Go to the Support Web Site

❌ - Rough works

✔️ - Published

• (a) Never set your password as the name of any of you family members or loved ones.

• (b) Never have a password of fewer than 10 characters.

• (c) Never use your phone numbers as your password

• (d) Never use any regular combination "1234567890" i.e 1234, 12345, 01234... as your password

• (e) Never use birthday of yours or your loved ones as your password

• (f) Never use Cuss words as your password

• (a) Update your devices regularly(OS, Softwares, Firewall etc)

• (b) Consider switching-off the PC or disconnecting the WiFi when you’re not using it.

• (c) Enable second layers of authentication(also called two-factor authentication).

• (d) Don’t re-use the same password for all the different website logins.

• (e) Don't connect your device to a public/unknown Network(WiFi, Bluetooth, Hotspot) but in case you have to, don't share personal data or make online transactions.

• (f) Be suspicious of any of the emails that you might receive from outside the organization & NEVER open attachments(unless you're really sure)

• (a) LEVEL 1: Novice- Less than 10 characters long password

• (b) LEVEL 2: Master- More than 14 characters with at least a special character or a digits in it.

• (c) LEVEL 3: Grandmaster- Between 14 and 20 characters with the irregularly used words in our daily conversations.

• (d) LEVEL 4: Zen- More than 22 characters contributed by four irregularly used words in our daily conversations(adding a special character between words is a plus).

• Step 1: Break Long Passwords into three parts:- Master(M), Unique(U), Number(N)
• Step 2: Master- Constant throughout all websites; it would take two words(e.g griffithCones)
• Step 3: Unique- Only unique part for all the passwords(e.g rubikF!b for Facebook, gm!lrubik for Gmail etc)
• Step 4: Number- Come up with a number based on a fixed formula decided by special character used in the Step 3.(e.g- ! means addition to me, so my Gmail value would be g+m+a+i+l =42)
• Step 5: My Gmail password maybe "griffithConesgm!rubik42"(you may change the order of M,U,N)

• (a) Avoid installing any browser extensions(consult IT team if you must).

• (b) Don't give your browsers the access to remember your username and password for you

• (c) Develop the habit of cleaning your browser data at regular interval of time. by using Ctrl+Shift+Delete

• (d) Don't allow a website to send notifications or pop-ups to your browser

• (e) Always update your browser whenever there's is an update.

• Never Consider your loved one's names, birthdays or any significant dates in your password.

• Never use any daily used words or your domain specific words in your password

• Never use your favorites(movies,location,actor etc.) in your password.

• Malicious WhatsApp hacks are tricking more users to surrender their accounts to attackers which initiates the chain reaction. The following changes help in countering the threat.

• 1. Enable Two-step verification: (Settings>Account>Two-step verification) by clicking Enable; where you'll be asked for a 6-digits PIN followed by backup e-mail(in case you forget the PIN). NEVER SHARE THIS PIN.

• 2. Multimedia: Files sent to you are saved to the album on your phone by default which isn't safe as an unknown user might send a hiding malicious code which might run malware or put down your entire phone(while media files viewed within WhatsApp is safe). Turning-off the auto-save option would help. iPhone: Settings>Chats>Save to Camera Roll(turn-off), Android: Settings>Chats>Media Visibility(turn-off).

• 3. Protecting Privacy: Managing last seen, adding to groups etc., Common convention is change everything(Last Seen, Profile photo,About,Groups,Status etc) to My contacts. Path: Settings>Privacy>_(here you need to make changes)

• Never keep any app in your phone that you don't generally use(you may download it whenever needed) as some big names at Android platforms have not updated the libraries used within their own software(as per Forbes) which invite major threats.

• Always check the last updated date of the app at play store before installing and customize it whenever you install them(e.g. Enabling 2-FA, Turn-off auto save multimedia files, hide e-mail/mobile numbers, etc.)

• Never download an image/video from social media unless you're sure of the source or click on any random links that you might have received(online/text message).

It's always great to remember your long password(covered in 1.4) but PMs are helpful as well.

