Everyone has had that moment when someone they know, who is already on Facebook, sends another friend request. The recipient clicks on the link in the message, only to later see the same person posting, 'Don’t expect friend requests from me, I’ve been hacked.' Or perhaps you're concerned about someone accessing your baby monitor but don't know how hackers do it. Maybe you're the one who has numerous passwords written down and is too afraid to use a password manager. If you answered yes to any of these examples, this article is for you.
Here are my tips and tricks for you to fortify your digital defenses at home and in your personal life.
Facebook Security 101: If you are going to be on social media and not be a victim, you need to know how to protect yourself from cybercriminals. I am sure you have had a moment when someone sends you a friend request or a Facebook message and it looked “sketchy” to you. You didn’t open it, and soon, you see a post about that person getting “Hacked.”
The attack the cyber criminals use is relatively easy to compose. All they need to do is buy an available domain name and hope you don’t notice when you are redirected to a webpage they own but clone Facebook for your credentials to harvest. Got that? Allow me to explain.
The internet operates on something called “DNS” Domain Naming System. If it didn’t exist, it would make your web surfing very difficult. Why do you ask? Well, it’s because every internet site around the world actually has a numerical identifier but uses DNS to make it easier to remember an internet site. An example would be when you search for Amazon.com, you search for Amazon.
If DNS did not exist, you would search for Amazon using a numerical sequence of 104 dot something in the browser, it would make your shopping difficult, and you probably wouldn’t remember the numerical sequence. Welcome to DNS! It’s a love/hate relationship among IT professionals around the world.
The most common attack vector for a cybercriminal to compromise your Facebook account is to send you a friend request. It’s not a real request which is hurtful if you ask me. To make the attack successful, the cybercriminal will buy a domain name, and it can be anything because they are hoping you will not focus on the domain name and only on the pretty Facebook login page you are so fond of seeing every day.
Most of the attacks are in the narrative below. Someone sends you a message about some pictures they found of you. You can either click the link or you can be like me and say, ‘Enjoy the pictures.”
If you are the daring type and actually click the link, it will magically transport you to another page that looks like the Facebook login page. Here is where you will input your username and password so you can log into Facebook…..NO!! You will do no such thing; keep reading this article to protect yourself.
The reason why these attacks are so successful is because the cybercriminal is hoping you cannot read or care about what is so obvious. If we look at the top of the screen, we should see a Facebook where there is a “wb5sys.us.” This is a malicious domain that is owned by the cybercriminal used to harvest your credentials to Facebook. To make it more convincing, they use free software to clone the actual Facebook login page to convince you to input your credentials. So…friend request denied!!!
What can you do to prevent yourself from becoming a victim? You can follow these steps to keep yourself safe.
You can usually find an instance of a baby monitor being hacked. It’s something that frightens parents or anyone who requires there be a camera in their family member’s room. Such a story was published by the New York Post titled “I heard a strange man talk to my daughter in her room — our baby monitor was hacked.” The article is about an Australian family who had their VTech baby hacked by an intruder and the intruder was making sounds on the monitor.
Commenters on the parents’ video said the Wi-Fi feature may be to blame for the invasion of privacy. If you are a parent like me, you understand the importance of Wi-Fi-enabled devices. Was Wi-Fi really the catalyst for this story that led an intruder to access the baby monitor? Yes and no. In this example, the parents are using a VTech baby monitor, and we should read the user manual on best practices for WI-FI security.
So, if the family in the article followed all the steps located in VTech’s Wi-Fi security recommendations, how did the attacker gain access to the baby monitor? Elementary my dear Watson. There are a few scenarios, but I will use the top two that I can think of for a successful attack.
For this attack to be successful, the attacker would have to achieve the following items first.
After gaining access to the network, I use a network scanner to see what network devices are available to access. The picture below shows that I do see that there is a VTech baby monitor available but it does not have any communication ports available for me to connect to. Even though I am not able to access the baby monitor directly, I know the name of the baby monitor. This is beneficial because since I am on the network now, I can install the app for VTech and add the monitor to my device list.
This will give the attacker access to the baby monitor, and they will be able to talk through it. Giving the parent and child years of needed therapy.
Since there are no open ports on the baby monitor for me to communicate through, I downloaded the VTech baby monitor app so I could use the baby monitor. VTech has a website that has a wonderful “How To” section on how to add a device to your app.
After downloading and installing the app, you can scan the network and search for the baby monitor. After you find the baby monitor, you can add it to your device list. This gives the attacker the ability to access the baby monitor and interact with it.
