As someone who is interested in privacy and data security, I try to keep up on the topics and to be aware of the various threats that exist online and offline. This repo is to pull together some of the information I find myself repeating a lot and make it accessible to people in an easy format.
So first off,
A data breach is when an attacker gains unauthorized access to information, such as personal, sensitive, or confidential information. Data breaches are all too common these days and companies seem to treat them as a cost of doing business.
After a data breach, the sensitive information that has been obtained is typically sold, traded, leveraged against you, used to pivot into another attack, or released publicly.
In some cases, the data obtained in a breach may be sold to data brokers, who then sell the information to other organizations, often for marketing purposes. These organizations may use the information for targeted advertising, sales leads, or to make decisions about you.
In other cases, stalkers, abusive exes, and the like use it to find and harass their victims.
It's important to understand that once your personal information is available online, it's incredibly difficult to remove, and it can be used for malicious purposes for years to come.
I like to categorize breaches into two broad types: meat-based and silicon-based. Meat breaches primarily exploit a human to gain access, whereas silicon breaches exploit bugs or misconfigurations in software and systems. The distinction can get a bit fuzzy (a phished password is often just the first step toward a misconfigured server), but it'll do for an overview.
Social engineering attacks are methods used by attackers to manipulate individuals into divulging confidential information or performing actions that compromise security. Here are a few of the more common types:
Phishing 🎣: Tricking individuals into revealing personal or sensitive information, often through fake emails or websites that impersonate a legitimate source.
Vishing 📞: Voice phishing, where the attacker calls and pretends to be from a legitimate organization to obtain sensitive information.
Pretexting 🎬: The attacker invents a plausible scenario (a fabricated identity or business need) that requires the victim to hand over personal information or take some action.
Watering Hole Attacks: Compromising a website that the target individual or organization is known to visit, so that a site they already trust delivers malware or a credential-harvesting page to its regular visitors.
Baiting 💾: A physical attack where an attacker leaves a malicious device, such as a USB drive, in a public place in the hope that someone will pick it up and plug it into their computer.
One of the more interesting attacks I've seen in the past couple of years was QR spoofing: replacing the QR code for the menu at a local cafe with a malicious one that directed the user's phone to an alternate site with an evil PDF version of the menu. Since COVID, we've become so used to scanning QR codes to check in or view menus without making contact that it's become a legitimate means of targeting certain groups (like the pricey cafe across from Amazon's downtown buildings).
Bad actors often use pressure tactics to push individuals into taking immediate action, focusing on the negative consequences if the victim does not comply with the request.
Some common ways of generating pressure are:
Urgency 🏃: Creating a sense of urgency, such as a deadline for payment or a service about to be disconnected.
Authority: Pretending to be from a government agency, law enforcement, or a company executive in order to scare the victim into complying with the request.
Fear 😱: Threatening the victim with negative consequences, such as arrest or loss of personal information, if they do not comply with the request.
Duty: Appealing to the victim's sense of duty, responsibility, or compassion.
Greed 💸: Making an offer that's too good to pass up, like unclaimed lottery winnings, rebates, and the like.
The goal of pressure tactics is to keep you from taking the time to think carefully and critically about the situation. If you feel pressured, step back, verify the communication through a channel you already trust (the number on the back of your card, the organization's official website, not the number or link in the message itself), and ask yourself whether the request seems reasonable before taking any action.
Bad actors can use Open-Source Intelligence (OSINT) to gather information about their victims, including personal details, movements, and online activity. By using publicly available information from sources such as social media, public records, and online forums, they can build a comprehensive profile of their target.
For example, a stalker may use social media to track the victim's location and movements, gather information about their relationships and activities, and monitor their online behavior. Public records such as property records, voting records, and court records can also be used to gather information about the victim's address, employment, and other personal details.
Attackers can exploit bugs and misconfigurations in applications, servers, or databases to gain access to sensitive data. Software bugs are errors in code that can be used to bypass security controls, while misconfigurations occur when software is not set up and maintained properly, leaving it exposed. Common examples include public APIs that lack authentication or return far more fields than the client needs, databases and storage buckets left open to the internet, user data stored unencrypted, and passwords stored in plaintext or as a fast, unsalted hash that can be cracked at scale once the database leaks.
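As an added example (not code from the original repo), here is what the credential half of that paragraph looks like in practice: an insecure store that keeps passwords in plaintext or as an unsalted MD5, next to a hardened version that uses a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) and a constant-time comparison. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real accounts.
# Two users deliberately share a password so the storage difference shows.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_insecure(password: str) -> dict:
    """How breached databases often look: the password itself, or a fast
    unsalted hash. Every user with the same password gets the same MD5, and a
    fast hash lets an attacker test billions of guesses per second offline."""
    return {
        "plaintext": password,
        "md5": hashlib.md5(password.encode("utf-8")).hexdigest(),
    }


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. The random per-user salt defeats precomputed tables
    and hides which users share a password; the iteration count makes each
    offline guess expensive. Salt and parameters are stored alongside the
    digest so the record can be verified (and later upgraded)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_looks_identical(store) -> bool:
    """True when two users who share a password produce identical stored
    records, which is exactly what someone sifting a breach dump looks for."""
    records = [store(pw) for pw in SAMPLE_USERS.values()]
    return records[0] == records[1]


if __name__ == "__main__":
    print("insecure store reveals shared passwords:", same_password_looks_identical(store_insecure))
    print("hardened store reveals shared passwords:", same_password_looks_identical(hash_password))
    record = hash_password(SAMPLE_USERS["alice"])
    print("correct password verifies:", verify_password(SAMPLE_USERS["alice"], record))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3", record))
```

The point for a user is the "cost of doing business" line above: whether a leaked password database is a minor incident or an immediate account takeover depends entirely on which of these two shapes the company chose, and you have no way of knowing in advance. That is why unique passwords per site matter: a leak from the weakest site then cannot be replayed anywhere else.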
While there's no silver bullet to protect yourself from data theft, there are a host of things you can do to minimize the risk and the potential damage.
Use strong, unique passwords for every account, and use a password manager so you don't have to remember them.
Enable two-factor authentication (2FA) on every account that offers it; an authenticator app or hardware key is stronger than SMS codes. 💻📱
Keep your software and operating system up to date, including your browser. 🛠️
Don't click on links or open files from unknown or suspicious sources.
Regularly back up important data to an external hard drive or cloud storage. 💾
Don't use untrusted devices (shared or borrowed computers) for anything sensitive. 🤨
Use a VPN if you have to connect to or through untrusted networks (like public WiFi), keeping in mind that this moves your trust to the VPN provider, so pick one you actually trust. 🎯
Unfortunately, a lot of the onus for protecting your data falls on companies who are notoriously bad at keeping it safe. To minimize the risk and the potential damage in this case, you can do some of the following:
Close unused accounts and request deletion of their data. ⚡
Remove any unnecessary information you can from sites and services you use.
Pollute your data: make it less useful to, and more work for, anyone trying to exploit it.
Use anonymous accounts unless you need them to be tied to your real identity. 🥷
Don't overshare. You can have full, rich interactions online without disclosing everything about yourself.