• (a) Ease factor: You just need to remember only one Master Password. That's it.
• (b) Security Advantage: You are forever secured from whole lot of attack types(e.g. Keylogger attacks) as PMs allow you to copy your passwords which you may use by pasting at the login time.
• (c) Popular PMs: 1Password, LastPass are some popular PMs to consider.

2FA adds an another layer to your security on top of your Passwords, but there are few things that you need to know before applying them to your accounts.

• (a) Cons to 2FA: Some popular examples of 2FA are OTP messages, Authenticator app etc.,Which are connected through an another device(phones generally), if your device is lost, you might be on the verge of losing your accounts' accessibility.

• (b) Overcoming the Cons of 2FA: Use Multi-Factor Authentication(another layer on top of 2FA), it might be your backup mail, some personal questions etc., so that even if you lose your device, you would have an another way to access your account.

• **

• **

• (a) If you receive any phishing link which might look like- https://facebo0k.tinylink.com/marketplace/321234, https://amaz0n.in/reset-password among the many, these are scam mails

• (b) Go to this google's report phishing page: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en and enter the URL and click submit report

• (c) You may go for google voice abuse report as well if there's any phone number provided by the scammer

• (d) These steps would help google to take the site down or at least alert other users when they visit the link

• (a) Never do it from a device that isn't your own.
• (b) Make sure you're using safe network.
• (c) Never Save your card details in an online account
• (d) Always verify your transactions on regular intervals to make sure there is not anything fishy going on.

• (a) It's very easy to put a compiled virus into a USB(Pen drive, Hard disk, etc.) and take down your entire system's data in a matter of seconds
• (b) Taking images shot of your entire system file tree is also possible and that too in the matter of a few minutes.
• (c) So, deeply thank this IT policy for the greater good, so that it doesn't hurt you even if you mistakenly plug it in.

• Step 1: Make a list of all your digital accounts(Facebook, Twitter, Reddit etc.)
• Step 2: Set strong password for all of them(1.3 might help in this).
• (c)Step 3: Delete the accounts you haven't used in the past six months.

• Even the legit and most trusted websites can be compromised, some basic cyber etiquette might help minimize the risk by not adding confidential details(e.g.Bank account details, PAN cards), avoiding random quizzes(chances of social engineering),controlling the urge to connect all you social media accounts.
• There are plenty of attacks that happen without user action(clicking or downloading data etc.) - it's called drive-by attacks; Updating your software/browser plugins consistently, by stop using privileged account(e.g. use Guru & Jana mail id only for the work purposes.),Disable Java, JavaScript(put trusted websites that requires it on white list) etc.
• Even if you're a cyber security expert, there are still plenty of vulnerabilities that can be exploited to get you, so always question anything irregular and at the same time, introspect whether the way you're approaching the web is secure?

• Yes, you read it right(we'll discuss the 'how' in the later section). but your password can't be received by hackers in the plain text format(it's encrypted).
• Which means the hackers have to put in an efforts to decrypt your password(stronger the password harder it is to crack)
• Did you know that the recent Big Basket data breach, which later was put on the dark web by hackers; out of which, about 22.5% of the passwords were decrypted within 5 hours

• A Cookie is stored at your local system: your browser sends a request to the server, but the server sends back two things: the page you asked for and a little text file(called a cookie) that your browser then saves.

• After it is saved, every time that browser makes a request to that same server,it sends the cookie along with it.

• So, the cookie could contain your preferences(say you choose dark mode), browser would now send a "dark mode" preference in the cookie, every single request until the cookie is cleared from the browser even if you restart your system.

• Don't tick the "Remember Me" option while logging in to a website(like Facebook, Google etc.), it allows them to track you all around the web that's why these websites display precise adverts that you might be thinking.

• Keep clearing your browser cookies at regular intervals and use the "reader mode" while reading a blog/news to avoid unnecessary newsletters of popups.

• Most of the websites ask for the consent to use your cookie, Never give them the permission to use it.

• Interruption: It doesn't contain those irritating adverts imposed on the page, you won't be forced to provide your e-mail for the newsletter amidst reading a blog at a website.

• Security: Websites can't force your browser to mine cryptocurrency for them in the background until your presence at their site

• Ease: you may as well turn the page to an audiobook.

