I remember as an eight-year-old watching sci-fi films and imagining our world with robots, self-driving cars and thought reading devices. I always thought I would never actually see any of that come to fruition in my lifetime. Now, a few years on, I’m not too excited about approaching fifty years old but I am excited that what was once stuff of my dreams is not only possible but a reality that is with us right now. With technology advancing at a rate very few ever thought possible forty years ago I constantly find myself in awe of new scientific developments and I realise I will see so much more than I could ever have imagined.
As with technology, cybercrime also evolves just as fast and cyber criminals have many different methods with which to get the job done. Yesterday it was ransomware, today it is cryptojacking, tomorrow, who knows, maybe brain hacking!
I have been involved in communications solutions and security in both the technological and physical sense since the 80’s. I’ve worked with government departments, law enforcement, security organisations and large service providers and have seen first hand how criminals evolve to stay ahead of crime defence initiatives.
At this point I was going to add in a frightening statistic or two but we all know cybercrime happens and while there is the technology to propagate it, it is unlikely to go away. Rather than spout on about how many attacks there are I’ll concentrate on how you can avoid becoming a victim.
I often get asked about how companies and individuals can protect their information and property in such a fast-moving technical environment, be it corporate or personal. Well, I could go on for hours about data encryption, intrusion detection, vulnerability and penetration testing but I always say the best starting point is using some common sense. Its pretty cheap and most people are able. Let’s first look at some areas which in my opinion are easy wins.
General Common sense
We’ve all seen the emails from that rich African prince or the oil baron from the middle east that wants to give away his fortune, if you just do this or that, usually the this or that involves you paying money to ‘facilitate’ the transaction. Obviously, a scam and most of us see this for what it is but there are other unsolicited email variations, commonly called “phishing”;
- Mails asking you to reset your password due to suspicious activity. Ensure these have been sent by a genuine person or company – Check the domain if you know how or call the company in question and get the mail & the problem confirmed before clicking or opening anything attached.
- Mails asking you to open an attachment, if you weren’t expecting a mail with an attachment then there is a good chance it contains something dodgy like malware of some sort, maybe a RAT (Remote Access Trojan, not good!). A common variety of this is a receipt or travel itinerary, trouble is human curiosity kind of comes in to play here and although we know it probably isn’t for us, we need to have a quick peek! That’s what the attacker is hoping for, one peek and your infected.
- Beware of mails with attachments that are archived, this is a common trick to get around anti-malware mechanisms as they cannot scan the data in a .zip, .rar or other encrypted file archives.
Ensure your mail client automatically blocks images when you collect your mail, they can contain viruses. Only allow this if you are sure the sender is genuine.
If you use MS Office be careful of files with macros enabled, these can contain malicious code, luckily there is built-in protection to this in the form of a disablement by default. If a file you have opened contains a macro you will be warned and you can make an informed choice, if you weren’t expecting this as you were told the file is just a simple list then steer clear!
When surfing be careful of clicking advertisements, although the providers of the advertising mechanism offered to websites try their best to filter out untrustworthy ads, some may still slip through the net. These ads usually offer free goods, free holidays or free software or service like anti-malware but when clicked install malicious programs instead. Also, beware of pop-up pages and windows appearing to be a warning of some kind, a large portion of these are a warning that you have become infected with a virus and need to take action. When you click it actually then installs malware of some kind.
Some of these fake warnings sometimes contain a telephone number for you to call for IT support rather than malware itself but this is a scam where you will pay for support to remove a virus that does not actually exist.
“RATting” (infection with a Remote Access Trojan, mentioned above) is becoming more common, it can amongst other things allow your data to be copied, modified and deleted without your knowledge, it can even allow your machine’s operating system be corrupted causing a complete loss meaning you would have to re-install from scratch. Another increasingly common problem is the ability to control the resources of a compromised computer like the webcam, leaving you open to possible blackmail. An increasingly popular threat is for an attacker to add your computers resources to a bot group (a whole network of compromised computer resources) which it then uses to mine cryptocurrency for instance.
It is my opinion that you should not leave your computer switched on overnight unless you really need to. Don’t leave your computer logged in while away from the keyboard to avoid other members of your family or office using it and unwittingly allowing malicious code to activate.
Don’t put your intimate details on social media, for instance; you put your name and DOB on a public website, the cybercriminal could access this information. Bad in itself if you use any of that information within your passwords but If the cybercriminal then manages to find your bank account number and sort code (which by themselves are not a security threat) you could find yourself the victim of identity fraud. I won’t go into details about how or where to find one’s bank account details but if you think hard enough I’m sure you can figure out that they are pretty easy to get hold of.
Most operating systems have a built-in firewall, I recommend using it especially if you don’t have any other aftermarket firewall software running. Also, you may have a firewall built into your router or device which you use for your internet connection, don’t rely on just that for your firewalling as an attack can just as easily come from inside your local network, from another infected machine, say on your WiFi network.
