Sunday, September 29, 2024

Cybersecurity FAQ



I regularly contribute to a subreddit named r/cybersecurity_help and a few others on Reddit, like r/scams, r/IdentityTheft, r/privacy, and r/MacOS, where I help answer questions on a wide range of topics, including online safety, identity theft, scams, extortion, malware, and viruses. I often encounter repeated questions in these forums, so I decided to consolidate all the frequently asked questions (FAQs) in one place. This way, cybercrime victims seeking help or advice can find answers and support for many of the frequently asked questions here. While this isn’t a comprehensive list, it covers many of the questions I’ve seen posted in these forums. This will be a living blog to which I will continually add as I find more of these repeated questions.

Feel free to provide any feedback or additional FAQs you’d like to see in this blog in the comment section. With that said, here are the FAQs in no particular order.

FAQs

1. Someone on the internet says they know my IP address, I am scared.

There is a common misconception among many internet users that knowing their IP address somehow gives someone the power to "hack" them. This myth has been spread by non-technical users, social media, and news outlets, among others. The fact is, every website you visit knows your IP address because it needs this information to send content (text, images, etc.) to your browser so that it can be displayed on your screen. This is how everything on the internet works, not just websites. In addition to your IP address, your internet browser provides much more information to the websites you visit than you may realize. Visit this link (https://myip.selvansoft.com) to see some (not all) of the details your browser shares with websites you visit. An IP address is just a number; only your Internet Service Provider (ISP) knows that it was assigned to you, and they will not disclose your information unless they receive a request from law enforcement accompanied by a proper court order. Being afraid that someone knows your IP address is like worrying that people saw your car’s license plate number while you were driving around the city. Unless you’ve committed a crime and are fleeing from law enforcement, this isn’t a problem. Similarly, if you haven’t done anything unlawful online, you have nothing to worry about if someone claims they have your IP address. They can’t do anything with it. With that said, and to be thorough in this FAQ answer, I want to add the following. If you intentionally expose a vulnerable service or, worse, enable UPnP (some do this to run a gaming server without fully understanding the impact), it is possible for someone to attack your machine. Last but not least, if someone with a deep understanding of TCP/IP networking is determined to attack you for some strange reason, they can always perform a DoS attack on your router using just your public IP (you don't need to expose anything) and knock it offline. But while this is possible, it is not probable.

2. I got an email mentioning Pegasus, is this real?

The Pegasus email scam is one of the most popular scams in circulation, and yes, it is 100% a scam. While it is true that Pegasus is a sophisticated spyware developed by the Israeli cyber-arms company NSO Group, it is used for surveillance purposes, often by government agencies and law enforcement for espionage and counter-espionage activities. Unless you are involved in espionage, a spy agency, or terrorism, or are a powerful political figure, there is no ROI in spending money (the cost of the software can be $500k or more) on infecting your devices with Pegasus! Ordinary citizens are not the target. The idea behind this scam email is to use scare tactics with bits and pieces of information like your address, name, email, phone number, a picture of your house from Google Maps, etc., all of which are publicly available, to make you send them money. Whatever you do, never send money. Just delete and block this email as spam and move on with your life. No one is going to come after you.

3. Does VPN keep me safe online?

First, a VPN (Virtual Private Network) is a privacy tool that primarily focuses on your privacy by masking your IP address and encrypting your internet traffic. It is not a security tool. While privacy and security do overlap, they are distinct concepts. Privacy is about protecting your personal information and activities from being observed, while security involves protecting your data and device from unauthorized access and threats. That said, if you think running a VPN will protect you from all compromises, you are misinformed. You could run a VPN and still visit a malware site, install pirated software, or use a compromised network, and your device would be compromised just like anyone not using a VPN. Moreover, pretty much all data communication today is done in encrypted form. As long as you are using the HTTPS protocol, you are relatively safe, and you don’t necessarily need a VPN. See additional details at the blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html).

4. My name, address, and phone number are listed on a website. What do I do?

While this is a problem, the short answer is that there isn’t much you can do other than ask them to remove it, which is not an easy task. You can follow this blog (https://blog.selvansoft.com/2022/07/how-much-of-your-info-is-freely.html) for guidance or try a paid service like Incogni or Optery. The reality is that many data aggregator sites collect your publicly available data, such as your name, address, and phone number, and sell it legally to anyone online. This is a big business, and these data aggregator sites are popping up all over and are here to stay.

5. I sent intimate photos to someone online, and now they are threatening to share them with my contacts if I don’t send them money. I am scared. What should I do?

There is nothing you can do at this point but block and ignore them. Most importantly, never send any money; if you do, that will only make them ask for more, and it will never stop. Likely, the scammer will move on to the next victim. However, be prepared for the possibility that they might get angry and send your pictures to your contacts if they have access to them. While it’s very unlikely this would happen, as they could be scamming someone else instead of wasting time on you, there’s a chance they might persist if they believe you’re a high-value target with the potential for a significant payout. In that case, they would likely continue with the charade. I hope you learned your lesson.

6. I see a lot of attempted logins on my Microsoft account. How do I stop it?

Though it may sound strange, the short answer is, it is normal these days to see multiple attempts daily or even hourly, as shown in the screenshot below.

With so many data breaches in the last decade or so, pretty much everyone’s email is leaked. You can check your email in HIBP (https://haveibeenpwned.com/). Scammers use automated scripts to attempt to log in using your email with an attack technique called credential stuffing (i.e., using leaked passwords), and it will not stop. Just ignore it; as long as you have your account well protected with a unique and strong password, MFA with an authenticator app or better (hardware keys), or passwordless login, etc., you have nothing to worry about. There is a way to minimize these attempts: reduce the number of email aliases you have that have login ability. Obviously, the more you have, the more the number of attempts multiplies by the alias count. Restricting which alias can log in and removing login ability from the others reduces the attempts and lowers the risk. Follow the link (https://account.live.com/SignInPreferences) when you are logged into your Microsoft account and check if you have multiple aliases with login privilege. Finally, by creating a brand-new alias and allowing only that alias login access, you can stop these attempts altogether … well, until your new alias is leaked down the road 😁.

7. Is using public Wi-Fi safe? 

Public Wi-Fi (airport, hotel, coffee shop, etc.) comes with inherent security risks. While complete safety is impossible to achieve, you can significantly improve your online security by following good cyber hygiene best practices. Avoid sensitive transactions like logging into bank accounts, credit card portals, or other financial platforms while connected. If the website you visit does not offer HTTPS transport, do not visit it. Make a habit of only visiting sites that offer HTTPS transport, even on private networks. Enable your firewall; most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private. Optionally, you can run a VPN for an additional layer of protection. However, it’s not strictly necessary. Contrary to popular belief, a VPN doesn’t make you invincible. Here is a blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html) that outlines what a VPN is and is not, if you’re interested in reading it.

8. I opened a sketchy PDF file. Is my computer compromised?

While there are documented cases of malicious executable code being embedded in PDF files, malware cannot do anything on its own. It relies on exploiting vulnerabilities in your PDF reader software to run. Therefore, the security of your system depends on the PDF reader you use. If you keep your operating system, browser, and applications updated with the latest security patches, you should be fine. For example, if you opened the PDF with your browser, which is typically the case, as long as your browser is updated with all the recent updates, you should be fine even if the PDF is infected with malware. Finally, if you only downloaded the PDF and did not open it, it should not cause any damage whatsoever. Just delete the PDF and move on.

9. I was part of a data breach; how do I protect myself from identity theft? 

First, you are not alone. Given the numerous major data breaches in recent years, many people’s SSNs are unfortunately exposed. For instance, the AT&T breach in 2022 reportedly compromised the SSNs of between 50 and 100 million customers. Additionally, the recent National Public Data leak included a vast number of individuals. To prevent identity theft, you should freeze your credit reports. This restricts access to your credit information, making it difficult for criminals to open new accounts in your name. You can easily freeze and unfreeze your credit as needed, such as when applying for a loan or credit card. Here’s a simple blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) outlining how to freeze your credit.

10. I changed my password and enabled MFA, but an attacker still accessed my account. How?

It is likely that you have info-stealing malware on your device, which exfiltrated your authenticated session token. Alternatively, you may have visited a malware-laced site that ran a malicious script to read your authenticated session token. Either way, a remote attacker has your authenticated session token. This is a form of attack called Session Hijacking. Keep in mind that strong passwords, MFA, and hardware keys are irrelevant against session hijacking attacks, as the attacker can use the valid session token to log in as you until the session token expires, which can be hours, days, or even weeks, depending on how the session management is implemented on the website. To remove the access, you need to invalidate your sessions by logging out of all your accounts on all your devices. In case you find your device is infected with a virus or malware, follow FAQ#11 below to remove it. Also read FAQ#21 below on a new feature that will prevent Session Hijacking in the future.
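The mechanics behind this answer, as an added example that is not part of the original post: a constructed, in-memory session store standing in for a website's server side. It shows why changing the password does nothing to a token an attacker already copied, why "log out of all devices" does, and that an untouched token only dies at its expiry. The one-week lifetime, the usernames and the placeholder hash strings are assumptions for the demonstration.

```python
import secrets
import time

# Assumed session lifetime (one week); real sites choose hours, days or weeks.
SESSION_TTL_SECONDS = 7 * 24 * 3600


class SessionStore:
    """Constructed stand-in for a website's session table and credential table."""

    def __init__(self):
        self._sessions = {}   # token -> (username, expires_at)
        self._passwords = {}  # username -> password hash

    def set_password(self, username, password_hash):
        # Only the credential table changes. Tokens already issued are never
        # consulted here, so an attacker's copy of a token keeps working.
        self._passwords[username] = password_hash

    def login(self, username, now=None):
        # Password/MFA verification is assumed to have succeeded before this call;
        # the store only models what happens after authentication.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # 256 random bits: unguessable, but copyable
        self._sessions[token] = (username, now + SESSION_TTL_SECONDS)
        return token

    def user_for(self, token, now=None):
        """Return the user a token belongs to, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]
            return None
        return username

    def revoke_all(self, username):
        """'Log out of all devices': drop every session belonging to the user."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def hijack_timeline():
    """Replay the FAQ scenario with a simulated clock; returns what held at each step."""
    store = SessionStore()
    store.set_password("alice", "argon2id$...old")   # placeholder hash, not a real one
    victim_token = store.login("alice", now=0)
    stolen_copy = victim_token                        # exfiltrated by an info-stealer

    # Step 1: Alice changes her password. The copied token is still accepted.
    store.set_password("alice", "argon2id$...new")
    after_password_change = store.user_for(stolen_copy, now=3600) == "alice"

    # Step 2: Alice signs out everywhere. The copy is dead; a fresh login works.
    revoked = store.revoke_all("alice")
    after_logout_everywhere = store.user_for(stolen_copy, now=3700) == "alice"
    fresh = store.login("alice", now=3700)
    fresh_login_works = store.user_for(fresh, now=3800) == "alice"

    # Step 3: a token nobody revokes is only rejected once its lifetime runs out.
    fresh_token_expires = store.user_for(fresh, now=3700 + SESSION_TTL_SECONDS) is None

    return {
        "stolen_token_valid_after_password_change": after_password_change,
        "sessions_revoked": revoked,
        "stolen_token_valid_after_logout_everywhere": after_logout_everywhere,
        "fresh_login_works": fresh_login_works,
        "fresh_token_expires": fresh_token_expires,
    }


if __name__ == "__main__":
    for step, held in hijack_timeline().items():
        print(f"{step}: {held}")
```

The important design point is that the site's "log out everywhere" button has to touch the session table, not just the password table; a site that only rotates the password hash leaves every previously issued token alive until it expires.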

11. My computer is infected with malware. How did it happen, and how do I recover?

The root cause could be anything from installing pirated software or game cheat codes to clicking on malicious links or visiting compromised websites (inadvertently or intentionally) that ran malicious code in your browser without the need to install anything (this is called fileless malware, which scanners often miss). Run a full scan of your device with a malware scanner like Malwarebytes and/or a good virus scan tool to remove/clean the infection. In most cases, that is all you need to do. However, while most virus/malware removal tools do a good job of removing infections, they may not be effective if you are infected with a persistent rootkit. In that case, you may have to do a complete wipe (wipe the hard drive, including the EFI partition) and reinstall the OS. This is quite different from the typical “Windows reset/reinstall” step most people are familiar with, which doesn’t remove things hiding in partitions outside the reach of a standard OS reset/reinstall. An explanation of how to do that is outside the scope of this answer, but you can consult an expert to help you accomplish it, or you can do it yourself by following FAQ #13 below. Finally, to prevent future attacks, be cautious about the websites you visit, avoid clicking on random links, and refrain from downloading pirated software or crack codes, etc.

12. How do I backup my Google Authenticator secrets?

As a cybersecurity professional and practitioner, I would not advocate syncing authenticator secrets to any form of cloud storage; instead, keep them local. MFA is your second layer of protection and having the secrets for generating OTPs for MFA reside in the cloud makes you vulnerable in the event of future data leaks. Follow my instructions below to detach Authenticator from Google cloud sync and take responsibility for guarding your secrets under your control. 

First, export all your secrets. Google Authenticator allows you to export all secrets to a giant QR code. Save this QR code image to your local drive and follow the steps.

  1. Enable Google sync.
  2. Now delete all the secrets.
  3. Let Google sync the now-empty Authenticator.
  4. Now, disable Google sync.
  5. Import everything back from the giant QR code you saved above.
  6. Keep the QR code in a safe place or, better yet, print a paper copy to store.

Ultimately, Authenticator cloud syncing boils down to the "convenience over security" argument. In the digital age, online security is your lifeline. Therefore, I generally advise everyone to never prioritize convenience over security.

Alternatively, if you are a command-line interface (CLI) user like me, the ultra-safe and secure way is to completely discard phone OTP apps and use a command-line tool called oathtool on your laptop/desktop (macOS or Linux) to generate OTPs. I have a shell script that I personally use that wraps oathtool to make it secure by encrypting the secrets using GPG or OpenSSL on your laptop/desktop. You are welcome to use it, and it can be found on my GitHub (https://github.com/aselvan/scripts/blob/master/security/oathtool.sh).

How to use the oathtool.sh script:
Add secret (example: gmail):  oathtool.sh -k gmail -a "gmail_authenticator_secret"
Generate OTP (example: gmail):  oathtool.sh -k gmail

13. How do I completely wipe my hard drive to remove a rootkit or to dispose of it with no sensitive information?

Contrary to popular belief, deleting partitions and formatting a drive does not truly wipe data. While it renders the data inaccessible to the operating system, the actual data persists on the drive until overwritten by new information. Therefore, if your system was compromised with a rootkit (which commonly hides in the EFI partition), repartitioning or formatting does not guarantee its removal. To achieve a completely clean drive, every byte in every sector must be overwritten with zeros (or random bytes) before partitioning and formatting to install a fresh OS. While numerous methods exist for wiping a drive clean, here's a straightforward approach if you have basic command-line skills in Linux.

First, download a Linux distribution (e.g., Ubuntu) to a USB drive, then shut down your machine and boot from it (adjust BIOS settings to prioritize USB boot). Once in Linux, open a terminal and type "sudo su" to gain root privileges. Identify the device file corresponding to your Windows hard drive/SSD. This will typically resemble /dev/sdc or /dev/sdd. For reference, the screenshot below shows a Windows hard drive at /dev/sdi. Ignore other details in the screenshot as they pertain to a different context.


You can determine your Windows drive's device file by running "fdisk -l" (the -l flag with no device argument lists every drive) and examining the output. Once you identify your Windows drive's device file, execute the following command, replacing "/dev/sdi" with your actual device file.

shred -vf -n1 /dev/sdi 

Be prepared for a lengthy process (potentially hours) depending on the hard drive or SSD's size. Note: If you are disposing of the hard drive, remove the -n1 argument so shred performs its default multiple overwrite passes. It would not be a bad idea to perform a full scan of all the data you have backed up from the infected drive. In fact, it would be quite easy to do so in the step mentioned above while operating under Linux. You can install ClamAV (https://www.clamav.net/) using the command "apt install clamav". Then, identify the mount point of your USB drive that contains your backup data and run clamscan on it. This can be done simultaneously while you are wiping your hard drive as described in the previous step. Once your drive is completely wiped and your backup data has been scanned, install a fresh copy of Windows from read-only media. At this point, your Windows installation should be as clean as a whistle.
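A check worth running from the same Linux live session once shred finishes, as an added example that is not part of the original post or of the author's scripts: it reads the start of the device for the signatures an un-wiped Windows drive would still carry (MBR boot signature, GPT header, NTFS/FAT32 boot sector) and samples random blocks to see whether anything text-like survived. Random-looking blocks (shred's default) and all-zero blocks (a zero fill) both count as wiped. The 512-byte sector offsets are an assumption (4Kn drives place the GPT header at 4096), the `make_sample_images` helper only builds constructed disk images so the check can be exercised without a real drive, and reading `/dev/sdX` needs root.

```python
import os
import random
import string
import tempfile

BLOCK = 4096

# Magic bytes an un-wiped Windows drive would still carry. Offsets assume
# 512-byte sectors (assumption; on 4Kn drives the GPT header sits at 4096).
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("GPT header (EFI partition table)", 512, b"EFI PART"),
    ("NTFS boot sector", 3, b"NTFS    "),
    ("FAT32 boot sector", 82, b"FAT32   "),
]

_PRINTABLE = set(bytes(string.printable, "ascii"))


def leftover_signatures(path):
    """Names of disk/filesystem signatures still present at the start of the device."""
    with open(path, "rb") as f:
        head = f.read(BLOCK)
    return [name for name, off, magic in SIGNATURES if head[off:off + len(magic)] == magic]


def sample_blocks(path, samples=256, seed=None):
    """Read random blocks and count those that are all zero and those that look
    like readable text (over 90% printable ASCII). Text-like blocks mean data survived."""
    rng = random.Random(seed)
    zero = texty = 0
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()          # also correct for block devices, unlike os.path.getsize
        for _ in range(samples):
            f.seek(rng.randrange(0, max(1, size - BLOCK + 1)))
            block = f.read(BLOCK)
            if not block:
                continue
            if not any(block):
                zero += 1
            elif sum(b in _PRINTABLE for b in block) / len(block) > 0.9:
                texty += 1
    return {"sampled": samples, "all_zero": zero, "text_like": texty}


def check_wiped(path, samples=256, seed=None):
    """Combine both checks; 'looks_wiped' is only a sanity check, not a forensic proof."""
    result = sample_blocks(path, samples, seed)
    result["signatures"] = leftover_signatures(path)
    result["looks_wiped"] = not result["signatures"] and result["text_like"] == 0
    return result


def make_sample_images(size=1 << 20):
    """Constructed 1 MiB images for demonstration: a 'dirty' drive with partition
    signatures and document text, a zero-filled wipe, and a random-filled wipe."""
    d = tempfile.mkdtemp(prefix="wipecheck-")
    dirty = bytearray((b"Quarterly report: all figures in USD.\n" * (size // 38 + 1))[:size])
    dirty[3:11] = b"NTFS    "
    dirty[510:512] = b"\x55\xAA"
    dirty[512:520] = b"EFI PART"
    paths = {"dirty": os.path.join(d, "dirty.img"),
             "zeroed": os.path.join(d, "zeroed.img"),
             "random": os.path.join(d, "random.img")}
    with open(paths["dirty"], "wb") as f:
        f.write(bytes(dirty))
    with open(paths["zeroed"], "wb") as f:
        f.write(b"\x00" * size)
    with open(paths["random"], "wb") as f:
        f.write(os.urandom(size))
    return paths


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_images()["dirty"]
    print(check_wiped(target, seed=1))
```

Run it as `sudo python3 wipecheck.py /dev/sdi` (same placeholder device as the shred command above) after the wipe; a surviving "EFI PART" or "NTFS" signature means the shred did not cover the whole device.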

14. I run a Minecraft server for my friends and notice random IPs attempting to connect to my machine. What do I do to protect my machine?

Running a service publicly on your machine can attract attackers worldwide looking for vulnerable services to exploit. Although your firewall may block attempts to connect, you will soon notice the number of attempts will continue to grow. Eventually, they may succeed if they manage to exploit any known vulnerabilities in the service. It is bound to happen; it is not a question of if, but when. Keep in mind that all services have vulnerabilities (both known and zero-day), and Minecraft has its fair share of vulnerabilities. With that said, if you must run the gaming server while accepting the risks outlined above, you might consider disabling UPnP if it is enabled on your router. In my professional opinion, this setting poses a significant security risk as it automatically opens ports on your network, potentially allowing unauthorized access. I recommend disabling UPnP to enhance your network’s security. If you require specific ports open for gaming, you can manually forward them instead of relying on UPnP.

15. An attacker hacked everything (laptop, phone, router, network etc.) simultaneously, how do I recover?

The scenario you are describing, i.e., a hacker installing malware on all of your devices simultaneously, is highly unlikely. It is improbable that someone (or something) could infect a heterogeneous collection of devices across different architectures and operating systems with just a single piece of malware, virus, or rootkit. Such an all-in-one compromise is simply not feasible in the real world and is more likely to occur only in movies.

16. Which 2FA is better?

First, SMS-based authentication is the weakest form of all MFA methods. Unfortunately, not all websites provide multiple options beyond SMS for MFA. So, in the absence of stronger methods like TOTP authentication, hardware keys, or passwordless options, SMS is better than just using a username and password. Regarding TOTP authentication, all applications, including Google Authenticator, Microsoft Authenticator, and other similar apps, use the same underlying algorithm and are interchangeable. They typically follow the TOTP algorithm defined in the IETF standard RFC 6238. Lastly, for backing up authenticator secrets in case you lose your device, follow the FAQ#12 above.
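The interchangeability claimed here, and the "secret" that FAQ #12 asks you to guard, both come down to RFC 6238 (TOTP) on top of RFC 4226 (HOTP): HMAC over a counter derived from the clock, truncated to six digits. The following is an added example, not code from the blog or from oathtool.sh, implementing that algorithm with only the Python standard library so you can see that any app given the same base32 secret produces the same codes. The secret string used is the published RFC test vector, not anyone's real secret, and the clock-skew window of one step is an assumption about what a verifying server accepts.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(b32_secret):
    """Authenticator apps and oathtool take the secret as base32 (RFC 4648).
    Apps tolerate lowercase, spaces and missing '=' padding, so normalise those."""
    s = b32_secret.upper().replace(" ", "").replace("-", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(key, counter as 8-byte big-endian), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits, algo)


def verify_totp(key, code, at=None, step=30, digits=6, window=1):
    """Server-side check allowing +/- `window` steps of clock skew (assumed policy),
    comparing in constant time so timing does not leak how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


# RFC 4226/6238 test secret "12345678901234567890", written the way an app shows it.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(TEST_SECRET_B32)
    print("current code:", totp(key))
    print("code at T=59 (RFC 6238 vector, 8 digits):", totp(key, at=59, digits=8))
```

`oathtool --totp -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` prints the same six digits as `totp(key)` at the same moment, which is the whole reason the apps are swappable: the secret is the only thing that matters, so whoever holds it holds your second factor.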

17. Someone says they know my MAC address. Can they see my internet activity?

Yes and no. First, the MAC address is only applicable to the LAN (local area network), i.e., your wired or wireless network. It does not go beyond the LAN to the WAN (wide area network), a.k.a. the internet. However, by using your MAC address (and sometimes even without it, depending on how much effort they put in), someone on the same LAN could see which websites you visit unless you use your own DNS. They cannot, however, see or read the content of what you are browsing, since most communication is encrypted these days. On a related note, many people panic about someone learning their IP address, which does indeed go outside of the LAN, but the same answer more or less applies. You can read more about it in FAQ #1.

18. How can I stay safe online? What are the basic tips to avoid becoming a victim?

Using common sense is your first line of defense in staying safe online and avoiding becoming a victim. Trust your instincts, be cautious of unfamiliar websites or emails, and think twice before sharing personal information. Common sense can go a long way in protecting you online. In addition to using common sense, adhere to the following guidelines to enhance your online security.

  • Strong Passwords: Use complex passwords and change them regularly. Consider using a password manager.
  • Multi-Factor Authentication (MFA): Wherever possible, use more than just a password to secure your accounts, commonly referred to as 2FA. Most websites provide multiple options for MFA these days. Always choose an OTP authenticator if that option is offered and avoid SMS-based 2FA.
  • Enable Firewall: Ensure your device's firewall is enabled. Most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private.
  • Antivirus and Anti-malware Software: Keep them updated to protect your device from threats.
  • Phishing Scams: Be skeptical of emails or messages with links or attachments that urge immediate action or ask for personal information. If it sounds too good to be true or creates a sense of urgency, it's likely a scam.
  • Web browsing: Always ensure websites use HTTPS, especially when entering sensitive information.
  • Public Wi-Fi: When using public Wi-Fi, avoid logging into sensitive accounts or performing financial transactions. It's safer to wait until you're on a trusted network.
  • Installing Software: Only download and install software from reputable sources. Avoid pirated software and gaming cheat codes, as they often contain malware and viruses.
  • Software Update: Regularly update your operating system, browsers, antivirus definitions and apps to protect against security vulnerabilities. 
  • App Permissions: Check the permissions granted to apps and revoke any that are unnecessary.
  • Personal Information Sharing: Be mindful of what personal information you share online. Don’t overshare on social media and be wary of websites or services asking for more information than necessary.
  • Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions.
  • Backup: Regularly back up your data to an external hard drive or a cloud service.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and how to protect yourself.
  • Trust Your Gut: If something feels off or too good to be true, it probably is. Your intuition can be a powerful tool in staying safe online.

19. Are QR codes safe to scan?

The answer is neither yes nor no, but more like a maybe. While most QR codes are safe to use, it's important to be aware of the risks of fraudulent QR codes. "Quishing," or QR phishing, is a cybersecurity threat where attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. Scammers can place these fake QR codes in many places, including emails, text messages, social media, public places, printed flyers, or physical objects. Unfortunately, some, if not all, of the QR code scanners on mobile devices do not give the option to check/inspect the URL before navigating to the website; instead, they directly take you to the link represented in the QR code. At this point, it is too late to do anything if that URL is indeed malicious. Scammers take advantage of the fact that QR codes are very common, and most people trust them because they are usually from reputable places like restaurants or ad posters. This is another example of convenience over security that gets people in trouble.

20. Are URL shorteners safe to click?

The answer is neither yes nor no, but more like a maybe. Many of you are likely familiar with URL shorteners that redirect you to a different long-winded URL when clicked. If you’ve ever seen or used tinyurl.com or bit.ly links, you know how they work. URL shortener services have been abused by scammers for phishing campaigns for a while now. Recently, there has been an increased use of these techniques, specifically leveraging reputable and legitimate websites. Read the blog at (https://blog.selvansoft.com/2023/03/shorturlscams.html) to learn more about it and, most importantly, how you can view/inspect the URL to find out where it would take you before actually clicking on it.
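One way to inspect where a shortened link leads without ever loading it in a browser, as an added example that is not code from the blog or the linked post: issue a HEAD request that refuses to follow redirects, read the Location header, and repeat until a non-redirect answer, a loop, or a hop limit. The `FAKE_RESPONSES` table is constructed stand-in data so the walk can be shown offline; `head_no_follow` does the same against the real network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for a 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_no_follow(url, timeout=10):
    """Fetch exactly one hop with HEAD and report (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-inspector/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_no_follow, max_hops=10):
    """Return the redirect chain starting at url. Nothing is rendered or executed;
    the walk stops at the first non-redirect, a loop, a non-http(s) target or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        if urlsplit(url).scheme not in ("http", "https"):
            break                                   # e.g. a javascript: or data: target
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)                # Location may be relative
        chain.append(url)
        if chain.count(url) > 1:
            break                                   # redirect loop
    return chain


# Constructed responses standing in for the network (reserved .example names).
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://track.example/r?id=42"),
    "https://track.example/r?id=42": (302, "/landing"),
    "https://track.example/landing": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hops = expand(sys.argv[1])                  # real network
    else:
        hops = expand("https://short.example/abc", fake_fetch)
    for i, hop in enumerate(hops):
        print(f"{i}: {hop}")
```

Run it as `python3 expand.py https://bit.ly/...` with a link you received; the last line printed is the site you would actually land on. Some servers answer HEAD with 405 or hide the redirect behind JavaScript or a meta refresh, in which case the chain stops early and the analysis sites from FAQ #24 are the next step.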

21. What are Device Bound Session Credentials (DBSC), and how will they prevent Session Hijacking?
While this is not a FAQ, I documented it here to raise awareness. Device Bound Session Credentials (DBSC) is a cutting-edge security feature developed by Google to counter session cookie theft (a.k.a. Session Hijacking). Its unique approach stands apart from traditional security measures. The goal is to disrupt session cookie theft by linking authentication sessions to a specific device using the Public Key Infrastructure (PKI) platform. This means stolen cookies become useless as they can only be used on the device from which they were obtained, where the private keys are stored using the Trusted Platform Module (TPM). Google has already implemented this on the Chrome browser as of this writing, which can be enabled with the experimental flag (chrome://flags/#enable-bound-session-credentials). However, for this to work effectively, every website's session management code needs to be modified to use the DBSC API to prevent cookie theft, which may take a long time to adopt. So for now, we are still at risk of session cookie/token theft, one of the most common ways online accounts are compromised today.

22. When using Apple Pay or Google Pay, what information does the merchant see?
Regarding credit card information, merchants only see a token. Both Apple Pay and Google Pay utilize tokenization, which replaces your actual card number with a unique digital identifier or token that is mapped to your actual card number, name, billing address, etc., at the financial institution before payment is authorized. This means that when you make a purchase, merchants receive a token rather than your real card details. The two places where your actual card number and other information are stored are on your phone app and the financial institution that provided the token; merchants don't get to see any of that.

23. Can a photo/image contain executable malicious code?
Yes, it is possible. Just Google "Stegosploit" to learn more or read this blog. However, it is more complicated and rare compared to common methods of compromise, such as installing pirated software, game crack codes, or software from unknown sources. In order for the malicious code to run, you would need to load the infected image in your browser or any image display/rendering software, allowing it to exploit an unpatched vulnerability in your browser or image display software. Again, this is very rare, and as an ordinary user, you are unlikely to be targeted.

24. How to check if a URL is malicious?
There are several websites where you can post a URL to check if it is malicious, such as virustotal.com, which inspects the URL content and analyzes it for malicious signatures. However, interpreting their reports without deep technical knowledge of web technologies can be difficult, and non-technical people often misread them. Additionally, these tools often produce false positives because the signatures they look for, especially "MITRE Signatures," are common across all websites. Without fully understanding the report, it can cause unnecessary panic and fear. The best approach is to post on technical support forums, where people with expertise can help you. Here are a few more websites that perform URL analysis: urlscan.io, www.urlvoid.com, and checkphish.bolster.ai. Again, interpreting the results will not be straightforward.

25. I received a threatening email with accurate personal information. Is this real? I'm scared. What should I do?
The short answer is, although it is frightening, do absolutely nothing. It is not real, no matter how accurate the personal information listed in the email is; it is 100% a scam. So mark it as spam, delete it, ignore it, and get on with your life. The long answer is that cybercriminals reach out after gaining access to your data, which they can easily obtain from public sources as well as from numerous data breaches or leaks. This data can include email, personal photos, photos of your home, name, address, date of birth, phone number, and information about your friends and family. They then generate mass email campaigns threatening to disclose compromising images or videos or manipulate data unless the victim pays a ransom in cryptocurrency because of its anonymity. These scams are collectively called cyber extortion and are currently on the rise. Finally, if you're curious to find out where they obtained the data, you can search your email address in the HIBP database (https://haveibeenpwned.com/), though this does not help you in any way other than telling you where they got your data.

26. Do I need a password manager for a hardware-based passkey?
No, you are confusing the passkey authentication standard with password managers. In hardware-based passkey authentication, absolutely nothing is stored in a password manager or any other place, hence the term passwordless authentication. Password managers, of course, store your passwords. If you have both a passkey and a password for a site, stop using the password, as it is the weakest link, and always use the passkey. Without going into too much detail, here is a simpler explanation of how passkeys with a hardware key, such as YubiKey, work. During the initial setup of a passkey with a website, your YubiKey creates a unique key pair (public/private) based on the FIDO2 and WebAuthn standards. The public key is shared with the website along with an identifier, but the private key never leaves the YubiKey. The only way someone can log in with your passkey is by having physical possession of your YubiKey.

27. What are the advantages of using a hardware key vs. software authenticator apps for the MFA challenge?
Hardware keys, such as YubiKey, are impossible to steal remotely because the private/master key never leaves the key. The only way someone can use your key to generate a response to an MFA challenge is by having physical possession of your key. In contrast, all authenticator apps store their secrets in cloud storage or browser plugins for convenience. The side effect is that if the secrets are leaked (which is bound to happen eventually), anyone who has them can generate any or all of your OTP challenge tokens. You can mimic the same behavior by not storing your secrets anywhere and keeping them under your full control (read FAQ #12). In that case, I’d argue they are more or less equivalent to hardware keys, with one exception, i.e., convenience. You don’t need to carry a phone or need power; just plug the key into the device doing the authentication and touch the key.