• Under the General Data Protection Regulation(GDPR) which was passed in 2018(amended from the one passed in 2016 ), it's not just "no cookies without consent" but "no tracking without consent".

• That's the reason why you might see a lot of websites(even in India) ask for you approval to track cookies. Never allow it.

• The potential minimum fine is 4% of company's global annual revenue(not profit) or 20 million euro whichever is higher.

• Don’t trust unsupported claims..

• Verify the information from at least 3 credible sources.

• Maintain a critical attitude towards the information you receive.

• Question the claims you find difficult to believe (and even those easy to believe).

It’s a simple and useful tool offered by Facebook.

• Log out of unused apps (which can compromise your data)

• Get login alerts (so no one else gets into your account).

• Protect your password (by making it stronger).

• Start here:

  https://www.facebook.com/help/799880743466869

Try asking these questions to yourself

• Have you not saved any passwords in your browser?
• Do you have no browser history?.
• Do you never send emails with documents and other information in them?

Alone, these data might not be a threat, but assembling information about you from other sources like your public information from your social media profile, stuff you’ve posted on forums, your email address, etc. would gives them a big picture of your online habits, which might be used to steal your online identity and/or use it against you.

• Online reviews(for a product/service)at Google, Ola, Amazon etc. can be used by hackers to social-engineer the target. A review alone might not seem harmful but a collection them has a huge value and it is good enough to crack the thinking pattern of a person.

• You as a person can easily be judged and henceforth manipulated by your online reviews, which is already being used by certain powerful institutions(Politics, Corporations,Cyber Criminals) to enforce certain behavioral alterations by targeting your sub-conscious minds in order to seize your free-will.

• So Next time when you're about to write a review online, DON'T just consider yourself as an exclusive host(who gives the review) but you might easily be used as a product as well.

• WHY: It is quite easy to cluster the target audience at LinkedIn as everyone provides their professional designation, their place of origin and of course those posts, which is nothing short of a gold mine for a hacker.

• HOW: The pursuit to attracting a potential employer/employee forces people to put as much information as they can in order to paint themselves unique(which helps in estimating the salary which then leads to their lifestyle that results in the process of Social-Engineering) and that's how LinkedIn became a hacker's paradise.

• Being mindful and aware that you have these data exposed which can be misused is the only way to minimize this issue, coz even LinkedIn can't stop scrapping of your data from its website.

• Justpay had a huge data breach where more than 3.5 Crore records were compromised, although the officials claim that the leaked data were masked card data & fingerprint(which is non-sensitive info) which is obviously an official statement

• Try not adding your card details with any online portals despite the fact that it provides a single click payment which is fast and easy, but the downside is just too costly.

• Try to provide least information to any of the online portals, coz they just aren't capable enough to protect it.

❌Rough Works for Cookies

• After it is saved, every time that browser makes a request to that same server,it sends the cookie along with it.

• So, the cookie could contain your preferences(say you choose dark mode), browser would now send a "dark mode" preference in the cookie, every single request until the cookie is cleared from the browser even if you restart your system.

• A cookie could be used for authentication: After you've logged into a site, that site sends your browser a cookie, that's a long random string of characters, but no-one except the server and that cookie have that long string of characters, it can act like a password: browser sends it back along with every page request, and that's why you don't need to provide your user credential every time you go to the next page of a website.

• Despite strict rules(i.e only the site that set the cookie can read it back), because the way the web is built, sites can include material from other server(pulling image from other server, some scripting code, even an entire website, included in the frame) and all those other servers could set and read their own cookies( called third part cookies).

• So when web pages included advertising, those adverts came from the advertising company's servers, so these advertisers could set a cookie that tracked people across the entire web.

• If the same company partnered with a loads of websites, they could start building up some very detailed profiles, although they might not know who you are at first, but based on your activity(your visit to the home town website, then your college website, that website about a very specific medical condition then you bought something from an online store, so they can work behind the scenes, combine the details from that shop and their cookies and add your name and address to your profile.

• All those fancy share with Facebook,Twitter buttons could report back to them where you're going and also tailor adverts based on your site recent activity online. which is why you could be on a site that seems to be completely disconnected from these social media platforms and still see adverts that were uncannily linked to the things that you have been thinking about.

