Jump to content
Invision Community
ANTIVIRUS & SPAM Antivirus Anti Spam Anti Spyware Free Virus Scanner Antivirus Comparison Antivirus for Android Antivirus for Mac Anti Spam for Android Anti Spyware for Android

All Activity

This stream auto-updates     

  1. Earlier
  2. There is a hell of a difference between spying and hacking. Spying means you need to have software that is been developed by an expert developer in order to use it on the target device to get the information. On the other side hacker is a person or brain that can trace out the loopholes of the particular program and then manipulate it on their terms and conditions. However, internet users cannot make difference between spying and hacking. Hackers can simply infect the information stored on the target computer machines and spying software can help to protect the information stored on the target device. It means none of the viruses may exist in the spy software. Hackers create such kind of viruses in order to steal the account information, financial statements and they use it for Monterey purposes. While on the other side, the spying program needs to install on someone else’s device to make a check on the device to keep something under constant surveillance. Hackers can use the information illegally and pose a serious threat for the target in terms of financial resources. How spying is useful & hacking is illegal? These are quite useful for parents and for employers in particular in order to know the hidden digital activities of young children. On the other hand, hackers could be a serious danger for the state-controlled institutions not because they steal information but they can misuse the information to the third party. In addition, the spying activity in terms of a program enables you to monitor employees work performance. Apart from the spying activities through track a cell phone, hacking activities are seriously punishable in the book of the law of U.S. It says hackers are liable for serious punishment in terms of several years in prison and penalty. On the other side, the activity of spying is not an offensive thing or you can say it is not illegal in the light of U.S law of cybercrime. Software that empowers to perform monitoring doesn’t pose a threat to its users. The intentions of the hackers are always malicious in order to misuse the hacked data or device. They can hijack things in terms of identities of the users of those hacked devices. They may get involved in the terrorist activities and they could have such types of ambitions that could be against the law of the state. Moreover, black hate hackers may get involved in kind of theft online and robberies since the banking sector have been governed by the programming they have become legal for the banking sector. On the other side, spying activities using a program or TheOneSpy monitoring software user can track, monitor and keep children under surveillance till the time they get satisfied to make sure kids online safety. Moreover, you can monitor employee’s productivity and also can prevent any illegal activity happen on the company’s owned devices. Hackers are very talented, but dangerous persons for any country or state. Apart from the dangerous activities they can use their skills for illegal motives but for the protection of their country. Moreover, they can steal the important information in terms of personal data of individuals and agencies, damage their reputation and last but not the least drain then financially to the fullest. However, monitoring program in terms of software enables you to protect the data of the users stored in the devices. In addition, it can also enhance the productivity of the employees due to check and balance that keep the employers updated all the time. Hacker activities are totally against the privacy laws because they steal the information to misuse it later on for financial motives. They can steal the information of the credit cards especially when a user is using their digital devices by sending malicious links and scams. All these kinds of activities of the hackers’ falls under the cyber –crime act. On the other software for spying are legal. It is useful for digital parenting to protect kids and teens from cyber dangers and parenting online is not an illegal act according to U.S law. Under the same law you can spy on your employees having their consent. Bottom Line: It means spying someone is legal for the protection of the target and on the other hand hacking is an illegal act that can steal information to making money or to damage someone’s reputation.
  3. We compiled a short guide about malware and how to tell if you're a victim of cybercrime: https://medium.com/@AiroSecurity/airoav-is-shedding-some-light-on-a-malware-definitions-83a790c920e?source=friends_link&sk=5b5e5c79284126ac2cda40d90d9a2c7c
  4. Nice blog, thanks for sharing, i saw one more blog hackercombat, very informative endpoint security products for business
  5. frankzappa

    Ethical Hacking Images

    Images of ethical Hacking, which is identified in the weakness of computer systems and / or computer networks and comes with countermeasures that protect weak points
  6. lindagray

    Phishing Attacks

    Album about Phishing Attacks, which are the attempting to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully divulging confidential information.
  7. lindagray

    Anti Spam Symbols

    Album of Symbols of Anti Spam Software
  8. lindagray

    Best AntiVirus Software

    AntiVirus Software Comparison
  9. Almost all of the IT pros we talk to at KnowBe4 agree that end-users are their number one headache when it comes to cybersecurity and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to gain access, either tailgating through the side door or phishing employees via email and other attack methods. It is now a must to protect against phishing threats by educating end users. The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by departments like Legal or HR who claim "we should not trick our employees". IT in those situations often run into office politics that prevent the phishing project from getting started. However, today you have to consider a new approach to securing your IT assets. You can’t afford to simply respond to attacks that WILL happen if nothing is done. Instead, you should take a proactive approach that effectively prevents your organization from being a target for cybercriminals. Here is some ammo to get approval, and more important, air cover from the top of your organization: First of all, let's talk about the "tricking our employees" issue. If we don't do it, you can bet the bad guys will. Prevention is key. We do not want to wind up like Yahoo, Target, JP Morgan or Home Depot to name just a few and see our organization on the front page with an extremely expensive data breach or worse. The next big issue is that most small and medium business owners think that they are not a target for cybercrime, but this couldn’t be further from the truth. Cybercriminals choose small and medium sized businesses (SMBs) more often than larger organizations as their prime attack targets.The reason is that many SMBs lack the expertise, budget and time to really defend their network like the bigger companies do. You are the low-hanging fruit and attacks can easily be automated. New strains of ransomware have a strong potential to cause users sitting on their hands for days because all their files are encrypted and backups failed. Can you really afford that? Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. These days getting air cover from the Board is much easier. Employees are not stupid, they are just trained in another field than IT. Once it has been communicated by the CEO that this is a company-wide ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to be cyberaware, after stepping through the training almost always the employees say: "Wow, I did not know it was that bad on the web." If you frame this as part and parcel of safe Internet usage, there is mostly very positive feedback from end-users. So, here are the steps we recommend: Use the above five points to get the OK to do a free phishing security test and get a baseline of how high the employee phish-prone percentage is. Usually an unpleasant surprise but great to get budget. Find out how affordable this is for your organization. This is normally the pleasant surprise and essentially a no-brainer. Start the campaign with support from your CEO or another C-level executive and provide a deadline and incentives for the initial security awareness training. Schedule frequent simulated phishing tests, about once a month, and make it a game where you compare the percentages of different employee groups (this is supported by the KnowBe4 Admin console). Report regularly to both employees and executives about the positive results and show everyone graphs of the progress you’re making as an organization.
