It's that time of the year again - colorful leaves, sweater weather, and more importantly, Cybersecurity Awareness Month! For this post I'm going to be highlighting a few important security topics that everyone, not just security professionals, should be aware of when using the internet.
If you've had an email account for any significant period of time, then you've probably encountered what seem to be terribly spelled emails from weird addresses. They also tend to have poor grammar and ask you to visit some link or to send money to someone. These are known as phishing emails, in which someone with malicious intent sends an email to trick the recipient into doing something such as inadvertently sending money or installing malware. In many cases, such as in the email below, phishing emails are pretty obvious to the average person.
You may be wondering why criminals send emails with blatantly bad spelling and grammar. Believe it or not, this is done on purpose to specifically target those who are the most gullible and least tech-savvy. People who read these terribly written emails and STILL respond to them thinking they are real are the most likely to follow through with the scam in its entirety. Sending a properly worded email may lead to more responders, but many people will drop out of the scam once they start getting asked for money or to share information. The thought process here is that scammers can save time by only talking to those who are the most likely to follow through with their requests.
With that being said, this isn't the case for 100% of phishing emails, and some can still be worded properly and highly targeted, so always be on the lookout for suspicious emails that ask for money or your personal information!
Compared to 10 years ago, privacy is a much bigger deal for the average user. Nowadays we have things like the European Union's GDPR, scandals over improperly labelled end-to-end encryption, and privacy as a sales enabler from vendors such as Apple.
With this change in privacy in our culture, we've also seen a rise in consumer adoption of Virtual Private Networks, or VPNs for short. VPNs allow you to route some or all of your device's internet traffic through a private network so that no one on an open wireless network or an employee at your internet provider can see the websites that you are visiting. They are particularly popular in certain regions of the world where internet censorship is prevalent.
VPNs can be great for privacy, but you should be aware that any VPN provider, no matter how trusted, can technically still see the domain names of the websites you visit. Even if a website is using HTTPS, the domain name is still visible each time your browser connects to it, though the contents of the page and the full URL are not. This basically means that if you use a VPN and browse reddit.com, for example, the VPN provider may have a log of reddit.com, but won't know what subreddit you browsed. (Note that this applies to your internet provider as well.) Check out this link for some VPN providers that have been verified to not retain user activity logs.
If you want to take your privacy a step further, you can choose to route your traffic through your own private VPN using a self-hosted OpenVPN instance. Just be aware that this will require some work on your end and will likely have a cost associated with it if you choose to host this on a cloud provider like Amazon Web Services.
Any macOS or Windows user at this point is probably used to seeing what seem to be endless notifications about software updates. While these can be disruptive and annoying, they are extremely important for keeping your computer safe from certain types of malware, such as ransomware. Humans make mistakes, and sometimes clicking on the wrong phishing email link or visiting the wrong website can have dire consequences.
These patches often have key security fixes that are a direct response to malware and exploits that are seen in the wild. If you're skeptical, read this article about how a tool called EternalBlue that exploited unpatched Windows computers wreaked havoc on the UK's NHS.
Of course, one of the reasons that people despise updates is that they can take a while. To make this process easier, you can choose to update your computer during lunch, after work, or other times when you won't be using your computer for a while. It should be noted that patching alone won't protect you from all malware, but it will protect you from a significant amount of it.
Once in a while when you browse a website you might encounter an error about an expired or invalid certificate. In a nutshell, these certificates are proof that the website you are visiting is using encryption for your traffic and has also been verified by a third party certificate authority in terms of identity. Meaning, if you see a valid certificate for google.com, then you are most likely on the real google.com. The owner of the certificate has access to the private key, meaning they are able to see the decrypted traffic sent from your computer to the server. It's important that you only go on websites with trusted and valid certificates for this reason.
If you see that a certificate is invalid or expired, this could mean a few things:
- If the certificate is expired, it likely means that the admin of the website forgot to renew it on time, or that the website is no longer operational.
- If the certificate is invalid, this means that the server of the website has not been configured properly with a certificate that has been issued by a trusted certificate authority. This could mean that the website has been taken over by a malicious actor and is no longer safe to browse, or that the team running the website is using the wrong certificate.
In either of these cases, you might want to avoid proceeding with that website since the certificate is no longer valid. It's always better to be safe than sorry when browsing the web.
Don't make a habit of hitting that proceed link at the bottom of these warnings. They exist for a reason!
Something else to note about certificates is that your work laptop potentially has custom ones installed by your IT team. What this means is that they theoretically would be able to decrypt all your web traffic as you browse the internet. This is almost always done as a security measure to ensure that important data isn't being exfiltrated from the network, and that users aren't going on malicious websites. Just keep this in mind if you are ever doing anything personal on a corporate owned device.
You might also get certificate related warnings for what are seemingly normal websites if you are connected to an open wireless network in an unfamiliar place. Under no circumstances should you ever proceed with this, because this likely means that someone is able to decrypt and look at traffic on the network.
Locking Your Laptop
In an age of an increasingly remote workforce, many people work from home, coffee shops, or shared coworking spaces. If you choose to work from public or semi-public locations, it's always a good idea to lock your laptop if you need to step away for a coffee break or to use the restroom.
You may think that strangers would generally leave your computer alone, especially if you're in a safe venue, but you never know who the people around you are. They could be competitors, thieves looking to gain access to your private accounts, or just malicious trolls looking to mess around with your email. It's always better to be on the safe side and to lock your computer.
Just to be clear, locking means that you just need to enter your password or use your fingerprint to unlock the computer when you come back to it. This doesn't put your computer to sleep, so if you're currently downloading a large file or executing a long Excel macro, everything will continue to run in the background.
- On Windows devices, you can use the shortcut Windows Key + L to lock.
- On macOS devices, you can use the shortcut CTRL + CMD + Q to lock.
Found this post to be useful? Be sure to share it with anyone you know that could use these tips!