
As promised, here's the second part of our series of articles on what you can do to protect your data. It's not that complicated, but few people pay attention, and attackers take advantage of that. In case you missed the first part, you can catch up on it here.

Places

In many places we hear about strong passwords, don't give out your details, scammers, spammers, scams, terrorists, cousin scammers, etc. etc.

The fact is that the media don't necessarily handle things properly, they scare you with all sorts of things, and that's why the information is not as effective.

There is a real danger

Really, no joke, an attack like this could happen to anyone at any time. Speaking from personal experience, you have to be very careful. And that's our first key word for today.

Attention

How does a virus get onto your computer? How does an app from an unknown source get installed on your phone? And how do you get to a phishing site?

We are not paying attention, we click everywhere, even when we are aware of the dangers.

Antiviruses are not very protective, in many cases they are useless if we don't pay enough attention.

So: we don't click, we don't browse random sites, we don't install cracked Among Us, and before clicking a link in an email we check what it is and whether it's realistic.

And what will be harsh, but very important: we trust no one!

Yes, OK, that sounded a bit like a line from the tinfoil-hat anti-virus 5G crowd, but in many cases this is what the bad guys can exploit most effectively: we trust the people we know.

And we shouldn't, because this can inadvertently put us in a tight spot.

Why?

Nowadays, when attackers get hold of a Facebook account, they start sending messages with links to people they know. Now, if you think about it, Sanyi sends a link, Sanyi and I talk daily, he sent a great TikTok 5 minutes ago, and we expect this to be brilliant.

But: Sanyi was careless and the scammers got hold of his details, sending links in his name. We click on this one, assuming it was sent by him.

But no. The page that loads is a Tumblr page with an embedded YouTube video, but you can only view it if you're logged in with your Google account. Makes sense, right? It might even be plausible.

Here comes the question:

But comrade, Chrome has anti-phishing protection, doesn't it?

Yes, but a cleverly written program embedded in a Tumblr page can bypass this, so we, and the browser, think it's a legitimate page.

The example given here is based on real events, the attack is to scare us with naked pictures, and well, anyone who is scared or just curious will fall for it.

Nowadays, the bot that sends the message can even call you by name. Let's say you're screwed if your name is reversed, i.e. it calls you "Hi, Tamás!" :D

This is a so-called phishing attack, the previous article was about something else, but it's important to mention this too.

In a phishing attack, we are tricked into giving our data ourselves, so we are not hacked, it can be called simple fraud.

This can be done in practically any way, even by phone (e.g. they call you from WQ bank and ask you for some details to identify you, such scams have been around for a long time, hopefully you won't fall for it!), then by email, or even by message, as I outlined above.

There is no really effective protection against phishing attacks, beyond not being fooled. Back to where we started: we need to pay attention.

Pro tip: if the content of a letter or text message is strange and the spelling is far from correct, it's probably a phishing message.

The other two attacks described in the previous article, the so-called data breach exploit and cookie theft, are now discussed.

Data breach attack

What is a data breach? Let's remember, krumpli.hu, remember anything?

In short, a website or service is attacked in some way and data is stolen from it, lots of data, which is then sold or simply put online. So the essence of a data breach attack is to use the leaked data.

Chrome has been warning us since August if any of our saved accounts are at risk, but it's worth checking the Have I Been Pwned? page with our email address, and possibly our password, to see if such a leak has occurred. It certainly has.

Adobe, Spotify, but also Hungarian sites: the websites of the former mayor of Győr, Zsolt Borkai, and of singer Ákos Kovács were also hacked, and data has been made public. As I said, this can happen to any site.
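How a password can be checked against Have I Been Pwned? without ever sending the password itself, as an added example that is not part of the original article. It uses the Pwned Passwords range lookup: only the first 5 hex characters of the SHA-1 hash leave your machine, and the match is done locally. The sample response and its counts are constructed for illustration.

```python
import hashlib
import urllib.request


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download all known hash suffixes for a 5-character prefix.
    Only the prefix is sent; the service never sees the full hash."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_body):
    """Look for our own suffix in the 'SUFFIX:COUNT' lines, locally."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # not in any known leak (which does not make it strong)


# Constructed sample response so the example runs offline.
# The counts are made up; the middle line is the real suffix of "password".
SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    split_hash("password")[1] + ":9999",
    "F" * 35 + ":1",
])

if __name__ == "__main__":
    for pw in ("password", "Aunt Jolika's gate code 4711"):
        print(repr(pw), "seen in leaks:", breach_count(pw, SAMPLE_RANGE))
    # Live check: breach_count(pw, fetch_range(split_hash(pw)[0]))
```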

Defending against a data breach attack

Changing your passwords, two-step identification, and checking Have I Been Pwned?.

And another very important thing: don't use the same password in more than one place. Really don't.

If you can't remember strong passwords, which is understandable - because you have your PIN code, your popsicle, your customer ID, your parking machine phone number, Aunt Jolika's gate code, in short, everything in your head - use a password manager, such as LastPass.

In this case, we need to remember a very strong password, and it's important that it's strong, because what good is a hyper-secure, undecipherable password everywhere if it's all protected by another weak one. Make it strong, remember it, and it won't be easy to attack.

Two-step identification

Even if the attacker has your password, he cannot log in if two-factor authentication is enabled. In this case, an SMS code is sent to your phone and you have to enter it to log in. You can also use an app, such as Microsoft or Google's authentication app.

No perfect protection

I always say: what man designs and man makes, man can destroy, so you can never be 100% safe. But you shouldn't be scared either, you can't live in fear. A little attention and a combination of the right software can give you a tolerable level of security and a sense of security.

Up-to-date, legal software

I know that in this small country surrounded by flames it is not always customary to use clean software, but it is worth it. Our Russian friends often put Trojan viruses into cracked software. These have no apparent effect on how the computer works, but in practice they are very damaging, because the soldiers hidden inside can burst out at any time and go straight into battle.

What can happen? Keylogger, botnet, reverse shell.


If you have time, watch it, it's brilliant :D

Keylogger: monitors your keystrokes and all your actions, and then passes them on to attackers.

Botnet: In the event of an overload attack designed to bring down or slow down a website, such viruses are activated and use our computer to attack a website.

Reverse shell: remote access that gives the attacker full control over your computer, almost undetectably.

Just because software is legal doesn't mean it's safe: there are often security flaws in open source software that can be fixed with an update, but if you don't install it, you put yourself at potential risk. So, make sure you install all updates!

Defending against a cookie theft attack

Well, if we follow the above, we have increased our security considerably, but a cookie theft or session theft attack can still happen to us.

So when installing Chrome extensions (or Firefox, Brave, Edge, Safari, etc.), be careful what you add to your browser.

And check what's installed from time to time, because malicious software might add a browser extension against your will.

Log out when you're done, but at least once a week anyway!

When you log out, the session expires, so even if a cookie is stolen, it is much less likely that it can be used.
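What logging out changes for a stolen cookie, as an added example that is not part of the original article. It assumes the site keeps sessions in a server-side table and deletes the entry on logout; the class and function names are made up for this sketch.

```python
import secrets


class SessionStore:
    """Server-side session table: the cookie only carries a random token."""

    def __init__(self, idle_timeout=1800):
        self.idle_timeout = idle_timeout      # allowed inactivity in seconds
        self._sessions = {}                   # token -> (user, last_seen)

    def login(self, user, now):
        token = secrets.token_urlsafe(32)     # value placed in the cookie
        self._sessions[token] = (user, now)
        return token

    def validate(self, token, now):
        entry = self._sessions.get(token)
        if entry is None:
            return None                       # unknown or logged-out token
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]         # expired through inactivity
            return None
        self._sessions[token] = (user, now)   # every use refreshes the timer
        return user

    def logout(self, token):
        self._sessions.pop(token, None)       # the token is now worthless


def replay_after_logout():
    store = SessionStore()
    cookie = store.login("sanyi", now=0)
    stolen = cookie                           # copied by a malicious extension
    before = store.validate(stolen, now=60)   # still works
    store.logout(cookie)                      # the real user logs out
    after = store.validate(stolen, now=120)   # the copy is rejected
    return before, after


def replay_without_logout():
    store = SessionStore(idle_timeout=1800)
    stolen = store.login("sanyi", now=0)
    # Without a logout, using the copy every 20 minutes keeps it alive.
    return [store.validate(stolen, now=t) for t in (1200, 2400, 3600)]


if __name__ == "__main__":
    print("after logout:", replay_after_logout())
    print("never logged out:", replay_without_logout())
```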

That's all for today's not-nearly-brief article on data protection. There will surely be more, as the topic is always topical, cyber attacks happen all the time, and the methods are changing. If you have questions, feel free to ask them here, on Facebook, or on Instagram.
