‍

Fabian Bräunlein and Lukas Euler – the folks behind Positive Security – know this better than most. They work to provide companies with a holistic view of their security posture and identify ways to efficiently improve it.

‍

Since September, they’ve set up their basecamp in Berlin right here at betahaus. They’re kicking off an IT Security Office Hour where they can answer your toughest cybersecurity questions. And today, they're sharing their expertise right here as part of our Experts in beta series.

‍

Ready to delve into hacking, why people get hacked, and what to do if it happens to you? You're probably more vulnerable than you think. Here’s what the experts at Positive Security have to say.

Positive Security is a hacking research collective and consulting firm founded by two alumni of renowned Berlin-based IT Security company SRLabs. They’re one part hacking, one part engineering, one part strategizing, but everything they’re working on has them on the cutting edge of security research.

‍

‍

Originally, the term hacking was used to describe a general playful-creative approach to technology. Nowadays it’s mostly used to describe the practice of researching and applying methods for breaching defenses and exploiting weaknesses in a computer system or network.

‍

These weaknesses can take up a vast variety of different forms, but at the core they are typically based on an unintended and unexpected bit of exposure or functionality.

‍

A hacker will always look for the easiest route to the data or system they want to access. For computer systems accessible by authorized individuals, the easiest route for a hacker oftentimes involves manipulating such an individual. In this post we will be exploring the most common cybersecurity attacks targeted at individuals.

‍

There are quite a few, but below, we've outlined some of the most common cybersecurity threats and shared some simple tips to avoid them.

‍

Brute Force/Credential Stuffing

Brute Force is one of the simplest attacks imaginable: the attacker attempts to login to an account by trying out many different common passwords. Credential Stuffing attacks are a little more sophisticated in that they are based on username and password combinations recovered from previous data breaches. They typically have a higher success rate than Brute Force attacks, and are not targeted at a specific account. You are at risk if you’re using:

‍

• Weak or default passwords. Avoid easy to guess passwords like “Password123!”. We recommend using a password manager to securely store randomly generated passwords. And always change default passwords on devices like routers and IP cameras.
• The same password across multiple services. You should be using a unique, strong password for every service you sign up for. Every website/service you sign up for can see the password you’re using for it. If such a service falls victim to a cyberattack, the attacker often resells any passwords/password hashes recovered.

‍

Phishing

Phishing is when a target is contacted (often via email) by someone posing as another institution or individual to trick them into disclosing sensitive data or performing critical actions. To avoid phishing...

‍

• Never enter your password after clicking a link in an unexpected email/message.
• Check for the https: (lock symbol) and correct domain name (everything between “https://” and the next “/”) before entering your password.
• Confirm any unusual instructions you receive through a second channel of communication. For example, double check via slack before acting on an unexpected email from your boss instructing you to issue a money transfer.

‍

‍

Malware in Attachment/Ad

Malware is any malicious software that causes damage or gives the attacker unauthorized access to a system. To avoid malware from an attachment/ad...

‍

• Do not open attachments of unexpected emails.
• Do not give in to stubborn popups prompting you to install browser extensions etc.

‍

Malware bundled with desired software

Untrustworthy download portals often bundle malware with installers for known (free or paid) software. To avoid malware bundled with desired software...

‍

• Install software from trusted sources only (i.e. avoid “video player” installs from shady websites) and download Firefox only from the Mozilla Website or your platform’s App Store).

‍

Outdated vulnerable software

Outdated software needs to be updated to avoid vulnerabilities that have been patched by the developer in updates. To avoid outdated vulnerable software...‍

‍

• Enable automatic updates whenever possible.
• Regularly check for updates for all other software.

‍

Malicious commands/self-XSS

Malicious commands/self-XSS are when an attacker tricks their victim into executing a malicious command which gives the hacker access to the victim’s account or device somehow. For example there are “tutorials” on “how to hack somebody’s Facebook account” which ask you to paste a code snippet in your browser’s developer console. The executed code would then compromise your Facebook account, rather than the one of your intended target.

‍

• Do not execute any commands you don’t understand from untrusted sources like chain letters and shady forums.

‍

An important note: Be extra vigilant in untrusted or open networks like public WiFi hotspots. In 2020, most websites and apps use transport encryption (https) to protect from attacks by a malicious WiFi endpoint or user. However, some still don't, or may be vulnerable due to mistakes in configuration. Triple-check https and the correct domain for login forms and downloads. By using a VPN, you can ensure that your communication can not be intercepted by a hacker in the local network (however, please note that now the VPN provider can access the information that was previously exposed to that hacker).

