The internet has brought many conveniences to us; and convenience is duly appreciated when we’re always so busy with our lives. With algorithms that notify us of new items from our favourite brands, to Facebook showing us endless scrolls of newborn babies or kittens – the web is always actively transmitting and collecting information, whether or not we are actively doing so ourselves. Unfortunately, such ease sometimes comes at a price when we least expect it – but only if we let our guard down.
Most of us barely pay attention to our online security from day to day, so 11 February, Safer Internet Day, is a good time to reconsider our protective measures (or lack thereof): it is the one day in the year when responsible internet use is promoted globally. To help you get started, here is a list of tips (some from hackers, too) to protect your privacy and security online:
Newbie HackerOne hacker, Katie Paxton-Fear aka InsiderPHD, shares her practical approach for managing passwords, which, as she reminds us, can be a huge mental load to remember and generate:
“I use a password manager (LastPass) to store my passwords – it also generates them for me, which saves me coming up with new ones. I know it sounds super insecure but for some passwords I write down a hint – it’s better to have something written down physically than stored digitally anywhere other than a password manager.
Obviously I keep these written password hints in a safe location, always on my person, and keep good physical security measures – not writing what the hint is for or taking pictures of the hint.
Multi-factor authentication can also help add another layer of security so, if a password is compromised, the account does not also become compromised. You have program-specific authentications such as Blizzard Authenticator, but there are also authenticators that can be set up for multiple programs, such as Microsoft Authenticator.
My final piece of advice is to use an algorithm, incorporating the name of a website or service into a password. I used to use this method but now I simply keep all unique passwords in my password manager.”
It’s oh-so-tempting – connecting to free WiFi while you’re idling at the airport or a coffee shop. Public WiFi might seem harmless, but it’s not – most users do not realise the extent to which their personal information, passwords, logins and other sensitive data are left exposed when connecting to an unsafe public WiFi network.
Such unsecured networks generally don’t encrypt their data traffic – so plain text, unscrambled images, and sound flying over the network are all there for enterprising hackers to intercept or collect. Sure, it’s fine for some light browsing and reading, but never try to shop or access your financial accounts via an unsecured network, unless you’re using a VPN (virtual private network). You’re generally safer sticking to 3G or 4G.
In a similar vein, be extremely cautious about using public USB charging points at places like the airport.
Privacy-conscious German hacker Julien Ahrens, a.k.a. Mr. Tuxracer, says: “I personally avoid any app or website that has had major breaches in the past. For example, certain social media sites because they have had breaches or data privacy issues, and more than once.”
Pragmatist Katie adds: “I know a lot of people avoid certain technology but I rely on a spidey sense of cyber danger; I look for red flags, similar to spotting a phishing website: if it seems dodgy, you should trust your instincts. When I do use sites that I suspect don’t take security seriously, I opt to use services like PayPal where I know security is a priority, instead of letting a website save my payment details.
As for mobile apps, I keep on top of any apps that use sensitive information, like my location or health information, and if I think they don’t need that information, I simply delete the app from my phone. The only technology I avoid using for anything day-to-day is my hacking tablet! It’s purposefully completely unsafe for bug hunting.”
We’ve all done this: logged into Facebook from someone else’s device to check our notifications, and then neglected to log out. Simply clicking the Close button on the browser does not necessarily log you off Facebook; the session may remain active.
A session remains active until you specifically log off Facebook on that device. An active session doesn’t by itself mean that someone has access to your Facebook account, but it is still good practice to close active sessions, especially ones you don’t remember starting or don’t recognise as your own.
How to do this? On Facebook on your desktop, navigate to “Settings” using the drop-down in the right-hand corner of your screen, then “Security”, then “Where you’re logged in”. From this screen, you can close an open session on whichever device it is still running.
Contrary to what most people think, “incognito” mode on your browser isn’t anything to be ashamed of – it’s not for looking at explicit or otherwise embarrassing content (embarrassing if anyone else found out). It’s a handy private browsing mode which means your previous activity will not be logged and stored in your browser’s history.
