Russ Harvey Consulting - Computer and Internet Services

Security Basics

Preventing Unauthorized Access

Stop and Think | Key Elements of Security | More Time Online
Webcam Vulnerabilities

Preventing Unauthorized Access
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually “Nothing; you're screwed.” But it's really more complicated than that.

 

Against the government there's nothing you can do. The power imbalance is just too great.

 

But there are some things you can do to increase your security on the Internet. None of these are perfect; none of these are foolproof.

 

But they're all good network hygiene, and they'll make you a more difficult target than the computer next door. — Bruce Schneier

 

Do You Practice Security Hygiene?

Do you routinely use weak or repeated passwords, use outdated or unpatched software, share personal details on Facebook or use public WiFi to access your accounts?

Security Practices Critical

Too many people pass off security practices as annoying.

In general, the research suggests that about half of consumers do not know how to protect themselves from cyber criminals. — McAfee

Just like seat belts and helmet laws are designed to protect our bodies, good security practices are meant to protect our privacy and our devices.

Our World Has Changed

The world we live in has seen massive changes.

Information that used to be on paper locked in filing cabinets is now “in the cloud” which provides 24/7 access to anyone — including hackers.

Improving Security

Sooner or later you will become a victim unless your security software and security practices are up to the task of preventing unauthorized or malicious access to your computer and devices.

Deadly Security Threats

Scams are increasingly effective.

[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years. — Trustwave

Newer and deadlier versions of malware and hacking software are being developed regularly.

Security is Everyone's Responsibility

Everyone needs to take security seriously if you're going to remain safe.

Action Steps

Your protection depends on following these action steps:

  1. Ensure that your devices and software have the latest updates installed.
  2. Protect your device with good quality security software and update regularly.
  3. Learn how your security software operates so you're not fooled by fakes.
  4. Be aware of security threats and how to respond to them correctly.

If others use your computer or devices, they can compromise your security unless they also follow these protective measures.

Update Your Software

Update your operating system as well as all your software (apps), replacing them when no longer supported.

“Update your software!?” infographic -- click to learn more.
See the full infographic.

Ensure Your Security is Current

Invest in decent security software recognizing that security needs have changed.

Be sure to update your security software. Older versions may not have the ability to protect your computer or device as effectively.

  • Frequently check your security software company's website to verify you have the most recent version.
  • Minor updates like virus or spyware signatures generally install automatically.
  • If you need to manually download a file then it has to be installed before it updates your software.

Know Your Security Software

Get to know your security software so that you can use it effectively. Learn its limitations and know how it responds to threats so you know how to protect yourself and your devices.

Don't Fall for Scams

Besides the threats noted above, scams come in many forms but the most common are:

Responding to these fraudulent attacks is certain to result in identity theft, financial loss, or both. Just hang up or delete the email.

Avoid Extra Software Installations

Be wary of extras included with the software you're installing such as optional (but pre-checked) software De-select these options. You neither need nor want them.

How Cyber Safe Are You?

Businesses need to train their employees and increase their security budget. Home users need to educate themselves and their household about the risks.

Get CyberSafe

Recognizing the security gap, the government of Canada has made resources available on their Get CyberSafe website.

“How Cyber Safe are You in the Digital Age?” infographic -- click to learn more.

See the full infographic.

Cybersecurity Myths

There is a lot of cybersecurity practices that are not as effective as people think or have are less important because of newer technology such encryption.

Return to top

Stop and Think Before Acting

Most of today's devices (computers, phones, tablets, etc.) are continuously connected to the Internet. Many services and applications record private information and report on your activities.

Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.

 

We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach. — Privacy Commissioner of Canada

You're Being Tracked

Too many sites collect unnecessary information “just in case” they can monetize it later. The size and number of data breaches attests to the fact that few secure that information.

Be sure to read the privacy policies and terms of service for everything you subscribe to before signing up for that service or installing that app. These policies are subject to change.

The larger the terms of service page, the more you're giving away. The vaguer the context of who they share your content with (e.g. unspecified third parties) the more likely your identity is being sold.

Stop. Think. Connect.

Staying safe online involves both being prepared and knowing the signs of suspicious websites, phishing emails and other nefarious online activity.

You can avoid a lot of problems if you follow the advice on StaySafeOnline.org:

STOP. THINK. CONNECT.™
Protect yourself and help keep the web a safer place for everyone.
  1. STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
  2. THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
  3. CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

Protect Your Identity

If you've bought into the “nothing to hide” mantra or have decided that your information is worthless, consider these costs.

