The internet can often be a useful tool to communicate and engage with online communities. However, at times it can be a dangerous climate for those unfamiliar with the very present threats which follow in its shadow. Fortunately, there exists a plethora of information out there explaining how one should go about protecting themselves on the internet. This information can often be monotonous and difficult to summarize into practice. In this article we’ll walk you through the steps you need to take to protect yourself online and provide the community with a reference which can be relied on for internet safety.
This post has been organized into sections to make it easier to reference specific elements of the article for the purposes of educating members of the community about such topics. The goal of this article is clear; to spread awareness about these issues and share knowledge which can help combat them. For this reason, I’ve chosen a primarily transparent approach. As opposed to blindly offering advice in the hopes that it’ll be acted upon; I’ll explain the initial issue we wish to rectify and offer a range of potential actions one can take to help protect themselves from said issue. Above all else, the most important thing is to remain level headed about these risks. Historically speaking, threat actors within the CPA community have only had a fundamental level of skill with a limited range of tools at their disposal. This has primarily been limited to doxxing and ddosing (although occasionally ratting and other forms of malware).
Disclosure of Personal Information
One of the most obvious ways to prevent your personal information from falling into the hands of a threat actor is by not disclosing it in the first place. This limits the possible methods through which an attacker could find your information. Sharing personally identifiable information with people inside the community can allow someone to build up a profile of your over time. This includes, but is not limited to; names, phone numbers, home addresses and email addresses. It should be noted that other types of personal information such as the country or city in which you reside or your age can also be useful to an attacker. This kind of information won’t in and of itself identify you, but it will allow a threat actor to verify who you are at a later stage if they happen upon some personally identifiable information.
Social Media Linking
Commonly attackers will use social media profiles to identify people. This is because social media is one of the few ‘profiles’ which contains your personally identifiable information. They can attempt to pivot from your online profile to a personal profile. An obvious method of doing so is through Discord where users will commonly link their other profiles such as Youtube, Instagram, Twitch and Twitter (among others). These profiles open attackers up to an entirely new attack surface for identifying personal information. YouTube can often expose a user’s email address; Twitter can link to a user’s personal Twitter accounts and so on. Even the username used on these accounts can be searched to uncover accounts on other websites such as Steam (which may reveal a location and profiles of friends you know from your real life). This is all a possibility because a Discord account links directly to these profiles. It’s critical that these chain links are broken; and not just in one place. Every step along the chain should be obfuscated so that it becomes an impenetrable task to move onto the next. Steps one can take to combat this include unlinking their social media profiles from their Discord accounts, not sharing social media accounts which contain a username associated with personal accounts and not using a personal email address (more on this below).
Email Address Safety
The email address is the one piece of information routinely thrown around the internet. Despite this, it serves as a digital fingerprint like no other. Email addresses follow you throughout your online endeavours. They’re used on most websites which you sign up to. You may have an email address dedicated to your specific alias but is it one which you have, at some point, linked to your true identity? Email addresses can be recovered from database dumps (websites which have been previously hacked and their data made publicly available online). A useful tool to identify what websites your data may have been exposed in is HaveIBeenPwned.
This can expose information such as IP addresses, usernames, hashed passwords and other information stored by these web services. It’s worth mentioning that recovering hashed passwords to plaintext is a trivial task; the complexity of which entirely depends on the hashing algorithm implemented. This further reinforces the importance of using a unique password across every website.
Perhaps it would be even more useful if it were possible to use a unique email address across every website too. One tool which is available to make this a reality is known as a temporary email address provider. It creates a unique email address which can be used to receive emails. It’s not recommended for accounts that you intend on using long term (as these can be accessed by anyone usually) but it can often be considered generally good practice to use these services when registered throwaway accounts. Tempmail is an example of one such service. There are other services which allow you to quickly create a new email address with a password which can also be a good option. By using a unique email address across such services, it makes it very difficult for someone to piece the entire puzzle together.