• Cambridge Analytica has proved the doubts of the regulators(that advertising companies are having enormous databases) right on basically everything that people might be thinking, which might be a bit of a privacy problem. EU's 'cookie law' was the result of it.

Consent to place cookies: why it is not helpful? how ad agencies are countering it?

1. Isn't a well particularly well thought-out, because "consent" requires clicking ok, and if there is a confusing box in between the average person and the article they want to read, nearly everyone is going to click ok.

2. So by this point, browser makers(like Firefox) were starting to give users options to block third-party cookies anyways, so advertisers were adjusting, they were tracking people not through cookies but through "fingerprinting": looking at all the apparently innocent indivisual quirks of how that exact computer was set up and how it rendered a webpage.e.g- The fonts you had installed , the size of your moniter, the website you've visited in the past; all things that indivisually appear innocent and safe but which together uniquely identify each person.

3. Due to which browser makers and advertisers ended up in an odd war with each other about privacy: occasionally a civil war, given that one of the most popular browsers(Google Chrome) and also one of the major advertiser(Google Search Engine) were under the same corporate umbrella.

4. So, later the General Data Protection Regulation(GDPR) in EU put even stronger requirement in place , atleast for EU citizens.Which resulted in Not just "no cookies without consent": no tracking without consent. At all times, the user must have full knowledge what they are signing up for, and must consent to it even if the compant is not in the EU. Even if the company is not in the EU. Even if they're storing dataon EU citizens "outside", it still applies to them.

5. The potential minimum fine is 4% of company's global annual revnue(not profit) or 20 million euro whichever is higher. upto this point some of you might be thinking that, EU can't fine some of the american companies, for sure they can't but they can easily stop them to do business in the EU if they don't pay.

6. So all the advertisers had two options(unless they manage to find some other loophole)

(a) Stop tracking people (b) Add a big box on each page saying "hey is it okay we track you?" and legally you should be able to click "NO" and still access the site. Opting out should be a simple, one-click process, and any one of you who have been web lately knows it's often not true.

7. So yes, atleast some of those popups and frustrations are because of advertisers, certainly they normalized the idea of intrusive popup boxes.

8 ...but why can they put those boxes there in the first place?

The web is built around the freedom of design . it's one of the most fundamental principles: within the box that the web browser gives you, a designer can put almost anything. For decade after decade after decades, programmers have pushed the limits of what's possible: someone even managed to emulate an entire Windows 95 computer in the web browser(not the webpage that looks like Windows 95, but the entire virtual machine that thinks it's running on regular computer hardware, but it's actually just simulated in code, in a browser.) and that's incredible, give people the power to create and some will make amazing things, but some would look at the ability to run almost any codeand put almost anything on the screen, atleast within that box and go, ...maybe i can get more newsletters signups if i interrupt the reader or maybe i can make people's browsersmine cryptocurrency in the background while they're on my site, so the war starts again, that's why most web browsers now have a seperate view that you can switch into, that shows just the text you want. It might be called "article view" or "reader mode". The browser tries to figure out what the main content is, what the user actually wants to see, and puts just that text on screen, stripping out the adverts, removing all the popup boxes and yes losing all the creativity and design that the web allows. But that reader view is a lot closer to what the internet really means: a place for information and a way to find it afterwards. Ofcourse there are already techniques to detect and defeat reader view, and make sure the reader has to see the adverts, or the newsletter popups, or whatever else there is...

• (a) Visit this google link: https://www.google.com/advanced_image_search?hl=en&fg=1&q=images&sa=X&ved=2ahUKEwjS7MPh2eXsAhVDfn0KHXFSDA8Qo_oBegQIARAK.

• (b) Enter the image keyword that you want to search in Find image with... section.

• (c) Select Creative Commons licences in the usage rights section and click Advanced Search

• (a) Step 1: Don’t click on any links, attachment that you were not expecting even if it sounds obvious( we’ll discuss it why in our Social-engineering section)

• (b) Step 2. Confirm the sender's mail-id carefully before opening any file.

• (c) Step 3. Ask the sender for the credibility of the file if you encounter anything fishy.