  10. Nobody wants to fall prey to a phishing scam. There’s a good reason that such scams will continue, though: They are successful enough for cybercriminals to make massive profits. Phishing scams have been around practically since the inception of the Internet, and they will not go away any time soon. Fortunately, there are ways to avoid becoming a victim yourself. Here are 10 basic guidelines in keeping yourself safe: 1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization. 2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link. 3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free. 4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals. 5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge. 6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it. 7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network. 8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window. 9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”. 10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system. You don’t have to live in fear of phishing scams. By keeping the preceding tips in mind, you should be able to enjoy a worry-free online experience.
  11. If a random person with an official-looking business card approached you and asked for your Social Security card, driver’s license and other sensitive information, you probably wouldn’t give it to them. For one reason or another, however, people are more easily duped when it comes to online interactions. It’s far easier to trick users, which is why phishing attacks are so rampant. Phishing refers to the act of obtaining victims’ sensitive information by posing as trusted companies and organizations. It is usually carried out through spoofed emails and spoofed websites that urgently ask for various types of information. There are many potential consequences, and identity theft is among the very worst of them. Personal Data Gets Compromised Phishers with identity theft on their minds can do a whole lot of damage with seemingly small amounts of information. When you fill out a credit card application, for example, you typically need a handful of things: your Social Security number, your current address and your occupation, to name a few. Those types of things are easy to obtain once a cybercriminal has gained access to one of your online accounts. Before you know it, a bunch of credit cards with your name on them could be sent out into the wrong hands. Cleaning Up ID Theft Isn’t Easy It is vastly preferable to avoid becoming a victim of identity theft than to try to clean up the mess later. You will have to jump through a whole lot of hoops in order to prove to banks and creditors that your identity has been stolen. In the meantime, your credit rating will be shot and you won’t able to take out new loans or mortgages. You might even have trouble finding employment. Avoid Identity Theft by Being Aware of the Signs of Phishing If identity theft is often caused by phishing, it stands to reason that you should do your best to avoid falling prey to the many phishing attacks that take place every year. Educate yourself about the common signs of phishing. Learn how to identify spoofed emails and spoofed websites. Exercise extreme caution whenever you do any sort of business online. Guard your personal information as carefully as you can. Undoing the damage that can occur due to phishing and identity theft isn’t easy, and avoiding phishing in the first place is the best way to go.
  12. Phishing is a serious problem that is achieved in a number of different ways. Email spoofing and website spoofing are two of the primary methods by which phishers acquire sensitive information from unsuspecting Internet users. While email spoofing and website spoofing are sometimes used separately, they are often used in concert with each other. For example, a spoofed email is used to lead a victim to a spoofed website; the spoofed website requests sensitive financial information or login information from the victim. In this way, a successful phishing attempt may be undertaken. What is Email Spoofing? Most people know that it’s unwise to download files or click on links that appear in emails from unknown senders. What happens if the sender appears to be legitimate but really isn’t, though? This is precisely what happens in an email spoofing or phishing attack. The hacker sends emails that appear to originate from trustworthy sources. In some cases, they appear to be sent from legitimate companies; in others, they may even appear to come from friends, family members and coworkers. This is exactly how crimes like CEO fraud are started, criminals bank on targeted employees not questioning to comply with what the 'CEO' is asking for. In any case, they lend the recipient a false sense of security that makes them more likely to open files and click on links. For IT professionals, it's a good idea to run a free KnowBe4 Domain Spoof Test to see if it's possible for hackers to spoof your domain. Email Spoofing Methods There are many different ways to mask the true origins of an email. The clever use of subdomains can make emails look like they are arriving from trusted sources. For instance, the name of a company may be added to the term “customer service” to create a seemingly trustworthy domain. Emails that are sent from that domain are more likely to be perceived as trustworthy. In other cases, phishers simply transpose a couple of strategic letters to make email addresses look more legitimate. They don’t just stick with the “from” field, either; they typically switch around the return path and the “reply to” fields to appear as realistic as possible. What is Website Spoofing? Like email spoofing, website spoofing is used to make people believe that they are interacting with a trusted, legitimate company or person. Especially sophisticated methods of website spoofing can result in forged sites that appear nearly identical to their legitimate counterparts. If you are in a hurry, it is especially easy to fall prey to these sites. At a glance, they often appear to be real. Whenever you access a site through a link, it is important to be especially skeptical about it. Look closely at the URL. Keep in mind, however, that there are ways to cloak URLs. Website Spoofing Methods A wide range of phishing techniques are used to create spoofed websites. As mentioned above, URL cloaking is a popular method. Through the use of specialized scripts, phishers can cover up the true URL with one that is associated with a trusted website. Subdomains are also commonly used to confuse Internet users and to lend them false senses of security. Internationalized domains are increasingly being used in this way too. As with spoofed email addresses, URLs sometimes contained a few transposed letters. At a glance, they appear to be correct and are trusted by unsuspecting Internet users. Don’t Become a Victim! Even if you are a seasoned Internet user, it is easy to fall prey to the sophisticated techniques that are used in website and email spoofing. With the wool pulled over your eyes, you could inadvertently give phishers extremely damaging information. The best way to handle spoofed emails and spoofed websites is by exercising caution at all times. If something seems “off” about an email, do not open attached files or click on included links. Type in a site’s URL manually to avoid landing on a spoofed version of it. By taking your time and being careful, you should be able to avoid most problems.