There has long been debate about the ramifications of having one’s IP address fall into the hands of an attacker. Threat actors which exist within the community at present are not thought to have achieved a level of sophistication to carry out much more than a DDoS using an IP address. This being said, it has also presented a risk by leaking certain information such as an approximate location or the ISP with which the user is signed up to. There is little point in going into the details of more sophisticated attacks but if more sophisticated threat actors were to begin operating within the community, it would in theory be possible for more damage to be done with an IP address such as recovering personally identifiable information or even accessing the user’s network. Such attacks haven’t been seen to great extents in recent years but their occurrence has been increasing. Any webpage you visit can see your IP address along with other information. An example can be found below. We hope this will enlighten users about the dangers of visiting untrustworthy websites.
CPAHQ has not logged the above information. For your protection we have relied on a third party service to display the above content. This illustrates the data that can be logged when you visit any website.
Thankfully there are many steps one can take to prevent their IP address being leaked. One of the most popular is through the use of a VPN service. ProtonVPN is a good free option but there are paid options too which can offer a better user experience and faster speeds. This will mask your IP address. General browsing hygiene is also useful to combat this; such as actively avoiding any suspicious links.
Try to use a unique passwords for every account you own. As previously mentioned, it’s possible for a threat actor to recover your password from a leaked database using your email address. From here, they could try to log into your accounts. Most browsers include built-in password vault managers that allow you to save passwords for specific sites. It is recommended that you either use these, or another popular and trusted password vault. These will allow you to save really long and secure passwords for us across each site. Otherwise, ensure your password is long and a mix of numbers, letters and symbols. Avoid obvious patterns or known information such as your name or alias.
It can be useful to enable services such as 2fa on your accounts. This is particularly useful across websites like Discord or WordPress. It will prevent an attacker who has found your password from being able to log in and actually access your account. Enabling it is easy and it’s widely supported. If you are a website administrator or run a Discord server, it’s also possible to implement stricter 2fa policies so that staff members must have it enabled. This is useful in preventing a threat actor from gaining access to a privileged account.
This follows on from what has been previously established around clicking suspicious links. Currently, threat actors within the community will require a user to download and run a specific file to install malware on their device. It’s considered extremely unlikely that one could infect themselves with malware from simply clicking a link. Such an attack requires a complex browser exploit which is not presently a concern for this community. However, threat actors will be able to infect users if they download and run code or compile code which is sent to them. Avoid suspicious downloads and certainly avoid copying any code you receive into your browser console or other areas.
What You Can Do
It is recommended that server administrators take extreme precautions when it comes to member safety. Having an internet safety officer appointed in your server, who is responsible for ensuring the safety of users, could be a great way of maintaining security within your server. The following tasks could be carried out to ensure user safety:
- Ensure users do not have any social media profiles linked to their Discord
- Inform troops of the importance of internet safety
- Declare rules which prevent the sharing of personally identifiable information
- Enact strict punishments against members who do not comply with safety regulations
- Recommend the use of random passwords/temporary emails when signing up to third party websites
- Explain how users can set up a VPN to prevent their IP address from becoming compromised
In the event your information is posted in the public domain, or some event of a similar nature occurs, it’s often the case that people can inherit some irrational behaviour. Therefore it is paramount that there exists some simple steps which can be followed to offer some degree of protection. It’s important to remember that the most useful action you can take is to immediately contact a server administrator who can provide you with some helpful information about dealing with this. This can be a difficult situation to do deal with alone; relying on community administrators for assistance could be vital in helping you deal with such an occurrence.
Internet safety is incredibly important in the digital age. With a few simple steps; you can ensure that you remain safe while you browse online. This way, you can enjoy a safe, online existence while you engage with your respective communities. Every precaution you take is another link in the chain broken, which makes it more difficult for a threat actor to target you. The best time to begin practicing good digital hygiene is now!
Written by Jack283
Leave a reply