June 10, 2021

2183

0

Author: Billie Walden

Cybersecurity Expert Breaks Down 10 Myths About Data Protection

In recent years, the number of cases of internet fraud in one form or another have only increased. In addition to viruses and other malware, there are methods of social engineering that sometimes work successfully. At the same time, many rumors and myths have accumulated around internet security, which only simplifies the “work” of attackers.

Learn more about social engineering here.

Today we’ve collected for you 10 common beliefs about computer security and asked a cybersecurity expert to comment on each of them.

“I have a good antivirus program — so I’m safe.”

— It is not so much the cost of the security solution itself that is important, as its reliability, the expert noted. When choosing an antivirus, you can rely on international independent tests: AV-Test or AV-Comparatives.

First, you need to look at the quality of protection. How successfully does the solution block known and still unknown threats? In addition, it is convenient when a vendor offers products for protecting both computers and mobile devices.

Be sure to pay attention to whether the solution has anti-phishing technologies, protection of online payments, and whether it can block malicious advertising banners.

“Antiviruses block lots of harmless files, so I do not use protection and everything is fine with my computer.”

Here, everything is not so clear: even if a file or program seems harmless, it can nevertheless hide malicious software. In addition, virus developers know how to lull the user’s attention.

— In some languages, words are written from right to left. In “Unicode,” the standard character set, it is possible to change the direction of typing. This is one vulnerability the attackers have used. For example, let’s say a malicious Trojan file is being created with a “.js” extension. The virus writers rename it, for example, like this: “cool_picture*U+202E*gnp.js.” Here “U+202E” is the Unicode override that will write the following letters and punctuation marks from right to left. As a result, the file name will look like this: “cool_picture. png.” Now it seems that the file extension is “.png” (a normal picture), but it is still a Trojan.

The scheme has been known for a long time, and many products have successfully protected against it. But the attackers are also aware that everything new is actually well-forgotten old. In 2018, they used this technique for the first time in Telegram, and many users fell for this bait again.

Also, scammers monitor trends in user behavior and understand what people can fall for. For example, attackers recently distributed malware under the guise of Netflix series.

— They added the names of popular shows to advertising and malware programs. Among the files found were Trojans with various kinds of functionality, allowing for example to delete or block data, as well as spyware with which you can steal photos and passwords from online banking.

“Why pay for an antivirus when there are free versions?”

— Another popular opinion: for home use, a free antivirus, which seems to be no worse than a paid one, is enough. If you really have to choose between a free antivirus and no antivirus at all, then, of course, the first option is better, the expert said.

— But it should still be a licensed solution (not a pirated version) from a well-known, reliable vendor. An unlicensed version or free software from an unknown developer can be ineffective and dangerous. Another possible disadvantage of many free solutions that you should be aware of: often such products collect a lot of data about the user.

As a rule, the paid version offers more advanced protection and additional functionality: a password manager, online payment protection, and a solution for children’s online security.

“I don’t store anything valuable on my computer — so there’s nothing to protect.”

This logic can be used by people who use a computer for routine household tasks, like watching movies, reading the news, making a few documents in a text editor, or playing games. However, it is much more complicated.

— Any person who has access to the internet is a potential target of intruders. They may not be very interested in what is directly on the device, but they can, for example, send a link to a phishing site to extract card data, use a Trojan to steal credentials from accounts, or use a ransomware program to demand money for returning your access to the device. In this case, it is unlikely that you will still think you didn’t keep anything valuable or important on it, the expert said.

Moreover, in recent years, hackers have adapted software for mining “crypts” with the popularization of cryptocurrencies. In addition, attackers can use the computer of an unsuspecting user for hacker attacks.

— For example, some time ago we investigated the Loapi Trojan, which uses a smartphone to mine Monero tokens. This function can overheat the device due to prolonged operation of the processor at maximum load.

*Note: There are also programs known as stealers. They steal information, including from the browser and data from crypto wallets, gaming platforms, and files from the desktop.

“There are almost no viruses on macOS and Linux, so an antivirus is not needed for them.”

There is an opinion that due to its popularity, Windows is of the greatest interest to hackers, and therefore viruses for this system are the most important. And, they say, if you choose something less common like macOS or Linux, then you can relax. But this is a big mistake.

— The number of threats to macOS is growing year by year. Moreover, we are talking not only about viruses, Trojans and other malicious programs, but also about online fraud, including phishing, and unwanted advertising. You might think, what is so bad about advertising? Unwanted advertising applications (adware), firstly, can greatly slow down the operation of the device, and secondly, collect large amounts of data secretly from the user, which then may find its way to the servers of third parties.

With Linux, the situation is the same. According to the expert, attackers have been paying more and more attention to this operating system in recent years. Plus, do not forget about the scams and phishing: no operating system is immune from them.

