Pragmatic approaches to combating cyber threats today
This post first appeared on Agenda NI on April 8th 2017.
Professor of cyber security at Ulster University and senior member of the Institute of Electrical and Electronics Engineers (IEEE), Kevin Curran, outlines best practice advice for prevention of computer fraud.
There is a well-known investigative reporter on security called Brian Krebs. He is best known for his coverage of profit-seeking cybercriminals and is so good at what he does that he was the subject of the largest Denial of Service attack to date. His maxims on computer security are:
1) if you didn’t go looking for it, don’t install it; 2) if you installed it, update it; and 3) if you no longer need it, remove it.
Basically, do not get fooled into clicking on pop-ups which lead to malware, and keep your installed software ‘footprint’ small, as one of your unused software programs could be just the path by which an attacker enters your system. Each passing day, more of us go online to send money and make purchases, so keeping our connected devices secure is becoming more important. Here I share general best practice advice, which does not require much technical knowledge, for avoiding becoming a victim of computer fraud. Of course, recommendations outlined here can become outdated but as of today, what I write is good practice.
Use different passwords on all sites and change them frequently. Hackers often steal a login and password from one site and attempt to use it on other sites. To make it simple to generate – and remember – long, strong and unique passwords, it is good practice to install a reputable password manager which will create complex strong passwords and store them in an encrypted file on your own computer. You then only need to remember one ‘master’ password and the password manager will automatically take care of logging you into different sites with secure passwords.
Register with haveibeenpwned.com. This is a legitimate website which collects the email addresses associated with publicly known website hacks. Here you can submit your email to see if your personal details have been released in previous website hacks and you can also register your email to receive future notifications if your details appear in a future hack. If you do find your details registered, then log in to the site where you were compromised and change your password. Watch out also for phishing emails from the site just hacked.
Change default passwords. Whenever you buy an internet connected device (e.g. router, baby monitor, connected CCTV), change the default password. In fact, the default password on every device you purchase should be changed on first use. There are search engines like Shodan which crawl the web for connected IoT devices and hackers will try default passwords on those devices. You are basically leaving your keys in the door.
Use an ad blocker. Believe it or not, there are a lot of malicious ads that can cause your device to become infected. Using an ad blocker on your browser can prevent these malicious ads from appearing. It also speeds up browsing so you will experience quicker loading of websites. It is a win-win but unfortunately, some websites require you to turn it off to see their content.
Keep software updated. Running the most recent versions of your mobile operating system, security software, apps and web browsers is among the best defences against malware and other threats. When you see a message on your computer or mobile to update, then do so immediately. These updates often contain security patches which protect against new vulnerabilities.
Look for a secure padlock icon in your browser. This icon to the left of your URL signifies that the website is using HTTPS. HTTPS is ‘secure HTTP’, which ensures an encrypted connection is active so that your sensitive information like credit cards or passwords is not ‘sniffable’ by a hacker who is snooping on a network between you and the legitimate website. Not all websites support HTTPS now but you should expect all sites which accept payments to have HTTPS enabled.
Double-check the domain name of the website. Always check before entering sensitive information to make sure you are not on a phishing website like paypa1.com or g00gle.com. You should also never click on a link in an email telling you to log in to your sensitive accounts to resolve an issue. Instead, leave the email and go directly to the site and log in. Links in emails which look legitimate can reroute you to rogue sites which capture your login details.
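The domain check described above can be automated. The following Python is an added example, not part of the original article; the trusted list, the look-alike character table and the function names are assumptions chosen for illustration, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually logs in to.
TRUSTED = {"paypal.com", "google.com"}

# Digits commonly swapped for look-alike letters (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registered_domain(url: str) -> str:
    """Return the last two labels of the host, lower-cased.

    Simplification: real code should consult the Public Suffix List so
    that names such as example.co.uk are handled correctly.
    """
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.lower().split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse look-alikes so paypa1.com and paypal.com compare equal."""
    return domain.translate(CONFUSABLE).replace("rn", "m")


def check(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = registered_domain(url)
    if domain in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good):
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ("https://www.paypal.com/signin",
                 "http://paypa1.com/login",
                 "g00gle.com",
                 "https://paypal.com.account-check.example/"):
        print(f"{link:45} -> {check(link)}")
```

The last sample shows why the check looks at the registered domain rather than the whole hostname: a trusted name used as a subdomain of some other domain is not treated as trusted.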
Do not click on anti-virus popup windows. This is a common scam which tells you that your computer is infected with a virus. Genuine antivirus software does not do this. The popups install malware on your computer, with your permission. Many now require you to pay money to have the software removed. New malware such as Cryptolocker is a nightmare and is generally unremovable without paying a ransom.
Close out old accounts. They simply create more points of vulnerability. Sometimes that might mean having to go through steps to recover an old password you might not remember, but it is worth it. In general, the smaller your footprint online, the better.
Review your online accounts and credit report. You should review your bank accounts, auction accounts, and mobile phone accounts for signs of fraud or charges that you did not make. Make this a regular habit. Yes, banks and credit card companies are quite good at spotting fraud but ultimately, it is up to you to spot fraud on your account.
Enable two-step authentication when offered. Many sites such as Apple, Microsoft and Google now ask you to associate a mobile phone with your account. Two-factor authentication does not let you log in without access to your mobile phone and this ultimately makes it much harder for an attacker to hijack your account (as they do not have your mobile phone to change account details).
Email and WiFi
Do not open links or attachments in suspicious emails. Even when they seem to be sent by someone you know, use caution, as their email account might have been compromised by a hacker. If in doubt, call the person or company to check first. Do not try emailing unless you can ask them for information only known to you both. Remember also to not trust any phone numbers in the email.
Treat public WiFi differently. You should not use public WiFi hotspots without using a VPN connection. A VPN will encrypt your communications to and from the internet to prevent eavesdropping. At home or on wireless networks, where you enter a password, the connection is encrypted so that your information is not sent ‘in the clear’. Just be aware that wireless networks with no required logins can be easily sniffed by a stranger on the same network.
Finally, do not download pirated or cracked software as it can often contain malware. It is common for scammers to release compromised software on torrent sites. Where available on iOS devices, use Touch ID and register multiple fingers. Place tape over your webcam when not in use and use a credit card online as you are then protected for purchases >£100 and <£30,000. Do not text or email your credit cards, bank account numbers, or passwords, even if you feel you can trust the person on the other end. They are not the problem. Snoopers are. Keep your mobile device secure by using a strong password to lock it. If you are going to use email, use Gmail, with a physical security key on your laptop and install Google Authenticator on your phone. Use Signal or WhatsApp on your phone to communicate with other people. Do as much of your work as feasible on an iOS device such as an iPhone or iPad. You could use a Bluetooth keyboard to make it easier to type. If you use Windows, then uninstall any antivirus products except for Windows Defender, which is from Microsoft, is free and is now considered the best and least buggy. I strongly recommend using Chrome as your browser (or Firefox). Be especially careful about installing unknown or unnecessary extensions as these are a common infection vector. Turn on full-disk encryption on devices. Do not plug your device into an unknown port and never plug an unknown device into your computer. Instead, carry a “USB data blocker” to charge when on the road. OK, these last recommendations may be extreme but sometimes it is hard to know where paranoid approaches to being secure turn into pragmatic approaches.