Digital Security Tips 資安小撇步

快來探索GNA的資安小技巧吧!本週我們將交給您安全存放資料在雲端的小技巧。快動動手吧,讓我們為更安全、更可靠的數位空間共同努力!

Discover our digital security tips, designed to equip you with the essential know-how to safeguard your data online. Join us in taking proactive steps towards a safer and more secure digital presence today!

快檢查!你的電腦、手機系統更新了嗎?

每當你的電腦或手機系統跳出更新訊息,你是不是常按下「下次提醒」然後從此忘記?
系統更新,是個非常簡單、但又很容易被忘記的資訊安全小撇步。


由於系統是人類設計的(也許以後會是ChatGPT🤖)。
人會犯錯,這些錯誤可能造成系統漏洞或重大安全問題,使有心人可輕易利用這些漏洞危及你的資訊安全。
但人類能從錯誤學習改進,因此各公司都會不斷修復錯誤和發布系統更新。
為了確保你的資訊安全,定期更新作業系統是非常重要的!

時常更新你的系統還有其他好處,比如提升作業系統的相容性、提高系統效能表現,還有讓你及時享有最新功能!

👉 今天就來檢查你的電腦和手機的系統是否更新了吧!


Is your operating system up-to-date?

When the message "Your latest updates are ready" pops up, do you simply click "remind me later" and forget about it?

Keeping your operating system up to date is a simple but often forgotten tip for ensuring your digital security.

The reason for doing it? Your operating system is created by humans (well, maybe ChatGPT in the future 🤖).
Humans make mistakes, and these mistakes can lead to software vulnerabilities or security flaws that malicious hackers can exploit.

Humans also learn from their mistakes and improve. That’s why updates and bug fixes are regularly released.
Patching these vulnerabilities is crucial to safeguard your system!

The bonus? Enhanced compatibility, boosted performance, and timely access to new program features.

👉 Let's do a check today! Make sure the operating systems of all your devices, including your PC, laptop, and mobile phone, are up to date!

㊙️ 只用幾組密碼打天下?你需要密碼管理員!

abc12345
生日+身分證字號
我猜中你的密碼了嗎?

你只用少少幾組密碼應付所有的平台服務帳號嗎?​

🆖 密碼太簡單、或是使用重複的密碼,都是資訊安全大忌!想想如果你有不同的金庫,一組太簡單的金庫密碼,或是不同金庫共用同一把鑰匙,有心人要入侵你的金庫都會更加容易。

那要怎麼樣為每項服務平台帳號創造強大密碼,又能輕鬆記住呢?

👉 你需要密碼管理軟體!

⭕️ 密碼管理軟體可以幫助你:
為不同服務或平台創造無數強大密碼,而且不佔你腦袋太多記憶空間!使用密碼管理員,你只需記住一組用來進入密碼管理庫的超強密碼。

你可以立刻上網搜尋:密碼管理 軟體
你可能會看到一些常見推薦:Bitwarden, , KeePass, Strongbox,1Password…

有些人可能會質疑,難道這些密碼管理軟體就可以信任嗎?質疑是好的習慣,畢竟使用任何軟體或服務永遠都有信任問題。不過,你還是有些可以參考的標準:

1️⃣ 開源:程式碼透明,降低程式被植入惡意功能的可能性

2️⃣ 頻繁積極的定期維護和更新:當有任何漏洞或問題時較能即時修復

3️⃣ 參考軟體過去的紀錄或使用者評價,看是否有被駭或被發現重大漏洞

不過請注意!如果你的電腦或手機已經被間諜軟體攻擊或被植入惡意軟體,那安裝在你的電腦或手機的密碼管理軟體當然也無法確保你的密碼安全了。


㊙️ Yes, You Need a Password Manager!

abc1234
Birthdate+ID number…
Did I just get your password, like, really close? Do you use the same password for all your accounts and platforms?

🆖 Using a simple password or reusing your password everywhere is a digital security disaster! Imagine if you had several treasure vaults; would you use simple passwords for them or use the same key for every treasure vault? If you have security concerns about something, I bet you wouldn't do that!

So, how do you create strong passwords for all your accounts and actually remember them?
👉 You need a password manager!