  13. Credit Card Phishing Scams In our digital age it’s easy to monitor your credit card accounts online. But are you taking every precaution to protect those accounts from phishing attacks? Many people are so busy and pressed for time that they assume that every email they receive from their credit card company is legitimate. The backbone of any successful phishing attack is a well-designed spoofed email or spoofed website, which is why it pays to have a healthy level of skepticism when it comes to opening emails and visiting websites. Learn more about the basics of credit card phishing scams by checking out the following information! Email Alerts that Lead to Trouble You are probably used to receiving occasional emails from your credit card company. That is precisely what phishers are banking on: that you won’t recognize a spoofed email before it is too late. Most of the messages that you receive from your credit card company are probably friendly reminders and sales pitches. If you receive a message that has an unusual level of urgency, however, you should be extremely careful. Phishing attacks usually involve spoofed emails that include a lot of urgent language. That urgency is used to prompt quick, unquestioning action from the recipient, which often leads to serious trouble. Clicking on Links in a Spoofed Email Although spoofed emails sometimes include forms that request personal information, they are more likely to contain links that lead to spoofed websites. This is why you should never click on a link in an email from your credit card company, even if you think that it is legitimate. It only takes a few extra seconds to open a new tab in your browser, manually type in the credit card company’s URL and log into your account. If a truly urgent situation exists, you will learn more about it after logging into your online credit card account. Spoofed Credit Card Websites Spoofed credit card websites can be extremely well done. Even if you visit your credit card company’s website on a regular basis, it is all too easy to be fooled. Phishers use many sophisticated techniques to make spoofed websites that look eerily similar to their legitimate counterparts. In the rush to find out what is wrong, it is easy to fall right into phishers’ traps. The consequences of doing that can be dire. Avoid Serious Consequences If you fall victim to a credit card phishing scam, the perpetrators can gain access to your credit card numbers and a lot of other personal information. They can use your credit card to go on shopping sprees, and they can use your personal information to steal your identity. From there, they can attempt to open new accounts and wreak all sorts of other havoc. You can avoid phishing scams by being conscientious of the threat of phishing attacks and by protecting your sensitive information at all costs. Bank Phishing Scams Bank customers are popular targets of those who engage in phishing attacks. If you have a bank account, you more than likely access it online from time to time. As a result, you probably have a username and a password that are associated with your online account. Most people understand the importance of keeping that kind of information confidential; if it falls into the wrong hands, a great deal of sensitive financial information would be compromised. Unfortunately, many people fall victim to bank phishing scams each year and inadvertently give out sensitive information to people who have criminal activities on their minds. Spoof Bank Emails The most common way that a phisher gets the ball rolling on a bank phishing attack is by sending out thousands of spoof emails. These emails are carefully crafted to look nearly identical to the types of correspondence that are sent out by actual banks. Skilled phishers can replicate the logos, layout and general tone of such emails to uncanny degrees. They bank on the fact that most people are quite busy; at a glance, these spoof emails appear to be legitimate. As a result, recipients are more likely to take what is written in them seriously. One way to avoid falling victim to spoof bank emails is by looking at them closely. Never assume that such messages originate from legitimate sources. Be especially vigilant if the email requests information from you. For one thing, no legitimate bank is going to include a form within an email that they send to you. This is a well-known phishing ploy and it should raise a big red flag for you. Look closely at the sender’s email address as well. Above all else, double-check on the actual bank’s website or give the bank a call if you are in doubt. Spoof Bank Websites Spoofed bank emails almost always include links that will take you to spoofed bank websites. Like spoof emails, spoof bank websites look nearly identical as their legitimate counterparts. One telltale sign of a spoofed bank website is a popup window that demands various types of credentials. There are many scripts that phishers can use to make these popup windows appear, and real banks never use them. Never follow a link to your bank’s website. Always type the URL manually into your browser’s address bar or give them a call to check on your accounts. Chase Bank Phishing Scam One of the most famous examples of a bank phishing scam involved Chase. Phishers especially went to town when Bank One of Indiana was bought out by the huge bank. Phishers obtained the email addresses of thousands of Bank One customers and used the changeover as a ruse in order to cull sensitive information from the victims. Like so many other phishing scams, these emails and fake phishing websites included a lot of urgent language. They implied that customers needed to supply the requested information right away or lose access to their accounts, which would certainly be a cause for alarm. The Chase bank phishing scam is a prime example of just how easy it is for people to fall into phishers’ traps. Actual Chase logos were used in the emails, which made it even trickier to tell them apart from spoofs. You can be sure that future bank phishing scams will use even sneakier and more sophisticated methods. Whenever you receive an important email from your bank, make a point of logging on to its website. Do not follow a link to the bank website; instead, type in the URL manually. If something important really needs your attention, you should be alerted about it somewhere on the online interface. If questions persist, pick up the phone and contact your bank. You can’t be too careful when it comes to protecting your financial information from phishing attacks. Email Phishing Scams A spoofed email message is often the cornerstone of any well-executed phishing scam. From the earliest days of phishing, fraudulent email messages have been used to catch Internet users unawares. Phishing attacks picked up steam during the heyday of AOL. Instant messages and email messages were used to carry out those attacks. Although many things have changed, many others have remained the same. To this very day, major online entities like PayPal and eBay have to grapple with the problem of email phishing. Learn more about how email phishing works, what it looks like and how avoid falling victim to it below. What is Email Phishing? Email phishing refers to the act of creating and sending fraudulent or spoofed emails with the goal of obtaining sensitive financial and personal information. Under such schemes, emails are designed to look exactly like the ones that are sent by legitimate companies. Sophisticated phishing attacks use the email addresses of people who are registered to use certain services. When those people receive emails that are supposed to be from those companies, they are more likely to trust them. Spoofed emails often contain links that lead to spoofed websites, where various methods are used to request and collect a person’s financial and personal information. Forms are occasionally contained within the emails themselves too. Why Email Phishing Works Considering how long email phishing has been used, it may seem odd that it continues to work. It isn’t because people are foolish; it is because these emails are very well done. Phishers know precisely how to design spoofed emails to look like their legitimate counterparts. By throwing in some urgent language, phishers dramatically increase their odds of success. Busy people scan such emails, trust them and click on their links because they look almost exactly like the real thing. One wrong click can lead to a world of hurt. Signs of Email Phishing There are many signs of a phishing email. The first thing that you should look at is the greeting. Does it use your actual name, or does it have a generic greeting? Look closely at the email’s header. What is the sender’s email address? These addresses are usually carefully designed to look authentic. By taking a very close look at them, though, you can usually see inconsistencies and things that don’t make sense. If possible, compare the sender’s email address to that of previous messages from the same company. If it’s a phishing email, you will notice things that don’t add up. Examples of Successful Email Phishing Many successful email phishing attacks have been carried out in the past, which is why they continue to be used to this day. Prominent examples include eBay phishing scams and PayPal phishing scams. Both companies were prime targets of email phishing campaigns in the past. eBay and PayPal users receive messages that look legitimate. The messages typically urge them to verify their account information or to update their credit card numbers. People often fall for these ruses because they are afraid of losing access to these important services. Both companies now offer extensive information on ways to avoid such phishing scams on their websites. There is no simple way to completely avoid email phishing attacks. Sooner or later, someone is bound to send you a spoofed email. The easiest way to avoid these scams is by never clicking on links that are included in email messages. Make it a policy to always type in the URL of the site that you need to access manually. Upon arriving on the site, you will be able to confirm whether or not the message that you received was legitimate. If it’s a spoofed email, find out where to send it – most companies like to know about the scams that are going on out there. Website Phishing Scams It is never a good idea to blindly trust a website. Assuming that a site is legitimate can cause you to fall prey to phishing attacks. If that happens, you could inadvertently disclose sensitive information to people who may use it for identify theft and other malicious things. You don’t have to live in fear, though. By familiarizing yourself with a few of the main signs of a copycat website, you will have an easier time protecting yourself against these attempts. Keep in mind that phishing techniques can be quite sophisticated, and keep the following tips in mind as you browse the Internet. Unusual Urgency – A legitimate website for a bank, credit card company or other organization isn’t going to have an air of desperation about it. You aren’t going to find urgent messages sprawling across such sites. If you land on a site and it seems to include a lot of inappropriate urgent messages, you should double-check the URL and make sure that you’re really in the right place. Phishers rely on this type of urgency to increase the odds that people will quickly and willingly disclose sensitive information. Poor Design – The websites of professional businesses and organizations are generally sleek and stylish. If you visit one that seems to look a little ramshackle, there’s a very good chance that you’ve stumbled upon a spoofed site. Legitimate businesses are not going to allow their sites to go live with glaring design flaws. If things look sloppy, take the time to do a little investigating before you proceed. Misspellings – Business websites typically include copy that has been written by professionals. They are not going to be riddled with misspellings and glaring grammatical errors. Scan through a site before you proceed. Does it seem to be well-written and professional? Has anything changed since your last visit? Pop-Up Windows – Legitimate sites are not going to bombard you with pop-up windows the second you land on them. Everyone knows that pop-ups are commonly used to gather sensitive information from unsuspecting victims. Use a browser that allows you to block pop-ups. If one slips through, you should consider it to be a major red flag.
