Glossary

Adware: unintentionally-installed software on your system that delivers advertisements, like pop-ups, to you without your consent

Algorithm: a set of math and logic instructions that can be used to encrypt your data

Bot: a computer that has been compromised and can be remotely controlled by a hacker. Hackers usually band several of these compromised computer systems together to achieve some larger goal, like attacking a website’s server and taking it down.

Breach: different organizations use different definitions for the term breach, but it always means the bad guys got access to something they aren’t supposed to be able to access. In a breach, it may not be 100% certain that data has been stolen, but the attackers accessed the data, and you should assume that they did indeed take it. Oftentimes the organization doesn’t have technology in place that can absolutely confirm that the attackers successfully snuck the data back to their own computers, but you should always assume they did.

Brute force: when a hacker tries many passwords in order to log in to an account he or she doesn’t have access to.

Cookies: a means for websites to track and remember you over repeat visits. Cookies are what prevent you from having to enter your password on every single webpage you visit after you login to that website.

Cracking: when a hacker steals the hash of a password from a website or server (see below for a definition of “hash”), he or she will try to crack the hash using computer software to find the original password and use it.

Credential: a username and password pair.

Cybercriminal: a hacker whose objective is to gain money through hacking. They typically steal data such as health records, credit cards, or identity and attempt to sell it on the Dark Web.

Dark web: the portion of the internet that is not publicly accessible through search engines like Google, and can be accessed through using the TOR network (see below for a definition of “TOR”) and a web browser. The dark web houses a black market for stolen credentials and data, drugs, and other illegal activities and products.

Data disclosure: similar to a breach, but it is known for certain that the hackers stole the data. Oftentimes, when journalists write that a website or company has been breached, they may actually mean that data disclosure has occurred – that data was stolen. Typically hackers have published at least a portion of the stolen data in order to prove they were successful and embarrass the company.

DDoS: DDoS stands for “Distributed Denial of Service” attack. Hackers use numerous bots (collectively known as a “botnet”) of remotely-controlled computers to overwhelm a website with fake connections, which then takes that website offline for regular users. Analogy: let’s say you wanted to block some phone somewhere from receiving any phone calls. You might bombard that single phone line with incoming calls from hundreds or thousands of other phones you control in order to prevent its owner from receiving legitimate phone calls.

Encryption: the scrambling of data in a way that can only be understood by the intended recipient of that data. An encrypted text message, for instance, could only be read by the person receiving that text message. Sometimes, however, data might be encrypted while it’s in transit so it can’t be easily intercepted, but a service (Gmail, for instance) will store an unencrypted copy of that data that could be accessed by a third party.

End-to-end encryption: a form of advanced encryption where only the final device that receives that data can decipher that data. No intermediate devices or third-party individuals can access that information. This is a privacy-centric form of encryption that may render data taken from a subpoena useless without the associated password or encryption key.

Fake anti-virus: a website popup that falsely claims that your system has been infected by a virus when it hasn’t. These popups will often ask for money or access to your system to “clean it” when they will, in fact, compromise it.

Hacker: an individual who accesses or breaks into systems that he or she does not have permission to. These unethical hackers are often referred to as “blackhats”.

Hash: companies and websites often will “hash” your password to make it harder for other people to get. To do this, they’ll use a complex mathematical formula to scramble your password into a long chain of letters and numbers that bears no resemblance to your original password. They’ll store that – the scrambled hash – in their database rather than your actual password. There’s no direct or easy method to convert the hash back to the password, but if hackers steal your password’s hash they may try “cracking” the hash to recover your original password. If you are notified that your password’s hash has been stolen, you should still rotate your password(s).
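As an added illustration of the hashing and cracking entries (example code written for this glossary, not code from any site or product mentioned here), the block below stores a password the way a well-run website should: it is hashed with a random per-user salt using a deliberately slow key-derivation function (PBKDF2 from Python’s standard library), and log-in checks compare hashes rather than passwords. The user name, password and iteration count are constructed sample values. The per-user salt is what makes cracking a stolen database slower, because each stored hash has to be attacked separately instead of with one precomputed table.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; production systems
# tune it to the slowest cost their login latency budget allows.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a stored record "salt$hash" (both hex) for a new password.

    A fresh random salt is generated for every call, so two users with the
    same password get different records, and a stolen record cannot be
    matched against a precomputed table of common-password hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The site never needs the original password: only the salt and the
    derived hash are kept, which is what an attacker would steal in a breach.
    """
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def records_differ_for_same_password(password: str) -> bool:
    """True when hashing the same password twice yields two different records.

    This is the salt doing its job: a leaked database of hashes does not
    reveal which accounts share a password.
    """
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    user_record = hash_password("correct horse battery staple")
    print("stored record:", user_record)
    print("login with right password:", verify_password("correct horse battery staple", user_record))
    print("login with wrong password:", verify_password("password123", user_record))
    print("same password, different records:", records_differ_for_same_password("hunter2"))
```

The stored record contains no recoverable copy of the password; recovering it from the hash means guessing candidates one at a time and running the same slow function for each, which is exactly the “cracking” the entry above describes and the reason a high iteration count and a per-user salt are worth the login-time cost.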

IP Address: a numeric address that identifies your computer and that other computers use to communicate with it.

JavaScript: a programming language that can make websites look pretty, but can also be used nefariously to infect website visitors.

Malware: any malicious code or program that could infect your system. Malware exploits vulnerabilities to compromise your system.

Multifactor authentication: MFA requires a user to provide both something they know (a password) and something they have (a cell phone). Users must enter their password to log in and then provide additional confirmation of their identity through a physical object (most frequently, sites will send you a text message with a 6-digit code that you must then enter on the website after logging in). This is a much more secure way to log in to websites than single-factor authentication (a password alone).

Password manager: a program or app that stores all of your passwords to websites for you. They can generate strong passwords automatically and log in to sites for you. Examples include LastPass and KeePass. These passwords are typically stored as safely as possible on their servers using very strong encryption methods.

Patching: installing updates for your operating system (on a phone, computer, tablet, etc.) and the apps or programs on it. Patching often fixes vulnerabilities in systems that people become aware of over time, and is one of the best lines of defense in preventing bad guys from breaking into your systems.

Penetration tester: an ethical hacker who is employed to break into systems and companies in order to alert them to vulnerabilities that they then fix. Companies sign legal agreements with the penetration tester that authorize the tester to hack their systems.

Phishing: when someone, pretending to be a legitimate person or organization, sends you an email urging you to disclose your password or personal information, or to click a link that will infect your system.

Privacy: not being visible to or tracked by another party.

Proxy: a server through which you can route your website traffic in order to obfuscate your location or identity. If you route your traffic through a proxy server in Chicago, for example, the server you’re communicating with will think you’re located in Chicago.

Ransomware: malware that locks your computer system and demands a certain amount of money to unlock it.

Risk: the likelihood that you will get compromised because of some vulnerability in your system.

Server: an internet-facing computer or device that holds webpages, email, and data that your computer will communicate with to get to those pages.

Social engineering: a process by which people exploit human weakness to gain unauthorized access to a system, website, or physical location. Phishing is an example of social engineering.

Spyware: malware that tracks your computer usage habits, browsing habits, and website traffic, and reports that information back to some individual or organization.

Threat: an event or action that compromises data and secrets or knocks a server offline. We have little control over threats; for example, an earthquake is a threat, as is an incoming phishing email. Threats happen regardless of what we do, but we can mitigate them with intelligent responses or tools.

TOR (The Onion Router Network): an anonymization service that runs on the internet and allows individuals to browse the internet without other people or entities knowing what they are doing, or to set up a server that someone does not want authorities to know about (often for illegal activity or simply to maintain as much privacy as possible). To access the dark web, people would typically use TOR.

Two-step authentication: a particular kind of multifactor authentication in which you log in to a website with your password first and provide additional information sent to your phone via SMS second.

Virus: a particular kind of malware that requires a human to propagate (for example, downloading and opening an infected email attachment onto your system that then sends itself to the rest of your email address book).

VPN: VPN stands for “virtual private network.” A VPN allows you to access a private network, like a university network or a company network, while you are elsewhere. Using a VPN allows you to send and receive data on that private network as if you were directly connected to the private network in the office or on your campus.

Vulnerability: a flaw in a program or website that can potentially allow attackers to compromise that system. Patching systems through installing system updates is one of the best ways to mitigate vulnerabilities.

Zero knowledge: an approach to privacy in which the servers that store your data can’t actually see into it – only the people who are supposed to have access to the data are able to see and understand the data. For example, Signal, the messaging app, is a zero-knowledge program because the company that built Signal (Whisper) does not store your messages in a way that they can read them.