April 22, 2017, 1:39 p.m.

How To Protect Your Digital Self

The internet is a very large place. Some estimates put it at 1 exabyte (1 billion billion bytes), or almost 5 billion web pages. Take note that these are crude simplifications, as the internet is made up of much more than just the World Wide Web. Regardless, every person who has ever interacted with anyone will probably have some kind of digital footprint. Do you have a driver's license? A passport? A health care card? Have you ever visited a doctor? Even though you may never have given any consent, interacting with the world creates digital traces of you all over the internet.

Unfortunately the internet is a little bit like entropy - it only ever increases. The internet gets bigger and more complicated, and with that your privacy comes more and more at risk. Every day we connect more devices to the internet than ever before. Think of the prefix "smart" that has become so commonplace. Smart phones. Smart baby monitors. Smart video cameras. Smart TVs. The list goes on. Most modern Blu-ray players, TVs and amplifiers can connect to the internet via WiFi or ethernet. Your baby monitor can probably do that too, and so can your security cameras, smart light bulbs, smart smoke detectors, smart air conditioning, smart car...

Being connected is cool - it makes many things much simpler and better. But there is a dark side to all these advancements. Unfortunately, technology outpaces our ability to reason properly about its consequences. We build smart cars that can download firmware updates over the air and update your status on Facebook, without stopping to think what the downsides might be. Security researchers have shown that it is possible to break into such a car remotely and take over automated components such as braking and, in some cases, steering. This is a terrible risk, and many of these cars ship with little or no security on those interfaces. I recently reviewed a smart surveillance camera that does not even support secure HTTPS connections - it only had HTTP. This, for a security product!

We hear every day of passwords being compromised - look at this graph and note how breaches have only increased since 2004. If you ever had an account with any of those companies, chances are your account was compromised. And if you reuse passwords across sites, your accounts on all those other sites are compromised by association.

Just when you think you have a good, strong password, you read that it will not help you. Passwords like Apr!l221973, qeadzcwrsfxv1331 and Philippians4:6-7 were cracked too. They look strong, but each follows a pattern an attacker can guess: a month and date with one letter swapped for a symbol, a walk across the keyboard, a scripture reference. Cracking tools do not try every possible string; they take a wordlist and apply rules (capitalise, swap letters for symbols, append dates or numbers), and a password built from a pattern falls to those rules no matter how long it is.
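To show why two of those passwords fell, here is an added example (my own code, not part of the original post) of the pattern-based candidate generation a cracking rule set performs. It regenerates Apr!l221973 from a month/day/year pattern and Philippians4:6-7 from a book/chapter/verse pattern, then compares the size of each pattern's search space with that of a truly random password of the same length. The patterns, the letter substitutions and the short list of Bible books are my assumptions; real rule sets are far larger, and the keyboard walk behind qeadzcwrsfxv1331 is not modelled here.

```python
import math

# Added example: regenerate "strong-looking" passwords from the patterns a
# rule-based cracker tries, and compare that candidate space with the space of
# a uniformly random password of the same length.

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
# Constructed subset of the 66 Bible books; a real rule set would list them all.
BOOKS = ["Genesis", "Psalms", "Proverbs", "John", "Romans", "Philippians"]
# Assumed letter-to-symbol substitutions ("leet"); real rule sets have many more.
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
# Days as "1".."31" plus zero-padded "01".."09": 40 distinct strings.
DAYS = sorted({str(d) for d in range(1, 32)} | {f"{d:02d}" for d in range(1, 32)})
YEARS = range(1900, 2020)


def word_variants(word):
    """Casing and substitution variants a rule set tries for one dictionary word."""
    out = set()
    for base in {word, word.lower(), word.upper(), word[:3], word[:3].lower()}:
        out.add(base)
        full = base
        for ch, sub in LEET.items():
            out.add(base.replace(ch, sub))   # one substitution: April -> Apr!l
            full = full.replace(ch, sub)
        out.add(full)                        # every substitution at once
    return out


def date_candidates():
    """<Month-variant><day><year>: the pattern behind Apr!l221973."""
    for month in MONTHS:
        for variant in word_variants(month):
            for day in DAYS:
                for year in YEARS:
                    yield f"{variant}{day}{year}"


def scripture_candidates():
    """<Book><chapter>:<verse>[-<verse>]: the pattern behind Philippians4:6-7."""
    for book in BOOKS:
        for chapter in range(1, 151):          # no book has more than 150 chapters
            for verse in range(1, 177):        # no chapter has more than 176 verses
                yield f"{book}{chapter}:{verse}"
                for span in range(1, 6):       # short verse ranges such as 6-7
                    yield f"{book}{chapter}:{verse}-{verse + span}"


def date_candidate_count():
    return sum(len(word_variants(m)) for m in MONTHS) * len(DAYS) * len(YEARS)


def scripture_candidate_count():
    return len(BOOKS) * 150 * 176 * 6


def pattern_bits(count):
    """Effective strength in bits when the attacker knows the pattern."""
    return math.log2(count)


def random_bits(length, alphabet_size=95):
    """Strength of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def cracked_by(generator, target):
    """True if the rule set would produce the target password."""
    return any(candidate == target for candidate in generator())


if __name__ == "__main__":
    for gen, pw in ((date_candidates, "Apr!l221973"),
                    (scripture_candidates, "Philippians4:6-7")):
        print(f"{pw}: produced by pattern = {cracked_by(gen, pw)}")
    print(f"date pattern:      {pattern_bits(date_candidate_count()):.1f} bits "
          f"(vs {random_bits(11):.1f} bits for 11 random characters)")
    print(f"scripture pattern: {pattern_bits(scripture_candidate_count()):.1f} bits "
          f"(vs {random_bits(16):.1f} bits for 16 random characters)")
```

Both passwords are produced by a search space of roughly 20 bits, which a cracker working against a fast hash exhausts in well under a second, whereas a random string of the same length would sit above 70 bits. Length only helps when the attacker cannot predict the structure.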

So what about 2FA (Two Factor Authentication)? It certainly helps, but again there is disheartening news: codes sent by SMS can be intercepted, and a convincing phishing page can simply ask you for the code and relay it to the real site while it is still valid.

Biometric security? It can be worked around as well, through the legal system (in some jurisdictions you can be compelled to unlock a device with your fingerprint) or technically, since a fingerprint is something you leave on every surface you touch and can never change.

So you think about going dark, but you still need a computer. You read up on air-gapped computers - computers not connected to any network at all. You think you are safe, but there are so many ways to breach such a machine (an infected USB stick, data leaked out through sound, light or radio emissions) that you would fall off your chair.

What about anti-virus? Not nearly as useful as people might think: it catches malware it has seen before and tends to miss what is new or targeted. I personally have had to rescue clients' data multiple times even though they had up-to-date Avira anti-virus on all their computers, and ransomware sneaked right past it.

Social engineering has always worked, and will continue to do so. People just do not want to be educated, or they do not understand IT. Regardless, social engineering is one of the most powerful attack vectors around. It works so well that even high-profile targets get compromised.

One thing is clear - online security will only get worse as the pace of technological advancement exceeds our ability to control what we have created. However, things are not quite as bleak as they might seem. There are things you can do to reduce your risk of exposure significantly. Note that there is nothing anyone, not even the NSA, can do to guarantee security. It is like the speed of light: a particle with mass can never reach it, because the closer it gets the more energy is required to accelerate it further, and reaching the speed of light would take infinite energy. Likewise, the more effort and money you spend on security, the better you can protect yourself, but it will never be 100%.

Here are my recommendations, in no particular order. IT security is like a chain: it is only as strong as its weakest link, so you reduce your risk only by doing ALL of these things, not just the convenient ones:

  1. Never use the same password on more than one site. Use a password manager to keep track of them all; even a list written on paper and kept in your wallet or safe is better than reusing one password everywhere. The manager's master password then becomes the one password you must make truly strong.
  2. Pick strong passwords: long and random, not a word with a few characters swapped or a date in disguise. Never use personally identifiable details (names, birthdays, pets, addresses) in a password.
  3. Use 2FA (Two Factor Authentication) wherever it is offered. An authenticator app or hardware token is preferable to codes sent by SMS, but even SMS is better than nothing.
  4. Never click on an email link unless you are absolutely certain you know and trust the sender. A large share of breaches start with someone clicking a malicious link or attachment in an email. Hover over a link to see where it really goes (the visible text and the real destination can differ), and when in doubt type the site's address into your browser yourself.
  5. Never browse to shady web sites such as torrent and other illegal download sites. Never call a number when your web browser suddenly tells you to contact support because your PC is infected: a web page cannot detect an infection, and these are always scams.
  6. Never share your passwords with other people.
  7. Use strong encryption to protect sensitive data (full-disk encryption on laptops and phones), and always connect to sites over HTTPS. Never enter credit card details or personal information on a site you do not know, or on one that is not secured with HTTPS. Keep in mind that HTTPS only means the connection to the site is encrypted; it says nothing about whether the people running the site are honest.
  8. Protect your devices with a password or PIN and make sure they lock automatically; this includes your mobile devices.
  9. If you have any IoT devices (Internet of Things), change their default passwords to something strong, disable any services you will not need, and consider not exposing them to the internet at all. With a little effort you can keep them reachable only from inside your home and use a VPN back to your home network when you need them remotely, which removes most of the risk they pose.
  10. Put a strong password on your WiFi access point and use WPA2 rather than the older, broken WEP.
  11. Think before sharing any confidential information with anyone. Most companies will NOT reach out to you to support you; you will need to go to them. Make sure you know who you are talking to before providing sensitive information. And no, I guarantee you no Nigerian knows or needs you.
  12. You will probably not get hacked because you are someone special - most people are not special, they are just people. Most people get hacked by automated bots: computers running automated scans and exploits to try to increase the size of a botnet (a network of bots, or compromised computers). You may not even know you have been hacked, but your PC could right now be happily joining others in attacking more computers or leaking information from your network. Because of this, use a firewall at home and at the office: block all incoming connections by default and allow only the services you actually need.
  13. This forms part of the previous point, but it is so important that I am mentioning it on its own: enable automatic updates on ALL your devices. Unpatched machines are the single biggest attack vector for hackers and bots. If all your devices are always fully updated, your risk is greatly reduced. Do not fight Windows 10 and its aggressive updates; in the end it is good for you and for everyone else. Especially important are:
    1. Operating system updates (Windows, Mac, Linux)
    2. Adobe Acrobat Reader / PDF reader software
    3. Adobe Flash Player (or uninstall it if you can do without it)
    4. Java
  14. Remember that security is not only about you: if your machine is compromised it will attack other people's computers too, and you become part of the problem. Be a good netizen and think about your fellow netizens.
  15. Do not think that just because you are nobody special you will not be hacked. As I said, by far the largest number of attacks come from automated bots targeting ALL connected devices. That includes you. For a bot, you are very special.
  16. Take your computer to a reputable service centre from time to time to make sure it has not been compromised. You will need to find a skilled person, as this is not always trivial to check.
  17. Think outside the box and plan for the case where you do get hacked, so that the damage is limited: transfer limits on your bank accounts, a required phone call to confirm certain actions on your accounts, made-up answers to security questions (real answers are easy to look up and become the weak link in the chain; store the made-up ones in your password manager), backups of your data kept offline so that you can always restore, and so on.
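As an added example (my own code, not part of the original post) of the "check before you click" advice in points 4 and 11, the script below pulls every link out of an HTML email and flags the tricks phishing mail relies on: visible text that names one site while the link goes to another, a raw IP address instead of a domain, a user-info part before an @ that hides the real host, a punycode (xn--) lookalike domain, and plain HTTP. The sample message and its domains are constructed, and the "registrable domain" comparison is a simplification (a real check would use the Public Suffix List).

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Added example: do programmatically what a careful reader does by hovering
# over each link. SAMPLE_EMAIL is constructed; the domains are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.example-bank.com/login">log in</a>.</p>
<p>Or use <a href="http://203.0.113.7/login">https://www.example-bank.com/login</a></p>
<p>Verify at <a href="https://www.example-bank.com@evil.example/verify">www.example-bank.com</a></p>
<p>Secure site: <a href="https://xn--exmple-bank-8xb.com/">example-bank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive 'registrable domain': the last two labels. Right for .com,
    wrong for suffixes like co.uk; a real check uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """Host named by the visible link text, if the text looks like a URL or domain."""
    try:
        return urlsplit(text if "://" in text else "//" + text).hostname or ""
    except ValueError:
        return ""


def check_link(href, text):
    """Return the reasons this link is suspicious (an empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"not https: {parts.scheme or 'no scheme'}")
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    if is_ip(host):
        reasons.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host, possible lookalike domain")
    shown = shown_host(text)
    # Visible text that names a site must match the real destination.
    if "." in shown and " " not in text and registrable(shown) != registrable(host):
        reasons.append(f"text says {shown} but link goes to {host}")
    return reasons


def suspicious_links(html):
    """All links in the message that trip at least one check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    {reason}")
```

Only the first link in the sample passes; the other three are flagged, and the one hiding evil.example behind www.example-bank.com@ is flagged twice. None of these checks proves a link is malicious, so treat a hit as a reason to type the site's address yourself rather than as a verdict.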

These are only some pointers, but following them will definitely reduce your risk significantly.

In the end it is about being informed. We no longer have the luxury to claim ignorance. We have a social responsibility to understand technology well enough to protect ourselves from the dark side. Without understanding we will never be safe. And since technology is ever changing, we too need to evolve with the times to understand the Next New Thing.