Don’t Let Downloads Open Automatically

In your internet browser preferences, look for the option, “open files automatically after downloading” and make sure it is OFF.

This is a Safari example.

There are no “safe files”.

Opening a file is what unleashes the problems.

Those problems (malware, virus, trojan horse, whatever) can be hidden within a photo, text document, music file, and especially a PDF.

The Attack:

Visit a webpage > a file is downloaded without your consent > that box is checked > file opens > computer is compromised

The Defence:

Any service that allows you to download a file, should have this setting OFF.  Skype, chat program, email program…

Therefore, even if the file downloads automatically, you can then delete it from the downloads folder, without opening it.

 

 

The ‘USB to Ego’ Attack

A brief backstory first, to set up the attack.

I arrived at the end of Honda’s FCEV launch, extra unfortunately, because there was water involved, a simulated rainstorm, rare. Like the guy mopping up said, “ya you missed a good one”.

It was in celebration of their latest invention – hydrogen fuel cell technology. Don’t know much about it, you know how I feel about Hybrids, points to Honda for being so bold in their design (coming 2015)…

….but this is a security post, so!

I was taking the below photo, the crowd was starting to thin, and a well-dressed gentleman appeared to my left.

“Hi Keri, here’s the USB key with photos and the presentation, have a good show”. We smiled at one another, he left, I went back to photo-ing.

It wasn’t until later that it hit me, it was so perfect a moment, maybe too perfect.

The Attack:

At a busy event, it’s normal to see a face once and never again, if you notice many faces at all, because cars.

Then an “executive” appears all full of flattery… “hello, I am noticing you, you are a name, so it’s important that you get this information, because you and your opinion matter”… take this USB key, put it into you computer… pretty good right?!

Appear, praise the ego > give a USB key > melt away >
wait a few hours >access target’s computer

NOTE: I’m not at all saying this is what occurred, just that it’s in the realm of possibility (Honda and I know one-another a long time (and if this is the case, USB guy: please LinkedIn me.))

The Defence: 

Never use a USB key you find laying around in public, or from a source you don’t totally trust.

 

 

 

Always Backup Twice

Make 2 copies of the same back up.

1 copy stays with you, and 1 copy is stored offsite

Because imagine your house burnt down,
with both your computer and backup inside.

Alternative Method

Subscribe to an online backup service.

It automatically searches your computer for new files, then remotely saves and stores them for you.

(I use the main method, I haven’t decided yet if I trust the cloud)

 

 

Expand and UnMask URLs Before Clicking

URLs shorteners are used to simplify a complicated URL, for the purpose of sharing.

Shrink it to better fit into Tweets, Instagrams, make it more manageable. For example:

http://keriblog.com/car-talk/driving-a-honda-civic-si-hfp-at-the-niagara-drive-centre/

becomes

http://bit.ly/N8PrR5

Bit.ly, or Google’s goo.gl shortners are popular, good ‘ole TinyURL.

However!

It’s a blind click, just trusting that the URL
goes to where you’re expecting it to

The attack:

Phishing and social media scams use shortened URLs… example: a private message is sent, “Click here to see the photo I posted of you on Facebook!”.

Click the shortened link > hey this isn’t Facebook > it’s a website that just gifted you a virus, or malware.

The defence:

Expand the URL, “unmask it”. Then, decide if you want to click it.

Try LongURL.org or UnmaskURL.com

If your gut makes you pause, listen. Don’t click it.

Infecting your entire system irreparably, can happen with one bad click.