⭕️ A password manager can help you:
Create strong passwords for all your services and save them for you. The only password you need to remember is the master password that allows you to access your password vault.

You can search for "password manager reviews" and you'll likely come across recommendations like Bitwarden, 1Password, KeePass, Strongbox, and more.

Maybe you have some doubts about these password managers. Well, there are always trust issues when using different software and applications, so it's good to be critical! Don't worry; there are still some indicators that can help you choose the right tool for you:

1️⃣ Open source: code transparency can help reduce the possibility of malicious features being implanted
2️⃣ Active and regular updates: ensuring timely bug fixes for any vulnerabilities.
3️⃣ Check user reviews or conduct research to find out if there are any vulnerabilities or records of being hacked.

Beware! If your devices have been hacked or infected with malware or spyware, a password manager alone may not be enough to keep you safe.

🔐 強化帳號安全,二階段/兩步驟驗證開起來!

足夠強的密碼,就像是幫你的帳號們加上一道鎖,而今天要講的 二階段/兩步驟驗證Two-Factor Authentication (2FA) 則是幫你的帳號們加上第二道鎖!

一般登入帳號時,只要有帳號和密碼就能登入。當你開啟二階段/兩步驟驗證,登入後系統會要求你輸入一組驗證碼。如此一來,即使有人偷走你的密碼,也還是無法順利登入你的帳號。

根據電子前哨基金會(Electronic Frontier Foundation),二階段/兩步驟驗證有以下幾種形式,每種方法都有好有壞。你可以選擇一組最適合你的方式:

1️⃣ 由簡訊或Email產生的驗證碼:這是最普遍的二階段/兩步驟驗證方式。但使用簡訊發送驗證碼並不如想像中安全,因為有心人可以攔截你的驗證碼。而且當你的手機號碼是實名登記的,使用簡訊發送的方式也等於讓服務公司可以輕易將你的帳號和你的真實身分相關聯。
2️⃣ 由Google Authenticator 或 Authy 等Apps 產生的驗證碼:雖然下載Apps之後使用上相當方便,但並不是所有服務都支援這個方法。
3️⃣ 備用碼或復原碼:這種方式通常會提供一組清單,清單上有許多一次性的代碼,你可以下載儲存或列印出來。使用這個方式,第一你可能把代碼檔案搞丟,第二是你可能在要登入帳號時才發現這張清單不在手邊。
4️⃣ 安全金鑰,如Yubikey: 這可能是目前最安全的方法。但因為體積小,遺失的可能性也非常大,所以對你來說也不一定安全。

請注意,不要以為有了二階段/兩步驟驗證,你就可以在密碼方面偷懶❌ 強大的密碼還是帳號安全的基本!

點擊以下網站,你可以查詢哪些服務提供了哪種形式的二階段/兩步驟驗證:
🔗 https://2fa.directory/int/

一起花點時間,檢查一下你使用的平台和服務們是否可開啟二階段/兩步驟驗證。
今天就把二階段/兩步驟驗證全部開起來,讓你的帳號更安全!


🔐 Let’s add an extra lock to your door: use Two-Factor Authentication

To have a strong password is like adding a standard lock to your door.
And today, we're going to talk about Two-factor Authentication (2FA), the extra lock to your door!

When logging in to your account, usually you only need your username and password. And with two-factor authentication, after entering your username and password, you’ll be asked to enter an identification code. As such, even when someone steals your password, with 2FA, they still cannot access your account!

According to the Electronic Frontier Foundation, there are several forms of two-factor authentication, each of them has pros and cons. You can decide which one is suitable for you:

1️⃣ A one-time verification code sent to you via SMS text message or email: this is the most common type of 2FA. However, using SMS messages might not be that secure. Some attackers can get your code through your phone network; and if you choose the SMS method, the company will know your phone number. When your phone number is registered with your true identity, the company can easily link the account with your true identity!
2️⃣ A one-time verification code generated by an app, such as Google Authenticator and Authy : it’s convenient once you install the apps, but some services might not offer this option.
3️⃣ A short list of single-use “backup” or “recovery” codes: you can print out or save the codes with you, but you might lose the code, or maybe when you’re in need, the code list is not next to you.
4️⃣ A hardware token, like a Yubikey: this might be the safest one, but it's small, and you might lose it easily.

