Computer Security Awareness is no Longer an Option
If asked, we will all undoubtedly agree that computer security is important. But do we actually think about security in our day-to-day interactions with our computers and smartphones? Thankfully, many security threats can be avoided without really doing much. Most personal computers come out of the box with some form of user account control, a firewall, and automatic updates. Some platforms, most notably Windows, even come with antivirus or antimalware software preinstalled and running from day one. Smartphones and tablets running iOS and Android are all sandboxed, which means downloaded applications can only access files within their own specific directory and not, let's say, your contacts folder. So with all this preconfigured security, where is the threat? Why should we concern ourselves with security? Microsoft, Google, and Apple have our backs, right?
Let's start with the personal computer. The problem for most personal computers is not so much with the operating systems themselves, but with the software that is installed on them. Unfortunately, once a piece of software has been installed on a personal computer, it has a lot of freedom in what it does and what it accesses. This is especially dangerous if users are using administrative accounts, which is almost always the case. But wait, these are programs we have already screened and we know they are reputable and trustworthy; where's the threat? Do you have automatic updates activated for all of your software? For your computer's Flash, Java, Acrobat, web browser, apps, and operating system? How about your web browser's extensions and plugins? How about your hardware's drivers? Even if a program is trustworthy, it may contain bugs which can be exploited by hackers to gain access to your personal data. Frequent patches and updates are absolutely necessary to prevent this kind of intrusion, but unfortunately most users only update software if it is an automatic option, and many disable updates because they find them annoying! Smartphones have also recently been the target of hackers who have managed to break out of the sandbox on Google's Android platform. The problem was solved quickly, but only for those who updated their phones.
Ok, so we are updating all of our software and hardware; what's next? Internet use has increased enough that many users, especially of younger generations, are now much more aware of some of the most common threats. These include:
- Malware
  - This is where a criminal tries to install malicious software on a computer, usually through an email attachment or website popup.
- Phishing
  - This is where a criminal sets up a site that looks just like another site in the hopes that users will enter their personal information, which can then be used for some form of criminal activity.
- Scams
  - This is where a criminal pretends to be someone else and tries to convince or extort information or money. Two of the most infamous and successful of these are the Nigerian and FBI scams.
- Man-in-the-Middle
  - This is where a criminal sets up listening software somewhere between a user and their destination. This can be on one of the numerous distributed Internet routing servers, but is more often done through spoofing WiFi routers and monitoring unencrypted communications.
- Dictionary Attacks
  - This is where a criminal tries to access a password-protected account using common words or phrases as passwords.
However, there are still some threats. While you may be aware of phishing, do you always verify a site's URL when you access it and make sure it is correct and that it is encrypted or, better yet, has an EV SSL certificate? It is so easy to click through a link on a search engine or in an email and enter a password without checking the URL.
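The URL check described above can be automated. The following is an added example, not part of the original article; the function name `check_login_url` and the `.test` host names are made up for illustration.

```python
from urllib.parse import urlsplit


def check_login_url(url, expected_host):
    """Return a list of reasons not to type a password into `url`.

    `expected_host` is the domain the user believes they are visiting.
    """
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # The article's first check: is the connection encrypted at all?
    if parts.scheme != "https":
        problems.append("not encrypted (scheme is not https)")

    # "https://bank.test@other.test/" really goes to other.test; the text
    # before '@' is only a user name and is easy to misread as the site.
    if parts.username is not None:
        problems.append("userinfo before '@' hides the real host")

    # Punycode labels can display as characters that imitate another name.
    if host.startswith("xn--") or ".xn--" in host:
        problems.append("punycode label: may render as a lookalike name")

    # The article's second check: is this actually the right site?
    # Only an exact match or a true subdomain counts.
    if host != expected_host and not host.endswith("." + expected_host):
        problems.append(f"host {host!r} is not {expected_host!r} or a subdomain of it")

    return problems


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in [
        "https://www.example-bank.test/login",
        "http://example-bank.test/login",
        "https://example-bank.test@login.other.test/",
        "https://example-bank.test.secure-login.test/",
    ]:
        print(link, "->", check_login_url(link, "example-bank.test") or "ok")
```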
In addition to phishing, strong passwords are not always so strong. For example, do the passwords you use contain easily identifiable patterns such as birth dates or an address? Do you use the same password for multiple accounts? This last one is important because it can significantly increase your exposure: only one server among many needs to be hacked and all of your accounts are vulnerable. More subtle is the use of keychains such as Safari's autocomplete for online forms. If a keychain is used, it will mean that there is a single password controlling access to ALL of your information, both locally and in the cloud. Is it a strong password? Do you feel comfortable using one password for all of your information?
Man-in-the-Middle attacks are also sometimes more subtle. We are all so used to accessing unknown and unsecured wireless networks. Is that really a Starbucks router, or did someone just set up a router that is broadcasting its name as Starbucks-WiFi? Are you only using secured communication while on these networks, such as HTTPS or FTPS / SFTP? This is especially important if using old FTP-based software, as passwords are transmitted in PLAIN TEXT!
Now, some of the less known threats to personal computers are related to routers, hard drive encryption, file downloads, and what is called social engineering. Unfortunately, common household routers have become a target for hackers due to the numerous and easily exploitable holes in their firmware. This is an ongoing problem that most router companies don't seem interested in fixing, so if you are cautious you should treat all networks as though they are public and keep your communications encrypted. This is especially important for any network attached storage (NAS), which should at the very least be encrypted.
Not only should NAS devices be encrypted, but also any other removable storage that has sensitive information on it. This includes your computer's hard drive, external hard drives, THUMB DRIVES, and discs. If your computer is stolen and your information is not encrypted, a thief may be able to gain a good deal of information from your computer that could be used in fraud. Thumb drives are especially important as they are very easy to misplace! Encrypted virtual drives are also an excellent way to store information on a computer if full encryption does not make sense, such as for a hard drive with an OS installed which may also have a lot of media such as music and videos.
Speaking of media, viruses can be embedded in or masquerade as just about any format, including photos, videos, and, more notoriously, PDFs. While it is difficult to embed a virus into a photo or video, which will usually depend on vulnerabilities in viewing software, it is fairly easy to disguise a virus executable as a jpg or mp3 which will then run once double-clicked. PDFs are more dangerous as they can run scripts embedded in the file and can even access the internet to download information! So always make sure to run antivirus software on everything you download, or run your browser within a sandbox or virtual machine to prevent infection.
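A download can be screened for the disguise described above by comparing its name with its first bytes. This is an added example, not part of the original article; the function name `inspect_download` is made up, and the signature tables list only a few common file signatures.

```python
import os

# Leading bytes of common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "Linux ELF executable",
    b"\xcf\xfa\xed\xfe": "macOS Mach-O executable",
    b"#!": "script with an interpreter line",
}

# Signatures that files with these extensions normally start with.
MEDIA_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"),
    ".pdf": (b"%PDF-",),
}

# Extensions that run code when double-clicked on Windows.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def inspect_download(filename, head):
    """Return findings for a file name and the first bytes of its content."""
    findings = []
    # Windows ignores trailing dots and spaces, so "a.exe ." is still "a.exe".
    lowered = filename.lower().rstrip(" .")
    stem, ext = os.path.splitext(lowered)
    inner_ext = os.path.splitext(stem)[1]

    # "song.mp3.exe": looks like media when extensions are hidden.
    if ext in RISKY_EXTENSIONS and inner_ext in MEDIA_MAGIC:
        findings.append(f"double extension: looks like {inner_ext}, runs as {ext}")

    # Executable content behind a harmless-looking name.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic) and ext not in RISKY_EXTENSIONS:
            findings.append(f"content is a {kind} but name ends in {ext or '(none)'}")

    # Content that is not what the extension promises.
    expected = MEDIA_MAGIC.get(ext)
    if expected and not head.startswith(expected):
        findings.append(f"content does not start with a {ext} signature")
    return findings


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the file).
    print(inspect_download("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
    print(inspect_download("holiday.jpg", b"MZ\x90\x00\x03"))
    print(inspect_download("song.mp3.exe", b"MZ\x90\x00\x03"))
```

A clean result only means the name and content agree; it does not replace the antivirus scan or sandbox the article recommends, especially for PDFs with embedded scripts.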
Social engineering is less common, but also much more dangerous. This is where a criminal tries to elicit information from you by pretending to be someone else, but is usually one-on-one as opposed to phishing, scams, or man-in-the-middle. For example, someone may pretend to be a maintenance worker, give you a phone call pretending to be your internet service provider, or be someone who just needs to use your phone to make a call. You may think this could never happen to you, but if the thief does their research and targets you specifically, they can be very convincing. Some thieves will also monitor social networks to gain valuable information, such as if someone is leaving for vacation or if they got a new fancy sports car.
Finally, we come to mobile devices, which are perhaps the greatest threat of all to the security of your personal information. The real problem with mobile devices is that they provide many more and less secure access points to your personal information than ever before, and they are easy to lose or be stolen. We all want access to all of our information no matter where we are. We also want that access to be as easy as possible. A very popular solution to both of these problems is to store everything in the cloud, including keyrings, and use any of our devices to access any of this information. The problem with this strategy is that there is only one password separating a potential hacker from all of your information and possibly access to your other devices. To make matters worse, this 'password' is usually just a PIN! Not only are PINs way too short and easily seen by looking over someone's shoulder or in a window, they can also be inferred from smudge or wear patterns on the device's surface! Also, many mobile devices do not come preconfigured with encryption, which must instead be activated by the end user after their purchase. So if you are going to be in the cloud, create strong passwords, keep track of that phone, and understand the risks!
Aside from passwords and the like, mobile devices are also often used to broadcast our current locations, which could be used by thieves or worse to target us.
So what is the point of this rather lengthy discourse? Security is not guaranteed, and it is important for all of us to be aware of the increasingly sophisticated threats that exist today!