Personal cybersecurity is lopsided in favor of the criminals. Criminals may attack and be repulsed hundreds of times before they are successful, but the victim must deflect every single attack or they lose. Does that mean we all should give up and suffer? Or quit using our computers? No. There is no guarantee that anyone can stop every attack that the criminals throw at us, but the odds that the bad guys will be successful can be reduced. When they do succeed, the damage can be minimized.
Stopping the criminals does take some effort. You must gauge for yourself the effort you want to expend. Personally, I am a moderate. I am usually willing to accept some risk in exchange for convenience, and I always look for ways to reduce risk with minimal inconvenience. I am often willing to accept compromises.
When considering security, always question what is at risk . For instance, access to your brokerage account could place your life savings at risk , but a hacker turning your computer into a bot is an affront and annoyance, not necessarily a financial loss. Therefore, you may be willing to put more effort into maintaining a strong password on your brokerage account and avoiding compromising that password. You may be less willing to disable JavaScript on your web browser, which will prevent most drive-by malware infections, but make many popular websites unusable.
Most the subjects covered in this chapter have been mentioned previously. Here, you will learn how best to protect yourself from dangers using the technology that has been explained in earlier chapters.
Passwords
Passwords are the first line of defense against hackers breaking into your computer and data, but possibly not in the way you expect. Even a four-digit PIN is fairly effective against someone trying to break directly into your phone or your laptop because your device will begin throttling —forcing a pause between attempts—after a few wrong guesses and eventually stop accepting entries.
The real threat is from automated password cracking systems that can try millions of guesses in minutes. Password cracking was discussed in detail in Chapter 3.
It bears repeating that when choosing passwords, the challenge is stay off the “passwords for dummies” list and out of the dictionary. Easily remembered passwords, such as “1234”, “password”, “opensesame”, and so on are on the dummies list. Assume that every name in the baby names books, every common pet name, and all cute phrases are there. For a while, you could strengthen passwords by substituting “@” for “a”, “0” for “o”, mixing in uppercase and lowercase letters, and so on, but processing speeds are much greater now and the hackers can try variations or the items in the dummies list. The common obfuscations, such “P@ssW0rd!” are on the list. And, yes, all the obscenities, vulgarities, and profanities are there too. One way to avoid the dummies list is to google your password choice. If there are a lot of hits, chances are good that your choice is on the list.
The strongest passwords are long, random sequences built from a large character set. A 64-character password, created from random choices from just a 90-character pool (all the usual characters and symbols) is uncrackable even by computers with many orders of magnitude more capacity than the best available today.
Password length is the cracker’s enemy and your friend.1 A long phrase is better than a short phrase. My trick is to open a book and choose a sequence of words at random that I can remember. I am not particularly concerned about adding symbols or mixing case, unless the symbols and case can help me remember how to type the phrase in correctly. As an example, “datapassingthroughyour” is one which I happened to pull out of a book on my shelf. I can probably remember that one. Another approach is to string together outlandish images like “purplegoatstretcher”. I slightly prefer grabbing phrases at random from books because the mind plays tricks. Purple Goat Stretcher could be a submerged memory of a rock band I once heard and just might appear on some hacker’s dummy list. The Google test is handy. Google returns “No results found for purplegoatstretcher,” indicating that it is a good phrase.2
Choosing strong passwords is not the only thing to watch. Look carefully at your smartphone or tablet. Could an invader infer your PIN from the smudges and worn spots? Or do you always enter your laptop PIN at the same time and from the same seat in a coffee shop on your way to work? Could an attentive invader figure out your PIN or password by watching you? They don’t have to look over your shoulder to pick up clues. When dealing with PINs, it isn’t necessary for the invader to snatch the complete PIN. All they need are enough clues to reduce the number of tries it takes to guess correctly before the device locks up. And invaders can make very clever inferences.
There are solutions. Keep your devices smudge and wear free is for security as well as hygiene and appearances. If you see evidence that your PIN or password has been worn into any of your devices, it is time to change them. Don’t give criminal invaders all the time in the world to mount an assault.
Reusing Passwords
Using the same password for more than one important account is extremely dangerous. Even carefully protected strong passwords can be skimmed by a keystroke recorder or weaseled out of you by a social engineer. Hackers know that people reuse passwords. If a hacker kips your work account password, he will try it on your bank account. And your medical accounts. And your Amazon account. And so on. Reusing passwords can cascade an annoyance into a major catastrophe.
Not reusing passwords is one of the most important cybersafety practices, but today, most people have many critical accounts and managing even a few unique strong passwords is a challenge. Practically, few people can do it without a system.
Changing Passwords
Conventional wisdom is that passwords should be changed monthly, and some systems force you to change your password on schedule. The new NIST guidelines relax the rules on changing passwords because people tend to use weaker passwords and reuse them more often if they are forced to change them frequently. You must always change a compromised password as quickly as possible, but changing passwords without reason is no longer advocated. Note that if you have broken the rules and you reused a compromised password, you must create a new unique password for every account where the compromised password was used. You should also periodically change any critical password that you enter frequently and regularly in public.
Password Management Systems
Passwords are difficult to manage well. If you have a steel trap memory, the best plan is to memorize them and never write them down, but with hundreds of online accounts, each with a different long password, few people are capable of that feat. Even if you are capable, you may want to be able to share your passwords in an emergency. For example, if an accident were to put you in a coma, you may want someone with power of attorney to be able to access your accounts. That requires something more than memory for tracking passwords.
