Ah, the world of digital security. Computer security is a gaping pink elephant in the room. The digital world has allowed for so many wonderful things, but us humans, we have an ugly side. Petty thievery, scamary, are ubiquitous on the web. There’s some basic things you can do to do to help yourself. This is one of the most frugal things you can do, an ounce of prevention is worth a pound of cure, this is double true in the realm of computer security. We lock our doors, we lock our cars. We do all sorts of things to help secure our physical property. This is pretty intuitive, my Grandma played the world of physical security pretty well. But the digital world, while we negotiate the nuances of shares, likes, and buying things, there is a lot that happens behind closed doors that we don’t understand. When it goes wrong, we stand to lose money, time and patience. The best played hand is to be smart and secure yourself in times of peace, before shit goes sideways. Best of all, everything you that is covered here, you can do right now and you can do it for the great price of:$0.
Everyone knows Hackers wear all black and wear full face masks while they steal your information[/caption] Your passwords probably suck. If you answer yes to any of the following you are at risk of being comprised
- Password is something easily guessed, “Password1”, “IloveJusticBieber” or “P@$$W0RD”. Advisories know you substituting letters for other characters like A=@.
- You use the same password across multiple platforms.
- Recycle old password
- Use dictionary words
- Your dog’s name (oh lil’ Rover).
Chances are you have numerous accounts, you probably have some social media accounts, banking accounts, emails, YouTube, etc, the more accounts you have, and if you’re using the same password across them the more vulnerable you are. It only takes one site being compromised now hackers have a password to all your accounts.
There is a great resource you can use to see if your email or user names have been compromised; it’s called “Have I been Pwned“. If the answer is yes, you should really invest the time to diversify your password. Otherwise you are at big risk. Just ask yourself, do you have an online bank access? Well that’s vulnerable, your cash, credit, investments, everything is at risk. Do you have an account on a website with your financial information stored on? Like Amazon? Do you have an account with valuables on it (e.g., Steam?), do you have accounts that use professionally, or invest time in? For instance, perhaps a photographer on Flickr. If you lost your email, would you lose access to other accounts? It’s a big web, and it’s likely to happen.
Have I been Pwned, reports over 3 billion accounts (yes that’s billion with a B, boys). And that’s probably just a tip of the iceberg kind of thing. Just remember, sites like Ashley Madison, LinkedIn, Myspace, Adobe, Dropbox all have been hacked, and it’s naive to think these are freak occurrences. It’s going to keep happening and if you don’t do anything you’ll spend time and money trying to unfuck yourself. Solutions?
Your best case is to use a Password manager. I can’t recommend Keepass enough. It’s Open Source, so the bones of the system can be audited. It’s a local file, so you know your password safe isn’t sitting on some server in China. It works as a good account registry too. How to use it? You download it first, then you open it up and start a new database. You will be responsible for knowing one password. Make it a good one, and remember it well. This password is used to encrypt your password database. Once the database is made you make new entries. There is a built-in password generator and you can choose all sorts of variables to match that of the web service. Some websites have stupid rules about password (e.g., 4-8 letters, numbers, no special characters, etc). So, you can match your password generator to the limitations of the web service. I typically go full open, numbers, characters, letters, underscores, and make it 60+ characters plus, when there are no limitations. You’re not remembering these passwords, so it might as well be super long. Then you save it on your computer and use it when you need it. For redundancy, I have my safe on Drop Box so if my computer passes away, I still have all my passwords. I may have it backed up in other places too. There are other services like LastPass, and 1Password. They are web based and work using an extension. They make it more convenient, by allowing these services to auto-fill forms, and auto log you in when you land on a web page. Keepass has a Firefox and Chrome extension that does the same thing and you have the benefit of knowing that your files on your local computer and not in some web serve in the Soviet Union.
Sites like LastPass and 1Password have of have paid models subscriptions too, which allow additional services, like syncing password to your phone. In my opinion, not worth it, so if you want to keep it frugal I’d recommend Keepass. You can get Keepass on your phone as well and use Dropbox to sync your master file from desktop to your phone, that way you always have the most recent copy. It’s not as sleek, but it’s free. Some users feel LastPass and 1Password are more “feature rich” and more “convenient”, hey, if that is what you feel works best for you, then I say good for you. Better to use random passwords than the same password you’ve been using since high school. EFF has a good guide on getting Keepass set up.
I know the “ethical” battle about ad blockers is raging in the valleys of the internet. But forget it, ads are a known attack vector for malware and they are annoying. A U.S Senate report says that in 2013, malvertising has increased 200 percent to over 209,000 incidents. It goes on to quote a finding from a Symantec study that more than half of internet website publishers have suffered an attack through advertisement. A high profile includes the time Forbes asked its visitors to disable their ad blockers then served them malicious ads. This is because there is a fundamental flaw in how ads are done on the internet, many websites just trust the ad partner network to serve safe ads. Forget it, there isn’t many people you can trust on the internet. Don’t even trust me, do your own research if you are skeptical. Arguably the best ad blocker is Ublock. It works in Firefox and Chrome. It is a steadfast sentinel and watches your back as it blocks ads for you. It helps keep you safe and keeps you from being annoyed. Adblock Plus had been the hegemonic ad block player, but they are in the epoch of development where they are starting to do questionable things. So, I’m sure AdBlock Plus does the job for you, but there are extensions like Ublock Origin that are simpler, lighter, and do they job more effectively. And if you are so concerned about people making money off you viewing ads, you can always white-list the sites you want to support. There is no reason you have to automatically serve your eyes to every ad on every site. Especially when there is a chance they are malware.
