Personal internet security: how to avoid getting hacked
I’ve written about the most common hacking techniques. Now I’d like to talk about how to avoid those hacks on your personal devices. Why should you care about avoiding hacks? Here are a few examples:
- Alina’s computer was targeted by a hacker and infected by a malicious program (malware). The hacker extorted her for $1000 to regain access to her photos and documents on her computer.
- Amy Krebs clicked on what seemed like a harmless link in her email. A hacker found out her social security and other personal information, and used that information to open over 50 medical, shopping, and utility accounts in Amy’s name. Her credit score was destroyed. It took Amy 2 years and countless hours on the phone with various agencies to dispute all of the fraudulent charges and restore her credit.
- Employees at an American data storage company were spear phished, causing malware to be installed on employee computers and threatening the security of numerous American defense contractors that used the storage company.
- Miss Teen USA had her webcam hacked, and the hacker secretly took videos and photos of her for years. He then privately messaged her and attempted to extort her.
- Oh yeah, and that episode of Black Mirror (spoiler alert) where people get hacked and are extorted into robbing banks and fighting to the death.
Also, you should care about hacking because there’s overlap between business and personal security in a few ways. First, you can’t rely solely on your employer to provide all of your security. If your employer has a BYOD (bring your own device) policy, you won’t have key security techniques and software described below such as VPN, multi-factor authentication, and a malware scanner. Even if you’re using a company-provided device, this software could be missing. Second, as an employee of a company, if your devices are compromised, sensitive company data on your devices can be compromised. Third, in the process of protecting your own data, you learn key security techniques and concepts that you can apply to your company. Security on your company’s network and machines is critical to protecting your company against hackers. Hackers can compromise user data and exploit it financially. Even if your application’s user data is not inherently valuable, hacks can undermine user confidence in your company’s ability to protect them, resulting in lost users.
This blog post is relevant to both engineers and non-engineers. It started off as a personal security TODO list for myself, so it’s a bit long and dry. That’s a lot of what security is though; mitigating as many vulnerabilities as possible in a methodical way. If you’re an engineer, read the explanations of the security TODO list. If you’re a non-engineer, skip the next paragraph and just do the items on the TODO list! If the list below seems overwhelming, I’ve ranked the action items in order of security benefit + ease of implementation.
An overarching concept to this post is the concept of attack surface. Attack surface describes the number of ways in which a hacker could attack you. The greater your attack surface, the more likely that a hacker will find their way in through one of them. The number and types of devices that you own, the number of wifi networks you use, the way that you browse the internet, and the way that you manage your passwords are all typical parts of someone’s attack surface.
A caveat to all of the advice in this post is that when determining what security measures to take, you should consider your technical abilities as well as the kind of attacker you’re defending from. The question of whether or not you should install antivirus software is a good example. Antivirus software protects a user from malware by scanning downloads and attachments and removing any viruses it finds, and by scanning the user’s computer for spyware and adware. For the average person with limited technical knowledge and security training who is defending against rogue hackers, antivirus software is recommended. However, vulnerabilities have been discovered in well-known antivirus software that allow malware to subvert the antivirus software. Because antivirus software has high levels of operating system permissions, compromising the antivirus software means that the malware can gain control of the user’s entire machine. In other words, antivirus software protects people against viruses that would be a mild to severe security threat, but if someone gets a virus that compromises their antivirus software, it’s an extremely severe security threat. So if you have more security training on how to avoid malware getting on your computer in the first place, you should not install antivirus software. The question of the amount of security training necessary to avoid relying on antivirus software does not have a straightforward answer, either. Another example is that if you are a C-suite executive, employee at a defense company, or someone who’s defending against advanced persistent threat actors like the NSA or the PLA, you should consult a cybersecurity firm because the techniques in this post will make it harder for you to be hacked, but you’ll probably still get hacked due to the persistence and skill of these groups.
Personal security TODO list:
- Don’t use a public computer
- Don’t connect any device or storage device (such as a USB) that you haven’t always owned to your computer
- Don’t open any files or download any software from unverified sources
- When in doubt, assume that any internet-connected device with audio or video is spying on you.
- Make your passwords cryptographically secure
- Generate your passwords randomly
- Use a password manager such as 1Password
- Use multi-factor authentication whenever possible
- Get notified whenever your data may have been hacked
- Disable auto fill of passwords and credit card info on your iPhone
- Use HTTPS everywhere
- Use a private wifi network
- If you can’t join a private wifi network, use a Virtual Private Network (VPN)
- Be aware of phishing attacks
Private wifi network
- Give your router a cryptographically secure name/SSID and password
- Give your network a secure password
- Disable or secure your router’s guest network
- Use WPA2 for wireless encryption, and disable WPS
OS/Firmware of laptops (some advice may be Mac-specific), phones, and IoT devices such as wearables.
- Enable Find My Mac
- Lock your screen when you aren’t using your computer
- Disable sharing
- Make sure operating systems have the latest version installed
- Enable Apple FileVault
- Enable Apple Firewall
- Use a firmware password
- Install Sophos anti-virus software
- Keep your applications up to date
- Limit app permissions
- Disable bluetooth whenever possible
- Forget devices that are no longer being used, especially public devices like rental cars
Don’t use a public computer. Public computers could have malware that logs your keystrokes, captures videos of your screen, or compromises your personal information in another way. The wireless network that the computer is on could be compromised as well, meaning that a hacker could be reading internet traffic on the network. If you must use a public computer, assume that everything you’re doing is being recorded, and don’t log in to any web application.
Don’t connect any device or storage device (such as a USB) that you haven’t always owned to your computer. A hacker can install malware (a malicious program that attempts to do things the installer of the program did not intend for the program to do) onto a device, and that malware can attempt to infect any other device that’s connected to it. If you have to use the device, then find a malware scanner that will scan the device when you connect it.
Don’t open any files or download any software from unverified sources. Just as devices can harbor malware, so can software. You can have a pretty high degree of confidence that software from businesses you recognize will be safe to download. The less you know about a business, the greater risk you are taking.
When in doubt, assume that any internet-connected device with audio or video is spying on you. The NSA, the CIA, and hackers have taken control of webcams, microphones, and now (possibly) headphones. If you follow the steps in the TODO list, you minimize the risk of that happening to you. Nevertheless, there’s the possibility that you will be hacked regardless. You may have nothing illegal to hide, but in order to protect your privacy, be careful of where you store your electronics. Use tape or buy a magnet to cover your webcam when you aren’t using it.
Make your passwords cryptographically secure. This means choosing a password that has enough randomness to make it cost/time prohibitive for a computer program to guess. “Shannon entropy” measures that randomness in shannons (also known as bits, not to be confused with bits as a unit of data) by measuring the maximum number of guesses it will take to guess the password. It’s worth noting that on average, it will take half the maximum number of guesses to guess a password. Without going too much into the math,
Entropy = log2(maximum number of guesses)
For example, if you select a random letter from the alphabet for a password, that letter has 4.7 bits of entropy. Or if you select a random word from a database of 8000 words, that’s about 13 bits of entropy. This handy guideline based on recommendations from well-known security organizations recommends that you should shoot for 77 bits of entropy for most of your data (about 13 alphanumeric characters), and 90 bits for high value data such as your bank password (about 16 alphanumeric characters). Here’s a clever xkcd comic to put the concepts together.
Generate your passwords randomly. Don’t trust yourself to do this; instead, use a random password generation tool such as Diceware. Password entropy also assumes that the password generation method is not known by the attacker. For example, the password “to be or not to be that is the question” appears to have strong entropy if you just consider the number of characters:
Alpha characters + whitespace = 27
Number of characters = 39
log2(27) * 39 = 185 bits
or the number of words:
Number of words in the English language = 171K
Number of words = 10
log2(171000) * 10 = 173 bits
But you have to consider that hackers have access to databases of previously stolen passwords (this article indicates that over 1 billion hacked passwords are publicly downloadable) and common phrases in different languages. So let’s say the hacker has access to a database of 5 billion passwords, and one of the passwords is this very common literary quote. The hacker will iterate through every password in this database before assuming the password is completely random. Then the entropy is:
log2(5 *10⁹) = 32 bits
Not good. So, your password is not just about its length and complexity, but also its generation method.
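The arithmetic in the passwords section above, carried through in code. This is an added example, not code from the original post; it reproduces the post’s own figures (entropy of one random letter, one word from 8000, 77 and 90 bits in alphanumeric characters, the 39-character quote, and the collapse to about 32 bits once the quote sits in a 5-billion-entry list), and it generates passwords with the operating system’s CSPRNG via Python’s `secrets` module. The eight-word list is a constructed stand-in for a real Diceware list; the function names are the example’s own.

```python
import math
import secrets
import string

# Constructed, tiny word list standing in for a Diceware-style list (a real
# Diceware list has 7776 words); entropy is computed from the list's length.
SAMPLE_WORDLIST = ["alpha", "bravo", "charlie", "delta",
                   "echo", "foxtrot", "golf", "hotel"]
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a password built from `symbols` independent,
    uniformly random picks out of `choices_per_symbol` options.
    log2(maximum guesses) = symbols * log2(choices), because the
    possibilities for each position multiply."""
    return symbols * math.log2(choices_per_symbol)


def max_guesses(bits: float) -> float:
    """Maximum number of guesses implied by an entropy figure; an attacker
    needs about half of this on average."""
    return 2 ** bits


def symbols_needed(choices_per_symbol: int, target_bits: float) -> int:
    """Smallest number of random symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices_per_symbol))


def entropy_if_in_list(list_size: int) -> float:
    """If the attacker's guessing method enumerates a list that contains
    the password, its length no longer matters: the effective entropy
    collapses to log2(list size)."""
    return math.log2(list_size)


def random_alnum_password(length: int) -> str:
    """Alphanumeric password drawn from the OS CSPRNG (`secrets`, never
    the `random` module, which is predictable)."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def random_passphrase(wordlist, words: int) -> str:
    """Diceware-style passphrase: uniformly random words joined by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"one random letter: {entropy_bits(26, 1):.1f} bits")
    print(f"one word from 8000: {entropy_bits(8000, 1):.1f} bits")
    print(f"alphanumeric chars for 77 bits: {symbols_needed(62, 77)}")
    print(f"alphanumeric chars for 90 bits: {symbols_needed(62, 90)}")
    print(f"39 chars from 27 symbols, if truly random: "
          f"{entropy_bits(27, 39):.0f} bits")
    print(f"10 words from a 171K-word language, if truly random: "
          f"{entropy_bits(171000, 10):.0f} bits")
    print(f"same quote when it sits in a 5-billion-entry list: "
          f"{entropy_if_in_list(5 * 10**9):.0f} bits")
    print("example password:", random_alnum_password(symbols_needed(62, 77)))
    print("example passphrase:", random_passphrase(SAMPLE_WORDLIST, 6),
          f"({entropy_bits(len(SAMPLE_WORDLIST), 6):.0f} bits with this tiny list)")
```

Running it prints the post’s numbers and one freshly generated password and passphrase. The last line is the practical lesson of the section: six words from an eight-word list give only 18 bits, so a passphrase is only as strong as the size of the list it was drawn from and the randomness of the draw.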
Use a password manager such as 1Password. These programs make it easy to follow best security practices when using passwords such as:
- Generating cryptographically strong passwords via an obfuscated generation method.
- Using a different password for each application so that if one application is compromised, the damage is limited. For example, in the John Podesta hack, his Gmail account was compromised, then his Twitter account, probably because he used the same password on both sites.
- Encrypting your stored passwords
- Changing your password every 6 months by generating a new password and updating the login
Password managers require a master password, which I generate using Diceware and memorize. I use Diceware for any password I have to enter manually, and 1Password for the rest. If you’re wondering what to do for your iPhone, you should ideally use a Diceware password + Touch ID to minimize the pain of a longer password, and if you don’t use a Diceware password, you should enable the option that erases your iPhone data after 10 failed login attempts. If that sounds like too much of a pain, then just have a stronger iPhone password while you’re traveling or in some other situation when there’s a higher risk of your phone being stolen.
Use multi-factor authentication whenever possible. Multi-factor authentication involves more than one method of authentication; usually entering a password in a browser followed by entering a code texted to your phone. Multi-factor authentication provides additional security over a single password security model because in order to gain access to your account, an attacker will need to compromise multiple devices. That means that even if an attacker compromises your password, they still may not be able to access your account. Not all companies provide MFA, but key accounts that you may own such as your Gmail or iCloud account have an MFA option. Make sure you’ve set up a backup way (usually denoted as a “rescue email” or “recovery email”) to log into your account if your phone is lost.
Get notified whenever your data may have been hacked. HaveIBeenPwned.com monitors data breaches and sends you an email whenever the breaches are discovered, so that you can immediately change your password for the hacked site. Changing your password is still useful after a hack because stolen passwords may take months to be used by a hacker (or sold on black markets to be used by other hackers). In fact, you should probably sign up now because you probably have an account with one of the companies that got hacked.
Disable auto fill of passwords and credit card info on your iPhone. That prevents someone from being able to log in to every account you have stored in case your phone is stolen. Go to Settings > Safari > AutoFill to do this.
Use HTTPS everywhere. It’s a browser extension developed by the Electronic Frontier Foundation that automatically makes websites use the more secure HTTPS connection instead of HTTP, if the browser supports it. HTTPS is a URI scheme that tells the client (usually a browser) to use asymmetric and symmetric encryption via the Transport Layer Security (TLS) protocol, which is the successor to the Secure Sockets Layer (SSL) protocol, to encrypt data sent to a server, so that only the server can decrypt the data. This article provides a more in-depth summary, but a quick piece of background knowledge is that encryption is the process of encoding data with a key so that only software/hardware with the right decoder can read that data.
Here’s how the TLS handshake works using the Ephemeral Diffie-Hellman key exchange (EDH), which modern browsers are switching to in place of RSA:
- The server that the client is attempting to connect to sends the client its public key, a certificate for that key, and an ephemeral.
- The public key is paired with the server’s private key. The server does not share its private key with anyone.
- The certificate is signed with the private key of a trusted certificate authority. The client uses its embedded list of public keys of certificate authorities (check out keychain > certificates on your Mac for an example list) to decrypt the certificate signature and verify that the certificate was issued by a known certificate authority. Certificate verification is important because known certificate authorities guarantee that the certificates they issue, as well as the public-private key pair associated with each certificate, have not been issued to anyone else, are not expired, and are cryptographically secure. Certificates expire to minimize the damage of a certificate being compromised, and ensure that certificates are cryptographically secure.
- The ephemeral is a number that the server generates and authenticates using its private key. EDH makes use of the following math to provide Perfect Forward Secrecy by generating a symmetric session key without ever exchanging the session key, and instead exchanging the necessary components to construct the session key. It’s beautiful because the components (“A” and “B”) can’t be worked backwards to recover the secrets (“a” and “b”). Imagine the ephemeral sent by the server as variable “A”. “g” and “p” are numbers agreed on by the server and client:
A = g^a % p
B = g^b % p
session_key = A^b % p = B^a % p
- The client sends ephemeral “B” to the server, and then the client and the server generate the session key as described above, which they use to encrypt and decrypt further communication. Symmetric encryption is more performant than EDH.
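The exchange described in the list above, simulated for both sides. This is an added example, not code from the original post or from any TLS implementation: it uses the textbook parameters p = 23 and g = 5 (constructed, far too small for real use, where the prime is thousands of bits long), picks fresh random secrets a and b per session to show what “ephemeral” means, checks that A^b % p and B^a % p agree, and hashes the shared secret into key bytes as a stand-in for the key derivation function real TLS runs over the handshake. The function names are the example’s own. The last function shows the problem an eavesdropper who sees only g, p, A and B is left with (the discrete logarithm), which is solvable by trial for p = 23 precisely because p is tiny.

```python
import hashlib
import secrets
from typing import Optional

# Constructed textbook parameters. Real TLS groups use primes of 2048 bits or
# more; 23 and generator 5 are tiny so every step can be checked by hand.
P = 23
G = 5


def dh_public(secret: int, g: int = G, p: int = P) -> int:
    """Ephemeral value sent over the wire: A = g^a % p (or B = g^b % p)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int = P) -> int:
    """Shared secret from the peer's public value and your own secret.
    A^b % p and B^a % p are the same number, so both sides derive it
    without it ever crossing the network."""
    return pow(peer_public, secret, p)


def session_key(shared_secret: int) -> bytes:
    """Turn the shared secret into symmetric key bytes. Real TLS runs a key
    derivation function over the whole handshake transcript; a plain SHA-256
    of the secret is a simplification that keeps the shape of the step."""
    return hashlib.sha256(str(shared_secret).encode()).digest()


def run_exchange(a: Optional[int] = None, b: Optional[int] = None) -> dict:
    """Simulate server (secret a) and client (secret b). Secrets default to
    fresh random values, which is what makes the exchange ephemeral: a new
    a and b for every session, so a later key compromise reveals nothing
    about earlier sessions (Perfect Forward Secrecy)."""
    a = a if a is not None else secrets.randbelow(P - 2) + 1
    b = b if b is not None else secrets.randbelow(P - 2) + 1
    A = dh_public(a)  # server -> client
    B = dh_public(b)  # client -> server
    server_key = session_key(dh_shared(B, a))
    client_key = session_key(dh_shared(A, b))
    return {"A": A, "B": B, "server_key": server_key,
            "client_key": client_key, "on_the_wire": (G, P, A, B)}


def brute_force_secret(public: int, g: int = G, p: int = P) -> int:
    """What an eavesdropper holding only g, p and A must solve: find a with
    g^a % p == A (the discrete logarithm). Trying every exponent is instant
    for p = 23 and hopeless for a real-size p, which is why p is chosen large."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


if __name__ == "__main__":
    r = run_exchange()
    print("seen on the wire (g, p, A, B):", r["on_the_wire"])
    print("keys match:", r["server_key"] == r["client_key"])
    print("secret recovered from A with p = 23:", brute_force_secret(r["A"]))
```

With a = 6 and b = 15 the wire values are A = 8 and B = 19 and both sides compute the shared secret 2, which is the check worth doing by hand once. Note that nothing here authenticates A; that is the job of the certificate and the server’s signature from the earlier steps, and it is what stops a man in the middle from substituting their own ephemeral.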
Use HTTPS everywhere even if you’re using a VPN. VPNs (described below) are useful for preventing attacks on the wifi network you connect to, but as described in this article, VPNs don’t protect HTTP traffic against attacks by ISPs and governments because once the VPN server has decrypted the traffic from the client, the traffic is forwarded onto the requested resource (say, Facebook) with whatever protocol the client requested. Also, you are trusting that your VPN provider’s servers are secure and that you have enabled your VPN. Sometimes I forget to turn on my VPN, and one window of opportunity is all that a determined hacker needs.
Use a private wifi network. On wifi networks that have no password, or networks on which you don’t know all of the devices on the network (such as a hotel network with a password), there are numerous security risks. A hacker could perform a man-in-the-middle (MITM) attack on unencrypted (HTTP) network traffic, which would allow them to read your traffic or redirect you to a site that attempts to install malware on your computer. Many common websites still use HTTP, and even if a site redirects you to HTTPS, if the site endpoint initially used HTTP you could still be redirected to a malicious HTTP endpoint via an attack called SSL stripping. MITM attacks could occur if a hacker spoofs a nearby public network that you inadvertently join; for example, creating a fake network called “Starbucks_1_wifi” that’s in range of a Starbucks. A hacker could also perform a MITM attack by using a traffic sniffer to monitor unencrypted traffic on the network. Finally, a hacker could join a public network and attempt to log into your computer if you don’t have certain permissions disabled (see the “OS/Firmware” section on what to disable).
If you can’t join a private wifi network, use a Virtual Private Network (VPN). Like SSL, VPNs use encryption, but they do so in a different way. A VPN consists of a client computer that has installed VPN software that encrypts outgoing network traffic (even HTTP), and a network of VPN servers that decrypt that traffic. VPNs protect you from the attacks outlined in the above section on public wifi networks. As mentioned in the “use HTTPS everywhere” section however, a VPN will not protect HTTP traffic against attacks by ISPs or governments. I use TunnelBear, which I’ve found to be easy to use on multiple devices and have a low impact on browsing latency (compared to other VPNs) for a reasonable price.
Be aware of phishing attacks. Phishing, derived from “fishing”, involves an attacker using bait in the form of a legitimate-seeming electronic communication in order to steal information from a victim. Spear phishing is a targeted phishing attack, in which the attacker goes one step further than typical phishing by researching the target’s name, employer, and other information in order to increase the chance that the victim will take the bait. In many cases, the bait is clicking on a link and entering password information, or opening an attachment that results in malware being installed on the victim’s computer or network. Countering phishing is difficult, but strategies include not opening unfamiliar attachments or email links, unsubscribing from email lists via the company’s website and not via any link in the email itself, not using your corporate email for personal use, and sharing as little personal information online as possible.
Private wifi network
Give your router a cryptographically secure name/SSID and password. Give your network a secure password. Similarly to the section on passwords, if your password isn’t strong enough, a hacker can guess it. If an attacker gets on your network, they will be able to monitor any web browsing traffic sent via HTTP, hack other websites and pin the blame on you and your network, and attempt to hack into your computer (since your computer is discoverable within the private wifi network).
Disable or secure your guest network. Some routers don’t implement guest networks with proper encryption, so your guests could be at risk for having their data snooped on.
Use WPA2 for wireless encryption, and disable WPS. WPA2 or Wi-Fi Protected Access II is a network security protocol that’s been available since 2004.
OS/Firmware of laptops and phones
Firmware is software that’s more tightly coupled to the underlying device hardware and changed less often than software running on top of firmware such as web, mobile, and desktop applications.
Enable Find My Mac and Find My iPhone. If your device is lost or stolen you can lock your device by logging in on one of your other devices, locate the lost device, or delete all of your personal information on it.
Lock your screen when you aren’t using your computer. Apple icon -> System Preferences -> Security & Privacy: Lock screen. Set a time limit & a lock message (using Diceware). Always lock your computer when you step away from it by clicking Apple icon -> Sleep, but in case you forget, this is a good setting to have.
Disable sharing. Apple icon -> System Preferences -> Sharing: Nothing checked, or be very careful. Take “Remote Login” for example, which if not configured properly could allow all users to log in to your computer using SSH. An attacker could get on your network, discover your computer, SSH into it, and then download, install, or view whatever files they want on your computer.
Make sure operating systems have the latest version installed. Older software versions have security vulnerabilities, some of which may become known by hackers. For example, Mac OS X Yosemite (versions 10.9.5 to 10.10.5) allows an attacker to gain root access if the victim runs the attacker’s application. The vulnerability is fixed in Mac OS X El Capitan (10.11).
Enable Apple FileVault. FileVault encrypts your data so that an attacker who gains access to your laptop if it’s stolen or hacked won’t be able to read the data. Unfortunately, your computer has to be shut down for the data to be encrypted, but that’s better than your data always being unencrypted. If you’re away from your computer for an extended period of time and have FileVault enabled, you should shut down your computer.
Enable Apple Firewall. Apple icon -> System Preferences -> Security & Privacy: Enable Firewall. A firewall is a software program that controls connections made to your computer from other computers on your network. You can automatically allow software that is signed by a valid certificate authority to access your computer. If the firewall is enabled, then applications not signed by a valid certificate authority will ask you as needed for the ability to connect to your computer. That’s good, because then you have to explicitly approve an unknown application’s access.
Use a firmware password. Let’s say your laptop is stolen, but you have a login password. A firmware password prevents an attacker from getting around your login password and accessing your hard drive anyway by starting your computer in recovery mode or booting from a USB device loaded with malware.
Install Sophos anti-virus software. Sophos is free and scans your computer for malware, viruses, and ransomware. If you are confident in your ability to avoid malware however, you should not install anti-virus software because AV software is highly privileged and has numerous vulnerabilities. See the introduction for more details.
Keep your applications up to date. Apple icon -> System Preferences -> App Store: Enable updates. Make sure software programs have the latest version installed. Similarly to operating systems, out-of-date software can have very public vulnerabilities that hackers can exploit. You need to minimize the time period during which those apps are vulnerable. MacUpdate is a highly reviewed update manager that I use.
Limit app permissions. Apps will ask for access to various parts of your phone such as its microphone, camera, and contacts. Be careful of which apps you’ve authorized, and review your Settings > Privacy menu occasionally to spot any apps you don’t recognize.
Disable bluetooth whenever possible. Bluetooth devices can be hacked just like wifi-connected devices, and if those bluetooth devices are connected to your phone, for example, the bluetooth devices could install malware on your phone or listen to your phone calls.
Forget devices that are no longer being used, especially public devices like rental cars. Since bluetooth devices can be compromised, the fewer bluetooth devices you’ve authorized to access your phone/computer, the lower the likelihood that a hacked bluetooth device will in turn compromise your phone/computer.
Phew! If you’ve made it this far, leave a comment and let me know what you think. You probably have something to add. Like I say, security is a lot of methodical identification and mitigation of vulnerabilities. And as the arms race between black hats and white hats continues, an update to this post will soon be necessary.