Fabian Bräunlein and Lukas Euler – the folks behind Positive Security – know this better than most. They work to provide companies with a holistic view of their security posture and identify ways to efficiently improve it.
Since September, they’ve set up their basecamp in Berlin right here at betahaus. They’re kicking off an IT Security Office Hour where they can answer your toughest cybersecurity questions. And today, they're sharing their expertise right here as part of our Experts in beta series.
Ready to delve into hacking, why people get hacked, and what to do if it happens to you? You're probably more vulnerable than you think. Here’s what the experts at Positive Security have to say.
Positive Security is a hacking research collective and consulting firm founded by two alumni of renowned Berlin-based IT Security company SRLabs. They’re one part hacking, one part engineering, one part strategizing, but everything they’re working on has them on the cutting edge of security research.
Originally, the term hacking was used to describe a general playful-creative approach to technology. Nowadays it’s mostly used to describe the practice of researching and applying methods for breaching defenses and exploiting weaknesses in a computer system or network.
These weaknesses can take up a vast variety of different forms, but at the core they are typically based on an unintended and unexpected bit of exposure or functionality.
A hacker will always look for the easiest route to the data or system they want to access. For computer systems accessible by authorized individuals, the easiest route for a hacker oftentimes involves manipulating such an individual. In this post we will be exploring the most common cybersecurity attacks targeted at individuals.
There are quite a few, but below, we've outlined some of the most common cybersecurity threats and shared some simple tips to avoid them.
Brute Force is one of the simplest attacks imaginable: the attacker attempts to login to an account by trying out many different common passwords. Credential Stuffing attacks are a little more sophisticated in that they are based on username and password combinations recovered from previous data breaches. They typically have a higher success rate than Brute Force attacks, and are not targeted at a specific account. You are at risk if you’re using:
Phishing is when a target is contacted (often via email) by someone posing as another institution or individual to trick them into disclosing sensitive data or performing critical actions. To avoid phishing...
Malware is any malicious software that causes damage or gives the attacker unauthorized access to a system. To avoid malware from an attachment/ad...
Untrustworthy download portals often bundle malware with installers for known (free or paid) software. To avoid malware bundled with desired software...
Outdated software needs to be updated to avoid vulnerabilities that have been patched by the developer in updates. To avoid outdated vulnerable software...
Malicious commands/self-XSS are when an attacker tricks their victim into executing a malicious command which gives the hacker access to the victim’s account or device somehow. For example there are “tutorials” on “how to hack somebody’s Facebook account” which ask you to paste a code snippet in your browser’s developer console. The executed code would then compromise your Facebook account, rather than the one of your intended target.
An important note: Be extra vigilant in untrusted or open networks like public WiFi hotspots. In 2020, most websites and apps use transport encryption (https) to protect from attacks by a malicious WiFi endpoint or user. However, some still don't, or may be vulnerable due to mistakes in configuration. Triple-check https and the correct domain for login forms and downloads. By using a VPN, you can ensure that your communication can not be intercepted by a hacker in the local network (however, please note that now the VPN provider can access the information that was previously exposed to that hacker).
The most important step towards improving your personal cybersecurity is proper password hygeine. In 2020, you really need to be doing each of the following:
While some of these do not reduce the likelihood of a compromise, they will aid you significantly in dealing with the fallout and locking the attackers out again as quickly as possible.
This means checking primary or multiple secondary sources, even for advice from well trusted support forums. When doing a web search to troubleshoot a problem, you'll often come across proposed solutions like "install utility X" or "change setting Y to Z". In such a case it's best to follow up with another search to verify some of the following things before doing what the proposed solution suggests:
Attacks like XSS and CSRF require you to open a malicious link while being logged in to a specific website. 3rd party browser extensions are sometimes compromised by a malicious entity and can be used to spy on your activity online. You can counter these threats by working with multiple browsers or browser profiles:
This container extension for Firefox (created by the developers of Firefox) presents another approach to separating your different “online lives” which some might find more convenient for everyday use. If you click a malicious link in your social media container, it will not result in a successful XSS or CSRF attack on the accounts you’ve only logged in to from your online banking container.
Unfortunately, this is not always fully clear. There is no test which could tell you with 100% certainty that you were not hacked. However, if you observe any of these behaviors, it can be a strong indicator that you were hacked:
Indicators of compromise for devices
Indicators of compromise for online accounts
We recommend subscribing to notifications from trusted breach monitoring services like haveibeenpwned to be alerted as early as possible when a breach in an online service might put you at danger.
For all password change operations below, follow the secure password guidelines from above.
If a device gets compromised...
If an online account gets compromised...
Experts in beta is a series for the betahaus Magazine where we ask experts from our community to share their insight on a specific topic or question that is relevant to their area of expertise. Take a look at our events calendar for upcoming events and office hours where you can take a deeper dive into these topics.