  • Free software and games are funded by capturing our metadata.
  • Employers now look at your online activity to determine employability.
  • If your actions compromise your employer's computers or network what do you think your chances are
    • of keeping your job?
    • of facing prosecution?
  • If your home computers and devices become infected, you could be on the hook for how it is used by the thieves:
    • Your personal reputation could be damaged.
    • Your private information could be used to obtain loans or credit cards.
    • You could be held liable for any illegal activities perpetrated using your identity.

It is much easier to establish credit online than to protect yourself. Fraud reporting relies on paper documentation.

Tips & Advice

Review StaySafeOnline's Basic Tips and Advice:

  • Keep a clean machine.
  • Protect your personal information.
  • Connect with care.
  • Be Web wise.
  • Be a good online citizen.
  • Own your online presence.

Details are on their website or available as a PDF.

Their site contains additional information about how to stay safe online:

Return to top

Key Elements of Security

To enhance the security of your computers, devices and computer networks, you need to include the following components in your protection plan:

There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.

Choose Your Programs Wisely

The choice of software you install on your computer affects how vulnerable you are to security-related attacks.

This is particularly true for your choice of web browser and email software.

Windows users have easier access to third-party software that can affect their security.

The User Pays for Security Failures

If software developers bore the cost of security failures in their software, as Ralph Nader forced the auto industry to accept responsibility for their failures, fewer vulnerabilities would exist or be allowed to continue unchecked.

We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure. — Bruce Schneier

Instead, we are spending large amounts of money annually on security programs.

Free Software

There is some excellent free software available to you, including LibreOffice, Firefox and GIMP.

Unfortunately, many of the free utilities, screen savers and similar programs available on the Web contain either malware or collect information about you or install unnecessary third-party software.

“Free to Play” Games Manipulate Us

While free to download and play, many such games are very profitable. How else could they afford to advertise during prime-time television?

"Free to play" games manipulate us through many techniques, such as presenting players with a series of smoothly escalating challenges that create a sense of mastery and accomplishment but which sharply transition into a set of challenges that are impossible to overcome without paid upgrades. — Cory Doctorow

Assessing Software

Search for what others have said about a program using the program name as the search criteria. Blogs often provide interesting insight to the usability of such programs and their relative merits.

Learn about my recommended software….

Keep it Updated

All software requires maintenance. Be sure to update your software regularly. When a program is no longer maintained, uninstall it then find a currently-supported replacement.

Replacing old software can be pricey, but there's a serious risk of data loss if your system isn't kept up-to-date. — Acronis

This also applies to operating systems such as Windows. When no longer supported, find a replacement.

Avoid Unwanted Programs

One of the things to look out for are the third-party optional programs (PUPs) that may be installed along with free products like Adobe Reader, Java and CCleaner.

Krebs's 3 basic rules for online safety:
  1. If you didn't go looking for it, don't install it.
  2. If you installed, update it.
  3. If you no longer need it, get rid of it!

Scroll carefully through the installation option screens and de-select any extra software like Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.

Keep it Clean

Where possible, uninstall any unwanted software, including programs installed with Windows 10. Regularly clear any unnecessary programs and data from your computer.

You should schedule regular times to cleanup your computer. Removing unnecessary files and software will increase your productivity.

Effective security software

Traditional security products (antivirus and antispyware) are made to fight PC-based threats.

All current security suites and most antivirus software contains some form of antispyware/antimalware protection.

The Threat Landscape Has Changed

Today's computers face multifaceted attacks (multiple sources at the same time). Web-based threats (including ransomware) can develop very quickly.

You need a security suite that protects you simultaneously from all possibilities.

Keep it Updated

Security software must be constantly updated to deal with emerging threats.

One study indicated that the time from the discovery of a vulnerability to when it is exploited is now four days or less.

More recently that window of discovery has narrowed to less than a day. Zero-day exploits are usable immediately (0 days until useful because they are generally undiscovered except by hackers and government spy agencies).

  • Check for updates at least daily.
  • Weekly scans are a bare minimum.
  • Real-time scanning is critical for today's threats.

Learn more about security software….

Secure Your Network

You cannot afford to be without an effective firewall. Today's computers and devices are continuously connected to the Internet.

No firewall is like leaving your front door open for anyone to walk into your home uninvited. Not everyone is polite enough to resist the temptation.

Your Privacy Threatened

“Nothing to hide” is a falsehood perpetrated by those profiting by collecting your information.

Your privacy has never been under attack as intensely as it is today. You need to protect yourself using legitimate privacy tools.

Effective Protection

An effective hardware and software firewall combination is an essential part of your protection.

