Tips from the newly security conscious
I’ve never been one of those people who’s hugely concerned about my online privacy. I loved the autofill function, had one password that I used for 60% of things. At university I had a friend who took this to the opposite extreme — every time he logged on to the internet he did so through a sandbox and VPN so that his internet history would be automatically deleted. We always made fun of him — all this security was made for people who
a) had loads of money which might be stolen (definitely not us, as university students), or
b) were someone important who other people actually cared about
All anyone hacking into my computer was going to find was loads of pictures of my dog. I became a bit more security conscious after joining a tech startup and being made to sign a pretty draconian cybersecurity contract — the shame of 1Password announcing to the whole company that I had 55 websites with a duplicate password was also pretty strong motivation to get that under control. There were some parts though that I still found a bit silly, for example setting my laptop to autolock after 1 minute, and having an 18-digit password to open my computer. Do you have any idea how irritating it is to have to type in those 18 digits again every time you look up to chat to a colleague, grab a cup of coffee, or make a couple of notes in your diary?
Then I started learning to code at Flatiron School. I was actually weirdly excited whenever we learned about things related to cybersecurity — I’m a big fan of The Girl with the Dragon Tattoo and it was super cool to be learning about some ACTUAL HACKING RELATED things. One of our lecturers recommended a podcast called Darknet Diaries to us, which I can honestly say is one of the most interesting things I’ve ever listened to, and has finally got me super switched on about the importance of cybersecurity. I’ve also learned that most of the hacking we see in films is a myth — you don’t need to be a genius to get into other people’s devices (and in a lot of cases it isn’t actually that tricky). There are so many bits of code prewritten on the internet, and vulnerabilities already known, that all it takes is for a few people to be lazy with their security (like I was). So I thought I’d go through a few of the things I’ve learned that really scared me into making changes.
Passwords
Yes, I know most of us by now know not to have ‘password’ or ‘P@ssw0rd’, or our name as our password (or Porsche911 — to all the men out there using this as your password, please change it). But there are still 1.5 million older computers connected to the internet with the username ‘admin’ and password ‘admin’ AND NO ENCRYPTION of either of these. In China, this means that if you scanned IP addresses near you for these credentials, you’d be able to get into 1 computer every 20 seconds. Aside from the fact that this means anyone can read anything that’s on your computer and anything you do on the internet, it also means your computer can be used in DoS attacks against other networks. Not good.
In general we’re getting clued up about reusing one password in multiple places (check if your email address and password have been compromised for free at https://haveibeenpwned.com/). There are so many good password managers out there that there isn’t much excuse for this anymore. One thing I would suggest is making sure that the password manager you’re using doesn’t have a history of being hacked itself — otherwise all your encrypted passwords are for nothing.
But there are a couple of things that are super important when it comes to password security and that aren’t perhaps quite so obvious. For example:
Your smart devices
I’m a huge fan of my Alexa, my wifi lights, my wifi switches, my wifi aromatherapy, my Roomba, you get it… I’m also pretty guilty of buying a lot of these things from slightly dodgy manufacturers in China via Amazon. Which makes me more vulnerable to this — how many of you have checked whether your smart devices have default passwords on them? There are a huge number of smart devices connected to the internet with the password 0000, or admin, or password. Whilst that might not matter so much with my smart lightbulb (if a hacker wants to repeatedly turn my light on and off it’ll be annoying but I can just unscrew the bulb), it gets more stressful when it comes to things like webcams (yes, these have passwords), or voice assistants, or lawnmowers (I really don’t want to be chased around the garden by an out-of-control mower). There are entire sites run using webcams that belong to other people all over the world — incredibly creepy.
EVEN WORSE — have you ever updated the password on your wireless router? You know, the thing that gives you access to the internet? I’m not talking about the one on the back, I’m talking about the one you use to log in to it in the browser to edit settings. You’d be amazed how many of these also have shitty default passwords, and what’s worse is that once someone gains access to your router, they can then gain access to anything that’s connected to it no matter how secure you may have made the passwords or antivirus, including your laptop. As you can see, none of this takes any incredibly complex knowledge — I got the list of passwords for webcams above by googling ‘default webcam passwords’. You should NEVER leave default passwords on anything that could be connected to the internet, especially when it really doesn’t take much effort to change them.
There are all kinds of other weird vulnerabilities with smart devices — for example, Alexa has a feature where it can access all your contacts, list those who have an Alexa next to their number (if you’ve linked your phone number with your device) and allow you to ‘drop in’ on their Alexa — i.e., listen to it or talk to it, at any time.
Voicemail Passwords
Another thing you’ve probably never bothered to change the password on is your voicemail. I personally don’t tend to use my voicemail (ever) and ask that people email me instead. Which is probably just as well given the following:
And also the fact that journalists (not professional hackers) at News of the World — remember this? — could get into targets’ phones so easily.
