Don't Get Caught in the Net

Anyone can become a victim of a cyberattack. We have therefore prepared an exciting and helpful series of advice, tips, and news for users at Masaryk University, which will help you protect your data and sensitive information from attackers.

12 Oct 2022


The name phishing (rendered in Czech as “rhybaření”) is no accident. Much like real fishing, attackers cast a line in the form of fraudulent e-mails and wait, like a fisherman for fish, until a victim takes the bait. Most often, attackers build fake login pages that closely imitate the genuine ones in order to capture the victim's login details. You might wonder why you would be an interesting target for Internet fraudsters. Let's think about it for a second. Each of us has a bank account and a profile on social networks. Each of us regularly logs into various applications or has important files stored on the computer. Criminals can, for example, trick us out of money or use our laptop and our accounts for their own purposes without our knowledge. They do this en masse (for example, with mass phishing e-mails): they literally catch their victims like a shoal of fish in a net, and the attacker profits from every fish caught. So each of us has value for the attacker, if he manages to catch us. 😉

Spam vs. phishing and how to recognize them

Do you know what spam is?
And did you know that there are harmless spam e-mails, but also dangerous kinds that can get you into trouble?

Spam is a general term for unsolicited e-mail messages, and there are several types. The tools that protect against it are constantly evolving, but so are the senders' tricks, and it will never be possible to detect every suspicious message automatically. At the same time, messages flagged as suspicious are sometimes entirely harmless. Unsolicited advertising e-mails may be annoying, but they are not harmful, whereas phishing messages, which try to lure login data out of you so that attackers can break into computers and systems, are very dangerous. Every user therefore needs to be cautious, to recognize the individual types of spam, and to know how to deal with them. What kinds are we talking about?

Commercial messages - these may not actually be spam. They can be messages you subscribed to, for example when you bought something in an e-shop or downloaded an e-book. Such e-mails should contain clearly visible information on how to unsubscribe. Do not mark such messages as spam; unsubscribe from them instead. Only if unsubscribing does not work does it make sense to mark the message as spam.

Ordinary spam - you have won millions, dead Nigerian bankers, offers of goods, medical supplies, alarming messages... Annoying but not dangerous. Just don't respond, and mark such messages as spam.

Phishing - dangerous, and aimed at obtaining users' login details. Such messages imitate service administrators (for example, bank employees) and exploit human weaknesses such as fear or the desire to get rich in order to manipulate you. They often sound urgent ("if you don't do something, we'll delete your mailbox TOMORROW!") and contain a link to a page for entering a username and password. The stolen login details are then used to attack computers, spread spam, or break into other systems. Never respond to such messages; report them immediately to your faculty administrators or to csirt@muni.cz. If the message does not ask for login details or other sensitive information (such as a bank card number), it is not phishing but regular spam.

Spear phishing - a particularly dangerous variant of phishing because it is tailored to the organization or even to the individual user. It may, for example, use MU graphics or the logo of Masaryk University, and the link may lead to a page that looks very much like the MU unified login page or the MU IS login page. Again, it is crucial not to react and to report it to the CIT or csirt@muni.cz.
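The rule of thumb above (a message that asks for login details or other sensitive data is phishing, anything else is ordinary spam, and a university-looking link that leads outside the university domain marks spear phishing) can be turned into a small triage helper. The following Python script is an added example, not code from the article or from Masaryk University; the keyword lists and the three sample messages are constructed for the illustration, and the only domain it trusts is muni.cz, taken from the reporting address in the text.

```python
from urllib.parse import urlparse

# Keyword lists are constructed for this example; a production filter
# would use far larger lists and many more signals.
CREDENTIAL_WORDS = ("password", "log in", "login", "sign in", "verify your account",
                    "card number", "pin code")
URGENCY_WORDS = ("tomorrow", "immediately", "within 24 hours", "will be deleted",
                 "suspended", "last warning")
# The university's own domain, taken from the csirt@muni.cz address in the article.
TRUSTED_DOMAINS = ("muni.cz",)
REPORT_ADDRESS = "csirt@muni.cz"


def host_of(url):
    """Hostname part of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True for the university domain itself and any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(message):
    """Classify one unsolicited message using the article's rule of thumb:
    it is phishing only if it asks for login data or other sensitive information,
    otherwise it is ordinary spam. Spear phishing is flagged when a link is dressed
    up as a university link but points outside the university domain.
    `message` is a dict with 'subject', 'body' and 'links' (list of (label, href))."""
    text = f"{message['subject']} {message['body']}".lower()
    asks_credentials = any(w in text for w in CREDENTIAL_WORDS)
    urgent = any(w in text for w in URGENCY_WORDS)
    lookalike_links = []
    for label, href in message.get("links", []):
        host = host_of(href)
        if "muni" in f"{label} {host}".lower() and not is_trusted(host):
            lookalike_links.append(href)
    if not asks_credentials:
        verdict, action = "spam", "do not reply; mark as spam"
    elif lookalike_links:
        verdict, action = "spear phishing", f"do not react; report to {REPORT_ADDRESS}"
    else:
        verdict, action = "phishing", f"do not react; report to {REPORT_ADDRESS}"
    return {
        "verdict": verdict,
        "asks_credentials": asks_credentials,
        "urgent": urgent,
        "lookalike_links": lookalike_links,
        "action": action,
    }


# Constructed sample messages (not real mail) covering the three cases above.
SAMPLE_MESSAGES = [
    {   # mimics the university, sounds urgent, asks for a login on a look-alike host
        "subject": "Your mailbox will be deleted TOMORROW",
        "body": "Log in now to keep your MU account active.",
        "links": [("MU unified login", "https://muni-login.example/sso")],
    },
    {   # generic credential harvesting, no university branding
        "subject": "Card verification required",
        "body": "Enter your card number and PIN code to unblock your card.",
        "links": [("verify here", "http://secure-bank.example/verify")],
    },
    {   # annoying but harmless: no request for sensitive data
        "subject": "You have won 10 million",
        "body": "Reply to this e-mail to claim your prize.",
        "links": [],
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = triage(m)
        print(f"{m['subject']!r:45} -> {r['verdict']:15} urgent={r['urgent']}  {r['action']}")
```

The helper assumes its input is already unsolicited mail; a genuine reminder from the university that links to its own login page would also mention logging in, so the keyword test alone is a prompt for a closer look, not a final verdict.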

What password is secure enough?

Today, most of us know that password123 isn’t a safe option. But do you know why you shouldn’t use passwords like H0usE, $0!L, or Doggie1?

The password strength

The strength of a password does not lie only in using as many special characters as possible. An attacker who sets his sights on your account won't spend weeks guessing your pet's name, favorite color, or band. He will use a more effective weapon: Internet bots. Such bots can try thousands of password combinations per minute, and it takes them little effort to find passwords that merely put special characters in expected places (see the examples above: H0usE, $0!L). Alternatively, they can use a dictionary attack: the attacker takes a dictionary of frequently used passwords and starts modifying them, typically by adding an exclamation mark or a number to the end of the word, capitalizing the first letter, and so on (see the example above: Doggie1).

A more secure option is a passphrase: a combination of several words that may make no sense to anyone else at first glance but is easy for you to remember.

How do you create one? The basis for a password you will remember easily can be a line from a poem, the view of the street from your window, or a childhood memory; there are no limits to your imagination. Three to four words will do. If you want to perfect your password, add special characters (spaces, numbers, punctuation, symbols) in random places. The result can look like this: H0OPjumpingover2fields, 3-caratringfromM., 10%chanceofbettingwithPeter, 8_kissingcoattoBlackbirds, tearingvioletswithB00Mdynamite. Cracking such a password by brute force would take millions of years.
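To make the difference between the two sections concrete, here is an added Python example (not code from the article or from Masaryk University). It replays the mutation rules described above, symbol swaps in expected places, a capital letter, a digit or symbol at the end, against a constructed six-word list, so you can see how few guesses H0usE, $0!L or Doggie1 survive, and then estimates the brute-force search space for one of the passphrases. The word list, the substitution table, the suffix list and the guessing rate are all assumptions made for the illustration.

```python
import itertools

# Constructed mini word list standing in for a real leaked-password dictionary.
WORDLIST = ["house", "soil", "doggie", "password", "summer", "dragon"]

# Look-alike substitutions that land in "expected places" (assumed table).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1"}
# Common endings bolted onto a dictionary word (assumed list).
SUFFIXES = ["", "1", "123", "!", "2022", "!1"]


def mutations(word):
    """Yield every variant of `word` built from per-letter case/leet swaps
    plus one of the common suffixes: the rule set the text describes."""
    per_char = []
    for ch in word.lower():
        opts = {ch, ch.upper()}
        opts.update(LEET.get(ch, ""))
        per_char.append(sorted(opts))
    for combo in itertools.product(*per_char):
        base = "".join(combo)
        for suffix in SUFFIXES:
            yield base + suffix


def check_against_wordlist(password, wordlist=WORDLIST):
    """Return (found, guesses). Walks the word list with the mutation rules
    and stops at the first match, counting how many guesses that took."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if candidate == password:
                return True, guesses
    return False, guesses


def charset_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_years(password, guesses_per_second):
    """Worst-case years to exhaust the whole keyspace at the given rate.
    The rate is an assumption supplied by the caller, not a figure from the article."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate, guesses per second
    for pw in ["Doggie1", "H0usE", "$0!L", "H0OPjumpingover2fields"]:
        found, guesses = check_against_wordlist(pw)
        status = "found" if found else "not found"
        print(f"{pw:25s} word list + rules: {status} after {guesses} guesses; "
              f"brute force at {rate:.0e}/s: {brute_force_years(pw, rate):.3g} years")
```

The three short passwords fall to the word list within a few thousand guesses, which at the "thousands per minute" rate quoted above is a matter of minutes; the passphrase is not in any word list, and its brute-force keyspace works out to far more than the millions of years the text mentions, even at an offline rate many orders of magnitude faster.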

Password managers: a lifesaver for the forgetful

We all also know that we should not use the same password for multiple accounts. But let's be frank: are you really following this rule? You might think, "But who can remember all those passwords?" We have good news: you don't have to remember them all yourself. That is what password managers are for. Think of one as a chest full of your passwords, encrypted with a single master password that you use to unlock it.

You can also install a browser plug-in that makes logging in to your accounts easier and, at the same time, more secure, and download the mobile application of your chosen password manager, which takes care of secure logins from your phone. The next time you log in to the MUNI Information System from your mobile on the tram, no one will be able to read your password over your shoulder, because you will no longer have to type it manually, letter by letter, number by number, symbol by symbol.

You might be thinking, “Save all my passwords in one tool? That sounds risky!” We understand the concern. Nevertheless, according to scientific research, password managers are the most reliable method. Writing passwords on a piece of paper is not a safe way to store login details, and it would be utopian to think we can keep all our passwords in our heads. That is also why most people recycle passwords, using the same one for several accounts. In the end, the password for our internet banking may be identical to the password for our Facebook account. And that is a problem: we have given the attacker two for the price of one. We don't want to make it easier for cybercriminals, do we? Our expert team can recommend, for example, Bitwarden (completely free), ESET (only in the paid version), and, for owners of Apple devices, Keychain.

How does cyber security relate to physical security?

If you have read this far, great! You have reviewed the basics of safer behavior in cyberspace. But have you ever wondered how leaving your laptop on a library desk with the screen unlocked could lead to the cancellation of your studies?

Five minutes are enough for things to go up in flames. Yes, that can happen too. If you don't log out of your accounts regularly (again, let's be honest with ourselves: are you really strict about logging out?) and, without a second thought, leave your unlocked laptop on a table in a public place, in this case the library, you are giving an attacker almost limitless possibilities to harm you. The cancellation of studies from our example will not be difficult for him: he simply opens your Information System and submits a Notice about Leaving Studies to the office. Done.

So rule number one is: NEVER leave your devices unlocked in public places, not in the library, not on the train, not in the study hall, not anywhere. Big problems can arise in a short time, so always lock your screen even if you only go to the toilet. On Windows, press Win + L. On a MacBook, press Ctrl + Shift + Eject, or Ctrl + Shift + Power on models that no longer have an Eject key. Or simply close the lid. Easy, right?

Similarly, we should not leave the office unlocked when we leave. Let's be honest: who among us carefully puts documents with sensitive data into a locked drawer every time we go to get a coffee from the machine in the hall? If we leave such documents, which can also be misused digitally, lying on the table and an attacker gets access to them, he won't think twice about exploiting the situation.

Another principle that pays off in physical security is not to lend a device you use for work and personal purposes to another person and leave it unsupervised. If we do so, we must be aware of the risk: we are handing that person all our valuables, and if they want, they can abuse them as they please. An alternative is to create a separate Guest account with limited rights for that person.

Furthermore, it is not a good idea to plug unknown physical devices (USB flash drives, SD cards, etc.) into our computer. Before plugging one in, we never know exactly what it contains. We have no idea whether, for example, it carries malware that will delete all the files on our computer, steal all our passwords, or block access to our computer and demand a ransom to restore it. If you become the victim of such an attack, we recommend that you never pay the ransom and that you report the incident to us.

Do you think you would never do this? Don't underestimate attackers; they are cunning. They deliberately leave such devices carrying malicious code in busy public places, which increases the chance that a curious person will pick one up and plug it into their computer to see what is on it. In cybersecurity, this form of deception is called baiting. But you won't be fooled, having read this article!

Last but not least, we should follow the golden rule: back up, back up, back up. Whether your valuable computer or mobile phone is stolen, infected with the malware mentioned above so that it no longer works, or dropped and broken, it pays to have your data backed up. Such misfortunes happen suddenly, without warning, and typically at the most inopportune time. Nothing new, is it? But stop for a moment and imagine that your cell phone stops working right now. Would that be a problem for you? Or would it not endanger you at all, because you were prepared and have all your essential data backed up?

If you belong to the second group, congratulations: we are glad you have learned to back up regularly, and you can now enjoy the sweet feeling of a job well done! We all know that something like this can happen to us, yet unfortunately few people back up regularly. Everyone tells themselves: "It won't happen to me today." But the opposite may be true. Don't rely on luck that nothing will happen to you; back up. In our online course Cybercompass, we have written a short guide on how to start backing up in four simple steps that you can master quickly. Go for it!

Now you know the differences between spam and phishing and how to deal with them. But that's certainly not all! We have other interesting topics prepared for you, which we will publish during October, since it is Cyber Security Month. So don't forget to follow us, so your secure passwords won't leak. Password security will be the next topic. ;)

IT MUNI CSIRT-MU Institute of Computer Science
