It's been a long while since I've updated my blog. Ever since I became a full-time pen-tester, I've been approached by multiple contacts, both random people and acquaintances, with the following:
1. Can you hack into this other person's WhatsApp, FB, social media, website, etc.? Followed by a very long story of why this is necessary, i.e. jilted lover, cheating spouses, long-lost contact, asking for a friend, etc.
2. Would you like to work for some xxx regime to provide training or hacking services?
3. Someone sent me an email claiming to have taken compromising pictures/videos of me after I browsed some porn website. He says he has my private info and threatens to publish it to all my social media contacts, and he is now asking for a ransom in bitcoin. What do I do?
4. Can I get hacked by browsing porn websites?
5. How do I know if someone is spying on my device?
6. Is it safe to use FB, WhatsApp, Gmail or other social media products/services?
7. Is Mac more secure than Windows, is iOS more secure than Android?
8. Where can I learn more about online security?
9. Can I become a hacker?
10. Should I buy a commercial antivirus for my PC and phone?
Answers:
1. No, why not? Because it is illegal.
2. No, why not? Because I don't want to get caught up in someone else's war, conflict or politics. Security testing is a professional service that identifies vulnerabilities so organizations can proactively secure their systems; it is not there to serve someone's illicit gain, whether for profit or a political cause.
3. Firstly, do a simple Google search on the content of his email; very likely you will find it is a scam. Always take precautions when uploading/posting private info online to avoid it falling into the wrong hands. Better still, do not voluntarily give out your personal info such as DoB, residential address, age, sex, etc. to any website that asks for it. If you have never voluntarily exposed sensitive info/pictures of yourself, you have nothing to worry about. Remember, your private data is only as secure as the org that holds it.
4. Not just porn websites: any site that is loaded with the right browser exploit can compromise/execute code on your machine if your browser is not properly patched. This is often called a 0-click exploit. The good news is that client-side browser exploits (0day exploits) are hard to come by and are usually sold to and used by selected nation-state actors or campaigns. They are rarely used to hack the average Joe unless you are on some watch/wanted list. Even if your browser is properly patched, you can still accidentally execute code if you unknowingly or knowingly download and/or click on some executable binary or link from some dodgy website. Almost all well-known web browsers nowadays have built-in security to warn users and prevent them from unknowingly executing malicious code. I would be more concerned about simple online security practices, i.e. always keep your device and web browser updated with the latest security patches, don't click on unknown links, don't voluntarily give out private data, use 2-factor auth for your important web accounts, and don't install apps if you are unsure where they came from. That would keep you 99% out of harm's way.
5. This is often a difficult question to answer. It depends on why you are asking: did you notice something unusual about your device? Is it slower than normal, does your webcam suddenly activate without user interaction, are you getting weird messages/pop-ups on your device? Unless your device is thoroughly examined by an IT forensics expert, it is difficult to ascertain whether it was compromised. The best course of action is to reinstall the device's operating system or factory reset it completely.
6. The word "safe" depends on how you define safe. Social media is a double-edged sword. It is useful but can be abused. If you are paranoid about privacy, don't use it at all. The service is free because it collects private info about you, which is used for marketing/advertisement purposes; you accepted the terms and conditions when you signed up. It can be unsafe if you share all your private info for the world to see. This can lead to identity fraud.
7. This is subjective. Apple products are known to be more locked down, to prevent users from making silly mistakes that can compromise their security. Privacy concerns are still a matter of accepting the terms and conditions of use of the product and service. While it is assumed that American and European companies are bound by stricter privacy laws, law enforcement agencies do have access to your data when required. The word secure/safe is subjective and depends on how you define secure. "Dummy proof" would be a better term to describe Apple products.
8. There are thousands of materials online, some good, some not. I would go to YouTube and Google, search for specific topics of interest and do your own research.
9. The term 'hacker' is an over-glorified term used in Hollywood movies to portray rebellious teens in their mom's basement hacking NORAD. The professional term is penetration tester or security tester. Yes, I would recommend offensive security courses if you are keen.
10. It is up to you; it is like wearing a raincoat in case it rains. I usually don't use AVs as I am confident in best practices, but I would recommend one if you are paranoid about security.