All very useful if you want to keep your tracks clean, for example when browsing for a secret birthday gift for your other half, but not so useful if you think it stops the websites you visit (e.g. Amazon, Facebook, Google) from tracking your activity using cookies or location and device logging.
The easiest workaround is to use two browsers: one for accessing your social media, banks and shopping sites, and another for randomly browsing the internet. Splitting your web activity between free-roaming and private browsers helps maintain your anonymity out in the digital wild west.
Is this painful – yes; but is this necessary – most definitely. It instantly adds an extra layer of security to your personal accounts, making it much harder for nefarious elements to access your information.
What does it mean? You sacrifice the convenience of immediately accessing your online accounts (e.g. social media like Facebook, or personal accounts like Gmail), but you gain the security of an added identity check, usually in the form of an OTP (one-time password) sent to your mobile phone via text message.
Alternatively, you can install an authenticator app that generates time-limited OTPs. If someone other than you tries to gain access after figuring out your credentials, you will receive a notification about a login from an unrecognised machine or a request to reset your password. Thankfully, neither can be authorised without your one-time code.
Swedish hacker Fredrik Alexandersson, a.k.a. Stok, recommends using your password manager in combination with 2FA, and “preferably one that uses any kind of ‘push’ technology so you just have to approve your login on your phone.”
“I’m also a big advocate of using VPN services that care about their customers’ privacy, just like mullvad.net. So always make sure you read up on the privacy agreement of your VPN (virtual private network) provider so you don’t end up signing a user agreement with a man-in-the-middle-attack-like service,” he adds.
Jesse adds, “Whenever possible, enable multi-factor authentication on your accounts. Using a mobile app like Authy or Duo to obtain an authentication code that allows you to log in after you supply your password will stop a huge portion of attacks on the average person.”
Social engineering, in information security, means manipulating others to perform actions or give out personal information without being aware of doing so themselves.
American hacker Jesse, a.k.a. Random Deduction, advises:
- Don’t follow links in emails. Instead, go to the site directly.
- If you receive a call/text from a bank or any organisation, tell them you will call them back. Use the number on the back of your card or from the company’s website, not one the potential hacker gave you, to reach out to the organisation directly.
Lisa Jiggetts, a.k.a. cyberjin, adds: “Things that make me the slightest bit suspicious raise red flags, like weird calls, texts and emails. It’s getting harder these days because the bad guys are really good. I fell for one earlier this year; they spoofed one of my banks’ phone numbers for an old account that I don’t use, but a couple of minutes into the call, alarm bells started ringing.
They had already changed my address on my account and I didn’t have 2FA set up at the time, so I knew that my login credentials were compromised and that’s how they initially got in.”
Hackers tend to steer clear of IoT (Internet of Things) devices, a notorious security weak spot, but British hacker James Kettle, a.k.a. albinowax, advises that anyone who wants to sleep safe in the knowledge they’ve secured their smart fridge, doorbell or TV should follow these rules for smart devices:
- Smart devices are most exposed to attack if attackers end up on your WiFi/LAN, so I lock down my WiFi by using a strong, non-default password.
- Use wired connections instead of WiFi where possible.
- Isolate smart devices on a separate VLAN; however, this is not very easy and may require a fancy router.
Indian hacker Sandeep Singh, a.k.a. GeekBoy, recommends the Telegram messaging app, which offers multiple security and privacy features, while Lisa says she tries to keep social media posts minimal, without divulging personal information that could be used in a potential attack.
“I always check the privacy settings to make sure a new setting wasn’t ‘snuck in’ after an update, and that the settings are set to the most restrictive option. On my phone, I keep Bluetooth, Wi-Fi and GPS turned off unless I’m using them.”
We know, software updates pop up at the most inconvenient times, and they can sometimes take ages, but that’s no excuse to skip one. Why is it important?
Updates are essential for closing the security holes that hackers find and try to exploit in order to perform a malicious action. Updating your system in a timely manner helps protect your computer against threats.
Keep all your software updated so you have the latest security patches. Turn on automatic updates so you don’t have to think about it, and make sure that your security software is set to run regular scans.
Stay safe, everyone!
Text: HackerOne and Pearlyn Quan