Your Router

Your router not only secures your high-speed access to the Internet, but it allows you to share it between both hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, TVs and “smart home” devices.

While many issues have been fixed in newer routers, there are undocumented and unpatched vulnerabilities (zero day exploits) that both governments and hackers take advantage of to steal information from your devices.

More than half the routers currently in use are easily hacked. The recommendation is to replace your router if it is more than a few years old, especially if listed here.

Learn more about securing your network….

Strong Passwords

Passwords are an essential part of life today. They are used for everything from accessing your email to the millions of websites and forums that require you to identify yourself using a username/password combination.

Passwords and encryption can be effective tools — but only if you use them correctly.

Single Sign-on Flawed

Never choose to log into a third-party site using your Facebook or Google account (single sign-on). Instead, create a new login account using a strong and unique password.

Long and Strong

Make your passwords long and strong using random upper and lower case letter, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.

Protect Your Passwords

Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same password on multiple sites. The following is only one example of how password reuse can have significant financial repercussions:

A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency. — Times Colonist

Use a Password Manager

Everyone has far too many passwords today to manage strong and unique passwords for every site and account we hold on the Internet without using a password manager. Humans simply have too much difficulty creating and remembering effective passwords.

I strongly recommend LastPass to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.

Two-Factor Authentication

Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:

  1. a strong password; and
  2. a second authentication device.

The YubiKey is a small USB and NFC device supporting multiple authentication and cryptographic protocols.

The second device could be

  • a cell phone number (recommended); or
  • a specially-design hardware authentication device like the YubiKey (shown above) in combination with LastPass; or
  • a second email address (less secure as it too could be hacked).

The authentication device is preferably something that is always with you and is inaccessible to potential hackers.

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, after which they have access to the very two-factor security that is supposed to protect you.

Recovery Options Weak

Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain unauthorized access to your email account.

People post too much personal information about themselves on public places including social media sites where the answers to typical security questions can be harvested. The nature of these questions are such that many are easily guessed such as:

  • your favourite sports team(s);
  • your favourite authors or movies;
  • your best man or maid of honour at your wedding; and
  • your home town or favourite teacher.

Many of these are items that you're prompted to include on your Facebook profile.

Protect Your Email Account

Some security protocols require you to respond to an confirmation sent to the registered email address for a requested password change. If your email account is protected by a weak password, this mechanism can be compromised.

Learn more about protecting your passwords….

Reliable Backups

There are many causes of data loss, including:

  • hardware failure (hard drive or backup media)
  • ransomware attacks
  • lost devices
  • theft or vandalism
  • environmental disasters (fire, flood, earthquake)

More and more our private information is electronic and stored on our computers or devices.

From the dawn of civilization until 2003, humankind generated five exabytes of data. Now we produce five exabytes every two days…and the pace is accelerating. — Eric Schmidt (2010)

Planning for Recovery

The first step in planning for recovery is to ensure that you regularly backup all your data using reliable systems and schedules. The more frequent the backups, the less you might lose.

Having multiple generations of backups ensure that a problem with one can be resolved with an older backup (you might not get everything, but most of it will be there).

You should also plan for disaster by ensuring off-site backups either via cloud backups or physical backups stored offsite.

Unfortunately, cloud storage data is threatened by poor security and government data collection policies.

Learn more about backup strategies….

 

More Time Online

We're stuck at home and spending more time online than ever before including virtual meetings.

Working From Home?

Almost four times as many Canadians are working from home than pre-pandemic. That trend seems to be continuing.

Security requirments are higher than they were for gaming and entertainment.

Phishing

Phishing attacks are on the increase. Be wary of attachments in unexpected messages, including delivery notices, voice mail notices, etc.

Home Networks

If you might find your home network isn't up to the task:

Learn more about security in a pandemic….

Return to top

Webcam Vulnerabilities

It has been known for some time that your computer and devices can be hacked to access the camera without activating the light that warns the user.

Many folks (including Mark Zuckerberg) cover their camera to ensure privacy. This has been more difficult during the pandemic as people working from home required frequent access to online meeting software.

Apple warned users that covering the camera could damage your laptop, stating that Apple's cameras are engineered so that it can't be accessed without the indicator light turning on.

With decent security software, the sorts of malware that make this possible are detected and removed. Kaspersky goes even further by ensuring that access is denied to the camera at startup.

Return to top

Related Resources

Related resources on this site:

Return to top


If these pages helped you,
buy me a coffee!


 

Return to top
RussHarvey.bc.ca/resources/security.html
Updated: April 3, 2021