With more and more of our daily lives going digital and the ever increasing number of apps one needs to operate effectively in today's society, I thought I would share some tips on how to remain safe and secure on the digital wild west we call the internet.
It's important to note first, however, that nobody is un-hackable. With enough determination and resources, you can and will be compromised. This guide is about making you a less attractive target to a would-be attacker. You don't have to be the most secure person in the world, you just have to be more secure than most other people.
In an effort to strengthen our defences, we will be looking at the following tools, technologies or practices:
- Phishing and Malware
- Password Managers
- Multi-Factor Authentication
- Virtual Private Networks (VPNs)
- Software Updates
- Digital Segregation
Phishing and Malware
Phishing is when an attacker tries to steal your login details, by trying to dupe you into entering them into their malicious website. This bogus website will be made to look the same as its legitimate counterpart.
Most attackers will attempt to gain your login details or compromise your machine by sending you a link in an email to their bogus website, or to a piece of malicious software for you to download and run.
It is good practice to NEVER open a link contained in an email you were not expecting, or from someone you do not know. If you know the sender, but are unsure, contact them by another means of communication and confirm that they sent you the email.
If you feel safe enough to open a link in an email, always double and triple check the address that the link is going to take you to. If it is a website link, make sure that the padlock icon is present in your browser's address bar, and that the address matches what the site looks like. Always look at the whole address and not just the beginning.
Legitimate: https://login.microsoftonline.com/common/reprocess?ctx= Malicious: https://login.microsoftonline.com.common.evil.com/reprocess?ctx=
Be on the look out for any typos or design irregularities on the site itself. If the site you are on does not look like what you were expecting, or as polished as it usually does, this is a red flag. Do not type anything into it.
If a link you visit downloads a file onto your computer, DO NOT OPEN IT. Regardless of what type of file it is. Delete the file immediately.
If you fall foul of a phishing campaign, you can limit the damage done by following the advice below.
If you are using the same username and password on more than one website, you are at risk. If a website you have an account with gets compromised, attackers will attempt to use the stolen login data on other websites, like your Gmail, Facebook or online bank, to see if you use the same username and password there.
To find out if your login details have been stolen, there is a very good service operated by Microsoft Regional Director @troyhunt called have i been pwned? This website allows you to enter your email address, and will tell you if your details have been leaked as part of a data breach. If they have, then it is advisable to change your password on any other websites where you have used the same account information to log in.
The best practice is to use a different password for each and every website you have an account with. It can be difficult, however, to create and remember multiple different passwords, for every website you want to create an account with.
Thankfully due to password manager tools, you don't have to.
By using a password manager, you only have to remember 1 master password. This password then unlocks your password vault, which contains your username and password information for other websites you have accounts with.
Some of them will also help you to generate new random passwords or passphrases, when you want to sign up to a new website.
The most important thing here is to make sure that the master password you choose is completely new, hard to guess and is never used for anything else. This password should be created and used solely to unlock your password manager.
It can take time to build up your vault with your existing username and password information, but once you have them all in there, you never have to remember them ever again. Some of these password managers, like LastPass can even rate your password security, based on metrics like how long it's been since you last changed the password, if the password has been included in a data breach or how easy your password is to crack/guess.
Once all your login information is stored securely in your vault, you can go through and change your passwords on all of the sites with longer, more random and secure passwords.
When you want to login to a website, you can use the password manager's accompanying browser plugin to unlock your password vault, and auto-fill in the username and password fields for you, without you ever having to type in or even know what the password is.
This practice, combined with enabling Multi-Factor Authentication is probably the best thing you can do to improve your security.
Another way to ensure that your accounts are secure, is to enable Multi-Factor Authentication or MFA for short, wherever possible. The multiple factors it describes are usually, something you know i.e. your login details and something you have, e.g. a one-time temporary code, or a USB device, such as a YubiKey.
MFA is an extra layer of security, which requires you to add an additional piece of information after you have logged in with your username and password. This means that even if your username and password are compromised, a would-be attacker cannot gain access to your account.
