Yesterday, Apple announced that the recent leak of celebrities’ photos was not caused by any breach of its systems. In other words, they are saying that the attack was carried out through “guessing” and “phishing”.
So what does that mean? Guessing is self-explanatory. Phishing attacks are the kind where the victim is shown a fake interface that looks like a well-known website; once you enter your login credentials into that page, they are sent to whoever set up the trick.
You can find tons of articles online about protecting your accounts, but I am going to take a user’s perspective and focus on five common mistakes I see around me that people often overlook.
Know that – If you are not careful enough, it won’t really require “hacking skills” for someone to hack into your account.
The first thing you need to know is that there are tons of people out there who know loads of information about you, enough to perform successful guessing attacks on your accounts. If you are not careful enough, it won’t really require any “hacking skills” for someone to hack into your account.
Know that – “But... I have nothing to hide” does not apply to anyone!
“If you really think that you have nothing to hide. Please make sure that’s the first thing you tell me, because then I know that I should not trust you with any secrets, because obviously you can’t keep a secret.” – Mikko Hyppönen, computer security specialist.
There is a common principle in security: a network is only as secure as its least secure entity. In our world, this means that if you compromise your own privacy, you are compromising the privacy of everyone who trusts you.
Take Facebook as an example. You might think you have nothing to hide (I doubt it), but even if that is true, giving away your Facebook password means that everyone who told you their personal secrets online, and everyone who chose to share things with you specifically because they trust you, has had their privacy compromised. So you had better realize that you do have things to hide.
Pitfall 1 – Your “Secret” Question
A really stupid idea, which seems to me to exist only to let attackers get at you, is the so-called secret question. Maybe it was considered secure a long time ago, because its inventors did not anticipate the number of stalking psychopaths who would be using the internet in the future.
This thing is very common with Yahoo and Hotmail/Live, or whatever it is called now. And since most online services are now connected, you can recover one account’s password through another account if you link them. Recall the least-secure-entity principle!
The thing is, 15 years ago when you created your email account, you probably thought a question like “Where was your grandmother born?” was secure enough. But guess what: now your grandmother is on Facebook, where everyone can see that she is your grandmother and find out where she was born! So someone can answer the secret question on one account, reset the passwords of every other connected account, and you’re done for!
If you insist on using a secret question, use a real “secret” question, or better yet, get rid of this primitive thing for good! We tend to set less complicated secret questions, it is very easy to collect information about anyone online now, and there are plenty of better alternatives (check out 2-step verification, for example).
Pitfall 2 – Lock your computer!
Whether it is at work, at home (especially if you have visitors) or basically anywhere, always lock your PC when you are not attending it, and set it to lock automatically when it’s idle!
You cannot imagine the amount of trouble you can get into if you forget that. I know someone who left his PC unlocked; his co-worker sent out an invitation for dinner at the victim’s place! The poor victim started getting “Thank you for the invitation” messages and had no idea what was going on.
Another guy at a reputable company actually sent a resignation email to everyone on the team on behalf of someone who had left his PC unlocked!
Bonus info: these kinds of attacks are called “workstation hijacking”, by the way.
Pitfall 3 – Your browser was so nice to save all your passwords in one place
Browsers save your passwords to make it easier to log in next time. The problem is, now workstation hijackers know where to look!
Lock your computer, and as an extra precaution, put a password on this page as well. Google Chrome asks for your system password (the one you use for unlocking) before revealing any saved password. I am not sure about other browsers, but I am sure there is a way to set a password in any decent browser; if your browser does not provide that feature, you’re better off with a different one!
Pitfall 4 – Don’t use the same password everywhere!
Just don’t. Otherwise, uncovering one password means uncovering all your accounts.
Pitfall 5 – Keep an eye out for phishing attacks
I cannot really give a recipe for that, but things like “You won’t believe what happens in this video”, “hey you look so funny in this photo!” or “Hey I didn’t know you work in the porn industry!” should look fishy to you. Pay attention to the way messages with links are written; you can usually tell that it is not your friend’s style (and thus that a program may be writing these messages). Think before downloading .exe files or installing apps: why would viewing a video require installing a Facebook app? Or simply ask the friend before opening suspicious links.
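As an added illustration (not part of the original post), here is a small Python heuristic that turns the tells listed above into checks and runs them over a few constructed messages. The trusted-domain list, the sample messages and the `.example` hosts are assumptions made for the demo.

```python
import re
from urllib.parse import urlparse

# Clickbait lines quoted in the post, lower-cased for matching.
BAIT_PHRASES = (
    "you won't believe",
    "look so funny in this photo",
    "didn't know you work",
)
# Hypothetical allow-list of sites the reader normally gets links to (constructed).
TRUSTED_DOMAINS = {"youtube.com", "facebook.com"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".apk")
URL_RE = re.compile(r"https?://\S+")


def host_is_trusted(host):
    """True if host equals a trusted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_signals(message):
    """Return the sorted list of heuristic signals that fire for one message."""
    text = message.lower().replace("\u2019", "'")   # normalise curly apostrophes
    urls = URL_RE.findall(message)
    if not urls:
        return []  # every rule in the post is about messages that carry a link
    signals = []
    if any(p in text for p in BAIT_PHRASES):
        signals.append("curiosity bait")
    # Viewing a video or photo should never require installing an app.
    if ("video" in text or "photo" in text) and ("install" in text or " app" in text):
        signals.append("install-to-view")
    for url in urls:
        parsed = urlparse(url.rstrip(".,!)"))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            signals.append("executable download")
        if not host_is_trusted(parsed.hostname or ""):
            signals.append("untrusted domain")
    return sorted(set(signals))


def verdict(message):
    """Plain-language advice, following the post: ask the friend before clicking."""
    signals = phishing_signals(message)
    if not signals:
        return "looks ordinary"
    return "ask your friend before opening: " + ", ".join(signals)
```

Running `verdict()` over a constructed message such as "You won't believe what happens in this video http://free-videos.example/watch.exe" flags curiosity bait, an executable download and an untrusted domain, while a link to a trusted site with ordinary wording comes back as "looks ordinary".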
Have any other tips? Share them!