Part I: Why We’re All Here
Welcome, one and all, to “The Firewall”, a series on cybersecurity for everyone — especially those of you who aren’t tech savvy. I’ve designed this series with you in mind. You might think it’s impossible for anyone to make technology seem understandable, but you’d be wrong. Having spent the past 25 years both in technology and theater, I’m in a unique position to help guide you on this path.
So let me offer just three promises to help set the stage:
- I promise to use “regular people” language. That means I won’t use terms like “DDoS,” “Rootkit,” or “SQL injection” — the latter of which, I think we can all agree, sounds inappropriate anyway.
- I promise to empower you. You’ll learn that taking a few simple security measures can really protect yourself while you’re on your computer or smartphone.
- I promise to be honest with you. You’ll never hear me say, for example, that perfect digital security exists. It doesn’t! Instead, I’ll recommend small, reasonable changes you can make to help reduce your digital security risk.
To begin our journey, let’s examine just one statistic: the total number of internet users. In 1994, at the dawn of the internet, 25 million people surfed the web; a decade later, that number had grown to 913 million; by the end of 2017, that number should pass 4 billion.
Four billion digitally interconnected humans.
That’s a staggering number, a magnificent achievement, and — as this amazing technological wonder continues to unfold — we reap tremendous benefits that our parents and grandparents could never have imagined. However, that amazing access to technology has also meant amazing risk from malicious actors. No, I’m not talking about Mel Gibson. I’m talking about hackers. “Hackers” is the term I’ll use to mean people who break laws to gain unauthorized access to your data.
Part II: Understanding the Risks
Hackers are smart, sophisticated, and very, very successful. Statistics for cybercrime are sobering. Every year, 556 million people are victims of cybercrime, and 232 million identities are exposed. More than 600,000 Facebook accounts are compromised per day. Every year, more and more companies are targeted and breached by sophisticated hackers who gain access to our personal data, including health and financial information. Every year, security researchers make clear: Some companies and organizations are doing a really poor job — if any — of protecting your data. And because most everyone and everything is interconnected in our world, the scope of what is being stolen is simply staggering:
- 40 million customers of Target had their credit card accounts stolen.
- 80 million customers and employees of Anthem Blue Cross had their accounts stolen, including Social Security numbers.
- 145 million members of Ebay had account info stolen.
- 191 million U.S. voter records were exposed when discovered by a researcher.
- 400 million users of the website AdultFriendFinder had their accounts stolen; some had their identities revealed by malicious hackers.
- 1 billion user accounts were stolen from Yahoo.
- 1.2 billion usernames and passwords were stolen by a Russian hacking ring.
An easy-to-use graphic of all hacks from 2004 until now can be found here.
But as bad as those statistics are, they pale in comparison to other revelations. In 2013, Edward Snowden leaked classified information to the public about programs used by the U.S. government to collect data on billions of people, including both citizens of the United States as well as others from around the globe. Revelations from Snowden continue to be published today and collectively describe different government programs used to massively mine data from emails, phone calls, social media, personal webcams, and device location/network trace records from millions of cellphones worldwide.
The days of wondering if we’re vulnerable to digital tracking or digital theft are long over, dear friends. We are, all of us, currently at risk of having our personal and corporate data accessed, stolen, or misused. But that doesn’t mean we’re powerless.
On the contrary, we are not.
Part III: What We Can Do
I encourage all of us to think of cybersecurity as we’d think of a home alarm system. We all know, for example, that those with the right tools and experience can thwart even the most sophisticated alarm system. However, we also know that we can prevent most individuals from gaining access to our valuables with reasonable effort and expense.
So it is with cybersecurity. We’ll begin in this first installment, just as we do in the physical world, with our home. Let’s examine some of the most glaring digital vulnerabilities in our homes, and then suggest a few, simple ways to fix them.
Vulnerability: Browsing the Internet
Much of what we do online is not secure. There are many reasons why this is so, but here are the three most glaring:
- Many website don’t encourage you to use the secure version of their sites.
- Advertisements often bombard us everywhere we go.
- Our browsing history is not only traceable but also shareable.
One personal example: I recently went to a the luggage website eBags to do some comparison research. I saved a few favorites that I’m considering purchasing, and then went back to my work. For the next week, every time I opened Facebook, ads for the exact models of luggage I’d saved on eBags were appearing on my Facebook feed.
How’d that happen?!? The answer: cookies.
No, not the delicious baked goods that we all enjoy stuffing into our mouth. A cookie is also the term for a piece of text a website can store on your computer, smartphone, or tablet and then later retrieve it. Cookies usually make websites easier for the consumer, but because they’re stored on your digital devices, they can also be used to track your choices from website to website. That just creeps me out.
Solution: Use a More Secure Web Browser
Of all the solutions I’ve tested, the easiest and cheapest is to start using an application called Brave, a new web browser designed from the ground up to focus on speed and security, two categories in which it excels. It’s 100 percent free and available for both Mac and Windows, as well as for iOS and Android. The application automatically routes you to secure versions of the websites you seek, blocks all advertisements (if that’s what you prefer), and blocks all cookies. You can set global preferences, but you can also change settings on individual websites. Click or touch the orange application icon in the upper right of the browser window to open the interface, shown in the following two images. On the left is Brave running in macOS, and on the right is Brave in iOS:
As you can see, Brave provides numerical counters to demonstrate how well it’s blocking ads, scripts, fingerprints, and forcing the use of secure websites, something called HTTPS Upgrades. Click or touch a button to activate or deactivate that particular block.
