Monday, April 1, 2019

Phishing, not Fishing

Wikipedia defines fishing as, "the activity of trying to catch a fish". However, Wikipedia additionally defines phishing as "the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication". Let's talk more about "phishing"...

What is Fishing
Fishing is a sporting activity where the participant tries to catch fish. We're not going to discuss this further at this time :-)

What is Phishing
Phishing is a cyber-crime. The cyber criminal typically contacts targets by email (although telephone or text message can be used) while posing as a legitimate institution. The goal is to fool individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. If the phishing attack is successful, it can have devastating results for the victims.

How a Phishing Scam can Work
An attacker sends out thousands of fraudulent messages in an attempt to acquire significant information or large sums of money. The fraudulent messages are designed to look like real messages. It's essentially a numbers game. Even if only a small percentage of recipients fall for the scam, the reward can be plentiful.

As a made-up example... an attacker targets alumni from a university asking for donations. The message will contain a logo from the university, include names of school programs and appear to be sent from the alumni director, a dean or even the school president. They even use an email address that may look like the real email address. Then, the message will direct you to a phony website that looks like your university's website with logos and other information likely copied from the real website. While your university's real website address might be "university.edu/alumni", the phony website address might look like "university.edualumni.com". At first glance, some people will be fooled.
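The lookalike-address trick above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it extracts the hostname a browser would really connect to and compares it against the real domain. `TRUSTED_DOMAINS`, `check_link` and the `.example` links are names and values constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organization's real domain, taken from the post's example.
TRUSTED_DOMAINS = {"university.edu"}

def link_host(url):
    """Hostname the browser would actually connect to, normalized."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")

def belongs_to(host, domain):
    """True for the domain itself or a real subdomain of it.
    The leading dot matters: 'notuniversity.edu' must not match."""
    return host == domain or host.endswith("." + domain)

def check_link(url, trusted=TRUSTED_DOMAINS):
    parts = urlsplit(url)
    host = link_host(url)
    if not host:
        return "reject: no hostname"
    if not any(belongs_to(host, d) for d in trusted):
        # The trusted name appears somewhere in the address, but the
        # host that would be contacted belongs to someone else.
        if any(d in parts.netloc.lower() for d in trusted):
            return "reject: lookalike"
        return "reject: unknown host"
    if parts.scheme != "https":
        return "warn: trusted host, but not https"
    return "ok"

# Constructed sample links, built around the two addresses in the post.
SAMPLES = [
    "https://university.edu/alumni",                    # real site
    "https://giving.university.edu/donate",             # real subdomain
    "https://university.edualumni.com/donate",          # the post's phony address
    "https://university.edu.alumni-giving.example/",    # real name used as a prefix
    "https://university.edu@alumni-giving.example/",    # real name before an '@'
    "http://university.edu/alumni",                     # right host, no encryption
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_link(url):34} {url}")
```

The check reads the address from the right-hand end, the same way the browser does. It does not detect lookalike characters in internationalized domain names.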

How to Protect Yourself from Phishing
Vigilance is important:
  • Keep your operating system, anti-spam and anti-malware programs current with all updates. This will help block some phishing attacks, or even block attacks trying to access your system via an automated means.
  • Phony messages contain subtle differences or mistakes. In addition to the website address difference as above, they may have a phony physical address, phony email address or even simple spelling mistakes.
  • Be wary of tight deadlines or even threats. If the message indicates you need to pay quickly, pay a fine or send cash, that might not be a legitimate message.
  • Such messages sometimes don't address you by name (e.g. Dear Sir/Madam). A legitimate message from an organization that knows you will likely address you personally.
  • When asked to pay online, make sure you are using a secure website. Secure website addresses start with "https", not "http", which means the connection between the browser and server is encrypted. A phishing website may not have SSL configured.
Always make sure you know and trust the person or entity that sends you an email. By exercising a little caution and attentiveness, you can avoid the dangers and problems from a phishing attack.

Click here to contact me regarding this or any other blog post. Also, I welcome comments, which you can enter below.

Friday, March 1, 2019

How a VPN Keeps You Safe When Using WiFi

Nowadays, WiFi hacking is a common occurrence. Whether your mobile device (PC, tablet or smartphone) is connected to the internet via a private or public WiFi, your connection to the internet may not be as secure or private as you may think. When using WiFi you are vulnerable to theft of your data, or worse - your personal information and finances.

Your Internet Connection
When in or outside of your home, you connect to the internet via a router. Most home routers have built-in WiFi, and most stores and offices have WiFi added to their network. Since a WiFi service can cost $40/month or more, or you may be asked to pay an hourly charge to connect in public, it's not uncommon for people to search for and use free WiFi.

The features that make free WiFi desirable for you also make it desirable for hackers. Namely, it requires no authentication to establish an internet connection, and it may easily be hacked (illegally accessed) to gain access to the online users. Not taking the necessary precautions can lead to lasting harm. For mobile devices, the harm is digital: the theft of your personal data, such as passwords, financial information, and private documents, pictures and videos.

How Hackers Get Access to Your PC Data
The most common method of attack is known as “Man in the Middle.” In this method, internet traffic is intercepted between the end-user’s device and the destination by making the victim think the hacker’s machine is the access point to the internet. In this case, you log on to the free WiFi at your location thinking you’re joining the provider's network. But somewhere nearby, a hacker is broadcasting a stronger WiFi signal from their laptop or smartphone. They trick you into using it by labeling it with the location's name (e.g. Library Free WiFi). Recognizing the name of the location where you are, you innocently connect to the hacker’s network. As you surf the web or do your online banking, all your activity is being monitored and even captured by the hacker.

Also, if you use the location's actual WiFi, it is often unsecured and vulnerable to a hacker's intrusion. Even WiFi that requires a password can be hacked when the hacker uses a password hacking tool.

Although antivirus protection and firewalls are reliable methods of cyber defense, they are useless against hackers who have gained access to WiFi networks. That's because the hackers are not using virus software to gain access to your devices. You willingly connect your device to an unsecured network, essentially allowing the hacker to look at what you are doing.

I read a nice analogy of how theft occurs when you are using public internet. Imagine you are walking on a crowded sidewalk or in a busy mall. You just left one place and you're heading to your next destination. Lots of people are walking around you. While you feel safe, you accidentally bump into another person. While you did not intend to bump into that person, they may have intended to bump into you. The end result is that person picked your pocket.

What is a VPN?
With a Virtual Private Network (VPN), you create a secure, encrypted tunnel between your computer and a remote VPN server. The data is essentially gibberish to anyone who might be able to intercept it. A VPN will also protect you when you inadvertently connect to the hacker's WiFi.

So, consider the same scenario about the crowded sidewalk. In this case, before you leave to go to your next destination, you initiate a tunnel that lets you walk privately and securely alongside the other people. Nobody can get into your private tunnel while you have it turned on. Even if they can see you are in your tunnel, they can't see who you are. So, nobody can "pick your pocket".

A VPN can be either hardware or software. For most personal devices, the VPN is a software application or app. For a medium to larger computer network, the VPN may be its own network appliance or software within another network device.

How a VPN Protects You
To become protected by a personal VPN, you typically subscribe to a VPN software service. You pay for a subscription monthly or annually, usually at a cost of a few dollars per month. Many of the VPN providers offer a big discount for your initial subscription. Some subscriptions cover one device, others cover multiple devices. Once you install the software on your device, here's what you do when on public WiFi:
  1. Using your device, find and connect to the public WiFi, even if it is completely free and does not require a password. That establishes your internet connection.
  2. Now that you have an internet connection, start your VPN app.
  3. Follow the VPN app login instructions. That will connect your device to the VPN service and establish the secure VPN tunnel.
You may now surf the web securely.

VPN Providers
While I will not recommend any specific VPN app providers in this post, here is a list of a few popular VPN apps, as per CNET: NordVPN, ExpressVPN, Hotspot Shield, PureVPN and CyberGhost VPN.

Alternatives to Using a VPN
If you don't yet have a VPN service, consider these steps to reduce your risk of a security breach when using public WiFi:
  • Don’t use public WiFi to shop online, log in to your financial institution, open your email, or access other sensitive sites - not ever! While hackers may see your activity, at least they won't see your means to access data.
  • Implement two-factor authentication when logging into sensitive sites. That way if hackers have the passwords to your online banking, social media or email accounts, they won’t be able to log in. To confirm your access, the online account service will send your device a code (the 2nd level of authentication) by a means other than the internet (e.g. a text message).
  • Turn off the automatic WiFi connectivity feature on your device so it won’t automatically seek out and connect to public internet hot spots.
  • Turn off your Bluetooth connection on your device when in public places to ensure others are not intercepting your transfer of data.
  • Acquire an unlimited data plan for your mobile devices. Then, use the device's cellular data plan for your internet activity and stop using public WiFi.

The more you take your chances with using a public WiFi connection, the greater the likelihood that you will suffer some type of security breach. The better you protect yourself, the greater your chance of minimizing the potential damage. Using a VPN is a very reliable way to minimize the risk of a data breach when using public WiFi.

