The internet is unlike anything we as a species have ever encountered before. It appeared out of the blue, made the world as small as a pack of cards and gave everyone access to all the combined knowledge of humans. Computers in the form we know them today were introduced in the early 80's, and became commonplace in the average home in the 90's. By the mid 90's many home computers were connected to the internet via dial-up modems, but this was mostly on-demand access. Only 15 years ago did always-on broadband connections to the internet become commonplace. I can think of no other system that has appeared so recently yet influenced our lives so much.
Due to this timeline, we have a population of mostly technologically inexperienced people. That is understandable - most people aged 40 and over would not have grown up with computers, and many between the ages of 30 and 40 may not have had access to computers either. Therefore it would be something they had to learn how to use on their own time - not as part of a school curriculum. This causes a critical concern because whether we like it or not, most of us have access to a computer (be it a PC, Mac, tablet or smartphone) and use it to manage sensitive aspects of our lives, such as banking, business, personal communications etc.
Regardless of age, most people use the internet like we use appliances, or our cars. We use them to provide a service to us, and don't care about their inner workings. Why would you want to understand the Otto cycle in your car? Or how the magnetron works in your microwave oven? Or how the escapement mechanism keeps your mechanical watch ticking? As long as it performs its function, we just don't care. Nor should we. You do not need to understand these things to drive your car or heat a cup of tea. If it breaks, you send it in to be repaired or you replace it. Not understanding the inner workings does not affect us negatively.
With computer technology things are very different. Sure, you still do not need to know how a computer works to use it. You do not need to understand nomenclature such as CPU, RAM, SSD, PCI, SCP or WQXGA to be able to send a tweet or post a Facebook update or call a friend over your internet phone. But this is where the analogy stops. The car will not steal your bank account information. The microwave oven will not enable the video camera built in to your monitor and publish compromising photos of you undressing while getting ready for bed. The watch will not steal your password from your Ashley Madison account and then blackmail you to pay up or else your participation in the site would be made public, disgracing you in front of your friends and family, causing you to commit suicide. However, by using computer technology always connected to the internet, you will be put right smack in the middle of this never ending war between the good guys and the bad guys.
The difference between your home security and the security of your computer or phone is that for someone to break in to your home, they have to be standing in front of your house. There are only a limited number of people geographically close to you, severely limiting the percentage of bad guys that will indeed attempt to break in. With your internet connected computer, you suddenly have more than a billion people that can attack you. At the same time. And that number can quickly go up to 7.1 billion. You are exposed to a much bigger population of bad guys, greatly increasing your risk profile. Couple that with the fact that it is almost impossible for most people to know their devices have been compromised until it is too late, and you have the perfect storm. Everyone understands how a burglar breaks in to your house. He can come in through the window, pick your lock, use the roof etc. Everyone knows how to protect themselves from a lion chasing after them - you run away as fast as you can and hide in a tree or somewhere it cannot get to you. But almost nobody (statistically speaking) knows how bad guys get in to your computer. It is black magic, mysterious and spooky. You cannot use your normal senses to see the threat coming and you cannot use them to detect the breach and respond properly. Before the always-on internet, we could SEE (most of) our threats. Now we can't.
If you do not understand something that is a potential threat to you, you are putting yourself at great risk. Imagine a car speeding towards you while you are crossing the road. Without understanding that a car driving towards you with you in its way (the threat) will cause you great harm (the attack), you will not get out of the way (the response) and will suffer the consequences (the fallout).
I am belabouring this point because I believe the core problem with our current standing with the internet is our ignorance in recognizing this new threat. We have a social responsibility towards ourselves and others to adapt by becoming well versed in those aspects that will improve our recognition of the technological threats and attacks we are exposed to daily, how to prevent these attacks from succeeding and how to respond and deal with the fallout in case an attack bypasses our defenses. It is no different from how we lived our lives before technology, however we need new tools in our arsenal to be able to deal with this new invisible invention. We cannot rely on our senses alone like we did for millions of years, we need a new sixth sense.
This does not mean everyone should be signing up for computer courses. Or that you even need to know what the acronyms I mentioned earlier stand for. Just like you do not need to know what the Otto cycle is to be able to recognize the danger in crossing a road with cars driving on it and subsequently crossing it safely, I will be teaching you how to better prepare yourself for this new era of being interconnected to each other. Naturally I cannot possibly cover all aspects as this is indeed a very complex landscape. I will merely be applying the Pareto principle in trying to teach you 20% of what you need to know to make you 80% safer.
First thing to understand is that I am always talking in the generalized sense unless explicitly mentioned otherwise. Secondly, this article is aimed at individuals - not corporations. Third thing to know is that the threat is not a computer or a smartphone or an iPad or even the internet. It is our always on connections to this internet that raised our risk profiles so dramatically. With dialup in the 80's and 90's, the time you spent online was very little. For someone to attack you, they only had mere minutes or hours. This significantly reduced the chances of being attacked online. It does not mean there were no attacks, just that they were of much lower frequency. In the early 2000's DSL, Cable and 3G changed all that. Suddenly we paid a fixed monthly fee for the ability to be connected to the internet 24/7. Our phones were no longer phones, they became internet connected communication devices. And it is with this change that our risk profiles suddenly shot through the roof. Now an attacker can spend days trying to break in to your system. And there are now millions of systems online, a fertile playground for nefarious individuals to hone their skills and tools (and to share their tools with other less skilled minions).
As mentioned before, there are five major aspects to internet security:
I will discuss each aspect individually. Keep in mind that you only have control over defense and response. The rest are not under your control, though you should still understand them.
Threats from the internet come in many shapes and sizes. Depending on your presence on the internet, your threat profile can look very different to someone with a different presence. The kind of services you subscribe to and the kind of information you share determines your online presence. This in turn opens you up to certain kinds of threats. For instance, if you use online banking, then a corresponding threat might be that an attacker can steal your account login information and transfer money from your account to theirs.
If you have a Facebook profile and post a drunk photo of yourself at the last party you went to, your employer might be made aware of this and fire you.
Below, in no particular order, are some common online threats you should be aware of - all of them have been executed successfully in the past:
- Stealing of sensitive information such as credit card, banking accounts, login details, photos, documents etc.
- Identity theft
- Stealing money from your online banking accounts
- Blackmailing you after acquiring compromising or sensitive information from you
- Taking control over your car's electronics potentially with lethal consequences (assuming an internet connected car - becoming more and more common each day)
- Wreaking havoc with your IoT (Internet of Things) internet connected home appliances, unlocking your electronic door etc.
- Compromising your computer to be used in distributed attacks against other organizations
Threats do not stand in isolation. A threat is a risk - something that can be done to you to cause you harm. A threat cannot be defended or prevented - it exists due to the existence of the internet.
A threat becomes an attack once a method of execution has been selected by an attacker. An attack can be defended against, as it is a physical realization of a threat. Since each threat can be realized in an almost infinite number of attacks, only the most common ones will be discussed below.
- Hacking in to a site you have a profile with using weaknesses in applications, cracking your password and using it to log in to other sites where you use this same password - doing anything from sending tweets as you, posting Facebook entries under your account, taking over your web site, sending emails as you or anything else you can do with your online accounts.
- Hacking in to your computer via email attachments, malicious web sites or poorly configured networking and planting keyloggers or malware that steal your documents and passwords, enable your video camera and take videos / pictures of you or join your computer to a botnet (a huge group of compromised computers that can be remotely controlled and tasked with activities such as taking down a major web site or infecting other computers).
- Take over your new car's electronics by exploiting manufacturing weaknesses in programming and cause it to accelerate, brake or cut off its fuel supply causing a crash.
- Remotely disable your internet connected burglar alarm by guessing your default password of 0000, allowing someone to break in to your house
- Remotely turning off your internet connected refrigerator and causing all your food to spoil
- Stealing your identity by combining everything you published about yourself online, compromising your accounts and posing as you, making it very hard for you to claim it back
- Compromising your sensitive online accounts such as dating site Ashley Madison or a pornography site, and then blackmailing you to expose this information if you do not pay up.
- Driving past your house and logging on to your unsecured / weakly secured WiFi network and stealing sensitive information from your computers such as documents, photos, passwords and credit card information.
- Creating a fake WiFi hotspot at an airport and intercepting your passwords and other sensitive information while you think you are connected to a secure WiFi network
- Change the DNS system so that you think you are connected to your banking site but in fact you are connected to a lookalike site that allows the attacker to steal your account information
- Steal your login information as you log in to a site you use that does not support secure HTTPS
- Steal your computer and take out the hard drive, plug it in to another computer and thus bypass your passwords completely - having full access to all your data
- Calling you and claiming to be a Microsoft Support engineer or some other support person who needs to fix problems on your computer, in the meantime breaking it so that you have to pay them money to get it working again. An alternative version of this threat is a web site you visit showing a popup that your computer is infected and you need to call some number to get it fixed. This is used by scammers to compromise your computer without you knowing, then offering to fix it if you pay them.
- Logging in as you to any of your services by guessing your password as password or 123456 or qwerty or john1978, or logging in to your phone by guessing 0000 or 1111 or 1234 as your PIN, instantly gaining full access to all your services.
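Seen from the defender's side, the guessable values in the last item share a few patterns that can be checked for before a password or PIN is chosen. The following is an added example, not part of the original article; the word list, name list and function names are constructed for illustration.

```python
import re

# Constructed sample lists; a real check would use a far larger list of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "111111"}
COMMON_NAMES = {"john", "mary", "anna", "rex"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_keyboard_run(text, run=4):
    """True if text contains `run` adjacent keys of one row, in either direction."""
    lowered = text.lower()
    for row in KEYBOARD_ROWS:
        for line in (row, row[::-1]):
            for i in range(len(line) - run + 1):
                if line[i:i + run] in lowered:
                    return True
    return False


def is_repeated_unit(text):
    """True for values built by repeating a shorter block: 0000, 1111, 1212."""
    n = len(text)
    return any(n % k == 0 and text == text[:k] * (n // k)
               for k in range(1, n // 2 + 1))


def is_digit_sequence(text):
    """True for ascending or descending digit runs such as 1234 or 4321."""
    if len(text) < 3 or not text.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(text, text[1:])}
    return steps in ({1}, {-1})


def weak_pin_reasons(pin):
    """Return the reasons a PIN is among the first values anyone would try."""
    reasons = []
    if is_repeated_unit(pin):
        reasons.append("repeated digits or block")
    if is_digit_sequence(pin):
        reasons.append("sequential digits")
    return reasons


def weak_password_reasons(password):
    """Return the reasons a password falls to simple guessing (empty list if none)."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if has_keyboard_run(password):
        reasons.append("keyboard sequence")
    # A first name followed by a 2- or 4-digit year, e.g. john1978.
    match = re.fullmatch(r"([a-z]+)(\d{2}|\d{4})", lowered)
    if match and match.group(1) in COMMON_NAMES:
        reasons.append("name plus year")
    return reasons
```

An empty list only means none of these patterns matched; it does not measure overall strength.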
Even though the number of attacks is overwhelming, there are several things you can do to mitigate these risks. It is important to note that a determined attacker can and will break in to any of your services / systems; this is just about making it hard enough for them to look elsewhere for easier targets. Remember the locked car next to the one with rolled down windows? Guess which one will be stolen. Both can be stolen, but the likelihood of it being the locked car is much lower. The good thing about the internet is that there are so many insecure targets that it is not too hard to make attackers look elsewhere. Unless they are out to get you.
- Make use of good passwords. Until such time as we can come up with safer biometrics for authentication, passwords are all we have. At minimum, a password should be 10 characters. Mix upper and lowercase and digits and symbols. Do not use dictionary based words or your name or pet or birthdates or keyboard sequences such as qwerty or asdflkjh etc. Do not use common passwords like those in the top lists. A good password could be a contraction from a nonsense phrase, such as taking "I am out to get bones from chills" and making a password such as iaotGB4.clzz. For PINs such as your credit card or mobile phone, do not use common values such as 0000 or 1111 or 1234 or 1212.
- Do not share your passwords between services. You can share a password between services that store no personal or sensitive information, but use unique passwords for important sites such as banking, Facebook, Twitter, Email, your corporate login etc.
- Do use password managers such as 1Password or KeePass to help you store your passwords safely.
- Do enable 2FA (Two Factor Authentication) if your service provides this feature. It sounds scary, but it is very simple to understand. There are three ways to authenticate yourself: something you know (passwords), something you have (mobile phone) and something you are (biometrics - fingerprint, retina). All 2FA does is combine something you have with something you know. In addition to specifying your password, the service will send a unique, one time code to your mobile device or have you enter a pre calculated number from an authenticator application you run on your phone as an additional security mechanism. Since this PIN can only be used once and changes every time, and is only accessible via a secondary device, compromising this in addition to guessing your password suddenly becomes much harder.
- Contrary to popular belief, aggressively applying application updates will greatly reduce your risk profile. Many attacks today work because attackers exploit unpatched software applications. This is also not black magic once you understand how applications can be compromised. A good analogy of an application compromise is the good old car door trick. Take a coat hanger, bend it into a U shape, push it against the glass down inside the door mechanism and after some wiggling you can unlock the car door. This works on some cars because of a poor implementation of the locking mechanism. If a manufacturer could "patch" a car, they would release an updated door mechanism that prevents this attack from working. The same principle applies to software. The difference is that software is compromised over and over as the complexity is so high. Therefore regular patching is crucial. Furthermore, it is not enough to just apply Windows Updates. You also need to keep your browser, Flash Player and other software up to date.
- Lock down your WiFi access point. Perhaps you got WiFi with your service provider's modem. Or you purchased a WiFi access point at Best Buy. Regardless, you need to familiarize yourself enough with the device to know how to change the password to something secure, and to enable WPA2 encryption. WEP and WPA are NOT secure and should not be used. If you need help, there are manuals on the internet, and your service provider can also assist you with this.
- Install a firewall on your computers. A firewall blocks connections from being made to your network that should not be allowed in. Properly configuring a firewall is not easy, but it is a start. Windows and Mac OS X come with a built in firewall that should be enabled by default; check that it is indeed enabled and working.
- Install an anti virus application. Do not install multiple as that will only slow down your system and potentially cause them to function incorrectly. Windows comes with Windows Defender that should be enabled.
- Use whole disk encryption on your home computers. This prevents someone from stealing your computer and then bypassing your password by taking out the hard drive and installing it on another computer. If someone steals your computer your data will still be secure, albeit stolen. Windows has BitLocker in the Pro and Ultimate editions. Mac OS X has FileVault 2.
- Enable a 6 digit PIN or a password on your mobile devices, and enable a 2 or 5 minute lockout to ensure the system auto locks itself. This will prevent someone from picking up your unattended device and accessing your data.
- Enable auto screen saver with password lock on your desktop computers.
- Ensure that you always use the HTTPS version of a site if you enter any login credentials, credit card information or any other sensitive information. Furthermore, check the URL bar in your browser to ensure it shows the lock icon. Sometimes a site is HTTPS but still insecure; the browser will indicate this by not showing a lock, or by showing a lock with a red cross through it. In that case, do not connect to the site.
- Do not open email attachments from people you do not know, or that look suspicious, like parcel delivery notices. Most of these attachments contain malware and once you double click it, it infects your computer.
- Do not browse to web sites that you do not know or contain pirated software, and do not download pirated software.
- Do not fall for scammers by calling phone numbers that pop up on your screen for technical support. Do not fall for scammers calling you requesting remote access to your computer. Do not fall for web sites that look like legitimate companies but in fact are run by scammers. Good examples of companies you should NOT be contacting are plentiful to find.
- The previous point ties in with never trusting results returned by Google or any other search engine. Remember, their job is not to protect you from the internet (though they sometimes try). Their job is to make the whole internet searchable and available to you. A search for "Quickbooks support" returned the aforementioned sites run by scammers. If you need support, it is best to go to the vendor's public web site directly (in this case QuickBooks) rather than searching for support sites.
- Never share your passwords with anyone. Even legitimate IT support personnel should never ask you for your password. Never let IT support work on your computer unattended unless you know and trust them.
- Never type in your password in front of other people - just like your PIN, protect your password by ensuring you have privacy when entering it.
- Be mindful of what you post publicly - you may be compromising yourself or your employer. Information never gets deleted once on the internet. Sites such as The Internet Archive and others ensure the survival of pretty much all information.
- If you feel adventurous and invest in IoT (Internet of Things - internet connected appliances), make sure you understand the security risk this involves. Make sure you change all manufacturer default passwords to strong passwords, that you enabled all security features applicable and that you do not leave your home open to attack.
- If you feel the need to drive an internet connected vehicle, make sure you follow all manufacturer advisories and that for any security related advisory you immediately return your vehicle to the shop for updates to be applied.
- When not using the camera in your computer, put a piece of black tape over it. That way, even if someone remotely enables the camera, they cannot use the camera.
- When connected to WiFi hotspots not under your control, never trust the connection. That means do not even use a VPN and think it will be secure. There are ways for attackers to compromise all your communication if you connect to a WiFi access point they control. This is especially relevant at airports, hotels and restaurants / coffee shops.
- Treat the internet as a hostile place. Just as you would not leave your wallet / purse at a bar in plain sight, you need to be cognizant of the risks whilst online and protect yourself correspondingly.
If your defences were not good enough, eventually some attacks will succeed. This is when fallout happens - the result of an attack. Some types of fallout are:
- Theft of money, goods and information
- Losing your job
- Self humiliation
- Suicide / Death
Responding to these fallouts is most probably the hardest aspect of modern security. You could pay blackmailers, and might have a chance at getting rid of them. Or they might extort you even more. Insurance will not cover you for your negligence if someone steals your money. Having your naked photos published online, or the fact that you had an affair exposed could be detrimental to your social life.
Unfortunately these response mechanisms are highly personal and there are no good guidelines on how to respond. The best response is a good defence. The better your understanding of your risk profile, how attacks take place and how best to defend yourself, the lower the chances are that you have to deal with fallout and the subsequent response. Attacks will only become stronger and more prevalent. It is up to each person to get to grips with the modern world and enhance their understanding of these modern threats, enough so that we are not caught blindfolded with our pants around our ankles. This will not go away, and we need to skill up to keep pace or suffer the consequences.