Since blocking ads will hurt advertisers’ bottom line, the makers of Brave have created a new model: Brave Payments. In a nutshell, the nearly automatic system allows users to pay a monthly fee — from $5 to $20 — to websites they most frequently visit, all without being tracked. I’ve made Brave my new full-time web browser and enjoy it immensely.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
— Edward Snowden
Vulnerability: Prying Eyes
Now that we’re using the new Brave web browser, we can better prevent websites and advertisers from tracking us online. However, there are other, more powerful entities that can track and log which websites we visit and how long we spend there. Making matters worse, our right to online privacy was recently obliterated thanks to…the U.S. Congress. In late March 2017, Congress voted to allow our internet service providers (also called ISPs) to sell our browsing data without our consent. That means if your ISP notes, for example, that you regularly go online to travel websites, it might choose — without your permission — to sell that information, along with your email address and phone number, to travel agents, vacation planners, and anyone else willing to pay for that data. Yuck.
In truth, our online privacy has been under attack for a long time. As a citizen who values my privacy, that troubles me greatly. Even if my ISP is interested in what I view online, the revelations published from Edward Snowden in 2013 are far more alarming. Knowing that the FBI, CIA, and NSA are regularly collecting data on U.S. citizens makes me want protect myself and family.
Solution: Take Back Your Privacy with a VPN
There’s a simple, legal, and affordable solution to regain some of our privacy: Use a virtual private network, or VPN. To use a VPN service, we simply install an application on our computers, smartphones, or tablets. Then, once we connect to the internet, we use that VPN application to route all of our internet browsing through the VPN service, instead of through our ISP’s servers. It looks like this:
When we use a VPN, if an ISP, malicious hacker, or government entity is interested in knowing the specifics of our browsing habits, it can see only that we’re connecting to a VPN service for a period of time, but nothing more. However, and this is important, we need to pick a VPN service that puts a very high premium on protecting privacy and can demonstrate that to us as potential customers.
Based on the research I did for my technology book, I’d choose a VPN provider that never keeps logs on the websites that its customers visit, isn’t headquartered in the United States, is not a member of the Five, Nine, or Fourteen Eyes security agreement, offers its customers strong data encryption, provides a free trial and/or money-back guarantee, supports all desktop and mobile device operating systems, and costs no more than $10 per month.
A small group of providers do a really good job of accomplishing these core principles. I found those providers by sorting through a lot of data at this amazing website. I’m a fan of the following VPN programs, listed in this order, because (a) they meet my criteria for running a reputable VPN service, and (b) they do a great job at serving the privacy community in general.
- NordVPN (based in Panama)
- Trust.Zone (Seychelles)
- Cactus VPN (Moldova)
- My Private Network (Hong Kong)
- Boleh VPN (Seychelles)
- IBVPN (Gibraltar)
Click on any of the company names listed above to visit their websites and learn more.
Vulnerability: Internet Routers
Below is a diagram I made to help you better understand how you can go online in your home. The internet comes into our home via a modem, but it’s shared with all of our devices via something called a router, a small device that turns your home into a computer network. Our modem connects to our router, which acts as a central hub where all of our computers, smartphones, and tablets can share our internet connection:
Most consumer routers and modems are not very secure, something hackers use to their advantage. In 2012, one attack on DSL modems in Brazil resulted in 4.5 million DSL modems being hijacked. In another attack, one nifty hack hijacked more than 300,000 consumer home routers made by D-Link, Micronet, and others.
Solution: Change Key Settings on Your Router
Change your router username and/or password. This website publishes the default usernames and passwords for most of the routers in the world. Now you know: Everyone also has them, so it’s essential that you choose different and complex usernames and passwords. By “complex,” I mean passwords that are a mix of words, numbers, and punctuation marks. Something fun to do: Use phrases from your favorite songs, books or movies that are easier to remember. For example: “YouLose!GoodDAY,Sir!”
To change your router username or password, someone (maybe you!) needs to log into that device. If you’re on a PC running Windows, this video explains how to do that in simple language.
If you’re on a Mac, you can still follow the directions in that video, but you’ll need your router’s ID number. To get that, from the upper left of your screen, click on Apple Menu -> System Preferences -> Network. If you’re connected via ethernet cable, your router ID will be already be shown as the red box in in the left image demonstrates. If you’re connecting via Wi-Fi, you’ll first need click on the green “Advanced…” button, and then, on the next screen, on the “TCP/IP” tab to see your router ID, as shown in the black box in the image on the right.
Purchase a new router with better software preinstalled. Since most routers aren’t made for security, consider purchasing one that comes with better software preinstalled. DD-WRT is the name of an operating system made for an ever-growing number of commercial routers. Although it’s been available for years, upgrading the OS on your router to use DD-WRT — a process known as “flashing” — is difficult for novices. For a small investment, you can buy a new router with DD-WRT already installed. Here is one of many options currently on the market for less than $80.
Implement the Media Access Control feature on your router. Media Access Control (MAC) permits only certain devices to have access to your home network. In this case, the list of devices should include all computers, smartphones, tablets, and printers in your home. That list is kept on the router and must be manually entered by someone who knows what they are doing. I’ll be honest, in this case: That someone is NOT you! This is the only action item on my list where I’ll say this, but I recommend that you hire a trusted friend, relative, or consultant to do this work for you.
Using MAC, employing a VPN, and changing your router’s password doesn’t suddenly make us invisible to hackers. However, implementing some or all of those security methods can absolutely help reduce the number of unwanted individuals and attacks from breaching our home networks.
In our next installment, we’ll dive deeper into some of the security measures we can take to safeguard our data and identities when traveling away from our home networks. Until then…