Stratify Your Accounts
Not all accounts are equal and you don’t have to manage them all the same. Your critical accounts , such as your bank account, PayPal account, accounts like Amazon that have your credit card number, and your email accounts are your first-tier accounts; they each must have a strong and unique password. You should also use multi-factor authentication if it is offered. More on email accounts later. You must be vigilant for any indication that the suppliers of those accounts have been hacked into and be prepared to change the password instantly. These accounts should be checked weekly or daily for odd activity. Be prepared to contact customer service immediately when something looks wrong.
The quicker you respond, the more contained the damage. The variability of time scales is a maddening aspect of cybersecurity. Sometimes the damage occurs in milliseconds as money is electronically transferred out of your account. But a hacker may wait for years to use a stolen password or personal data against you. No activity for days or weeks is no guarantee that a compromise will not be used for harm later.
Some accounts are not as important as the first tier. These are places where a hacker might steal information to use for stealing your identity, or information that you want to keep private for some reason. I place government accounts like Social Security, medical accounts, and online vendors that don’t have my credit card on file but I do business with moderate frequency in this tier. Social media accounts will fit here for many people, although those, like Facebook, that can be used for authenticating other services should be tier one. Your online backup service may be in this tier, or, if you consider your data more valuable, you might place it in tier one.
Second tier accounts must also have strong and unique passwords, but they require less vigilance. You must be prepared to change passwords and take action, but not on a hair-trigger like the first tier.
And then there is the third tier. These include online subscriptions to magazines and newspapers. These are the accounts that don’t know much about you and exist more to track your involvement on the site than any significant service. Convenience is more important than security in this tier. You probably would not care much if one of these accounts were hacked. Be a bit cautious, however. There may be more on these sites than you expect, and it may not be pleasant if someone were to log in to one of these sites and masquerade as you in a forum. Be suspicious and cautious. However, suspicions aside, reused passwords in this tier are probably are not so dangerous, as long as the reused password is not from the first or second tier, and shorter, weaker passwords are not so bad.
Paper Password Storage
The traditionally recommended best practice is to memorize your passwords. For most people, that is totally impractical. The practice has led to weak and reused passwords. The solution is a thoughtful management system.
You can record your passwords on paper. That practice has been discouraged by some, especially in offices. An intruder or a malicious insider can easily go through the office looking for passwords on notes stuck to computer displays, under keyboards, or in other obvious places, but keeping passwords on paper is not so much a problem for a personal user because you have more control over who is in your home. Nevertheless, a paper record gives a burglar or other invader an opportunity to steal both your computing gear and your passwords at the same time. You should treat your paper password record like cash or other highly portable valuables. Keep them under your control in your wallet or purse, or lock them up.
Web Browser Password Management
Another approach is to use the password management system that is built into most web browsers. This is not the best solution, but it is convenient. Google Chrome and Microsoft Internet Explorer and Edge use your Google and Microsoft accounts to control access to their stored passwords. You must be signed into the Google or Microsoft system to get access to the passwords stored in their respective browsers. Therefore, if a criminal can get into your Google or Microsoft account, they have access to all your passwords. Firefox requires you to set up a Firefox password and log in to access your passwords. Firefox will store passwords without a password, but that offers no security—anyone with access to your computer can access the passwords. Using browser password storage is convenient and it means you only need to know one password to access all your online passwords automatically.
Password Managers
Password managers encrypt and store passwords, often both locally and in a cloud repository. They resemble using a web browser with stored passwords. Users only need to know the password for the manager and it takes care of the rest. In addition to storing passwords, most of these tools will generate strong random passwords and help manage passwords by informing you of duplicate passwords and passwords that may need changing. You can also arrange to share access to passwords on several different devices and even among family members or other trusted partners.
For a long time, I opposed password management tools. I no longer do and I use one myself. My former objection was that these tools are single points of failure. If a hacker can hack into a password manager, they have unlimited access to all the accounts in the manager. The password management tool vendors must be special targets for hackers. You must trust that your password manager designers and developers will keep ahead of the hackers who are trying to beat them. One mistake and you lose everything.
For me, the strength of well-managed automatically generated random strong passwords is more important than single point of failure weaknesses. With my complex online life, I have found that I cannot maintain a long list of sufficiently strong passwords, even with a paper system, but a password manager meets the challenge. If a password manager uses strong local encryption , only you can access your passwords; not even a court order can compel your vendor to open them without your master password, which you have and your password manager vendor does not. An added convenience is that cloud-stored passwords are available to all your computers, tablets, and smartphones. For me, the security and convenience provided by a manager far exceeds the potential single point of failure weakness. However, you must be careful to choose reputable vendors who take proper care of the security of their product.
There are several password management tools available. Some have free versions. Their features change frequently and not all have the features I deem essential, so you must do some research when you make your choice. I look for automatically generated cryptographically random passwords, strong local encryption , and passwords accessible from more than one device. The last feature is important to me because I use Linux and Windows desktops, a Windows laptop, a Windows tablet, and an Android smartphone depending on what I am doing and where I am. Prior to using a password manager, I had nearly a two-inch stack of index cards to manage all my passwords. I no longer have duplicate passwords and they are all as strong as the account will allow.
If your passwords are now weak and duplicated, do the research and get a password manager.
Administrative Account Password
The default configuration for Windows assigns administrative privileges to the primary user account. As an administrator, you can add programs, change computer configurations, replace drivers, access files, and perform other actions forbidden to ordinary users.
