Thursday, October 6, 2016

Basic cyber advice

What better time than National Cyber Security Awareness Month for a refresher on cyber safety? Start the new school year off with some healthy habits.

For the second year in a row, Security For Real People is proud to be a National Cyber Security Awareness Month Champion. NCSAM is a month of cooperative efforts involving government, private businesses, and individuals working together to promote online safety and digital privacy. It began as a joint government and industry program between the National Cyber Security Alliance and the Department of Homeland Security. It now includes over 700 corporations, small and medium businesses, educational institutions, and individuals, all with the shared goal of making the digital world just a bit safer for us all.

The news is full of stories about extraordinary threats: Baby monitors hacked to spy on you. A billion Yahoo email accounts exposed. Sophisticated spies taking over iPhones. Movie-plot-worthy heists draining millions of dollars from thousands of ATMs at once.


Elite hackers exist, and they do elite things - but they are generally not the greatest threat to most people. Consumers are undone by far more pedestrian problems. Passwords. Outdated software. Phishing. Improperly configured networks. Routine malware. Malicious advertising. Unwittingly trading privacy for "free" services.


What follows are practical suggestions that anyone can follow. None of these are earth-shattering - I and my fellow security professionals have recommended most of these for years, though the order of importance has changed a bit recently. Together, though, they form a strong foundation for basic cyber security.


Passwords and Accounts


To a computer, you are your login. That means if someone can log in as you, as far as the computer is concerned they are you. 2016 has seemingly been one password theft report after another: 1 million Forbes accounts. 4 million Snapchat accounts. 65 million Tumblr accounts. 68 million Dropbox accounts. 165 million LinkedIn accounts. 360 million MySpace accounts. And most recently, at least 500 million (and possibly well over a billion) Yahoo accounts.


Passwords alone can be stolen or guessed, but a few simple measures provide strong protection:

  • Use a unique password for every website that you care about. Reused passwords are a hacker's dream: all too often, a password will be stolen from an unimportant news site, only to be used to break in to one's bank accounts. Unique passwords per account ensure that if one password is stolen, only that one account is at risk.
     
  • Use a password manager program to store your passwords. I can't speak for you, but I have at least a hundred different online accounts: email, social media, financial institutions, insurance companies, utility services, retail sites, professional organizations, news outlets - the list could go on and on. Keeping track of individual, strong passwords for every site on my own would be a fool's errand; instead, choose a password manager to do the remembering. Popular options include LastPass, 1Password, KeePass, and DashLane.
     
  • Use long passwords - because mathematically, the length of a password is the single greatest measure of its strength. Since you are going to use a password manager (you are, right?), it is no harder to use a 32-character password than to use a 6-character password - so use the longest password a site will allow.

  • Let a password generator program make up your passwords. Humans are notoriously bad at choosing good passwords. Even when we think we've chosen strong, unique passwords (Uppercase letters! Lowercase letters! Numbers! Special characters!), we tend to follow predictable patterns. Austin2015! and Z)0fG5^nq4t both have the same number of characters and the same mix of character types. Guess which one is more difficult for a hacker to discover?
     
  • Use multifactor authentication where available. The strongest password in the world can still be stolen, whether by a clever phishing email or by password-harvesting malware. With multifactor authentication, logging in requires both a password and something else. Common approaches are a physical card, a keyring-style token generator, or a one-time code sent via SMS. The key consideration is that the second factor should not be another password or "security question" (which could be stolen as easily as the original password).
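To make the "length beats cleverness" point above concrete, here is an added example (my own illustration, not code from any password manager mentioned in the post). It computes the best-case strength of a password from its length and character set, flags the word-plus-year-plus-symbol shape that people gravitate toward, and generates a password the way a password manager does, from the operating system's cryptographic random source. The two sample passwords are the ones compared in the post; the regular expression and the list of common sequences are my own simple heuristics, not a standard.

```python
import math
import re
import secrets
import string

# The two constructed passwords compared in the post (not real credentials).
HUMAN_PASSWORD = "Austin2015!"
GENERATED_LIKE = "Z)0fG5^nq4t"

# Heuristic (my assumption of a common human pattern): a word, a year, a symbol or two.
WORD_YEAR_SYMBOL = re.compile(r"^[A-Za-z]+(19|20)\d{2}[^A-Za-z0-9]{0,2}$")
COMMON_SEQUENCES = ("1234", "abcd", "qwerty", "password")


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that covers every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def max_entropy_bits(pw: str) -> float:
    """Strength if every character had been picked uniformly at random.

    This is an upper bound. It is only realistic for generator-made passwords;
    a human-chosen password with the same length and alphabet is far weaker.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def looks_human(pw: str) -> bool:
    """Flag the predictable shapes that defeat the entropy bound above."""
    if WORD_YEAR_SYMBOL.match(pw):
        return True
    lowered = pw.lower()
    return any(seq in lowered for seq in COMMON_SEQUENCES)


def generate_password(length: int = 32) -> str:
    """Random password from the CSPRNG behind `secrets`, all four classes present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def assess(pw: str) -> dict:
    """Summarise length, alphabet, best-case bits and whether the shape is predictable."""
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "max_bits": round(max_entropy_bits(pw), 1),
        "predictable": looks_human(pw),
    }


if __name__ == "__main__":
    for pw in (HUMAN_PASSWORD, GENERATED_LIKE, generate_password(32)):
        print(pw, assess(pw))
```

Run it and the two 11-character samples report the identical best-case figure (about 72 bits), which is exactly why the number alone is misleading: only the first is flagged as predictable, and a 32-character generated password roughly triples the bound without any extra effort on your part.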


Computers, Smartphones, and Devices


The Internet is no longer made up only of traditional computers - gadgets as diverse as refrigerators, thermostats, toasters, and garage door openers can be connected to a network, making up the so-called "Internet of Things." A gadget connected to the Internet, though, faces the same malicious hacking risks as a computer - and in many cases the gadgets were not designed with that in mind.


A webcam (a home monitor camera with an Internet connection) can allow voyeurs, creeps, and worse to spy on the private activities of your family. In recent weeks, reports have surfaced of thousands of cameras and DVRs taken over by criminals and used to mount collective attacks to disrupt the websites of major businesses.


Here's what you can do:

  • Change the password before you connect a new device to the Internet. Many products come with a built-in default password - which in most cases is well-known to the hacker community.

    If you do nothing else today, do this!
     
  • Cover or unplug webcams when not in use. This might seem a bit paranoid, but to be frank, I am simply not comfortable with the current state of Internet camera security, at least not if it is inside my home. Even FBI director James Comey recommends doing this.
     
  • Mind your apps. Mobile device apps can (mostly) only do what you allow them to do. So read the permissions an app requests before blindly installing Fuzzy Kitten 97. Read the permissions requested by an app update as well: I have more than once removed a once-satisfactory app because an update expanded the permissions unnecessarily. In addition, stick to the major app stores. While the major app markets (such as Apple's App Store, Google's Play Store, Amazon App Store for Android, Windows Phone Store) can be compromised, they are still far safer than sources off the beaten path.
     
  • Keep programs up-to-date. Android OS, Apple iOS, Windows, Mac, and many software products have automated update features. Turn them on. Software developers make mistakes - that's what the updates fix. If your car had a factory defect that might leave you stranded on the side of the road, and the manufacturer offered a free fix, you'd take them up on it, right? This is the same thing.

  • Change the phone book. This is the one and only "complicated" recommendation I make - and I make it because it is so darned effective.

    DNS, the Domain Name System, is how your computer knows that www.google.com is actually "74.125.224.242." It happens silently in the background and is usually ignored unless it stops working. OpenDNS and Norton, among others, offer free services that simply don't resolve website addresses that go to known undesirable content (more accurately, they resolve such websites to a benign address that says "you can't go there"). In my opinion this is one of the strongest controls you can add to the security of your network.
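To show what a filtering resolver is actually doing when it "resolves such websites to a benign address", here is an added example of my own, not OpenDNS's or Norton's code. It stands in for a resolver with a small blocklist and a table of upstream answers (both constructed for the illustration; the addresses are from the RFC 5737 documentation ranges except the Google one quoted above). The one subtlety worth seeing is that a blocklist entry must match on whole DNS labels: `cdn.malware-drop.example` is inside the blocked domain, but `notmalware-drop.example` is an unrelated site, and a naive "ends with" check gets the second one wrong.

```python
# A sinkhole address standing in for the "you can't go there" page (RFC 5737 range).
SINKHOLE = "203.0.113.1"

# Constructed blocklist and constructed upstream answers; the names are not real sites.
BLOCKLIST = {"malware-drop.example", "phish.example.net"}
UPSTREAM = {
    "www.google.com": "74.125.224.242",
    "malware-drop.example": "198.51.100.7",
    "cdn.malware-drop.example": "198.51.100.8",
    "login.phish.example.net": "198.51.100.9",
    "notmalware-drop.example": "198.51.100.10",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; canonicalise both."""
    return name.rstrip(".").lower()


def is_blocked(name: str, blocklist: set) -> bool:
    """True if the name, or any parent domain of it, is on the list.

    Walks label by label so matching respects DNS boundaries.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def naive_is_blocked(name: str, blocklist: set) -> bool:
    """The tempting shortcut: plain suffix matching. Kept here only to show its false positive."""
    n = normalize(name)
    return any(n.endswith(entry) for entry in blocklist)


def resolve(name: str, blocklist: set = BLOCKLIST, upstream: dict = UPSTREAM) -> tuple:
    """Return (address, was_filtered). Blocked names get the sinkhole, others the upstream answer."""
    if is_blocked(name, blocklist):
        return SINKHOLE, True
    return upstream.get(normalize(name)), False


if __name__ == "__main__":
    for q in ("www.google.com", "CDN.Malware-Drop.example.", "login.phish.example.net",
              "notmalware-drop.example"):
        addr, filtered = resolve(q)
        print(f"{q:28} -> {addr}  {'(filtered)' if filtered else ''}")
```

Because the filtering happens at the name-lookup step, it protects every device on the network that uses that resolver, including the "Internet of Things" gadgets above that have no room for security software of their own.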


Mind your own behavior


  • Think before you click. Phishing scams as well as malware rely on our tendency to click first, think later. Phishing scams in particular can be incredibly believable - they are designed to imitate something legitimate to abuse your trust. Oh, and they can disguise themselves quite cleverly.

  • Use social media strategically. The old adage that on the Internet no one knows you are a dog is absolutely true: with social media you only know who someone claims to be. Different social media platforms offer different audiences, as well as different degrees of control over who sees your posts.

  • Favor credit cards over debit cards. For purchases, credit cards have inherent consumer protections, and your cash is separated from the transaction. In the US, the Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently). In addition, many banks have sophisticated pattern-tracking systems that learn your typical spending patterns and will alert if something seems out of the ordinary. The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within two days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.

    An additional step I take is to reserve one credit card for recurring transactions (monthly utility bills, for example), and a separate card for purchases. In recent years, most payment card breaches have involved point of sale devices. Replacing a piece of plastic in my pocket is easy, but updating a dozen or so recurring payments is a pain. Using a separate card for purchases means if I have to replace that card, my recurring transactions are not affected.

  • Place a Fraud Alert on your credit report - and renew it every 90 days. This isn't strictly an online security protection, but it is highly effective at minimizing the damage caused by identity theft. A Fraud Alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account. Note that you do not have to be the victim of identity theft to put an alert on your credit report.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen