The internet is not a safe place. Not in a, you will receive bodily harm kind of danger, but the safety of your private data and identity. Over the past thirty years the collision of the Internet and Privacy is an atom-splitting explosion of leaked and abused data. Being part of the computer security profession, we try to solve this issue as well as we can for you, but it is imperative you are doing everything you can to ensure you are as bullet-proof as possible. June is Internet Safety Month and in that spirit let’s dive really deep into security practices that can keep you, your private information, and your financial security safe in an always online world.
Decades old tech
The technology that we use everyday is wondrous in it’s own right. If you were to show scientists and great thinkers of 100-150 years ago what we can accomplish today with our tools, they would assume we are already exploring other solar systems in our light-speed ships. However, just like how in 1989 we imaged 2015 as a year we had flying cars, hoverboards, and mini-pizzas that grow full size in a microwave, that future doesn’t really come to pass that quickly. The technology we use today is built upon the technology that came from before and this will always be the case. This is no different for computers and the internet. Unfortunately, a lot of this tech is now decades old and is still with us today. The ultimate drivers of the world wide web are built upon a couple key technologies, NIC, MAC, IP, TCP, and HTTP.
NIC refers to ‘Network Interface Controller’ and it is the bridge between the physical network device and MAC addresses. MAC address is ‘Media Access Control’ address and it’s the static identifier that is applied to the NIC so that each is addressable individually on a network. For an analogy think of a PO Box; the NIC is your physical mailbox and the MAC is the mailbox number. IP address is the second layer of addressable numbers that is tied to a network device, but on a larger and more dynamic scale. In general, IP address is what is most commonly used to add an address to a computer on a network. Think of the IP address as the city, state, and zip code of the previously mentioned PO Box. TCP is ‘Transmission Control Protocol’ and it is the medium for which data is encapsulated for transmission over a network. TCP and IP generally work hand-in-hand to know where data needs to go in a network and how to get it there. There isn’t a great analogy to pull from the previous example for TCP, but you can kind of think of it like the envelope or box that the letter or items travel within. There is also another type of transmission protocol called UDP, or ‘User Datagram Protocol,’ but I don’t want to get too deep into the weeds of it. Finally, HTTP is ‘HyperText Transfer Protocol’ and it’s the ‘language’ that your web browser and web servers speak to deliver the websites you use today. So to wrap up the analogy, HTTP is the paper and words within the envelope delivered in the envelope (TCP), to an address (IP), to the PO Box number (MAC), in physical PO Box (NIC).
What’s the point of describing all of this? I like analogies, but these are the basic technologies that support the internet that we know of today. The standard put forth for NIC and MAC were established during 1973-1983. IP was first conceived in 1981, same with TCP. HTTP 1.0 became a standard in 1996 and HTTP 1.1 in 1999. We are still currently using HTTP 1.1. HTTP 2.0 became a standard in 2015 but it’s wider adoption is still fairly slow growing and HTTP 1.1 will still need to be supported for many years still to come.
There has been a lot of effort put into patching issues with these old technologies over time as vulnerabilities are discovered, but the funding for these efforts are extremely lacking. If you want to help make the internet more secure but don’t have the computer security skill(z) to help, you can always donate money to open source funds. And even as we do fix these issues, we have to remember that this is all driven by computer code that is written by humans, so the human error factor will always be an issue with computer security.
Assume that your data is already leaked
It sounds pretty nihilistic to come from this point of view, like “what’s the point now?” It’s a sad fact that this is true for most people. Your full name, email, home address, and phone number is already in the hands of ner-do-wells or criminal groups, so the question is now, what do we do now that your information is already compromised? Well there is actually a whole lot you can do, so let’s jump into it.
Passwords
Passwords are the first line of defense for securing your online accounts like your email, banking, and social media. However passwords are notoriously insecure. First, they depend on the creativity of the user to create a good password that is also memorable. But even that is not good enough, because a lot of online users re-use their passwords in all of their online accounts, which makes that password weaker with each re-use. If that single password gets cracked even once, it will compromise all of your internet accounts in which it’s used.
Passwords are also weak against phishing attacks, by fooling users to type their password out into a compromised or attacker-owned form for collection by hackers. According to the Verizon Data Breach Report, 43% of security breaches last year involved some form of hacking websites and 80% of that involved stolen credentials.