This is convenient but it’s not secure because administrative privileges are exactly what a hacker wants. Without administrative privileges, hackers can run programs, but they cannot turn your computer into a bot and their ransomware will likely fail. By changing the account you use every day to a regular user instead of administrator, you make the hacker’s job much harder. For example, if a social engineering attack tricks you into opening a bad attachment, there is a good chance the attack will fail because it requires administrative privilege . When the attack runs, a pop-up asks for an administrative password and the attack stops there.
There is some inconvenience in not having administrative privilege because you are asked for an administrative password each time you want to add a new application or make other configuration changes, but most people don’t make configuration changes often.
To configure a separate administrative account, first add a new administrative account. Then make your own account an ordinary user account. Removing administrative privileges from your account before you create another administrative account is like sawing off a tree limb while you are sitting on it. A computer must have at least one administrative account and an ordinary user can’t create an administrative account, so creating an administrative account must come first. Make your administrative password long and strong. A password manager -generated random password is best.
On Apple OS X, ordinary users are not assigned administrative privileges . Instead, OS X follows the UNIX and Linux practice where administrative privilege is only assigned temporarily, which is more secure than Windows default practice. Android and iOS are similar. However, getting full administrative privilege on these UNIX-like systems is not impossible, and, in fact, is likely easier than getting administrative privilege on a Windows system with a single, strong, and seldom-used administrative account.
Consult your operating system manual for instructions on changing accounts. On Windows, it considerably increases the security of your system. It is easy, it generates only minor inconvenience, and it can stop many attacks.
Other Forms of Authentication
Passwords are difficult. Security experts (and hackers) agree that people reuse passwords and choose weak passwords frequently. Passwords don’t mesh well with human capabilities—we have faulty memories and most of us have a lazy streak that dreams up a path-of-least-resistance solution when we know caution is required. Consequently, passwords have many failings when authenticating identity. These failings are compounded by increased use of computing, especially remote cloud computing, in our everyday lives. We must prove our identity for more accounts every month, and those accounts play an ever more crucial role in our lives. Whether passwords will be replaced by other forms of authentication is hard to predict, but there are alternatives available now and under development.
Password Hints and Questions
Don’t use hints and secret questions if you can avoid it. Hackers can easily find your dog’s name, your mother’s maiden name, your spouse’s birthday, etc. This method is still used, but they have proven to be a very weak form of authentication, especially with the advent of social media. NIST now recommends that US government systems not use them; I recommend that individuals not use them. The only time I would consider using these methods is in multi-factor authentication (see below).
Biometrics
Biometrics—finger print scans, face scans, retinal scans—have some important advantages: they can’t be forgotten, they are complex and unique, and they are easily entered using the proper scanners. Biometric authentication is attractive and much effort is being put into improving the technologies.
Nevertheless, there are serious limitations to biometrics. If a biometric is compromised, it can’t easily be replaced. When a password is compromised, a new password is easily substituted. Fingerprint scanners have been fooled with fake fingers made from fingerprints or molds taken from real fingers. If one fingerprint is compromised, you only have nine more to substitute. Retinal and face scans may be more difficult to fake, but when they are compromised, there are fewer alternates and crooks are working hard to devise ways to fake them.
These technologies are improving, but crooks are also working hard at compromising them. Ultra-high resolution photography and 3D printing can easily be sources of convincing fakes. In this race, my bet is on the crooks. However, as a factor in multi-factor authentication , biometrics could prove to be of great value.
Multi-Factor Authentication
Multi-factor authentication is a way of combining authentication methods so that the sum is stronger than the parts.
Authentication based only on a password is single-factor authentication, as is authentication based only on a fingerprint. Many laptops and phones can now authenticate using biometrics or a password or a PIN . This is not multi-factor authentication. Multi-factor authentication demands passing two or more authentication challenges, not one of several alternative challenges.
Many security systems are now based on two or more factors. The theory behind multi-factor authentication is simple probability . The probability of being dealt four aces in poker is low, but suppose you were dealt a poker hand and a blackjack hand at the same time. The probability of getting both four aces in the poker hand and a blackjack in the blackjack hand in the same deal is much lower than just getting four aces in a single poker hand. Multi-factor authentication takes advantage of this principle of probability.
Using multi-factor authentication, you might enter a password correctly only to get a pop-up instructing you to retrieve a code arriving by email and enter it within a limited time. Such a system is a two-factor system. A hacker who steals your password would also need access to your email to get into your account, which is unlikely. On the server side, a correct password not followed by a token from an email raises a flag that the password may be compromised. Using two-factor authentication, you may get emails or other messages saying one part of a two-part authentication failed. If you don’t have a satisfactory explanation, it is time to change your password because a hacker has trifled with your system. Not only does multi-factor authentication make your account more secure, the system can generate useful warnings.
If authentication requires a fingerprint scan as well as a password and a token from email, it is a three-factor system. Adding a biometric factor further challenges an intruder.
Other factors that are used are special devices, often resembling credit cards, with a digital readout that generates numbers based on the time. Each card uses a different formula for generating the number. When you log in, you have to enter the number on the card. Variants plug into a USB slot. A smartphone app can also perform the same function. These methods have an advantage that there is no communication between the authenticator and your computer or phone to deliver the authenticating token. Hackers cannot divert messages to their devices, grab the token, and defeat the additional authentication factor.
Multi-factor authentication is much stronger than single factor authentication and an excellent choice when it is available. For critical accounts , opt for multi-factor authentication whenever you can, but try to avoid using texting as an authentication factor. It has proven too easy for hackers to divert messages sent to phones by tricking the cellular provider into reassigning your phone number to a hacker’s phone. Email is often a more secure second factor than text messages or phone calls, although it means you must be careful that your email account is strongly secured.
