
The Need To Protect Your Accounts – More Than Seatbelts On The Web

Written by Julian Morris
Published 12 August 2016

The expansion of the internet and its evolution has been so meteoric that few people have kept up with safeguarding their digital life and digital identity. While employing an anti-virus and creating a backup are nowadays commonplace, they are the minimum that individuals should be doing to safeguard their information. For companies or businesses, the demands are even greater.

In this, the first of a series of three articles, we will look at some of the risks of poor internet security. The second article will look at password management, and the third at Two-Factor Authentication and using a VPN (Virtual Private Network) service to encrypt network traffic.

Not using some form of safeguard is similar to getting into a car and driving as fast as you can, ignoring all road signs, speed limits and traffic lights – it relies more on luck than any kind of forward thinking or “good practice” to avert disaster. Most people’s reaction to treating a car in that way is, “that’ll end badly”. (Not counting those select individuals who thought, “that sounds like fun!”) Relying solely on an anti-virus for protection is basically doing the same thing, but with a seat belt on and now being convinced that you’re safe.

Ok, Now Take A Deep Breath

Although it is a scary topic, this article isn’t intended to be totally alarmist. Rather, it aims to shed some light on some of the more common threats that exist and what can (reasonably) be done to minimize them.

Let’s start with one fact, however: complete digital security, just like personal security, is a myth. An individual with enough time and dedication will be able to penetrate any defense. We’re not talking about these talented individuals who choose to misuse their skills in an effort to harm you personally. Nor are we talking about supervillains. We’re dealing rather with the more mundane, everyday transgressors, where opportunity is considerably more important than advanced planning.

Imagine leaving your car in a parking lot: locking your doors, tucking valuables away out of sight, and having an alarm are not going to guarantee the safety of whatever is inside, but they will deter most would-be criminals. A car without an alarm, or a mobile phone or wallet left on the seat, poses a more attractive prospect to a would-be thief (and an easier opportunity) than something hidden out of sight. A car with its doors unlocked is easier to rifle through than a locked one.

In much the same way, “bad practices” (using weak passwords; the same password across multiple accounts; surfing unsecured networks; or not enabling Two-Factor authentication) will leave you more vulnerable to attack than using “good practices”. Luckily these are things that can be learned and applied with a little application and discipline.

But I Don’t Know Where To Start

The different areas of internet security need to be addressed in different ways. Most everyday users can bolster their digital security massively in four major ways:

  • Using strong, unique passwords for each account accessed
  • Using a password management tool to create, store and access passwords
  • Enabling Two-Factor Authentication (2FA) where available
  • Using a VPN (Virtual Private Network) to encrypt internet traffic when on public hotspots (where it is most vulnerable to people monitoring traffic and recording/stealing log-in or password information)

You’re Mentioning Passwords A Lot

Passwords are a great place to start. While using strong passwords does not guarantee your security, using weak passwords means that you are relying more on luck than on any good practice to keep your data secure. Think again of the example above of driving irresponsibly with a seatbelt on, thinking it will protect you. The outcome is based on luck, not appropriate behavior.

Recent celebrity scandals where private pictures and information have been released publicly were not a failing of the security systems themselves, but were rather the result of weak passwords being compromised. Passwords will always be the point of greatest weakness in a system because they rely on humans to create and maintain them, and humans are, unfortunately, reliably predictable and lazy.

There are a number of common techniques that can be used to create strong and memorable passwords. We even published one here (in French), or you can find a guide in English here. A password manager can also be used to store and create passwords, a topic we will treat further next week.

So Strong Passwords Are The Most Important Thing?

Not quite. As stated, they’re a great place to start, but they really only make it more complicated for someone to “guess” your password using common sense or a brute force attack (where special software is used to rapidly make guesses at a password in an attempt to access the account). And the software is rapid: modern computers can work at up to 10 million guesses per second. Larger computers or networks are even faster.
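To make the 10 million guesses per second figure concrete, here is a small calculator (added here as an illustration; it is not code from the original article) that works out how many candidates an exhaustive search must cover for a given password length and character set, and how long that takes at the article's guess rate. The character-set sizes and the rate constant are assumptions taken from common practice and from the text; the table shows why length matters more than sprinkling in symbols.

```python
import math

# The article's figure: a modern computer can try about 10 million guesses per second.
GUESSES_PER_SECOND = 10_000_000

# Sizes of the character sets an attacker has to cover (assumed values;
# 95 is the number of printable ASCII characters).
ALPHABETS = {
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second.

    On average the attacker succeeds after about half this time.
    """
    return keyspace(length, alphabet_size) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years use 365 days)."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths=(6, 8, 10, 12), rate: int = GUESSES_PER_SECOND):
    """Rows of (character set, length, entropy bits, worst-case search time)."""
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(n, size), 1),
                         humanize(seconds_to_exhaust(n, size, rate))))
    return rows


if __name__ == "__main__":
    for name, n, bits, duration in crack_table():
        print(f"{name:30} len={n:2}  {bits:5.1f} bits  exhaustive search: {duration}")
```

Eight lowercase letters fall in under six hours at this rate, while twelve characters drawn from the full printable set take longer than the age of the universe; the rate only shifts these numbers by a constant factor, so the exponent (password length) is what the defender controls.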

Still, a sufficiently complex password can prove difficult for such machines to crack. But what happens if an attacker already knows your password? This can be accomplished by network “sniffers” or keystroke loggers, which monitor the information passed over a network or typed on a keyboard. The captured data is collected by an individual, who can then search through it and literally pick out your username and password.

There are two possible solutions to this: either to require a second level of verification (Two-Factor Authentication); or to encrypt the data leaving your device using a security service such as a VPN.

Two-Factor Authentication can take several forms, but the most basic is to associate a phone number with your account (Twitter does this). Whenever you log in, a text message is sent to your phone in order to verify that it’s actually you who is trying to access the account. Without your phone, an attacker cannot access your account. Another version of it is to download an application such as Google Authenticator, which makes you scan a QR code with your phone and will then create a security code which expires every ninety seconds. The advantage of this method is that one does not require network access for it to work.

A VPN, or Virtual Private Network, works by encrypting any information leaving your device. This means that even if someone logs your keystrokes, they will be converted to meaningless gibberish before they can be recorded. The resulting gibberish is unreadable and your information therefore remains secure.

I’m Not A Celebrity, So Why Would I Be A Target?

The past few years have seen a growth in “ransomware”. Typically, this is where a virus or Trojan infects a computer or system and blocks the user’s access, demanding a payment in exchange for freeing the information. It is equally applicable if an attacker penetrates an individual’s or business’s account personally though, usually by modifying the password (or required access privileges) and demanding a payment in return. For individuals, this may be small amounts of less than a hundred to several hundred dollars, but for businesses ransoms may run into the tens of thousands. Most people will pay this quickly as it is generally a small price to regain one’s digital life, but it is certainly an unnerving experience.

What makes this worrisome though, is unlike public figures who are obvious targets, ransomware is a crime of opportunity. An individual with malicious intent who stakes out traffic on a public Wi-Fi network (internet cafes, airports, etc.) looking to copy login information with the intention of ransoming it is not targeting YOU personally. They are looking to exploit the weakest security possible. This means that the cost-benefit of trying to break into an individual’s account with elevated security is effectively zero. It is simply easier to attack a more vulnerable target.

It is relatively easy to move into the “one percent” of individuals whose accounts are so secure that it is not worth an attacker’s time to try and penetrate. However, it is also easy not to be part of it. As with most things, the first step is knowing the problem and being informed on how to deal with it, which is what this article (and its follow-ups) aim to do. After that, it’s up to each of us to take charge of our security.

Photo credits: D3Damon

Sources:

http://blogs.wsj.com/digits/2014/07/15/commentary-what-i-learned-and-what-you-should-know-after-i-published-my-twitter-password/

http://www.techrepublic.com/blog/google-in-the-enterprise/use-google-authenticator-to-securely-login-to-non-google-sites/

https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.bze2t63zg

https://www.wired.com/2012/11/ff-mat-honan-password-hacker/

https://en.wikipedia.org/wiki/Ransomware