So what can we do to prevent this? Well the permanent solution is to no longer use passwords. That sounds crazy but many security professionals, myself included, agree that passwords are no longer a viable security protection going into the future. There is an ample amount of money and research going into this but the real issue to tackle will be the eventual transition and acceptance of a non-password protected internet. It’s still a long ways off, but here is what you can do now.
Longer passwords Passwords get stronger the longer they become. If you have a short password, 8-10 characters long, and your strategy to strengthen it is to change a letter to a special character (e.g. ‘a’ to ‘@’), then that will only make the password linearly stronger, to which there is a cap in possible strength. Real password strength is derived from how many characters are in it, not how many different characters. A password that only uses lowercase letters takes 6.66 months to crack once it hits 15 characters in length. Hackers tend to flow in the areas of least resistance and trying to crack a password that strong is a non-starter. It makes more sense to pivot to other passwords or to a different strategy.
Passphrases So how do you make a longer password that is also memorable? Using random numbers, letters (upper and lowercase), and special characters (!@#$) that is at least eleven characters long can be a challenge. The modern advice now is to utilize ‘Passphrases.’ Instead of using randomization for your passwords, come up with a phrase that is memorable but is long. A short string of random words with spaces is a far stronger password than a short string of random characters, for example ‘Tire Split Hobby Motion.’ versus ‘Jd83h@i4’. The former password is twenty-four characters long which would take centuries to crack where the latter password would take less than two minutes.
Different passwords everywhere As previously mentioned, a single password gets weaker with each re-use, because the protection of passwords depends wholly on the security of that website, which is generally unknown in most cases. As soon as you use the same password in multiple websites, the security of all your accounts that use that password are now at greater risk. Are you sure that every website you use that password in are using the best security practices to protect it?
Use a Password Manager Bringing this all together, you need to make your passwords strong and each website or service you use online should use a different password. Sounds like a tall order. A lot of people then result in saving their passwords in a word pad or notes app but keep in mind that anywhere the password is saved in clear text (not encrypted) increases the risk of the password being stolen. So the suggestion from security pros is to utilize a ‘Password Manager.’ There are numerous products available, both third-party and built into your devices, and most of them are good. These password managers will store all of your account credentials for you and also randomly generate you unique passwords for each website you use, so you don’t need to remember them yourself. It is still worth doing your own research just in case, but my suggestions are LastPass, 1Password, or the built-in password keychains on the iPhone and Mac computers.
Then you may be asking yourself, “So to make my passwords secure I should put all of my eggs into one basket and protect it with a password which you have just laid out is insecure by its very nature.” Yes, you’re correct. But this is where you can pull out all of the stops creating one password to rule them all. Since you now only need to remember this one password for access to the remainder of your passwords, your master password should be:
Unique and only used for unlocking your password manager.
A very strong passphrase that is 16-20+ characters in length.
A password that you do not write down or share anywhere, both physically and digitally.
There are two caveats to password managers to avoid: using any managers that are built into web browsers and using them for work credentials. Firefox, Edge, and Chrome all have built-in password managers and third-party managers like LastPass have browser plugins. This is generally not recommended because the web browser has a large attack surface for hackers and it makes your passwords vulnerable to an entire class of attacks. By using the manager that runs on the computer instead of the web browser sandboxes it away from that environment. The mobile version of these managers are also recommended as they can auto-fill your passwords into other apps for you. Secondly, please be aware, do not save your work passwords in your own personal password manager. Many companies may not have an approved manager for saving sensitive data in and you may be in breach of a company policy if you do so!
However, the risk or your password being guessed or stolen can still always happen, so there are further ways to lock down your online accounts.
Multiple-Factor Authentication
There are four primary factors that prove to a computer system you are who you say you are:
Something you know, like usernames and passwords.
Something you have, like a cell phone or other physical device.
Something you are, including biometrics like face and fingerprint scanners.
Somewhere you are, your physical location grants you access to internal resources.
Anytime you use more than one of these factors to log in or be identified by a computer system, that is ‘Multi-Factor Authentication.’ The more of these that are required, the more secure the system is. With the previous section on passwords, that is only one factor and it is the most prevalent way to secure websites. We can do better.
Highly locked-down websites already either offer or even enforce this, especially in banking. If you’ve ever tried to log into your banking website the last few years and were asked to input a code that was texted to your phone, that is the banking website enforcing multi-factor authentication. It is highly recommended that you use multi-factor authentication wherever it is offered. This is especially true for the previously mentioned password manager. So even if something were to happen to your master password, multi-factor authentication will further stop unauthorized access to your passwords.
