I’m all for people promoting security advice about using the internet and computers, but only when it’s good advice (obviously). So just how can one judge the quality of the suggestions given?
Well you should probably listen to the experts – not currently trendy, I know. The problem is made harder, though, when it’s unclear what makes somebody an expert on tech and security. My general rule is that even if they’re writing for a popular publication, take everything they say with a pinch of salt.
The BBC got conned by Craig Wright, primarily because of a tech publication’s screw-up, and then the Guardian posts articles like this: Extreme online security measures to protect your digital privacy – a guide. Since the article is getting a bit of heat on Twitter, here is a link in case it gets taken down.
It starts off with the now infamous picture of Mark Zuckerberg where you can see his laptop in the background with the webcam and mic taped over. Now before you rush to tape over your webcam and mic, note that this is the guy whose Twitter and Pinterest accounts were hacked because he had used the password ‘dadada’ for both of them, which was most likely obtained from the 2013 LinkedIn hack. Sure those accounts aren’t important to him, but he should have known better, so it’s embarrassing nonetheless.
Anyway, on to the actual guide. It’s not all bad, in fact it’s mostly overly hopeful with a couple of egregious exceptions, which we’ll get to.
1. Encrypt your email
The article gives a brief summary on how to manually do this. While this might be a good idea, it’s also kind of hopeless to expect all of your recipients to be using a compatible email client.
From the article itself, detailing the potential problems: “if they’re using Gmail on their smartphone, they’ll just be annoyed when you keep sending them unreadable strings of garbled data.” Great start. If you’re Edward Snowden you can expect your friends and acquaintances to go through the trouble (and that’s if they’re capable of working out how to do it), but you’re not.
Instead, many companies are trying to make this more straightforward and automated. Gmail is a good example of this and will try to encrypt messages by default and warn you if it’s not possible. Ideally you’ll want to avoid sending anything sensitive over email if it can be helped, or use reliably secure end-to-end encrypted instant messaging apps such as iMessage or WhatsApp.
Additionally, your email account can be incredibly vulnerable. So, more important than making sure your emails are encrypted is to make sure that you’re using a good, unique password. If your email account gets compromised, then any online accounts that are associated with that email can be compromised by abusing the ‘forgotten password’ feature. An increasing number of online sites use this and most security questions can be socially engineered.
It might be a good idea, for example, for your pet’s name to be a random eight-character alphanumeric sequence saved in your password manager or written down. Keep it somewhere safe (not a post-it note on your screen) and use it as an alternative to the actual name of your pet.
2. Get Virtual
This also falls under the problem of being far too hopeful. We haven’t yet managed to get people to stop using the same password everywhere, as well as still using passwords such as ‘LetMeIn’. That said, if you can and want to do this, go ahead. The prerequisites are a powerful enough machine and the technical know-how. As mentioned in the article, a VM (virtual machine) is probably best used for downloading something you are suspicious of and then opening it after you’ve disconnected the VM from the network.
It also won’t protect you if you are tricked into revealing passwords and banking details. If you open something suspicious and nothing disastrous happens to your VM then that is still no reason to trust it. A lot of malware is made specifically so it runs unnoticed, collecting data in the process.
The article doesn’t actually mention any virtualisation software, but I would recommend VirtualBox as a good free, cross-platform and well-supported application. For Windows there’s Hyper-V, for Mac there is VMware and for both, Parallels.
3. Keep a second, secure PC
This is fine and dandy if you stick to it. My issue is with “perhaps an old laptop – as your ‘secure’ device”. Most people have an old laptop lying about because it is old, it is slow and as a result they have not updated any of the software on it for a while because it is a pain to use, or it’s not even supported anymore.
If it is old it does not matter, but if the software is out of date, e.g. running XP, does not have all the latest patches, etc. then you are leaving yourself wide open to threats. As a baseline it should be running Windows 7 or newer, or OS X 10.9 (Mavericks) or newer. If it’s running a Linux distro then I really don’t need to tell you.
If it is an old computer you never know what might already be lurking on it, so it would be a good idea to wipe it and do a fresh install – this may net you some speed improvements as well.
4. Clean out your system
This is certainly good advice. I would also add that if buying a Windows laptop, try and get a signature edition from Microsoft’s online store, as the pre-installed software on these is vetted and all the junk is removed.
5. Switch to hipster applications
The article was not perfect, but admittedly pretty good… up until this point. No. 5 really is objectionable advice and not just because of the word ‘hipster’. Obscurity is not security. Repeat it, scream it.
The article even notes this, but it really should have left this advice out altogether. As a Computer Science student this is face-palm territory – if I was a cyber security expert I would probably be livid.
If an application is obscure and less well known, it is typically for a reason: because it is worse. This isn’t always the case, but a less popular application is also likely to be supported by a company that has less of a budget to spend on security, and fewer good guys looking for vulnerabilities that the company behind the software can then fix.
Ironically the example given, using Opera instead of Chrome, would most likely not help you anyway. Opera and Chrome are both built upon the open source Chromium project, sharing the Blink rendering engine, so any exploits that target Chrome can most likely target Opera as well.
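To make the shared-engine point concrete, here is an added example (not from the Guardian article or the original post) that reads a browser's User-Agent string and reports the engine underneath the brand. The sample strings, version numbers and the baseline are constructed for illustration, and User-Agent strings are self-reported, so treat this as an inventory heuristic.

```python
import re

PRODUCT = re.compile(r"([A-Za-z]+)/(\d+(?:\.\d+)*)")
BRANDS = [("Edge", "Edge"), ("OPR", "Opera"), ("Vivaldi", "Vivaldi"),
          ("Chrome", "Chrome"), ("Firefox", "Firefox")]


def profile(ua: str) -> dict:
    """Split a User-Agent string into brand, engine and engine version."""
    tokens = dict(PRODUCT.findall(ua))
    brand = next((name for key, name in BRANDS if key in tokens), "unknown")
    if "Edge" in tokens:        # EdgeHTML also advertises a Chrome/ token
        engine, version = "EdgeHTML", tokens["Edge"]
    elif "Chrome" in tokens:    # Chrome, Opera 15+ and Vivaldi share this engine
        engine, version = "Blink", tokens["Chrome"]
    elif "Firefox" in tokens:
        engine, version = "Gecko", tokens["Firefox"]
    else:
        engine, version = "unknown", "0"
    return {"brand": brand, "engine": engine, "engine_version": version}


def as_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def behind_baseline(ua: str, blink_baseline: str) -> bool:
    """True when a Blink-based browser ships an engine older than the baseline."""
    p = profile(ua)
    return (p["engine"] == "Blink"
            and as_tuple(p["engine_version"]) < as_tuple(blink_baseline))


# Constructed sample strings and baseline; the versions are illustrative only.
WIN = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
FLEET = {
    "chrome": WIN + "Chrome/51.0.2704.103 Safari/537.36",
    "opera": WIN + "Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0",
}
BASELINE = "51.0.2704.0"

if __name__ == "__main__":
    for name, ua in FLEET.items():
        print(name, profile(ua), "behind baseline:", behind_baseline(ua, BASELINE))
```

What matters for patching is the engine version column, not the brand column.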
6. Browse the web incognito
VPNs (virtual private networks) typically route all your traffic through a foreign country and company, which removes your legal protections. If that doesn’t faze you that’s fine, but VPNs are slower and they aren’t foolproof. For example, Netflix can often tell when one is in use and will stop you from enjoying their far better American library.
7. Set your router to a stealth mode
Stealth mode: sounds cool. This involves stopping your router actively broadcasting its SSID (the name of your WiFi), so any malicious actor would have to both work out the SSID and guess your wireless password, instead of just guessing (brute-forcing) the latter.
The problem is anyone scanning for wireless SSIDs will also scan for hidden SSIDs and won’t take long to find it. Your laptop and phone will blindly broadcast it as well, so there’s really no point to this.
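Why hiding the SSID achieves so little, as an added example that is not part of the original post: it parses the SSID element from 802.11 management frames and shows that only the router's beacon goes quiet, while the client's probe request and the router's reply still carry the name. The frames are constructed sample bytes with zeroed addresses, and the network name HomeNet is an assumption.

```python
# Fixed-field bytes that precede the tagged parameters, per management subtype.
SUBTYPES = {0: ("assoc-request", 4), 4: ("probe-request", 0),
            5: ("probe-response", 12), 8: ("beacon", 12)}
MAC_HEADER_LEN = 24


def ssid_from_frame(frame: bytes):
    """Return (frame kind, SSID), with SSID None when it is empty or null-padded."""
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) not in SUBTYPES:
        raise ValueError("not a supported management frame")
    kind, fixed = SUBTYPES[fc >> 4]
    pos = MAC_HEADER_LEN + fixed
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:  # element ID 0 carries the SSID
            hidden = length == 0 or not any(value)
            return kind, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return kind, None


def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a minimal, constructed sample frame (zeroed addresses)."""
    header = bytes([subtype << 4, 0]) + bytes(22)
    fixed = bytes(SUBTYPES[subtype][1])
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + fixed + bytes([0, len(ssid)]) + ssid + rates


# Constructed traffic for a "hidden" network named HomeNet (assumed name).
SAMPLES = [
    build_frame(8, b""),         # router beacon, SSID suppressed
    build_frame(8, bytes(7)),    # some routers null-pad the name instead
    build_frame(4, b"HomeNet"),  # laptop probing for its saved network
    build_frame(5, b"HomeNet"),  # router answering that probe
]


def observed(frames):
    return [ssid_from_frame(f) for f in frames]


if __name__ == "__main__":
    for kind, ssid in observed(SAMPLES):
        print(f"{kind:15} {ssid!r}")
```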
Secondly, it’s recommended to lower the transmission strength of your network. This way the network won’t cover such a large area and might not overlap with areas outside your house as much. If you do this, your neighbours may thank you as your WiFi won’t interfere with theirs, and they might be able to watch Netflix with less buffering. Unless you’re not that fond of your neighbours and don’t think this worth bothering with (especially since WiFi signal is never good enough in the first place).
8. Don’t use Windows
This again falls under the heading of ‘Obscurity is not security’. Microsoft has done a lot to harden Windows with versions 8 and 10, and they push regular security updates – I say this as a Mac user. There is no need to arbitrarily switch operating systems for the illusion of security. Instead just make sure that you are keeping your operating system up to date.
9. Check your online footprint
This is probably a good idea. I wouldn’t pay for a sweep – it may find something, but you also run into the issue of ‘once something is on the internet, it is on the internet forever’. Case in point: judging by the heat this Guardian article is getting on Twitter and the risk of it being taken down, it is now saved on the Wayback Machine, a digital archive of Internet information.
Instead, prevention is most certainly best, and googling your name every now and again as well as setting up Google Alerts can’t hurt.
While it is entertaining to make fun of poorly thought out security tips, it also gives me the opportunity to provide a few tips of my own:
1. Use an Ad Blocker
We spend a lot of time surfing the web, and as such this has become an increasingly used attack vector. Typically, malicious code is served as ads by third parties that a website uses. So even if you trust the website and those running it, you probably don’t know and thus can’t trust all the 3rd parties that they use for their ads.
This can feel a little like stealing, but many sites now (including the Guardian) prompt you to pay a subscription if you do not want to turn your ad blocker off – so that’s an option if you feel guilty. I use ABP (Ad Block Pro), but there’s also uBlock Origin and no doubt a top 10 ad blockers list somewhere. It shouldn’t be any surprise that this didn’t make the list for the Guardian’s article, because their business model relies on it.
2. Turn off Adobe Flash
Adobe Flash is notoriously unsafe, requiring critical security patches nearly every other day. Many ads rely on it, but those should have been wiped out by your (newly?) installed ad blocker. But many sites still use Flash for first party content, and if the site itself is compromised then Flash is usually the attack vector used to serve malicious content to the website visitors – that’s you. Preferably you would just uninstall it, but many popular websites still rely on it, such as BBC News and Twitch. So instead, using a browser extension (or in Chrome just ensuring ‘Always allowed to run’ isn’t checked) to set Flash to ‘click to play’ is nearly as good.
3. Common Sense
Unfortunately it isn’t always that easy. Often if we’re busy dealing with life, we let our guard down because we’re focusing on something else, but on the internet you must always be vigilant.
Recently, a friend of mine was successfully phished, but realised almost immediately, enabling them to take more effective action against it. In one of my next articles I will be covering a few basic tips that don’t require any specialist knowledge, but can help you stay safe.