• (a) First look at the questions asked in the Q&A section and check whether the questions that you have has already been asked or not?

• (b) If it’s already there, don’t repeat it,instead consider upvoting or liking the question; it would mean that you too have the same question to ask.

• (c) Try not using social media lingo(FYI, BTW, FOMO etc.) and be precise while asking any question.

• (a) Don't trust the google search results blindly(especially the ads that is shown at the top of every search results)
• (b) Don't trust the Customer care numbers provided by google for a service provider at the top of its results(it might be an ad by a scammer)
• (c) Most service providers(like swiggy, Yulu etc) these days have no customer care number, they provide services through their app itself.
• (d) Never trust or approve any transaction requests made at your UPI without confirmation, it's irreversible.

• (a) WHAT- It's the most impactfult strategy(nothing to do with programs or servers) used by hackers to decode/guess your password based on your social activity(social media, friend circle, domain of work, etc.).
• (b) WHO- Members/Partners who are active speakers at public platforms(Seminars/Webinars) are the potential targets of this threat.
• (c) HOW- Say partner A is the speaker at ICAI, and a hacker got to know this information, what he/she can do is just send an email with an attachment(keylogger, virus, etc.) designating him/her as an ICAI member, even the most aware one of us might fall for this ploy.

• (a) ASK- Always ask questions when in doubt(even if you've to authenticate it from multiple sources).
• (b) Access- Never grant any additional privileges to a third party(client, colleague, etc.) without permission.
• (c) Analyze- Before answering any question to an irregular party, think of possible repercussions of your act(if in doubt, IT is always there to help you).

• (a) Do frequent data backups in multiple locations.
• (b) Don't keep vital information only on your computer.
• (c) Never access .zip attachments in your inbox from an unknown sender.

• (a) Check if a website link starts with https and NOT http.
• (b) S is key here as a website starting with https encrypts the data you put in the website and data you get from it.
• (c) If a website doesn't start with https, DON'T give them confidential info(card details, Aadhaar/PAN, address etc.).

• (a) Check your recent activity(if you see it being accessed at some odd time, immediately inform the IT team).
• (b) Your account involvement(e.g. Avoid syncing your Guru & Jana mail to different websites, especially your browser add-ons/extensions).
• (c) Consider Enabling the 2-step verification or use the Authenticator app to login(as recommended by IT team).

• (a) Use filters and mark e-mails as spam to help your email provider(google/microsoft/iCloud etc.) block it more effectively.
• (b) Disable the automatic downloading of HTML graphics in your mails.
• (c) Never click on links or download open attachments in spam mails

• Don't check-in at airport/railway stations when you're leaving for vacation.
• Don't check-in on Instagram/Facebook when you take those holiday pictures.
• REASON: The more data is about you online, the more cyber criminals can gather and use to compromise you. In some cases, this info can be used to break into your house while you're away.

Three common tricks you may come across

• Shocking or fake celebrity news, cyver criminals would use anything to draw your attention.
• FREE stuffs(Mobile phones, Free trips, Free beauty products etc.). it always works.
• LIMITED TIME DISCOUNT: It says click here now the discount is only available for today.

• Any short link that you have no idea where they lead.
• Any e-mail or attachment link that you never requested or were expecting.
• Any shady Facebook apps(especially those who claim to let you see who visited your profile)

• So what if they don't use two-factor Authentication?. Don't compare, you use it.
• So what if they don't care about basic cyber security etiquettes(checking e-mail before opening/clicking on links or attachments, only accessing https based websites etc.)? You do it.
• So what if they don't update all their softwares or backup their data? you do it because you know it's important.

• If it's Too Good To Be True. It probably is.
• Nothing in this world is free, try to think of the possible ways they might be making money(if you're really interested in the proposal).Good old internet is always there to help you on this.
• Always check from at least three trustworthy sources: (1) Official Website, (2) Official Social Channel, check for blue tick mark (3) Legit media sources or by directly contacting the company.

• Step 1:- Visit this path: Start > Settings > System > Storage

• Step 2:- Select Temporary files in the storage breakdown. Note: If you don't see Temporary files listed, select Show more categories.

• Step 3:- Select the items you want to delete, and then select Remove files.