Be aware, enabling two-factor authentication doesn’t mean that you can have a weak password. ❌ Strong passwords are still mandatory for your account safety.

Here's a list that you can take a look at to see how many services or software adopt Two-factor authentication!
🔗 https://2fa.directory/int/

Let’s spend a few minutes and check out if the platforms and services you’re using adopt the two-factor authentication. And enable two-factor authentication today for all your services to enhance your account safety!


🈲 你開啟二階段/兩步驟驗證,卻勾選了「記得我」功能?

還記得我們上次談了二階段/兩步驟驗證嗎?

你是否有為你的帳號開啟二階段/兩步驟驗證呢?

使用一陣子後,因為好麻煩,你就點了「這部裝置以後不需要驗證」或「記得我」呢?

怕麻煩是資訊安全的大敵!

有些服務平台知道大家重視方便性更勝於資訊安全,所以很貼心提供「這部裝置以後不需要驗證」或「記得我」的選項。

比如大家生活中高度依賴的Google,在你通過一次二階段驗證後,只要勾選「這部裝置以後不需要驗證」,以後就不需再輸入二階段驗證碼。

等等!這樣做你等於是把二階段/兩步驟驗證這第二層防護功能關閉了。

這麼做的風險,就是當有心人拿走你的設備,要盜用你的各種帳號服務也會更簡單。

💯 讓你的帳號更安全,今天就關閉「這部裝置以後不需要驗證」或「記得我」這些功能吧!


Did you tick the "Remember Me" or "Don’t ask again on this device" feature? That's a NONO ❌

Remember we talked about Two-Factor Authentication (2FA) last time?

Did you actually turn it on for your account?

And, after using it for a while, did you get fed up and just tick the box "Remember Me" or "Don’t ask again on this device" feature?

Convenience is the enemy of digital security!

Some service platforms understand that people value convenience more than their digital security, so they kindly offer you the options like "Don’t ask again on this device" or "Remember me." After you enter your 2FA code once, you can skip the verification step next time.

Take Google – the service we use almost everyday for example, after you pass 2FA once, you won't need to enter the 2FA code again if you tick the "Don’t ask again on this device" box.

But hold on! By doing this, you're disabling your second layer of protection provided by 2FA. The risk? Well, if someone with malicious intent takes your device, it will be easier for them to steal your accounts and services.

💯 For your security, disable "Remember Me" or "Don’t ask again on this device" feature today!

🤖 瀏覽Http網站風險高?別忘了為你的瀏覽器啟用限定https連線功能!

❓HTTPS & HTTP❓
我們每天都在網上,對上面這兩組字並不陌生,但是我們可能從來都不清楚他們到底有什麼差異。

▶︎ HTTPS = 超文本傳輸安全協定
▶︎ HTTP = 超文本傳輸協定

看到了嗎?https中的「s」就是安全(secure)。
光從名稱來看,應該就很清楚誰比較安全了。

簡單來說,使用HTTPS的網站會以加密方式在網路上傳送資訊,包含你瀏覽了哪個頁面、你在網站上輸入的任何訊息,個人資訊、信用卡號碼等等,因此可降低你的資料被有心人查看或操控的可能。

相反的,若使用HTTP,就沒有這個加密機制,未經授權的人都可能透過網路輕鬆查看甚至操控你的資料。因此,造訪一個使用HTTP連線的網站,你瀏覽的頁面、你在網站上輸入的帳號資訊、你的密碼、你的信用卡資訊,你輸入的任何訊息,都可能會被有心人竊取或操控。

現在大部分網站都會使用https連線。但有時會有某些機構、或者某些國家的網站並不注重是否有使用安全的傳輸協定。這時候是否真要造訪這個網站,就看你是否真的很需要這個網站的資訊了。如果真的有需求,那也絕對不要輸入任何該避免被別人偷走的資訊(如身分證字號、帳號密碼、信用卡等等)。

💯好消息是,多數瀏覽器(Firefox, Chrome, Edge, Safari等)現在都有限定只能以https連線的功能。某些瀏覽器如Firefox及Chrome,會需要你手動啟用。

☑︎ 快去設定頁面搜尋HTTPS,確認你常用的瀏覽器是否都已啟用「僅使用HTTPS連線」的功能吧!