  14. There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, the cybercriminals' techniques being used are also more advanced. To prevent Internet phishing, users should have knowledge of how the bad guys do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims. Spear Phishing While traditional phishing uses a 'spray and pray' approach, meaning mass emails are sent to as many people as possible, spear phishing is a much more targeted attack in which the hacker knows which specific individual or organization they are after. They do research on the target in order to make the attack more personalized and increase the likelihood of the target falling into their trap. Email/Spam Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email. Web Based Delivery Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it. Link Manipulation Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation. Keyloggers Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through the virtual keyboard. Trojan A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals. Malvertising Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements. Session Hijacking In Session Hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally. Content Injection Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information. Phishing through Search Engines Some phishing scams involve search engines where the user is directed to products sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites. Vishing (Voice Phishing) In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID. Smishing (SMS Phishing) Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website. Malware Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files. Ransomware Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.
  15. As widespread and well-known as phishing is now, it hasn’t been around forever. Although the practice originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later. That doesn’t mean that phishing was not a force to be reckoned with right from the start. In order to avoid falling prey to such scams yourself, it is helpful to have a basic understanding of the history behind them. Name Origins Phishing scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information. It isn’t surprising, then, that the term “phishing” is commonly used to describe these ploys. There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimenting and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities. First Recorded Mention According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. It is fitting that it was made there too; America Online is where the first rumblings of what would become a major criminal issue would take place. Phishing’s America Online Origins Back when America Online (AOL) was the number-one provider of Internet access, millions of people logged on to the service each day. Its popularity made it a natural choice for those who had less than pure motives. From the beginning, hackers and those who traded pirated software used the service to communicate with one another. This community was referred to as the warez community. It was this community that eventually made the first moves to conduct phishing attacks. The first way in which phishers conducted attacks was by stealing users' passwords and using algorithms to create randomized credit card numbers. While lucky hits were few and far between, they struck the jackpot often enough to cause a lot of damage. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things. Special programs like AOHell were used to simplify the process. This practice was put to an end by AOL in 1995, when the company created security measures to prevent the successful use of randomly generated credit card numbers. Phishing Attacks Begin With their random credit card number generating racket shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees. Those messages would request users to verify their accounts or to confirm their billing information. More often than not, people fell for the ruse; after all, nothing like it had ever been done before. The problem intensified when phishers set up AIM accounts through the Internet; such accounts could not be “punished” by the AOL TOS department. Eventually, AOL was forced to include warnings on its email and instant messenger clients to keep people from providing sensitive information through such methods. The Evolution of Phishing In many ways, phishing hasn’t changed a lot since its AOL heyday. In 2001, however, phishers turned their attention to online payment systems. Although the first attack, which was on E-Gold in June 2001, was not considered to be successful, it planted an important seed. In late 2003, phishers registered dozens of domains that looked like legitimate sites like eBay and PayPal if you weren't paying attention. They used email worm programs to send out spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information. By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were used to acquire sensitive information from victims. Since that time, many other sophisticated methods have been developed. They all boil down to the same basic concept, though, and it is safe to say that this concept has proved to be quite effective.
  16. Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. The first phishing lawsuit was filed in 2004 against a Californian teenager who created the imitation of the website “America Online”. With this fake website, he was able to gain sensitive information from users and access the credit card details to withdraw money from their accounts. Other than email and website phishing, there’s also 'vishing' (voice phishing), 'smishing' (SMS Phishing) and several other phishing techniques cybercriminals are constantly coming up with. Common Features of Phishing Emails Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails. Remember that if it seems to good to be true, it probably is! Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email. Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully. Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file. Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
  17. SCALABILITY OF ANALYTICS FOR YOUR DDOS DEFENSE No matter which deployment mode and detection method you’ve chosen, it will all be for naught if you can’t scale up in order to adequately protect your entire network. After all, DDoS attacks work because of the sheer amount of traffic they can throw your way, so your mitigation system needs to be able to handle large numbers of packets. You should also keep the scalability of your analytics infrastructure in mind. For example, a flow sampling method can be easily scaled, but it sacrifices granularity and mitigation speed. Meanwhile, mirrored data packets certainly provide granularity, but they don’t tend to scale well. CHOOSING THE BEST DDOS PROTECTION With so many choices, it’s not always easy to choose a DDoS protection solution that’s right for both your company and budget. Here are some things you should look for when selecting a solution: Precision: When protecting yourself against DDoS attacks, it may seem like a solution’s precision is secondary to its ability to batten down the hatches and weather the storm. However, that couldn’t be farther from the truth: In order to effectively defend your network, a solution must be able to precisely parse traffic in order to correctly distinguish attacking bots from legitimate users. Form factor: Some DDoS solutions are offered as a one-size-fits-all product, which is often cost-prohibitive for smaller organizations and inadequate for very large organizations. So, look for a solution that offers a variety of form factors. Scalability and breadth: Depending on what type of business you’re in, you may depend on your DDoS solution to protect many downstream business customers. Because of this, a good solution should be capable of protecting your customers as well as your infrastructure. Deployment flexibility: As mentioned earlier, there are two types of deployment modes: proactive and reactive. One is not inherently better than the other, and they can each serve a valuable purpose depending on your goals, so ensure that the solution you choose can utilize either mode. Automated escalation response: Efficiency is important in all aspects of business, so your DDoS solution should be efficient, too. This means that it should recognize the difference between peaceful, run-of-the-mill traffic and a full-out DDoS attack and adjust its mitigations accordingly. Programmable API: While it’s important for DDoS solutions to have easy-to-use, it’s equally important that they have a completely customizable application programming interface (API). A programmable API facilitates automation and the speedy delivery of defenses, applications and virtual infrastructures, which is crucial for organizations using agile SecOps or DevOps models.
