Owning Your Personal Security

By: Moonstone Team on 2. Oct. 2016

With the recent increase of sophisticated phishing attacks that utilize channels such as email, phishing sites and paid ads, we’re witnessing a rise in hacking complaints from all types of users in a global scale. Although some of these attacks might be smart and well placed, that even a cautious user would be lured into it - most of them are basic. How come in a time where users are becoming increasingly more tech savvy than ever before so many people seem to fall for cheap phishing tricks. The only answer I can think of is complacency and reliance. Relying on third party applications to safeguard you on the internet. Companies that provide security solutions are partially responsible for the image. They have managed to create unrealistic expectations through their marketing efforts. Their ads tend to be some variation of: buy our product and you will never be hacked again - resulting in internet users who are more careless.

To get back to practical matters here, the best that the companies are doing is encrypting your data and hashing your passwords, but they can’t protect your password if you hand it to phishing e-mails. They can’t protect your data either, if you don’t have the common decency to check the link where you are inputting your data and whether it is a phishing website.

All the roads lead to: taking personal responsibility for your security

1. If “a friend” asks you to access the website, just take the time to go through the normal website. What I mean by this is, if a website asks you to go to a shady www.faceb00k.com, just take your time to type www.facebook.com

2. Same goes for attachments, or download files. Dot not open them before you check the extension of the file first. If you are a windows user and the file is .exe or a .exe inside a .zip file its red flag immediately. Same goes for .dmg files on mac. No matter who the email is coming from - do not open it without a confirmation from the sender If it’s an application your friend is sending you, ask your friend for the name and go through the hassle of downloading it yourself.

3. Don’t e-mail personal or financial information, no matter how close you are with the recipient. Because the person you e-mail can be compromised, this also means that the personal information is possibly not being requested from your friend and can be used for malicious intent.

4. Don’t click ads. Ads are targeted towards you, they work that way. Algorithms. So if you’re always searching for virtual currencies, the targeted ads will be about virtual currencies. With or without an adblocker, just don’t. That leads us to the next point.

5. Install uBlock Origin. It’s the least CPU intensive and RAM hungry adblocker.

6. Use a separate browser for more sensitive work. Use one browser for surfing, the other for more tedious work. Regarding that sensitive browser, clear your cache, cookies, browser history each time you’re done with it.*

7. You’re not getting free Bitcoins, Ether, Bitshares, or any other virtual currency in a shady e-mail in three simple steps. Step 1. Don’t enter your username. Step 2. Don’t enter your password. Step 3. Don’t give out your credit card information.

8. Two-factor authentication. Period. Although not 100% safe, it’s a massive hassle towards any hacker that wants to access your data. If this is present, and you still get hacked because you don’t have it, then it’s COMPLETELY your fault.

9. Know exchanges are not unbreakable. Websites like ShapeShift, GateCoin, Cryptsy have been hacked before. Of the many reasons, insecure systems, inside jobs, leaks etc., you name it. So use them with caution.

10. Use a password manager. Programs like LastPass, Keepass are great options. This makes sure you don’t reuse two, or three passwords, and if one of them leaks, it doesn’t mean doom for half your social medias. (And no, qwerty123 is not a safe password.)

11. Use NoScript. This blocks a major of javascripts from being loaded automatically. You can also selectively allow which script you want to load.

Point 6 is sensitive. The reason this is done, the whole cache, cookie, history clear, is because of XSS vulnerabilities. These can be service-related, browser-related, or 0-day vulnerabilities. What this means is that if the vulnerability is exposing your browser memory, at least the sensitive information is safe.

Two-factor Authentication

Unless you are targeted by a group of hackers, then yes, a simple phishing website will have an issue getting that authentication code. Of course, that’s if you don’t give them the auth code yourself, which is also being asked for in phishing websites. Check the domain name, check it again.

If you access www.facebook.com, through this random link your friend sent you, and it asks you to type in your two-step auth code, make sure you check the domain name. Unless you told the website to SPECIFICALLY not remember the browser, or cleared your cache, this domain is most likely a phishing site.

Take the step towards personal safety. You are responsible for these things. Educate yourself against these simple, yet effective ways. Companies can only do so much to protect you.