This scenario is more involved than the first example and requires more technical experience to execute. The attacker will need to be in close vicinity to the Wi-Fi they wish to attack. In order to capture the password for the Wi-Fi, the attacker will need a few items.
For this attack to be successful, the attacker will want to capture a device successfully connecting to the network. We call this the handshake aka the password. The best way for us to accomplish this is to run an attack against the connected device and kick it from the network. It will attempt to reconnect, allowing us to capture the handshake. After the attacker captures the handshake, they will then need to crack the password with a wordlist, and we know passwords can be weak.
Follow the VTECH Wi-Fi security recommendations.
Everyone receives an email or alert at some point about their password being seen on the “Dark Web.” Do not be discouraged because it’s just a password, and it can be changed or maybe you don’t use the account associated with the password. Sometimes, it’s the password you use for Facebook, and you start to sweat over it. Well, towel off because you look awful, and people are staring at you.
How do you create a secure password, remember it, and utilize it effectively when you want? There are numerous websites devoted to creating new passwords for you to use. Let’s face it, passwords are an out-of-date concept, but we still need them. A password should be 8 characters or more containing at least a number or symbol. You can even add spaces if that helps. The longer the better but most importantly, you need to remember it. How do you accomplish this task? Strap in, and let me show you.
For secure password generation, you can use a variety of tools. For the sake of time, I will name two and show you how they work. Since most of the world is in a constant mobile state, we will first look at the Apple IOS password built-in generator. The great feature of the Apple password generator is you can use FACE ID to automatically sign into the accounts you create the passwords for. You will not need to remember passwords using this feature.
For anyone who does not have an iPhone, I would suggest using a webpage to create a secure password. I would recommend the 1Password generator. When you use the 1Password generator, you have the ability to create a password matching all criteria needed.
You also have the ability to copy and paste to whatever password manager you are using.
What does someone do with so many passwords to so many websites and apps? Well, you need a manager to keep everything so you don’t have to remember it. To quickly summarize, using the same password for every website and app is an open invitation for hackers to access all of your accounts. That's because passwords regularly leak, and a leaked password on one site can give hackers access to all your other accounts if you use the same password everywhere.
It's best, then, to use a totally different password on every site, but no human being can remember that many passwords. My suggestion is the password manager on your iPhone. One of the best “How to guides” is an article published by Forbes called “How To Save Passwords On iPhone (2024 Guide).”
As someone who makes a living as a tech safety expert, I have been asked if Alexa can be hacked. I always answer with this: If it’s connected to Wi-Fi, then it is always possible to a degree. There have been some articles about exploiting the Echo Dot but most of them require the attacker to take the Echo apart and solder some parts and then get you to purchase the Echo or install it on your network. Here are some scenarios and safe practices about the Echo Dot.
Voice Squatting - One of the biggest security risks around Alexa right now is fake skills – also known as Voice Squatting. Researchers were able to register skills that sounded like popular incumbents, using accents and mispronunciations to illicit unwitting installations. The study created Alexa skills and Google Actions that hoovered up slight nuances in people’s commands. This exploit has been closed by Amazon.
However, it’s still a good job to monitor the skills you have installed via the Alexa app. With some skills looking for payment information and boasting the ability to hook up with other services, and the low barrier for installation of skills, this is a problem that might not go away too quickly.
The connected home hack - You can set Echo up as the center of your smart home array. It’s easy to do, and we certainly wouldn’t advise anyone against it. It is worth bearing in mind, though, that Alexa will talk to anyone. Amazon’s virtual assistant doesn’t come with any kind of voice recognition authentication constraints.
So, in theory, if you put Echo within earshot of the outside world, then a stranger standing near your windows, or your front or back door, could start making requests for Alexa. So, they could turn your lights off and on, tamper with your heating or, even, possibly, unlock your doors.
Voice history hack - This one’s an extension of ‘voice squatting’ that was discovered by cybersecurity firm Check Point Research in August 2020 but has been fixed by Amazon. CPR found that your entire voice history could be made available to a hacker with just one click of a fraudulent link that surreptitiously installed a rogue skill.
There’s not a huge amount of value in nicking hours and hours of recordings of you setting timers and turning your lights on and off, but the data could potentially be used to trick voice verification systems and even create audio deepfakes. When it comes to smart devices such as the Alexa Dot, if there is a fear of having a device steal sensitive information or listen in on your conversations, there are some safeguards that will help.