Russ Harvey Consulting - Computer and Internet Services

Security Basics

Preventing Unauthorized Access

Modern cybercrime…the perfect storm.

[O]rganized crime now gains more revenue from cybercrime than from the illegal drug trade and is on pace to eclipse all its other forms of illegal activities combined within a few years.

Combine that with the global shortage of experienced security professionals and the forecast calls for very rough weather ahead. — Trustwave

Stop. Think. Connect.

Most of today's devices (computers, phones, tablets, etc.) are all connected to the Internet, often continuously. Many services and applications record and report on your activities (read the terms of service for everything you subscribe to).

You can prevent a lot of problems if you follow StaySafeOnline.org's advice and Stop to Think before you Connect.

  1. STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
  2. THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family's.
  3. CONNECT: Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

Take the time to determine if the message is legitimate even if it comes from someone you know.

  • It is easy to copy images and use them to commit fraud or identity theft.
  • If you're asked for your password in ANY email that is a warning sign.
  • Don't trust the linked text in an email or on a website. It can be faked.
  • Be wary of phone calls or emails that ask for personal information or insist you go to a website to fix a problem — these calls are scams, no matter who they say they are.

Take Care in What You Share

Only share online what you'd like others to share about you. Once posted, that information is “in the cloud” forever. In an instant you could ruin someone's reputation — even yours.

Security Isn't Just a Technical Issue

We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: the people who could protect a system are not the ones who suffer the costs of failure. — Bruce Schneier's Crypto-Gram

Microsoft Products More Vulnerable

Microsoft has placed the emphasis on ease-of-use rather than on making their software secure. Not only Windows, but Office and other software is designed to easily exchange information. That ease allows any vulnerability in one component to affect ALL the others.

Hacking Windows: Easier Than You'd Think

Hacking Vista: Easier than you'd think is an instructive video on YouTube that shows how a hacker can gain access to a computer without the user being aware of it.

What is particularly interesting is how easily the user can misinterpret the “infection” incident, allowing the hacker to gain total access in a very short time.

If Microsoft bore the cost of security failures in their Windows and Office software, as Ralph Nader forced the auto industry to accept responsibility for their failures, fewer vulnerabilities would exist or be allowed to continue unchecked. Instead, we are spending large amounts of money annually on security programs.

Windows Updates Critical

One example of a vulnerability that could be avoided by installing updates is the WannaCry ransomware variation:

Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; it only works against computers that haven't been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft -- though it did belatedly release a patch for those older systems. — Bruce Schneier

Unfortunately, Microsoft chose to trick people into updating to Windows 10 via Windows Update and many of those people have turned off Windows Update as a result. The threat of unwanted upgrades is no longer present, but the residual effect is an increased risk to your legacy Windows.

Other Systems Also Vulnerable

Other operating systems have experienced fewer security problems because they are not as vulnerable nor targeted as readily. This is changing for Mac users as Apple products like the iPhone, iPad and Mac computers gain market share.

And it's not just operating systems. Hardware is also vulnerable since so many of our devices are now connected via Wi-Fi.

Every Brother printer with an embedded web server are vulnerable to denial-of-service attacks that could allow attackers to remotely disable the machines, rendering them unusable. — Trustwave

Don't Run Obsolete Software

Running obsolete (unsupported or unpatched) software makes you vulnerable and puts everyone at risk by allowing the spread of malware, viruses (particularly ransomware) and security holes that can be exploited by hackers, governments and other parties that threaten our privacy.

Mozilla's Update Your Software has instructions for updating Windows, Mac, GNU/Linux, iPhone, Android and commonly-used browsers (and their plugins).

Beware of Software Utilities

Many folks search the Web looking for a quick fix for an issue they're having. Many download and install utilities that promise to repair the issue or to provide them with updated drivers with one download.

These utilities may do as they say, but it is far more likely that they'll also add browser toolbars or other vulnerabilities — particularly if they're free. There is good software out there, but you need to be sure to vet it first. Try searching for the software name to see what others say about it.

Windows Particularly Vulnerable

If you are running an older, unsupported version of Windows, you should consider upgrading or running Linux.

  • Windows 7 support continues until January 14, 2020. It is the last version of Windows to run and store data primarily on your computer. It was aimed at keyboard & mouse users.
  • Windows 8 & 8.1 were Microsoft's first attempt to address the mobile market. Because it sacrificed the needs of legacy users, it was problematic for Microsoft and users alike. You should upgrade to Windows 10.
  • Windows 10 has improved support for newer protocols and hardware and is rated as the safest version by Microsoft (partially because it updates you whether asked to or not).

There are also troublesome upgrade issues with Windows 10, particularly for those upgrading from Windows 7. Such upgrades are best done on newer hardware as the system requirements (the speed, storage and memory needed to run them) are more demanding. Windows 10 seems to be less demanding of hardware, but some of the newer technologies require modern hardware.

Try Linux

If your computer is not capable of running Windows 7 or later, you might want to consider using an alternative like the free Linux Mint or its variations.

  • Linux is free to download, install and use (you can also purchase support if needed).
  • The system requirements are lighter than the newest Windows versions so you can continue to use your current hardware.
  • Many current distributions (Linux Mint recommended) automatically install most of the software the average person uses, including an alternative to Microsoft Office.
  • Linux is more secure than Windows by design (it allows you to run your system while keeping out unauthorized users yet you can perform administrator tasks by providing the Administrator password).
  • Many Windows programs can be run under Linux using WINE. Be sure to read the FAQ before installing WINE.

Linux updates itself in a similar manner to Microsoft Update (you need to download and install newer versions but not updates to the installed version). If you are a typical user, it will work better than the Windows currently installed on your existing hardware.

Close Security Loopholes

Windows is full of security loopholes and we're exposed to many others if we give precedence to convenience over security.

Restrict Access

Create a security policy for the computers in your home or office. This will provide guidelines in making security decisions and help your family or employees understand the need for security.

Free Wi-Fi Presents a Risk

We're constantly on the go and want to remain connected. But choosing a free Wi-Fi network could undo all that we've done to secure our computers and devices.

Others on the same network could intercept information like passwords and confidential information using easily-available hacking software. Watch this YouTube video.

KRACK Wi-Fi Security Flaw

KRACK is a new critical Wi-Fi flaw found in the WPA2 security standard. It affects virtually all Wi-Fi devices. More…

Captive Portals No Safer

Don't be fooled by a log-in screen requiring you to agree to the Wi-Fi network's terms in coffee shops and elsewhere. These are called captive portals and are no safer than an open Wi-Fi network, but give you the illusion of safety.

Captive portals can interfere with secure (HTTPS) sites, calling them “untrusted connections” which leads people to ignore such warnings in the future.

ZoneAlarm's infographic, The risks of public hotspots: How Free Wi-Fi can harm you, provides some excellent advice on precautions when connecting to free Wi-Fi.

Recommendations

ZoneAlarm recommends you consider the following BEFORE you connect:

  • A secured home or office network is always preferable to an unsecured network.
  • Ensure that your security software (antivirus, firewall) is turned on.
  • Using a VPN (Virtual Private Network) is recommended.*
  • Confirm the Wi-Fi network name with the business owner.
  • Be sure to use secure sites, those starting with HTTPS, especially where you need to login to an account.
  • Turn on two-factor authentication for your accounts.
  • Disable file sharing.

*NEVER access financial sites like banks and PayPal while on a network you don't control without using a trusted VPN.

Business Computers

Restrict access to business computers:

  • Only employees with significant understanding of the risks should have administrative rights and your policies should indicate what software they can or can't add or remove without express permission.
  • Software, security and Windows updates are best done by you so that you know your computers are protected.
  • Access to personal social media sites like Facebook or personal software on business computers can lead to security risks for your business.
  • You'll also want to be careful with business use of these accounts as it is just as easy to unLike you if something goes wrong.
  • The use of unsafe media like USB thumb drives can infect computers on your network as well as the one that was initially accessed.

Home Computers

Restrict access to home computers:

  • Your children should not have Administrator rights on their computers.
  • Your children should not be running software on your business computers. Why put your business data at risk?
  • Your children should not allow their friends to make changes of any kind to the family's computers.
  • Use passwords and answers to security questions NOT based upon information posted on social media sites like Facebook or easily guessed by others.

Computer Servicing

It is important that anyone servicing your computers is knowledgeable and trustworthy:

  • Get professional help from a reliable source.
  • While an employee or the kid across the street might know more than you, they might not know enough.
  • Your policies should indicate how servicing is to be carried out and by whom.
  • The FBI has been accused of using Best Buy Geek Squad employees to conduct warrantless searches of customers' computers.

Educate About Evaluating Risks

Ensure that everyone using your computers understands how to evaluate risks. It is very common to receive warnings by phone or email indicating your computer is “infected.” ALL are scams. Watch for these signs:

  • Simply opening an infected image or other attached file can be enough to endanger the data on your computer. More….
  • Any warnings that appear on your screen, particularly if they indicate that you have hundreds of infections, are scams. Know how your security software reacts to an infection.
  • Do NOT follow instructions given by an unsolicited email or phone call. These calls are scams, no matter who they say they are. Just hang up.
  • There are logs on Windows computers that show errors even when they are operating normally. Scammers may try to use these logs to convince you that your computer is infected.
  • If you provide the caller with access to your computer so they can “fix a problem” you'll end up with an infected computer, an excessive credit card bill, or both.

Children and employees should be instructed NOT to respond to such ploys. If you're concerned, call the person that maintains your computers.

Increase Your Security Budget

Corporate and business information technology (IT) departments are seriously underfunded and a significant number of employees aren't concerned about the effect their lax security habits could have on the company.

Saving money on IT security may benefit you in the short term, but could cost you a great deal in the long term — even your company's credibility if you're hacked and lose critical business information.

Key Elements of Security

To enhance the security of your computer(s) and computer networks, you need to include the following components in your protection plan:

There is more information about each of these, either on this page or on other pages on this site. Follow the links in each of these subsections to learn more.

Choose Your Programs Wisely

The choice of software to use on your computer affects how vulnerable you are to security-related attacks. This is particularly true for Windows users, specifically with regard to your choice of web browser and email client.

Some Free Software “Expensive”

Many of the free utilities, screen savers and similar programs available on the Web either contain malware, collect information about you, or install potentially unwanted third-party software (PUPs).

Search for what others have said about a program using the program name or executable file as the search criteria. Blogs often provide interesting insight into the usability of such programs and their relative merits.

Krebs's 3 basic rules for online safety:
  1. If you didn't go looking for it, don't install it.
  2. If you installed it, update it.
  3. If you no longer need it, get rid of it!

One of the things to look out for is the third-party PUPs that come with free products like Adobe Flash Player, Java and CCleaner.

Scroll through the options and de-select the extra software like toolbars (rarer today), Google Chrome, McAfee Security, etc. before downloading or installing the software you actually wanted to install.

Microsoft Products Share Vulnerabilities

Microsoft pursued a policy of making Windows “friendly” so that sharing between programs was seamless and reduced technical requirements.

This practice has made us more vulnerable to inappropriate uses of that technology such as viruses, hacking, phishing, and more. For example, the widespread use of Microsoft Office exacerbated the spread of the GDI+ Windows vulnerability for JPEG images as a direct result of this seamless sharing.

Firefox Recommended

This is one of the reasons I strongly recommend using Firefox as your primary browser. It focuses on the needs of the user rather than the corporation that sponsors it.

As the developer of the only major browser that isn't owned by a tech giant, the company is free from ulterior motives. — VentureBeat

If you're determined to use Internet Explorer, be sure to use the most recent version available to you and install all critical updates.

Google Chrome

While Chrome is very popular, it got that way by surreptitiously installing itself as the default browser as a paid add-on to other free software such as CCleaner, Java and Adobe Flash. While it was an “optional” addon, it was pre-selected and folks simply clicked through the options without checking for extra software.

When uninstalling Chrome, it automatically made Internet Explorer the default browser for Windows rather than asking which browser should be default (as it does now).

Google Chrome shares a great deal about your surfing habits with Google, particularly if you sign in. This data is used to create a profile on you that Google uses to sell targeted advertising.

If, after checking out a product while using Chrome, you notice you're seeing ads for that product, you've experienced the power of that Google profile. Companies can use cookies and other technologies to track you, but that is Chrome's business.

Java, Reader and Flash Most-exploited Windows Programs

A 2013 study indicated that Java, Adobe Reader and Flash are the most-exploited Windows programs. These programs are so widely installed that they make an attractive target for malware.

  • Regularly check to see if your Firefox plugins are up to date.
  • Adobe Flash is frequently updated because of a massive number of security flaws. Fortunately it is rapidly losing ground to HTML5's native rendering.
  • Adobe Reader has tried to include everything and as a result is bloated and more vulnerable. Try alternatives like Nitro PDF Reader which is safer and provides more features.
  • Oracle's Java should be removed if unnecessary, but if installed should be checked frequently for updates and older versions removed. More….

Use Peer Sharing Carefully

Peer-to-peer (P2P) sharing can be useful, but that depends upon what is being shared and what service is being used.

The attraction of downloading free music, movies and more using peer-to-peer software has created problems for many users.

  • You're exposing your computer to any viruses and malware on the computers you're connecting to.
  • Most file-sharing programs automatically create an upload of files from your computer making you subject to fines for illegal sharing.
  • The owner of the Internet connection (you, not your children or their friends) is liable for any activity on their account.

What you need to know about peer-to-peer file sharing includes the following suggestions (see the article for explanation):

  1. Before you start, make sure your computer's security software is up-to-date.
  2. Stick to legal file-sharing services.
  3. Use your computer's security software to scan downloads.
  4. Don't upload (or download) copyrighted material.
  5. Pay attention when you install P2P programs.
  6. Close the P2P connection when you're finished (default settings start it with Windows and leave it running continually).
  7. Refrain from using P2P file sharing at work.
  8. Make sure your kids understand the risks.

Finally, if you have any doubts, just don't do it.

Effective Security Software

Traditional security products, firewalls, security suites, antivirus, and antispyware products, are made to fight PC-based threats, but you also need to worry about web-based threats which can develop very quickly.

Threats are no longer simple viruses (or “worms”) but multifaceted attacks on several fronts at once. You need to protect yourself with a security suite that protects you simultaneously from all possibilities and is constantly updated to deal with the threats you face when surfing the Web.

More and more we're saving our private information in cloud-based servers elsewhere. Unfortunately, these companies spend far less on securing your data from attack than their own. This is unlikely to change as long as they suffer no major financial loss when breaches of public data occur.

Security Programs Should Have Minimal Impact on Computer Performance

Be sure that it can do the job without degrading your computer's performance too much. I strongly recommend ZoneAlarm's Extreme Security for the most extensive protection including protection from keylogging (the capturing of data entered via the keyboard).

Malware or Spyware Protection

Your privacy has never been under attack as intensely as it is today. You need to protect yourself using legitimate privacy tools. All current security suites and most antivirus software contains some form of antispyware/antimalware protection.

Firewall Protection

An effective firewall is an essential part of your protection. Microsoft's built-in firewall is insufficient.

Most computers access the Internet via either a broadband or a wireless connection that is turned on continually. This makes you more vulnerable than you were in the early days of the Internet when dial-up connections were the norm and therefore brief.

Effective Protection is Multifaceted

You need two kinds of firewall protection:

  1. A router provides a hardware firewall that secures your high-speed access to the Internet and allows you to share it between various hard-wired (LAN) and wireless (WLAN) computers, laptops, tablets, smartphones, game consoles, and TVs.
  2. An effective software firewall protects you from outgoing as well as incoming attacks and should be part of your security suite.

More and more we connect our devices to third-party wireless services in coffee shops, the mall and elsewhere. Since we don't control the hardware portion of the firewall (the router) it is essential that your security suite be up to the task of protecting you as best as possible.

As well, more than half the routers currently in use were easily hacked in a recent test. There are also undocumented and unpatched vulnerabilities (zero day exploits) that both governments and hackers take advantage of to steal information from your devices.

Strong Passwords

Passwords are an essential part of Internet life today. They are used for everything from access to your email to the millions of websites and forums that require you to identify yourself using a username/password combination on a daily basis.

Passwords and encryption can be effective tools only if you use them correctly.

Long and Strong

Make your passwords long and strong using random upper and lower case letters, numbers and symbols (some symbols are not permitted by some sites or vendors). Generally, the longer your passwords, the harder they are to hack.

Given the difficulty humans have in creating and remembering effective passwords, I strongly recommend LastPass to manage your passwords. LastPass is secure, encrypts the passwords BEFORE uploading them and can be shared between your various computers and devices.
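
The “long and strong” advice above can be made concrete. The following is an added example, not part of the original page and not how any particular password manager works: it generates a random password from all four character types, lets you restrict the symbols to those a site accepts, and estimates how much each extra character adds. The default symbol set and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed default; replace with the symbols the target site actually permits.
DEFAULT_SYMBOLS = "!#$%&()*+-=?@[]^_{}~"


def generate_password(length=20, symbols=DEFAULT_SYMBOLS):
    """Return a random password containing every required character type.

    `symbols` is the set of symbols the site accepts; pass "" for sites
    that reject symbols entirely.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character type")
    alphabet = "".join(classes)
    # Draw whole candidates from the OS random source and retry until every
    # type is present, so no position in the password is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on guessing difficulty: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(24))
    print(generate_password(16, symbols=""))      # site that forbids symbols
    # Ten hexadecimal characters versus 24 characters from the full set.
    print(entropy_bits(10, 16))
    print(entropy_bits(24, 62 + len(DEFAULT_SYMBOLS)))
```

Each added character multiplies the number of possible passwords by the size of the character set, which is why length matters more than any single substitution.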

Wireless Connections

We don't generally think of Wireless connections in this category, but you need to secure your wireless connections. WEP and newer variants like WPA & WPA2 use a similar format to how we access email from our ISP.

The wireless key provides security like an email account password:

Wireless Protection is Like Email Security

Account Type:           User Name:   Security:
Wireless (WEP or WPA)   SSID         Security Key
The Smith's WLAN        Smith        5D969892AF
Email Account           User name    Password
jsmith@example.com      jsmith       {AuRIMWJW$PEGSWy~fQ!Nrw(

In both wireless networks and email accounts, at least part of the information is public:

  • The SSID is the public name of a wireless network which is broadcast unless the router is configured not to (making it harder for new computers to connect to it).
  • The email user name is public because it is placed before the @ symbol (e.g. the jsmith in jsmith@example.com) and some use the entire email address for the user name.
  • Only the WEP or WPA2 key provides security just like your email account's password does.

Protect Your Email Address(es)

Increasingly, sites are using your email address as your identity, making it very easy to hack your other accounts if you use weak passwords or use the same combinations on multiple sites.

Social Engineering

Hackers use social engineering to gain access. People naturally want to trust people that they know and businesses they use. Hackers use this and social media “friends” to gain their trust (essentially usurping that trust for malicious purposes).

Because of this tendency, you need to be particularly careful to examine any messages before opening them, their attachments (JPG images can be infected as can ZIP files, PDFs and others) or clicking on the links.

Another method is to send a message telling you there is a file to download and provide realistic-looking images with links to a fake site where they request you log in with your email address and password “to gain access” to the file. This is a phishing attempt and will compromise your account on the actual site.

By-Passing Passwords

Instead of hacking your password, the “Forgot password?” recovery option on a site can provide a much easier place to obtain access to your email account.

People post much personal information about themselves in public places, including social media sites like Facebook, that can be harvested for the answers to typical security questions. The nature of these questions is such that many are easily known by friends and family such as:

  • your favourite sports team(s)
  • your favourite author or movie
  • your best man or maid of honour at your wedding
  • your first address

How your email account could be the weakest link to your online accounts provides more detail about this vulnerability.

So how do you protect yourself?

Two-Factor Authentication

You can add a second method of authenticating your email passwords, preferably something that is always with you and inaccessible to potential hackers.

Two-factor authentication provides additional security that isn't available with even a strong password. As implied by the name, two-factor authentication has two components:

  1. a strong password; and
  2. a second authentication device.

The YubiKey is a small USB and NFC device supporting multiple authentication and cryptographic protocols.

The second device could be

  • a cell phone number (recommended); or
  • a specially-designed hardware authentication device like the YubiKey (shown above) in combination with LastPass; or
  • a second email address (less secure as it too could be hacked).

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, after which the attacker has access to the very two-factor security that is supposed to protect you.

There is more about two-factor security on passwords.

Summary

Good Security Practices

Ensuring a secure computing experience involves all of the following:

Ease of use is contrary to good security, although there are some tools that can help you retain security yet help you manage passwords and other settings.

Keep Everything Updated Frequently

Because things change so fast on the Internet, it is important that you keep your antivirus, firewall and anti-spyware security software current (install all updates). Remember, if you have to download the update (i.e. save it to your Downloads) you need to install that download.

One study indicated that the time from the discovery of a vulnerability to when it is exploited is now four days or less. More recently that window of discovery has narrowed to less than a day. Zero-day exploits are usable immediately (0 days until useful because they are generally undiscovered except by hackers and government spy agencies).

  • Check for updates at least daily.
  • Weekly scans are a bare minimum.
  • Real-time scanning is critical for today's threats.

Security News

Updated information about security issues can be found here:

  • Crypto-Gram is a free monthly email newsletter from security expert Bruce Schneier. Each issue is filled with interesting commentary, pointed critique, and serious debate about security.
  • DarkReading is InformationWeek's security news.
  • OpenMedia works to keep the Internet open, affordable, and surveillance-free.

Security is Necessary

Security software is necessary to prevent access to your computer. Newer and deadlier versions of malicious software are being developed regularly.

Sooner or later you will become a victim unless your security software (including an effective firewall) is up to the task.

We're Overconfident

In general, the research suggests that about half of consumers do not know how to protect themselves from cyber criminals.

[R]esearchers found that 87 percent of respondents reported they had an anti–virus program, but only about 52 percent had updated their program in the last week.

Further, 44 percent of respondents did not understand how a firewall worked, and one in four had not heard of the term phishing. — McAfee–NCSA Online Safety Study, 2007

I find that many people are confused about the multifaceted threats their computers face and the need for a competent suite of products that work well together.

Few understand that running multiple security products endangers them (each viewing the “protection” of the competing product as a threat).

We're More Vulnerable Than Before

The world we live in has seen massive changes. Information used to be on paper locked in filing cabinets but now it is on the Internet (or “in the cloud”) which provides 24/7 access to anyone including hackers.

This fundamental shift in our reality challenges our understanding of the concept of security:

Now we live in a world that is strictly bounded by our capacity to understand it, by our ability to keep up with the pace of technological change, and to manage the new risks and security challenges that come with limitless storage capacity, limitless transmission capacity, limitless data mining capacity.

We are bounded by our own limited capacity to understand, to imagine the implications of data flow and data aggregation, and our ability to teach. — Privacy Commissioner of Canada.

Security is Everyone's Responsibility

The point of greatest vulnerability? It is you and everyone else that uses your computer.

Your protection depends on:

  1. protecting your computer with good quality security software that is updated regularly;
  2. knowing how that security software operates so you're not fooled by fakes; and
  3. your knowledge about other security threats and how to respond to them correctly.

Ensure Your Security is Current

Be sure to use current versions of your security software. Older versions may not have the ability to protect your computer as effectively.

  • Minor updates like virus or spyware signatures generally install automatically.
  • If you need to manually download a file then it has to be installed before it updates your software.
  • Frequently check your security software company's website to verify you have the most recent version.

Know Your Security Software

Get to know your security software so that you can use it effectively, know its limitations and know how it responds to threats. That way you

Phone calls “from Microsoft” (or any similar authority) are almost certainly bogus.

Avoid Extra Software Installations

One example is the optional (but pre-checked) McAfee software that downloads with Flash Player updates.

You don't need it or want it. Be sure to de-select it (and other optional software that appears when updating products).

Test Your Security Knowledge

Test yourself in The Case of the Cyber Criminal, a fun animated game that will help you to learn about security.



www.RussHarvey.bc.ca/resources/security.html
Updated: November 20, 2017