Neowire

Why Internet Security is Hard for Businesses and Users

January 23, 2020

In business, education, and personal life Internet security remains something that most users don’t understand. From changing passwords, to 2FA, to what you should share with tech support, people everywhere continue to get hacked and have their information released by anonymous third parties. While there are many situations users can’t stop, such as data breaches of a popular service, there are many aspects in which you can improve your Internet security.

Getting Started

To start off improving your own Internet security, begin thinking of all the accounts you have. These may be social media accounts like Facebook, Instagram, Twitter, and others. Then think of your financial accounts such as bank accounts, PayPal-like accounts, and any accounts that process financials. Finally there’s email and other messaging services which can transport secure information. These are all types of accounts that you should prioritize security on, as compromising these can cause significant pain and possibly monetary loss.

Securing Passwords

The first step to securing an account is having a strong password. I’m sure you’ve heard this before and have probably even been forced to change your passwords from stuff like “schmitty” to “Schm1tty_” in order to comply with password rules enforced by certain sites and applications. While these passwords are probably strong than the previous passwords, what helps the most is having a longer, more complicated password. For example, here’s one of my favorite web comics on password strength:

XKCD Password Strength

Using these types of easily rememberable passwords such as correct horse battery staple are more secure than passwords such as C00lHorse!$3 due to their length and general randomness. When coming up with new passwords, skip on naming them after pets, birthdays, and family names. These things can all be easily guessed when an attacker is trying to take over an account.

However, if you’re not really in the mood for remembering passwords, you have another option! You’ve probably noticed that your web browser or mobile device supports auto-filling fields with random passwords, then it can fill them again when you’re logging in for the next time. This is what’s called a “password manager”, a program that keeps track of your passwords and allows you to use long, randomized passwords without having to remember them. While the ones built into browsers like Mozilla Firefox, Apple Safari, and Google Chrome are generally good to use for websites, there are many built to be used even outside of websites. Ones like 1Password and LastPass are very highly rated for both business and personal use, however I highly recommend MasterPassword also for business and personal use due to it being free/open-source with no server required.

Once you’ve changed passwords for your important accounts, make sure not to lose those passwords! I don’t recommend putting them in a Word document or on a Post-It attached to your monitor since those can be easily found by viruses and nosy people. Using a password manager instead is a great way to keep track of these passwords without them easily being lost to an attacker.

Securing Through 2FA

It’s possible that you’ve heard of, or possibly use 2FA already. 2FA stands for two factor authentication, or basically another way to log into an account that’s not a password. Most 2FA methods rely on being physical, instead of being a password that could be stored on a server or on your computer. The most common methods are phone calls or messages, timed based codes through an app, and physical USB keys.

Phone Calls and Messages

Using your personal phone as a way to verify who you are has been very common over the last few years. Nearly everyone has a phone now and all you have to do is type the code you get from your phone into the website. Easy, right? While simple to get started, using phones as verification opens a person up to SIM-jacking attacks. Essentially your phone provider has the ability to re-issue a SIM card matching your personal number, so there have been several attacks on popular celebrities and important figures in recent years using this attack.

All it involves is a rogue employee issuing a new SIM card, then selling it to the highest paying bidder or using it to attack the person themselves. As most sites with 2FA through phone calls and messages allow using those codes to also reset the password, this kind of attack can get into nearly any account that uses 2FA. Recently, the CEO of Twitter had his own Twitter account hacked through a SIM-jacking attack. If the own CEO of Twitter isn’t not safe against this kind of attack, it’s unlikely any user is.

While you may think you’re not an important target of a SIM-jacking attack, these kinds of attacks have been on the rise. In the UK alone there have been over 300 of these attacks in the last year, with the count only rising. Using your phone for 2FA will give you better security over having no 2FA, but I can’t recommend using it if other options are available due to the SIM-jacking threat.

Timed One Time Password

OTP Example

Another popular 2FA method are One Time Passwords, which are essentially randomly generated numbers that can only be generated by your phone or another device. This involves downloading an app, scanning a barcode on the site you want to use it for, and then inputting the code each time you want to prove that you’re you. While simple to use, this is one of the most effective 2FA method. An attacker without access to your phone simply cannot get into your account. Provided your phone doesn’t get hacked (which generally isn’t an issue on the iOS platform, or on Android anymore) and your phone doesn’t get stolen, you are provided great security with a very simple method.