There is a big myth: it is believed that there are no viruses on iOS. However, this is not the case, and malicious software is found even on a very closed platform. But most often, hackers steal Apple IDs. Once they get it, they can arrange very unpleasant things for the account owner, for example locking the device and demanding a ransom for unlocking it, or getting access to personal data (photos, notes) as well as to other devices to which the Apple ID is linked.

“I don’t use general flash drives, and I don’t visit “bad” sites — there is no place to catch viruses, so I don’t need an antivirus.”

This is another common misconception. The fact is that, in addition to viruses and other “bad” software, social engineering methods are widely used. And even if you don’t download anything, it’s not the computer that’s at risk, but the person himself — vishing is aimed at psychology.

— No one is immune to traps that exploit ordinary human emotions like fear, shame, curiosity, greed. And, unfortunately, the attackers use them very skillfully. Let’s remember that phone fraud is on the increase and last year, for example, phishing emails and fake pages for various social payments, including those related to the coronavirus, were very common.

A scam is understood as fraud when a user is offered a monetary reward for minor efforts, such as completing a survey. At the same time, the amounts are neither too small nor particularly large, so that the prize seems plausible. After passing such a survey or questionnaire, the users are usually asked to make a “security payment” (about 5 dollars), after which the scammers disappear.

“The privacy/anonymity mode of the browser will completely protect me from surveillance of my activity on the internet.”

In fact, “incognito” mode is not as incognito as the name suggests. Indeed, the browser does not save the search history, sites visited, or cookies. However, your provider still sees all the activity, so there is no question of complete anonymity.

“I don’t save my card details in the browser, so it’s safer if my account is stolen.”

In part, this method can be considered effective, but it does not guarantee complete security in every case. The fact is that the creators of browsers, by default, assume that you have well protected your device and account. Therefore, expert says, a program running from your account on your computer can potentially get and decrypt the data because it supposedly acts on your behalf. However, this is malicious software called a stealer — and it steals information even from the browser.

The specialist’s recommendation is as follows:

— For storing valuable files, it is better to use special solutions, such as password managers that have such functionality. If you still keep passwords in the browser, set a master password to protect yourself and then use different passwords for different accounts.

“If the URL string contains an HTTPS certificate, the site is definitely real.”

The materials on network security advise you to pay attention to the HTTPS connection, which supposedly means high security. But this is a misinterpretation of how the protocol works and is issued.

— This only means that the site has been issued a certificate and a pair of cryptographic keys has been generated for it. Such a site encrypts the information transmitted from the user to the site and from the site to the user; that is, the information exchanged between the browser and the site will not be able to get third parties — providers, network administrators, attackers who decided to intercept traffic, and so on. But the green padlock and the issued certificate do not say anything about the site itself.

That is, a phishing page can also have an HTTPS certificate, and it will encrypt all your interactions with the site. However, the username and password that you enter on such a page will be stolen if the site itself is fake.

“I’m not a well-known person, so my data is not interesting to hackers.”

Do you remember the scandal with the theft of personal photos of movie stars from iCloud? Of course, a lot of public people were under attack then. But there may be an argument: if I am a very ordinary person and take standard family photos from vacation, why do attackers need them? Any personal information is very popular on the darknet.

— At the end of last year, we investigated the offers on the darknet and found that, for example, bank card data costs $6-20 on the black market, and passport scans from $6 to $15.

Moreover, the data may not be sold. Doxing is becoming popular nowadays — searching and publishing personal information about internet users without their consent. Attackers do not blackmail a person, demanding money, but simply for the sake of causing harm to the victim, they distribute their data.

10 cybersecurity tips from an expert

1. 1. Do not click on questionable links in mail, messengers or social networks, and do not click on advertising banners on suspicious sites.
2. 2. Carefully check the website address in the address bar before entering any payment details.
3. 3. For online shopping, it is better to have a separate card, such as a virtual one, and keep small amounts on it with daily withdrawal limits.
4. 4. If the online store is unknown, it is better to check the information about the domain on special WHOIS services: if it is completely fresh and registered to a private person, you should not buy anything there.
5. 5. Update your installed apps and operating system regularly.
6. 6. Use unique strong and different passwords for all your accounts (at least 12 characters with letters in different case and special characters). It is better to use password managers to store passwords.
7. 7. In those services that allow it, set up two-factor authorization.
8. 8. Download apps only from official stores and periodically check what programs are installed on your device.
9. 9. Pay attention to which apps on your smartphone have access to your personal information and what permissions they have been granted. Do not give apps permissions that they do not need. For example, the flashlight app clearly doesn’t need access to photos or contacts.
10. 10. Update your social media privacy settings.

Don’t forget our top cybersecurity tip: if you want to stay protected and not give hackers a chance to hack you and steal your data, use Utopia P2P. Forget about online surveillance and data leaks!