Cybersafe For Humans - Patrick Acheampong - E-Book

Cybersafe For Humans E-Book

Patrick Acheampong

Description

Are you ready to protect your online life but don't know where to start?


From keeping your kids and finances safe on the internet to stopping your sex toys from spying on you, Cybersafe For Humans gives you examples and practical, actionable advice on cybersecurity and how to stay safe online.


The world of cybersecurity tends to be full of impenetrable jargon and solutions that are impractical for individuals. Cybersafe For Humans will help you to demystify the world of cybersecurity and make it easier to protect you and your family from increasingly sophisticated cybercriminals.


If you think you're secure online and don't need this book, you REALLY need it!

You can read the e-book in Legimi apps or in any app that supports the following format:

EPUB

Number of pages: 194




Table of Contents


Copyright

Foreword

Introduction

Chapter 1: Threat Alert - The Struggle Is Real

Chapter 2: Keeping It Simple

Chapter 3: Easy Fixes

Chapter 4: Personal Safety

Chapter 5: Secure Your Stored Data

Chapter 6: Social Media

Chapter 7: Internet Browsing

Chapter 8: Secure Searching

Chapter 9: Email

Chapter 10: Secure Communications

Chapter 11: Secure Payments

Chapter 12: Internet of Things

Chapter 13: Are You Being Held To Ransom?

The Last Word

CyberSafe checklist for individuals

Further Reading

Additional Resources

Tools And References

About The Author

Glossary & Index

Copyright

Copyrighted Material

Copyright © 2021 by Patrick Acheampong

All rights reserved. This book or parts thereof may not be reproduced in any form, stored in any retrieval system, or transmitted in any form by any means—electronic, mechanical, photocopy, recording, or otherwise—without prior written permission of the publisher. For permission requests, write to the publisher at “Attention: Permissions Coordinator,” at the following email address [email protected]

Visit the author’s website at: www.livecybersafe.com

Edition Date - September 2021

ISBN - 978-988-75962-1-9

Disclaimer

Every effort has been made to ensure that the content provided in this book is accurate, legal, and helpful for our readers at publishing time. However, this is not an exhaustive treatment of the subjects. No liability is assumed for losses or damages due to the information provided. You are responsible for your own choices, actions, and results.

Foreword

That we live in an ever more digitised world is immediately apparent if you are a citizen of Western Europe, North America or East Asia/Australasia. Accessing social media, banking, communications and retail shopping – increasingly on a smartphone – are commonplace today.

But this ‘always on’ scenario is not without risk. Today data is a source of wealth for many companies as valuations of the giant tech companies indicate. As in the ‘real’ world, criminals will take advantage whenever they see a chance to make money from stealing or denying access to data.

Nearly 2 billion files containing personal data were leaked in 2017 – and this was only in the US – and is probably under-reported. Large companies and governments are addressing this issue through both technical means and training, but what can the individual citizen, or the owner of a small or micro business do?

Pat Acheampong has the answer – plenty! An unlocked door or window is a human failure that is an invitation to criminals; similarly people are still the main cause of data theft, denial of use and therefore loss of assets and money.

Protection of your digital life is an important part of protecting yourself, your family and your assets. This clear and concise guide will go a long way to achieving that goal.

Michael Mudd

Asia Policy LLC

Have you ever been scammed on the internet? I have, numerous times.

What is an online Scam? It's a method to cheat you, usually financially, without your conscious consent while you are using different services online.

Scammers can tap into your personal data (Government IDs, Credit Card numbers, Date of Birth, Legal Names, Addresses, Phone Numbers, Usernames and Passwords) either by hacking into leaked information from third party companies, unencrypted channels such as free Wi-Fi in coffee shops or hotels, or any internet services with which you may have shared private details. They pretend they know you and/or request that you take actions based on something you potentially care about.

I am sure 9 out of 10 of you have been cheated by an unknown source on the internet at least once during your lifetime online, and it's totally not your fault.

We are spending more and more time to stay connected online, and are more dependent on technology for work and personal life. It will continue to increase with the current rate of digital transformation in the new world of Covid-19. Scammers are more active than ever as they know more vulnerable people are getting online and may not be savvy enough to protect themselves on the internet.

My latest scam experience involved my Uber account getting hacked, and I lost three thousand USD a few years ago. The hacker used my account to simulate fake pick up requests and UberEats orders all around New York. I called Uber support numerous times and requested to suspend my account, all I got back was that they will investigate and could not stop all activities immediately. There was also an issue with the app that I couldn't use my email to reset my password or change my phone number. I couldn't bear seeing fake transactions keep adding to my credit card, so I took the matter in my own hands and canceled the credit card instead. This created a lot of inconvenience to have to redirect all utilities and direct debits against that card.

Recently I heard that a 67 year old lady lost over one million US dollars of her retirement savings due to Covid-19 online scams. The story is too long to be told here, but I am sure you have heard many of these cases through friends, families, or co-workers. The point is, these unfortunate events can happen anywhere and anytime if we are not paying attention or being skeptical before pressing the button.

We don't need high IQ or get a computer science degree to use the internet safely, but we need to know the basics of cyber security, and learn some of the tricks and tools that could armour us from being attacked or cheated. The internet is a massive place with billions of people online, and with a lot of opportunities for evil people to do bad things. Just like when you are walking on a busy street or browsing in a night market, you have to ensure your bags are well protected, wallets and cash are secured and in your awareness, as pocket pickers are hidden everywhere. We need to possess knowledge to protect our data online, and configure the right settings with our tools so that the chance for scammers to take advantage of us is mitigated.

This second edition book by Patrick Acheampong is a rare find and a must read for anyone from kids to teenagers, adults, and grandparents to stay safe and confident online in the world of working from home. Don't be intimidated by the misconception that you need to be an expert to secure yourself. This self-guided book is so easy to read, and it will bring many aha moments with an easy checklist to follow for protecting yourself online.

Danny Wong

Financial Professional and Tech Start-Up Entrepreneur

Introduction

Botnets, hackers, viruses, worms, snoops, trojans, capricious governments. You’ve probably heard of one or all of these at one time or another. If you haven’t, don’t worry. By the time you’ve finished reading this book, you’ll be well equipped to defend yourself against them, and that’s the important thing. They’re all out there trying to invade your privacy, take over your computer, steal your identity and your cash, spy on you, and map your life. This book aims to give you some tools and strategies to fight back against this online assault, and reclaim your safety online while also maintaining your right to privacy.

At a recent World Economic Forum Davos summit, a cyber security roundtable discussion revealed that the biggest banks can now expect up to two billion cyber-attacks a year; retailers, around 200 million.

Recent research from IT consultancy Capgemini found that only 21% of financial services organisations are highly confident they could detect a data breach.

In 2013, confidential documents leaked by Edward Snowden indicated that major email and cloud storage providers like Google, Microsoft, and others were part of the NSA’s top secret surveillance program called PRISM. In 2017, the U.S. government passed legislation that allows internet and telecom companies to share customers’ personal information, including web browsing history, without their consent. And it wasn’t just governments: there have been numerous reports of companies, including well known ones such as Microsoft and Google, snooping on their customers themselves.

All these revelations have made internet privacy a burning issue, with many privacy conscious users now turning to services that claim to be secure from prying eyes.

The first rule of internet safety, as with most other aspects of life, is to keep it simple and that’s exactly what this book will help you do. There may be far more sophisticated ways of staying safe that the more technical amongst you are familiar with, but this book is designed for the majority out there with basic technical knowledge.

That means that you should be able to implement most if not all of these techniques. It also means that this book is not hundreds of pages long, filled with unnecessary fluff just to pad it out. As well as keeping matters simple, this book also aims to offer solutions that are practical, and affordable for individuals.

These tools are a mix of open source and commercial applications. Woah, stop, open source? Isn’t this supposed to be a guide for non-techies? Before I go any further, I suppose I should let you know what open source means. The good folks at Wikipedia have a clear definition: “Generally, open source refers to a computer program in which the code used to create the program is available to the general public for use, or modification from its original design. Open source code is meant to be a collaborative effort, where programmers improve upon the source code and share the changes within the community. This code is then released under the terms of a software license. Depending on the license terms, others may then download, modify, and publish their version back to the community.”

Why use open source you may well ask. Isn’t commercial software better built? Well, open source software can be built to just as high a standard as commercial software. Also, if the source code is available for anyone to view, it’s harder, if not impossible, to hide a backdoor in the software that can allow someone to track and log your activities or even gain direct access to your computer. For example, the source code for Skype is closed so we don’t really know if a backdoor is built in. With open source, on the other hand, if a backdoor was built in, it would quickly be discovered because of the number of coders working on it at any time. Hopefully that explanation was straightforward enough without getting into more jargon.

For readers with a digital version of this book, where relevant I have included links to tools so you can easily click on them to take you to the appropriate site. This book is not intended to be an exhaustive list of tools you can use. There are plenty of those lists on the internet already, e.g. http://www.expatpat.com/tools. Rather, this book intends to give you affordable, and what is more important, actionable steps you can quickly take to protect yourself and your family online.

Very few if any of the ideas and strategies in this book are my own innovations. They are proven strategies, tools, and tactics, road tested over the years by technology, security, and privacy experts. Just to be clear, simply reading this book won’t make you one bit safer on the internet, or protect your data, or privacy. If you want to achieve that, you need to take action and implement the strategies outlined in the book.

While every effort has been made to ensure the accuracy of the information in this book, technology evolves so fast that some services and links may be out of date. Hopefully the information you will learn in this book will give you knowledge of how to find alternatives.

Who This Book Is For

After numerous overheard and face to face meetings with friends, family, colleagues, and clients, I came to the realisation that there are many people out there that are unaware of how open they are to all the nasty stuff that can happen with your digital life, thanks to people out there with bad intentions. The other group of people are those who know how bad things can be, but don’t know what to do about it.

I wrote this book essentially for anyone who has concerns about their digital privacy or security. The book is aimed predominantly at individuals with little to intermediate technical knowledge and small budgets. This book will help you to effectively manage digital security in your personal life.

Chapter 1: Threat Alert - The Struggle Is Real

Before we can delve into the various strategies to help keep you safe and secure online, I need to give you an idea of what threats you face online. The online world is full of various terms relating to the nefarious acts of online ne’er-do-wells out to do you cyber harm. You will come across these terms on the news, while surfing, or just in conversations with friends and colleagues. This chapter gives you an idea of what they all mean.

Viruses

Viruses are harmful computer programs that can be transmitted in a number of ways. Although they differ in many ways, all are designed to spread themselves from one computer to another through the internet and cause havoc. Most commonly, they are designed to give the criminals who create them some sort of access to those infected computers.

Spyware

The terms "spyware" and "adware" apply to several different technologies. The two important things to know about them are that:

● They can download themselves onto your computer without your permission. This typically happens when you visit an unsafe website or by way of an attachment.
● They can make your computer do things you don't want it to do. That might be as simple as opening an advertisement you didn't want to see. In the worst cases, spyware can track your online movements, steal your passwords, and compromise your accounts.

Botnets

Botnets are networks of computers infected by malware (computer viruses, key loggers, and other malicious software) and controlled remotely by criminals, usually for financial gain or to launch attacks on websites or networks.

If your computer is infected with botnet malware, it communicates and receives instructions about what it’s supposed to do from “command and control” computers located anywhere around the globe. What your computer does depends on what the cyber-criminals are trying to accomplish.

Many botnets are designed to harvest data such as passwords, social security numbers, credit card numbers, addresses, telephone numbers, and other personal information. The data is then used for nefarious purposes such as identity theft, credit card fraud, spamming (sending junk email), website attacks, and malware distribution.

Phishing

To summarise Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.” The word sounds like fishing due to the similarity of using bait in an attempt to catch a victim.

According to research by Verizon, about 30% of phishing mails get opened, while approximately 11% of attachments in these emails also get opened. The average marketing email gets opened less than 1% of the time. How the villains behind these emails are getting this level of open rate should be the subject of a case study on marketing! There appears to be a clear mismatch between the false confidence people have over their ability to spot a phishing email, and reality. Interestingly, according to a Webroot survey, fully 79% of people claimed they would be able to distinguish between a phishing message and a genuine one, but then nearly half (49%) also admitted to clicking on a link from an unknown sender. A further 48% said they had experience of their personal or financial data being compromised by a phishing message. This level of hubris is what leads to bad outcomes for people at a personal and professional level. That’s why I wrote this book, to help you combat this.

Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are almost identical to a legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors, or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that are infected with malware.

The emails cyber-criminals send often urge you to act quickly, because, for example, your account has been compromised, your order cannot be fulfilled, or some other seemingly logical reason.

Two other types of phishing attack that are gaining in popularity are Zombie Phishing, and the use of URL shorteners. Zombie Phishing happens when attackers take over an email account and reply to an old email conversation with a phishing link. Because both the sender and subject are familiar to the recipient, the recipient is more likely to accept the email as being genuine.

URL shortening is a service provided by companies such as Bitly or TinyURL. These services allow users to shorten really long URLs, typically to blogs, offers, etc., so they take up less space. You may have seen URLs that look like this example of URL shortening: https://tinyurl.com/m3q2xt. These links are rarely blocked by URL content filters as they don’t reveal the true destination of the link. Also, users who are generally vigilant and wary about suspect domain names might be less likely to identify a shortened link as malicious.

While email is still the number one form of phishing attack, cybercriminals are also using a variety of other methods to trick their intended victims into giving up personal information, revealing login credentials, or even sending money. Increasingly, phishing involves SMS texting attacks against mobiles, or the use of messaging on social media and gaming platforms. The first half of 2019 alone saw a 50% increase in attacks by mobile banking malware compared to 2018. This malware can steal payment data, credentials, and funds from victims’ bank accounts, and new versions are made available on the dark web for anyone that’s willing to pay the malware’s developers for it.

Spear Phishing

Spear phishing is a highly specialised attack against a specific target or small group of targets to collect information or gain access to systems.

For example, a cyber-criminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may then launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters, and the recipient may be more likely to open the email.

The cyber-criminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure unsuspecting victims.

Spam & Phishing on Social Networks

Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email.

Spam, phishing, and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks – When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets, and other posts.

An increasingly popular phishing and social engineering method of scammers is the use of fake LinkedIn profiles. LinkedIn has over 700 million users, so it is a target rich environment for those wanting to spy on companies, or glean your personal information for identity theft purposes. In a James Bond-esque twist, the German intelligence agencies once accused the Chinese government of trying to recruit informants on LinkedIn by luring them with fake profiles. In the chapter on social media, I will cover how to try to spot dodgy LinkedIn profiles so you don’t inadvertently accept a bogus connection request.

Social Engineering

Social Engineering is an attempt to commit fraud by obtaining information from individuals through deceptive means, such as lies, impersonation, tricks, bribes, blackmail, and threats. A social engineer will commonly use the telephone or internet to trick a person into revealing sensitive information or doing something that is against company policies and practices. By this method, social engineers exploit the natural tendency of a person to trust the social engineer’s word, rather than exploiting computer security holes.

Social engineering makes careful and thorough authentication more critical. Impersonators may use some of the following methods to help their scam succeed:

● Claim to be from your employer, your child’s school, or some other trusted organisation.
● Tell an emotional story, make you feel intimidated, or claim their computer is down and they cannot process the request, or make an urgent request to encourage you to bypass appropriate verification.
● Use personal information found on social media sites to persuade you to share sensitive information.

Clickjacking

Clickjacking, also known as a “UI redress attack,” is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, Inline Frames (IFrame), and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

An example of this is an attacker who builds a web site that has a button on it that says “click here for a free iPhone.” However, on top of that web page, the attacker has loaded an IFrame with your mail account, and lined up exactly the “delete all messages” button directly on top of the “free iPhone” button. The victim tries to click on the button but instead actually clicks on the invisible “delete all messages” button. In effect, the attacker has “hijacked” the user’s click, hence the name “Clickjacking.”

There are two main ways to prevent clickjacking:

● Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. (This replaces the older X-Frame-Options HTTP headers).
● Employing defensive code in the UI to ensure that the current frame is the most top level window.
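To make the two defences concrete, here is an added example (not from the book) that audits a response's anti-framing headers and shows the top-level-window check. The function names `auditFraming` and `isTopLevelWindow` are hypothetical, the header sets you pass in are your own samples, and it goes slightly beyond the text by also handling Report-Only policies and multiple policies in one header.

```javascript
// Added example: audit the anti-framing headers of an HTTP response.
// All header sets used with it are constructed samples, not real sites.

const STRENGTH = ['open', 'allowlist', 'same-origin', 'deny-all']; // weakest first

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Source list of the frame-ancestors directive in one policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

function classifySources(sources) {
  // An empty list or a lone 'none' forbids every embedding page.
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'deny-all';
  // '*' or a bare scheme such as https: lets practically any site frame the page.
  if (sources.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) return 'open';
  if (sources.every(s => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

function auditFraming(headers) {
  const notes = [];
  const enforced = getHeader(headers, 'content-security-policy');
  const reportOnly = getHeader(headers, 'content-security-policy-report-only');
  const xfo = getHeader(headers, 'x-frame-options');

  // A header may carry several comma-separated policies; each is enforced
  // independently, so the strictest frame-ancestors list is the effective one.
  const verdicts = (enforced ? enforced.split(',') : [])
    .map(frameAncestors).filter(s => s !== null).map(classifySources);

  if (reportOnly && reportOnly.split(',').some(p => frameAncestors(p) !== null)) {
    notes.push('frame-ancestors in a Report-Only policy blocks nothing');
  }
  if (verdicts.length > 0) {
    if (xfo) notes.push('X-Frame-Options is ignored when frame-ancestors is present');
    const best = Math.max(...verdicts.map(v => STRENGTH.indexOf(v)));
    return { protection: STRENGTH[best], source: 'csp', notes };
  }
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { protection: 'deny-all', source: 'x-frame-options', notes };
    if (value === 'SAMEORIGIN') return { protection: 'same-origin', source: 'x-frame-options', notes };
    notes.push('unsupported X-Frame-Options value (ALLOW-FROM is obsolete): ' + value);
  }
  return { protection: 'missing', source: null, notes };
}

// The second defence from the list: page script checks that it is the top-level window.
function isTopLevelWindow(win) {
  return win.top === win.self;
}
```

A result of `open` or `missing` means another site can still load the page in a frame, which is the precondition for the “free iPhone” overlay described above.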

SIM Swapping

Ever inventive, cyber criminals have now added SIM swapping to the list of ways to hack your life, and it’s becoming increasingly common. SIM swapping describes the scenario where someone contacts your mobile device carrier and is able to convince an employee that they are, in fact, you, using your personal data.

They usually manage to do this by using data that's been exposed in hacks or data breaches, or information you publicly share on social networks. Then they use this data to trick your mobile carrier's employee into switching the SIM card linked to your phone number, and replacing it with a SIM card in their possession.