🤖 Browsing HTTP websites is risky? Don't forget to enable HTTPS-only browsing mode for your browser!

❓HTTPS & HTTP❓
We go online every day, and these two sets of words are not unfamiliar to us, but we may have never really understood what’s the differences between them.

▶︎ Https: Hypertext Transfer Protocol Secure
▶︎ Http: Hypertext Transfer Protocol

Notice the “s” in HTTPS? Yes, it stands for “secure.” Just by their names, it's pretty clear which one is safer.

To put it simply, websites using HTTPS encrypt your data transmitted over the internet, including the pages you browse and the information you enter on the sites, such as your password or personal details like credit card numbers. This encryption acts as a shield that helps reduce the risk of your data being stolen or manipulated by malicious individuals.

On the other hand, websites using HTTP lack this encryption, making you vulnerable to unauthorized individuals who want to steal or manipulate your data. Visiting an HTTP website will exposes your data, your browsing history, your account information, passwords, and credit card details to potential malicious actors.

Most websites use HTTPS nowadays, but sometimes certain institutions or websites from certain countries may not prioritize secure transmission protocols. In such cases, whether you should visit such a website depends on how much you really need the information from it. If you do need it, make sure not to enter any sensitive information (such as your ID number, account passwords, credit card details, etc.) to avoid the risk of it being stolen by others.

💯 The good news is, most browsers such as Firefox, Chrome, Edge, Safari now have an “HTTPS only” mode. For some browsers, you need to enable it manually (e.g., Firefox and Google Chrome).

☑︎ Let's go to the settings page of your browser and check if you've turned the “HTTPS only” mode on today!

🎣 網路釣魚:小心,別上鉤了!

🐟 什麼是網路釣魚?
網路釣魚就像釣魚,它的發音也如同英文的釣魚。它是一種網路攻擊形式,有心人士藉由各種形式的「誘餌」來誘騙並竊取您的敏感資訊。這個「誘餌」可能以不同形式出現,而網路釣魚的最終目標,就是引誘你做一些可能觸發攻擊的事情,例如點擊會下載惡意軟體的有毒連結,或者用假網站欺騙你輸入密碼,又或是以某種方式讓你安裝了惡意軟體。

根據電子前哨基金會(Electronic Frontier Foundation, EFF),釣魚攻擊可能採取以下形式出現:
🔗 點擊一個連結
📁 開啟一個文件
📥 安裝一個軟體
🔑 在看似真實的網站上輸入你的帳號和密碼

㊙️ 那麼,如何避免網路釣魚攻擊呢?以下是一些小撇步:

⚠️ 點擊任何東西前千萬要小心
⚠️ 在點擊、下載或安裝任何東西前必三思而後行
⚠️ 輸入敏感資訊時,請確保你是在正版且合法的網站上

這些撇步聽來簡單,但網路釣魚的可怕之處就在於,再小心謹慎的人也可能在無意間上鉤!

多多練習吧!
一個小測驗,看看你是否能成功避免上鉤!
https://phishingquiz.withgoogle.com/


🎣 Phishing: Be aware—don’t take the bait!

🐟 What is Phishing?
Phishing is like online fishing, with the same pronunciation as “fishing.”Phishing is a form of attack in which malicious actors attempt to steal your sensitive information using various forms of “bait.”

The ultimate goal of phishing is to lure you into taking actions that trigger the attacks, such as clicking a malicious link that downloads malware, tricking you into giving up your passwords on a fake website, or somehow making you install malicious software.

According to the Electronic Frontier Foundation (EFF), this phishing attacks can come in the following forms:
🔗 Clicking on a link
📁 Opening a document
📥 ​ Installing software on your device
🔑 Entering your username and password into a website that’s made to look legitimate

㊙️ So, how can you avoid phishing attacks? Here are some tips:

⚠️ Be cautious when you click
⚠️ Think twice before taking any actions, including clicking, downloading, and installing
⚠️ Ensure that you’re on a legit site when entering sensitive data

It may sound simple, yet even the most cautious can fall into its traps!

Practice makes perfect! Let’s see if you can avoid taking the “bait!”
https://phishingquiz.withgoogle.com/