Backup
I have seen more people lose their data because they did not back up, or had bad backups, than I have seen people rescue their data using a backup. The sad fact is that backing up properly is hard to set up and dreadfully easy to neglect.
You may go for years without needing to restore from a backup and easily drift into complacency, sure that your hard drives will last forever, ransomware will never strike you, some nasty malware will never require a full restore, and your house is immune from fire or flood. But those things happen to thousands of computers and their users each year.
Backups fail for many reasons. When you add storage devices or start to store things in new places on existing devices, your backup may have to be adjusted to grab data from new places. This can happen when you install a new application. If you neglect to make the changes, your backup will be incomplete. In extreme situations, it may not work at all.
Backups should be stored far enough from your computer that the backup won’t be affected by whatever might destroy the data on your computer. In the past, that meant copying data to portable media like tapes, CDs, or portable hard drives and moving them to a distant place. For an individual, this effort that has no apparent benefit while things are going well. Consequently, many individuals neglect to keep their backup properly configured or entirely give up on the concept. Which is when disaster strikes.
I have a lot of experience with losing data and I fully understand the value of backups, yet there have been weeks when I have struggled to remember to rotate the portable drives I used for backups and stored in my detached garage. Storage in a garage close to my house was a compromise; storing them miles away would have been better, but even that compromise did not keep me on the straight and narrow.
Rather than use portable media, even with the simple and reliable backup utilities now built into operating systems, I prefer cloud backup services . I firmly believe in removing as much of the human element as possible from the backing up process. That means using a cloud backup service to back up everything; no saving storage space by selecting only important files; no storing portable media with relatives or at the office; no remembering to start backups. None of that. It can cost, but I regard it as money well-spent.
Placing backups in the hands of a cloud backup vendor may seem dangerous, but I think relying on fickle human habits is more dangerous. Cloud data storage centers are guarded and protected against disasters. The storage is often redundant; duplicate data is stored in physically remote locations so it not vulnerable to a single local disaster such as a flood. Encryption keeps your data private, probably more securely than portable media that can be lost or stolen. Like passwords , if your data is encrypted locally and the key is never transmitted to the service, not even a court order will get access to your files. Cloud backup depends on an Internet connection and a slow or unreliable connection is the only reason I would return to portable media backups.
Ransomware
The best defense against a ransomware invasion is the same as defending yourself against other cyberattacks. Keep your operating system and application up to date with the latest patches. Make sure your antimalware is up to date and run often. Avoid drive-bys by shunning questionable click-bait . Don’t open attachments or click links in emails that are not from trusted sources.
Good backups will not prevent a ransomware attack, but if you are attacked, you must have a good current backup or you will be forced to pay the ransom and hope the criminals will keep their word about restoring your data. Restoring from a good current backup, you can be back to normal in a few hours without paying ransom.
There are some well-meaning products and services for dealing with ransomware that have not been as effective as one would hope. One version attempts to “vaccinate” computers against ransomware by making your computer appear to be already infected with ransomware. This works, in theory, because the ransomware hackers don’t want to immediately reinfect computers that have paid the ransom. Unfortunately, this works for only a few ransomware variants and generates false confidence.
Other services propose to unlock the encrypted files. These services succeed in some, but not all cases. There is no substitute for good backups.
A note of caution: smart ransomware attempts to encrypt your backups as well as your regular data. For example, if your backup is a portable disk drive plugged into a USB port, assume that the ransomware will follow the connection and tamper with it also. If you use an external drive or a network drive for backup, disconnect the drives except when your backups are running. Cloud backup services are usually safe, but check on ransomware resistance before you sign up for the service.
Antimalware Tools
Antimalware and antivirus tools are the same thing. Viruses, self-reproducing bits of code that travel from computer to computer, are no longer as common as they were when the term “antivirus” was coined. Cybercrime has shifted its choice of weapons to “malware ,” which is a more generic term that includes anything that might land on your computer and do damage. If your device connects to the Internet, you must have antimalware tool installed and running that will identify and remove malware . Not to do so is inviting trouble. No antimalware tool is perfect, but they ward off many problems.
Choosing an antimalware tool can be confusing because the market is very competitive. The relative standings of the tools can change rapidly and new competitive features appear regularly. Many free versions are available. Automatic update is a required feature. You don’t want to be caught unprepared for the latest nastiness.
When I shop for malware tools, I do not focus on which product will wipe out the most varieties of malware. The malware scene changes so rapidly that the leader one month may not be the leader next month. If the tool cleans up malware with respectable accuracy, I pay close attention to ease of installation, smooth auto-update, and unobtrusiveness, not the kill rate when the review was done. Poorly designed antimalware slows computers down and gets in the way even though they may wipe out every ugly thing in cyberspace. The biggest mistake you can make is to put off a scan or not to run any antimalware because your tool is clumsy, so easy and unobtrusive counts a lot for me.
On Windows, the easiest and least obtrusive antimalware tool is the built-in Windows Defender. There are other tools that have better kill rates, but Defender is respectable and it only takes a single click to activate it. Macs do not have an equivalent.
There are antimalware tools for tablets and smartphones also. Some experts do not recommend them because they are somewhat intrusive. These experts point out that antimalware does not prevent bad downloads from the app stores or lost or stolen devices, which are the most important attack vectors for phones. I recommend trying free versions. If you find one that doesn’t get in the way, use it.
Firewalls
A firewall selectively stops messages from getting to your computer from the network and may prevent malware that has slipped into your computer from communicating back to its master.
