November 12, 2017

Sensible Computing Security Tips

Being secure in this fast moving and ever-changing digital world can be a challenge, especially for those who are not IT professionals. Security is usually the last thing folks want to deal with; bad stuff won’t happen to me, devices and services are secure out of the box, right?

You lock your doors for a reason; that real-world logic also applies to the digital world. There are many bad actors out there: nation-states, cybercriminals, and hackers all the way through to script kiddies and wardrivers.

This is a guide of common-sense tips that most folks should be able to follow to greatly improve their digital security.

Keep Up To Date

The most important rule to enhance your digital security is to keep all software and devices up to date. Security flaws are constantly being discovered and fixed; unpatched flaws are a real danger. Running end-of-life software is also very dangerous. Cybercriminals use these known vulnerabilities to target the unsuspecting.

Modern software such as operating systems, browsers and smartphone apps by and large automatically update themselves, or will notify you when updates are available.

Please, never turn off automatic updates, and be proactive in searching for and applying updates. Replace old software that does not automatically update, an old PDF reader for example, with a modern equivalent that does.

Passwords and PINs

Computers are getting faster, and so is the ability of cybercriminals and hackers to crack user passwords. Most folks have poor password hygiene: weak passwords combined with password reuse.

A six character password can be cracked in seconds on a modern password cracking machine. Seven character passwords are also weak, same for eight and nine character passwords.

Please watch this exchange between Edward Snowden and John Oliver explaining the importance of passwords.

My recommendation: passwords should be at least fifteen characters long, preferably more. Use phrases to gain length and complexity; for instance boatsWillFloatPlanesWillGl1de! is a far stronger password than ghU89!yhkQwl$ and is a heck of a lot easier to remember.
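To put numbers on the length argument above, here is a small brute-force estimator (added for this guide, not part of the original post). It models an attacker who must try every character from the classes the password uses; the guess rate is an assumed figure, and a passphrase built from dictionary words can also be attacked with word lists, which this model does not cover.

```python
import math
import string

# Assumed offline guess rate for a modern cracking rig (constructed figure, not from the article).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Character classes an attacker must include once the password uses one of them.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(password: str) -> int:
    """Alphabet size the attacker must search: the sum of every class the password touches."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    # Characters outside the four classes (a space, an accented letter) each add one symbol.
    extra = {c for c in password if not any(c in chars for chars, _ in CLASSES)}
    return size + len(extra)


def keyspace_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the whole keyspace at the given guess rate."""
    return charset_size(password) ** len(password) / rate


def compare(*passwords: str) -> dict:
    """Bits of keyspace and worst-case years to crack for each password."""
    return {
        pw: {"bits": round(keyspace_bits(pw), 1), "years": crack_seconds(pw) / 31_557_600}
        for pw in passwords
    }


if __name__ == "__main__":
    # The two passwords from the article plus a six-character lowercase one.
    for pw, stats in compare("abcdef", "ghU89!yhkQwl$", "boatsWillFloatPlanesWillGl1de!").items():
        print(f"{pw:32} {stats['bits']:6.1f} bits  ~{stats['years']:.3g} years")
```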

Also, the need to remember passwords results in users reusing passwords across multiple services. This is very bad. It is strongly recommended to use unique passwords per context: your laptop user password should differ from your Google password, which should also differ from your Facebook password, and so on.

If reusing passwords is bad then what can we do to remember all these long passwords?

Use a password manager.

I much prefer locally installed password managers such as KeePass or one of its derivatives such as KeePassXC (this is my password manager of choice). These compatible password managers store your passwords in an encrypted database protected by a master password. Please choose a very strong master password. Also, when using a locally installed password manager such as KeePassXC, please keep a copy of the encrypted database, usually Passwords.kdbx, safely stored offsite; I recommend a CD-R in a safe deposit box.

I suggest storing all your accounts and passwords in KeePassXC; when a new password is needed, let KeePassXC generate one for you. With experience, using a password manager becomes second nature, and it greatly improves your digital security.

With smartphones, I recommend PIN codes that are at least eight digits long. Also configure fingerprint unlock (Touch ID on iPhones), if available, for fast unlock; a long PIN will then not be that bothersome.

Lastly, please configure all your devices to auto-lock themselves after a period of inactivity. Five minutes for computers and two minutes for smartphones are reasonable choices.

Phishing Scams

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

The most common form of phishing is unsolicited email disguised as coming from a legitimate entity you may have an account with. For example, it may be an email styled to look like it came from PayPal with a link to a fake PayPal site designed to fool the victim into typing in their username and password.

To protect yourself from such scams, please be skeptical of any unsolicited correspondence, whether email or messaging. Do NOT click links, do NOT open attachments, and do NOT be tricked into sending your password in electronic form. Do not trust links in emails; they may be a scam.

When required to, log directly into the official portal of a service provider, such as a bank or ecommerce vendor, via a browser bookmark or by typing the web address directly into a browser.
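As an added illustration of why a link's appearance cannot be trusted (example code written for this guide, not part of the original post), the checker below looks only at the host a browser would actually connect to and flags the tricks the PayPal example relies on: a host that merely starts with "paypal.com", a "user@" prefix that hides the real host, and a non-https link. All sample links are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind described above; none of these hosts are real sites.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/login",
    "https://paypal.com@secure-update.example/",
    "http://www.paypal.com/signin",
    "https://xn--paypa1-lookalike.example/",
]


def link_host(url: str) -> str:
    """Hostname the browser would actually connect to (any user@ prefix is ignored)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain on a label boundary,
    so 'paypal.com.evil.example' and 'notpaypal.com' both fail."""
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def classify_link(url: str, expected_domain: str) -> str:
    """Return 'ok' or a short reason the link should not be trusted."""
    parts = urlsplit(url)
    host = link_host(url)
    if parts.scheme != "https":
        return "suspicious: not https"
    if parts.username is not None:
        return f"suspicious: user@ prefix hides real host {host}"
    if host.startswith("xn--") or ".xn--" in host:
        return f"suspicious: punycode (possible lookalike) host {host}"
    if not host_belongs_to(host, expected_domain):
        return f"suspicious: host {host} is not under {expected_domain}"
    return "ok"


if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        print(f"{url:50} {classify_link(url, 'paypal.com')}")
```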

If you receive such a phishing email, delete it immediately.

Social Engineering Scams

Social engineering is the manipulation of people into divulging confidential information through conversation.

The most common form of computer-related social engineering is the unsolicited phone call from a person claiming to represent an entity, say a bank or telecommunications provider, who then requests your personal details to solve an issue of sorts. These cold calls are never real; all they are after are your credentials for nefarious purposes, usually to steal money.

To protect yourself from these scams, please never provide your confidential details to anyone, ever. No one but you should know confidential information such as an online banking password. Note: a real bank will not ring you asking for your password.

If you receive such a call, please hang up immediately.

Malicious USB Sticks

A trick used by certain cybercriminals is the dropping of malicious USB sticks in public places ready for unsuspecting folk to pick them up, take them home, and insert them into their computer. Such malicious USB sticks, once inserted, will compromise your home network.

You should never trust a found USB stick.

If you see a USB stick on the ground, simply leave it there and walk on.

Public Wi-Fi, Be Very Cautious

Using free public Wi-Fi can be very dangerous. Free Wi-Fi opens you up to man-in-the-middle attacks, snooping and sniffing, and malicious hotspots.

It is strongly recommended that you use your mobile phone's data plan to access the internet when on the go. Tethering a laptop to a smartphone is not difficult these days.

If your data allowance is limited and you simply must use public Wi-Fi, then it is strongly recommended that you only use such Wi-Fi in combination with a strong virtual private network (VPN). I recommend trusted commercial VPN providers such as ProtonVPN, VPN.AC or IVPN. Note: ProtonVPN also offers a low-bandwidth free VPN option; this is an excellent choice if you infrequently need to use public Wi-Fi.

Disk Encryption

Disk encryption is a technology that protects the data stored on your disk by scrambling it while the device is powered off. For example, disk encryption will protect the confidentiality of your data if you lose a powered-off laptop, or if a thief steals your home computer.

Disk encryption requires a master password, hence it is very important that you select a strong master password, at least fifteen characters long. Also, please never forget this password; without it you will be locked out of your own data.

Enable Firewalls

A computer firewall establishes a barrier between an inside network (such as your home network) and an outside network (such as the internet). Firewalls are used to prevent unauthorised access to a network like your home network.

Secure Your Router and Wi-Fi

Weak router and Wi-Fi configuration is a common source of network insecurity; it can allow hackers from the other side of the world, or wardrivers sitting outside your house, into your home network.

Configuring a router can be daunting for those not experienced in technology, though modern routers are slightly less obtuse than they used to be. Again, don’t be afraid to call in help; better that than living with an insecure router.

These simple rules will greatly increase the security of your router:

Install Reputable Software from Trusted Sources

Be very cautious when installing software, apps or browser plugins. There is a lot of malicious software on the internet posing as useful or legitimate software. Only install reputable software and apps from official sources, prefer installation from app stores such as the Apple App Store or Google Play store.

Please NEVER install dubious software such as key generators; more often than not these are malicious.

Browser Recommendation

With a strong focus on privacy and security, I recommend the Brave browser.

Brave is a modern, cross-platform browser based on the same Chromium browser and Blink rendering engine that powers Google Chrome.

Notable privacy and security features of Brave:

Please read "Brave with DuckDuckGo, an alternative to Chrome" for greater insight.

UPDATE (MAY 2019): Browser recommendation changed from Google Chrome to Brave now that Brave has matured.

Windows Anti-Virus

Back in the day, running third-party Windows anti-virus was a necessity. However, these days modern versions of Windows ship with their own Defender product, which is more than enough anti-virus for most people.

Instead of investing in an anti-virus product, I recommend using the Malwarebytes anti-malware software. A free version for personal home use is available that will need to be run manually from time to time, whilst the paid version offers real-time protection.

Windows Defender and Malwarebytes complement each other and provide superior protection for modern versions of Windows.

Backups

Backups are critical in case you experience a computer failure, a major security incident that deletes your data, or a security incident that locks you out of your data. Ransomware is an example of such an attack: ransomware will encrypt and lock your data permanently unless you pay a ransom to a cybercriminal to unlock it. Note: paying a ransom will rarely gain you access to your data; please never pay ransomware.

Backups come in two major flavours, local or online. The former usually entails USB drives; the latter is internet based.

My preferred software for local backups:

When using local backup software, please enable its encryption support. You don’t want your backups stored unencrypted in case you lose your backup drive or have it stolen.

If you already have a functional backup strategy, but you are not encrypting your backups, then I strongly recommend you simply buy an Apricorn drive and set a strong hardware PIN.

For online backup, that is, backups that target the internet, I recommend the SpiderOak One service.

Please make sure that backups are running with regularity, at least once a week.

Whichever approach you take, please have a backup strategy; any strategy will do, since there will likely come a day when either your computer dies or you are the victim of a cyberattack. At that point you will be extremely grateful that you had a backup to restore from. Backups are your digital insurance: just as you insure your home and contents, so you should back up your data.

Multi-factor Authentication

Multi-factor authentication (MFA) is a method of granting access only after a client has supplied multiple valid pieces of identity evidence.

Most systems and services default to single-factor authentication, which more often than not would be a solitary password or PIN.

Two-factor authentication (2FA), on the other hand, requires two sources of identification; for example, a password and a one-time code, which may be supplied by an authenticator app or sent to you by SMS or email.

2FA is now available for many high-profile services such as Google, Facebook, Twitter and Apple, to name a few.

2FA greatly increases account security and is strongly recommended for high-value targets. However, most citizens are not high-value targets, so the question is whether the inconvenience is worth the benefit. That is a judgement you need to make. Currently, I recommend strong single-factor authentication for most persons.

Summary

Just as it takes a little effort to secure your physical assets, it also takes a little effort to secure your digital assets. But these days it really is necessary, and it should not be too difficult if you follow these sensible rules:

Be secure and happy computing.