Category Archives: Tech Tips

Reclaim Online Privacy

As we make our way around the internet, we are constantly being tracked by websites and the companies they belong to. This article will cover some basic steps you can undertake to reclaim online privacy.

Data collected via tracking is used for many purposes. Some examples include; detect number of visitors to the website, device and software being used, location of the user, and to see what other websites they have visited as to allow for more targeted advertising.

While to some users this does not matter; there are great tools available, and a few habits to break, to lower the amount of data companies obtain about you.

Owners of public WiFi may also collect data regarding users on their network.

Read the Terms & Conditions/Privacy Policy

When was the last time you read the terms & conditions or privacy policy? While at times these documents can be long and cryptic, many now use simple language explaining what data is being collected and being shared with who.

When you click ‘Agree’ you could be agreeing to anything. Always have a read through the terms & conditions and privacy policy to ensure you do actually agree with what the company is asking.

There is no middle ground; if you disagree don’t use the service.

Search Engines

Search engines, like Google, are great tools; but they love collecting data. There are alternative search engines that work just as well but are focused towards privacy.

DuckDuckGo is the search engine that doesn’t track you. DuckDuckGo uses multiple search engines to provide results – These results can vary from what you would get in Google, but are still relevant to the search terms.

Startpage is another privacy focused search engine. It runs the users search via Google, giving you Google search results without the tracking.

DuckDuckGo and Startpage do not keep records of IP address, use cookies, or keep records of the searches provided.

Browser Plugins

The EFF have two great plugins available that can help to maintain some privacy when online.

HTTPS Everywhere is a browser extension available for the major web browsers that ensures you connect to the website via HTTPS if the website support it.

Connecting to a website via HTTPS opposed to HTTP means all data being sent and received to the server in encrypted. This is especially important when entering a password on a website or entering credit card details.

Privacy Badger is a browser extension that helps to stop trackers and advertisers tracking where you go on the internet.

VPN

A VPN, or Virtual Private Network, is an encrypted tunnel from the connecting device to the VPN server stopping anyone in between seeing what data is being sent.

A VPN has multiple purposes; Many businesses use VPN to allow their employees to remotely access servers securely.

VPNs are a must if you are ever using public WiFi. This will protect you is anyone is attempting to intercept data over the WiFi connection. Without a VPN, any data sent from your machine via HTTP could be intercepted. This could include email, passwords, or other sensitive information.

Habbits

Our personal habbits can also be a breach of our privacy. We happily give out our personal details to any website that asks, whether it be email, phone numbers, or date of birth. Limit the personal information you give to websites, most of the time they don’t require it anyway.

Don’t sign up for everything with personal email address. Setting up an Alias to use as a “throw away” email is simple to do on both Hotmail and Gmail. This also makes it simple to remove junk emails by deleting the Alias.

Avoid browsing websites while signed into Facebook, Google, or other websites. When you are signed in to these services, the service is able to track websites you visit.

Use a different web browser for casual browsing and for websites requiring a sign in. Using private browsing or incognito mode will ensure the browser is fresh the next time you open a search.

Conclusion

While these steps do not give you anonymity when browsing the web, they can help to lower the amount of data websites collect about your browsing habits. More tips can be found on our ‘Tech Tips‘ page.

Tech Support Scam

A Tech Support Scam is when a scammer poses as a legitimate company offering to repair your devices they claim have been hacked or infected with malware.

There are many variants of these scams. Two common variants are cold calling and website popups.

Cold Calling

The cold calling variant is simple. The caller claims to be from a well know company (i.e. Microsoft or Telstra) and advises the victim that they have malware or someone has hacked their device, and that they are calling to help rectify the problem.

The caller will often talk the victim through the steps of opening and viewing errors in the event viewer. The errors, which do show items that may need attention on your machine, are then used by the scammer to help support their false claims.

The scammer will then talk the victim through the steps of installing remote access software, which give them access to the device, allowing them to undertake the “repair”. Before doing the “repair” they will require a credit card to charge a fee ranging anywhere between $300 to $1300, depending on the “support package” the victim agrees to. Often they will install software that can be acquired for free (or cheaply) and sell it to you at a very high mark-up.

Pop-up Message Scam

A pop-up message scam works the same as the Cold Calling scam except for the victim is the one who initialises the call.

The victim may be browsing a legitimate website that when an outbound link is clicked (i.e. an advertisement, or a link shared on social media) a pop-up message will be displayed. The pop-up message may be hard to close and will advise the user that they are infected with malware and to call a 1800 number to have the problem rectified.

These pop-up messages can be very hard to close. This is an effective method used by the scammers to trick the user into believing there is malware on their machine.

A simple trick to close the message is shutting down the device.

Example of a Tech Support Scam pop-up

Protecting Yourself

Social engineering techniques can be hard to protect yourself from. Familiarising yourself with scams can help you be vigilant if you are targeted by a scammer.

Scamwatch is run by the ACCC. It provides information to consumers and small businesses about how to recognise, avoid, and report scams.

Our Tech Tips articles also have great tips on protecting yourself online, so do check them out as well.

Vulnerabilities

Vulnerabilities are weakness that can be exploited to compromise security of computer systems. Vulnerabilities differ in severity with some being easier to attack than others. Vulnerabilities exist in software, hardware, and people.

Vulnerabilities are exploited by an attacker in both random and targeted attacks. A home computer user is mostly likely to be exploited by random attacks and it can be compared to a criminal walking a car park checking for unlocked cars. The cybercriminal does the same thing by scanning the web for known vulnerabilities in hopes to find a device that is easily exploited. Unlike the carpark analogy, a cyber-attack can be automated meaning the attacker can be scanning for 1000s of vulnerabilities all at once. Targeted attacks are when an attacker has a set target he wishes to exploit. This could be a large company or business but individuals may also become victims of targeted attacks.

Software vulnerabilities may allow an attacker to remotely execute code, steal data or take over your machine. Patching or installing the latest software and apps, updating Operating systems via Windows Updates (Software Update on Mac) and installing the latest iOS or Android build on your phone and tablet are an essential part of keeping your systems secure. A fully patched device makes a harder target for an attacker. Software vulnerabilities are likely to be exploited in random hacking attacks as well as targeted attacks. Exploiting a vulnerability can often allow the attacker to bypass any Internet Security you may have in place.

Hardware vulnerabilities are often used in targeted attacks against high value organisations but may also be used in random attacks. BadUSB is a well-known hardware vulnerability and affects the firmware of some USB sticks. The USB stick can be modified to run malicious code, without detection from antivirus. It does this by emulating a keyboard and commands are ‘typed’ in when the USB stick is inserted. The commands entered may download malware or open a back door allowing an attacker access to your machine. This kind of attack relies on the attacker exploiting the hardware and exploiting a person. It is an effective attack as it is low-cost and people, who are naturally curious will plug in USB sticks to see what is on it. USB sticks can also be used to exploit software vulnerabilities or install malware.

Social engineering is used to exploit the trusting nature and curiosity of people. It can take place as phishing via emails and website, tech support scams via the telephone, and person to person. An attacker using social engineering tactics can quite easily gain access to your system. The tech support scams that are quite common and are an effective attack. The attacker, posing as a well-known company, tells the target they have been hacked, they have malware, or their internet will be cut off it specific tasks are not taken. This is often enough to get the user to comply and the attacker will then talk the target though installing tech support software. Tech support software gives the attacker full access to your machine. They can access your photos, emails, documents, and even passwords you have stored in your web browser. Social engineering can allow an attacker to bypass all security you have in place.

Protecting against social engineering can be quite tricky as it exploits the nature of people. Some tips can be to avoid attachments and links from unknown senders – Files and links can be scanned with online services such as www.virustotal.com although this may not recognise a file designed to exploit a vulnerability. Do not enabled macros in documents. Macros allow code to run, potentially allowing malware to be downloaded onto your machine. A common threat that uses this kind of attack in ransomware. Also, avoid USB sticks that you may find laying around or unsure of the origin.

Zero-day vulnerabilities are those known by a third party but have not yet had a patch created by the vendor. These are highly sought after by cyber criminals as they have a higher success rate. Zero-day vulnerabilities are often used by exploit kits with a common attack being to deliver malware via compromised website advertising. Malvertising as it is known, is where a website delivers malware via ads displayed on their website. This is often due to weaker security of the advertising companies and not an actual breach of the website you visit. To avoid this kind of attack it is recommended to removed plugins such as Adobe Flash Player and Java and to use an AdBlocker.