In general the most common multi-factor authentication that is offered by websites and services is the combination of what you know and what you have, a physical device on your person. But there is a tier ranking to physical devices that are more and less secure. The most secure is an OTP token or a discreet device where its only purpose is to generate a random 6-8 number code that must be inputted into the website or service in addition to your username and password. Second down the line is your cell phone, but even with that there are two levels of security for multi-factor authentication. The best you can use on your cell phone is an app that generates codes like an OTP token. Some examples are the Google Authenticator app and apps tied to the actual service. The Steam gaming platform has a mobile app that includes an OTP token generator for logging in. Lastly, other websites will use your phone number as your physical device by texting you a code that needs to be inputted into the website to be logged in. Phone numbers however are not as secure as previous hacks in the past have demonstrated that this can be compromised.
Some websites or services will use your email as a secondary factor for authentication, but this is the weakest of them all because it wholly depends on the security of the email service. If your email is only protected with a username and password that effectively negates the second authentication factor. There is also the risk that the email service may have vulnerabilities that could allow unauthorized actors to read your emails remotely. The physical separation offered by a device or cell phone is gone in this case.
Beware of Phishing Emails or Texts and How to Spot One
Phishing is emails or text messages that look like the real deal that try to fool a user to follow a link and/or input private information back to the malicious sender. It’s a form of social engineering that preys on people’s fear of punishment, inconvenience, or promise of a reward to make them do things that they wouldn’t normally do. A good example is the Nigerian prince that has labeled you as an inheritor of a family fortune by getting you to send them your private information.
It may sound silly but it is still extremely effective. The Verizon Data Breach Incident report lists ‘Social Attacks’ were used in 22% of all breaches and security incidents last year and the tactics used to fool users are getting increasingly sophisticated. The emails sent look more real, have more context, look like they’re coming from legitimate senders, and link you to convincing facsimiles of the websites you are used to for stealing your information. However there are some key indicators to check to protect yourself from being taken advantage of.
Does it make sense you are receiving this? A lot of the time you may receive an email from a service that you do not use or pay for. This is your first indicator that something may be ‘phishy’ (pun fully intended). One of the tactics of malicious social engineers is to just send out a massive amount of phishing emails all at once to a giant list of stolen email addresses. For them it’s all a numbers game, where they only need a few to take the bait.
Spelling and Grammar A large number of spam emails originate in non-english speaking countries. Therefore translations of these may not be perfect. Generally companies that send out mass emails for customer communication have a whole Communications team with editors and proof-readers, so legitimate emails from businesses should be free from spelling and grammar errors (obviously not 100% of the time).
Check the sender’s domain name In your email application or service (for example Outlook or Gmail), there is always a way to check the sender’s full information. It’s pretty simple to spoof from whom an email looks like it’s coming from but luckily checking the full email meta-information should expose the full identity of the sender. If the email domain name (email@domainName.com) does not match the company that the email claims to be from, that’s a major indicator of a phishing email. Take some time to familiarize yourself with your preferred email tools and how to show the full sender information for your emails.
Check link destination Hyperlinks on websites or emails can be easily spoofed. The text that the link shows may not be where the link will lead you to (for example, www.google.com). The previous link looks like it will go to Google but it really goes to Twitter. An easy way to check this is to just hover your mouse on the link and a drop-down should reveal the actual destination (try it on the previous Google link). If the drop-down destination does not match the company or said destination in the text, this is highly suspicious.
Check email context information Nowadays companies will customize their official email communication with a piece of data that is only known to you and the company that could not be reasonably guessed by a phishing email. Some examples of are:
Banking and credit card emails will include the last four digits of the card or bank account.
Say your name or another detail about the account that isn’t public.
Include a unique message or image that you chose on account creation.
Google search the domain and company If you’re unsure if the website the email is trying to direct you to is legitimate, instead of following the links in the email use Google or another search engine to just look the company up. If they are legitimate their online presence will show up in search results with their website and contact information. Additionally, some websites will list scam domain and company names, so they may show up in search results as well. If the company has a legitimate online presence and no scam tracking website lists them as suspicious or known scammers, they are probably real.
Beware direct threats Legitimate companies will rarely if never send you an official email with a threat. Threats include legal action, closing of your account, or other punishments if you don’t perform an action described in the email. This is a popular tactic for phishing because it targets the psychology of victims to panic and follow the instructions in the fake email without scrutinizing it. If you receive an email that looks official and recognizable, but they are threatening some kind of punishment against you or your account, be sure to take a deep breath and check all of the known factors listed above of phishing first before following instructions.
