Saturday, September 8, 2018

Thinking About Security

Ok, this is going to be a subject that I bet a few are going to gloss over or just ignore. But really, it is something we all should take WAY more seriously: computer security. We have how much of our lives in cyberspace and do we really think about the kinds of risks that puts us in? Google knows how many times you've been to your favorite restaurant down the street and pops up an alert when you are nearby. Map searches that you aren't even intending to drive to appear on your car's dashboard. You get reminders of that plane flight that you never put on your calendar. Amazon's Echo and Google Home can have conversations with each other. Oh, and your voice is stored on their servers whenever you make a request. It is amazing what technology can do and at the same time, it is amazing how easily our information can be compromised. We spend a lot of our lives today on a computer and it is frighteningly easy to put our information at risk. From the bored hobbyist in his garage, to thieves, to governments friend and foe alike, there are plenty of actors that want your information and can use it against you.

Look, I understand ... information security is tricky. Who wants a bunch of apps telling you NOT to do something? Who wants a virus scanner slowing their computers down? Information security is about making everyone's lives difficult right? You need to find a balance. In this post, I am going to describe a number of things you can do to protect yourself and your computer with a minimal amount of intrusiveness into your digital life and the threats that go along with them. The bottom line is: good information security does require YOU to take an active role in ensuring your information is safe.

Phishing: "fishing" is just what it sounds like. A bad actor baits you with something - a link or an email saying you've won a jackpot, from an institution you may or may not do business with telling you to provide your financial info so they can "validate" something, from 'dating sites,' a 'virus scanner' promising to clean the 12 viruses it sees from your browser or inbox, or even a link from a friend or family member's own email address. These links or emails look legitimate, but if you click on the link or open the email, you open yourself up to an incredible amount of danger. Phishing can deposit all sorts of malware on your machine. From tracking your keystrokes or your location without your knowledge, to acquiring your personal information (addresses, SS number, credit cards, etc., to DoSing (denial of service - slowing down your apps or devices to make them basically useless), making your machine a part of a phantom network called a 'bot-net,' or ransomware - locking your machine until you pay the attacker for the decryption key to name a few. The simplest way to combat phishing attacks is:

DO NOT CLICK ON ANY LINK OR EMAIL YOU DO NOT RECOGNIZE. Don't open it, don't even try to discern where it came from. Just delete it. Banks, virus scanners, the IRS, or other companies communicate with you in a predictable manner or not at all. Seriously, if you see a link to something you don't recognize or didn't ask for just friggin delete it. Social engineering is a clever trick attackers use to get you curious enough to click. So ... DON'T!!!! Am I clear enough?

Ever received an email from a family member or friend that was just spam? Ever had it happen to you? Well it means that your account was hacked ... somebody managed to acquire your username and password and use your account against you. There are several obvious risks: someone can use your information to spam others, acquire your personal information, or at worst even assume your digital identity. The first thing to do when this happens is to change your password. Another simple way to protect yourself is to log out of public computers (a computer you don't own).

Passwords are a VERY WEAK form of security. Often times, people use simple passwords that are easy to remember, but doing so puts your digital information at greater risk since simple passwords are easy to guess. The longer and more complicated the better, but still ... passwords are very VERY weak. Even more complicated passwords can be easily cracked by computers and a determined hacker. To prevent your accounts from being hijacked, many services offer a form of security called TWO FACTOR AUTHENTICATION. It involves using two different ways to identify yourself as a valid user of the account. For example, using something you have (a token, smart card with a certificate, or code generator) and something you know (your password). The 2nd method of authentication usually requires use of a separate device ... something else an attacker would also have to compromise and be in physical possession of in order to try to hack the account. Devices you 'trust' - (a device you own) can be added so you only have to use 2-factor the first time you log on. Or .. just remember to log out of the devices you use when you are done with them and uncheck that little box that says "remember this device."

For info about two factor authentication from popular vendors go to:

Google: https://www.google.com/landing/2step/
Apple: https://support.apple.com/en-us/HT204915
Facebook: https://www.facebook.com/help/148233965247823

Many banks also require a 2nd step to verify your identity online, so if you have questions, talk to your bank directly.

