Privacy and Security
I will be blunt. People don’t think about their privacy or security. Why should they? We live in a complacent society, with expectations installed in us by the media and by the advertising of governments and companies. Our upbringing comes from family and friends and from the institutions that taught us, like public education. The core of society is belief in the institutions that make up that society, and that kind of thinking translates down to every level of our lives. We trust the institution of education. We trust the institution of law and justice. Some of us even trust the institution of government, and while many of us don’t fully trust it, we accept it as it is. We trust that the people we interact with are not going to steal from us or kill us. We trust that the person driving the bus is a professional and will not get us killed. Society cannot work without some level of trust. And it is for this reason that most of us do not second-guess what is.
When we turn on a computer we trust that the computer is not spying on us. When we go to a website, we trust that the website only collects the information it needs to provide us with a service. We trust that the company or the person behind the website has no ulterior motives. When we provide our credit card number for an online purchase we trust that the information will get from our computer to the seller safely.
We trust too much.
The sad fact is simple: if money can be made by stealing your information, then someone out there is going to try to steal your information. And the digital age has made this very easy. Most people only think about credit cards. They don’t think about information such as their address, phone number and name. And, most of all, they don’t think about their usernames and passwords.
I am not going to go into much detail about what people can do with this information. For that you can google it. The biggest concern I have for my clients is usernames and passwords. They are the keys to our digital lives. With them, unscrupulous, profiteering criminals can take your digital life away from you. You can lose access to a decade of photos stored on a website. They can read your emails, cut you off, and even pretend to be you. You can lose your reputation, money, respect, memories, history and convenience. They can harm your non-digital life by damaging your credit. They can steal from your friends. A stalker could even cause physical harm to you or someone you love. Frankly, the what-ifs are endless.
So are the methods of attack used to get at your information, usernames and passwords. And while no one is perfect and no technology is perfect, there is a lot of room for improvement: simple choices and simple tools that change the entire scope of your exposure to criminals.
Here is the important part. What matters for the common person is finding a good balance between protection and convenience. Security geeks lose sight of the ease-of-use and convenience factor that most people would rather have than super-tight, complex security that offers the most protection. For the security geek there is no compromise, and honestly it really should be that way. But that isn’t how it is. Most of us choose to expose ourselves and our information in trade for simplicity and convenience. So I am writing this on the premise of what the majority will actually do versus what we should do.
Let’s talk web browsers. The first step in security is the first tool you interact with to use the internet. On the desktop side that means a generic or company-branded Microsoft Windows computer or an Apple Mac; on the mobile side it is a spread of products across iOS, Android, BlackBerry and Windows Mobile. Google Chrome, Internet Explorer, Mozilla Firefox and Apple’s Safari make up the majority of browsers in both the desktop and the mobile space. I am mostly going to talk about security on the desktop.

What I will say about laptops and mobile devices is this: you should not be doing anything sensitive at all, period, ever, on an internet connection shared with other people. In other words, any connection that is not the one you set up yourself at your own house. And if you must, I highly recommend not using wifi. Turn it off and use the mobile data provided by your cell phone carrier.

So, back to the browser. The only viable option for secure and safe use of the internet is to use a secure and safe browser. Google Chrome, Mozilla Firefox and Apple’s Safari fit that definition. Internet Explorer does not. The first thing I will say is: do not use Internet Explorer.
Use Google Chrome, Mozilla Firefox or Apple’s Safari. Do not use Microsoft Internet Explorer.
The next critical step is how we use our web browsers. Time and time again I see the same thing from users. They do not know the URL (address) of the website they want to visit, or they do know it but don’t type it in. We have become a search-engine society, and modern browsers do not help by putting the search function and the address function in the same box. Sure, it’s convenient to just type “TD Canada Trust” into the bar and let the search engine give you a list of clickable links. It’s easy.
One way criminals steal usernames and passwords is by registering domains that look like the one you want to go to and putting up a fake site that looks like the real one. It is easy to make a visible link that reads www.hotmail.com but really takes you to www.hotmall.com, and easy enough to build a fake website that looks like the real thing just to collect your login details. This is phishing. The attacker who collects your details can then go to the real site and do bad things to you.
Another problem is links that take you to the non-secure version of a website, which then redirects you to the secure version.
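The two tricks above, a link whose visible text names one site while its real destination is another, and a destination that is a one-letter edit away from a site you trust, can both be checked mechanically. The following is an added example, not code from the original article; the trusted-site list and the sample links are constructed for illustration, and the "one or two edits" threshold is an assumption, not a published rule. It runs under Node.js, which provides the WHATWG `URL` class globally.

```javascript
// Added example: flag a link that reads like one site but points at a look-alike.

// Hypothetical list of sites the user actually logs in to (constructed for the example).
const TRUSTED_HOSTS = ["hotmail.com", "paypal.com", "gmail.com"];

// Drop a leading "www." so www.hotmail.com and hotmail.com compare as the same site.
const bare = (host) => host.replace(/^www\./, "");

// Hostname the browser will really connect to, or null if the href is not a URL.
function destinationHost(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Hostname named by the visible link text ("www.hotmail.com", "https://hotmail.com/x"),
// or null when the text is just words like "Sign in".
function hostFromText(text) {
  const t = text.trim();
  const withScheme = /^[a-z]+:\/\//i.test(t) ? t : "http://" + t;
  try {
    const h = new URL(withScheme).hostname.toLowerCase();
    return /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(h) ? h : null;
  } catch (e) {
    return null;
  }
}

// Levenshtein edit distance: hotmall.com is 1 edit from hotmail.com.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// Verdict for one <a> element: its visible text and its href.
function checkLink(text, href) {
  const dest = destinationHost(href);
  if (!dest) return { verdict: "unparseable", dest };
  const shown = hostFromText(text);
  // 1. The text names a site, but the href goes somewhere else: the classic bait.
  if (shown && bare(shown) !== bare(dest)) return { verdict: "mismatch", shown, dest };
  // 2. The destination is one or two edits from a trusted site: a probable typosquat.
  for (const trusted of TRUSTED_HOSTS) {
    const d = editDistance(bare(dest), trusted);
    if (d > 0 && d <= 2) return { verdict: "lookalike", dest, resembles: trusted };
  }
  return { verdict: "ok", dest };
}

// Constructed sample links, as they might appear in a phishing email.
const SAMPLE_LINKS = [
  ["www.hotmail.com", "http://www.hotmall.com/login"],
  ["Sign in", "http://www.hotmall.com/login"],
  ["hotmail.com", "https://www.hotmail.com/"],
];
for (const [text, href] of SAMPLE_LINKS) console.log(text, "->", href, checkLink(text, href).verdict);
```

In a real browser extension the same `checkLink` would run over `document.querySelectorAll("a[href]")` using each element's `textContent` and `href`; the edit-distance check also catches the typosquat when the link text is just "Sign in" and gives nothing away.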
Good practice is to know the place you want to go and type it in. Do not rely on a search engine except when you are trying to discover new things. If you don’t know the address of your bank’s website, call the bank and ask, or look on your bank card; it will be listed there. Do not type GMAIL into the search bar and then click a link to Gmail. Put in the address https://www.gmail.com. And let me be clear here: not www.gmail.com. I included the https:// for a reason, which I will explain next.
Almost no one ever puts the http:// or https:// in front of a website address. Mostly that is because people don’t use addresses any more; they prefer to search and click. But let’s assume you don’t do that, or that you are going to follow the advice above and start typing the address. Web browsers fill in the missing http:// on their own, and they default to http://, not https://. Every website accepts http, but not every site accepts https, and browsers do not want to default to something that might not work and result in complaints and support calls. It does matter for your security, though. Almost every secure connection a user makes to a website starts from a redirect: you type paypal.com, your browser turns it into http://paypal.com, and when the request reaches http://paypal.com the site redirects you to https://www.paypal.com.
What’s wrong with this? http is not secure; https is. During the http step, before the redirect, an attacker sitting on your network path can hijack the exchange: instead of being redirected to the real https site you end up on the attacker’s plain http copy of it, while the attacker holds the real https connection to the server, so the server believes the session is secure. This is referred to as a man-in-the-middle attack. If you share an internet connection with a landlord, use public or open connections, or share a network with a roommate or family member, these attacks are easy enough to set up. For those who know what Tor is, it is not hard to compromise the traffic leaving an exit node this way. Moxie Marlinspike, who wrote sslstrip, a tool that performs exactly this kind of attack, ran it on a Tor exit node and showed that he could harvest credit card numbers, usernames and passwords from the traffic coming out of his node. So type in the address, include the https://, and if it is a site you visit regularly, bookmark that https address.
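To make the redirect-stripping attack concrete, here is an added example (not code from the original article or from sslstrip itself) that models the three parties: the browser that fills in http://, the real site that answers plaintext requests with a redirect to https, and an attacker on the plaintext leg who rewrites every https:// he sees to http:// and quietly holds the real https connection upstream. The paypal.com addresses, the response bodies and the browser behaviour are a simplified model constructed for the example; no network traffic is sent. It runs under Node.js.

```javascript
// Added example: how a downgrade attack rides on the http -> https redirect.

// Rewrite one plaintext HTTP response the way an sslstrip-style proxy does: every
// https:// reference becomes http://, and the proxy remembers which hosts it downgraded
// so it can open the real HTTPS connection itself when the victim's http request arrives.
function downgradeResponse(response, strippedHosts) {
  const out = { status: response.status, headers: { ...response.headers }, body: response.body };
  const rewrite = (url) => {
    try { strippedHosts.add(new URL(url).host); } catch (e) { /* not a parseable URL, leave host map alone */ }
    return "http://" + url.slice("https://".length);
  };
  if (out.headers.location && out.headers.location.startsWith("https://")) {
    out.headers.location = rewrite(out.headers.location);
  }
  out.body = out.body.replace(/https:\/\/[^\s"'<>]+/g, rewrite);
  return out;
}

// Model of the real origin: plaintext requests are bounced to https://www.<site>/,
// https requests get the login page (body constructed for the example).
function originRespond(url) {
  const u = new URL(url);
  if (u.protocol === "http:") {
    const target = "https://www." + u.hostname.replace(/^www\./, "") + u.pathname;
    return { status: 301, headers: { location: target }, body: "" };
  }
  return { status: 200, headers: {}, body: '<form action="https://' + u.host + '/login" method="post"></form>' };
}

// Model of the browser: fill in a missing scheme with http://, follow redirects, and
// report where the user ends up and whether the attacker ever saw a plaintext leg.
function navigate(typed, attackerOnPath) {
  let url = /^https?:\/\//i.test(typed) ? typed : "http://" + typed;
  const stripped = new Set();
  let attackerSawPlaintext = false;
  for (let hops = 0; hops < 5; hops++) {
    const u = new URL(url);
    let resp;
    if (u.protocol === "http:" && attackerOnPath) {
      // Plaintext leg: the attacker relays the request upstream (over https if this is a
      // host he already stripped, so the server sees a normal secure session) and
      // rewrites the answer before the browser ever sees it.
      const upstream = stripped.has(u.host) ? "https://" + url.slice("http://".length) : url;
      resp = downgradeResponse(originRespond(upstream), stripped);
      attackerSawPlaintext = true;
    } else {
      // An https request from the first hop gives the attacker nothing to rewrite.
      resp = originRespond(url);
    }
    if (resp.status === 301) { url = resp.headers.location; continue; }
    return { finalUrl: url, secure: url.startsWith("https://"), attackerSawPlaintext };
  }
  throw new Error("too many redirects");
}

console.log("typed paypal.com, attacker present:", navigate("paypal.com", true));
console.log("typed https://www.paypal.com, attacker present:", navigate("https://www.paypal.com", true));
```

The two runs differ only in what was typed: with `paypal.com` the victim finishes on an http page whose login form now posts in the clear through the attacker, while the server sees an ordinary https session; with `https://www.paypal.com` the first request is already encrypted and there is no plaintext response for the attacker to rewrite.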
Use the real address and type it in. Don’t search and click. When it is a secure site, type the https:// with the address. This is easy to do and not a burden on users. And don’t log in to sensitive things on other people’s networks that you don’t or can’t trust.
Passwords and usernames
I say this as an absolute, not a suggestion: use a different password for every single website. Never use the same password twice. I care far less about a password being easy to guess than about it being repeated. The most common way to get a password is social engineering, that is, tricking the user into giving it up freely. I send you an email pretending to be your bank. You click the link in my email, land on a fake website and type in your username and password thinking you are at your bank. Now that I have the password, I try the same username, email and password on other sites such as your email account. That is where the chain starts, and the next thing you know you are locked out of Twitter, Facebook, Gmail and so on because you used the same password everywhere.

Use a password manager to store the passwords. Or write them down in a book, but don’t lose the book or let other people get at it. Never share a password with anyone. Some websites store passwords without hashing or encrypting them, so a single breach of such a site hands out your password in a form anyone can read with simple tools. That is one more reason a different password for every site is best.

This is where I get yelled at by the all-or-nothing security geeks. I suggest an online password manager like LastPass. It gives up some personal control and security for convenience, but in this case the convenience is what will actually get you to use a different password for every site, which I feel matters more than handing an online service some control over your personal data. It is a compromise between die-hard security and something easy enough that you will keep using it. The alternative is a local program that stores passwords, but generally people stop using those after a short time because they don’t like opening the program to copy and paste. A plugin like LastPass fills in the fields for you. There are other advantages regarding keyloggers and spyware, but I am not getting into that in this article.
Don’t share passwords. Use a different password for each site and record it, preferably with a password manager like LastPass that makes using a different random password for every site easy.
Additional Safety (Set Up and Forget)
Set up OpenDNS for your devices and your house, and set it to block known malware sites and other bad sites. It’s a blacklist, so it only protects you from what OpenDNS already knows about, but it’s a good start.
Use the plugin HTTPS Everywhere. It carries a whitelist of sites known to support https and sends you to the https version of those sites by default. If you are typing the full address anyway you shouldn’t need it, but it is useful if you forget, or if you are going to a site and don’t know whether it offers https.
Use the LastPass plugin to manage passwords and fill them into the login fields for you.
I like using Adblock. It is not so much a security tool, but it hides you from marketing companies, gets annoying ads out of the way and speeds up the general internet experience, potentially reducing memory usage too.
I also like the WOT plugin, which marks websites green, yellow or red in Google searches based on community input. If it’s a safe site it’s green; if it’s dangerous in some way it’s red. It lets you know before you click.
This article only covers internet usage. There is a lot that should be done to secure the computer itself as well, because a single virus can defeat everything listed here. But assuming your computer is in good health, how you use the internet is a very big part of things, and a few simple tips like these go a long way toward better security without being a burden. I would love to convince everyone to use encrypted email, but some technologies are more of a pain to use than they are worth for the common person, and they require mass adoption to be effective. We are not there yet.
Links to some of the technologies described in this article, and a video on the subject:
HTTPS Everywhere https://www.eff.org/https-everywhere
Interesting video about hacking SSL https://www.youtube.com/watch?v=MFol6IMbZ7Y