Second Factor Authentication
Ever wonder why your bank account is only protected by a four-digit code? But your online accounts need sophisticated passwords? It’s because using your bank card is a second factor authentication system, not only do you need your bank card but you need the pin too. Location plays a role in this as well, if your card is used in Uzbekistan, your bank knows you make most of your purchases in Niceville Florida, a half decent bank will flag that as an of fraud (in this case third factor authentication). Web accounts are vulnerable because there is only one factor authentication (i.e., just your password). More and more services are introducing second factor authentication (2FA). You should enable it. If a service has it, enable it. Do it now. It typically works in a couple ways. One way is, every time you attempt to log in it sends you a code to your phone via SMS. You will have to input this code as well as your password. This ensures that the user A) knows the password and B) has your phone to receive a code. So, it’s unlikely that a hacker in Nigeria will have your phone and your password. But in my case, I have an authentication app on my phone. You have to pair your app to the service (usually by scanning a bar code), you input a code from the phone and it’s paired. From here on out when you log in you have to use your authentication app. This website lists all the websites that support 2FA so far. In a recent Sam Harris podcast (Waking up with Sam Harris), he was chatting with self-styled techno-sociologist Zeynep Tufekci about a myriad of things, but near the end of the podcast Harris asked her about things you can do to help secure yourself (in the context of surveillance and cyber security). Tufecki recommended listeners go out and buy a hardware dongle for 2FA. This isn’t a bad idea for security, but it’s easier to do the software approach, and I’m puzzled to why she did not recommend the easier software approach. But if you want even more security, go out and buy a hardware token.
I think privacy and security go hand and hand. There are a few browser add-ons that you can utilize to secure your computer.
Privacy Badger: Privacy Badger was created by the EFF. It’s a great add-on that helps block ads and tracking. It’s largely unobtrusive, but can break social media sites (fine with me). It has settings, so you can allow certain elements to work to keep the stuff you want working, working.
HTTPS Everywhere: HTTPS, the focus is on the S at the end, think of S as ‘secure’, it’s ‘secure’ by encrypting your web traffic between your browser and the web server. Realistically most sites should have this, HTTPS Everywhere forces sites that have HTTPS enabled, to use it. Some sites have a non-HTTPS (i.e., just HTTP) that sometimes is the default when you visit the site. Facebook was a prime example of this. It’s at this point I want to share an anecdote about HTTPS.
As I mentioned Facebook did not used to enforce HTTPS, you had to enable it yourself in the settings. I heard about Firesheep, an app that lets users “packet sniff” to hijack unencrypted session cookies on Wi-Fi. I had it downloaded it, and I went to work hijacking my cousin’s Facebook session. I went on to post a lame status update. She blamed my other cousin, and naturally he had no idea what she was talking about. Then we all opened another beer and had a great time (or so I think).
Web of Trust: I’m reluctant to mention it, because it was caught up in a scandal of it’s own (i.e. Selling user’s data). But before that was in the open, it provided a means for users to crowd source security reviews of sites. It would display a green circle next a web link if it was deemed safe by the collective, or red if it was found to be unsafe by the collective. There were some flaws with this approach, some sites that were fine from a cyber security point of view were rated bad because they had deplorable content (e.g., Storm Front, Conservepedia, etc). Read about it, and make up your own mind if you think it’s worth checking out.
The Electronic Frontier Foundation also provides a good overview for those who want to be more private on the web. I would highly recommend it.
For the over achievers: Noscript
I use this. It’s great, it’s the hardest to get used to. Noscript is an extension in Firefox and it works by disabling all scripts by default. Now the internet has moved past the simple HTML and CSS days, basically every site has a long list of scripts that are used to make sites work. Hell, my website has five such scripts, just to get the basics of the site running. But as these scripts deliver rich content, they also can deliver very malicious content. When you are cruising the uncharted web in your vessel of a browser, I prefer to have that extra layer of security. It’s one of the greatest security enhancements you can have. But it can be frustrating. I’ve come across sites, and there is usually a bunch of scripts that you need to enable to get the site to work. And when you’re allowing scripts to work at random, you’re not really sure if they are good or not. But at the least, if I land on a sketchy page, instead of getting a blast of malware, I can exit without much issue. Anyways, I’ll cut it short on Noscript. I strongly recommend it. If you want to read more about it: here is the Wikipedia entry. I’ve been reading that the author has been kind of a dick, and his website sort of seems like a site you’d want to block in Noscript, but over all I think the extension is great.
As way of conclusion: web security takes a little bit of work, but goes a long way of protecting you on the wild west of the web. Everything I recommended here is free and to download extensions, set up a password manager, will take under half an hour. Perhaps a little longer to get used of it. But more protection is better.
How to Protect Yourself Online with Former Black Hat hacker Hector Monsegur Life Hacker The Upgrade (podcast) Very interesting podcast, with a hacker formerly known as Sabu of LulzSec. Electronic Frontier Foundation – great organization that helps advance internet freedom and has done great good for the world in terms of internet privacy (and by extension security).
Credits: Photo credit: cafecredit via Visualhunt / CC BY