The most important step towards improving your personal cybersecurity is proper password hygeine. In 2020, you really need to be doing each of the following:

‍

• Use a unique password for every website/service
• Use a password manager to securely store randomly generated, unique passwords
• For passwords that need to be memorized, use random combinations of at least 4 unconnected words rather than peppering a simple word with some special characters. Bonus points for mixing languages! Some of the math behind this is explained in the comic below.
• Don't worry about rotating your memorized passwords too much, uniqueness between different websites is far more important. Forced password rotation often leads people to simply append the current year or increase a counter digit in a generally insecure password, providing next to no increase in security
• Use 2FA, especially for accounts secured by a memorized password and recovery accounts like your main email. Time-based 2FA (TOTP, implemented in most 2FA-Apps) is more secure than the SMS-based method (see SIM swapping attacks)

‍

‍

‍

Other Cybersecurity Tips for 2020

‍

• Be vigilant and think critically - don't trust just any website or user on the internet
• Do not ignore security warnings from your browser or operating system. Note: Be wary of fake security warnings! When in doubt, consult a trusted expert you already know before following instructions in a security warning (see Tech Support Scam)
• Use ad block (uBlock Origin) when browsing websites you don’t want to explicitly support - this gets rid of many fake warnings, stubborn install prompts, and other exploit attempts (see this facebook scam for a recent example)
• Install software from trusted sources only (official website for well known software, official app stores for apps)

‍

1. Use centrally managed solutions that allow your IT administrators to remotely...

‍

• Lock and reset accounts and devices
• Monitor antivirus alerts
• Manage backups

‍

While some of these do not reduce the likelihood of a compromise, they will aid you significantly in dealing with the fallout and locking the attackers out again as quickly as possible.

2. Go the extra mile to verify what you're doing is correct.

This means checking primary or multiple secondary sources, even for advice from well trusted support forums. When doing a web search to troubleshoot a problem, you'll often come across proposed solutions like "install utility X" or "change setting Y to Z". In such a case it's best to follow up with another search to verify some of the following things before doing what the proposed solution suggests:

‍

• Is what I'm about to install well known and recommended by other parties as well?
• Check the official website of the application to see make sure the link or command they're suggesting to use for the installation is legitimate
• Look for official documentation to sanity-check suggested configuration changes. E.g. you should never have to touch proxy settings unless you're explicitly trying to set a proxy

3. Use Multiple Browsers

‍‍Attacks like XSS and CSRF require you to open a malicious link while being logged in to a specific website. 3rd party browser extensions are sometimes compromised by a malicious entity and can be used to spy on your activity online. You can counter these threats by working with multiple browsers or browser profiles:

‍

• Use one browser/browser profile without any 3rd party extensions for logging into all of your trusted websites like online banking, email, social media platforms, etc. Only open links and websites you fully trust in this browser.
• Use another browser/browser profile with an ad blocking extension for all other activities like searches that might lead you to questionable websites, or opening semi-trusted links. Never enter any passwords here.

This container extension for Firefox (created by the developers of Firefox) presents another approach to separating your different “online lives” which some might find more convenient for everyday use. If you click a malicious link in your social media container, it will not result in a successful XSS or CSRF attack on the accounts you’ve only logged in to from your online banking container.

‍

Unfortunately, this is not always fully clear. There is no test which could tell you with 100% certainty that you were not hacked. However, if you observe any of these behaviors, it can be a strong indicator that you were hacked:

Indicators of compromise for devices

‍

• Unusual, excessive amounts of advertisement pop ups
• Significant performance loss which cannot be attributed to any deliberate changes you've made recently
• Automatic typing/clicks - Anything that looks like your device is being controlled remotely
• Your webcam light turns on even though you did not start any application that should be accessing it
• Unusual, specific configuration changes, especially in proxy or certification authority settings

Indicators of compromise for online accounts

‍

• 2FA code sent without you logging in
• Login/Password change notifications not triggered by you
• Activity not caused by you, for example: Unknown logins (country, browser, time) in the online service’s “Recent Logins” panel (if it exists), posts on social media, sent messages in email/messaging services, ads in online marketplaces.

‍

We recommend subscribing to notifications from trusted breach monitoring services like haveibeenpwned to be alerted as early as possible when a breach in an online service might put you at danger.

For all password change operations below, follow the secure password guidelines from above.

If a device gets compromised...

‍

• Turn off the device or cut its network connection
• Use a different, non-compromised device to change all passwords for online accounts the compromised device had access to, starting with any recovery (email) accounts
• If required, recover files from the compromised device's file system onto an external storage by booting a live image, for example ubuntu. If you regularly back up all important files (which we highly recommend), you should be able to skip this step
• Completely wipe and reset the device by reinstalling the operating system

If an online account gets compromised...

‍

• Change the password (tick “Sign out all devices/existing sessions” if the option exists)
• If you've used the same password for any other accounts, consider them to be compromised as well. Perform all steps listed here for each of them.
• Verify all 3rd party apps with access to the account (e.g. Office 365 apps). Revoke access for anything you don’t know.
• If the compromised account is a recovery account (i.e. email), consider all accounts that can be reset with it to be compromised as well, and perform all steps listed here for each of them. The attacker could have reset any number of these accounts and deleted the notification emails in the meantime. Re-resetting the accounts now makes sure they're locked out.
• Enable 2FA wherever possible
• Review and clean up recent activity in previously compromised accounts (e.g. posts on social media, fake ads in online marketplaces etc.)

‍

Thanks to Lukas and Fabian for sharing their insight on how people get hacked and how you can protect yourself. If you still have questions for Positive Security, members can grab a 30-minute session with them or you can book a consultation by emailing office@positive-security.io.

‍

‍

Experts in beta is a series for the betahaus Magazine where we ask experts from our community to share their insight on a specific topic or question that is relevant to their area of expertise. Take a look at our events calendar for upcoming events and office hours where you can take a deeper dive into these topics.