  18. HOW TO PREVENT DDOS ATTACKS As you can see after examining the five most famous attacks, DDoS attacks aren’t going away. In fact, they’re only growing larger and more destructive. So, the best thing you can do to prevent being a victim of one yourself is learn from attacks that have already happened. Here’s how you can start thinking about DDoS protection: CHOOSE A DEPLOYMENT MODE There are benefits to both proactive and reactive DDoS deployment modes, and which one you choose depends on your business goals. A proactive mode delivers the highest resolution detection capabilities and is commonly used for real-time apps such as voice, video and gaming. With a proactive mode, detection is always on, and you’re provided with an inline tool that gives 100 percent visibility through packet analysis. On the other hand, a reactive mode detects anomalies by analyzing metadata, as well as by leveraging the flow data available from switches and edge routers. A reactive mode is more cost-effective than a proactive one, but it doesn’t have the ability to respond in real-time. DDOS DETECTION METHODS When it comes to DDoS detection, there are many different methods to choose from, such as: Flow Sampling: In flow sampling, the router samples packets and then exports a datagram that contains information about those packets. Nearly all routers support this type of technology, plus it’s highly scalable, making it a popular choice. However, this method only gives you a limited snapshot of your traffic and doesn’t allow for detailed analysis. Packet Analysis: When a high-performance DDoS mitigation device is deployed in-path, it can instantly detect and mitigate anomalies. This type of device continuously processing all incoming traffic and can also process all outgoing traffic—this is known as asymmetric and symmetric processing, respectively. Mirrored Data Packets: Although mirrored data packets don’t operate in the path of traffic, they provide the full detail for in-depth analysis, and can detect anomalies quickly. The only downside to this method is that it can be difficult to scale up.
  19. THE SECURITY THREAT OF A DDOS ATTACK More importantly, in many cases a DDoS attack is merely designed to distract from other criminal activity, such as data theft or network infiltration. The attacker keeps its target busy fighting off the DDoS attack, to then sneak in a piece of malware. FIVE MOST FAMOUS DDOS ATTACKS In recent years, DDoS attacks have only been increasing in both frequency and severity. Here, we’ll examine five of the largest and most famous DDoS attacks. 1. GITHUB: 1.35 TBPS On Feb. 28, 2018, GitHub—a popular developer platform—was hit with a sudden onslaught of traffic that clocked in at 1.35 terabits per second. If that sounds like a lot, that’s because it is—that amount of traffic is not only massive, it’s record-breaking. According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.” What’s worse is that GitHub was not entirely unprepared for a DDoS attack—they simply had no way of knowing that an attack of this scale would be launched. As GitHub explained in the incident report linked above, “Over the past year we have deployed additional transit to our facilities. We’ve more than doubled our transit capacity during that time, which has allowed us to withstand certain volumetric attacks without impact to users…. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering.” 2. OCCUPY CENTRAL, HONG KONG: 500 GBPS The PopVote DDoS attack was carried out in 2014 and targeted the Hong Kong-based grassroots movement known as Occupy Central. The movement was campaigning for a more democratic voting system. In response to their activities, attacker(s) sent large amounts of traffic to three of Occupy Central’s web hosting services, as well as two independent sites, PopVote, an online mock election site, and Apple Daily, a news site, neither of which were owned by Occupy Central but openly supported its cause. Presumably, those responsible were reacting to Occupy Central’s pro-democracy message. The attack barraged servers with packets disguised as legitimate traffic, and was executed with not one, not two, but five botnets. This resulted in peak traffic levels of 500 gigabits per second. 3. CLOUDFLARE: 400 GBPS In 2014, security provider and content delivery network CloudFlare was slammed by approximately 400 gigabits per second of traffic. The attack was directed at a single CloudFlare customer and targeted servers in Europe and was launched with the help of a vulnerability in the Network Time Protocol (NTP), a networking protocol for computer clock synchronization. Even though the attack was directed at just one of CloudFlare’s customers, it was so powerful that it affected CloudFlare’s own network. This attack illustrated a technique in which attackers use spoofed source addresses to send mass amounts of NTP servers’ responses to the victim. This is known as “reflection,” since the attacker is able to mirror and amplify traffic. Shortly after the attack, the U.S. Computer Emergency Readiness Team explained NTP Amplification Attacks are, “especially difficult to block” because “responses are legitimate data coming from valid servers.” 4. SPAMHAUS: 300 GBPS In 2013, a DDoS attack was launched against Spamhaus, a nonprofit threat intelligence provider. Although Spamhaus, as an anti-spam organization, was and is regularly threatened and attacked, this DDoS attack was large enough to knock their website offline, as well as part of their email services. Like the 2014 attack on CloudFlare mentioned above, this attack utilized reflection to overload Spamhaus’ servers with 300 gigabits of traffic per second. The attack was traced to a member of a Dutch company named Cyberbunker, who seemingly targeted Spamhaus after it blacklisted Cyberbunker. 5. U.S. BANKS: 60 GBPS In 2012, not one, not two, but a whopping six U.S. banks were targeted by a string of DDoS attacks. The victims were no small-town banks either: They included Bank of America, JP Morgan Chase, U.S. Bancorp, Citigroup and PNC Bank. The attack was carried out by hundreds of hijacked servers, which each created peak floods of more than 60 gigabits of traffic per second. At the time, these attacks were unique in their persistence: Rather than trying to execute one attack and then backing down, the perpetrator(s) barraged their targets with a multitude of methods in order to find one that worked. So, even if a bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types.
  20. DDoS attacks are not only on the rise—they’re also bigger and more devastating than ever before. From independent websites to multinational banks, it seems like no one is immune. In fact, a 2017 report from Cisco found that the number of DD0S attacks exceeding 1 gigabit per second of traffic will rise to 3.1 million by 2021, a 2.5-fold increase from 2016. However, attackers aren’t the only ones who are capable of adapting. By examining five of the most famous DDoS attacks in recent history, you can learn how to better protect yourself in the future. Let’s look at the most famous DDoS attacks and the lessons they have to offer. WHAT IS A DDOS ATTACK? Before we dive in to the five most famous DDoS attacks, let’s first review what is a DDoS attack. DDoS stands for Distributed Denial of Service, which refers to the deployment of large numbers of internet bots—anywhere from hundreds to hundreds of thousands. These bots are designed to attack a single server, network or application with an overwhelming number of requests, packets or messages, thereby denying service to legitimate users such as employees or customers. Usually, attackers begin a DDoS attack by exploiting a vulnerability in a single computer system. The attacker’s system then becomes the DDoS master and works to identify other vulnerable systems to turn them into bots. The perpetrator directs those computer bots to attack through the use of a command-and-control server, or botnet. At that point, all the attacker has to do is tell the bots who to target. Who would carry out a DDoS attack? As it turns out, the answer includes many different types of bad actors such as cyber-criminals or disgruntled employees. Perpetrators execute DDoS attacks for a variety of reasons, such as extortion, revenge, or politics. DDoS attacks are measured by how many bits (binary digits) of traffic they send at the target per second—for example, a small attack might measure only a few megabits per second (Mbps), while larger attacks might measure several hundred gigabits per second (Gbps), or even more than one terabit per second (Tbps). It’s important to note that not all DDoS attacks are bandwidth focused. For example, network protocol attacks are low bandwidth with many packets per second (PPS).