The fundamental unit of information on computer networks is the packet . Packets contain the source and destination for the packet and some information on its status, along with the payload of information for transmission. A firewall examines each incoming and outgoing packet and decides whether to allow the packet to pass in or out based on rules. Some firewalls only examine the source and destination, others examine more, possibly going all the way to the contents of the payload.
One rule that is usually implemented blocks, with some exceptions, incoming packets that are not responses to previous outgoing packets. For example, your computer periodically requests email that may be waiting for you; the firewall will not allow it to accept email that it does not ask for. This policy protects your computer from malicious incoming messages and gives you control over what does arrive. Other firewall rules that may be implemented are blacklists or whitelists. A blacklist rule lists sources that the firewall will reject; all others will be accepted. A whitelist rule lists the sources that the firewall will let pass; all others will be rejected. Program or app installations may modify firewall rules to allow the installed software to operate.
A well-designed firewall is not inherently intrusive, but any firewall can be given a restrictive set of rules that slows network traffic to a trickle. Therefore, be careful if you decide to modify the configuration of your firewall. You may need to reverse the changes and try again before you get it right.
Is personal firewall protection necessary? Home network routers provide some similar protection. For typical home use, a personal firewall probably will not greatly increase protection. If a specific external site or program is a threat, then a firewall configured to stop the threat is useful, but such situations are more common for businesses, not home systems.
Nevertheless, I have the Windows firewall running on all my Windows computers. Why? Because it gives me one more layer of protection. If I found evidence that it was hindering performance or hassling me with error messages, I would reconsider, but, in recent years, it has been unobtrusive and has not raised issues, so it stays on. If it stops one threat, it has proved its worth. Apple also has a built-in firewall that I would treat in a similar fashion.
There are also many personal firewalls available beyond those supplied by the operating system manufacturers; some are free, some are part of antimalware packages. If you feel compelled to install one of these firewalls, you may prefer to use a firewall and antimalware tool from the same vendor.
Always set your firewall to the most restrictive level, and then relax the level if it interferes too much with your activities. Default restrictions are usually less the maximum. If you are comfortable with the more restrictive policy, you are safer.
Wi-Fi and Bluetooth
Wi-Fi and Bluetooth are two technologies that free us from cords. Wi-Fi connects computers to the network; Bluetooth connects peripherals, such as mice, keyboards, and headphones to computers, including smartphones and tablets. Both use radio signals to make computing more convenient. However, a radio signal is easier to intrude upon surreptitiously than a cord or cable. Both Wi-Fi and Bluetooth are great conveniences I would not be without, but some caution is necessary.
Wi-Fi
Public Wi-Fi sites have become more conscientious about warning users that public Wi-Fi is not secure, but you are still responsible for your safety. Anyone who is using a local area network can gain access to all the traffic in the local network. If the traffic is not protected in some way, other users can read and interfere with your traffic. When using public Wi-Fi, you are on a local network with all the other users of the Wi-Fi access point. You have no control over who might be interfering with your messages. To make matters worse, there are powerful and malicious tools for free download on the Internet that can turn any eighth-grader into a master invader of public Wi-Fi. You must protect yourself.
You can protect yourself by only interacting with sites that use secure communications for any high stakes transactions when on public Wi-Fi . Secure communication means using Transport Layer Security (TLS) , formerly called Secure Socket Layer (SSL). You are using TLS when https (not http) shows up in the Internet address in your browser. Even better, avoid any financial or private information transactions over public Wi-Fi.
If you use public Wi-Fi frequently, you may want to consider subscribing to a Virtual Private Network (VPN) . When using a VPN, all your Internet communications are almost as secure as on an actual private network. However, unsecured communication (non-https) can always be snooped. It’s harder when you are on a private network, but still possible. When using a VPN, you must still be careful.
Another possibility is to use the Tor browser discussed in Chapter 5. Tor makes it difficult to trace connections and is therefore more private than ordinary browsing. However, Tor has a performance overhead and it is not a replacement for transport layer security . When using Tor on public Wi-Fi , you should still only connect to https sites or use a VPN. I would not bother with Tor on public Wi-Fi unless I felt compelled to use Tor for all my communications. I would subscribe to a VPN before I would set up Tor.
Caution when using public Wi-Fi is not the end of the challenges. At home, your goal is to avoid turning your home Wi-Fi network into a public playground for neighborhood hackers or casual bandwidth thieves.3 The Wi-Fi standards groups have made some security missteps in the past that have been corrected, but the weak security options live on. The Wi-Fi vendors, the hardware manufacturers, and the network providers who offer packages that include Wi-Fi gear are, as usual, more concerned with convenience than security. Default Wi-Fi configurations are often poorly secured. However, tightening up Wi-Fi security is not hard. If you happen to have an older Wi-Fi router that does not have the latest security, an upgrade is a good idea. It will probably improve performance also.
Bluetooth
Bluetooth is problematic because it can take many different forms. Some forms are secure, some not so secure. Common commercial Bluetooth headphones are so insecure that the NSA banned them in government agencies. The Bluetooth standard is written to accommodate many different applications using profiles. A profile narrows the scope of the standard to a specific purpose. Bluetooth has over 30 documented profiles. Some are secure, others not.
The profile that the NSA banned is terrible for top-secret communications, but it is fine if you don’t care who might listen in on your tunes. Lax security makes the headphones easier to use and simplifies the electronics. It is up to you to sort out whether your Bluetooth devices are safe or not. One danger is an insecure Bluetooth keyboard that permits a hacker to log your keystrokes as you are typing in passwords . Since it is hard to determine what is secure, I assume all Bluetooth communications can be snooped upon, although I know some may be secure.