There’s a number of apps that can generate these codes, the most popular probably being Google Authenticator. While it works fine, one issue is that if you lose your phone or uninstall the app you lose access to all the codes that would let you log into your accounts! These means you could possibly be permanently locked out of your accounts if you don’t have a backup of the codes. But since the codes constantly change, the app itself has to back them up. Google Authenticator doesn’t support backing up codes, only transferring between phones. So if you delete the app completely, lose your phone, or your phone breaks you lose all the codes. My recommendation for apps instead is andOTP on Android and OTP Auth on iOS. Both apps allow saving an encrypted backup, which you can then safely backup to your computer, a flash drive, or an online storage provider (like Dropbox or Google Drive.)

Physical USB Keys

You may have seen them before, especially if you work at a business that requires them. These have been used forever as an extra step to log into a secured computer, but have slowly made their way into working in the web browser. They’re very simple, in that all you have to do is plug them into your computer, press the button on it, and you’re logged in! They start at $20 and are very easy to set up with providers that support them such as Google, Twitter, Facebook, and more. I personally recommend the YubiKeys however any key from a trustworthy company would work.

The one downside with these keys is the same downside that exists with the OTP codes: if you lose the key, you lose access to your accounts. Since you can’t back a backup of a physical key, you simply have to buy one. So I recommend buying two keys, setting them both up on each account, putting one key on your keyring, and putting the other in a secure place. This will ensure that if you ever lose your key, you don’t lose access to your accounts.

Next: Data Breaches

So you’ve changed your passwords, added a 2FA step for additional security, and are more aware about some of the threats involved. The next thing I recommend people to do, is check what data breaches they’re in. I wrote a previous article on data breaches, but essentially data breaches are what happens when a company has their customer data hacked. This can happen due to misconfiguration, vulnerable software, or combinations of a lack of physical security.

Data breaches impact nearly anyone who has had an account on an Internet site before. Yahoo had a data breach, First American Financial Corp. had a data breach, Facebook had a data breach, Marriot had a data breach, Capital One had a data breach, and the list goes on. In these data breaches not only customer data like names and addresses are leaked, but also potentially credit card information and passwords! Knowing what passwords and information has been leaked is key to resecuring it after such a breach.

The easiest way to keep up with data breaches is a personal favorite site of mine called have i been pwned? which allows you to enter your email addresses, which are then checked to see what data breaches they have been in. They get donated the same information that hackers get from these breaches, then they put a secure version of it in their database. This allows people to understand what accounts have been breached, sometimes even before the company announces it themselves! As of now they have over 425 different breaches in their database, with more constantly being added. I highly recommend adding your email to their notification service to keep up with data breaches.

Once a password has been in a data breach, I recommend never using it again. There are a lot of hackers out there that use the email addresses, usernames, and passwords from these data breaches to attack accounts by the same user on other sites, assuming that they may be reusing the password. Even worse, most of these people make the same kind of common modifications to the password that you may do to “secure it” such as adding more numbers or symbols to it. So make sure to change passwords after a data breach and consider using a password manager like I recommended before!

Keeping Mobile Devices Secure

One more thing to keep secure is your mobile device, as compromising it can compromise all of your accounts. These steps very quite a bit between Android and iOS:

Android

Android is praised for being an operating system that allows its user to do what they want, without the restrictions of iOS. While this is great for power users, those restrictions are the same things that keep the device secure. So there’s a short list of things not to do, primarily never download an app not through the store. This can be the Play Store, or f-droid (an open source repository, probably safer than the Play Store for some apps!) Since Android can install apps from the Internet, these apps can infect your device like a virus unless you completely trust the source. Generally to be secure, never download apps from the internet. Finally, try to always keep your device up to date. New updates come frequently to fix security issues that can pop up over time.

iOS

iOS is generally considered a safer OS, however due to this there are constant attempts to hack it. Large groups will pay up to $2,500,000 for an exploit on iOS. Due to this, exploits are found all the time by Apple and quickly patched. Keep your phone up to date with these security patches, as even installing a rogue app generally cannot be used to exploit your phone.

Finishing Up

Congratulations! If you at least read most of this article, you probably know more than 90% of people do about Internet security. Sticking to a password manager, using 2FA, and keeping up with data breaches is key to surviving in our current technological world where at any moment hackers could drain thousands of bank accounts in a snap of their fingers. Remember to keep up to date with Internet security, and maybe show those grandparents a thing or two about keeping safe online.


Written by Paul Sauve. Software & Tech