Usernames & Passwords
With regard to login information, if possible don’t use your email address as your username as this is usually easy to obtain.
Use a different password for each purpose so that if an attacker did ever obtain your password then the rest of your logins will still be safe. Passwords should be strong, I mean use a long password which includes special characters (the likes of !&%*), also use numbers and both upper-case and lower-case letters and don’t use your date of birth, family names or any parts of your house or work addresses. Don’t use standard words as these can easily be broken by use of a ‘dictionary attack’ whereby the attacker uses software to scan through dictionary words. Basically, the stronger the password the longer it would take an attacker to break your password making it less likely to happen.
My grandad used to say “loose lips sink ships”, now I know we are not in 1942 and pardon the pun but I think that statement still holds water; Don’t tell anyone your passwords (someone untrustworthy may overhear) and make sure you don’t write them down in a place where they could be stolen, i.e. in your laptop bag, wallet or purse. If you absolutely have to write your passwords down then you should be using a super secure encrypted application (like our secure password storage software) to store them so that storage itself cannot be accessed by anyone but you.
Don’t let your browser remember your login details for any sensitive accounts, these can be viewed within the browser if an attacker gains access to your device and it obviously takes no effort at all to gain access to your accounts if you bookmarked say your bank login and let your browser auto populate the login credentials!
If you keep your passwords in an unsecure place like an excel file then ensure it is password protected. Don’t rely on your operating system login password to keep your cleartext password files safe, most OS passwords can be broken or worked around quite easily. If you use some sort of password storage software the same rule applies, use a very strong password.
If you are using your device and entering your login details in public, make sure nobody is looking over your shoulder, just as you do at the cash machine.
Software & firmware updates
Update regularly, update as soon as an update is released; Updates are released for a reason and it’s not just to force you to close all your windows then reboot in order to waste your time! Updates are not only released for harmless user experience bug fixes but also when there is a known security vulnerability that cyber criminals have already exploited. Not only should you update your operating system but also your applications, these updates apply a fix to specific security issues and keep you safe, don’t become a statistic!
WiFi networks at festivals, events or parties can be an opportunity for an attacker in a few different ways. Firstly, when you connect and are redirected to what you think is the landing page for a legitimate WiFi service it could be a ‘spoofed’ page which looks exactly like the legitimate signup page asking you for your credit card detail in order to buy your internet time. It could then be used by the criminal and you will not only get no internet connection but while you are wondering why it is not working the criminal is spending your money or selling your details.
I would also recommend steering clear of unencrypted or WEP based WiFi networks (i.e. an open or WEP network) as another method criminals can use is to sit in a coffee shop with free unencrypted WiFi and run a ‘sniffer’ which scans the network and can be used to capture your information after it leaves your device on its way to the legitimate coffee shop internet connection. For WEP networks the data is encrypted but it is easy to crack with minimal software and knowledge leaving you just as vulnerable as if you were using a network with no encryption.
Also, with regard to your home WiFi, if you are attempting your own configuration, only use WPA2. If you use WEP its very easy to obtain your password. For instance, as I touched on previously, the attacker can imitate your WiFi router and force your workstation to re-authenticate, when your workstation then goes through the authentication process again they will capture your password. You will be completely oblivious to this as it just looks like any other hiccup where your WiFi signal drops and comes back a moment later.
Most of us have at some point used a physical external storage device, these come in a few different guises but the most common is a USB stick. One thing they all have in common is they plug into your computer and store your data but they can also store malicious code.
Now I’m not about to tell you to stop using these but rather to be careful, only use a device that you yourself have bought and have kept safe, don’t borrow or use anyone else’s storage device and don’t lend yours out. One problem is that many computers will automatically initialise USB devices and that’s all that is required for the malicious code to transfer to your computer.
Find a storage device that incorporates encryption software, they are not hard to find and will protect your data with a password. This will ensure that in the event of loss or theft your data cannot be viewed or manipulated in any way without your password. Remember, the same strong password advice stands and don’t write it down on the case of the device!
There is a lot of software out there that does a good job of protecting your computer and data, I won’t mention any names here but I have my favourites. There are free programs out there although they are a little limited in some areas. I would recommend paying a small fee for one of the more comprehensive packages, when I say pay I don’t mean through the nose, they are available for less than the cost of a Valentines meal (usually for a 1-year subscription) and will love your data!
For businesses I would recommend taking on a managed service as this removes any guess-work on your part and your provider can advise and configure a bespoke, tailored solution. Also, businesses may well have a responsibility regarding the data they keep, the new General Data Protection Regulation (GDPR) asks that customer data is secured in several different ways. Non-compliance can mean hefty fines or worse.
I think I have covered the basics and I don’t want to bore anyone any further! I’ll write some more articles with some deeper technical recommendations and explanations for those of you who are interested in the more advanced options. Watch this space.