NYC Digital Safety

Wondering how to stay safe from malware? Sneak preview, it's possible to protect your data with a little bit of forethought and a whole lot of patience

 

Transcript

Davis: Welcome back, Dan. In our last episode, we discussed how folks might fall victim to scams, especially through social engineering. What are some ways that we might have these sorts of issues off at the pass?

Dan: Be skeptical in everything you do. Is this email really from the person who it claims to be from? Why is this person calling, asking me to help them in a strange way? Is my bank really calling to confirm my account data? Also, when asked for things about you, never give information when the calls come to you, especially unsolicited. If you want to do business with a bank, you call them on their posted phone number. If your mobile phone company sends you a message to confirm a SIM change, go to their website and use the official chat mechanism to ask them about it.

Don’t use the phone numbers or emails or addresses or URLs that you get during the social engineering call, because like I mentioned in a previous episode, these attackers have whole organizations that they use to make their claims look real, including answering phone calls and answering emails as the people who they claim you should be calling, all to make it seem real. If you get a call to you, make the person calling tell you the information that they want to confirm. If they want to know your phone number, ask them to tell you the one they have and you’ll confirm if it’s right or wrong. Don’t give them information, especially if the call came to you and you didn’t call them.

Don’t give suspicious callers any information, especially if the call came to you and you didn’t call them.

Davis: That is incredibly savvy. What sorts of research can we be doing to identify these types of scams?

Dan: The hovering over the link to see where it will send you is a good one. Look for fake versions of domains with small spelling errors like microsoft.com but with a zero instead of an o, or additional domains added on to the end, hoping you’ll just look at the first part see microsoft.com and think, yep that’s okay, and click it anyhow. Same with email addresses: look at the real email address of the sender. If it comes from gmail or a strange address you don’t know but pretending to be someone you do know, expect it’s fake. Also, check the links in the email to see if they go to the real domain. They’re supposed to be equally if not more skeptical with attachments before you click to open them.

Davis: Now that we know what to look out for in email, what can we do to prepare our devices?

Dan: First, have up-to-date anti-malware or endpoint protection installed on your machine, and keep those definitions up to date. It’s worth it, as those packages get constant updates on new attack types and could prevent them from executing if you do click on a link or open the attachment, but it also means you can’t get careless with attachments and links either.

For a long time, Macs had been thought to be immune, and not necessary to have endpoint protection on them, but that’s not the case. For a long time they really didn’t have enough volume of devices to make it worth building attacks for. Forward 20 years and now there’s Macs everywhere, so the malware is being built for them, just like Windows machines. Equal opportunity attackers.

Also, install and use a password manager. This is a place where you can store your passwords and autofill them into websites. The legitimate sites, of course, when you need to use them password managers also have great random password generators, since we as humans are not very good at being random when we create them. And having a place to store them means you don’t have to remember them all, which also lets you make them really complex. And only use each password one time for one service.

Have up-to-date anti-malware or endpoint protection installed on your machine, and keep those definitions up to date.

Since you should never reuse passwords, I do get asked a lot about whether it’s okay to write passwords down, and the answer is my usual: it depends. If you are at home and you have one machine that you use there and that’s all, go ahead and put them in a notebook if it means you’ll use stronger passwords and not reuse them. You’re not traveling with those passwords and the data and system all stay in your house. If you’re out and about and have a laptop or mobile phone, then it’s probably not a good idea to have your passwords in your bag along with the laptop that it’s protected by those passwords. If the bag gets nicked, they get a device and the passwords all together. Not a great idea. Use the password manager on the device make. And remember: the one difficult-to-guess password to get into the password manager and then be on your way.

Davis: On the tip of installing software, how can I tell which anti-malware software is trustworthy?

Dan: Use consumer products like Norton or McAfee or BitDefender or others you find at consumer technology stores. There are some free antivirus and anti-malware technologies, but you generally get what you pay for, and I can’t stop thinking about the adage “if you’re not paying for the product, then you likely are the product” whenever it comes to software.

When installing any software, make sure you get it from a legitimate source like the manufacturer’s actual website or the official device store like the Apple App Store, the Google Play Store. Alternative stores can be more risky, so use caution. Also, don’t install hacked or cracked versions of software, as they often also contain malware or spyware that’s added to them when the license keys were hacked away. Plus, violating license and copyright laws is against the law.

Davis: Any suggestions about how we as human beings approach technology in a philosophical sense? By which I mean, in my experience, the speed of connectivity has definitely influenced my behavior, and I sometimes approach my phone or my computer with some degree of haste.. Any suggestions for how I can make sure the sort of behavior doesn’t land me in hot water?

There’s no such thing as a stupid question. When it comes to security, we have an obligation to ask if something seems suspect or unusual.

Dan: For sure. We live in a rush rush world, and with faster speeds we get even more anxious. I grew up on 300 baud modems which transmitted slower than the screen could print characters. So always be slow and conscious about the actions you take online, whether it’s to click on a link, open an attachment, accept terms and conditions, or anything else. Think twice, act once, as we talked about in the last episode. Don’t fall victim to the urgency that comes during a social engineering attack. That urgency is trying to get you to override your own common sense about whether it’s a valid request or not. Ask questions, confirm the request, and then help out. Humans are funny creatures, but we’re also susceptible to being manipulated in this way. If we slow down, it’s much less likely that we’ll be taken advantage of.

And, finally, remember there’s no such thing as a stupid question. When it comes to security, we have an obligation to ask if something seems suspect or unusual. Ask it even if you think your question may come off as stupid. Ask how something works or why, if you don’t understand. The more we know, the harder it is to be taken advantage of. Bad actors prey on people not wanting to look or feel stupid, so they put you in situations that make you less inclined to ask. I promise you that the security and IT teams would rather you ask the question than have you get compromised in some other way.

Davis: Thank you so much for your advice, Dan. I’m looking forward to continuing our conversation in our next episode on what to do if we’ve already found ourselves on the receiving end of a hack, or if we’ve inadvertently downloaded malware so i’ll see you then.