Even if you don’t think you have anything very important on your voicemail, there are other important reasons you should change this password ASAP. It’s possible to gain access to call forwarding through many voicemail settings, and to send all incoming calls to a default number. Hackers have famously done this and sent all calls to pay numbers that THEY own, and then repeatedly rang people’s phones (at offices over the weekend when nobody is about, or at night), racking up phone bill charges in the $100,000 range. It’s worth noting that you are legally obliged to pay your phone bill even if this happens, as the fault is seen as being your own because you haven’t changed your password. With this in mind, the 2 minutes it takes to change the password doesn’t seem such a lot of effort after all.
Physical security — Autolocking
You know earlier I was bitching about having a computer that autolocks after every minute of inactivity? Turns out there’s a REALLY good reason for that — and what’s more, you shouldn’t leave your computer when it’s unlocked EVER (or ideally, leave it by itself at all) if you work in a company with any data that anyone might want to steal — or if you’re worried about anyone getting access to your computer. There’s a USB stick device called a Rubber Ducky (available from Amazon for £64 and way cheaper elsewhere) that you can plug into any unlocked computer to get control of it in 2 seconds. There’s a really fantastic Darknet Diaries episode about how a security expert who’s employed to test security at banks managed to get into the computers of every company who hired him, usually on the first try, just by walking in, looking confident and plugging this USB into people’s computers. He also managed to walk out with several computers belonging to employees, and was given login details by senior managers, just by acting confident.
Thinking back on my previous jobs, this is a very believable scenario. There’s no way you’re going to be able to know everyone in the company, and it’s rare for junior employees to think about bothering senior management to check when someone from IT comes around to help set up some new software on your computer. Even though most companies have security at the door, it’s also incredibly easy to follow after people who have login cards when you’ve left your own at home (as I’ve done many times) without being questioned. I know we’re worried about being rude (and I’d probably be pretty pissed off if someone tried to challenge me on this myself) but you should never let someone do that unless you know them or have checked they have a good reason to be there.
Keeping software updated
I’ve also been very guilty of this one. I keep about 100 tabs open in my browser, and it’s really annoying to have to shut everything down every time I need to restart my computer for a software update — but there’s a very good reason you’re being made to do this! Updates aren’t only for fixing annoying glitches and making improvements; they’re also often for fixing security vulnerabilities that have been found. If you haven’t updated your software, you’re vulnerable to any known hack on the version that you’re using. This also applies to companies, who should ALWAYS update their software ASAP on all internet-facing sites — especially ones connected to databases with information about users.
Stack Overflow, etc.
This one is a bit more niche and is more related to security at your future jobs than to your personal security. At Flatiron, we’re taught a “Personal Empowerment Protocol” which involves trying to look up problems we have on the internet rather than immediately going to an instructor for help (as there are no instructors to run to in the real world of employment!). Stack Overflow is incredibly helpful for this… BUT have you ever thought of how your posts could be helpful to other people, say hackers? Let’s say I’m a junior developer at an app company, and I’m posting about a bug I’m having in the backend. This can let a potential attacker know what software I’m running, what gems I’m using, and what language I’m writing in.
Everything you post online should be seen as public knowledge. Your LinkedIn profile is probably associated with the company you work for, like most people’s are. This also tells attackers more about the company’s software — you’re showing off what your language skills are (aka what languages the software at your company is probably written in) and what training courses you’ve been on. Your profile might have your email address — or more likely the marketing team have their email addresses up, which gives away how the email addresses for everyone in the company are structured, and hands over one half of your login details for secure systems. Searching for your profile picture and your name/school info/university info (all usually on LinkedIn) may turn up your Facebook account, with pictures of your pet/spouse/child and info about your birthday/where you grew up — all common passwords.
The conclusion
I’m currently only about 20 podcasts in, so this journey of security awareness (or paranoia, as some might call it) is likely to continue for a while longer. I guess what I’ve learned is that whilst it’s really difficult for any one of us to be totally secure online when connected to the internet, we probably don’t need to worry about the higher-level security measures… unless we’re a high-profile target. This can be related to our work as well as our personal situation, so it’s a good idea to keep your work and personal accounts as separate as you possibly can if you work in a sector which is vulnerable to hacking (aka anyone with access to user data/payments/intellectual property — pretty much most industries).
However, there are some extremely simple ways that hackers can gain access to a lot of your devices, and it’s definitely worth plugging up these obvious holes! I’m not going to be using a sandbox every time I log on to the internet any time soon, but I’m now a lot more careful about where I leave my laptop.
Side note: if you have any friends/colleagues who think you’re overreacting, I would highly suggest buying a Rubber Ducky and using this video for some tips. Nobody is laughing after their computer won’t stop showing videos of Gandalf playing the saxophone for 15 hours straight.