Email is not private. Privacy was not a goal for early email designers; they aimed for convenience and simple implementation. Email today is more private than early implementations that forwarded messages from server to server, potentially leaving copies on unsecured servers all over, but email privacy today is still dependent on the security of both the sender and receiver’s email service. Your email service may be secure, but that says nothing about the security of your recipient’s service. Electronic discovery of email is a well-established practice under law. Email can be subpoenaed or subject to a search warrant and produced in court. Although you may not be involved in a lawsuit or criminal proceeding, your email may be caught up in discovery of your recipient and made public. If you or your recipient are using company email , the employers are in control, not you. Also, forwarding email takes only a few keystrokes and clicks; your mail may be accidentally, carelessly, or maliciously forwarded to the wrong place.
A practical personal policy for email is to assume that whatever goes into an email may become public. Make a habit of reminding yourself just before you click send that your message may go viral whether you want it to or not.
Email can be made more private by encrypting the email before it enters the email system. A strongly encrypted message with a key known only to you is nearly impossible for anyone to decrypt without your consent. The problem is that your recipient must have a key in order to read the message. Using asymmetric encryption , your correspondents can send you messages that only you can decrypt and vice versa. There are various commercial packages that support this.
Hackers use email to trick you into installing malware , revealing information, and clicking on poisonous websites. See the “Social Engineering” section below for more information.
Email Account Passwords
Email account passwords are important and deserve special attention. A hacker with access to your email account can read your email, send email in your name, and is already most of the way to having stolen your identity. Email is often a factor in multi-factor authentication and password resets. A hacker who controls your email account may be able to request a password reset on your bank account or other important accounts, locking you out and the hacker in. You may have many important accounts that the hacker can grab from your email. Therefore, be certain that your email account password is long, strong, and unique. It may be the most important password you own.
Social Engineering
Social engineering takes advantage of the ways humans think and act to execute computer-related crime. Most cybercrime begins by swiping access through social engineering. Social engineers have a relatively short list of goals. They want your accounts and passwords , opportunities to place malware on your computer, access to your computers, your identity, and your money. Social engineers use the same trickery and deception that con artists have used forever. Sometimes, a social engineer will appear on your doorstep in a uniform appearing to be from your ISP. They might call you, threatening your arrest by the IRS, Homeland Security, or your local law enforcement. Legitimate sources will oblige requests for further information and identification, and acknowledge your rights. Social engineers will evade, bully, and deceive.
Social engineers trick you with phony emails with attachments that install malware or lead you to dodgy websites that download malware onto your computer without your consent. They lure you into sending money that disappears, perhaps for a too-good to-be-true deal or free money from a distant country. A good social engineer knows how to sound legitimate. Always seek information from different sources before you respond to any email , phone call, or website, and then respond carefully.
Installing Software
Well designed and implemented software is a pleasure to use but, realistically, all software contains flaws that hackers exploit. Each app on your computer, tablet, or smartphone that you don’t use adds hacking opportunities with no return benefits. Clogging up systems with software you don’t use can impair performance. The simple solution is to uninstall anything you don’t use. Create a system restore point before removing software that came with your computer, so you can restore easily if it is critical.
For a premium, you can buy laptops, tablets, and desktops that have no non-essential software installed. Impressively, a 10% to 20% performance improvement over comparable “loaded” devices has been reported. Software vendors pay hardware vendors and retailers to load free or ad-laden versions on new computing devices to market the for-a-fee versions of their software. The practice would be annoying but benign, except that each of these free programs is yet another opening for attack. Some hardware vendors have announced that they have reduced or eliminated non-essential software shipped on their products.
Be careful when you install new applications. A loosely written or hacker-written application can wreak havoc on your device and open it up to being taken over. Hackers also tamper with install scripts to install backdoors and other malware along with legitimate applications. When you download from a site other than the original developer, you run a risk of getting a doctored installation. This is especially easy with free open source products, even though many are high quality products. Make it a policy to download from the person or organization that developed the software, not sites with collections of free software.4 Before installing any free or paid software, check it out. Bad reputations generally show up quickly on the Internet.
The single greatest danger to tablets and smartphones is installing apps that contain threats. The vendors’ app stores are supposed to prevent this by thoroughly examining apps before they are available in the stores. The app stores are safer than the free-for-all of downloads to desktops and laptops, but the vetting is not perfect. Malware does occasionally appear in all of the app stores. Apple, Google, and Microsoft may say that their stores are perfectly safe, and they may believe this, but hackers are smart and they find ways. The worst part is that an app that is intentionally installed by the user can often be hidden from antimalware scans. Whenever you install any software on any device from any source, be cautious. Use the search engines to scrutinize the reputation of any software before you install. It only takes a few minutes and it can prevent a world of grief.
Surfing the Web
The great dangers in surfing the Web are the result of social engineering trickery, man-in-the-middle attacks, and drive-bys.
