Keeping Community Members Safe from Hackers
TLDR — Always verify the sender of an email! Always check the URL before typing in your password! Use long, complicated passwords! Use a password manager and enable 2FA/MFA on all of your accounts! Be aware of who you are communicating with! Do not be lazy! Take security seriously!
Why this matters may seem obvious, but many users do not seriously consider the importance of staying secure online. We are a blockchain company, which makes us one of the most targeted types of startups, and as many of us have witnessed over the last few years, the number of attacks on startups in this space has increased dramatically. There are a number of very simple safeguards we can put in place to reach the highest level of security we can, but before we get to them let’s take a look at the different types of attacks.
Types of Attacks
Most users assume that hackers use magical code to “hack” computer systems, but the reality is that this is not always the most effective way to attack a system. There are a few other types of attacks that are even more effective and much harder for users to spot.
Social Engineering Attacks
Most of us have heard of phishing attacks. These attacks typically happen via email and can be quite effective. Hackers simply send an email to a user requesting private information such as passwords, or simply request that funds be sent. They accomplish this by changing the display name on their email and hope to find a busy user who doesn’t have the time to pay attention to who is actually asking for the information.
Hackers may also use this attack to get unsuspecting users to reset their password by directing them to a website that looks like one they log in to regularly, where the user gives up their credentials. Another way a hacker may exploit a user is by attaching a PDF or other file type with malicious code embedded in it.
Oftentimes phishing requests are generic — asking you to “login” to Dropbox, GSuite, or some other mainstream portal which they just assume you have an account with — such as the hack that got John Podesta. That said, when it merits the overhead on behalf of the hacker, some phishing attacks will be much more sophisticated and utilize personal data (such as impersonating a friend, colleague, or family member). Key personnel within Regen are more likely to be targeted in this sort of attack.
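The two checks the TLDR asks for (read the real address, not the display name; read the real host of a login URL) can be made mechanical. The following is an added example, not code from this guide or from Regen; the organisation domain, the trusted login hosts and the sample headers and URLs are all constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed values for the example: the organisation's own mail domain, a
# short name it is known by, and the only hosts where staff should ever type
# a Google password.
TRUSTED_MAIL_DOMAIN = "example.org"
ORG_NAME = "example org"
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "mail.google.com", "drive.google.com"}


def check_sender(from_header: str) -> dict:
    """Separate the display name from the real address in a From: header.

    'internal' is decided by the address domain alone; 'name_mismatch' flags
    the trick described above, where the display name claims the organisation
    (or even contains an @example.org address) but the real address is elsewhere.
    """
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    internal = domain == TRUSTED_MAIL_DOMAIN
    lowered = display_name.lower()
    claims_org = ORG_NAME in lowered or ("@" + TRUSTED_MAIL_DOMAIN) in lowered
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "internal": internal,
        "name_mismatch": claims_org and not internal,
    }


def login_url_is_trusted(url: str) -> bool:
    """True only for https URLs whose real host is one of the trusted hosts.

    urlsplit().hostname already strips userinfo, so a URL such as
    https://accounts.google.com@evil.test/ resolves to 'evil.test', and a
    lookalike subdomain such as accounts.google.com.evil.test is simply not
    in the set: the whole host must match, not a recognisable prefix.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and host in TRUSTED_LOGIN_HOSTS
```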
Information Gathering (Data Mining)
This type of attack may not be as obvious to a user because it can happen over a longer period of time, and users on Discord or other chat forums such as Telegram are typically the most vulnerable to it. Hackers simply befriend a user inside a company and try to gather as much information as possible. We are all human, and when choosing passwords or security questions we typically use something we can remember. Have you ever filled out those security questions when signing up for an account on a website? Questions such as what elementary school you went to, what your favorite type of food is, and what your childhood best friend’s name was are examples of commonly used security questions. They are common because they are easy to remember, and they pose a security risk because hackers know the questions and can gather the answers from users.
Even though this may not be the most successful type of attack in today’s world, it is still very common. Basically, hackers exploit the fact that users are only human and will use short passwords that are actually common among many users. There is software that everyone has access to which lets a hacker’s computer guess passwords against a system automatically. There are also lists of passwords that have been used over the years, which hackers have stored in what are called rainbow tables.
There are many other types of attacks but for the purpose of this guide we will stick to the most basic kinds.
All Systems are Vulnerable
No system is safe from attacks and nothing is 100 percent secure. There is no foolproof way to keep everything safe from attack, including Google Drive, email and computer hardware, but we can try our hardest to keep these systems as secure as possible by following security best practices.
When it comes to security, the best thing a user can do is pay attention. Be aware of the fact that you are a target and that hackers, especially in our industry, will try to exploit you in any manner possible. Be aware of who you are communicating with and what you are communicating to them. It is absolutely of the utmost importance that we are aware of the types of attacks hackers may use to get inside our systems or accounts. Luckily, we can follow some easy steps to try to thwart these attacks.
Gmail and Google Drive
This is probably the easiest section of this guide to follow. When sending emails, always make sure you know who you are sending the email to. It might even be a good idea to CC or BCC someone in your department so that a couple of pairs of eyes are paying attention. As I explained above, hackers commonly send emails that appear to be from within the organization but are not (carefully read the email address itself — not just the name of the sender).
When sharing links to documents on Google Drive, think about the concept of need-to-know. Does the person you are sharing the document with actually need access to it? Do they need edit permissions? Sadly, attacks commonly come from within organizations, so always be aware of who you are giving access to, what level of access you are giving, and why.
If you are required to send an encrypted message, most commonly when sending private information, it is recommended that you use software that uses PGP encryption. This may require some technical knowledge and may not be easy to accomplish. If you need to use software such as Keybase, please reach out to someone who knows how to use PGP and Keybase. Typically someone on the development team will know how to use this and should be able to guide you through setting it up. Keybase can be used on your laptop or your mobile device and is highly recommended for sending encrypted messages. You can of course reach out to me for more instructions on this.
Hackers try to gain access to sensitive information and systems by obtaining user passwords. Our passwords are the key to our failure and the key to our success, and we must take absolute care of them. Below is a list of best practices for creating and storing passwords. These must be followed and are not something to pass over as redundant information. It is absolutely necessary that we as a company follow these guidelines.
- Create complicated passwords
- DO NOT use something you can easily remember
- Use NON-repeating characters
- Make your passwords 8 to 12 characters long or longer
- Use special characters and whenever possible a space or two — Put these throughout your password
- DO NOT write passwords down where they can be found
- Use a password manager — KeePassX, Google password manager, 1Password
- DO NOT use the same password for multiple accounts — Hackers may sell or share your passwords with others
- Change passwords often — Every couple of months is ideal
I know it seems complicated, that it might be a hindrance to continually change passwords, and that remembering long, complicated passwords you are not allowed to write down is going to be hard. The password manager bullet above, however, is going to be a lifesaver for us. Password managers are a very convenient way of keeping track of your passwords, they can create complicated passwords for you, and they are encrypted themselves. Please learn how to use them and do use them!
2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication)
In today’s world, even long, complicated passwords may not be enough to secure your systems or accounts. Computers are very powerful and hackers, with enough time, may be able to crack your passwords; for this reason 2FA and MFA exist. As the name suggests, 2FA uses a second layer of security to protect your systems or accounts. Typically this second layer is in the form of an email, a text message or a secret code. Multi-factor authentication uses a combination of them. MFA is the most secure form of authentication and makes it very hard for hackers to get into your accounts even if they have your password.
It is required that we use 2FA at a minimum, and MFA whenever possible. Typically 2FA/MFA are not enabled when an account is created, and it is up to the user to go into their security settings and enable them. Before you can use 2FA/MFA with authentication codes you will need to download an authenticator. It is recommended that users use either Google Authenticator or OTPAuth on their mobile device. Once installed, follow the common steps below to enable this second layer of security on the account of your choosing, e.g. Gmail.
- Access your settings and click on security
- Enable 2FA or MFA
- Open your authenticator and scan the QR code
- Store this QR code somewhere safe (not on the same device as your authenticator)
- Enter the code from your authenticator
Sometimes you will have the option of receiving a text message instead of using your authenticator. Unless you have the option of using both, choose the authenticator over text messaging, as some cell carriers make it quite easy for a hacker to port your phone number by impersonating you and claiming to have a new phone.
The last important piece of security is securing our hardware. In our industry we are not typically working from an office with security badge access; instead we work from coffee shops, co-working spaces, the beach or any number of public spaces. This means that we are vulnerable to prying eyes and glances from others. There are a couple of best practices we can follow to protect our information while in public.
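The scan-the-QR-code step works because the QR code carries a shared secret: your authenticator and the service both derive the same six-digit code from that secret and the current 30-second time step, which is also why the saved QR code must be kept as carefully as a password. The following is an added example, not code from this guide, from Google Authenticator or from OTPAuth, showing that derivation (RFC 6238, using the RFC’s published test secret) and the kind of server-side check a service performs; the otpauth URI is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlsplit

# RFC 6238 Appendix B test secret (the ASCII bytes "12345678901234567890"), base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def secret_from_otpauth_uri(uri: str) -> str:
    """Extract the base32 secret from an otpauth://totp/... URI, the text a 2FA QR code encodes."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return parse_qs(parts.query)["secret"][0]


def totp(secret_b32: str, for_time=None, digits: int = 6) -> str:
    """Code the authenticator shows: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if for_time is None else for_time
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def verify_totp(secret_b32: str, submitted: str, now: float, window: int = 1) -> bool:
    """Server side: accept the current step or one step either side to tolerate clock drift.

    Codes are compared in constant time so the comparison itself leaks nothing.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```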
- Use screen privacy protectors
- Use passwords to login to your machine, and require them after sleep (not just from boot)
- Always logout when not at your machine
- Whenever possible, don’t leave your computer or mobile device unattended
- Use a passcode to secure your mobile device
- Set your mobile devices to go to sleep after a short period of inactivity (such as two minutes)
- Don’t discuss confidential subject matter in public places!
I hope this gives everyone some good working knowledge of security and of best practices for staying secure in this information age. This is not everything, and I recommend taking the time to learn more about best practices, but it should at least give you a great starting point. I cannot stress enough how important it is to follow all of the above practices. I know it seems hard and that there are some extra steps involved in staying secure, but you do not want to be the reason our systems or accounts are compromised!