Securing your digital life, part one: The basics
In this first of two parts, we go over some security steps everyone should be taking.
I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them.
Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.
The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there's a good chance they'll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.
In part one of our guide to securing your digital life, we’ll talk briefly about that process and about basic measures anyone can take to reduce risks to their devices. In part two, coming in a few days, we’ll address wider digital identity protection measures, along with some special measures for people who may face elevated risks. But if you’re looking for tips about peanut butter sandwich dead drops to anonymously transfer data cards in exchange for cryptocurrency payments... we can’t help you, sorry.
You are not Batman
A while back, we covered threat modeling—a practice that encompasses some of what is described above. One of the most important aspects of threat modeling is defining your acceptable level of risk.
We make risk-level assessments all the time, perhaps unconsciously—like judging whether it’s safe to cross the street. To totally remove the threat of being hit by a car, you’d either have to build a tunnel under or a bridge over the street, or you could completely ban cars. Such measures are overkill for a single person crossing the street when traffic is light, but they might be an appropriate risk mitigation when lots of people need to cross a street—or if the street is essentially a pedestrian mall.
The same goes for modeling the threats in your digital life. Unless you are Batman—with vast reserves of resources, a secret identity to protect from criminals and all but a select few members of law enforcement, and life-or-death consequences if your information gets exposed—you do not need Batman-esque security measures. (There are certainly times when you need additional security even if you’re not Batman, however; we’ll go into those special circumstances in the second half of this guide.)
For those who want to lock things down without going offline and moving to a bunker in New Zealand, the first step is to assess the following things:
- What in my digital life can give away critical information tied to my finances, privacy, and safety?
- What can I do to minimize those risks?
- How much risk reduction effort is proportional to the risks I face?
- How much effort can I actually afford?
Reducing your personal attack surface
The first question above is all about taking inventory of the bits of your digital life that could be exploited by a criminal (or an unscrupulous company, employer, or the like) for profit at your expense or could put you in a vulnerable position. A sample list might include your phone and other mobile devices, personal computer, home network, social media accounts, online banking and financial accounts, and your physical identification and credit cards. We’re going to cover the first few here; more will be covered in part two.
Each of these items offers an “attack surface”—an opportunity for someone to exploit that component to get to your personal data. Just how much of an attack surface you present depends on many factors, but you can significantly reduce opportunities for malicious exploitation of these things with some basic countermeasures.
Physical mobile threats
Smart phones and tablets carry a significant portion of our digital identities. They also have a habit of falling out of our direct physical control by being lost, stolen, or idly picked up by others while we’re not attending to them.
Defending against casual attempts to get at personal data on a smart phone (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is fairly straightforward.
First, if you're not at home, you should always lock your device before you put it down, no exceptions. Your phone should be locked with the most secure method you're comfortable with—as long as it's not a 4-digit PIN, which isn't exactly useless but is definitely adjacent to uselessness. For better security, use a password or a passcode that's at least six characters long—and preferably longer. If you're using facial recognition or a fingerprint unlock on your phone, this shouldn't be too inconvenient.
Second, set your device to require a password immediately after it’s been locked. Delays mean someone who snatches your phone can get to your data if they bring up the screen in time. Additionally, make sure your device is set to erase its contents after at most 10 bad password attempts. This is especially important if you haven't set a longer passcode.
Also, regularly back up your phone. The safest way to back up data if you’re concerned about privacy is an encrypted backup to your personal computer; however, most iOS device owners can back up their data to iCloud with confidence that it is end-to-end encrypted (as long as they have iOS 13 or later). Your mileage will vary with different Android implementations and backup apps.
Along the same lines, make sure you have installed the most recent version of the phone OS available to prevent someone from taking advantage of known security bypasses. For iOS, this is generally simple—when your device prompts you to upgrade, do it. The upgrade situation on Android is somewhat more complicated, but the same general advice holds true: upgrade ASAP, every time. (There is a school of thought that says you should hold off on the latest upgrades in order for bugs to be worked out, but adhering to that advice will put you in a position where your device might have exploitable vulnerabilities. You can mitigate those vulnerabilities by upgrading.)
Other mobile threats
That covers most of the physical security threats that about 90 percent of mobile-device users will face—but physical security is only one aspect of security. There are other areas to address, including software and network threats. While Apple and Google have done many things to make their mobile devices more secure, there are still plenty of ways for rogue apps and even not-so-rogue apps to do things that they should not.
For instance, apps (and the devices themselves) can be used to track device owners in disconcerting ways, despite their manufacturers’ countermeasures—and those apps can leak information accidentally (or purposefully) over local wireless networks, the cellular network, or Bluetooth.
Side-loaded apps can also lead to security issues. Never side-load an app from an untrusted source or allow an iOS app that requires a “profile” to be installed on your device if the app isn't one you've created or one provided to you by your employer’s mobile device management (MDM) platform. (For privacy purposes, you should avoid MDM altogether on a personal device, unless you’re using it to lock down your kids’ devices.) There are several “fake app” scams that involve tricking people via social engineering into going to websites that resemble app stores, and these schemes almost always end in the loss of thousands of dollars and massive privacy exposure.
To limit what apps can expose, regularly review the permissions that applications request from the device. Some apps want to collect location data even when they’re not in use (hello, Uber!), and not every app developer has a sterling data privacy history. Avoid apps with sketchy permission asks, and deny anything that seems like overreach—like when Facebook Messenger asks to be your SMS client and then logs all your phone calls to your Facebook account so it can find “friends” for you more efficiently. (Also, for the love of God, don't use Facebook Messenger.) And if there are apps that you don't use, delete them. Apple’s iOS does this if it’s so configured, but only if the apps are not running in the background.
Besides issues that arise from questionable app behavior, mobile devices can be vulnerable through normal functions like Wi-Fi or Bluetooth. Consider turning off Wi-Fi when you’re away from home. Your device may otherwise be constantly polling for the network SSIDs in its history to reconnect automatically or to connect to anything that looks like a carrier’s Wi-Fi network. When this happens, your device gives away information about networks you’ve seen and might allow a hostile network access point to connect. Also, your phone's Wi-Fi MAC address could be used to fingerprint your device and track it. (Apple randomizes the MAC address of its iOS devices’ Wi-Fi adapters while scanning for networks—but if your home Wi-Fi network’s name is particularly memorable, that may not matter.) When your phone tells you to turn on Wi-Fi to improve location accuracy, ignore it.
The same goes for Bluetooth. If your device has Bluetooth turned on, it’s broadcasting information that could identify it—and you. (I have demonstrated this to journalism classes by calling out students' names that I picked out from the default names of their iPhones.)
Along those same lines, name your device anything other than [Your Name]’s iPhone. Your phone's network name is broadcast all around you, and it's like holding up a beacon saying "Hello, my name is..."
Personal computers (and web browsers)
I’m writing this just after dealing with Patch Tuesday, which has for much of this year (as it has been for as many years as I can remember) been immediately followed by Exploit Wednesday. While the pandemic has lowered many of our concerns about physical attacks on laptops—I mean, not too many people are traveling on business or hanging out to work at Starbucks right now—it has created an entirely new collection of risks by putting so many people on computers all day long without a whole lot of security preparation.
I have found several common themes when things go wrong; the biggest is that malware protection is frequently not up to date or, worse, is disabled. Even allowing Windows Defender to run in the background provides a significant bump in protection over nothing, and disabling it without a very good reason is a very bad idea. Other common issues include:
- The operating system is not up to date or patched with the latest security releases. I regularly see vulnerabilities patched over five years ago being actively exploited by malware, because victims put off updates for various reasons—like software compatibility. (For years, I had my mother disconnect her iMac from the network because she kept it on an older MacOS version. Why? So she wouldn’t lose the version of Adobe Photoshop she preferred.)
- Usually, malware gets in because it was installed by the computer user, either accidentally or deliberately. I don’t mean that users intentionally install malware but rather that they click on something they think is legitimate and give it whatever permissions it asks for. These cases often happen because of social engineering: the file gets delivered by a website found via evil search engine optimization, or it comes from someone on Zoom or Discord, or an email made them feel compelled to act. (I recently researched a “dropper as a service” operation that delivered malware packaged in installers advertised as “cracked” software downloads.)
- Sometimes the malware is in a malicious web advertisement—either served up by a marginally funded website or something that sneaked into legitimate ad networks. An older or misconfigured web browser is typically involved in these cases.
- A router, server, or other device with an Internet-facing connection is compromised because it has a vulnerability that had not been patched. This allows the attacker to act as part of the local network, explore it for devices, and use other tricks to get remote access to the victims’ computers. A large percentage of targeted ransomware attacks use recently patched infrastructure and server application vulnerabilities to get a foothold.
- A remote access application is poorly secured or has a known bug.
- In very rare cases, someone gets physical access to the PC and is able to install something bad—or steal the machine outright. Theft of notebook PCs is a real risk while you’re traveling, and if your computer is in sleep mode and doesn’t have strong on-wake login protection, your data could easily be exposed to anyone who lifts the lid.
The basic fixes for these threats are straightforward but require some behavior modification. And one of the easiest behaviors to modify is how we browse the web. We need to treat this the same way we would a walk home in the dark—with extra, active attention to our surroundings.
The first and most important way to minimize threats to your PC is to run the most recent, fully updated version of the operating system of your choice. I’m not going to advocate for any particular flavor of operating system here, but if you’re on an older release of any OS and connected to the Internet, you’re increasing your risk of compromise. Turn on automatic updates and leave them on. When an update is pending, stop what you're doing and install it immediately. Yes, this can often be inconvenient. Welcome to the modern world of malware. Suck it up and install your updates or risk compromise. (This applies to your web browser, too—stop putting off that Chrome update prompt and do it right now.)
All modern operating systems have a built-in firewall, and it should be turned on, no exceptions. You can use the firewall's profile settings to relax its strictness when you're at home, but make sure when you're in a public place that your computer's firewall is in public mode.
In the event that your physical device is compromised, you can minimize damage by caring for your actual data. To prevent all types of data loss, back up your data—in encrypted form and offline (either locally or in the cloud) so that ransomware doesn’t get the backups, too. Keep multiple backups just in case, because if your latest backup contains the compromised or encrypted files, it's useless.
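The point about keeping multiple backups is easy to state and easy to get wrong in practice: a rotation scheme that simply keeps the newest N copies will happily rotate the last clean copy out once a ransomware-encrypted snapshot comes in. The following is an added example, not code from the article, that shows one way to do the rotation defensively: each generation gets a SHA-256 manifest, a new snapshot is compared to the previous one, and a snapshot in which most files changed and the changed files now look like ciphertext (byte entropy near 8 bits) is retained but never allowed to prune older generations. The retention depth, the thresholds, the directory layout and the sample "documents" are all constructed assumptions for the demo; a real deployment would write to an encrypted, offline destination rather than a plain directory.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

KEEP_GENERATIONS = 3      # assumption: how many clean generations to retain
CHANGE_RATIO_ALERT = 0.5  # flag a snapshot in which more than half the files changed...
ENTROPY_ALERT = 7.5       # ...and the changed files sit near 8 bits/byte (ciphertext-like)


def sha256_file(path):
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte (0 for a constant run, 8 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def assess_change(previous, current_root):
    """Compare a fresh snapshot with the previous manifest.
    Returns (fraction of files changed, suspicious); suspicious means most files
    changed and most of the changed ones now look like ciphertext."""
    current_root = Path(current_root)
    current = manifest(current_root)
    if not previous:
        return 0.0, False
    changed = [name for name, digest in current.items() if previous.get(name) != digest]
    ratio = len(changed) / len(previous)
    high_entropy = [n for n in changed
                    if shannon_entropy((current_root / n).read_bytes()) > ENTROPY_ALERT]
    suspicious = ratio > CHANGE_RATIO_ALERT and len(high_entropy) > len(changed) / 2
    return ratio, suspicious


class BackupSet:
    """Dated generation directories under one destination (assumption: in real use the
    destination is an encrypted volume or removable drive that is disconnected afterwards)."""

    def __init__(self, dest):
        self.dest = Path(dest)
        self.dest.mkdir(parents=True, exist_ok=True)

    def generations(self):
        return sorted(p for p in self.dest.iterdir() if p.is_dir())

    def snapshot(self, source, label):
        """Copy source into generation `label`, compare it with the newest prior generation,
        and prune old generations only if this one looks clean, so an encrypted snapshot
        can never rotate the last good copy out of existence."""
        gens = self.generations()
        previous = manifest(gens[-1]) if gens else {}
        target = self.dest / label
        shutil.copytree(source, target)
        ratio, suspicious = assess_change(previous, target)
        if not suspicious:
            for old in self.generations()[:-KEEP_GENERATIONS]:
                shutil.rmtree(old)
        return ratio, suspicious


def demo():
    """Constructed scenario: clean snapshot, a small edit, then every file replaced by
    random bytes (what a ransomware run leaves behind), then a restored source."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        src.mkdir()
        for i in range(4):
            (src / f"report{i}.txt").write_text(f"Quarterly figures, draft {i}\n" * 20)
        backups = BackupSet(Path(tmp) / "backups")
        first = backups.snapshot(src, "2021-01-01")
        (src / "report0.txt").write_text("Quarterly figures, final\n" * 20)
        edit = backups.snapshot(src, "2021-01-02")
        for p in src.glob("*.txt"):
            p.write_bytes(os.urandom(4096))  # constructed stand-in for ciphertext
        encrypted = backups.snapshot(src, "2021-01-03")
        kept_after_attack = [g.name for g in backups.generations()]
        for i, p in enumerate(sorted(src.glob("*.txt"))):
            p.write_text(f"Restored report {i}\n" * 20)
        restored = backups.snapshot(src, "2021-01-04")
        return {"first": first, "edit": edit, "encrypted": encrypted, "restored": restored,
                "kept_after_attack": kept_after_attack,
                "kept_after_restore": [g.name for g in backups.generations()]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The entropy test is a heuristic, not proof: compressed archives and media files are also high-entropy, so on a real data set the check should be scoped to file types that are normally plain (documents, source, spreadsheets) or be combined with a look for changed extensions. What matters is the rotation rule: a snapshot that trips the alarm is kept for inspection, and pruning of the older, clean generations waits until a snapshot that looks normal arrives.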
And don't just back up your data: use full-disk encryption, too. Period. It's a one-time setting to activate, and there are no excuses for not using it. Full-disk encryption transparently encrypts your hard drive so data can’t be read off of it without your credentials. This is accomplished with BitLocker on Windows and FileVault on macOS.
As noted above, make sure your antivirus protection (whether it’s Windows Defender or something else) is up to date and enabled. This is especially important on Windows, which is the operating system targeted by the majority of threats.
Just as a strong unlock password on a phone prevents data theft, so does enabling password or PIN protection for sleep mode on your notebook computer. When traveling in high-risk areas like airports, power down your computer when it’s not in use so that the risk of someone playing “Evil Maid” or surreptitiously gaining access in some other physical way is reduced.
Another helpful trick for keeping laptops safe is using a privacy browser plugin such as the EFF’s Privacy Badger and being very selective about which sites are allowed to use tracking cookies. This will reduce the threat of malicious ads. Using endpoint protection software that blocks known malicious websites, especially if you share the computer with other family members who might visit high-risk websites, is also highly recommended. (You could also pay for access to the sites you like and run an ad blocker.)
Wi-Fi access points and routers that support firmware or software updates add another layer to the security of your devices while web browsing. If you have an older Wi-Fi access point that you can’t update, toss it. Consider using access points that have built-in threat detection and tracker blocking.
And, finally, use a password manager. An easy-to-guess password renders all other security efforts moot. Whether it’s a password built into your web browser of choice or a standalone program, use one. Chrome, Firefox, and Safari all have reasonably secure password managers, and you can replicate passwords for web accounts across devices. If you don't like the idea of a password manager because you're one of those folks who just uses "letmein123!" as your password everywhere, you need to decide if the convenience is worth the price you'll eventually pay when you're compromised. (Spoiler alert: it's not.)
Stay tuned
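Why a password like "letmein123!" is so much weaker than its mix of letters, digits and a symbol suggests is worth seeing in numbers. The following is an added example, not code from the article: it contrasts the "naive" guess space that a complexity policy implicitly assumes (character pool to the power of length) with what a dictionary attacker actually faces (a common word, then a short digit and symbol suffix), and shows how a password manager sidesteps the whole problem by generating a uniformly random string per site. The seven-entry word list, the leet-speak reversal table, the thresholds and the generation alphabet are all constructed assumptions; a real checker would load a list of millions of leaked passwords.

```python
import math
import re
import secrets
import string

# Constructed, deliberately tiny stand-in for a cracking wordlist (assumption:
# a real checker loads a list of millions of leaked passwords instead).
COMMON_WORDS = {"letmein", "password", "welcome", "qwerty", "iloveyou", "monkey", "dragon"}

# Reverse the substitutions crackers try first, so "l3tm3in" is still "letmein".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Alphabet for generated passwords (assumption: a site that rejects some of these
# symbols would need its own alphabet).
SYMBOLS = "!@#$%^&*-_=+"
GEN_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 12
MIN_BITS = 60


def split_word_suffix(pw):
    """Split 'letmein123!' into ('letmein', '123', '!'): word, digit suffix, symbol suffix."""
    m = re.fullmatch(r"(.*?)(\d*)([^\w\s]*)", pw)
    return m.group(1), m.group(2), m.group(3)


def charset_size(pw):
    """Size of the smallest standard character pool containing every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 32
    return size


def naive_bits(pw):
    """What a 'must contain a digit and a symbol' policy implicitly assumes: pool ** length."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def realistic_bits(pw):
    """Guess space a dictionary attacker actually faces: pick the word from the list,
    then try digit and symbol suffixes. Falls back to the naive estimate otherwise."""
    word, digits, symbols = split_word_suffix(pw)
    if word.lower().translate(LEET) in COMMON_WORDS:
        return (math.log2(len(COMMON_WORDS))
                + len(digits) * math.log2(10)
                + len(symbols) * math.log2(32))
    return naive_bits(pw)


def weak_password_reasons(pw):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word, digits, symbols = split_word_suffix(pw)
    if word.lower().translate(LEET) in COMMON_WORDS:
        reasons.append(f"common word {word!r} with predictable suffix {digits + symbols!r}")
    if realistic_bits(pw) < MIN_BITS:
        reasons.append(f"about {realistic_bits(pw):.0f} bits against a dictionary attack, "
                       f"need {MIN_BITS}")
    return reasons


def generate_password(length=20):
    """A per-site password the way a manager makes one: CSPRNG output with no structure."""
    return "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))


def generated_bits(length=20):
    """Entropy of generate_password output: every position is uniform over the alphabet."""
    return length * math.log2(len(GEN_ALPHABET))


if __name__ == "__main__":
    for candidate in ("letmein123!", "P@ssw0rd1!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: naive {naive_bits(candidate):.0f} bits, "
              f"realistic {realistic_bits(candidate):.0f} bits, "
              f"problems: {weak_password_reasons(candidate)}")
    print("generated:", generate_password(), f"({generated_bits():.0f} bits)")
```

Against the naive model "letmein123!" scores roughly 67 bits; against the dictionary model it scores under 20, because the attacker only has to pick one of a handful of words and append a three-digit, one-symbol suffix. A 20-character string drawn uniformly from the generation alphabet is above 120 bits either way, which is the real argument for letting a manager choose the password and never reusing it.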
That’s it, as far as “normal” device protection goes. You don’t need a burner phone, a secret boot USB, or anything else to reduce your threat profile on your devices by 90 percent. Just using up-to-date devices with up-to-date security protection set at a reasonable level will protect you from the majority of nastiness out there that targets your devices.