Usually when enabling MFA on a website, you are presented with a QR code, which you can scan from your chosen MFA application, in order to setup the one-time code that you will require, in future, to log in with. Generally speaking, these one-time codes change every 60 seconds.
Another option, although not recommended, is to have a one-time code sent to your phone via text message. This is convenient as it means you do not need to have an application dedicated to generating codes for you, but it is open to abuse.
If an attacker manages to steal your phone number (using a technique known as sim swapping) they are then in possession of the second factor of security you relied on to keep your account protected.
A YubiKey is a physical USB device which you can use as your extra layer of security. This is arguably the most secure way to protect your account, as it requires the attacker to physically obtain the device from you without your knowledge.
Many of the most popular companies, like Facebook, Apple, Amazon and Google all offer the ability to enable 2FA or MFA on your account.
Virtual Private Networks (VPNs)
Do you use public WiFi? Do you sometimes connect to WiFi hotspots that do not require a password to join? If so, you are leaving yourself vulnerable.
You have no way of knowing if someone is eavesdropping on you and the traffic coming to and from your device. It is not enough to say to yourself that you have connected to this network before and nothing bad has happened.
It is very easy to create a malicious wireless access point with the same name as a legitimate one. Your device does not care which one is legitimate and which one is malicious. It will connect to whichever one is the closest, or has the strongest signal.
If your device is set up to connect automatically to known networks, you may not even realise that you are connected to this malicious hotspot.
When you connect to public WiFI, you have no control over who else is connected and what they are up to. Traffic coming to and from your device, if you are browsing to websites that are unencrypted, will be sent in plain text, open for anyone you are sharing the network with, to read.
In the worst-case, this can result in someone not only being able to see what you are looking at, but allow them to impersonate you and access the same websites as you, logged in as you, without even needing to know your login details.
One way to avoid this eventuality is to ensure that you are using a VPN when connected to any untrusted WiFi networks.
By connecting to a VPN, you are ensuring that all the traffic coming and going from your device is encrypted and therefore cannot be seen or understood by anyone eavesdropping on the network.
I recommend connecting to a VPN before you join any network that does not belong to you. You can download software for mobile and desktop devices that make it easy to connect to the VPN of your choice.
If you are a little more tech savy, you can even create your own VPN in the cloud, and then you do not have to trust a third-party with your browsing data.
The easiest way to compromise someone's machine is through exploiting known vulnerabilities in software that is known to be running on it. When a security vulnerability is found in a piece of software, an update is usually published to patch this vulnerability. If you do not update your machine regularly though, you are still vulnerable.
It can be annoying when it seems that every application is offering you the chance to update all day every day, but it is vital that you do these updates as often as you can.
In late 2021 and early 2022 there have already been 2 very high profile, critical vulnerabilities found in software that is run on about 90% of the world's computers.
If you do not update your devices, they are vulnerable. An attacker could quite easily exploit the vulnerability found in the first exploit, Log4Shell, to get your device to run malicious code, granting them access to it. They can then exploit the second vulnerability, DirtyPipe, to escalate their privileges to an administrator level. With this level of access, your device is now essentially owned by the attacker and they can use it to steal your contacts, read your email and switch on your microphone or camera. All of this without your knowledge.
Always make sure you regularly update all your devices as often as you can.
In order to make you as unattractive a target as possible to would-be attackers, it is advisable to keep as many things separate as you can.
Wherever possible, use separate email addresses for important, high-risk things.
Have a separate email address that you use solely for your digital banking for example. Do not share this with anyone and do not use it for anything other than banking.
This way, if your personal email is compromised, your bank account is still secure.
If you do receive a phishing email, strange phone call or are asked to install some software on your machine, do not panic. It is highly unlikely that the attacker is targeting you as an individual. More often than not, you are part of a larger campaign where thousands or millions of people are being targetted.
By following the advice above you are doing your best to ensure that an attacker would rather give up and move on to an easier target, than spend more time than necessary trying to compromise you specifically.
I hope this post has given you some pause for thought and has inspired you to up your game a bit when it comes to your digital hygiene.
For a very enlightening peek into the methods used by attackers, I recommend listening to the episode Dirty Coms, from the fantastic Darknet Diaries podcast.