If it seems too good to be true… And lastly like above, beware of emails promising you the world for very little from your or asking for your information to receive a reward. Just think to yourself the old saying, ‘If it seems too good to be true, it probably is.” It’s a pessimistic saying but it is a good attitude to take in this case.
Beware of lost and found computer devices like USB sticks
It’s a popular tactic of both hackers and penetration testers to litter cheap computer devices like USB sticks and memory cards, hoping that someone will pick it up thinking they just got a cool device for free. These devices will generally be pre-loaded with malicious scripts that will run on your computer as soon as you plug them in. In general they may enable a tunnel to an outside attacker which will give them access to the rest of the network. If you find one of these, it’s best to either dispose of them or turn them into your company’s IT or Security department if it was found on campus.
Lock up your phone, tablet, and computers
Your computers, laptops, tablets, and cell phones should all have locks and passwords enabled on them and should be locked when you are not presently using them. This helps prevent access to your files and data if the computer or device is stolen or lost. These passwords should follow all of the above password rules that we’ve already talked about above.
Check for HTTPS on Websites
Websites use the HTTP protocol to communicate over the network with servers to function. However, HTTP by itself does not encrypt the data you are sending back and forth from that server to your web browser. That is where HTTPS comes into play. HTTPS is ‘Hypertext Transfer Protocol Secure’ and this is a security layer that is added onto HTTP to encrypt the traffic back and forth. This is necessary anywhere you are inputting or handling any sensitive data, like your username and password, credit card number, or banking information to name a few. You can easily check on your web browser URL bar if the website is HTTPS enabled. Check this article for additional details.
Do not connect to public Wi-Fi signals
When you’re out and about and need an internet connection it may be tempting to look for Wi-Fi signals near you to use. If your device is not capable of connecting to known cellular networks, without a Wi-Fi signal you’re dead in the water (and by dead I mean without the internet, which to me is the same as death). However, Wi-Fi signals can be controlled by anyone including someone with malicious intent. Wi-Fi signals may be put up in crowded areas by hackers and label them to make them look legitimate, luring people into connecting to them to spy on your data.
If you have to connect to a Wi-Fi signal, first check the name of the signal. The signal should be tied to some kind of business or event that you are near or attending. Approach that business or event organizers regarding their Wi-Fi and confirm that that signal is indeed their Wi-Fi. If they can confirm that it is and they can provide you with the password for access, you at least know that the signal is legitimate and not malicious. You should only use Wi-Fi signals that have a password to access it because that password access also guarantees the signal is encrypted. Without encryption, the Wi-Fi signal will be available for anyone to listen to and see your data, like a radio signal.
However, even with all of that confirmed, the signal is still public with multiple strangers on the same network. A user with malicious intent can also access that business’ Wi-Fi legitimately and run tools on their computer to attack other computers on the same Wi-Fi network. The only way to be absolutely sure you’re protected on public Wi-Fi is to us a VPN.
Use a VPN
A VPN is your Swiss army knife of security as it’s one tool you can use to solve a lot of your online security problems. A VPN stands for a ‘Virtual Private Network’ and it secures your internet connection on your computer, solving two issues. One, it wraps an additional layer of security around your internet connection, adding a layer of encryption that no one but you and the VPN server can decrypt. Second, it anonymizes your internet connection to those websites or apps you connect to, making your online activities more difficult to track.
In the above case of using Wi-Fi networks, if you connect to a Wi-Fi signal then turn your VPN on, you have now encapsulated your internet traffic securely from anyone else who may be sharing that Wi-Fi with you (for example everyone at the Starbucks coffee shop). Some recommended VPN services are NordVPN and ExpressVPN. They are paid services that will charge monthly or yearly and offer their VPN software for your computers, tablets, and phones to encrypt your connections with a simple toggle of a switch. This will be money very well spent.
Secure your home network
Your home network has numerous attack surfaces that people local to you may take advantage of. Here is a list of tips to harden your home network:
Create a strong password for your Wi-Fi router that is different from the default one it comes with.
Also create a strong password for the router admin account that is different from the default one. This allows you to login to the router device itself and configure it.
If the router provides it, you can offer a guest Wi-Fi in your home with a different password. That guest network is separated from your home network so your guests do not have access to the rest of your home network.
Change the Wi-Fi network signal name to something more generic. The default format of the Wi-Fi signal name indicates to others around you what type of router you are using.
Ensure you use the strongest Wi-Fi encryption the router offers, namely WPA2-PSK.