Some people are just plain good at stealing other people's information or attacking digital assets. Direct hacking is difficult to predict, but the consequences are potentially unlimited. Fraud, identity theft, espionage, to name a few can have dramatic and serious consequences for yourself, your employer, even countries. Here are a few methods you can use to protect yourself - some ways are more invasive than others:
  • Credit/Identity monitoring - Services like Credit Karma are free and allow you to track your credit history. If someone takes out a loan in your name you can put a stop to it quickly. Banks are also much better at tracking fraud and may even include credit monitoring themselves, but keep an eye on your balances and account statements. If you see transactions you don't recognize, call your bank and dispute them. You should be able to get your money back and a new bank card. Credit tracking isn't fool proof either if you recall the Equifax hack in 2015. You can go a step further in protecting your identity using services like TrustedID or LifeLock, which monitor use of your personal information and credit history so you can take action if your identity is compromised. 
  • AV/Firewall protection - Don't count on using a Mac or Linux system to protect you completely from viruses or malware. There are a great many options out there, but using anti-virus, firewall, or internet threat plugins can protect you .. at least alert you if there is something suspicious. Microsoft started adding its own AV solution (called Windows Defender) with Windows 10. Linux systems often have a firewall service (firewalld) or a computer hardening service (SELinux) to protect how those machines are used. AV isn't a foolproof solution as hackers try to find ever more innovative ways around existing protections, but if you leave your AV solution with weak permissions it doesn't do you much good. To minimize performance impacts, you can schedule your virus scans at a time when you don't use your machine. Norton/Symantec, McAfee, Trend Micro, Bit Defender, and Avast are all reputable COTS products (Commercial Off The Shelf) with varying levels of cost, quality, and performance impacts. Remember, often times a cyber threat is due to YOUR own actions. If you happen to click on a link that contains malware, your AV should (but not always) catch it.
  • Proper Internet Protocol - Not all wi-fi protocols are created equal. If you use WEP on your home router you should change it IMMEDIATELY. You should at least be using WPA or WPA2. WPA/2 + AES offers even more protection as AES encrypts your wifi stream and makes it much more difficult for someone snooping on your network from hacking your wifi password. A longer and more complicated password (don't use your router's default) will make it much more difficult for a bad actor as it would take a lot more time on the network to learn it, keeping your router's firmware up to date will also help keep your home network abreast of advancing cyber threats. If someone can hack into your home network, they can get anything that is on or transits the network. Google your router type to learn how to change your wifi protocol and update your router firmware.
  • Speaking of updates - keep your devices up to date. Seriously .. I know it is annoying when your computer's vendor bombards you with updates even if you don't want them. Apple, Google, Android, Linux, and Microsoft all have varying levels of annoyance in this department. The purpose of many of these updates is not just to provide you with new features, but to better secure your operating system and applications. Different vendors have different styles in 'forcing' updates, but if it bothers you that much, you can work with your vendor to learn how to schedule those updates at a time when it is most convenient for you or set your device to perform them automatically at a specific time. Our computers and cyber protection often lag behind the threats so keep that in mind when deferring or ignoring those updates.
  • Physical protections - different vendors have different or multiple ways to secure your devices. Patterns, PINS, passwords, remote locking/wiping, fingerprints, encryption at rest, eye or face scans. Each come with their own pros and cons. Best practice: use at least two methods to secure each device. Breaking these protections usually involves physical possession of the device. So if your device gets lost or stolen, you can still protect your device ... and your data.

Privacy - the subject of privacy probably warrants its own post. A simple fact to keep in mind is that whatever you put on the internet, stays on the internet. Innovation in technology has gotten extremely good at making our lives easier and our world more accessible. Being able to see our photos and documents from any device anywhere in the world while useful, can also leave you exposed if you are not careful. Once you put information into the hands of a vendor (Google, Facebook, Apple, or Amazon to name a few), they tend to do whatever they want with it. From photos, to status updates, to shopping trends, to political preferences ... once it is out there, it is out there and it can be used against you. How can you protect yourself in the world of privacy?

  • Be careful what you post online - read the above paragraph again. If you don't want your grandma's secret crispy chicken recipe out there, don't post it. If you want to go the distance, don't use social media or cloud platforms at all. But since most of us aren't and don't ... lets keep going.
  • Inspect your privacy settings - while a tedious effort there are ways to limit how much reach your digital information has. You remember that conversation you had about a gadget you wanted and you saw an ad for it later on your machine ... yeah ... it's that good. Here is some advice:
    • Stopping Amazon ads: here
    • Facebook Privacy settings: here
    • Google Privacy settings: here

