it contained my client's personal information - including username, password, e-mail, and credit card information - none of which was encrypted. Things like this happen on an almost daily basis. Anytime you hear of a major breach from companies like AT&T or Facebook, that information has already been available on the Dark Web for weeks, if not months, before the general public hears about it.
Users also play a part by engaging in inherently unsafe online behavior:
- Most people are completely unaware of what their computers & phones are doing in the background
- Most people use poor passwords
- Most people use the same poor passwords for everything
Bad actors are constantly evolving and improving their techniques:
- E-Mail “phishing” scams are becoming extremely sophisticated, fooling even experts on occasion
- Criminal use of AI is becoming more common, making malicious activity even more difficult to detect
- Most “free” apps are designed strictly for advertisement & data mining purposes
- The most dangerous phone apps: Social Media & Games
- “Always On” connected devices
- Unencrypted cloud storage
- "Internet of Things" (IoT)
- Software & app developers are usually not security conscious
Before I get into the details of this post, I want to dispel some very common myths about privacy and cybersecurity that a lot of people believe:
“I don’t have anything on my _________ anybody would want.”
Yes, you do. Your phone especially has a treasure trove of information for criminals. It has your personal information as well as the personal information of everyone in your contact list. Any bookmarks you have in your browser can tell a criminal where you shop and which financial institutions you use. Even worse, if you have saved your login information to those accounts in your browser or a specific app, that bad actor now has full access to those accounts and can impersonate you. That person can also hijack your e-mail account if you check your e-mail on your phone and send out password requests to accounts, effectively locking you out of everything.
“Oh, I have ___________ security software installed.”
That's a good start, but too many people think that makes them invulnerable, and it doesn't. It might make it a little more difficult for a bad actor to gain access to your devices, but if you are being specifically targeted, they will get in. Think of your computer or phone as your house. You lock all your doors and windows when you go to work and you have an alarm system installed. That will weed out the amateurs from getting in, but if a professional wants to get into your house, they will, no matter how secure you make it. Your computers, tablets, and phones are no different.
“I only use my computer/phone for e-mail & games.”
That's what you might be using it for, but that doesn't make you safe. First, there is a lot going on in the background having nothing to do with your e-mail or your games that you are completely unaware of. Second, e-mail and game apps are primary threat vectors for bad actors.
“I never engage in risky behavior on the internet.”
This usually translates to "I don't visit adult websites." But the mere act of turning your device on and allowing it to connect to the internet is risky in itself. At one point during the Windows XP days, someone ran an experiment taking a brand new XP system out of the box, hooking it up to the internet and just turning it on. The amount of time for that XP system to become compromised was usually measured in minutes, even with nothing being done on the computer.
“If a hacker wants to get in, he’ll get in. Why even bother?”
This might be true, but I always return to my analogy of your house. By making it as difficult as possible to gain entry you weed out the amateurs, decreasing the odds of being broken into. The same philosophy applies to computers and phones.
“All this security stuff is too complicated for me.”
Maybe, especially for people from the Boomer generation and about half of GenX. Anyone born in the 80s or later has grown up with the technology. If you find you are overwhelmed by the concept of securing your devices, let someone else do it for you. Chances are you have a younger member of your family who can help you out for free, and the worst-case scenario is to find someone like me and pay them $50 to $100 to do it for you.
“I’ve been on the internet for years & never been hacked.”
Yes, you have. I absolutely guarantee you have and you just weren't aware of it. Now, the severity of that hack is up for discussion, but thinking you've been on the internet for 20 years without being hacked is pure hubris.
“My password is super-strong. Nobody could guess it.”
Maybe, but usually it's not humans trying to guess it, it's a computer running thousands of passwords per minute trying to find the right one. This is called a "brute force attack." Also, if I have physical access to your computer, especially one with a Windows operating system, I will gain access in less than five minutes, not by guessing or brute forcing your password, but by booting to a disc or USB drive with specialized software that will allow me to reset or simply bypass whatever password you have in place. I have done this hundreds of times for data recovery. Apple computers take longer and Linux computers even longer than Apple. If the data stored on your computer isn't encrypted all I have to do is boot to a USB drive with a Linux OS installed on it and I can just directly access your file system with no login information required, copy what I want, shut down, and you'll never even know I was there.
Part 2 of this thread to be posted soon.