Man-In-The-Middle
Your best protection against the man in the middle is communication secured with Transport Layer Security (TLS) , the successor to Secure Sockets Layer (SSL) . Any time you are doing anything that you don’t want to be snooped on or tampered with, you should insist on TLS. Addresses of sites using TLS start with “https ” and most browsers display a locked symbol when using TLS.5
Using TLS or SSL is the server’s decision, not the client. When TLS was first used, performance was much lower for secure communication, so it was used sparingly. Computers and networks are more powerful today so the performance drop is negligible. Amazon, for example, formerly only used TLS when taking payments and executing orders, but today it uses TLS for all communication. If you can choose between sites, choose those that use TLS. Never do anything critical over simple and insecure HTTP. You can get extensions for most web browsers that will force use of HTTPS if the site supports it. HTTPS Everywhere is the most well-known.6
Certificates are an important part of TLS . A certificate is proof that you are communicating with the site you think you are communicating with and not hackers who have tricked their way in. If your browser comes up with a “faulty certificate” error when you try to connect with a site, the problem is often an expired certificate. The site has gotten behind on renewals. It happens. Or a hacker has gotten into the works and wants to tamper with your session. Many people are tempted to assume a clerical error and ignore the warning. I do not recommend succumbing to the temptation, but if you do, don’t click the box that says to permanently ignore faulty certificates from the site. Don’t ever exchange critical information over a connection that does not have a valid certificate. HTTPS Everywhere provides additional warnings on invalid certificates .
Drive-bys
Another danger while surfing the Web is a drive-by, a bit of malicious code that is downloaded with a web page and compromises your computer. There are two main culprits: Java and JavaScript . Both of these computer languages enhance web browsing. It would be hard to imagine the Web today without the contributions of code written in these languages. Although their names are similar, they are rather different.
The Java language was originally written for embedding into web pages, but it is not often used that way now because the original safety measures that were supposed to prevent local machines from being attacked via downloaded code have proven inadequate. However, Java has become the most popular language for large software projects and most business users need Java support.
For Java to work, you must have a Java Virtual Machine installed. Few popular websites now rely on Java. Therefore, unlike business users, most individual users don’t need a Java Virtual Machine installed. You are safer without it. Don’t install Java. If you have it installed, uninstall it. If you must have it for some reason, be diligent about keeping it updated because Java security flaws are patched frequently.
JavaScript bears a vague resemblance to Java , but most of the similarity is only in the name. You can’t avoid JavaScript. Almost all websites use JavaScript and will not work properly without it. The best defenses are to avoid questionable sites, keep your antimalware tool up to date, and run scans frequently. You can turn off JavaScript in your web browser, but you will find that many websites no longer work properly. There are extensions to browsers that are designed to help. NoScript is an extension for Firefox, Chrome, and Opera web browsers that uses a whitelist.7 Trusted sites on the whitelist can execute scripts. New sites are easily temporarily or permanently added to the whitelist. It also warns of especially risky scripts and blocks Java and Adobe Flash on non-whitelisted sites. This is an effective compromise, although by no means totally secure or convenient.
The Internet of Things —Dangerous Devices
Almost everyone has at least one dangerous online device in their home. These devices are things like home wired and wireless routers, webcams, DVRs, even printers that are connected to home networks and to the Internet. These present two dangers: hackers may gain control of these devices and turn them on you, and they may use them as bots in denial of service attacks. Some of the largest and most destructive denial of service attacks have come from massive networks of compromised IoT devices.
These devices are small computers, often running some variant of Linux . The usual line of attack is to gain access to the administrative account for the device, such as root or admin. These accounts often all have the same weak default password set at the factory. Criminals scan the Internet, searching for devices with this flimsy security. When they find them, they log on and begin to make trouble, like installing malware for launching denial of service attacks.
The solution is to place strong passwords on all your devices. You should begin by resetting the device to factory defaults, in case it has already been hacked. Consult your user manual. Resetting is usually a mechanical step: pushing a button or inserting a pin into a socket. Mechanical operations require physical access to the device, which is good in this case. Then follow user manual instructions for setting the device password . The process will be like setting the password on your router.
There is another step that may be necessary. The device may not block telnet or secure shell (ssh) access to the device. If you are familiar with and have access to a Linux installation, you can attempt to telnet or ssh into the device and change the root password . This step may not be necessary Your safest path is to choose IoT devices carefully, inquiring into their security and waiting for security issues to be resolved before risking and insecure installation. because the device password is often also the telnet or ssh root password, but there have been reports of devices that do not block telnet or ssh and still allow default access after the main account is changed. If telnet and ssh are beyond you, simply changing the device password still gives you much more protection than leaving the defaults. Manufactures already are said to be recalling and fixing these dangerous devices. Approach IoT devices cautiously. Inquire into their security and wait until security issues are resolved before installing them.
IoT-based denial of service attacks are particularly insidious because patching the problem is fraught with obstacles. Most of the vulnerable devices are manufactured as unlabeled generics, which become components in systems sold under many different labels. The manufacturers may have no record of where their products have been deployed and there is seldom any provision for updating the equipment after the end consumer has deployed it. Devices such as webcams are infrequently replaced or upgraded and by the time an issue appears, the manufacturer may no longer support the design or may even have gone out of business. The consumer whose IoT device is used in the attack probably does not know that their device is doing damage because a device participating in an attack may still work well. Therefore, the consumer has no direct incentive to fix or replace their devices and the victims have scant leverage.
Protecting Children
Children now appear on computers, use computers, and fall victim to cybercriminals.
Privacy
My childhood was in a rural community in the 1950s. My parents knew everyone residing within a mile of our farm. The entire county was knit together through ties of family, church, business, and acquaintance. Everyone seemed to know something about what everyone else was doing, and felt free to comment on it. These ties formed a granular news service that helped hold the society together.
People today reproduce that nostalgia-laden network of social ties using social media. But the new social media network is quite different. The old ties were symmetric. If I saw you, you saw me. If you knew what I was doing, I knew what you were up to. But Internet social media is not symmetric. I may have many friends on Facebook and receive many posts, but I reveal nothing about myself when I see a post, unless I choose comment or post myself. The relationship is symmetric only if I choose to make it so. In the social media world of asymmetric privacy, predators watch and prepare, leaving few clues to where they are or what they are thinking.