  21. Currently, most computers are connected to the network, and various information is exchanged beyond national borders. Mobile devices such as smartphones and tablets have also been used in business, personal entertainment and productivity are way more than desktop PCs. In addition, the IoT (Internet-of-Things) technology that connects machinery and equipment used in production processes, social infrastructure, homes, etc. via the Internet is spreading like wildfire. Cases of cyber attacks have also become conspicuous behind the convenience due to the spread of such networks. It can be said that enterprises have not only taken measures against leakage of personal information but also have to protect the network and all the systems and computers connected thereto from the threat of cyber attacks, but the reality is the corporate world has deep pockets to fund credible cybersecurity defense systems. What about the ordinary everyday Internet user? Here are some of the tips for common users in order to keep themselves secure and private online: Using plain passwords alone no longer cut it when it comes to securing and identifying oneself online for a particular web service. This is because of the constant push of the threat actors with their phishing attempts and virus development. Many websites right now have started to offer two-factor authentication for their users, but not enabled by default. It is prudent for users to take advantage of this in order to lessen the chance that someone else will log in to their accounts without their consent. Operating systems are constantly being updated to fix bugs and security vulnerabilities. Same goes true for the application software running on top of the OS, as long as the version is still supported, the developers are regularly patching them to be safe. Internet-facing apps like browsers and extensions are the most exposed applications that need constant patching, and these should never be ignored. It is a good habit for everyone to encrypt their data before uploading to a cloud storage provider. Yes, many if not all the current players in the cloud storage market have AES encryption implemented, but just to be safe it is better for the files to be encrypted first before uploading. There were instances from the past that the storage drive was accessed by someone else, luckily the user uploaded encrypted files, hence they are rendered useless without a password. Never trust random links seen in email and instant messaging applications. Most especially if the links posted came from a URL Shortener service. URL Shortened websites are convenient to use, especially when users want to communicate it to a limited communication tool like Twitter. However, the bad about the use of a URL shortener website link is the non-transparency of the actual destination site. The user has no way to determine if the destination site is safe or not with URL shorteners. Never trust claims from a random person, it may be from an instant messaging on Facebook, a random phone call or an SMS message. The parents’ advice to their children of “don’t talk to strangers” is also applicable and helps people keep themselves online.
  22. Most small businesses just rely on an antivirus tool to mitigate cyber risks, despite the fact that hackers show an increasing tendency to target small businesses. Small businesses leave many devices unprotected, which causes security risks. Moreover, with BYOD devices and IoT devices being used in large numbers, cybersecurity is becoming crucial for small businesses today. But then, would it be good to have just an antivirus tool alone? Or, would such businesses have to choose endpoint security software for better protection? Well, it all depends. It depends on factors like the size of the network, the presence of remote workers, the nature of the business etc. Based on these and other important factors, businesses need to make the right choice. It does matter, because for any business today, cybersecurity is of crucial importance! Endpoint security vs. antivirus software Endpoint protection involves detecting malicious activity at all endpoints and protecting networks (including desktops, servers, mobile devices etc) from all kinds of intrusions and attacks. Endpoint security works based on the assumption that every endpoint, every single device that’s connected to a network is a vulnerability- a potential entry point for security threats. Endpoint security protects all endpoints in a network as well as the network; it does things like authenticating logins from endpoints, supporting software deployment, software updates etc. Endpoint protection software are a suite of cybersecurity applications- firewalls, antivirus tools, intrusion detection software etc. Antivirus software, installed on an individual device/system, detects and removes malware (viruses, trojans, worms, keyloggers, spyware, adware etc). Antivirus tools keep running in the background and scan device directories and file periodically for all kinds of malicious presence. This is done by matching virus definitions and signatures to a database of malware and then blocking/quarantining on finding a match. Antivirus software comes either as a stand-alone product or as a component of endpoint protection platform. Key features of endpoint security platforms Endpoint detection/response including detecting and reporting of vulnerabilities. Provides anti-malware protection. Protects data and even offers additional functionalities like DLP (Data Loss Prevention), firewall, mobility management etc. Provides reports and alerts about vulnerabilities and issues. Integrates with other security tools- intrusion prevention, network monitoring, SIEM etc- via open API systems. Provides incident investigation and remediation via centralized, automated tools. Key features of antivirus software Real-time scanning, which includes taking action against threats/malware detected. Identifies all kinds of malware. Gives web protection as well; secures online browsing sessions, downloads etc. Sends alerts and notifications about malicious software, infected files etc. Quarantines, removes infected files based on the severity of damage it could cause. Provides automatic updates about virus definitions, signatures etc. So, endpoint security or antivirus? The answer, in our opinion, should be simple. For a small business, the best option would be to go for an endpoint security solution, especially one that offers managed services to deploy/monitor software operations remotely plus managed detection/response capabilities. Which brand to choose? This is one area that we’d prefer to stay out of. The choice of brand, for endpoint protection software as well as for antivirus tools depends a lot on your requirements, which, in turn, depend on the nature of your business, the size of your network, the kind of devices you connect to your network etc. You should also consult peers, experts etc before making a choice. However, we’d always say that it’s better to go for reputed brands like Comodo, Avast, McAfee, Symantec, AVG, WebTitan etc. Every business needs to have a budget set aside for this, because, as we have already mentioned, security is crucial for the successful running of any business today.