Look up how to reduce your digital footprint from the vendors you use. Location settings, search histories, apps you download and use can all be tracked.
  • Consider using a VPN - a VPN or "Virtual Private Network" offers several benefits:
    • Encrypting all of your data streams - wherever you are and whatever you are doing, be it at home, using a non-SSL website, or unsecured public wifi, your data is always encrypted point to point, which means someone snooping on your internet traffic can't read it.
    • Masking your IP address - like the address for your house, your IP address can be used to identify you, the devices you use, and where they are. Using a VPN will use the VPN server's IP and not the IP of your device. As far as the site or snooper is concerned, they might learn that your device is using a VPN, but they can't learn who or where you are. 
    • Circumventing internet controls - If you live in a place like Communist China - which puts strict monitoring on what internet services you can use and what you can post, or blocks access outright, a VPN can help get around them by tricking the "great firewall" into believing you are in a different location. Your IP address tells the internet services you use where you are. So a VPN uses a different IP and tells those services you are someplace else! This trick can sometimes help you avoid viewing blackouts. (I say sometimes because many services use GPS to learn your location instead of your IP address). 
One thing to keep in mind about VPNs: browser cache (a record of address activity and direct device to device communication called WebRTC) is a vulnerability in VPN technology that services can use to circumvent it. WebRTC is a method used by browsers to speed up connection and data transfer times by sending requests directly to your intended target instead of using an intermediary server between you and your target. WebRTC requires each device to know your and the target's IP address in order to work. If you open and start using your browser, then start the VPN, the browser still has a record of your actual IP address. Simplest fix, start the VPN first, then launch the browser. You can also flush your browser's cache, start the VPN, then resume online activity to minimize WebRTC leaks.

There are a lot of VPN options out there so which one is the best to use? You need speed, reliability, coverage (number of devices that can use the VPN), support, one that can stay ahead of attempts to circumvent VPN capabilities, and all at a decent cost.

Continually at the top of the list of best VPNs (and the one I like best personally) is ExpressVPN. Learn more at expressvpn.com Here is why:

  • Device coverage - aside from the usual suspects, ExpressVPN has plugins for browsers, Netflix, routers, mobile devices, Linux, game consoles, and TV devices like Amazon Fire and AppleTV. 
  • Support - 24/7 tech support. Through email or the site - they are quick, knowledgeable, and have a massively useful blog that can explain how to best protect your online privacy a lot better than I can in one simple post. Whether you want to learn how to truly rid yourself of that old email account, tutorials, and step by step guidance ... even non-techy people can learn how to make use of VPN capabilities. Become a privacy ninja! Learn ... Learn ... Learn. 
  • Features including:
    • A "kill switch" that stops your internet traffic if the VPN is disconnected. 
    • ExpressVPN doesn't track or monitor your internet activity - and neither can your internet service provider or anyone else. Keep in mind that your target (e.g. Google) can still record what you are doing when you interact with their services, but they can't identify you directly.
    • Split Tunnel - letting some apps use the VPN and others use the internet in the open (I don't recommend this approach if you want to maximize the security of a VPN)
    • "Smart Location" - the service will provide a list of VPN server locations that will minimally impact your internet speed and throughput.
  • ExpressVPN is also reputed as being the best at staying ahead of attempts to circumvent it
  • Other benefits including 148 server locations, multiple encryption protocols, status tools (checking your IP, DNS Leaks, and your risk to the WebRTC vulnerability identified above)
  • Speed and reliability - speed is comparable to regular internet use, the apps are simple and easy to use, and connecting takes only a couple of seconds. 
Drawbacks? With quality comes cost unfortunately. ExpressVPN is probably one of the more expensive VPNs out there and limits the number of devices you can have the VPN active on to 3 per subscription (at $99 per subscription per year). You can get a coupon here that gives you a subscription for 15 months for $99 (3 months free). One of the best ways to get around the device limitation is to have the VPN on your router which would cover all devices at home, then use the VPN on your other device(s) when on the go. To better help with the cost of buying a VPN, if you use the coupon and referral link below, you get an additional 30 days of free use (4 months total).

If ExpressVPN is too much for you, a couple of good alternatives are: 

NordVPN - nordvpn.com - which has an awesome deal for a 3 year subscription at $99 DEAL! - they have the most servers and locations of any VPN service, but reliability and speed is a complaint.

HotspotShield - Here

While this is a lot to take in, you can take an active role in protecting your presence online and your computing assets. The information YOU provide and the activities YOU engage in create the most risk to yourself. If nothing else, you should at least do the following:
  • Don't click on any link, email, or text you don't recognize - seriously just ..  don't
  • Keep your devices up to date
  • Update your passwords
If you're not worried yet, just remember vulnerabilities like Spectre and Meltdown affect every computer on the planet. Every ... single ... one. While hackers haven't found a good means to exploit these vulnerabilities yet, you can bet they will. 

And yes, I appreciate the irony of writing this post on a Google blog. 

Stay safe out there folks!
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)