Is it ok to be unsafe online?

In 2022, protecting your privacy and online activities is not optional.

Everything you need to start hacking is available for free online, and by “online” I mean the “regular web” like YouTube tutorials or blogs, not the dark web or whatever hidden blackmarkets people go to buy illegal stuff or just for the thrill. I don’t see many encouraging trends, though:

  • default security settings in apps and products are often terrible or inexistent
  • convenience almost always prevails over basic security
  • most free products have a huge price in terms of privacy
  • authorities praise the sacrifice of individual freedom but it doesn’t seem to (and will probably never) bring more safety
  • many websites push users towards predictable security strategies
  • cyberattacks are skyrocketting these days (e.g., DDoS, ransomware, spear phishing)
  • while unwise attackers can end up in jail, the legal uncertainty in some countries will likely penalize more the victims than their adversaries

Permalink to heading Consequences for the users Consequences for the users

  1. the required level of attainment has been raised dramatically
  2. Internet-based services are less and less safe for the average user

In other words, becoming a script kiddie keeps getting easier, which might put a lot of people at risk, especially those who are aren’t cybersecurity-aware yet. In my experience:

  • privacy is bearly existent in products and services unless you take serious measures that can have drawbacks
  • while a decent level anonymity is possible, it takes significant efforts and often raises the curiosity
  • your protection can turn into a single point of failure (e.g., VPN, password managers, biometric authentication)
  • less and less technical background is required to use attacking tools
  • popular technologies such as NFC and QR codes are often poorly implemented and prone to attack
  • critical sectors such as healthcare or energy still rely on outdated and highly vulnerable systems
  • there are valid economic models for various threat actors

Permalink to heading What I mean by “unsafe” What I mean by “unsafe”

Your home network is not a safe place by default. You’d be surprised by the intruders’ motive, which is mostly money but not only. The “because I can” argument can be the only reason, and don’t assume your attacker will have any moral limits.

Don’t believe hackers only target public Wifi. While it’s true that MITM (Man in The Middle) attacks often happen in such favourable conditions, there are complete documentations online to hack misconfigured networks, including wireless connections.

Be also aware that script kiddies will likely attack the easy preys, as a pragmatic approach. Reused passwords, default settings, weak encryption, or misconfigured connections will make you pretty vulnerable.

Securing wireless networks (e.g., Wifi, Bluetooth) is a bit challenging, even for tech savvies. Free tools such as Aircrack-ng and many other combined with wordlists such as Rockyou can be used to crack weak Wifi passwords in minutes. Wireshark provides deep analysis and monitoring for various kinds of networks, including wireless connections.

It’s not exactly like pushing the “hacking button” and breaking into the victim’s computer but there are comprehensive tutorials on YouTube that explain the operation step by step.

Permalink to heading Read, learn, practice and reject nihilism Read, learn, practice and reject nihilism

The current threat landscape is growing fast and bad actors are even open-sourcing their databases and scripts. Advanced tools, frameworks, and distributions for hacking are available for free.

You need very little knowledge to use this arsenal. However, even if hackers are always a few steps ahead, defenders are getting better too.

The big concern is that many users neglect essential aspects of their privacy and security for more convenience or cheapest entertainment, which makes them preferred targets.

I’ve also noticed some security nihilism with the rise of zero click attacks and the huge security flaws revealed in big platforms (e.g., Facebook leaks, supposed NSA backdoors, etc), like there’s nothing you can do in the end.

Don’t give up. While experienced hackers have managed to break 2FA (2-factor authentication) and MFA (Multi-factor authentication) in specific conditions, it’s still a massive pain for most kiddies.

Security hygiene is less and less sufficient but it’s necessary:

  • share wifi passwords only with people you trust (or maybe don’t do this 🙅🏻).
  • enable additional protections, especially 2FA and MFA.
  • don’t use weak passwords (~ short passwords), don’t reuse them. It’s best if you can modify them regularly.
  • don’t rely on only one security layer to avoid the single point of failure
  • learn some basics of how some information can lead back to you, especially with JavaScript enabled
  • mask your IP address and geo-location
  • learn everything you can about isolation and compartmentalization

The more you read, learn, and practice, the more layers you will add to your defense to lift common threats and protect your privacy.