  23. I recently read a friend’s post about her family’s catastrophic woes dealing with a hacked Apple ID account. Her story was so troubling that it inspired me to remind folks of some of a few small security things that slip through the cracks in our daily lives that can cause a profound impact on our personal digital lives. Even as dedicated IT professionals, there are minor, crucial details which may blend into the background as part of modern life. Let’s briefly discuss five commonly-forgotten security best practices, and explore the potential real-life impact on our personal security if we neglect to perform them. Home Router Security What It Entails Home routers (should) receive security updates just like any other device. Unfortunately, these updates are often not applied automatically (because doing so will briefly interrupt internet service). Routers also blend into the background of our daily lives – they’re something we don’t notice until there’s a failure or outage. We should be routinely logging into our routers, ensuring that administrative passwords are strong, wireless networks are configured as intended, and applying any available device updates. Home routers should also be replaced with newer models once they’re not longer supported and updated by the manufacturer. Finally, I highly advise purchasing and installing a home router your family can manage and ultimately replace behind anything provided to you by your internet service provider. What Goes Wrong, if we Forget? Bad guys and gals know perfectly well that we forget about routers, and that millions upon millions of them are vulnerable around the world. This makes home routers a juicy target for many reasons. For one, they make a good launch surface for Distributed Denial of Service attacks. They also can pose a risk during targeted attacks against a household or individual, as any security they provide can potentially be circumvented if they are configured with a weak admin password or they lack security updates. Multi-Factor Authentication on Email What It Entails Almost every major global webmail provider provides an option to enable some sort of multi-factor authentication. Their first factor of authentication is typically a traditional password or passphrase. The second factor may be in the form of an authenticator app, a physical token (like a YubiKey or smart card), biometrics, or an SMS message code sent to a user during login. This means two (or more) verification steps are required to access an account, instead of one. While security experts may debate ad infinitum about which of these factors is the most secure (SMS is generally considered the weakest), everyone should be using at least two factors of authentication on his or her personal email accounts. Two-factor authentication is a really small inconvenience in exchange for notably increased deterrence against hacking. Instead of simply stealing or guessing a password, a hacker will have to evade or gain access to the second (or third…) form of required authentication to successfully log into the email account. What Goes Wrong, if we Forget? Your primary home email is far more integral to your daily life than you may immediately imagine. Consider all of the accounts you’ve registered with it over time. Social media, financial, software, online storage, games, home business, and even dating..? The parade of juicy personal information continues. It’s very likely, if you were to request to reset the password to one of those accounts, a reset link or code would be sent to the email in question. Consider the control over all of your other accounts that this one email account and its associated password provides. Next, recall all the personal and business contacts who are referenced in your email correspondence and address book. It’s quite common for hackers to spread scams and malware by using a trusted email to send malicious or phishing emails to collected contacts. Finally, recall all of the sensitive correspondence you might have in your webmail. While I never advise sending sensitive photos or private medical, financial, or tax data via unencrypted email, the unfortunate truth is that the practice is common and sometimes outside our control. Could a bad guy or gal find your social security number, your bank routing number, sensitive medical data, or intimate photos by searching your mailbox? Could this put you at risk of extortion or blackmail? The bottom line is that your email is very likely a “key to your kingdom”. In a best case scenario, we should create separate, well-secured email accounts for both correspondence and sensitive account registration. At an absolute minimum, every email account we use should have two-factor authentication configured. Multi-Factor Authentication on Apple ID and Microsoft Accounts What It Entails A few years ago, our email accounts alone were the primary point of access to our online presence. This has shifted slightly with an increasing number of popular consumer services in “the cloud” and available by subscription. MacOS and Windows now highly encourage the use of their own centralized online accounts to manage computers, software, apps, phones, and tablets. Similar to email and social media, our Apple ID accounts and Microsoft accounts allow us to configure two-factor authentication. This will require anyone accessing these accounts to provide a second form of authentication to log into a new device. What Goes Wrong, if we Forget? Our iTunes accounts may have been created in an era where their sole purpose was purchasing $2 songs, but Apple IDs control far more than that today. Dependent on device settings, an Apple ID may provide the ability to purchase expensive software, access personal photos and videos, remotely track or erase devices, or even make system changes. Indeed, the theft of an Apple ID account can lead to a pretty dire situation in an Apple ecosystem. While enabling two-factor authentication isn’t a silver bullet against a determined attacker, it’s an important deterrent and well worth the time and effort. Microsoft was a bit later to the game, as Windows 8 was the first heavily Cloud-integrated Windows operating system. However, Microsoft has followed Apple’s lead since then in integrating app purchases, online photo and document storage, and remote device tracking and management into Microsoft accounts. Convenience creates a single target for attackers. Treat these accounts as extremely sensitive, and use them only on trusted devices. If your device is stolen or accessed by somebody you don’t trust, change your password immediately on a secure computer. Understand that if they are stolen, the thief may have substantial ability to tamper with your devices until their access is revoked. Facebook Authentication and Privacy What It Entails Facebook is best known as a social media (and data aggregation) platform, but they provide another popular service we rarely twice about: Facebook Login. Across the web, Facebook Login has become a popular and sometimes mandatory mechanism for authenticating users to apps, services, and accounts. It’s far too easy for me as a security person to make the blanket statement, “never use Facebook Login”. Sites and apps often request far too much personal Facebook profile information with use of the service, and a password manager is far more trustworthy. However, Facebook Login does counter a lot of common security problems such as weak and reused passwords, and poor login security configuration on websites. For now, it legitimately serves a place to reduce poor security practices on the internet. If we choose to use Facebook despite significant privacy concerns, we should ensure our accounts are as secure and private as possible. Once again, two- authentication should be enabled. We should use a strong password, and restrict the public visibility of our personal information as much as possible. What Goes Wrong, if we Forget? We discussed some substantial privacy and security concerns regarding our email addresses being linked to more sensitive personal and business accounts. The problems with Facebook Login are similar – while it may provide an increase in security over weak or reused passwords, a hacker gaining access to our Facebook account could be catastrophic. So, increasing our Facebook account security is a must if we choose to use Facebook to log into other services and apps. Secondly, there is the matter of the information we share on Facebook. Common account security questions like, “What was your first pet”, and, “What was your high school mascot” are useless if the answer can be relatively easily located on your social media. While we’ll talk a little bit more about security questions in the next section, it’s always a good idea to avoid oversharing with the publicly-facing internet. The internet remembers forever. Always Lie (On Security Questions) What It Entails Whether the site wants to know your favorite band or your mother’s maiden name, it’s probably a good idea to make something up. Worried about forgetting your made-up answer? Store it in your password manager. What Goes Wrong, if we Forget? Password reset questions are an unfortunate relic of the past which are still used all over the internet and financial institutions to verify identity. There are two fundamental problems with this: A) The same questions are used (and reused) all over the internet. and B) The internet is full of interesting facts about our lives which we put there, and that are collected and posted without our permission. Not only is it likely websites you use will eventually be hacked into and your security question responses will be sold on the black market, but the most common questions are ones that can be answered with a little hunting and social engineering on the internet. It can feel difficult to lie to a formal institution or even to a commercial service about anything, but outside some government forms, there is rarely any law that says you must provide an honest answer to these security questions. It’s best to not tempt fate.
