Yesterday I had the privilege of attending a Cybersecurity Town Hall with Congressman Mike Honda, as well as members of the FBI and U.S. Secret Service. The overarching theme of this event was how we, as citizens, can improve our personal cybersecurity hygiene. While this topic is broad, and this particular event was hours long, at the end, the presenters were asked to summarize their findings into the top three things we can do right now to better protect ourselves:
While the presenters covered a variety of attack types ranging from spear phishing to implementing RAM scraping malware to collect customer credit card data at point-of-sale systems (an incredibly effective technique, apparently), these three recommendations will go a long way in preventing common attacks, and protecting you in the off chance that you do get hacked. Since it can be quite difficult to know what exactly to do next, I’d like to walk you through a step-by-step process of protecting yourself based on my experience/research. Let’s dive in. . . .
I wrote about this recently, but I rarely come across individuals who execute this step correctly. Backing up your data doesn’t mean simply copying your computer’s files over to an external drive; it means verifying that your backups are intact to begin with and that your backups are reliable (and not subject to single-region geographic disasters). First of all, you should be running some sort of antivirus software on your machine prior to backing anything up. Otherwise, you could also be backing up malware and the like (I have seen this happen, and you will receive virus warnings each time you connect to your backup).
Malware and various viruses will often come through via your email, so if you are using third-party email software, make sure you aren’t downloading attachments by default. If you are, and you receive something dangerous, your antivirus software will complain. If you are backing up your locally-hosted email, this can create a perpetual virus alert loop.
Now you’re better prepared if someone targets your machine and successfully deploys a Ransomware script (that shows a single screen with a request for money to unlock your computer and files).
I would recommend you spend a few minutes to watch this video detailing how someone goes about cracking modern passwords (including the types we previously considered “secure”) in a matter of minutes. Now that we have access to GPU clusters, which can run millions of comparisons and calculations per second, password cracking attacks can run at overwhelming speed. The old attack techniques are now running on steroids—and many common types of attacks can be run together in sequences to break apart harder passwords. I really want to emphasize how much easier this is nowadays, and if it’s easy for just one competent individual with a good GPU cluster, they can leak the compromised dataset, and thousands of other hackers (with less sophisticated gear) can use the revealed passwords to test your online systems—and own them. Don’t be stupid, use strong passwords.
To cut to the chase, your password should be a string of randomly generated gobbledygook (using a mix of case, characters, numbers, and weird symbols) that you couldn’t reproduce under any circumstance. You shouldn’t “know” any of your passwords, and every password you use should be different. Use a password management system, like 1Password (standalone version), and for the love of all that is good—run it locally, and don’t save all of your passwords in the cloud! Saving passwords to the cloud is a huge strategic risk that depends on the security practices of the company, even if said company is hashing the password database: a leaked password repository is a huge payoff for password cracking efforts, since it gives attackers every password at once if they determine your master password.
You can easily generate highly secure passwords with 1Password (in 10 seconds or less). Your passwords should be as complex and long as the site you are generating them for will allow. For example, a 64-character long string of insanity (many sites only allow 32-34 characters for some reason). I don’t care if you don’t want to spend the time going through and changing all of your passwords—do it. Also, do it every so often—or just change your most high-leverage passwords every couple of months (e.g., Gmail, Twitter, Facebook). If you are using fake email accounts for spam newsletters, that’s less important. Focus on the systems that would change your life if compromised.
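To make "as complex and long as the site will allow" concrete, here is an added example (not from the original post and not how 1Password itself works) that generates a random password capped at a site's length limit and estimates how long exhaustive guessing would take. The guess rate passed in `__main__` is an assumed figure, not a measurement.

```python
import math
import secrets
import string

# 94 printable symbols: upper case, lower case, digits, punctuation
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(site_max_len, want_len=64):
    """Random password of want_len characters, capped at the site's limit."""
    length = min(want_len, site_max_len)
    if length < len(CLASSES):
        raise ValueError("limit too short to include every character class")
    while True:
        # secrets draws from the operating system's CSPRNG
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every class appears, since many sites demand it;
        # at 32+ characters this discards almost nothing.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    assumed_rate = 1e12  # assumption: guesses per second for a fast offline attack
    for length in (8, 32, 64):
        bits = entropy_bits(length)
        print(f"{length:>2} chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, assumed_rate):.3g} years to exhaust")
    print(generate_password(site_max_len=32))
```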
This is a funny one, because the presenters merged two concepts into one final recommendation. I’ll separate them out and address each in turn.
Careful about your link clicks
First of all, I would suggest running a browser plugin to block external ad calls—like uBlock Origin, since external ad calls are a common and successful way for attackers to introduce malware using seemingly harmless ads. It also significantly speeds up page loading times, since many external code requests won't load. The downside is a few news outlets will prevent access to content if you run an ad blocker, but I don’t care. Staying safe and maintaining personal privacy is more important to me, and I can always run their trusted sites using another browser, for example.
Many attacks rely on automatically downloading a piece of code, or initiating a script of some sort when you click a link. This is common sense to a degree, but be vigilant about what links you click. Better to be overly suspicious than download malware that somehow penetrates your networks and personal email accounts. I see this happen regularly to people I know, who have me in their email address books, and then I receive a shady email that could spread like a chain letter in the event I wasn't careful.
Practice safe thumb drive sharing
Don’t use random thumb drives you receive for free at conferences. Make no assumptions about the quality of the drive. Don’t install thumb drives from anyone, basically. Does someone need to share a PowerPoint deck? Email it or use a service like Dropbox. Buy your thumb drives and keep them safe. I might do a future post with specifics for doing this in a step-by-step way, but dirty thumb drives take down top operatives. One of the presenters walked through how he was infected with a virus by a trusted entity using a thumb drive—because people we like can overwhelm our usual security practices.
Following these steps will not only increase your level of personal safety in the cybersecurity domain, but ensure that you have a plan if you are attacked by something less preventable. Backups are essential, strong passwords are a must, and being smart about how you allow access to your machine is something everyone needs to prioritize. If someone won’t allow me to share a thumb drive, I respect that, even if it is a pain to me in the moment. It’s the right thing to do.
Nick Warren is the Founder & CEO of MetaSensor, a venture-backed IoT startup located in Silicon Valley, and a consulting Product Designer at the Center for Advanced Hindsight (with Dan Ariely et al.).