Turn off any additional ease-of-use features you don’t need like ‘Plug and Play’ or ‘Remote Management.’ These open additional attack surfaces into your home network.
WPS, or Wi-Fi Protected Setup, is a simple way to add physical devices onto your network, but it should only be used via a physical button on the router. The software version of WPS should be avoided as it is known to be insecure.
Keep your router up-to-date, as the router too will receive patching for issues.
Turn on the router firewall. This will ensure that anonymous connections to the router device will be blocked by default.
These rules are what I would say are the minimum to secure your home network. Do some more research on your own for additional things to secure the home network.
Do research on using IoT devices
IoT, or ‘Internet of Things,’ is a recent initialism that describes non-computer devices and appliances that are now receiving network and internet capabilities, like refrigerators, washing machines, kids toys, security cameras, home automation systems, universal remote controls and more. The security for these are notoriously insecure because the companies making these devices are just now within the last ten years or so getting into this space, so their security maturity is very far behind your usual tech company. There are numerous stories of these devices getting hacked and manipulated to either make them function unexpectedly, not function at all, or people being really creepy and talking remotely into kid’s toys to young children. They are also a privacy nightmare taking advantage of your provided private data without disclosing clearly how they will be using said data.
If you are considering buying a device or appliance that is internet connected, do your research beforehand to ensure these products do not have known security issues. When you do receive these products, set them up in your home securely with all of the same security recommendations listed above.
Use Disk Encryption
Disk encryption is a great feature to use on your computer if you handle sensitive data. Essentially the computer will encrypt all of the data on the hard drive automatically and will decrypt the data when you login with your password. However there are caveats, this does not protect the data when you simply put a computer to sleep, as the data is still available temporarily. Putting the computer into hibernate or switching it off fully protects the data. This is imperative for your laptops that you may travel with; turn disk encryption on and power off the laptop in transit. Mac OSX has this built in with Filevault and on Windows with BitLocker.
Private Domain Registration
While this is not entirely applicable to everyone, if you want to or already own your own domain name you can opt into private domain registration. As the owner of a domain name, your personal information becomes publicly available to anyone on the internet. A simple ‘whois’ command on a computer can pull this information for any domain name. However most, if not all, domain name registrars allow for private domain registration that masks this information from the general public. It costs a little extra money but it is worth it for domain name ownership.
Freeze your credit!
And last but certainly not least, probably the most important thing to protect your identity online is to freeze your credit. This essentially enforces an authorization check whenever you or anyone else may try to receive a loan or credit card in your name. This links back to the ‘Assume that your data is already leaked’ ethos wherein you assume your data is already available on the internet, so what do you do now? Your identity is the biggest factor required to get any kind of line of credit or loan. If your credit is frozen, even if someone tries to open an account in your name they will be forced to authenticate themselves with the credit agency with a secret code you set up for yourself. Freezing your credit does have a cost associated with it but it’s inexpensive and as long as you are not applying for loans yourself you can keep it frozen indefinitely until you need it. It is key that you freeze your credit at all three major credit bureaus. The following links go directly where you need to begin the freezing process for each bureau:
Equifax
TransUnion
Experian
Conclusion
I hope this was helpful for you to better keep yourself safe on the internet. Unfortunately due to old technology and human error the internet is not a great place for privacy, but we still use it as a necessity. Follow this bulleted list for a quick reference you can use for yourself and check them off when they are complete:
Use a password manager for your passwords.
Use a long passphrase for your master password and do not re-use it anywhere.
Use multi-factor authentication for your password manager and any other service or website that offers it.
Be aware of phishing emails or text messages and learn how to spot them.
Do not pick up and plug in found computer drives like USB sticks.
Ensure your phone and other computers are secured with a password or other authentication mechanism and lock them when not in use.
Ensure you only input private data into websites that use HTTPS.
Do not connect to random Wi-Fi signals unless you can confirm who owns it and they provide you with its password.
Get a VPN account to secure your online connections, especially when traveling or need internet access from outside your home.
Take steps to ensure your home network is hardened from outsiders accessing it.
Do your research before purchasing and connecting IoT devices in your home. In general, keep this type of technology away from young children.
Use disk encryption on your computers that contain sensitive data. Keep them powered off when in transit.
If you own domain names, use private domain registration.
And FREEZE YOUR CREDIT!!
About the Author
Aaron is an Application Security Engineer with over 10 years of experience. His unorthodox career path has led to many unique insights in the security industry.