The CANS Guide to Not Getting Hacked

KEEP YOUR APPS UP TO DATE

Probably the most important and basic thing you can do to protect yourself is using up-to-date software. That means using an updated version of whatever operating system you’re using, and updating your apps and software. Bear in mind that you don’t necessarily have to use the latest iteration of an operating system, such as, say, Windows 10. (In some cases, even slightly older versions of operating systems get patched. Sorry, that’s not the case with Windows XP, stop using it!) What’s most important is that your OS is still receiving security updates, and that you’re applying them. So if you come away with one lesson from this guide, it should be: update, update, update, or patch, patch, patch.

Many common cyberattacks take advantage of flaws in outdated software such as old browsers or PDF readers. By keeping everything up to date, you have a way lower chance of becoming a victim of ransomware, for example.

PASSWORDS

We all have too many passwords to remember, which is why people just reuse the same ones over and over. And even though our brains aren’t actually that bad at remembering passwords, it’s almost impossible to remember twenty or more unique and strong passwords.

The good news is that the solution to this problem is already out there: password managers. These are apps that keep track of passwords for you, automatically help you create good passwords, and simplify your online life. If you use a manager, all you have to remember is one password, the one that unlocks the vault of your passwords.

Intuitively, you might think it’s unwise to store your passwords on your computer. What if a hacker gets in? Surely it’s better that I’m keeping them all in my head? Well, not really: for most people’s threat models, the risk of a crook taking advantage of a shared password on a website is far greater than some sophisticated hacker dropping a load of super-fancy malware onto your device. Again, it’s all about understanding your own threat model.

So, please, use one of the many password managers out there, there’s no reason not to do it. It will make you—and the rest of us!—safer, and it’ll even make your life easier.

TWO-FACTOR AUTHENTICATION

Having unique, strong passwords is a great first step, but even those can be stolen. So for your most important accounts (think your main email, your Facebook and Twitter accounts) you might want to add an extra layer of protection known as two-factor (or two-step or 2FA) authentication.

By enabling two-factor you’ll need something more than just your password to log into those accounts. Usually, it’s a numerical code sent to your cellphone, or it can be a code generated by a dedicated authenticator app (which is great if your cellphone doesn’t have coverage at the time you’re logging in).

There’s been a lot of attention recently around how mobile phones may not be suitable as 2FA devices. Activist Deray McKesson’s phone number was hijacked, meaning hackers could then have the extra security codes protecting accounts sent straight to them. And the National Institute of Standards and Technology (NIST), a part of the US government that writes guidelines on rules and measurements, including security, recently discouraged the use of SMS-based 2FA.

The attack on Deray was low tech: It essentially involved getting his phone company to issue a new SIM card to the attackers. It’s hard to defend against that, and there are other ways to get those codes sent via SMS, as text messages can, in theory, be intercepted by someone leveraging vulnerabilities in the backbone that carries our conversations. There is also the possibility of using an IMSI-catcher, otherwise known as a Stingray, to sweep up your communications, and verification texts too.

But apart from the trick of getting a new SIM card, these are attacks that are not trivial to pull off, not just because they might require specific hardware like Stingrays, but also because they are relatively expensive. So, realistically, for the vast majority of people, SMS 2FA is still a robust security measure that does what it’s designed to do: add an extra layer on top of your password, which might get phished or otherwise stolen.

You could, if the website allows it, use another 2FA option that isn’t SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator), or a physical token like a Yubikey. If that option is available to you, it’s a great idea to use it. But it would be foolish to disregard SMS 2FA altogether, especially if you’re not under targeted attack.

2FA is a great way to make it nearly impossible for average cybercriminals to break into your most important accounts. You can check out all the services that offer it and how to turn it on here.

A 2FA token like a Yubikey (pictured) can be a more secure 2FA solution that doesn’t require a cell connection.

DOs & DON’Ts

Don’t use Flash: Flash is historically one of the most insecure pieces of software that’s ever been on your computer. Hackers love Flash because it’s had more holes than Swiss cheese. The good news is that a lot of the web has moved away from Flash so you don’t really need it anymore to still enjoy a fully-featured and rich browsing experience. So consider purging it from your computer, or at least change the settings on your browser so you have to click to run Flash each time.

Do use antivirus: Yes, you’ve heard this before. But it’s still (generally) true. Antiviruses are actually, and ironically, full of security holes, but if you’re not a person who’s at risk of getting targeted by nation-state hackers or pretty advanced criminals, having antivirus is still a good idea. Still, it’s far from a panacea, and in 2016 you need more than that to be secure.

Do use some simple security plugins: Sometimes, all a hacker needs to pwn you is to get you to the right website—one laden with malware. That’s why it’s worth using some simple, install-and-forget-about-it plugins such as adblockers, which protect you from malvertising threats presented by the shadier sites you may wander across on the web. (We’d naturally prefer if you whitelisted Motherboard since web ads help keep our lights on.)

Another useful plugin is HTTPS Everywhere, which forces your connection to be encrypted (when the site supports it). This won’t save you if the website you’re going to has malware on it, but in some cases, it helps prevent hackers from redirecting you to fake versions of that site (if there’s an encrypted one available), and will generally protect against attackers trying to tamper with your connection to the legitimate one.

Do use VPNs: If you’re using the internet in a public space, be it a Starbucks, an airport, or even an Airbnb apartment, you are sharing it with people you don’t know. And if some hacker is on your same network, they can mess with your connection and potentially your computer.

Don’t overexpose yourself for no reason: People love to share pretty much everything about their lives on social media. But please, we beg you, don’t tweet a picture of your credit card, for example. More generally, it’s a good mindset to realise that a post on social media is often a post to anyone on the internet who can be bothered to check your profile, even if it’s guessing your home address through your running routes on a site like Strava, a social network for runners and cyclists.

Personal information such as your home address or high school (and mascot, which is a Google away) can then be used to find more information via social engineering schemes. The more personal information an attacker has, the more likely they are to gain access to one of your accounts. With that in mind, maybe consider increasing the privacy settings on some of your accounts too.

Don’t open attachments without precautions: For decades, cybercriminals have hidden malware inside attachments such as Word docs or PDFs. Antiviruses sometimes stop those threats, but it’s better to just use common sense: don’t open attachments (or click on links) from people you don’t know, or that you weren’t expecting. And if you really want to do that, use precautions, like opening the attachments within Chrome (without downloading the files). Even better, save the file to Google Drive, and then open it within Drive, which is even safer because then the file is being opened by Google and not your computer.

Do disable macros: Hackers can use Microsoft Office macros inside documents to spread malware to your computer. It’s an old trick, but it’s back in vogue to spread ransomware. Disable them!

Do back up files: We’re not breaking any news here, but if you’re worried about hackers destroying or locking your files (such as with ransomware), then you need to back them up. Ideally, do it to an external hard drive while you’re disconnected from the network, so that even if you get ransomware, the backup won’t get infected.

Your life needn’t be the above-pictured cyberhell. Most hacks are opportunistic, and these basic precautions go a long way toward securing yourself. Image: Shutterstock

GO OUT THERE AND BE SAFE

That is all for now. Again, this is just meant to be a basic guide for average computer users. So if you’re a human rights activist working in a dangerous country or a war zone, or an organization building IT infrastructure on the fly, this is certainly not enough, and you’ll need more precautions.

But these are common sense essential tips that everyone should know about.

And remember, always be vigilant!