Always maintain more than 25% free space in the working drive, it minimizes the chances of a whole range of attacks(i.e Buffer Overflow Attack)

• Step 1:- Click on “File” > “Options”

• Step 2:- In the “Outlook Options” window, select “Trust Center”

• Step 3:- Click on the “Trust Center Settings” button

• Step 4:- Check the boxes labeled “Don’t download pictures automatically in standard HTML messages or RSS items” and “Don’t download pictures in encrypted or signed HTML email messages.” You can make a number of exceptions to the first item if you want by checking the boxes underneath it.

• Step 1:- Click on the gear icon in the upper right corner to access your settings

• Step 2:- In the “General” tab (the first one), scroll down to “Images”

• Step 3:- Select “Ask before displaying external images”

• Step 4:- Scroll down to the bottom of the page and click on “Save Changes”

• Step 1:- Select “Mail” > “Preferences”

• Step 2:- Click on the “Viewing” tab

• Step 3:- Uncheck “Load remote content in messages”

• Step 1:- Tap on the three lines in the upper left corner

• Step 2:- Scroll down to and select “Settings”

• Step 3:- Tap on the email account that you want to work with

• Step 4:- Scroll down to and select “Images”

• Step 5:- Tap on “Ask before displaying external images”

• If you didn't notice, you already have tons of check ins from your home, you also have the option to delete previous history location.

• In Facebook you’ll have to do that manually for all the photos you uploaded and turn off Location for future posts.

• In Instagram, you can Remove Geotag for all your uploaded pics.

Create completely separate email accounts with different purposes.

• One email account to subscribe to newsletters and shopping deals

• Another one for online accounts, such as your Facebook, Twitter, Ola etc.

• Different email accounts for work and personal conversations, Don't sync your priviledged Guru & Jana account: Keep it exclusively for work purposes.

• Ending support for a software means that the software had reached end-of-life, and that the software maker stops sustaining it through sales, marketing and especially through support.

• Ending support for a software means that the software maker will no longer create and implement security, performance or feature updates to that application..

• e.g.- Microsoft ended support for Windows XP in July 2014 and Apple discontinued support for QuickTime for Windows in April 2016. As a consequence, those who continue to use unsupported software expose their system to a huge range of vulnerabilities.

• Cyber attackers are not exactly trustworthy individuals, so there’s no guarantee that you’ll get your decryption key and your data back

• By paying the ransom, you’re fueling the malware economy, which is already thriving and affecting all of us through the damages it creates

• Every paid ransom is feeding another similar attack on other people, and the next victim could be someone your love.

• Cyber attackers are not exactly trustworthy individuals, so there’s no guarantee that you’ll get your decryption key and your data back

• By paying the ransom, you’re fueling the malware economy, which is already thriving and affecting all of us through the damages it creates

• Every paid ransom is feeding another similar attack on other people, and the next victim could be someone your love.

• In case that your smartphone is ever lost or stolen, the easiest way to remotely locate it is by installing a dedicated app.

• For Apple there’s the tracking solution called “Find my iPhone”

• Microsoft has “Find my phone”

• Android has “Android Device Manager”.

Make sure that the option to track its location is always turned on.

• In case that your smartphone is ever lost or stolen, the easiest way to remotely locate it is by installing a dedicated app.

• For Apple there’s the tracking solution called “Find my iPhone”

• Microsoft has “Find my phone”

• Android has “Android Device Manager”.

• WHAT - SMB attacks are targeted on Windows OS by executing codes remotely, remote code means a hacker can be from any parts of the world. All they need is to gain a foothold in a system from the vulnerabilities and exploit that by running commands on the system.

• WHY - There has been a huge positive surge in this type of attack from the Chinese hackers(on some of the important Indian Institutions like Banks, Hospitals,Food Production industry etc.) which is all known as "Gh0st" LINK

• The best way to protect ourselves from these types(WannaCry , Gh0stRAT etc.) of attacks is to patch your system.If your Windows system is Windows 10 or later, then the update patches are already built in.

One of the major reasons why these govt. institutions are being targeted is simply due to the fact that they are still stuck with Windows 7 or earlier and these attacks won't stop until the upgradation issues are dealt with.