2017 brought new challenges for personal security, and 2018 will likely do the same. While we have little control over major data breaches as individuals, we do have control over our own personal security processes. Here are five common cybersecurity mistakes to avoid in the coming year and beyond.
Connecting Everything That Can Be Connected
How important is it to you that your eating utensil measures how quickly you consume food? Do you really need a digital assistant to tell you the weather or play music? These are the kind of questions you need to answer before buying smart devices.
The Internet of Things, or IoT, continues to grow astronomically. Imagine a life where your refrigerator and pantry automatically calculate how many calories, carbs, and sugars your groceries have and use that info to suggest recipes. Sounds cool, right? Well, that coolness comes at a price. The devices and apps we use have unprecedented access to our personal lives. From our viewing habits to our shopping habits to our eating habits, it’s all being collected and stored by a third party. The more data you allow to be collected, the less control you have of your identity, and the more likely your personal info ends up in the hands of the wrong person.
Our personally identifiable information (PII) is essentially currency. It’s just as important as the money you have in the bank. Consider that before allowing apps and devices to connect and share your PII. And for every device you do connect, be sure to update the default usernames and passwords ASAP.
Using Weak or Outdated Passwords
As usual, inferior password practices rule the “how to get hacked” world of connected accounts and devices. The list of most commonly used passwords seems to never change. Just compare the 2017 list to the 2016 and the 2015 lists.
If you fail to implement strong passwords or forget to change them every now and then, you essentially give up on security. The good news is that generating strong, unique passwords doesn’t have to be difficult. Here are three tips to help:
Use a passphrase instead of a password. Passphrases trump passwords by forming a sentence that’s easy to remember, such as a quote from your favorite movie or book.
Use the SNL Triad – symbols, numbers, and letters. Upgrade your passphrases with multiple characters, including upper and lower case.
Use a password manager. It’s nearly impossible to remember every password for every account you own. Password managers turn that difficulty into a luxury by generating, storing, and syncing your logins across multiple devices.
Relying on SMS Two-factor Authentication
We always recommend utilizing two-factor authentication, or 2FA, wherever possible, which provides an extra layer of security by requiring multiple steps to access accounts. But 2FA via SMS (text messaging) is far from secure. Methods to intercept SMS have been around for a while. Here’s a great example of it in action:
And it isn’t necessary to have a sophisticated understanding of hacking tools in order to compromise someone’s phone. Using good ol’ social engineering on human beings works just as well:
I was hacked today: my Twitter account, two email addresses, & my phone. It was not due to passwords, they hacked my phone account itself.
— deray (@deray) June 10, 2016
Today I learned that it is rather easy for someone to call the provider & change your SIM. The hacker got the account verification texts.
— deray (@deray) June 10, 2016
The above example is what is known as a SIM swap, where an attacker steals your phone number and ports it to a phone of his own.
SMS certainly presents too many security issues to be trusted. But what other options do we have? One is Google Authenticator, which implements a process called Time-based One-time Password Algorithm, or TOTP. Here’s a good explanation of how it works.
The other option is to bypass all software-based authentication methods and instead use physical tokens such as Yubikey.* Products like Yubikey require a physical key in order to access an account or device.
But the bottom line is this: two factors are better than one. No matter what. So even though 2FA via SMS may not be secure, it’s still better than not using 2FA at all. Just remember: there is no such thing as 100% security.
Jumping on Unsecure Trends
Congrats to everyone who used the Google Arts and Culture app today and is now in the NSA facial recognition database.
— Alex Halpern (@HalpernAlex) January 15, 2018
Snark aside, trendy apps that collect, send, and store personal information represent a major challenge to personal security. The above example exemplifies how dangerous these seemingly harmless trends could be.
The Google Arts & Culture app has the ability to match your selfie to a famous painting, which is definitely awesome. But it also poses huge security concerns. As of this writing, it is the top app in the Google Play store with over one million downloads. And even though it was designed to be educational, as well as entertaining, by connecting people with arts and culture around the world, the selfie art-matching feature is the driving force behind the popularity.
Google, of course, claims they won’t use the data collected from uploaded images for any other purpose and that the images are deleted after the match is made. Be that as it may, would you upload your fingerprints to a database to see if your hands are anything like (enter famous person here)? Of course not.
Perhaps that comes off as paranoia, but the reality is, app developers collect and store tons of our data. Be selective in the ones you choose. Not every trend is worth joining. And be sure to review security settings and permissions before installing. Think before you app!
Failing to use Browser Plugins for Additional Security
It’s no secret that browsers, search engines, and websites track our online habits. For the most part, this process is a shared compromise stating that we, the user, can access free content in exchange for a few cookies. We can also opt out of this by turning on private browsing or using alternative browsers that do not store any history or cookies, thereby granting us anonymity.
But remaining anonymous isn’t the top concern. Websites and advertisements are prone to cyber attacks that, in some cases, don’t even so much as require a click in order to spread malware. As attacks become more sophisticated, the need for additional security measures in general web browsing increases. Here are a few plugins that can help you right now:
HTTPS Everywhere* – HTTPS is the secure version of HTTP that encrypts the connection between your computer and the website you are accessing. But not every site offers HTTPS, and even when they do, you still may be redirected to an unsecure page. HTTPS Everywhere explains:
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using clever technology to rewrite requests to these sites to HTTPS.
Adblockers – Not only are popup advertisements annoying, they can also be dangerous. Malvertising—malicious advertising—is a common attack that utilizes advertisements to spread malware. Adblockers help prevent this and provide a cleaner browsing experience.
VPNs – Short for virtual private networks, VPNs encrypt your traffic and make it nearly impossible for someone to snoop your data. They are a must-have security tool for anyone that connects to public WiFi but are also a good way to prevent internet service providers from collecting your browsing data or blocking you from various websites. You can read about how VPNs work here.
*The Security Awareness Company does not endorse or have any affiliation with any products mentioned in this column.
Latest posts by Justin Bonnema (see all)
- Incident Response: Time Is Not On Your Side - April 1, 2019
- 5 Traits of Security Aware Parents - March 14, 2019
- Bad Habits of Senior Managers That Put Security of Organizations at Risk - March 1, 2019