  24. Every app installed on your smartphone with permission to access location service "can" continually collect your real-time location secretly, even in the background when you do not use them. Do you know? — Installing the Facebook app on your Android and iOS smartphones automatically gives the social media company your rightful consent to collect the history of your precise location. If you are not aware, there is a setting called "Location History" in your Facebook app that comes enabled by default, allowing the company to track your every movement even when you are not using the social media app. So, every time you turn ON location service/GPS setting on your smartphone, let's say for using Uber app or Google Maps, Facebook starts tracking your location. Users can manually turn Facebook's Location History option OFF from the app settings to completely prevent Facebook from collecting your location data, even when the app is in use. However, unfortunately, disabling Location History would also break some Facebook features that rely on location data like checking into a nearby location, tagging locations in an uploaded photo or while using Nearby Friends, a feature that lets friends share their locations with each other. When talking about iOS, Apple offers its users more control over such situations at device level where users don't want to completely stop an app from using location, allowing them to choose if an app can also access location data in the background or not. However, people using Facebook on Android have an all-or-nothing option when it comes to location sharing, which means either they have to grant Facebook full access to their location data or completely prevent the social network from seeing your location at all, without any option for accessing your location data only when the app is open. How to Stop Facebook From Tracking You When Not in Use Facebook has finally changed this behavior by introducing a new privacy setting to its Android app, giving users more explicit, granular control over background collection of their location data. Here's how you can prevent Facebook from tracking your location when the app is not in use: Open the Facebook app on your Android smartphone Go to the Settings menu on the top right corner (looks like this ☰) Tap on Settings & Privacy Choose Privacy Shortcuts Select Manage your location settings Now, toggle "Background Location" to OFF If you enable this setting, two things will happen—"you would share your location when you weren't using the app, and you would allow Facebook to store a history of your precise locations." "We're not making any changes to the choices you've previously made nor are we collecting any new information as a result of this update," Facebook's post reads. "For people who previously chose to turn their Location History setting 'on,' the new background location setting is 'on.' For people who had turned Location History 'off' – or never turned it on in the first place – the new background location setting is 'off.'" With this update, Facebook gives users a dedicated way to choose whether or not to share their location when they are not using the social media app. iOS users need not worry about such features, as Apple already offers iPhone users an option to block an app from using their location in the background when the app is not open. If you are an iPhone user and have not already stop Facebook—or any other app—from tracking your location in the background, you can follow these simple steps: Go to Settings Select Privacy Choose "Location Services" If you want to completely stop all apps from tracking you, turn Location Services off. If you want to limit this setting depending on every app, tap each app and choose "Never" or "While Using." Make sure apps that don't require your location, like most games, photo sharing apps and editors, are set to "Never." Meanwhile, Facebook is also sending out alerts to both Android and iOS users, asking them to review their location settings.
  25. 5. Reaver Reaver for Android, also called short RfA, is a WiFi password hacker app that’s a simple-to-use Reaver-GUI for Android smartphones. Shipping with the monitor-mode support that can be activated and deactivated anytime, Reaver detects WPS-enabled wireless routers on its own. With its GUI, all the Reaver settings are available. This WiFi hacking app launches a brute force attack against WPS registrar PINs and recovers the WPA/WPA2 passphrases. Tested on a wide variety of devices, Reaver is able to get the target AP’s plain text WPA/WPA2 passphrase in 2-5 hours. Last but not the least, Reaver for Android also supports external scripts. — Reaver for Android 6. Penetrate Pro Penetrate Pro is a simple tool that has the potential to take care of your WiFi analysis needs. It requires rooting to work and scanning the WiFi networks available around. It works with different kinds of routers and calculates WEP/WPA keys. — Penetrate Pro 7. Nmap Nmap for Android is a useful app to hack WiFi and taking a look into available hosts, services, packets, firewalls, etc. Nmap for Android is useful for both rooted and non-rooted Android devices. However, non-rooted users don’t get to use advanced features like SYN scan and OS fingerprinting. The developers of this WiFi hacker app have shared the already compiled binary versions of Nmap with OpenSSL support. Nmap is also available on other platforms like Windows, Linux, etc. — Nmap for Android 8. WiFi Kill For most of the ethical hackers out there, WiFi Kill is one of the WiFi hacking apps that really work. As its name suggests, WiFi Kill is an application that lets you disable the internet connection of a device. With a simple interface, you can use WiFi Kill to get rid of the unnecessary users on the network. Its other features include showing the traffic used by a device, the network names, and grabbing the traffic of websites visited by other devices. Please note that WiFi Kill hacker app needs root access for functioning. When you fire the app, after scanning the network it shows different users connected. You can simply use the kill button to end the internet connectivity. — WiFi Kill 9. WPS Connect WPS Connect is a popular WiFi hacking app for Android smartphones which you can install and start playing with the WiFi networks of the surroundings. Working on a rooted Android device, this application helps you disable other user’s internet connection. Its creator says that WPS Connect is primarily intended to use for verifying if your WiFi router is secure. Apart from default PINs, WPS Connect also includes algorithms like Zhao Chesung (ComputePIN) or Stefan Viehböck (easyboxPIN). Please note that this WiFi hacking app for Android works with Android 4.0 or higher. — WPS Connect 10. WIBR+ WIBR+ was created to test the security and integrity of WiFi networks. By using Bruteforce and dictionary attacks, this app answers your “how to hack WiFi” questions. Moreover, WIBR+ app for cracking WiFi passwords also lets you use custom dictionaries. Depending upon your priority and network, you can select different options–lowercase, uppercase, numbers, and special characters–for performing the attack. Depending upon your password strength, WIBR takes time and cracks the password. — WIBR+ 11. Netspoof Whenever we start any discussion on how to sniff someone’s WiFi using Android devices, the mention of Netspoof, or NetwoSpoofer, comes very soon. It’s a WiFi hacker app that lets you play with websites on other people’s devices using your smartphone. Licensed under GNU GPNv3, this mobile application runs on rooted devices with ease. You can also use a custom firmware like CynogenMod to use this app. Some of the major features of this app are redirecting websites to other pages, deleting random words from websites, changing all pictures to troll face, etc.’ — Netspoof 12. WiFi Analyzer (a prank app) WiFi Analyzer isn’t exactly a WiFi hacker app for Android, it’s a prank app. I thought it would be a good idea to end this list of WiFi hacking apps with an app that lets you pretend as if you’ve broken into your friend’s WiFi and gained access. It has a very professional look and a WiFi scanner that detects all WiFi hotspots nearly. So, if you’re simply interested in fooling your friends, give this a try. — WiFi Analyzer
  1. Load more activity
  • Create New...