Parents must be aware of asymmetric privacy. In some cases, you can block it. Facebook postings are a good example. Posting photographs of children’s birthday parties and Halloween costumes is a delight for everyone, including predators selecting their next victim. A predator who knows the names of relatives and details about a child’s life, such a favorite meals and toys, has a powerful advantage when convincing a child to get into a vehicle or step into a secluded corner of the playground. You can reduce this risk by selecting your friends carefully and limiting visibility of posts to friends. But remember that your friends can repost and their friends might not be as careful as you about who sees the post.
Predators are not limited to pedophiles. They can be overly inquisitive potential boyfriends or girlfriends. Or a mildly aggressive neighbor kid, or a virulent bully who is spoiling to humiliate and push a child to suicide.
You must always consider the possibility of lurking predators when you post anything involving your child. Check privacy settings and set them properly, or don’t post. These principles apply to all social media. As children mature, they may be prepared for greater exposure and they will almost certainly push for it. You may want to expose them to harsh reality gradually by loosening controls. That is a parent’s decision, but think about it rather than let it happen.
Protection
At some point, your children will begin using computers on their own. We all know that there are many sites on the Internet that offer pornography and other material that most people consider inappropriate for children. There are tools you can install on your children’s computer that offer varying degrees of protection. Both Apple and Microsoft have provisions for setting up children’s accounts that restrict access to apps and websites.
These tools are useful, but they are fallible. They work through a combination of whitelisting , blacklisting , and pattern recognition. Blacklisting and whitelisting depends on you or the tool vendor having information about a site to make the decision to block it. Although the vendor may be diligent, there will be occasions when their information is absent or incorrect and an undesirable site gets through or a desirable site is blocked. Pattern recognition looks for certain words, or combinations of words, or visual patterns that identify a site as good or bad. The best of the pattern matching tools use the same kind of machine learning used in driverless cars. They do not rely on prior knowledge of sites, but be aware that these systems learn from mistakes and mistakes do happen.
Use these tools, but do not rely on them. They are not a replacement for supervision and preparation for lapses in protection.
You may want to take steps to preserve your child’s identity. If an identity thief has your child’s social security number, they may start applying for loans and credit cards in the child’s name. You can prevent this by opening credit records with the credit bureaus (Equifax, Experian, Trans Union, and Innovis) and then freezing the records. When a financial institution does a credit check, a flag will raise, blocking the exploitation. Exactly how this can be done depends on the credit bureau and state regulations. Some people argue against establishing a child’s credit record because the record becomes a public record of the child’s existence.8
Attack
The simple fact is that children lack experience and judgment. Younger children have less experience and weaker judgment. Adults are social engineered and hacked often enough. Children are even more likely to be hacked.
Reducing cybermishaps for children is difficult, but possible. One of the first steps is to limit the sites and applications that the child may access using access control tools and built-in operating system tools. This includes limiting access to email and messaging. Children are easily tricked into opening malware attachments, falling for clickbait links, offering up information to miscreants, and responding to dangerous messages. Until they are old enough to make good decisions, they must be shielded.
The other important step is to prevent a hack on the child from affecting the rest of the family’s resources, especially financial resources and opportunities for identity theft. Unless children are strictly supervised, they should never sign on to any kind of computer using their parents’ accounts. They should not know their parents’ passwords . They must have their own accounts, not necessarily in their name, but with limited privilege.
It may be counterintuitive, but you are often safer if your children are on their own computer; if a hacker gets into a child’s computer, it is more difficult for the hacker to get to the parents’ resources from a separate child’s computer than from an account on the parents’ computer. The child’s account on the child’s computer should still be a child account, never an account with administrative privilege. If the child is hacked often, or you are very cautious, completely restore the system periodically, in the same way that public computers in libraries are restored daily to purge them of data and malware left by public users.
Footnotes
1 NIST is revising recommended password guidelines to reflect the need for length. For a good overview of the revision in process, see Jim Fenton, “Toward Better Password Requirements,” www.slideshare.net/jim_fenton/toward-better-password-requirements .Accessed October 2016. Fenton is an independent researcher and consultant to NIST. This PowerPoint is not an official document, but it appears to reveal thinking on its way into the revised guidelines.
2 But don’t rely on Google absolutely. No Google hits does not guarantee a good password. Your birthday in Roman numerals may not get hits, but it is still weak.
3 I expect bandwidth theft will increase as the Internet providers put more caps on data downloaded per month. The temptation to filch bandwidth from a neighbor’s poorly secured Wi-Fi will be great.
4 If a free software program is good and useful to you, don’t be a cheapskate. Pay the developers something for it. Support the good people.
5 TLS replaced SSL in 1999, but the term SSL is still common. SSL has been declared insecure, but there are still old installations of SSL around, but there is not much an individual user can do about it.
6 HTTPS Everywhere is available at www.eff.org/https-everywhere . Accessed October 2016.
7 NoScript can be downloaded from https://noscript.net/ . Accessed October, 2016.
8 See Brian Krebs “The Lowdown on Freezing Your Kid’s Credit,” KrebsonSecurity, January 20, 2016. https://krebsonsecurity.com/2016/01/the-lowdown-on-freezing-your-kids-credit/ . Accessed October 2016. Krebs provides detail on current regulations. The comments offer some insight into the controversy over the prudence of establishing a child’s credit file.